<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/14/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Researchers report rare intrusion by suspected Chinese hackers into Russian tech firm</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-report-rare-intrusion-by-suspected-chinese-hackers-into-russian-tech-firm-r31887/</link><description><![CDATA[<p>
	 Chinese state-linked hackers have reportedly breached a Russian IT service provider in what appears to be an espionage campaign — a rare case of Chinese threat actors targeting a purported ally, researchers said.
</p>

<p>
	 
</p>

<p>
	According to a new report by cybersecurity firm Symantec, the hackers gained access to the Russian company’s software build and code-repository systems between January and May 2025 — suggesting the breach may have been an attempted software supply-chain attack aimed at the firm’s customers.
</p>

<p>
	 
</p>

<p>
	Symantec refers to the group as Jewelbug, and says its operations focus on long-term espionage rather than financial gain. Also tracked as Earth Alux, the threat actor has been active since mid-2023, targeting government and corporate networks across South America, South and Southeast Asia, and Taiwan. 
</p>

<p>
	 
</p>

<p>
	IT service providers are especially attractive targets because they often have deep access to clients’ systems and can push software updates across multiple networks at once. This means the latest breach could have opened the door for attackers to infiltrate dozens of Russian companies, enabling widespread cyber-espionage or potentially disruptive operations, Symantec said.
</p>

<p>
	 
</p>

<p>
	The attackers used Yandex Cloud, a legitimate Russian cloud platform, to exfiltrate data — likely to avoid detection. “Yandex is a legitimate and commonly used cloud service in Russia. For this reason, it is unlikely to be blocked by Russian enterprises, and its use is less likely to raise suspicions,” researchers said.
</p>

<p>
	 
</p>

<p>
	Beyond Russia, Jewelbug has compromised a South American government agency, a Taiwanese software company, and an IT provider in South Asia over the past year, Symantec said. In some of these intrusions, the researchers spotted a new backdoor that appeared to still be under development — signaling an expansion of the group’s technical capabilities.
</p>

<p>
	 
</p>

<p>
	The campaign suggests “Russia is not out of bounds” for Chinese cyber-espionage operations. Moscow and Beijing are generally viewed as strategic partners.
</p>

<p>
	 
</p>

<p>
	Symantec’s report follows a series of findings pointing to growing Chinese cyber activity against Russian entities.
</p>

<p>
	 
</p>

<p>
	The New York Times, citing cybersecurity analysts and a leaked document from Russia’s FSB security agency, recently reported that since Russia’s full-scale invasion of Ukraine, China has repeatedly carried out cyberattacks on Russian government agencies and defense companies to steal military intelligence.
</p>

<p>
	 
</p>

<p>
	Last year, Moscow-based Kaspersky identified intrusions into Russian government and tech networks involving tools linked to Chinese groups APT31 and APT27. Earlier this year, Politico reported that Chinese state-sponsored hackers — including those tracked as Mustang Panda and Tonto Team — targeted Russian aerospace and defense firms.
</p>

<p>
	 
</p>

<p>
	“Jewelbug, as a relatively new Chinese APT group, is one to watch,” Symantec said. “It has the skills to develop its own malware and maintain a long-term, stealthy presence on networks.” 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/rare-china-linked-intrusion-russian-tech-firms" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31887</guid><pubDate>Wed, 15 Oct 2025 12:40:19 +0000</pubDate></item><item><title>Two New Windows Zero-Days Exploited in the Wild &#x2014; One Affects Every Version Ever Shipped</title><link>https://nsaneforums.com/news/security-privacy-news/two-new-windows-zero-days-exploited-in-the-wild-%E2%80%94-one-affects-every-version-ever-shipped-r31886/</link><description><![CDATA[<p>
	Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.
</p>

<p>
	 
</p>

<p>
	Of the 183 vulnerabilities, eight of them are non-Microsoft issued CVEs. As many as 165 flaws have been rated as Important in severity, followed by 17 as Critical and one as Moderate. The vast majority of them relate to elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest of them.
</p>

<p>
	 
</p>

<p>
	The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025's Patch Tuesday update.
</p>

<p>
	 
</p>

<p>
	The two Windows zero-days that have come under active exploitation are as follows -
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2025-24990 (CVSS score: 7.8) - Windows Agere Modem Driver ("ltmdm64.sys") Elevation of Privilege Vulnerability
	</li>
	<li>
		CVE-2025-59230 (CVSS score: 7.8) - Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft said both issues could allow attackers to execute code with elevated privileges, although there are currently no indications on how they are being exploited and how widespread these efforts may be. In the case of CVE-2025-24990, the company said it's planning to remove the driver entirely, rather than issue a patch for a legacy third-party component.
</p>

<p>
	 
</p>

<p>
	The security defect has been described as "dangerous" by Alex Vovk, CEO and co-founder of Action1, as it's rooted within legacy code installed by default on all Windows systems, irrespective of whether the associated hardware is present or in use.
</p>

<p>
	 
</p>

<p>
	"The vulnerable driver ships with every version of Windows, up to and including Server 2025," Adam Barnett, lead software engineer at Rapid7, said. "Maybe your fax modem uses a different chipset, and so you don't need the Agere driver? Perhaps you've simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator."
</p>

<p>
	 
</p>

<p>
	According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-59230 is the first vulnerability in RasMan to be exploited as a zero-day. Microsoft has patched more than 20 flaws in the component since January 2022.
</p>

<p>
	 
</p>

<p>
	The third vulnerability that has been exploited in real-world attacks concerns a case of Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827, CVSS score: 4.6). Details about the flaw were first publicly disclosed by security researcher Zack Didcott in June 2025.
</p>

<p>
	 
</p>

<p>
	"The impacts of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the Virtual Desktops, including capturing credentials," Kev Breen, senior director of threat research at Immersive, said.
</p>

<p>
	 
</p>

<p>
	"It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that 'evil-maid' style attacks are the most likely vector affecting employees who travel frequently."
</p>

<p>
	 
</p>

<p>
	All three issues have since been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by November 4, 2025.
</p>

<p>
	 
</p>

<p>
	Some other critical vulnerabilities of note include a remote code execution (RCE) bug (CVE-2025-59287, CVSS score: 9.8) in Windows Server Update Service (WSUS), an out-of-bounds read vulnerability in the Trusted Computing Group (TCG) TPM2.0 reference implementation's CryptHmacSign helper function (CVE-2025-2884, CVSS score: 5.3), and an RCE in Windows URL Parsing (CVE-2025-59295, CVSS score: 8.8).
</p>

<p>
	 
</p>

<p>
	"An attacker can leverage this by carefully constructing a malicious URL," Ben McCarthy, lead cybersecurity engineer at Immersive, said. "The overflowed data can be designed to overwrite critical program data, such as a function pointer or an object's virtual function table (vtable) pointer."
</p>

<p>
	 
</p>

<p>
	"When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the program's execution flow to a memory address controlled by the attacker. This allows the attacker to execute arbitrary code (shellcode) on the target system."
</p>

<p>
	 
</p>

<p>
	Two vulnerabilities with the highest CVSS score in this month's update relate to a privilege escalation flaw in Microsoft Graphics Component (CVE-2025-49708, CVSS score: 9.9) and a security feature bypass in ASP.NET (CVE-2025-55315, CVSS score: 9.9).
</p>

<p>
	 
</p>

<p>
	While exploiting CVE-2025-55315 requires an attacker to be first authenticated, it can be abused to covertly get around security controls and carry out malicious actions by smuggling a second, malicious HTTP request within the body of their initial authenticated request.
</p>

<p>
	 
</p>

<p>
	"An organization must prioritize patching this vulnerability because it invalidates the core security promise of virtualization," McCarthy explained regarding CVE-2025-49708, characterizing it as a high-impact flaw that leads to a full virtual machine (VM) escape.
</p>

<p>
	 
</p>

<p>
	"A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker can then access, manipulate, or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases, or production applications."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31886</guid><pubDate>Wed, 15 Oct 2025 12:35:30 +0000</pubDate></item><item><title>Support for Windows 10 has ended, but Microsoft Defender will continue to protect your PC</title><link>https://nsaneforums.com/news/security-privacy-news/support-for-windows-10-has-ended-but-microsoft-defender-will-continue-to-protect-your-pc-r31878/</link><description><![CDATA[<p>
	Windows 10 has finally reached its end of support after the release of <a automate_uuid="09f7bd41-84e2-49d1-bd8c-7f458739b1b3" href="https://www.neowin.net/news/kb5066791-microsoft-shares-details-on-windows-10-support-end-with-final-october-2025-patch/" rel="external nofollow">Patch Tuesday updates</a> a couple of hours ago. This means that the operating system will not receive any more feature or security updates from Microsoft unless you opt for the Extended Security Update (ESU) program. However, regardless of whether you go for ESU or not, you'll still be offered at least some protection through one avenue.
</p>

<p>
	 
</p>

<p>
	Microsoft has <a automate_uuid="9635e642-3532-4d6c-9f42-59b2eaad8673" href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/end-of-windows-10-support-what-defender-customers-need-to-know/4461349" rel="external nofollow">clarified</a> that Microsoft Defender will continue to receive updates even on legacy systems like Windows 10 to the "extent possible". What this means is that detection and protection capabilities will continue to be added, but if they rely on features not present in Windows 10, then they won't really make an impact. So you're inherently less secure than you would be on a supported system, but it's still better than not having any security at all. This isn't really surprising because Microsoft Defender for Endpoint already supports <a automate_uuid="f6d6c4e5-dfe7-4ede-93c0-eb0d621fc649" href="https://learn.microsoft.com/en-us/defender-endpoint/minimum-requirements#windows-versions-supported-by-defender-for-endpoint" rel="external nofollow">Windows versions much older</a> than Windows 10.
</p>

<p>
	 
</p>

<p>
	Similarly, here is an update for customers who use Windows 10 without Defender:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		For Windows 10 customers without Defender, Microsoft will continue to provide security intelligence updates for the built-in Microsoft Defender Antivirus protection through October 2028. Of course, Defender Antivirus alone isn't a comprehensive risk mitigation posture without Microsoft Defender detection and response deployed across your digital estate.
	</p>
</blockquote>

<p>
	That said, Microsoft has strongly recommended that customers <a automate_uuid="f9252037-ee18-4e29-a3d2-fe765c9b18cb" href="https://www.neowin.net/news/microsoft-ironically-blocks-windows-10-to-11-iso-upgrade-as-it-breaks-media-creation-tool/" rel="external nofollow">upgrade to Windows 11</a> to stay as secure as they can. If that is not possible, the next best option is <a automate_uuid="0b00fc9b-fa34-42ac-84ab-66aae23e16cf" href="https://www.neowin.net/news/microsoft-lets-windows-10-users-get-one-more-year-of-updates-without-microsoft-account/" rel="external nofollow">Windows 10 with ESU</a>, as it will at least guarantee the delivery of security updates, which may be critical for protection. Do keep in mind that enterprise customers who leverage Windows 10 to access Windows 11 Cloud PCs through the Windows 365 service get ESU at no extra cost.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/support-for-windows-10-has-ended-but-microsoft-defender-will-continue-to-protect-your-pc/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 15 October 2025 at 12:44 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31878</guid><pubDate>Wed, 15 Oct 2025 02:44:45 +0000</pubDate></item><item><title>Chinese hackers targeting remote workers in Australia</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-targeting-remote-workers-in-australia-r31857/</link><description><![CDATA[<p>
	The technology of remote workers is being targeted by Chinese hackers to try and infiltrate corporate systems, Australia's cyber espionage agency has warned.
</p>

<p>
	<br />
	The findings are part of a rise in state-sponsored hacks targeting businesses and individuals amid global tensions, outlined in the Australian Signals Directorate's latest Cyber Threat Report.
</p>

<p>
	<br />
	Concerningly, hackers are turning to artificial intelligence in their cyberattacks on major companies, which include banks, telcos, power and water suppliers.
</p>

<p>
	 
</p>

<p>
	For small and medium companies, the average cost of cybercrime over the past financial year rose by 55 per cent to $97,000.
</p>

<p>
	<br />
	But for big firms, the average cost is up by 220 per cent, or about $203,000.
</p>

<p>
	<br />
	The ASD also warns hackers are hijacking employees' home technology and exploiting it without the owners' knowledge, through hidden networks known as botnets.
</p>

<p>
	<br />
	"State-sponsored cyber actors have also compromised home devices connected to the internet, such as home routers, to create botnets that support further targeting around the globe."
</p>

<p>
	<br />
	Home internet routers, firewalls and VPNs were among the "edge devices" targeted by hackers linked with China, the ASD said.
</p>

<p>
	<br />
	Once network defences were overcome, the criminals were able to access other connected hardware, such as computers and phones.
</p>

<p>
	<br />
	"By successfully exploiting such technologies, malicious cyber actors can gain an initial foothold on a network for follow-on activity."
</p>

<p>
	<br />
	The ASD report was published today after the personal information of 5.7 million Qantas customers was released onto the dark web by hackers.
</p>

<p>
	<br />
	Qantas was one of 40 companies caught up in the hack, alongside the likes of Disney and IKEA, when the hacker group Scattered Lapsus$ Hunters stole almost 1 billion records of customer data from cloud technology company Salesforce in July.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.9news.com.au/national/work-from-home-aussies-targeted-by-cyber-hackers/b325ffdb-f03a-49b5-bb1d-e03561c1cb80" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31857</guid><pubDate>Tue, 14 Oct 2025 14:22:35 +0000</pubDate></item><item><title>Hell freezes over as Chrome allows a way to hide sponsored search results</title><link>https://nsaneforums.com/news/security-privacy-news/hell-freezes-over-as-chrome-allows-a-way-to-hide-sponsored-search-results-r31852/</link><description><![CDATA[<p>
	Google Chrome continues to be the <a automate_uuid="b4f93c28-f263-40f4-b200-899f9f37fd40" href="https://www.neowin.net/news/google-chrome-continues-crushing-other-browsers-reaches-new-all-time-high/" rel="external nofollow">dominant browser</a> on the market, with the competition trailing far behind. The software recently received an update that offers a <a automate_uuid="bbbfab14-4d40-40aa-b641-d0d67eced6be" href="https://www.neowin.net/news/google-chrome-will-soon-offer-you-a-quieter-browsing-experience/" rel="external nofollow">quieter browsing experience</a> by significantly reducing notification overload. It seems like Google is in a very generous mood, because it is now providing a way to hide sponsored Google Search results too.
</p>

<p>
	 
</p>

<p>
	When you search on Google, you may have noticed that the sponsored results show up first, at the top. These come from vendors who have paid the company for a top spot on relevant search results. While they can be useful sometimes, there is often an element of mistrust surrounding paid search results, which is why most people just ignore them.
</p>

<p>
	 
</p>

<p>
	Now, roughly a couple of decades after the launch of sponsored search results, Google has realized that its customers actually want to seamlessly get to the information they are looking for. To that end, it is revamping the UI for paid search results.
</p>

<p>
	 
</p>

<p>
	All sponsored text-based results will now be clubbed under a single <strong>Sponsored results</strong> label. Google hopes that this bigger labeling will more prominently label ads, in alignment with industry standards. In addition, it is also releasing a button that allows you to hide sponsored search results with a single click. However, this button is placed below all the sponsored search results, which means that you'll technically have to see the ads before you can hide them. There also doesn't seem to be a way yet to apply this change globally, so that you don't need to do it each time.
</p>

<p>
	 
</p>

<p>
	While it's impossible for Google to completely do away with ads in Search considering that they're a significant money-maker, it's still encouraging to see at least a little more native control over the browsing experience. Google has begun rolling out this revamp on Chrome for mobile and desktop users globally and you should see it soon.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/hell-freezes-over-as-chrome-allows-a-way-to-hide-sponsored-search-results/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 14 October 2025 at 6:13 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31852</guid><pubDate>Tue, 14 Oct 2025 08:13:35 +0000</pubDate></item><item><title>Satellites Are Leaking the World&#x2019;s Secrets: Calls, Texts, Military and Corporate Data</title><link>https://nsaneforums.com/news/security-privacy-news/satellites-are-leaking-the-world%E2%80%99s-secrets-calls-texts-military-and-corporate-data-r31851/</link><description><![CDATA[<h3>
	With just $800 in basic equipment, researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypted.
</h3>

<p>
	<span class="lead-in-text-callout">Satellites beam data</span> down to the Earth all around us, all the time. So you might expect that those space-based radio communications would be encrypted to prevent any snoop with a <a href="https://www.wired.com/tag/satellites/" rel="external nofollow">satellite dish</a> from <a href="https://www.wired.com/story/satellites-basic-security-flaws/" rel="external nofollow">accessing the torrent of secret information</a> constantly raining from the sky. You would, to a surprising and troubling degree, be wrong.
</p>

<p>
	 
</p>

<p>
	Roughly half of geostationary satellite signals, many carrying sensitive consumer, corporate, and government communications, have been left entirely vulnerable to eavesdropping, a team of researchers at UC San Diego and the University of Maryland revealed today in a study that will likely resonate across the cybersecurity industry, telecom firms, and inside military and intelligence agencies worldwide.
</p>

<p>
	 
</p>

<p>
	For three years, the UCSD and UMD researchers developed and used an off-the-shelf, $800 satellite receiver system on the roof of a university building in the La Jolla seaside neighborhood of San Diego to pick up the communications of geosynchronous satellites in the small band of space visible from their Southern California vantage point. By simply pointing their dish at different satellites and spending months interpreting the obscure—but unprotected—signals they received from them, the researchers assembled an alarming collection of private data: They obtained samples of the contents of Americans’ calls and text messages on <a href="https://www.wired.com/tag/t-mobile/" rel="external nofollow">T-Mobile’s</a> cellular network, data from airline passengers’ in-flight Wi-Fi browsing, communications to and from critical infrastructure such as electric utilities and offshore oil and gas platforms, and even US and Mexican military and law enforcement communications that revealed the locations of personnel, equipment, and facilities.
</p>

<p>
	 
</p>

<p>
	“It just completely shocked us. There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted,” says Aaron Schulman, a UCSD professor who co-led the research. “And just time and time again, every time we found something new, it wasn't.”
</p>

<p>
	 
</p>

<p>
	The group’s paper, which they’re presenting this week at an Association for Computing Machinery conference in Taiwan, is titled “Don’t Look Up”—a reference to the 2021 film of that title but also a phrase the researchers say describes the apparent cybersecurity strategy of the global satellite communications system. “They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security,” Schulman says. “They just really didn't think anyone would look up.”
</p>

<p>
	 
</p>

<p>
	The researchers say that they’ve spent nearly the past year warning companies and agencies whose sensitive data they found exposed in satellite communications. Most of them, including T-Mobile, moved quickly to encrypt those communications and protect the data. Others, including some owners of vulnerable US critical infrastructure whom the researchers alerted more recently—and declined to name to WIRED—have yet to add encryption to their satellite-based systems. Researchers have pointed to the surveillance dangers of unencrypted satellite connections <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://uk.pcmag.com/encryption/128071/sensitive-satellite-internet-data-is-easily-accessible-if-you-know-where-to-look" href="https://uk.pcmag.com/encryption/128071/sensitive-satellite-internet-data-is-easily-accessible-if-you-know-where-to-look" rel="external nofollow" target="_blank">before</a>, but the scale and scope of the new disclosures appear unrivaled.
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="UCSD and UMD researchers pose with their satellite receiver system on the roof of a university building in San Diego" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68e988c6673f2d9fe9a053b3/master/w_960,c_limit/satellite-researchers.JPG"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">UCSD and UMD researchers pose with their satellite receiver system on the roof of a university building in San Diego. </span></em>
	</p>

	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">From left to right: Annie Dai, Aaron Schulman, Keegan Ryan, Nadia Heninger, Morty Zhang. Not pictured: Dave Levin.</span></em>
	</p>

	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Courtesy of Ryan Kosta</span></em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	The researchers’ work looked at only a small fraction of geostationary satellites whose signals they could pick up from San Diego—roughly 15 percent of those in operation, by the researchers’ estimate. This suggests vast amounts of data are likely still being exposed over satellite communications, says Matt Green, a computer science professor at Johns Hopkins University who focuses on cybersecurity and reviewed the study. Large swaths of satellite data will likely be vulnerable for years to come, too, as companies and governments grapple with whether and how to secure outdated systems, Green says.
</p>

<p>
	 
</p>

<p>
	“It's crazy. The fact that this much data is going over satellites that anyone can pick up with an antenna is just incredible,” Green says. “This paper will fix a very small part of the problem, but I think a lot of it is not going to change.”
</p>

<p>
	 
</p>

<p>
	“I would be shocked,” Green adds, “if this is something that intelligence agencies of any size are not already exploiting.”
</p>

<h2 class="paywall">
	Half Conversations, Broadcast From Space
</h2>

<p>
	The phone calls and text messages the researchers obtained, in particular, were exposed due to telecoms’ often overlooked use of satellite communications for offering cellular coverage to normal phone users who connect to cell towers in remote locations. Some towers in desert or mountainous regions of the US, for instance, connect to a satellite that relays their signals to and from the rest of a telecom’s core cellular network, the internal communications of the network known as “backhaul” traffic.
</p>

<p>
	 
</p>

<p>
	Anyone who sets up their own satellite receiver in the same broad region as one of those remote cell towers—often as far as thousands of miles away—can pick up the same signals meant for that tower. Doing so allowed the research team to obtain at least some amount of unencrypted backhaul data from the carriers T-Mobile, AT&amp;T Mexico, and Telmex.
</p>

<p>
	 
</p>

<p>
	The T-Mobile data was particularly significant: In just nine hours of recording T-Mobile backhaul satellite communications from their single dish, the researchers collected the phone numbers of more than 2,700 users as well as all the phone calls and text messages the researchers received during that time. They could, however, only read or hear one side of those conversations: the content of the messages and calls sent <em>to</em> T-Mobile’s remote towers, not sent <em>from</em> them to the core cell network, which would have required another satellite dish near the one T-Mobile intended to receive the signal on the other end.
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="Diagram of how the satellite cell towers and satellite receiver all work with each other" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68e965ecfcb832a931e131db/master/w_960,c_limit/satellites-towers.jpg"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">Cellular towers in remote regions sometimes connect to a satellite that relays their signals to and from the rest of a telecom’s core cellular network—the internal communications of the network known as “backhaul” traffic. Anyone who sets up their own satellite receiver in the same broad region as one of those remote cell towers—often as far as thousands of miles away—can pick up the same signals meant for that tower.</span></em>
	</p>

	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Illustration: WIRED Staff; Getty Images</span></em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	“When we saw all this, my first question was, did we just commit a felony? Did we just wiretap?” says Dave Levin, a University of Maryland computer science professor who co-led the study. In fact, he says, the team didn’t actively intercept any communications, only passively listened to what was being sent to their receiver dish. “These signals are just being broadcast to over 40 percent of the Earth at any point in time,” Levin says.
</p>

<p>
	 
</p>

<p>
	Mexican telecom Telmex also transmitted unencrypted voice calls, the researchers found. The researchers further discovered that AT&amp;T Mexico transmitted raw data over satellites that included users’ internet traffic—most of which was encrypted with HTTPS by the apps or browsers they used—but also some calling and texting metadata. They also found decryption keys that the researchers believe could likely have been used to decipher other sensitive information the AT&amp;T Mexico network transmitted—though they didn’t attempt this.
</p>

<p>
	 
</p>

<p>
	Starting in December 2024, the researchers began contacting the affected telecoms. T-Mobile responded by encrypting its satellite transmissions within weeks, but responses from other cell carriers were mixed.
</p>

<p>
	 
</p>

<p>
	“Last year, this research helped surface a vendor's encryption issue found in a limited number of satellite backhaul transmissions from a very small number of cell sites, which was quickly fixed,” a T-Mobile spokesperson says, adding the issue was “not network-wide” and that the company has taken steps to “make sure this doesn't happen again.”
</p>

<p>
	 
</p>

<p>
	A spokesperson for AT&amp;T says the company “promptly” fixed the issue. “A satellite vendor misconfigured a small number of cell towers in a remote region of Mexico,” they say. Telmex did not respond to WIRED’s request for comment.
</p>

<p>
	 
</p>

<p>
	Whether other cellular carriers around the US and world—outside the visibility of the researchers’ satellite dish—have encrypted their satellite-based network backhaul data remains an open question. The researchers say they didn’t see any unencrypted Verizon or AT&amp;T US traffic from their dish.
</p>

<p>
	 
</p>

<p>
	The AT&amp;T spokesperson says that its US and Mexico networks are separate, and it is “rare” to use satellites for cellular backhaul. “We typically route traffic on our closed, secure backhaul network,” the spokesperson says. “On those rare instances where data must be transmitted outside our closed network, it is our policy to encrypt it.” Verizon did not respond to WIRED’s request for comment.
</p>

<p>
	 
</p>

<p>
	Beyond just cell towers in remote locations, it’s possible that a lack of encryption for cellular backhaul data could make anyone on the same network vulnerable, points out Johns Hopkins’ Green. Hackers might be able to perform a so-called <a href="https://www.wired.com/story/tesla-ultra-wideband-radio-relay-attacks/" rel="external nofollow">relay attack</a> with a spoofed cell tower—using the surveillance hardware sometimes called a <a href="https://www.wired.com/story/2024-dnc-cell-site-simulator-phone-surveillance/" rel="external nofollow">stingray or IMSI catcher</a>—and route any victim’s data to a cell tower that connects to a satellite uplink. “The implications of this aren't just that some poor guy in the desert is using his cell phone tower with an unencrypted backhaul,” says Green. “You could potentially turn this into an attack on anybody, anywhere in the country.”
</p>

<h2 class="paywall">
	Military Helicopters and Power Grids, Exposed
</h2>

<p>
	The researchers’ satellite dish also pulled down a significant collection of unprotected military and law enforcement communications. They obtained, for instance, unencrypted internet communications from US military sea vessels, as well as the vessels’ names. (A spokesperson for the US Defense Information Systems Agency acknowledged WIRED’s request for comment but had not provided a response at the time of writing.)
</p>

<p>
	 
</p>

<p>
	For Mexican military and law enforcement, the exposures were far worse: The researchers say they found what appeared to be unencrypted communications with remote command centers, surveillance facilities, and units of the Mexican military and law enforcement. In some cases, they saw the unprotected transmission of sensitive intelligence information on activities like narcotics trafficking. In others, they found military asset tracking and maintenance records for aircraft like Mil Mi-17 and UH-60 Black Hawk helicopters, sea vessels, and armored vehicles, as well as their locations and mission details. “When we started seeing military helicopters, it wasn’t necessarily the sheer volume of data, but the extreme sensitivity of that data that concerned us,” says Schulman. The Mexican military did not immediately respond to WIRED’s requests for comment.
</p>

<p>
	 
</p>

<p>
	Just as sensitive, perhaps, were industrial systems communications from critical infrastructure like power grids and offshore oil and gas platforms. In one case, they found that the Comisión Federal de Electricidad (CFE), Mexico’s state-owned electric utility with nearly 50 million customers, was transmitting its internal communications in the clear—everything from work orders that included customers’ names and addresses to communications about equipment failures and safety hazards. (A CFE spokesperson acknowledged WIRED’s request for comment but didn't provide a response before publication.)
</p>

<p>
	 
</p>

<p>
	In other cases they have yet to publicly detail, the researchers say they also warned US infrastructure owners about unencrypted satellite communications for industrial control system software. In their phone calls with those infrastructure owners, some owners even expressed concerns that a malicious actor might have the ability to not only surveil the control systems of their facilities, but also, with enough sophistication, potentially disable or spoof them to tamper with the facility’s operation.
</p>

<p>
	 
</p>

<p>
	The researchers obtained a vast grab bag of other miscellaneous corporate and consumer data: They pulled down in-flight Wi-Fi data for Intelsat and Panasonic systems used by 10 different airlines. Within that data, they found unencrypted metadata about users’ browsing activities and even the unencrypted audio of the news programs and sports games being broadcast to them. They also obtained corporate emails and inventory records of Walmart’s Mexican subsidiary, satellite communications to ATMs managed by Santander Mexico, as well as the Mexican banks Banjercito and Banorte.
</p>

<p>
	 
</p>

<p>
	A spokesperson for Panasonic Avionics Corporation said they “welcome the findings” from the researchers, but claim it “has found that several statements attributed to us are either inaccurate or misrepresent our position.” When asked, the spokesperson did not specify what the company considered was inaccurate. “Our satellite communications systems are designed so that every user data session follows established security protocols,” the spokesperson says.
</p>

<p>
	 
</p>

<p>
	“Generally, our users choose the encryption that they apply to their communications to suit their specific application or need,” says a spokesperson for SES, the parent company of Intelsat. “For SES’s inflight customers, for example, SES provides a public Wi-Fi hot spot connection similar to the public internet available at a coffee shop or hotel. On such public networks, user traffic would be encrypted when accessing a website via HTTPS/TLS or communicating using a virtual private network.”
</p>

<p>
	 
</p>

<p>
	The researchers reported the swaths of unencrypted satellite communications from the Mexican government and Mexican organizations to CERT-MX, the country’s incident response team, which is part of the government’s National Guard, in April this year, before separately contacting companies. CERT-MX did not respond to WIRED’s repeated requests for comment.
</p>

<p>
	 
</p>

<p>
	A spokesperson for Santander Mexico says that no customer information or transactions were compromised, but confirmed that the exposed traffic was linked to a “small group” of ATMs used in remote areas of Mexico where using satellite connections is the only option available. “Although this traffic does not pose a risk to our customers, we took the report as an opportunity for improvement, implementing measures that reinforce the confidentiality of technical traffic circulating through these links,” the spokesperson says.
</p>

<p>
	 
</p>

<p>
	“While we cannot share specifics, we can confirm that our communications lines have been evaluated and confirmed secure,” a spokesperson for Walmart says. (The researchers confirm that they observed Walmart had encrypted its satellite communications in response to their warning.)
</p>

<p>
	 
</p>

<p>
	“The information of our customers and infrastructure is not exposed to any vulnerability,” a spokesperson for Grupo Financiero Banorte says. Banjercito could not be reached for comment.
</p>

<p>
	 
</p>

<p>
	“SIA and its members remain diligent in monitoring the threat landscape and continue to participate in various security efforts with government agencies, industry working groups, and international standards bodies,” says Tom Stroup, the president of the Satellite Industry Association, adding that it does not comment on specific company issues.
</p>

<h2 class="paywall">
	Time to Look Up
</h2>

<p>
	The amount of Mexico-related data in the researchers’ findings is, of course, no coincidence. Although their satellite dish was technically able to pick up transmissions from around a quarter of the sky, much of that swath included the Pacific Ocean, which has relatively few satellites above it, and only a small fraction of the transponders on the satellites it did see were transmitting data in the direction of its dish. The result, the researchers estimate, was that they examined only 15 percent of global satellite transponder communications, mostly in the western US and Mexico.
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="Diagram of satellites around the Earth showing the researchers' sample area" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68e9667a59d8e4dbc45159ef/master/w_960,c_limit/satellites3.jpg"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">Geostationary satellites ring the Earth’s equator. The researchers’ satellite dish on the roof of their UC San Diego building was in a position to pick up at least some signals from about a quarter of that ring. But because many of the satellites’ signals weren’t transmitted towards San Diego—and a large part of their coverage was over the Pacific Ocean, with relatively few satellites—they only received an estimated 15 percent of all geostationary satellite signals. That also means that other dishes placed elsewhere in the world would likely find entirely different signals transmitting different sensitive data.</span></em>
	</p>

	<p>
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Illustration: WIRED Staff; Getty Images</span></em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	That suggests anyone could set up similar hardware somewhere else in the world and likely obtain their own collection of sensitive information. After all, the researchers restricted their experiment to only off-the-shelf satellite hardware: a $185 satellite dish, a $140 roof mount with a $195 motor, and a $230 tuner card, totaling less than $800.
</p>

<p>
	 
</p>

<p>
	“This was not NSA-level resources. This was DirecTV-user-level resources. The barrier to entry for this sort of attack is extremely low,” says Matt Blaze, a computer scientist and cryptographer at Georgetown University and law professor at Georgetown Law. “By the week after next, we will have hundreds or perhaps thousands of people, many of whom won’t tell us what they’re doing, replicating this work and seeing what they can find up there in the sky.”
</p>

<p>
	 
</p>

<p>
	One of the only barriers to replicating their work, the researchers say, would likely be the hundreds of hours they spent on the roof adjusting their satellite. As for the in-depth, highly technical analysis of obscure data protocols they obtained, that may now be easier to replicate, too: The researchers are releasing their own open-source software tool for interpreting satellite data, also titled “Don’t Look Up,” on GitHub.
</p>

<p>
	 
</p>

<p>
	The researchers’ work may, they acknowledge, enable others with less benevolent intentions to pull the same highly sensitive data from space. But they argue it will also push more of the owners of that satellite communications data to encrypt that data, to protect themselves and their customers. “As long as we’re on the side of finding things that are insecure and securing them, we feel very good about it,” says Schulman.
</p>

<p>
	 
</p>

<p>
	There’s little doubt, they say, that intelligence agencies with vastly superior satellite receiver hardware have been analyzing the same unencrypted data for years. In fact, they point out that the US National Security Agency warned in a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2910409/nsa-issues-recommendations-to-protect-vsat-communications/" href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2910409/nsa-issues-recommendations-to-protect-vsat-communications/" rel="external nofollow" target="_blank">2022 security advisory</a> about the lack of encryption for satellite communications. At the same time, they assume that the NSA—and every other intelligence agency from Russia to China—has set up satellite dishes around the world to exploit that same lack of protection. (The NSA did not respond to WIRED’s request for comment.)
</p>

<p>
	 
</p>

<p>
	“If they aren't already doing this,” jokes UCSD cryptography professor Nadia Heninger, who co-led the study, “then where are my tax dollars going?”
</p>

<p>
	 
</p>

<p>
	Heninger compares their study’s revelation—the sheer scale of the unprotected satellite data available for the taking—to some of the revelations of <a href="https://www.wired.com/2014/08/edward-snowden/" rel="external nofollow">Edward Snowden</a> that showed how the NSA and Britain’s <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa" href="https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa" rel="external nofollow" target="_blank">GCHQ</a> were obtaining telecom and internet data on an enormous scale, often by secretly tapping directly into communications infrastructure.
</p>

<p>
	 
</p>

<p>
	“The threat model that everybody had in mind was that we need to be encrypting everything, because there are governments that are tapping undersea fiber optic cables or coercing telecom companies into letting them have access to the data,” Heninger says. “And now what we're seeing is, this same kind of data is just being broadcast to a large fraction of the planet.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/satellites-are-leaking-the-worlds-secrets-calls-texts-military-and-corporate-data/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 14 October 2025 at 6:10 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31851</guid><pubDate>Tue, 14 Oct 2025 08:12:59 +0000</pubDate></item><item><title>Google casts doubt on Australia's social media ban for under 16s</title><link>https://nsaneforums.com/news/security-privacy-news/google-casts-doubt-on-australias-social-media-ban-for-under-16s-r31847/</link><description><![CDATA[<p>
	The Australian government has long been grappling with a bill to ban social media use for those under 16. While the bill has the support of lawmakers, <a automate_uuid="4ae64796-7099-4baa-9caf-c866a2d10289" href="https://www.neowin.net/news/tech-giants-strongly-oppose-australias-ban-on-social-media-for-children-under-16/" rel="external nofollow">tech companies remain skeptical</a> about its implementation. Now, <a automate_uuid="c2ae6075-eb38-40a8-a409-175ba35c3c15" href="https://blog.google/intl/en-au/our-opening-statement-to-the-senate-environment-and-communications-references-committee/" rel="external nofollow">Google says</a> implementing such a law would be "extremely difficult."
</p>

<p>
	 
</p>

<p>
	Rachel Lord, YouTube's Senior Manager of Government Affairs in Australia, appeared before a parliamentary hearing on Monday to clarify Google's stance on the proposed bill and its potential impact on children's safety. According to Google's representative, the bill to ban children under 16 from using social media "may be well-intentioned but in practice risks unintended consequences."
</p>

<p>
	 
</p>

<p>
	Although YouTube was initially exempted from the legislation due to its popularity among teachers, it was added to the list of covered websites in July. Lord also described the bill as "extremely difficult to enforce" and stated that it would fail to achieve its goal of <a automate_uuid="72c1e93e-8719-4c88-bae6-c5c9d3db0413" href="https://www.neowin.net/news/the-uk-could-follow-australias-footsteps-in-banning-social-media-for-those-under-16/" rel="external nofollow">making children safer online</a>. She further concluded that YouTube is not a social media platform, but rather a video streaming service that Australians use as a content library and learning resource.
</p>

<p>
	 
</p>

<p>
	"YouTube has invested heavily in designing age-appropriate products and industry-leading content controls and tools that allow parents to make choices for their families," Lord added. "Forcing kids to use YouTube without an account removes the very parental controls and safety filters built to protect them."
</p>

<p>
	 
</p>

<p>
	Australian Prime Minister Anthony Albanese is scheduled to meet Donald Trump in Washington next week, and Australian lawmakers are already concerned about Google's lobbying efforts there. According to Stef Lovett, Google Australia's Director of Government Affairs, Google's executives in the US are aware of the challenges the company is facing in Australia. Still, their response remains to be seen (via <a automate_uuid="7abfe49f-fb78-4b11-a73a-8e3d9998cb74" href="https://www.reuters.com/world/asia-pacific/google-says-australian-law-teen-social-media-use-extremely-difficult-enforce-2025-10-13/" rel="external nofollow">Reuters</a>).
</p>

<p>
	 
</p>

<p>
	Australia passed the <a automate_uuid="f7da0a37-54d0-414b-9d87-246211208b43" href="https://www.pm.gov.au/media/social-media-reforms-protect-our-kids-online-pass-parliament" rel="external nofollow">Online Safety Amendment in November 2024</a>, giving social media companies one year to comply. The bill aims to make it illegal for children under 16 to use social media platforms and requires these platforms to deactivate the accounts of underage users.
</p>

<p>
	 
</p>

<p>
	The main challenge, however, is the age verification. Under the bill, social media platforms are required to use <a automate_uuid="93795b1c-b875-44df-b54b-78053c577a1e" href="https://www.esafety.gov.au/newsroom/media-releases/new-regulatory-guidance-released-to-support-social-media-industry-ahead-of-minimum-age-law" rel="external nofollow">NLP (natural language processing)-analyzed and behavioral data</a> to determine a user's age, rather than relying on government-issued ID.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-casts-doubt-on-australias-social-media-ban-for-under-16s/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 14 October 2025 at 3:07 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31847</guid><pubDate>Mon, 13 Oct 2025 17:08:21 +0000</pubDate></item><item><title>Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-locks-down-ie-mode-after-hackers-turned-legacy-feature-into-backdoor-r31842/</link><description><![CDATA[<p>
	Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users' devices.
</p>

<p>
	 
</p>

<p>
	"Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer's JavaScript engine (Chakra) to gain access to victim devices," the Microsoft Browser Vulnerability Research team said in a report published last week.
</p>

<p>
	 
</p>

<p>
	In the attack chain documented by the Windows maker, the threat actors tricked unsuspecting users into visiting a seemingly legitimate website and then used a flyout on the page to instruct them to reload the page in IE mode.
</p>

<p>
	 
</p>

<p>
	Once the page is reloaded, the attackers are said to have weaponized an unspecified exploit in the Chakra engine to obtain remote code execution. The infection sequence culminates with the adversary using a second exploit to elevate their privileges out of the browser in order to seize complete control of the victim's device.
</p>

<p>
	 
</p>

<p>
	The activity is concerning, not least because it subverts the modern defenses baked into Chromium and Microsoft Edge by launching the browser in a less secure state using Internet Explorer, effectively allowing the threat actors to break out of the confines of the browser and perform various post-exploitation steps, including malware deployment, lateral movement, and data exfiltration.
</p>

<p>
	 
</p>

<p>
	Microsoft did not disclose any details regarding the nature of the vulnerabilities, the identity of the threat actor behind the attacks, or the scale of the efforts.
</p>

<p>
	 
</p>

<p>
	However, in response to evidence of active exploitation and the security risk posed by the feature, the company said it has taken steps to remove the dedicated toolbar button, context menu, and the hamburger menu items.
</p>

<p>
	 
</p>

<p>
	Users who wish to enable IE mode will now have to explicitly enable it on a case-by-case basis via Edge browser settings:
</p>

<p>
	 
</p>

<ul>
	<li>
		Navigate to Settings &gt; Default Browser
	</li>
	<li>
		Locate the option labeled Allow sites to be reloaded in Internet Explorer mode and set it to Allow
	</li>
	<li>
		After enabling this setting, add the specific site(s) requiring IE compatibility to the Internet Explorer mode pages list
	</li>
	<li>
		Reload the site
	</li>
</ul>

<p>
	 
</p>

<p>
	The Windows maker noted that these restrictions to launching IE mode are necessary to balance security and the need for legacy support.
</p>

<p>
	 
</p>

<p>
	"This approach ensures that the decision to load web content using legacy technology is significantly more intentional," Microsoft said. "The additional steps required to add a site to a site list are a significant barrier for even the most determined attackers to overcome."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/microsoft-locks-down-ie-mode-after.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31842</guid><pubDate>Mon, 13 Oct 2025 14:05:14 +0000</pubDate></item><item><title>Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts</title><link>https://nsaneforums.com/news/security-privacy-news/experts-warn-of-widespread-sonicwall-vpn-compromise-impacting-over-100-accounts-r31830/</link><description><![CDATA[<p>
	Cybersecurity company Huntress on Friday warned of "widespread compromise" of SonicWall SSL VPN devices to access multiple customer environments.
</p>

<p>
	 
</p>

<p>
	"Threat actors are authenticating into multiple accounts rapidly across compromised devices," it said. "The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing."
</p>

<p>
	 
</p>

<p>
	A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted. In the cases investigated by Huntress, authentications on the SonicWall devices originated from the IP address 202.155.8[.]73.
</p>

<p>
	 
</p>

<p>
	The company noted that in some instances, the threat actors did not engage in further adversarial actions in the network and disconnected after a short period of time. However, in other cases, the attackers have been found conducting network scanning activity and attempting to access numerous local Windows accounts.
</p>

<p>
	 
</p>

<p>
	The disclosure comes shortly after SonicWall acknowledged that a security incident resulted in the unauthorized exposure of firewall configuration backup files stored in MySonicWall accounts. The breach, according to the latest update, affects all customers who have used SonicWall's cloud backup service.
</p>

<p>
	 
</p>

<p>
	"Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," Arctic Wolf said. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates."
</p>

<p>
	 
</p>

<p>
	Huntress, however, noted that there is no evidence at this stage to link the breach to the recent spike in compromises.
</p>

<p>
	Considering that sensitive credentials are stored within firewall configurations, organizations using the MySonicWall cloud configuration backup service are advised to reset their credentials on live firewall devices to avoid unauthorized access.
</p>

<p>
	 
</p>

<p>
	It's also recommended to restrict WAN management and remote access where possible, revoke any external API keys that touch the firewall or management systems, monitor logins for signs of suspicious activity, and enforce multi-factor authentication (MFA) for all admin and remote accounts.
</p>

<p>
	 
</p>

<p>
	The disclosure comes amid an increase in ransomware activity targeting SonicWall firewall devices for initial access, with the attacks leveraging known security flaws (CVE-2024-40766) to breach target networks for deploying Akira ransomware.
</p>

<p>
	 
</p>

<p>
	Darktrace, in a report published this week, said it detected an intrusion targeting an unnamed U.S. customer in late August 2025 that involved network scanning, reconnaissance, lateral movement, privilege escalation using techniques like UnPAC the hash, and data exfiltration.
</p>

<p>
	 
</p>

<p>
	"One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology," it said.
</p>

<p>
	 
</p>

<p>
	"This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31830</guid><pubDate>Sat, 11 Oct 2025 18:43:44 +0000</pubDate></item><item><title>Apple will pay you up to $5 million for reporting a security flaw in its products</title><link>https://nsaneforums.com/news/security-privacy-news/apple-will-pay-you-up-to-5-million-for-reporting-a-security-flaw-in-its-products-r31807/</link><description><![CDATA[<p>
	Many tech companies offer bug bounty programs for their products, motivating ethical hackers to find security flaws and report them privately to the vendor in return for a monetary award. <a automate_uuid="da1cd72c-a58b-48bc-b596-99d8666d4aea" href="https://www.neowin.net/news/a-13-year-old-prodigy-helped-improve-the-security-of-microsoft-products/" rel="external nofollow">Microsoft</a>, <a automate_uuid="1f97c423-fdac-42d0-a68a-1ac6993abe5f" href="https://www.neowin.net/news/apple-opens-its-bug-bounty-program-to-the-public-with-up-to-15-million-in-payout/" rel="external nofollow">Apple</a>, <a automate_uuid="e644be2c-fc4d-43b0-b763-e96b45fd3b63" href="https://www.neowin.net/news/google-thinks-bug-hunting-could-get-easier-thanks-to-its-new-unified-platform/" rel="external nofollow">Google</a>, <a automate_uuid="d7f8c3b5-0726-4b64-b172-7c8ea11423df" href="https://www.neowin.net/news/meta-will-now-award-bounties-for-scraping-bugs-and-scraped-datasets/" rel="external nofollow">Meta</a>, and others host this initiative on a pretty big scale. But now, Apple is changing the playing field, offering rewards bigger than any other program.
</p>

<p>
	 
</p>

<p>
	In an <a automate_uuid="16353dc5-4989-40ab-b61a-1a00a2893af0" href="https://security.apple.com/blog/apple-security-bounty-evolved/" rel="external nofollow">update</a> to its Apple Security Bounty program, the Cupertino firm has announced that it is doubling its top reward to $2 million, usually offered for very sophisticated mercenary-type attacks that don't require user interaction. However, this reward can go further up to $5 million if it is chained with other bonuses like a Lockdown Mode bypass. Similarly, you will be rewarded a $1 million bonus for "broad unauthorized access" of iCloud, since that has never happened before.
</p>

<p>
	 
</p>

<p>
	In addition, Apple is adding more categories for rewards as well as "target flags" that will accelerate your payout, as they will enable faster evaluation based on the concrete criteria being met.
</p>

<p>
	 
</p>

<p>
	Attached below are the new bounties, which will go into effect from November 2025:
</p>

<p>
	 
</p>

<table border="1" cellpadding="1" cellspacing="1" style="width:100%">
	<thead>
		<tr>
			<th scope="col">
				Type of attack
			</th>
			<th scope="col">
				Current maximum
			</th>
			<th scope="col">
				New maximum
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				Zero-click chain: Remote attack with no user-interaction
			</td>
			<td>
				$1M
			</td>
			<td>
				$2M
			</td>
		</tr>
		<tr>
			<td>
				One-click chain: Remote attack with one-click user-interaction
			</td>
			<td>
				$250K
			</td>
			<td>
				$1M
			</td>
		</tr>
		<tr>
			<td>
				Wireless proximity attack: Attack requiring physical proximity to device
			</td>
			<td>
				$250K
			</td>
			<td>
				$1M
			</td>
		</tr>
		<tr>
			<td>
				Physical device access: Attack requiring physical access to locked device
			</td>
			<td>
				$250K
			</td>
			<td>
				$500K
			</td>
		</tr>
		<tr>
			<td>
				App sandbox escape: Attack from app sandbox to SPTM bypass
			</td>
			<td>
				$150K
			</td>
			<td>
				$500K
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	There are other changes in store too, such as a $100,000 reward for a macOS Gatekeeper bypass and a $1,000 bounty for low-impact reports. Since the launch of the Apple Security Bounty program in 2020, the tech giant has paid over $35 million to more than 800 security researchers. The company hopes that with the higher payouts and more categories for attack surfaces, it will be able to encourage more white hat hackers to find flaws in its products that it can promptly fix.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/apple-will-pay-you-up-to-5-million-for-reporting-a-security-flaw-in-its-products/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Saturday 11 October 2025 at 3:46 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31807</guid><pubDate>Fri, 10 Oct 2025 17:46:35 +0000</pubDate></item><item><title>UK regulators plan to force Google changes under new competition law</title><link>https://nsaneforums.com/news/security-privacy-news/uk-regulators-plan-to-force-google-changes-under-new-competition-law-r31806/</link><description><![CDATA[<h3>
	The CMA will focus on regulating search and search advertising, but not Gemini (for now).
</h3>

<p>
	Google is facing multiple antitrust actions in the US, and European regulators have been similarly tightening the screws. You can now add the UK to the list of Google's governmental worries. The country's antitrust regulator, known as the Competition and Markets Authority (CMA), has confirmed that Google has "strategic market status," paving the way to more limits on how Google does business in the UK. Naturally, Google objects to this course of action.
</p>

<p>
	 
</p>

<p>
	The designation is connected to the UK's new digital markets competition regime, which was enacted at the beginning of the year. Shortly after, the CMA announced it was conducting an investigation into whether Google should be designated with strategic market status. The outcome of that process is a resounding "yes."
</p>

<p>
	 
</p>

<p>
	This label does not mean Google has done anything illegal or that it is subject to immediate regulation. It simply means the company has "substantial and entrenched market power" in one or more areas under the purview of the CMA. Specifically, the agency has found that Google is dominant in search and search advertising, holding a greater than 90 percent share of Internet searches in the UK.
</p>

<p>
	 
</p>

<p>
	In Google's US antitrust trials, the rapid rise of generative <a href="https://arstechnica.com/gadgets/2025/05/google-and-doj-tussle-over-how-ai-will-remake-the-web-in-antitrust-closing-arguments/" rel="external nofollow">AI has muddied the waters</a>. Google has claimed on numerous occasions that the proliferation of AI firms offering search services means there is ample competition. In the UK, regulators note that Google's Gemini AI assistant is not in the scope of the strategic market status designation. However, some AI features connected to search, like AI Overviews and AI Mode, are included.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.gov.uk/government/news/cma-confirms-google-has-strategic-market-status-in-search-services" rel="external nofollow">According to the CMA</a>, consultations on possible interventions to ensure effective competition will begin later this year. The agency's first set of antitrust measures will likely expand on solutions that Google has introduced in other regions or has offered on a voluntary basis in the UK. This could include giving publishers more control over how their data is used in search and "choice screens" that suggest Google alternatives to users. Measures that require new action from Google could be announced in the first half of 2026.
</p>

<h2>
	Problems across the pond
</h2>

<p>
	Google's woes in the UK follow <a href="https://arstechnica.com/tech-policy/2024/03/on-dma-eve-google-whines-apple-sounds-alarms-and-tiktok-wants-out/" rel="external nofollow" target="_blank">increased regulatory scrutiny</a> in the rest of Europe. The European Union's Digital Markets Act designates Google as a "gatekeeper," along with companies like Apple and Meta. These companies are labeled as such because they have an outsize role in digital markets, necessitating more restrictions to ensure fairness for all.
</p>

<p>
	 
</p>

<p>
	Google has repeatedly claimed that the DMA is harming business and recently called for the law to be "reset." Google's response to the UK's application of strategic market status is bringing up a lot of the same feelings at Google. The company <a href="https://blog.google/around-the-globe/google-europe/united-kingdom/cma-designation-google-search/" rel="external nofollow">said in a statement</a> that its handling of UK operations has been a boon to the country, noting that it usually releases new features in the UK before the rest of Europe. "As a result, they see significant value: Google Search contributes billions of pounds a year to the UK economy—£118 billion in 2023 alone," Google said.
</p>

<p>
	 
</p>

<p>
	The company says the UK's preferential treatment is thanks to its decision not to pursue what Google calls "costly restrictions on popular services." If the UK continues down this path, Google suggests it may have to lump it in with the rest of Europe. That could mean slower access to new features, most of which are now based on generative AI. UK consumers may not see that as the threat it once was, though. Debbie Weinstein, Google's EMEA president, recently used the <a href="https://www.linkedin.com/posts/debbie-w-62b2a44_many-people-outside-the-uk-have-been-asking-activity-7356724430141571072-NPnq" rel="external nofollow">delayed EU rollout of AI Overviews</a> as an example of how Europeans are missing out due to the continent's more aggressive regulation.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/google/2025/10/uk-antitrust-regulator-takes-aim-at-googles-search-dominance/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Saturday 11 October 2025 at 3:44 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31806</guid><pubDate>Fri, 10 Oct 2025 17:45:49 +0000</pubDate></item><item><title>Amazon&#x2019;s giant ads have ruined the Echo Show</title><link>https://nsaneforums.com/news/security-privacy-news/amazon%E2%80%99s-giant-ads-have-ruined-the-echo-show-r31792/</link><description><![CDATA[<h3>
	With full-screen ads on its smart displays, Alexa is becoming less like an assistant and more like a sales rep.
</h3>

<p>
	Last week, Amazon launched a major update of its line of <a href="/tech/788051/hands-on-amazon-alexa-echo-show-11-echo-dot-max-echo-studio" rel="">Alexa-enabled Echo smart speakers and displays</a>. The redesign — led by former <a href="/2025/1/15/24344205/microsoft-ralf-groene-amazon-devices-services-design-chief" rel="">Microsoft design chief Ralf Groene</a>, whom Amazon Devices &amp; Services head Panos Panay coaxed out of retirement — included two new Echo Show smart displays. According to Panay, these new models are the first step on a road to building “products that customers love.”
</p>

<p>
	 
</p>

<p>
	But there’s one big barrier to customers loving their Echo Shows: ads.
</p>

<p>
	 
</p>

<p>
	In recent months, full-screen display ads with the tag “sponsored” have been appearing on current Echo Shows, and <a href="https://www.reddit.com/r/alexa/comments/1o0y0rw/ads_this_will_cause_me_to_unplug_all_show_devices/" rel="external nofollow">users are not happy</a>. They just started popping up on my device this week, and they are very intrusive, appearing between photos when the Show is set to Photo Frame mode or between content if it’s set to show different categories (such as music, recipes, news).
</p>

<p>
	 
</p>

<p>
	As I type, the <a href="/23945192/amazon-echo-show-8-alexa-smart-display-review" rel="">last-gen Echo Show 8</a> on my desk showed an ad for an herbal supplement between a snapshot of my daughter dancing at her aunt’s wedding and a baby picture of my son. The ad reappeared two photos later, and then again. And again.
</p>

<p>
	 
</p>

<div class="duet--article--image-gallery-two-up _1ymtmqpj" id=":Rhhdjeab96:">
	<div class="kqz8fh5">
		<div class="kqz8fh8 kqz8fh7">
			<div>
				<div>
					<div class="duet--media--content-warning ucljxw0">
						<div class="duet--article--image-gallery-image kqz8fh0 _1ymtmqpx">
							<a class="kqz8fh1" data-pswp-height="1273.3333333333333" data-pswp-width="1910" href="https://platform.theverge.com/wp-content/uploads/sites/2/2025/10/IMG_0528-1.jpeg?quality=90&amp;strip=all&amp;crop=0,5.5400372439479,100,88.919925512104" rel="external nofollow" target="_blank"><img alt="IMG_0528-1.jpeg?quality=90&amp;strip=all&amp;cro" class="ipsImage" data-chromatic="ignore" data-nimg="fill" decoding="async" height="720" width="720" src="https://platform.theverge.com/wp-content/uploads/sites/2/2025/10/IMG_0528-1.jpeg?quality=90&amp;strip=all&amp;crop=0%2C5.5400372439479%2C100%2C88.919925512104&amp;w=1080"></a>
						</div>
					</div>
				</div>

				<div class="duet--media--caption qama0i0">
					<div>
						<em>This ad appeared while my Show 8 was set to Photo Frame.</em>
					</div>

					<p>
						<cite class="duet--article--dangerously-set-cms-markup _1xwtict2 qama0i1">Photo by Jennifer Pattison Tuohy / The Verge</cite>
					</p>

					<p>
						 
					</p>
				</div>
			</div>
		</div>

		<div class="kqz8fha kqz8fh9">
			<div>
				<div>
					<div class="duet--media--content-warning ucljxw0">
						<div class="duet--article--image-gallery-image kqz8fh0 _1ymtmqpx">
							<a class="kqz8fh1" data-pswp-height="1306.6666666666665" data-pswp-width="1960" href="https://platform.theverge.com/wp-content/uploads/sites/2/2025/10/IMG_0533.jpeg?quality=90&amp;strip=all&amp;crop=0,5.5555555555556,100,88.888888888889" rel="external nofollow" target="_blank"><img alt="IMG_0533.jpeg?quality=90&amp;strip=all&amp;crop=" class="ipsImage" data-chromatic="ignore" data-nimg="fill" decoding="async" height="720" width="720" src="https://platform.theverge.com/wp-content/uploads/sites/2/2025/10/IMG_0533.jpeg?quality=90&amp;strip=all&amp;crop=0%2C5.5555555555556%2C100%2C88.888888888889&amp;w=1080"></a>
						</div>
					</div>
				</div>

				<div class="duet--media--caption qama0i0">
					<div>
						<em>I long-pressed on it, clicked the thumbs-down button, and got the option to provide feedback.</em>
					</div>

					<p>
						<cite class="duet--article--dangerously-set-cms-markup _1xwtict2 qama0i1">Photo by Jennifer Pattison Tuohy / The Verge</cite>
					</p>

					<p>
						 
					</p>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	While advertising has been part of Alexa on Echo devices for a while, in the form of <a href="/2021/12/23/22851451/amazon-alexa-by-the-way-use-case-functionality-plateaued" rel="">Alexa’s “By the way” feature</a>, the Show’s Shopping category (which <a href="/23944889/set-up-echo-show-without-amazon-ads-how-to" rel="">you can disable</a>), and the occasional product ad, it’s never been so blatant.
</p>

<p>
	 
</p>

<p>
	As these new “sponsored” ads become more pervasive, it feels like a bait and switch. There was no indication on the packaging that you were buying an ad-supported product. There’s no discount for buying an Echo Show with ads, as there is with Kindles. And, because these ads are there almost constantly, they’re more intrusive than the voice assistant suggesting a service or product you might want after you just engaged with it. (Don’t get me wrong, that’s annoying, but this is worse.)
</p>

<p>
	 
</p>

<p>
	On top of that, <a href="/hands-on/705808/amazon-alexa-plus-first-look" rel="">Alexa Plus</a> — the company’s big update to its voice assistant — is now <em>also</em> throwing in full-screen ads for its own services. The Echo Show has become a rotating billboard in my office.
</p>

<p>
	 
</p>

<p>
	According to the Amazon Ads website, <a href="https://advertising.amazon.com/resources/whats-new/alexa-available-as-new-supply-source/?ref_=a20m_us_search_title" rel="external nofollow">Alexa Native ads</a> launched back in November 2023. But a new <a href="https://autron.ai/blog/amazon-ads-update-2025-alexa-homescreen-ad-launch-ai-audience-tools" rel="external nofollow">Home Screen Display ad program</a> arrived <a href="https://advertising.amazon.com/resources/whats-new/managed-service-ads-on-new-alexa-homescreen" rel="external nofollow">this summer as part of the rollout of Alexa Plus</a>. CEO Andy Jassy <a href="/analysis/717763/amazon-alexa-plus-ai-ads-revenue-subscription-plans" rel="">touted the new service</a> as a revenue stream for the <a href="/2024/7/23/24204260/amazon-25-billion-losses-echo-devices-alexa-subscription" rel="">troubled Devices &amp; Services division</a> during an <a href="https://seekingalpha.com/article/4807281-amazon-com-inc-amzn-q2-2025-earnings-call-transcript" rel="external nofollow">investor earnings</a> call this summer.
</p>

<p>
	 
</p>

<p>
	While currently the ad programming seems to be limited — they haven’t appeared on any other Show devices I have, and some Reddit users report that they don’t see them at all — it’s clear they’re coming. I first heard about <a href="/analysis/717763/amazon-alexa-plus-ai-ads-revenue-subscription-plans#:~:text=These%20include%20full%2Dscreen%20ones%20on%20Echo%20Show%20smart%20displays%20that%20appear%20randomly%20and%20can%E2%80%99t%20be%20opted%20out%20of." rel="">full-screen ads</a> appearing in the wild several months ago from a reader who sent me pictures of their Show 15 displaying one. Then, last month, the <a href="https://www.reddit.com/r/alexa/" rel="external nofollow">Alexa subreddit</a> exploded with complaints about them. Many are reporting they’ve unplugged their Shows, and some are claiming to have successfully <a href="https://www.reddit.com/r/alexa/comments/1o0o3an/question_im_returning_my_echo_show_because_it_has/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button" rel="external nofollow">received refunds from Amazon</a> after complaining about the ads.
</p>

<p>
	 
</p>

<div>
	<div class="_1ymtmqpj">
		<div>
			<div class="duet--media--content-warning ucljxw0">
				<div class="duet--article--image-gallery-image kqz8fh0" id="dmcyOmltYWdlOjc5Nzg2Mw==">
					<a class="kqz8fh1" data-pswp-height="928" data-pswp-width="1600" href="https://platform.theverge.com/wp-content/uploads/sites/2/2025/10/yjEnIHuNjzejs0ZryzHxjSy0.webp?quality=90&amp;strip=all&amp;crop=0,0,100,100" rel="external nofollow" target="_blank"><img alt="The full-screen ads segue into smaller widget ads and appear on all the Echo Show devices, as this promotional image from Amazon for advertisers demonstrates." class="ipsImage" data-chromatic="ignore" data-nimg="fill" decoding="async" height="720" width="720" src="https://platform.theverge.com/wp-content/uploads/sites/2/2025/10/yjEnIHuNjzejs0ZryzHxjSy0.webp?quality=90&amp;strip=all&amp;crop=0%2C0%2C100%2C100&amp;w=1080"></a>
				</div>
			</div>
		</div>

		<div class="duet--media--caption qama0i0">
			<div>
				<em>The full-screen ads segue into smaller widget ads and appear on all the Echo Show devices, as this promotional image from Amazon for advertisers demonstrates.</em>
			</div>

			<p>
				<cite class="duet--article--dangerously-set-cms-markup _1xwtict2 qama0i1">Image: Amazon</cite>
			</p>

			<p>
				 
			</p>
		</div>
	</div>
</div>

<p>
	At Amazon’s hardware event last month, I asked Panay how ads fit into his mission to build products customers love. He said that if it’s relevant, it’s not an ad, “it’s an add-on.” “There are moments on the product where ads aren’t always bad,” he told me, explaining that if the customer is looking for something specific, and the ad gets them to that faster, it can be a good thing. However, he conceded that some of “the randomness” of the current ad experiences is not great. “It’s about how you elegantly make sure you’re elevating the information that a customer needs.”
</p>

<p>
	 
</p>

<p>
	My experience of these ads has not been that they’re an “add-on.” They’re intrusive and annoying, showing me products I’m not even slightly interested in, such as elderberry herbal supplements, Quest sports chips, and tabletop picture frames. (Well, the last one might be an option if I remove the Show from my desk.) And, unlike some of the previous ad experiences on the Show, they cannot be turned off.
</p>

<p>
	 
</p>

<p>
	I asked Amazon if they can be disabled, and spokesperson Lauren Raemhild replied via email, saying, “Advertising is a small part of the experience, and it helps customers discover new content and products they may be interested in. If customers don’t like a suggestion, they can swipe to skip to the next screen card, or directly provide feedback by tapping the Information icon or pressing the screen.”
</p>

<p>
	 
</p>

<p>
	I tried this, selected “irrelevant ad” from the list of suggested feedback, and got a message saying it had “paused the ad.” But that didn’t stop another ad from appearing. Echo Show users have been trying all sorts of workarounds — from switching to Canadian English (the ads aren’t in Canada — yet) to enabling Kids Mode. But ultimately, if you have to hobble a device to make it usable, why use it at all?
</p>

<p>
	 
</p>

<p>
	I believe the smart home has a lot of potential, but the current landscape is increasingly feeling like a collection of compromises. Amazon has a very good voice assistant, but can’t stop trying to sell you stuff. Google occasionally reminds itself that it <a href="/tech/788102/gemini-for-home-new-google-assistant-launch-date-price-features" rel="">has a smart home division</a>, but my faith in its continued existence is slim. Apple Home is the best experience, but it’s expensive, locked in, and, well, Siri. Yes, there are other solutions available — <a href="/24135207/home-assistant-announces-open-home-foundation" rel="">Home Assistant</a>, SmartThings — but these require more work than most people are willing to put in, and their <a href="/2024/12/19/24325101/home-assistant-voice-preview-edition-smart-home-voice-assistant-hardware" rel="">voice-control options</a> are limited compared to the competition.
</p>

<p>
	 
</p>

<p>
	With <a href="/report/796138/alexa-plus-gemini-for-home-problmes-solutions-smart-home" rel="">Alexa Plus</a>, the long-promised <a href="/24282710/amazon-alexa-ai-star-trek-computer-10-years-assistant" rel="">ambient smart home</a> is finally within reach. It’s time for Amazon to focus on delivering real value — and stop trying to sell us out.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/report/797672/amazon-echo-show-ads-alexa-plus" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 10 October 2025 at 1:01 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31792</guid><pubDate>Fri, 10 Oct 2025 03:03:06 +0000</pubDate></item><item><title>Microsoft Defender mistakenly flags SQL Server as end-of-life</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-mistakenly-flags-sql-server-as-end-of-life-r31791/</link><description><![CDATA[<p>
	Microsoft is working to resolve a known issue that causes its Defender for Endpoint enterprise endpoint security platform to incorrectly tag SQL Server software as end-of-life.
</p>

<p>
	 
</p>

<p>
	According to a <a href="https://admin.microsoft.com/#/MessageCenter/:/messages/DZ1168079" rel="external nofollow" target="_blank">service alert</a> seen by BleepingComputer, this bug has been impacting Microsoft Defender XDR customers with SQL Server 2017 and 2019 since at least Wednesday morning.
</p>

<p>
	 
</p>

<p>
	Although Defender flagged the software as no longer supported, SQL Server 2019 is <a href="https://learn.microsoft.com/en-us/lifecycle/products/sql-server-2019" rel="external nofollow" target="_blank">supported until January 2030</a>, and SQL Server 2017 reaches the end of extended support <a href="https://learn.microsoft.com/en-us/lifecycle/products/sql-server-2017" rel="external nofollow" target="_blank">in October 2027</a>, two years from now.
</p>

<p>
	 
</p>

<p>
	The company has already deployed a fix to address the bug and said the root cause is a code issue introduced by a recent change to end-of-support software.
</p>

<p>
	 
</p>

<p>
	"Users with SQL Server 2019 and 2017 installed may see inaccurate tagging within Threat and Vulnerability Management. Users may experience inaccurate end-of-life tagging for SQL Server within Microsoft Defender for Endpoint management," Microsoft said on Thursday morning, almost 24 hours after the issue was confirmed.
</p>

<p>
	 
</p>

<p>
	"We're continuing to deploy a fix that's designed to reverse the offending change that introduced the code issue and will provide a timeline for its completion as one becomes available."
</p>

<p>
	 
</p>

<p>
	Although Microsoft noted that this issue may affect "all users that have SQL Server 2017 and 2019 installed," it has not yet provided more details on the extent of the issue. 
</p>

<p>
	 
</p>

<p>
	However, this ongoing incident has been tagged as an advisory, a designation commonly used to describe a service issue typically involving limited scope or impact.
</p>

<p>
	 
</p>

<p>
	Last week, the company <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-bug-triggers-erroneous-bios-update-alerts/" rel="external nofollow" target="_blank">resolved another bug</a> that caused Defender for Endpoint to incorrectly mark the BIOS firmware on some Dell devices as outdated, prompting users to update it.
</p>

<p>
	 
</p>

<p>
	Microsoft engineers have also <a href="http://admin.cloud.microsoft/Adminportal/Home?source=applauncher#/windowsreleasehealth/:/issue/DZ1163645" rel="external nofollow" target="_blank">fixed black-screen crashes affecting macOS devices</a> updated after September 29, triggered by a deadlock in the Apple enterprise security framework and occurring when multiple security providers listened to events.
</p>

<p>
	 
</p>

<p>
	In early September, Redmond <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-spam-bug-blocks-links-in-exchange-online-teams/" rel="external nofollow" target="_blank">mitigated another false positive</a> that was causing an anti-spam service to quarantine emails and erroneously block Exchange Online and Microsoft Teams users from opening URLs.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-mistakenly-flags-sql-server-as-end-of-life/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 10 October 2025 at 1:00 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31791</guid><pubDate>Fri, 10 Oct 2025 03:00:40 +0000</pubDate></item><item><title>Fake VPN checker tool lets hackers bypass antivirus protections</title><link>https://nsaneforums.com/news/security-privacy-news/fake-vpn-checker-tool-lets-hackers-bypass-antivirus-protections-r31789/</link><description><![CDATA[<p>
	<span>Hackers are mixing cache smuggling with identity theft</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span>Attackers use fake Fortinet dialogs and social engineering to trick users into executing malware</span>
	</li>
	<li>
		<span>Cache smuggling hides malware in browser cache, bypassing download and PowerShell detection tools</span>
	</li>
	<li>
		<span>Malware is extracted from fake image files and deployed as FortiClientComplianceChecker.exe</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	Hackers are using a combination of social engineering, cache smuggling, identity theft, and straight-up bluffing to bypass common security protections and deploy malware onto victims’ computers, experts have said.
</p>

<p>
	 
</p>

<p>
	Security researchers at Expel, as well as an independent researcher with the alias P4nd3m1cb0y, observed websites pretending to be a pop-up dialog from Fortinet VPN’s “Compliance Checker”.
</p>

<p>
	 
</p>

<p>
	There seems to be no such thing, other than the ability to configure the FortiClient Compliance Profile within FortiOS. In any case, that dialog instructs the victim to copy what appears to be a path to a file installed on the hard drive, and paste it in File Explorer.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Used by ransomware actors</strong></span>
</p>

<p>
	 
</p>

<p>
	The path is padded with more than 100 spaces to hide its true purpose: running a PowerShell command. At the same time, the phishing website runs JavaScript that instructs the browser to fetch an image and cache it on the file system. This file is not an actual image, but rather hidden malware.
</p>

<p>
	 
</p>

<p>
	"This technique, known as cache smuggling, enables the malware to bypass many different types of security products," the researchers explained.
</p>

<p>
	 
</p>

<p>
	"Neither the webpage nor the PowerShell script explicitly download any files. By simply letting the browser cache the fake "image," the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests."
</p>

<p>
	 
</p>

<p>
	"As a result, any tools scanning downloaded files or looking for PowerShell scripts performing web requests wouldn't detect this behavior."
</p>

<p>
	 
</p>

<p>
	The script then scans each cache file for content that is actually a .ZIP file stored in the fake image, and extracts it to FortiClientComplianceChecker.exe - the actual malware. Little was said about who the attackers or the victims were, but apparently some ransomware actors have already started deploying this tactic in their attacks.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/fake-vpn-checker-tool-lets-hackers-bypass-antivirus-protections" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31789</guid><pubDate>Thu, 09 Oct 2025 17:26:20 +0000</pubDate></item><item><title>Google says 'dozens of organisations' affected by Oracle-linked hacking campaign</title><link>https://nsaneforums.com/news/security-privacy-news/google-says-dozens-of-organisations-affected-by-oracle-linked-hacking-campaign-r31788/</link><description><![CDATA[<p>
	<span style="font-size:12px;"><strong>Synopsis</strong><br />
	Google, a unit of Alphabet, said in a statement that "mass amounts of customer data" were stolen in an operation it said may have begun as early as three months ago.</span>
</p>

<p>
	 
</p>

<p>
	Google said on Thursday that dozens of companies have been affected by an ambitious hacking campaign that targeted Oracle's suite of business products, an early assessment that could portend wide-ranging damage.
</p>

<p>
	 
</p>

<p>
	Google, a unit of Alphabet, said in a statement that "mass amounts of customer data" were stolen in an operation it said may have begun as early as three months ago.
</p>

<p>
	 
</p>

<p>
	"This level of investment suggests the threat actor(s) responsible for the initial intrusion likely dedicated significant resources to pre-attack research," the email said.
</p>

<p>
	 
</p>

<p>
	Google said the hackers targeted Oracle's E-Business Suite of applications, which Oracle clients use to manage customers, suppliers, manufacturing, logistics, and other business processes.
</p>

<p>
	 
</p>

<p>
	Oracle did not immediately return an email seeking comment. Previously, the company had confirmed that there was extortion activity aimed at its clients.
</p>

<p>
	 
</p>

<p>
	Google noted in a blog post on Thursday that the group believed to be at the center of the intrusions, CL0P, has a long history of wide-ranging compromises against third party software or service providers.
</p>

<p>
	 
</p>

<p>
	"This latest campaign targeting Oracle EBS marks a continuation of this successful and high-impact operational model," the blog said.
</p>

<p>
	 
</p>

<p>
	CL0P did not immediately respond to an email seeking comment. Previously, the hacker group said it would soon be clear that Oracle had "bugged up their core product." 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://economictimes.indiatimes.com/tech/technology/google-says-dozens-of-organisations-affected-by-oracle-linked-hacking-campaign/articleshow/124425671.cms" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31788</guid><pubDate>Thu, 09 Oct 2025 17:21:50 +0000</pubDate></item><item><title>Major Discord hack exposes the real risks of digital ID</title><link>https://nsaneforums.com/news/security-privacy-news/major-discord-hack-exposes-the-real-risks-of-digital-id-r31787/</link><description><![CDATA[<p>
	Tens of thousands of Discord users may have seen their ID data hacked. This doesn't bode well for the UK's Digital ID push. 
</p>

<p>
	 
</p>

<p>
	The Discord user data breach offers yet another argument against the UK government’s authoritarian plans for Digital ID. A sensible government would consider the implications before forcing people to risk information with a stunt like this.
</p>

<p>
	 
</p>

<p>
	So, what happened? 
</p>

<p>
	 
</p>

<p>
	The online speculation is that millions of government ID data items might have been stolen in an attack against an identity verification service used by Discord. Discord says it has “identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.” 
</p>

<p>
	 
</p>

<p>
	It also said it is communicating with users affected by the hack and is working with law enforcement to investigate the matter.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What happened at Discord?</strong></span>
</p>

<p>
	 
</p>

<p>
	“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust &amp; Safety teams,” the company said in a statement.
</p>

<p>
	 
</p>

<p>
	The leaked information included:
</p>

<p>
	 
</p>

<ul>
	<li>
		Name, Discord username, email and other contact details provided to Discord customer support.
	</li>
	<li>
		Payment type, last four digits of credit cards, and purchase history if associated with an account.
	</li>
	<li>
		IP addresses.
	</li>
	<li>
		Customer service agent messages.
	</li>
	<li>
		Limited corporate data (training materials, internal presentations).
	</li>
	<li>
		A small number of government‑ID images (e.g., driver’s licenses or passports) from users who had appealed an age determination.
	</li>
</ul>

<p>
	 
</p>

<p>
	The data did not include passwords, authentication data, full credit card numbers, CCV codes or messages shared on Discord, beyond those with customer support.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>This is completely predictable</strong></span>
</p>

<p>
	 
</p>

<p>
	While I think the phrase “a small number” might be doing a lot of work here, the attack is completely predictable. It seems inevitable that once governments — such as the current UK administration — force users to share high-level security data simply to use social media, the unregulated services that verify those ID documents will become attractive targets for attack.
</p>

<p>
	 
</p>

<p>
	This is precisely what happened at Discord. That company turned to a third party to handle inquiries of this kind, that third party was hacked, and valuable data was stolen. This isn’t even the first such attack. A year ago, an attack against US ID verification service AU10TIX exposed names, dates of birth, nationality, identification numbers, the type of documents uploaded (such as a drivers’ license) and images of those documents. 
</p>

<p>
	 
</p>

<p>
	It is completely anti-intuitive to expect Discord will be the only ID verification partner facing attacks, and it is futile to believe for one iota of a second that this will be the only such partner to succumb to those attacks. That the ID provision companies are subject to only light regulation makes this a massive threat to digital security — particularly given potential links between them and foreign intelligence agencies.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Surveillance and security, UK style</strong></span>
</p>

<p>
	 
</p>

<p>
	This is a big challenge for UK users, so recently forced to share such information with social media services in response to the UK’s so-called Online Safety Act (a piece of legislation that leaves us all less safe than before). Anyone in the UK who shared this information with Discord’s ID verification service in response to that Act has been left exposed by the government’s ineptitude. It’s not as if experts on online privacy and security did not warn of the potential consequences, but the government chose not to listen, preferring to maintain its addiction to state surveillance. 
</p>

<p>
	 
</p>

<p>
	Every UK subject who finds their personal information compromised as a result of sharing ID documents — just to keep visiting their favorite online gaming community on Discord — has only one entity to blame, and it’s not Discord. It’s the UK government.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>The big picture</strong></span>
</p>

<p>
	 
</p>

<p>
	This absolutely won’t be the last big break-in for this kind of user data. Quite apart from financial fraud, criminals also know how to use legitimate passport data to create fake IDs. And the net result of hacks like this will be deep security exposure for UK citizens and a whole flotilla of fake documentation to be shared across criminal groups, hostile nation states, and refugees seeking safety. 
</p>

<p>
	 
</p>

<p>
	Indeed, far from making the online or physical world any safer, UK ineptitude has effectively created a big dollop of insecurity we haven’t even felt the impact of yet. As more such services are hacked, more damage will be done. 
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Prepare for worse</strong></span>
</p>

<p>
	 
</p>

<p>
	With the UK committed to forcing Digital ID on an unwilling nation, there is a high probability it will become a target. That would matter less if online security could be guaranteed, but it can’t. And these days, every business doing digital business has adopted a “when” not “if” approach to security.
</p>

<p>
	 
</p>

<p>
	In other words, they know they will be hacked or attacked one day, and will have plans in place for what to do when it happens. The UK ID experiment might approach security in a similar way, but it is certain it will be attacked, some attacks will succeed, and data stolen in those attacks will be abused. 
</p>

<p>
	 
</p>

<p>
	Discord’s misfortune is a warning of what’s to come. It is certainly an indication that before people are forced to use third-party verification services, a set of regulatory standards and a legal apparatus for generous compensation if a user is impacted should be in place.
</p>

<p>
	 
</p>

<p>
	At present, this does not exist, which means these systems leave us more exposed to fraud and other online harms than we were before.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.computerworld.com/article/4070276/major-discord-hack-exposes-the-real-risks-of-digital-id.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31787</guid><pubDate>Thu, 09 Oct 2025 17:19:18 +0000</pubDate></item><item><title>Computer mice can eavesdrop on private conversations, researchers discover</title><link>https://nsaneforums.com/news/security-privacy-news/computer-mice-can-eavesdrop-on-private-conversations-researchers-discover-r31762/</link><description><![CDATA[<p>
	High-end computer mice can be used to eavesdrop on the voice conversations of nearby PC users, researchers from the University of California, Irvine, have shown in a new proof-of-concept demonstration.
</p>

<p>
	 
</p>

<p>
	Given the catchy name ‘Mic-E-Mouse’ (Microphone-Emulating Mouse), the ingenious technique outlined in Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors is based on the discovery that some optical mice pick up incredibly small sound vibrations reaching them through the desk surfaces on which they are being used.
</p>

<p>
	 
</p>

<p>
	These vibrations could then be captured by different types of software on PC, Mac or Linux computers, including non-privileged ‘user space’ programs such as web browsers or games engines or, failing that, privileged components at OS kernel level.
</p>

<p>
	 
</p>

<p>
	Although the captured signals were inaudible at first, the team were able to enhance them using Wiener and neural network statistical filtering to boost signal strength relative to noise.
</p>

<p>
	 
</p>

<p>
	As the video demonstration of this process shows, this made it possible to extract spoken words from an eavesdropped data stream that at first sounded impossibly muffled.
</p>

<p>
	 
</p>

<p>
	“Through our Mic-E-Mouse pipeline, vibrations detected by the mouse on the victim user’s desk are transformed into comprehensive audio, allowing an attacker to eavesdrop on confidential conversations,” the researchers wrote.
</p>

<p>
	 
</p>

<p>
	Moreover, they said, this type of attack would be undetectable by defenders: “This process is stealthy since the vibrations signals collection is invisible to the victim user and does not require high privileges on the attacker’s side.”
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Side channel weakness</strong></span>
</p>

<p>
	 
</p>

<p>
	The technique is the latest example of a side channel attack as evidenced by a growing body of research looking at how components used for one purpose — a mouse, say — can inadvertently leak information in an unintended way.
</p>

<p>
	 
</p>

<p>
	But is an attack based on this methodology possible under real-world conditions?
</p>

<p>
	 
</p>

<p>
	What makes this attack practical is the sensitivity of today’s mice, both their high polling rate (the frequency at which they sample movement, measured in kHz), and the resolution with which they detect movement, measured in dots per inch (DPI).
</p>

<p>
	 
</p>

<p>
	The higher the polling rate and resolution, the more sensitive the mice become to sound. “Ultimately, these developments entail an increased usage of vulnerable mice by consumers, companies, and government entities, expanding the attack surface of potential vulnerabilities in these advanced sensor technologies,” said the researchers.
</p>

<p>
	 
</p>

<p>
	However, there are important caveats that limit the scope of Mic-E-Mouse. The noise level of the environment being eavesdropped upon must be low, with desks no more than 3cm thick, and with the mouse mostly stationary to isolate voice vibrations.
</p>

<p>
	 
</p>

<p>
	The researchers also used mice with a DPI of at least 20,000, significantly above that of the average mouse in use today.
</p>

<p>
	Under real-world conditions, extracting voice data would be possible but challenging. Attackers would likely only be able to capture some conversation, rather than everything being said.
</p>

<p>
	 
</p>

<p>
	Another weakness is that defending against it wouldn’t be difficult: using a rubber pad or mouse mat under a mouse would stop vibrations from being picked up.
</p>

<p>
	 
</p>

<p>
	Nevertheless, the technique demonstrates that mice should now be added to the growing list of computer peripherals susceptible to side channel data extraction under specific circumstances.
</p>

<p>
	 
</p>

<p>
	Previous research on audio side-channel attacks has largely focused on moving data the other way, from electrical signals to sound, as a way to escape air-gapped networks — for example through the use of speakers as both transmitters and receivers, or controlling the sounds generated by computer power supplies (PSUs).
</p>

<p>
	 
</p>

<p>
	Conventional eavesdropping techniques involve placing incredibly small sensors in valuable locations, which is why Papal Conclaves have for at least 20 years carefully swept all objects in the Sistine Chapel for covert listening devices.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.csoonline.com/article/4069723/computer-mice-can-eavesdrop-on-private-conversations-researchers-discover.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">31762</guid><pubDate>Thu, 09 Oct 2025 00:43:04 +0000</pubDate></item><item><title>Google will pay you up to $30,000 in rewards to find bugs in its AI products</title><link>https://nsaneforums.com/news/security-privacy-news/google-will-pay-you-up-to-30000-in-rewards-to-find-bugs-in-its-ai-products-r31739/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Google products included in the new AI bug bounty program include Gemini, Search, AI Studio, and Workspace.</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>ZDNET's key takeaways</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		The new program focuses on vulnerabilities related to AI products.
	</li>
	<li>
		Rewards range from $500 to $30,000.
	</li>
	<li>
		Aims to tackle past confusion concerning in-scope bugs and problems.
	</li>
</ul>

<p>
	<br />
	Google has launched a new bug bounty program aimed at addressing security flaws and bugs in products related to artificial intelligence (AI).
</p>

<p>
	 
</p>

<p>
	On Monday, Google security engineering managers Jason Parsons and Zak Bennett said in a blog post that the new program, an extension of the tech giant's existing Abuse Vulnerability Reward Program (VRP), will incentivize researchers and bug bounty hunters to focus on "high-impact abuse issues and security vulnerabilities" in Google products and services.
</p>

<p>
	 
</p>

<p>
	Researchers have earned more than $430,000 since 2023, when Google's bug bounties expanded to include AI-related issues. Now, it is hoped that a standalone program will encourage even more reports -- which could be crucial for the tech giant as it continues to integrate AI into its digital product suite.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>What qualifies as an acceptable AI-related bug bounty? </strong></span>
</p>

<p>
	<br />
	Google has separated potentially acceptable reports into the following areas:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Rogue actions:</strong> Attacks that modify accounts or data with a security impact. For example, the use of an indirect prompt to force Google Home to unlock a door.
	</li>
	<li>
		<strong>Sensitive data theft:</strong> Attacks leading to the theft of sensitive user data. These could include indirect prompt injections that send email summaries to a threat actor without user consent.
	</li>
	<li>
		<strong>Phishing enablement:</strong> Phishing attack vectors on Google websites that include persistent, cross-user HTML injections.
	</li>
	<li>
		<strong>Model theft:</strong> Security problems that could allow attackers to steal complete, confidential model parameters, such as exposed Google APIs.
	</li>
	<li>
		<strong>Context manipulation:</strong> Issues leading to the persistent manipulation of an AI environment without significant user interaction.
	</li>
	<li>
		<strong>Access control bypass:</strong> Attacks leading to data exfiltration from resources that shouldn't be accessible.
	</li>
</ul>

<p>
	<br />
	In addition, Google will consider reports detailing AI-related issues such as unauthorized product usage, cross-user denial of service, and other forms of abuse.
</p>

<p>
	 
</p>

<p>
	Products included in the new bug bounty program include Gemini, Google Search, AI Studio, and Google Workspace.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>There are some caveats</strong></span>
</p>

<p>
	<br />
	The Google engineers have been careful to point out specific out-of-scope items. These include jailbreaks, content-based issues, and AI hallucinations. The team noted at the end of last year that while some of these areas are of great interest to researchers, there can be difficulties in replicating the findings. For example, a jailbreak may only impact a user's own session.
</p>

<p>
	 
</p>

<p>
	"The team is aware of the community interest and continues to reassess our program scope around these issues," Google said.
</p>

<p>
	 
</p>

<p>
	Furthermore, issues found in Vertex AI or other Google Cloud products are not in scope for this program and should be reported via the company's Google Cloud VRP.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>Payouts</strong></span>
</p>

<p>
	<br />
	Reports accepted by Google provide different financial rewards and incentives, with payouts for most reports ranging from $500 to $20,000. For example, a bug bounty describing a severe rogue action could earn a researcher up to $10,000, whereas an access control bypass might pay out up to $2,500.
</p>

<p>
	 
</p>

<p>
	However, more cash may be on offer depending on the quality of reports and the "novelty" factor of reported vulnerabilities. The new program adopts the same approach as Google's wider VRP, and a bonus of up to $10,000 -- bringing the total to $30,000 -- for novel attacks is available.
</p>

<p>
	 
</p>

<p>
	"We're excited to be launching this new program, and we hope our valued researchers are too!" the engineers said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/google-will-pay-you-up-to-30000-in-rewards-to-find-bugs-in-its-ai-products/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">31739</guid><pubDate>Tue, 07 Oct 2025 15:17:48 +0000</pubDate></item><item><title>Medusa ransomware used during exploitation of GoAnywhere file transfer bug, Microsoft says</title><link>https://nsaneforums.com/news/security-privacy-news/medusa-ransomware-used-during-exploitation-of-goanywhere-file-transfer-bug-microsoft-says-r31723/</link><description><![CDATA[<p>
	 Cybercriminals are using the Medusa ransomware strain during exploitation of a vulnerability in a popular file transfer tool recently highlighted by federal cybersecurity officials. 
</p>

<p>
	 
</p>

<p>
	Microsoft published a report on Monday analyzing exploitation activity in multiple organizations involving CVE-2025-10035 — a critical vulnerability in Fortra's GoAnywhere managed file transfer solution.
</p>

<p>
	 
</p>

<p>
	The researchers attributed the activity to a cybercriminal group they call Storm-1175, noting that the threat actors are known for deploying the Medusa ransomware and for exploiting public-facing applications for initial access. 
</p>

<p>
	 
</p>

<p>
	“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware,” the company said.
</p>

<p>
	 
</p>

<p>
	After using the vulnerability for initial access, the hackers used the remote monitoring and management tools SimpleHelp and MeshAgent before moving laterally across systems within the compromised network. 
</p>

<p>
	 
</p>

<p>
	The researchers said they saw the successful deployment of Medusa ransomware in one compromised environment.
</p>

<p>
	 
</p>

<p>
	Fortra initially warned the public about the bug on September 18, saying they discovered it the week before, but the company has continually declined to say if they are aware of it being exploited by cybercriminals. According to Microsoft, exploitation was observed on September 11, the same day Fortra said they discovered the bug. 
</p>

<p>
	 
</p>

<p>
	Last week, the Cybersecurity and Infrastructure Security Agency (CISA) also confirmed that the vulnerability has been exploited and ordered all federal civilian agencies to patch the bug by October 20. 
</p>

<p>
	 
</p>

<p>
	For weeks prior to CISA’s notice, cybersecurity experts at the security firm watchTowr warned GoAnywhere users that the vulnerability was being exploited. Company CEO Benjamin Harris told Recorded Future News that organizations running the file transfer tool “have effectively been under silent assault since at least September 11, with little clarity from Fortra.” 
</p>

<p>
	 
</p>

<p>
	Fortra did not respond to requests for comment. 
</p>

<p>
	 
</p>

<p>
	“Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers,” Harris said. “What’s still missing are the answers only Fortra can provide. How did threat actors get the private keys needed to exploit this? Why were organizations left in the dark for so long?” 
</p>

<p>
	 
</p>

<p>
	The Medusa ransomware has been used to attack more than 300 organizations in critical infrastructure sectors since emerging in 2021, according to CISA and the FBI. 
</p>

<p>
	 
</p>

<p>
	Medusa drew widespread attention in 2023 for an attack on Minneapolis Public Schools that exposed troves of sensitive student documents impacting more than 100,000 people. 
</p>

<p>
	 
</p>

<p>
	In addition to attacks on the Pacific island nation of Tonga, it has targeted municipalities in France and government agencies in the Philippines as well as a technology company created by two of Canada’s largest banks. 
</p>

<p>
	 
</p>

<p>
	Government bodies in Illinois and Texas have also been affected by the group’s attacks. The group most recently took credit for an attack on NASCAR.  
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/medusa-ransomware-exploited-file-transfer" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31723</guid><pubDate>Mon, 06 Oct 2025 21:11:25 +0000</pubDate></item><item><title>80% of firms that experienced a ransomware attack have paid up, says research - generating millions of dollars of easy cash for criminals</title><link>https://nsaneforums.com/news/security-privacy-news/80-of-firms-that-experienced-a-ransomware-attack-have-paid-up-says-research-generating-millions-of-dollars-of-easy-cash-for-criminals-r31722/</link><description><![CDATA[<ul>
	<li>
		<span>    Eight in ten ransomware victims reported paying, yet recovery remained uncertain</span>
	</li>
	<li>
		<span>    Cyber criminals now target executive emails and contracts for leverage</span>
	</li>
	<li>
		<span>    Over half of companies reported attacks tied to AI vulnerabilities</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	New research has claimed smaller firms continue to face threats in the digital space, with ransomware attacks in particular hitting hard.
</p>

<p>
	 
</p>

<p>
	The latest Hiscox Cyber Readiness Report found that, out of nearly 6,000 businesses surveyed, well over half (59%) said they had been hit by some form of cyber attack over the past year.
</p>

<p>
	 
</p>

<p>
	Financial penalties followed for a third of those affected, with many reporting operational disruption, reputational damage, and even staff burnout.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Troubling reality of ransomware payments</strong></span>
</p>

<p>
	 
</p>

<p>
	Ransomware remains a major source of damage, and the report reveals that 27% of respondents had experienced such an attack, of which 80% admitted to paying a ransom.
</p>

<p>
	 
</p>

<p>
	Despite this, recovery was far from guaranteed as only 60% managed to regain all or part of their data, while nearly a third were asked to pay again after the initial transaction.
</p>

<p>
	 
</p>

<p>
	The findings suggest that paying attackers creates little certainty and may only encourage more extortion attempts.
</p>

<p>
	Calls are growing for greater transparency, with 71% of respondents stating that companies should be required to disclose ransom payments and the amounts involved.
</p>

<p>
	 
</p>

<p>
	The report notes that criminal groups are increasingly targeting sensitive business data such as contracts, executive emails, and financial information.
</p>

<p>
	 
</p>

<p>
	These items can be priced according to reputational value, making them easier to monetize than stolen personal details.
</p>

<p>
	 
</p>

<p>
	"Cyber criminals are now much more focused on stealing sensitive business data. Once stolen, they demand payment…pricing threats based on reputational damage,” said Eddie Lamb, Global Head of Cyber at Hiscox.
</p>

<p>
	 
</p>

<p>
	“This change has exposed gaps in some companies’ data loss prevention controls, which attackers are readily exploiting.”
</p>

<p>
	 
</p>

<p>
	At the same time, over half of respondents said they had suffered incidents linked to AI-related vulnerabilities, ranging from deepfakes to weaknesses in third-party AI applications.
</p>

<p>
	 
</p>

<p>
	Although nearly two-thirds (65%) still regard AI as more of an opportunity than a threat, the findings point to new risks that may not yet be fully understood by business leaders.
</p>

<p>
	 
</p>

<p>
	To counter these threats, firms are increasing their security budgets and adopting measures that include staff training and new technical safeguards.
</p>

<p>
	 
</p>

<p>
	Businesses are turning to layered defenses such as ransomware protection, automated malware removal, and comprehensive antivirus systems.
</p>

<p>
	 
</p>

<p>
	These solutions often combine firewalls, password managers, and secure backup tools to reduce vulnerabilities and strengthen overall resilience.
</p>

<p>
	 
</p>

<p>
	While these measures can reduce exposure, the scale of attacks suggests that no system is foolproof.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/80-of-firms-that-experienced-a-ransomware-attack-have-paid-up-says-research-generating-millions-of-dollars-of-easy-cash-for-criminals-heres-what-you-need-to-know" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31722</guid><pubDate>Mon, 06 Oct 2025 21:07:31 +0000</pubDate></item><item><title>Steam and Microsoft warn of Unity flaw exposing gamers to attacks</title><link>https://nsaneforums.com/news/security-privacy-news/steam-and-microsoft-warn-of-unity-flaw-exposing-gamers-to-attacks-r31711/</link><description><![CDATA[<p>
	A code execution vulnerability in the Unity game engine could be exploited to achieve code execution on Android and privilege escalation on Windows.
</p>

<p>
	 
</p>

<p>
	Unity is a cross-platform game engine and development platform that provides rendering, physics, animation, and scripting tools for developers to create titles for Windows, macOS, Android, iOS, consoles, and the web.
</p>

<p>
	 
</p>

<p>
	A large number of mobile games are built with Unity, as well as indie and mid-tier PC/console titles. The platform is also used in non-gaming industries for real-time 3D applications.
</p>

<h3>
	Valve and Microsoft warn users
</h3>

<p>
	In response to the risk, Steam has taken action by releasing a <a href="https://steamcommunity.com/groups/steamworks/announcements/detail/524229329545071275" rel="external nofollow" target="_blank">new Client update</a> that blocks the launching of custom URI schemes to prevent exploitation through its distribution platform.
</p>

<p>
	 
</p>

<p>
	At the same time, Valve recommends that publishers rebuild their games using a safe Unity version, or plug a patched version of the ‘UnityPlayer.dll’ file right into their existing builds.
</p>

<p>
	 
</p>

<p>
	Microsoft has also <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59489" rel="external nofollow" target="_blank">published a bulletin</a> to warn about the issue, recommending that users uninstall vulnerable games until new versions that address CVE-2025-59489 become available.
</p>

<p>
	 
</p>

<p>
	The company said that popular game titles are vulnerable, including Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs.
</p>

<p>
	 
</p>

<p>
	Unity recommends that developers update the editor to the latest version branch and then recompile and redeploy their games or applications.
</p>

<h3>
	Patch extended to some unsupported versions
</h3>

<p>
	The vulnerability is tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-59489" rel="external nofollow" target="_blank">CVE-2025-59489</a> and affects the Runtime component. It allows unsafe file loading and local file inclusion, and could lead to code execution and information disclosure.
</p>

<p>
	 
</p>

<p>
	GMO Flatt Security’s researcher ‘RyotaK’ discovered the vulnerability in May at the Meta Bug Bounty Researcher Conference and says that it affects all games built on versions of the engine starting with 2017.1.
</p>

<p>
	 
</p>

<p>
	“[The vulnerability] could allow local code execution and access to confidential information on end user devices running unity-built applications,”  Unity warns in its <a href="https://unity.com/security/sept-2025-01" rel="external nofollow" target="_blank">security bulletin</a>.
</p>

<p>
	 
</p>

<p>
	“Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.”
</p>

<p>
	 
</p>

<p>
	In a <a href="http://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/" rel="external nofollow" target="_blank">technical writeup</a>, RyotaK showed that Unity’s handling of Android Intents allows any malicious app installed on the same device as the vulnerable game to load and execute an attacker-supplied native library.
</p>

<p>
	 
</p>

<p>
	This enables the attacker to achieve arbitrary code execution with the target game’s privileges.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/QEhqb4A_MwQ?feature=oembed" title="Unity Arbitrary Code Execution Demonstration Video" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	While RyotaK discovered the issue on Android, the root cause, Unity’s handling of the <em>-xrsdk-pre-init-library</em> command line argument without proper validation or sanitization, is also present on Windows, macOS, and Linux operating platforms.
</p>

<p>
	 
</p>

<p>
	There are different input paths on these systems that can feed untrusted arguments or modify library search paths on the targeted application, so when conditions are met, exploitation is possible.
</p>

<p>
	 
</p>

<p>
	Unity states that it has observed no active exploitation as of the publication of its bulletin on October 2nd.
</p>

<p>
	 
</p>

<p>
	Fixes are available and the remediation steps include updating "the Unity Editor to the newest version then rebuild and redeploy the application" and replacing the Unity runtime binary with a patched version.
</p>

<p>
	 
</p>

<p>
	Unity has released fixes for out-of-support versions starting with 2019.1. Older versions that are no longer supported will not receive the patch.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/steam-and-microsoft-warn-of-unity-flaw-exposing-gamers-to-attacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 7 October 2025 at 6:14 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31711</guid><pubDate>Mon, 06 Oct 2025 20:15:11 +0000</pubDate></item><item><title>Meta is preparing another way to show you targeted ads and you can't opt out</title><link>https://nsaneforums.com/news/security-privacy-news/meta-is-preparing-another-way-to-show-you-targeted-ads-and-you-cant-opt-out-r31710/</link><description><![CDATA[<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2023/09/28/meta-ai-assistant-and-meta-ai-characters/" rel="external nofollow">When Meta launched its AI</a> into its core products WhatsApp, Facebook, and Instagram, it launched it with limited capacities. AI-based chat was the main feature, which works similarly to all other AI chats that you can use for free or as a paying customer.
</p>

<p>
	 
</p>

<p>
	Meta has since expanded the functionality of its AI, which can now summarize content on WhatsApp, among other things. It still cannot be disabled entirely, however.
</p>

<p>
	 
</p>

<p>
	<strong>Soon, all your interactions with AI may be used for personalizing content on all Meta platforms</strong>. <a data-wpel-link="external" href="https://about.fb.com/news/2025/10/improving-your-recommendations-apps-ai-meta/" rel="external nofollow" target="_blank">Meta announced</a> the change officially last week. It plans to use your interactions with AI to power advertisements and recommendations that it says will become more personal as a consequence.
</p>

<p>
	 
</p>

<ul>
	<li>
		Meta users who use Facebook, Instagram, or WhatsApp will be informed about the change from October 7 onward.
	</li>
	<li>
		The change lands on December 16, 2025 for users from most regions and countries.
	</li>
</ul>

<p>
	 
</p>

<p>
	While Meta does not provide a list of exceptions, it appears that users from the United Kingdom, South Korea, and the European Union won't have their AI chats used for those purposes at that time. The rollout may be delayed, just <a data-wpel-link="internal" href="https://www.ghacks.net/2025/03/20/meta-ai-expands-to-europe-limited-features-rolled-out-on-whatsapp-facebook-and-instagram/" rel="external nofollow">like the initial rollout of Meta AI was delayed in those regions</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="Meta Notification AI use ads" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/10/01_Notification_Carousel-01-1-scaled.webp">
</p>

<p>
	 
</p>

<p>
	Meta says that this helps provide more relevant content (and ads) to users. Currently, <a data-wpel-link="internal" href="https://www.ghacks.net/2025/01/28/meta-ais-new-features-make-recommendations-more-personal-than-ever/" rel="external nofollow">Meta uses interactions for this very purpose</a>. When users like or post, this content may be used to push what Meta believes are related posts or ads into a user's feed.
</p>

<p>
	 
</p>

<p>
	<strong>The interactions with Meta AI will become another signal that Meta uses for the delivery of ads and for recommendations</strong>. For example, when you ask about a vacation destination, you might get ads around that, such as hotels in the location, day trips, or transfers.
</p>

<p>
	 
</p>

<p>
	<strong>There is no opt-out</strong>, similarly to how it is not possible to turn off Meta AI entirely at this time. However, users may continue to ignore the AI by not interacting with it to avoid giving Meta yet another signal for ads and personalization.
</p>

<p>
	 
</p>

<p>
	Meta says that it is blocking certain sensitive topics automatically from being used for the purpose. Topics such as religion, politics, or health won't be used for advertising on the company's platforms.
</p>

<p>
	 
</p>

<p>
	Meta users may add certain topics to a list of ads that they do not want to see. This may not prevent them entirely, but Meta claims that doing so will reduce the frequency with which these ads are shown.
</p>

<p>
	 
</p>

<p>
	<em>Now You: Have you used Meta's AI in the past already or are using it regularly? Or do you prefer an AI-free environment? Feel free to leave a comment down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/10/06/meta-is-preparing-another-way-to-show-you-targeted-ads-and-you-cant-opt-out/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 7 October 2025 at 6:13 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31710</guid><pubDate>Mon, 06 Oct 2025 20:14:15 +0000</pubDate></item><item><title>Linux Desktop Security: 5 Key Measures [Video]</title><link>https://nsaneforums.com/news/security-privacy-news/linux-desktop-security-5-key-measures-video-r31697/</link><description><![CDATA[<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/IqXK8zUfDtA?feature=oembed" title="Linux Desktop Security: 5 Key Measures" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.youtube.com/@ExplainingComputers" rel="external nofollow" target="_blank">ExplainingComputers</a> (1.13M subscribers)
</p>

<p>
	 
</p>

<p>
	October 5, 2025
</p>

<p>
	 
</p>

<p>
	Video length: 18m 57s
</p>

<p>
	 
</p>

<p>
	How to keep your Linux PC secure, by automating updates, turning on a firewall, running appropriate antivirus and wider antimalware software, user account control, and appropriate user behaviour.
</p>

<p>
	 
</p>

<p>
	00:00 Titles &amp; Intro 
</p>

<p>
	00:56 Security Components 
</p>

<p>
	02:09 Security Updates 
</p>

<p>
	06:15 Firewalls 
</p>

<p>
	10:30 Antivirus &amp; Antimalware 
</p>

<p>
	14:30 User Account Management 
</p>

<p>
	16:43 Appropriate User Behaviour
</p>

<p>
	 
</p>

<p>
	<a href="https://www.youtube.com/watch?v=IqXK8zUfDtA" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Monday 6 October 2025 at 2:45 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31697</guid><pubDate>Sun, 05 Oct 2025 16:48:29 +0000</pubDate></item><item><title>Six out of 10 UK secondary schools hit by cyber-attack or breach in past year</title><link>https://nsaneforums.com/news/security-privacy-news/six-out-of-10-uk-secondary-schools-hit-by-cyber-attack-or-breach-in-past-year-r31696/</link><description><![CDATA[<p>
	When hackers attacked UK nurseries last month and published children’s data online, they were accused of hitting a new low.
</p>

<p>
	 
</p>

<p>
	But the broader education sector is well used to being a target.
</p>

<p>
	 
</p>

<p>
	According to a UK government survey, educational institutions are more likely to face a cyber-attack or security breach than private businesses.
</p>

<p>
	 
</p>

<p>
	Six out of 10 secondary schools have suffered an attack or breach over the past 12 months, rising to eight out of 10 for further education colleges and nine out of 10 for higher education institutions. By comparison, four out of 10 businesses have faced a breach or attack – roughly the same proportion as primary schools.
</p>

<p>
	 
</p>

<p>
	Toby Lewis, the global head of threat analysis at the cybersecurity firm Darktrace, says the UK education sector is not necessarily being targeted deliberately. “They are just getting caught up in the dragnet of cybercrime attacks that are out there,” he says, adding that there is an “element of randomness and opportunism” in the targeting of cybercrime victims.
</p>

<p>
	 
</p>

<p>
	The BBC reported last week that Kido, the nursery business targeted by a hacking group calling itself Radiant, was targeted after an “initial access broker” sold access to Kido’s systems to Radiant, a common scenario in cybercrime circles.
</p>

<p>
	 
</p>

<p>
	The government data, from its annual cyber security breaches survey, is based on a survey of nearly 300 secondary and primary schools in the UK as well as more than 30 higher education institutions, including universities. It defines a cyber-attack as an “attempt” to breach a target’s IT systems, which includes sending “phishing” emails that attempt to trick the recipient into handing over sensitive information such as a password.
</p>

<p>
	 
</p>

<p>
	A phishing email was the most common form of attack for universities and schools.
</p>

<p>
	 
</p>

<p>
	Ransomware attacks have become a well-known form of cybercrime in the UK. Attackers typically encrypt a target’s IT systems and steal data – then demand a payment in bitcoin for decrypting the systems and destroying or returning the data.
</p>

<p>
	 
</p>

<p>
	West Lothian council’s education network was hit by a ransomware attack this year that resulted in data being taken from some schools, while universities hit by cyber attacks in recent years include Newcastle University, the University of Manchester and the University of Wolverhampton.
</p>

<p>
	 
</p>

<p>
	Lewis adds that state schools might be more vulnerable to attacks because of pressure on funding and a lack of specialist expertise, while universities are vulnerable because they have thousands of young students who might not be cyber security-literate, as well as having computer networks that are designed to foster academic cooperation.
</p>

<p>
	 
</p>

<p>
	Universities appear to be popular targets. Further and higher education institutions are affected most regularly, with three out of 10 reporting a breach or attack on a weekly basis, according to the government. Despite, or perhaps because of, the number of attacks, the education sector is more aware of government initiatives on preventing cybercrime than businesses and charities.
</p>

<p>
	 
</p>

<p>
	Pepe Di’lasio, the general secretary of the UK association of school and college leaders, said ransomware attacks were a “major risk” to the sector and a “great deal of work” was going on to protect systems and data.
</p>

<p>
	 
</p>

<p>
	James Bowen, assistant general secretary at the national association of head teachers, said additional government funding to help school leaders spot and respond to cyber threats would “certainly be welcome”.
</p>

<p>
	 
</p>

<p>
	The Department for Education said its support for schools included a dedicated team for responding to cyber incidents and working closely with the UK’s National Cyber Security Centre to offer free training for school staff. “We take the cybersecurity of our schools seriously, understanding the significant disruption attacks can cause, and there is a range of support on offer for schools,” said its spokesperson.
</p>

<p>
	 
</p>

<p>
	Kido’s hackers have deleted the data they took from the company, including profiles of children, following a backlash against the hack.
</p>

<p>
	 
</p>

<p>
	Government data, however, shows that the wider education sector remains a target. Ministers are preparing to ban schools, the NHS and local councils from making ransomware payments under government proposals to tackle hackers, which might help dissuade assailants. In the meantime, the attacks continue.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://uk.finance.yahoo.com/news/six-10-uk-secondary-schools-140040851.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31696</guid><pubDate>Sun, 05 Oct 2025 16:45:58 +0000</pubDate></item><item><title>Microsoft Outlook will no longer show inline SVG images regularly exploited in phishing attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-outlook-will-no-longer-show-inline-svg-images-regularly-exploited-in-phishing-attacks-r31694/</link><description><![CDATA[<p>
	<span>Users will just see blank spaces where these images would have been</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Outlook stops showing inline SVG images to limit phishing and malware risks</strong>
	</li>
	<li>
		<strong>Microsoft continues retiring risky features across Office and Windows platforms for protection</strong>
	</li>
	<li>
		<strong>Company balances user impact with security, ensuring SVG attachments remain fully supported</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	Malicious use of SVG files has become more and more common in recent years, with attackers relying on the format to deliver malware and build phishing pages.
</p>

<p>
	 
</p>

<p>
	In response, Microsoft is changing how Outlook handles this type of content and will now prevent inline SVG images from appearing in Outlook for Web or in the new Outlook for Windows.
</p>

<p>
	 
</p>

<p>
	In a Microsoft 365 Message Center update, the tech giant said, "Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>A small impact</strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft won't be fully blocking SVG files, however.
</p>

<p>
	 
</p>

<p>
	"SVG images sent as classic attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks," the company added.
</p>

<p>
	 
</p>

<p>
	Microsoft says fewer than 0.1% of images in Outlook use this method, so the impact on typical communication should be minor.
</p>

<p>
	The decision is part of Microsoft’s wider strategy to reduce the number of features that attackers can abuse.
</p>

<p>
	 
</p>

<p>
	Over the past several years, the company has retired or restricted functions in both Office and Windows that have been used in phishing or malware campaigns.
</p>

<p>
	 
</p>

<p>
	Earlier in 2025, Outlook Web and the Outlook for Windows began blocking .library-ms and .search-ms files, which Bleeping Computer notes had been exploited in attacks against government targets since at least 2022.
</p>

<p>
	 
</p>

<p>
	Microsoft has also implemented protections against macros and add-ins in its productivity software. Changes include blocking VBA Office macros by default, adding protection for Excel 4.0 macros, disabling untrusted XLL add-ins and ActiveX controls in Microsoft 365 and Office 2024 apps, and removing support for VBScript.
</p>

<p>
	 
</p>

<p>
	The full list of formats now blocked is available to view in Microsoft’s documentation.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/microsoft-outlook-will-no-longer-show-inline-svg-images-regularly-exploited-in-phishing-attacks" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31694</guid><pubDate>Sun, 05 Oct 2025 16:41:52 +0000</pubDate></item></channel></rss>
