Newsletters

A new vulnerability in the HTTP/2 protocol can allow threat actors to launch nearly unlimited DDoS attacks to exhaust memory and crash servers.

The new attack is named MadeYouReset, was discovered by researchers at Deepness Lab, and is a variation of a previous attack known as HTTP/2 Rapid Reset.

The Rapid Reset attack was discovered in October 2023 after it was used to launch some of the largest DDoS attacks seen that year (Google, Amazon, and Cloudflare).

One by one, US federal government agencies are learning that the sensitive but unclassified information they hold is susceptible to theft by hackers. Unfortunately, education-by-breach is very costly.

Last week, Politico reported the electronic case filing system used by the federal judiciary had been breached in a "sweeping cyber intrusion". Hackers breached the Case Management/Electronic Case Files (CM/ECF) system that legal professionals use to upload and manage case documents. They also breached PACER, the system that gives the public limited access to some of the same data. 

The hack sounds just about as bad as can be, with officials concerned that Latin American drug cartels have obtained sensitive court data. Per Politico's follow-up reporting:

Crypto-thieves have found a new package repository to terrorize, and it's Open VSX, an independent database of Visual Studio Code extensions managed by the Eclipse Foundation.

While the VS Code editor has its official marketplace, Microsoft changed its licensing terms this year to block third-party code editors based on the original VS Code from using its marketplace to pull their extensions.

The change in policy, understandably, came after several AI-powered IDEs started cutting into VS Code's market share, all while Microsoft was paying to run and keep the VS Code marketplace online.

Google has awarded a massive $250,000 reward to a bug bounty hunter for discovering a novel sandbox escape in the company's Chrome web browser.

The bug was reported in April and patched a month later, in May, with fixes also going out to the other Chromium browsers, such as Edge, Opera, Vivaldi, Brave, and others.

Tracked as CVE-2025-4609, the vulnerability resides in the ipcz library of Mojo, a Chrome component for managing how the browser's internal processes talk to each other.

CISA has released a rare emergency directive ordering federal agencies to patch a new attack vector in Microsoft Exchange email servers.

Federal agencies have four days, until August 11, to address the issue and apply mitigations shared by Microsoft on Wednesday.

The guidance addresses a vulnerability (actually more of a design flaw) in hybrid environments, where Exchange on-premise servers sync data to an Exchange Online instance.

The Russian government is planning to designate enterprise resource planning (ERP) software as "critical information infrastructure" and require all Russian businesses to migrate to a domestic solution.

The move comes after Russia updated its critical infrastructure law in April this year. The government ordered the operators of all critical infrastructure to migrate to Russian software by September this year.

The government also gave itself the power to designate new items as "critical information infrastructure." This is software large enough to cause nationwide disruptions in the case of a cyberattack, and ERP systems appear to be the first item classified in this new category.

The Chinese government accused the US last week of trying to sneak backdoors into NVIDIA chips and of using Microsoft zero-days to hack and steal its military secrets.

Both accusations came via the Cyberspace Administration of China (CAC), the country's cybersecurity agency and internet regulator.

On Thursday, the CAC summoned American chipmaker NVIDIA to provide details of an alleged backdoor mechanism that could be embedded on chips sold in China.

Russian intelligence services are hacking and spying on foreign embassies and their staff by tampering with their internet connections.

Russian espionage units are using the SORM traffic interception system installed at local ISPs to alter traffic and deliver malware payloads to embassy staff.

According to Microsoft, the campaign has been ongoing since at least last year. The company attributed the attacks to a group it tracks as Secret Blizzard, but more widely known as Turla.

The exploitation of Microsoft SharePoint vulnerabilities by Chinese hackers is a near-exact re-run of the 2021 Microsoft Exchange server mass compromise event. 

The 2021 incident elicited a strong international diplomatic response, but this SharePoint saga makes it clear these efforts failed to deter China from embarking on a similarly damaging campaign again, four years later. A different, bigger picture, approach is needed. 

In both cases:

The FBI has seized around $2.4 million worth of Bitcoin from the relatively new Chaos ransomware group.

According to the US Justice Department, the funds were seized back in April, but only now announced. The funds were taken from a crypto-wallet owned by a Chaos member going by the name of Hors.

This seizure is interesting for one very particular reason—namely, that the Chaos ransomware is a new group. We have rarely seen the FBI crack down and go after a group within months of its launch.