Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Risky Bulletin: Major EoT/HoT vulnerability can bring trains to sudden stops
Date: 2025-07-14 | Source: Risky.Biz
A major vulnerability in the End-of-Train (EoT) protocol, identified as CVE-2025-1727, allows attackers to send commands that can abruptly engage train brakes across North America. Discovered by Neil Smith in 2012, the issue involves weak authentication using a BCH checksum. The Association of American Railroads plans to replace over 75,000 EoT devices with a more secure protocol, expected to take 5-7 years and cost $7-10 billion. CISA has issued an advisory on the vulnerability.
2025-07-14 | Cybersecurity Dive: Major railroad-signaling vulnerability could lead to train disruptions
A newly disclosed vulnerability, CVE-2025-1727, in train braking systems could allow hackers to remotely stop trains, potentially causing derailments. The flaw involves weak authentication in the protocol for sending brake commands. CISA warns that exploitation could lead to operational disruptions. The Association of American Railroads is developing new systems, expected by 2027. Experts stress the need for enhanced cybersecurity measures in the rail industry, which is critical for logistics and safety.
2025-07-14 | The Register: A software-defined radio can derail a US train by slamming the brakes on remotely
CISA issued CVE-2025-1727, highlighting a vulnerability in the end-of-train to head-of-train protocol, allowing remote control of train brakes via spoofed commands. Discovered by researcher Neil Smith in 2012, the issue stems from weak authentication in the FRED system. No immediate solution exists, and the AAR plans to replace the outdated system with 802.16t by 2027. Meanwhile, freight operators are advised to segment networks, though this may not prevent exploitation with inexpensive equipment.
2025-07-15 | 404 Media: Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
A vulnerability exists in U.S. trains allowing hackers to remotely trigger brakes, discovered by researcher Neil Smith in 2012. The issue stems from the EOT/HOT protocol, designed for safety but exploitable via radio frequencies. Despite awareness for over a decade, the railroad industry has not fixed it. CISA acknowledges the vulnerability's significance but states that exploiting it requires physical proximity and specialized knowledge. No timeline for a fix has been provided, and the vulnerability remains unaddressed.
Google Gemini flaw hijacks email summaries for phishing
Date: 2025-07-13 | Source: BleepingComputer
A vulnerability in Google Gemini for Workspace allows attackers to exploit email summaries, generating seemingly legitimate content that includes malicious instructions directing users to phishing sites. This prompt-injection technique, disclosed by researcher Marco Figueroa through Mozilla's bug bounty program, utilizes hidden directives in emails. Recommendations for mitigation include removing hidden content and implementing filters for urgent messages. Google stated they are enhancing defenses against such attacks but reported no incidents exploiting this flaw.
2025-07-14 | Tomsguide: Google Gemini flaw exploited to turn AI-powered email summaries into the perfect phishing tool — everything you need to know
A vulnerability in Google Gemini for Workspace allows hackers to exploit hidden malicious instructions in email summaries, directing users to phishing sites. This is achieved by embedding invisible directives using HTML and CSS, which evade detection by antivirus software. Although Google is aware and working on mitigations, no evidence of real-world exploitation has been reported. Recommendations include filtering hidden content and flagging urgent messages for review. Caution is advised when using Gemini for email summaries.
2025-07-14 | TechRadar: Google Gemini can be hijacked to display fake email summaries in phishing scams
Cybercriminals can exploit Google Gemini in Workspace to execute "prompt-injection" attacks, displaying fake email summaries that trick users into revealing sensitive information. Researchers warn that hidden prompts in emails can manipulate Gemini to show phishing messages, increasing the likelihood of successful scams. To mitigate risks, organizations should ensure email clients ignore hidden content, implement filters for urgent messages, and educate employees about the limitations of Gemini's summaries.
NVIDIA shares guidance to defend GDDR6 GPUs against Rowhammer attacks
Date: 2025-07-11 | Source: BleepingComputer
NVIDIA warns users to enable System Level Error-Correcting Code (ECC) to protect GDDR6 GPUs against Rowhammer attacks, following research demonstrating such an attack on the A6000 GPU. Rowhammer can cause data corruption or privilege escalation by flipping adjacent memory bits. ECC is crucial for data integrity in GPUs handling large datasets. Affected products include various models from Ampere, Ada, Hopper, Blackwell, Turing, and Volta series. Newer GPUs have built-in ECC protection.
2025-07-12 | The Hacker News: GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs
NVIDIA has issued an advisory regarding GPUHammer, a new RowHammer attack variant affecting its GPUs, including the A6000 model. This exploit can degrade AI model accuracy from 80% to less than 1% by causing bit flips in GPU memory. To mitigate risks, users are advised to enable System-level Error Correction Codes (ECC), though this may slow inference workloads by up to 10% and reduce memory capacity by 6.25%. Newer GPUs like H100 and RTX 5090 are not affected due to on-die ECC.
2025-07-13 | The Register: Nvidia warns its GPUs – even Blackwells – need protection against Rowhammer attacks
Nvidia warned customers to enable System-Level ECC on its GPUs, including Blackwell and Hopper, to protect against Rowhammer attacks, following a successful exploit on the A6000 model. The exploit can corrupt memory through repeated access. Additionally, a chained Bluetooth attack, PerfektBlue, affects vehicles from Mercedes-Benz and others, allowing remote code execution via four CVEs. Bitcoin Depot disclosed a breach affecting 27,000 users, with attackers accessing personal data, after a year-long investigation.
2025-07-14 | TechRadar: Nvidia warns users some GPUs could be at risk of damaging cyberattack - here's what we know
Nvidia has warned users that older GPUs are vulnerable to Rowhammer attacks, which exploit a flaw in dynamic RAM (DRAM) to cause bit flips, potentially leading to privilege escalations and data tampering. Researchers from the University of Toronto demonstrated this vulnerability, degrading machine-learning model accuracy from 80% to 1%. Nvidia recommends users activate System Level Error-Correcting Code mitigation to protect against these attacks. Newer GPUs are not affected.
2025-07-14 | Ars Technica: Nvidia chips become the first GPUs to fall to Rowhammer bit-flip attacks
Nvidia has acknowledged a vulnerability in its RTX A6000 GPUs, which are susceptible to Rowhammer bit-flip attacks, allowing hackers to corrupt data in memory. To mitigate this risk, Nvidia recommends a performance-degrading fix that may reduce efficiency by up to 10%. The researchers demonstrated the exploit, termed GPUhammer, which can severely impact machine learning models, degrading accuracy from 80% to 0.1%. This vulnerability may extend to other Nvidia GPU models as well.
2025-07-14 | The Register: Nvidia A6000 GPUs flip memory bits if beaten by GPUHammer
Nvidia issued a security advisory regarding the GPUHammer attack, which exploits Rowhammer vulnerabilities in Nvidia A6000 GPUs with GDDR6 memory. Researchers from the University of Toronto demonstrated that this attack can significantly degrade the accuracy of AI models by up to 80%. While newer GPUs like the H100 and RTX 5090 are not affected, Nvidia recommends enabling Error Correction Codes (ECC) as a mitigation, though this incurs a 10% performance hit and reduces memory capacity by 6.25%.
Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
Date: 2025-07-11 | Source: The Hacker News
A critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812 (CVSS score: 10.0), allows remote code execution due to improper handling of null bytes in the web interface. Exploited via anonymous FTP accounts, attackers can inject arbitrary Lua code, enabling them to execute system commands with high privileges. Active exploitation was first observed on July 1, 2025. Users are urged to update to version 7.4.4 or later to mitigate risks.
2025-07-11 | The Register: CVSS 10 RCE in Wing FTP exploited within 24 hours, security researchers warn
Huntress researchers reported exploitation of a CVSS 10.0 RCE vulnerability (CVE-2025-47812) in Wing FTP Server within 24 hours of its public disclosure on July 1. The flaw, due to improper handling of null bytes in usernames, allows Lua code injection. Despite only one known exploit attempt, attackers demonstrated inexperience, failing to execute commands effectively. Users are urged to update to version 7.4.4 to mitigate risks. The incident highlights the security challenges of legacy protocols like FTP.
2025-07-12 | BleepingComputer: Hackers are exploiting critical RCE flaw in Wing FTP Server
Hackers are exploiting a critical RCE vulnerability (CVE-2025-47812) in Wing FTP Server, allowing unauthenticated remote code execution with root privileges. The flaw, linked to unsafe handling of null-terminated strings and Lua code injection, was detailed by researcher Julien Ahrens on June 30. Following its disclosure, attacks were observed on July 1, targeting vulnerable servers. Companies are urged to upgrade to version 7.4.4 or restrict access and monitor for suspicious activity if an upgrade is not feasible.
2025-07-14 | Cybersecurity Dive: Hackers exploiting flaw in widely used Wing FTP Server
Hackers are exploiting a critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812, which allows for root-level remote code execution via a null byte and Lua injection flaw. First observed on July 1, the vulnerability affects approximately 10,000 customers, with around 2,000 computers identified as potentially vulnerable. Wing FTP has advised customers to upgrade to mitigate risks. The flaw could lead to total server compromise, allowing attackers to access sensitive data and potentially deploy ransomware.
2025-07-14 | Recorded Future: Exploited Wing file transfer bug risks ‘total server compromise,’ CISA warns
A vulnerability in Wing FTP Server, identified as CVE-2025-47812, has been actively exploited, prompting CISA to add it to the Known Exploited Vulnerabilities catalog. The bug, with a severity score of 10, poses a risk of total server compromise. Federal agencies must patch it by August 4. Active exploitation attempts have been observed, with attackers trying to execute malicious files and install monitoring software. Over 8,100 Wing FTP Server instances are exposed, with many potentially vulnerable.
Risky Bulletin: Two billion eSIMs receive crucial security patch
Date: 2025-07-11 | Source: Risky.Biz
Security updates are being distributed to mobile operators globally to address vulnerabilities in over two billion eSIMs, specifically affecting Kigen's eUICC software. Discovered by Security Explorations, these vulnerabilities allow attackers with physical access to extract a default secret key, enabling malicious applet deployment and potential data interception. Kigen issued a patch with two mitigations, while Oracle has not addressed a related 2019 vulnerability. Kigen rewarded Security Explorations with $30,000 for their findings.
2025-07-14 | The Hacker News: eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks
A vulnerability in Kigen's eUICC cards exposes over two billion IoT devices to attacks, allowing the installation of non-verified applets. The flaw is linked to GSMA TS.48 Generic Test Profile versions 6.0 and earlier, enabling attackers with physical access to extract identity certificates and modify profiles without detection. Kigen has released a mitigation in TS.48 v7.0. Security Explorations received a $30,000 bounty for the discovery, which builds on prior vulnerabilities in Oracle Java Card technology.
2025-07-14 | TechRadar: A major security flaw in top eSIM system could put billions of devices at risk - here's what we know
A vulnerability in eSIM technology, affecting over two billion devices, was discovered by Security Explorations. The flaw allowed attackers with physical access to install malicious applets via the GSMA TS.48 Generic Test Profile (v6.0 and earlier). Kigen has released a patch with GSMA TS.48 v7.0, which blocks RAM key access, prohibits applet installation on test profiles, and enhances OS security. The vulnerability's exploitation is complex, requiring specific conditions. Security Explorations received a $30,000 reward for the discovery.
PerfektBlue Bluetooth flaws impact Mercedes, Volkswagen, Skoda cars
Date: 2025-07-10 | Source: BleepingComputer
Four vulnerabilities, named PerfektBlue, in the OpenSynergy BlueSDK Bluetooth stack can lead to remote code execution in vehicles from Mercedes-Benz, Volkswagen, and Skoda. Discovered by PCA Cyber Security, the flaws allow attackers to exploit infotainment systems, potentially accessing sensitive data. OpenSynergy issued patches in September 2024, but many automakers have not yet implemented them. The vulnerabilities require user interaction for exploitation, with specific conditions for successful attacks.
2025-07-11 | The Hacker News: PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
Cybersecurity researchers identified four vulnerabilities in OpenSynergy's BlueSDK Bluetooth stack, named PerfektBlue, which could enable remote code execution on vehicles from Mercedes-Benz, Volkswagen, and Skoda, among others. The vulnerabilities (CVE-2024-45434, CVE-2024-45431, CVE-2024-45433, CVE-2024-45432) allow attackers to exploit infotainment systems to access sensitive vehicle functions. Patches were released in September 2024 following responsible disclosure in May 2024.
2025-07-11 | TechRadar: Bluetooth security flaws could affect thousands of Mercedes, Volkswagen, Skoda cars - here's what we know
Security researchers identified four vulnerabilities in the BlueSDK Bluetooth stack, affecting Mercedes, Volkswagen, and Skoda vehicles, which can be exploited for remote code execution (RCE) in an attack dubbed "PerfektBlue." The vulnerabilities, tracked as CVE-2024-45434, CVE-2024-45431, CVE-2024-45433, and CVE-2024-45432, require user interaction for exploitation. A fix was deployed in September 2024, but manufacturers have yet to implement it. Volkswagen is currently investigating the issue.
2025-07-11 | Cyberscoop: Researchers identify critical vulnerabilities in automotive Bluetooth systems
Cybersecurity researchers identified four critical vulnerabilities, named PerfektBlue, in OpenSynergy’s BlueSDK Bluetooth stack, affecting Mercedes-Benz, Volkswagen, and Skoda vehicles. The vulnerabilities, including a critical use-after-free flaw (CVE-2024-45434, CVSS 8.0), could allow remote code execution via Bluetooth. Despite patches developed by OpenSynergy in September 2024, some manufacturers had not implemented them by June 2025. Exploitation could grant access to GPS, audio, and contact information, highlighting automotive cybersecurity complexities.
French police arrest Russian pro basketball player on behalf of US over ransomware suspicions
Date: 2025-07-10 | Source: Cyberscoop
French police arrested Russian basketball player Daniil Kasatkin in Paris at the request of the U.S. over allegations of involvement in a ransomware ring that targeted 900 institutions, including two U.S. federal entities, from 2020 to 2022. He reportedly negotiated ransomware payments for the group. His lawyer claims he is innocent, stating he is not skilled with computers and may have unknowingly purchased a compromised device. Kasatkin has been in extradition custody since June 21.
2025-07-10 | TechCrunch: French police arrest Russian basketball player accused of ransomware: Report
French authorities arrested Russian basketball player Daniil Kasatkin at Charles de Gaulle Airport on June 21, accused of being part of a ransomware gang. U.S. authorities allege he engaged in ransomware hacking. Kasatkin's lawyer claims his client is innocent, stating he purchased a used computer and is not skilled with technology, suggesting the device may have been hacked or sold by someone else.
2025-07-10 | BleepingComputer: Russian pro basketball player arrested for alleged role in ransomware attacks
Russian basketball player Daniil Kasatkin was arrested in France on June 21 at the request of the U.S. for allegedly negotiating for a ransomware gang. He faces charges of "conspiracy to commit computer fraud" and "computer fraud conspiracy." His lawyer claims he is innocent, asserting that he bought a second-hand computer and has no computer skills. The ransomware gang is linked to attacks on over 900 companies, including federal agencies, and is speculated to be the Conti gang.
2025-07-10 | Ars Technica: Pro basketball player and 4 youths arrested in connection to ransomware crimes
Authorities in Europe arrested five individuals, including former Russian basketball player Daniil Kasatkin, linked to ransomware crime syndicates. Kasatkin was detained on June 21 in France at the request of US authorities and faces charges of conspiracy to commit computer fraud related to 900 breaches. His attorney claims he is innocent, stating he is inexperienced with computers and may have unknowingly acquired a hacked device. Extradition proceedings are underway.
2025-07-11 | The Register: French cops cuff Russian pro basketball player on ransomware charges
Daniil Kasatkin, a 26-year-old Russian basketball player, was arrested at Charles de Gaulle Airport on June 21, accused of negotiating for a ransomware gang that targeted around 900 organizations, including two US federal agencies, between 2020 and 2022. He faces extradition to the US for conspiracy to commit computer fraud. His lawyer claims he is innocent and lacks computer skills, while the Russian embassy protests his detention. No evidence has been released by US authorities.
2025-07-11 | TechRadar: Russian basketball player arrested on suspicion of carrying out ransomware attacks
On June 21, 2025, French police arrested Russian basketball player Daniil Kasatkin at Charles de Gaulle Airport under suspicion of involvement in ransomware attacks, at the request of US authorities. His lawyer claims Kasatkin, who is described as PC-illiterate, bought a used computer that may have been hacked. The French court denied him bail, and he faces extradition to the US. The ransomware group he allegedly worked with reportedly targeted over 900 organizations from 2020 to 2022.
Four arrested in connection with M&S and Co-op cyber-attacks
Date: 2025-07-10 | Source: BBC News
Four individuals have been arrested in connection with cyber-attacks on M&S and the Co-op, which began in mid-April. The arrests, made by the National Crime Agency, include a 20-year-old woman and three males aged 17 to 19, suspected of offences under the Computer Misuse Act, blackmail, and money laundering. The attacks caused significant operational disruptions, with M&S estimating £300 million in lost profits. Electronic devices were seized during the arrests.
2025-07-10 | Recorded Future: Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
Four individuals were arrested by the UK's National Crime Agency for their suspected involvement in ransomware attacks on Marks & Spencer, Co-op, and Harrods in April. The suspects, aged 17 to 20, face charges related to the Computer Misuse Act, blackmail, and money laundering. Their electronic devices have been seized for forensic analysis. The NCA emphasizes the importance of collaboration with businesses in reporting cyber incidents to aid investigations.
2025-07-10 | The Register: NCA arrests four in connection with UK retail ransomware attacks
The UK's National Crime Agency (NCA) arrested four individuals on June 10, suspected of involvement in ransomware attacks on M&S, Co-op, and Harrods. The suspects include two men aged 17 and 19 from the West Midlands, a 19-year-old from London, and a 20-year-old woman from Staffordshire. They face charges under the Computer Misuse Act, blackmail, money laundering, and organized crime participation. The NCA is analyzing seized electronic devices for further evidence.
2025-07-10 | The Hacker News: Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
Four individuals were arrested by the U.K. National Crime Agency in connection with cyber attacks on Marks & Spencer, Co-op, and Harrods, with financial impacts estimated between £270 million and £440 million. The suspects, aged 17 to 20, face charges related to the Computer Misuse Act, blackmail, and money laundering. The attacks are linked to the organized crime group Scattered Spider, known for social engineering and ransomware tactics. Recommendations include enhancing identity verification and deploying phishing-resistant MFA.
2025-07-10 | DIGIT: Four Arrested in Investigation Into UK Retail Cyber-attacks
Four individuals were arrested in the UK in connection with cyber-attacks on Marks and Spencer, Co-op Group, and Harrods in April 2025. The suspects, aged 17 to 20, were apprehended at their homes, and electronic devices were seized for forensic analysis. They face charges under the Computer Misuse Act, including blackmail and money laundering. The investigation, prioritized by the NCA, suggests involvement of social engineering tactics, potentially targeting a third-party supplier, causing significant operational disruptions.
2025-07-10 | BleepingComputer: Four arrested in UK over M&S, Co-op, Harrod cyberattacks
Four individuals were arrested in the UK for their involvement in cyberattacks on Marks & Spencer, Co-op, and Harrods between late April and early May. The suspects, aged 17 to 20, face charges including Computer Misuse Act offenses and blackmail. The attacks caused significant disruptions, with M&S reporting a potential $402 million profit impact and customer data theft. The threat actors, linked to the group Scattered Spider, attempted to deploy DragonForce ransomware, successfully affecting M&S.
2025-07-10 | BleepingComputer: Four arrested in UK over M&S, Co-op, Harrods cyberattacks
Four individuals were arrested in the UK for their involvement in cyberattacks on Marks & Spencer, Co-op, and Harrods, causing significant disruptions. The suspects, aged 17 to 20, face charges under the Computer Misuse Act, blackmail, and money laundering. The attacks, attributed to the group Scattered Spider, included attempts to deploy DragonForce ransomware, successfully affecting M&S. The incidents are estimated to impact M&S profits by $402 million. Investigations continue as the NCA prioritizes the case.
2025-07-10 | ABC News: UK arrests four people over cyber attacks on Marks & Spencer, Co-op and Harrods
UK police arrested four individuals linked to cyberattacks on Marks & Spencer, Co-op, and Harrods. The suspects, aged 17 to 20, face charges including blackmail and violations of the Computer Misuse Act. Marks & Spencer reported a £300 million loss due to disrupted online orders. Co-op experienced personal data theft and payment disruptions, while Harrods restricted online access after being unable to process orders in May.
2025-07-10 | Cybersecurity Dive: UK authorities arrest 4 people in probe of retail cyberattack spree
Four individuals were arrested in the U.K. as part of a National Crime Agency investigation into a cyberattack spree in April targeting Harrods, Marks & Spencer, and Co-op. The suspects, linked to the cybercrime gang Scattered Spider, face charges including violations of the Computer Misuse Act and money laundering. The NCA, with assistance from regional crime units, continues to investigate and collaborate internationally to combat cybercrime, emphasizing the significant impact of these attacks on organizations.
2025-07-10 | Cyberscoop: UK arrests four for cyberattacks on major British retailers
Three teenagers and a 20-year-old woman were arrested by the U.K.’s National Crime Agency for alleged cyberattacks on retailers Marks & Spencer, Co-op, and Harrods. The attacks, which occurred in April, disrupted online services and resulted in customer data theft. The group responsible, Scattered Spider, has targeted over 100 businesses since 2022. The suspects face charges under the Computer Misuse Act, blackmail, money laundering, and organized crime participation.
2025-07-10 | TechCrunch: Authorities arrest four hackers linked to UK retail hacking spree
U.K. authorities arrested four individuals, including a 20-year-old woman, two 19-year-old men, and a 17-year-old youth, for hacking incidents targeting British retailers like Marks & Spencer, Harrods, and the Co-op. The National Crime Agency linked the suspects to hacking, blackmail, and money laundering. The group, known as Scattered Spider, exploited impersonation tactics to gain access, allowing the ransomware gang DragonForce to deploy malware on Marks & Spencer, while the Co-op mitigated the attack by shutting down its network.
2025-07-10 | Krebs on Security: UK Arrests Four in ‘Scattered Spider’ Ransom Group
Authorities in the UK arrested four alleged members of the "Scattered Spider" ransomware group, known for targeting companies like Marks & Spencer and Harrods using social engineering tactics. The suspects include two 19-year-olds, a 17-year-old, and a 20-year-old female. One suspect, Owen David Flowers, is linked to the MGM Casino cyberattack. Thalha Jubair, another key member, has a history with the LAPSUS$ group and SIM-swapping schemes. The group recruits minors for risky activities, raising concerns about early intervention in cybercrime.
2025-07-11 | TechRadar: UK police arrest four following cyberattacks on M&S, Co-op, Harrods
The UK National Crime Agency (NCA) arrested four individuals, aged 17 to 20, in connection with cyberattacks on M&S, Co-op, and Harrods in late April and early May 2025. The suspects face charges under the Computer Misuse Act, blackmail, and money laundering. M&S experienced operational disruptions, while Co-op had sensitive customer data stolen by a group named "DragonForce." The NCA emphasizes the importance of collaboration with businesses in reporting cyber incidents.
McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’
Date: 2025-07-09 | Source: Wired
An AI hiring bot used by McDonald's, developed by Paradox.ai, exposed personal data of up to 64 million applicants due to basic security flaws, including the use of the password "123456." Security researchers Ian Carroll and Sam Curry accessed the backend of the chatbot platform, revealing vulnerabilities that allowed them to query sensitive data. Paradox.ai confirmed the findings and announced a bug bounty program to enhance security. McDonald's expressed disappointment in Paradox.ai's oversight and mandated immediate remediation.
2025-07-10 | The Age: Personal information of McDonald’s job applicants exposed online
Thousands of Australian McDonald's job applicants had their personal information exposed due to a security vulnerability in the AI chatbot "Olivia," used for screening candidates. Researchers accessed 64 million chat records with the simple credentials "123456," revealing applicants' names, email addresses, and phone numbers. McDonald's Australia, a major employer, hires over 11,000 workers annually. The chatbot was developed by US-based Paradox, which faced criticism for inadequate security measures.
2025-07-10 | Times Now: McDonald’s Data Breach: AI Hiring Tool Exposes Millions Of Records With Password ‘123456’, All Details
McDonald's AI hiring tool, McHire.com, suffered a data breach exposing approximately 64 million records, including names, email addresses, and phone numbers, due to weak security practices, such as the use of the password '123456'. Security researchers Sam Curry and Ian Carroll identified vulnerabilities that could facilitate phishing attacks. Paradox.ai, the managing company, acknowledged the breach and is implementing resolutions, including a bug bounty program to enhance security.
2025-07-10 | TechRadar: McDonald’s AI recruiting platform had a really embarrassing security flaw - and it left millions of users open to attack
McDonald's AI recruiting platform, McHire, suffered a significant security flaw exposing sensitive data of 64 million applicants. Researchers Ian Carroll and Sam Curry accessed the backend using weak passwords, revealing personally identifiable information (PII) such as names, emails, and phone numbers. This data could facilitate phishing attacks and other cybercrimes. Paradox.ai, the platform's partner, was notified and promptly addressed the vulnerability, claiming only a fraction of accessed records contained PII.
2025-07-11 | TechCrunch: AI chatbot’s simple ‘123456’ password risked exposing personal data of millions of McDonald’s job applicants
Security researchers discovered that a simple password, "123456," allowed access to the personal data of 64 million McDonald's job applicants via the McHire AI chatbot, provided by Paradox.ai. The vulnerabilities included an internal API flaw that exposed applicants' names, email addresses, home addresses, and phone numbers. Paradox.ai stated that the issues were resolved within hours and confirmed that no candidate information was leaked online. The findings were initially reported by Wired.
2025-07-11 | BleepingComputer: '123456' password exposed info for 64 million McDonald’s job applicants
A vulnerability in McDonald's McHire chatbot job application platform exposed personal information of over 64 million applicants. Discovered by researchers Ian Carroll and Sam Curry, the flaw involved weak default credentials ("123456") and an Insecure Direct Object Reference (IDOR) vulnerability that allowed unauthorized access to sensitive data. The issue was reported on June 30, 2023, and was promptly addressed by McDonald's and Paradox.ai, who implemented a fix the same day.
2025-07-11 | BleepingComputer: '123456' password exposed chats for 64 million McDonald’s job applicants
A vulnerability in McDonald's McHire chatbot platform exposed chats of over 64 million job applicants due to weak admin credentials ("123456") and an Insecure Direct Object Reference (IDOR) flaw. Researchers Ian Carroll and Sam Curry discovered that by manipulating the lead_id parameter, they accessed sensitive applicant data. The issue was reported on June 30, 2023, and McDonald's quickly disabled the default credentials and mandated a fix from Paradox.ai, which confirmed the vulnerability was mitigated.
2025-07-11 | BleepingComputer: '123456' password exposed chats for 64 million McDonald’s job applications
A vulnerability in McDonald's McHire chatbot platform exposed chat transcripts and personal data of over 64 million job applicants due to weak default credentials ("123456:123456") and an Insecure Direct Object Reference (IDOR) flaw. Discovered by researchers Ian Carroll and Sam Curry, the issue was reported on June 30, 2023, leading to a prompt fix by Paradox.ai. McDonald's acknowledged the vulnerability and mandated immediate remediation, which was completed the same day.
2025-07-11 | BleepingComputer: '123456' password exposed chats for 64 million McDonald’s job chatbot applications
A vulnerability in McDonald's McHire chatbot job application platform exposed chat transcripts and personal data from over 64 million applications due to weak admin credentials ("123456") and an Insecure Direct Object Reference (IDOR) flaw. Discovered by researchers Ian Carroll and Sam Curry, the issue was reported on June 30, 2023. McDonald's and Paradox.ai quickly addressed the vulnerability, disabling default credentials and deploying a fix. Paradox is reviewing its systems to prevent future issues.
AMD warns of new Meltdown, Spectre-like bugs affecting CPUs
Date: 2025-07-09 | Source: The Register
AMD has identified a new side-channel attack, the Transient Scheduler Attack (TSA), affecting various AMD processors, including 3rd and 4th gen EPYC chips. The TSA comprises four vulnerabilities, with two rated medium-severity and two low-severity. Successful exploitation requires local access and arbitrary code execution. The vulnerabilities could lead to information leakage from the OS kernel and other applications. AMD recommends updating to the latest Windows builds for mitigation, though performance may be impacted.
AMD warns of new Meltdown, Spectre-like bugs affecting CPUs
2025-07-10 | The Hacker News: AMD Warns of New Transient Scheduler Attacks Impacting a Wide Range of CPUs
AMD has issued a warning regarding Transient Scheduler Attacks (TSA), which affect various CPUs and could lead to information disclosure. These vulnerabilities, identified in a study by Microsoft and ETH Zurich, exploit speculative execution timing. Four CVEs have been assigned, with CVSS scores ranging from 3.8 to 5.6. Affected processors include multiple AMD Ryzen and EPYC models. AMD has released microcode updates to mitigate these vulnerabilities, which require local access and arbitrary code execution to exploit.
2025-07-10 | TechRadar: AMD warns worrying new Spectre, Meltdown-esque flaw could affect top CPUs - here's what we know
AMD has identified four vulnerabilities (CVE-2024-36349, CVE-2024-36348, CVE-2024-36357, CVE-2024-36350) that can be exploited in a Transient Scheduler Attack (TSA), leading to potential information disclosure. While individually low in severity, when combined, they could leak OS kernel information and other data. A patch is available, and AMD recommends updating systems promptly. A workaround exists but may impact performance. Affected chips include EPYC, Ryzen, and others, detailed in AMD's advisory.
New ServiceNow flaw lets attackers enumerate restricted data
Date: 2025-07-09 | Source: BleepingComputer
A new vulnerability in ServiceNow, identified as CVE-2025-3648, allows low-privileged users to extract sensitive data due to misconfigured Access Control Lists (ACLs). Discovered by Varonis Threat Labs in February 2025, the flaw enables users to enumerate restricted data by manipulating URL filters. ServiceNow has introduced 'Deny Unless' ACLs and Query ACLs to mitigate the issue. Customers are advised to review their ACL configurations to prevent exploitation. No evidence of active exploitation has been reported.
New ServiceNow flaw lets attackers enumerate restricted data
2025-07-10 | The Hacker News: ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs
A high-severity vulnerability in ServiceNow's platform, CVE-2025-3648 (CVSS 8.2), could lead to unauthorized data exposure via misconfigured ACLs, allowing users to infer sensitive information. Discovered by Varonis, it affects all ServiceNow instances with weak ACL configurations. ServiceNow has introduced new security measures to mitigate this risk. Additionally, CVE-2025-1729 in Lenovo's TrackPoint software allows local privilege escalation via DLL hijacking, while CVE-2025-47978 in Windows Kerberos enables denial of service attacks against domain controllers.
2025-07-10 | TechRadar: Worrying ServiceNow security flaw could let hackers steal private table data
A security flaw in ServiceNow, tracked as CVE-2025-3648 with a severity score of 8.2/10, allowed unauthorized access to sensitive data due to faulty Access Control Lists (ACLs). Users could gain access if they satisfied just one ACL, potentially exposing private table data. ServiceNow has since implemented new controls, including a “Deny Unless ACL,” requiring users to meet all ACL conditions for access. Users are advised to review their tables and ACLs to prevent excessive permissions.
Treasury slaps sanctions on people, companies tied to North Korean IT worker schemes
Date: 2025-07-08 | Source: Cyberscoop
On Tuesday, the Treasury Department sanctioned North Korean national Song Kum Hyok, linked to the hacking group Andariel, for facilitating an IT worker scheme that generates revenue for the DPRK. This scheme involved recruiting DPRK nationals with falsified identities to work at companies, sometimes introducing malware into networks. Sanctions were also placed on Russian national Gayk Asatryan and four companies involved in employing these workers. This action highlights ongoing efforts to counter DPRK's funding for WMD programs.
Treasury slaps sanctions on people, companies tied to North Korean IT worker schemes
2025-07-08 | Recorded Future: Treasury sanctions key player behind North Korean IT worker scheme
The U.S. Treasury sanctioned Song Kum Hyok, a senior official in North Korea's Reconnaissance General Bureau, for facilitating an IT worker scheme using stolen U.S. identities. This scheme, involving Russian national Gayk Asatryan and four companies, allowed North Korean IT workers to pose as U.S. citizens while working remotely, generating illicit revenue and potentially introducing malware into networks. The sanctions aim to disrupt North Korea's funding for weapons programs.
2025-07-09 | The Hacker News: U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme
The U.S. Treasury sanctioned North Korean hacker Song Kum Hyok for his role in a fraudulent IT worker scheme, using stolen U.S. identities to employ North Koreans as remote workers. This follows recent DOJ actions against the scheme, resulting in arrests and seizures. Sanctions were also imposed on Russian entities involved in facilitating this operation. The scheme, linked to the Lazarus Group, aims to fund North Korea's WMD programs through illicit earnings and cryptocurrency transactions.
2025-07-09 | BleepingComputer: Treasury sanctions North Korean over IT worker malware scheme
The U.S. Department of the Treasury sanctioned Song Kum Hyok for his role in North Korea's Andariel hacking group, which conducts financially motivated cyber operations. He facilitated a scheme using stolen U.S. identities to employ DPRK nationals in remote IT jobs, generating revenue for North Korea's WMD programs. The sanctions include asset freezes and transaction bans. Additional parties linked to this scheme were also sanctioned. This follows recent U.S. actions against North Korean IT worker operations.
2025-07-09 | The Register: US sanctions alleged North Korean IT sweatshop leader
The US Treasury sanctioned Song Kum Hyok, a North Korean linked to hacking attempts and the Andariel cyber group, for employing foreign tech workers under stolen identities to fund North Korea's weapons program. Between 2022 and 2023, he allegedly created aliases for these workers to apply for US jobs. Additionally, Russian national Gayk Asatryan was sanctioned for employing North Korean IT workers. These actions aim to combat North Korean IT scams affecting US companies.
Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed Including 41 RCE
Date: 2025-07-08 | Source: Cyber Security News
Microsoft's July 2025 Patch Tuesday addressed 130 CVEs, including 41 Remote Code Execution (RCE) vulnerabilities. Key critical vulnerabilities include CVE-2025-47981 (CVSS 9.8) affecting Windows SPNEGO and CVE-2025-49717 (CVSS 8.5) for SQL Server. Other affected products include Windows Kernel, Microsoft Office, and Azure services. No zero-day or actively exploited vulnerabilities were reported. Recommendations include applying patches promptly to mitigate risks associated with these vulnerabilities.
Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed Including 41 RCE
2025-07-08 | BleepingComputer: Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws
Microsoft's July 2025 Patch Tuesday addresses 137 vulnerabilities, including one zero-day in Microsoft SQL Server (CVE-2025-49719) that allows unauthorized data access. The update includes 14 critical vulnerabilities, primarily remote code execution flaws in Microsoft Office and SharePoint. Recommendations include updating SQL Server and installing the latest OLE DB Driver. Notably, fixes for Microsoft Office LTSC for Mac will be released soon.
2025-07-08 | Cisco Talos: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
Microsoft's July 2025 Patch Tuesday addresses 132 vulnerabilities, including 14 critical ones, with none actively exploited. Key vulnerabilities include CVE-2025-49735 (RCE in Windows KDC Proxy, CVSS 8.1), CVE-2025-49704 (RCE in SharePoint, CVSS 7.7), and CVE-2025-47981 (RCE in NEGOEX, CVSS 9.8). Talos released Snort rules to detect exploitation attempts. Recommendations include updating security rulesets for Cisco Security Firewall and Snort users.
2025-07-08 | Cyberscoop: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited
Microsoft's Patch Tuesday addressed 130 vulnerabilities, with none actively exploited. Notable vulnerabilities include CVE-2025-49719, a high-severity SQL Server information disclosure flaw (CVSS 7.5), and CVE-2025-47981, a critical remote code execution vulnerability in Windows SPNEGO (CVSS 9.8). The latter allows unauthenticated remote code execution, posing significant risks for enterprise networks. Microsoft advises prompt patching, especially for vulnerabilities affecting Microsoft Office products.
2025-07-08 | The Register: Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
Microsoft's July Patch Tuesday includes 130 patches, with no active exploits reported. The critical CVE-2025-47981, with a CVSS score of 9.8, affects SPNEGO protocols, allowing remote code execution. Office has four critical flaws, including CVE-2025-49696, exploitable via the Preview Pane. Other critical issues include CVE-2025-49717 in SQL and vulnerabilities in BitLocker. Adobe released critical patches for ColdFusion and Experience Manager Forms, while SAP issued 27 updates, including a CVSS 10 vulnerability.
2025-07-09 | Krebs on Security: Microsoft Patch Tuesday, July 2025 Edition
Microsoft's July 2025 Patch Tuesday addressed 137 vulnerabilities, including 14 rated as critical. Notably, CVE-2025-49719, an information disclosure flaw in SQL Server, is a priority due to its potential for exploitation without authentication. CVE-2025-47981, a remote code execution vulnerability, affects Windows 10 and Server. Other critical flaws were patched in Office. Adobe also released updates for various software. Users are advised to back up data before applying patches.
2025-07-09 | The Hacker News: Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server
Microsoft's January 2025 Patch Tuesday addressed 130 vulnerabilities, including critical flaws in SPNEGO (CVE-2025-47981, CVSS 9.8) and SQL Server (CVE-2025-49719, CVSS 7.5). The SPNEGO flaw allows remote code execution via a network message. SQL Server's issue could leak sensitive data from uninitialized memory. Other significant vulnerabilities include remote code execution in Windows KDC Proxy (CVE-2025-49735, CVSS 8.1) and Hyper-V (CVE-2025-48822, CVSS 8.6). SQL Server 2012 will end support on July 8, 2025.
2025-07-10 | Sophos: July Patch Tuesday offers 127 fixes
Microsoft's July Patch Tuesday released 127 patches across 14 product families, addressing 9 critical vulnerabilities, including CVE-2025-47981, a remote code execution flaw with a CVSS score of 9.8. Notably, 17 CVEs are likely to be exploited within 30 days. Additionally, 12 Adobe Reader fixes were issued, with four critical vulnerabilities. The patches cover various products, including Windows, Office, and SQL Server, with a focus on remote code execution and elevation of privilege vulnerabilities.
Android malware Anatsa infiltrates Google Play to target US banks
Date: 2025-07-08 | Source: BleepingComputer
The Anatsa banking trojan infiltrated Google Play via a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, tracking users of North American banking apps and displaying a fake maintenance message to obscure its activities. Threat Fabric reported this campaign, noting previous infiltrations with significant downloads. The malicious app was removed by Google, and users are advised to uninstall it, run a full system scan, and reset banking credentials. Caution is urged when downloading apps.
Android malware Anatsa infiltrates Google Play to target US banks
2025-07-08 | Cyber Security News: Anatsa Android Banking Malware from Google Play Targeting Users in the U.S. and Canada
ThreatFabric researchers have identified a new campaign by the Anatsa banking trojan targeting mobile banking customers in the U.S. and Canada, marking its third major offensive. The malware, disguised as legitimate apps on Google Play, has over 50,000 downloads. Anatsa employs device takeover tactics, including overlay attacks and keystroke logging. It targets over 650 financial institutions, including major banks. Experts urge financial institutions to alert customers about app risks and enhance monitoring for unusual activity.
2025-07-08 | The Hacker News: Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play
Cybersecurity researchers have identified the Anatsa Android banking Trojan targeting 90,000 users in North America through a malicious app disguised as a "PDF Update." This malware, which has been active since 2020, employs deceptive overlays to steal banking credentials. The app, published by "Hybrid Cars Simulator," was available on Google Play from May 7 to June 30, 2025. Organizations in the financial sector are advised to assess potential risks and impacts on their systems and customers.
2025-07-08 | Recorded Future: Anatsa mobile malware returns to victimize North American bank customers
The Anatsa mobile malware has resurfaced, targeting North American bank customers by embedding itself in a legitimate-looking file reader app on the Play Store. This campaign, occurring from June 24-30, involved a malicious update that installed Anatsa, capable of stealing banking credentials and executing fraudulent transactions. The app gained over 50,000 downloads before removal. ThreatFabric warns of evolving tactics, including AI-personalized malware and attempts to bypass multi-factor authentication.
2025-07-08 | Tomsguide: This dangerous banking trojan now uses scheduled maintenance to hide its malicious activities — don’t fall for this
The Anatsa banking trojan has resurfaced, infecting over 50,000 Android users through a malicious app disguised as a PDF viewer on the Google Play Store. Discovered by Threat Fabric, the trojan employs overlay attacks to steal credentials from popular banking apps. The app was removed, but users are advised to uninstall it, run a full system scan with Google Play Protect, and reset bank credentials. Recommendations include scrutinizing app ratings, limiting installed apps, and using trusted developers.
2025-07-09 | TechRadar: Dangerous Android malware targets US banking apps - 50,000 people already affected, make sure you're not next
A banking trojan named Anatsa was found in the Android app 'Document Viewer – File Reader', which had over 50,000 downloads before being updated to include the malware. It scans for North American banking apps and overlays them to steal credentials while displaying a maintenance message. The app has been removed from the Play Store. Users are advised to uninstall it, run a full system scan with Play Protect, and reset banking credentials. Google confirmed the app's removal and ongoing protection measures.
Marks & Spencer chair refuses to say if retailer paid hackers after ransomware attack
Date: 2025-07-08 | Source: TechCrunch
Marks & Spencer's chairman, Archie Norman, did not confirm whether the company paid a ransom to the hacking group DragonForce following a ransomware attack earlier this year. The attack resulted in the theft of customer data, including names, addresses, and order histories, and disrupted operations for weeks. Recovery efforts are ongoing and expected to continue until October or November. Norman emphasized that discussing ransom details is not in the public interest due to law enforcement considerations.
Marks & Spencer chair refuses to say if retailer paid hackers after ransomware attack
2025-07-08 | BleepingComputer: M&S confirms social engineering led to massive ransomware attack
M&S confirmed that a sophisticated social engineering attack led to a DragonForce ransomware incident, with initial access gained on April 17 through impersonation of an employee to reset a password via a third-party, Tata Consultancy Services. The attack, attributed to Scattered Spider, resulted in the encryption of VMware ESXi servers and the theft of approximately 150GB of data. M&S opted not to engage directly with the threat actors, leaving negotiations to professionals, and has not disclosed if a ransom was paid.
2025-07-09 | TechRadar: M&S thinks it might finally know what caused cyberattack - but still won't say if it paid a ransom
M&S chairman Archie Norman attributes a recent ransomware attack to DragonForce, a group believed to be based in Asia or Russia. The breach occurred through social engineering, with attackers impersonating an M&S employee to reset a password. Approximately 150GB of sensitive data was stolen, including personal information. M&S has not confirmed if a ransom was paid, and recovery efforts are expected to conclude by late 2025. Norman advocates for greater transparency in reporting cyberattacks.
2025-07-09 | DIGIT: M&S Boss Claims Major UK Hacks Are Going Unreported
Marks & Spencer's chairman, Archie Norman, reported significant losses of £300 million due to a cyber-attack attributed to the threat group DragonForce, which began on April 17. The attack exploited social engineering and involved third-party vulnerabilities. M&S has increased cyber staff and security spending but faces challenges from legacy systems and a large attack surface. Norman highlighted that many serious attacks go unreported, suggesting a need for regulatory requirements to notify the National Cyber Security Centre.
2025-07-09 | Cybersecurity Dive: M&S chairman calls for mandatory disclosure of material cyberattacks
M&S chairman Archie Norman urged the British government to mandate the disclosure of significant cyberattacks, citing a recent social-engineering attack on the company. He highlighted that two major U.K. firms may have faced attacks without public acknowledgment, creating intelligence gaps. The M&S incident caused over $400 million in operational impact. Norman identified the ransomware group DragonForce as responsible, suggesting collaboration with Scattered Spider.
Malicious Chrome extensions with 1.7M installs found on Web Store
Date: 2025-07-08 | Source: BleepingComputer
Researchers at Koi Security identified nearly a dozen malicious Chrome extensions with 1.7 million downloads that can track users and redirect them to unsafe sites. Many extensions masquerade as legitimate tools and were found to have malicious code introduced via updates. Users are advised to remove specific extensions, clear browsing data, check for malware, and monitor accounts for suspicious activity. Similar malicious extensions were also found in the Microsoft Edge store, affecting over 2.3 million users combined.
Malicious Chrome extensions with 1.7M installs found on Web Store
2025-07-08 | Tomsguide: Nearly 2 million people hit by malicious Chrome installations that can track you — what to do now
Nearly 1.7 million downloads of malicious Chrome extensions were reported, allowing tracking of user activity and potential redirection to malware sites. Discovered by Koi Security, these extensions include tools like VPNs and weather apps. Some have been removed, but others remain. The malicious code was introduced via updates, utilizing the Chrome Extensions API to capture URLs and exfiltrate data. Users are advised to remove the extensions, clear browsing data, and scan for malware.
2025-07-08 | The Register: Massive browser hijacking campaign infects 2.3M Chrome, Edge users
A browser hijacking campaign named RedDirection has infected over 2.3 million users of Chrome and Edge through 18 malicious extensions, including a color picker from Geco. These extensions, initially clean, were updated to include malware that tracks browsing activity and sends data to remote servers. Users are advised to uninstall the affected extensions and monitor their accounts for suspicious activity. The extensions masquerade as legitimate tools, complicating detection.
2025-07-09 | TechRadar: Malicious Google Chrome and Edge extensions downloaded more than 2 million times - here's how to stay safe from being tracked online
Security researchers from Koi Security discovered 18 malicious browser add-ons for Google Chrome and Microsoft Edge, collectively downloaded over 2.3 million times, that tracked user activity and communicated with remote C2 servers. Named Operation RedDirection, these add-ons, initially benign, were likely hijacked. Users are advised to remove these add-ons, clear browsing data, run antivirus scans, and change stored passwords. Many affected add-ons remain available through third-party sources.
Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage
Date: 2025-07-08 | Source: BleepingComputer
A Chinese national, Xu Zewei, was arrested in Milan on July 3rd, linked to the state-sponsored Silk Typhoon hacking group, also known as Hafnium. He is accused of involvement in cyberespionage attacks against U.S. organizations, particularly targeting COVID-19 vaccine research in 2020. The group has also been linked to attacks on the U.S. Treasury's OFAC. Xu is currently held in prison as the U.S. seeks his extradition for trial.
Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage
2025-07-08 | The Register: Suspected Chinese cybersnoop grounded in Italy after US tipoff
A man named Zewei Xu, alleged to be part of the Chinese cyberespionage group Silk Typhoon, was arrested in Milan on July 3 following a US tip-off. Xu is accused of spying on vaccine development at the University of Texas during the COVID-19 pandemic and is linked to the Hafnium group, known for the 2020 Microsoft Exchange attack. A US extradition request is pending, with charges expected to include computer intrusions and identity theft.
2025-07-08 | Recorded Future: Chinese national arrested in Milan after US issues arrest warrant for Hafnium attacks
Xu Zewei, a 33-year-old Chinese national, was arrested in Milan on July 3, 2023, following a U.S. warrant for his involvement in the Hafnium hacking campaign. He is accused of targeting a Texas university to steal COVID-19 vaccine research and conducting cyberattacks from February 2020 to June 2021. The Justice Department's indictment includes charges of wire fraud and unauthorized access to protected computers. Xu faces 77 years in prison if convicted; his co-defendant, Zhang Yu, remains at large.
2025-07-08 | Cyberscoop: Italian authorities arrest Chinese man over Microsoft Exchange Server hack, targeting of COVID-19 researchers
Italian authorities arrested Xu Zewei, a Chinese national, at the request of the U.S. for his involvement in the Microsoft Exchange Server hack from 2020-2021. The indictment alleges he stole COVID-19 research for the Chinese government, targeting U.S. universities and researchers. Xu, part of the HAFNIUM group, exploited vulnerabilities affecting over 60,000 U.S. entities. He faces multiple charges, including conspiracy to commit wire fraud and aggravated identity theft.
2025-07-08 | TechCrunch: US government confirms arrest of Chinese national accused of stealing COVID research and mass-hacking email servers
The U.S. Justice Department confirmed the arrest of Xu Zewei, a Chinese national accused of stealing COVID-19 research and conducting mass hacks of Microsoft Exchange servers. Xu, arrested in Italy, faces nine charges related to hacking U.S. universities in February 2020 and compromising over 60,000 Exchange servers starting March 2021. He is linked to the hacking group Hafnium, which has initiated a new campaign called Silk Typhoon targeting large companies and government agencies.
2025-07-08 | Cybersecurity Dive: Suspected contractor for China’s Hafnium group arrested in Italy
Italian authorities and the FBI arrested Xu Zewei, 33, in Milan on July 3, accused of aiding China's Hafnium group in cyberattacks targeting U.S. COVID-19 research and exploiting Microsoft Exchange vulnerabilities in 2020-2021. Xu faces charges of wire fraud and conspiracy, with a potential 20-year prison sentence. Another suspect, Zhang Yu, remains at large. The attacks prompted a CISA emergency warning and affected numerous organizations, including government agencies.
2025-07-08 | Cybersecurity Dive: Suspected contractor for China’s Hafnium group arrested in Italy
Italian authorities and the FBI arrested Xu Zewei, 33, for allegedly aiding China's Hafnium group in cyberattacks targeting U.S. COVID-19 research and exploiting Microsoft Exchange vulnerabilities in 2020-2021. Xu, linked to Shanghai Powerock Network Co. Ltd., faces charges of wire fraud and conspiracy, with a potential 20-year prison sentence. Another suspect, Zhang Yu, remains at large. The attacks prompted a CISA emergency warning and affected numerous Microsoft customers, including government entities.
2025-07-09 | The Hacker News: Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks
Xu Zewei, a 33-year-old Chinese national, was arrested in Milan for alleged ties to the Silk Typhoon hacking group and cyber attacks against U.S. entities from February 2020 to June 2021. Charged with wire fraud and identity theft, he exploited zero-day vulnerabilities in Microsoft Exchange Server during the Hafnium campaign, affecting over 60,000 U.S. organizations. Xu is also linked to espionage efforts targeting vaccine research. His extradition is contested, citing mistaken identity.
2025-07-09 | TechRadar: US arrests Silk Typhoon hacker accused of stealing Covid research and mass email hacking
Italian law enforcement arrested Zewei Xu, a 33-year-old Chinese national, accused of cyber-espionage for the Chinese government, specifically targeting COVID vaccine research at the University of Texas in 2020. Xu is linked to the Silk Typhoon hacking collective, which allegedly compromised thousands of computers globally. He faces charges of wire fraud and aggravated identity theft, with a potential maximum sentence of 25 years. A hearing will determine his extradition to the U.S.
Call of Duty takes PC game offline after multiple reports of RCE attacks on players
Date: 2025-07-07 | Source: Cyberscoop
The PC version of Call of Duty: World War 2 was taken offline following reports of a remote code execution (RCE) vulnerability allowing hackers to take control of players' computers during multiplayer matches. The game was removed from the Microsoft Store on July 5 for investigation. Players reported incidents of their PCs being compromised, including unauthorized command executions and system disruptions. The issue is linked to the transition from dedicated servers to peer-to-peer networking in older games.
Call of Duty takes PC game offline after multiple reports of RCE attacks on players
2025-07-08 | TechCrunch: Activision took down Call of Duty game after PC players hacked, says source
Activision took down the Microsoft Store version of "Call of Duty: WWII" due to a remote code execution (RCE) exploit that allowed hackers to compromise players' PCs. This decision followed reports of players being hacked while playing. The affected version contained an old flaw that had been patched in other versions. Activision is currently investigating the issue and has not provided further comments. The game remains offline as of the publication date.
2025-07-09 | The Verge: Activision pulls Call of Duty game after PC players are hacked
Activision has removed Call of Duty: WWII from the Microsoft Store and PC Game Pass due to reports of PC hacks affecting players. The game was taken offline for investigation after multiple incidents where players experienced remote code execution (RCE) vulnerabilities, allowing hackers to control their devices. The outage is limited to Microsoft platforms, while the game remains available on Steam and other consoles.
Atomic macOS infostealer adds backdoor for persistent attacks
Date: 2025-07-07 | Source: BleepingComputer
A new version of the Atomic macOS info-stealer (AMOS) has been discovered, featuring a backdoor that allows attackers persistent access to compromised systems. Analyzed by Moonlock, this malware can execute remote commands, survive reboots, and maintain control indefinitely. It targets macOS files and user passwords, with campaigns affecting over 120 countries. The backdoor uses LaunchDaemons for persistence and can log keystrokes or introduce additional payloads, indicating a shift towards more sophisticated attacks on macOS users.
Atomic macOS infostealer adds backdoor for persistent attacks
2025-07-08 | Tomsguide: This Mac malware just got a major upgrade which makes it even harder to delete — how to stay safe
An upgraded version of the Atomic Stealer malware for Mac has been identified, capable of creating a persistent backdoor on infected systems. This malware, which targets sensitive data like passwords and cryptocurrency, is distributed through cracked software and spear phishing campaigns. The backdoor, facilitated by a hidden binary file and a persistent script, allows remote command execution. Users are advised to avoid pirated software, be cautious with personal information, and consider additional antivirus solutions for protection.
2025-07-08 | TechRadar: One of the biggest security threats to Apple systems just got a major upgrade - here's what we know
Atomic Stealer (AMOS), a significant infostealer malware targeting macOS, has been upgraded to include a backdoor and persistence mechanism, allowing attackers to maintain access and deploy additional malware. This new variant was identified by Moonlock, with the potential to compromise thousands of Mac devices globally. AMOS has been used in major hacking campaigns, capable of extracting sensitive data and bypassing macOS security features. Recent campaigns have affected over 120 countries, notably the US, France, and the UK.
'Batavia' Windows spyware campaign targets dozens of Russian orgs
Date: 2025-07-07 | Source: BleepingComputer
A spyware campaign named 'Batavia' is targeting numerous Russian industrial organizations through phishing emails disguised as contract attachments. Active since at least July 2022, the campaign intensified in early 2025. The attack begins with a malicious Visual Basic Encoded script that profiles the system and downloads further payloads, including a Delphi-based malware for data collection and a C++ data stealer. The operation may indicate espionage focused on Russia's industrial sector.
2025-07-08 | The Hacker News: Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms
Researchers have identified a new Windows spyware named Batavia, targeting Russian organizations since July 2024. The attack begins with phishing emails containing malicious links leading to a Visual Basic Encoded script that exfiltrates system information. Batavia collects various document types and screenshots, transmitting data to a remote server. Over 100 users across multiple organizations received these phishing emails. The article also mentions a separate malware, NordDragonScan, which similarly exfiltrates sensitive data.
2025-07-08 | Recorded Future: New spyware strain steals data from Russian industrial companies
Hackers are targeting Russia's industrial sector with a new spyware strain named Batavia, which began its campaign in July 2024. The malware is delivered via phishing emails disguised as contracts, leading victims to download malicious files. Batavia exfiltrates sensitive documents, system logs, and takes screenshots, sending data to a remote server. Over 100 victims across various Russian organizations have been affected. The operation may involve state-sponsored groups or organized cybercriminals amid rising geopolitical tensions.
Hackers abuse leaked Shellter red team tool to deploy infostealers
Date: 2025-07-07 | Source: BleepingComputer
Hackers have exploited a leaked copy of Shellter Elite, a commercial AV/EDR evasion loader, to deploy infostealer malware. The misuse began in April 2023, with threat actors using YouTube comments and phishing emails for distribution. Shellter confirmed the leak originated from a customer who purchased licenses. An update (version 11.1) has been released for vetted customers, while Elastic Security Labs developed detections for the exploited version. Shellter criticized Elastic for not notifying them earlier about the abuse.
2025-07-08 | TechRadar: This top security platform is being hacked to carry out malware threats
Elastic Security Labs reported that the pentesting tool Shellter Elite was abused for malware delivery after a license leak. Threat actors used it to deploy infostealers and evade antivirus defenses. The Shellter Project confirmed the leak and criticized Elastic for not disclosing the issue sooner. Following the incident, they identified the leaker and released a patch to prevent further abuse. The new version 11.1 will only be available to vetted customers, excluding the malicious entity.
2025-07-08 | The Hacker News: Hackers Use Leaked Shellter Tool License to Spread Lumma Stealer and SectopRAT Malware
Hackers are exploiting a leaked Shellter tool license to distribute Lumma Stealer and SectopRAT malware. The Shellter Project confirmed that a recent license leak allowed malicious actors to weaponize the tool for infostealer campaigns. Since April 2025, multiple campaigns have used Shellter Elite version 11.0 to evade detection. The malware employs self-modifying shellcode and polymorphic obfuscation. The Shellter Project criticized Elastic for not promptly notifying them about the misuse.
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know
Date: 2025-07-06 | Source: Wiz
On June 17 and 25, 2025, Citrix disclosed three critical vulnerabilities in NetScaler ADC and Gateway: CVE-2025-5349 (Improper Access Control, CVSS 8.7), CVE-2025-5777 (Memory Overread, CVSS 9.3), and CVE-2025-6543 (Memory Overflow, CVSS 9.2). CVE-2025-5777 has been exploited in the wild, with a proof-of-concept available. Affected versions include 12.1, 13.1, and 14.1. Organizations are urged to upgrade to patched versions and terminate active sessions post-upgrade.
2025-07-07 | The Register: CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands
Multiple exploits for CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC and Gateway (rated 9.3 CVSS), are circulating, and the flaw is being actively exploited. It allows remote attackers to read sensitive information, including session tokens, enabling them to bypass MFA and hijack sessions. Despite a patch being issued, many users remain unpatched. Security firms have released proof-of-concept exploits, indicating a high risk of exploitation. Organizations are urged to follow Citrix's recommendations to mitigate this vulnerability.
2025-07-07 | BleepingComputer: Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
Researchers have released public exploits for a critical Citrix NetScaler vulnerability, CVE-2025-5777 (CitrixBleed2), which can steal user session tokens via malformed POST requests. This flaw affects Citrix NetScaler ADC and Gateway devices, allowing attackers to leak memory contents. Citrix claims no active exploitation is occurring, but evidence suggests otherwise. Patches are available, and organizations are urged to apply them immediately while reviewing active sessions for suspicious activity.
2025-07-08 | TechRadar: CitrixBleed 2 exploits are now in the wild, so patch now
CitrixBleed 2, a critical vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway, allows session hijacking and is actively exploited. Although it was discovered in June 2025 and fixes are available, many instances remain unpatched. Security researchers warn of ongoing exploitation campaigns, urging immediate updates. Citrix's communication is unclear, stating no evidence of exploitation while emphasizing the need for urgent patching. Users are advised to secure their systems due to the vulnerability's severity and potential for abuse.
2025-07-09 | Ars Technica: Critical CitrixBleed 2 vulnerability has been under active exploit for weeks
A critical vulnerability, CVE-2025-5777, in Citrix's NetScaler devices allows bypassing multifactor authentication and has been actively exploited since at least June 23, 2023. This vulnerability, similar to the previous CitrixBleed (CVE-2023-4966), has a severity rating of 9.2. Citrix released a patch on June 17 but initially claimed no evidence of exploitation. Researchers criticized Citrix for not providing indicators for customers to assess potential attacks.
2025-07-10 | The Register: Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
CISA has confirmed that CVE-2025-5777, known as CitrixBleed 2, is actively exploited, allowing remote attackers to read sensitive information from NetScaler devices. This critical vulnerability, rated 9.3 CVSS, enables session hijacking and bypassing multi-factor authentication. Citrix issued a fix on June 17, but researchers reported exploits as early as June 23. Akamai noted increased scanning for vulnerable targets, emphasizing the risk of unauthorized access to internal systems. The scope of affected organizations remains unclear.
2025-07-11 | The Hacker News: CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
CISA has added CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC and Gateway, to its KEV catalog, confirming active exploitation. This flaw (CVSS 9.3) allows attackers to bypass authentication due to insufficient input validation. Exploitation efforts have been traced to multiple IP addresses across several countries, targeting enterprises in the U.S., France, Germany, India, and Italy. Organizations are advised to upgrade to patched versions and terminate active sessions to mitigate risks.
2025-07-11 | BleepingComputer: CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
CISA has confirmed the active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway, giving federal agencies until June 11 to apply patches. This critical memory safety flaw allows unauthenticated access to restricted memory areas. Affected versions include those prior to 14.1-43.56 and 13.1-58.32. Users are advised to upgrade firmware and disconnect active sessions. Despite CISA's warning, Citrix has not updated its bulletin regarding exploitation evidence.
2025-07-11 | Recorded Future: CISA orders agencies to immediately patch Citrix Bleed 2, saying bug poses ‘unacceptable risk’
CISA has mandated that all federal civilian agencies immediately patch the critical vulnerability CVE-2025-5777, known as "Citrix Bleed 2," affecting NetScaler ADC and Gateway products. This vulnerability, rated 9.2/10 in severity, poses an "unacceptable risk" and has been actively exploited. Agencies have just 24 hours to address it, the shortest deadline ever issued. The vulnerability could allow attackers to hijack sessions and bypass MFA, raising significant security concerns, especially for critical infrastructure.
2025-07-11 | Cybersecurity Dive: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
A critical vulnerability in Citrix Netscaler, tracked as CVE-2025-5777, is actively being exploited, leading to concerns similar to past ransomware attacks against Citrix customers. The flaw, due to insufficient input validation, can cause memory overread when configured as a Gateway. Exploitation attempts began on June 26, 2023, with CISA adding it to its catalog of known exploited vulnerabilities. Citrix has issued guidance for mitigation and acknowledged another unrelated vulnerability, CVE-2025-6543.
2025-07-11 | TechCrunch: CISA warns hackers are actively exploiting critical ‘Citrix Bleed 2’ security flaw
CISA has confirmed that hackers are actively exploiting a critical vulnerability known as "Citrix Bleed 2" in Citrix NetScaler, which is used for remote access to internal networks. The flaw allows remote extraction of sensitive credentials, posing a significant risk to federal systems. CISA has mandated that federal agencies patch affected devices within one day. Citrix has not acknowledged the exploitation but advises customers to update their devices promptly.
2025-07-14 | TechRadar: CISA warns hackers are actively exploiting critical CitrixBleed 2
CISA has added CVE-2025-5777, a critical-severity vulnerability (9.3/10) in Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities catalog, warning of active exploitation. Discovered in June 2025, it allows attackers to extract sensitive data without authentication. Despite a patch being available, many instances remain unpatched. CISA has mandated a 24-hour deadline for FCEB agencies to apply the patch or cease using the affected software.
2025-07-14 | Cyberscoop: CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe
A critical vulnerability, CVE-2025-5777, affecting Citrix NetScaler products has been actively exploited since its disclosure on June 17, 2025. CISA added it to its exploited vulnerabilities catalog on July 10, urging agencies to patch within 24 hours. The vulnerability has a CVSS score of 9.3 and has led to over 11.5 million attack attempts, primarily targeting financial services. Researchers criticize Citrix for the vulnerability's ease of exploitation and call for improved software testing processes.
Qantas attack reveals one phone call is all it takes to crack cybersecurity’s weakest link: humans
Date: 2025-07-05 | Source: The Guardian
Cybercriminals accessed Qantas' systems via an offshore IT call center, compromising personal data of up to 6 million customers. This breach highlights vulnerabilities in human factors, particularly through social engineering techniques like vishing. The Australian Information Commissioner reported a rise in breaches from social engineering, with finance and health sectors most affected. The Australian Prudential Regulation Authority warned of increasing cyber threats to superannuation funds, emphasizing the need for improved cybersecurity measures.
2025-07-07 | BleepingComputer: Qantas is being extorted in recent data-theft cyberattack
Qantas confirmed it is being extorted following a cyberattack that potentially exposed data for 6 million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. No financial information or passwords were compromised. The airline is advising customers to be vigilant against scams and phishing attempts. The attack is linked to threat actors known as Scattered Spider, who have previously targeted other sectors. Qantas is collaborating with cybersecurity experts and law enforcement for the investigation.
2025-07-08 | The Register: Suspected Scattered Spider domains target everyone from manufacturers to Chipotle
Check Point researchers identified 500 domains linked to the Scattered Spider group, targeting various sectors, including manufacturing, medical tech, and Chipotle. These domains mimic legitimate corporate login portals, suggesting potential phishing infrastructure. The group is known for social engineering tactics, including fake IT helpdesk calls. Recent attacks have also affected airlines, with Qantas disclosing a data breach impacting 6 million customers. The FBI has issued alerts regarding these threats.
2025-07-08 | DIGIT: Over 500 Scattered Spider Phishing Domains Ready for Attack
Scattered Spider, a sophisticated cyber gang, has over 500 phishing domains prepared for future attacks, targeting industries such as retail and aviation. Researchers at Check Point identified domains following Scattered Spider's naming conventions, including examples like chipotle-sso[.]com and gemini-servicedesk[.]com. The group has previously disrupted M&S and Co-op and is linked to attacks on Hawaiian Airlines and Qantas. They employ social engineering techniques and tools like Fleetdeck.io and BlackCat ransomware-as-a-service.
2025-07-09 | The Register: Qantas begins telling some customers that mystery attackers have their home address
Qantas reported a cyberattack on a third-party platform affecting approximately 5.7 million customers. The breach exposed personal information, including names, email addresses, and frequent flyer numbers. For about 1 million customers, additional data such as physical addresses, dates of birth, and phone numbers were accessed. Qantas has implemented enhanced security measures and advised affected customers to remain vigilant against scams. The nature of the attack remains unclear, and no data has been confirmed on the dark web.
2025-07-09 | Cybersecurity Dive: Qantas says cyberattack affected 5.7 million customers
Qantas confirmed that a cyberattack on a vendor affected 5.7 million passengers, with compromised data including names, email addresses, and frequent-flyer numbers. The airline is notifying affected customers and advising on support services. No credit card or sensitive financial information was accessed. Qantas has enhanced internal security measures and warned customers about potential fraudulent communications. The attack may be linked to the Scattered Spider group, though attribution remains unconfirmed.
2025-07-09 | BleepingComputer: Qantas confirms data breach impacts 5.7 million customers
Australian airline Qantas confirmed a data breach affecting 5.7 million customers, detected on June 30, 2023. The breach involved a third-party platform and is linked to the threat group Scattered Spider. Exposed data includes names, email addresses, Frequent Flyer details, addresses, birth dates, phone numbers, and meal preferences. No financial or login information was compromised. Qantas is notifying affected customers and enhancing cybersecurity measures while warning against phishing attempts related to the breach.
2025-07-10 | Recorded Future: Qantas says 5.7 million affected by breach, leaked info not enough to access frequent flyer accounts
Qantas reported that a cyberattack exposed data of 5.7 million customers, including names, email addresses, and Frequent Flyer numbers. The breach occurred at a contact center, with 2.8 million customers affected by the leak of sensitive information. No credit card or passport details were compromised. Qantas is cooperating with national cyber and police agencies for the investigation. The airline warned customers about potential scams and confirmed hackers were expelled from the system.
2025-07-11 | TechRadar: Qantas confirms 5.7 million customers impacted by data breach
Qantas confirmed that a cyberattack in June 2025 impacted 5.7 million customers, with attackers exfiltrating names, email addresses, and other personal information, but not passwords or payment data. The breach involved a call center and a third-party customer service platform. The hacking group Scattered Spider is suspected, though they have not claimed responsibility. Qantas is notifying affected customers and advising vigilance against unsolicited communications. No evidence of data being released has been found.