<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/11/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Jaguar Land Rover cyberattack cost the company over $220 million</title><link>https://nsaneforums.com/news/security-privacy-news/jaguar-land-rover-cyberattack-cost-the-company-over-220-million-r32470/</link><description><![CDATA[<p>
	Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter.
</p>

<p>
	 
</p>

<p>
	The cyberattack was <a href="https://www.bleepingcomputer.com/news/security/jaguar-land-rover-says-cyberattack-severely-disrupted-production/" rel="external nofollow" target="_blank">announced on September 2, 2025</a>, forcing the British carmaker to shut down production at major plants and send its staff home. A follow-up statement confirmed that <a href="https://www.bleepingcomputer.com/news/security/jaguar-land-rover-jlr-confirms-data-theft-after-recent-cyberattack/" rel="external nofollow" target="_blank">data had been stolen</a> during the cyberattack, which was claimed on Telegram by the cybercrime group Scattered Lapsus$ Hunters.
</p>

<p>
	 
</p>

<p>
	The disruption <a href="https://www.bleepingcomputer.com/news/security/jaguar-land-rover-extends-shutdown-after-cyberattack-by-another-week/" rel="external nofollow" target="_blank">continued for weeks</a>, stressing the company's financial and market position and raising risks for it and some of its suppliers, who faced severe liquidity issues.
</p>

<p>
	 
</p>

<p>
	On September 29, 2025, the <a href="https://www.bleepingcomputer.com/news/security/uk-govt-backs-jlr-with-15-billion-loan-guarantee-after-cyberattack/" rel="external nofollow" target="_blank">UK Government intervened</a> to pull JLR out of its dire position, approving a £1.5 billion loan guarantee to help restore its supply chain and quickly restart production.
</p>

<p>
	 
</p>

<p>
	Production restarted by October 8, 2025, following a phased approach.
</p>

<p>
	 
</p>

<p>
	Based on the financial results JLR has now published, the cyberattack, which halted production and disrupted sales, also created a significant dent in its profits.
</p>

<p>
	 
</p>

<p>
	"Loss before tax and exceptional items was £(485)m for Q2 and £(134)m for H1, down from a profit of £398m and £1.1bn respectively a year ago," <a href="https://media.jaguarlandrover.com/news/2025/11/jlr-performance-impacted-challenging-quarter" rel="external nofollow" target="_blank">stated the company</a>.
</p>

<p>
	 
</p>

<p>
	"EBIT margin was (8.6)% for the second quarter, down from 5.1% a year ago, and (1.4)% for H1, down from 7.1% in H1 last year."
</p>

<p>
	 
</p>

<p>
	"This decrease in profitability is largely due to the cyber incident, the continuing impact of US tariffs, reduced volumes as referenced above and increased VME."
</p>

<p>
	 
</p>

<p>
	In its Monetary Policy Report published earlier this week, <a href="https://www.bankofengland.co.uk/monetary-policy-report/2025/november-2025" rel="external nofollow" target="_blank">the Bank of England</a> declared that the country's GDP was weaker than expected in Q3 2025, mentioning the cyberattack at Jaguar Land Rover as one of the key reasons.
</p>

<p>
	 
</p>

<p>
	Despite all that, JLR states that its operations have now stabilized, with wholesale, parts logistics, and supplier financing now fully restored.
</p>

<p>
	 
</p>

<p>
	The company also highlighted that investment spending has not been cut despite the disruptions, and it is expected to remain at £18 billion over the five years from FY24.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/jaguar-land-rover-cyberattack-cost-the-company-over-220-million/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Sunday 16 November 2025 at 4:49 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32470</guid><pubDate>Sat, 15 Nov 2025 18:50:27 +0000</pubDate></item><item><title>Google is rolling out conversational shopping&#x2014;and ads&#x2014;in AI Mode search</title><link>https://nsaneforums.com/news/security-privacy-news/google-is-rolling-out-conversational-shopping%E2%80%94and-ads%E2%80%94in-ai-mode-search-r32443/</link><description><![CDATA[<h3>
	Conversational shopping is Google’s first big swing at monetizing AI Mode search.
</h3>

<p>
	In recent months, Google has promised to inject generative AI into the online shopping experience, and now it’s following through. The previously announced shopping features of <a href="https://arstechnica.com/google/2025/03/google-is-expanding-ai-overviews-and-testing-ai-only-search-results/" rel="external nofollow">AI Mode search</a> are rolling out, and Gemini will also worm its way into Google’s forgotten Duplex automated phone call tech. It’s all coming in time for the holidays to allegedly make your gifting more convenient and also conveniently ensure that Google gets a piece of the action.
</p>

<p>
	 
</p>

<p>
	At Google I/O in May, the company <a href="https://blog.google/products/shopping/google-shopping-ai-mode-virtual-try-on-update/" rel="external nofollow">announced</a> its intention to bring conversational shopping to AI Mode. According to Google, its enormous “Shopping Graph” of retailer data means its AI is uniquely positioned to deliver useful suggestions. In the coming weeks, users in the US will be able to ask AI Mode complex questions about what to buy, and it will deliver suggestions, guides, tables, and other generated content to help you decide. And since this is gen AI, it comes with the usual disclaimers about possible mistakes.
</p>

<p>
	 
</p>

<div class="videostyle">
	<p>
		 
	</p>

	<video controls="" data-controller="core.global.core.embeddedvideo" preload="none" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/AI-Mode-in-Search-Product-Visuals.mp4">
		<p style="text-align: center;">
			 
		</p>
		<source type="video/mp4" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/AI-Mode-in-Search-Product-Visuals.mp4">
	</source></video>

	<p>
		 
	</p>
</div>

<p style="text-align: center;">
	<em>AI Mode shopping features. </em>
</p>

<p>
	 
</p>

<p>
	You’re probably wondering where you’ll see sponsored shopping content in these experiences. Google says some of the content that appears in AI Mode will be ads, just like if you look up shopping results in a traditional search. Shopping features are also coming to the Gemini app, but Google says it won’t have sponsored content in the results for the time being.
</p>

<p>
	 
</p>

<p>
	Google is also releasing a feature called “agentic checkout,” a term used only in passing when the company announced the feature alongside AI Mode shopping at I/O. Google is really leaning into the agentic angle now, though. The gist is you can set a price threshold for a product in search, and Google will let you know if the item reaches that price. That part isn’t new, but there’s now an AI twist. After getting the alert, you can authorize an automatic purchase with Google Pay. However, it’s currently only supported at a handful of retailers like Chewy, Wayfair, and some Shopify merchants. It’s not clear whether this qualifies as agentic anything, but it might save you some money regardless.
</p>

<figure class="ars-wp-img-shortcode id-2127215 align-fullwidth">
	<div>
		<a href="https://cdn.arstechnica.net/wp-content/uploads/2025/11/Agentic-Checkout.jpg" rel="external nofollow"><img alt="Agentic-Checkout-1024x577.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/Agentic-Checkout-1024x577.jpg"> </a>
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<a href="https://cdn.arstechnica.net/wp-content/uploads/2025/11/Agentic-Checkout.jpg" rel="external nofollow"><em><span class="caption-credit mt-2 text-xs"><em>Credit: Google </em></span> </em></a>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	AI Mode shopping and agentic checkout are beginning their rollout now, and Google says they will be available widely in time for the holiday shopping season.
</p>

<h2>
	Somehow, Duplex returned
</h2>

<p>
	Before the current AI craze, Google was <a href="https://arstechnica.com/gadgets/2018/05/google-duplex-will-call-salons-restaurants-and-pretend-to-be-human-for-you/" rel="external nofollow">fond of demoing Duplex</a>, an Assistant-based AI designed to carry out real-world tasks on the phone. Google thought people would be willing to trust the AI to check business hours and make appointments, but it never gained much traction. The Duplex prompts slowly disappeared from Assistant over the years.
</p>

<p>
	 
</p>

<p>
	Now, Duplex is back with what Google calls a “big Gemini model upgrade.” It won’t be making appointments for you, but Google does still plan to use the updated Duplex to allow you to call businesses. This time, Duplex is aimed at saving you from calling stores to check on stock availability. Instead, you can tell the robot what you want, and it will check for you.
</p>

<p>
	 
</p>

<div class="videostyle">
	<video controls="" data-controller="core.global.core.embeddedvideo" preload="none" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/Agentic-Calling-Demo.mp4">
		<source type="video/mp4" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/Agentic-Calling-Demo.mp4">
	</source></video>
</div>

<p style="text-align: center;">
	<em>Duplex is back, baby.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://blog.google/products/shopping/agentic-checkout-holiday-ai-shopping" rel="external nofollow">Google says</a> when you search for certain products near you, you’ll see an option to “Let Google Call.” You’ll have to indicate what specific product you want, and the robot will begin calling around. The robot will identify itself as such when it places calls, which will only happen during business hours and after a reasonable cooldown. If businesses get too annoyed, they’re liable to opt out of Duplex calls, which is still an option.
</p>

<p>
	 
</p>

<p>
	Eventually, you’ll get an email or text message with AI summaries of the calls that could help you decide where to go. These messages may also include local inventory data from other nearby stores based on Google’s Shopping Graph. That sounds like it could mean more sponsored links, but it’s unclear. This feature is beginning its rollout today in categories like toys, cosmetics, and electronics. Unsurprisingly, this one is also US-only.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/google/2025/11/google-rolling-out-conversational-shopping-and-ads-in-ai-mode-search/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 14 November 2025 at 3:57 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32443</guid><pubDate>Thu, 13 Nov 2025 18:00:59 +0000</pubDate></item><item><title><![CDATA[Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm]]></title><link>https://nsaneforums.com/news/security-privacy-news/malware-threats-tens-of-thousands-of-malicious-npm-packages-distribute-self-replicating-worm-r32439/</link><description><![CDATA[<p>
	A threat actor has published tens of thousands of malicious NPM packages that contain a self-replicating worm, security researchers warn.
</p>

<p>
	 
</p>

<p>
	Unlike recent supply chain attacks on NPM, the code used in this campaign does not steal credentials or data, but abuses the ecosystem for spam.
</p>

<p>
	 
</p>

<p>
	SourceCodeRed, which calls the malware ‘the IndonesianFoods worm’, has identified over 43,900 malicious NPM packages associated with 11 accounts, all named using a scheme involving Indonesian names and foods.
</p>

<p>
	 
</p>

<p>
	The malicious code was designed to generate random names, modify the package.json files to make the packages public and add random version numbers, and publish the packages to the NPM registry.
</p>

<p>
	 
</p>

<p>
	According to SourceCodeRed, the code repeats the same steps in an infinite loop, publishing a new package every 7 seconds, constantly spamming the NPM registry.
</p>

<p>
	 
</p>

<p>
	“This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages. The malware disguises itself as a legitimate Next.js application to avoid detection,” SourceCodeRed notes.
</p>

<p>
	 
</p>

<p>
	The activity was also observed by JFrog, which identified over 80,000 self-replicating packages named using a similar random name generation scheme. In addition to the custom wordlist that includes names and foods, the dictionary also uses adjectives, colors, and animal names.
</p>

<p>
	 
</p>

<p>
	According to JFrog, which named the campaign Big Red, the malware reuses a victim user’s stored NPM credentials to publish newly generated packages to the registry at a fast pace.
</p>

<p>
	 
</p>

<p>
	“The result is a tight, fully automated loop that can flood the npm ecosystem with large numbers of superficially legitimate packages, all derived from the same code template and differentiated only by randomized metadata,” JFrog notes.
</p>

<p>
	 
</p>

<p>
	The 80,000 malicious packages were published across 18 user accounts and contain only the self-replicating publishing logic.
</p>

<p>
	 
</p>

<p>
	The exact purpose of the campaign remains unclear, but JFrog hypothesizes that it could be “a dry run for a future campaign where the same infrastructure and naming scheme could be reused to deliver real malicious payloads for the campaigns with self-replicated code”. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.securityweek.com/tens-of-thousands-of-malicious-npm-packages-distribute-self-replicating-worm/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32439</guid><pubDate>Thu, 13 Nov 2025 13:46:23 +0000</pubDate></item><item><title>Microsoft Reveals Critical Windows Remote Desktop Flaw</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-reveals-critical-windows-remote-desktop-flaw-r32438/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>An "authorized attacker" could exploit this weakness to gain elevated privileges, potentially reaching SYSTEM-level access. </strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft has disclosed a dangerous security vulnerability that is already keeping IT teams on high alert.
</p>

<p>
	 
</p>

<p>
	The flaw, tracked as CVE-2025-60703, stems from a fundamental coding error where the system fails to properly validate memory pointers before using them.
</p>

<p>
	 
</p>

<p>
	CVE-2025-60703 impacts multiple Windows releases, including Windows 10, 11, and various Server editions with RDS components enabled. Office desktops and critical servers, the backbone of many businesses, are all at risk of privilege escalation right now.
</p>

<p>
	 
</p>

<p>
	An “authorized attacker” could exploit this weakness to gain elevated privileges, potentially reaching SYSTEM-level access, essentially complete control of the machine. Imagine a standard user jumping the fence and running arbitrary code with admin rights.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Technical details</strong></span>
</p>

<p>
	 
</p>

<p>
	Under the hood, the flaw is straightforward and severe. CVE-2025-60703 falls under CWE-822: Untrusted Pointer Dereference, where the software fails to validate a pointer before dereferencing it. The system trusts memory addresses without checking them, creating a clean path for attackers to steer execution.
</p>

<p>
	 
</p>

<p>
	The timing makes it worse. This disclosure comes amid a surge in Windows-targeted threats, including recent zero-day vulnerabilities in other Microsoft products. Attackers are already dialed in on Windows infrastructure, so rapid patching is not optional; it is urgent.
</p>

<p>
	 
</p>

<p>
	Remote Desktop Services have become a favorite hunting ground. Three weeks ago, CVE-2025-59230, another Remote Access Connection Manager vulnerability, was added to CISA’s Known Exploited Vulnerabilities Catalog. Two months back, researchers disclosed CVE-2025-53798 affecting Windows Routing and Remote Access Service with information disclosure capabilities.
</p>

<p>
	 
</p>

<p>
	Earlier this year, CVE-2025-50171 received a critical CVSS score of 9.1, and CVE-2025-21297 in Remote Desktop Gateway was actively exploited in the wild.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Urgent patching</strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft has started shipping fixes. Updates are being distributed via Windows Update, with organizations relying on RDS for virtual desktop infrastructure urged to prioritize deployment. The affected range is huge, from legacy Windows Server 2008 versions still under Extended Security Updates through current Windows 11 versions.
</p>

<p>
	 
</p>

<p>
	While patches land, security teams are tightening defenses, with recommended measures including enforcing least-privilege principles, monitoring for unusual privilege escalations, and segmenting networks to limit lateral movement.
</p>

<p>
	 
</p>

<p>
	This fits a broader pattern. Over the past 10 months, Microsoft has been tackling a wave of remote desktop flaws, from the high-severity CVE-2025-48817 disclosed four months ago to the heap overflow in CVE-2025-29966 reported 10 months ago. 
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Immediate action required</strong></span>
</p>

<p>
	 
</p>

<p>
	Patch management and risk assessment need to kick in now. Security teams are advised to review Microsoft’s full advisory and test patches in staging environments to avoid disruptions. But it is not just about clicking Update.
</p>

<p>
	 
</p>

<p>
	Inventory every Remote Desktop Services deployment, then watch for suspicious privilege escalations. While CVE-2025-60703 serves as a reminder of enduring challenges in securing remote access protocols, it also underscores the need for a broader, layered security strategy.
</p>

<p>
	 
</p>

<p>
	Although Microsoft reports no public disclosure or evidence of active exploitation yet, history shows that a low exploitability assessment can flip overnight once details are public. In the past six months, more than one RDS flaw started life with a low-risk label before researchers proved reliable exploitation.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techrepublic.com/article/news-windows-remote-desktop-flaw/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32438</guid><pubDate>Thu, 13 Nov 2025 13:37:20 +0000</pubDate></item><item><title>ClickFix may be the biggest security threat your family has never heard of</title><link>https://nsaneforums.com/news/security-privacy-news/clickfix-may-be-the-biggest-security-threat-your-family-has-never-heard-of-r32400/</link><description><![CDATA[<h3>
	Relatively new technique can bypass many endpoint protections.
</h3>

<p>
	Over the past year, scammers have ramped up a new way to infect the computers of unsuspecting people. The increasingly common method, which many potential targets have yet to learn of, is quick, bypasses most endpoint protections, and works against both macOS and Windows users.
</p>

<p>
	 
</p>

<p>
	ClickFix often starts with an email sent from a hotel with which the target has a pending registration, and the email references the correct registration information. In other cases, ClickFix attacks begin with a WhatsApp message. In still other cases, the user receives the URL at the top of Google results for a search query. Once the mark accesses the malicious site referenced, it presents a CAPTCHA challenge or other pretext requiring user confirmation. The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.
</p>

<h2>
	One line is all it takes
</h2>

<p>
	Once entered, the string of text causes the PC or Mac to surreptitiously visit a scammer-controlled server and download malware. Then, the machine automatically installs it—all with no indication to the target. With that, users are infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. The lack of awareness of the technique, combined with links that arrive from known addresses or appear in search results, and the ability to bypass some endpoint protections are all factors driving the growth.
</p>

<p>
	 
</p>

<p>
	“This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors,” researchers from CrowdStrike wrote in a <a href="https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" rel="external nofollow">report</a> documenting a particularly polished campaign designed to infect Macs with a Mach-O executable, a common binary that runs on macOS. “Promoting false malicious websites encourages more site traffic, which will lead to more potential victims. The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim’s machine while bypassing Gatekeeper checks.”
</p>

<p>
	 
</p>

<p>
	The primary piece of malware installed in that campaign is a credential-stealer tracked as Shamos. Other payloads included a malicious cryptocurrency wallet, software for making the Mac part of a botnet, and macOS configuration changes to allow the malware to run each time the machine reboots.
</p>

<p>
	 
</p>

<p>
	Another campaign, <a href="https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" rel="external nofollow">documented</a> by Sekoia, targeted Windows users. The attackers behind it first compromise a hotel’s account for Booking.com or another online travel service. Using the information stored in the compromised accounts, the attackers contact people with pending reservations, an ability that builds immediate trust with many targets, who are eager to comply with instructions, lest their stay be canceled.
</p>

<p>
	 
</p>

<p>
	The site eventually presents a fake CAPTCHA notification that bears an almost identical look and feel to those required by content delivery network Cloudflare. The proof the notification requires for confirmation that there’s a human behind the keyboard is to copy a string of text and paste it into the Windows terminal. With that, the machine is infected with malware tracked as PureRAT.
</p>

<p>
	 
</p>

<p>
	Push Security, meanwhile, <a href="https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/" rel="external nofollow">reported</a> a ClickFix campaign with a page “adapting to the device that you’re visiting from.” Depending on the OS, the page will deliver payloads for <a href="https://mhaggis.github.io/ClickGrab/techniques.html" rel="external nofollow">Windows or macOS</a>. Many of these payloads, Microsoft <a href="https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/" rel="external nofollow">said</a>, are LOLbins, the name for legitimate system binaries abused in a technique known as living off the land. These commands rely solely on native capabilities built into the operating system; with no malicious files being written to disk, endpoint protection is further hamstrung.
</p>

<p>
	 
</p>

<p>
	The commands, which are often Base64-encoded to make them unreadable to humans, are typically copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment designed to protect devices from malware or harmful scripts. Many security tools are unable to observe these actions and flag them as potentially malicious.
</p>

<p>
	 
</p>

<p>
	The attacks can also be effective given the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messengers. In many users’ minds, the precaution doesn’t extend to sites that instruct them to copy a piece of text and paste it into an unfamiliar window. When the instructions come in emails from a known hotel or at the top of Google results, targets can be further caught off guard.
</p>

<p>
	 
</p>

<p>
	With many families gathering in the coming weeks for various holiday dinners, ClickFix scams are worth mentioning to those family members who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but they can, in some cases, be bypassed. That means that, for now, awareness is the best countermeasure.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/11/clickfix-may-be-the-biggest-security-threat-your-family-has-never-heard-of/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 12 November 2025 at 12:58 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32400</guid><pubDate>Tue, 11 Nov 2025 14:58:44 +0000</pubDate></item><item><title>Mozilla Firefox gets new anti-fingerprinting defenses</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-firefox-gets-new-anti-fingerprinting-defenses-r32390/</link><description><![CDATA[<p>
	Mozilla announced a major privacy upgrade in Firefox 145 that further reduces the number of users vulnerable to digital fingerprinting.
</p>

<p>
	 
</p>

<p>
	The new protections will initially be available only in Private Browsing Mode and Enhanced Tracking Protection (ETP) Strict mode. After testing and optimization, they will be enabled by default in the Firefox web browser.
</p>

<p>
	 
</p>

<p>
	Fingerprinting is a tracking technique that lets sites follow users' browsing activity and identify them across websites and browser sessions, even when cookies are blocked or private browsing is active.
</p>

<p>
	 
</p>

<p>
	Subtle identifiers, like timezone, hardware and browser details, can be used to create a unique digital signature to identify users on the internet.
</p>

<p>
	 
</p>

<p>
	This type of data can be your browser's version, operating system, screen resolution and color depth, system language, installed fonts, time zone, GPU rendering behavior, CPU cores, touchscreen capabilities, and device memory.
</p>

<p>
	 
</p>

<p>
	Firefox’s existing anti-fingerprinting system, part of the browser’s ‘Enhanced Tracking Protection’ mechanism, blocks many known tracking and fingerprinting scripts, most of which are pervasive and serve no purpose in improving the user’s experience.
</p>

<p>
	 
</p>

<p>
	“Since 2021, Firefox has been incrementally advancing fingerprinting protections, covering the most pervasive fingerprinting techniques,” <a href="https://blog.mozilla.org/en/firefox/fingerprinting-protections/" rel="external nofollow" target="_blank">explains Mozilla</a>.
</p>

<p>
	 
</p>

<p>
	“These include things like how your graphics card draws images, which fonts your computer has, and even tiny differences in how it performs math.”
</p>

<p>
	 
</p>

<p>
	These anti-fingerprinting blocks, which Mozilla marks as ‘Phase 1 Protections’, reduced trackability to roughly 35%, compared to a baseline of 65% with no protections at all.
</p>

<p>
	 
</p>

<p>
	Now, ‘Phase 2’ protections are being rolled out, which block requests that discover installed fonts, hardware details, the number of processor cores, multi-touch support, and dock/taskbar dimensions.
</p>

<p>
	 
</p>

<p>
	Specifically, the new protections constitute the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		Random noise is added to background images only when a site reads them back, not when they are just displayed.
	</li>
	<li>
		Only standard OS fonts are used; local fonts are blocked, except for key language fonts like Japanese, Thai, Arabic, Chinese, Korean, and Hebrew.
	</li>
	<li>
		Touch support is reported as 0, 1, or 5.
	</li>
	<li>
		The available screen resolution is the screen height minus 48 pixels.
	</li>
	<li>
		Processor cores are always reported as 2.
	</li>
</ul>

<p>
	 
</p>

<p>
	As a result of these additional measures, only 20% of users can still be uniquely fingerprinted and persistently tracked.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Percentage of user trackability in each case" class="ipsImage" height="464" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/November/perc.png">
		<figcaption>
			<em>Percentage of user trackability in each case<br>
			Source: Mozilla</em>
		</figcaption>
	</figure>
</div>

<p>
	Mozilla explained that it cannot aggressively block everything to reduce trackability further, as this would eventually lead to usability issues that break legitimate website features.
</p>

<p>
	 
</p>

<p>
	Various productivity tools rely on real-time and location data to provide their intended functionality, so some channel for exchanging such data has to be maintained, even as it shrinks.
</p>

<p>
	 
</p>

<p>
	Those who are facing usability problems with the new layers of protection are given the option to <a href="https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting#w_how-do-i-disable-this-protection-for-a-website" rel="external nofollow" target="_blank">disable them on specific sites</a>.
</p>

<p>
	 
</p>

<p>
	Firefox 145 will be officially released tomorrow, but users can already download an installer for their OS from <a href="https://ftp.mozilla.org/pub/firefox/releases/145.0/" rel="external nofollow" target="_blank">Mozilla’s FTP server</a>.
</p>

<p>
	 
</p>

<p>
	Note that this is the first release that doesn’t offer a 32-bit Linux version, which Mozilla deprecated because waning user demand no longer made its development and testing worthwhile.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-firefox-gets-new-anti-fingerprinting-defenses/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 11 November 2025 at 12:44 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32390</guid><pubDate>Tue, 11 Nov 2025 02:45:07 +0000</pubDate></item><item><title>Washington Post Falls Victim to Oracle-Linked Data Breach</title><link>https://nsaneforums.com/news/security-privacy-news/washington-post-falls-victim-to-oracle-linked-data-breach-r32367/</link><description><![CDATA[<p>
	<span>Google researchers said that 100 companies were affected by the hacking campaign targeting Oracle's business software, and that 'mass amounts of customer data' were stolen in the operation. Harvard University and American Airlines-owned carrier Envoy were also impacted.</span>
</p>

<p>
	 
</p>

<p>
	The Washington Post has confirmed it fell victim to a large-scale cybercrime campaign that targeted Oracle's business applications, joining Harvard University and American Airlines-owned carrier Envoy, which announced similar breaches last month.
</p>

<p>
	 
</p>

<p>
	The news, first reported by Reuters, comes after Google said in October that it believes around 100 companies were affected by the hacking campaign, and that “large amounts of customer data” were stolen in an operation it said may have begun in July. Google said that it involved hackers taking advantage of a vulnerability in Oracle's E-Business Suite platform, a widely adopted piece of ERP software which businesses use to manage their operations.
</p>

<p>
	 
</p>

<p>
	Oracle said in a security notice that several of its customers have faced extortion attempts in relation to the attack. The Post didn’t provide much detail regarding the nature of the recent breach, such as what, if any, data had been lost. According to Google's researchers, Oracle patched the vulnerability in early October and directed all the product’s users to update their software immediately.
</p>

<p>
	 
</p>

<p>
	The true perpetrator of the attack is still unknown, but a cybercrime group known as Cl0p has claimed responsibility for the breach on its website, saying that the newspaper “doesn’t care about its security.” The Russian-speaking Cl0p, which was first observed in 2020, specializes in ransomware attacks.
</p>

<p>
	 
</p>

<p>
	More data breaches linked to the incident could still come to light. Certis Foster, senior threat hunter lead at Deepwatch, told SC Media that “Many haven't been disclosed yet because Cl0p tends to wait a few weeks before posting data to put pressure on ransom payments.”
</p>

<p>
	 
</p>

<p>
	Gaining access to a company's ERP systems can potentially give hackers access to a wide range of their data. Heath Renfrow, co-founder and chief information security officer at Fenix24, said that when hackers get access to ERP systems “they gain privileged access to financial data, HR records, supplier systems, and core operational workflows.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/washington-post-falls-victim-to-oracle-linked-data-breach" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32367</guid><pubDate>Sun, 09 Nov 2025 15:48:44 +0000</pubDate></item><item><title>YouTube just cracked down on ad blockers again &#x2014; Reports of issues have skyrocketed, and the culprit seems to be your favorite extension</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-just-cracked-down-on-ad-blockers-again-%E2%80%94-reports-of-issues-have-skyrocketed-and-the-culprit-seems-to-be-your-favorite-extension-r32337/</link><description><![CDATA[<h3>
	It's the latest effort from Google to get you to watch all of the ads (or sign up for YouTube Premium).
</h3>

<p id="30ee0dfd-c7b9-4702-a3f8-167ca6b80a48">
	YouTube is waging an unending war against ad blockers, and today, there seems to be a big update that is causing many users to assume that YouTube has gone down entirely.
</p>

<p>
	 
</p>

<p>
	Looking at <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://downdetector.com/status/youtube/" href="https://downdetector.com/status/youtube/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Down Detector's graph</a>, YouTube outage reports began spiking around 12 AM EST but didn't take off until about 6 AM. Thousands of reports have flooded in, making it seem like YouTube has indeed gone offline in some regions (via <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.tomsguide.com/computing/internet/youtube-is-not-down-its-cracking-down-on-ad-blocker-users-3-ways-to-fix-it" href="https://www.tomsguide.com/computing/internet/youtube-is-not-down-its-cracking-down-on-ad-blocker-users-3-ways-to-fix-it" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Tom's Guide</a>).
</p>

<p>
	 
</p>

<p aria-hidden="true" id="30ee0dfd-c7b9-4702-a3f8-167ca6b80a48-2">
	The root of the issue, however, seems to lie in an anti-ad blocker update.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	The <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.reddit.com/r/youtube/comments/1oqtrnc/was_listening_to_music_in_the_background_and/" href="https://www.reddit.com/r/youtube/comments/1oqtrnc/was_listening_to_music_in_the_background_and/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">YouTube subreddit</a> has been flooded with screenshots of grey panels where the regular YouTube web UI should be, with many others asking if YouTube is down.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	Most of these posts are followed up with the same comments: YouTube is working fine. It's your ad blocker that's getting in the way.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	This is far from the first time that YouTube has cracked down on the use of ad blockers, which remove ads from the page and stop them popping up to interrupt your streamed videos.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	The battle has been going on for years, but in <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/streaming-video/ad-blockers-are-not-allowed-google-escalates-its-battle-against-ad-blockers-to-push-youtube-premiums-usd14-month-subscriptions" href="https://www.windowscentral.com/software-apps/streaming-video/ad-blockers-are-not-allowed-google-escalates-its-battle-against-ad-blockers-to-push-youtube-premiums-usd14-month-subscriptions" target="_blank" rel="external nofollow">June 2025, YouTube effectively doubled down on its battle</a>, closing some loopholes that allowed viewing with an ad blocker enabled. At the same time, it began to <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/streaming-video/google-throttling-youtube-adblock-users" href="https://www.windowscentral.com/software-apps/streaming-video/google-throttling-youtube-adblock-users" target="_blank" rel="external nofollow">intentionally slow down the loading of videos for users</a> who were still able to get through with an ad blocker enabled.
</p>

<p>
	 
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-bfHwLdA8Y4mwJViBPUzrSP">
	<div data-hydrate="true">
		<p aria-hidden="true">
			This, of course, only led to improvements from the ad blocker companies in what can be likened to a classic cat-and-mouse situation.
		</p>

		<p>
			 
		</p>

		<p aria-hidden="true">
			The fallout from today's ad blocker apocalypse is still settling, but the YouTube subreddit seems to have figured out the root of the new problems. The Opera GX browser and its built-in ad blocker have been mentioned several times as having an issue with YouTube.
		</p>

		<p aria-hidden="true">
			 
		</p>

		<p id="93482a64-1d8a-40a5-bd0e-8a77c47bf482">
			Another user claims it's "only happening on Chromium browsers and only when signed in," while another claims that using <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/firefox" href="https://www.windowscentral.com/tag/firefox" rel="external nofollow">Firefox</a> without being signed in is not triggering YouTube's anti-ad block measures.
		</p>

		<p>
			 
		</p>

		<p id="e1ff7e4b-c8dc-40a0-bf1d-5cd159731130">
			Microsoft's Edge browser seems to have come out unscathed. I personally just tested YouTube on Edge using uBlock Origin, and it's not giving me any playback issues.
		</p>

		<p>
			 
		</p>

		<p>
			You might still be able to load YouTube as usual, depending on which ad blocker and web browser you're using, but many will find today that it's either time to upgrade to YouTube Premium or find a new workaround.
		</p>

		<h2 id="what-can-i-do-to-get-around-youtube-s-anti-ad-blocking-system-3">
			What can I do to get around YouTube's anti-ad blocking system?
		</h2>

		<div>
			<div>
				<p>
					<picture data-new-v2-image="true"><source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-1200-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-320-80.jpg.webp 320w" type="image/webp"><img alt="In this photo illustration, the YouTube Premium logo is seen displayed on a smartphone screen." class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/Q2qz2dMXYNnbWZzM9XjDPn-1024-80.jpg"></picture>
				</p>

				<p>
					<em><span>A YouTube Premium subscription is one (expensive) way to enjoy YouTube without ads. </span></em>
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Getty Images | SOPA)</span></em>
				</p>

				<p>
					 
				</p>

				<p id="aa063c62-a7e4-4546-a102-3352be664d76">
					Ad revenue is an essential aspect of online business, something that YouTube's owner, Google, knows all too well. The company serves billions of ads every day across the global internet.
				</p>

				<p>
					 
				</p>

				<p>
					One way to avoid the issues with YouTube and ad blockers is to sign up for YouTube Premium, a <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.youtube.com/premium" href="https://www.youtube.com/premium" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">subscription that costs $13.99 per month</a> (or less if you subscribe for a whole year).
				</p>

				<p>
					 
				</p>

				<p>
					YouTube Premium removes ads from videos and allows for background play and downloads. It's a nice idea, but that's a steep price for a lot of people who don't watch that many videos but are nevertheless tired of the incessant, intrusive ads.
				</p>

				<p>
					 
				</p>

				<p>
					As I mentioned, it doesn't seem like every browser and ad blocker has been affected by YouTube's update. Edge and uBlock Origin are working fine for me, although your mileage may vary.
				</p>

				<p>
					 
				</p>

				<p>
					If you're more inclined to take matters into your own hands and don't mind tinkering with a Raspberry Pi, Windows Central's Richard Devine put together a handy guide on <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/use-your-own-network-wide-ad-blocker-not-browser-extensions" href="https://www.windowscentral.com/software-apps/use-your-own-network-wide-ad-blocker-not-browser-extensions" target="_blank" rel="external nofollow">how to create a network-wide ad blocker that can't be stopped by Google</a>.
				</p>

				<h3 class="article-body__section" id="section-faq">
					<span>FAQ</span>
				</h3>

				<section class="article__schema-question" id="dd84ec77-6d87-4212-9ea2-feb7f3b26eae">
					<h3>
						How does YouTube know I'm using an ad blocker?
					</h3>

					<article class="article__schema-answer">
						<p>
							YouTube and Google have never outright stated how they detect ad blockers, but there are some reasonable assumptions to make based on previous anti-ad block updates.
						</p>

						<p>
							 
						</p>

						<p>
							YouTube can see when a page fails to load an ad script, a sure sign that an ad blocker is in use. If your ad blocker gets around that, YouTube might also add some bait to non-ad scripts. When blocked, they let YouTube know what's up.
						</p>
					</article>
				</section>

				<section class="article__schema-question" id="14235846-8f30-4f55-a6b4-d45be9a6c60e">
					<h3>
						Is YouTube Premium worth the money?
					</h3>

					<article class="article__schema-answer">
						<p>
							That's really up to your current financial situation. YouTube Premium does indeed stop ads, allow you to download videos, and allows for background playback, but it doesn't come cheap.
						</p>

						<p>
							 
						</p>

						<p>
							It certainly makes sense for those who spend hours per day on YouTube, but for anyone casually enjoying the site, I'd recommend putting up with the ads or testing out a different combination of web browser and ad blocker.
						</p>
					</article>
				</section>

				<section class="article__schema-question" id="8f0be356-7810-4ab8-95a5-9a41e513ad38">
					<h3>
						Are ad blockers illegal?
					</h3>

					<article class="article__schema-answer">
						<p>
							No, ad blockers are not illegal in most countries, but websites can take it upon themselves to block users who have them enabled and thus are operating against the terms of service.
						</p>

						<p>
							 
						</p>
					</article>
				</section>

				<p>
					<a href="https://www.windowscentral.com/software-apps/youtube-not-down-anti-ad-blocker-update" rel="external nofollow">Source</a>
				</p>

				<hr class="ipsHr">
				<p>
					<span style="font-size:12px;"><em>Posted Saturday 8 November 2025 at 3:30 am AEST (my time).</em></span>
				</p>

			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">32337</guid><pubDate>Fri, 07 Nov 2025 17:39:05 +0000</pubDate></item><item><title>How a ransomware gang encrypted Nevada government's systems</title><link>https://nsaneforums.com/news/security-privacy-news/how-a-ransomware-gang-encrypted-nevada-governments-systems-r32328/</link><description><![CDATA[<p>
	The State of Nevada has published an after-action report detailing how hackers breached its systems to deploy ransomware in August, and the actions taken to recover from the attack.
</p>

<p>
	 
</p>

<p>
	The document is one of the few completely transparent technical reports from a U.S. government on a cybersecurity incident, describing every step the attacker took and setting an example of how cybersecurity incidents should be handled.
</p>

<p>
	 
</p>

<p>
	The incident impacted more than 60 state government agencies and <a href="https://www.bleepingcomputer.com/news/security/nevada-closes-state-offices-as-cyberattack-disrupts-it-systems/" rel="external nofollow" target="_blank">disrupted essential services</a>, from websites and phone systems to online platforms. 28 days later, without paying a ransom, the state recovered 90% of the impacted data that was required to restore affected services.
</p>

<p>
	 
</p>

<p>
	In a report today, the State of Nevada details with full transparency how the initial compromise occurred, the threat actor's activity on its network, and the steps taken after detecting the malicious activity.
</p>

<h2>
	Ransomware attack unfolding
</h2>

<p>
	Although the breach was discovered on August 24, the hacker had gained initial access on May 14, when a state employee used a trojanized version of a system administration tool.
</p>

<p>
	 
</p>

<p>
	According to the <a href="https://www.documentcloud.org/documents/26218568-gto-statewide-cyber-event-aar-final/" rel="external nofollow" target="_blank">report</a>, a State employee searched Google for a system administration tool to download and was instead shown a malicious advertisement that led to a fraudulent website impersonating the legitimate project.
</p>

<p>
	 
</p>

<p>
	This fake website offered a malware-laced version of the admin utility, which deployed a backdoor on the employee's device.
</p>

<p>
	 
</p>

<p>
	Threat actors have increasingly begun to <a href="https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/" rel="external nofollow" target="_blank">use search advertisements to push malware</a> disguised as popular system administration tools, like <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-pushes-cobalt-strike-via-winscp-search-ads/" rel="external nofollow" target="_blank">WinSCP</a>, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/" rel="external nofollow" target="_blank">Putty</a>, <a href="https://www.bleepingcomputer.com/news/security/trojanized-rvtools-push-bumblebee-malware-in-seo-poisoning-campaign/" rel="external nofollow" target="_blank">RVTools</a>, <a href="https://www.bleepingcomputer.com/news/security/fake-keepass-site-uses-google-ads-and-punycode-to-push-malware/" rel="external nofollow" target="_blank">KeePass</a>, <a href="https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew-logmein-sites-push-infostealers/" rel="external nofollow" target="_blank">LogMeIn</a>, and <a href="https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/" rel="external nofollow" target="_blank">AnyDesk</a>. Instead of the desired program, the victim installs malware, giving threat actors initial access to corporate networks.
</p>

<p>
	 
</p>

<p>
	As these tools are designed for system administrators, the threat actors hope to gain elevated access on the network by targeting these IT employees.
</p>

<p>
	 
</p>

<p>
	Once executed, the malware configured a hidden backdoor that automatically connected to the attacker’s infrastructure upon user login, providing them with persistent remote access to the state’s internal network.
</p>

<p>
	 
</p>

<p>
	On June 26, Symantec Endpoint Protection (SEP) identified and quarantined the malicious tool, and then deleted it from the infected workstation, but the persistence mechanism survived, and the hackers could still reach the environment.
</p>

<p>
	 
</p>

<p>
	On August 5, the attacker installed commercial remote-monitoring software on a system, which enabled them to perform screen recording and keystroke logging. A second infection with that tool occurred ten days later.
</p>

<p>
	 
</p>

<p>
	Between August 14 and 16, the attacker deployed a custom, encrypted network tunnel tool to bypass security controls and established Remote Desktop Protocol (RDP) sessions across multiple systems.
</p>

<p>
	 
</p>

<p>
	This type of remote access allowed them to move laterally between critical servers, including the password vault server, from where they retrieved credentials of 26 accounts, then wiped event logs to hide their actions.
</p>

<p>
	 
</p>

<p>
	Mandiant's incident response team confirmed that the attacker accessed 26,408 files across multiple systems and prepared a six-part .ZIP archive with sensitive info.
</p>

<p>
	 
</p>

<p>
	The investigation found no evidence that the attacker exfiltrated or published the data.
</p>

<p>
	 
</p>

<p>
	On August 24, the attacker authenticated to the backup server and deleted all backup volumes to disable recovery potential, and then logged into the virtualization management server as root to modify security settings to allow the execution of unsigned code.
</p>

<p>
	 
</p>

<p>
	At 08:30:18 UTC, the attacker deployed a ransomware strain on all servers that hosted the state’s virtual machines (VMs).
</p>

<p>
	 
</p>

<p>
	The Governor’s Technology Office (GTO) detected the outage roughly 20 minutes later (01:50 AM local time), marking the start of the 28-day statewide recovery effort.
</p>

<h2>
	Paying overtime, not a ransom
</h2>

<p>
	The State of Nevada maintained a firm stance against paying ransom and relied on its own IT staff and overtime payments to restore the impacted system and services.
</p>

<p>
	 
</p>

<p>
	Cost analysis shows that the 50 state employees worked a total of 4,212 overtime hours, incurring a wage cost of $259,000 to the state.
</p>

<p>
	 
</p>

<p>
	This response allowed timely payroll processing, kept public safety communications online, quickly re-established citizen-facing systems, and saved the state an estimated $478,000 when compared to standard ($175/hour) contractor rates.
</p>

<p>
	 
</p>

<p>
	The costs for external vendor support during the incident response period amounted to a little over $1.3 million, and are broken down in the table below.
</p>

<p>
	 
</p>

<table align="center" border="1" cellpadding="6" cellspacing="0" style="border-collapse:collapse; text-align:left">
	<thead style="background-color:#0b2a48; color:#ffffff;">
		<tr>
			<th>
				Vendor
			</th>
			<th>
				Service Provided
			</th>
			<th>
				Obligated Cost
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				Microsoft DART
			</td>
			<td>
				Unified Support &amp; Infrastructure Rebuild
			</td>
			<td>
				$354,481
			</td>
		</tr>
		<tr>
			<td>
				Mandiant
			</td>
			<td>
				Forensics &amp; Incident Response
			</td>
			<td>
				$248,750
			</td>
		</tr>
		<tr>
			<td>
				Aeris
			</td>
			<td>
				Recovery &amp; Engineering Support
			</td>
			<td>
				$240,000
			</td>
		</tr>
		<tr>
			<td>
				BakerHostetler
			</td>
			<td>
				Legal &amp; Privacy Counsel
			</td>
			<td>
				$95,000
			</td>
		</tr>
		<tr>
			<td>
				SHI (Palo Alto)
			</td>
			<td>
				Network Security Services
			</td>
			<td>
				$69,400
			</td>
		</tr>
		<tr>
			<td>
				Dell
			</td>
			<td>
				Data Recovery &amp; Project Management
			</td>
			<td>
				$66,500
			</td>
		</tr>
		<tr>
			<td>
				Other IR Vendors
			</td>
			<td>
				Various Support Services
			</td>
			<td>
				~$240,069
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	It should be noted that the ransomware actor has not been named. BleepingComputer did not see any major gangs claiming the intrusion on extortion sites.
</p>

<p>
	 
</p>

<p>
	The incident demonstrates Nevada’s cyber-resilience, built on decisive and swift “playbook” action, and also shows a level of transparency that is commendable.
</p>

<p>
	 
</p>

<p>
	Alongside the recovery costs and effort, the State of Nevada has also improved its cybersecurity defenses on the advice of trusted vendors.
</p>

<p>
	 
</p>

<p>
	"The GTO focused on securing the most sensitive systems first, ensuring that access was limited to essential personnel," the report notes.
</p>

<p>
	 
</p>

<p>
	Some of the technical and strategic actions included removing old or unnecessary accounts, resetting passwords, and removing outdated security certificates. Additionally, system rules and permissions were reviewed to ensure that only authorized users have access to sensitive settings.
</p>

<p>
	 
</p>

<p>
	However, the state admits that there is plenty of room for improvement and realizes the importance of investing in cybersecurity, to improve monitoring and response capabilities in particular, as threat actors also evolve their tactics, techniques, and procedures.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/how-a-ransomware-gang-encrypted-nevada-governments-systems/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 7 November 2025 at 1:01 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32328</guid><pubDate>Fri, 07 Nov 2025 03:07:15 +0000</pubDate></item><item><title>U.S. Congressional Budget Office hit by suspected foreign cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/us-congressional-budget-office-hit-by-suspected-foreign-cyberattack-r32322/</link><description><![CDATA[<p>
	The U.S. Congressional Budget Office (CBO) confirms it suffered a cybersecurity incident after a suspected foreign hacker breached its network, potentially exposing sensitive data.
</p>

<p>
	 
</p>

<p>
	In a statement shared with BleepingComputer, CBO spokesperson Caitlin Emma confirmed the "security incident" and said the agency acted quickly to contain it.
</p>

<p>
	 
</p>

<p>
	"The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency's systems going forward," Emma told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"The incident is being investigated and work for the Congress continues. Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats."
</p>

<p>
	 
</p>

<p>
	The Washington Post first reported the breach, stating that officials discovered the hack in recent days and are now concerned that emails and exchanges between congressional offices and the CBO's analysts may have been exposed.
</p>

<p>
	 
</p>

<p>
	While officials have reportedly told lawmakers they believe the intrusion was detected early, some congressional offices have allegedly halted emails with the CBO out of security concerns.
</p>

<p>
	 
</p>

<p>
	The CBO is a nonpartisan agency that provides lawmakers with economic analysis and cost estimates for proposed legislation. A breach of the agency could potentially expose draft reports, economic forecasts, and internal communications.
</p>

<p>
	 
</p>

<p>
	The attack on the CBO is the latest in a series of cyber incidents that have targeted government agencies over the past year.
</p>

<p>
	 
</p>

<p>
	In December 2024, the U.S. Treasury Department confirmed a breach through the third-party remote support platform, BeyondTrust.
</p>

<p>
	 
</p>

<p>
	The Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, was also breached by the same attackers.
</p>

<p>
	 
</p>

<p>
	The attacks were attributed to the Chinese state-sponsored Advanced Persistent Threat (APT) group known as Silk Typhoon.
</p>

<p>
	 
</p>

<p>
	Silk Typhoon became widely known in early 2021 after exploiting the ProxyLogon zero-day flaws impacting Microsoft Exchange Server, compromising an estimated 68,500 servers before security patches were released. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/us-congressional-budget-office-hit-by-suspected-foreign-cyberattack/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32322</guid><pubDate>Fri, 07 Nov 2025 01:18:01 +0000</pubDate></item><item><title>Have I Been Pwned adds biggest trove of breaches, and no, Gmail wasn't hacked</title><link>https://nsaneforums.com/news/security-privacy-news/have-i-been-pwned-adds-biggest-trove-of-breaches-and-no-gmail-wasnt-hacked-r32303/</link><description><![CDATA[<p>
	<a automate_uuid="7f9a31bd-b4ba-4d91-9c3d-1c4b8a0870fc" href="https://www.neowin.net/news/have-i-been-pwned-gets-major-refresh-with-celebratory-confetti-unified-dashboard-and-more/" rel="external nofollow">Have I Been Pwned</a>, the website that lets you know if your data was involved in any breaches, has processed and indexed the largest corpus of breached data in its history. The batch is known as the Synthient Credential Stuffing Threat Data. It features almost two billion email addresses and 1.3 billion passwords, 625 million of which have never been seen by HIBP before.
</p>

<p>
	 
</p>

<p>
	Troy Hunt, who created HIBP, said that the data comes from credential stuffing lists, originating from prior data breaches and then bundled and redistributed by criminals. He said that this data is different from the 183 million Synthient stealer log email addresses mentioned before.
</p>

<p>
	 
</p>

<p>
	To check whether the data was genuine, Hunt examined his own exposed data and reached out to a mix of HIBP subscribers to verify theirs too. Many of them confirmed the exposed passwords were real, including some that were still being actively used. The passwords varied in age, with some having been used 10-20 years ago. The exposed passwords ranged from weak to strong, so if you find yours, you should change your passwords just in case.
</p>

<p>
	 
</p>

<p>
	HIBP has added the passwords from this stash to its Pwned Passwords service. These are added without any association to the email address for security. Checking a standalone password is enough: if you find yours there, you should never use it again. Hunt says that users should check the Pwned Passwords search page, the k-anonymity API, or password managers like 1Password’s Watchtower to check their exposure.
</p>

<p>
	 
</p>

<p>
	There have been rumors of a Gmail breach online recently, but this is false: Gmail has not been breached. <a automate_uuid="09d19efd-6b71-407e-8f4a-0348449978e6" href="https://www.troyhunt.com/2-billion-email-addresses-were-exposed-and-we-indexed-them-all-in-have-i-been-pwned/" rel="external nofollow">Troy Hunt reiterated this</a>, saying that the corpus contains 32 million different email domains. While gmail.com is the largest at 394 million addresses, 80% of the data has nothing to do with Gmail, and the Gmail addresses are not due to any security vulnerability on Google’s part.
</p>

<p>
	 
</p>

<p>
	This corpus is almost three times the size of the largest breach HIBP had previously loaded. Hunt said that loading and manipulating the data in Azure SQL Hyperscale was extremely hard and expensive, maxing out resources for two weeks; simple SQL UPDATE statements often failed or had to be killed, so the work had to be broken into batches. Notifying the 2.9 million affected subscribers was also slow, as delivery had to be throttled to avoid being rate-limited or blacklisted by receiving mail servers.
</p>

<p>
	 
</p>

<p>
	As for advice to end users, Hunt said to use a password manager to store a unique password for every account, choose strong passwords, <a automate_uuid="67503c30-3d59-481b-8124-e2c11ff50b0a" href="https://www.neowin.net/news/microsoft-edge-can-now-store-and-sync-passkeys-across-devices/" rel="external nofollow">use passkeys</a> where they are offered, and enable multi-factor authentication. Most web browsers, including Google Chrome and Firefox, ship with a password manager that can sync across devices.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/have-i-been-pwned-adds-biggest-trove-of-breaches-and-no-gmail-wasnt-hacked/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 6 November 2025 at 3:00 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32303</guid><pubDate>Wed, 05 Nov 2025 17:00:41 +0000</pubDate></item><item><title>Russian hackers hit Windows machines via Linux VMs with new custom malware</title><link>https://nsaneforums.com/news/security-privacy-news/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware-r32298/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Hiding malware in VMs bypasses security protections</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:16px;">Curly COMrades deployed Alpine Linux VMs on Windows hosts to hide reverse-shell malware activity</span>
	</li>
	<li>
		<span style="font-size:16px;">VM traffic tunneled via the host IP, bypassing traditional EDR and masking outbound communications</span>
	</li>
	<li>
		<span style="font-size:16px;">Targets included Georgian and Moldovan institutions; operations align with Russian geopolitical interests</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	Russian hackers known as Curly COMrades have been seen hiding their malware in Linux-based virtual machines (VM) deployed on Windows devices, experts have warned.
</p>

<p>
	 
</p>

<p>
	Security researchers from Bitdefender, who analyzed the latest activity together with the Georgian Computer Emergency Response Team (CERT), found that Curly COMrades began targeting these victims in July 2025, when they ran remote commands to enable the Microsoft Hyper-V virtualization feature on the hosts while disabling its management interface.
</p>

<p>
	 
</p>

<p>
	They then used Hyper-V to run a lightweight Alpine Linux-based VM, downloaded onto the host, that contained multiple malware implants.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Russian attackers</strong></span>
</p>

<p>
	 
</p>

<p>
	The malware deployed in this campaign consists of two implants, CurlyShell and CurlCat, both of which give the attackers reverse-shell access. The hackers also deployed PowerShell scripts that provided remote authentication and arbitrary command execution.
</p>

<p>
	 
</p>

<p>
	To hide the activity in plain sight, they attached the VM to Hyper-V’s built-in Default Switch, an internal switch that NATs guest traffic through the host’s network stack. All of the VM’s traffic therefore left the machine from the host’s own IP address.
</p>

<p>
	 
</p>

<p>
	"In effect, all malicious outbound communication appears to originate from the legitimate host machine's IP address," the researchers explained. "By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections."
</p>
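<p>
	A hunting check for the setup the researchers describe, as an added example written for this post rather than code from Bitdefender. It reads the output of two real Windows commands, <code>dism /online /get-features /format:table</code> and <code>Get-VMNetworkAdapter -All | Select-Object VMName, SwitchName | ConvertTo-Json</code>, and flags hosts where Hyper-V is enabled with its management tooling turned off, hosts running VMs that are not expected to, and VMs attached to the Default Switch. The sample outputs are constructed to approximate the real formats (not captured from a victim), the feature names are the real DISM names, and the article’s “management interface” is assumed here to mean the Hyper-V management features.
</p>

```python
import json
import re
from typing import Dict, List, Set

# Real Windows optional-feature names as DISM reports them.
HYPER_V_CORE = ("Microsoft-Hyper-V", "Microsoft-Hyper-V-Hypervisor")
HYPER_V_MGMT = ("Microsoft-Hyper-V-Management-PowerShell", "Microsoft-Hyper-V-Management-Clients")
NAT_SWITCH = "Default Switch"  # Hyper-V's built-in internal switch; guest traffic is NATed behind the host IP

# One row of 'dism /online /get-features /format:table': "<feature> | <state>"
FEATURE_LINE = re.compile(r"^\s*([\w.-]+)\s*\|\s*(Enabled|Disabled|Enable Pending|Disable Pending)\s*$")


def parse_dism_features(text: str) -> Dict[str, str]:
    """Map feature name -> state; header and separator rows do not match the pattern."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        m = FEATURE_LINE.match(line)
        if m:
            states[m.group(1)] = m.group(2)
    return states


def assess_host(hostname: str, dism_text: str, adapters_json: str, expected_vm_hosts: Set[str]) -> List[str]:
    """Return hunting findings for one host.

    adapters_json is the JSON from Get-VMNetworkAdapter -All | Select-Object VMName, SwitchName | ConvertTo-Json
    (a single adapter serialises as an object rather than a list, so both shapes are accepted).
    """
    findings: List[str] = []
    features = parse_dism_features(dism_text)
    core_on = any(features.get(f) == "Enabled" for f in HYPER_V_CORE)
    mgmt_on = any(features.get(f) == "Enabled" for f in HYPER_V_MGMT)
    if core_on and not mgmt_on:
        findings.append(f"{hostname}: Hyper-V enabled with management tooling disabled")
    adapters = json.loads(adapters_json) if adapters_json.strip() else []
    if isinstance(adapters, dict):
        adapters = [adapters]
    for adapter in adapters:
        vm, switch = adapter.get("VMName"), adapter.get("SwitchName")
        if not vm:  # management-OS adapters carry no VM name
            continue
        if hostname not in expected_vm_hosts:
            findings.append(f"{hostname}: VM '{vm}' present on a host not expected to run VMs")
        if switch == NAT_SWITCH:
            findings.append(f"{hostname}: VM '{vm}' attached to '{NAT_SWITCH}' (egress appears to come from the host IP)")
    return findings


# Constructed samples approximating the real command outputs.
SAMPLE_DISM_WORKSTATION = """\
Feature Name                                | State
------------------------------------------- | --------
Microsoft-Hyper-V-All                       | Enabled
Microsoft-Hyper-V                           | Enabled
Microsoft-Hyper-V-Hypervisor                | Enabled
Microsoft-Hyper-V-Services                  | Enabled
Microsoft-Hyper-V-Management-PowerShell     | Disabled
Microsoft-Hyper-V-Management-Clients        | Disabled
"""
SAMPLE_ADAPTERS_WORKSTATION = '{"VMName": "alpine-svc", "SwitchName": "Default Switch"}'

SAMPLE_DISM_SERVER = SAMPLE_DISM_WORKSTATION.replace("| Disabled", "| Enabled")
SAMPLE_ADAPTERS_SERVER = (
    '[{"VMName": "app-01", "SwitchName": "External-vSwitch"},'
    ' {"VMName": "db-01", "SwitchName": "External-vSwitch"}]'
)

if __name__ == "__main__":
    known_vm_hosts = {"HV-PROD-01"}
    for host, dism, adapters in (
        ("WS-0417", SAMPLE_DISM_WORKSTATION, SAMPLE_ADAPTERS_WORKSTATION),
        ("HV-PROD-01", SAMPLE_DISM_SERVER, SAMPLE_ADAPTERS_SERVER),
    ):
        for finding in assess_host(host, dism, adapters, known_vm_hosts) or [f"{host}: no findings"]:
            print(finding)
```

<p>
	On the constructed workstation sample this produces three findings (hypervisor without management tooling, an unexpected VM, and egress through the Default Switch); the sanctioned Hyper-V server produces none. Scope it across a fleet by collecting the two command outputs through your existing EDR or remote-management channel.
</p>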

<p>
	 
</p>

<p>
	Curly COMrades were first spotted in 2024 and while their activities align with the interests of the Russian Federation, a direct link was not found. In August 2025, Bitdefender reported that their victims included government and judicial organizations in Georgia, and energy companies in Moldova. The victims in this incident were not named.
</p>

<p>
	 
</p>

<p>
	Bitdefender stressed that there are no strong overlaps with known Russian APT groups, but Curly COMrades’ operations “align with the geopolitical goals of the Russian Federation."
</p>

<p>
	 
</p>

<p>
	Ever since Russia’s attention turned towards Ukraine in 2014 with the annexation of Crimea, the other countries along its borders have lost the spotlight. Georgia, however, is in a similar position to Ukraine, with two regions, South Ossetia and Abkhazia, having declared independence with the help of the Russian military. It would therefore make sense for Russia’s cyberspies to keep tabs on neighboring countries and their diplomatic efforts.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32298</guid><pubDate>Wed, 05 Nov 2025 15:39:18 +0000</pubDate></item><item><title>Microsoft finally makes passkeys viable thanks to Edge on Windows 11 &#x2014; you can finally sync them across devices</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-finally-makes-passkeys-viable-thanks-to-edge-on-windows-11-%E2%80%94-you-can-finally-sync-them-across-devices-r32291/</link><description><![CDATA[<h3>
	You'll soon be able to sync passkeys to the cloud using Edge and your Microsoft Account, meaning you'll be able to share them across devices going forward.
</h3>

<p id="455a9cf6-f202-45ba-a0b5-251bbe8db265">
	Microsoft has <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://blogs.windows.com/msedgedev/2025/11/03/microsoft-edge-introduces-passkey-saving-and-syncing-with-microsoft-password-manager/" href="https://blogs.windows.com/msedgedev/2025/11/03/microsoft-edge-introduces-passkey-saving-and-syncing-with-microsoft-password-manager/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">announced </a>an update coming to its Edge web browser on <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/microsoft/windows/windows-11" data-before-rewrite-redirect="/windows-11" data-hl-processed="none" data-url="https://www.windowscentral.com/microsoft/windows/windows-11" href="https://www.windowscentral.com/microsoft/windows/windows-11" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Windows 11 </a>that introduces support for syncing passkeys to the cloud via your Microsoft Account for use across multiple devices. <em>"We’re thrilled to share that passkeys can now be securely saved and synced across your Windows desktop devices using Microsoft Password Manager in Edge,"</em> says Microsoft.
</p>

<p>
	 
</p>

<p>
	Passkeys are a relatively new, more secure way of signing in to online accounts and apps, built on the 'Fast IDentity Online 2' (FIDO2) open standard. Instead of a password, a passkey is a public-key credential: the private key stays on the device (or in the credential store that syncs it) and is unlocked with the device's built-in authentication, such as fingerprint, face unlock, or a PIN. That makes signing in quicker and binds the login to the device and the site it was created for, rather than to a secret that can be phished or reused.
</p>

<p>
	 
</p>


<p aria-hidden="true" id="455a9cf6-f202-45ba-a0b5-251bbe8db265-2">
	Frustratingly, most platforms that can handle passkeys don't support syncing them across devices. This means that if you ever lose that device, you lose the ability to sign into that account unless you have a recovery method set up. I've often factory-reset my PC and forgotten to back up my passkeys, resulting in me losing access to some online accounts.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	That's finally changing with <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/microsoft-edge" href="https://www.windowscentral.com/tag/microsoft-edge" rel="external nofollow">Microsoft Edge</a>, which will now let you sync passkeys using your Microsoft Account. That means you can sign into Edge on any Windows 11 PC, and have your passkeys carried with you across devices so that you never lose access to them, even if you lose access to one particular device.
</p>

<p>
	 
</p>

<div>
	<div>
		<p>
			<picture data-new-v2-image="true"> <source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-1143-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-320-80.jpg.webp 320w" type="image/webp"> <img alt="Windows Hello passkey new UI" class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/wa6yz4UAiq4vrSjYNy3dCW-1024-80.jpg"> </source></picture>
		</p>

		<p>
			<em><span>Passkeys will use your device's built-in authentication methods to login to accounts. </span></em>
		</p>

		<p>
			<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
		</p>

		<p>
			 
		</p>

		<p id="6d747fce-636e-4157-9bc8-71b4bbb9b7a8">
			<em>"Passkeys are stored in your Microsoft account and protected by a Microsoft Password Manager PIN, which you’ll setup while creating passkey for the very first time,"</em> explains Microsoft. <em>"When you visit a site which supports passkeys, you’ll be asked if you’d like to create a passkey in Microsoft Password Manager. The created passkey gets saved in Microsoft Password Manager and can be used to login to the specific website by simply performing your preferred way of device authentication such as fingerprint, facial recognition, or PIN code."</em>
		</p>

		<p>
			 
		</p>

		<p>
			Microsoft says that syncing passkeys to the cloud is just as secure as storing them locally on a device: the passkeys are encrypted in the cloud, with the Microsoft Password Manager PIN as an additional layer on top. <em>"For unlocking passkeys on a new device, you will have a maximum of 10 attempts to input the correct PIN."</em> The practical consequence is that synced passkeys are only as well protected as the Microsoft Account they live in, so that account's own multi-factor authentication and recovery settings become part of the passkeys' security.
		</p>

		<p>
			 
		</p>

		<p>
			You'll be able to manage all of your saved passkeys using the Microsoft Password Manager that's built into the Edge browser. Microsoft says support for syncing passkeys across devices will be coming to mobile and Mac soon, but it's rolling out in waves first on Windows 10 and Windows 11.
		</p>

		<div id="slice-container-newsletterForm-articleInbodyContent-Q3EnkW446nsjwY6gzkrzE3">
			<div data-hydrate="true">
				<section class="article__schema-question" id="c0b349bd-06ed-4b82-b125-995c977229e3">
					<h3>
						What are passkeys?
					</h3>

					<article class="article__schema-answer">
						<p>
							Passkeys are a more secure way of signing into apps and websites without using a password. Instead of a password, you use the device's built-in authentication methods, such as face unlock, fingerprint unlock, or a PIN, to log in to an app or website.
						</p>
					</article>
				</section>

				<section class="article__schema-question" id="76296d6e-4754-4f83-a333-007583ac5de0">
					<h3>
						Why is Microsoft adding cloud sync to passkeys?
					</h3>

					<article class="article__schema-answer">
						<p>
							Up until now, most platforms have stored passkeys locally on the device they were set up on. This is more secure, but comes with the risk of losing access to those passkeys if you lose access to the device itself. Being able to sync passkeys to the cloud using your Microsoft Account in Microsoft Edge ensures you never lose access to your passkeys, even if you lose or switch devices without backing them up first.
						</p>
					</article>
				</section>

				<section class="article__schema-question" id="f7603a22-603d-4c06-aede-221003ee213d">
					<h3>
						Do I have to sync my passkeys to the cloud?
					</h3>

					<article class="article__schema-answer">
						<p>
							No, you don't have to sync passkeys to the cloud if you'd rather store them locally.
						</p>

						<p>
							 
						</p>
					</article>
				</section>

				<p>
					<a href="https://www.windowscentral.com/microsoft/windows-11/microsoft-finally-makes-passkeys-viable-thanks-to-edge-on-windows-11-you-can-finally-sync-them-across-devices" rel="external nofollow">Source</a>
				</p>

				<hr class="ipsHr">

				<p>
					<span style="font-size:12px;"><em>Posted Wednesday 5 November 2025 at 1:29 pm AEST (my time).</em></span>
				</p>

			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">32291</guid><pubDate>Wed, 05 Nov 2025 03:30:36 +0000</pubDate></item><item><title>Data breach at major Swedish software supplier impacts 1.5 million</title><link>https://nsaneforums.com/news/security-privacy-news/data-breach-at-major-swedish-software-supplier-impacts-15-million-r32277/</link><description><![CDATA[<p>
	The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people.
</p>

<p>
	 
</p>

<p>
	Miljödata is an IT systems supplier for roughly 80% of Sweden's municipalities. The company <a href="https://www.bleepingcomputer.com/news/security/it-system-supplier-cyberattack-impacts-200-municipalities-in-sweden/" rel="external nofollow" target="_blank">disclosed the incident</a> on August 25, saying that the attackers stole data and demanded 1.5 Bitcoin to not leak it.
</p>

<p>
	 
</p>

<p>
	The attack caused operational disruptions that affected citizens in multiple regions in the country, including Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås.
</p>

<p>
	 
</p>

<p>
	Because of the large impact, the state monitored the situation from the time of disclosure, with CERT-SE and the police starting to investigate immediately.
</p>

<p>
	 
</p>

<p>
	According to IMY, data corresponding to 1.5 million people in the country was exposed on the dark web by the attacker, forming the basis for an investigation into potential General Data Protection Regulation (GDPR) violations.
</p>

<p>
	 
</p>

<p>
	"The Miljödata leak meant that a large portion of Sweden's population had their personal data published on the Darknet — in many cases, even sensitive information," <a href="https://www.imy.se/nyheter/imy-inleder-granskningar-utifran-miljodata-lackan/" rel="external nofollow" target="_blank">stated IMY's head, Jenny Bård</a>.
</p>

<p>
	 
</p>

<p>
	"The leak raises a number of questions about the level of security and what types of personal data were stored in the systems."
</p>

<p>
	 
</p>

<p>
	"Our main focus is to investigate any shortcomings that could provide lessons going forward, in order to reduce the risk of similar incidents happening again."
</p>

<p>
	 
</p>

<p>
	Due to the extensive impact, IMY has decided to prioritize investigation targets in accordance with the criticality of their operations, limiting the inquiry to Miljödata, the City of Gothenburg, the Municipality of Älmhult, and the Region of Västmanland.
</p>

<p>
	 
</p>

<p>
	Miljödata will be investigated in relation to security measures, while the municipalities will be examined for their data handling practices, with particular focus on children's data, protected identity subjects, and former employees.
</p>

<p>
	 
</p>

<p>
	Additional entities may be investigated in the future, but there are no such plans for now.
</p>

<p>
	 
</p>

<p>
	Although no ransomware groups had claimed the attack when Miljödata disclosed the incident, BleepingComputer found that the threat group Datacarry posted the stolen data on its dark web portal on September 13.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Datacarry" class="ipsImage" height="506" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/November/datacarry.jpg">
		<figcaption>
			<em>Datacarry data leak portal on the dark web<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The threat actors, who list an additional 12 victims on their website, provide a 224MB archive with data allegedly stolen from Miljödata.
</p>

<p>
	 
</p>

<p>
	Have I Been Pwned has <a href="https://haveibeenpwned.com/Breach/Miljodata" rel="external nofollow" target="_blank">also added</a> to its database the leaked Miljödata information, which contains names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth.
</p>

<p>
	 
</p>

<p>
	The data breach alerting service reports that the leaked data corresponds to 870,000 people, which is roughly half the figure provided by IMY.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/data-breach-at-major-swedish-software-supplier-impacts-15-million/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 5 November 2025 at 4:08 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32277</guid><pubDate>Tue, 04 Nov 2025 18:09:15 +0000</pubDate></item><item><title>Hackers exploit critical auth bypass flaw in JobMonster WordPress theme</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-exploit-critical-auth-bypass-flaw-in-jobmonster-wordpress-theme-r32276/</link><description><![CDATA[<p>
	Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions.
</p>

<p>
	 
</p>

<p>
	The malicious activity was detected by Wordfence, a WordPress security firm, after blocking multiple exploit attempts against its clients over the past 24 hours.
</p>

<p>
	 
</p>

<p>
	JobMonster, created by NooThemes, is a premium WordPress theme used by job listing sites, recruitment/hiring portals, candidate search tools, etc. The theme has over <a href="https://themeforest.net/item/jobmonster-job-board-wordpress-theme/10965446" rel="external nofollow" target="_blank">5,500 sales on Envato</a>.
</p>

<p>
	 
</p>

<p>
	The exploited vulnerability is tracked as CVE-2025-5397 and has a critical-severity CVSS score of 9.8. It is an authentication bypass that impacts all versions of the theme up to and including 4.8.1.
</p>

<p>
	 
</p>

<p>
	“[The flaw] is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them,” <a href="https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/noo-jobmonster/jobmonster-job-board-wordpress-theme-481-authentication-bypass" rel="external nofollow" target="_blank">reads the flaw’s description</a>.
</p>

<p>
	 
</p>

<p>
	“This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts.”
</p>

<p>
	 
</p>

<p>
	To exploit CVE-2025-5397, social login needs to be enabled on sites using the theme; otherwise, there’s no impact.
</p>

<p>
	 
</p>

<p>
	Social login is a feature that enables users to sign in to a website using their existing social media accounts, such as “Sign in with Google,” “Login with Facebook,” and “Continue with LinkedIn.”
</p>

<p>
	 
</p>

<p>
	JobMonster trusts the external login data without properly verifying it, allowing attackers to impersonate an administrator without holding valid credentials.
</p>
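<p>
	The trust failure described above, illustrated as an added example that is not JobMonster’s code and does not reproduce its logic: a social login handler that accepts the e-mail address carried in the callback, beside one that first verifies a signed assertion from the provider. The site, its users and the provider are hypothetical, and an HMAC over the token stands in for the provider’s real signature (in OpenID Connect the ID token is a JWS checked against the provider’s published keys, with state and nonce checks on top).
</p>

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Hypothetical site and identity provider; nothing here is JobMonster's code.
OUR_CLIENT_ID = "jobsite-demo-client"
PROVIDER_KEY = b"demo-provider-signing-key"  # stands in for the provider's real (asymmetric) signing key
USERS: Dict[str, str] = {"admin@example.com": "administrator", "bob@example.com": "subscriber"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def provider_issue_token(email: str, aud: str, key: bytes = PROVIDER_KEY, ttl: int = 300) -> str:
    """What the provider hands back after the user really authenticated there (payload.signature)."""
    claims = {"email": email, "email_verified": True, "aud": aud, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def vulnerable_social_login(request: Dict[str, str]) -> Optional[str]:
    """Bug pattern: the callback's claimed e-mail is taken as proof of identity.

    Anyone who knows an administrator's address can post it and get that role back.
    """
    return USERS.get(request.get("email", ""))


def hardened_social_login(request: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Accept only an assertion signed by the provider, issued for this site, not expired, for a verified address."""
    parts = request.get("id_token", "").split(".")
    if len(parts) != 2:
        return None
    payload_b64, sig_b64 = parts
    expected = hmac.new(PROVIDER_KEY, payload_b64.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig_b64)):  # constant-time signature check
            return None
        claims = json.loads(_unb64(payload_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if claims.get("aud") != OUR_CLIENT_ID:  # token minted for some other site
        return None
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    if not claims.get("email_verified"):  # provider never confirmed ownership of the address
        return None
    return USERS.get(claims.get("email", ""))


if __name__ == "__main__":
    forged = {"email": "admin@example.com"}  # no proof, just the address
    print("vulnerable:", vulnerable_social_login(forged))
    print("hardened, forged:", hardened_social_login(forged))
    legit = {"id_token": provider_issue_token("bob@example.com", OUR_CLIENT_ID)}
    print("hardened, genuine:", hardened_social_login(legit))
```

<p>
	The hardened handler also rejects a token signed with the wrong key, a token issued for a different client ID, and an expired one; the account lookup only happens after every check has passed. Disabling social login, the mitigation Wordfence suggests, removes this code path entirely until the patched theme is installed.
</p>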

<p>
	 
</p>

<p>
	Typically, an attacker would also need to know the target administrator’s account username or email.
</p>

<p>
	 
</p>

<p>
	CVE-2025-5397 has been fixed in JobMonster version 4.8.2, currently the most recent, so users are advised to move to the patched release immediately.
</p>

<p>
	 
</p>

<p>
	If the update cannot be applied immediately, disable the social login function on affected websites as a temporary mitigation.
</p>

<p>
	 
</p>

<p>
	It is also advisable to enable two-factor authentication for all administrator accounts, rotate credentials, and check access logs for suspicious activity.
</p>

<p>
	 
</p>

<p>
	WordPress themes have been at the epicenter of malicious activity in recent months.
</p>

<p>
	 
</p>

<p>
	Last week, Wordfence reported about malicious activity targeting the <a href="https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-wp-freeio-plugin/" rel="external nofollow" target="_blank">Freeio premium theme</a> leveraging CVE-2025-11533, a critical privilege escalation flaw.
</p>

<p>
	 
</p>

<p>
	In early October, threat actors targeted CVE-2025-5947, a critical authentication bypass problem in the <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-in-service-finder-wordpress-theme/" rel="external nofollow" target="_blank">Service Finder WordPress theme</a>, allowing them to log in as administrators.
</p>

<p>
	 
</p>

<p>
	In July 2025, it was reported that hackers targeted the <a href="https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-in-wordpress-alone-theme/" rel="external nofollow" target="_blank">WordPress theme 'Alone'</a> to achieve remote code execution and perform a full site takeover, with Wordfence blocking over 120,000 attempts at the time.
</p>

<p>
	 
</p>

<p>
	WordPress plugins and themes must be updated regularly to ensure the latest security fixes are active on the sites. Delaying patches gives threat actors opportunities for successful attacks, sometimes <a href="https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/" rel="external nofollow" target="_blank">a full year later</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-auth-bypass-flaw-in-jobmonster-wordpress-theme/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 5 November 2025 at 4:06 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32276</guid><pubDate>Tue, 04 Nov 2025 18:07:48 +0000</pubDate></item><item><title>Louvre delayed Windows security updates ahead of burglary</title><link>https://nsaneforums.com/news/security-privacy-news/louvre-delayed-windows-security-updates-ahead-of-burglary-r32268/</link><description><![CDATA[<p>
	<span>Thieves broke in through a second-floor window, but the museum has had other problems with unsecured Windows too, according to a decade-old cybersecurity audit report that has now come to light. </span>
</p>

<p>
	 
</p>

<p>
	The Louvre Museum in Paris, victim of an audacious burglary involving a furniture lift last month, has been struggling for over a decade to upgrade outdated software, including that controlling its video surveillance systems, according to a French newspaper report.
</p>

<p>
	 
</p>

<p>
	Thieves used a furniture lift to break in through a second-floor window on October 19, stealing eight items of jewelry. Alarm systems on the window and on the display case holding the jewelry functioned as expected, according to the French Ministry of Culture, and police were on the scene within three minutes. The raid prompted a top-to-bottom review of security at the museum.
</p>

<p>
	 
</p>

<p>
	The Inspectorate General of Cultural Affairs (IGAC) submitted its first conclusions last week, prompting the Minister of Culture to recommend new governance rules and security policies, the installation of additional security cameras around the building perimeter, and an urgent update of all security protocols and procedures by year-end. The details of the report remain confidential.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>IT problems date back over a decade</strong></span>
</p>

<p>
	 
</p>

<p>
	But numerous IT problems related to security systems were already evident as long ago as 2014 and 2017, according to earlier confidential audits of security systems seen by French newspaper Libération.
</p>

<p>
	 
</p>

<p>
	The museum was still running Windows 2000 on its office automation network when the French National Agency for the Security of Information Systems (ANSSI) conducted its 2014 audit, the newspaper reported, although Microsoft had stopped providing security updates for that version of its operating system three years earlier, in July 2010. The audit report also highlighted a video surveillance server with the password “LOUVRE” and a video surveillance application made by Thales with the password “THALES,” the newspaper said.
</p>

<p>
	 
</p>

<p>
	ANSSI naturally recommended using more complex passwords, migrating software to versions supported by the developers, and patching vulnerabilities. Libération said the museum declined to respond when asked if it had followed these recommendations.
</p>

<p>
	Clearly, though, some of them were not followed.
</p>

<p>
	 
</p>

<p>
	A second audit took place in 2017, conducted this time by the French National Institute of Advanced Studies in Security and Justice (INHESJ). “Certain workstations have obsolete operating systems (Windows 2000 and Windows XP) which no longer guarantee effective security (no antivirus updates, no passwords or session lock…),” Libération quoted the audit as saying. Microsoft ended extended support for Windows XP in 2014.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>No updates for eight security applications</strong></span>
</p>

<p>
	 
</p>

<p>
	The newspaper also examined calls for tender and other public procurement documents issued by the museum in the years since the audits.
</p>

<p>
	 
</p>

<p>
	Twenty years of technical debt weighed heavily on security at the Louvre, as it steadily accumulated systems for analogue video surveillance, digital video surveillance, intrusion detection, and access control, some of them with dedicated servers or proprietary applications. Some of these became obsolete over time and needed updating or replacing.
</p>

<p>
	 
</p>

<p>
	Thales supplied one such system, Sathi, to the Louvre in 2003, but it was no longer supporting it by February 2019, according to public procurement documents seen by the newspaper. As recently as the middle of this year, eight Sathi applications appeared on a museum list of “software that cannot be updated”.
</p>

<p>
	 
</p>

<p>
	The Louvre’s Windows problems continued at least through 2021, when another document noted it was using Sathi on a machine still running Microsoft Windows Server 2003, which reached the end of extended support in 2015.
</p>

<p>
	 
</p>

<p>
	There’s no indication that the Louvre’s longstanding software problems were implicated in the recent burglary, but IGAC’s report last week did highlight a number of security failures, including insufficient surveillance systems and an underestimate of the risks of intrusion stretching back 20 years.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.computerworld.com/article/4084017/louvre-delayed-windows-security-updates-ahead-of-burglary-2.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32268</guid><pubDate>Tue, 04 Nov 2025 13:17:10 +0000</pubDate></item><item><title>Microsoft Edge can now store and sync passkeys across devices</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-can-now-store-and-sync-passkeys-across-devices-r32262/</link><description><![CDATA[<p>
	Microsoft Edge 142, which was recently <a automate_uuid="8f2e32d5-9443-4aff-b840-3d97417ac0da" href="https://www.neowin.net/news/microsoft-releases-edge-142-with-improved-autofill-new-scareware-blocker-sensor-and-more/" rel="external nofollow">released to all users in the Stable channel</a>, is getting a more powerful password manager. Starting with the latest version, Microsoft Edge can now save and sync passkeys across devices, making it easier and more secure to sign into websites.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge stores all your passkeys in your Microsoft Account and protects them with a Microsoft Password Manager PIN, which you will be prompted to create when making the first passkey. Once everything is set up, Microsoft Edge will offer to generate passkeys on websites that support them. Existing passkeys can be used by authenticating with Windows Hello using your fingerprint, face, or PIN.
</p>

<p>
	 
</p>

<p>
	For now, the ability to save and sync passkeys in Microsoft Edge is only available on Windows PCs. You will need a computer with Windows 10 and newer, Edge 142 and newer, and a Microsoft Account. In the future, Microsoft will bring passkey improvements to Edge on other platforms as well. Another thing worth mentioning is that currently, you can only use passkeys on websites in Microsoft Edge. Microsoft says that a dedicated plugin will soon let you use passkeys stored in Edge in third-party apps and browsers.
</p>

<p>
	 
</p>

<p>
	Microsoft adds that Edge's password manager can still be used for regular passwords with all the existing features. Although passkeys are considered a better and safer authentication method (<a automate_uuid="c70dc366-16ca-4fcd-883d-6ced661659fb" href="https://www.neowin.net/news/microsoft-ditches-passwords-by-default-for-new-accounts/" rel="external nofollow">Microsoft now uses them by default for new accounts</a>), those who want to log in with standard passwords can continue to do so without any changes. Passkey support in Edge does not affect existing passwords.
</p>

<p>
	 
</p>

<p>
	If you want to learn more about passkey support in Microsoft Edge 142, you can check out <a automate_uuid="f715ad26-0938-407c-8923-aaf1ea493067" href="https://blogs.windows.com/msedgedev/2025/11/03/microsoft-edge-introduces-passkey-saving-and-syncing-with-microsoft-password-manager/" rel="external nofollow">the official announcement post</a> and frequently asked questions, such as how to change the passkey PIN, what happens when you switch to another device, Microsoft Entra support, and more.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-edge-can-now-store-and-sync-passkeys-across-devices/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 4 November 2025 at 12:57 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32262</guid><pubDate>Tue, 04 Nov 2025 02:57:46 +0000</pubDate></item><item><title>Password manager KeePass 2.60 is now available: here is what is new</title><link>https://nsaneforums.com/news/security-privacy-news/password-manager-keepass-260-is-now-available-here-is-what-is-new-r32257/</link><description><![CDATA[<p>
	Computer users have plenty of choice when it comes to an essential piece of software: password managers. From built-in browser password managers to local apps or cloud-based services that sync your data across all of your devices -- and the company's cloud -- there is much choice, which can be overwhelming.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2018/05/28/keepass-password-safe-review/" rel="external nofollow">One of our favorite password managers is KeePass</a>. The main version of the program is available for Windows, but the format that it uses is widely used and apps, for instance <a data-wpel-link="internal" href="https://www.ghacks.net/2024/03/11/keepassxc-adds-support-for-passkeys-improves-database-import-from-bitwarden-and-1password/" rel="external nofollow">KeePassXC</a>, are available for more or less any system you can think of. Add plugin support to the mix, and you get a password manager that is very powerful, yet keeps you in full control all the time.
</p>

<h2>
	KeePass 2.60: here is what is new
</h2>

<p>
	<img alt="KeePass 2.60 password manager" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/11/keepass-2.60-password-manager.png">
</p>

<p>
	 
</p>

<p>
	KeePass 2.60 is the latest version of the 2.x branch of the password manager. You can download it from the developer website and upgrade existing versions that way. While KeePass does include update notifications, updating is neither integrated nor automatic.
</p>

<p>
	 
</p>

<p>
	Just run the installer after the download to upgrade the installation. Portable users can copy the data into the portable folder to update.
</p>

<p>
	 
</p>

<p>
	So what is new in the release? The <a data-wpel-link="external" href="https://keepass.info/news/n251102_2.60.html" rel="external nofollow" target="_blank">official blog post</a> lists a large number of new features and improvements.
</p>

<p>
	 
</p>

<p>
	<strong>Here are the main changes:</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		Press Ctrl-A in a list view that supports multiple selections to select all items at once.
	</li>
	<li>
		Press Delete when you have items selected to delete them, provided that the view supports deletion.
	</li>
	<li>
		French-speaking users may see a warning because of a conflict between the <a data-wpel-link="internal" href="https://www.ghacks.net/2013/02/05/keepass-the-global-login-shortcut-to-ease-your-life/" rel="external nofollow">global auto-type hotkey Ctrl-Alt-A</a> and the French Standard AZERTY layout.
	</li>
	<li>
		The clearing countdown for the Clipboard now shows the remaining time in seconds. Previously, it only showed a bar.
	</li>
	<li>
		Support for importing Firefox 143 CSV password files was added.
	</li>
	<li>
		When importing Bitwarden JSON data, "totp" fields that consist of only Base32 characters are now treated as "a shared secret for time-based one-time password generation".
	</li>
	<li>
		Added support for parsing Unix timestamps in milliseconds.
	</li>
	<li>
		New search option: search for group paths.
	</li>
	<li>
		New optional main entry list columns "Group Path" and "Group Name".
	</li>
</ul>

<p>
	 
</p>

<p>
	As for improvements, there is a significant number listed. You may notice that the auto-complete of the quick search box is no longer showing any suggestions. This is caused by a bug that affects the display when running new searches.
</p>

<p>
	 
</p>

<p>
	You can check out the remaining improvements, which address quite a few bugs and issues for the most part.
</p>

<p>
	 
</p>

<p>
	<em>Now You: do you use a password manager? If so, what is your favorite program for the job and why? Feel free to leave a comment down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/11/03/password-manager-keepass-2-60-is-now-available-here-is-what-is-new/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 4 November 2025 at 5:05 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32257</guid><pubDate>Mon, 03 Nov 2025 19:06:27 +0000</pubDate></item><item><title>The Curious Case of the Bizarre, Disappearing Captcha</title><link>https://nsaneforums.com/news/security-privacy-news/the-curious-case-of-the-bizarre-disappearing-captcha-r32254/</link><description><![CDATA[<h3>
	While puzzling captchas—from dogs in hats to sliding jockstraps—still exist, most bot-deterring challenges have vanished into the background.
</h3>

<p>
	<span class="lead-in-text-callout">As I browse</span> the web in 2025, I rarely <a href="https://www.wired.com/story/failed-captcha-test-am-i-still-human/" rel="external nofollow">encounter captchas</a> anymore. There’s no slanted text to discern. No image grid of stoplights to identify.
</p>

<p>
	 
</p>

<p>
	And on the rare occasion that I am asked to complete some bot-deterring task, the experience almost always feels surreal. A colleague shared recent tests where they were presented with images of dogs and ducks wearing hats, from bowler caps to French berets. The <a href="https://www.wired.com/category/security/" rel="external nofollow">security</a> questions ignored the animal’s hats, rudely, asking them to select the photos that showed animals with four legs.
</p>

<p>
	 
</p>

<p>
	Other puzzles are hyper-specific to their audience. For example, the captcha for Sniffies, a gay hookup site, has users slide a jockstrap across their <a href="https://www.wired.com/tag/smartphones/" rel="external nofollow">smartphone</a> screen to find the matching pair of underwear.
</p>

<p>
	 
</p>

<p>
	So, where have all the <a href="https://www.wired.com/story/captcha-automation-broken-history-fix/" rel="external nofollow">captchas gone</a>? And why are the few existing challenges so <a href="https://www.wired.com/story/smiling-dogs-horses-made-of-clouds-captcha-has-gone-too-far/" rel="external nofollow">damn weird</a>? I spoke with cybersecurity experts to better understand the current state of these vanishing challenges and why the future will probably look even more peculiar.
</p>

<h2 class="paywall">
	Bot Friction, Human Frustration
</h2>

<p>
	“When the captcha was first invented, the idea was that this was literally a task a computer could not do,” says Reid Tatoris, who leads Cloudflare’s application security detection team. The term captcha—Completely Automated Public Turing test to tell Computers and Humans Apart—was coined by researchers in 2003 and presented as a way to protect websites from malicious, nonhuman users.
</p>

<p>
	 
</p>

<p>
	The initial test most users saw online contained funky characters, usually a combo of warped letters and numbers you had to replicate by typing them into a text field. Computers couldn’t see what the characters were; humans could, even if most of us had to squint to get it right.
</p>

<p>
	 
</p>

<p>
	Financial companies like PayPal and <a href="https://www.wired.com/tag/email/" rel="external nofollow">email</a> providers like Yahoo used this iteration to ward off automated bots. More websites eventually added audio readouts of the correct answer after receiving pressure from Blind and low-vision advocacy groups, whose members were indeed humans browsing the web but could not complete a vision-based challenge.
</p>

<p>
	 
</p>

<p>
	What if, rather than just a test to keep out bots, the challenge could generate useful data? That was a core idea behind the release of reCaptcha in 2007. With reCaptcha, users identified words that machine learning algorithms could not read at the time. This sped up the process of transferring print media into an online form. The tech was quickly acquired by Google, and reCaptcha was instrumental in the company’s efforts to digitize books.
</p>

<p>
	 
</p>

<p>
	As machine learning capabilities improved—and they learned to read funky text—online security checkpoints adapted to be more difficult for malicious bots to circumvent. The next iteration of reCaptcha challenges included grids of images where users were asked to select specific options, like photos containing a motorcyclist. Google used the data collected here to <a href="https://techcrunch.com/2012/03/29/google-now-using-recaptcha-to-decode-street-view-addresses/" rel="external nofollow" target="_blank">improve its online maps</a>.
</p>

<p>
	 
</p>

<p>
	At the same time as the difficulty of online security challenges ramped up, so did <a href="https://www.wired.com/story/im-not-a-robot-why-captchas-hard-to-solve/" rel="external nofollow">users' frustration</a> as they were asked increasingly complex and esoteric questions to prove their humanity. Online users were asked to select all of the “<a href="https://www.wired.com/story/smiling-dogs-horses-made-of-clouds-captcha-has-gone-too-far/" rel="external nofollow">smiling dogs</a>” in image labeling questions from hCaptcha, a privacy-focused alternative to Google’s service. How baffling!
</p>

<h2 class="paywall">
	“Completely Invisible”
</h2>

<p>
	Google’s launch of <a href="https://developers.google.com/recaptcha/docs/v3" rel="external nofollow">reCaptcha v3</a> in 2018 was a major shift toward decreasing how often people see challenges at all online.
</p>

<p>
	 
</p>

<p>
	“Instead of interrupting a user, our technology analyzes signals and behavior during an interaction to generate a risk score on which actions can be taken by the website owner,” says Tim Knudsen, a director of product management at Google Cloud, in an email to WIRED. This switch, which accurately sniffed for which users were flesh and which were silicon, made this generation of bot-blocking tech “completely invisible” for most web surfers.
</p>

<p>
	 
</p>

<p>
	A few years later, in 2022, Cloudflare <a href="https://www.wired.com/story/cloudflare-captcha-turnstile/" rel="external nofollow">dropped Turnstile</a>, another reCaptcha alternative. It was an additional major move away from human-completed tests and toward pattern-based usage analysis. Similar to the standard version of reCaptcha, Turnstile can be added to websites for free.
</p>

<p>
	 
</p>

<p>
	You might not remember the name, but you’ve likely encountered one of these Turnstile challenges before. It’s the random-seeming request to click on a box to prove you’re human.
</p>

<p>
	 
</p>

<p>
	On the user end, Turnstile sometimes appears as a basic checkbox, but it’s more complicated than that. “Clicking the button doesn't at all mean you pass,” says Tatoris. “That is a way for us to gather more information from the client, from the device, from the software to figure out what's going on.” After the data is gathered, a decision is made about whether the user is allowed to access the site.
</p>

<p>
	 
</p>

<p>
	Leading companies have a clear reason for the gratis implementation of their security software. “Cloudflare gives Turnstile away for free to the whole internet because we want more training data,” says Tatoris. “We see 20 percent of all HTTP requests across the internet. So, getting that massive training data set helps us know what a human looks like on the page versus what a bot does.”
</p>

<p>
	 
</p>

<p>
	Google’s Knudsen says he anticipates visual challenges to stick around but continue becoming a less critical and less frequent aspect of website protection.
</p>

<h2 class="paywall">
	Odd Tasks
</h2>

<p>
	Even though most bot-deterring methods no longer need much input on the user end, if any at all, the unhinged captcha lives on, even as a rarity.
</p>

<p>
	 
</p>

<p>
	Another, more recent, entry into the captcha game is <a href="https://www.arkoselabs.com/" rel="external nofollow" target="_blank">Arkose Labs</a>, and the security company’s paid MatchKey service isn’t necessarily about blocking bots at all. “We have challenges which are what you would define as a captcha as one of our products,” says Kevin Gosschalk, Arkose’s CEO and founder. “But the intent is to be cost-proofing, not human-proofing.”
</p>

<p>
	 
</p>

<p>
	The goal of his challenges is to make it so expensive to attack a website that it’s no longer a profitable endeavor. The puzzles are tailored to disincentivize attacks within specific contexts. For example, if someone is getting paid to solve security challenges manually, Arkose may detect that and serve them a time-intensive task to complete and occasionally reject their answer no matter what.
</p>

<p>
	 
</p>

<p>
	As part of Arkose’s “cost-proofing” measures, the company also sells a version of MatchKey designed to thwart attacks coming from people using large language models or other generative AI tools. “You defeat an LLM by giving it novel, unusual things that it has no business knowing or have previously been asked,” says Gosschalk. He gives an example of having users answer questions about a strange collage, like a fake photo of a frog in a pond that has the head of a bird and the reflection of a horse. The mishmashed image is not something that an <a href="https://www.wired.com/story/ai-models-social-media-cognitive-decline-study/" rel="external nofollow">AI model</a> has likely seen before.
</p>

<p>
	 
</p>

<p>
	For the odd cases when you do still encounter an online security challenge in the coming months and years, don’t expect the puzzles ever to return to that initial iteration. Goodbye distorted jumble of letters and numbers, I didn’t realize I’d miss you until you were already gone.
</p>

<p>
	 
</p>

<p>
	Familiar challenge structures may also eventually go by the wayside. “While the classic visual puzzle is well-known, we are actively introducing new challenge types—like prompting a user to scan a QR code or perform a specific hand gesture,” says Google’s Knudsen. This allows the company to still add friction without confusing the user with an impossible task.
</p>

<p>
	 
</p>

<p>
	The success of <a href="https://www.wired.com/category/security/security-advice/" rel="external nofollow">security measures</a> like these is not wholly measured in stopping existing threats to websites. It hinges on how fast companies can detect and prevent the ever-shifting waves of nascent attacks. “We know that the new detections will have to spin up two years from now are totally different from what we have in place now,” says Cloudflare’s Tatoris.
</p>

<p>
	 
</p>

<p>
	Whatever comes next for security challenges, with their increasing weirdness and behind-the-scenes signals, I just hope I’m always able to prove my humanness online. I’ve never been that good at taking tests.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/bizarre-disappearing-captcha/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 4 November 2025 at 5:03 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32254</guid><pubDate>Mon, 03 Nov 2025 19:03:35 +0000</pubDate></item><item><title>You Shouldn't Store Passwords In Your Web Browser &#x2014; Here's Why</title><link>https://nsaneforums.com/news/security-privacy-news/you-shouldnt-store-passwords-in-your-web-browser-%E2%80%94-heres-why-r32240/</link><description><![CDATA[<p>
	There's no denying that saving your password on your web browser is as easy as it is convenient. When your browser politely asks if you'd like it to "save your password for next time," it feels like a favor you should accept. After all, it's free, can be synced across your devices, and saves you time spent figuring out or inputting whatever mix of uppercase letters, numbers, and symbols you came up with for your login.
</p>

<p>
	 
</p>

<p>
	The problem with accepting that favor is that, by default, browser password managers lack certain security features, as they are not built to protect information as robustly as dedicated password managers. Browsers like Chrome and Edge store passwords in the local browser profile folders and then sync them to Google and Microsoft servers. They do not employ the end-to-end encrypted vault or servers that a dedicated password manager would, offering only OS-level encryption at best.
</p>

<p>
	 
</p>

<p>
	The reason this isn't good enough is that it leaves your passwords at risk from anyone who logs into your account or has access to it. So, if your account is compromised or suffers a malware attack, your passwords are as good as an open secret, and even your more complicated passwords can be vulnerable. Then there are phishing attacks and malicious extensions, where browsers can autofill passwords into websites that merely look legitimate. What you'll want is a dedicated password manager, since it uses a master password or key that you create and control. That way, you alone have access to your credentials, even in the event of an account compromise or a cyber attack.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Why a dedicated password manager might serve you better</strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="why-a-dedicated-password-manager-might-s" class="ipsImage" data-ratio="60.69" height="404" width="720" src="https://www.slashgear.com/img/gallery/you-shouldnt-store-passwords-in-your-web-browser-heres-why/why-a-dedicated-password-manager-might-serve-you-better-1761683409.webp" />
</p>

<p>
	 
</p>

<p>
	In general, there are several ways you can benefit from using a password manager. But using one that is dedicated to being just that and only that has even more upside than using the free Google Password Manager, for instance. The main advantage is that dedicated password managers use advanced encryption and zero-knowledge architecture. They typically use AES-256 or similar encryption standards, keeping encrypted databases separate from browser access. With these password managers, you can decrypt passwords only when needed and only on your local device, reducing your exposure to compromise and malware.
</p>

<p>
	 
</p>

<p>
	Speaking of which, dedicated password managers are outstanding when it comes to resisting malware theft and cyber attacks, and at providing breach alerts. Malware such as RedLine Stealer and Raccoon, which is designed to harvest saved browser passwords, has been shown to struggle against the encrypted vaults of password managers. These dedicated password managers also reduce the phishing risk that autofill subsystems pose by verifying domain names before filling data. Additionally, password managers actively monitor for data breaches using their integrated breach-checking tools, which adds a layer of defense that your browser won't.
</p>

<p>
	 
</p>

<p>
	You should know that although Google uses the same high-standard AES technology that dedicated password managers use, you'll still need to sync with your device's security, such as Windows Hello, to enjoy its benefits. Also, Apple's Keychain (or Passwords app) stands somewhat apart. It uses end-to-end encryption across Apple devices, meaning even Apple cannot access your passwords. Keychain is more secure than standard browser managers, but still not quite as specialized or transparent as dedicated ones.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>What to do if you decide to stick to your browser's password manager</strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="what-to-do-if-you-decide-to-stick-to-you" class="ipsImage" data-ratio="60.69" height="404" width="720" src="https://www.slashgear.com/img/gallery/you-shouldnt-store-passwords-in-your-web-browser-heres-why/what-to-do-if-you-decide-to-stick-to-your-browsers-password-manager-1761683409.webp" />
</p>

<p>
	 
</p>

<p>
	If the convenience your web browser offers is too great to pass up, then you can take certain measures to ensure you're using it more securely. One way to do this is by enabling on-device encryption available on the Google Password Manager. Google's on-device encryption gives you and only you the encryption keys to manage your passwords by integrating your device's screen lock. It's like an extra bit of protection that will be exclusive to your device, but also means you risk losing your passwords when you lose your Google login.
</p>

<p>
	 
</p>

<p>
	You can also restrict your browser from autofilling passwords. To do this on Chrome, click the three dots at the top right corner, go to "Settings," click "Autofill and passwords," and then select "Google password manager." From there, go to "Settings" and toggle off "Offer to save passwords." For Microsoft Edge, open "Settings" and select "Passwords and autofill." Then, go to "More Settings" and toggle off "Autofill Passwords and Passkeys." On Safari for macOS Catalina 10.15 and later, go to "File," then "Export," and click "Passwords." Once there, click "Export Passwords" and enter your Mac's password to save the file.
</p>

<p>
	 
</p>

<p>
	Another thing you can do is enable two-factor authentication (2FA) on every online account whose password you have saved in your browser. This is separate from integrating your device's security, such as PINs, biometrics, and passwords, into your password manager. Lastly, take time to go through and review your saved passwords and delete the ones you consider too sensitive to risk.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.slashgear.com/2010389/you-shouldnt-store-passwords-in-web-browser/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32240</guid><pubDate>Sun, 02 Nov 2025 21:31:08 +0000</pubDate></item><item><title>NSA Issues Microsoft Exchange Server &#x2018;High-Risk Of Compromise&#x2019; Alert</title><link>https://nsaneforums.com/news/security-privacy-news/nsa-issues-microsoft-exchange-server-%E2%80%98high-risk-of-compromise%E2%80%99-alert-r32232/</link><description><![CDATA[<p>
	Microsoft has been in the media spotlight recently as Windows attackers exploit a no-patch vulnerability, emergency security updates are issued for another ongoing exploit, and the Cybersecurity and Infrastructure Security Agency tells federal agencies to update now as Windows Server attacks are confirmed in the wild. It’s not all bad news, though: the National Security Agency has issued a security best practices guide to defending your Microsoft Exchange Servers, with CISA warning the platform remains “at high risk of compromise.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Microsoft Exchange Server Security Best Practices</strong></span>
</p>

<p>
	 
</p>

<p>
	This isn’t the first time that U.S. security agencies have warned about the dangers of attacks targeting Microsoft Exchange Servers, and likely will not be the last. It is, however, a long-overdue acceptance of the need for official guidance when it comes to Microsoft Exchange Server security best practices. Not just for government agencies, but all enterprises. Sure, there’s plenty of such advice already out there, not least from Microsoft itself, but the added weight of CISA and the NSA certainly isn’t to be sniffed at.
</p>

<p>
	 
</p>

<p>
	Thankfully, for such things, the document itself is relatively short and to the point at just 10 pages of Microsoft Exchange Server security guidance. The brevity is noted by the NSA and CISA within the introductory paragraph: “This document outlines several security best practices, but is not an all-inclusive hardening guide. Active monitoring for compromises and planning for potential incidents and recovery, while not discussed in this guidance, are equally important areas for Exchange.”
</p>

<p>
	 
</p>

<p>
	So, what does the guidance cover then?
</p>

<p>
	 
</p>

<p>
	While you are, rather obviously, recommended to go and read the entire best practices guidance yourself, here’s the bullet point summary:
</p>

<p>
	 
</p>

<ul>
	<li>
		    Maintain security updates and patching cadence
	</li>
	<li>
		    Migrate end-of-life Exchange Servers
	</li>
	<li>
		    Ensure Emergency Mitigation Service remains enabled
	</li>
	<li>
		    Apply security baselines
	</li>
	<li>
		    Enable built-in protections
	</li>
	<li>
		    Restrict administrative access
	</li>
	<li>
		    Harden authentication and encryption
	</li>
	<li>
		    Configure Transport Layer Security
	</li>
	<li>
		    Configure Extended Protection
	</li>
	<li>
		    Configure Kerberos and SMB instead of NTLM
	</li>
	<li>
		    Configure Modern Authentication and multifactor authentication
	</li>
	<li>
		    Configure certificate-based signing of PowerShell serialization
	</li>
	<li>
		    Configure Strict Transport Security
	</li>
	<li>
		    Configure Download Domains
	</li>
	<li>
		    Use role management and split permissions
	</li>
	<li>
		    Use P2 FROM header manipulation detection
	</li>
</ul>

<p>
	 
</p>

<p>
	Look, nobody said that security was easy, OK? But as the NSA concluded, “securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions.” By using the best practices outlined above, you can help reduce the risk to your organization from Microsoft Exchange Server attackers.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.forbes.com/sites/daveywinder/2025/11/02/nsa-issues-microsoft-exchange-server-high-risk-of-compromise-alert/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32232</guid><pubDate>Sun, 02 Nov 2025 13:54:28 +0000</pubDate></item><item><title>Beware of fake Microsoft Teams ads spreading ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/beware-of-fake-microsoft-teams-ads-spreading-ransomware-r32219/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Ransomware gang uses fake Microsoft Teams ads to deliver malware </span>
</p>

<p>
	 
</p>

<p>
	<strong>What Happened:</strong> Heads up, everyone. There’s a really nasty new scam making the rounds, and it’s targeting anyone searching for Microsoft Teams.
</p>

<p>
	 
</p>

<ul>
	<li>
		A ransomware gang called Rhysida has been buying up ad space on search engines, especially Bing. So, when you search for “Microsoft Teams,” their fake ad might be the first thing you see. It looks totally legit, like it’s pointing right to the real Microsoft download page.
	</li>
	<li>
		But it’s a trap. When you click it, it sends you to a bogus website (one that’s probably spelled almost like the real one, a tactic called “typosquatting”).
	</li>
	<li>
		You download what you think is the Teams installer, but it’s actually a piece of malware called OysterLoader. Once that’s on your system, it can let the hackers in to eventually lock up all your files with ransomware.
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cybersecurity-hacks-coronavirus.jpg?resi" class="ipsImage" data-ratio="75.10" height="469" width="720" src="https://www.digitaltrends.com/wp-content/uploads/2020/04/cybersecurity-hacks-coronavirus.jpg?resize=1536,1002" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;">EThamPhoto / Getty Images / EThamPhoto / Getty Images</span>
</p>

<p>
	 
</p>

<p>
	<strong>Why This Is Important:</strong> This is a scarily smart campaign. These guys, who have been linked to over 200 data leaks, are part of a “ransomware-as-a-service” network (yep, that’s a real thing).
</p>

<p>
	 
</p>

<ul>
	<li>
		To make the scam work, they’re using a bunch of digital certificates – those little things that are supposed to tell Windows, “Hey, this software is legit and safe.”
	</li>
	<li>
		Because the malware has a (likely stolen) certificate, your computer trusts it, and your antivirus program might not even flag it. One security firm said that at first, almost no antivirus tools were catching this thing, giving the hackers plenty of time to get in.
	</li>
	<li>
		Microsoft is in a high-stakes game of whack-a-mole; they’ve already revoked over 200 of these fake certificates, but the bad guys just keep evolving.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Why Should I Care:</strong> This isn’t just a problem for big companies. They are hitting individuals, schools, and small businesses – anyone who might be looking for popular software.
</p>

<p>
	 
</p>

<ul>
	<li>
		If you’ve downloaded Microsoft Teams (or any popular app, really) from a search ad recently, you could be at risk.
	</li>
	<li>
		Clicking that one wrong link could be all it takes to get your entire computer – all your photos, documents, and personal files – encrypted and held for ransom.
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cybersecurity-lede-photo.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.digitaltrends.com/wp-content/uploads/2019/10/cybersecurity-lede-photo.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;">TheDigitalWay/Pixabay / Pixabay</span>
</p>

<p>
	 
</p>

<p>
	<strong>What’s Next:</strong> Security experts are all over this, and Microsoft is fighting back, but these groups adapt fast. The best defense for you? It’s pretty simple:
</p>

<p>
	 
</p>

<ul>
	<li>
		Never, ever download software from a search ad.
	</li>
	<li>
		Seriously, just don’t. Always go directly to the official website yourself (like typing in microsoft.com by hand).
	</li>
	<li>
		Using an ad blocker on your browser is also a fantastic idea, as it will probably stop you from even seeing these malicious ads in the first place. Stay safe out there.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong><a href="https://www.digitaltrends.com/computing/beware-of-fake-microsoft-teams-ads-spreading-ransomware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32219</guid><pubDate>Sat, 01 Nov 2025 23:42:42 +0000</pubDate></item><item><title>New Warning As Microsoft Windows Attacks Confirmed &#x2014; No Fix Available</title><link>https://nsaneforums.com/news/security-privacy-news/new-warning-as-microsoft-windows-attacks-confirmed-%E2%80%94-no-fix-available-r32206/</link><description><![CDATA[<p>
	No sooner had Microsoft issued an emergency security update for Windows users following attacks spotted in the wild than news broke of another ongoing cyberattack targeting Windows. This one, however, does not have a fix as of yet. Here’s what you need to know about CVE-2025-9491.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>CVE-2025-9491 Is Now Being Exploited by Attackers in the Wild — No Fix Available from Microsoft</strong></span>
</p>

<p>
	 
</p>

<p>
	Just as you might have thought that things were improving on the security front as far as Windows users were concerned, with new admin protections announced, and another year of free security updates for Windows 10, comes the latest hammer blow: an active and widespread cyber espionage campaign exploiting what is now a critical vulnerability, with no Microsoft security patch to fix it.
</p>

<p>
	 
</p>

<p>
	A detailed and highly technical analysis from the cybersecurity boffins at Arctic Wolf Labs has confirmed that threat actors affiliated with China are currently exploiting a Windows remote code execution vulnerability, CVE-2025-9491, in ongoing attacks. The vulnerability was first reported in March. Yes, March.
</p>

<p>
	 
</p>

<p>
	The attacks appear to be targeting “European diplomatic entities in Hungary, Belgium, and additional European nations,” the analysis determined, but now that the exploit cat is out of the bag, it would not be at all surprising were this vulnerability to be used in much broader campaigns until Microsoft can fix it. So do not think that it does not concern you; it most certainly could.
</p>

<p>
	 
</p>

<p>
	The current attacks use a chain of phishing emails with an embedded URL that ultimately leads to malicious LNK files, or Windows shortcuts, being delivered to the target. The vulnerability is then exploited to run obfuscated PowerShell commands that, Arctic Wolf said, “extract and deploy a multi-stage malware chain,” “culminating in PlugX remote access trojan deployment.” At that point the cyber damage is done.
</p>

<p>
	 
</p>

<p>
	I have approached Microsoft for a statement and will update this article as soon as I hear back, but in the meantime, with no readily available security patch to apply, Windows users are advised to block .lnk files from any untrusted source within their Windows Explorer settings.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.forbes.com/sites/daveywinder/2025/11/01/new-warning-as-microsoft-windows-attacks-confirmed---no-fix-available/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32206</guid><pubDate>Sat, 01 Nov 2025 12:15:00 +0000</pubDate></item><item><title>OpenAI Unveils Aardvark: GPT-5 Agent That Finds and Fixes Code Flaws Automatically</title><link>https://nsaneforums.com/news/security-privacy-news/openai-unveils-aardvark-gpt-5-agent-that-finds-and-fixes-code-flaws-automatically-r32201/</link><description><![CDATA[<p>
	OpenAI has announced the launch of an "agentic security researcher" that's powered by its GPT-5 large language model (LLM) and is programmed to emulate a human expert capable of scanning, understanding, and patching code.
</p>

<p>
	 
</p>

<p>
	Called Aardvark, the autonomous agent is designed, the artificial intelligence (AI) company said, to help developers and security teams flag and fix security vulnerabilities at scale. It's currently available in private beta.
</p>

<p>
	 
</p>

<p>
	"Aardvark continuously analyzes source code repositories to identify vulnerabilities, assess exploitability, prioritize severity, and propose targeted patches," OpenAI noted.
</p>

<p>
	 
</p>

<p>
	It works by embedding itself into the software development pipeline, monitoring commits and changes to codebases, detecting security issues and how they might be exploited, and proposing fixes to address them using LLM-based reasoning and tool-use.
</p>

<p>
	 
</p>

<p>
	Powering the agent is GPT‑5, which OpenAI introduced in August 2025. The company describes it as a "smart, efficient model" that features deeper reasoning capabilities, courtesy of GPT‑5 thinking, and a "real‑time router" to decide the right model to use based on conversation type, complexity, and user intent.
</p>

<p>
	 
</p>

<p>
	Aardvark, OpenAI added, analyses a project's codebase to produce a threat model that it thinks best represents its security objectives and design. With this contextual foundation, the agent then scans its history to identify existing issues, as well as detect new ones by scrutinizing incoming changes to the repository.
</p>

<p>
	 
</p>

<p>
	Once a potential security defect is found, it attempts to trigger it in an isolated, sandboxed environment to confirm its exploitability and leverages OpenAI Codex, its coding agent, to produce a patch that can be reviewed by a human analyst.
</p>

<p>
	 
</p>

<p>
	OpenAI said it's been running the agent across OpenAI's internal codebases and some of its external alpha partners, and that it has helped identify at least 10 CVEs in open-source projects.
</p>

<p>
	 
</p>

<p>
	The AI upstart is far from the only company to trial AI agents to tackle automated vulnerability discovery and patching. Earlier this month, Google announced CodeMender that it said detects, patches, and rewrites vulnerable code to prevent future exploits.
</p>

<p>
	 
</p>

<p>
	The tech giant also noted that it intends to work with maintainers of critical open-source projects to integrate CodeMender-generated patches to help keep projects secure.
</p>

<p>
	 
</p>

<p>
	Viewed in that light, Aardvark, CodeMender, and XBOW are being positioned as tools for continuous code analysis, exploit validation, and patch generation. The launch also comes close on the heels of OpenAI's release of the gpt-oss-safeguard models, which are fine-tuned for safety classification tasks.
</p>

<p>
	 
</p>

<p>
	"Aardvark represents a new defender-first model: an agentic security researcher that partners with teams by delivering continuous protection as code evolves," OpenAI said. "By catching vulnerabilities early, validating real-world exploitability, and offering clear fixes, Aardvark can strengthen security without slowing innovation. We believe in expanding access to security expertise."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/openai-unveils-aardvark-gpt-5-agent.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32201</guid><pubDate>Sat, 01 Nov 2025 10:25:06 +0000</pubDate></item><item><title>Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack</title><link>https://nsaneforums.com/news/security-privacy-news/nation-state-hackers-deploy-new-airstalk-malware-in-suspected-supply-chain-attack-r32200/</link><description><![CDATA[<p>
	A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.
</p>

<p>
	 
</p>

<p>
	Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation.
</p>

<p>
	 
</p>

<p>
	"Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads."
</p>

<p>
	 
</p>

<p>
	The malware, which appears in PowerShell and .NET variants, makes use of a multi-threaded command-and-control (C2) communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, and bookmarks from web browsers. It's believed that the threat actors are leveraging a stolen certificate to sign some of the artifacts.
</p>

<p>
	 
</p>

<p>
	Unit 42 said the .NET variant of Airstalk is equipped with more capabilities than its PowerShell counterpart, suggesting it could be an advanced version of the malware.
</p>

<p>
	 
</p>

<p>
	The PowerShell variant, for its part, utilizes the "/api/mdm/devices/" endpoint for C2 communications. While the endpoint is designed to fetch content details of a particular device, the malware abuses the API's custom attributes feature as a dead drop resolver, storing there the information it needs to interact with the attacker.
</p>

<p>
	 
</p>

<p>
	Once launched, the backdoor initializes contact by sending a "CONNECT" message and awaits a "CONNECTED" message from the server. It then receives various tasks to be executed on the compromised host in the form of a message of type "ACTIONS." The output of the execution is sent back to the threat actor using a "RESULT" message.
</p>

<p>
	 
</p>

<p>
	The backdoor supports seven different ACTIONS, including taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, obtaining browser bookmarks of a given profile, collecting the browser history of a given Chrome profile, enumerating all files within the user's directory, and uninstalling itself from the host.
</p>

<p>
	 
</p>

<p>
	"Some tasks require sending back a large amount of data or files after Airstalk is executed," Unit 42 said. "To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="palo.png" class="ipsImage" data-ratio="75.10" height="540" width="610" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNW67elB0Gt2F5VUaIhJUwb5meCubbabkqfniFf88wiHCwrlmitTvwIeIxCeHQtjsqotHzA-7em7xBw3zVRTFkmWf6saf5yuuWzZytD870qFxjNk5sExdNwJJZuK_mUzr7jAW35w2PKyRcFVmxGOB4iqw4e3a0X0iRovGbknftkmhnJQ0c6foWC-NoW4nI/s2600/palo.png" />
</p>

<p>
	The .NET variant of Airstalk expands on the capabilities by also targeting Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility ("AirwatchHelper.exe"). Furthermore, it supports three more message types:
</p>

<p>
	 
</p>

<ul>
	<li>
		MISMATCH, for flagging version mismatch errors
	</li>
	<li>
		DEBUG, for sending debug messages
	</li>
	<li>
		PING, for beaconing
	</li>
</ul>

<p>
	 
</p>

<p>
	In addition, it uses three different execution threads, each of which serves a unique purpose: to manage C2 tasks, exfiltrate the debug log, and beacon to the C2 server. The malware also supports a broader set of commands, although one of them appears not to have been implemented yet:
</p>

<p>
	 
</p>

<ul>
	<li>
		Screenshot, to take a screenshot
	</li>
	<li>
		UpdateChrome, to exfiltrate a specific Chrome profile
	</li>
	<li>
		FileMap, to list the contents of a specified directory
	</li>
	<li>
		RunUtility (not implemented)
	</li>
	<li>
		EnterpriseChromeProfiles, to fetch available Chrome profiles
	</li>
	<li>
		UploadFile, to exfiltrate specific Chrome artifacts and credentials
	</li>
	<li>
		OpenURL, to open a new URL in Chrome
	</li>
	<li>
		Uninstall, to finish the execution
	</li>
	<li>
		EnterpriseChromeBookmarks, to fetch Chrome bookmarks from a specific user profile
	</li>
	<li>
		EnterpriseIslandProfiles, to fetch available Island browser profiles
	</li>
	<li>
		UpdateIsland, to exfiltrate a specific Island browser profile
	</li>
	<li>
		ExfilAlreadyOpenChrome, to dump all cookies from the current Chrome profile
	</li>
</ul>

<p>
	 
</p>

<p>
	Interestingly, while the PowerShell variant uses a scheduled task for persistence, its .NET version lacks such a mechanism. Unit 42 said some of the .NET variant samples are signed with a "likely stolen" certificate signed by a valid certificate authority (Aoteng Industrial Automation (Langfang) Co., Ltd.), with early iterations featuring a compilation timestamp of June 28, 2024.
</p>

<p>
	 
</p>

<p>
	It's currently not known how the malware is distributed, or who may have been targeted in these attacks. But the use of MDM-related APIs for C2 and the targeting of enterprise browsers like Island suggest the possibility of a supply chain attack targeting the business process outsourcing (BPO) sector.
</p>

<p>
	 
</p>

<p>
	"Organizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers," it said. "Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely."
</p>

<p>
	 
</p>

<p>
	"The evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly true if the malware is running within a third-party vendor's environment. This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32200</guid><pubDate>Sat, 01 Nov 2025 10:22:17 +0000</pubDate></item></channel></rss>
