The first department to bite the bullet will be the French Inter-Ministerial Directorate of Digital Affairs (DINUM). The agency is the unofficial IT department for the French government, and this is very likely a test of how a migration could happen at a larger scale.

The decision was announced last week at a seminar between several French government ministries, which also pledged to prepare plans for their own migrations and the alternatives they might need.

LA CAO hack: The Los Angeles city attorney’s office has been hacked and sensitive data has been published online. Stolen data included sensitive case details and the personal information of LA police officers. Witness names, medical records, and internal affairs investigation are also part of a trove of 7.7TB published online this week. [KTLA]

Ransomware hits key Dutch hospital provider: A ransomware attack has hit a major software provider for the Dutch healthcare sector. The incident impacted ChipSoft, the maker of an electronic patient record management platform named HiX. According to reports, the platform is used by roughly 70% of all Dutch hospitals but it's unclear if it was affected. The incident didn't impact the platform's availability. [NLTimes]

When it shut down its counter-propaganda office, the US government essentially left the detection of coordinated disinformation campaigns to private companies, at least some of which either don't care or are actively taking extreme positions: X is now a cesspool of disinformation. 

Last week, though, Rubio sent a memo to global US diplomatic posts directing them to launch their own campaigns combatting foreign propaganda. Per The Guardian:

Investment scams were again the top category in terms of losses, with $8.6 billion reported stolen, and almost $6.2 billion of that sum being stolen as cryptocurrency.

Cyber-enabled fraud accounted for 85% of last year's losses, almost $17.7 billion.

The new bill passed unanimously in the National Assembly and Senate and was sent to the country's king to be signed into law. It comes after major international pressure from both China and the US for the local government to crack down on its sprawling cyber scam ecosystem.

The law introduces tiered penalties depending on a suspect's roles in the scam operation, such as if they acted alone or part of a larger cybercrime syndicate.

The new requirements will include higher license fees, larger minimum operational capital, and mandatory deployment of the FSB's SORM traffic interception equipment.

According to reports from Izvestia and RBC, the new proposed rules would give the Russian Ministry of Digital Development, Communications, and Mass Media the power to revoke licenses without a court order for those who fail to comply.

In the last week or so we've seen a stream of reports demonstrating a sudden step-change in the cyber capabilities of Anthropic's models. 

In early February Anthropic announced that it had used its latest model, Opus 4.6, to find and validate more than 500 high-severity vulnerabilities in open source software. These vulnerabilities were in well-tested code and some had been present for decades. The company said Opus 4.6 reasons about code the way a human researcher would. It looks at past bug fixes to find similar issues that weren't addressed, spots risky patterns and understands logic to determine what inputs would break software. Opus 4.6 was "notably better" at finding these vulnerabilities than previous models, even "without task-specific tooling, custom scaffolding, or specialized prompting". 

While password spraying campaigns are a dime a dozen, this one stood out to Check Point researchers because it targeted Israeli and UAE municipalities that were hit by Iranian drone and missile strikes.

The campaign started in early March, just as Iran began mustering its comeback after initial US and Israeli strikes that killed Iranian leader Ali Khamenei and tens of high-ranking government, military,  and intelligence officials in late February.

The feature was silently added to macOS 26.4, released last week.

It works by showing a popup on the screen whenever a user tries to copy-paste commands from a browser into the Terminal window.

The Russian government is working on a law that would require all mobile operators to use a custom domestically-developed encryption algorithm for the country's 5G mobile network.

If the bill passes, all phones sold in Russia going forward will have to support the NEA-7 algorithm or they will not be able to connect to Russian mobile networks.

When specifically asked about buying location data, Patel said the Bureau purchases information, "that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us". 

We have seen US local law enforcement agencies using this kind of data to track people, but this is new for the FBI. In 2023, the Bureau's Director at the time, Christopher Wray, said it had once used commercial location data in a national security pilot program but had no further plans to use it. 

Intellexa CEO Tal Dillian is pissed out of his mind after a Greek court sentenced him, his wife, and two executives to more than 126 years in prison last month on generic charges of "violating the confidentiality of telephone communications."

The sentence is related to a major Greek political scandal known in Greece as Predatorgate, which this newsletter first covered back in December 2024.

What started as an infrequent sighting in early 2024 is now at the center of an increasing number of infosec and malware reports.

The tactic is usually the same. A threat actor would take a legitimate repository, add malware to the files—typically an infostealer or a remote access trojan— and then upload the boobytrapped repo back on GitHub.

The attack was first described by cloud engineer Ian Mckay in 2019. It happens when an attacker abuses the predictable naming conventions in AWS bucket names to register buckets that have expired or have been deleted by their original owners.

If traffic still flows to the old buckets, this allows attackers to collect data from internal networks or public-facing apps, leading to serious security incidents.

Last week the Iranian state-backed group Handala did claim responsibility for a wiper attack on Michigan-based medical device manufacturer Stryker, and said the attack was partly in retaliation for the US bombing of an all-girls school in Iran. In recent days Handala and a range of other pro-Iranian groups have also claimed a series of hacks targeting Israeli or Middle Eastern organisations.

Although the Stryker attack looks like it is causing serious disruption at the target company itself, trouble at just a single organisation won't trouble senior US policymakers. 

Sanctions were imposed on Iranian cyber contractor Emennet Pasargad for its hack of French satirical magazine Charlie Hebdo, the 2024 Paris Olympic Games, and a Swedish SMS service.

This is the same group that also meddled in the 2020 US Presidential Election and was later sanctioned three times by the US as well, in 2021, and September and December 2024.

The Facebook and Instagram accounts were used to recruit youth for drug trafficking and drug dealing, to advertise drugs, and to organize violence and extortion operations.

Meta says it used AI to detect the coded language typically used by cartels and also to identify photos of drugs posted on its platforms. Human reviewers also confirmed the findings before accounts were removed.

The service had been running since 2021 and rented access to more than 369,000 different IP addresses across its lifetime.

According to the FBI, Europol, and Dutch Police, SocksEscort was a front for a malware operation that infected modems and home routers. Lumen's Black Lotus Labs linked it to a botnet it discovered in 2023, named AVRecon.

The strategy, released last Friday, one-ups the Biden era equivalent, at least superficially. Rather than five pillars, this one has six:

The strategy's overall vibe is dominated by that first pillar: "Shape Adversary Behaviour". President Trump's foreword describes using cyber power for "disrupting and disorienting our adversaries". He concludes that "American Power will finally stand up in cyberspace". 

Gen. Rudd was confirmed in a 71-29 vote on Tuesday.

He will replace Army Lt. Gen. William Hartman, who is serving as interim chief for both agencies.

Scam-related crimes, such as business email compromise and investment fraud, have been at the top of the FBI's list of most damaging forms of cybercrime for over half-a-decade.

In 2024 alone, Americans lost $12.5 billion to cyber-enabled fraud schemes, a figure that will likely be surpassed when the 2025 numbers come out in April.

The scans spiked on Monday, when Iran launched missile and drone strikes in response to an Israeli and US military operation that bombed and killed its political leadership over the weekend.

Security firm Check Point says the scans targeted Hikvision and Dahua security cameras and included attempts to exploit old vulnerabilities. Scans targeted Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus, the exact same countries where Iran carried out kinetic strikes.

At a press briefing on Monday, Joint Chiefs of Staff Chairman Gen. Dan Caine said US Cyber Command was involved in "coordinated space and cyber operations [that] effectively disrupted communications and sensor networks… leaving the adversary without the ability to see, coordinate or respond effectively".

The overall goal, he said, was to "disrupt, disorient and confuse the enemy". 

"The first movers were US CyberCom and US SpaceCom, layering non-kinetic effects, disrupting and degrading and blinding Iran's ability to see, communicate, and respond," Joint Chiefs of Staff Chairman Gen. Dan Caine said in a press conference on Monday.

"Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively," he added.

The new method works even if targets use different pseudonyms across multiple platforms. It can link real identities to hidden accounts and online activity, and vice versa.

The LLMs basically work by analyzing past activity and creating user profiles. Once enough data points are available, connections can be made between similar profiles based on shared vocabulary and other clues revealed online, such as locations, hobbies, age, and so on.

Ruslan Satuchin was detained in October of last year and has remained in custody after authorities extended his arrest warrant in December.

According to Russian news outlet RBC, the suspect contacted a Conti member in September of 2022, claiming he could prevent the FSB from investigating them for a bribe.

At issue for the Department of Defense are safeguards intended to prevent accidental or malicious use of AI. The Pentagon argues that AI is no different from any other technology and decisions about how it is used should be left to the military. 

In mid-January, Hegseth spoke about accelerating AI deployment within the War Department and eliminating barriers that prevent deploying the technology to the battlefield. Hegseth railed against "equitable AI, and other DEI and social justice infusions that constrain and confuse our employment of this technology… We will not employ AI models that won't allow you to fight wars."

The criminal probe was revealed in a long piece published on Tuesday by the official newspaper of the Russian government, the Rossiyskaya Gazeta.

Russian officials have accused Durov of choosing a "path of violence and permissiveness" by not cooperating with its law enforcement agencies.

The campaign began at the start of the year, around January 11, according to the AWS security team.

The attacker didn't exploit zero-days or older vulnerabilities. Instead, they targeted FortiGate devices that had their management ports exposed online, used weak passwords, and didn't have MFA enabled.

A new research paper that will be presented next week at the Network and Distributed System Security (NDSS) Symposium looks at a type of server that is part of the RPKI infrastructure known as PP, standing for Publishing Point, and how attacking these servers can prevent routers from validating routing information.

The topic of internet routing and its security protocols is a complex one, so here are the main acronyms and terms that we'll be using and what they mean:

Last week, speaking on the sidelines of the Munich Security Conference, the European Commission's Executive Vice President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, told Politico that "it's not enough that we are just defending ... We also have to have offensive capacity". 

At the same conference, other European officials, including intelligence chiefs expressed similar sentiments. NATO Deputy Secretary General Radmila Shekerinska said that collectively, the alliance's objective should be, "to take action and to be able to strike back" against cyber threats. Shekerinska called out Russia and China as significant threats. 

The firmware images were infected with a new backdoor named Keenadu.

Spotted and analyzed by Kaspersky in a report released on Tuesday, the backdoor is injected in Zygote, the central core process of the Android operating system from where it cannot be removed without a full device flash and reinstall.

The government says it raided 190 locations in January alone, and arrested more than 2,500 suspects.

More than 110,000 foreigners who used to work in the scam compounds, by force or voluntary, have also been freed and left the country already, according to the country's Commission for Combating Online Scams (CCOS).

The unnamed suspect bribed Ukrainian cops to falsify a dead man's documents and issue a death certificate in his name.

This happened in April 2024, a month before Europol and the FBI seized IcedID servers during Operation Endgame—suggesting there was either a leak in the investigation or that the suspect saw law enforcement agencies probing his servers.

Last week, CEO Satya Nadella announced that Microsoft's Executive Vice President of Security Charlie Bell had been replaced by Hayete Gallot, who was most recently President of customer experience at Google Cloud. Bell is stepping back from leading Microsoft's security organisation to become an individual contributor engineer. 

Now that Bell has gone, it appears the guise of "security first" has been tossed aside, and we fear the company may slip back into being a security disaster.

The Cyber Security Agency of Singapore (CSA) attributed the attacks to a group tracked as UNC3886.

The breaches took place last year and the agency spent 11 months with industry groups investigating and evicting the hackers from the compromised networks.

The incident took place at the end of last month, on January 29.

The Warlock ransomware group breached 30 email servers running on the company's office network and inside a data center used for quality control testing.

The recruits will work "to compromise the opponents’ networks and obtain information for the benefit of Denmark’s security," the Forsvarets Efterretningstjeneste (Danish Defence Intelligence Service, or DDIS) said in a press release last week.

The new recruits will go through a five-month training course at the agency's hacker academy.

Residential proxy networks sell the ability to route traffic through home and business IP addresses so attackers can evade IP blocklists. Traffic in these networks is routed through everything from compromised smart devices to home users' computers. Sometimes the home users actually opt in to joining these networks, willingly installing the enabling software to earn "passive income" from their spare bandwidth. Most of the time, however, device owners are unaware. The proxy functionality is pre-loaded on devices or inadvertently installed via malware or trojanised software.

When it comes to IPIDEA, one way it acquired proxies was to pay developers to embed its software into applications via malicious SDKs. These applications would then proxy traffic for IPIDEA in addition to carrying out their main function, typically without the knowledge or consent of end users. 

A threat actor inserted malicious code in five of the organization's repositories but the modifications were spotted before they made it to any official release.

The incident was traced back to a single developer's account.

Administrators said this wasn't the first time the same agent tried to hack or disrupt their systems.

The latest incident took place on Friday when users started receiving SMS alerts warning them to uninstall the app.

The incident took place last week, on January 20, and only lasted for about an hour, according to reports from rival security firms Morphisec and Kaspersky, both of which spotted the malware being delivered to customer systems.

The final payload in the attack was a new backdoor hidden in the Reload.exe file that modified the eScan configuration to disable future updates and established a scheduled task for persistence on the infected host.

These kinds of voluntary, non-binding standards are all well and good, but relatively useless without strong government action.

CyberScoop has a good wrap of issues raised at a Chatham House discussion about the process in Washington DC last weekend. The topics included who the rules would apply to, plus "how to incentivize and measure compliance and what to do with companies with a chequered past". 

Per reports in local media, car owners using Delta's alarm system couldn't unlock cars or stop active alarms. In some cases, owners couldn't start engines or their engines jammed while driving.

The company confirmed the incident but did not provide other details besides calling it a "large-scale external attack."

The new intergroup was set up last week in the aftermath of the Paragon spying scandal in Italy by Sandro Ruotolo, an Italian journalist and current member of the European Parliament for the Group of the Progressive Alliance of Socialists and Democrats.

According to WIRED Italy, Ruotolo will be joined by three other MEPs.

Security firm Arctic Wolf says hackers are bypassing Single Sign-On (SSO) authentication using generic usernames, creating their own admin account for future access, and stealing the device's current configuration file.

Since the attacks were first being reported online, Fortinet has confirmed in private emails to some customers that the attackers have found a new way to exploit CVE-2025-59718.

During the shutdown some Iranians have been using SpaceX's Starlink satellite service to connect with the outside world. According to the New York Times, this didn't happen by chance. It was the result of deliberate planning:

Compared to domestic ISPs that the Iranian government can force to stop internet access, blocking Starlink is much more difficult. So far the government’s measures have included warnings to the public that possessing Starlink systems is a crime, using drones to find and confiscate terminals, and electronic jamming, possibly using Russian-provided equipment. In addition to jamming the frequencies Starlink operates on, GPS spoofers degrade the service, as terminals rely on accurate location information to direct their antennas correctly. The efforts have proven partly effective.

At least two developer accounts have been hijacked using this technique, also known as a domain resurrection attack, namely for Snap packages published using email addresses from storewise.tech and vagueentertainment.com.

According to Linux expert and former Canonical dev Alan Pope, the threat actor behind this campaign is a group he believes are located in Croatia.

The primary intent of the new law is to free up the Bundesnachrichtendienst (BND) from relying on the US National Security Agency (NSA) for threat information and bring its interception capabilities on par with other European countries, such as France, Italy, the Netherlands, and the UK.

According to a draft of the new law obtained by German media, the BND will have the power to intercept full internet communications and not just metadata as it is allowed today.

Powerful DRAM is a crucial component for the manufacturing of modern next-gen firewalls, a staple in the cybersecurity defense of any major enterprise.

Investment advisory firm Wedbush says firewall companies will see thinner margins this year due to the rising DRAM costs. This will impact their bills of materials, with the extra costs being passed down to customers as product price increases. This will likely lead to lower sales, smaller profit margins, and weaker investor yields.

Last week authorities announced that an alleged scam kingpin, Chen Zhi, had been arrested by Cambodian authorities and extradited to China. Chen is the founder of the Prince Group, which is ostensibly a Cambodian corporate conglomerate, but which US authorities allege was a transnational criminal organisation that operated forced-labour scam compounds engaging in various fraud schemes. 

US authorities had taken action against Chen Zhi. Back in October of last year, he was sanctioned and indicted and had a whopping USD$15 billion worth of cryptocurrency seized by the US. But China had the regional clout to actually get him in handcuffs. 

These systems work by injecting random noise in voice audio recordings in order to prevent AI-based cloning technology from copying a user's voice. Voice cloning attacks are still possible, but they produce low quality output that can be easily detected and flagged by both manual reviewers and automated systems.

But three researchers from the University of Texas, in San Antonio, say that these systems are not complex enough and can be easily bypassed if attackers account for the added noise.

The exploit was used against several Apex streamers over the past week.

Hackers emptied their inventory (backpack) and moved their in-game avatar off the map, ending their games.

Jaguar sales slump after cyberattack: Jaguar Land Rover says its sales fell by 43% in Q3 following a ransomware attack that stopped production at its factories last fall for almost a month.

Sedgwick ransomware incident: IT company Sedgwick has confirmed that a ransomware attack has impacted its government contracting subsidiary over the New Year's Eve. The incident was claimed by the TridentLocker ransomware gang. [The Record]

Conde Nast gets hacked: A hacker breached news powerhouse Conde Nast and leaked the data of 2.3 million WIRED subscribers. The newest data points are from September 2024, the date of the presumed breach. Conde Nast has yet to confirm due to the winter holiday break. [DataBreaches.net]

ESA breach: Hackers breached the JIRA and Bitbucket servers of the European Space Agency (ESA). [BleepingComputer]

Piracy group leaks Spotify song database: A piracy and open-source group named Anna's Archive has leaked 256 million Spotify tracks. Spotify said it found and suspended the accounts that scraped its site.

TikTok signs divest deal: Chinese social media network TikTok has signed a deal to divest and sell its US division to a group of Trump allies. More than half the company is now owned by tech company Oracle, private equity firm Silver Lake, and Emirati-backed investment firm MGX. ByteDance and existing shareholders hold the rest. [CNN]

The ResidentBat spyware was spotted this year after a reporter who was interrogated by the Belarusian KGB intelligence service started receiving malware alerts on his device, days after being questioned by authorities.

The spyware can collect call logs, record through the microphone, take screen captures, collect SMS messages and messages from encrypted messaging apps, and exfiltrate local files.

The history and activities of the CyberArmyofRussia_Reborn (CARR) and NoName057(16) (NoName), were described in indictments and sanctions announced by the US Department of Justice and Treasury respectively, and in a joint advisory published by CISA. 

The US says that the CARR was "founded, funded and directed" by Russian military intelligence (the GRU) as an unattributable way of deterring anti-Russia rhetoric. The group was founded in early 2022 shortly after Russia's invasion of Ukraine, started out with DDoS attacks and over time has escalated to attacks on operational technology (OT) systems. 

The study, from the Catholic University in Leuven, Belgium (KU Leuven), looked at browsers that ship with smart TVs, e-readers, gaming consoles, and other modern hardware.

All five e-readers that were tested, and 24 of 35 smart TV models, used embedded browsers that were at least three years behind current versions.

The network has been active for more than six months and was run by Russia-based entities, the company said in its quarterly security report [PDF].

The network ran over 65 accounts and 70 pages that mimicked legitimate news outlets and published content critical of France and the US and promoted Russian geopolitical narratives.

According to a survey by the EU's cybersecurity agency, candidates don't have the necessary skills or the employers don't have the proper training programs.

Cyber experts who leave companies cite excessive workloads, burnout, and the lack of competitive salaries and bonuses.

Support for PCI Express Link Encryption will roll out with the upcoming release of the Linux kernel, version 6.19.

The new feature was developed together by representatives from chipmakers Intel, AMD, and Arm.

Attacks began within hours after the vulnerability, tracked as CVE-2025-55182 and named React2Shell, was disclosed last Wednesday.

The AWS security team has linked the attacks to two groups tracked as Earth Lamia and Jackpot Panda.

The author thinks that more concrete definitions of responsible behaviour would help guide states and prevent dangerous conduct.  

It's a commendable effort, but we don't think the architects of cyber operations really care about norms, and a German think tank writing down its preferred rules on a piece of paper won't make any difference to state behaviour. 

French Football Federation breach: The French Football Federation says hackers gained access to a software panel used by French football clubs to manage their licenses.

West London ransomware attack: A ransomware attack on a shared IT provider has brought down the networks of three city councils in West London—Royal Borough of Kensington and Chelsea, London Borough of Hammersmith and Fulham, and Westminster City Council. [MyLondon]

CrowdStrike's testing compared the security of code produced by DeepSeek with that of other state-of-the-art Large Language Models (LLMs). In the baseline test, the models were given straightforward prompts to produce code to carry out a particular task. 

They were then given the same base prompt with additional information that CrowdStrike described as a "contextual modifier" and/or a "geopolitical trigger".

CrowdStrike fires malicious insider: Security firm CrowdStrike has fired an employee who was feeding information to the Scattered Lapsus$ Hunters hacking group. The company discovered the insider after screenshots of its internal systems were posted on the group's Telegram channel. [BleepingComputer]

SitusAMC hack impacts Wall Street: Hackers have stolen sensitive data from fintech company SitusAMC. Its main customers include banks and real estate loan platforms. [CNN]

In the report, Anthropic detailed its discovery of the campaign that used AI "not just as an advisor, but to execute the cyberattacks themselves". 

Anthropic believes the threat actor was a Chinese state-sponsored group whose goals align with those of the Chinese Ministry of State Security. The group attempted to infiltrate "roughly thirty" typical victims: large tech companies, financial institutions, chemical manufacturing companies and government agencies. It succeeded in a small number of cases. 

Cyberattack disrupts Russian port operator: A cyberattack has crippled the operations of Port Alliance, a Russian company that manages cargo terminals at six Russian ports. The incident lasted days and disrupted Russian coal and fertilizer shipments. [The Record]

NHS impacted by Oracle zero-days: The UK National Health Service (NHS) has joined a long list of companies that were hacked using an Oracle EBS zero-day this summer. [SecurityWeek]

Authorities say the three malware strains infected hundreds of thousands of users and stole millions of credentials. The stolen credentials were later used to deploy ransomware or steal cryptocurrency.

The takedown was part of Operation Endgame, an Europol-led project that began in 2023 and targets criminal infrastructure that is used to enable ransomware attacks.

The report is based on a cache of documents reviewed by Reuters.

In one of those documents, Meta's safety staff estimated that the company's platforms were "involved" in a third of all successful scams in the US. That's a stunning figure. But we do wonder how much of that involvement is simply WhatApp being used to talk to victims. If advertisements weren't the bait that lured victims, it hardly seems fair to blame Meta for running an end-to-end encrypted messaging app. 

The files were uploaded last week on GitHub by an unknown individual and later removed before the repo got any widespread circulation.

According to analyses from Mrxn and NetAskari, who got their hands on the leak, the most recent documents are from 2023. This suggests this was likely when the files were stolen/exfiltrated from the company's network, or at least someone intentionally truncated the leak to keep the most recent files for themselves.

Aleksei Olegovich Volkov went online under the hacker name of chubaka.kor, and worked as an initial access broker (IAB) for the Yanluowang ransomware.

Volkov used various techniques to breach a corporate employee's account, escalate access to the employer's network, and then sold that access to other cyber criminals.

Eighteen suspects were arrested for defrauding users of more than €300 million since 2016.

According to Europol and Eurojust, the group stole credit card data, created accounts on online websites with the stolen information, and subscribed users to premium services.

Sources told CNN that during Trump's first term a CIA operation to disable the computer network of Maduro's intelligence service was perfectly successful. A separate Cyber Command operation interrupted the satellite communications of Wagner Group mercenaries who were sent to Venezuela to protect Maduro.   

This adds to previous reporting from Wired late last year that revealed the CIA had temporarily disrupted the Venezuelan military's payroll system in the same campaign. 

According to court documents, charges have been levied against Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity company Sygnia.

The two worked with a third suspect to hack into US companies, steal their data, encrypt computers, and then ask for huge ransoms in the realm of millions of US dollars.

According to a report from local newspaper Aftenposten, the agency, Ruter, tested and took two electric bus models inside a Faraday cage room.

Ruter found that electric buses from Chinese company Yutong could be remotely disabled via remote control capabilities found in the bus software, diagnostics module, and battery and power control systems.

The suspects were arrested this week in the Moscow metropolitan area, according to Russia's Interior Ministry. A video from the raids is available on the Ministry's media portal.

The Ministry's spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region.

The broker claims to buy exploits from developers and resell them to non-NATO buyers, including the Russian government.

Williams, an Australian national, was previously employed by Australia's signals intelligence agency ASD, from around 2007 to the mid-2010s. He later joined Linchpin Labs, which was acquired alongside Azimuth Security to form what eventually became L3Harris Trenchant, the vulnerability and exploit development subsidiary of L3Harris. By the time of his arrest, Williams had become the general manager there.

Memento Labs has targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations.

The company operates a spyware platform named Dante, through which it deploys infrastructure, exploits, and its final payload—the LeetAgent implant/agent.

The bill is currently being discussed among lawmakers, and no official draft is available. It is part of Russia's efforts to regulate its white-hat ecosystem, a process officials began back in 2022.

All previous efforts failed, with the most recent one being knocked down in the Duma in July on the grounds that it did not take into account the special circumstances and needs of reporting bugs in government and critical infrastructure networks.

According to iPhone forensics and investigations firm iVerify, Apple is now rewriting the shutdown.log file after every device reboot, instead of appending new data at the end.

This is removing older log entries that contain indicators of compromise with spyware families such as NSO's Pegasus and Intellexa's Predator.

The authors convened 30 experts from government, industry and academia to analyse the current state of play in "offensive cyber" and make recommendations. "Offensive cyber" was defined very broadly as pretty much anything including tool development, acquiring access, espionage and even disruptive or destructive operations. 

The report assumes that US policymakers want both a higher operational tempo of cyber operations and to more effectively take advantage of the country's private sector.  

It is the second such threat after the Shai-Hulud worm that hit the npm JavaScript package repo in mid-September.

GlassWorm was spotted by Koi Security. It was first seen on the unofficial OpenVSX marketplace for VS Code extensions, but later spread to the official Microsoft VS Code store as well.

The incident took place in August and continued through October.

From various reports in Romanian media and a statement released by the national penitentiary police union, the incident appears to have originated in the city of Dej, in Romania's Transilvania region, at a prison hospital complex, where prisoners are sent to treat illnesses and then return to finish their sentence at their normal jails.

Details about the breach have been in flux since it was disclosed, so we put together a list with all we know happened so far.

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat and Adam at the helm!

A collaborative media investigation kicked off by Lighthouse Reports looked at First Wap, a company that began as a mobile phone messaging service in 1999. The company soon pivoted to phone tracking after being asked by an unnamed law enforcement agency to support its counterterrorism efforts. 

First Wap's surveillance product Altamides, short for Advanced Location Tracking and Deception System, exploits vulnerabilities in Signalling System 7 (SS7) to locate phones and even redirect text messages or phone calls. Because it exploits vulnerabilities in phone network protocols, Altamides does not require the deployment of malware to target devices. 

The OS won't receive any new security updates unless users or companies enroll in the Extended Security Updates (ESU) program.

Because Windows 10 is still installed on around 40% of all Windows systems, Microsoft has made this ESU the first one available to home consumers—ESUs were initially introduced to provide extended paid support for larger enterprises.

The attacks have been going on since at least August, according to the Microsoft Edge security team.

The Internet Explorer legacy mode, or IE Mode, is a separate website execution environment in Edge. It works by reloading a web page but running its code inside the old Internet Explorer engines.

The project was supposed to be put to a vote on Tuesday, October 14, during a meeting of interior ministers of EU member states.

Denmark, which currently holds the EU presidency and was backing the legislation, scrapped the vote, according to reports on Austrian and German media.

Stealing data to extort companies is not good, but it is a hell of a lot better than systems getting locked up with encrypting ransomware, leading to weeks of factory shutdowns. Right now, from a government perspective, it would be a win if every campaign looked like Clop's.  

The group has been active since 2019, making it one of the longer-lasting ransomware gangs. It initially deployed standard encrypting ransomware, but in 2020 it was one of the first groups to experiment with 'double extortion'. 

The vulnerability is as bad as it gets and impacts all Redis versions released over the past 13 years.

The vulnerability is tracked as CVE-2025-49844, but the Google Wiz team that discovered it calls it RediShell.

The vulnerability was discovered by RyotaK, a researcher for GMA Flatt Security, who has quite a few of these high-impact bugs to his name.

The bug is tracked as CVE-2025-59489, and it allows malicious apps on the same device to add command-line arguments to Unity-based games that load malicious code together with a game.

Five other individuals received suspended death sentences for two years, 11 others received life sentences, and 12 more got prison terms ranging from five to 24 years.

The suspects were members of the infamous Ming crime family. They were arrested in November of 2023, when the Chinese government first started seriously cracking down on scam compounds targeting its citizens.

Foreign intelligence services are experimenting with new ways of using domestic proxies to facilitate overseas operations. 

In the Netherlands, two teenagers have been arrested after reportedly being recruited by pro-Russian hackers on Telegram to assist with cyber espionage operations. Dutch authorities allege that the pair were tasked with Wi-Fi collection along a route in The Hague that went past Europol, Eurojust and the Canadian embassy.  

According to French security firm Sekoia, the campaign has been silently going on without detection since at least February 2022.

The attackers are targeting a feature of Milesight routers that lets admins configure to receive SMS alerts. Such a feature is common in industrial routers that connect remote equipment to a larger network via a cellular modem, with admins receiving alerts when the equipment connection goes offline and may not be in a state where it can be managed.

The underwrite was approved on Sunday after a visit from UK Business Secretary Peter Kyle to the headquarters of JLR and its main supply chain firm Webasto this week.

JLR fell victim to a ransomware attack—supposedly from the HellCat group—on August 31. Production lines at all JLE factories have been shut down ever since, and are expected to last into October.

These are security updates that Microsoft will provide to users after the Windows 10 operating system reaches end-of-life on October 14, less than three weeks away.

Normally, ESUs are available to enterprise customers, but last year, Microsoft took the novel step of providing the first-ever ESUs to home consumers. For $30, half the sum a company would pay, Windows 10 home users could have received security updates for an extra year.

Over the last decade, cybercrime's reach has broadened, it's become more lucrative and more violent. Governments need to attack and disrupt this funnel at all levels, instead of solely focussing on prosecuting these kids after the damage is done.

Bloomberg has described the path that turned one key individual associated with Scattered Spider from a self-described "weird kid" into an inmate, having been sentenced to ten years in prison. Noah Urban, now 20 years old, stole more than USD$13 million in cryptocurrency after becoming involved in SIM swapping when he was 15. 

Officials seized 300 SIM servers running more than 100,000 SIM cards.

Officials began investigating the SIM farms after they were used earlier this year to make anonymous threats against senior US officials. According to the NYT, two White House and one Secret Service official were on the receiving end of some of those threats.