Cybersecurity News

Google Warns Salesloft OAuth Breach Extends Beyond Salesforce, Impacting All Integrations

Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and

TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies

Cybersecurity researchers have discovered a cybercrime campaign that's using malvertising tricks to direct victims to fraudulent sites to deliver a new information stealer called TamperedChef. "The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef," Truesec researchers Mattias Wåhlén, Nicklas

Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names

Cybersecurity researchers have discovered a loophole in the Visual Studio Code Marketplace that allows threat actors to reuse names of previously removed extensions. Software supply chain security outfit ReversingLabs said it made the discovery after it identified a malicious extension named "ahbanC.shiba" that functioned similarly to two other extensions – ahban.shiba and ahban.cychelloworld –

Salt Typhoon Exploits Cisco, Ivanti, Palo Alto Flaws to Breach 600 Organizations Worldwide

The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, government, transportation, lodging, and military infrastructure sectors. "While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and

Webinar: Why Top Teams Are Prioritizing Code-to-Cloud Mapping in Our 2025 AppSec

Picture this: Your team rolls out some new code, thinking everything's fine. But hidden in there is a tiny flaw that explodes into a huge problem once it hits the cloud. Next thing you know, hackers are in, and your company is dealing with a mess that costs millions. Scary, right? In 2025, the average data breach hits businesses with a whopping $4.44 million bill globally. And guess what? A big

Hidden Vulnerabilities of Project Management Tools & How FluentPro Backup Secures Them

Every day, businesses, teams, and project managers trust platforms like Trello, Asana, etc., to collaborate and manage tasks. But what happens when that trust is broken? According to a recent report by Statista, the average cost of a data breach worldwide was about $4.88 million. Also, in 2024, the private data of over 15 million Trello user profiles was shared on a popular hacker forum. Yet,

Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials

The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities. "Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials,

U.S. Treasury Sanctions DPRK IT-Worker Scheme, Exposing $600K Crypto Transfers and $1M+ Profits

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime's weapons of mass destruction and ballistic missile programs. "The North Korean regime continues to target American

Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks

The financially motivated threat actor known as Storm-0501 has been observed refining its tactics to conduct data exfiltration and extortion attacks targeting cloud environments. "Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key,

Someone Created the First AI-Powered Ransomware Using OpenAI's gpt-oss:20b Model

Cybersecurity company ESET has disclosed that it discovered an artificial intelligence (AI)-powered ransomware variant codenamed PromptLock. Written in Golang, the newly identified strain uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts in real-time. The open-weight language model was released by OpenAI earlier this month. "PromptLock

Anthropic Disrupts AI-Powered Cyberattacks Automating Theft and Extortion Across Critical Sectors

Anthropic on Wednesday revealed that it disrupted a sophisticated operation that weaponized its artificial intelligence (AI)-powered chatbot Claude to conduct large-scale theft and extortion of personal data in July 2025. "The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government, and religious institutions," the company said. "

ShadowSilk Hits 35 Organizations in Central Asia and APAC Using Telegram Bots

A threat activity cluster known as ShadowSilk has been attributed to a fresh set of attacks targeting government entities within Central Asia and Asia-Pacific (APAC). According to Group-IB, nearly three dozen victims have been identified, with the intrusions mainly geared towards data exfiltration. The hacking group shares toolset and infrastructural overlaps with campaigns undertaken by threat

The 5 Golden Rules of Safe AI Adoption

Employees are experimenting with AI at record speed. They are drafting emails, analyzing data, and transforming the workplace. The problem is not the pace of AI adoption, but the lack of control and safeguards in place. For CISOs and security leaders like you, the challenge is clear: you don’t want to slow AI adoption down, but you must make it safe. A policy sent company-wide will not cut it.

Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent. The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group (GTIG) and Mandiant, tracked as UNC6395. GTIG told The Hacker

Blind Eagle’s Five Clusters Target Colombia Using RATs, Phishing Lures, and Dynamic DNS Infra

Cybersecurity researchers have discovered five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025. These attacks, observed by Recorded Future Insikt Group, targeted various victims, but primarily within the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under

Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775

Citrix has released fixes to address three security flaws in NetScaler ADC and NetScaler Gateway, including one that it said has been actively exploited in the wild. The vulnerabilities in question are listed below - CVE-2025-7775 (CVSS score: 9.2) - Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service CVE-2025-7776 (CVSS score: 8.8) - Memory overflow

New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station

A team of academics has devised a novel attack that can be used to downgrade a 5G connection to a lower generation without relying on a rogue base station (gNB). The attack, per the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), relies on a new open-source software toolkit named Sni5Gect (short for "Sniffing 5G Inject") that's

MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that's targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell. The activity has been codenamed ZipLine by Check Point Research. "Instead of sending unsolicited phishing emails, attackers initiate contact through a company's public 'Contact Us' form, tricking

AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals

Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape.

ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners. The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National

HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri

Google to Verify All Android Developers in 4 Countries to Block Malicious Apps

Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. "Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices," the company said. "This creates crucial accountability, making it much harder for

CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-8068 (CVSS score: 5.1) - An improper privilege management vulnerability in Citrix Session Recording

UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests. "This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade

Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. "A malicious container running on Docker Desktop could access the

Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter. The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said. "These pages are designed to entice recipients into downloading JavaScript

⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn’t just a matter of firewalls and patches—it’s about strategy. The strongest organizations aren’t the ones with the most tools, but the ones that see how cyber risks connect to business

Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025, based on over 160 million real-world attack simulations, revealed that organizations are only detecting 1 out of 7 simulated attacks,

Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing

The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities. "Initial access is achieved through spear-phishing emails," CYFIRMA said. "Linux BOSS environments are targeted via weaponized .desktop

Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot

Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator. "On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor," Socket researcher Kirill Boychenko

GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Cybersecurity researchers are calling attention to multiple campaigns that are taking advantage of known security vulnerabilities and exposed Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure. The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8),

Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell. The "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up. "The payload isn't hidden inside the file content or a macro, it's encoded directly

Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage

Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks. "The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by

Automation Is Redefining Pentest Delivery

Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn't kept pace. Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays,

INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown

INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. "The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation," the agency said. The effort is the second phase of an ongoing law

Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware

A 55-year-old Chinese national has been sentenced to four years in prison and three years of supervised release for sabotaging his former employer's network with custom malware and deploying a kill switch that locked out employees when his account was disabled. Davis Lu, 55, of Houston, Texas, was convicted of causing intentional damage to protected computers in March 2025. He was arrested and

Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks

Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances. The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows - CVE-2025-57788 (CVSS score: 6.9) - A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user

Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then

Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025

As security professionals, it's easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren't from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security's Blue Report 2025 shows that organizations continue to struggle with preventing

Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that's being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT,

Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft

A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban's sentencing was reported by Bloomberg and Jacksonville news

Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks

Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300 (CVSS score: 8.8), resides in the ImageIO framework and could result in memory corruption when processing a malicious image. "Apple is aware of a report that

DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft

Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth,

🕵️ Webinar: Discover and Control Shadow AI Agents in Your Enterprise Before Hackers Do

Do you know how many AI agents are running inside your business right now? If the answer is “not sure,” you’re not alone—and that’s exactly the concern. Across industries, AI agents are being set up every day. Sometimes by IT, but often by business units moving fast to get results. That means agents are running quietly in the background—without proper IDs, without owners, and without logs of

FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage

A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks. Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing

Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers,

From Impact to Action: Turning BIA Insights Into Resilient Recovery

Modern businesses face a rapidly evolving and expanding threat landscape, but what does this mean for your business? It means a growing number of risks, along with an increase in their frequency, variety, complexity, severity, and potential business impact. The real question is, “How do you tackle these rising threats?” The answer lies in having a robust BCDR strategy. However, to build a

North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms

North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025. The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites

DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks

A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot. Ethan Foltz of Eugene, Oregon, has been identified as the administrator of the service, the U.S. Department of Justice (DoJ) said. The botnet has been used to carry out large-scale DDoS-for-hire attacks targeting

Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems

Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper. But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in

Affiliates Flock to ‘Soulless’ Scam Gambling Machine

Last month, KrebsOnSecurity tracked the sudden emergence of hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. We've since learned that these scam gambling sites have proliferated thanks to a new Russian affiliate program called "Gambler Panel" that bills itself as a "soulless project that is made for profit."

DSLRoot, Proxies, and the Threat of ‘Legal Botnets’

The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they'd made with company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditor's high-speed Internet connection in the United States. This post examines the history and provenance of DSLRoot, one of the oldest "residential proxy" networks with origins in Russia and Eastern Europe.

SIM-Swapper, Scattered Spider Hacker Gets 10 Years

A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.

Oregon Man Charged in ‘Rapper Bot’ DDoS Service

A 22-year-old Oregon man has been arrested on suspicion of operating "Rapper Bot," a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets -- including a March 2025 DDoS that knocked Twitter/X offline. The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecurity.

Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme

Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.

Microsoft Patch Tuesday, August 2025 Edition

Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft's most-dire "critical" rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

KrebsOnSecurity in New ‘Most Wanted’ HBO Max Series

A new documentary series about cybercrime airing next month on HBO Max features interviews with Yours Truly. The four-part series follows the exploits of Julius Kivimäki, a prolific Finnish hacker recently convicted of leaking tens of thousands of patient records from an online psychotherapy practice while attempting to extort the clinic and its patients.

Who Got Arrested in the Raid on the XSS Crime Forum?

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle "Toha." Here's a deep dive on what's knowable about Toha, and a short stab at who got nabbed.

Scammers Unleash Flood of Slick Online Gaming Sites

Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here's a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.

Phishers Target Aviation Execs to Scam Customers

KrebsOnSecurity recently heard from a reader whose boss's email account got phished and was used to trick one of the company's customers into sending a large payment to scammers. An investigation into the attacker's infrastructure points to a long-running Nigerian cybercrime group that is actively targeting established companies in the transportation and aviation industries.

The UK May Be Dropping Its Backdoor Mandate

The US Director of National Intelligence is reporting that the UK government is dropping its backdoor mandate against the Apple iPhone. For now, at least, assuming that Tulsi Gabbard is reporting this accurately.

We Are Still Unable to Secure LLMs from Malicious Inputs

Nice indirect prompt injection attack:

Bargury’s attack starts with a poisoned document, which is shared to a potential victim’s Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) It looks like an official document on company meeting policies. But inside the document, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT. The prompt is written in white text in a size-one font, something that a human is unlikely to see but a machine will still read.

In a proof of concept video of the attack...

Encryption Backdoor in Military/Police Radios

I wrote about this in 2023. Here’s the story:

Three Dutch security analysts discovered the vulnerabilities­—five in total—­in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

There’s new news:

In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm Midnight Blue, based in the Netherlands, discovered vulnerabilities in encryption algorithms that are part of a European radio standard created by ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms...

Poor Password Choices

Look at this: McDonald’s chose the password “123456” for a major corporate system.

Friday Squid Blogging: Bobtail Squid

Nice short article on the bobtail squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

I’m Spending the Year at the Munk School

This academic year, I am taking a sabbatical from the Kennedy School and Harvard University. (It’s not a real sabbatical—I’m just an adjunct—but it’s the same idea.) I will be spending the Fall 2025 and Spring 2026 semesters at the Munk School at the University of Toronto.

I will be organizing a reading group on AI security in the fall. I will be teaching my cybersecurity policy class in the Spring. I will be working with Citizen Lab, the Law School, and the Schwartz Reisman Institute. And I will be enjoying all the multicultural offerings of Toronto...

AI Agents Need Data Integrity

Think of the Web as a digital territory with its own social contract. In 2014, Tim Berners-Lee called for a “Magna Carta for the Web” to restore the balance of power between individuals and institutions. This mirrors the original charter’s purpose: ensuring that those who occupy a territory have a meaningful stake in its governance.

Web 3.0—the distributed, decentralized Web of tomorrow—is finally poised to change the Internet’s dynamic by returning ownership to data creators. This will change many things about what’s often described as the “CIA triad” of ...

Jim Sanborn Is Auctioning Off the Solution to Part Four of the Kryptos Sculpture

Well, this is interesting:

The auction, which will include other items related to cryptology, will be held Nov. 20. RR Auction, the company arranging the sale, estimates a winning bid between $300,000 and $500,000.

Along with the original handwritten plain text of K4 and other papers related to the coding, Mr. Sanborn will also be providing a 12-by-18-inch copper plate that has three lines of alphabetic characters cut through with a jigsaw, which he calls “my proof-of-concept piece” and which he kept on a table for inspiration during the two years he and helpers hand-cut the letters for the project. The process was grueling, exacting and nerve wracking. “You could not make any mistake with 1,800 letters,” he said. “It could not be repaired.”...

Subverting AIOps Systems Through Poisoned Input Data

In this input integrity attack against an AI system, researchers were able to fool AIOps tools:

AIOps refers to the use of LLM-based agents to gather and analyze application telemetry, including system logs, performance metrics, traces, and alerts, to detect problems and then suggest or carry out corrective actions. The likes of Cisco have deployed AIops in a conversational interface that admins can use to prompt for information about system performance. Some AIOps tools can respond to such queries by automatically implementing fixes, or suggesting scripts that can address issues...

Zero-Day Exploit in WinRAR File

A zero-day vulnerability in WinRAR is being exploited by at least two Russian criminal groups:

The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.

More details in the article...

I replaced my deadbolt with this Apple HomeKey smart lock - and it's an iPhone user's dream

Say goodbye to bulky smart locks - the Matter-enabled Level Lock Pro maintains a sleek deadbolt look while packing advanced smart features.

I've tested dozens of Lenovo laptops: Why this IdeaPad is my sleeper pick for most users

Lenovo's IdeaPad Slim 3i offers great value on a budget, with a full-size keyboard, solid port selection, and an affordable price tag.

How to lock and hide apps in a secret folder on an iPhone (and why you shouldn't wait to use it)

It's not what you think - I just don't want my daughter accessing YouTube. Here's how I locked it behind Face ID and hid it in a folder she can't find or open.

Do you really need smart home display hub? I tried one, and it made a big difference

If you have a Eufy security system, the Security E10 smart display is a perfect companion - packed with features that enhance your setup.

Why the wireless mic I recommend to content creators is made by a drone company

DJI doesn't just make great cameras and drones - its microphones are also stellar.

Changing these 7 settings on my Samsung phone improved its battery life by hours

Your Samsung phone likely holds a decent charge, but with a few smart setting tweaks, you can extend its battery life even further.

I took this 360-degree camera around the world - why it's still the most versatile gear I own

The Insta360 X5 is my go-to travel camera for its versatility and ease of use - and it's currently $30 off for Labor Day.

Google's new Pixel phone insurance includes unlimited claims, but is it legit? I did the math

The Pixel Care+ program, which replaces Google Preferred Care, offers a host of benefits to Pixel and Fitbit owners.

Samsung offers enticing preorder deal for new Galaxy tablets ahead of September Unpacked

The upcoming product launch will likely feature several Android tablets - and potentially a new phone.

OpenAI increases ChatGPT user protections following wrongful death lawsuit

New guardrails provide parents with more control over their kids' chatbot use.

Best Labor Day laptop deals 2025: Sales on Apple, Dell, Lenovo, and more

I've rounded up the best laptop deals in the lead-up to the big Labor Day sales event, many of which we've tested ourselves and recommend.

I asked Google Finance's AI chatbot what stocks to buy - and its answer surprised me

The redesigned Google Finance uses AI to let you dive deeper into your finances. Here's how to try it.

I left my home with a robot vacuum on auto-pilot for 10 days - here are the results

The Narwal Freo Pro is among the best value for money robot vacuums on the market.

I found a smart air purifier that doubles as a pet bed (and my cat loves it)

The PetAir Pro from Blueair gets rid of pet hair, cleans the air of pet dander, and even acts as a comfy bed for your pet.

This Qi2 battery pack from Anker just made wireless charging essential for me

Anker's new Nano Power Bank MagGo 5K Slim battery pack is sleek, simple, and super impressive.

These 3 tablet charging habits are slowly killing your device - here's what to do instead

Your tablet's reliability starts with its battery - treat it right to keep it running strong.

T-Mobile will give you 4 free iPhone 16 phones right now - here's how to get yours

Right now when you sign up for a T-Mobile Experience Beyond plan, you can get up to four free iPhone 16s -- no trade-in required.

Best Labor Day phone deals 2025: Save up to $300 on Samsung, Google, and more

Labor Day is almost here, and retailers like Amazon and Best Buy are already offering discounts on phones from brands like Samsung, OnePlus, Google, and more.

Best Costco Labor Day deals 2025: 15+ sales up to $1,700 off

Shop Costco's Labor Day sale online right now, with major deals from brands like Apple, Lenovo, LG, and more.

OpenAI gives its voice agent superpowers to developers - look for more apps soon

The company's AI voice offerings just got several new capabilities, including MCP support.

China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years

China-linked APT ‘Salt Typhoon’ exploited known router flaws to maintain persistent access across telecom, government, and military networks, giving Beijing’s intelligence services global surveillance reach.

The post China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years appeared first on SecurityWeek.

CrowdStrike to Acquire Onum to Fuel Falcon Next-Gen SIEM With Real-Time Telemetry

CrowdStrike says the acquisition will bring valuable technology to enhance its Falcon Next-Gen SIEM.

The post CrowdStrike to Acquire Onum to Fuel Falcon Next-Gen SIEM With Real-Time Telemetry appeared first on SecurityWeek.

Webinar Today: Ransomware Defense That Meets Evolving Compliance Mandates

Join this live discussion to learn how organizations can strengthen ransomware defenses while staying ahead of tightening compliance requirements.

The post Webinar Today: Ransomware Defense That Meets Evolving Compliance Mandates appeared first on SecurityWeek.

Hackers Target Popular Nx Build System in First AI-Weaponized Supply Chain Attack

With more than 4 million weekly downloads, the Nx build platform became the first known supply chain breach where hackers weaponized AI assistants for data theft.

The post Hackers Target Popular Nx Build System in First AI-Weaponized Supply Chain Attack appeared first on SecurityWeek.

Hackers Weaponize Trust with AI-Crafted Emails to Deploy ScreenConnect

AI-powered phishing attacks leverage ConnectWise ScreenConnect for remote access, underscoring their sophistication.

The post Hackers Weaponize Trust with AI-Crafted Emails to Deploy ScreenConnect appeared first on SecurityWeek.

Hundreds of Salesforce Customers Hit by Widespread Data Theft Campaign

Google says the hackers systematically exported corporate data, focusing on secrets such as AWS and Snowflake keys.

The post Hundreds of Salesforce Customers Hit by Widespread Data Theft Campaign appeared first on SecurityWeek.

China-Linked Hackers Hijack Web Traffic to Deliver Backdoor

Google researchers say China-linked UNC6384 combined social engineering, signed malware, and adversary-in-the-middle attacks to evade detection.

The post China-Linked Hackers Hijack Web Traffic to Deliver Backdoor appeared first on SecurityWeek.

Nevada State Offices Closed Following Disruptive Cyberattack

State websites and phone lines were taken offline, but officials say emergency services and personal data remain unaffected.

The post Nevada State Offices Closed Following Disruptive Cyberattack appeared first on SecurityWeek.

Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime

Competition among malware-as-a-service developers has transformed infostealers into refined, accessible tools for cybercriminals worldwide.

The post Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime appeared first on SecurityWeek.

Citrix Patches Exploited NetScaler Zero-Day

Zero-day exploited in the wild forces Citrix and CISA to push emergency patch deadlines for federal agencies.

The post Citrix Patches Exploited NetScaler Zero-Day appeared first on SecurityWeek.

FBI cyber cop: Salt Typhoon pwned 'nearly every American'

Plus millions of other people across 80+ countries

China's Salt Typhoon cyberspies hoovered up information belonging to millions of people in the United States over the course of the years-long intrusion into telecommunications networks, according to a top FBI cyber official.…

DHS says it needs $100M worth of counter-drone tech to protect America

Our drones are OK, but those other drones?

The US Department of Homeland Security has revealed plans to spend more than $100 million on systems designed to take out hostile drones.  …

Not in my browser! Vivaldi capo doubles down on generative AI ban

Web browsing belongs to the people, not the bots

Jon von Tetzchner, CEO of Norway-based browser maker Vivaldi, believes the tech industry's efforts to automate web browsing using generative AI models have gone too far.…

FBI, Dutch cops seize fake ID marketplace that sold identity docs for $9

$6.4M VerifTools marketplace offline

The FBI and Dutch police today said that they seized two domains and a blog tied to VerifTools, an international criminal marketplace that sold identity documents for as little as $9.…

How does China keep stealing our stuff, wonders DoD group responsible for keeping foreign agents out

'The homeland is no longer secure,' says Defense Counterintelligence and Security Agency leader

The Pentagon outfit responsible for preventing foriegn agents from infiltrating defense agencies says the US isn't doing a very good job of preventing state secrets from falling into Chinese hands.…

16 billion credentials exposed: why your business needs a password manager now

Your passwords may already be at risk.

Partner Content  Ever felt that gut punch after losing something important, like your house keys? Now picture those, along with 184 million others, resting in plain sight at the wildest equivalent of Comic-Con for criminals.…

SK Telecom walloped with $97M fine after schoolkid security blunders let attackers run riot

Regulator points to lack of 'basic access controls' between internet-facing systems, internal network

South Korea's privacy watchdog has slapped SK Telecom with a record ₩134.5 billion ($97 million) fine after finding that the mobile giant left its network wide open to hackers through a catalog of bungles.…

TransUnion admits 4.5M affected after third-party support app breached

Credit agency offers own services as compensation

Credit scoring and monitoring biz TransUnion says that it recently suffered a breach affecting nearly 4.5 million individuals.…

Thousands of Citrix NetScaler boxes still sitting ducks despite patches

Shadowserver counts more than 13,000 appliances still wide open – including thousands in US, Germany, and UK

Thousands of Citrix NetScaler appliances remain exposed to a trio of security flaws that the vendor patched this week, one of which is already being actively exploited in the wild.…

Ransomware crooks knock Swedish municipalities offline for measly sum of $168K

Miljödata meltdown leaves 200 local authorities scrambling over 1.5 BTC

Sweden's municipal governments have been knocked offline after ransomware crooks hit IT supplier Miljödata, reportedly demanding the bargain-basement sum of $168,000.…

Euro banks block billions in rogue PayPal direct debits after fraud glitch

US payments platform back in action, says it's informing affected customers

Shoppers and merchants in Germany found themselves dealing with billions of euros in frozen transactions this week, thanks to an apparent failure in PayPal's fraud-detection systems.…

Law firm email blunder exposes Church of England abuse victim details

Apology issued after names tied to redress scheme revealed in mass mailing

A London law firm leaked the details of nearly 200 people who requested to receive updates about the redress scheme set up for victims of abuse at the hands of the Church of England (CoE).…

If you thought China's Salt Typhoon was booted off critical networks, think again

13 governments sound the alarm about ongoing unpleasantness

China's Salt Typhoon cyberspies continue their years-long hacking campaign targeting critical industries around the world, according to a joint security alert from cyber and law enforcement agencies across 13 countries.…

ChatGPT hates LA Chargers fans

Harvard researchers find model guardrails tailor query responses to user's inferred politics and other affiliations

OpenAI's ChatGPT appears to be more likely to refuse to respond to questions posed by fans of the Los Angeles Chargers football team than to followers of other teams.…

Sting nails two front firms in Nork IT worker scam

There's also a rogue Russian on the list

The US Treasury Department has announced sanctions against two Asian companies and two individuals for allegedly helping North Korean IT workers fake their way into US jobs.…

Crims laud Claude to plant ransomware and fake IT expertise

AI lowers the bar for cybercrime, Anthropic admits

comment  Anthropic, a maker of AI tools, says that AI tools are now commonly used to commit cybercrime and facilitate remote worker fraud.…

Putin on the code: DoD reportedly relies on utility written by Russia-based Yandex dev

Fast-glob is widely used in government, security lab says

updated  A Node.js utility used by thousands of public projects - and more than 30 Department of Defense ones - appears to have a sole maintainer whose online profiles identify him as a Yandex employee living in Russia.…

Nx NPM packages poisoned in AI-assisted supply chain attack

Stolen dev credentials posted to GitHub as attackers abuse CLI tools for recon

Nx is the latest target of a software supply chain attack in the NPM ecosystem, with multiple malicious versions being uploaded to the NPM registry on Tuesday evening.…

The intruder is in the house: Storm-0501 attacked Azure, stole data, demanded payment via Teams

Don't let it happen to you

Storm-0501, a financially motivated cybercrime crew, recently broke into a large enterprise's on-premises and cloud environments, ultimately exfiltrating and destroying data within the org's Azure environment. The criminals then contacted the victim via a Microsoft Teams account that they'd also compromised in the attack, demanding a ransom payment for the stolen files.…

Salesforce data missing? It might be due to Salesloft breach, Google says

Attackers steal OAuth tokens to access third-party sales platform, then CRM data in 'widespread campaign'

UPDATE  Google says a recent spate of Salesforce-related breaches was caused by attackers stealing OAuth tokens from the third-party Salesloft Drift app.…

Who are you again? Infosec experiencing 'Identity crisis' amid rising login attacks

Vendor insists passkeys are the future, but getting workers on board is proving difficult

Infosec pros are losing confidence in their identity providers' ability to keep attackers out, with Cisco-owned Duo warning that the industry is facing what it calls "an identity crisis."…

BGP’s security problems are notorious. Attempts to fix that are a work in progress

Securing internet infrastructure remains a challenging endeavour

Systems Approach  I’ve been working on a chapter about infrastructure security for our network security book.…

Google issued ‘State-backed attack in progress’ warnings after spotting web hijack scheme

Suspects this was Beijing-backed Typhoon and/or Panda crew targeting diplomats in Asia

Google has warned customers of a suspected state-backed attack after observing a web traffic hijacking campaign.…

First AI-powered ransomware spotted, but it's not active – yet

Oh, look, a use case for OpenAI's gpt-oss-20b model

ESET malware researchers Anton Cherepanov and Peter Strycek have discovered what they describe as the "first known AI-powered ransomware," which they named PromptLock. …

Azure apparatchik shows custom silicon keeping everything locked down

From hardware security chips and trusted execution pipelines to open source Root of Trust modules

Hot Chips  Microsoft is one of the biggest names in cybersecurity, but it has a less-than-stellar track record in the department. Given its reputation, Redmond can't afford to mess around when it comes to securing its cloud customers' data and workloads.…

DOGE accused of duplicating critical Social Security database on unsecured cloud

Remember that cost-cutting group once led by Elon Musk? Federal employees are still dealing with it

A Social Security Administration employee has filed a whistleblower complaint alleging that Donald Trump's DOGE cost-cutting unit has put the records of every single American at risk by duplicating an agency database in an unauthorized cloud environment. …

ZipLine attack uses 'Contact Us' forms, White House butler pic to invade sensitive industries

'Many dozens' targeted in ongoing campaign, CheckPoint researcher tells The Reg

Cybercriminals are targeting critical US manufacturers and supply-chain companies, looking to steal sensitive IP and other data while deploying ransomware. Their attack involves a novel twist on phishing — and a photo of White House butlers. …

Citrix patches trio of NetScaler bugs – after attackers beat them to it

Criminals already abusing its latest zero-days

Citrix has pushed out fixes for three fresh NetScaler holes – and yes, they've already been used in the wild before the vendor got around to patching.…

Crypto thief earns additional prison time for assaulting witness

Remy Ra St Felix led a vicious international crime ring

A violent home invader and gunpoint cryptocurrency thief will now spend more than 50 years behind bars after being found guilty of assaulting a witness.…

Farmers Insurance harvests bad news: 1.1M customers snared in data breach

Crims raided third-party systems and lifted personal data, including license numbers and partial SSNs

US insurance giant Farmers Insurance says more than a million customers had personal data nicked after a third-party vendor was compromised.…

Malware-ridden apps made it into Google's Play Store, scored 19 million downloads

Everything's fine, the ad slinger assures us

Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans.…

Australian university used Wi-Fi location data to identify student protestors

PLUS: India bans ‘money’ games; SK Hynix cranks out 321-layer SSDs; Fastly re-thinking CDNs for Asia; and more!

Asia In Brief  Australia’s University of Melbourne last year used Wi-Fi location data to identify student protestors.…

AWS, Cloudflare, Digital Ocean, and Google helped Feds investigate alleged Rapper Bot DDoS perp

Comet AI browser fooled; Microsoft sets sail for quantum safety; Sailor sent down for espionage

Infosec in brief  PLUS…

Bug bounties: The good, the bad, and the frankly ridiculous ways to do it

For incentives remember the three Fs – finance, fame, and fixing it

feature  Thirty years ago, Netscape kicked off the first commercial bug bounty program. Since then, companies large and small have bought into the idea, with mixed results.…

Short circuit: Electronics supplier to tech giants suffers ransomware shutdown

Amazon, Apple, Google, and Microsoft among major customers

Data I/O, a major electronics manufacturer whose customers include Amazon, Apple, Google, and Microsoft, notified federal regulators that it fell victim to a ransomware infection on August 16 that continues to disrupt its business operations.…

Kidney dialysis giant DaVita tells 2.4M people they were snared in ransomware data theft nightmare

Health details, tax ID numbers, even images of checks were stolen, reportedly by the Interlock gang

Ransomware scum breached kidney dialysis firm Davita's labs database in April and stole about 2.4 million people's personal and health-related information.…

Criminal background checker APCS faces data breach

The attack first affected an upstream provider of bespoke software

Exclusive  A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company.…

Fake CAPTCHA tests trick users into running malware

ClickFix tricks

Microsoft's security team has published an in-depth report into ClickFix, the social engineering attack which tricks users into executing malicious commands in the guise of proving their humanity.…

Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa

Crypto mines, BEC scams, fake passports, and a $300M fraud empire allegedly brought down during Serengeti 2.0

Interpol's latest clampdown on cybercrime resulted in 1,209 arrests across the African continent, from ransomware crooks to business email compromise (BEC) scammers, the agency says.…

Developer jailed for taking down employer's network with kill switch malware

Pro tip: When taking revenge, don't use your real name

A US court sentenced a former developer at power management biz Eaton to four years in prison after he installed malware on the company’s servers.…

Anthropic scanning Claude chats for queries about DIY nukes for some reason

Because savvy terrorists always use public internet services to plan their mischief, right?

Anthropic says it has scanned an undisclosed portion of conversations with its Claude AI model to catch concerning inquiries about nuclear weapons.…

Microsoft reportedly cuts China's early access to bug disclosures, PoC exploit code

Better late than never after SharePoint assault?

Microsoft has reportedly stopped giving Chinese companies proof-of-concept exploit code for soon-to-be-disclosed vulnerabilities following last month's SharePoint zero-day attacks, which appear to be related to a leak in Redmond's early-bug-notification program.…

'Impersonation as a service' the next big thing in cybercrime

Underground forums now recruiting English-speaking social engineers

English speakers adept at social engineering are a hot commodity in the cybercrime job market.…

Honey, I shrunk the image and now I'm pwned

Google’s Gemini-powered tools tripped up by image-scaling prompt injection

Security researchers with Trail of Bits have found that Google Gemini CLI and other production AI systems can be deceived by image scaling attacks, a well-known adversarial challenge for machine learning systems.…

Congressman proposes bringing back letters of marque for cyber privateers

Bill would let US President commission white hat hackers to go after foreign threats, seize assets on the online seas

It's been more than 200 years since the United States issued a letter of marque allowing privateers to attack the vessels of foreign nations, but those letters may return to empower cyber operators if a bill introduced in Congress actually manages to pass. …

Orange Belgium mega-breach exposes 850K customers to serious fraud

Everything a criminal needs for targeted attacks exposed, but telco insists 'no critical data compromised'

A significant data theft at Orange Belgium has opened hundreds of thousands of its customers to serious cybersecurity risks.…

US cops wrap up RapperBot, one of world's biggest DDoS-for-hire rackets

Feds say Mirai-spawned botnet blasted 370K attacks before AWS and pals helped yank its servers

RapperBot, a botnet-for-hire blamed for hundreds of thousands of DDoS attacks, has been yanked offline by the Feds, who also hauled in its alleged Oregon-based mastermind.…

Apple rushes out fix for active zero-day in iOS and macOS

Another 'extremely sophisticated' exploit chewing at Cupertino's walled garden

Apple has shipped emergency updates to fix an actively exploited zero-day in its ImageIO framework, warning that the flaw has already been abused in targeted attacks.…

Colt changes tune, admits data theft as Warlock gang begins auction

Worried about your data? No probs, says firm, we'll check the dark web crims' list for you! Yes really

A week after its services were disrupted by a cyberattack, UK telco Colt Technology Services has gone back on its initial statement to confirm that data has indeed been stolen.…

Google yet to take down 'screenshot-grabbing' Chrome VPN extension

Researcher claims extension didn't start out by exfiltrating info... while dev says its actions are 'compliant'

Updated  Security boffins at Koi Security have warned of a shift in behavior of a popular Chrome VPN extension, FreeVPN.One, which recently appears to have begun snaffling screenshots of users' page activity and transmitting them to a remote server without their knowledge – and Google has yet to take it down.…

TransUnion Data Breach Impacts 4.5 Million US Customers

The credit rating giant revealed that the breach, which occurred on July 28, was caused by unauthorized access to a third-party application

Fake IT Support Attacks Hit Microsoft Teams

Fake IT support lures are being used to trick employees into installing remote‑access tools via Microsoft Teams

Netherlands Confirms China's Salt Typhoon Targeted Small Dutch Telcos

Salt Typhoon’s primary Dutch targets were small internet service providers and hosting providers

Malicious VS Code Extensions Exploit Name Reuse Loophole

Visual Studio Code extensions have been identified exploiting a loophole that allows reuse of names from removed packages

Nevada Confirms Ransomware Attack, State Data Stolen

Nevada’s CIO confirmed in a press conference that ransomware actors had exfiltrated data from state networks, amid an ongoing incident investigation

Chinese Tech Firms Linked to Salt Typhoon Espionage Campaigns

The US, UK and allies have called out China’s “commercial cyber ecosystem” for enabling large-scale Salt Typhoon campaigns

Crypto Companies Freeze $47m in Romance Baiting Funds

Chainalysis, OKX, Binance and Tether have managed to stop nearly $50m reaching romance baiting fraudsters

Ransomware Actor Deletes Data and Backups Post-Exfiltration on Azure

Microsoft observed Storm-0501 pivot to the victim’s cloud environment to exfiltrate data rapidly and prevent the victim’s recovery

CISA Strengthens Software Procurement Security With New Tool

CISA has launched a new Software Acquisition Guide Web Tool to enhance security in software procurement

Researchers Discover First Reported AI-Powered Ransomware

While still in development, PromptLock is described as the “first known AI-powered ransomware” by ESET researchers

Nevada “Network Security Incident” Shuts Down State Offices and Services

The Office of the Governor of Nevada revealed that the incident has shut down in-person State services, while government phone lines and websites are offline

ShadowSilk Campaign Targets Central Asian Governments

A series of cyber-attacks against government organizations in Central Asia and Asia- Pacific has been linked to the ShadowSilk threat cluster

Halo Security platform updates give teams better control over exposure data

Halo Security announced platform enhancements designed to give security teams flexibility and control within the platform. The new features include custom dashboards, configurable reports, and improved automation capabilities that give organizations better control over how they visualize and manage their exposure data. “No two organizations are the same, and different team members face different challenges,” said Lisa Dowling, CEO of Halo Security. “A vulnerability analyst needs different insights than a compliance manager, and a CISO … More →

The post Halo Security platform updates give teams better control over exposure data appeared first on Help Net Security.

New framework aims to outsmart malware evasion tricks

Attackers have learned how to trick machine learning malware detectors with small but clever code changes, and researchers say they may finally have an answer. In a new paper, academics from Inria and the CISPA Helmholtz Center for Information Security describe a framework that can withstand these kinds of evasion attempts. Their work focuses on adversarial examples in malware detection, where attackers alter software in ways that preserve its function but confuse the model into … More →

The post New framework aims to outsmart malware evasion tricks appeared first on Help Net Security.

Finding connection and resilience as a CISO

With sensitive information to protect and reputational risk always in the background, it isn’t easy for security leaders to have open conversations about what’s working and what isn’t. Yet strong peer networks and candid exchanges are critical for resilience, both organizationally and personally. In this Help Net Security interview, Michael Green, CISO at Trellix, discusses how CISOs can build trusted communities, balance information sharing with confidentiality, and avoid burnout while leading at the highest level. … More →

The post Finding connection and resilience as a CISO appeared first on Help Net Security.

AI isn’t taking over the world, but here’s what you should worry about

In this Help Net Security video, Josh Meier, Senior Generative AI Author at Pluralsight, debunks the myth that AI could “escape” servers or act on its own. He explains how large language models actually work, why they can’t become sentient, and where the real risks lie: from misinformation and data leaks to phishing and malware. Meyer also highlights practical, safe ways AI can support cybersecurity professionals.

The post AI isn’t taking over the world, but here’s what you should worry about appeared first on Help Net Security.

AI can’t deliver without trusted, well-governed information

While enterprise IT leaders recognize the transformative potential of AI, a gap in information readiness is causing their organizations to struggle in securing, governing, and aligning AI initiatives across business, according to a survey conducted by the Ponemon Institute. Who is the final authority for setting your organization’s AI strategy? (Source: Ponemon Institute) 73% of CIOs, CISOs, and other IT leaders believe reducing information complexity is key to AI readiness. “Without trusted, well-governed information, AI … More →

The post AI can’t deliver without trusted, well-governed information appeared first on Help Net Security.

Infosec products of the month: August 2025

Here’s a look at the most interesting products from the past month, featuring releases from: Black Kite, Brivo, Cloudflare, Descope, Doppel, Druva, Elastic, ExtraHop, LastPass, Prove, Riverbed, Rubrik, StackHawk, and Trellix. StackHawk empowers security teams to expand their API testing coverage StackHawk releaseed LLM-Driven OpenAPI Specifications, a powerful new capability that creates API documentation directly from source code. With this new capability, StackHawk analyzes source code repositories, extracts API details using homegrown LLMs, and produces … More →

The post Infosec products of the month: August 2025 appeared first on Help Net Security.

Agentic AI coding assistant helped attacker breach, extort 17 distinct organizations

Cybercriminals have started “vibe hacking” with AI’s help, AI startup Anthropic has shared in a report released on Wednesday. An attacker used the agentic AI coding assistant Claude Code for nearly all steps of a data extortion operation that has targeted at least 17 organizations in a variety of economic sectors. The attacker provided Claude Code with a CLAUDE.md file that outlined what they expected of the coding assistant and used the AI tool to … More →

The post Agentic AI coding assistant helped attacker breach, extort 17 distinct organizations appeared first on Help Net Security.

Cycuity Radix-ST identifies security weaknesses earlier in chip design

Cycuity introduces Radix-ST, a new product in its Radix portfolio of security solutions designed to leverage static analysis techniques to identify potential weaknesses early in the design cycle without requiring simulation or emulation. As hardware designs become increasingly complex and security threats grow, semiconductor design teams require effective tools capable of proactively identifying issues during the development process. Analogous to functional verification, security assurance can greatly benefit from a spectrum of complementary technologies. While dynamic … More →

The post Cycuity Radix-ST identifies security weaknesses earlier in chip design appeared first on Help Net Security.

ScamAgent shows how AI could power the next wave of scam calls

Scam calls have long been a problem for consumers and enterprises, but a new study suggests they may soon get an upgrade. Instead of a human scammer on the other end of the line, future calls could be run entirely by AI. ScamAgent system architecture Researchers at Rutgers University have shown how LLM agents can be used to carry out convincing scam conversations that bypass current AI guardrails. The project, called ScamAgent and led by … More →

The post ScamAgent shows how AI could power the next wave of scam calls appeared first on Help Net Security.

Where security, DevOps, and data science finally meet on AI strategy

AI infrastructure is expensive, complex, and often caught between competing priorities. On one side, security teams want strong isolation and boundaries. On the other, engineers push for performance, density, and cost savings. With GPUs in short supply and budgets under pressure, the balance isn’t easy. In this Help Net Security interview, Andrew Hillier, CTO at Densify, explores how organizations can approach Kubernetes optimization with security, observability, and strategic maturity in mind, and why thinking in … More →

The post Where security, DevOps, and data science finally meet on AI strategy appeared first on Help Net Security.

This month in security with Tony Anscombe – August 2025 edition

From Meta shutting down millions of WhatsApp accounts linked to scam centers all the way to attacks at water facilities in Europe, August 2025 saw no shortage of impactful cybersecurity news

Don’t let “back to school” become “back to (cyber)bullying”

Cyberbullying is a fact of life in our digital-centric society, but there are ways to push back

First known AI-powered ransomware uncovered by ESET Research

The discovery of PromptLock shows how malicious use of AI models could supercharge ransomware and other threats

"What happens online stays online" and other cyberbullying myths, debunked

Separating truth from fiction is the first step towards making better parenting decisions. Let’s puncture some of the most common misconceptions about online harassment.

The need for speed: Why organizations are turning to rapid, trustworthy MDR

How top-tier managed detection and response (MDR) can help organizations stay ahead of increasingly agile and determined adversaries

Investors beware: AI-powered financial scams swamp social media

Can you tell the difference between legitimate marketing and deepfake scam ads? It’s not always as easy as you may think.

Supply-chain dependencies: Check your resilience blind spot

Does your business truly understand its dependencies, and how to mitigate the risks posed by an attack on them?

How the always-on generation can level up its cybersecurity game

Digital natives are comfortable with technology, but may be more exposed to online scams and other threats than they think

WinRAR zero-day exploited in espionage attacks against high-value targets

The attacks used spearphishing campaigns to target financial, manufacturing, defense, and logistics companies in Europe and Canada, ESET research finds

Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

ESET Research discovered a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents; the weaponized archives exploited a path traversal flaw to compromise their targets

Black Hat USA 2025: Is a high cyber insurance premium about your risk, or your insurer’s?

A sky-high premium may not always reflect your company’s security posture

Android adware: What is it, and how do I get it off my device?

Is your phone suddenly flooded with aggressive ads, slowing down performance or leading to unusual app behavior? Here’s what to do.

Black Hat USA 2025: Policy compliance and the myth of the silver bullet

Who’s to blame when the AI tool managing a company’s compliance status gets it wrong?

Black Hat USA 2025: Does successful cybersecurity today increase cyber-risk tomorrow?

Success in cybersecurity is when nothing happens, plus other standout themes from two of the event’s keynotes

ESET Threat Report H1 2025: ClickFix, infostealer disruptions, and ransomware deathmatch

Threat actors are embracing ClickFix, ransomware gangs are turning on each other – toppling even the leaders – and law enforcement is disrupting one infostealer after another

Is your phone spying on you? | Unlocked 403 cybersecurity podcast (S2E5)

Here's what you need to know about the inner workings of modern spyware and how to stay away from apps that know too much

Why the tech industry needs to stand firm on preserving end-to-end encryption

Restricting end-to-end encryption on a single-country basis would not only be absurdly difficult to enforce, but it would also fail to deter criminal activity

This month in security with Tony Anscombe – July 2025 edition

Here's a look at cybersecurity stories that moved the needle, raised the alarm, or offered vital lessons in July 2025

The hidden risks of browser extensions – and how to stay safe

Not all browser add-ons are handy helpers – some may contain far more than you have bargained for

SharePoint under fire: ToolShell attacks hit organizations worldwide

The ToolShell bugs are being exploited by cybercriminals and APT groups alike, with the US on the receiving end of 13 percent of all attacks

ToolShell: An all-you-can-eat buffet for threat actors

ESET Research has been monitoring attacks involving the recently discovered ToolShell zero-day vulnerabilities

Rogue CAPTCHAs: Look out for phony verification pages spreading malware

Before rushing to prove that you're not a robot, be wary of deceptive human verification pages as an increasingly popular vector for delivering malware

Why is your data worth so much? | Unlocked 403 cybersecurity podcast (S2E4)

Behind every free online service, there's a price being paid. Learn why your digital footprint is so valuable, and when you might actually be the product.

Unmasking AsyncRAT: Navigating the labyrinth of forks

ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants

How to get into cybersecurity | Unlocked 403 cybersecurity podcast (S2E3)

Cracking the code of a successful cybersecurity career starts here. Hear from ESET's Robert Lipovsky as he reveals how to break into and thrive in this fast-paced field.

Task scams: Why you should never pay to get paid

Some schemes might sound unbelievable, but they’re easier to fall for than you think. Here’s how to avoid getting played by gamified job scams.

How government cyber cuts will affect you and your business

Deep cuts in cybersecurity spending risk creating ripple effects that will put many organizations at a higher risk of falling victim to cyberattacks

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

ESET Research analyzes Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout 2024

ESET Threat Report H1 2025: Key findings

ESET Chief Security Evangelist Tony Anscombe looks at some of the report's standout findings and their implications for organizations in 2025

ESET APT Activity Report Q4 2024–Q1 2025: Malware sharing, wipers and exploits

ESET experts discuss Sandworm’s new data wiper, relentless campaigns by UnsolicitedBooker, attribution challenges amid tool-sharing, and other key findings from the latest APT Activity Report

This month in security with Tony Anscombe – June 2025 edition

From Australia's new ransomware payment disclosure rules to another record-breaking DDoS attack, June 2025 saw no shortage of interesting cybersecurity news

ESET Threat Report H1 2025

A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

BladedFeline: Whispering in the dark

ESET researchers analyzed a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig

Don’t let dormant accounts become a doorway for cybercriminals

Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order.

This month in security with Tony Anscombe – May 2025 edition

From a flurry of attacks targeting UK retailers to campaigns corralling end-of-life routers into botnets, it's a wrap on another month filled with impactful cybersecurity news

Word to the wise: Beware of fake Docusign emails

Cybercriminals impersonate the trusted e-signature brand and send fake Docusign notifications to trick people into giving away their personal or corporate data

Danabot under the microscope

ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure

Danabot: Analyzing a fallen empire

ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation

Lumma Stealer: Down for the count

The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies

ESET takes part in global operation to disrupt Lumma Stealer

Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation

The who, where, and how of APT attacks in Q4 2024–Q1 2025

ESET Chief Security Evangelist Tony Anscombe highlights key findings from the latest issue of the ESET APT Activity Report

ESET APT Activity Report Q4 2024–Q1 2025

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025

Sednit abuses XSS flaws to hit gov't entities, defense companies

Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU

Operation RoundPress

ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities

How can we counter online disinformation? | Unlocked 403 cybersecurity podcast (S2E2)

Ever wondered why a lie can spread faster than the truth? Tune in for an insightful look at disinformation and how we can fight one of the most pressing challenges facing our digital world.

Catching a phish with many faces

Here’s a brief dive into the murky waters of shape-shifting attacks that leverage dedicated phishing kits to auto-generate customized login pages on the fly

Beware of phone scams demanding money for ‘missed jury duty’

When we get the call, it’s our legal responsibility to attend jury service. But sometimes that call won’t come from the courts – it will be a scammer.

Toll road scams are in overdrive: Here’s how to protect yourself

Have you received a text message about an unpaid road toll? Make sure you’re not the next victim of a smishing scam.

RSAC 2025 wrap-up – Week in security with Tony Anscombe

From the power of collaborative defense to identity security and AI, catch up on the event's key themes and discussions

TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks

This month in security with Tony Anscombe – April 2025 edition

From the near-demise of MITRE's CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity

How safe and secure is your iPhone really?

Your iPhone isn't necessarily as invulnerable to security threats as you may think. Here are the key dangers to watch out for and how to harden your device against bad actors.

Deepfake 'doctors' take to TikTok to peddle bogus cures

Look out for AI-generated 'TikDocs' who exploit the public's trust in the medical profession to drive sales of sketchy supplements

How fraudsters abuse Google Forms to spread scams

The form and quiz-building tool is a popular vector for social engineering and malware. Here’s how to stay safe.

Will super-smart AI be attacking us anytime soon?

What practical AI attacks exist today? “More than zero” is the answer – and they’re getting better.

CapCut copycats are on the prowl

Cybercriminals lure content creators with promises of cutting-edge AI wizardry, only to attempt to steal their data or hijack their devices instead

They’re coming for your data: What are infostealers and how do I stay safe?

Here's what to know about malware that raids email accounts, web browsers, crypto wallets, and more – all in a quest for your sensitive data

Attacks on the education sector are surging: How can cyber-defenders respond?

Academic institutions have a unique set of characteristics that makes them attractive to bad actors. What's the right antidote to cyber-risk?

Watch out for these traps lurking in search results

Here’s how to avoid being hit by fraudulent websites that scammers can catapult directly to the top of your search results

So your friend has been hacked: Could you be next?

When a ruse puts on a familiar face, your guard might drop, making you an easy mark. Learn how to tell a friend apart from a foe.

1 billion reasons to protect your identity online

Corporate data breaches are a gateway to identity fraud, but they’re not the only one. Here’s a lowdown on how your personal data could be stolen – and how to make sure it isn’t.

The good, the bad and the unknown of AI: A Q&A with Mária Bieliková

The computer scientist and AI researcher shares her thoughts on the technology’s potential and pitfalls – and what may lie ahead for us

This month in security with Tony Anscombe – March 2025 edition

From an exploited vulnerability in a third-party ChatGPT tool to a bizarre twist on ransomware demands, it's a wrap on another month filled with impactful cybersecurity news

Resilience in the face of ransomware: A key to business survival

Your company’s ability to tackle the ransomware threat head-on can ultimately be a competitive advantage

Making it stick: How to get the most out of cybersecurity training

Security awareness training doesn’t have to be a snoozefest – games and stories can help instill ‘sticky’ habits that will kick in when a danger is near

RansomHub affiliates linked to rival RaaS gangs

ESET researchers also examine the growing threat posed by tools that ransomware affiliates deploy in an attempt to disrupt EDR security solutions

FamousSparrow resurfaces to spy on targets in the US, Latin America

Once thought to be dormant, the China-aligned group has also been observed using the privately-sold ShadowPad backdoor for the first time

Shifting the sands of RansomHub’s EDRKillShifter

ESET researchers discover new ties between affiliates of RansomHub and of rival gangs Medusa, BianLian, and Play

You will always remember this as the day you finally caught FamousSparrow

ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor

Operation FishMedley

ESET researchers detail a global espionage operation by FishMonger, the APT group run by I‑SOON

MirrorFace updates toolset, expands targeting to Europe

The group's Operation AkaiRyū begins with targeted spearphishing emails that use the upcoming World Expo 2025 in Osaka, Japan, as a lure

Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor

ESET researchers uncovered MirrorFace activity that expanded beyond its usual focus on Japan and targeted a Central European diplomatic institute with the ANEL backdoor

AI's biggest surprises of 2024 | Unlocked 403 cybersecurity podcast (S2E1)

Here's what's been hot on the AI scene over the past 12 months, how it's changing the face of warfare, and how you can fight AI-powered scams

When IT meets OT: Cybersecurity for the physical world

While relatively rare, real-world incidents impacting operational technology highlight that organizations in critical infrastructure can’t afford to dismiss the OT threat

Don’t let cybercriminals steal your Spotify account

Listen up, this is sure to be music to your ears – a few minutes spent securing your account today can save you a ton of trouble tomorrow

AI-driven deception: A new face of corporate fraud

Malicious use of AI is reshaping the fraud landscape, creating major new risks for businesses

Kids behaving badly online? Here's what parents can do

By taking time to understand and communicate the impact of undesirable online behavior, you can teach your kids an invaluable set of life lessons for a new digital age

Martin Rees: Post-human intelligence – a cosmic perspective | Starmus highlights

Take a moment to think beyond our current capabilities and consider what might come next in the grand story of evolution

Threat Report H2 2024: Infostealer shakeup, new attack vector for mobile, and Nomani

Big shifts in the infostealer scene, novel attack vector against iOS and Android, and a massive surge in investment scams on social media

Bernhard Schölkopf: Is AI intelligent? | Starmus highlights

With AI's pattern recognition capabilities well-established, Mr. Schölkopf's talk shifts the focus to a pressing question: what will be the next great leap for AI?

This month in security with Tony Anscombe – February 2025 edition

Ransomware payments trending down, the cyber-resilience gap facing SMBs, and APT groups embracing generative AI – it's a wrap on another month filled with impactful security news

Laurie Anderson: Building an ARK | Starmus highlights

The pioneering multi-media artist reveals the creative process behind her stage show called ARK, which challenges audiences to reflect on some of the most pressing issues of our times

Fake job offers target software developers with infostealers

A North Korea-aligned activity cluster tracked by ESET as DeceptiveDevelopment drains victims' crypto wallets and steals their login details from web browsers and password managers

DeceptiveDevelopment targets freelance developers

ESET researchers analyzed a campaign delivering malware bundled with job interview challenges

No, you’re not fired – but beware of job termination scams

Some employment scams take an unexpected turn as cybercriminals shift from “hiring” to “firing” staff

Katharine Hayhoe: The most important climate equation | Starmus highlights

The atmospheric scientist makes a compelling case for a head-to-heart-to-hands connection as a catalyst for climate action

Gaming or gambling? Lifting the lid on in-game loot boxes

The virtual treasure chests and other casino-like rewards inside your children’s games may pose risks you shouldn’t play down

What is penetration testing? | Unlocked 403 cybersecurity podcast (ep. 10)

Ever wondered what it's like to hack for a living – legally? Learn about the art and thrill of ethical hacking and how white-hat hackers help organizations tighten up their security.

How AI-driven identity fraud is causing havoc

Deepfake fraud, synthetic identities, and AI-powered scams make identity theft harder to detect and prevent – here's how to fight back

Neil Lawrence: What makes us unique in the age of AI | Starmus highlights

As AI advances at a rapid clip, reshaping industries, automating tasks, and redefining what machines can achieve, one question looms large: what remains uniquely human?

Patch or perish: How organizations can master vulnerability management

Don’t wait for a costly breach to provide a painful reminder of the importance of timely software patching

Roeland Nusselder: AI will eat all our energy, unless we make it tiny | Starmus highlights

Left unchecked, AI's energy and carbon footprint could become a significant concern. Can our AI systems be far less energy-hungry without sacrificing performance?

How scammers are exploiting DeepSeek's rise

As is their wont, cybercriminals waste no time launching attacks that aim to cash in on the frenzy around the latest big thing – plus, what else to know before using DeepSeek

This month in security with Tony Anscombe – January 2025 edition

DeepSeek’s bursting onto the AI scene, apparent shifts in US cybersecurity policies, and a massive student data breach all signal another eventful year in cybersecurity and data privacy

Untrustworthy AI: How to deal with data poisoning

You should think twice before trusting your AI assistant, as database poisoning can markedly alter its output – even dangerously so

Brian Greene: Until the end of time | Starmus highlights

The renowned physicist explores how time and entropy shape the evolution of the universe, the nature of existence, and the eventual fate of everything, including humanity

Going (for) broke: 6 common online betting scams and how to avoid them

Don’t roll the dice on your online safety – watch out for bogus sports betting apps and other traps commonly set by scammers

The evolving landscape of data privacy: Key trends to shape 2025

Incoming laws, combined with broader developments on the threat landscape, will create further complexity and urgency for security and compliance teams

PlushDaemon compromises supply chain of Korean VPN service

ESET researchers have discovered a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon

Under lock and key: Protecting corporate data from cyberthreats in 2025

Data breaches can cause a loss of revenue and market value as a result of diminished customer trust and reputational damage

Google warns Salesloft breach impacted some Workspace accounts

Google reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access Google Workspace email accounts in addition to Salesforce data. [...]

US targets North Korean IT worker army with new sanctions

The U.S. Treasury's Office of Foreign Assets Control (OFAC) has sanctioned two individuals and two companies associated with North Korean IT worker schemes that operate at the expense of American organizations. [...]

Google shares workarounds for auth failures on ChromeOS devices

Google is working to resolve authentication failures preventing users from signing into their Clever and ClassLink accounts on some ChromeOS devices. [...]

Malware devs abuse Anthropic’s Claude AI to build ransomware

Anthropic's Claude Code large language model has been abused by threat actors who used it in data extortion campaigns and to develop ransomware packages. [...]

Microsoft Word will save your files to the cloud by default

Microsoft says that Word for Windows will soon enable autosave and automatically save all new documents to the cloud by default. [...]

Passwordstate dev urges users to patch auth bypass vulnerability

Click Studios, the company behind the Passwordstate enterprise-grade password manager, has warned customers to patch a high-severity authentication bypass vulnerability as soon as possible. [...]

Police seize VerifTools fake ID marketplace servers, domains

The FBI and the Dutch Police have shut down the VerifTools marketplace for fraudulent identity documents after seizing servers in Amsterdam that hosted the online operation. [...]

MATLAB dev says ransomware gang stole data of 10,000 people

MathWorks, a leading developer of mathematical simulation and computing software, revealed that a ransomware gang stole the data of over 10,000 people after breaching its network in April. [...]

Shadow IT Is Expanding Your Attack Surface. Here’s Proof

Shadow IT isn't theoretical—it's everywhere. Intruder uncovered exposed backups, open Git repos, and admin panels in just days, all hiding sensitive data. Make your hidden assets visible before attackers do. [...]

TransUnion suffers data breach impacting over 4.4 million people

Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States, with BleepingComputer learning the data was stolen from it's Salesforce account. [...]

Storm-0501 hackers shift to ransomware attacks in the cloud

Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion. [...]

Experimental PromptLock ransomware uses AI to encrypt, steal data

Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. [...]

FreePBX servers hacked via zero-day, emergency fix released

The Sangoma FreePBX Security Team is warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with the Administrator Control Panel (ACP) is exposed to the internet. [...]

IT system supplier cyberattack impacts 200 municipalities in Sweden

A cyberattack on Miljödata, an IT systems supplier for roughly 80% of Sweden's municipal systems, has caused accessibility problems in more than 200 regions of the country. [...]

Proton releases a new app for two-factor authentication

Proton has a free authenticator app, which is available cross-platform with end-to-end encryption protection for data.

Knox lands $6.5M to compete with Palantir in the federal compliance market

Irina Denisenko, CEO of Knox, launched Knox, a federal managed cloud provider, last year with a mission to help software vendors speed through the FedRAMP security authorization process in just three months, and at a fraction of what it would cost to do it on their own.

Google is adding new device-level features for its Advanced Protection program

At the Android Show, taking place ahead of Google I/O 2025, Google announced that it is adding new device-specific features to its Advanced Protection program, which is designed to protect public figures such as politicians and journalists from different digital threats, with the Android 16 release. The new features include a new way of storing […]

Google announces new security features for Android for protection against scam and theft

At the Android Show on Tuesday, ahead of Google I/O, Google announced new security and privacy features for Android. These new features include new protections for calls, screen sharing, messages, device access, and system-level permissions. With these features, Google aims to protect users from falling for a scam, keep their details secure in case a […]

A 25-year-old police drone founder just raised $75M led by Index

If you ever call 911 from an area that’s hard to get to, you might hear the buzz of a drone well before a police cruiser pulls up. And there’s a good chance that it will be one made by Brinc Drones, a Seattle-based startup founded by 25-year-old Blake Resnick, who dropped out of college […]

A new security fund opens up to help protect the fediverse

A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.

How to tell if your online accounts have been hacked

This is a guide on how to check whether someone compromised your online accounts.

Hackers are ramping up attacks using year-old ServiceNow security bugs to target unpatched systems

Threat intelligence startup GreyNoise says it has observed a ‘notable resurgence’ in attack activity

US teachers’ union says hackers stole sensitive personal data on over 500,000 members

PSEA says it "took steps to ensure" its stolen data was deleted, suggesting a ransom demand was paid

CISA scrambles to contact fired employees after court rules layoffs ‘unlawful’

Federal court rules U.S. cybersecurity agency must re-hire over 100 former employees

DOGE axes CISA ‘red team’ staffers amid ongoing federal cuts

Affected staff say more than 100 employees working to protect U.S. government networks were ‘axed’ with no prior warning

What PowerSchool won’t say about its data breach affecting millions of students

New details have emerged about PowerSchool's data breach — but here's what PowerSchool still isn't saying.

Hacker accessed PowerSchool’s network months before massive December breach

CrowdStrike says a hacker had access to PowerSchool's internal system as far back as August.

Japanese telco giant NTT Com says hackers accessed details of almost 18,000 organizations

Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers

FBI says scammers are targeting US executives with fake BianLian ransom notes

The FBI is warning that scammers are impersonating the BianLian ransomware gang using fake ransom notes sent to U.S. corporate executives. The fake ransom notes, first reported by U.S. cybersecurity company GuidePoint Security, claim that hackers have gained access to an organization’s network to steal sensitive data, and threaten to publish the stolen data unless […]

UK quietly scrubs encryption advice from government websites

The UK is no longer recommending the use of encryption for at-risk groups following its iCloud backdoor demands

Broadcom urges VMware customers to patch ‘emergency’ zero-day bugs under active exploitation

Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape

US said to halt offensive cyber operations against Russia

The reported policy shift comes as the U.S. government signals a change in its threat assessment of Russia

‘Uber for guns’ app Protector lets you hire armed bodyguards like you would an Uber — but does anyone need this?

In a TikTok video with over 3 million views, a woman in a fluffy, maximalist coat sits in the back seat of a luxury SUV, parked in the middle of a New York City street. Atop the 6-second video, a line of text reads, “our bodyguards got us matcha.” The camera zooms in on two […]

Belgium investigating alleged cyberattack on intelligence agency by China-linked hackers

The hackers reportedly exploited a flaw in US cybersecurity firm Barracuda’s software to access VSSE's email server

Recap of Our Presence at VivaTech 2025

Our Core Expertise: Offshore Hosting & Advanced Cybersecurity At KoDDoS, we’ve built our reputation on two complementary pillars: 🛡️ Robust Cybersecurity Capabilities For over a decade, we’ve been protecting digital infrastructure with cutting-edge security technologies: 🌐 Resilient and Sovereign Offshore Hosting Our global infrastructure is distributed across strategic offshore data centers in: This setup offers … Continue reading Recap of Our Presence at VivaTech 2025

The post Recap of Our Presence at VivaTech 2025 appeared first on KoDDoS Blog.

KoDDoS at VivaTechnology 2025: A Strategic Presence at the Heart of Cybersecurity and AI Challenges.

Paris, June 2025 – From June 11 to 14, Paris will once again become the global epicenter of technological innovation with the return of VivaTechnology 2025, held at Paris Expo Porte de Versailles. Bringing together major tech companies, disruptive startups, global investors, and public institutions, the event stands out as a pivotal moment for the … Continue reading KoDDoS at VivaTechnology 2025: A Strategic Presence at the Heart of Cybersecurity and AI Challenges.

The post KoDDoS at VivaTechnology 2025: A Strategic Presence at the Heart of Cybersecurity and AI Challenges. appeared first on KoDDoS Blog.

Gamer Over? Why Hackers Target Popular Video Games & How to Stay Safe

Video games are more than entertainment; they’re a $200 billion global industry. But as gaming grows, so do cyberattacks. Hackers now see games as goldmines for stealing data, extorting companies, and exploiting players.  According to Infosecurity Magazine, Akamai’s 2024 report shows that attacks on gaming platforms are rising alarmingly. In 2024 alone, the industry suffered … Continue reading Gamer Over? Why Hackers Target Popular Video Games & How to Stay Safe

The post Gamer Over? Why Hackers Target Popular Video Games & How to Stay Safe appeared first on KoDDoS Blog.

How Social Media Use Can Create Hidden Cybersecurity Risks

Social media is all around us, helping us stay connected, updated, and entertained. But beneath the endless scroll, a darker reality exists. Hidden cybersecurity threats are growing- some obvious, others much harder to spot. The risks are especially alarming for young users. According to the National Institutes of Health, up to 95% of teens aged … Continue reading How Social Media Use Can Create Hidden Cybersecurity Risks

The post How Social Media Use Can Create Hidden Cybersecurity Risks appeared first on KoDDoS Blog.

KoDDoS at the InCyber ​​Europe 2025 Forum: a strategic participation at the heart of the European cyber ecosystem

From April 1st to 3rd, 2025, KoDDoS, a provider of specialized services in DDoS protection and secure offshore hosting, marked its presence at the InCyber ​​Europe Forum, held at the Lille Grand Palais. A true crossroads of cyber innovation and cooperation, the event is the largest cybersecurity event in Europe. A benchmark event on an … Continue reading KoDDoS at the InCyber ​​Europe 2025 Forum: a strategic participation at the heart of the European cyber ecosystem

The post KoDDoS at the InCyber ​​Europe 2025 Forum: a strategic participation at the heart of the European cyber ecosystem appeared first on KoDDoS Blog.

Looking back at CloudFest 2025: An essential event for the future of the cloud!

CloudFest is one of the world’s largest cloud computing events. Every year, it brings together the industry’s leading players to discuss the latest technological advancements, emerging trends, and market challenges. In 2025, the event once again cemented its leadership status by providing a dynamic platform for professional exchange and cloud innovation. This edition featured captivating … Continue reading Looking back at CloudFest 2025: An essential event for the future of the cloud!

The post Looking back at CloudFest 2025: An essential event for the future of the cloud! appeared first on KoDDoS Blog.

KoDDoS in Europe: A Strong Presence at Major Tech Events in Paris.

KoDDoS recently strengthened its commitment to the European tech scene by participating in several major events in France. Our team was honored to be invited to key gatherings in the tech industry, highlighting the importance of innovation and cybersecurity in the evolving digital ecosystem. This strategic tour in Paris allowed us to meet top-tier partners, … Continue reading KoDDoS in Europe: A Strong Presence at Major Tech Events in Paris.

The post KoDDoS in Europe: A Strong Presence at Major Tech Events in Paris. appeared first on KoDDoS Blog.

KoDDos Will be at CyberShow 2025 in Paris!

The post KoDDos Will be at CyberShow 2025 in Paris! appeared first on KoDDoS Blog.

Technological innovation in the heart of Los Angeles at the CES 2025 🚀

🚀 Cutting-Edge Services KoDDoS has established itself as a key player in the field of high-performance hosting. Specializing in anti-DDoS protection, we ensure unmatched service continuity for our clients in the face of growing threats targeting digital infrastructures. We also invest in groundbreaking technologies, including Web3, blockchain, and the Internet of Things (IoT), providing tailored … Continue reading Technological innovation in the heart of Los Angeles at the CES 2025 🚀

The post Technological innovation in the heart of Los Angeles at the CES 2025 🚀 appeared first on KoDDoS Blog.

Recruitment Announcement: B2B Sales Representatives and Business Introducers

To meet growing demand and accelerate our growth, we are launching a new sales team. Weare looking for talented, ambitious, and motivated B2B sales representatives and businessintroducers who share our vision of a safer and more resilient internet. Job Profile:Position: B2B Sales Representatives and Business IntroducersAs a key member of our Sales Team, you will … Continue reading Recruitment Announcement: B2B Sales Representatives and Business Introducers

The post Recruitment Announcement: B2B Sales Representatives and Business Introducers appeared first on KoDDoS Blog.

Mitigating Security Risks in Low-Code Development Environments

I still remember the soft whir of the server room fans and that faint smell of ozone when we, a team of cybersecurity analysts, traced a spike in traffic to a “harmless” low-code workflow. A store manager had built a nifty dashboard to pull sales numbers. It looked tidy, almost playful – boxes, arrows, green check marks. Under the hood, it was hitting an internal API without proper authentication. We caught it before anything went sideways, but the feeling in my gut was the same one you get when you realize a door you thought was locked has been open all night. Where Low-Code Goes Wrong (And...

MITRE Introduces AADAPT Framework to Combat Crypto-Focused Cyber Threats

Amid a surge in cryptocurrency-related cybercrime, MITRE has unveiled AADAPT (Adversarial Actions in Digital Asset Payment Technologies), a brand-new framework designed to shore up cybersecurity weaknesses within digital financial systems such as cryptocurrency. How Does AADAPT Work? Following the construction of MITRE ATT&CK, AADAPT offers a methodology for identifying, analyzing, and mitigating risks associated with digital asset payments. The framework derives insights from over 150 government, industry, and academic sources. Using this foundation of context, it identifies the tactics...

NATO's Cybersecurity Spending Proposals’ Impact on the Industry

NATO has fundamentally redefined what it means to defend the alliance. At the 2025 NATO Summit in The Hague, allies made a commitment to investing 5% of Gross Domestic Product (GDP) annually on core defense requirements and defense and security-related spending by 2035. This represents a dramatic escalation from the previous 2% GDP benchmark. The commitment also includes a condition about how they are to invest that money. NATO allies will be expected to commit to spending around 3.5% of GDP on “hard defense” that will include weapons and troops, and (for the first time) an additional 1.5% on...

Plagued by Cyberattacks: Indian Healthcare Sector in Critical Condition

A recent report states that Indian healthcare institutions face a total of 8,614 cyberattacks every week. That is more than four times the global average and over double the amount faced by any other industry in India. If the feeling was in the air before, the numbers leave no doubt; India’s healthcare sector is an irresistible target for today’s attackers. Indian Healthcare Leads the Pack in Rising Cybercrime Victims One India-based security firm reported a 20% rise in cybercrime rates among their Indian clients in 2024. The healthcare and banking, financial services, and insurance (BFSI)...

Taming Shadow IT: What Security Teams Can Do About Unapproved Apps and Extensions

Shadow IT is one of the most pressing issues in cybersecurity today. As more employees use unsanctioned browser extensions, productivity plugins, and generative AI tools, organizations are exposed to more risk. When these tools enter the environment without IT’s knowledge, they can create data exposure points, introduce new vulnerabilities, and make it easier for attackers to find privileged access paths. In many cases, the employee doesn’t even realize the risk they’ve introduced. How Risk Creeps In: Extensions, AI Tools, and Unapproved Apps Every app or extension installed on a corporate...

Preventing the Preventable: Tackling Internal Cloud Security Risks

Once the frontier of innovation, the cloud has become the battleground of operational discipline. As cloud complexity rises, the most common and costly security threats aren't advanced nation-state attacks. They're internal errors. According to the CSA's Top Threats to Cloud Computing Deep Dive 2025, more than half of reported cloud breaches stemmed from preventable issues like misconfigurations, IAM failures, and operational oversights. These are self-inflicted and are happening with alarming frequency. The report paints a clear picture: internal control failures, not external malefactors...

From Data Overload to Action: Why Modern Vulnerability Management Must Be Workflow-Driven

We all know where vulnerability management fits into an overall security strategy; it provides the raw data that analysts use to figure out what’s wrong and what needs to be fixed. The problem is, traditional VM stops there – leaving analysts to do all the work. Today’s companies don’t have the luxury of doing that anymore. Experts are needed on the front lines, not vetting false positives, and VM solutions that deliver nothing but a data dump are on the road to becoming obsolete. What is taking their place? New, workflow-centric VM solutions are evolving which do everything that old VM...

Building a Cyber-Aware Workforce: Mexico's Push for Security Training

Last year, Mexico was hit with 324 billion attempted cyberattacks, lending credence to the World Economic Forum's report that the country is the recipient of more than half of all cyber threats in Latin America. This does not bode well for the nation projected to rank 15th in world economies this year. The imperative is clear: Mexico and the businesses it supports need to bolster cybersecurity measures to withstand the disproportionate amount of cyber incidents they may be facing in the next 12 months. A recent report by FTI Consulting urges companies in Latin America to move beyond training...

Time for an IoT Audit?

IoT is everywhere, quietly powering everything from smart thermostats in homes to complex systems in industrial networks. While these devices bring incredible convenience and innovation, they also open the door to significant cybersecurity risks, especially in manufacturing and similarly sensitive sectors. The longer devices stay online, the more likely they are to become vulnerable due to outdated software, misconfigurations, or a lack of ongoing security management. If you haven’t already taken a hard look at your IoT setup, now is the perfect time to ask: Is it time for an IoT audit? Why...

Japan's Active Cyberdefense Law: A New Era in Cybersecurity Strategy

On May 16 th, 2025, the Japanese Parliament enacted a landmark piece of cybersecurity legislation: the Japan Active Cyberdefense Law. It was a historic moment for the country's digital defense, empowering law enforcement and military agencies to conduct pre-emptive cyber operations before they materialize. However, the law doesn't just affect Japan's internal security posture; it reflects a global trend of nations and organizations reshaping their cyber defense strategies to keep pace with increasingly sophisticated, state-sponsored cybercrime. Let's explore it in a little more depth. The...

DPRK Remote Work Tactics: Leveraging Code-Sharing Platforms

DPRK IT workers have leveraged popular code-sharing platforms such as GitHub, CodeSandbox, and Medium to cultivate convincing developer portfolios and land remote positions under fabricated identities. Investigations reveal approximately 50 active GitHub profiles operated by North Korean actors, supplemented by dozens of profiles across niche freelancing and forum sites. These operatives employ deepfake profile photos, […]

The post DPRK Remote Work Tactics: Leveraging Code-Sharing Platforms appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Threat Actors Use Facebook Ads to Deliver Android Malware

Cybercriminals are increasingly turning their sights from desktop to mobile, exploiting Meta’s advertising platform to distribute a sophisticated Android banking trojan disguised as a free TradingView Premium app. Bitdefender Labs warns that these threat actors have shifted tactics after months of targeting Windows users with fake trading and cryptocurrency ads, now focusing worldwide on smartphone […]

The post Threat Actors Use Facebook Ads to Deliver Android Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Mac Malware ‘JSCoreRunner’ Abuses Online PDF Tool to Spread

A sophisticated new Mac malware campaign has emerged that exploits users’ trust in free online PDF conversion tools, demonstrating how cybercriminals continue to evolve their tactics to bypass modern security measures. Cybersecurity firm Mosyle has exclusively disclosed the discovery of JSCoreRunner, a previously unknown Mac malware strain that achieved zero detections on VirusTotal at the […]

The post Mac Malware ‘JSCoreRunner’ Abuses Online PDF Tool to Spread appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Silver Fox Hackers Use Driver Vulnerability to Evade Security on Windows Systems

A sophisticated campaign by the Silver Fox APT group that exploits a previously unknown vulnerable driver to bypass endpoint detection and response (EDR) and antivirus solutions on fully updated Windows 10 and 11 systems. Check Point Research (CPR) revealed on August 28, 2025, that the advanced persistent threat group has been leveraging the WatchDog Antimalware […]

The post Silver Fox Hackers Use Driver Vulnerability to Evade Security on Windows Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

How SafeLine WAF Turns Hackers’ Scanners into Trash

When web application protection is no longer a million-dollar luxury, and when every developer can build their own security perimeter with just a few clicks—that is when cybersecurity truly fulfills its mission. As a penetration tester, I’ve used zero-days to crush countless firewalls. But as a defender, I once found myself completely shut down by SafeLine […]

The post How SafeLine WAF Turns Hackers’ Scanners into Trash appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Cisco UCS Manager Software Flaw Allows Attackers to Inject Malicious Commands

Cisco has released urgent security updates to remediate two medium-severity command injection vulnerabilities in its UCS Manager Software that could allow authenticated administrators to execute arbitrary commands and compromise system integrity. Disclosed on August 27, 2025, the advisory (cisco-sa-ucs-multi-cmdinj-E4Ukjyrz) affects multiple UCS fabric interconnect platforms and underscores the importance of timely patching to prevent potential […]

The post Cisco UCS Manager Software Flaw Allows Attackers to Inject Malicious Commands appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Cisco IMC Virtual Keyboard Vulnerability Allows Attackers to Redirect Users to Malicious Websites

Cisco has released urgent security updates to remediate a high-severity vulnerability in its Integrated Management Controller (IMC) virtual keyboard video monitor (vKVM) module that could allow unauthenticated, remote attackers to hijack sessions and redirect users to malicious websites. The flaw, tracked as CVE-2025-20317, carries a CVSS base score of 7.1 and affects a wide range […]

The post Cisco IMC Virtual Keyboard Vulnerability Allows Attackers to Redirect Users to Malicious Websites appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

State of Nevada Faces IT Outage Amid Cyberattack, Offices Suspended

The State of Nevada became the target of a significant cyberattack which resulted in a substantial network security incident impacting government infrastructure across multiple agencies. According to an official communication from the Governor’s Technology Office, state officials rapidly identified the breach and immediately commenced continuous recovery efforts aimed at containing the incident and restoring affected […]

The post State of Nevada Faces IT Outage Amid Cyberattack, Offices Suspended appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Threat Actors Exploit Velociraptor Incident Response Tool for Remote Access

Researchers from the Counter Threat Unit (CTU) at Sophos uncovered a sophisticated intrusion where threat actors repurposed the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish unauthorized remote access within targeted networks. Velociraptor, designed for endpoint visibility and forensic analysis, was deployed maliciously to download and execute Visual Studio Code, facilitating […]

The post Threat Actors Exploit Velociraptor Incident Response Tool for Remote Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Electronics Manufacturer Data I/O Suffers Ransomware Breach

Data I/O Corporation, a well-known electronics firm that specializes in device programming and security provisioning solutions, revealed a ransomware attack that penetrated its internal IT infrastructure in a major cybersecurity event. The incident, detected on August 16, 2025, prompted an immediate activation of the company’s incident response protocols, highlighting the persistent threat of ransomware in […]

The post Electronics Manufacturer Data I/O Suffers Ransomware Breach appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Salesloft Drift compromised en masse, impacting all third-party integrations

Researchers said Google Workspace customers were hit, and noted other platforms are impacted as well. Fresh evidence proves impact was not limited to Salesforce, as Salesloft previously claimed.

The post Salesloft Drift compromised en masse, impacting all third-party integrations appeared first on CyberScoop.

Trump administration setting the stage for elections power grab, voting rights group warns

A new report from the Brennan Center for Justice says the Trump administration has foreshadowed plans to meddle with mail-in voting, voter rolls and much more.

The post Trump administration setting the stage for elections power grab, voting rights group warns appeared first on CyberScoop.

Treasury sanctions North Korea IT worker scheme facilitators and front organizations

As the sanctions-evading scheme has grown, so too has the U.S. government’s response.

The post Treasury sanctions North Korea IT worker scheme facilitators and front organizations appeared first on CyberScoop.

Salt Typhoon hacking campaign goes beyond previously disclosed targets, world cyber agencies say

The Chinese government-linked hackers were the subject of an alert from U.S. and international partners.

The post Salt Typhoon hacking campaign goes beyond previously disclosed targets, world cyber agencies say appeared first on CyberScoop.

Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense

There are still impediments to overcome before companies and agencies can get more broadly aggressive in cyberspace, both legal and commercial.

The post Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense appeared first on CyberScoop.

Microsoft details Storm-0501’s focus on ransomware in the cloud

The financially motivated threat group demonstrates deep knowledge of hybrid cloud environments, which allows it to rapidly steal sensitive data, destroy backups and encrypt systems for ransomware.

The post Microsoft details Storm-0501’s focus on ransomware in the cloud appeared first on CyberScoop.

Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June

The vendor, which has been widely targeted, said the memory-overflow vulnerability can result in remote-code execution or denial of service.

The post Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June appeared first on CyberScoop.

Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent

A threat group Google tracks as UNC6395 systematically stole large amounts of data from Salesforce customer instances by using OAuth tokens stolen from Salesloft Drift, researchers said.

The post Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent appeared first on CyberScoop.

Researchers flag code that uses AI systems to carry out ransomware attacks

The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, inspecting local filesystems, exfiltrating files and encrypting data.

The post Researchers flag code that uses AI systems to carry out ransomware attacks appeared first on CyberScoop.

DOGE employees uploaded Social Security database to ‘vulnerable’ cloud, agency whistleblower says

The post DOGE employees uploaded Social Security database to ‘vulnerable’ cloud, agency whistleblower says appeared first on CyberScoop.

Dutch intelligence warn that China-linked APT Salt Typhoon targeted local critical infrastructure

Dutch intelligence reports Chinese cyber spies (Salt Typhoon, RedMike) targeted the Netherlands, hitting critical infrastructure. The Dutch intelligence and security services MIVD and AIVD say Chinese cyber spies linked to Salt Typhoon (RedMike) targeted the Netherlands in a campaign hitting global critical infrastructure. In late 2024, a large-scale Chinese cyberespionage campaign targeting global telecoms was […]

200 Swedish municipalities impacted by a major cyberattack on IT provider

Cyberattack on Miljödata disrupted services in over 200 Swedish municipalities, with concerns over stolen sensitive data. A cyberattack on Miljödata, an IT supplier serving 80% of Swedish municipalities, including Skellefteå, Mönsterås and Kalmar, disrupted services in over 200 municipalities and raised concerns of stolen sensitive data. The Swedish Privacy Agency confirmed that it has already received around 70 […]

TransUnion discloses a data breach impacting over 4.4 million customers

TransUnion reported a data breach in which threat actors accessed personal information of over 4.4 million customers. TransUnion disclosed a data breach that impacted more than 4,461,511 customers. The company is one of the three major credit reporting agencies in the United States (alongside Experian and Equifax). It collects and maintains credit information on consumers […]

NSA, NCSC, and allies detailed TTPs associated with Chinese APT actors targeting critical infrastructure Orgs

NSA and allies warn that Chinese APT actors, including Salt Typhoon, are targeting critical infrastructure worldwide. The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and allies warn Chinese APT actors, linked to Salt Typhoon, are targeting global telecom, government, transport, lodging, and military sectors. “The National Security Agency (NSA) and […]

UNC6395 targets Salesloft in Drift OAuth token theft campaign

Hackers breached Salesloft to steal OAuth/refresh tokens for Drift AI chat; GTIG and Mandiant link the campaign to threat actor UNC6395. Google Threat Intelligence Group and Mandiant researchers investigate a large-scale data theft campaign carried out to hack the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat […]

Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775

Over 28,200 Citrix NetScaler ADC/Gateway instances remain exposed to critical RCE flaw CVE-2025-7775, already under active exploitation. Experts at the Shadowserver Foundation warn that more than 28,200 Citrix instances are vulnerable to the vulnerability CVE-2025-7775, which is under active exploitation. CVE-2025-7775 (CVSS score: 9.2) is a memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service. […]

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Citrix NetScaler flaw, tracked as CVE-2025-7775, to its Known Exploited Vulnerabilities (KEV) catalog. This week, Citrix addressed three security flaws (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) in NetScaler ADC and NetScaler Gateway, including one (CVE-2025-7775) that it […]

Healthcare Services Group discloses 2024 data breach that impacted 624,496 people

Healthcare Services Group suffered a 2024 breach, exposing personal data of 624,000+ people. Affected individuals are now being notified. In 2024, Healthcare Services Group suffered a data breach that impacted over 624,496 people, as per notification sent to the Maine Attorney General’s Office. Healthcare Services Group, Inc. (HCSG) is a U.S.-based company that provides housekeeping, laundry, […]

ESET warns of PromptLock, the first AI-driven ransomware

ESET found PromptLock, the first AI-driven ransomware, using OpenAI’s gpt-oss:20b via Ollama to generate and run malicious Lua scripts. In a series of messages published on X, ESET Research announced the discovery of the first known AI-powered ransomware, named PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to […]

China linked UNC6384 targeted diplomats by hijacking web traffic

The China-linked APT group UNC6384 targeted diplomats by hijacking web traffic to redirect it to a website that delivered malware. China-linked cyberespionage group UNC6384 targeted diplomats by hijacking web traffic to redirect to a website used to deliver malware, Google’s Threat Intelligence Group (GTIG) warns. Cyberspies hijacked a network’s captive portal using an advanced adversary-in-the-middle […]

Check Point Named Leader in Gartner 2025 Magic Quadrant for Hybrid Mesh Firewalls

Check Point Software has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewalls, with the research firm citing the company’s execution and completeness of vision. The recognition highlights Check Point’s approach to hybrid mesh network security, designed to deliver high-performance firewall protection across on-premises, cloud, and SASE environments. According […]

The post Check Point Named Leader in Gartner 2025 Magic Quadrant for Hybrid Mesh Firewalls appeared first on IT Security Guru.

Ziplining into the Minds of US Supply Chains

A recent report from Check Point Research uncovered Zipline, a phishing campaign that fuses subtle, patient social engineering with stealthy in-memory malware, together enabling attackers to slip past traditional defences and manipulate human behaviour on a wide scale. ​ How did they do it, and who was targeted? ​ A typical phishing attack relies on […]

The post Ziplining into the Minds of US Supply Chains appeared first on IT Security Guru.

Keeper Security Launches KeeperAI

Keeper Security has today unveiled KeeperAI, a new agentic AI feature for its KeeperPAM® platform. KeeperAI enables real-time session monitoring and analysis, automated threat classification and instant response to combat cyber attacks and suspicious behaviour – customisable to meet an organisation’s exact specifications. Cyberattacks are getting faster, more widespread, and increasingly more automated with AI, making […]

The post Keeper Security Launches KeeperAI appeared first on IT Security Guru.

KnowBe4 Report Reveals Global Financial Sector Faces Unprecedented Cyber Threat Surge

KnowBe4, the human risk management cybersecurity platform, has released its latest research paper “Financial Sector Threats Report,” uncovering critical insights into the escalating cybersecurity crisis facing the global financial sector. The report shows that financial institutions face a perfect storm of AI-enhanced attacks, credential theft and supply chain vulnerabilities that pose systemic risks to the […]

The post KnowBe4 Report Reveals Global Financial Sector Faces Unprecedented Cyber Threat Surge appeared first on IT Security Guru.

KnowBe4 Finds Top Cybersecurity Risk is Employee Distraction, Not Threat Sophistication

KnowBe4, the security training provider, today released a new report entitled Navigating Cyber Threats: Infosecurity Europe 2025 Findings. The findings show that cybersecurity professionals are sounding the alarm; not about increasingly sophisticated cyber threats, but about something far more human –  distraction. The new research from KnowBe4, surveyed more than 100 security professionals during the […]

The post KnowBe4 Finds Top Cybersecurity Risk is Employee Distraction, Not Threat Sophistication appeared first on IT Security Guru.

Salt Security Named an Overall Leader in KuppingerCole 2025 Leadership Compass for API Security and Management

Salt Security has been named an Overall Leader in the KuppingerCole Leadership Compass for API Security and Management 2025. The company was also recognised as a Leader in the Product, Innovation, and Market categories, underscoring the strength of its comprehensive, AI-powered API security platform. The report, authored by Alexei Balaganski, provides a detailed overview of […]

The post Salt Security Named an Overall Leader in KuppingerCole 2025 Leadership Compass for API Security and Management appeared first on IT Security Guru.

Keeper Security Launches Biometric Login with Passkeys

Keeper Security has announced the release of biometric login using FIDO2/WebAuthn passkeys on the Chrome/Edge browser extension and Keeper Commander CLI. This update, the first of its kind in the industry, enables users to securely access their Keeper Vault with passkeys protected by biometrics or PINs across multiple platforms, including Windows devices via Windows Hello and […]

The post Keeper Security Launches Biometric Login with Passkeys appeared first on IT Security Guru.

Workday Discloses Data Breach Following CRM-Targeted Social Engineering Attack

Workday, a leading provider of human resources and financial management software, has confirmed that it fell victim to a data breach stemming from a social engineering attack targeting a third-party Customer Relationship Management (CRM) system. According to the company, the breach did not impact its customer tenants or the secure data therein; instead, the compromised […]

The post Workday Discloses Data Breach Following CRM-Targeted Social Engineering Attack appeared first on IT Security Guru.

Black Duck Debuts GitHub App to Automate Security Scans at Scale

Black Duck has released a new GitHub App designed to make it easier for development and security teams to automate security testing across their repositories. Now available in the GitHub Marketplace, the Black Duck Security GitHub App integrates with Polaris, Black Duck SCA, and Coverity, streamlining both onboarding and continuous synchronisation of GitHub repositories. The […]

The post Black Duck Debuts GitHub App to Automate Security Scans at Scale appeared first on IT Security Guru.

How Online Poker Platforms Are Reinventing Cybersecurity Standards for Digital Gaming

The threat of cybercrime is continuously growing online. Developing technology can certainly be a great tool for societal improvement. However, it has its ramifications. The most obvious is that new technologies mean that bad actors have the ability to more effectively threaten those who are just looking for a good time. The concern regarding cybersecurity […]

The post How Online Poker Platforms Are Reinventing Cybersecurity Standards for Digital Gaming appeared first on IT Security Guru.

Innovator Spotlight: ManageEngine

 Unifying IT Management and Security with ManageEngine In today’s digital landscape, IT can feel like juggling flaming torches, one wrong move and the consequences can be costly. From managing endpoints,...

The post Innovator Spotlight: ManageEngine appeared first on Cyber Defense Magazine.

Why Enterprises Need Preemptive Cybersecurity to Combat Modern Phishing

Phishing isn’t what it used to be. It’s no longer fake emails with bad grammar and sketchy links. With AI, modern phishing attacks have become slicker, more convincing, and dangerously...

The post Why Enterprises Need Preemptive Cybersecurity to Combat Modern Phishing appeared first on Cyber Defense Magazine.

Cyber Security Simulation Training Mistakes That CISOs Must Avoid

Your team’s ability to identify phishing attempts in their inboxes has the potential to make or break your entire security posture, which is why having an effective training program in...

The post Cyber Security Simulation Training Mistakes That CISOs Must Avoid appeared first on Cyber Defense Magazine.

With Ransomware Attacks Surging, Eliminate Silos and Tap Genai to Strengthen Threat Intelligence

After a brief lull in ransomware attacks following the LockBit disruption earlier this year, ransomware attacks spiked again in the second quarter of 2024 and are showing no signs of abating. Extortion...

The post With Ransomware Attacks Surging, Eliminate Silos and Tap Genai to Strengthen Threat Intelligence appeared first on Cyber Defense Magazine.

You Can’t Protect What You Can’t See

A business ecosystem is a borderless entity. Where organizations operate across vast, global networks, achieving a comprehensive view of their digital operations is a major challenge. Security leads, faced with...

The post You Can’t Protect What You Can’t See appeared first on Cyber Defense Magazine.

Innovator Spotlight: CSide

Securing the Browser’s Blind Spot By Victoria Hargrove, CDM Reporter What CSide Does Most security stacks fortify servers, databases, and internal apps. CSide (Client-side Development, Inc. aka c/side) targets the...

The post Innovator Spotlight: CSide appeared first on Cyber Defense Magazine.

Cross-domain Solutions: The Present and Future of a Growing Industry

Cross-domain solutions (CDS) consist of the secure exchange of information between security domains. This type of solution, which emerged as a technological answer to the need to share data between...

The post Cross-domain Solutions: The Present and Future of a Growing Industry appeared first on Cyber Defense Magazine.

CMMC 2.0 Final Rule Released – Get Prepared Now!

In a significant step to secure the defense industrial base (DIB), the Department of Defense (DoD) has officially released the long-anticipated Cybersecurity Maturity Model Certification (CMMC) Final Rule, which was...

The post CMMC 2.0 Final Rule Released – Get Prepared Now! appeared first on Cyber Defense Magazine.

Black Hat Ignites Under Vegas Lights

Driving through the quiet, endless beauty of the Nevada desert, I let the raspy voice of Jim Morrison carry me forward. “The End” played as the final song before I...

The post Black Hat Ignites Under Vegas Lights appeared first on Cyber Defense Magazine.

Is the Cyber Resilience Act the Biggest Thing to Hit Compliance Since GDPR?

There’s a lot of noise around compliance. New regulations seem to pop up every year, each promising to fix the ever-growing list of security problems that come with the digital...

The post Is the Cyber Resilience Act the Biggest Thing to Hit Compliance Since GDPR? appeared first on Cyber Defense Magazine.

CVE-2025-53770 & CVE-2025-53771: Critical On-Prem SharePoint Vulnerabilities

Key Takeaways

• Two zero-day vulnerabilities discovered in on-premise Microsoft SharePoint servers, tracked as CVE‑2025‑53770 and CVE‑2025‑53771.
• Affected versions include: Subscription Edition – KB5002768, SharePoint 2019 – KB5002754, SharePoint 2016 – KB5002760. 
• If exploited, these vulnerabilities could allow for remote code execution (RCE). 
• Cybereason has observed ongoing active exploitation attempts of these vulnerabilities through our Global SOC monitoring. 
• With this exploit, we recommend taking an “assume compromised” posture, immediately patching impacted versions, and conducting incident response historical look back. 

BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption

Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

Deploying NetSupport RAT via WordPress & ClickFix

In May 2025, Cybereason Global Security Operations Center (GSOC) detected that threat actors have been hosting malicious WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT). 

Introducing the Cybereason TTP Briefing: Frontline Threat Intelligence Insights

Gain insight into the latest attack trends, techniques, and procedures our Incident Response experts are actively facing with the brand new TTP Briefing, a report built on frontline threat intelligence from our global incident response (IR) investigations, enriched by noteworthy detections from our SOC. 

Ransomware Gangs Collapse as Qilin Seizes Control

The ransomware landscape is undergoing a turbulent realignment, marked by collapses, takeovers, and unexpected internal betrayals.

Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe

Cybereason issues Threat Alerts to inform customers of emerging impacting threats, critical vulnerabilities and attacker campaigns. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.

Genesis Market - Malicious Browser Extension

Cybereason GSOC has identified a malware infection exhibiting strong similarities to the previously reported Genesis Market malicious campaign that was dismantled by law enforcement in early 2023.

CVE-2025-32433: Unauthenticated RCE Vulnerability in Erlang/OTP’s SSH Implementation

Key Takeaways

• A critical vulnerability has been discovered in Erlang/OTP, tracked as CVE-2025-32433,  and has a CVSS score of 10 (critical). 
• This critical remote code execution (RCE) vulnerability affects the SSH server within the Erlang/OTP software platform.
• This vulnerability allows unauthenticated attackers to gain full system access by sending crafted SSH packets before any login or credentials are provided. 
• Systems running Erlang/OTP’s native SSH server are at risk and may be embedded in telecom, IoT, cloud platforms, databases, etc.
• We recommend patching impacted systems immediately. 

From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets

This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer".

A Class Above: Expert Support for Data Breach Class Action Defense

Between 2022 and 2024, data breach-related class actions in the United States surged by over 146%, with the top 10 settlements in 2024 averaging 15% higher than in 2023. As organizations grapple with increasingly aggressive litigation stemming from cybersecurity incidents, class action lawsuits have become a major risk vector—one that now rivals the breach itself in terms of financial, operational, and reputational impact, underscoring the importance of both proactive cybersecurity posture and a strong defensive strategy in litigation. Whether it’s demonstrating reasonable security practices or disputing claims of harm resulting from cybersecurity incidents, the involvement of technical experts has become critical.

How to spot a holiday shopping scam: Fake deals, trick surveys & bogus gift cards

Scammers, fraudsters, and phishers take advantage of every season. But the holiday shopping season - which includes Black Friday, Cyber Monday, and Christmas - may be their favorite.

As retailers rush to capitalize on what is generally their most profitable time of year, they will generally flood email boxes with great offers that are often time sensitive and may even seem too-good-to-be-true. Meanwhile, consumers also feel the urgency to get their shopping done, along with the stresses of work and family. Add in the financial pressure of an inflationary economy and the likelihood of making a quick mistake keeps increasing. Read on for some simple yet effective ways to ruin the scammers' fun as you celebrate the season of giving.

Soon�

Posted by Sean @ 12:52 GMT

Our "construction project" is progressing nicely.



And it should resolve this…



Fix mobile usability issues?

Translation: your site doesn't help us sell more Android phones and ads.

But whatever, the "issues" should be fixed soon enough.

On 18/08/15 At 12:52 PM

Work In Progress

Posted by Sean @ 13:25 GMT

Regular readers will have noticed it's been slow here of late.


Under Construction

We're finally undertaking an upgrade from Greymatter 1.7.3. This may be the world's oldest Greymatter blog… that will now change.

More info coming soon.

In the meantime, you can still catch us on Twitter.

On 13/08/15 At 01:25 PM

"IOS Crash Report" Update: Safari Adds Block Feature

Posted by Sean @ 09:53 GMT

Ask, and sometimes, you shall receive.

Last Friday, we wrote about call center scammers targeting iOS. And today, Apple released a new (beta) feature that should help.

Apple released iOS 9 Public Beta 2:



And it appears that one of Safari's new features allows people to block fraud-focused JavaScript.



We tested a scam-site and after a few attempts to dismiss the JavaScript dialog, Safari included a prompt to "Block Alerts". We were then easily able to close the page.

Kudos Apple! Looking forward to seeing this in iOS 9's general release.

Big hat tip to Rosyna Keller.

On 23/07/15 At 09:53 AM

Duke APT group's latest tools: cloud services and Linux support

Posted by Artturi @ 11:59 GMT

Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or "solutions" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux support added with the cross-platform SeaDuke malware

Last week, both Symantec and Palo Alto Networks published research on SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group. While older malware by the Duke group has always been written with a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or pyinstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect, that the Duke group is also using the same SeaDuke Python code to target Linux victims. This is the first time we have seen the Duke group employ malware to target Linux platforms.


An example of the cross-platform support found in SeaDuke.

A new set of solutions with the CloudDuke malware toolset

Last week, we also saw Palo Alto Networks and Kaspersky Labs publish research on malware components they respectively called MiniDionis and CloudLook. MiniDionis and CloudLook are both components of a larger malware toolset we call CloudDuke. This toolset consists of malware components that provide varying functionality while partially relying on a shared code framework and always using the same loader. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as "solutions" with names such as "DropperSolution", "BastionSolution" and "OneDriveSolution". A list of PDB strings we have observed is below:

� C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb
� c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb
� c:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb
� c:\OneDriveSolution\Shells\Projects\OneDrive2\OneDrive\obj\x64\Release\OneDrive.pdb

The first of the CloudDuke components we have observed is a downloader internally called "DropperSolution". The purpose of the downloader is to download and execute additional malware on the victim's system. In most observed cases, the downloader will attempt to connect to a compromised website to download an encrypted malicious payload which the downloader will decrypt and execute. Depending on the way the downloader has been configured, in some cases it may first attempt to log in to Microsoft's cloud storage service OneDrive and retrieve the payload from there. If no payload is available from OneDrive, the downloader will revert to the previously mentioned method of downloading from compromised websites.

We have also observed two distinct trojan components in the CloudDuke toolset. The first of these, internally called "BastionSolution", is the trojan that Palo Alto Networks described in their research into "MiniDionis". Interestingly, BastionSolution appears to functionally be an exact copy of SeaDuke with the only real difference being the choice of programming language. BastionSolution also makes significant use of a code framework that is apparently internally called "Z". This framework provides classes for functionality such as encryption, compression, randomization and network communications.


A list of classes in the BastionSolution trojan, including multiple classes from the "Z" framework.

Classes from the same "Z" framework, such as the encryption and randomization classes, are also used by the second trojan component of the CloudDuke toolset. This second component, internally called "OneDriveSolution", is especially interesting because it relies on Microsoft's cloud storage service OneDrive as its command and control channel. To achieve this, OneDriveSolution will attempt to log into OneDrive with a preconfigured username and password. If successful, OneDriveSolution will then proceed to copy data from the victim's computer to the OneDrive account. It will also search the OneDrive account for files containing commands for the malware to execute.


A list of classes in the OneDriveSolution trojan, including multiple classes from the "Z" framework.

All of the CloudDuke "solutions" use the same loader, a piece of code whose primary purpose is to decrypt the embedded, encrypted solution, load it in memory and execute it. The Duke group has often employed loaders for their malware but unlike the previous loaders they have used, the CloudDuke loader is much more versatile with support for multiple methods of loading and executing the final payload as well as the ability to write to disk and execute additional malware components.

CloudDuke spear-phishing campaigns and similarities with CozyDuke

CloudDuke has recently been spread via spear-phishing emails with targets reportedly including organizations such as the US Department of Defense. These spear-phising emails have contained links to compromised websites hosting zip archives that contain CloudDuke-laden executables. In most cases, executing these executables will have resulted in two additional files being written to the victim's hard disk. The first of these files has been a decoy, such as an audio file or a PDF file while the second one has been a CloudDuke loader embedding a CloudDuke downloader, the so-called "DropperSolution". In these cases, the victim has been presented with the decoy file while in the background the downloader has proceeded to download and execute one of the CloudDuke trojans, "OneDriveSolution" or "BastionSolution".


Example of one of the decoy documents employed in the CloudDuke spear-phishing campaigns. It has apparently been copied by the attackers from here.

Interestingly, however, some of the other CloudDuke spear-phishing campaigns we have observed this July have born a striking resemblance to CozyDuke spear-phishing campaigns seen almost exactly a year ago, in the beginning of July 2014. In both spear-phishing campaigns, the decoy document has been the exact same PDF file, a "US letter fax test page" (28d29c702fdf3c16f27b33f3e32687dd82185e8b). Similarly, the URLs hosting the malicious files have, in both campaigns, purported to be related to eFaxes. It is also interesting to note, that in the case of the CozyDuke-inspired CloudDuke spear-phishing campaign, the downloading and execution of the malicious archive linked to in the emails has not resulted in the execution of the CloudDuke downloader but in the execution of the "BastionSolution" component thereby skipping one step from the process described for the other CloudDuke spear-phishing campaigns.


The "US letter fax test page" decoy employed in both CloudDuke and CozyDuke spear-phishing campaigns.

Increasingly using cloud services to evade detection

CloudDuke is not the first time we have observed the Duke group use cloud services in general and Microsoft OneDrive specifically as part of their operations. Earlier this spring we released research on CozyDuke where we mentioned observing CozyDuke sometimes either directly use a OneDrive account to exfiltrate stolen data or alternatively CozyDuke downloading Visual Basic scripts that would copy stolen files to a OneDrive account and sometimes even retrieve files containing additional commands from the same OneDrive account.

In these previous cases the Duke group has only used OneDrive as a secondary communication channel but still relied on more traditional C&C channels for most of their actions. It is therefore interesting to note that CloudDuke actually enables the Duke group to rely solely on OneDrive for every step of their operation from downloading the actual trojan, passing commands to the trojan and finally exfiltrating stolen data.

By relying solely on 3rd party web services, such as OneDrive, as their command and control channel, we believe the Duke group is trying to better evade detection. Large amounts of data being transferred from an organization's network to an unknown web server easily raises suspicions. However, data being transferred to a popular cloud storage service is normal. What better way for an attacker to surreptitiously transfer large amounts of stolen data than the same way people are transferring that same data every day for legitimate reasons. (Coincidentally, the implications of 3rd party web services being used as command and control channels is also the subject of an upcoming talk at the VirusBulletin 2015 conference).

Directing limited resources towards evading detection and staying ahead of defenders

Developing even a single multipurpose malware toolset, never mind many, requires time and resources. Therefore it seems logical to attempt to reuse code such as supporting frameworks between different toolsets. The Duke group, however, appear to have taken this a step further with SeaDuke and the CloudDuke component BastionSolution, by rewriting the same code in multiple programming languages. This has the obvious benefits of saving time and resources by providing two malware toolsets, that while similar on the inside, appear completely different on the outside. This way, the discovery of one toolset does not immediately lead to the discovery of the second toolset.

The Duke group, long suspected of ties to the Russian state, have been running their espionage operation for an unusually long time and - especially lately - with unusual brazenness. These latest CloudDuke and SeaDuke campaigns appear to be a clear sign that the Duke's are not planning to stop any time soon.

Research and post by Artturi (@lehtior2)

F-Secure detects CloudDuke as Trojan:W32/CloudDuke.B and Trojan:W64/CloudDuke.B

Samples:

04299c0b549d4a46154e0a754dda2bc9e43dff76
2f53bfcd2016d506674d0a05852318f9e8188ee1
317bde14307d8777d613280546f47dd0ce54f95b
476099ea132bf16fa96a5f618cb44f87446e3b02
4800d67ea326e6d037198abd3d95f4ed59449313
52d44e936388b77a0afdb21b099cf83ed6cbaa6f
6a3c2ad9919ad09ef6cdffc80940286814a0aa2c
78fbdfa6ba2b1e3c8537be48d9efc0c47f417f3c
9f5b46ee0591d3f942ccaa9c950a8bff94aa7a0f
bfe26837da22f21451f0416aa9d241f98ff1c0f8
c16529dbc2987be3ac628b9b413106e5749999ed
cc15924d37e36060faa405e5fa8f6ca15a3cace2
dea6e89e36cf5a4a216e324983cc0b8f6c58eaa8
e33e6346da14931735e73f544949a57377c6b4a0
ed0cf362c0a9de96ce49c841aa55997b4777b326
f54f4e46f5f933a96650ca5123a4c41e115a9f61
f97c5e8d018207b1d546501fe2036adfbf774cfd

Compromised servers used for command and control:

hxxps://cognimuse.cs.ntua.gr/search.php
hxxps://portal.sbn.co.th/rss.php
hxxps://97.75.120.45/news/archive.php
hxxps://portal.sbn.co.th/rss.php
hxxps://58.80.109.59/plugins/search.php

Compromised websites used to host CloudDuke:

hxxp://flockfilmseries.com/eFax/incoming/5442.ZIP
hxxp://www.recordsmanagementservices.com/eFax/incoming/150721/5442.ZIP
hxxp://files.counseling.org/eFax/incoming/150721/5442.ZIP

On 22/07/15 At 11:59 AM

'Zero Days', The Documentary

Posted by Mikko @ 12:40 GMT

VPRO (the Dutch public broadcasting organization) produced a 45-minute documentary about hacking and the trade of zero days. The documentary has now been released in English on YouTube.



The documentary features Charlie Miller, Joshua Corman, Katie Moussouris, Ronald Prins, Dan Tentler, Eric Rabe (of Hacking Team), Felix Lindner, Rodrigo Branco, Ben Nagy, The Grugq, and many others.

On 20/07/15 At 12:40 PM

IOS Crash Report: Blocking "Pop-Ups" Doesn't Really Help

Posted by Sean @ 10:15 GMT

The Telegraph published an article on Thursday about a scam targeting iOS users. Here's the gist: scammers are using JavaScript generated dialogs to display warnings of so-called "IOS Crash" reports prompting people to call for tech support. Near the end of the Telegraph's article, the following advice is offered:

"To prevent the issue happening again, go to Settings -> Safari -> Block Pop-ups."

Unfortunately, this advice is incorrect. And perhaps even more unfortunately, some security and tech pundits are now repeating the bad advice on numerous websites. How do we know the advice is wrong? Because we actually tested it…

First of all, this "IOS Crash Report" scam is a variation of the technical support scam, cases of which have been documented as early as 2008. In the past, cold-calls originated directly from call centers in India. But more recently, web-based lures are used to prompt potential victims into contacting the scammers.

A Google Search returns several live scam sites with this text:

"Due to a third party application in your phone, IOS is crashed."

Here's one of the sites as viewed with iOS Safari on an iPad:



Safari's "Fraudulent Website Warning" and "Block Pop-ups" features didn't prevent the page from loading.

What looks like a pop-up on the image above is actually a JavaScript generated dialog. One which will continuously re-spawn itself and can be very difficult to dismiss. Turning off JavaScript in Safari is the quickest way to regain control. Unfortunately, leaving JavaScript disabled will significantly impact a large number of legitimate websites.

Here's the same site as viewed with Google Chrome for Windows:



Notice the additional text in the image above: prevent this page from creating additional dialogs. Current versions of Chrome and Firefox (for Windows, at least) will inject this option into re-spawning dialogs, allowing the user to break the loop. Sadly, Internet Explorer and Safari do not. (We tested with IE for Windows / Windows Phone, and iOS Safari.)

Wouldn't be great if all browsers supported this prevention feature?

Yeah, we think so, too.

But it's not just browsers, apps with browser functionality can also be affected.

Here's an example of a JavaScript dialog displayed via Cydia.



The end of the Telegraph's article included the following advice from City of London police:

"Never give your iCloud username and password or your bank details to someone over the phone."

Indeed! Giving somebody your iCloud password could quickly turn a support scam into a data hijacking and extortion scheme. We attempted to call several of the scammer telephone numbers to see if they would ask for our iCloud credentials — only to discover that the numbers we tried are currently not in service.

Hopefully they stay that way. (They won't.)

On 17/07/15 At 10:15 AM

Hacking Team 0-day Flash Wave with Exploit Kits

Posted by Patricia @ 12:29 GMT

After Hacking Team was compromised, a lot of information were publicly disclosed beginning 5th of July, particularly its business clients and a zero-day vulnerability for the Adobe Flash Player that they have been using.

Since the info about the first zero-day was made freely available, we knew attackers would swiftly move into using it. As expected, the flash exploit was integrated into exploit kits such as Angler, Magnitude, Nuclear, Neutrino, Rig, and HanJuan as reported by Kafeine.

Based on our telemetry, there was a rise in Flash exploits beginning 6th and continued until 9th.




Here are the stats for each exploit kit:




The security advisory for CVE-2015-5119 zero-day was released on 7th July and the patch was made available on 8th. So the hits started to decline about two days after the patch.

But just when people have started updating their systems, there was yet another spike from the Angler flash exploit hits:




Apparently, two more flash vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were discovered. These vulnerabilities are still waiting to be patched. According to Kafeine, one of the two vulnerabilities were added into the Angler exploit kit.

As a side note related to Angler exploit kit, if you noticed in the second chart above, Angler and HanJuan share the same statistics. This was due to the fact that our detections for Angler Flash exploits were also hitting on HanJuan Flash exploits.

We have verified this after discovering that there was a different URL pattern being detected by Angler:




We looked at the flash exploit used by both kits, and the two are very much identical.

Angler Flash Exploit:




HanJuan Flash Exploit:




There were already speculations that there seem to be strong connections between the actors behind the two exploits kits. For example, both have used �fileless� delivery of payload and even similar encryption methods. Perhaps at some point we will see HanJuan supporting this new flash 0 day as well.

In the meantime, since there hasn�t been a patch out yet for these new ones, our users remain protected from the effects of the exploit kits through Browsing Protection as well as these detections:

Exploit:SWF/AnglerEK.L
Exploit:SWF/NeutrinoEK.C
Exploit:SWF/NeutrinoEK.D
Exploit:SWF/NuclearEK.H
Exploit:SWF/NuclearEK.J
Exploit:SWF/Salama.H
Exploit:SWF/Salama.R
Exploit:JS/AnglerEK.D
Exploit:JS/NuclearEK.I
Exploit:JS/MagnitudeEK.A

UPDATE: Adobe has released patches for the recent two vulnerabilities: CVE-2015-5122 and CVE-2015-5123. Users are recommended to update to the latest version of Adobe Flash Player.

On 13/07/15 At 12:29 PM

The Trusted Internet: Who governs who gets to buy spyware from surveillance software companies?

Posted by FSLabs @ 02:31 GMT

When hackers get hacked, that's when secrets are uncovered. On July 5th, Italian-based surveillance technology company Hacking Team was hacked. The hackers released a 400GB torrent file with internal documents, source code, and emails to the public - including the company's client list of close to 60 customers.

The list included countries such as Sudan, Kazakhstan and Saudi Arabia - despite official company denials of doing business with oppressive regimes. The leaked documents strongly implied that in the South-East Asian region, government agencies from Singapore, Thailand and Malaysia had purchased their most advanced spyware, referred to as a Remote Control System (RCS).

According to security researchers Citizen Lab, this spyware is extraordinarily intrusive, with the ability to turn on microphone and cameras on mobile devices, intercept Skype and instant messages, and use an anonymizer network of proxy servers to prevent harvested information from being traced back to the command and control servers.

Based on images of the client list posted to pastebin the software was purchased in Malaysia by the Malaysia Anti-Corruption Commission (MACC), Malaysia Intelligence (MI) and the Prime Minister's Office (PMO):



Additional images of leaked invoices posted to medium.com indicated the spyware was sold through a locally-based Malaysian company named Miliserv Technologies (M) Sdb Bhd (registered with the Ministry of Finance Malaysia), which specializes in providing digital forensics, intelligent gathering and public security services:





Why the Prime Minister's Office would need surveillance software remains puzzling. Mind you, professional grade spyware ain't cheap - a license upgrade could cost you MYR400, 000 and maintenance renewal will set you back about MYR160,000.

According to reports of the incident in Malaysian alternative media, Malaysian government agencies have probably been using the spyware even before discovery of the FinFisher malware that was detected in the run-up to the 2013 General Elections.

Coincidentally, Malaysia has also been the frequent host of the annual ISS World Asia tradeshow, where companies promote their arsenal of 'lawful' surveillance software to law enforcement agencies, telco service provider or government employees. During the 2014 event, the Hacking Team was present and the associate lead sponsor of the event.

MiliServ Technologies is currently involved in the upcoming 2015 ISS World Asia in Kuala Lumpur. The event is invitation-only � though it may be interesting to see if Hacking Team will make it there this year.


Post by – Su Gim

On 08/07/15 At 02:31 AM

Problematic Wassenaar Definitions

Posted by Sean @ 13:25 GMT

The Wassenaar Arrangement, a multilateral export control regime, defines "intrusion software" as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device. Intrusion software is used to: extract data or information, or to modify system or user data; or to modify the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Wassenaar states that monitoring tools are software or hardware devices that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.


(Source)


So… what we at F-Secure (and the rest of the antivirus industry) call "malware" appears to easily fit Wassenaar's definition of intrusion software.

Why is this interesting?

Well, the US Bureau of Industry and Security (BIS), part of the US Department of Commerce, has proposed updating its rules to require a license for the export of intrusion software.

And according to the Dept of Commerce, "an export" is –any– item that is sent from the United States to a foreign destination. "Items" include among other things, software and technology.

The Paradox

So… if malware is intrusion software, and any item is an export, how exactly are US-based customers supposed to submit a malware sample to their European antivirus vendor? Seriously, customers send us zero-day using malware all the time. Not to mention the samples that we routinely exchange with other trusted AV vendors from around the globe.

Unintended Consequences

The text associated with the BIS proposal says the scope includes penetration testing products that use intrusion software in what looks like an attempt to limit "hacking" tools, but there is nothing about what is excluded from the scope. So the BIS might not intend to limit customers from uploading malware samples to their AV vendor, but that could be the effect if this new rule is adopted and arbitrarily enforced. Or else it could just force people to operate in a legal limbo. Is that what we want?

The BIS is taking comments until July 20th.

On 09/06/15 At 01:25 PM

Found Item: UK Wi-Fi Law?

Posted by Sean @ 13:27 GMT

I visited the UK last Thursday, found a coffee shop offering "free" Wi-Fi, and read this…

"UK Law states that we must know who is using our Wi-Fi at all times."

Now I'm not a lawyer — but that seems like quite the disingenuous claim.



Mobile number, post code, and date of birth??

I wonder how many people fall for this type of malarkey.

Post by — @Sean

On 08/06/15 At 01:27 PM

SMS Exploit Messages

Posted by Sean @ 13:56 GMT

There's an iOS vulnerability affecting iPhone, iPad, and even Apple Watch that allows for a denial of service.

Crashing a phone with an SMS? That's so 2008.


S60 SMS Exploit Messages

Unlike 2008, this time kids are reportedly using the vulnerability to harass others.

Apple is working on a security update. But unfortunately… that update very likely won't be available for older iPhones.

Updated to add:

Here's the "Effective Power" exploit crashing an iPhone 6:


Effective Power Unicode iOS hack on iPhone 6

And this… is Effective Power crashing the iOS Twitter app:


Effective Power Unicode iOS hack vs Twitter

On 28/05/15 At 01:56 PM

Ransomware Spam E-Mails Targeting Users in Italy and Spain

Posted by FSLabs @ 03:17 GMT

In the past few days, we received some cases from our customers in Italy and Spain, regarding malicious spam e-mails that pointed to Cryptowall or Cryptolocker ransomware.

The spam e-mails pretended to come from a courier/postal service, regarding a parcel that was waiting to be collected. The e-mails offer a link to track that parcel online:



When we did the initial investigation of the e-mails from our standard test system, the link redirected to Google:



So, no malicious behavior? Well, we noted that the first two URLs were PHP. Since PHP code is executed on the server side, not locally on the client, it is possible that the servers were 'deciding' whether to redirect the user to Google or to serve malicious content, based on some preset conditions.

Since this particular spam e-mail is written in Italian - perhaps only a customer based in Italy would be able to see the malicious payload? Fortunately, we have Freedome, so we can travel to Italy for a little while to experiment.

So we turned on Freedome, set the location to Milan and clicked the link in the e-mail again:



Now we see the bad stuff. If the user is (or appears to be) located in Italy, the server will redirect them to a malicious file hosted on a cloud storage server.

The e-mail spam sent to Spanish users is similar, though in those cases, a CAPTCHA challenge is included to make the site seem more authentic. If the link in the e-mail is clicked by a user located outside Spain, again we end up in Google:



If the site is visited instead from an Spanish IP, we get to the CAPTCHA screen:



And then to the malware itself:



This spam campaign doesn't use any exploits (so far), just old-fashioned social engineering; infection only occurs if the user manually downloads and executes the files offered on the malicious URLs. For our customers, the URLs are blocked and the files are detected.

(malware SHA1s: 483be8273333c83d904bfa30165ef396fde99bf2, 295042c167b278733b10b8f7ba1cb939bff3cb38)

Post by — Victor

On 19/05/15 At 03:17 AM

Mac Hack Demonstration

Posted by Sean @ 12:46 GMT

Securing your SSH password is very important. Otherwise, you might be pwned by a little girl with her Raspberry Pi.



Don't worry, it's an authorized hack, she asked her mom for permission.

On 15/05/15 At 12:46 PM

Email Security Considerations for Microsoft 365 Users

The post Email Security Considerations for Microsoft 365 Users appeared first on GreatHorn.

Email Security Considerations for Google Workspace Users

The post Email Security Considerations for Google Workspace Users appeared first on GreatHorn.

Show the Value of Your Email Security Solutions: Don’t Just Measure Detection Rates

The post Show the Value of Your Email Security Solutions: Don’t Just Measure Detection Rates appeared first on GreatHorn.

Universities and Colleges Face Multi-faceted Email Security Challenges

The post Universities and Colleges Face Multi-faceted Email Security Challenges appeared first on GreatHorn.

Spam vs Phish: The Problem with User-Reported Phish Buttons

The post Spam vs Phish: The Problem with User-Reported Phish Buttons appeared first on GreatHorn.

Phishing for Google Impersonation Attacks

Bad actors around the globe go phishing in emails twenty-four hours a day, seven days a week. Whether they are “guppies” like your local bakery down the street or big “fish” like Google, no one is immune to their attacks. Google, one of the largest, most well-known – and used – applications, will always be […]

The post Phishing for Google Impersonation Attacks appeared first on GreatHorn.

GMX.Net Phishing Campaigns: Why They’re Hitting Users’ Inboxes

The post GMX.Net Phishing Campaigns: Why They’re Hitting Users’ Inboxes appeared first on GreatHorn.

Native vs SEG vs ICES: What You Need to Know About Email Security

The shift from on-premise email platforms to cloud email platforms has taken shape, with the majority (70%) of organizations. Microsoft 365 and Google Workspace remain the predominant email platforms for organizations. However, a significant change has occurred in the past year. With an estimated 40% of ransomware attacks that start through email, and BEC and […]

The post Native vs SEG vs ICES: What You Need to Know About Email Security appeared first on GreatHorn.

Blueberry Muffins vs Blonde Chihuahuas: Debunking Artificial Intelligence in Email Security

In cybersecurity, buzzwords come and go, often being replaced with new buzzwords while the market is still attempting to realize the benefits of the former. Today, every technology vendor is talking about Artificial Intelligence (AI). In reality, Machine Learning (the method to one day achieve AI) is still the predominant technical solution deployed within vendor […]

The post Blueberry Muffins vs Blonde Chihuahuas: Debunking Artificial Intelligence in Email Security appeared first on GreatHorn.

Global Supply Chain: Attackers Targeting Business Deliveries

Our global supply chain includes all the people, companies and countries that need to work cohesively to manufacture, process and ship goods. Disruptions in the global supply chain are increasingly impacting organizations, with logistical problems crossing most industries.  As a result, the continued strain on the supply chain puts added pressure on businesses as they […]

The post Global Supply Chain: Attackers Targeting Business Deliveries appeared first on GreatHorn.

Colt Technology Services Breached – Warlock Gang Claims Attack

This week in cyber we’ve got a SaaS breach impacting Workday, a malicious ChatGPT app making the rounds, double trouble for telecom providers, and the takedown of a botnet-for-hire service. Cybersecurity Advisor Adam Pilton is here with useful insights on the attacks and safety advice. Workday SaaS Breach Sparks Third-Party Risk Concerns Workday has confirmed […]

The post Colt Technology Services Breached – Warlock Gang Claims Attack appeared first on Heimdal Security Blog.

Fortinet VPNs Under Coordinated Attack

Time for your Weekly Cyber Snapshot with Adam Pilton, former Cybercrime Investigator, currently Cybersecurity Advisor. The five major cyber stories this week go from North Korea’s cyber playbook getting leaked to the silent burnout creeping up on MSPs. Let’s go. North Korean Cyber Ops Get Hacked Hackers using the names Saber and Cyborg claim to […]

The post Fortinet VPNs Under Coordinated Attack appeared first on Heimdal Security Blog.

Attack Surface Management: Why MSPs Don’t Need Another Tool

MSPs are being told they need dedicated attack surface management solutions when what they really need is better visibility from the tools they already have. The security industry keeps introducing new categories of tools that promise to solve visibility problems. Attack Surface Management is the latest. But for most MSPs, adding another specialized platform creates […]

The post Attack Surface Management: Why MSPs Don’t Need Another Tool appeared first on Heimdal Security Blog.

Should MSPs Stop Chasing Leads and Start Solving Problems?

What I learned from listening to an engineer who spent six years burning money before discovering the truth about MSP sales. “I was afraid of sales. I was afraid of rejection. I was afraid of someone saying no to me. But that slippery slope led to complete failure.” Michael Bakaic laughing about it now, but […]

The post Should MSPs Stop Chasing Leads and Start Solving Problems? appeared first on Heimdal Security Blog.

Agent Fatigue Crisis Hits 89% of MSPs as Security Tools Backfire

COPENHAGEN, Denmark  – August 11, 2025 – Security tools meant to protect managed service providers are instead overwhelming them. A new study from Heimdal and FutureSafe reveals that 89% of MSPs struggle with tool integration while 56% experience alert fatigue daily or weekly. The research exposes a dangerous paradox. MSPs experiencing high alert fatigue are […]

The post Agent Fatigue Crisis Hits 89% of MSPs as Security Tools Backfire appeared first on Heimdal Security Blog.

Complete Protection Guide for Cybersecurity in Energy and Utilities

In May 2023, hackers struck 22 Danish energy companies simultaneously. The coordinated attack breached Denmark’s critical infrastructure in just days, potentially linked to Russia’s Sandworm group. Attackers exploited firewall vulnerabilities with surgical precision, forcing energy companies to disconnect from the national grid and operate in emergency “island mode.” This attack reveals how cyber threats have […]

The post Complete Protection Guide for Cybersecurity in Energy and Utilities appeared first on Heimdal Security Blog.

The MSP Who Paid His Client’s Ransom and Tripled His Business

Most MSPs will tell you their worst nightmare is getting a call that a client has been breached. Dan Di Pisa lived that nightmare and then did something extraordinary. He paid his client’s $30,000 ransom demand out of his own pocket. The result? He tripled Fusion Cyber Group’s revenue in two to three years without […]

The post The MSP Who Paid His Client’s Ransom and Tripled His Business appeared first on Heimdal Security Blog.

Your Protection Guide For Cybersecurity in Manufacturing

Cybersecurity in manufacturing businesses is unique. The sector faces several challenges that other industries don’t have to contend with. And the impacts of any disruption are unusually high.  What is more, manufacturers are increasingly finding themselves in the crosshairs of cybercriminals. In 2024, there was a 71% increase in attacks targeting the sector.  In this […]

The post Your Protection Guide For Cybersecurity in Manufacturing appeared first on Heimdal Security Blog.

Your Protection Guide for Cybersecurity in Retail and Ecommerce

It’s surely the biggest fear of any e-commerce site manager. You try logging into your CRM, CMS or inventory management system one morning, only to be greeted by a ransomware note:  “Your system has been locked. Pay into this crypto wallet to release your data”.  Ecommerce and retail businesses face a range of unique threats […]

The post Your Protection Guide for Cybersecurity in Retail and Ecommerce appeared first on Heimdal Security Blog.

Attack Surface Management Software: Top 10 Vendors

Key Takeaways: What is attack surface management? Why is attack surface management important? What are the best ASM vendors? Over the last few years, attack surface management (ASM) has become an increasingly common category within cybersecurity. The term describes a set of tools that help organizations to identify their IT assets and the vulnerabilities associated […]

The post Attack Surface Management Software: Top 10 Vendors appeared first on Heimdal Security Blog.

Scattered Spider Breached Allianz Life – How to Prevent This Threat

Scattered Spider is on the news again – this time they breached Allianz Life. This week’s headlines range from ransomware-ready flaws to physical CCTV vulnerabilities, cloud outages, insurance data breaches, and unfinished patch jobs. Follow cybersecurity advisor Adam Pilton to find out what were the most important threats of the week and how you can […]

The post Scattered Spider Breached Allianz Life – How to Prevent This Threat appeared first on Heimdal Security Blog.

AI impersonation scams are exploding: Here’s how to spot and stop them

The conversational AI market is exploding. Grand View Research suggests it’s set to jump from $11.58 billion in 2024 to $41.39 billion by 2030, a massive 23.7% annual growth rate. While businesses use AI to boost customer service, cybercriminals are jumping in too, launching slick impersonation scams. These scams are spreading fast. A report from […]

The post AI impersonation scams are exploding: Here’s how to spot and stop them appeared first on Heimdal Security Blog.

Microsoft SharePoint Zero-Day Disrupts Servers Worldwide

Hey, it’s that time of week again. Cybersecurity Advisor Adam Pilton rips through the five biggest cyber headlines shaking up the internet right now. From a critical SharePoint zero-day vulnerability to ransomware policy overhauls he explains what happened and gives you the actionable steps you need to stay safe. SharePoint zero-day (CVE-2025-53770) under active exploitation […]

The post Microsoft SharePoint Zero-Day Disrupts Servers Worldwide appeared first on Heimdal Security Blog.

Heimdal® Achieves Fifth Consecutive ISAE 3000 SOC 2 Type II Certification

COPENHAGEN, Denmark, July 23, 2025 – Heimdal is proud to announce that it has once again secured the ISAE 3000 SOC 2 Type II certification, marking the fifth consecutive achievement of this rigorous accreditation. This milestone reflects Heimdal’s long‑standing commitment to data security, operational integrity, and transparency for all customers. Why independent verification matters As […]

The post Heimdal® Achieves Fifth Consecutive ISAE 3000 SOC 2 Type II Certification appeared first on Heimdal Security Blog.

Inside the Heimdal Labs Deep Dive: A Closer Look at Remote Access Protection

Cybercriminals don’t break in, they log in. From exposed RDP ports to compromised VPN credentials and abused remote tools, remote access remains one of the most common and dangerous entry points for threat actors. It’s the silent doorway that, once opened, can lead to full domain compromise, data exfiltration, and devastating ransomware attacks. That’s why […]

The post Inside the Heimdal Labs Deep Dive: A Closer Look at Remote Access Protection appeared first on Heimdal Security Blog.

ISC Stormcast For Friday, August 29th, 2025 https://isc.sans.edu/podcastdetail/9592, (Fri, Aug 29th)

No summary available.

Increasing Searches for ZIP Files, (Thu, Aug 28th)

I noticed recently that we have more and more requests for ZIP files in our web honeypot logs. Over the last year, we have had a substantial increase in these requests.

ISC Stormcast For Thursday, August 28th, 2025 https://isc.sans.edu/podcastdetail/9590, (Thu, Aug 28th)

No summary available.

Interesting Technique to Launch a Shellcode, (Wed, Aug 27th)

In most attack scenarios, attackers have to perform a crucial operation: to load a shellcode in memory and execute it. This is often performed in a three-step process:

ISC Stormcast For Wednesday, August 27th, 2025 https://isc.sans.edu/podcastdetail/9588, (Wed, Aug 27th)

No summary available.

Getting a Better Handle on International Domain Names and Punycode, (Tue, Aug 26th)

International domain names (IDN) continue to be an interesting topic. For the most part, they are probably less of an issue than some people make them out to be, given that popular browsers like Google Chrome are pretty selective in displaying them. But on the other hand, they are still used legitimately or not, and keeping a handle on them is interesting.

ISC Stormcast For Tuesday, August 26th, 2025 https://isc.sans.edu/podcastdetail/9586, (Tue, Aug 26th)

No summary available.

ISC Stormcast For Monday, August 25th, 2025 https://isc.sans.edu/podcastdetail/9584, (Mon, Aug 25th)

No summary available.

Reading Location Position Value in Microsoft Word Documents, (Mon, Aug 25th)

While studying for the GX-FE &#;x26;#;x5b;1&#;x26;#;x5d;, I started exploring the "Position" value in the registry that helps to tell Microsoft Word where you "left off". It&#;x26;#;39;s a feature many people that use Word have seen on numerous occasions and is explored in FOR500: Windows Forensic Analysis &#;x26;#;x5b;2&#;x26;#;x5d;.

The end of an era: Properly formated IP addresses in all of our data., (Sun, Aug 24th)

The Internet Storm Center and DShield websites are about 25 years old. Back in the day, I made some questionable decisions that I have never quite cleaned up later. One of these decisions was to use a "15 character 0-padded" format for IP addresses. This format padded each byte in the IP address with leading 0&#;x26;#;39;s, ensuring that they were all 15 characters long (including the &#;x26;#;39;.&#;x26;#;39;).

New Phishing Kit Bypasses MFA to Steal Microsoft 365 Credentials

Attackers are using a newly discovered phishing-as-a-service (PhaaS) platform dubbed “Salty 2FA” to target a wide range of industries across North America and Europe, according to researchers at ANYRUN.

Report: Cybercriminals are Hiring Social Engineering Talent

ReliaQuest has published a report on the cybercriminal recruitment ecosystem, finding that fluent English speakers with social engineering skills are highly sought-after.

Back to School: Cybersecurity Education for All Ages

By: John N Just, Ed.D. & Ben Syn

It’s that exhilarating time of year again! Summer is winding down, and the back-to-school season is in full swing—a truly fantastic time to focus on the power of education, not just in the traditional sense, but especially in the ever-evolving digital world.

CyberheistNews Vol 15 #34 [Watch Out] That Urgent Payroll Update Alert? It's a Phishing Attack

Threat Actors Are Increasingly Abusing Generative AI Tools for Phishing

Cybercriminals are increasingly abusing AI-assisted website generators to quickly craft convincing phishing sites, according to researchers at Palo Alto Networks’ Unit 42.

The Technical Sophistication Behind the "Free" Gift Scam: Evading Detection

Below is an example of a sophisticated survey scam phishing email that KnowBe4’s Threat Lab team has been monitoring as discussed in “The Hidden Cost of "Free" Gifts: How Survey Scams Are Evolving to Steal Financial Data”.

The Hidden Cost of "Free" Gifts: How Survey Scams Are Evolving to Steal Financial Data

You've probably seen them: enticing online offers for free products from brands you trust, like a Yeti beach chair from Costco or an emergency car kit from AAA.

Warning: Social Engineering is a Growing Threat to the Industrial Sector

Social engineering attacks are a growing threat to operational technology (OT) environments, Industrial Cyber reports.

Phishing Attacks Target Brokerage Accounts to Manipulate Stock Prices

Professional phishing groups are targeting customers of brokerage firms in order to manipulate stock prices, KrebsOnSecurity reports. The attackers use a technique called “ramp and dump” to profit from the scheme.

New Homoglyph Phishing Campaign Impersonates Booking.com

Attackers are using a Japanese Unicode character to replace forward slashes in phishing URLs, BleepingComputer reports.

News alert: Halo Security’s custom dashboards give security teams control while streamlining workflows

Miami, Aug. 28, 2025, CyberNewswire — Halo Security, a leading provider of external risk management solutions, today announced significant platform enhancements designed to give security teams greater flexibility and control within the platform.

The new features include custom dashboards, … (more…)

The post News alert: Halo Security’s custom dashboards give security teams control while streamlining workflows first appeared on The Last Watchdog.

News alert: SquareX finds browser flaw undermining passkeys while exposing banking and SaaS apps

Palo Alto, Calif., Aug. 28, 2025, CyberNewswire — It is no secret that passwords are highly susceptible to phishing and brute force attacks.

This led to the mass adoption of passkeys, a passwordless authentication method leveraging cryptographic key pairs that … (more…)

The post News alert: SquareX finds browser flaw undermining passkeys while exposing banking and SaaS apps first appeared on The Last Watchdog.

News alert: Global security leaders to convene at OpenSSL 2025 — final week for early-bird rates

Newark, N.J., Aug. 25, 2025, CyberNewwire — Only 7 days left to secure the Early Bird registration at the OpenSSL Conference 2025, October 7 – 9 in Prague.

The event will bring together lawyers, regulators, developers, and entrepreneurs to … (more…)

The post News alert: Global security leaders to convene at OpenSSL 2025 — final week for early-bird rates first appeared on The Last Watchdog.

News alert: Attaxion launches agentless traffic monitoring to flag threats and prioritize risk

Dover, Del., Aug. 25, 2025, CyberNewswire—Attaxion announces the addition of the Agentless Traffic Monitoring capability to its exposure management platform.

Agentless Traffic Monitoring is a new capability designed to give cybersecurity teams actionable visibility into network traffic flowing to … (more…)

The post News alert: Attaxion launches agentless traffic monitoring to flag threats and prioritize risk first appeared on The Last Watchdog.

News alert: Link11 warns of rising API and bot attacks, launches integrated WAAP platform

Frankfurt, Germany, Aug. 20, 2025, CyberNewswire — Link11, a Germany-based global IT security provider, has released insights into the evolving cybersecurity threat landscape and announced the capabilities of its Web Application and API  (WAAP) platform, designed to provide multi-layered … (more…)

The post News alert: Link11 warns of rising API and bot attacks, launches integrated WAAP platform first appeared on The Last Watchdog.

BLACK HAT FIRESIDE CHAT: Straiker extends ‘red teaming’ to the AI layer as AI attacks surge

The enterprise software model that defined the past two decades — SaaS — is being rapidly eclipsed by a new center of gravity: AI-native systems. These are autonomous agents wired directly into company data, tools, and workflows.

Related: LLMs fuel … (more…)

The post BLACK HAT FIRESIDE CHAT: Straiker extends ‘red teaming’ to the AI layer as AI attacks surge first appeared on The Last Watchdog.

EMERGING TRENDS Q&A: Pentesting goes continuous as Plainsea joins wave reshaping security

Penetration testing has long served as a cornerstone of cybersecurity—a red-team exercise, often once or twice a year, designed to surface exploitable weaknesses. But in today’s dynamic threat landscape, that model is showing its age.

Related: Pentesting in the AI … (more…)

The post EMERGING TRENDS Q&A: Pentesting goes continuous as Plainsea joins wave reshaping security first appeared on The Last Watchdog.

SHARED INTEL Q&A: Rethinking Zero Trust to close the widening gap on file-borne threats

For years, “Zero Trust” has reshaped cybersecurity architecture — pushing organizations to move beyond the perimeter and reframe everything around identity, access control, and segmentation.

Related: The Zero-Trust revolution

These shifts are overdue. But as the frameworks mature, a critical … (more…)

The post SHARED INTEL Q&A: Rethinking Zero Trust to close the widening gap on file-borne threats first appeared on The Last Watchdog.

CRITICAL INSIGHT Q&A: The high-stakes push to safeguard ‘FirstNet’ broadband spectrum

First responders have long depended on calling for backup and clearing the airwaves. Since its launch in 2018, FirstNet—America’s public safety broadband network—has become indispensable.

Related: The FirstNet petition

With over 7.5 million connections, support for more than 30,000 … (more…)

The post CRITICAL INSIGHT Q&A: The high-stakes push to safeguard ‘FirstNet’ broadband spectrum first appeared on The Last Watchdog.

Black Hat Fireside Chat: Automation takes center stage as TLS lifespans grow ever shorter

The countdown is on for security teams still managing digital certificates with spreadsheets and manual workarounds.

Related: Preparing for the quantum future

Starting in 2026, TLS certificate lifespans will begin dropping sharply — from 398 days to just 47 by … (more…)

The post Black Hat Fireside Chat: Automation takes center stage as TLS lifespans grow ever shorter first appeared on The Last Watchdog.

Microsoft wants to automatically save your Word docs to the cloud

Microsoft is rolling out a feature that defaults to saving your documents to the cloud. Consumers are divided.

“No place in our networks”: FCC hangs up on thousands of voice operators in robocall war

The FCC has disconnected over a thousand voice operators from the public telephone network for not doing their part to stop robocallers.

Claude AI chatbot abused to launch “cybercrime spree”

Anthropic—maker of AI coding chatbot Claude—says cybercriminals have abused Claude to automate and orchestrate sophisticated attacks.

Developer verification: a promised lift for Android security

To reduce the number of harmful apps targeting Android users, Google is making some changes.

More vulnerable stalkerware victims’ data exposed in new TheTruthSpy flaw

TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system.

77 malicious apps removed from Google Play Store

Researchers have found 77 malicious apps in the official Google Play Store, ranging from adware to state of the art banking Trojans.

AI browsers could leave users penniless: A prompt injection warning

Prompt injection attacks could be coming to an AI browser near you. Read on to understand what these attacks do and how to stay safe.

A week in security (August 18 – August 24)

A list of topics we covered in the week of August 18 to August 24 of 2025

How a scam hunter got scammed (Lock and Code S06E17)

This week on the Lock and Code podcast, we speak with Julie-Anne Kearns about what it felt like, as a scam hunter, to fall for a scam.

Clickjack attack steals password managers’ secrets

A clickjack attack was revealed this summer that can steal the credentials from password managers that are integrated into web browsers.

Grok chats show up in Google searches

Grok AI chats that users wanted to share with individual people were in fact shared with the broader web and searchable by everyone.

All Apple users should update after company patches zero-day vulnerability in all platforms

Apple has released security updates to patch a zero-day vulnerability tracked as CVE-2025-43300 for all platforms

Google settles YouTube lawsuit over kids’ privacy invasion and data collection

Google has settled a lawsuit against YouTube for $30 million but did not admit collecting the data of minors for targeted advertising.

AI-powered stuffed animals: A good alternative for screen time?

Startups are ready to bring AI powered toys to the market as an alternative for screen time. But is that really progress?

How to spot the latest fake Gmail security alerts

Fake Gmail security alerts are tricking users into inadvertently handing over control of their accounts to scammers. Here's what to look for.

Instagram Map: What is it and how do I control it?

Meta has introduced Instagram Map. How can you control what others can see about your location? An explainer.

A week in security (August 11 – August 17)

A list of topics we covered in the week of August 11 to August 17 of 2025

Italian hotels breached for tens of thousands of scanned IDs

A cybercriminal was found selling scanned IDs that were stolen from guests at Italian hotels on underground forums, warned CERT-AGID.

National Public Data returns after massive Social Security Number leak

National Public Data has changed ownership. Does this mean your personal information has changed hands too?

Romance scammers in Ghana charged with more than $100 million in theft

Four men from Ghana were extradited for their alleged role in stealing more than $100 million through romance scams and BEC.

Cyber Essentials: The 5 Cost-Effective Security Controls Everyone Needs

Cyber Essentials is a UK government scheme that outlines steps organisations can take to secure their systems. It contains five controls that cover the basics of effective information and cyber security. Anyone familiar with the scheme can implement the controls, regardless of their information security knowledge. And although the controls are only basic – not to mention economical – they’re hugely beneficial to anyone who certifies. If implemented correctly, these five technical controls can prevent about 80% of cyber attacks. This blog explains the five Cyber Essentials controls and how they keep organisations safe. In this blog How does Cyber

The post Cyber Essentials: The 5 Cost-Effective Security Controls Everyone Needs appeared first on IT Governance Blog.

Nine Steps to SOC 2 Compliance – Including a SOC 2 Readiness Checklist

SOC (System and Organization Controls) audits provide an independent assessment of the risks associated with using service organisations and other third parties. SOC 2 audits assess service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). A SOC 2 report is generally aimed at existing or prospective clients, and is used to assess how well an organisation safeguards customer data and how effectively its internal controls operate. This blog outlines nine steps that will help you understand what SOC 2 requires, prepare your controls and documentation, and approach your

The post Nine Steps to SOC 2 Compliance – Including a SOC 2 Readiness Checklist appeared first on IT Governance Blog.

Global Data Breaches and Cyber Attacks in July 2025

Summary Total number of incidents disclosed: 29 Total number of known breached records: 14.9 million Welcome to another monthly round-up of monthly cyber attack and data breach news. At least 29 publicly disclosed incidents were reported worldwide in July 2025, spanning sectors from retail and travel to telecoms, healthcare, government and cryptocurrency. Based on confirmed figures, a minimum of 14.9 million records were breached this month. This is a lower-bound figure, as several major incidents did not provide confirmed counts but likely involved significant volumes of personal data. Top 5 incidents by number of records affected 1. Co-op (update) 2. Qantas

The post Global Data Breaches and Cyber Attacks in July 2025 appeared first on IT Governance Blog.

Data Protection Enforcement: Your Cookie Compliance Questions Answered

ICO cookie compliance crackdown Earlier this year, the ICO (Information Commissioner’s Office) announced its intention to tackle cookie compliance across the UK’s top 1,000 websites. We were subsequently contacted by a company that operates one of those websites and which the ICO had contacted about its cookie compliance. The ICO gave the company two weeks’ notice to rectify its cookie compliance before reviewing the site and, if necessary, taking action. So, we performed a cookie compliance assessment on the website to help the company ensure its compliance ahead of the ICO’s review. Our recent webinar Cookie Law in 2025: What

The post Data Protection Enforcement: Your Cookie Compliance Questions Answered appeared first on IT Governance Blog.

A Guide to TOMs (technical and organisational measures) under the GDPR

The GDPR (General Data Protection Regulation) references “appropriate technical and organisational measures” nearly 100 times – yet it stops short of providing a precise definition of the term. This article examines what TOMs are, how they align with the GDPR’s overall objectives, what kinds of controls they typically involve, and how to ensure they’re “appropriate”. What are technical and organisational measures? The GDPR requires data controllers and processors to implement security controls to safeguard personal data against unauthorised access, alteration or destruction. These safeguards are known collectively as technical and organisational measures, or TOMs. TOMs are controls that reduce the

The post A Guide to TOMs (technical and organisational measures) under the GDPR appeared first on IT Governance Blog.

What are the Different Types of Penetration Test?

And how do you choose the right one for your needs? Penetration testing (also known as ‘pen testing’ or ‘ethical hacking’) offers a vital tool for identifying gaps and opportunities to strengthen your security programme. We asked our head of security testing, James Pickard, to explain the different types of test. In this interview Is your security programme effective? Hi James. What are key challenges when implementing a security programme? Resources and costs are often top of the list. Many organisations have a tight budget for security, and lack in-house specialist skills – which doesn’t combine well with the fact

The post What are the Different Types of Penetration Test? appeared first on IT Governance Blog.

The Six Data Processing Principles of the UK GDPR Explained

Article 5 of the UK GDPR (General Data Protection Regulation) sets out six key data processing principles – sometimes informally referred to as data protection principles. These underpin all personal data processing and serve as a practical framework for ensuring compliance. This blog post outlines each of the six principles, explains how they apply in practice and offers guidance on how to demonstrate compliance. What are the GDPR data processing principles? Lawfulness, fairness and transparency Organisations must process personal data in a way that is: These obligations require you to think about how you collect data, what individuals are told

The post The Six Data Processing Principles of the UK GDPR Explained appeared first on IT Governance Blog.

The 4 CRISC Domains Explained

The CRISC® (Certified in Risk and Information Systems Control®) certification from ISACA® is a globally recognised credential for IT and business professionals. Launched in 2010, it has become the benchmark for validating expertise in enterprise risk governance and control management. CRISC is aimed at those operating in or aspiring to work in IT risk management roles, such as risk analysts, control professionals, IT managers and compliance officers. It bridges technical knowledge and strategic risk governance capability. Over 30,000 professionals hold CRISC certifications today. What are the 4 CRISC domains? The CRISC exam tests candidates across four domains, structured to reflect

The post The 4 CRISC Domains Explained appeared first on IT Governance Blog.

What Are ISO 27017 and ISO 27018, and What Are Their Controls?

Extending your ISMS to address Cloud security risks ISO 27001 sets out the specification for an ISMS (information security management system). But did you know you can extend your ISO 27001 ISMS to cover specific aspects of Cloud security? Let’s take a closer look at both ISO 27017 and ISO 27018. Note: The current versions of ISO 27017 and ISO 27018, ISO/IEC 27017:2015 and ISO/IEC 27018:2019, are aligned to the previous (2013) edition of ISO 27002. The ISO 27001:2022 standard completely reorganises the control set, adding 11 new controls, including 5.23: Information security for use of Cloud services. No old

The post What Are ISO 27017 and ISO 27018, and What Are Their Controls? appeared first on IT Governance Blog.

The 9 CISMP Domains Explained

The CISMP (Certificate in Information Security Management Principles) is one of the UK’s most widely recognised entry-level qualifications for information security professionals. Accredited by BCS, The Chartered Institute for IT, it provides a comprehensive foundation in cyber security and information security management. CISMP is designed for individuals working in, or aspiring to work in, security-related roles – particularly those seeking to progress into management or governance positions. It is also suitable for business professionals who need a broader understanding of information security as part of their wider operational responsibilities. It is frequently cited as the first step towards more advanced

The post The 9 CISMP Domains Explained appeared first on IT Governance Blog.