The attack occurred on September 20 and affected “a limited number of users” who interacted with Discord’s customer support and/or Trust and Safety teams.

Discord was created as a communication platform for gamers, who represent more than 90% of the userbase, but expanded to various other communities, allowing text messages, voice chats, and video calls.

According to the platform’s statistics, more than 200 million people are using Discord every month.

Hackers demanded a ransom

In the notification to affected users, the messaging company says that the attack occurred on September 20 and “an unauthorized party gained limited access to a third-party customer service system used by Discord.”

On Friday, Discord disclosed the incident publicly, saying that it took immediate action to isolate the support provider from its ticketing system and started an investigation.

This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement - Discord

The attack appears to be financially motivated, as the hackers demanded a ransom from Discord in exchange for not leaking the stolen information.

Exposed data includes personally identifying information such as real names and usernames, email addresses, and other contact details provided to the support team.

The social communication service says IP addresses, messages and attachments sent to customer service agents were also compromised.

The hackers also accessed photos of government-issued identification documents (driver’s license, passport) for a small number of users.

Partial billing info, like payment type, the last four credit card digits, and purchase history associated with the compromised account, were exposed as well.

VX-Underground security group notes that the type of data stolen from Discord users represents “literally peoples [sic] entire identity.”

Alon Gal, Chief Technology Officer at threat intelligence company Hudson Rock, believes that if the hackers release the Discord data, it could provide crucial information to help uncover or solve crypto hacks and scams.

“I’ll just say that if it leaks, this db is going to be huge for solving crypto related hacks and scams because scammers don’t often remember using a burner email and VPN and almost all of them are on Discord,” says Alon Gal, Chief Technology Officer at Hudson Rock

Currently, it is unclear how many Discord users are affected, and the name of the third-party provider or the access vector has not been disclosed publicly.

However, the Scattered Lapsus$ Hunters (SLH) threat group claimed the attack saying that they breached a Zendesk instance used by Discord for customer support.

An image the hackers posted online shows a Kolide access control list for Discord employees with access to the admin console. Kolide is a device trust solution that connects to Okta cloud-based Identity and Access Management (IAM) service for multi-factor authentication.

SLH confirmed to BleepingComputer that it was a Zendesk breach that allowed them to steal the Discord user data.

BleepingComputer contacted Discord with a request for more details about the attack, but a comment from the social communications platform was not immediately available.

It is worth noting that hundreds of companies had their Salesforce instances compromised after the ShinyHunters extortion group accessed them using stolen Salesloft Drift OAuth tokens.

Last month, the hackers claimed to have stolen more than 1.5 billion Salesforce records from 760 companies.

More recently, ShinyHunters launched a data leak site listing more than three dozen victims.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 5 October 2025 at 3:47 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533

RIP Matrix

The sneaky prompt injection attack plays out in the form of a malicious link that, when clicked, triggers the unexpected behavior unbeknownst to the victims.

Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity's agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar.

The sneaky prompt injection attack plays out in the form of a malicious link that, when clicked, triggers the unexpected behavior unbeknownst to the victims.

"CometJacking shows how a single, weaponized URL can quietly flip an AI browser from a trusted co-pilot to an insider threat," Michelle Levy, Head of Security Research at LayerX, said in a statement shared with The Hacker News.

"This isn't just about stealing data; it's about hijacking the agent that already has the keys. Our research proves that trivial obfuscation can bypass data exfiltration checks and pull email, calendar, and connector data off-box in one click. AI-native browsers need security-by-design for agent prompts and memory access, not just page content."

The attack, in a nutshell, hijacks the AI assistant embedded in the browser to steal data, all while bypassing Perplexity's data protections using trivial Base64-encoding tricks. The attack does not include any credential theft component because the browser already has authorized access to Gmail, Calendar, and other connected services.

It takes place over five steps, activating when a victim clicks on a specially crafted URL, either sent in a phishing email or present in a web page. Instead of taking the user to the "intended" destination, the URL instructs the Comet browser's AI to execute a hidden prompt that captures the user's data from, say, Gmail, obfuscates it using Base64-encoding, and transmits the information to an endpoint under the attacker's control.

The crafted URL is a query string directed at the Comet AI browser, with the malicious instruction added using the "collection" parameter of the URL, causing the agent to consult its memory rather than perform a live web search.

While Perplexity has classified the findings as having "no security impact," they once again highlight how AI-native tools introduce new security risks that can get around traditional defenses, allow bad actors to commandeer them to do their bidding, and expose users and organizations to potential data theft in the process.

In August 2020, Guardio Labs disclosed an attack technique dubbed Scamlexity wherein browsers like Comet could be tricked by threat actors into interacting with phishing landing pages or counterfeit e-commerce storefronts without the human user's knowledge or intervention.

"AI browsers are the next enterprise battleground," Or Eshed, CEO of LayerX, said. "When an attacker can direct your assistant with a link, the browser becomes a command-and-control point inside the company perimeter. Organizations must urgently evaluate controls that detect and neutralize malicious agent prompts before these PoCs become widespread campaigns."

Source

Nextron Systems security researchers, who identified the malware and dubbed it "Plague," describe it as a malicious Pluggable Authentication Module (PAM) that uses layered obfuscation techniques and environment tampering to avoid detection by traditional security tools.

This malware features anti-debugging capabilities to thwart analysis and reverse engineering attempts, string obfuscation to make detection more difficult, hardcoded passwords for covert access, as well as the ability to hide session artifacts that would normally reveal the attacker's activity on infected devices.

Once loaded, it will also scrub the runtime environment of any traces of malicious activity by unsetting SSH-related environment variables and redirecting command history to /dev/null to prevent logging, eliminating audit trails and login metadata, and erasing the attacker's digital footprint from system history logs and interactive sessions.

"Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces.

Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools," threat researcher Pierre-Henri Pezier said.

"The malware actively sanitizes the runtime environment to eliminate evidence of an SSH session. Environment variables such as SSH_CONNECTION and SSH_CLIENT are unset using unsetenv, while HISTFILE is redirected to /dev/null to prevent shell command logging."

While analyzing the malware, the researchers also discovered compilation artifacts indicating active development over an extended period, with samples compiled using various GCC versions across different Linux distributions.

Additionally, although multiple variants of the backdoor have been uploaded to VirusTotal over the past year, none of the antivirus engines have flagged them as malicious, suggesting that the creators of the malware have been operating undetected.

"The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence," Pezier added. "Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods."

In May, Nextron Systems discovered another malware exploiting the flexibility of the PAM (Pluggable Authentication Modules) Linux authentication infrastructure, which enables its creators to steal credentials, bypass authentication, and gain stealthy persistence on compromised devices.

Source

Though Gmail already encrypts your data in transit using TLS, this is a different beast entirely. Client-side encryption on Gmail means additional encryption is handled by the browser before your data ever hits Google's servers. This locks down the email body, including images and attachments, while the header, which contains the subject line and recipients, will not have that extra layer of security.

By "anyone", Google means even those with a different email provider, like Outlook or a custom domain. This new system gets around the old, painful requirement of manually exchanging S/MIME security certificates between sender and recipient. Instead of that technical headache, an external recipient gets an email notification. To read the message, they simply use a link to sign in through a secure portal with a temporary Google guest account.

If you're ever on the receiving end of these encrypted emails, you'd notice that the email does not contain the message itself, but a notification. To read it, you click the encrypted message notification, then "View message". You will have to verify your email address by having a code sent to you, and after entering it, follow the on-screen instructions to get access.

Sending an E2EE email via Gmail is also simple. First, click "Compose" to start a new email. In the corner of the message window, there should be a "Message security" button. Click that, find the "Additional encryption" option, and click "Turn on". Just make sure you do this before you start drafting your email. If you turn encryption on after you have already started writing, Gmail will delete your draft and open a new, blank one.

For admins, the ability to send CSE emails externally is turned off by default and must be enabled at the OU and Group level.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 3 October 2025 at 5:05 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533

RIP Matrix

Jokes aside, the timing couldn't be worse. Yesterday, Meta announced that it will be updating its privacy policy by December 16. Why? Because Meta says that it will use the data collected from user interactions with its AI, to sell targeted ads across its social networks. So, how is this going to work, privacy-wise? Well, that's another story.

In his "myth busting video",  Mosseri says that he has had a lot of conversations about devices listening to users. He says that even his wife discussed this with him a few times. Mosseri asserted that Instagram does not listen to users, it does not use the microphone. He said eavesdropping would be a gross violation of privacy. Mosseri went on to explain that users would notice that their phone's battery was draining, or notice the mic light on their phone (or icon) that indicates the mic is being used.

He said that users may see relevant ads when they tapped on something or searched for the product online, before the conversation even took place. Mosseri also explained that the company was working with advertisers to sell targeted ads to those who visited websites. That's not uncommon. Instagram ads could also be displayed if it thinks they could be something the user is interested in, or if their friend likes a product, or has similar people in their friends circle who share similar interests. He also said that people may be misremembering things, and that they may have actually seen the ad previously while scrolling past it. Mosseri says that such relevant ads could also be due to random chance, coincidence.

There have been reports about microphones on devices listening and being used to deliver targeted ads in the past. I don't normally write articles about Instagram or Facebook, but this time I was keen on it. Because, this "my phone is listening to my conversation" thing has happened to my friends quite a few times, and I have been directly involved in some of those.

A couple of years ago, a friend and I were making plans for visiting the local Book Fair that's held in our city. There was no Google Maps or search involved during the conversation. We started discussing the topic because we saw a real-life banner about the fair, and made plans to visit the place. A few minutes later, my friend handed me his phone with the Facebook app open, and it had some ads for books. Coincidence? I asked him if he shared anything about Books on Facebook recently, his reply was "never".

Here's another anecdote from August 2025, which was way too similar to the previous experience. I like traditional wristwatches, and have a decent collection. I was talking to a friend explaining about a watch that I had bought recently. A while later he opened Instagram on his computer, not on his phone, and guess which ads he got? Watches, there were like 20 reels continuously about watches. (Ignore my friend's typo: he meant ad blocker. Swiftkey users know the pain)

I don't have Facebook or Instagram, and didn't know how to help him. We were both amused and kind of shocked that Instagram targeted him with ads for watches, a topic that he isn't usually interested in, he said he had never searched about watches on his devices, he doesn't even wear smartwatches, let alone traditional ones. Aren't reels supposed to be based on trends or your viewing history? My friend said that maybe Instagram was open on his phone, and was listening in on us. Not the words I wanted to hear, and definitely not comforting.

Regular readers may know that I use Firefox. I have containers for various things, my shopping, reading habits are confined to unique containers, so cross-site tracking is protected. Even search engines don't have access to the websites I use, I watch YouTube without signing in, and that's in a separate container which is isolated from my Google container. The fact that there is no explanation for the random-yet-accurate Facebook/Instagram ads is, has me vexed. I want a logical explanation, not guesswork, or so-called coincidences.

Just to be clear, I'm not anti-Facebook or Instagram, I just don't like their privacy practices. I don't go around preaching against social networks, because I know people rely on these apps to stay in touch with their family and friends. The fact these companies are exploiting users (and those around them, like me) without their knowledge, is what troubles me. Some of you have criticized my anti-AI stance, well this is partly why, it's more of a pro-privacy thing.

Have you experienced similar incidents when your phone was listening to you?

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 3 October 2025 at 4:18 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

The flaw, tracked identified as CVE-2025-10547, was reported to the vendor on July 22 by ChapsVision security researcher Pierre-Yves Maes.

"The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI)," reads DrayTek's security advisory.

"Successful exploitation may cause memory corruption and a system crash, with the potential in certain circumstances could allow remote code execution."

DrayTek noted that WAN exposure can be reduced by disabling remote WebUI/SSL VPN access or restricting it with ACLs/VLANs. However, the WebUI remains reachable over LAN, exposed to local attackers.

Maes told BleepingComputer that the root cause for CVE-2025-10547 is an uninitialized stack value that can be leveraged to cause the free() function to operate on arbitrary memory locations, also known as arbitrary free(), to achieve remote code execution (RCE).

The researcher successfully tested his findings by creating an exploit and running it on DrayTek devices.

DrayTek's security bulletin does not mention ongoing exploitation, but it is recommended to mitigate the risk.

Below are the models impacted by CVE-2025-10547, and the recommended firmware version upgrade target to mitigate the flaw:

• Vigor1000B, Vigor2962, Vigor3910/3912 → 4.4.3.6 or later (some models 4.4.5.1)
• Vigor2135, Vigor2763/2765/2766, Vigor2865/2866 Series (incl. LTE & 5G), Vigor2927 Series (incl. LTE & 5G) → 4.5.1 or later
• Vigor2915 Series → 4.4.6.1 or later
• Vigor2862/2926 Series (incl. LTE) → 3.9.9.12 or later
• Vigor2952/2952P, Vigor3220 → 3.9.8.8 or later
• Vigor2860/2925 Series (incl. LTE) → 3.9.8.6 or later
• Vigor2133/2762/2832 Series → 3.9.9.4 or later
• Vigor2620 Series → 3.9.9.5 or later
• VigorLTE 200n → 3.9.9.3 or later

DrayTek routers, especially Vigor models, are very common in prosumer and small to medium business (SMB) environments. The list of impacted models covers a broad range, from flagship models to older routers used in DLS/telecom environments.

System administrators are recommended to apply the available firmware security updates as soon as possible. Maes says he will disclose the full technical details for CVE-2025-10547 tomorrow.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 3 October 2025 at 4:17 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

In a service alert seen by BleepingComputer, Redmond said that this known issue affects Dell devices and is caused by a Defender for Endpoint logic bug.

"Microsoft have identified that a code bug in the Microsoft Defender for Endpoint logic that fetches vulnerabilities for Dell devices is causing impact," the company said earlier today.

"Your organization is affected by this event, and some users receiving Microsoft Defender for Endpoint alerts for the BIOS version of their Dell devices are impacted."

While the company has already developed a fix for this bug and is currently preparing it for deployment, it has yet to disclose the regions and the number of customers impacted by these ongoing Defender XDR issues.

Today, Microsoft engineers have also fixed black screen crashes impacting macOS devices that were updated after September 29, due to a deadlock in the Apple enterprise security framework that occurs when multiple security providers are listening to events.

Earlier this month, Redmond fixed another false positive that was causing an anti-spam service to erroneously block Microsoft Teams and Exchange Online users from opening URLs.

Microsoft stated at the time that the issue was caused by the anti-spam engine incorrectly flagging URLs contained within other URLs as potentially malicious, which also resulted in some emails being quarantined.

Since the start of the year, it has also addressed machine-learning bugs that mistakenly flagged Adobe emails in Exchange Online as spam, one that caused anti-spam systems to quarantine some Exchange Online users' emails incorrectly, and a third that led to emails from Gmail accounts being tagged as spam in Exchange Online by mistake.

This is a developing story...

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 3 October 2025 at 4:16 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

For context, last month, BoF sued Meta, the parent company of Facebook and Instagram, for violating the Digital Services Act (DSA). If you're not familiar, Bits of Freedom is a Dutch non-profit advocacy group that fights for privacy and digital rights. The organization has this annual event, the Big Brother Awards, where it names and shames the year's biggest privacy violators (check out last year's winners here).

In its lawsuit against Meta, the digital human rights organization argued that Meta fails to give users the choice to permanently opt out of its algorithmic feeds. This is something that it sees as a problem during election periods, like the one leading up to the Dutch elections on October 29.

In Instagram's case, the option for a chronological feed was hidden behind the Instagram logo. On Facebook, you'd have to go all the way to a different menu to find it. The court's ruling called this implementation a forbidden "dark pattern" under Article 25 of the DSA, because it creates "choice fatigue" by constantly resetting the user's selection.

The DSA was proposed by the EU alongside the Digital Markets Act (DMA) back in 2020. This law forces platforms to get their act together by establishing rules for tackling illegal content, giving users the right to challenge moderation decisions, and demanding transparency about the algorithms they use, and specifically targets "Very Large Online Platforms" (VLOPs) and "Very Large Online Search Engines" (VLOSEs), services that have over 45 million monthly active users in the EU.

Companies that have pushed back against these regulations include Meta itself, which has warned that the rules could lead to censorship, and X, where Elon Musk has resisted the EU's content moderation policies.

Following the court order, Meta has two weeks to make the user's choice for a non-profiled, chronological feed persistent and more accessible. This means the setting must be saved even if you close the app or navigate to a different section. If Meta fails to comply, it will face a penalty of €100,000 per day for failure to do so, with a maximum fine of €5,000,000.

Meta is also required to pay BoF's legal fees. Maartje Knaap, spokesperson for BoF, said it is "absolutely unacceptable that a handful of American tech billionaires determine how we see the world" and that the decision "shows that Meta is not untouchable."

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 3 October 2025 at 4:15 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Facebook, Instagram, and WhatsApp users may want to be extra careful while using Meta AI, as Meta has announced that it will soon be using AI interactions to personalize content and ad recommendations without giving users a way to opt out.

Meta plans to notify users on October 7 that their AI interactions will influence recommendations beginning on December 16. However, it may not be immediately obvious to all users that their AI interactions will be used in this way.

The company's blog noted that the initial notification users will see only says, "Learn how Meta will use your info in new ways to personalize your experience." Users will have to click through to understand that the changes specifically apply to Meta AI, with a second screen explaining, "We'll start using your interactions with AIs to personalize your experience."

Ars asked Meta why the initial notification doesn't directly mention AI, and Meta spokesperson Emil Vazquez said he "would disagree with the idea that we are obscuring this update in any way."

"We're sending notifications and emails to people about this change," Vazquez said. "As soon as someone clicks on the notification, it's immediately apparent that this is an AI update."

In its blog post, Meta noted that "more than 1 billion people use Meta AI every month," stating its goals are to improve the way Meta AI works in order to fuel better experiences on all Meta apps. Sensitive "conversations with Meta AI about topics such as their religious views, sexual orientation, political views, health, racial or ethnic origin, philosophical beliefs, or trade union membership "will not be used to target ads, Meta confirmed.

"You're in control," Meta's blog said, reiterating that users can "choose" how they "interact with AIs," unlink accounts on different apps to limit AI tracking, or adjust ad and content settings at any time. But once the tracking starts on December 16, users will not have the option to opt out of targeted ads based on AI chats, Vazquez confirmed, emphasizing to Ars that "there isn't an opt out for this feature."

Meta likens recommendations based on AI chats to those based on liking a photo or following a page. But consider how much more Meta can glean from a user interacting with AI about their love of hiking than it can from a user liking a photo or following a hiking group page.

Many reports document that people tend to overshare with AI, which many ChatGPT users regretted after their private chats temporarily started appearing in Google search results. Meta faced a similar controversy when users realized that the Meta AI app's Discover tab "was full of conversations with a chatbot that people didn't realize had been posted to a public feed," Business Insider reported, noting, "That was really bad! A huge privacy headache!" For that reason, Meta users who don't want to see targeted content and ads based on more revealing chats may want to alter their habits.

Most Meta users globally will be impacted by the update, which also applies to Meta wearables, like its "expanding line of smart glasses," which offer Meta AI a rich data source of voice recordings, images, and videos, MediaPost reported. Only regions with strict data laws—like the European Union, the United Kingdom, and South Korea—will be spared.

Meta insists AI is the future of Facebook, but not in EU

Notably, last year, Meta faced backlash in the EU, where it was accused of using "dark patterns" to discourage AI opt-outs. At that time, head of Facebook Tom Alison described "the future of Facebook" as being all about developing "the world’s best recommendation technology" and "building one of the world’s best collections of open models, tools, and resources for generative AI." More recently, Mark Zuckerberg suggested that social media users would likely find AI content more engaging than their friends, then released a "Vibes" feed on the Meta AI app that critics slammed as a flood of "AI slop."

With Meta's announcement this week, it seems like the company is moving ahead with its AI mission in every market that allows it. At the same time, the EU's Digital Service Act (DSA) has won EU users even more freedom to control their feeds on Meta apps.

On Thursday, Bits of Freedom—a Netherlands-based advocacy group specially focused on privacy and freedom of communication—announced that a judge ruled Meta must respect users' choice to avoid invasive personalized feeds. Within two weeks, Meta must update its apps to allow EU users the choice of sticking with a chronological feed that is not based on profiling.

Bits of Freedom sued Meta under the DSA, reminding the court that "one of the core elements of the DSA is that users must have greater influence over the information they see."

Ultimately, the judge agreed, ruling that Meta—which Bits of Freedom said used "subtle design tricks" to steer users to feeds "where it can show as many interest and behavior based ads as possible"—must promptly make changes to comply with the DSA.

Meta declined to comment on the ruling, while Bits of Freedom warned that areas with weak privacy laws could be facing threats to democracy as tech companies strive for greater control over what content shows up in social media feeds.

"For many people, and especially for young people, social media platforms are a major source of news and information," Bits of Freedom said. "Therefore, it is crucial that users themselves can decide which content appears on their feed. Without that freedom of choice, participation in the public debate is seriously hampered."

Maartje Knaap, a spokesperson for Bits of Freedom, said it's "regrettable that we need to go to court to ensure Meta complies with the law," noting that users especially need to control their feeds ahead of elections.

"It is absolutely unacceptable that a handful of American tech billionaires determine how we see the world," Knaap said. "That concentration of power poses a risk to our democracy."

In the US, where data privacy laws are less strict, advocates are similarly concerned about social media feeds coming under the control of a handful of billionaires—particularly after Donald Trump said he wants TikTok to be tweaked to be "100 percent MAGA" under US ownership. Last year, Meta came under fire for boosting AI posts that researchers linked to misinformation, NPR reported. And a future where AI distorts feeds and helps misinformation spread faster remains a concern, especially after Trump used his own social media platform, Truth Social, to post "a 35-second AI-generated video filled with crude insults, racial overtones, and bizarre conspiracy theories," Ars noted earlier this week.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 3 October 2025 at 4:14 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

The UK government has issued a new order to Apple to create a backdoor into its cloud storage service, this time targeting only British users’ data, despite US claims that Britain had abandoned all attempts to break the tech giant’s encryption.

The UK Home Office demanded in early September that Apple create a means to allow officials access to encrypted cloud backups, but stipulated that the order applied only to British citizens’ data, according to people briefed on the matter.

A previous technical capability notice (TCN) issued in January sought global access to encrypted user data. That move sparked a diplomatic clash between the UK and US governments and threatened to derail the two nations’ efforts to secure a trade agreement.

In February, Apple withdrew its most secure cloud storage service, iCloud Advanced Data Protection, from the UK.

“Apple is still unable to offer Advanced Data Protection in the United Kingdom to new users,” Apple said on Wednesday. “We are gravely disappointed that the protections provided by ADP are not available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

It added: “As we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”

The Home Office said: “We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices.

“We will always take all actions necessary at the domestic level to keep UK citizens safe.”

Both Apple and the Home Office are restricted from discussing TCNs by law.

Privacy campaigners say that any attempt to force Apple to compromise the security of its systems could put at risk global customers’ private information, including passwords, message history and health data, which can all be stored in iCloud.

Caroline Wilson Palow, legal director of the campaign group Privacy International, said the new order might be “just as big a threat to worldwide security and privacy” as the old one.

She said: “If Apple breaks end-to-end encryption for the UK, it breaks it for everyone. The resulting vulnerability can be exploited by hostile states, criminals, and other bad actors the world over.”

Apple made a complaint to the Investigatory Powers Tribunal over the original demand, backed by a parallel legal challenge from Privacy International and Liberty, another campaign group. That case was due to be heard early next year, but the new order may restart the legal process.

TCNs are issued under the UK Investigatory Powers Act, which the government maintains is needed by law enforcement to investigate terrorism and child sexual abuse.

Key figures in Donald Trump’s administration, including vice-president JD Vance and director of national intelligence Tulsi Gabbard, had pressured the UK to retract the January TCN. President Donald Trump has likened the UK’s request to Chinese state surveillance.

In August, Gabbard told the Financial Times that the UK had “agreed to drop” its demand that Apple enable access to “the protected encrypted data of American citizens.”

A person close to the Trump administration said at the time that the request for Apple to break its encryption would have to be dropped altogether to be faithful to the agreement between the two countries. Any back door would weaken protections for US citizens, the person said.

UK Prime Minister Sir Keir Starmer last month hosted Trump for a state visit, during which the two world leaders announced that US tech companies would invest billions of dollars to build artificial intelligence infrastructure in Britain.

Members of the US delegation raised the issue of the request to Apple around the time of Trump’s visit, according to two people briefed on the matter. However, two senior British government figures said the US administration was no longer leaning on the UK government to rescind the order.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 2 October 2025 at 4:29 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Visitors to the site are now shown a message stating, "Content not available in your region," with a link going to help page explaining why the content was blocked.

"From September 30, 2025, access to Imgur from the United Kingdom is no longer available," explains the Imgur help page.

"UK users will not be able to log in, view content, or upload images. Imgur content embedded on third-party sites will not display for UK users."

While Imgur has not issued a statement, the geoblock comes after the UK's data watchdog, the Information Commissioner's Office (ICO), announced in March that it was investigating whether TikTok, Reddit, and Imgur were appropriately protecting children's data and assessing the age of those from the country under the Online Safety Act (OSA).

The ICO states that it has completed its investigation and issued a notice of intent to impose a monetary fine on MediaLab regarding these concerns on September 10.

"We reached our provisional findings on this investigation, and we issued a notice of intent to impose a monetary penalty on MediaLab on 10 September 2025," reads a statement from the ICO.

"Our findings are provisional and the ICO will carefully consider any representations from MediaLab before taking a final decision whether to issue a monetary penalty."  

In response, Imgur decided to geoblock the entire country, no longer allowing people in the UK to access its site or any content hosted from its servers.

However, the ICO warns that blocking users from the UK does not exempt the organization from paying a previously imposed fine.

As one of the largest media-sharing sites in the world, this geoblock has had a widespread impact.

On websites that allow users to embed images, such as Steam Workshop and discussion forums, people from the UK are now seeing purple rectangles stating, "Content not viewable in your region".

Currently, the only workaround is to use a VPN, which enables you to connect from an IP address in another country.

However, this will likely impact users' experience while on the Internet due to slower speeds and potentially other georestrictions at other sites.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 1 October 2025 at 5:11 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Tracked as CVE-2025-30247, the flaw is an OS command injection in the user interface of My Cloud and can be leveraged through specially crafted HTTP POST requests sent to vulnerable endpoints.

The vulnerability was reported to Western Digital by a security researcher using the alias “w1th0ut.” The storage device maker released firmware version 5.31.108 to address the issue that impacts all previous versions for the following models:

• My Cloud PR2100
• My Cloud PR4100
• My Cloud EX4100
• My Cloud EX2 Ultra
• My Cloud Mirror Gen 2
• My Cloud DL2100
• My Cloud EX2100
• My Cloud DL4100
• My Cloud WDBCTLxxxxxx-10

It is worth noting that two of the devices, My Cloud DL4100 and My Cloud DL2100, have reached end of support (EoS) and updates may not be available, as the security advisory from the company does not provide mitigation action for EoS products.

My Cloud is Western Digital’s network-attached storage (NAS) are typically used by small businesses, home offices, and individuals that want to store data on a personal cloud and access it from any device.

While not intended for use in critical or enterprise environments, they are popular among the general consumer audience for providing easy remote access to files via mobile apps or browsers, media streaming, and automated backups.

Exploitation of CVE-2025-30247 to run shell commands could result in unauthorized file access, modification, deletion, user enumeration, configuration changes, or even binary execution.

In the past, hackers have exploited similar flaws on NAS devices to harvest sensitive data, built botnets, use them as proxies, or deploy ransomware and then extort users.

My Cloud users should prioritize patching to 5.31.108 as soon as possible. If immediate action cannot be taken, users are recommended to take the device offline until they can apply the update.

Even if offline, My Cloud devices can still work as local storage centers in LAN mode, though files stored on Western Digital’s cloud service will not be available.

Users who have enabled automatic updates on their device settings should have received the update since September 23, 2025. Checking to ensure you’re running the latest version is recommended.

Manual updates are possible (instructions here) by sourcing the correct firmware image for your device model from here and then navigating to Settings > Firmware Update > Update From File > select the downloaded BIN file.

A reboot of the device will be required for the update to take effect, and the device must remain plugged in throughout the process to prevent data corruption.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 1 October 2025 at 6:35 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, describing it as “an inclusion of functionality from untrusted control sphere.”

CISA has given federal agencies until October 20 to apply the official mitigations or discontinue the use of sudo.

A local attacker can exploit this flaw to escalate privileges by using the -R (--chroot) option, even if they are not included in the sudoers list, a configuration file that specifies which users or groups are authorized to execute commands with elevated permissions.

Sudo (“superuser do”) allows system administrators to delegate their authority to certain unprivileged users while logging the executed commands and their arguments.

Officially disclosed on June 30, CVE-2025-32463 affects sudo versions 1.9.14 through 1.9.17 and has received a critical severity score of 9.3 out of 10.

“An attacker can leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file,” explains the security advisory.

Rich Mirch, a researcher at cybersecurity services company Stratascale who discovered CVE-2025-32463, noted that the issue impacts the default sudo configuration and can be exploited without any predefined rules for the user.

On July 4, Mirch released a proof-of-concept exploit for the CVE-2025-32463 flaw, which has existed since June 2023 with the release of version 1.9.14.

However, additional exploits have circulated publicly since July 1, likely derived from the technical write-up.

CISA has warned that the CVE-2025-32463 vulnerability in sudo is being exploited in real-world attacks, although the agency has not specified the types of incidents in which it has been leveraged.

Organizations worldwide are advised to use CISA’s Known Exploited Vulnerabilities catalog as a reference for prioritizing patching and implementing other security mitigations.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 1 October 2025 at 6:34 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

It is also worth noting that TPM 2.0 is no longer the thing that only Windows 11 requires. Some of the most popular games now mandate a Trusted Platform Module and Secure Boot for their anti-cheat software. Without such things, games like Call of Duty: Black Ops 7 and Battlefield 6 simply refuse to start. As such, more users are forced to learn about TPM and Secure Boot.

How to check if my computer supports TPM 2.0?

There are several ways to check TPM 2.0 support on a Windows PC. The quickest and probably the easiest is using Windows Terminal because it can show not only if TPM is enabled, but whether it is supported as well.

1. Press Win + R and type wt.
2. Press Ctrl + Enter to execute the command as Administrator. Note that you need elevated privileges to perform this action.
3. Type get-tpm and press Enter.

   

4. Look out for TPMPresent and TPMEnabled values. If both are "true," there is nothing to worry about, since your computer has the Trusted Platform Module enabled. If TPMEnabled says "false," you need to enable TPM in your motherboard's UEFI settings; more on that in the second part of the article.

Another way to check TPM on a Windows PC is to press Win + R and type tpm.msc. Windows will open a new window where you should find the "The TPM is ready for use" message. There will also be a TPM Manufacturer section where you can find your module's version, such as 2.0 (Windows 11's requirement). If TPM is missing or is not enabled, you will see a "Compatible TPM cannot be found" message.

There is more. Open Task Manager and expand the Security Devices section. If TPM is present and enabled, you will see a "Trusted Platform Module 2.0" entry there.

Finally, you can check if your PC has a TPM chip in the Windows Security app:

1. Open Start menu and type Windows Security or open the app from the All Apps list.
2. Go to the Device Security tab.

   

3. Click Security Processor Details. You will not find this option if TPM is missing or not enabled.

   

Finally, it is worth noting that Steam will soon be able to run TPM and Secure Boot checks for you. By the time of publishing this guide, the ability to see whether your PC has TPM and Secure Boot is available in the latest Beta version of the client.

How to enable Trusted Platform Module (TPM) on a Windows PC?

The funny thing about modern PCs is that some manufacturers still ship motherboards with TPM or Secure Boot disabled by default. This is not a problem for those building a new Windows 11 PC, as the operating system will not allow itself to be installed without enabling TPM and Secure Boot first. However, if you have a Windows 10-based PC, you might have a Windows installation with TPM disabled. In such a case, you have to dig into your computer's UEFI settings to enable the Trusted Platform Module.

The problem with enabling TPM in UEFI/BIOS (some people still call it BIOS, even though it is technically incorrect) is that different motherboards have different menus and user interfaces. Therefore, the TPM switch is not located in one unified place. However, the rule of thumb is that you need to find and enable fTPM if your PC has an AMD processor or PTT (Intel Platform Trust Technology) setting.

While I cannot list menus from all motherboard manufacturers, on GIGABYTE's AORUS motherboards with AMD sockets, TPM settings are buried in Settings > Miscellaneous > Trusted Computing 2.0 or AMD CPU fTPM. You might also need to enter "Advanced" or "Expert" mode in your BIOS settings, as most modern motherboards have simplified versions of their UEFI settings for less experienced users. Either way, the best option is to refer to your mobo's user manual.

Once found, enable TPM and restart your system. Turning it on will not affect your existing Windows installation or data.

That is how you check if your computer has TPM and whether it is enabled or not.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 29 September 2025 at 4:25 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

On day three of the two-week remedies trial in the Justice Department’s ad tech case against Google, Judge Leonie Brinkema boiled down the argument to one key issue: trust. Brinkema interrupted testimony from a DOJ expert with a hypothetical: should she issue a strict order modifying Google’s behavior, could it resolve the issues at hand if “you had confidence that Google would actually act in complete good faith?”

The question felt particularly pointed, given how the Google trial Brinkema presided over last year unfolded. Over three weeks, the DOJ repeatedly presented examples of Google employees allegedly using chat messages to avoid leaving a paper trail for discovery. Brinkema later said the practice represented “systemic disregard of the evidentiary rules.” While she opted not to sanction Google for its lax approach to preserving evidence, she warned not to take its decision as condoning the behavior.

Soon, Brinkema will decide how hard to crack down on the monopoly that she ruled Google holds in ad tech. That decision may hinge on whether she thinks it will follow the rules this time.

Google’s remedies proposal involves a court order banning specific business practices and requiring it to engage in the ad auction process in ways similar to its rivals. But the DOJ says that leaves it easily capable of monopolizing the market again. The government wants to take power out of Google’s hands altogether by making it spin off ad exchange AdX and open source part of (and possibly even sell) its DFP tool for web publishers.

It’s the second time in just a few months that a judge has faced the question of breaking up Google. In a separate case over Google’s search monopoly, Judge Amit Mehta declined to do so, opting for lower-lift remedies like banning anticompetitive practices and sharing data. The facts that led Mehta to decide against a break up have no bearing on this case, the government argued in its opening statement. Still, Brinkema’s ruling could be an indicator of how widely judges share Mehta’s caution, as more cases against Big Tech companies roll toward a trial.

The DOJ was still in the midst of its case-in-chief on Friday, but Google’s attorneys were already driving at their core argument: that the government is underselling how difficult and risky its asks are. Google advertising executive Tim Craycroft testified that the DOJ’s proposals were “naive” and “incoherent.” This line of thinking seemed to land with the judge by mid-week. “The devil is in the details,” she said during the testimony of Jonathan Weissman, the DOJ’s expert witness on the technical feasibility of a break up. After he compared changing Google’s ad tech tools to changing tires on a car, Brinkema noted that a change to snow tires could result in a “bumpier” ride for the user.

But during Craycroft’s testimony, Brinkema appeared to entertain an even more extreme option the government hadn’t asked for: shutting down AdX altogether. This was apparently something Google itself considered within the past few years in an analysis it called “Project Monday,” Craycroft said.

“Why is that not a very simple and elegant solution?” Brinkema asked, after Craycroft noted that another Big Tech company could buy AdX and create its own monopoly. Though several ad exchanges exist today, the court found they’ve been denied a level playing field because of tactics like reserving full real-time bidding access to Google’s huge advertiser base through its own tools. Publishers testified in the liability trial that made it nearly impossible to leave, even though AdX was charging a supracompetitive take rate of 20 percent on transactions. Craycroft told the judge that deprecating AdX could be an elegant solution, but that would also get rid of other helpful features in the product.

Brinkema made clear she wants to learn what’s actually possible, as she considers options for leveling the playing field without harming publishers and advertisers who rely on Google products.

Google found a so-called business divestiture of AdX would be feasible within two years, Craycroft said, including offloading IP, moving customer contracts, and providing reference code to guide the buyer through duplicating product functions in its own systems. But he stressed Google couldn’t realistically provide source code guaranteed to work in an unknown buyer’s tech stack, as the DOJ requests. Former Facebook capacity engineer Goranka Bjedov, who helped migrate Instagram and WhatsApp during their acquisitions, testified that the reference source code would be sufficient for a full migration. If Brinkema finds a divestiture is possible, she’ll have to decide if she trusts Google enough not to force one.

Even after helping Google’s attorneys craft their remedies proposals, Craycroft told DOJ attorney Matthew Huppert that he could not commit to lowering AdX’s 20 percent take rate, which the judge had ruled to be above a competitive level, and said a tie between DFP and access to AdX real-time bidding, a sticking point for publishers, was “just how the product was built.”

The answer to Brinkema’s question about trust wasn’t necessarily reassuring for Google. Robin Lee, the Harvard economist she asked, said the problem was how many different ways Google could get around the intentions behind a court order. Lee said there’s an almost unpredictably exhaustive list of methods for tilting the scales in Google’s favor, and it’s got every incentive to take them.

Longtime Google critics were disappointed after Mehta’s ruling didn’t include a breakup. If Brinkema reaches a similar conclusion, The Trade Desk Chief Revenue Officer Jed Dederick testified, “I think there will be a sense that they got away with it.”

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 28 September 2025 at 2:07 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

As many as 2 million Cisco devices are susceptible to an actively exploited zero-day that can remotely crash or execute code on vulnerable systems.

Cisco said Wednesday that the vulnerability, tracked as CVE-2025-20352, was present in all supported versions of Cisco IOS and Cisco IOS XE, the operating system that powers a wide variety of the company’s networking devices. The vulnerability can be exploited by low-privileged users to create a denial-of-service attack or by higher-privileged users to execute code that runs with unfettered root privileges. It carries a severity rating of 7.7 out of a possible 10.

Exposing SNMP to the Internet? Yep

“The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised,” Wednesday’s advisory stated. “Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”

The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (simple network management protocol), which routers and other devices use to collect and handle information about devices inside a network. The vulnerability is exploited by sending crafted SNMP packets.

To execute malicious code, the remote attacker must have possession of read-only community string, an SNMP-specific form of authentication for accessing managed devices. Frequently, such strings ship with devices. Even when modified by an administrator, read-only community strings are often widely known inside an organization. The attacker would also require privileges on the vulnerable systems. With that, the attacker can obtain RCE (remote code execution) capabilities that run as root.

“If you get RCE as root, you’re getting higher than admin privileges,” independent researcher Kevin Beaumont wrote in an online interview. “You’re not supposed to be able to get root on those devices.”

To perform a DOS, all an attacker needs is the read-only community string or valid SNMPv3 user credentials.

Making SNMP devices accessible to Internet interfaces is frowned upon because it unnecessarily exposes networks to precisely these sorts of risks. As Beaumont noted on Mastodon, however, the Shodon search engine indicates that more than 2 million devices around the world do just that.

The best protection against exploitation is to install an update Cisco has released. For those who can’t do so right away, they can mitigate the risk by allowing only trusted users to have SNMP access and to monitor Cisco devices using the snmp command in the terminal window. There are no workarounds. There are also no additional details about in-the-wild exploitation.

CVE-2025-20352 is one of 14 vulnerabilities Cisco patched in its September update release. Eight of the vulnerabilities carried severity ratings ranging from 6.7 to 8.8.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 26 September 2025 at 3:56 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Amazon has agreed to settle a Federal Trade Commission lawsuit accusing the e-commerce giants of tricking customers into signing up for Prime and then making it frustratingly hard to cancel.

In a press release Thursday, the FTC confirmed that, pending court approval, Amazon will pay a $1 billion civil penalty and provide $1.5 billion in refunds to an estimated 35 million customers "harmed by their deceptive Prime enrollment practices." Former FTC chair Lina Khan initiated the lawsuit, accusing customers of trapping customers in a “labyrinthine” Prime cancellation process the company named after Homer’s Iliad.

The civil penalty, the FTC noted, is "the largest ever in a case involving an FTC rule violation," and the refunds to customers are "the second-highest restitution award ever obtained by FTC action."

Amazon also agreed to stop "unlawful enrollment and cancellation practices for Prime," meaning it will soon be easier than ever to unsubscribe.

The FTC specified that means that Amazon must display "a clear and conspicuous button for customers to decline Prime" and stop using a button deterring cancellations that said, "No, I don’t want Free Shipping."

Amazon must also post prominent disclosures describing how auto-renewals and cancellations work, as well as offer "an easy way for consumers to cancel Prime, using the same method that consumers used to sign up."

"The process cannot be difficult, costly, or time-consuming," the FTC said.

Moving forward, Amazon must also pay for "an independent, third-party supervisor to monitor Amazon’s compliance" with the distribution of customer refunds.

Celebrating the victory after a 3–0 vote approving the settlement, FTC chairman Andrew Ferguson described Amazon's $2.5 billion payout as a "record-breaking, monumental win for the millions of Americans who are tired of deceptive subscriptions that feel impossible to cancel."

The press release cited internal documents in which Amazon executives and employees "knowingly discussed" how hard it was to cancel Prime, exchanging messages admitting that "subscription driving is a bit of a shady world" and suggesting that forcing unwanted subscriptions was “an unspoken cancer.”

"The evidence showed that Amazon used sophisticated subscription traps designed to manipulate consumers into enrolling in Prime and then made it exceedingly hard for consumers to end their subscription," Ferguson said. "Today, we are putting billions of dollars back into Americans’ pockets and making sure Amazon never does this again."

Amazon did not immediately respond to Ars' request to comment.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 26 September 2025 at 3:54 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

In an email sent out to users and seen by Neowin, LinkedIn has informed customers that from November 3, 2025, data belonging to users in the European Union (EU), European Economic Area (EEA), Switzerland, Canada, and Hong Kong will be processed for training AI models that are used to generate content. The company says that this will enhance your LinkedIn experience and connect you to more relevant opportunities on the platform.

The data used to train models will include your profile and any public content that you post on LinkedIn. Fortunately, LinkedIn will not access your private messages. Another thing to keep in mind is that this data will be used by all LinkedIn affiliates, which include LinkedIn Corp., LinkedIn Ireland, and Microsoft. Affiliates will be able to use your data by default unless you toggle this capability off through the dedicated setting here.

Moreover, users in the U.S. will be sharing their LinkedIn data with Microsoft by default for targeted advertising. LinkedIn says:

LinkedIn may use information that we receive from others about your engagement with their sites and services, in order to improve our tools for targeting ads. While we do not use your off-LinkedIn engagement data to predict your interests at an individual level, we do use it to improve our tools for targeting ads overall. Many U.S. states consider ads selected based on an individual’s activities outside of a company’s own websites or applications to be “targeted advertising” and provide you a right to opt out of having your data used for this purpose.

The option to disable data sharing with Microsoft can be found here while the ability for LinkedIn to use data from other sites for targeted advertising can be toggled off here.

Other updates to the ToS clarify some terms and violations such as the use of deep fakes and impersonation. You can find out more details here, before they officially come into effect on November 3, 2025.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 25 September 2025 at 3:45 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

The EU is set to scrutinize if Apple, Google, and Microsoft are failing to adequately police financial fraud online, as it steps up efforts to police how Big Tech operates online.

The EU’s tech chief Henna Virkkunen told the Financial Times that on Tuesday, the bloc’s regulators would send formal requests for information to the three US Big Tech groups as well as global accommodation platform Booking Holdings, under powers granted under the Digital Services Act to tackle financial scams.

“We see that more and more criminal actions are taking place online,” Virkkunen said. “We have to make sure that online platforms really take all their efforts to detect and prevent that kind of illegal content.”

The move, which could later lead to a formal investigation and potential fines against the companies, comes amid transatlantic tensions over the EU’s digital rulebook. US President Donald Trump has threatened to punish countries that “discriminate” against US companies with higher tariffs.

Virkkunnen stressed the commission looked at the operations of individual companies, rather than where they were based. She will scrutinize how Apple and Google are handling fake applications in their app stores, such as fake banking apps.

She said regulators would also look at fake search results in the search engines of Google and Microsoft’s Bing. The bloc wants to have more information about the approach Booking Holdings, whose biggest subsidiary Booking.com is based in Amsterdam, is taking to fake accommodation listings. It is the only Europe-based company among the four set to be scrutinized.

The EU’s tech chief said online fraud losses exceeded €4 billion annually across the bloc. She said financial scams could cause mental issues, while the rise of artificial intelligence had made detecting the practice more challenging.

Virkkunen’s move follows an ongoing investigation into Meta’s Facebook and Instagram for potential breaches of the Digital Services Act—a landmark law designed to police how tech giants operate online—to flag illegal content.

Brussels is also looking into whether Chinese companies Temu and Shein comply with the DSA when it comes to handling illegal products on their marketplaces.

After focusing in the last couple of months on the protection of minors, online shopping and election integrity, tackling financial scams would be a new priority under the DSA, Virkkunen said.

Brussels is facing criticism over dragging its feet in the enforcement of its digital rulebook, especially its investigation into Elon Musk’s X platform. Brussels was expected to finalise its probe into the social media platform before summer.

Without discussing specific investigations, the Finnish politician said that there were a lot of DSA probes in the pipeline and that “in the coming weeks and months we are able to make decisions.”

Under the DSA, companies that fail to curb illegal content and disinformation face penalties of up to 6 percent of their annual global turnover.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 24 September 2025 at 5:13 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

DDoS attacks typically exhaust either system or network resources, aiming to make services slow or unavailable to legitimate users.

Record-breaking DDoS attacks are becoming more frequent, as just three weeks ago, Cloudflare disclosed that it mitigated a massive 11.5 Tbps and 5.1 Bpps attack, the largest publicly announced at the time.

Two months before that, the company dealt with another ecord attack that peaked at 7.3 Tbps. In April, the internet giant warned that it was dealing with a record number of DDoS attacks this year.

The latest DDoS incident, also volumentric, lasted 40 seconds and is by far the largest ever mitigated.

Despite the short assault period, the volume of traffic directed at the victim was enormous, roughly equivalent to streaming one million 4K videos simultaneously.

The packet rate of 10.6 Bpps can be translated to roughly 1.3 web page refreshes per second from every person on the planet.

The large volume of packets makes it particularly difficult for firewalls, routers, and load balancers to process the requests, even if the total bandwidth is manageable.

Although Cloudflare has not shared many details about the last two DDoS attacks, XLab research division at Chinese cybersecurity company Qi'anxin attributed an 11.5 Tb DDoS attack to the AISURU botnet.

According to the researchers, AISURU has infected more than 300,000 devices worldwide, with a sudden increase occuring in April 2025 after the compromise of a Totolink router firmware update server.

The botnet also targets vulnerabilities in IP cameras, DVRs/NVRs, Realtek chips, and routers from T-Mobile, Zyxel, D-Link, and Linksys.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 24 September 2025 at 5:12 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

The US Secret Service announced this morning that it has located and seized a cache of telecom devices large enough to "shut down the cellular network in New York City." And it believes a nation-state is responsible.

According to the agency, "more than 300 co-located SIM servers and 100,000 SIM cards" were discovered at multiple locations within the New York City area. Photos of the seized gear show what appear to be "SIM boxes" bristling with antennas and stuffed with SIM cards, then stacked on six-shelf racks. (SIM boxes are often used for fraud.) One photo even shows neatly stacked towers of punched-out SIM card packaging, suggesting that whoever assembled the system invested some quality time in just getting the whole thing set up.

The gear was identified as part of a Secret Service investigation into "anonymous telephonic threats" made against several high-ranking US government officials, but the setup seems designed for something larger than just making a few threats. The Secret Service believes that the system could have been capable of activities like "disabling cell phone towers, enabling denial of services attacks, and facilitating anonymous, encrypted communication between potential threat actors and criminal enterprises."

So many empty SIM card packages...

Secret Service

 

Close-up of a SIM box.

Secret Service

 

Just another random bedroom... stuffed with spy gear.

Secret Service

 

Secret Service

 

Secret Service

Secret Service

 

Analysis of data from so many devices will take time, but preliminary investigation already suggests that "nation-state threat actors" were involved; that is, this is probably some country's spy hardware. With the UN General Assembly taking place this week in New York, it is possible that the system was designed to spy on or disrupt delegates, but the gear was found in various places up to 35 miles from the UN. BBC reporting suggests that the equipment was "seized from SIM farms at abandoned apartment buildings across more than five sites," and the ultimate goal remains unclear.

While the gear has been taken offline, no arrests have yet been made, and the investigation continues.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 24 September 2025 at 5:10 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Among the airports suffering technical difficulties are Heathrow in London, Brussels Airport, and Brandenburg in Berlin. Cork and Dublin airports in Ireland also experienced difficulties, but the impact was minor.

The attack started on Friday night, according to Brussels Airport, and targeted “Collins Aerospace, the external provider of check-in and boarding systems.”

Hackers targeted the MUSE (Multi-User System Environment) system, which is used by multiple airlines to share check-in desks and boarding gate positions, as a solution to having their own dedicated infrastructure.

“Following a cyberattack on the American company Collins Aerospace, the external provider of check-in and boarding systems, there are disruptions to check-in operations at several European airports,” Brussels Airport says on its website.

Ransomware attack confirmed

The European Union Agency for Cybersecurity (ENISA) told The Guardian in a statement on Monday that a ransomware attack caused the disruptions.

The incident impacted a significant number of flights, as more than 100were either delayed or cancelled, and thousands of passengers had to be processed manually.

Brussels Airport said that disruptions continued on Monday and advised passengers to check the status of their flight before coming to the airport.

Collins Aerospace has been working to restore the system as soon as possible at impacted airports.

Law enforcement is also involved in the investigation, according to a spokesperson for the National Cyber Security Centre (NCSC) in the U.K.

“We are working with Collins Aerospace and affected UK airports, alongside Department for Transport and law enforcement colleagues, to fully understand the impact of an incident,” the NCSC states.

The agency is urging all organizations to turn to its free guidance, services, and tools to improve their security stance and reduce the risk of a cyberattack.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 23 September 2025 at 12:30 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Google is back in court, hoping to avoid a painful breakup of its advertising business. US District Judge Leonie Brinkema has already ruled that Google operated an illegal monopoly in digital advertising, and now it's time to learn the consequences of that behavior. Google's had mixed luck with antitrust rulings lately, but it's not a great sign that Google has so many legal woes that it can be hard to keep them all straight.

The case that just got underway is the remedy phase of the AdTech trial, in which the DOJ secured a ruling against Google several months ago. The remedy phase of the search trial wrapped up recently, which ended with Google holding on to Chrome but pledging an appeal to overturn the verdict. There's also the Google Play antitrust case, which was brought by Epic Games. In this case, Google has already lost its appeal, putting some major app changes on the table as it plans yet another appeal.

The Department of Justice (DOJ) and Google are squaring off in Virginia federal court for the next two weeks or so, and there are no surprises in opening arguments. The government says the only way to deal with a monopolist like this is to break it up, but Google says it has already made numerous changes, and there's no way to excise it from online advertising without breaking the market.

The AdTech remedy trial could mirror the search trial to a great degree. Indeed, the DOJ has pulled some language from that case, in which Judge Mehta opted not to force a divestment of Chrome. Mehta ruled that forcing a Chrome sale was a poor fit for the remedies as Chrome was not part of the illegal conduct.

However, government lawyers are hoping the AdTech case will turn out differently. The DOJ is asking the court to force Google to spin off Google Ad Manager (formerly Ad Exchange or AdX), the marketplace through which advertisers buy ads on Google's platform. The government was able to convince the court that Google's control of Ad Manager gave it an unfair advantage that boosted its own services, but is a breakup the proper remedy?

In its opening arguments in the AdTech case, the government claims Ad manager was intimately tied to the antitrust behavior, and its proposed remedies would pass muster under the standard Mehta employed. Government lawyers contend that remedies must be designed to restore competition, and Google's iron grip on online display ads can only be solved in one way. "Nothing short of a structural divestment is sufficient to bring meaningful change," said the DOJ's Julia Tarver Wood.

Google déjà vu

Google has come up with its own proposal for remedies, which is really just a formality. Google doesn't plan to accept any penalty and will appeal the case after the remedy phase. The company's proposal is just shy of nothing, suggesting it could make real-time bid amounts visible to everyone in auctions and end unified pricing rules to allow publishers to set different floors. Google also promises not to use "first look" and "last look" dynamics, which gave Google a major advantage in auctions. The company ended this practice several years ago, but it won't start again under the proposal.

Google is not exactly treading new ground with its arguments in this case—you could almost copy-paste "Chrome" in place of "Ad Manager" to get right back to Google's position in the search case. According to Google council Karen Dunn, the government's proposals are extreme and will cause "disruption and damage" to the advertising industry by shutting Google out. The company believes it has made enough changes of its own volition to resolve the issues cited in the case.

Google has also continued to draw on the AI explosion to reframe the case. Since the charges were filed in 2023, generative AI has become the primary focus at countless companies. In the search case, Google argued that AI was reshaping how people find information online, and therefore, structural remedies were unnecessary. Similarly, Google now says that AI ad tools like those developed by Meta and Perplexity show that digital advertising is still a vibrant market. Google's lawyers suggested that the DOJ is trying to rework an industry that has already been transformed.

It will be months before we learn what Brinkema has decided, but Google's headaches aren't over even if it comes out ahead in this case. The European Union is also going after the company's advertising business, recently issuing a hefty fine. Regulators say a breakup is on the table in Europe if Google doesn't come up with a proposal to address its market dominance.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 23 September 2025 at 12:29 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Stellantis is a multinational corporation formed in 2021 after the merger of the PSA Group (Peugeot Société Anonyme) and Fiat Chrysler Automobiles (FCA). Stellantis is currently one of the largest automotive companies globally by revenue and the world's fifth-largest automaker by volume.

The company owns 14 major automotive brands, including Alfa Romeo, Chrysler, Citroën, Dodge, DS Automobiles, Fiat, Jeep, Lancia, Maserati, Opel, Peugeot, Ram, and Vauxhall, and it operates manufacturing facilities across Europe, North America, South America, and other regions, with operations in over 130 countries.

According to a statement published over the weekend, the attackers only stole customer contact information during the breach since the compromised platform was not used to store financial or other sensitive personal information.

"We recently detected unauthorized access to a third-party service provider's platform that supports our North American customer service operations," Stellantis said.

"Upon discovery, we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers."

The auto giant also advised customers to be cautious of potential phishing attempts and to refrain from clicking suspicious links or sharing personal information when receiving unexpected emails, texts, or calls.

BleepingComputer reached out to Stellantis with questions about the incident, but a response was not immediately available.

Salesforce data breach claimed by ShinyHunters

Although Stellantis didn't share more information regarding this attack, BleepingComputer has learned that it is part of a recent wave of Salesforce data breaches linked with the ShinyHunters extortion group, which has affected numerous high-profile companies.

Earlier today, ShinyHunters claimed responsibility for the Stellantis data breach and told BleepingComputer that they had stolen over 18 million Salesforce records, including names and contact details, from the company's Salesforce instance.

Since the start of the year, the extortion group has been targeting Salesforce customers in data theft attacks using voice phishing attacks, impacting companies such as Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance, Workday, and LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

ShinyHunters also claims they used stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to steal sensitive information, such as passwords, AWS access keys, and Snowflake tokens, after gaining access to customers' Salesforce instances.

Using this method, they claimed to have stolen customer information from Google, Cloudflare, Zscaler, Tenable, Palo Alto Networks, CyberArk, Nutanix, Qualys, Rubrik, Elastic, BeyondTrust, Proofpoint, JFrog, Cato Networks, and many more.

Last week, the FBI released a Flash alert sharing IOCs discovered during the attacks and warning about threat actors breaching organizations' Salesforce environments to steal data and extort victims. Meanwhile, the extortion group told BleepingComputer that they had stolen over 1.5 billion Salesforce records from 760 companies, using compromised Salesloft Drift OAuth tokens.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 23 September 2025 at 12:28 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix

Ads prominently displayed on search engines are impersonating a wide range of online services in a bid to infect Macs with a potent credential stealer, security companies have warned. The latest reported target is users of the LastPass password manager.

Late last week, LastPass said it detected a widespread campaign that used search engine optimization to display ads for LastPass macOS apps at the top of search results returned by search engines, including Google and Bing. The ads led to one of two fraudulent GitHub sites targeting LastPass, both of which have been taken down. The pages provided links promising to install LastPass on MacBooks. In fact, they installed a macOS credential stealer known as Atomic Stealer, or alternatively, Amos Stealer.

Dozens targeted

“We are writing this blog post to raise awareness of the campaign and protect our customers while we continue to actively pursue takedown and disruption efforts, and to also share indicators of compromise (IoCs) to help other security teams detect cyber threats,” LastPass said in the post.

LastPass is hardly alone in seeing its well-known brand exploited in such ads. The compromise indicators LastPass provided listed other software or services being impersonated as 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. Typically, the ads offer the software in prominent fonts. When clicked, the ads lead to GitHub pages that install versions of Atomic that are disguised as the official software being falsely advertised.

The malicious installers sometimes offer to install the stealer through the downloading of a file in the Mac-proprietary .dmg format. After Apple added a detection to Gatekeeper—the malware protection built into macOS that blocks the installation of known malware—attackers started using a new method that bypassed it. This method masqueraded as a CAPTCHA, ostensibly to prove the user wasn’t a bot, by requiring the copying of a text string and pasting it into the Mac terminal window. In reality, the string was a command to download and install the malicious .dmg with no intervention from Gatekeeper. Researchers have warned of this Gatekeeper-bypassing technique for at least the past 20 months.

Despite attempts to raise awareness about Atomic, people have continued to use it widely, an indication that it remains effective. The post linked immediately above reports it being used against users of Homebrew, a tool that’s indispensable for many developers of macOS-compatible apps.

People should download software only from links provided on a site’s official webpage. In the event they view an ad and decide they want to install the app being promoted, they should open a new tab and visit the official website directly, rather than clicking on the download link in the ad. More information about Atomic is available here and here.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 23 September 2025 at 12:25 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

RIP Matrix