Alright team, it's been a packed 24 hours in the cyber world! We've got updates on some serious breaches, evolving malware, critical vulnerabilities, and a fair bit of regulatory action. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- Japanese semiconductor supplier Advantest is responding to a ransomware attack that impacted several company systems, highlighting a trend of increased targeting of industrial organisations.
- Criminals stole over $20 million in 2025 through ATM jackpotting, using malware like Ploutus to force cash dispensing, a cyber-physical attack on the rise.
- Abu Dhabi Finance Week inadvertently exposed passport details and other identity information of approximately 700 VIP attendees, including former British Prime Minister David Cameron, due to an unprotected cloud storage system.
- A supply chain attack on the `cline` npm package for an AI coding tool silently installed the OpenClaw AI framework on users' systems, exploiting a prompt injection vulnerability.
- A Ukrainian national was sentenced to five years in prison for facilitating a North Korean scheme to hire remote IT workers at US companies, funnelling funds to North Korea's munitions programs.
- Microsoft 365 Copilot had a bug that allowed it to summarise confidential emails from Sent Items and Drafts, bypassing Data Loss Prevention (DLP) policies, which has since been fixed.
- Polish authorities have detained a 47-year-old man suspected of ties to the Phobos ransomware group, part of Europol's ongoing Operation Aether.
- A Nigerian man was sentenced to eight years for using Warzone RAT to hack Massachusetts tax firms, stealing client data and filing over 1,000 fraudulent returns for $1.3 million.

๐Ÿ—ž๏ธ The Record | https://therecord.media/leading-japanese-semiconductor-supplier-ransomware
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/crims_atm_jackpotting/
๐ŸŒ‘ Dark Reading | https://www.darkreading.com/cyber-risk/abu-dhabi-finance-week-leaked-vip-passport-details
๐ŸŒ‘ Dark Reading | https://www.darkreading.com/application-security/supply-chain-attack-openclaw-cline-users
๐Ÿคซ CyberScoop | https://cyberscoop.com/doj-ukrainian-north-korea-remote-worker-scheme-facilitator-sentenced/
๐Ÿ“ฐ The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/nigerian-man-gets-eight-years-in-prison-for-hacking-tax-firms/

New Threat Research & Tradecraft 🔬

- ESET discovered PromptSpy, the first Android malware to use generative AI (Google Gemini) to adapt its persistence across different devices by interpreting UI elements. It functions as spyware, offering remote control, screen recording, and credential interception.
- Proofpoint uncovered "TrustConnect," a fake Remote Monitoring and Management (RMM) vendor selling a Remote Access Trojan (RAT) as a service (RATaaS), using a legitimate code-signing certificate and an AI-generated website to appear credible. RMM abuse surged 277% in 2025.
- "Starkiller" is a sophisticated Phishing-as-a-Service (PhaaS) tool that bypasses MFA by proxying legitimate login pages in real time, stealing both credentials and session tokens. Separately, threat actors are using device code vishing built on legitimate Microsoft OAuth flows to compromise Microsoft Entra accounts, again bypassing MFA.
- Chinese state-backed Volt Typhoon remains active and embedded in US critical infrastructure, aiming to pre-position for destructive attacks. SYLVANITE, another group, gains initial access to OT systems across various sectors before handing off to Volt Typhoon.
- North Korea's "Contagious Interview" campaign now includes a MetaMask backdoor, a lightweight JavaScript component, to steal wallet passwords from IT professionals in cryptocurrency, Web3, and AI sectors.
- LockBit 5.0 ransomware has evolved, now targeting Windows, Linux, ESXi, and Proxmox with advanced evasion techniques. "ClickFix" campaigns continue to use nested obfuscation and typosquatting (e.g., fake Homebrew sites) to deliver info-stealers and RATs like Matanbuchus 3.0, AstarionRAT, and Cuckoo Stealer.
- Kerberos delegation has been found to apply to machine accounts, not just human users, posing a significant risk if adversaries leverage it for Domain Administrator-equivalent privileges.
- Threat actors are weaponising inadvertently exposed vulnerable training applications (e.g., OWASP Juice Shop) in cloud environments to plant web shells and cryptocurrency miners. Atlassian Jira Cloud trials are also being abused for automated spam campaigns.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/genai_malware_android/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/promptspy-is-the-first-known-android-malware-to-use-generative-ai-at-runtime/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/rmm_rat_trustconnect/
๐ŸŒ‘ Dark Reading | https://www.darkreading.com/threat-intelligence/starkiller-phishing-kit-mfa
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/
๐Ÿ—ž๏ธ The Record | https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure
๐Ÿ“ฐ The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
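
The device code vishing item above is one where sign-in telemetry gives defenders a clear hook: the device-code grant shows up as its own authentication protocol in Entra ID sign-in logs. The script below is an added example written for this digest (not code from any of the linked articles); it walks a set of sign-in events, flags every device-code sign-in, and raises the severity when the sign-in comes from a country the user has never used on an ordinary sign-in or through an app that is not expected to use that flow. The field names follow the Microsoft Graph signIn resource; the events, the expected-apps list and the severity rules are constructed assumptions.

```python
"""Triage OAuth device-code sign-ins from Entra ID sign-in log records.

Added example for this digest, not code from any linked article. Field names
(userPrincipalName, authenticationProtocol, ipAddress, location.countryOrRegion,
appDisplayName, createdDateTime) follow the Microsoft Graph signIn resource; the
events below and the tenant policy are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry). Times are ISO-8601 UTC strings,
# so they sort correctly as plain strings.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-19T08:02:11Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-19T08:40:55Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-19T09:15:00Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "GB"}, "appDisplayName": "Visual Studio Code"},
    {"createdDateTime": "2026-02-19T09:20:00Z", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.50",
     "location": {"countryOrRegion": "GB"}, "appDisplayName": "Microsoft Teams"},
]

# Apps this hypothetical tenant expects to use the device-code flow
# (headless CLIs, IDE plug-ins and similar). Assumption for the example.
EXPECTED_DEVICE_CODE_APPS = {"Visual Studio Code"}


def build_country_baseline(events):
    """Map each user to the countries seen on their non-device-code sign-ins."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["authenticationProtocol"] != "deviceCode":
            baseline[ev["userPrincipalName"]].add(ev["location"]["countryOrRegion"])
    return baseline


def find_suspicious_device_code_signins(events, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one alert per device-code sign-in, ordered by time.

    Severity rules (assumptions for this example):
      * any device-code sign-in is at least 'low';
      * from a country absent from the user's baseline -> 'high';
      * no baseline at all, or an unexpected app -> 'medium'.
    """
    baseline = build_country_baseline(events)
    alerts = []
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        if ev["authenticationProtocol"] != "deviceCode":
            continue
        user = ev["userPrincipalName"]
        country = ev["location"]["countryOrRegion"]
        known = baseline.get(user)  # .get() does not create a defaultdict entry
        reasons = []
        if known is None:
            reasons.append("no interactive sign-in baseline for this user")
        elif country not in known:
            reasons.append(f"country {country} not in user's baseline {sorted(known)}")
        if ev["appDisplayName"] not in expected_apps:
            reasons.append(f"app '{ev['appDisplayName']}' is not expected to use device-code flow")
        if known is not None and country not in known:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"user": user, "time": ev["createdDateTime"], "ip": ev["ipAddress"],
                       "country": country, "app": ev["appDisplayName"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(alert["severity"].upper(), alert["user"], alert["time"], alert["ip"],
              "; ".join(alert["reasons"]) or "device-code sign-in")
```

Against the constructed events this produces two alerts: a high-severity one for alice (device-code sign-in from a country outside her baseline, through an app that should not need that flow) and a medium one for bob (expected app, but no interactive baseline to compare against). In a real pipeline the baseline would come from a longer window of historical sign-ins than the alerting window itself.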

Vulnerabilities & Active Exploitation ⚠️

- CISA has ordered federal agencies to patch a maximum-severity hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint within three days, as it's been actively exploited since mid-2024 by Chinese group UNC6201.
- Critical Ivanti Endpoint Manager Mobile (EPMM) flaws (CVE-2026-1281, CVE-2026-1340) are being actively exploited to deploy reverse shells, web shells, and malware like Nezha and cryptocurrency miners.
- A critical (CVSS 9.3) unauthenticated RCE flaw (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows remote attackers to gain root privileges and silently eavesdrop on calls.
- Microsoft patched a high-severity privilege escalation (CVE-2026-26119) in Windows Admin Center, allowing an authenticated attacker to elevate privileges over a network.
- OpenSSL fixed a stack buffer overflow (CVE-2025-15467) that could lead to Remote Code Execution (RCE) under certain conditions in its Cryptographic Message Syntax data processing.
- Researchers discovered 16 vulnerabilities in Foxit and Apryse PDF tools, potentially enabling account takeover, session hijacking, data exfiltration, and arbitrary JavaScript execution.
- CISA added an actively exploited GitLab Server-Side Request Forgery (SSRF) vulnerability (CVE-2021-22175) to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 11.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-dell-flaw-within-3-days/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/flaw-in-grandstream-voip-phones-allows-stealthy-eavesdropping/
📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-patches-cve-2026-26119.html
📰 The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html

Threat Landscape Commentary 🌍

- MIT CSAIL's 2025 AI Agent Index highlights that AI agents are becoming more capable but lack consensus on behaviour and safety standards. Most developers prioritise features over safety, and many agents ignore `robots.txt`, indicating traditional web protocols are insufficient.
- The proliferation of IoT devices in homes and offices presents significant security risks, with many lacking sufficient security features and storing unencrypted data at rest. Enterprises should segment IoT devices on separate networks and use dedicated accounts to prevent lateral movement.
- Google blocked over 1.75 million apps from the Play Store in 2025 due to policy violations, leveraging generative AI for improved detection. Separately, new research warns that LLM-generated passwords are fundamentally insecure because of their predictable nature.
- Dragos reports a sharp rise in ransomware groups targeting industrial organisations, with a 49% increase in 2025, impacting 3,300 industrial entities globally.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/20/ai_agents_abound_unbound_by/
๐ŸŒ‘ Dark Reading | https://www.darkreading.com/iot/connected-compromised-iot-devices-turn-threats
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/google-blocked-over-175-million-play-store-app-submissions-in-2025/
๐Ÿ“ฐ The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html

Regulatory Issues & National Security ⚖️

- The UK government plans to mandate online platforms remove non-consensual intimate images within 48 hours, treating them with the same severity as child sexual abuse material (CSAM) and terrorism content, with significant fines for non-compliance.
- Texas is suing TP-Link for deceptive marketing and alleged Chinese hacking risks, claiming its products, despite "Made in Vietnam" labels, rely on Chinese components and could be compelled to share user data with the CCP. Poland has also banned Chinese-made vehicles with data-recording technology from military facilities due to similar national security concerns.
- Following the 2024 Change Healthcare attack, HHS is focusing heavily on identifying and mitigating security risks from third-party vendors in the health sector, recognising their potential for outsized impact.
- West Virginia has sued Apple, alleging iCloud facilitates CSAM distribution and storage, citing Apple's decision to abandon CSAM detection tools and its significantly lower reporting numbers compared to other tech giants.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/uk_intimate_images_online/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/texas-sues-tp-link-over-chinese-hacking-risks-user-deception/
๐Ÿ“ฐ The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
๐Ÿคซ CyberScoop | https://cyberscoop.com/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors/
๐Ÿ—ž๏ธ The Record | https://therecord.media/apple-csam-west-virginia-lawsuit

Government Cybersecurity Initiatives 🏛️

- The US State Department is pushing for unified public-private sector efforts to transition to quantum-resistant encryption by 2035, emphasising that these long-term plans must outlive political leadership cycles to counter nation-state data harvesting.
- The Trump administration aims to accelerate the secure implementation of AI for cyber defence (detection, diversion, deception) while ensuring it doesn't expand the attack surface. This includes promoting US AI cybersecurity standards and strengthening the cyber workforce by consolidating existing training initiatives.

🤫 CyberScoop | https://cyberscoop.com/post-quantum-state-department-transition-plans-outlive-leadership-cycles/
🤫 CyberScoop | https://cyberscoop.com/trump-administration-ai-cybersecurity-oncd-strategy/

#CyberSecurity #ThreatIntelligence #Ransomware #Malware #Vulnerabilities #ZeroDay #ActiveExploitation #AI #Phishing #MFA #SupplyChainAttack #IoT #CriticalInfrastructure #NationalSecurity #DataPrivacy #RegulatoryCompliance #InfoSec #CyberAttack #IncidentResponse


Alright team, it's been a pretty packed 24 hours in the cyber world! We've got updates on several significant breaches, some deep dives into nation-state tradecraft, critical actively exploited vulnerabilities, and important regulatory shifts. Let's get stuck in:

Recent Cyber Attacks and Breaches ⚠️

- Spain's Ministry of Science has partially shut down its IT systems following a "technical incident". A threat actor, 'GordonFreeman', claimed responsibility, alleging an Insecure Direct Object Reference (IDOR) vulnerability granted them full admin access and allowed the exfiltration of personal records, emails, and application data.
- Romania's national oil pipeline operator, Conpet, confirmed a cyberattack disrupted parts of its IT infrastructure and took its website offline. While oil transport operations (OT systems) remained functional, the Qilin ransomware group has claimed responsibility, listing Conpet on their leak site and alleging the theft of nearly one terabyte of data.
- Photo-sharing platform Flickr is notifying users of a potential data breach stemming from a vulnerability in a third-party email service provider. The incident may have exposed users' real names, email addresses, Flickr usernames, IP addresses, general location data, and account activity, though passwords and payment card numbers were not compromised.
- An Illinois man, Kyle Svara, pleaded guilty to hacking nearly 600 women's Snapchat accounts between May 2020 and February 2021. He used social engineering to phish access codes, then downloaded private photos, which he kept, sold, or traded online. Svara also admitted to hacking accounts at the request of a former university track coach previously convicted of sextortion.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/
🗞️ The Record | https://therecord.media/romania-conpet-oil-pipeline-ransomware-attack
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/flickr-discloses-potential-data-breach-exposing-users-names-emails/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/06/flickr_emails_users_about_data_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/man-pleads-guilty-to-hacking-nearly-600-womens-snapchat-accounts/
🗞️ The Record | https://therecord.media/illinois-man-pleads-guilty-snapchat-nude-photo-hacks

New Threat Research on Threat Actors, Malware, and Techniques 🛡️

- Palo Alto Networks Unit 42 has uncovered TGR-STA-1030, a previously undocumented Asian state-backed cyber espionage group that has breached at least 70 government and critical infrastructure organisations across 37 countries since January 2024. The group uses phishing to deliver a dual-stage Diaoyu Loader, which then deploys Cobalt Strike, and also exploits N-day vulnerabilities in various software.
- Norway's domestic security agency (PST) confirmed that the Chinese state-sponsored espionage campaign, Salt Typhoon, has compromised network devices within Norwegian organisations. This campaign, known for targeting telecommunications and critical infrastructure, highlights an increasing threat from foreign intelligence services, particularly from China, Russia, and Iran, which are employing hybrid tactics to undermine Norway's resilience.
- Cisco Talos researchers have detailed DKnife, a China-nexus gateway-monitoring and adversary-in-the-middle (AitM) framework active since at least 2019. This Linux-based toolkit, comprising seven implants, performs deep packet inspection, manipulates traffic, and delivers malware like ShadowPad and DarkNimbus via routers and edge devices, primarily targeting Chinese-speaking users.
- Threat actors are weaponising a Windows kernel driver from the legitimate forensic tool EnCase to disable security products, despite its digital certificate being revoked over a decade ago. This bring-your-own-vulnerable-driver (BYOVD) technique exploits gaps in Windows' Driver Signature Enforcement, allowing older, unsigned drivers to load and terminate EDR processes before detection.
- Germany's domestic intelligence agency (BfV) and Federal Office for Information Security (BSI) are warning of suspected state-sponsored threat actors targeting high-ranking individuals in Germany and Europe through Signal account hijacking. These attacks use social engineering, not malware, to trick targets into sharing Signal PINs for full account takeover or scanning QR codes to link attacker-controlled devices for chat monitoring.

📰 The Hacker News | https://thehackernews.com/2026/02/asian-state-backed-group-tgr-sta-1030.html
🗞️ The Record | https://therecord.media/norawy-intelligence-discloses-salt-typhoon-attacks
📰 The Hacker News | https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework-targets-routers-for-traffic-hijacking-malware-delivery.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware/
🕶️ Dark Reading | https://www.darkreading.com/threat-intelligence/encase-driver-weaponized-edr-killers-persist
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/

Vulnerabilities and Active Exploitation 🚨

- CISA is warning that ransomware actors are actively exploiting CVE-2026-24423, a critical remote code execution (RCE) vulnerability in SmarterMail (versions prior to build 9511). The flaw allows unauthenticated RCE via the ConnectToHub API, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch or remove the product by February 26, 2026.
- The experimental AI agent social platform 'Moltbook' publicly exposed its entire user database, including secrets, PII, and API keys, due to an unsecured internal database. Furthermore, the underlying OpenClaw agent platform's 'ClawHub' marketplace was found to contain 283 skills (7.1% of the total) that leak sensitive credentials via prompt injection, and 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration.
- Indirect prompt injection attacks against OpenClaw agents have been demonstrated, allowing attackers to backdoor user machines and steal sensitive data or perform destructive operations. This is particularly concerning due to AI agents' integrations with productivity tools like Google Workspace and Slack, enabling attackers to deliver malicious prompts that can lead to the deployment of C2 beacons for long-term remote access.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-warns-of-smartermail-rce-flaw-used-in-ransomware-attacks/
🕶️ Dark Reading | https://www.darkreading.com/cyber-risk/agentic-ai-moltbook-security-risks
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/05/openclaw_skills_marketplace_leaky_security/

Threat Landscape Commentary 🌍

- Cloudflare reported a significant surge in DDoS attacks in Q4 2025, with volumes jumping 31% from the previous quarter and 58% year-over-year, totalling 47.1 million attacks. The UK experienced an unwelcome leap of 36 places to become the world's sixth-most targeted location, with financial services, telecoms, IT, and gambling/gaming sectors being primary targets.
- A new tool, KEV Collider, has been developed by Tod Beardsley (former CISA KEV section chief) to help security teams better triage CISA's Known Exploited Vulnerabilities (KEV) Catalog. The tool combines KEV data with other metrics like CVSS and EPSS scores, and Metasploit automation status, to provide a more relevant and prioritised view of vulnerabilities, acknowledging that the KEV list isn't a universal "must-patch" for all organisations.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/06/uk_climbs_up_ddos_hit/
๐Ÿ•ถ๏ธ Dark Reading | https://www.darkreading.com/threat-intelligence/data-tool-triage-exploited-vulnerabilities-make-kev-catalog-more-useful

Regulatory Issues and Changes 🏛️

- CISA has issued Binding Operational Directive 26-02, mandating U.S. Federal Civilian Executive Branch (FCEB) agencies to identify and remove end-of-life (EOL) network edge devices that no longer receive security updates from manufacturers. Agencies have three months to inventory these devices and 12-18 months to decommission and replace them, aiming to mitigate significant risks posed by advanced threat actors exploiting unsupported hardware.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-replace-end-of-life-edge-devices/
📰 The Hacker News | https://thehackernews.com/2026/02/cisa-orders-removal-of-unsupported-edge.html

AI for Vulnerability Discovery 🤖

- Anthropic's latest large language model (LLM), Claude Opus 4.6, has demonstrated impressive capabilities by discovering over 500 previously unknown high-severity security flaws in major open-source libraries, including Ghostscript, OpenSC, and CGIF. The model was able to identify these vulnerabilities without task-specific tooling or specialised prompting, showcasing its advanced coding, code review, and debugging skills.

📰 The Hacker News | https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity-flaws-across-major-open-source-libraries.html

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #Vulnerability #RCE #ActiveExploitation #AI #DataBreach #SocialEngineering #DDoS #IncidentResponse #InfoSec #CISA #EDR #BYOVD #SupplyChainSecurity


It's been a busy 24 hours in the cyber world with critical zero-day and n-day vulnerabilities under active exploitation, new threat actor tradecraft, a significant cyberattack on critical infrastructure, and important discussions around data privacy and AI's impact on security. Let's dive in:

Poland's Power Grid Hit by Coordinated Cyberattack ⚡
- A coordinated cyberattack in late December compromised control and communications systems at approximately 30 facilities linked to Poland's distributed energy generation.
- While the attack, attributed to Russia's Sandworm group, didn't cause power outages, it disabled key equipment beyond repair and prevented remote monitoring/control of systems.
- This incident highlights the growing targeting of distributed energy systems, which often have less cybersecurity investment than centralised infrastructure, by sophisticated adversaries.

๐Ÿ—ž๏ธ The Record | https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected

Mustang Panda Updates CoolClient Backdoor with Infostealers 🐼
- Chinese espionage group Mustang Panda has updated its CoolClient backdoor, now capable of stealing browser login data and monitoring clipboards.
- The new variant, observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, was deployed via legitimate Sangfor software, a shift from previous DLL side-loading tactics.
- It features enhanced core functions, a new clipboard monitoring module, active window title tracking, HTTP proxy credential sniffing, and deploys infostealers using hardcoded API tokens for services like Google Drive to evade detection.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-mustang-panda-hackers-deploy-infostealers-via-coolclient-backdoor/

Fake Python Spellcheckers Deliver RATs on PyPI 🐍
- Two malicious packages, "spellcheckerpy" and "spellcheckpy," were found on PyPI, masquerading as legitimate spellcheckers but delivering a full-featured Python Remote Access Trojan (RAT).
- The payload was cleverly hidden within a Basque language dictionary file, base64-encoded, and triggered upon importing the "SpellChecker" module in versions 1.2.0 and later.
- The RAT downloads from a domain linked to Cloudzy, a hosting provider with a history of serving nation-state groups, and is suspected to be from the same actor behind a similar "spellcheckers" campaign in November 2025.

📰 The Hacker News | https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on-pypi-delivered-hidden-remote-access-trojan.html
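
The hiding place in the spellchecker item above (a base64 blob inside a language dictionary, decoded at import time) suggests a cheap pre-install check: scan a package's non-code data files for long base64 runs that decode to something that looks like Python. The script below is an added example written for this digest, not code from the article or from any scanner; the sample package it builds is constructed, and the hidden stage it embeds is a harmless stand-in that only reports the platform. Token list, minimum blob length and file layout are assumptions.

```python
"""Flag base64-encoded Python hidden in package data files.

Added example for this digest (not the article's or any scanner's code). The
sample package is constructed; the embedded "payload" is harmless by design.
"""
import base64
import binascii
import os
import re
import tempfile

# A run of at least 200 base64 characters, optionally padded. Words in a real
# dictionary are newline-separated, so they never form a run this long.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Fragments that rarely appear in genuine data but routinely appear in loaders.
SUSPICIOUS_TOKENS = (b"import ", b"exec(", b"eval(", b"__import__", b"subprocess", b"socket")

# Constructed, harmless stand-in for a hidden stage: it only reports the platform.
SAMPLE_SCRIPT = b"""# Constructed, harmless stand-in for a hidden stage: it only reports the platform.
import os
import platform

def report():
    return {"system": platform.system(), "cwd": os.getcwd()}

if __name__ == "__main__":
    print(report())
"""


def decoded_python_like(blob):
    """Decode a base64 run and say whether the result looks like Python source."""
    try:
        data = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    tokens = [t.decode() for t in SUSPICIOUS_TOKENS if t in data]
    if not tokens:
        return None
    try:
        compile(data, "<decoded>", "exec")  # does the decoded text parse as Python?
        compiles = True
    except (SyntaxError, ValueError):
        compiles = False
    return {"tokens": tokens, "compiles": compiles, "decoded_bytes": len(data)}


def scan_package(root):
    """Walk every file under root; report base64 runs that decode to Python-like text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                content = fh.read()
            for match in B64_BLOB.finditer(content):
                info = decoded_python_like(match.group(0))
                if info:
                    findings.append({"file": os.path.relpath(path, root),
                                     "offset": match.start(), **info})
    return findings


def build_sample_package(root):
    """Write a constructed package: a clean dictionary and one with a hidden blob."""
    os.makedirs(os.path.join(root, "dict"), exist_ok=True)
    with open(os.path.join(root, "__init__.py"), "w") as fh:
        fh.write("# package marker for the constructed sample\n")
    with open(os.path.join(root, "dict", "en.txt"), "wb") as fh:
        fh.write(b"hello\ngoodbye\nthank you\n")
    hidden = base64.b64encode(SAMPLE_SCRIPT)
    with open(os.path.join(root, "dict", "eu.txt"), "wb") as fh:
        fh.write(b"kaixo\nagur\neskerrik asko\n" + hidden + b"\nmesedez\n")


def run_demo():
    """Build the sample package in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_package(root)
        return scan_package(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']} @ {f['offset']}: tokens={f['tokens']} compiles={f['compiles']}")
```

On the constructed package the scan reports exactly one hit, in `dict/eu.txt`, and notes that the decoded text parses as Python. The heuristic is deliberately narrow (long base64 runs only) so that it stays quiet on ordinary word lists; a real pre-install gate would combine it with a check for decode-and-exec patterns in the package's actual `.py` files.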

'Bizarre Bazaar' Operation Hijacks Exposed LLM Endpoints 🤖
- A new cybercrime campaign, dubbed 'Bizarre Bazaar', is actively targeting exposed Large Language Model (LLM) service endpoints to commercialise unauthorised access to AI infrastructure.
- Attackers exploit misconfigurations like unauthenticated Ollama endpoints (port 11434) and OpenAI-compatible APIs (port 8000) within hours of them appearing on Shodan/Censys.
- This operation involves a criminal supply chain for resource theft (crypto mining), reselling API access on darknet markets, data exfiltration from prompts, and lateral movement into internal systems via Model Context Protocol (MCP) servers.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/

Fortinet FortiCloud SSO Zero-Day Under Active Exploitation (CVE-2026-24858) ⚠️
- Fortinet has confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability (CVE-2026-24858, CVSS 9.4) affecting FortiOS, FortiManager, and FortiAnalyzer.
- Attackers are using FortiCloud accounts and registered devices to log into other customers' devices via FortiCloud SSO, creating rogue admin accounts (e.g., [email protected]) and exfiltrating configurations.
- Fortinet has implemented server-side mitigations by blocking SSO connections from vulnerable firmware versions, and patches are currently in development. Admins should still consider disabling FortiCloud SSO if not strictly necessary and review logs for compromise indicators.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/
📰 The Hacker News | https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/28/fortinet_forticloud_vuln/

WinRAR Path Traversal Flaw (CVE-2025-8088) Widely Exploited 🎯
- A six-month-old, high-severity WinRAR path traversal vulnerability (CVE-2025-8088, CVSS 8.8) is under widespread active exploitation by both nation-state actors (Russia, China) and financially motivated cybercriminals.
- The exploit method involves crafting malicious RAR archives that, when opened, silently drop a malicious payload into critical system locations like the Windows Startup folder, often using decoy files and Alternate Data Streams (ADS).
- Google Threat Intelligence Group (GTIG) reports that Russian groups like RomCom, Sandworm, Gamaredon, and Turla are targeting Ukrainian military and government entities, while cybercriminals deploy commodity RATs and infostealers globally. Patching WinRAR to version 7.13 or later is crucial.

🤫 CyberScoop | https://cyberscoop.com/winrar-defect-active-exploits-google-threat-intel/
📰 The Hacker News | https://thehackernews.com/2026/01/google-warns-of-active-exploitation-of.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/28/winrar_bug_under_attack/

Critical RCE and Sandbox Escape Flaws in Node.js vm2 and n8n 💻
- A critical sandbox escape vulnerability (CVE-2026-22709, CVSS 9.8) in the Node.js vm2 library allows attackers to run arbitrary code outside the sandboxed environment due to improper Promise handler sanitisation. Update to vm2 version 3.10.3 immediately.
- The n8n workflow automation platform is also affected by two critical vulnerabilities: CVE-2026-1470 (JavaScript AST sandbox escape) and CVE-2026-0863 (Python AST sandbox escape), both leading to full RCE on the main n8n node, even for authenticated non-admin users.
- These flaws highlight the inherent difficulty in safely sandboxing dynamic languages like JavaScript and Python; self-hosted n8n instances should update to versions 1.123.17, 2.4.5, 2.5.1 (for CVE-2026-1470) and 1.123.14, 2.3.5, 2.4.2 (for CVE-2026-0863) respectively.

📰 The Hacker News | https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox-escape-and-arbitrary-code-execution.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-sandbox-escape-flaw-exposes-n8n-instances-to-rce-attacks/

SolarWinds Web Help Desk Plagued by Critical RCE and Auth Bypass Flaws 🛠️
- SolarWinds has released patches for multiple critical vulnerabilities in its Web Help Desk (WHD) software, including authentication bypass flaws (CVE-2025-40552, CVE-2025-40554) and remote code execution (RCE) bugs (CVE-2025-40553, CVE-2025-40551).
- These RCE flaws, stemming from untrusted data deserialisation, can be exploited by unauthenticated attackers to run commands on vulnerable hosts, while authentication bypasses allow remote unauthenticated access.
- Given WHD's widespread use in critical sectors and a history of its vulnerabilities being actively exploited, admins should upgrade to Web Help Desk 2026.1 without delay.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/

AI's Impact on Zero-Trust and Data Accuracy 🤖
- Gartner predicts that by 2028, 50% of organisations will adopt a zero-trust data governance posture due to the rise of "unverified AI-generated data," leading to "model collapse" where LLMs degrade by training on their own erroneous outputs.
- This degradation can lead to confident-yet-plausible errors in critical tasks like code reviews and security triaging, eroding guardrails and creating prompt injection opportunities.
- To combat this, organisations need to identify and tag AI-generated data, establish active metadata practices, and filter out synthetic or toxic data from training inputs, treating human-generated data as the "gold standard."

🌑 Dark Reading | https://www.darkreading.com/application-security/ai-death-accuracy-zero-trust

Latin America Becomes Riskiest Region for Cyberattacks 📈
- Latin America and the Caribbean now lead globally in cyberattack frequency, experiencing an average of 3,065 attacks per week last year, a 26% year-over-year increase.
- Attacks are driven by a shift towards data-leak extortion, credential-stealing campaigns, exploitation of edge devices, and increased use of AI by attackers, with ransomware activity expected to accelerate further.
- The region's rapid digitalisation, valuable yet vulnerable industries, and increased interest from major cyber powers (including China-linked espionage) contribute to its elevated risk profile, urging improved ransomware resilience and GenAI governance.

🌑 Dark Reading | https://www.darkreading.com/cyber-risk/surging-cyberattacks-latin-america-riskiest-region

Moltbot AI Assistant Raises Data Security Concerns 🧠
- The viral open-source Moltbot (formerly Clawdbot) AI assistant, popular for local hosting and deep system integration, is raising significant data security concerns due to insecure enterprise deployments.
- Careless configurations, especially behind reverse proxies, often lead to exposed admin interfaces allowing unauthenticated access, credential theft, conversation history leaks, and even root-level command execution.
- Security researchers warn that info-stealing malware will likely adapt to target Moltbot's local storage, stressing the importance of isolating AI instances in virtual machines with strict firewall rules rather than running them directly on the host OS with broad permissions.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/

WhatsApp Rolls Out 'Strict Account Settings' for High-Risk Users 🔒
- Meta's WhatsApp is introducing "Strict Account Settings," a new one-click lockdown mode designed to provide extreme safeguards for high-risk individuals like journalists and public figures against sophisticated cyberattacks, including spyware.
- This feature, found under Settings > Privacy > Advanced, automatically enables two-step verification, blocks media from unknown senders, silences calls from unknown numbers, turns off link previews, and restricts access to profile information.
- The move comes as WhatsApp also transitions to the Rust programming language for media processing to boost security, following past incidents of zero-day exploits and spyware attacks targeting its users.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/whatsapp_strict_account_settings_meta_rust/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/whatsapp-gets-new-lockdown-feature-that-blocks-cyberattacks/

FBI Seizes RAMP Cybercrime Forum 🚨
- The FBI has seized the RAMP cybercrime forum, a notorious platform known for openly allowing the promotion of ransomware operations and advertising various malware and hacking services.
- Both the forum's Tor site and clearnet domain (ramp4u.io) now display an FBI seizure notice, indicating law enforcement has likely gained access to significant user data, including emails, IP addresses, and private messages.
- RAMP was launched in July 2021 by "Orange" (later identified as Mikhail Matveev, indicted by the U.S. DOJ for ransomware involvement) after other major Russian-speaking forums banned ransomware promotion, becoming a hub for gangs to recruit affiliates and sell network access.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #ActiveExploitation #WinRAR #Fortinet #NodeJS #SolarWinds #ThreatActors #MustangPanda #Malware #RAT #LLMjacking #AI #DataPrivacy #Regulatory #Darknet #Cybercrime #IncidentResponse

Cyberattack on Poland’s power grid hit around 30 energy facilities, new report says

Adding to previous research about an operation against Poland's electrical grid, analysts at Dragos say it affected dozens of facilities and disrupted operational technology.

It's been a busy 24 hours in the cyber world with significant updates on active exploitation of zero-days, widespread cyberattacks from sophisticated threat actors, and important discussions around data privacy and government initiatives. Let's dive in:

Recent Cyber attacks or breaches

ShinyHunters' SSO Vishing Spree Continues ⚠️
- The ShinyHunters group is actively targeting around 100 organisations, including major players like Canva, Atlassian, Epic Games, and Panera Bread, using evolved voice-phishing (vishing) techniques to compromise Okta, Microsoft, and Google SSO credentials.
- These attacks involve real-time phishing kits that mimic legitimate login pages and MFA requests, tricking employees into providing credentials and enrolling threat actor-controlled devices into MFA solutions.
- The group has claimed data theft from SoundCloud (29.8 million accounts), Betterment, Crunchbase, Panera Bread (14 million records), CarMax (500k+), and Edmunds (millions), often followed by extortion demands.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/have-i-been-pwned-soundcloud-data-breach-impacts-298-million-accounts/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/
🤫 CyberScoop | https://cyberscoop.com/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft/

Russian Security Firm Delta Hit by Cyberattack 🚨
- Delta, a major Russian provider of alarm and security systems for homes, businesses, and vehicles, suffered a "large-scale, coordinated" cyberattack attributed to an unspecified "hostile foreign state."
- The attack caused widespread service outages, with customers reporting issues like car alarms not deactivating, vehicles locking unexpectedly, and home systems switching to emergency mode.
- While Delta denies personal data compromise, an unidentified Telegram channel claiming responsibility has published an archive of alleged stolen data, the authenticity of which is unverified.
🗞️ The Record | https://therecord.media/russia-delta-security-alarm-company-cyberattack

Nike Investigates 1.4TB Data Leak by WorldLeaks 👟
- Sportswear giant Nike is investigating a potential cyber incident after the WorldLeaks extortion group claimed to have leaked over 1.4 terabytes of internal company data.
- The alleged stolen data includes internal documents, archives from 2020-2026, R&D assets, product creation details (technical packs, prototypes), supply chain information, and internal business presentations.
- WorldLeaks, believed to be a rebrand of the Hunters International ransomware group, briefly listed Nike on its leak site before removing the entry, suggesting potential negotiations or payment.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nike-investigates-data-breach-after-extortion-gang-leaks-files/
🗞️ The Record | https://therecord.media/nike-probes-alleged-cyber-incident
🕶️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/worldeaks-extortion-group-stole-1.4tb-nike-data

Ploutus ATM Jackpotting Ring Busted 💸
- US authorities have charged an additional 31 individuals, bringing the total to 87 members of the Venezuelan gang Tren de Aragua (TdA), for their involvement in a multi-million dollar ATM jackpotting scheme.
- The gang allegedly stole at least $5.4 million from 63 ATMs by physically accessing machines to replace hard drives or connect USBs, deploying Ploutus malware to force cash dispensing.
- TdA has been designated a Foreign Terrorist Organization by the U.S. Department of the Treasury, highlighting the increasing convergence of transnational organised crime and cyber-enabled financial fraud.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-charges-31-more-suspects-linked-to-atm-malware-attacks/
🗞️ The Record | https://therecord.media/dozens-more-charged-ploutus-jackpotting-atm

China-linked Hackers Accused of Years-Long UK Government Espionage 🇨🇳
- Chinese state-linked hackers, identified as Salt Typhoon, are accused of years-long access to the phones of senior Downing Street officials, potentially exposing private communications.
- The espionage focused on aides to former UK Prime Ministers and leveraged intrusions into telecommunications providers to skim metadata and communications without direct handset installation.
- This incident, discovered in 2024, underscores the persistent threat of nation-state espionage targeting critical government infrastructure and sensitive communications.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/

New Threat Research on Threat Actors/Groups, Ransomware, Malware, or Techniques and Tradecraft

ClickFix Attacks Evolve with App-V and Steganography 🎣
- A new ClickFix campaign is using fake CAPTCHA prompts to trick users into executing a command that abuses the signed Microsoft App-V script, SyncAppvPublishingServer.vbs, as a living-off-the-land (LoL) binary.
- This method proxies PowerShell execution through a trusted Microsoft component, making detection harder, and delivers the Amatera infostealer, which retrieves configuration from a public Google Calendar file and uses steganography to hide payloads in PNG images.
- The campaign is highly evasive, with checks for sandbox environments and a focus on enterprise-managed systems, reflecting a broader trend of ClickFix evolution into variants like GlitchFix and ClearFake, leveraging trusted web infrastructure for malware delivery.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-clickfix-attacks-abuse-windows-app-v-scripts-to-push-malware/
📰 The Hacker News | https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html
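A detection sketch for the App-V script abuse described above, added here as an example (it is not code from the cited articles). It runs two rules over constructed process-creation events: PowerShell whose parent command line references SyncAppvPublishingServer.vbs, and the script host invoked with arguments trailing the .vbs path. The "arguments after the script are unusual" heuristic and the list of user-driven parent processes are assumptions, not documented behaviour.

```python
from dataclasses import dataclass

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Assumption: these parents suggest a user pasted the command (Run box, Explorer, a browser)
# rather than a scheduled or service-driven App-V refresh.
USER_DRIVEN_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")

# Constructed Sysmon-style process-creation events; the "payload" is an inert placeholder.
SAMPLE_EVENTS = [
    {   # benign: script host runs the App-V script with no extra arguments
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    {   # ClickFix-style: user pastes a command that hands inline script text to the .vbs
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'SyncAppvPublishingServer.vbs "Write-Host CONSTRUCTED-PLACEHOLDER"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # the proxied PowerShell child spawned by that script host
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command CONSTRUCTED-PLACEHOLDER",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'SyncAppvPublishingServer.vbs "Write-Host CONSTRUCTED-PLACEHOLDER"',
    },
]


@dataclass
class Alert:
    severity: str
    reason: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _script_arguments(cmdline: str) -> str:
    """Whatever follows the .vbs name on the command line, with quotes and spaces trimmed."""
    idx = cmdline.lower().find(APPV_SCRIPT)
    if idx == -1:
        return ""
    return cmdline[idx + len(APPV_SCRIPT):].strip('" ')


def evaluate_event(ev: dict) -> list:
    """Apply both rules to one event and return the alerts it raises."""
    alerts = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    pcmd = ev.get("ParentCommandLine", "")

    # Rule 1: PowerShell whose parent is the App-V script. This is the proxying behaviour
    # the campaign relies on, so it is rated high regardless of the grandparent.
    if image in POWERSHELL and APPV_SCRIPT in pcmd.lower():
        alerts.append(Alert("high", "PowerShell spawned via SyncAppvPublishingServer.vbs", pcmd))

    # Rule 2: the script host runs the .vbs with trailing arguments (inline script text).
    if image in SCRIPT_HOSTS and APPV_SCRIPT in cmd.lower():
        args = _script_arguments(cmd)
        if args:
            severity = "high" if parent in USER_DRIVEN_PARENTS else "medium"
            alerts.append(Alert(severity, f"SyncAppvPublishingServer.vbs invoked with arguments: {args}", cmd))
    return alerts


def scan(events) -> list:
    """Run every event through evaluate_event and flatten the alerts."""
    return [alert for ev in events for alert in evaluate_event(ev)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}")
```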

'Stanley' MaaS Guarantees Malicious Chrome Extensions 😈
- A new malware-as-a-service (MaaS) called 'Stanley' is being advertised, promising to bypass Google's review process and publish malicious phishing extensions to the Chrome Web Store.
- These extensions can overlay full-screen iframes with phishing content over legitimate webpages, silently auto-install on Chrome, Edge, and Brave, and support custom tweaks, C2 polling, and geographic targeting.
- This offering highlights the ongoing challenge of securing browser extension platforms and the commoditisation of sophisticated phishing techniques; users should be vigilant about which extensions they install and who publishes them.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-malware-service-guarantees-phishing-extensions-on-chrome-web-store/

Chinese Networks Dominate Illicit Crypto Laundering 💰
- Chinese money laundering networks processed an estimated $16.1 billion in illicit cryptocurrency in 2025, accounting for 20% of all laundered funds globally.
- These operations are highly professionalised, using Telegram groups, "guarantee" platforms for escrow protection, and offering services like "Black U" for hacking proceeds and crypto swapping.
- The continued resilience of these networks, despite crackdowns, underscores the global challenge of combating crypto-enabled financial crime and its links to transnational organised crime groups.
🗞️ The Record | https://therecord.media/chinese-money-launderers-moved-more-crypto-2025

Vulnerabilities, especially any mentioning Remote Code Exploitation (RCE), Active Exploitation, or Zero-Days

Microsoft Office Zero-Day Under Active Exploitation (CVE-2026-21509) 🚨
- Microsoft has issued an emergency out-of-band patch for CVE-2026-21509, a high-severity security feature bypass zero-day in Microsoft Office that is actively being exploited in the wild.
- The flaw bypasses OLE mitigations, allowing attackers to execute arbitrary code by convincing a user to open a specially crafted Office file; the preview pane is not an attack vector.
- CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches or implement registry-based mitigations for older Office versions by February 16.
📰 The Hacker News | https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/office_zeroday_exploited_in_the/

SmarterMail Servers Vulnerable to RCE via Auth Bypass (CVE-2026-23760) 🛡️
- Over 6,000 SmarterMail servers remain exposed online and are likely vulnerable to automated attacks exploiting CVE-2026-23760, a critical authentication bypass flaw.
- This vulnerability in the password reset API allows unauthenticated attackers to hijack admin accounts and achieve remote code execution (RCE) on affected servers.
- CISA has added CVE-2026-23760 to its KEV catalog, urging federal agencies to patch by February 16, as mass exploitation attempts have already been observed in the wild.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-servers-exposed-to-automated-hijacking-attacks/

Critical Sandbox Escape in vm2 Node.js Library (CVE-2026-22709) 💻
- A critical sandbox escape vulnerability, CVE-2026-22709, has been discovered in the popular vm2 Node.js library, allowing arbitrary code execution on the host system.
- The flaw stems from improper sanitisation of Promise callbacks, enabling attackers to bypass the secure context designed to isolate untrusted JavaScript code.
- Despite having previously been discontinued because of similar issues, vm2 remains widely used; users are strongly advised to upgrade to version 3.10.3 immediately, as exploitation is trivial.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-sandbox-escape-flaw-discovered-in-popular-vm2-nodejs-library/

WinRAR Path Traversal Flaw Actively Exploited (CVE-2025-8088) 📦
- The high-severity WinRAR path traversal vulnerability, CVE-2025-8088, continues to be actively exploited by both state-sponsored and financially motivated threat actors since July 2025.
- Attackers leverage Alternate Data Streams (ADS) to conceal malicious files within decoy archives, dropping payloads like LNK, HTA, or script files into Windows Startup folders for persistence.
- Google Threat Intelligence reports observing groups like RomCom, APT44, TEMP.Armageddon, Turla, and China-linked actors using this flaw to deliver various malware, highlighting the commoditisation of such exploits.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/

Data Privacy

Google Settles Voice Recording Lawsuit for $68 Million 🎤
- Google has agreed to a $68 million settlement in a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared private conversations with third parties for targeted advertising.
- Plaintiffs claimed Google Assistant improperly triggered and recorded their words, leading to unwanted targeted ads, with the settlement funds to be distributed to Google device purchasers since May 2016.
- While Google settled without admitting wrongdoing, the case underscores ongoing concerns about privacy in voice-activated technologies and the use of personal data.
🗞️ The Record | https://therecord.media/google-settles-millions-privacy-recording

WhatsApp Introduces 'Strict Account Settings' for Spyware Protection 🔒
- WhatsApp is rolling out a new "Strict Account Settings" feature designed to combat sophisticated spyware attacks by allowing users to block attachments and media from non-contacts.
- This "lockdown-style" feature is specifically aimed at high-risk users like journalists and public figures, drawing parallels with similar protections offered by Apple and Google.
- The move follows WhatsApp's legal battles against NSO Group over Pegasus spyware, reinforcing the platform's commitment to user privacy and defence against advanced surveillance tools.
🤫 CyberScoop | https://cyberscoop.com/whatsapp-strict-account-settings-lockdown-style-spyware-protection/
🗞️ The Record | https://therecord.media/whatsapp-spyware-anti-lockdown

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #ActiveExploitation #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #SSO #MFA #Phishing #Vishing #PQC #DigitalSovereignty

SoundCloud confirms breach after member data stolen, VPN access disrupted

Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database exposing users' email addresses and profile information.

BleepingComputer

It's been a busy 24 hours in the cyber world with significant updates on actively exploited vulnerabilities, evolving social engineering tactics, and some notable cyberattacks. Let's dive in:

London Boroughs Still Recovering Months After Cyberattack 🏙️
- Hammersmith & Fulham Council is slowly restoring services, two months after a cyberattack affected multiple London boroughs. Online payments have resumed, but some account balances may not be current.
- Westminster City Council and Kensington & Chelsea also remain impacted, with the latter confirming criminal intent and data compromise, and warning that full system restoration could take months.
- This incident highlights the ongoing threat to local authorities, with the NCSC recently warning about pro-Russia hacktivist attacks causing costly disruption to such targets.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/landmark_milestone_as_hammersmith_fulham/

Dresden Museum Network Hit by Cyberattack 🖼️
- Germany's Dresden State Art Collections (SKD), one of Europe's oldest museum networks, has suffered a targeted cyberattack that disrupted significant parts of its digital infrastructure.
- The attack, discovered on Wednesday, has limited digital and phone services, with online ticket sales and the museum shop unavailable, and on-site payments restricted to cash.
- While security systems protecting the collections remain intact, the incident underscores a growing trend of cultural institutions becoming targets for cybercriminals, as seen with recent attacks on national art museums and libraries.

🗞️ The Record | https://therecord.media/dresden-state-art-collections-cyberattack

ATM Jackpotting Ring Busted in US 💰
- Two Venezuelan nationals have been convicted and will be deported for an ATM jackpotting scheme that stole hundreds of thousands of dollars from US banks across several states.
- The attackers connected laptops to older ATM models and installed Ploutus malware to bypass security protocols, forcing machines to dispense all available cash directly from the banks.
- This operation is linked to a larger conspiracy, with Nebraska authorities indicting 54 individuals, including alleged leaders of the Venezuelan Tren de Aragua gang, for similar multi-million dollar thefts.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-to-deport-venezuelans-who-emptied-bank-atms-using-malware/

Vishing and AitM Phishing Attacks on the Rise 🎣
- Okta has warned about custom vishing (voice phishing) kits, sold as a service, actively targeting Okta, Google, and Microsoft SSO accounts, as well as cryptocurrency platforms.
- These kits feature adversary-in-the-middle (AitM) capabilities, allowing attackers to manipulate phishing page content in real-time during a call, effectively bypassing push-based MFA, including number matching.
- Microsoft also reported a multi-stage AitM phishing and BEC campaign targeting energy firms, abusing SharePoint for phishing payloads and creating inbox rules for persistence and evasion. Post-compromise, attackers leverage stolen session cookies and internal identities for large-scale intra-organizational and external phishing.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_sell_voice_phishing_kits/
🚨 The Hacker News | https://thehackernews.com/2026/01/microsoft-flags-multi-stage-aitm.html

RMM Tools Weaponised for Persistent Access 🛠️
- A new dual-vector campaign is leveraging stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software, specifically LogMeIn Resolve, for persistent remote access.
- The attack starts with fake Greenvelope invitation emails to harvest Microsoft Outlook, Yahoo!, or AOL.com login details. These stolen credentials are then used to register with LogMeIn and generate RMM access tokens.
- A malicious executable, "GreenVelopeCard.exe," signed with a valid certificate, silently installs LogMeIn Resolve, alters its service settings for unrestricted access, and creates hidden scheduled tasks to maintain persistence.

🚨 The Hacker News | https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html

Malicious AI Extensions Steal Developer Data 💻
- Two malicious extensions in Microsoft's Visual Studio Code (VSCode) Marketplace, "ChatGPT – 中文版" (1.34M installs) and "ChatMoss (CodeMoss)" (150k installs), are exfiltrating developer data to China-based servers.
- Part of a campaign dubbed 'MaliciousCorgi,' these extensions, while providing advertised AI coding assistance, covertly monitor and transmit the entire contents of opened files, including changes, encoded in Base64.
- They also perform server-controlled harvesting of up to 50 files from a victim's workspace and use commercial analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) for user profiling and device fingerprinting, exposing sensitive source code, configuration files, and credentials.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-ai-extensions-on-vscode-marketplace-steal-developer-data/

Fortinet FortiGate SSO Flaw Still Exploitable ⚠️
- Fortinet has confirmed that a critical FortiCloud SSO authentication bypass vulnerability (CVE-2025-59718), supposedly patched in December, is still being actively exploited via a new attack path.
- Threat actors are compromising fully patched FortiGate firewalls, creating generic accounts with VPN access, and exfiltrating firewall configurations within seconds, indicating automated activity.
- Fortinet advises customers to restrict administrative access to management interfaces, disable the FortiCloud SSO feature, and rotate all credentials if any indicators of compromise are detected, as the issue applies to all SAML SSO implementations.

👁️ Dark Reading | https://www.darkreading.com/cloud-security/fortinet-firewalls-malicious-configuration-changes
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortinet-confirms-critical-forticloud-auth-bypass-not-fully-patched/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/fortinet_fortigate_patch/

Pwn2Own Automotive Uncovers 76 Zero-Days 🚗
- The Pwn2Own Automotive 2026 competition concluded with security researchers earning over $1 million for exploiting 76 zero-day vulnerabilities in automotive technologies.
- Targets included in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems like Automotive Grade Linux.
- Vendors have 90 days to patch these newly disclosed flaws before Trend Micro's Zero Day Initiative publicly releases the details.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-get-1-047-000-for-76-zero-days-at-pwn2own-automotive-2026/

CISA Adds Four Actively Exploited Bugs to KEV 🚨
- CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with four actively exploited flaws impacting enterprise software. Federal Civilian Executive Branch (FCEB) agencies must patch these by February 12, 2026.
- The vulnerabilities include a PHP remote file inclusion in Synacor Zimbra Collaboration Suite (CVE-2025-68645), an authentication bypass in Versa Concerto SD-WAN (CVE-2025-34026), and an improper access control flaw in Vite Vitejs (CVE-2025-31125).
- Also added is CVE-2025-54313, an embedded malicious code vulnerability in `eslint-config-prettier`, stemming from a supply chain attack that hijacked several npm packages to deliver an information stealer.

🚨 The Hacker News | https://thehackernews.com/2026/01/cisa-updates-kev-catalog-with-four.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-confirms-active-exploitation-of-four-enterprise-software-bugs/

Critical Telnetd Auth Bypass Exploited for Root Access 🔓
- A coordinated campaign is exploiting CVE-2026-24061, an 11-year-old critical authentication bypass vulnerability in the GNU InetUtils telnetd server.
- The flaw allows attackers to gain root access by leveraging unsanitized environment variable handling, specifically by setting the USER variable to "-f root" when connecting via telnet.
- While Telnet is a legacy component, its prevalence in industrial, legacy, and embedded devices (IoT/OT) makes this easily exploitable bug a concern, with GreyNoise observing automated and some "human-at-keyboard" exploitation attempts.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-telnetd-auth-bypass-flaw-to-get-root/

Chinese Electric Buses Raise National Security Concerns 🚌
- Australia's government is reviewing whether Chinese-made Yutong electric buses, currently in use in major cities, pose a national security risk due to potential remote control capabilities.
- Research from Oslo's public transport authority found that Yutong maintains an over-the-air (OTA) connection, allowing the manufacturer remote access to the Controller Area Network (CAN) bus, which controls driving systems.
- While no "kill switch" or invasive data collection was explicitly found, the inherent risks of connected IoT devices, coupled with China's national intelligence laws, raise concerns about data exfiltration, surveillance, or broader fleet compromise.

👁️ Dark Reading | https://www.darkreading.com/cyber-risk/chinese-electric-buses-aussie-govt

AI-Powered Cyberattack Kits on the Horizon 🤖
- Google's VP of Security Engineering, Heather Adkins, warns CISOs to prepare for a "really different world" where cybercriminals will reliably automate cyberattacks at scale using AI.
- While currently used for small tasks like phishing copy and C2 development, it's "just a matter of time" before full, end-to-end AI toolkits emerge, potentially leading to a "Metasploit moment" for AI-driven threats.
- This shift could mean attackers gain a significant first-mover advantage, forcing defenders to redefine success not by preventing breaches, but by limiting dwell time and damage, potentially through real-time, AI-enabled defensive disruptions.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/ai_cyberattack_google_security/

Microsoft Provided BitLocker Keys to FBI 🔒
- Microsoft reportedly provided the FBI with BitLocker encryption keys to unlock laptops of Windows users charged in a fraud indictment, marking the first publicly known instance of such disclosure.
- By default, Microsoft "typically" backs up BitLocker recovery keys to its servers when the service is set up with an active Microsoft account, giving Redmond access to these keys.
- This highlights a trade-off between data recoverability and privacy, as users who choose to store keys with Microsoft relinquish total control over access to their encrypted data, a stark contrast to Apple's Advanced Data Protection where Apple holds fewer keys.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/surrender_as_a_service_microsoft/

Ireland to Legalise Law Enforcement Spyware 🇮🇪
- The Irish government plans to draft legislation to legalise the use of spyware by law enforcement to combat serious crime and security threats.
- The proposed bill would require court authorisation for interception requests and include provisions for electronic scanning equipment to track mobile device identifier data.
- This move aims to strengthen "lawful interception powers" and create a legal basis for "covert surveillance software," with robust safeguards promised to ensure necessity and proportionality.

🗞️ The Record | https://therecord.media/ireland-plans-law-enforcement-spyware

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ActiveExploitation #ZeroDay #Phishing #Vishing #AitM #SocialEngineering #Malware #RMM #SupplyChain #DataPrivacy #Fortinet #CISA #KEV #IoT #AI #NationalSecurity #Geopolitics #InfoSec #CyberAttack #IncidentResponse

London boroughs limping back online months after cyberattack

Direct debits? Maybe February. Birth certificates? Dream on. Council tax bills? Oh, those are coming

The Register

It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new malware evasion techniques, and a reminder about the ever-evolving privacy landscape. Let's take a look:

Anchorage Police & Canadian Investment Regulator Breaches 🚨

- The Anchorage Police Department took servers offline and disabled third-party access after a cyberattack on their data migration provider, Whitebox Technologies. While no evidence of APD system compromise or data acquisition exists, the incident highlights third-party risk.
- Canada's Investment Regulatory Organization (CIRO) confirmed a sophisticated phishing attack last August impacted approximately 750,000 investors. Compromised data includes dates of birth, SINs, government IDs, and investment account numbers, though no evidence of misuse has been found.
- These incidents underscore the critical importance of supply chain security and robust incident response, especially for organisations handling sensitive public or financial data.

🗞️ The Record | https://therecord.media/anchorage-police-takes-servers-offline-after-third-party-attack
🗞️ The Record | https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach

China-Linked APTs Target Critical Infrastructure & US Policy 🇨🇳

- Cisco Talos identified "UAT-8837," a China-backed APT, targeting North American critical infrastructure using compromised credentials and exploiting vulnerabilities like CVE-2025-53690 in SiteCore products, suggesting access to zero-day exploits.
- Another China-linked group, Mustang Panda (aka UNC6384, Twill Typhoon), used Venezuela-themed spear phishing lures to target US government agencies and policy organisations, deploying a new DLL-based backdoor called Lotuslite for espionage.
- Meanwhile, the GootLoader malware has evolved its evasion tactics, using malformed ZIP files built from 500-1,000 concatenated archives with truncated EOCD records to bypass security tools while remaining readable by Windows' default unarchiver.

🗞️ The Record | https://therecord.media/china-hackers-apt-cisco-talos
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
📰 The Hacker News | https://thehackernews.com/2026/01/lotuslite-backdoor-targets-us-policy.html
📰 The Hacker News | https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html
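A defender-side check for the malformed-ZIP evasion described in the GootLoader item above, added here as an example (not code from the cited reports). It counts ZIP structure signatures, verifies that the final end-of-central-directory (EOCD) record is complete, compares the entry count the EOCD declares with the central headers actually present, and records whether Python's strict zipfile parser accepts the file. The sample archives are constructed in memory with inert content, using five concatenated copies rather than the 500-1,000 the report describes.

```python
import io
import struct
import zipfile
from dataclasses import dataclass, field

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
EOCD_FIXED_LEN = 22          # fixed part of the EOCD; a variable-length comment may follow


@dataclass
class ZipReport:
    local_headers: int
    central_headers: int
    eocd_records: int
    declared_entries: int       # "total entries" field of the final EOCD (0 if unreadable)
    last_eocd_truncated: bool
    parses_with_zipfile: bool   # what a strict parser makes of the same bytes
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def find_all(data: bytes, sig: bytes) -> list:
    """Offsets of every occurrence of a signature (heuristic: compressed data can contain these bytes too)."""
    offsets, i = [], data.find(sig)
    while i != -1:
        offsets.append(i)
        i = data.find(sig, i + 1)
    return offsets


def eocd_truncated(data: bytes, offset: int) -> bool:
    """True if the EOCD starting at offset does not fit in the file, including its declared comment."""
    if offset + EOCD_FIXED_LEN > len(data):
        return True
    comment_len = struct.unpack_from("<H", data, offset + 20)[0]
    return offset + EOCD_FIXED_LEN + comment_len > len(data)


def inspect_zip(data: bytes) -> ZipReport:
    """Structural checks that do not depend on any one unarchiver's tolerance for damaged files."""
    locals_ = find_all(data, LOCAL_SIG)
    centrals = find_all(data, CENTRAL_SIG)
    eocds = find_all(data, EOCD_SIG)
    truncated = eocd_truncated(data, eocds[-1]) if eocds else True
    declared = 0
    if eocds and not truncated:
        declared = struct.unpack_from("<H", data, eocds[-1] + 10)[0]
    report = ZipReport(len(locals_), len(centrals), len(eocds), declared, truncated,
                       zipfile.is_zipfile(io.BytesIO(data)))
    if len(eocds) > 1:
        report.reasons.append(f"{len(eocds)} EOCD records: archives concatenated back to back")
    if not eocds:
        report.reasons.append("no EOCD record at all")
    elif truncated:
        report.reasons.append("final EOCD record is truncated")
    elif declared != len(centrals):
        report.reasons.append(f"EOCD declares {declared} entries but {len(centrals)} central headers present")
    return report


def build_clean_zip(name: str, payload: bytes) -> bytes:
    """A well-formed single-entry archive, stored uncompressed so the signature scan stays exact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_concatenated_zip(copies: int, truncate_final_eocd_by: int = 0) -> bytes:
    """Constructed sample in the style the report describes: complete archives glued back to back,
    optionally with the final EOCD cut short. The entry is an inert placeholder text file."""
    one = build_clean_zip("lure.js", b"// constructed placeholder content, not malware\n")
    blob = one * copies
    return blob[:len(blob) - truncate_final_eocd_by] if truncate_final_eocd_by else blob


if __name__ == "__main__":
    samples = [
        ("clean", build_clean_zip("a.txt", b"hello")),
        ("5 concatenated", build_concatenated_zip(5)),
        ("5 concatenated, truncated EOCD", build_concatenated_zip(5, 4)),
    ]
    for label, blob in samples:
        r = inspect_zip(blob)
        print(f"{label}: suspicious={r.suspicious} zipfile_parses={r.parses_with_zipfile} {r.reasons}")
```

The concatenated-but-intact sample is accepted by the strict parser, which silently uses only the last archive, so the EOCD and header counts are what reveal the trick; the truncated variant is rejected outright.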

Black Basta Ring Leader Hunted 💰

- German and Ukrainian authorities have identified two Ukrainians as "hash crackers" for the Russia-linked Black Basta ransomware group and placed the alleged ringleader, Oleg Evgenievich Nefekov (aka 'tramp', 'Washingt0n'), on an international most-wanted list.
- Nefekov, 35, is accused of founding and leading Black Basta, responsible for extorting over $100 million from approximately 700 organisations worldwide since 2022.
- This coordinated law enforcement action highlights ongoing efforts to dismantle ransomware operations and hold key individuals accountable, with seized digital assets and cryptocurrency indicating active investigations.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/black_basta_boss_wanted/
🗞️ The Record | https://therecord.media/police-raid-homes-of-alleged-black-basta-hackers

Critical Vulnerabilities Under Active Exploitation ⚠️

- Cisco has finally patched CVE-2025-20393, a maximum-severity RCE zero-day in AsyncOS for Secure Email Gateway and Secure Email and Web Manager, which was actively exploited by China-linked APT UAT-9686 since late November 2025.
- A critical RCE flaw (CVE-2025-37164) in HPE OneView, a data centre management platform, is now being exploited at scale by the RondoDox botnet, with over 40,000 automated attack attempts observed globally, primarily targeting government, financial, and industrial sectors.
- AMD CPUs are vulnerable to "StackWarp" (CVE-2025-29943), a low-severity flaw in SEV-SNP secure virtualisation, allowing malicious hypervisors to access VM secrets, recover private keys, and escalate privileges by manipulating the stack pointer when SMT is enabled. Patches are available.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/15/cisco_fixes_cve_2025_20393/
📰 The Hacker News | https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/15/stackwarp_bug_amd_cpus/

More Vulnerabilities and IoT Risks 🔒

- CISA's own "Software Acquisition Guide: Supplier Response Web Tool" was found to have a simple cross-site scripting (XSS) vulnerability, highlighting that even tools promoting secure development can have basic flaws.
- A bankrupt Estonian e-scooter startup, Äike, left all its devices vulnerable by shipping them with a single, default private key, allowing any scooter within Bluetooth range to be unlocked by reverse-engineering the Android app.
- These incidents serve as a stark reminder that fundamental security practices, from input validation to proper key management, remain crucial across all software and IoT deployments.

🤫 CyberScoop | https://cyberscoop.com/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/bankrupt_scooter_startup_key/

AI for Defence & Initial Access Brokers 🛡️

- The Pacific Northwest National Laboratory (PNNL) has developed ALOHA, an AI-based system using Agentic LLMs to significantly reduce attack reconstruction time from weeks to hours, aiding purple teams in quickly testing defences against new threats.
- A Jordanian initial access broker (IAB) operating as "r1z" pleaded guilty to selling access to 50 company networks and powerful EDR-killing malware for $15,000, demonstrating the sophistication and value of IABs in the cybercrime ecosystem.
- These developments highlight both the accelerating pace of cyber defence through AI and the persistent, foundational role of IABs in enabling broader cyberattacks, including ransomware.

🌑 Dark Reading | https://www.darkreading.com/cybersecurity-operations/ai-system-attack-reconstruction-weeks-hours
🗞️ The Record | https://therecord.media/jordanian-initial-access-broker-pleads-guilty-to-helping-target-50-companies

Carlsberg Experience Exposes Visitor Data 🍻

- The Carlsberg exhibition in Copenhagen had a vulnerability where visitor names, images, and videos, accessed via wristband IDs, could be easily brute-forced due to predictable ID formats and a lack of effective rate limiting.
- Pen Test Partners researcher Ken Munro discovered the flaw, which exposed personal data of thousands of visitors monthly, raising GDPR concerns.
- The incident also highlighted challenges in responsible disclosure, with Carlsberg's slow response and ineffective patching attempts.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/carlsberg_experience_vulnerability/

CISOs Ascend to Executive Suite 📈

- A new report indicates that CISO titles are increasingly becoming executive-level positions, surpassing VP or director roles, especially in large publicly traded companies.
- This shift is driven by the growing digital dependency of businesses, the rising tide of cyberattacks, and increasing regulatory pressures, such as those from the SEC and updated Gramm-Leach-Bliley Act, which mandate accountability for cybersecurity.
- While the executive title offers a seat at the strategic table and can help with security prioritisation, concerns about CISO burnout persist, particularly in smaller organisations with fewer resources and broader responsibilities.

🌑 Dark Reading | https://www.darkreading.com/cybersecurity-operations/cisos-rise-to-prominence-security-leaders-join-the-executive-suite

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Malware #Vulnerability #ZeroDay #RCE #ActiveExploitation #SupplyChainSecurity #DataPrivacy #CISO #AI #IncidentResponse #InfoSec

Anchorage police department takes servers offline after cyberattack on service provider

The police department said there “is no evidence indicating that APD systems have been compromised or that any APD data has been acquired by the threat actor.”

It's been a pretty packed 24 hours in the cyber world, with some critical RCE vulnerabilities under active exploitation, a string of significant breaches impacting UK public sector and a major car manufacturer, and important reminders about MFA. Let's dive in:

Critical RCEs Under Active Exploitation & Patches ⚠️
- Legacy D-Link DSL Routers (CVE-2026-0625): A critical command injection flaw (CVSS 9.3) in the "dnscfg.cgi" endpoint of legacy D-Link DSL gateway routers is being actively exploited. This allows unauthenticated remote attackers to execute arbitrary shell commands, leading to RCE and potential DNS hijacking. Many affected models (DSL-2640B, DSL-2740R, DSL-2780B, DSL-526B) are End-of-Life, meaning no patches are coming – upgrade immediately!
- Veeam Backup & Replication (CVE-2025-59470): Veeam has patched a critical RCE vulnerability (CVSS 9.0, rated high by Veeam due to privilege requirements) in Backup & Replication 13.0.1.180 and earlier. This flaw allows Backup or Tape Operators to achieve RCE as the postgres user. Given VBR's popularity and past targeting by ransomware gangs (Cuba, FIN7, Frag, Akira, Fog), patching is crucial.
- n8n Workflow Automation (CVE-2026-21858): A maximum severity (CVSS 10.0) "Ni8mare" vulnerability in n8n, an open-source workflow automation tool, allows remote, unauthenticated attackers to hijack instances. The flaw is a content-type confusion in how n8n parses data, enabling arbitrary file reading and potential secret exposure or command execution. Over 100,000 vulnerable servers are estimated; update to n8n version 1.121.0 or newer, and restrict public webhook/form endpoints.

📰 The Hacker News | https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-veeam-vulnerabilities-expose-backup-servers-to-rce-attacks/
🤫 CyberScoop | https://cyberscoop.com/veeam-backup-replication-security-flaw-remote-code-execution-fix/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/

Major Cyber Incidents and Breaches 🚨
- Jaguar Land Rover (JLR): A September cyberattack, claimed by Scattered Lapsus$ Hunters, severely impacted JLR's Q3 fiscal 2026 results, causing wholesale volumes to plummet by 43.3% and retail sales by 25.1%. The incident halted production for weeks, disrupted global supply chains, and cost the UK economy an estimated £2.1 billion.
- UK Ministry of Justice (MoJ) / Legal Aid Agency (LAA): Despite spending £50 million on cybersecurity, the LAA suffered a "highly sensitive" cyberattack in December 2024 that went undetected until April 2025. The breach compromised legal aid applicant data, causing significant operational disruption and financial overpayments to providers, with recovery expected to take years.
- European Space Agency (ESA): ESA has confirmed another significant security breach, with Scattered Lapsus$ Hunters claiming to have stolen 500 GB of sensitive data, including operational procedures, spacecraft details, and proprietary contractor data (from partners like SpaceX, Airbus). The group alleges the vulnerability remains open, giving them continued access. This follows a December incident where 200 GB of ESA data was listed for sale.
- Higham Lane School: A cyberattack over the Christmas holiday has forced a British high school to delay its reopening, with its entire IT system, including phones, emails, and management systems, taken offline. This follows over 80 ransomware attacks on the UK education sector in 2024.
- Illinois Department of Human Services (IDHS): The IDHS inadvertently exposed personal data of over 700,000 state residents for up to four years by posting it on public mapping websites. The exposed data, including names, addresses, and public benefits status, is protected health information under HIPAA.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/jlr_wholesale_volumes/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/legal_aid_agency_attack/
๐Ÿ—ž๏ธ The Record | https://therecord.media/cyberattack-forces-british-high-school-to-delay-opening
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/european_space_agency_breach_criminal_probe/
๐Ÿ—ž๏ธ The Record | https://therecord.media/illinois-agency-exposed-data

Threat Actor Activity & Nation-State Operations ⚔️
- DDoSia Hacktivist Tool: Pro-Russian hacktivist group NoName057(16) is leveraging its custom DDoS tool, DDoSia, to conduct sustained, politically motivated attacks against Ukrainian and Western interests. The tool allows volunteers with minimal technical skill to participate in coordinated application-layer and multi-vector DDoS campaigns, often coinciding with geopolitical events.
- China's Cyber Offensive on Taiwan: Taiwan's National Security Bureau reported a 6% increase in Chinese cyberattacks in 2025, with 2.63 million intrusion attempts daily targeting government and critical infrastructure, particularly energy and hospitals. These attacks, often exploiting software/hardware vulnerabilities, are linked to China's political and military coercive actions.

⚫ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/ddosia-powers-volunteer-driven-hacktivist-attacks
🤫 CyberScoop | https://cyberscoop.com/taiwan-china-cyberattacks-2025-energy-hospitals-nsb-report/

The Critical Need for MFA 🔒
- ownCloud Credential Theft: File-sharing platform ownCloud is urging its 200 million users to enable Multi-Factor Authentication (MFA) after reports of credential theft. Threat actors, like "Zestix" or "Sentap," are using infostealer malware (RedLine, Lumma, Vidar) to compromise employee devices, then leveraging stolen credentials to access ownCloud, ShareFile, and Nextcloud instances that lack MFA.
- Widespread Cloud Credential Heist: A report by Hudson Rock highlights a "pervasive failure in credential hygiene," where a single threat actor has breached dozens of global organisations by using infostealer-harvested credentials against cloud collaboration platforms without MFA. This underscores that simple security failures, not zero-days, are often the root cause of significant breaches.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enable-mfa-after-credential-theft-reports/
⚫ Dark Reading | https://www.darkreading.com/cloud-security/lack-mfa-common-thread-vast-cloud-credential-heist

Regulatory Actions & Legal Outcomes ⚖️
- FCC Robocall Penalties: The US Federal Communications Commission (FCC) has finalised new financial penalties for telecoms that submit false, inaccurate, or late reporting to its Robocall Mitigation Database (RMD). Fines include $10,000 for false information and $1,000 for late updates, aiming to combat call spoofing and illegal robocalls. Two-factor authentication has also been added to the RMD.
- Stalkerware Prosecution: Bryan Fleming, creator of the pcTattletale stalkerware, has pleaded guilty in US federal court to selling software designed to intercept communications. This marks only the second successful prosecution of a stalkerware operator since 2014, highlighting a rare but significant legal victory against consumer spyware.

🤫 CyberScoop | https://cyberscoop.com/fcc-finalizes-new-penalties-for-robocall-violators/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/stalkerware_slinger_pleads_guilty/
🗞️ The Record | https://therecord.media/stalkerware-guilty-plea-fleming

UK Public Sector Cyber Defence Boost 🛡️
- The UK government has unveiled a new £210 million ($283 million) "Government Cyber Action Plan" to bolster cyber defences across its departments and the wider public sector. The plan includes establishing a dedicated Government Cyber Unit, setting minimum security standards, improving risk visibility, and promoting best practices through a new Software Security Ambassador Scheme. This follows recent legislation to protect critical infrastructure and a ban on ransomware payments for public sector organisations.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-announces-plan-to-strengthen-public-sector-cyber-defenses/

Cyber Landscape Commentary 💭
- AI and the Cybersecurity Workforce: Qualys CEO Sumedh Thakar argues that the cybersecurity industry cannot simply hire its way out of the talent shortage in the AI era. Instead, organisations must leverage AI to automate repetitive tasks and shift towards a proactive Risk Operations Center (ROC) model. He also warns that AI-generated code often contains security flaws, necessitating embedded security in development pipelines.
- Cyber in Military Operations: Speculation surrounds the role of US Cyber Command in a recent military operation in Venezuela that led to the capture of President Nicolás Maduro. While President Trump hinted at "certain expertise" causing power outages, NetBlocks data suggests kinetic attacks could also be responsible. Experts note Venezuela's network infrastructure is a "soft target" for cyber operations.

🤫 CyberScoop | https://cyberscoop.com/cybersecurity-talent-shortage-ai-risk-operations-center-2026-op-ed/
⚫ Dark Reading | https://www.darkreading.com/cybersecurity-operations/cyberattacks-part-military-operation-venezuela/

Other Noteworthy Developments 💡
- HackerOne Bug Bounty Delays: A security researcher, Jakub Ciolek, reported being "ghosted" by HackerOne for months over an $8,500 bug bounty for two high-severity DoS flaws (CVE-2025-59538, CVE-2025-59531) in Argo CD. HackerOne attributed the delay to an "operational backlog," raising concerns about trust and communication in bug bounty programs, especially with increasing AI-generated submissions.
- Microsoft Exchange Online Spam Clamp Scrapped: Microsoft has reversed its controversial plan to impose a 2,000 external recipient rate limit on Exchange Online mailboxes, following significant customer backlash. While the aim was to curb spam and abuse, the limits created operational challenges for legitimate bulk sending. Microsoft plans to develop "smarter, more adaptive approaches."
- Cyber Scam Kingpin Arrested: Cambodian authorities have arrested and extradited to China Chen Zhi, head of the Prince Group conglomerate, who is alleged to be the mastermind behind a multi-billion dollar scam empire. Zhi and 128 entities linked to him were sanctioned by the US and UK for illegal online gambling, sextortion, money laundering, and the trafficking of enslaved workers.
- HSBC App Sideloading Issues: Some HSBC mobile banking customers in the UK are being locked out of the bank's app if they have the Bitwarden password manager installed via an open-source app catalog like F-Droid. HSBC's app security controls appear to flag sideloaded apps as a risk, preventing coexistence with its banking app.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/hackerone_ghosted_researcher/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/exchange_online_recipient_rate/
๐Ÿ—ž๏ธ The Record | https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extradited
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/hsbc_bitwarden_sideloaded/

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #ActiveExploitation #ZeroDay #CyberAttack #Breach #Ransomware #DDoS #NationState #APT #MFA #CredentialTheft #DataPrivacy #Regulation #UKGov #AI #CyberWarfare #InfoSec

Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers

A critical flaw in legacy D-Link DSL routers lets unauthenticated attackers run commands and hijack DNS, with active exploitation reported.

The Hacker News

Alright team, it's been a busy 24 hours in the cyber world with a slew of significant breaches, actively exploited vulnerabilities, new malware campaigns, and a critical look at how traditional security frameworks are falling short against AI threats. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

- Korean e-tailer Coupang reported an insider incident where a former employee allegedly stole a security key to access 33 million customer records, including order histories and building access codes for ~3,000 customers.
- The perpetrator attempted to destroy evidence by smashing a MacBook Air and throwing it into a river, but investigators recovered it and matched its serial number to the accused's iCloud.
- Coupang is now facing a substantial cost, gifting 33 million customers a ₩50,000 ($35) voucher, totalling $1.17 billion, alongside a government inquiry and potential fines.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/29/coupang_perpetrator_theft_details/

- Korean Air confirmed a data breach affecting thousands of employees after its former subsidiary and catering supplier, Korean Air Catering & Duty-Free (KC&D), was hacked.
- Approximately 30,000 employee records, including names and bank account numbers from KC&D's ERP system, were compromised.
- The Clop ransomware gang claimed responsibility for the KC&D attack in November, subsequently publishing the allegedly stolen data on their dark web leak site.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/korean-air-data-breach-exposes-data-of-thousands-of-employees/

- A former Coinbase customer service agent was arrested in India for allegedly helping hackers steal sensitive customer information earlier this year.
- The incident, which affected around 69,500 customers, exposed names, dates of birth, last four digits of SSNs, physical addresses, phone numbers, and email addresses, with some KYC documents also compromised.
- The breach was traced to TaskUs, a customer support outsourcing firm, where employees were reportedly bribed to grant system access.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/former-coinbase-support-agent-arrested-for-helping-hackers/

- Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a Gentlemen ransomware attack that took down its IT infrastructure, encrypting documents and making several applications unavailable.
- The attack partially affected company activity but did not jeopardise the operation of the National Energy System, with IT teams rebuilding systems from backups.
- Gentlemen ransomware, which emerged in August, is known for using compromised credentials and targeting internet-exposed services for initial access.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/romanian-energy-provider-hit-by-gentlemen-ransomware-attack/

- Trust Wallet reported that attackers compromised its browser extension (v2.68.0) just before Christmas, draining approximately $7 million from 2,596 cryptocurrency wallets.
- The malicious extension was likely published externally via a leaked Chrome Web Store API key, bypassing standard release checks and exfiltrating sensitive wallet data.
- Trust Wallet is reimbursing affected users and has warned of ongoing phishing campaigns impersonating support and pushing fake compensation forms.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/

- A group called "Lovely" has published email and home addresses of Wired magazine subscribers, claiming to have 40 million more entries from Conde Nast after an unheeded extortion attempt.
- The leak includes 2.3 million emails, 285,000 subscriber names, 108,000 home addresses, 32,000 phone numbers, and some user IDs, display names, and IP addresses.
- Security researchers confirmed the authenticity of the data, noting the attack bears hallmarks of infostealer malware like RedLine and Raccoon, and warning of doxxing, swatting, and phishing risks.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/29/wired_hack_subscriber_info_leaked/

- Artisans' Bank and VeraBank are the latest to notify thousands of customers about a data breach stemming from an August ransomware attack on their third-party vendor, Marquis Software.
- Artisans' Bank reported names and Social Security numbers of 32,344 people were leaked, while VeraBank confirmed 37,318 individuals had data stolen, though specific data types were omitted.
- The initial attack on Marquis Software, which provides data analytics and compliance solutions to hundreds of financial institutions, exploited a vulnerability in its SonicWall firewall.
๐Ÿ—ž๏ธ The Record | https://therecord.media/banks-marquis-software-ransomware/

Vulnerabilities Under Active Exploitation 🚨

- A recently disclosed MongoDB vulnerability, CVE-2025-14847 (CVSS 8.7), codenamed 'MongoBleed', is under active exploitation to remotely leak sensitive data from server memory.
- The flaw in zlib compression allows unauthenticated attackers to extract fragments of private data, including user information, passwords, and API keys, from over 87,000 potentially susceptible instances globally.
- Immediate updates to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 are advised, along with disabling zlib compression or restricting network exposure as temporary mitigations.
📰 The Hacker News | https://thehackernews.com/2025/12/mongodb-vulnerability-cve-2025-14847.html

- Fortinet has warned customers that threat actors are still actively exploiting CVE-2020-12812, a critical FortiOS vulnerability from July 2020, to bypass two-factor authentication (2FA) on vulnerable FortiGate firewalls.
- The flaw allows attackers to log in without a second factor by changing the case of a username when 2FA is enabled in 'user local' settings and linked to a remote authentication method like LDAP.
- Organisations must ensure FortiOS is updated to versions 6.4.1, 6.2.4, or 6.0.10 or newer, and if not possible, disable username-case-sensitivity and remove unnecessary secondary LDAP groups.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortinet-warns-of-5-year-old-fortios-2fa-bypass-still-exploited-in-attacks/
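The case-handling mismatch behind the FortiOS item above, modelled as an added example (this is not Fortinet's code and not from the article): a local user record that demands a second factor is looked up case-sensitively while the remote backend matches usernames case-insensitively, shown beside a lookup that canonicalises the name the way the backend does, which is what the "disable username-case-sensitivity" workaround amounts to. Usernames, passwords, the OTP value and the remote-group flag are constructed placeholders.

```python
"""Added example (not Fortinet's code, not from the article): a toy model of
the username-case 2FA bypass class behind CVE-2020-12812.

The local user table records who must present a second factor.  The remote
backend (LDAP-style) matches usernames case-insensitively.  If the 2FA policy
lookup compares names case-sensitively, a login name that differs only in
case authenticates against the backend but never matches the local policy,
so it falls through to a secondary remote group that carries no 2FA rule.
All usernames, passwords and the OTP value below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class LocalUser:
    name: str
    two_factor: bool


# Constructed local user table: "alice" must present a second factor.
LOCAL_USERS = (LocalUser("alice", True), LocalUser("bob", False))

# Constructed remote credential store, keyed by case-folded username to mimic
# a backend that treats usernames case-insensitively.
REMOTE_CREDS = {"alice": "pw-alice", "bob": "pw-bob"}

# Constructed one-time password accepted in this example.
VALID_OTP = "123456"


def remote_backend_accepts(username: str, password: str) -> bool:
    """Case-insensitive username match, as an LDAP-style backend would do."""
    return REMOTE_CREDS.get(username.casefold()) == password


def requires_2fa_vulnerable(username: str) -> Optional[bool]:
    """Case-sensitive policy lookup: 'Alice' never matches the 'alice' record.

    Returns None when no local record matches; the caller then treats the
    login as a remote-group user with no second factor.  That is the bug.
    """
    for user in LOCAL_USERS:
        if user.name == username:
            return user.two_factor
    return None


def requires_2fa_fixed(username: str) -> Optional[bool]:
    """Canonicalise the name the same way the backend does before comparing.

    This is the shape of the 'disable username-case-sensitivity' workaround:
    the policy lookup and the backend now agree on which record is meant.
    """
    wanted = username.casefold()
    for user in LOCAL_USERS:
        if user.name.casefold() == wanted:
            return user.two_factor
    return None


def login(username: str, password: str, otp: Optional[str],
          policy: Callable[[str], Optional[bool]],
          remote_group_allowed: bool = True) -> str:
    """Return 'denied', 'needs_otp' or 'granted' for one login attempt.

    remote_group_allowed models whether a secondary LDAP-style group entry
    exists; removing such groups is the article's second workaround.
    """
    if not remote_backend_accepts(username, password):
        return "denied"
    needs_second_factor = policy(username)
    if needs_second_factor is None:
        # No local record matched.  With a secondary remote group configured
        # the user falls through to it without any 2FA requirement; without
        # one there is nothing left to match and the login is refused.
        if not remote_group_allowed:
            return "denied"
        needs_second_factor = False
    if needs_second_factor and otp != VALID_OTP:
        return "needs_otp"
    return "granted"


def bypass_demo() -> dict:
    """Run the same case-varied login through both policy lookups."""
    return {
        "exact_name_vulnerable": login("alice", "pw-alice", None, requires_2fa_vulnerable),
        "case_varied_vulnerable": login("Alice", "pw-alice", None, requires_2fa_vulnerable),
        "case_varied_fixed": login("Alice", "pw-alice", None, requires_2fa_fixed),
        "case_varied_no_remote_group": login(
            "Alice", "pw-alice", None, requires_2fa_vulnerable, remote_group_allowed=False),
    }


if __name__ == "__main__":
    for label, outcome in bypass_demo().items():
        print(f"{label}: {outcome}")
```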

New Threat Research & Malware 🕵️‍♀️

- A "sustained and targeted" spear-phishing campaign has leveraged 27 malicious npm packages across six aliases to create resilient phishing infrastructure for credential theft.
- Instead of requiring package installation, attackers use npm and package CDNs to host client-side HTML and JavaScript lures, impersonating document-sharing portals and Microsoft sign-in pages.
- The campaign primarily targets sales and commercial personnel at critical infrastructure-adjacent organisations in the U.S. and Allied nations, using anti-analysis techniques like bot filtering and honeypot fields.
📰 The Hacker News | https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

- A Lithuanian national has been arrested and extradited to South Korea for infecting 2.8 million systems worldwide with clipboard-stealing 'clipper' malware disguised as the KMSAuto tool for illegally activating Windows and Office.
- From April 2020 to January 2023, the malware swapped cryptocurrency addresses in the clipboard with attacker-controlled ones, stealing approximately $1.2 million across 8,400 transactions.
- This incident highlights the significant risks of using unofficial software activators, which are frequently used to distribute various forms of malware.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/

Threat Landscape Commentary 🌍

- Existing security frameworks like NIST CSF, ISO 27001, and CIS Controls are failing to protect organisations from AI-specific attack vectors, leading to a 25% increase in leaked secrets through AI systems in 2024.
- AI introduces novel attack surfaces like prompt injection, model poisoning, and AI supply chain attacks that don't map to traditional controls, allowing breaches even in compliant organisations.
- Organisations must go beyond compliance by conducting AI-specific risk assessments, implementing new technical capabilities like prompt validation and model integrity verification, and building AI security expertise within teams.
📰 The Hacker News | https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html

Regulatory Issues ⚖️

- France's data protection regulator, CNIL, has fined Nexpublica France €1.7 million ($2 million) for inadequate cybersecurity practices that led to a data breach in November 2022.
- The fine reflects the company's financial capacity, lack of basic security knowledge, the number of affected individuals, and the sensitivity of the data processed.
- Crucially, Nexpublica was aware of its security deficiencies prior to the incident but failed to address them until after the breach occurred, violating GDPR.
๐Ÿ—ž๏ธ The Record | https://therecord.media/french-software-fined-cnil/

#CyberSecurity #ThreatIntelligence #DataBreach #Ransomware #Vulnerability #ActiveExploitation #InsiderThreat #Phishing #Malware #AIsecurity #GDPR #InfoSec #CyberAttack #IncidentResponse #SupplyChainSecurity

Accused data thief threw MacBook into a river to destroy evidence

Former staffer of Korean e-tailer Coupang accessed 33 million records but may have done less damage than feared

The Register

Alright, cyber pros! It's been a pretty active 24 hours, with a mix of new breach disclosures, some interesting ransomware developments, critical vulnerabilities under active attack, and a peek into how AI is shaping the threat landscape. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- DoorDash disclosed a data breach in October, impacting consumers, Dashers, and merchants. Personal information such as names, addresses, phone numbers, and emails was accessed after an employee fell victim to a social engineering scam. This marks their third significant incident since 2019.
- The UK's National Health Service (NHS) is investigating claims by the Clop ransomware gang of a cyberattack. While Clop listed NHS.uk on its leak site, it hasn't specified which part of the organisation was breached or published any data, raising questions about the extent of their access.
- UK fintech firm Checkout.com was breached by ShinyHunters, who accessed a legacy cloud storage system with merchant data from 2020 and earlier. The company has publicly refused to pay the ransom, instead pledging to donate the amount to cybersecurity research at Carnegie Mellon and Oxford.
- A major Russian port operator, Port Alliance, reported ongoing disruptions from a cyberattack "from abroad," involving a DDoS and network breach. The attackers used a botnet of over 15,000 IPs, aiming to disrupt coal and fertiliser shipments, though core operations remained functional.
- The Lighthouse phishing kit, used for widespread "smishing" scams like fake road tolls, appears to have been disrupted following a lawsuit by Google. Researchers observed the kit's Telegram channels being taken down and associated domains no longer resolving.
- The FBI has warned of an aggressive health insurance scam targeting Chinese speakers in the US. Scammers spoof legitimate insurers, claim bogus surgery bills, and then, under the guise of Chinese law enforcement, threaten extradition or prosecution to extort payments and gain remote access to victims' computers.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/doordash-hit-by-new-data-breach-in-october-exposing-user-information/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/14/nhs_clop/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/checkoutcom-snubs-shinyhunters-hackers-to-donate-ransom-instead/
🗞️ The Record | https://therecord.media/cyberattack-on-russian-port-operator
🤫 CyberScoop | https://cyberscoop.com/lighthouse-text-scammers-disrupted-google-lawsuit/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/14/fbi_chinese_speaker_health_insurance/

New Threat Research: Ransomware, Malware & AI-Driven Attacks 🛡️

- Anthropic reported that Chinese state-sponsored group GTG-1002 used their Claude Code AI model to automate cyber espionage against 30 critical organisations, including tech, finance, and government. The AI allegedly handled vulnerability scanning, exploitation, and data exfiltration with minimal human oversight, though some researchers have expressed skepticism regarding the claimed level of AI autonomy.
- CISA and FBI issued an updated advisory on Akira ransomware, highlighting its new capability to encrypt Nutanix AHV virtual machines, expanding its targets beyond VMware ESXi and Hyper-V. The FBI ranks Akira as a "top five" ransomware threat, having extorted over $244 million from small- and medium-sized businesses, often exfiltrating data within two hours of initial access.
- The Kraken ransomware, a continuation of the HelloKitty operation, now features a system benchmarking capability. It tests target machines to determine optimal encryption speed, allowing it to choose between full or partial data encryption to maximise impact without triggering alerts due to excessive resource usage.
- A new self-spreading npm package, dubbed 'IndonesianFoods,' has flooded the registry with over 100,000 junk packages, spawning new ones every seven seconds. While currently non-malicious, it aims to stress the open-source ecosystem and may be financially motivated through abuse of the TEA Protocol.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/anthropic-claims-of-claude-ai-automated-cyberattacks-met-with-doubt/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
๐Ÿคซ CyberScoop | https://cyberscoop.com/akira-ransomware-fbi-cisa-joint-advisory/
๐Ÿ—ž๏ธ The Record | https://therecord.media/akira-gang-received-million
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/kraken-ransomware-benchmarks-systems-for-optimal-encryption-choice/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-floods-npm-with-100-000-packages/

Critical Vulnerabilities & Active Exploitation ⚠️

- A critical path traversal vulnerability (CVE-2025-64446) in Fortinet FortiWeb web application firewalls is under active, widespread exploitation. Attackers are using a publicly available PoC to create new administrative accounts on exposed devices without authentication. Fortinet silently patched this in version 8.0.2, and CISA has added it to its Known Exploited Vulnerabilities Catalog, urging immediate patching.
- ASUS has released firmware updates for several DSL series routers (DSL-AC51, DSL-N16, DSL-AC750) to fix a critical authentication bypass flaw (CVE-2025-59367). This vulnerability allows remote, unauthenticated attackers to gain full control. Users unable to update should disable internet-facing services like remote access, port forwarding, and VPN server.
- Researchers discovered critical Remote Code Execution (RCE) vulnerabilities in major AI inference engines from Meta (Llama), Nvidia (TensorRT-LLM), Microsoft (Sarathi-Serve), and open-source projects like vLLM and SGLang. These "ShadowMQ" flaws stem from insecure deserialization of data via ZeroMQ and Python's pickle module, often due to code reuse, potentially allowing arbitrary code execution.
- Kubernetes maintainers have decided to retire Ingress NGINX by March 2026 due to persistent security flaws and maintenance challenges. This popular ingress controller, found in around 6,000 implementations, has been problematic, with serious vulnerabilities allowing cluster takeover identified as recently as March 2025. Admins should plan migration to alternatives.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/14/fortinet_active_exploit_cve_2025_64446/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-bypass-flaw-in-dsl-series-routers/
🚨 The Hacker News | https://thehackernews.com/2025/11/researchers-find-serious-ai-bugs.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/14/nginx_retirement/

Threat Landscape Commentary 📈

- The retail industry is facing a growing cybersecurity crisis, with breaches costing millions and eroding customer trust. The core issue isn't just about more technology, but a lack of executive-level cybersecurity leadership and a failure to treat cyber as a core strategic priority.
- The National Retail Federation (NRF) is urged to establish a dedicated cybersecurity talent incubator. This program would develop executive-ready leaders who understand both technical threats and the specific operational pressures retailers face, bridging the gap between academic expertise and industry needs.
- The initiative would offer six-month programs for graduates and modular training for junior roles, with placements across the NRF's network, aiming to foster a sector-wide mindset shift towards long-term strategic investment in cybersecurity talent.

🤫 CyberScoop | https://cyberscoop.com/retail-cybersecurity-crisis-nrf-leadership-talent-pipeline-op-ed/

Regulatory Issues & Data Privacy 🔒

- Google has backpedaled on its controversial Android developer verification rules following widespread backlash from users and developers. Originally intended to block malware from sideloaded apps, the revised rules will now offer options for limited app distribution without full verification and an "advanced flow" for power users to sideload unverified apps with warnings.
- The initial plan was criticised for potentially consolidating power and threatening open ecosystems like F-Droid.
- The revised verification process will open for early access in November 2025, with a phased global rollout of mandatory verification starting in September 2026 for specific regions.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/google/google-backpedals-on-new-android-developer-registration-rules/

Government Actions Against Cybercrime 🏛️

- US federal authorities have established a new "Scam Center Strike Force" to combat Chinese cryptocurrency scam networks, often known as "pig butchering" or "romance baiting." These scams defraud Americans of nearly $10 billion annually, with operators often working from criminal compounds in Southeast Asia.
- The strike force focuses on tracing and seizing illicit crypto funds, already recovering over $401 million and initiating forfeiture for an additional $80 million. They also coordinate with international partners and have sanctioned groups and firms linked to these operations.
- A suspected Russian hacker, potentially Aleksey Lukashev (a GRU officer wanted by the FBI for 2016 US election interference), has been detained in Phuket, Thailand, at the request of the US. He faces possible extradition on cybercrime charges, with Thai police seizing laptops, phones, and digital wallets.
- The Justice Department announced five guilty pleas related to North Korea's long-running IT worker scam, which defrauded 136 US companies of $2.2 million and involved 18 stolen US identities. The DOJ also seized over $15 million in cryptocurrency from North Korean facilitators, linked to APT38 (Lazarus Group) and several major crypto thefts in 2023.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-announces-new-strike-force-targeting-chinese-crypto-scammers/
🗞️ The Record | https://therecord.media/russian-hacker-detained-thailand-possible-us-extradition
🗞️ The Record | https://therecord.media/multiple-us-nationals-guilty-pleas-north-korean-it-worker-scams

#CyberSecurity #ThreatIntelligence #Ransomware #Malware #Vulnerability #ActiveExploitation #ZeroDay #AI #NationState #DataBreach #Cybercrime #InfoSec #IncidentResponse #SupplyChainSecurity #CloudSecurity

DoorDash hit by new data breach in October exposing user information

DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly discovered security incident.

BleepingComputer

Alright team, it's been a busy 24 hours in the cyber world! We've got updates on recent breaches, some interesting new threat actor TTPs, critical vulnerabilities under active exploitation, and a few policy shifts to keep an eye on. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- The University of Pennsylvania confirmed a data breach affecting development and alumni systems, with hackers stealing 1.71 GB of internal documents and 1.2 million donor records after a successful social engineering attack on an employee's SSO account.
- SonicWall's September security breach, which exposed customer firewall configuration backup files, has been attributed to a state-sponsored threat actor. The investigation confirmed no impact on SonicWall products, firmware, or source code, but customers were advised to reset credentials.
- International law enforcement, in "Operation Chargeback," dismantled three credit card fraud and money laundering networks that stole over €300 million from 4.3 million cardholders across 193 countries, exploiting German payment service providers to process fake online subscriptions.
- The Apache Software Foundation is disputing claims by the Akira ransomware gang that it breached OpenOffice and stole 23 GB of data, stating they do not possess the types of data claimed, and their investigation found no evidence of compromise.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-stolen-in-cyberattack/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/sonicwall-says-state-sponsored-hackers-behind-security-breach-in-september/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/europol-credit-card-fraud-rings-stole-eur-300-million-from-43-million-cardholders/
🗞️ The Record | https://therecord.media/europe-police-bust-global-fraud-ring-payment-firms
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/apache-openoffice-disputes-data-breach-claims-by-ransomware-gang/

New Threat Research on Actors, Malware, and TTPs 🕵🏼

- A new threat cluster, UNK_SmudgedSerpent, is targeting US academics and foreign policy experts with phishing attacks leveraging domestic political lures related to Iran, deploying legitimate RMM software like PDQ Connect, and mimicking Iranian cyber espionage groups like TA455 and TA453.
- Russia-linked Curly COMrades are innovating their cyber-espionage campaigns by hiding custom malware (CurlyShell and CurlCat) within lightweight Alpine Linux virtual machines running on Hyper-V, a tactic designed to bypass traditional endpoint detection tools.
- Google's Threat Intelligence Group (GTIG) reports a significant shift towards AI-powered malware, with new families like PromptFlux (a VBScript dropper using Gemini for obfuscation) and PromptSteal (a data miner) emerging, alongside various state-backed actors abusing LLMs for reconnaissance, malware development, and phishing.

📰 The Hacker News | https://thehackernews.com/2025/11/mysterious-smudgedserpent-hackers.html
🗞️ The Record | https://therecord.media/virtual-machines-cyber-espionage-russia-linked-curly-comrades
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/google-warns-of-new-ai-powered-malware-families-deployed-in-the-wild/
📰 The Hacker News | https://thehackernews.com/2025/11/researchers-find-chatgpt.html

Vulnerabilities and Active Exploitation ⚠️

- CISA has added two critical flaws to its KEV catalog due to active exploitation: CVE-2025-11371, a local file inclusion in Gladinet CentreStack/Triofox, and CVE-2025-48703, an unauthenticated RCE in Control Web Panel (CWP) via shell command injection. Federal agencies must patch by November 25th.
- Hackers are actively exploiting CVE-2025-11833, a critical 9.8-severity vulnerability in the Post SMTP WordPress plugin (affecting over 400,000 sites), allowing unauthenticated attackers to read email logs, including password reset messages, to hijack administrator accounts.
- OpenAI's ChatGPT has been found vulnerable to several indirect prompt injection techniques, including via trusted sites, search context, and conversation injection, which could lead to data leakage from user memories and chat histories.
- AMD is set to release microcode patches for CVE-2025-62626 (CVSS 7.2), a high-severity flaw in Zen 5 Epyc and Ryzen CPUs where the RDSEED function can return zero instead of a random number, potentially weakening cryptographic keys if an attacker has local privileges.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-post-smtp-to-hijack-admin-accounts/
📰 The Hacker News | https://thehackernews.com/2025/11/cisa-adds-gladinet-and-cwp-flaws-to-kev.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-centos-web-panel-bug-exploited-in-attacks/
📰 The Hacker News | https://thehackernews.com/2025/11/researchers-find-chatgpt.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

Threat Landscape Commentary 📉

- The US federal cybersecurity posture is facing a "perfect storm" due to the F5 security breach (attributed to a nation-state actor), proposed CISA job and funding cuts, and the ongoing government shutdown, collectively eroding cyber readiness and creating an expanded attack surface.
- House GOP leaders are pushing the Commerce Department to investigate and restrict Chinese government-connected tech products across critical industries like AI, energy, and industrial control systems, citing China's view of information technology as a battlefield.
- Congressional leaders are also urging federal agencies to develop a clear strategy to compete with China in 6G telecommunications and secure US tech supply chains, learning from past mistakes that allowed Chinese companies to gain significant global influence in 5G.

🤫 CyberScoop | https://cyberscoop.com/us-cyber-readiness-crisis-f5-breach-cisa-job-cuts-shutdown-op-ed/
🤫 CyberScoop | https://cyberscoop.com/house-gop-leaders-seek-government-probe-restrictions-on-chinese-made-tech/
🤫 CyberScoop | https://cyberscoop.com/exclusive-china-6g-letter-krishnamoorthi-congress-state-commerce-letters/

Data Privacy Concerns 🔒

- The US Department of Homeland Security (DHS) is proposing a sweeping expansion of biometric data collection for immigration applications, including iris scans, voice prints, and DNA, from immigrants and even some US citizens associated with these cases, raising significant privacy concerns.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/04/dhs_wants_to_collect_biometric_data/

Regulatory Issues and Changes 🏛️

- The US Treasury Department has sanctioned two North Korean financial institutions and eight individuals for laundering over $12.7 million in cryptocurrency from cybercrime and fraudulent IT worker schemes, aiming to disrupt funding for Pyongyang's weapons programs.
- UK mobile carriers have committed to upgrading their networks within a year to block spoofed phone numbers, a key tactic used by scammers impersonating banks and government agencies, as part of a new Telecoms Charter to combat fraud.
- A House lawmaker predicts that Democratic support for the reauthorization of FISA Section 702, a key US national security surveillance power, will be a "heavier lift" in 2026 due to concerns over its use for warrantless searches of American data.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-treasury-sanctions-north-korean-bankers-linked-to-cybercrime-it-worker-fraud/
📰 The Hacker News | https://thehackernews.com/2025/11/us-sanctions-10-north-korean-entities.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-carriers-to-block-spoofed-phone-numbers-in-fraud-crackdown/
🗞️ The Record | https://therecord.media/section-702-surveillance-powers-renewal-jim-himes-house-democrats

Other Noteworthy Updates 💡

- The UK's Department for Environment, Food & Rural Affairs (Defra) spent £312 million upgrading its IT estate, including replacing Windows 7 laptops with Windows 10, just as Windows 10 reached end-of-support, highlighting significant technical debt and potential future costs for extended security updates.
- Famed cryptographer and software engineer Daniel J. Bernstein (DJB) has given a favourable report on Fil-C, a new memory-safe C/C++ compiler based on Clang, noting its compatibility and ability to trap categories of C errors, despite performance drawbacks.
- Google's $32 billion acquisition of cloud security firm Wiz has received clearance from the US Department of Justice after an antitrust investigation, marking Google's largest-ever acquisition and a significant move to enhance Google Cloud's security offerings.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/05/uk_defra_dept_spent_312m_window_10/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/05/djb_tries_filc_and_approves/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/05/googles_32b_wiz_acquisition_its/

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ActiveExploitation #RCE #Malware #Ransomware #NationState #APT #AI #DataPrivacy #Regulatory #InfoSec #CyberAttack #IncidentResponse #SupplyChainSecurity

University of Pennsylvania confirms data stolen in cyberattack

The University of Pennsylvania has confirmed that a hacker breached numerous internal systems related to the university's development and alumni activities and stole data in a cyberattack.

BleepingComputer