Daily Security Review

410 episodes — Page 2 of 9

Ep 284: Jaguar Land Rover Cyberattack Fallout: £1.5B UK Bailout Sparks Fears of More Attacks

Jaguar Land Rover (JLR), one of the UK’s largest exporters and a key anchor of the nation’s automotive supply chain, has been brought to the brink by a devastating cyberattack. With production lines halted, digital operations crippled, and a data breach confirmed, the UK government stepped in with a massive £1.5 billion support package to stabilize JLR’s finances and protect the 120,000 jobs connected to its supply chain. But the intervention raises serious questions: Did the lack of cyberinsurance and outsourced IT security make JLR uniquely vulnerable? Did reliance on Tata Consultancy Services (TCS)—already linked to other Scattered Spider victims—create a systemic weak point? And most importantly, does a government-backed rescue risk creating a dangerous incentive for cybercriminals to double down on targeting UK companies? In this episode, we break down how JLR’s digital collapse triggered state-level intervention, why experts warn of a “moral hazard” for the future threat landscape, and what this means for corporate leaders, supply chain managers, and the broader UK economy. #JaguarLandRover #Cyberattack #ScatteredSpider #SupplyChain #Cybersecurity #UKGovernment #Bailout #AutomotiveIndustry #DataBreach #Cyberinsurance

Sep 30, 2025 · 27 min

Ep 283: CISA’s Sunset Clause: What Happens if America’s Cyber Threat Shield Expires?

The Cybersecurity Information Sharing Act (CISA), first enacted in 2015, is facing a critical expiration deadline in September 2025. Without reauthorization, the law that shields companies from liability when sharing cyber threat data with the federal government and industry peers will vanish, leaving organizations exposed to lawsuits and reputational risks. This episode dives deep into the high-stakes debate surrounding CISA’s renewal, exploring how the law enables a “whole animal” view of cyber threats by combining fragmented intelligence from multiple companies. We’ll examine the political roadblocks in Congress, including competing legislative priorities like the debt ceiling and demands for civil liberties amendments, that threaten to delay or derail renewal. Experts warn that even if CISA is eventually renewed—possibly retroactively—the lapse could create a dangerous “period of limbo” where companies pull back from sharing critical threat intelligence. We’ll also assess the broader operational consequences: siloed defenses, weakened national resilience, and heightened burdens on CISOs and security teams. Finally, we discuss why some see this moment as an opportunity to modernize the framework for today’s expanded digital and AI-driven threat landscape. #CISA #Cybersecurity #ThreatIntelligence #InformationSharing #Congress #NationalSecurity #RiskManagement #AI #CyberLaw

Sep 30, 2025 · 24 min

Ep 282: Crypto Theft on macOS: XCSSET Malware Swaps Wallet Addresses in Real Time

A new and more dangerous variant of the XCSSET macOS malware has been uncovered by Microsoft, revealing an expanded arsenal of capabilities aimed at financial theft and deeper system compromise. Originally known for spreading through malicious Xcode projects, XCSSET has steadily evolved into one of the most persistent malware families targeting Apple’s ecosystem. The latest analysis highlights a refined four-stage infection chain that culminates in the deployment of a powerful AppleScript payload. This payload actively monitors the system clipboard for cryptocurrency wallet addresses and silently swaps them for attacker-controlled addresses—allowing hackers to hijack transactions in real time. Beyond crypto theft, the malware introduces a dedicated info-stealer module for the Firefox browser, adapted from the HackBrowserData project, which enables the theft of passwords, credit card details, browsing history, and cookies. Even more concerning are the malware’s persistence and evasion tactics. It sets up LaunchDaemons to survive reboots, disables macOS security updates—including Rapid Security Response patches—and disguises itself as a fake System Settings app to blend in with normal user activity. These techniques allow it to remain undetected while siphoning off sensitive data and financial assets. Microsoft’s discovery underscores the sophistication of XCSSET’s evolution and the need for vigilance in the macOS community. Working with Apple and GitHub, the company has helped take down repositories distributing the malware, but attacks are ongoing. This latest wave of XCSSET marks a shift toward direct financial exploitation, proving that macOS is far from immune to advanced cyber threats. #XCSSET #macOS #Malware #MicrosoftSecurity #CryptoHijacking #Firefox #Xcode #Cybersecurity #ClipboardHijacking #InfoStealer #Persistence #ThreatIntel

Sep 30, 2025 · 23 min

Ep 281: Nine High-Severity Vulnerabilities Expose Cognex Legacy Cameras to Cyber Threats

Cybersecurity researchers at Nozomi Networks have uncovered nine high-severity vulnerabilities in several older models of Cognex industrial cameras, including the widely deployed In-Sight 2000, 7000, 8000, and 9000 series. These machine vision systems are vital for modern manufacturing—guiding robots, inspecting products, and ensuring quality control—but the flaws introduce significant risks ranging from hardcoded passwords and authentication bypasses to privilege escalation and denial-of-service attacks. The most concerning detail is that Cognex will not be releasing patches for these vulnerabilities, labeling the affected cameras as “legacy” systems no longer supported for new applications. Yet, these cameras remain active in countless industrial environments worldwide, creating a dangerous gap between vendor policy and operational reality. Without patches, companies are forced to rely on defensive measures like strict network segmentation, limiting exposure, and securing remote access through VPNs. While the vulnerabilities cannot be directly exploited over the internet, an attacker with access to the internal network could intercept credentials, escalate privileges, or disrupt operations—posing serious risks to production lines. The Cybersecurity and Infrastructure Security Agency (CISA) has echoed the call for immediate mitigations, stressing that organizations must adopt compensating controls now while planning long-term migrations to supported models. This episode explores how legacy systems in critical manufacturing create enduring vulnerabilities, why vendor support policies can leave organizations exposed, and what steps asset owners must take to reduce the risk of operational disruption. #Cognex #IndustrialCybersecurity #ICS #Vulnerabilities #Manufacturing #NozomiNetworks #CISA #LegacySystems #MachineVision #CriticalInfrastructure

Sep 29, 2025 · 26 min

Ep 281: Microsoft Cuts Services to Israeli Military Unit After Surveillance Revelations

Microsoft has taken the unprecedented step of cutting off services to an Israeli military unit after internal and external investigations revealed its cloud and AI products were being used for mass surveillance of Palestinians in Gaza and the West Bank. This dramatic reversal came only after sustained reporting by The Associated Press and The Guardian, which uncovered that Israel’s elite cyber intelligence branch, Unit 8200, had dramatically escalated its use of Microsoft Azure services for intelligence gathering and targeting operations. The Associated Press first reported that Microsoft’s systems were being used to process and translate millions of communications for military purposes, sparking questions about how the company’s products were deployed in the conflict. Microsoft initially defended itself, claiming “no evidence” of misuse. But when The Guardian revealed direct ties between Unit 8200 leadership and CEO Satya Nadella, along with evidence that Microsoft cloud data centers in Europe were storing mass surveillance records, the company could no longer deny the reality. Following a second, independent review, Microsoft confirmed violations of its terms of service and disabled access for the unnamed unit. However, critics say this is only a partial victory, as most of Microsoft’s contracts with the Israeli military remain untouched. For activists, the move is a rare but powerful example of how investigative journalism can force accountability from even the largest corporations, while for Israel’s defense establishment, it is seen as a symbolic gesture with little operational impact. This episode examines how the press held Microsoft to account, how corporate technology fuels modern warfare, and why this decision is being hailed as both groundbreaking and insufficient at the same time. #Microsoft #Unit8200 #Palestine #Gaza #Surveillance #CloudComputing #Azure #AI #TheGuardian #AssociatedPress #InvestigativeJournalism #CorporateAccountability #TechEthics #Israel #MiddleEast

Sep 29, 2025 · 28 min

Ep 280: Ghana, Senegal, Ivory Coast at the Center of Interpol’s Multi-Nation Cybercrime Takedown

Interpol has announced the results of a sweeping cybercrime operation across 14 African nations, leading to the arrest of 260 individuals behind romance scams and sextortion schemes. The crackdown, conducted in July and August, exposed the alarming scale of digital exploitation sweeping the continent. Victims—more than 1,400 in total—were deceived, blackmailed, and financially drained, with total losses nearing $2.8 million. The operation highlighted country-specific cases: Ghanaian police arrested 68 suspects running fake shipping fee scams and blackmail rackets; Senegalese authorities detained 22 individuals posing as celebrities to defraud over 100 victims; and Ivory Coast police apprehended 24 suspects accused of using fake online identities to obtain intimate images for coercion. These arrests reveal a common criminal playbook—deception, emotional manipulation, and coercive sextortion—designed to trap victims in long-term cycles of exploitation. Interpol stressed that digital crimes like romance scams are increasing sharply across Africa, fueled by borderless online platforms and weak national enforcement capabilities. The operation underscores both the emotional and financial devastation inflicted on victims and the critical role of international cooperation in fighting transnational cybercrime. This case demonstrates how intelligence sharing and coordinated action are indispensable tools against an escalating wave of digital fraud and blackmail schemes. #Interpol #Cybercrime #Africa #RomanceScams #Sextortion #OnlineFraud #InterpolArrests #DigitalCrime #Cybersecurity #InternationalPolicing

Sep 29, 2025 · 27 min

Ep 280: Harrods Data Breach Exposes Customer Details in Third-Party Hack

Britain is facing a troubling wave of cyberattacks that has shaken some of its most high-profile organizations. Harrods, the world-renowned luxury retailer, confirmed that customer names and contact details were compromised after attackers infiltrated a third-party vendor’s system. While account passwords and payment data were spared, the breach highlights the risks of vendor supply chain security gaps. This latest breach follows a May security scare for Harrods and comes amid broader law enforcement activity, with four individuals arrested for cyberattacks against Harrods, Marks & Spencer, and the Co-op. The disruption isn’t confined to retail. Jaguar Land Rover, one of Britain’s most iconic automakers, was forced to halt production after an attack crippled its systems. Even more disturbing was a ransomware attack on Kido, a London nursery chain, where sensitive photos and personal information of children were stolen and posted online. These incidents collectively expose the scale of cybersecurity threats facing the UK, cutting across sectors from luxury retail to automotive manufacturing and childcare services. With data breaches, ransomware, and operational shutdowns on the rise, the need for resilience and rapid response has never been more urgent. #Cybersecurity #DataBreach #Harrods #UKRetail #JaguarLandRover #Ransomware #KidoNursery #Cyberattacks #Privacy #Infosec

Sep 29, 2025 · 22 min

Ep 279: Steam Game BlockBlasters Turns Malicious, Drains $150K in Crypto

What happens when a trusted gaming platform becomes a weapon for cybercriminals? That’s exactly what unfolded with BlockBlasters, a free-to-play platformer on Steam that turned from harmless fun into a malicious cryptocurrency-draining scheme. For nearly two months, BlockBlasters appeared safe, even earning “Very Positive” reviews. But in late August, the developers pushed an update containing a cryptodrainer payload, which siphoned off crypto from unsuspecting players. The most shocking case involved RastalandTV, a Latvian gamer livestreaming a fundraiser for his cancer treatment, who lost $32,000 in crypto live on air. The community rallied in support, with donations from high-profile figures like Alex Becker helping to cover the loss. Researchers estimate attackers stole between $150,000 and $157,000 from hundreds of Steam users. Investigators found malicious components including a dropper batch script to steal Steam login info and IP addresses, a Python backdoor, and the StealC information stealer. Evidence also suggests attackers targeted high-value crypto users identified on Twitter, blending platform abuse with precision social engineering. The incident exposes a broader problem: Steam’s verification system is not enough to stop malicious updates. BlockBlasters joins a list of recent Steam-distributed malware cases, raising questions about Valve’s responsibility to protect users from supply chain attacks embedded in “trusted” games. For players, the advice is urgent—uninstall BlockBlasters immediately, reset Steam credentials, and transfer crypto assets to secure wallets. For the industry, it’s a stark reminder that digital trust can be weaponized, and that gaming platforms are now part of the cybersecurity battlefield. #Steam #BlockBlasters #cryptoscam #cryptodrainer #malware #gamingsecurity #RastalandTV #cryptocurrency #cybercrime #supplychainattack #StealC #infostealer #Valve

Sep 24, 2025 · 29 min

Ep 278: Beyond the Inbox: The Rising Threat of Non-Email Phishing Attacks

Phishing is no longer just an email problem. A new wave of non-email phishing attacks is targeting employees through social media, instant messaging apps, SMS, malicious search engine ads, and even collaboration tools like Slack and Teams. These campaigns are designed to bypass traditional defenses—leaving organizations exposed while attackers exploit overlooked channels of communication. Unlike the inbox-focused phishing most security teams prepare for, these multi-channel attacks are far harder to detect and contain. Threat actors are using sophisticated tactics like compromised social media accounts, conditional payloads, and malvertising campaigns to deliver malicious links. Once an employee clicks, attackers can move laterally into core enterprise platforms, often leveraging Single Sign-On (SSO) to escalate a single compromised account into a full-scale breach. This report reveals how non-email phishing is underreported and underestimated—in part because industry statistics rely heavily on data from email security vendors. The result? Security teams lack visibility into threats spreading across the apps and devices employees use every day. Case studies include LinkedIn spear-phishing campaigns targeting executives and Google Search malvertising attacks traced to Scattered Spider, both showing how attackers use trusted platforms to build credibility and evade defenses. With rapid domain rotation and advanced obfuscation techniques, blocking malicious URLs has become a losing game of cat and mouse. The takeaway is clear: the perimeter is no longer the inbox—it’s the user. To defend against this new era of phishing, organizations must expand detection and response strategies across all communication channels where modern work happens. #phishing #cybersecurity #nonemailphishing #socialengineering #malvertising #SSO #identitysecurity #Slack #Teams #LinkedIn #WhatsApp #smishing #ScatteredSpider #Okta

Sep 23, 2025 · 26 min

Ep 277: Stellantis Data Breach Exposes Contact Info in Third-Party Provider Attack

Automotive giant Stellantis, the world’s fifth-largest automaker, has confirmed a data breach affecting its North American customers after attackers compromised a third-party service provider’s platform. While no financial data was exposed, the company acknowledged that customer contact details were stolen, prompting advisories to remain vigilant against phishing attempts. According to BleepingComputer, the breach is part of a sweeping campaign by the notorious cyber-extortion group ShinyHunters, who claim to have stolen over 18 million Stellantis records and more than 1.5 billion Salesforce records across 760 companies worldwide. Their attack methods include exploiting stolen OAuth tokens from a Salesloft Drift integration, as well as voice phishing to capture credentials. High-profile targets have included Google, Cisco, Cloudflare, Palo Alto Networks, Adidas, Allianz Life, and Farmers Insurance. The FBI has issued an alert warning that ShinyHunters is actively breaching Salesforce environments to steal customer data and extort victims. For Stellantis, the primary concern is not financial fraud but the risk of highly targeted phishing and social engineering attacks, made possible by the exposure of verified customer names and contact details. Stellantis has activated its incident response protocols, notified authorities, and informed affected customers, but the scale of this campaign highlights the systemic risk posed by third-party platforms and the growing vulnerability of enterprise SaaS ecosystems. This episode unpacks how ShinyHunters pulled off the breach, what it means for Stellantis customers, and why Salesforce-linked compromises are becoming a global cybersecurity crisis. #Stellantis #databreach #ShinyHunters #Salesforce #cybersecurity #FBIalert #OAuth #phishing #extortion #cybercrime #SOC #incidentresponse

Sep 23, 2025 · 24 min

Ep 276: HoundBytes Launches WorkHorse to Eliminate SOC Tier 1 Bottlenecks

Cybersecurity firm HoundBytes has officially launched WorkHorse, an automated security analyst designed to solve one of the biggest pain points in modern Security Operations Centers (SOCs): the Tier 1 bottleneck. Overwhelmed by a constant flood of raw alerts, Tier 1 analysts often suffer from burnout and slow triage times, putting organizations at risk. WorkHorse is built to replace these repetitive tasks with intelligent automation, eliminating alert fatigue and enabling analysts to focus on real threats. Unlike traditional Security Orchestration, Automation, and Response (SOAR) platforms, WorkHorse integrates directly with existing Security Information and Event Management (SIEM) systems, requiring no new dashboards, no complex playbooks, and no steep learning curves. Its proprietary stateless, multi-graph machine learning algorithm analyzes more than 50 data points per alert, instantly transforming noise into fully contextualized cases for Tier 2 analysts. This ensures faster response, richer context, and a stronger overall security posture. The product also offers transparent, predictable pricing: $3,500 per month for up to 10,000 alerts, with a scalable model for higher volumes. Developed out of HoundBytes’ own Managed Detection and Response practice, WorkHorse has been tested in real-world SOC conditions before being released as a commercial product. With funding efforts underway to expand research, engineering, and global sales, HoundBytes is positioning WorkHorse as the next evolution of SOC automation—a frictionless alternative to SOAR platforms that promises to change the economics and effectiveness of cyber defense. #cybersecurity #SOCautomation #WorkHorse #HoundBytes #SIEM #SOARalternative #alertfatigue #AIsecurity #Tier1automation #incidentresponse #cyberdefense #machinelearning

Sep 23, 2025 · 20 min

Ep 275: Toronto’s Mycroft Raises $3.5M to Bring AI Security Officers to Startups

Toronto-based cybersecurity startup Mycroft has stepped out of stealth with a bold promise: to give startups and small-to-midsize businesses (SMBs) the kind of enterprise-grade security typically reserved for Fortune 500 companies. Acting as an AI-powered “Security and Compliance Officer,” Mycroft deploys autonomous AI agents that manage an organization’s entire security and IT stack. From cloud and application security to device management, automatic remediation, and compliance auditing, the platform automates the work of a full security team—something smaller companies usually can’t afford. With $3.5 million in seed funding led by Luge Capital and participation from other investors, Mycroft is gearing up for rapid product development and expansion. The company has already attracted over 50 customers, proving that its model resonates in a market where resource-strapped startups face the same cyber risks as multinational enterprises. CEO Mike Kim describes the vision clearly: security should be a superpower, not a burden. Mycroft’s mission is to democratize cybersecurity, ensuring every business—no matter its size—has access to robust, real-time protection from day one. This episode dives deep into how Mycroft is changing the cybersecurity landscape for startups and SMBs, the challenges it addresses, and why its early traction signals a broader shift in how smaller companies approach digital resilience. #cybersecurity #AIsecurity #startupfunding #Mycroft #seedfunding #compliance #cloudsecurity #applicationsecurity #SMBsecurity #AIagents #TorontoTech

Sep 23, 2025 · 29 min

Ep 274: FBI Issues Guidance as Fraudsters Pose as IC3 to Extort Victims

The FBI has issued a warning to the public about a cyber campaign impersonating the Internet Crime Complaint Center (IC3), using spoofed websites to trick victims into handing over sensitive information and money. Between December 2023 and February 2025, the agency received more than 100 reports of malicious activity tied to fake IC3 domains. Threat actors behind this scheme employ domain spoofing, making slight alterations to the legitimate IC3 web address, and even using sponsored search results to ensure their fraudulent sites appear prominently in Google and Bing searches. Once victims land on these malicious websites, attackers seek to harvest personally identifiable information (PII) such as names, addresses, phone numbers, emails, and banking details. In some cases, fraudsters attempt direct financial scams, demanding bogus fees for the “recovery” of stolen funds. To bolster credibility, some spoofed sites even replicate IC3’s own fraud warnings to mislead victims further. The FBI stressed that neither FBI employees nor IC3 staff will ever directly contact victims to request payment for fund recovery. As part of its guidance, the agency urges the public to always manually type www.ic3.gov into their browser, avoid sponsored links, and never send money or personal details to individuals they do not know. The threat is part of a broader global trend of law enforcement impersonation scams. Recently, Spanish authorities arrested a group posing as Europol agents and U.K. lawyers to extort crypto fraud victims, echoing an earlier FBI warning about scammers spoofing government phone numbers. These cases underscore a sobering truth: in the digital age, trust has become one of the most exploited attack vectors. #FBI #IC3 #cybercrime #phishing #spoofing #identitytheft #datasecurity #governmentimpersonation #cyberfraud #cybersecurity

Sep 23, 2025 · 10 min

Ep 273: Fraudulent GitHub Repos Spread Atomic Stealer Malware Targeting macOS Users

A new cyber campaign is actively targeting macOS users with the Atomic Stealer (AMOS) malware, leveraging fake GitHub repositories disguised as legitimate software downloads. Security researchers tracking the campaign report that the operators are impersonating trusted brands such as LastPass, 1Password, Dropbox, Notion, and Shopify to lure unsuspecting victims. Using search engine optimization (SEO) poisoning, attackers ensure that their malicious sites rank highly in Google and Bing results, tricking users searching for software downloads into landing on fraudulent repositories. Once on the fake GitHub pages, victims are presented with step-by-step instructions that encourage them to execute commands in their macOS Terminal. Instead of installing the advertised software, these commands load the Atomic Stealer infostealer, which is capable of exfiltrating sensitive data, including passwords, crypto wallet details, and personal files. The campaign demonstrates remarkable persistence and sophistication. Adversaries are using multiple GitHub accounts to host fraudulent repositories, a tactic that helps them evade takedown attempts and maintain operational resilience. Security teams, including LastPass Threat Intelligence, are actively monitoring the campaign and have already flagged and removed several malicious repositories. Shared Indicators of Compromise (IoCs) are enabling organizations to detect and mitigate this ongoing threat. This attack highlights a dangerous convergence of tactics: exploiting trusted platforms like GitHub and search engines, impersonating widely used brands, and leveraging user trust to deliver malware. For macOS users—long considered less frequent targets—the campaign is a stark reminder that no operating system is immune to sophisticated, trust-based attacks. #AtomicStealer #macOS #AMOS #GitHub #infostealer #LastPass #1Password #Dropbox #Shopify #SEOpoisoning #cybersecurity #threatintel #malware #datasecurity

Sep 22, 2025 · 22 min

Ep 272: Netskope’s IPO Raises $908M: SASE Leader Surges 18% on First Trading Day

Netskope, a California-based cybersecurity firm specializing in secure access service edge (SASE) solutions, has officially gone public in one of the largest cybersecurity IPOs of 2025. Trading on the Nasdaq under the ticker symbol NTSK, the company raised more than $908 million by selling shares at $19 each. Investor enthusiasm was evident as the stock climbed 18% on its first day, closing at $22.49 and boosting Netskope’s valuation from $7.3 billion at IPO to approximately $8.6 billion. The company’s strong debut underscores the market’s confidence in SASE and secure service edge technologies, which are becoming indispensable for enterprises navigating cloud adoption, hybrid workforces, and increasing cyber threats. Netskope’s offerings include secure service edge (SSE), firewall, cloud access security, and threat protection, positioning it at the forefront of modern enterprise security architecture. Despite the promising growth story, Netskope remains unprofitable. For the first half of 2025, the company reported $707 million in annual recurring revenue (ARR) but also logged a net loss of $170 million. Like many high-growth technology firms, Netskope is prioritizing market share and product innovation over near-term profitability, banking on the continued expansion of the SASE market to justify its aggressive investments. This IPO highlights the ongoing investor appetite for cloud security companies, even when they operate at a loss, as long as the revenue growth trajectory is compelling. Netskope’s transition from private to public markets not only strengthens its capital base but also reaffirms its role as a bellwether for the cybersecurity industry’s evolution. #NetskopeIPO #cybersecurity #SASE #cloudsecurity #SSE #NTSK #firewall #threatprotection #datasecurity #techIPO #Nasdaq #infosec

Sep 22, 2025 · 10 min

Ep 271: SPLX Exposes AI Exploit: Prompt Injection Tricks ChatGPT Into Solving CAPTCHAs

A startling new report from AI security platform SPLX reveals how attackers can bypass the built-in guardrails of AI agents like ChatGPT through a sophisticated exploit involving prompt injection and context poisoning. Traditionally, AI models are programmed to refuse solving CAPTCHAs, one of the most widely deployed tools for distinguishing humans from bots. But SPLX researchers demonstrated that a staged, multi-step conversation can manipulate an AI agent into compliance. By first persuading a model in a controlled chat that solving "fake" CAPTCHAs was permissible, and then porting that conversation into a new agent session, they successfully poisoned the context and convinced the AI to carry out CAPTCHA-solving tasks. The results were eye-opening. The AI not only solved advanced CAPTCHA types—including reCAPTCHA Enterprise and reCAPTCHA Callback—but also attempted to refine its methods by mimicking human cursor movements when initial attempts failed. This behavior reveals a deeper risk: once manipulated, AI agents don’t just execute forbidden tasks—they can adapt and evolve to improve their evasion techniques. SPLX concludes that this vulnerability highlights both the fragility of current AI guardrail systems and the declining viability of CAPTCHAs as a reliable security measure. Beyond CAPTCHA bypassing, the exploit points to a much broader threat landscape, where attackers could trick AI agents into leaking sensitive data, generating disallowed content, or bypassing security controls by poisoning their context with fabricated "safe" histories. The incident underscores the urgent need for stronger, context-aware AI security architectures capable of detecting manipulation at the conversational level. Without it, AI systems risk becoming powerful tools in the hands of adversaries who know how to deceive them. #AIsecurity #SPLX #promptinjection #contextpoisoning #CAPTCHA #cybersecurity #ChatGPT #AIsafety #supplychainrisk #AIexploits #datasecurity #automation

Sep 22, 2025 · 24 min

Ep 270: Brussels, Berlin, London Hit Hard as Cyber Disruption Sparks Flight Chaos

A cyberattack on Collins Aerospace, a U.S.-based provider of passenger check-in and baggage handling software, plunged major European airports into chaos over the weekend. Beginning late Friday, the disruption rippled across hubs in Brussels, Berlin, and London, crippling critical check-in systems and forcing a reversion to manual operations. Brussels Airport was hardest hit, canceling nearly half of all Monday departures after the provider admitted it could not yet deliver a secure system update. While self-service kiosks and online check-in remained functional, airports scrambled to deploy backup laptops, extra staff, and handwritten boarding passes to keep operations afloat. The fallout underscored the vulnerability of global aviation to single points of failure in third-party technology providers. Though aviation safety and air traffic control were never compromised, the cascading effects were severe: massive delays, canceled flights, frustrated passengers, and mounting costs for airlines and airports alike. As investigations continue into the source of the cyberattack—whether criminal, independent, or state-sponsored—the incident serves as a sobering reminder of how fragile critical infrastructure becomes when third-party digital supply chains are targeted. #cyberattack #aviationsecurity #CollinsAerospace #BrusselsAirport #flightcancellations #cybersecurity #supplychainrisk #airportsecurity #cyberresilience #airtravel

Sep 22, 2025 · 23 min

Ep 269: Novakon Ignored Security Reports on ICS Weaknesses, Leaving 40,000+ Devices Exposed

A new security report has revealed serious, unpatched vulnerabilities in industrial control system (ICS) products manufactured by Novakon, a Taiwan-based subsidiary of iBASE Technology. Security researchers at CyberDanube identified five categories of flaws affecting Novakon’s Human-Machine Interfaces (HMIs), including an unauthenticated buffer overflow that allows remote code execution with root privileges. Other weaknesses include directory traversal, weak authentication, excessive process privileges, and insufficient system protections. What makes this situation particularly alarming is that these flaws can be exploited remotely and without authentication—meaning attackers don’t need credentials or physical access to compromise the devices. Once exploited, adversaries could disrupt production, manipulate industrial processes, disable safety systems, or use the devices as stepping stones for further attacks inside critical environments. The risks are compounded by Novakon’s lack of response. Despite repeated disclosure attempts, the company has ignored most communications from CyberDanube and has released no security patches. This leaves organizations operating these devices with no vendor-supported mitigation, effectively shifting the full burden of protection to asset owners. With an estimated 40,000 Novakon HMIs deployed globally in data centers and critical infrastructure, the potential impact is severe. Researchers stress that asset owners must immediately assess their exposure, ensure Novakon devices are not internet-facing, implement compensating network controls, and develop incident response playbooks. This episode examines the vulnerabilities in detail, the risks they pose to industrial environments, and what organizations can do in the absence of vendor support. #Novakon #ICS #CriticalInfrastructure #CyberSecurity #Vulnerabilities #HMI #iBASE #OTSecurity #CyberDanube #RemoteCodeExecution #DataCenters

Sep 20, 2025 · 22 min

Ep 268: RevengeHotels Cybercrime Group Adopts AI and VenomRAT in Hotel Credit Card Theft Campaign

The cybercrime group known as RevengeHotels, also tracked as TA558, has launched a new wave of attacks against the hospitality sector, evolving its tactics with the help of Artificial Intelligence (AI) and a powerful new malware strain, VenomRAT. Active since 2015, RevengeHotels has long targeted hotels, travel agencies, and tourism businesses to steal credit card data from guests and travelers. But in 2025, the group has demonstrated a major leap in sophistication. In its latest campaign—observed in Brazil and spreading through Latin America and Europe—RevengeHotels shifted its phishing lures from fake invoices to job application emails containing malicious attachments. Victims who click the links are redirected to attacker-controlled sites hosting AI-generated malicious JavaScript and PowerShell scripts, designed to evade detection and deploy malware in stages. The final payload is VenomRAT, a remote access trojan that gives attackers hidden virtual desktop control, allowing them to harvest sensitive guest data, exfiltrate files, and even propagate via infected USB drives. This new malware marks a significant upgrade from the group’s legacy toolkit of older RATs like NjRAT and NanoCore. Kaspersky researchers warn that RevengeHotels’ adoption of AI for generating code and phishing lures makes its operations more scalable, multilingual, and harder to defend against. With the group’s geographic footprint widening and its technical arsenal advancing, hotels worldwide—especially those in Brazil, Mexico, Spain, and other travel hubs—are now at greater risk of credit card theft and large-scale data compromise. This episode breaks down who RevengeHotels is, how their tactics have evolved, and why AI-driven malware campaigns could reshape the future of cybercrime against the global hospitality sector.
#RevengeHotels #TA558 #CyberCrime #VenomRAT #AIThreats #Hospitality #Hotels #CreditCardTheft #Phishing #Brazil #CyberSecurity #Malware #ThreatIntelligence

Sep 19, 2025 · 23 min

Ep 267: ShadowLeak: Server-Side Data Theft Attack Discovered Against ChatGPT Deep Research

A groundbreaking new cyberattack dubbed ShadowLeak has been uncovered targeting ChatGPT’s Deep Research capability, marking a dangerous escalation in AI-related threats. Unlike prior exploits such as AgentFlayer and EchoLeak, which operated on the client side, ShadowLeak weaponized OpenAI’s own cloud infrastructure to silently exfiltrate sensitive data—without requiring any user interaction. Discovered by researchers at Radware, the attack began with a specially crafted email containing hidden malicious instructions. When the AI agent processed the email as part of a legitimate research task, it was manipulated into sending stolen information directly from OpenAI’s servers to an attacker-controlled URL. Because the exfiltration request originated from a trusted server rather than the client, the malicious activity left no visible trace in the ChatGPT interface and could bypass traditional enterprise security monitoring. The potential blast radius extended beyond Gmail, including services like Google Drive, Dropbox, Outlook, HubSpot, Notion, Microsoft Teams, and GitHub. Though OpenAI patched the vulnerability between June and August 2025, Radware cautions that the broader threat surface remains large and that more undiscovered vectors likely exist. The firm recommends continuous agent behavior monitoring as a more effective defense, focusing on aligning agent actions with user intent rather than relying solely on reactive patching. This episode explores how ShadowLeak worked, why server-side AI vulnerabilities are uniquely dangerous, and what enterprises must do to prepare for the next wave of AI-targeted cyberattacks.
#ShadowLeak #ChatGPT #DeepResearch #OpenAI #Radware #AIsecurity #DataExfiltration #PromptInjection #AgentFlayer #EchoLeak #CyberSecurity #ServerSideAttack #AIThreats

Sep 19, 2025 · 26 min

Ep 267: WatchGuard Firebox Vulnerability Could Let Hackers Take Over Networks

A new critical vulnerability, CVE-2025-9242, has been discovered in WatchGuard Firebox firewalls, putting thousands of networks worldwide at risk. The flaw stems from an out-of-bounds write bug in the Fireware OS’s iked process, which could allow a remote, unauthenticated attacker to execute arbitrary code. If exploited, this would grant full control of a device meant to protect the organization’s perimeter—a worst-case scenario for defenders. The vulnerability specifically affects devices configured with IKEv2 VPNs, including both mobile user VPNs and branch office VPNs (BOVPNs) with dynamic gateway peers. Alarmingly, even devices that have had those configurations deleted may still remain vulnerable if they maintain a BOVPN with a static gateway peer. WatchGuard has released security updates across multiple Fireware OS versions to address the flaw. However, older versions like Fireware 11.x remain end-of-life and require an upgrade to a supported release. For organizations unable to patch immediately, WatchGuard has also provided a temporary workaround—though experts warn it should only be used as a stopgap. Security researchers stress the importance of patching quickly. Firewalls are a high-value target for attackers, and history shows how fast threat actors move to weaponize such vulnerabilities. Past examples include the Akira ransomware gang exploiting SonicWall flaws and earlier CISA directives mandating WatchGuard fixes. With WatchGuard firewalls deployed in more than 250,000 small and midsize businesses, the stakes could not be higher. This episode examines what CVE-2025-9242 is, how it can be exploited, the systems at risk, and what organizations must do right now to stay secure.
#CVE20259242 #WatchGuard #Firebox #FirewallVulnerability #RemoteCodeExecution #CyberSecurity #VPN #PatchNow #ThreatIntelligence #CriticalVulnerability

Sep 19, 2025 · 28 min

Ep 267: How SystemBC’s 1,500 Infected VPS Servers Fuel Ransomware and Fraud

The SystemBC proxy botnet has quietly become one of the most persistent pillars of the cybercrime ecosystem. First detected in 2019, SystemBC is less about stealth and more about scale. It maintains an average of 1,500 compromised commercial virtual private servers (VPS) around the world, providing a powerful, high-bandwidth proxy network for cybercriminal operations. SystemBC enables a wide range of malicious activity: concealing command-and-control (C2) traffic, routing ransomware payloads, supporting brute-force campaigns against WordPress sites, and powering proxy networks like REM Proxy and VN5Socks. Researchers at Lumen’s Black Lotus Labs report that nearly 80% of its nodes are compromised VPS systems riddled with unpatched vulnerabilities—sometimes with more than 100 critical flaws per machine. This prioritization of high volume and long infection lifespans over stealth makes SystemBC a “criminal workhorse” that is hard to shut down. Despite past disruption attempts, including law enforcement takedown operations, SystemBC has proven remarkably resilient. Its operators maintain more than 80 C2 servers and even host all 180 known SystemBC malware samples on a single infrastructure hub. The botnet has been observed pushing over 16 gigabytes of proxy data per IP in just 24 hours, an order of magnitude higher than typical proxy networks. In this episode, we break down how SystemBC operates, who uses it, why it continues to thrive despite international crackdowns, and why it has become a cornerstone of the modern cybercrime economy.
#SystemBC #Botnet #Cybercrime #Ransomware #Malware #ProxyNetwork #CyberThreats #VPS #WordPress #ThreatIntelligence #Lumen #BlackLotusLabs

Sep 19, 2025 · 32 min

Ep 266: Tiffany & Co. Data Breach Exposes Gift Card Details of 2,500+ Customers

Tiffany and Company, the iconic luxury jeweler under the LVMH umbrella, has confirmed a serious data breach impacting over 2,500 customers across the United States and Canada. On or around May 12, 2025, hackers infiltrated Tiffany’s internal systems, compromising sensitive customer data tied to gift cards. Exposed information includes names, email addresses, postal addresses, phone numbers, sales data, as well as gift card numbers and PINs—data that could be exploited for targeted scams and fraud. This breach stands apart from recent cyberattacks against other LVMH brands that involved third-party Salesforce systems. Instead, Tiffany has disclosed that its own internal systems were directly accessed. While no ransomware group has publicly claimed responsibility, the nature of the breach raises questions about whether it is linked to the broader wave of attacks targeting luxury brands—or if it represents a separate campaign. In this episode, we break down exactly what happened, what data was compromised, who was affected, and how this breach fits into the bigger picture of rising cyberattacks against global luxury houses.
#Tiffany #DataBreach #CyberSecurity #LVMH #LuxuryRetail #Hackers #GiftCards #US #Canada #CyberAttack #Privacy #CustomerData

Sep 18, 2025 · 12 min

Ep 265: Lakera’s Gandalf Network Joins Check Point in $300M AI Security Deal

In a major strategic move, Check Point Software Technologies has announced the acquisition of Lakera, a Zurich and San Francisco–based AI security firm founded by former Google and Meta AI researchers. Valued at around $300 million, the acquisition will close in late 2025 and serve as the foundation for Check Point’s new Global Center of Excellence for AI Security. This comes at a critical time, as enterprises increasingly embed generative AI, large language models (LLMs), and autonomous agents into their workflows—introducing powerful new attack surfaces that traditional defenses struggle to protect. Lakera brings cutting-edge technology to Check Point’s platform, including Lakera Red, which stress-tests AI systems pre-deployment, and Lakera Guard, which delivers runtime protections against threats like prompt injection and data leakage. Its proprietary adversarial AI engine, Gandalf, continuously trains defenses against novel attacks, evolving as fast as the threat landscape itself. This deal highlights the AI security arms race, coinciding with CrowdStrike’s acquisition of Pangea. By integrating Lakera, Check Point is positioning its Infinity architecture as the industry’s first end-to-end AI lifecycle security platform, capable of defending everything from model creation to live deployment. CEO Nadav Zafrir framed the move as a way to ensure that enterprises can embrace AI innovation without exposing themselves to catastrophic risk. In this episode, we break down what Lakera brings to the table, how Check Point plans to integrate its technology, and why this acquisition cements Check Point as a frontline player in the rapidly escalating battle for AI security dominance.
#CheckPoint #Lakera #AIsecurity #GenerativeAI #LLMsecurity #AIarmsrace #GandalfAI #PromptInjection #DataLeakage #Cybersecurity #InfinityArchitecture #EnterpriseAI

Sep 18, 2025 · 24 min

Ep 264: Shai-Hulud Exposes Fragility of the Open-Source Software Supply Chain

A major supply chain attack is underway in the npm ecosystem. Dubbed Shai-Hulud, this worm-style campaign began with the compromise of the popular @ctrl/tinycolor package and has since infected at least 187 npm packages, including some published under CrowdStrike’s official account. The malware, designed to spread automatically, abuses the legitimate security tool TruffleHog to scan for API keys, tokens, and cloud credentials, then exfiltrates them while creating rogue GitHub Actions workflows to ensure persistence. The incident was first flagged publicly by engineer Daniel Pereira, whose warning triggered a rapid investigation by firms like Socket, Aikido, and StepSecurity. Researchers confirmed the malware’s propagation method: it hijacks compromised developer accounts, modifies package.json files, injects a malicious bundle.js payload, and republishes trojanized packages. This creates a cascading effect, compromising downstream projects that unknowingly pull the infected updates. The impact has been significant. CrowdStrike confirmed some of its npm packages were compromised, though it emphasized that its Falcon platform remains unaffected. Google also acknowledged potential risks to users of its Gemini CLI tool installed via npm during the attack window. These assurances underscore a troubling truth: even when core systems remain secure, users can still be exposed through the software supply chain. The Shai-Hulud campaign follows closely on the heels of other high-profile supply chain incidents, including the s1ngularity GitHub attack and the phishing-driven compromise of the chalk and debug packages. Together, they reveal a pattern of escalating, ecosystem-wide threats that exploit the inherent fragility of modern open-source infrastructure. In this episode, we unpack how Shai-Hulud works, why the use of a legitimate tool like TruffleHog makes detection harder, and what this means for developers, enterprises, and the future of open-source security.
#ShaiHulud #npm #SupplyChainAttack #CrowdStrike #GoogleGemini #TruffleHog #OpenSourceSecurity #JavaScript #s1ngularity #Chalk #Debug #SoftwareSupplyChain

Sep 17, 2025 · 34 min

Ep 263: ChatGPT Calendar Vulnerability Exposes User Emails in New AI Attack

A critical vulnerability has been uncovered in ChatGPT’s new calendar integration, exposing how attackers could exfiltrate sensitive user data—particularly emails—through a deceptively simple exploit. Security researchers at EdisonWatch, led by Eito Miyamura, demonstrated how a malicious calendar invitation could contain hidden instructions that ChatGPT would execute when a user checked their calendar. Shockingly, the victim doesn’t even need to accept the invite: the moment ChatGPT reads it, the hidden commands can instruct the model to retrieve and send private inbox data to an attacker’s address. This type of AI-driven attack exploits the Model Context Protocol (MCP) that allows ChatGPT to connect with personal and enterprise tools. While the exploit currently requires developer mode and user approval, Miyamura highlights how “decision fatigue” makes users more likely to click approve repeatedly, paving the way for exploitation. Importantly, this is not an isolated issue. Similar flaws have been reported in other AI assistants like Gemini, Copilot, and Salesforce Einstein, underscoring a systemic weakness in how LLMs interact with third-party applications. Past demonstrations have shown these vulnerabilities can be weaponized not just to steal emails, but also to delete events, reveal locations, or even manipulate smart devices. To address the risk, EdisonWatch has released an open-source security solution designed to enforce policy-as-code and monitor AI interactions, providing a safeguard against these integration-based attack vectors. This episode explores how the exploit works, why approval fatigue is the real vulnerability, and what this means for the future of AI-native security in enterprise environments.
#ChatGPT #EdisonWatch #AIsecurity #CalendarIntegration #DataExfiltration #LLMsecurity #Gemini #Copilot #SalesforceEinstein #PromptInjection #DecisionFatigue #EnterpriseSecurity

Sep 17, 2025 · 20 min

Ep 262: CrowdStrike Acquires Pangea to Launch AI Detection and Response (AIDR)

At Fal.Con 2025, CrowdStrike announced one of its boldest moves yet: the acquisition of AI security startup Pangea. The deal signals CrowdStrike’s intent to redefine the future of cybersecurity by protecting not just endpoints and networks, but the entire AI lifecycle. Pangea, founded in 2021, is known for cutting-edge tools like AI Guard, which prevents sensitive data leaks from generative AI applications, and Prompt Guard, which blocks prompt injection and jailbreak attacks. These technologies will now be integrated into CrowdStrike’s Falcon platform as part of a new security category: AI Detection and Response (AIDR). This acquisition isn’t just about adding features—it’s about shaping the cybersecurity narrative for the AI era. As enterprises embed generative AI and large language models into critical workflows, attackers are exploiting fresh vulnerabilities. CrowdStrike’s CEO George Kurtz framed the deal as a way to “secure the entire AI lifecycle,” from model training to real-world deployment. The move also comes amid intensifying competition. On the same day, Check Point announced its own AI security acquisition, highlighting how urgently the industry views this space. By bringing Pangea into its ecosystem, CrowdStrike is aiming to establish market leadership, expand Falcon’s capabilities, and set new security standards for enterprise AI adoption. In this episode, we unpack the acquisition, the technology behind Pangea, and why this move positions CrowdStrike at the forefront of the AI security race.
#CrowdStrike #Pangea #FalCon2025 #AIsecurity #AIDR #ArtificialIntelligence #LLMsecurity #GenerativeAI #PromptInjection #Cybersecurity #EnterpriseAI #FalconPlatform

Sep 17, 2025 · 22 min

Ep 262: RaccoonO365: $100K Phishing-as-a-Service Scheme Taken Down

Microsoft and Cloudflare have successfully dismantled RaccoonO365, a global phishing-as-a-service (PhaaS) operation that had been running for over a year. This criminal platform, marketed on Telegram and used by up to 200 subscribers, enabled attackers to craft realistic Microsoft 365 phishing campaigns, complete with fake login pages, email lures, and QR code traps. The operation facilitated the theft of more than 5,000 user credentials across 94 countries, with healthcare organizations being disproportionately targeted, raising serious public safety concerns. What set RaccoonO365 apart was its abuse of Cloudflare Workers to hide phishing sites from researchers and automated scanners, making the attacks harder to detect. The takedown involved a multi-front response: Microsoft filed a lawsuit with Health-ISAC, seized over 330 malicious domains, and identified the alleged mastermind, Nigerian programmer Joshua Ogundipe. Meanwhile, Cloudflare suspended accounts, removed malicious scripts, and blocked domains linked to the operation. Together, these actions not only dismantled the phishing infrastructure but also exposed the growing risks of PhaaS models, which lower the barrier for entry into cybercrime. This episode unpacks how the takedown unfolded, why healthcare was such a critical target, and what this operation reveals about the evolving cybercrime economy.
#Microsoft #Cloudflare #RaccoonO365 #PhishingAsAService #PhaaS #Cybercrime #HealthcareCybersecurity #CredentialTheft #Microsoft365 #CloudflareWorkers #JoshuaOgundipe

Sep 17, 2025 · 27 min

Ep 261: AI-Generated Phishing and Deepfakes Supercharge Social Engineering Attacks

Social engineering has reclaimed center stage as today’s most reliable intrusion vector—and it’s not just email anymore. Recent warnings from law enforcement and national cyber centers underscore how adversaries exploit human psychology to “log in, not hack in,” bypassing hardened perimeters with phishing, vishing (voice phishing) against IT help desks, smishing, and polished impersonation. These campaigns pair urgency, intimidation, and empathy ploys with modern twists like deepfake audio/video and LLM-written lures that mirror a target’s tone, role, and business context. Once a foothold is gained, operators ride legitimate tools (PowerShell, RDP, admin consoles), blend into normal traffic, and quietly harvest high-value data. Meanwhile, ransomware has evolved from smash-and-grab encryption to multi-stage extortion. The Ransomware-as-a-Service (RaaS) and broader Cybercrime-as-a-Service (CaaS) markets have slashed barriers to entry: core developers lease turnkey kits, affiliates handle intrusion and extortion, and specialists sell initial access, phishing kits, or data leak hosting. Tactics now include data theft before encryption, countdown leak sites, direct calls to victims and their customers, public shaming, and even leveraging mandatory incident-reporting laws to increase pressure. Technical tradecraft has kept pace: dual-strain deployments, remote/hybrid encryption, uncommon languages to dodge signatures, and “living off the land” to evade EDR. A headline development is the consolidation of high-impact crews into the “Scattered LAPSUS$ Hunters”—an identity-centric operation that perfects the art of help-desk social engineering, MFA fatigue, SIM swapping, and OAuth consent abuse to capture credentials and session tokens. Post-compromise, they move fast: disabling EDR, exfiltrating from SharePoint, code repos, and cloud data lakes (think Snowflake and Amazon S3), even abusing backup tooling for stealthy transfers. The result is a repeatable pipeline from initial phone call to full enterprise data theft. Despite a public “going dark” message, analysts expect quiet continuity or rebranding. Layered atop financially motivated crews are state-sponsored operators from China, Russia, and Iran, who blend espionage, IP theft, and influence ops with social engineering to seed access in critical sectors. They pivot through edge devices (VPNs, firewalls), route traffic via compromised domestic infrastructure to avoid scrutiny, and exploit the global vendor concentration of cloud and SaaS providers—turning a single supplier weakness into systemic risk. What actually works against all this? Start with people. Targeted, scenario-based security awareness (vishing drills, help-desk playbooks, deepfake recognition) remains the highest-ROI control. Pair it with strong identity security: phishing-resistant MFA (FIDO2/WebAuthn), tight help-desk identity proofing, session management and token binding, rapid disablement paths, and least-privilege by default. Architect for failure with Zero Trust and segmentation, harden edge devices, and close the loop with intelligence-led hunting for RMM misuse, unusual admin activity, and data-exfil patterns. Finally, rehearse extortion-resilient incident response: legal, comms, and executive teams need scripts for leak-site deadlines, customer notifications, and negotiation decisions—before attackers make the first call. Bottom line: social engineering is the reliable front door, ransomware is the business model, AI is the force multiplier, and consolidated, identity-focused crews are the operators. Defenders that invest equally in human, identity, and architectural controls will be the ones to break the kill chain.
#SocialEngineering #Phishing #Vishing #Smishing #Deepfakes #Ransomware #RaaS #CaaS #MFABypass #SIMSwapping #OAuthAbuse #LivingOffTheLand #DataExfiltration #DoubleExtortion #SupplyChainAttack #CriticalInfrastructure #ZeroTrust #SecurityAwareness #ThreatIntelligence #IncidentResponse #ScatteredLAPSUSHunters #China #Russia #Iran #LLM #AIEnabledAttacks #HelpDeskFraud #EDREvasion #BackupAbuse #VendorConcentration

Sep 17, 2025 · 1h 1m

Ep 260: Phoenix Attack Breaks DDR5 Rowhammer Defenses: Root in 109 Seconds

The infamous Rowhammer vulnerability, long thought to be contained by new DRAM protections, has resurfaced with devastating force. Academic researchers, working with Google, have unveiled the Phoenix attack, a breakthrough Rowhammer variant that shatters the defenses of DDR5 memory chips. Despite the industry’s investment in Target Row Refresh (TRR) and Error Correcting Codes (ECC), Phoenix exploits “blind spots” in SK Hynix DDR5 DIMMs—the world’s leading DRAM manufacturer—using novel hammering patterns and a self-correcting synchronization technique. In real-world tests, Phoenix achieved privilege escalation in as little as 109 seconds, giving attackers full root access on commodity DDR5 systems. The implications are staggering: Phoenix enables arbitrary memory access via page-table entry manipulation, compromises cryptographic keys like RSA-2048 in SSH, and even tampers with system binaries such as sudo. Beyond immediate system exploits, clustered bit flips open the door to new attack vectors, from recovering private keys in OpenSSL to corrupting tokenizer dictionaries in large language models—potentially disabling AI safety guardrails. The attack, assigned CVE-2025-6202, underscores the inadequacy of probabilistic defenses like TRR. AMD has issued BIOS updates in response, but effectiveness remains unverified. Google, meanwhile, is advocating for a more principled solution: the Per Row Activation Counting (PRAC) standard for DDR5 and LPDDR6, offering deterministic protection against hammering patterns. Phoenix is more than a vulnerability—it’s a wake-up call for the memory industry. With 36% of the global DRAM market impacted and escalating risks to cryptographic integrity and AI systems, the need for robust, future-proof defenses has never been more urgent.
#Rowhammer #PhoenixAttack #DDR5 #TRR #ECC #SKHynix #AMD #Google #BIOSUpdate #PrivilegeEscalation #CVE20256202 #Cryptography #OpenSSL #LLMSecurity #PRAC #MemorySecurity #HardwareExploits

Sep 16, 2025 · 41 min

Ep 260: Silent Push Raises $10M Series B to Expand Threat Intelligence Platform

Cybercriminals aren’t just breaking in—they’re borrowing your brand to do it. This episode dives into the critical intersection of brand protection, threat intelligence, and external attack surface management (EASM) and lays out a practical, intelligence-driven blueprint you can start applying today. We begin with the state of brand abuse: a sharp year-over-year surge in online scams ranging from HR recruitment fraud to “money-flipping” schemes and look-alike social accounts. Why it matters: your brand is the first—and often only—trust signal customers and candidates use. One exposure to a toxic impersonation can drive nearly half of your audience to disengage, and repeated incidents permanently erode trust. We unpack a proven five-step defense: (1) audit every branded asset, including domains, logos, executives, shadow sub-brands, and “gray space” like Reddit, marketplaces, and the dark web; (2) get proactive with trademark/domain registrations (including typos and homoglyphs) and claim social handles preemptively; (3) stand up continuous monitoring that automates takedown triggers across malicious domains, fake accounts, and credential-stuffing chatter; (4) pair that automation with human analysts who can triage signal from noise, validate threats, and read adversary intent; and (5) execute adversary disruption—fast, repeatable takedowns; block-listing; and workflowed remediations that actually remove the threat, not just alert on it. Next, we zoom out to EASM: your real attack surface now spans cloud, SaaS, subsidiaries, forgotten assets, and exposed IoT. We break down how managed EASM inventories unknown assets, contextualizes business impact, pressure-tests exposure (e.g., OWASP-aligned checks at scale), and prioritizes fixes based on exploitability and value to attackers. Done right, EASM compresses “find to fix” timelines and gives SOC teams repeatable coverage without burning cycles. Then, proactive threat intelligence and hunting: waiting for alerts misses the 20% of threats that slip past controls. We walk through IOFA™ (Indicators of Future Attack)—spotting malicious infrastructure before it’s used—plus the hunt tradecraft that works: hypothesis-driven hunts on DNS, network, identity and SaaS telemetry; baselining to catch subtle anomalies; and ML-aided clustering to surface coordinated campaigns. We also compare platform approaches with examples like Silent Push (preemptive infrastructure mapping, DNS/IPv4/IPv6 telemetry, enrichment over 70+ attributes, massive API surface) and ZeroFox (digital risk/brand protection, takedown operations, dark web monitoring)—and where each fits in a modern stack alongside SIEM/SOAR/TIP. Finally, we go regional. In the Middle East & Africa, cybersecurity demand is surging on the back of Vision-scale national programs, digital banking, OT exposure, and sovereign-cloud mandates—yet teams face talent constraints and fragmented regulation, accelerating the shift to managed services. Across APAC, especially Taiwan and Thailand, we outline the rising tempo and sophistication of ransomware crews and nation-state espionage (supply chain intrusions, telecom/semiconductor targeting, dark-web tradecraft), plus why external attack surface blind spots and exposed IoT make these ecosystems high-leverage targets. Takeaways you can use this week: Map your brand and external surface together (logos to DNS), not in silos. Automate the boring parts (discovery, monitoring, templated takedowns) and reserve human time for adjudication, escalation, and intel production. Measure success by time-to-takedown, time-to-patch, and reduction in re-registration of malicious domains—then reinvest those wins into deeper hunt coverage.
#Cybersecurity #BrandProtection #ThreatIntelligence #EASM #DigitalRisk #Typosquatting #Impersonation #Ransomware #DarkWeb #ThreatHunting #SIEM #SOAR #TIP #SilentPush #ZeroFox #MEA #APAC #Taiwan #Thailand #OTSecurity #ExternalAttackSurface

Sep 16, 2025 · 48 min

Ep 259: Google Accused of Shadow Lobbying Against California Privacy Opt-Out Law

California’s Assembly Bill 566 (AB 566) has become one of the most hotly contested pieces of privacy legislation in the country. The bill would require universal “opt-out preference signals” in web browsers and mobile operating systems, allowing consumers to automatically block the sale and sharing of their personal data across the internet. Proponents—including the California Privacy Protection Agency, Consumer Reports, and Mozilla—hail the measure as a long-overdue step to simplify consumer privacy choices and push back against the relentless surveillance economy. But opposition is fierce. Tech industry groups, the California Chamber of Commerce, and front groups like the Connected Commerce Council argue that AB 566 could devastate small businesses reliant on targeted advertising, cause job losses, and diminish consumers’ online experiences by pushing more sites toward paywalls. Critics also point to technical ambiguities in the bill, arguing that implementation challenges could create confusion and harm innovation. At the center of the controversy is Google. While not publicly opposing AB 566, Google is accused of orchestrating a shadow lobbying campaign through “astroturfing”—funding and leveraging groups like the Connected Commerce Council to manufacture the appearance of grassroots opposition. Emails sent to small businesses on Google’s mailing lists warned of dire consequences if the bill passed, urging them to sign petitions against it. This covert strategy, critics argue, undermines democratic debate and hides the real corporate interests at play. The debate over AB 566 reveals the fault lines between consumer rights, corporate power, and the future of digital privacy. Is California moving toward a fairer internet where individuals control their data, or are powerful corporations rewriting the rules to protect their profits? This episode explores the stakes of the bill, the role of astroturf lobbying, and what it all means for the future of online privacy.
#AB566 #CaliforniaPrivacy #ConsumerData #Google #Astroturfing #DigitalPolicy #SurveillanceCapitalism #ConnectedCommerceCouncil #SmallBusiness #TargetedAds #DataPrivacy #TechLobbying #CPPA

Sep 16, 2025 · 31 min

Ep 258: FinWise Bank Data Breach Exposes 700K Customers Amid Predatory Lending Allegations

FinWise Bank is facing a double crisis—one of data security and another of public trust. Nearly 700,000 customers of American First Finance (AFF), a FinWise partner, were impacted by a massive data breach after a former employee improperly accessed sensitive records. The bank has responded with offers of free credit monitoring, but the damage to consumer trust is already done. At the same time, FinWise Bank is the subject of intense scrutiny from the National Consumer Law Center and other leading advocacy groups, who accuse the institution of serving as a “rent-a-bank” for predatory lenders. These groups point to FinWise’s partnerships with American First Finance, Elevate Credit’s Rise brand, and OppFi—companies notorious for offering loans with annual percentage rates (APRs) soaring as high as 160%. The allegations are damning: deceptive sales practices, unaffordable repayment structures, identity theft, harassment in debt collection, and inaccurate credit reporting. Consumer complaints paint a disturbing picture—borrowers paying nearly four times their original loan principal, victims of fraudulent accounts opened in their names, military families charged unlawful APRs, and debt collectors harassing consumers with threats and repeated calls. Under federal guidance, banks are responsible for the risks of their third-party partnerships, and advocates are urging regulators to downgrade FinWise’s Community Reinvestment Act (CRA) rating to reflect the harm inflicted on vulnerable communities. This episode unpacks the data breach, the allegations of systemic consumer harm, and the wider implications for “rent-a-bank” schemes designed to evade state interest rate laws. Is FinWise Bank enabling predatory lending under the guise of financial innovation, or will regulatory pressure finally rein in these abusive practices?
#FinWiseBank #DataBreach #PredatoryLending #ConsumerProtection #CommunityReinvestmentAct #OppFi #RiseCredit #AmericanFirstFinance #IdentityTheft #DebtCollection #FinancialRegulation

Sep 16, 2025 · 33 min

Ep 257 The “s1ngularity” Attack: How Hackers Hijacked Nx and Leaked Thousands of Repositories

In late August 2025, the open-source software ecosystem was rocked by a sophisticated two-phase supply chain attack, now known as “s1ngularity.” The incident began when attackers exploited a flaw in GitHub Actions workflows for the Nx repository, stealing an NPM publishing token and using it to release malicious versions of Nx packages. These packages carried a hidden malware script—telemetry.js—that targeted developer machines, searching for GitHub tokens, NPM tokens, API keys, SSH keys, crypto wallets, and .env files, then uploading the stolen secrets into public GitHub repositories labeled s1ngularity-repository. The breach didn’t stop there. In Phase 2, the attackers used the compromised credentials to infiltrate hundreds of GitHub accounts, flipping over 6,700 private repositories to public, exposing sensitive intellectual property, AI service credentials, and cloud platform secrets. In some cases, they even modified shell startup files to crash developer systems. Most alarming of all, this attack marked the first documented weaponization of AI coding assistants—including Claude, Gemini, and Amazon Q—as automated data-harvesting tools. The attackers issued detailed prompts through AI CLIs, instructing them to search recursively for sensitive data, effectively turning trusted developer AI tools into accomplices. While many compromised GitHub tokens have since been revoked, a worrying percentage of stolen NPM tokens remain valid, extending the potential blast radius. The s1ngularity incident underscores the growing risks in today’s software supply chain, where open-source dependencies, developer machines, CI/CD pipelines, and AI assistants all create new points of vulnerability. This episode unpacks how the attack unfolded, why it’s being called a watershed moment in AI-driven cybercrime, and what organizations must do to defend against similar threats. From secret management and secure pipelines to AI usage policies and SBOM adoption, we explore the urgent measures needed to secure the future of software development against the next evolution of supply chain attacks. #s1ngularity #SupplyChainAttack #Nx #NPM #GitHub #AIExfiltration #Claude #Gemini #Cybersecurity #OpenSourceSecurity #SecretsManagement #CI_CD #SoftwareSupplyChain #DevSecOps

Sep 9, 2025 38 min

Ep 256 Canadian Investment Giant Wealthsimple Hit by Vendor Compromise

Wealthsimple, one of Canada’s largest online investment platforms, has confirmed a data breach that exposed the sensitive information of fewer than 1% of its three million clients. The incident, detected on August 30, 2025, originated from a supply chain attack: a trusted third-party vendor’s compromised software package served as the entry point for attackers. While Wealthsimple quickly contained the breach and confirmed that no client funds were accessed or stolen, the compromised data includes Social Insurance Numbers (SINs), government IDs, financial account numbers, IP addresses, dates of birth, and contact details—a treasure trove for identity thieves. Wealthsimple has assured clients that all accounts remain secure, but the exposure of SINs and government IDs raises significant concerns about long-term risks such as fraud, account takeovers, and tax-related identity theft. To mitigate these risks, the company is offering two years of free credit monitoring, dark-web surveillance, and identity theft protection services to those impacted. Clients have also been urged to enable two-factor authentication, remain vigilant for phishing scams, and regularly check financial and credit reports for suspicious activity. This breach highlights the growing threat of supply chain attacks, where adversaries exploit vulnerabilities in trusted third-party providers to compromise downstream organizations. Such attacks have become increasingly common—infamously seen in SolarWinds, Kaseya, and ASUS incidents—because they bypass traditional defenses and provide attackers with broad access at scale. Canadian regulators, including privacy and financial authorities, have been notified in line with breach reporting obligations. Beyond Wealthsimple, this incident is a stark reminder for organizations to strengthen vendor risk management, conduct ongoing security reviews of third-party partners, and adopt proactive defense strategies such as zero-trust frameworks, software integrity checks, and continuous monitoring. For individuals, it underscores the importance of maintaining strong password hygiene, avoiding reuse across accounts, and staying alert to potential fraud attempts long after the initial breach. #Wealthsimple #DataBreach #SupplyChainAttack #Cybersecurity #IdentityTheft #Canada #FinancialSecurity #SINFraud #ThirdPartyRisk #Privacy #InvestmentSecurity

Sep 8, 2025 34 min

Ep 255 FireCompass Raises $20M to Scale AI-Powered Offensive Security

In a year when cybercrime is projected to cost the world over $10.5 trillion, FireCompass has emerged as one of the most closely watched AI-driven cybersecurity innovators. The startup, founded in 2019, just secured $20 million in new funding—bringing its total raised to nearly $30 million. Backed in part by EC-Council’s Cybersecurity Innovation Fund, this investment is aimed at accelerating research and development, scaling global operations, and strengthening its talent base in an industry where skilled professionals remain in short supply. FireCompass offers a unified AI-powered offensive security platform designed to outpace adversaries by simulating real-world attacks at machine speed. Using its patented Agentic AI foundation, the platform chains vulnerabilities, conducts lateral movement, and validates risks across networks—mirroring the playbook of advanced attackers. With thousands of attack scenarios aligned to the MITRE ATT&CK framework, FireCompass continuously identifies exploitable risks before criminals can act, boasting over 2.5 million real attack paths uncovered to date and reducing customer remediation timelines by 40%. The funding comes at a pivotal moment for the cybersecurity industry. Venture capital investment in 2025 is increasingly concentrated on AI-native platforms as organizations grapple with the growing sophistication of threats, the rise of automated attacks, and the chronic shortage of cybersecurity talent. FireCompass’s expansion signals not only a bet on AI as the future of security but also a recognition that offensive, continuous threat exposure management (CTEM) is becoming mission-critical for enterprises worldwide. This episode explores how FireCompass plans to use its latest funding to transform global cybersecurity, why offensive security is becoming essential in an era of AI-powered threats, and how innovations like microsegmentation, lateral movement detection, and MITRE ATT&CK alignment are shaping the next generation of defense. #FireCompass #Cybersecurity #AI #OffensiveSecurity #MITREATTACK #CTEM #PenTesting #AgenticAI #ECcouncil #Cybercrime #ThreatExposureManagement #Automation #VentureCapital

Sep 8, 2025 38 min

Ep 254 CVE-2025-42957: Active Exploits Target SAP S/4HANA Systems

A newly uncovered critical vulnerability, tracked as CVE-2025-42957, is sending shockwaves through the enterprise technology world. Affecting all SAP S/4HANA deployments, both on-premise and in private cloud environments, this ABAP code injection flaw carries a near-maximum CVSS score of 9.9. What makes it especially dangerous is its low complexity: attackers armed with only low-privileged credentials can remotely inject code and achieve a full system takeover—no user interaction required. Discovered by SecurityBridge and patched by SAP in August 2025, the vulnerability is already being actively exploited in the wild. Attackers have been observed manipulating business data, creating new privileged SAP users, stealing password hashes, and modifying core business processes. In the worst cases, compromised systems could face fraud, espionage, massive data theft, or devastating ransomware attacks capable of halting operations across entire enterprises. SAP systems sit at the heart of global businesses, managing financials, supply chains, HR, and more. A compromise here can not only disrupt operations but also undermine strategic decisions by quietly altering key data. The danger is amplified by the speed with which attackers can reverse-engineer SAP’s patch, making unpatched environments an open door to compromise. Experts stress that applying SAP’s August security notes (3627998 and 3633838) is non-negotiable. Yet patching complex, highly customized ERP landscapes isn’t easy—often requiring rigorous testing before production deployment. In the meantime, organizations must harden their defenses by restricting authorizations, monitoring RFC activity, segmenting networks, and practicing incident response drills. This episode breaks down how CVE-2025-42957 works, why it matters, and what organizations must do now to prevent catastrophic breaches. With SAP systems increasingly interconnected and cloud-driven, this vulnerability is a stark reminder that ERP security must be continuous, holistic, and relentlessly proactive. #SAP #S4HANA #CVE202542957 #ERP #Cybersecurity #Ransomware #DataTheft #EnterpriseSecurity #SecurityBridge #PatchManagement #SAPSecurity #ABAPInjection

Sep 8, 2025 32 min

Ep 253 Fake Job Interviews, Real Hacks: How North Korean Spies Steal Billions in Crypto

North Korean cybercriminals have escalated their social engineering operations, deploying a wave of sophisticated campaigns designed to infiltrate cryptocurrency and decentralized finance (DeFi) organizations. At the center of these operations is the “Contagious Interview” campaign, where hackers impersonate recruiters and trick job seekers into downloading malicious software under the guise of skill assessments or interview tasks. Victims are often lured into copying commands from fabricated error messages, unknowingly executing malware that grants attackers access to sensitive systems. But the threat doesn’t stop there. Hackers are also posing as investment institution employees on platforms like Telegram, exploiting trust and urgency to gain persistent access to financial networks. These operations leverage advanced malware—like InvisibleFerret and BeaverTail—capable of keylogging, remote desktop control, credential theft, and long-term persistence through encrypted channels. Backed by the Lazarus Group and other North Korean units, these cyber campaigns are not random attacks but coordinated efforts to steal billions in digital assets, bypass international sanctions, and fund Pyongyang’s regime. Experts warn that these campaigns are becoming more effective because they target the weakest point in cybersecurity: the human element. With phishing responsible for 68% of reported breaches in 2024, the rise of fake interviews, insider threats, and RMM tool abuse poses a growing danger to the crypto industry and beyond. This episode explores the psychology behind social engineering, the tactics North Korean operatives are using, and the critical defenses organizations and individuals must adopt to stay ahead. #NorthKorea #Cybercrime #ContagiousInterview #SocialEngineering #CryptoHacks #DeFi #Phishing #LazarusGroup #Malware #Cybersecurity

Sep 8, 2025 30 min

Ep 252 Cato Networks Acquires Aim Security to Bolster AI Defense in SASE

Cato Networks, a leader in Secure Access Service Edge (SASE), has made its first acquisition, purchasing Aim Security, an AI security startup founded in 2022. The acquisition, valued at an estimated $300–350 million, represents a major step in addressing the growing risks tied to generative AI adoption in enterprises. As organizations increasingly embrace AI, a phenomenon known as “shadow AI” has emerged, with employees feeding sensitive company data into public tools like ChatGPT and Microsoft Copilot — often via personal accounts. This uncontrolled use of AI presents enormous security challenges, from exposing customer data and intellectual property to bypassing corporate compliance frameworks. Aim Security specializes in addressing these threats, offering a platform that secures employee use of public AI, internal private AI applications and agents, and the entire AI development lifecycle through AI Security Posture Management (AI-SPM). Cato Networks will integrate Aim’s inspection technology directly into the Cato SASE Cloud Platform, enabling real-time monitoring of AI prompts, responses, agent workflows, and model outputs. This move positions Cato to deliver a comprehensive AI security layer at the network’s control point, reinforcing SASE as the standard for secure enterprise connectivity in the AI era. The acquisition coincides with Cato’s broader momentum: the company has surpassed $300 million in annual recurring revenue (ARR) and expanded its Series G funding round with an additional $50 million, bringing its total funding to over $409 million. CEO Shlomo Kramer underscored the strategic vision, declaring that AI transformation will eclipse digital transformation as the defining force for enterprises over the next decade. Cato’s acquisition is part of a broader AI security arms race in cybersecurity, with major players like SentinelOne, Palo Alto Networks, and Tenable also acquiring AI security firms. The deal signals both the urgency and the opportunity in safeguarding enterprises against the new attack surface created by AI tools. For businesses, it’s a reminder that AI adoption without security is unsustainable — and that securing AI must become as fundamental as securing endpoints, networks, and the cloud. #CatoNetworks #AimSecurity #SASE #AIsecurity #shadowAI #generativeAI #AISPM #ShlomoKramer #ARR #funding #SeriesG #cybersecurity #acquisition #enterprisetech #AItransformation

Sep 5, 2025 51 min

Ep 251 Tidal Cyber Secures $10M to Advance Threat-Informed Defense

Cybersecurity startup Tidal Cyber, founded in 2022 by three former MITRE experts, has raised $10 million in Series A funding, bringing its total capital to $15 million. The funding will accelerate the company’s product innovation and expansion, advancing its mission to operationalize the MITRE ATT&CK framework and empower organizations with threat-informed defense. Unlike traditional security approaches that rely on compliance checklists or vulnerability counts, Tidal Cyber focuses on real-world adversary behavior. Its platform maps tactics, techniques, and procedures (TTPs) used by threat actors, providing defenders with actionable intelligence that goes far beyond indicators of compromise. A standout feature is its Procedures Library, an industry-first repository of real-world adversary actions curated from thousands of technical reports, delivering granular detail on how attackers actually operate. Tidal Cyber also introduces a rigorous approach to residual risk management, helping organizations understand exposures that persist even after security controls are applied. By continuously calculating residual risk for each adversarial technique, the platform enables defenders to prioritize resources and close gaps against the most relevant threats. This aligns cybersecurity strategy with real adversary tradecraft, rather than abstract frameworks or outdated compliance models. The funding comes at a time when venture capital in cybersecurity is surging, particularly for AI-powered solutions. With attackers leveraging AI and increasingly sophisticated methods, defenders need platforms that can adapt dynamically. Tidal Cyber’s blend of MITRE ATT&CK operationalization, AI-driven procedural insights, and proactive risk management positions it as a leading player in this transformation. CEO Rick Gordon emphasizes the shift: “Tidal Cyber flips the security model, putting adversary behavior at the center of defense. Organizations can move beyond assumptions and checkbox compliance toward a truly threat-led defense.” As organizations grapple with fast-evolving threats, Tidal Cyber’s rise signals a broader industry move toward continuous, proactive, and intelligence-driven security — a necessary evolution in a landscape where attackers innovate daily. #TidalCyber #MITREATTACK #cybersecurity #SeriesA #startupfunding #residualrisk #threatinformeddefense #TTPs #ProceduresLibrary #AIsecurity #proactivesecurity #threatleddefense #RickGordon #venturecapital

Sep 4, 2025 48 min

Ep 252 Disney Fined $10M for COPPA Violations Over Mislabeling Kids’ Content on YouTube

Disney has reached a $10 million settlement with the U.S. Federal Trade Commission (FTC) after being found in violation of the Children’s Online Privacy Protection Act (COPPA). At the heart of the case is Disney’s failure to properly label child-directed content on YouTube as “Made for Kids” (MFK). Instead, many videos — including clips from Frozen, Moana, Cars, Tangled, Toy Story, and other beloved franchises — were incorrectly designated as “Not Made for Kids” (NMFK), enabling YouTube to collect personal data from viewers under 13 for targeted advertising without parental consent. This mislabeling occurred despite earlier enforcement actions, such as the 2019 $170 million Google/YouTube COPPA settlement, and even after YouTube directly alerted Disney in 2020 about hundreds of mislabeled videos. Disney failed to change its corporate policy, which defaulted to channel-level audience designations instead of reviewing each video individually. Under the settlement terms, Disney must not only pay the $10 million penalty but also implement a parental notification system and a robust program to ensure proper video designation going forward. This includes actively reviewing uploads to determine whether they fall under COPPA’s child-directed classification, moving beyond blanket defaults that left children vulnerable to data tracking. The case highlights persistent challenges in COPPA compliance, where content creators, platforms, and major studios alike struggle to navigate the distinctions between “child-directed,” “family-friendly,” and general audience content. Missteps can lead to severe penalties, while proper classification often reduces monetization opportunities, creating tension between profit motives and child privacy rights. The Disney settlement also reflects larger concerns about the datafication of children online, as minors increasingly engage with digital platforms that monetize personal information. With the 2025 COPPA Rule updates — including expanded definitions of personal information, mandatory opt-in parental consent for targeted advertising, and stricter retention policies — companies face growing regulatory pressure. Proposed laws like COPPA 2.0 and the Kids Online Safety Act (KOSA) may soon expand protections further, raising the age threshold to 16 and banning targeted ads to minors altogether. For businesses, this enforcement action serves as a wake-up call: compliance must be proactive and operationalized, not treated as a checkbox exercise. For families, it underscores the importance of parental awareness, media literacy, and privacy education, ensuring children are better protected in a digital ecosystem increasingly built on surveillance and data monetization. #Disney #FTC #COPPA #childprivacy #MadeForKids #YouTube #dataprivacy #targetedadvertising #Frozen #Moana #ToyStory #Encanto #childrensafety #privacyregulation #digitalrights

Sep 4, 2025 36 min

Ep 251 Google Patches 111 Android Flaws in September 2025, Including Two Zero-Days Under Attack

Google has released its September 2025 Android security patches, addressing a staggering 111 unique vulnerabilities, including two actively exploited zero-day flaws that are already being used in targeted attacks. These zero-days — CVE-2025-38352, a Linux kernel race condition, and CVE-2025-48543, a flaw in the Android Runtime — allow attackers to escalate privileges and potentially take control of devices. Both issues require no special permissions or user interaction to exploit, making them especially dangerous. The update also fixes a critical remote code execution (RCE) vulnerability in the System component (CVE-2025-48539) that attackers could abuse without elevated privileges. Combined, these vulnerabilities highlight the urgency of updating devices immediately to at least the 2025-09-05 security patch level, which contains the full set of fixes. Beyond phones, the patch covers the broader Android ecosystem — including Pixel devices, Wear OS smartwatches, Pixel Watches, and Android Automotive OS systems. Updates also address 32 Qualcomm component vulnerabilities, three of which are critical. Google notes that the update strengthens memory safety in the Android Runtime and enhances Google Play Protect, providing additional defense against spyware and privilege escalation threats. The bulletin also underscores the growing risks of privilege escalation in mobile applications, whether through sideloaded apps, OEM pre-installed apps, or abuse of the Accessibility API. Attackers are increasingly exploiting over-permissioned apps, droppers, and even built-in OEM utilities to gain control of devices and exfiltrate sensitive data. For enterprises and everyday users alike, this update is essential. Security experts warn that attackers are already leveraging these zero-days in limited, targeted campaigns, likely linked to spyware operations. Organizations should push the update across managed fleets via MDM tools, while individuals should confirm their devices read "2025-09-05" or later under system settings. Failure to update leaves devices exposed to remote exploitation, spyware, and system takeover. This release is not just another monthly patch cycle — it’s a critical security moment for Android users worldwide. #Android #Google #securityupdate #CVE202538352 #CVE202548543 #CVE202548539 #Linuxkernel #AndroidRuntime #zeroDay #RCE #Pixel #WearOS #AutomotiveOS #Qualcomm #PlayProtect #privilegeescalation #mobilemalware #cybersecurity

Sep 4, 2025 30 min

Ep 250 Google Warns of Sitecore Zero-Day: ViewState Deserialization Under Fire

A critical zero-day vulnerability, CVE-2025-53690, is being actively exploited in the wild, targeting Sitecore Experience Manager (XM) and Experience Platform (XP) systems deployed with outdated ASP.NET machine keys. Google and Microsoft threat intelligence teams have confirmed that attackers are leveraging ViewState deserialization attacks to achieve remote code execution (RCE), enabling full compromise of vulnerable IIS servers. Once inside, attackers deploy WeepSteel malware, a reconnaissance and data exfiltration tool that blends into normal traffic by disguising exfiltrated information as benign ViewState responses. Post-exploitation activity includes creating stealthy administrator accounts (e.g., asp$, sawadmin), harvesting credentials, dumping registry hives, and installing persistence mechanisms such as DWAgent remote access tools. Attackers also use open-source utilities like EARTHWORM for covert tunneling and SharpHound for Active Directory reconnaissance, enabling lateral movement across enterprise networks. The tactics observed mirror state-sponsored threat actor behavior, showing a high degree of sophistication and stealth, including in-memory malware execution and cleanup of disk-resident tools. With over 3,000 machine keys publicly disclosed in repositories, the attack surface is vast, making this a severe supply-chain style risk for organizations that adopted outdated Sitecore deployment guides. Sitecore has issued mitigation guidance and strongly advises all customers to rotate machine keys, upgrade to supported versions, and perform forensic investigations to ensure no persistence mechanisms remain. Security experts emphasize the urgency of patching, hardening IIS servers, enforcing ViewState MAC validation, and monitoring for suspicious administrator account creation or exfiltration attempts. This episode unpacks how something as simple as a copied sample machine key can escalate into a full-blown compromise, what security teams should look for in their environments, and why this vulnerability highlights the ongoing dangers of insecure defaults and deserialization flaws. #cybersecurity #Sitecore #CVE202553690 #ViewState #ASPdotNET #WeepSteel #malware #RCE #Microsoft #Google #threatactors #infosec #zeroday #supplychainsecurity #databreach

Sep 4, 2025 56 min

Ep 249 Brokewell Malware Targets Android Users via Fake TradingView Ads on Meta

A new and highly sophisticated Android malware campaign, dubbed Brokewell, has emerged as one of the most dangerous mobile threats of 2024–2025. First spotted in April 2024 disguised as fake browser updates, Brokewell has since evolved into a fully featured spyware and remote access trojan (RAT), delivered through deceptive Meta (Facebook) advertisements. The latest campaign, active since July 2024, lures unsuspecting users with fraudulent promises of a premium version of the popular trading platform TradingView. Victims who sideload the malicious app are unknowingly giving attackers near-total control over their devices. Brokewell is no ordinary piece of malware—it is built for comprehensive surveillance, data theft, and financial fraud. Once installed, it abuses Android Accessibility permissions to trick users into revealing their lock screen PINs and then escalates privileges for persistence. Its capabilities include:

- Financial theft and fraud: Brokewell can drain cryptocurrency wallets, intercept banking credentials, and harvest sensitive financial identifiers.
- Two-Factor Authentication (2FA) bypass: By scraping Google Authenticator codes and intercepting SMS-based OTPs, it undermines one of the most widely used security measures.
- Full device takeover: Attackers can remotely control infected phones, stream screens in real time, perform swipes and clicks, and even uninstall apps or disable Google Play Protect.
- Comprehensive surveillance: The malware records keystrokes, captures screen activity, steals cookies, and accesses personal data from calls, messages, geolocation, and even the device camera.

Researchers warn that Brokewell’s sophistication places it alongside the most advanced Android threats seen in the wild. Its modular design, daily updates, and public availability of droppers that bypass Android 13+ restrictions suggest that this malware family will continue to expand—potentially even being rented as a service to other cybercriminals. The implications for users, especially those in the financial and crypto sectors, are severe. With the ability to bypass authentication, steal sensitive tokens, and exfiltrate large volumes of data, Brokewell is a potent threat to personal privacy and enterprise security alike. Experts strongly urge users to avoid sideloading apps, verify URLs before downloading, and only install software from trusted sources like the Google Play Store. Additionally, mobile users should scrutinize app permissions, enable Google Play Protect, adopt phishing-resistant MFA methods such as passkeys, and consider reputable security software for mobile threat detection. The Brokewell campaign illustrates the dangers of malvertising on trusted platforms and the growing professionalization of cybercrime targeting mobile devices. With financial theft, identity compromise, and corporate espionage at stake, Brokewell signals a dangerous new chapter in Android malware evolution. #Brokewell #AndroidMalware #TradingView #Malvertising #MetaAds #Spyware #RemoteAccessTrojan #2FAbypass #CryptoTheft #AccessibilityAbuse #MobileSecurity #ThreatFabric #Cybercrime

Sep 3, 2025 29 min

Ep 249 Von der Leyen and Shapps Flights Hit by Suspected Russian Electronic Warfare

Aviation safety and geopolitics collided when multiple flights carrying high-ranking European and UK officials were hit by suspected Russian GPS jamming. European Commission President Ursula von der Leyen’s flight to Bulgaria experienced a severe GPS outage, forcing a manual landing. EU officials immediately pointed the finger at Moscow, calling the incident “blatant interference.” Around the same time, UK Defence Secretary Grant Shapps’s jet lost GPS and communications while flying near Russia’s heavily militarized Kaliningrad enclave, an area long associated with electronic warfare testing. These incidents underscore a growing pattern of Russian electronic warfare tactics in the Baltic region and beyond. Russia has invested heavily in advanced jamming and spoofing systems such as Pole-21, Krasukha, and Murmansk-BN, capable of degrading navigation, communication, and targeting systems. While jamming simply blocks GPS signals, spoofing is more dangerous—it feeds aircraft false positional data, potentially misleading pilots or corrupting onboard systems. Reports show spoofing incidents rose 500% last year, with thousands of cases logged across Poland, Lithuania, Latvia, and Estonia in early 2025 alone. For Russia, GPS interference serves multiple purposes: disrupting military drones in Ukraine, intimidating Western officials, signaling anti-access/area denial (A2/AD) capabilities, and normalizing hybrid warfare tactics short of direct conflict. By targeting flights of figures like von der Leyen and Shapps, Moscow sends a chilling political message while gathering valuable data on Western responses. Although pilots are trained to navigate without GPS—using inertial systems, VOR/DME, ILS, and dead reckoning—the loss of satellite navigation increases workload, reduces precision, and introduces new risks, especially in poor weather or congested airspace. Spoofing, in particular, can trigger false ground proximity warnings, raising the danger of catastrophic misjudgments. In response, the EU and UK are accelerating countermeasures. Brussels is considering boosting satellite-based detection, expanding low Earth orbit monitoring, and even pushing sanctions against Russian electronic warfare units. The UK is investing millions into anti-jamming projects like Project Wayfind. Airlines are also adapting—avoiding known hot zones, upgrading receivers, and training crews to detect and respond to interference. With about 1,500 flights a day experiencing GPS disruption globally, experts warn that electronic warfare in the skies is becoming a normalized risk. As Russia continues to weaponize the radio spectrum, the EU, NATO, and airlines face the urgent task of hardening aviation navigation systems and securing the skies against the invisible threat of signal interference. #Russia #GPSJamming #GPSSpoofing #ElectronicWarfare #VonDerLeyen #GrantShapps #Kaliningrad #AviationSecurity #HybridWarfare #EUSecurity #UKDefence #BalticRegion #NATO #AirlineSafety

Sep 2, 2025 34 min

Ep 248Salesforce and Google Workspace Compromised in Largest SaaS Breach

In August 2025, the largest SaaS breach of the year shook the enterprise world when a newly identified threat actor, UNC6395, orchestrated a supply-chain attack through compromised Salesloft Drift and Drift Email applications. By stealing OAuth tokens, the attackers gained unauthorized access to Salesforce and Google Workspace environments of more than 700 companies—an attack scale ten times greater than previous Salesforce breaches.

The attackers exfiltrated sensitive business data, including Salesforce account records, customer contacts, support cases, and opportunity details. More alarmingly, they actively searched for credentials such as AWS access keys, Snowflake tokens, VPN logins, and passwords, putting critical infrastructure at risk. Victims included some of the world’s most prominent organizations—Google, Palo Alto Networks, Zscaler, and Nutanix—underscoring the breadth and severity of the compromise.

UNC6395 demonstrated advanced operational security by deleting forensic traces and using automated Python tools, Tor exit nodes, and cloud infrastructure to obfuscate their origins. This campaign highlights how SaaS-to-SaaS integrations—often granted over-permissive access without rigorous review—have become a new frontier for attackers. Because OAuth tokens can bypass MFA and often don’t expire, they represent a powerful backdoor into enterprise systems.

In response, affected companies revoked compromised tokens, rotated credentials, and implemented new security controls. Salesloft confirmed it notified all impacted customers and took immediate steps to contain the damage, but the long-term risks from stolen data remain under investigation.

This incident is a wake-up call for enterprises relying heavily on SaaS integrations. Security experts emphasize the urgent need for continuous monitoring of third-party app connections, strict least-privilege access controls, and real-time detection of anomalous SaaS activity. The UNC6395 campaign makes clear: cloud identity and SaaS-to-SaaS integrations are now the primary battleground for enterprise cybersecurity.

#UNC6395 #SalesloftDrift #SupplyChainAttack #SalesforceBreach #GoogleWorkspace #OAuthTokens #SaaSSecurity #DataExfiltration #AWSKeys #SnowflakeTokens #PaloAltoNetworks #Zscaler #Nutanix #CloudIdentity #SaaSIntegration #Cybersecurity

Sep 2, 2025 · 43 min

Ep 247 - Chained Zero-Days: WhatsApp and Apple Exploits Used in Sophisticated Spyware Attacks

A pair of newly discovered zero-day vulnerabilities—CVE-2025-43300 in Apple’s ImageIO framework and CVE-2025-55177 in WhatsApp—have been confirmed as part of a sophisticated spyware campaign targeting both iPhone and Android users. Security researchers revealed that attackers chained these flaws together in seamless zero-click exploits, requiring no user interaction to compromise devices. The Apple vulnerability, which exploited flaws in how Digital Negative (DNG) files were processed, enabled arbitrary code execution, while the WhatsApp flaw allowed attackers to force devices to fetch malicious content from arbitrary URLs.

Amnesty International reports that these vulnerabilities were used against civil society members, journalists, and other high-value targets, echoing past spyware campaigns such as Pegasus’ infamous FORCEDENTRY and BLASTPASS exploits. Apple has labeled the attacks “extremely sophisticated” and confirmed that targeted individuals were specifically chosen. WhatsApp has patched the flaw, pushed updates across its platforms, and notified roughly 200 affected users.

The implications of these chained exploits are severe: attackers could potentially gain access to messages, calls, photos, microphones, cameras, and location data—all without the victim clicking a single link. This marks another escalation in the ongoing arms race between advanced spyware developers and the security defenses of major tech platforms.

Both Apple and WhatsApp urge immediate patching to the latest versions. Security experts also recommend enabling Apple’s Lockdown Mode or Android’s Advanced Protection Mode for those at heightened risk. As spyware continues to evolve with zero-click capabilities, civil society groups, journalists, and human rights defenders remain on the front lines of digital surveillance.

#AppleZeroDay #WhatsAppZeroDay #CVE202543300 #CVE202555177 #ZeroClickExploit #SpywareCampaign #Pegasus #NSOGroup #AmnestyInternational #iOSSecurity #AndroidSecurity #MobileSpyware #Cybersecurity

Sep 2, 2025 · 26 min

Ep 246 - Miljödata Cyberattack: 80% of Swedish Municipalities Hit in Extortion Strike

Sweden is reeling from one of the largest public sector cyber incidents in its history. A ransomware attack on Miljödata, an IT services provider supporting nearly 80% of Sweden’s municipalities and several regions, has left critical systems inaccessible and raised fears of a massive leak of sensitive personal data. The stolen information could include medical certificates, labor law cases, rehabilitation data, and records of workplace injuries, placing thousands of citizens at risk.

The attackers are demanding 1.5 Bitcoin (≈1.5 million SEK, $168,000) to return the stolen data—an extortion tactic that has become a hallmark of modern ransomware. This crisis echoes the 2024 Tietoevry Akira ransomware attack, which caused major disruptions across Sweden, underscoring how single points of failure in IT providers can cascade into widespread national consequences.

Beyond the immediate ransom demand, the Miljödata breach exposes the systemic vulnerabilities in public sector cybersecurity. Municipalities and regions, often resource-constrained, rely heavily on external IT providers and lack the formalized Cybersecurity Situational Awareness (CSA) frameworks needed to detect, understand, and respond to such attacks. Studies show many public organizations still depend on manual data collection and ad-hoc decision-making, leaving them blind to evolving threats.

This episode explores:

- The mechanics of ransomware and why modern extortion attacks involve both encryption and data exfiltration.
- The cascading impact of one vendor compromise across hundreds of municipalities.
- Why CSA is essential for critical infrastructure—how structured monitoring, inter-organizational cooperation, and standardized reporting can dramatically improve resilience.
- The role of ISACs, CERTs, and legal frameworks in facilitating secure information sharing across municipalities, regions, and states.
- EU’s NIS2 directive and how new mandates on reporting and information sharing could strengthen defenses.
- Lessons from the U.S. power utilities’ Cyber Incident Response Playbook, including tiered response teams, legal considerations, and communication strategies.
- The growing challenge of smart city cyber risk, where interconnected services multiply the attack surface.

The Miljödata ransomware incident is more than a localized crisis—it is a warning for governments worldwide. As public administrations digitalize, cybersecurity situational awareness and coordinated response planning are no longer optional—they are essential for protecting public trust, sensitive data, and critical services.

#Miljödata #Ransomware #Cyberattack #Sweden #PublicSectorCybersecurity #CriticalInfrastructure #CybersecuritySituationalAwareness #CSA #ISAC #CERTSE #SmartCities #NIS2 #CyberResilience

Aug 29, 2025 · 52 min

Ep 246 - PromptLock Ransomware: How AI is Lowering the Bar for Cybercrime

The cybersecurity world has entered a new era: AI-powered ransomware. Researchers recently uncovered PromptLock, a proof-of-concept malware that uses OpenAI’s gpt-oss:20b model and Lua scripting to autonomously generate malicious code, encrypt data, and exfiltrate files across Windows, Linux, and macOS. While still experimental, PromptLock demonstrates just how quickly artificial intelligence can be weaponized for cybercrime—and how it drastically lowers the barrier to entry, enabling even low-skilled attackers to launch sophisticated attacks.

PromptLock’s design highlights the dual-use nature of AI models. By embedding hard-coded prompts, it can dynamically generate Lua scripts that decide in real time which files to target. This flexibility makes detection far more difficult: unlike traditional ransomware, the indicators of compromise (IoCs) vary with every execution, complicating signature-based defenses. Researchers warn that scripting languages like Lua, if not properly sandboxed, present another dangerous vector, since they can access system resources and execute harmful commands.

The arrival of PromptLock isn’t an isolated case. Just weeks earlier, Ukraine’s CERT reported LameHug, an AI-powered malware attributed to Russia’s APT28, which uses Hugging Face and Alibaba’s Qwen-2.5-Coder models to generate Windows shell commands for data theft. Alongside dark web tools like FraudGPT and WormGPT, these developments signal a rapid professionalization of AI-driven cybercrime, making once-advanced techniques widely accessible for just a few dollars.

The security implications are profound:

- Lowered entry barriers mean more actors can launch ransomware campaigns without advanced coding skills.
- Adaptive, AI-generated code undermines static defenses, requiring intelligent, behavior-based detection.
- Cross-platform compatibility increases the reach and scale of potential attacks.
- Nation-state adoption of AI malware raises the stakes for international security.
- Encryption choices, like PromptLock’s use of NSA-developed SPECK, reveal proof-of-concept intent but also highlight how AI can experiment with unconventional cryptographic approaches.

Experts emphasize that while AI isn’t creating entirely new threats, it is amplifying existing ones—making them faster, more scalable, and harder to stop. Addressing this challenge requires international collaboration, stronger security frameworks, adaptive AI-driven defenses, and careful regulation of how open-weight AI models are shared and deployed.

The emergence of AI malware like PromptLock is a wake-up call: the future of ransomware is not just automated—it’s intelligent, evasive, and global.

#PromptLock #AIpoweredMalware #Ransomware #LameHug #APT28 #Cybercrime #FraudGPT #WormGPT #LuaScripting #OpenAI #gptoss20b #AIThreats #DataExfiltration #SaaSsecurity #Cybersecurity

Aug 29, 2025 · 44 min

Ep 245 - Hybrid AD at Risk: Storm-0501 Exploits Entra ID for Cloud-Native Ransomware

The 2025 Purple Knight Report paints a stark picture of enterprise identity security: the average security assessment score for hybrid Active Directory (AD) and Entra ID environments has plummeted to just 61%—a failing grade and an 11-point decline since 2023. This troubling trend underscores the persistent challenges organizations face in protecting their most critical authentication and authorization infrastructure.

Meanwhile, financially motivated groups like Storm-0501 are exploiting these weaknesses with cloud-native ransomware tactics. Once focused on on-premises attacks, Storm-0501 now leverages compromised credentials, misconfigurations, and hybrid cloud pivot points to exfiltrate data, destroy backups, and encrypt Azure resources. Their attacks don’t rely on traditional malware deployment—instead, they weaponize legitimate Microsoft APIs, wipe Recovery Services vaults, mass-delete storage accounts, and even deliver extortion demands through compromised Microsoft Teams accounts.

The findings highlight glaring gaps:

- AD Certificate Services (ADCS) remains the weakest area of infrastructure security, repeatedly targeted by APT29/Midnight Blizzard and often misconfigured.
- Entra Connect Sync accounts provide a dangerous pivot: if compromised, attackers can reset Entra ID passwords for any hybrid account.
- Federated domain abuse enables adversaries to impersonate any user, bypass MFA, and establish persistence.
- Government agencies and mid-sized organizations are the most vulnerable, with the lowest average security scores, due to resource constraints and limited Entra ID expertise.

Yet there is hope. Organizations using Purple Knight’s remediation guidance reported an average 21-point improvement in security posture, showing that proactive measures can reverse the downward trend. The updated Incident Response Playbook for Ransomware Attacks (2025) offers a structured approach—preparation, detection, containment, remediation, recovery, and lessons learned—that aligns with modern hybrid cloud threats.

Best practices for defense include:

- Identity security first: enforce phishing-resistant MFA, adopt privileged identity management, and continuously audit privileged accounts.
- Backup resilience: follow the 3-2-1 rule, enable Azure Soft Delete, and require multi-user authorization for critical backup operations.
- Continuous monitoring: ingest AD and Entra ID logs, configure conditional access policies, and actively hunt for anomalous activity.
- Employee training: equip staff to recognize social engineering tactics, especially those used by Storm-0501 and Scattered Spider.

As threat actors pivot to hybrid identity environments, the security battle is moving squarely into the realm of cloud-native ransomware. Organizations that fail to adapt risk catastrophic data loss and extortion. Those that invest in strong identity practices, robust backups, and a tested response playbook will be better prepared to withstand the evolving threat landscape.

#ActiveDirectory #EntraID #PurpleKnightReport #Storm0501 #HybridIdentitySecurity #CloudNativeRansomware #MicrosoftTeams #ADCS #MFABypass #AzureSecurity #IncidentResponse #Cybersecurity

Aug 28, 2025 · 40 min