Starting today, Google is implementing a change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions. Users who don't want their previous settings to be overridden may have to take action.

An email Google sent recently informing users of the change linked to a notification page that said that “human reviewers (including service providers) read, annotate, and process” the data Gemini accesses. The email provides no useful guidance for preventing the changes from taking effect. The email said users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours.

An email Google recently sent to Android users.

No, Google, it’s not good news

The email never explains how users can fully extricate Gemini from their Android devices and seems to contradict itself on how or whether this is even possible. At one point, it says the changes “will automatically start rolling out” today and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” A few sentences later, the email says, “If you have already turned these features off, they will remain off.” Nowhere in the email or the support pages it links to are Android users informed how to remove Gemini integrations completely.

Compounding the confusion, one of the linked support pages requires users to open a separate support page to learn how to control their Gemini app settings. Following the directions from a computer browser, I accessed the settings of my account’s Gemini app. I was reassured to see the text indicating no activity has been stored because I have Gemini turned off. Then again, the page also said that Gemini was “not saving activity beyond 72 hours.”

I got similarly tripped up while trying to follow the guidance on my Pixel 7. Google support said to access the mobile Gemini app from my device. I tried, but the app was nowhere to be found.

Nowhere in the email or any of the Support pages did Google say how to remove all Gemini integrations from my phone. All of this left me wondering: Was Gemini completely disabled or not? When I discussed the lack of clarity on Mastodon, I quickly learned I wasn't the only one asking this question.

I then emailed Google PR and included a link to the Mastodon thread. I asked if someone could provide actionable guidance for my readers who want to ensure Gemini integrations are completely disabled. Instead of answering the question, the person responding to my email wrote, in part: “This update is good for users: they can now use Gemini to complete daily tasks on their mobile devices like send messages, initiate phone calls, and set timers while Gemini Apps Activity is turned off. With Gemini Apps Activity turned off, their Gemini chats are not being reviewed or used to improve our AI models.” The representative included a link to one of the same unclear support pages mentioned above.

A researcher at Tuta, a cloud-based provider of a privacy-focused email and calendar service, on Monday attempted to fill the void of actionable guidance. The immediate takeaway seems to be that Google may be bolting Gemini into Android in much the way Microsoft did with Internet Explorer into Windows, a move that landed the software maker in a protracted antitrust suit with the federal government and a dozen states, commonwealths, or districts in the late 1990s.

The Tuta post says disabling Gemini app activity is likely to prevent data collection beyond the activity temporarily stored for 72 hours. It goes on to say that if the Gemini app isn't installed already, it will not be installed after the change takes effect. That likely means my phone is safe, since Gemini isn't installed. I'm not sure if the absence of Gemini from my device is the result of me manually removing the app at some point and forgetting I had done so, or if, for some reason, it was never installed in the first place.

The Tuta post goes on to say that another remedy is to completely uninstall Gemini from the device. Of course, Google doesn't make this easy for people who aren't comfortable mucking around with a command-line terminal and making under-the-hood changes to their Android settings. This can be done by using the Android debug bridge that Google makes available to developers. Once it's installed (not easy for the faint of heart), users must uninstall the app by entering the adb shell pm uninstall com.google.android.apps.bard command. When I tried this, the operating system returned a message saying Failure [DELETE_FAILED_INTERNAL_ERROR. I'm not sure if that means the package can't be removed or it was never on my Pixel in the first place.

Google is no doubt correct in saying that many Android users will find Gemini integrations useful. Google marketers may claim the integration is good news, and for these users, this is likely to be true. A significant number of others, however, don't want Gemini or other AI engines anywhere near their devices. For the time being, these users are being left completely in the dark.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

The ransomware group linked to the recent cyberattacks on UK retailers Marks and Spencer, Harrods, and the Co-Op has begun a turf war with its rivals, triggering a battle within the industry that could bring more hacks and further fallout for corporate victims.

DragonForce, a group of largely Russian-speaking cyber criminals behind a spate of high-profile attacks this year, has clashed with one of its biggest competitors RansomHub, according to cybersecurity experts tracking the battle to dominate the booming criminal ransomware sector.

They warn that the conflict between the two groups, which operate in the ransomware-as-a-service (RaaS) market, could increase risks for companies, including the potential of being extorted twice.

Toby Lewis, global head of threat analysis at Darktrace, said there was “no honor among thieves” in the hacking world.

“Most cybercrime groups have an ingrained need for kudos and one-upmanship that could lead them to attempt to ‘outcompete’ each other by trying to attack and extort the same target,” he added.

RaaS gangs function by selling the tools and infrastructure needed to access the internal systems of companies and extort them for money. They operate on the dark web where they battle to sell services to those seeking to commit cybercrime, known as “affiliates,” such as Scattered Spider, which has been linked to the M&S attack and last week’s hack on Australian airline Qantas.

The relationship between DragonForce and RansomHub soured after the former rebranded itself as a “cartel” in March, which widened the services it offered and expanded its reach to attract more affiliate partners.

In the same month, RansomHub’s site was taken down with a marker left stating “R.I.P 3/3/25”, believed to be a hostile takeover by DragonForce, according to cybersecurity group Sophos. In retaliation, a RansomHub member defaced DragonForce’s site, labelling them “traitors.”

Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group, said DragonForce could be attempting to attract RansomHub’s affiliates. The hacking group is also believed to be behind attacks on the pages of other rivals, including BlackLock and Mamona, according to Sophos.

Stark warned that whatever the motive, the fallout brings with it an increased risk of cyberattacks. “Instability within the extortion ecosystem can have serious implications for ransomware and data theft extortion victims,” she said.

While double extortions remain rare, US company UnitedHealth Group was the victim of one last year due to a fallout between hacking groups.

In that case, RansomHub was approached by affiliate hacker group, Notchy, to try to extort a second ransom payment after an initial $22 million fee was stolen by Notchy’s original RaaS partner, which faked its disappearance in order to avoid splitting the proceeds, according to cybersecurity experts.

A person familiar with the UnitedHealth hack said multiple extortion attempts were commonplace in cyberattacks, but that follow-up attempts were often opportunistic and lacked credibility.

Rafe Pilling, director of threat intelligence at Sophos, said in a worst-case scenario, the conflict between DragonForce and RansomHub could see them both target the same victim in a battle for business.

“Cybercriminals are a ruthless bunch, and a betrayal between partners can result in a situation where the victim gets extorted twice,” he added.

The global cost of cybercrime is estimated to reach $10 trillion in 2025, according to Cybersecurity Ventures. The figure—which is up from $3 trillion in 2015—comes as hacker groups have increasingly looked to maximise profit through their attacks.

DragonForce, which was first identified in August 2023, listed a total of 82 victims on its dark-web site in the following 12 months, according to cybersecurity firm Group-IB, while RansomHub—which also came to prominence in 2023—reported about 500 victims on its site in 2024.

Jake Moore, global cybersecurity adviser at ESET, warned that the volatility of the situation could make companies’ defence and response tactics more vulnerable.

“Remember this is a Wild West, lawless environment where normal competition rules simply do not apply,” he said.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide.

Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues.

BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices.

The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack.

It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.

Do you have information about this or another cyberattack? If you want to share the information, you can contact us securely and confidentially on Signal at LawrenceA.11, via email at lawrence.abrams@bleepingcomputer.com, or by using our tips form.

Sources have told BleepingComputer that it is believed the threat actors breached Ingram Micro through its GlobalProtect VPN platform.

Once the attack was discovered, employees in some locations were told to work from home. The company also shut down internal systems, telling employees not to use the company's GlobalProtect VPN access, which was said to be impacted by the IT outage.

Systems that are impacted in many locations include the company's AI-powered Xvantage distribution platform and the Impulse license provisioning platform. However, BleepingComputer was told that other internal services, such as Microsoft 365, Teams, and SharePoint, continue to operate as usual.

As of yesterday, Ingram Micro has not disclosed the attack publicly or to its employees, only stating there are ongoing IT issues, as indicated by company-wide advisories shared with BleepingComputer.

The SafePay ransomware gang is a relatively new operation that was first seen in November 2024, accumulating over 220 victims since then.

The ransomware operation has been previously observed breaching corporate networks through VPN gateways using compromised credentials and password spray attacks.

BleepingComputer contacted Ingram Micro yesterday and today about the outages and ransomware attack, but did not receive a response to our emails.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

All other major Meta services have already been inundated with a steady stream of ads — think Instagram, Facebook Messenger, and the latest addition to the Meta family, Threads, which got ads not long after its birth. So, the fact that WhatsApp still didn’t have ads as of 2025 felt like an oddity — something that ran counter to Meta’s entire ad-driven business model.

And, although the eventual arrival of ads in WhatsApp was a long time coming and is in line with what Meta has been doing before, we can't help but regret this development.

Where will the ads be?

In its announcement, Meta said that WhatsApp will be getting ads in just one tab — Updates, which combines Status and Channels. Status is the tab designed for posting Status updates, similar to Instagram or Telegram Stories. While it may not be generating as much buzz as its Instagram lookalike (probably because it is mostly reserved to sharing content with close contacts), according to WhatsApp itself, the Updates tab is used by 1.5 billion people daily across the globe.

The ads will appear in several places, but perhaps the most potentially annoying slot is among the status updates posted by your family and friends.

Source: WhatsApp

The ads will also sneak into the Channels section. Channels are a one-way broadcasting feature that lets people follow posts from individuals or organizations they're interested in. Now, if you want to explore channels you might like, the promoted ones will appear at the top of the selection.

How bad is it for privacy?

The first question that comes to mind for privacy-conscious users is what data WhatsApp will use to target ads and whether it’s possible to opt out.

When it comes to data collection, WhatsApp claims it will use “limited info” — such as your country, city, language, the channels you follow, and how you interact with the ads. If you’ve chosen to integrate WhatsApp with Meta’s Accounts Center, then the app will not just stop at your basic location or interests.

If you've ever logged into WhatsApp using your Facebook or Instagram account, or if you've linked your WhatsApp account to your Facebook profile, you're essentially integrating WhatsApp with Meta’s Accounts Center.

This means that WhatsApp could also tap into your ad preferences and behavioral data across the Meta ecosystem, enabling the company to serve even more targeted ads.

As for the possibility to opt out, there is none. Not even for money. Unlike Telegram, which places ads in public channels but offers the option to buy Telegram Premium for an ad-free experience, WhatsApp doesn’t have any of this — yet, or maybe forever.

Can these ads be blocked?

When it comes to blocking WhatsApp's new ads, it’s not completely unfeasible, but it's more complex than it may seem, especially on mobile.

On the web, there’s a better chance of blocking these ads. Put simply, if you use a browser-based version of WhatsApp on your computer, it will most likely be possible to filter out the ads using AdGuard or any other ad-blocking solution. However, things get way less clear-cut when using WhatsApp on your phone.

The reason for this is that, much like with other Meta platforms, these ads will likely be delivered through special domains used for both advertising and other content. In theory, it still makes it possible to block them, but in practice, it’s a long shot. Unlike web-browsing environments, mobile platforms such as iOS and Android make it far more challenging to intercept traffic at a granular level. With mobile apps, the traffic is typically encrypted via HTTPS, which complicates matters since it's not possible to easily decrypt or analyze this traffic. While it may be possible to route the traffic through certain proxies, the lack of decryption often means that the payload—i.e., the ads—remain hidden from the filter.

As an ad blocker, you would need to continuously analyze the app’s traffic to ensure that new ad delivery mechanisms don’t slip through the filters. However, without full access to the encrypted content, even the most advanced filtering solutions can only block a portion of the ads. In short, while blocking WhatsApp’s is possible on the web, it’s highly unlikely to work effectively on mobile devices due to the constraints of iOS and Android operating systems, which are designed to prevent such interception of traffic.

Final thoughts

WhatsApp says that it’s rolling out ads with your privacy in mind, meaning it won’t harvest data from your private conversations or use information from your private statuses, phone calls, or the groups you’re in to target ads to you. “Your personal messages, calls, and statuses remain end-to-end encrypted, meaning no one (not even us) can see or hear them,” WhatsApp says.

Likewise, the fact that WhatsApp will only place ads in two places (for now) might sound like no big deal — something we can live with.

The thing is, though, this might just be the beginning. While the new ad experience doesn’t sound too intrusive (at least on paper), it could turn out to be. Moreover, Meta may decide to place ads in more places over time, with the current update serving as a trial run.

Source

"After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang says in a statement published on its dark web leak earlier today.

"As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms."

The threat actors also removed all entries from the extortion portal and added that companies whose systems were encrypted in Hunters International ransomware attacks can request decryption tools and recovery guidance on the gang's official website.

While the ransomware group doesn't explain what "recent developments" it refers to, today's announcement follows a November 17 statement saying that Hunters International will soon shut down because of increased law enforcement scrutiny and declining profitability.

Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks, and had launched a new extortion-only operation known as "World Leaks."

"Unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group using a custom-built exfiltration tool," Group-IB said at the time, adding that the new tool appears to be an upgraded version of the Storage Software exfiltration tool used by Hunters International's ransomware affiliates.

Hunters International emerged in late 2023 and was flagged by security researchers and ransomware experts as a potential rebrand of Hive due to code similarities. The ransomware group's malware targets a wide range of platforms, including Windows, Linux, FreeBSD, SunOS, and ESXi (VMware servers), and it also comes with support for x64, x86, and ARM architectures.

Over the last two years, Hunters International has targeted companies of all sizes, with ransom demands ranging from hundreds of thousands to millions of dollars, depending on the size of the breached organization.

The ransomware gang has claimed responsibility for almost 300 attacks worldwide, making it one of the most active ransomware operations in recent years.

Notable victims claimed by Hunters International include the U.S. Marshals Service, Japanese optics giant Hoya, Tata Technologies, North American automobile dealership AutoCanada, U.S. Navy contractor Austal USA, and Integris Health, Oklahoma's largest not-for-profit healthcare network.

In December 2024, Hunters International also hacked the Fred Hutch Cancer Center, threatening to leak the stolen data of over 800,000 cancer patients if they were not paid.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Interestingly, MSRC partnered with a 13-year-old, identified as "Dylan", a few years ago, and has been working with him to fix vulnerabilities across various products. In terms of background, Dylan has worked with technical tools and languages from a very young age. Starting from Scratch, the teenager eventually familiarized himself with HTML and other programming languages and began analyzing the source code of educational platforms.

Dylan's first foray into the world of professional cybersecurity was when his school disabled the ability for students to create chats in Microsoft Teams during the COVID-19 pandemic. After nine months of research and development, along with trial and error, Dylan discovered a vulnerability that allowed him to take over any Teams group. The teenager promptly reported this security hole to Microsoft, which actually had to update the terms and conditions of its Bug Bounty Program to enable people as young as 13 to participate.

Since then, Dylan has been working directly with MSRC to discover other vulnerabilities, too. The ethical hacker reported a security vulnerability in the Authenticator Broker service, too. He is known for his articulate communication skills and for not staying silent when he disagrees with MSRC's initial assessments.

The prodigy, who was also MSRC's youngest researcher, is now a junior in high school. He submitted 20 vulnerabilities reports last summer alone, which is impressive considering that he had only submitted six in total before that. You can read more about Dylan's journey here.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Some of the extensions pretend to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and include malicious code that sends stolen information to attacker-controlled servers.

Researchers at Koi security found the risky extensions along with evidence indicating that behind the campaign is a Russian-speaking threat group.

In a report shared with BleepingComputer, the researchers say that many of these browser add-ons are clones of open-source versions of legitimate wallets with added malicious logic.

Koi security presents examples of ‘input’ and ‘click’ event listeners in the code, which monitor for sensitive data inputs from the victim.

The code checks for input strings that are longer than 30 characters to filter for realistic wallet keys/seed phrases, and exfiltrates the data to the attackers.

Error dialogs are hidden from the user by setting the opacity to zero for any elements that might alert the user of the activity.

Seed phrases (recovery/mnemonic phrase) are master keys typically comprising multiple words, allowing users to recover or port wallets to new devices.

Obtaining someone’s seed phrase makes it possible to steal all the cryptocurrency assets in the wallet. The theft appears as a legitimate transaction and is irreversible.

The campaign has been active since at least April and new extensions appear to be added to the Firefox store constantly. The researchers say that the newest malicious entries are as recent as last week.

To build trust, the threat actors use the real logos of the brands they impersonate while many of the extensions have hundreds of fake five-star reviews. Some of them also have a large number of one-star reviews reporting the scam, likely from users that lost their cryptocurrency.

Although most of the user reviews are obviously fake (they surpass the installation figure by far), many users not paying attention to the details could still be tricked into installing them and risk their seed phrases being stolen.

Mozilla has developed an early detection system for crypto scam extensions. It relies on automated indicators for assessing the risk level. If a threshold is reached, human reviewers analyze the submission and block it if it's malicious.

Koi Security told BleepingComputer that they reported the findings to the Firefox store using the official reporting tool, but the fake extensions continue to be available at the time of writing.

BleepingComputer has reached out to Mozilla for a comment on the matter but a statement wasn’t immediately available.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Recipients may receive a single-use access code via a separate email to open an encrypted message in Gmail, Yahoo, or other email clients without a Microsoft 365 subscription. This OTP message allows them to view the encrypted email on the Office 365 Message Encryption portal.

However, as the company explains in a new service alert published in the admin center, some users may not receive OTP emails because of a known Domain Name System (DNS) record misconfiguration.

"Some users expecting to receive OTP email messages for encrypted email messages in Exchange Online may be impacted," Microsoft said.

"DNS records for the domain that provides OTP email messages to encrypted messages became misconfigured, which is causing impact. We've corrected the DNS record configurations for the affected domain and are reaching out to a sample of affected users to confirm whether the impact is remediated."

In a previous update regarding this incident, Microsoft noted that the OTP delivery problems are due to the removal of DNS records for the domain that generates access codes for encrypted messages.

It also added that the known issue specifically affects users who have a process set up to perform DNS checks on incoming email messages.

While Microsoft has yet to provide detailed information about the extent of the incident, the company has identified it as a critical service issue in the Microsoft 365 admin center, indicating that it has a significant impact on users.

In February, Microsoft resolved a widespread issue causing Entra ID DNS authentication failures, which were triggered by a DNS change that resulted in DNS resolution failures for the autologon.microsoftazuread.sso.com domain.

In recent years, Microsoft has had to address outages and incidents caused by DNS issues, including one in August 2023 that was triggered by a misconfigured DNS SPF record, resulting in worldwide Hotmail email delivery failures.

Two years earlier, in April 2021, a code defect was responsible for a global outage that affected many Microsoft servicesdue to overloaded Azure DNS servers.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

"Google is aware that an exploit for CVE-2025-6554 exists in the wild," the browser vendor said in a security advisoryissued on Monday. "This issue was mitigated on 2025-06-26 by a configuration change pushed out to Stable channel across all platforms."

The company fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (138.0.7204.96/.97), Mac (138.0.7204.92/.93), and Linux users (138.0.7204.96) one day after the issue was reported to Google.

The bug was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG), a collective of security researchers focused on defending Google customers from state-sponsored and other similar attacks.

Google TAG frequently discovers zero-day exploits deployed by government-sponsored threat actors in targeted attacks to infect high-risk individuals, including opposition politicians, dissidents, and journalists, with spyware.

Although the security updates patching CVE-2025-6554 could take days or weeks to reach all users, according to Google, they were immediately available when BleepingComputer checked for updates earlier today.

Users who prefer not to update manually can also rely on their web browser to automatically check for new updates and install them after the next launch.

The zero-day bug fixed today is a high-severity type confusion weakness in the Chrome V8 JavaScript engine. While such flaws generally lead to browser crashes after successful exploitation by reading or writing memory out of buffer bounds, attackers can also exploit them to execute arbitrary code on unpatched devices.

Even though Google stated that this vulnerability was exploited in the wild, the company has yet to share technical details or additional information regarding these attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," Google said.

This is the fourth actively exploited Google Chrome zero-day fixed since the start of the year, with three more patched in March, May, and June.

The first, a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky's Boris Larin and Igor Kuznetsov, was used in espionage attacks targeting Russian government organizations and media outlets with malware.

Google released another set of emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that can allow attackers to hijack accounts. One month later, the company addressed an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine discovered by Google TAG's Benoît Sevens and Clément Lecigne.

In 2024, Google patched a total of 10 zero-day vulnerabilities that were either exploited in attacks or demoed during Pwn2Own hacking competitions.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Last year, internet infrastructure firm Cloudflare launched tools enabling its customers to block AI scrapers. Today the company has taken its fight against permissionless scraping several steps further. It has switched to blocking AI crawlers by default for its customers and is moving forward with a Pay Per Crawl program that lets customers charge AI companies to scrape their websites.

Web crawlers have trawled the internet for information for decades. Without them, people would lose vitally important online tools, from Google Search to the Internet Archive’s invaluable digital preservation work. But the AI boom has produced a corresponding boomlet in AI-focused web crawlers, and these bots scrape web pages with a frequency that can mimic a DDoS attack, straining servers and knocking websites offline. Even when websites can handle the heightened activity, many do not want AI crawlers scraping their content, especially news publications that are demanding AI companies to pay to use their work. “We’ve been feverishly trying to protect ourselves,” says Danielle Coffey, the president and CEO of the trade group News Media Alliance, which represents several thousand North American outlets.

So far, Cloudflare’s head of AI control, privacy, and media products, Will Allen, tells WIRED, over 1 million customer websites have activated its older AI-bot-blocking tools. Now millions more will have the option of keeping bot blocking as their default. Cloudflare also says it can identify even “shadow” scrapers that are not publicized by AI companies. The company noted that it uses a proprietary combination of behavioral analysis, fingerprinting, and machine learning to classify and separate AI bots from “good” bots.

A widely used web standard called the Robots Exclusion Protocol, often implemented through a robots.txt file, helps publishers block bots on a case-by-case basis, but following it is not legally required, and there’s plenty of evidence that some AI companies try to evade efforts to block their scrapers. “Robots.txt is ignored,” Coffey says. According to a report from the content licensing platform Tollbit, which offers its own marketplace for publishers to negotiate with AI companies over bot access, AI scraping is still on the rise—including scraping that ignores robots.txt. Tollbit found that over 26 million scrapes ignored the protocol in March 2025 alone.

In this context, Cloudflare’s shift to blocking by default could prove a significant roadblock to surreptitious scrapers and could give publishers more leverage to negotiate, whether through the Pay Per Crawl program or otherwise. “This could dramatically change the power dynamic. Up to this point, AI companies have not needed to pay to license content, because they've known that they can just take it without consequences,” says Atlantic CEO (and former WIRED editor in chief) Nicholas Thompson. “Now they'll have to negotiate, and it will become a competitive advantage for the AI companies that can strike more and better deals with more and better publishers.”

AI startup ProRata, which operates the AI search engine Gist.AI, has agreed to participate in the Pay Per Crawl program, according to CEO and founder Bill Gross. “We firmly believe that all content creators and publishers should be compensated when their content is used in AI answers,” Gross says.

Of course, it remains to be seen whether the big players in the AI space will participate in a program like Pay Per Crawl, which is in beta. (Cloudflare declined to name current participants.) Companies like OpenAI have struck licensing deals with a variety of publishing partners, including WIRED parent company Condé Nast, but specific details of these agreements have not been disclosed, including whether the agreement covers bot access.

Meanwhile, there’s an entire online ecosystem of tutorials about how to evade Cloudflare’s bot blocking tools aimed at web scrapers. As the blocking default rolls out, it’s likely these efforts will continue. Cloudflare emphasizes that customers who do want to let the robots scrape unimpeded will be able to turn off the blocking setting. “All blocking is fully optional and at the discretion of each individual user,” Allen says.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Microsoft will soon no longer let you use its Authenticator app to store or autofill passwords. Starting in July, you won’t be able to autofill saved passwords using Authenticator, and you’ll have to use Microsoft Edge or another password management solution instead.

Microsoft also plans on deleting your saved payment information in Authenticator this July before erasing passwords in August. Last month, Microsoft Authenticator stopped accepting new passwords as part of plans to consolidate its password autofilling feature within Edge.

Microsoft will automatically sync saved passwords to your account, allowing you to access them in Edge. You can set Edge as your device’s default autofill provider by finding the option in your device’s settings and selecting Edge instead of Authenticator. If you don’t want to use Edge, make sure to export your passwords to another service by August.

Microsoft Authenticator launched as a multifactor authentication solution in 2016, and it added support for password storage in 2020. Though Microsoft Authenticator is ending support for passwords, it will continue to support passkeys, the solution that lets you use your device’s authentication method to sign into accounts, such as a PIN, fingerprint, or face scan.

You can find more information about how to export your passwords or make Edge your default autofilling provider from Microsoft’s website.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Researchers confirmed that 29 devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel are affected.

The list of impacted products includes speakers, earbuds, headphones, and wireless microphones.

The security problems could be leveraged to take over a vulnerable product and on some phones, an attacker within connection range may be able to extract call history and contacts.

Snooping over a Bluetooth connection

At the TROOPERS security conference in Germany, researchers at cybersecurity company ERNW disclosed three vulnerabilities in the Airoha systems on a chip (SoCs), which are widely used in True Wireless Stereo (TWS) earbuds.

The issues are not critical and besides close physical proximity (Bluetooth range), their exploitation also requires “a high technical skill set.” They received the following identifiers:

• CVE-2025-20700 (6.7, medium severity score) - missing authentication for GATT services
• CVE-2025-20701 (6.7, medium severity score) -  missing authentication for Bluetooth BR/EDR
• CVE-2025-20702 (7.5, high severity score) - critical capabilities of a custom protocol

ERNW researchers say they created a proof-of-concept exploit code that allowed them to read the currently playing media from the targeted headphones.

While such an attack may not present a great risk, other scenarios leveraging the three bugs could let a threat actor hijack the connection between the mobile phone and an audio Bluetooth device and use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone.

“The range of available commands depends on the mobile operating system, but all major platforms support at least initiating and receiving calls” - ERNW

The researchers were able to trigger a call to an arbitrary number by extracting the Bluetooth link keys from a vulnerable device’s memory.

They say that depending on the phone’s configuration, an attacker could also retrieve the call history and contacts.

They were also able to initiate a call and "successfully eavesdrop on conversations or sounds within earshot of the phone."

Furthermore, the vulnerable device’s firmware could potentially be rewritten to enable remote code execution, thereby facilitating the deployment of a wormable exploit capable of propagating across multiple devices.

Attack restrictions apply

Although the ERNW researchers present serious attack scenarios, practical implementation at scale is constrained by certain limitations.

“Yes — the idea that someone could hijack your headphones, impersonate them towards your phone, and potentially make calls or spy on you, sounds pretty alarming.”

“Yes — technically, it is serious,” the researchers say, adding that “real attacks are complex to perform.”

The necessity of both technical sophistication and physical proximity confines these attacks to high-value targets, such as those in diplomacy, journalism, activism, or sensitive industries.

Airoha has released an updated SDK incorporating necessary mitigations, and device manufacturers have started patch development and distribution.

Nevertheless, German publication Heise says that the most recent firmware updates for more than half of the affected devices are from May 27 or earlier, which is before Airoha delivered the updated SDK to its customers.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The decision to end the expiration notification email service was implemented as of June 4, 2025, but Let's Encrypt has now communicated it via a blog post to raise awareness and prevent unexpected disruptions.

Let's Encrypt is a nonprofit Certificate Authority (CA) that provides free, automated, and open digital certificates to enable HTTPS (SSL/TLS) on websites. In terms of size, they are among the largest CAs in the world, issuing hundreds of millions of certificates to billions of websites.

Let's Encrypt is a transparent CA that has minimized data retention wherever possible. Its root certificate is included in all major browsers and OS trust stores, while it enjoys support from prominent tech firms such as Google, Cisco, Mozilla, EFF, Facebook, and Akamai.

The organization utilizes an automated protocol called ACME (Automatic Certificate Management Environment), which enables websites and server software to automate the issuance, installation, and renewal of certificates with minimal or no human intervention.

According to the latest announcement, the existence of this automation is the primary reason why the email notification service is being sunset, as its need is diminishing.

The adoption of automated renewal solutions has been further accelerated by standards changes, such as the CA/Browser Forum's recent announcement to reduce certificate lifespans to 47 days by 2029.

This decision made manual management impractical, if not impossible, strongly incentivizing the adoption of automation to stay compliant and avoid outages.

A second key reason for the decision to drop the email service is the cost of running it, which Let's Encrypt estimates to be "tens of thousands of dollars per year."

The organization believes it would be far more beneficial to allocate this money to other aspects of its infrastructure, which is also unnecessarily strained by handling email distribution activities.

"Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made," explained Let's Encrypt.

"Over the long term, particularly as we add support for new service components, we need to manage overall complexity by phasing out system components that can no longer be justified."

Finally, the organization has user data privacy concerns, as it now has to retain, manage, and protect a sizable database of email addresses linked to issuance records to notify the appropriate parties.

The key takeaway for potentially impacted users is to adopt tools that support the ACME protocol if they haven't already done so and to stop relying on Let's Encrypt's notification emails.

If you need to receive renewal alerts, consider setting up an external notification service in a different manner.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Our water, health, and energy systems are increasingly vulnerable to cyberattack.

Now, when tensions escalate — like when the US bombed nuclear facilities in Iran this month — the safety of these systems becomes of paramount concern. If conflict erupts, we can expect it to be a “hybrid” battle, Joshua Corman, executive in residence for public safety & resilience at the Institute for Security and Technology (IST), tells The Verge.

Battlefields now extend into the digital world, which in turn makes critical infrastructure in the real world a target. I first reached out to IST for their expertise on this issue back in 2021, when a ransomware attack forced the Colonial Pipeline — a major artery transporting nearly half of the east coast’s fuel supply — offline for nearly a week. Since then, The Verge has also covered an uptick in cyberattacks against community water systems in the US, and America’s attempts to thwart assaults supported by other governments.

It’s not time to panic, Corman reassures me. But it is important to reevaluate how we safeguard hospitals, water supplies, and other lifelines from cyberattack. There happen to be analog solutions that rely more on physical engineering than putting up cyber firewalls.

This interview has been edited for length and clarity.

As someone who works on cybersecurity for water and wastewater, healthcare, food supply chains, and power systems — what keeps you up at night?

Oh, boy. When you look across what we designate as lifeline critical functions, the basic human needs — water, shelter, safety — those are among some of our most exposed and underprepared. With great connectivity comes great responsibility. And while we’re struggling to protect credit card cards or websites or data, we continue to add software and connectivity to lifeline infrastructure like water and power and hospitals.

We were always prey. We were just kind of surviving at the appetite of our predators, and they’re getting more aggressive.

How vulnerable are these systems in the US?

You might have seen the uptick in ransomware starting in 2016. Hospitals very quickly became the number one preferred target of ransomware because they’re what I call “target rich, but cyber poor.” The unavailability of their service is pretty dire, so the unavailability can be monetized very easily.

You have this kind of asymmetry and unmitigated feeding-frenzy, where it’s attractive and easy to attack these lifeline functions. But it’s incredibly difficult to get staff, resources, training, budget, to defend these lifeline functions.

If you’re a small, rural water facility, you don’t have any cybersecurity budget. We often usher platitudes of ‘just do best practices, just do the NIST framework.’ But they can’t even stop using end of life, unsupported technology with hard-coded passwords.

It’s about 85 percent of the owners and operators of these lifeline critical infrastructure entities that are target rich and cyber poor.

Take water systems, for example. Volt Typhoon has been found successfully compromising US water facilities and other lifeline service functions, and it’s sitting there in wait, prepositioning. [Editor’s note: Volt Typhoon is a People’s Republic of China state-sponsored cyber group]

China specifically has intentions toward Taiwan as early as 2027. They basically would like the US to stay out of their intentions toward Taiwan. And if we don’t, they’re willing to disrupt and destroy parts of these very exposed, very prone facilities. The overwhelming majority don’t have a single cybersecurity person, haven’t heard of Volt Typhoon, let alone know if and how they should defend themselves. Nor do they have the budget to do so.

Turning to recent news and the escalation with Iran, is there anything that is more vulnerable at this moment? Are there any unique risks that Iran poses to the US?

Whether it’s Russia or Iran or China, all of them have shown they are willing and able to reach out to water facilities, power grids, hospitals, etc. I am most concerned about water. No water means no hospital in about four hours. Any loss of pressure to the hospital’s pressure zone means no fire suppression, no surgical scrubbing, no sanitation, no hydration.

What we have is increasing exposure that we volunteered into with smart, connected infrastructure. We want the benefit, but we haven’t paid the price tag yet. And that was okay when this was mostly criminal activity. But now that these points of access can be used in weapons of war, you could see pretty severe disruption in civilian infrastructure.

Now, just because you can hit it doesn’t mean you will hit it, right? I’m not encouraging panic at the moment over Iran. I think they’re quite busy, and if they’re going to use those cyber capabilities, it’s a safer assumption they would first use them on Israel.

Different predators have different appetites, and prey, and motives.

Sometimes it’s called access brokering, where they’re looking for a compromise and they lay in wait for years. Like in critical infrastructure, people don’t upgrade their equipment, they use very old things. If you believe that you’ll have that access for a long time, you can sit on it and wait patiently until the time and the place of your choosing.

Think of this a little bit like Star Wars. The thermal exhaust port on the Death Star is the weak part. If you hit it, you do a lot of damage. We have a lot of thermal exhaust ports all over water and healthcare specifically.

What needs to be done now to mitigate these vulnerabilities?

We’re encouraging something called cyber-informed engineering.

What we’ve found is if a water facility is compromised, abrupt changes in water pressure can lead to a very forceful and damaging surge of water pressure that could burst pipes. If you were to burst the water main for a hospital, there would be no water pressure to the hospital. So if you wanted to say, ‘let’s make sure the Chinese military can’t compromise the water facility,’ you’d have to do quite a bit of cybersecurity or disconnect it.

What we’re encouraging instead, is something much more familiar, practical. Just like in your house, you have a circuit breaker, so if there’s too much voltage you flip a switch instead of burning the house down. We have the equivalent of circuit breakers for water, which are maybe $2,000, maybe under $10,000. They can detect a surge in pressure and shut off the pumps to prevent physical damage. We’re looking for analog, physical engineering mitigation.

If you want to reduce the likelihood of compromise, you add cybersecurity. But if you want to reduce the consequences of compromise, you add engineering.

If the worst consequences would be a physically damaging attack, we want to take practical steps that are affordable and familiar. Water plants don’t know cyber, but they do know engineering. And if we can meet them on their turf and help explain to them the consequences and then co-create affordable, realistic, temporary mitigations, we can survive long enough to invest properly in cybersecurity later.

Federal agencies under the Trump administration have faced budget and staffing cuts, does that lead to greater vulnerabilities as well? How does that affect the security of our critical infrastructure?

Independent of people’s individual politics, there was an executive order from the White House in March that shifts more of the balance of power and responsibility to states to protect themselves, for cybersecurity resilience. And it’s very unfortunate timing given the context we’re in and that it would take time to do this safely and effectively.

I think, without malice, there has been a confluence of other contributing factors making the situation worse. Some of the budget cuts in CISA, which is the national coordinator across these sectors, is not great. The Multi-State Information Sharing and Analysis Center is a key resource for helping the states serve themselves, and that too lost its funding. And as of yet, the Senate has not confirmed a CISA director.

We should be increasing our public private partnerships, our federal and state level partnerships and there seems to be bipartisan agreement on that. And yet, across the board, the EPA, Health and Human Services, Department of Energy and CISA have suffered significant reduction in budget and staff and leadership. There’s still time to correct that, but we are burning daylight on what I see as a very small amount of time to form the plan, to communicate the plan, and execute the plan.

Whether we want this or not, more responsibility for cyber resilience and defense and critical functions is falling to the states, to the counties, to the towns, to individuals. Now is the time to get educated and there is a constellation of nonprofit and civil society efforts — one of them is the good work we’re doing with this Undisruptable27.org, but we also participate in a larger group called Cyber Civil Defense. And we recently launched a group called the Cyber Resilience Corps, which is a platform for anyone who wants to volunteer to help with cybersecurity for small, medium, rural, or lifeline services. It’s also a place for people to find and request these volunteers. We’re trying to reduce the friction of asking for help and finding help.

I think this is one of those moments in history where we want and need more from governments, but cavalry isn’t coming. It’s going to fall to us.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

In the summer of 2024, corporate anti-malware provider CrowdStrike pushed a broken update to millions of PCs and servers running some version of Microsoft's Windows software, taking down systems that both companies and consumers relied on for air travel, payments, emergency services, and their morning coffee. It was a huge outage, and it caused days and weeks of pain as the world's permanently beleaguered IT workers brought systems back online, in some cases touching each affected PC individually to remove the bad update and get the systems back up and running.

The outage was ultimately CrowdStrike's fault, and in the aftermath of the incident, the company promised a long list of process improvements to keep a bad update like that from going out again. But because the outage affected Windows systems, Microsoft often had shared and sometimes even top billing in mainstream news coverage—another in a string of security-related embarrassments that prompted CEO Satya Nadella and other executives to promise that the company would refocus its efforts on improving the security of its products.

The CrowdStrike crash was possible partly due to how anti-malware software works in Windows. Security vendors and their AV products generally have access to the Windows kernel, the cornerstone of the operating system that sits between your hardware and most user applications. But most user applications don't have kernel access specifically because a buggy app (or one hijacked by malware) with kernel access can bring the entire system down rather than just affecting the app. The bad CrowdStrike update was bad mostly because it was being loaded so early in Windows' boot process that many systems couldn't check for and download CrowdStrike's fix before they crashed.

As part of a wide-ranging security blog post earlier this week, Microsoft announced a seemingly minor change that could have a big impact: "a private preview of the Windows endpoint security platform" that "will allow [endpoint security vendors] to start building their solutions to run outside the Windows kernel."

"This means security products like anti-virus and endpoint protection solutions can run in user mode just as apps do," wrote David Weston, Microsoft's VP of Enterprise and OS Security. "This change will help security developers provide a high level of reliability and easier recovery resulting in less impact on Windows devices in the event of unexpected issues."

This preview will be delivered to companies that participate in Microsoft's Microsoft Virus Initiative (MVI), a list that includes CrowdStrike, Bitdefender, ESET, SentinelOne, Trellix, Trend Micro, and WithSecure. Those companies all have representatives quoted in Microsoft's blog post, all offering some version of (to paraphrase) "security is important and we are pleased to be working with Microsoft to make it better."

Microsoft's language says that security vendors can develop security apps that operate in user mode but not that they must do so. It's not clear whether this announcement is a first step toward booting third-party security companies out of the Windows kernel entirely or if it's simply a new, more foolproof option for companies whose software doesn't need that level of access.

An idea with some baggage

Microsoft's attempts to restrict third-party security companies from accessing the Windows kernel have been contentious in the past. Back in 2006, when Microsoft was simultaneously developing Windows Vista and building the foundation for what would become today's 64-bit editions of Windows, Microsoft wanted to restrict security companies from patching the kernel as they'd been able to in 32-bit editions of Windows, insisting that they do so using more restricted security APIs instead.

But Microsoft was also beginning to offer its own antivirus products at the time, including the first version of Windows Defender. Companies like Symantec argued that restricting their access to the kernel was anti-competitive and that it would give Microsoft's own security products capabilities that third parties couldn't provide.

Working with third-party companies to define these standards and address those companies' concerns seems to be Microsoft's way of trying to avoid that kind of controversy this time around.

"We will continue to collaborate deeply with our MVI partners throughout the private preview," wrote Weston.

Death comes for the blue screen

Microsoft's post outlines a handful of other security-related Windows tweaks, including some that take alternate routes to preventing more CrowdStrike-esque outages.

Multiple changes are coming for the "unexpected restart screen," the less-derogatory official name for what many Windows users know colloquially as the "blue screen of death." For starters, the screen will now be black instead of blue, a change that Microsoft briefly attempted to make in the early days of Windows 11 but subsequently rolled back.

The unexpected restart screen has been "simplified" in a way that "improves readability and aligns better with Windows 11 design principles, while preserving the technical information on the screen for when it is needed."

But the more meaningful change is under the hood, in the form of a new feature called "quick machine recovery" (QMR).

If a Windows PC has multiple unexpected restarts or gets into a boot loop—as happened to many systems affected by the CrowdStrike bug—the PC will try to boot into Windows RE, a stripped-down recovery environment that offers a handful of diagnostic options and can be used to enter Safe Mode or open the PC's UEFI firmware. QMR will allow Microsoft to "broadly deploy targeted remediations to affected devices via Windows RE," making it possible for some problems to be fixed even if the PCs can't be booted into standard Windows, "quickly getting users to a productive state without requiring complex manual intervention from IT."

QMR will be enabled by default on Windows 11 Home, while the Pro and Enterprise versions will be configurable by IT administrators. The QMR functionality and the black version of the blue screen of death will both be added to Windows 11 24H2 later this summer. Microsoft plans to add additional customization options for QMR "later this year."

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Smartphones contain a treasure trove of personal data, which makes them a worthwhile target for hackers. However, law enforcement is not above snooping on cell phones, and their tactics are usually much harder to detect. Cell site simulators, often called Stingrays, can trick your phone into revealing private communications, but a change in Android 16 could allow phones to detect this spying.

Law enforcement organizations have massively expanded the use of Stingray devices because almost every person of interest today uses a cell phone at some point. These devices essentially trick phones into connecting to them like a normal cell tower, allowing the operator to track that device's location. The fake towers can also shift a phone to less secure wireless technology to intercept calls and messages. There's no indication this is happening on the suspect's end, which is another reason these machines have become so popular with police.

However, while surveilling a target, Stingrays can collect data from other nearby phones. It's not unreasonable to expect a modicum of privacy if you happen to be in the same general area, but sometimes police use Stingrays simply because they can. There's also evidence that cell simulators have been deployed by mysterious groups outside law enforcement. In short, it's a problem. Google has had plans to address this security issue for more than a year, but a lack of hardware support has slowed progress. Finally, in the coming months, we will see the first phones capable of detecting this malicious activity, and Android 16 is ready for it.

An example of the network notifications that could appear on future Android phones.

Credit: Android Authority

As part of Google's mobile network security features, Android phones will be able to detect when a network requests a unique identifier or attempts to force an unencrypted connection. This produces a "network notification" to warn of the potential attack. This settings page will also include a toggle to disable insecure 2G networks, which is already supported in Android.

The problem, however, is that no current phones can do this. To unmask fake cell towers, Android phones need to have version 3.0 of Google's IRadio hardware abstraction layer, which has to be supported at the modem level. Even Google's latest Pixel phones lack support, so the network security settings page is hidden in current builds of Android 16.

The Stingray, made by Harris Corp., is now so ubiquitous in law enforcement that it has become a generic term for cell site simulators.

Credit: US Patent and Trademark Office

According to Android Authority, Google allows OEMs to lock in certain hardware features at the time of a phone's release. So it's unlikely any current phone will be updated with modem drivers that are capable of Stingray detection. Phones that launch on Android 16 later this year, like the Pixel 10, will be the first to call out fake cell towers. In the meantime, you can still disable 2G connections to limit the impact of cell site simulators.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.

It has reported yearly net sales of over $104 billion last year and it operates under a wide range of brands, including Food Lion, Stop & Shop, Giant Food, and Hannaford in the American market, and Delhaize, Maxi, Mega Image, Albert, bol, Alfa Beta, Gall & Gall, and Profi in Europe.

"This issue and subsequent mitigating actions have affected certain Ahold Delhaize USA brands and services including a number of pharmacies and certain e-commerce operations," said Ahold Delhaize in November, when it disclosed the incident.

In a Thursday filing with Maine's Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company's internal U.S. business systems on November 6, 2024.

While it didn't confirm whether customers' information was also affected, Ahold Delhaize stated that the stolen files may have included internal employment records with personal information obtained while working with current and former Ahold Delhaize USA companies.

The company added that the stolen items vary for each affected individual and that the stolen documents contain a combination of:

• personal information such as name, contact information (e.g., postal and email address and telephone number), date of birth, government-issued identification numbers (e.g., Social Security, passport, and driver's license numbers),
• financial account information (e.g., bank account number),
• health information (e.g., workers' compensation information and medical information contained in employment records),
• and employment-related information.

Although the company has yet to name the cybercrime group behind the breach, the INC Ransom ransomware group added Ahold Delhaize to its dark web extortion portal in April, leaking samples of documents allegedly stolen from the company's compromised systems.

Ahold Delhaize told BleepingComputer in April that attackers had stolen data from its U.S. business systems but didn't comment on whether the ransomware gang was involved in the breach.

Today, an Ahold Delhaize spokesperson once again refused to comment when asked to confirm that INC Ransom was behind the attack, if any systems were encrypted during the attack, and whether the company had been in contact with the attackers about paying a ransom.

"It’s important to note that based on our investigation, we have no indication that customer payment or pharmacy systems were compromised in connection with the issue, and the company identified no customer credit card numbers contained in the affected files. Beyond this, we are not providing any additional details on the systems affected," BleepingComputer was told.

INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023 and has since targeted organizations in both the public and private sectors.

Its list of more than 250 victims claimed over the last two years includes government, healthcare, educational, and industrial entities, such as Scotland's National Health Service (NHS), Yamaha Motor Philippines, and the U.S. division of Xerox Business Solutions (XBS).

In April, the ransomware gang also claimed responsibility for an attack on the State Bar of Texas, which later warned over 100,000 members that hackers had stolen their sensitive data.

INC Ransom has recently shifted its focus to organizations in the United States, with one of its members, tracked by Microsoft as 'Vanilla Tempest,' specifically targeting U.S. healthcare providers.

Update June 27, 13:32 EDT: Added Ahold Delhaize statement.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Hackers are exploiting a maximum-severity vulnerability that has the potential to give them complete control over thousands of servers, many of which handle mission-critical tasks inside data centers, the US Cybersecurity and Infrastructure Security Agency is warning.

The vulnerability, carrying a severity rating of 10 out of a possible 10, resides in the AMI MegaRAC, a widely used firmware package that allows large fleets of servers to be remotely accessed and managed even when power is unavailable or the operating system isn't functioning. These motherboard-attached microcontrollers, known as baseboard management controllers (BMCs), give extraordinary control over servers inside data centers.

Administrators use BMCs to reinstall operating systems, install or modify apps and make configuration changes to large numbers of servers, without physically being on premises and, in many cases, without the servers being turned on. Successful compromise of a single BMC can be used to pivot into internal networks and compromise all other BMCs.

We don’t need no stinkin’ credentials

CVE-2024-54085, as the vulnerability is tracked, allows for authentication bypasses by making a simple web request to a vulnerable BMC device over HTTP. The vulnerability was discovered by security firm Eclypsium and disclosed in March. The disclosure included proof-of-concept exploit code allowing a remote attacker to create an admin account without providing any authentication. At the time of the disclosure, there were no known reports of the vulnerability being actively exploited.

On Wednesday, CISA added CVE-2024-54085 to its list of vulnerabilities known to be exploited in the wild. The notice provided no further details.

In an email on Thursday, Eclypsium researchers said the scope of the exploits has the potential to be broad. That scope includes:

• Attackers could chain multiple BMC exploits to implant malicious code directly into the BMC’s firmware, making their presence extremely difficult to detect and allowing them to survive OS reinstalls or even disk replacements.
• By operating below the OS, attackers can evade endpoint protection, logging, and most traditional security tools.
• With BMC access, attackers can remotely power on or off, reboot, or reimage the server, regardless of the primary operating system's state.
• Attackers can scrape credentials stored on the system, including those used for remote management, and use the BMC as a launchpad to move laterally within the network
• BMCs often have access to system memory and network interfaces, enabling attackers to sniff sensitive data or exfiltrate information without detection
• Attackers with BMC access can intentionally corrupt firmware, rendering servers unbootable and causing significant operational disruption

With no publicly known details of the ongoing attacks, it's unclear which groups may be behind them. Eclypsium said the most likely culprits would be espionage groups working on behalf of the Chinese government. All five of the specific APT groups Eclypsium named have a history of exploiting firmware vulnerabilities or gaining persistent access to high-value targets.

Eclypsium said the line of vulnerable AMI MegaRAC devices uses an interface known as Redfish. Server makers known to use these products include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm. Some, but not all, of these vendors have released patches for their wares.

Given the damage possible from exploitation of this vulnerability, admins should examine all BMCs in their fleets to ensure they aren't vulnerable. With products from so many different server makers affected, admins should consult with their manufacturer when unsure if their networks are exposed.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The flaw, tracked under CVE-2024-51978, is part of a set of eight vulnerabilities discovered by Rapid7 researchers during a lengthy examination of Brother hardware.

This crucial vulnerability can be chained with other vulnerabilities discovered by Rapid7 to determine the admin password, take control of devices, perform remote code execution, crash them, or pivot within the networks they're connected to.

Not all of the flaws affect every one of the 689 Brother printer models, but other manufacturers, including Fujifilm (46 models), Konica Minolta (6), Ricoh (5), and Toshiba (2), are impacted as well.

Insecure password generation

The default password in the impacted printers is generated during manufacturing using a custom alogirthm based on the device's serial number.

According to a detailed technical analysis by Rapid7, the password generation algorithm follows an easily reversible process:

1. Take the first 16 characters of the serial number.
2. Append 8 bytes derived from a static "salt" table.
3. Hash the result with SHA256.
4. Base64-encode the hash.
5. Take the first eight characters and substitute some letters with special characters.

Attackers can leak the serial number of the target printer using various methods or by exploiting CVE-2024-51977. They can then use the algorithm to generate the default admin password and log in as admin.

From there, they may reconfigure the printer, access stored scans, read address books, exploit CVE-2024-51979 for remote code execution, or exploit CVE-2024-51984 to harvest credentials.

Rapid7 began its disclosure process in May 2024 and was aided by JPCERT/CC in coordinating disclosures to other manufacturers.

Although all flaws have been fixed in firmware updates made available by impacted manufacturers, the case with CVE-2024-51978 is complicated in terms of risk management.

The vulnerability is rooted in the password generation logic used in hardware manufacturing, and hence, any devices made before its discovery will have predictable passwords unless users change them.

"Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models," explains Rapid7 regarding CVE-2024-51978.

Users of existing Brother printers listed in the impacted models should consider their devices vulnerable and immediately change the default admin password, followed by applying the firmware updates.

In general, it is recommended to restrict access to the printer's admin interfaces over unsecured protocols and external networks.

Security bulletins with instructions on what users should do are available for Brother, Konica Minolta, Fujifilm, Ricoh, and Toshiba.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

To deal with the evolving threat landscape, new Windows features, and community feedback, Microsoft is planning to revise the Windows Server baseline more frequently in the future. Windows Server security baselines are a collection of Microsoft-recommended configuration settings that help administrators establish secure and consistent Windows Server environments.

This is the first security baseline update for Windows Server 2025 since January, a summary of the changes is presented in this table:

Of these changes, the removal of WDigest Authentication and the addition of Include command line in process creation events are significant.

Microsoft said it removed WDigest Authentication from the security baseline because it is no longer necessary for Windows Server 2025. The policy was originally enforced so that WDigest couldn’t store plaintext passwords in memory, which was a significant theft risk. Since the 24H2 update in Windows Server 2022, the policy has been deprecated, so there’s no need to enforce this setting.

The update also adds Include command line in process creation events to improve the visibility of how processes are executed across the system. By capturing the command-line arguments, it makes it easier to detect and investigate malicious activity that may otherwise seem legitimate.

If you want to learn more about the other changes in a bit more depth, refer to Microsoft’s announcement of this security baseline update.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Ubuntu users could see up to a 20 percent boost in graphics performance on Intel-based systems under a change that will turn off security mitigations for blunting a class of attacks known as Spectre.

Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task.

By using code that forces a CPU to execute carefully selected instructions, Spectre attacks can extract confidential data that the CPU would have accessed had it carried out the ghost instructions. Over the past seven years, researchers have uncovered multiple attack variants based on the architectural flaws, which are unfixable. CPU manufacturers have responded by creating patches in both micro code and binary code that restrict speculative execution operations in certain scenarios. These restrictions, of course, usually degrade CPU performance.

When the investment costs more than the return

Over time, those mitigations have degraded graphics processing performance by as much as 20 percent, a member of the Ubuntu development team recently reported. Additionally, the team member said, Ubuntu will integrate many of the same mitigations directly into its Kernel, specifically in the Questing Quokka release scheduled for October. In consultation with their counterparts at Intel, Ubuntu security engineers have decided to disable the mitigations in the device driver for the Intel Graphics Compute Runtime.

“After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level,” Ubuntu developer Shane McKee wrote. He continued:

At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.

McKee went on to say that as a result, “Users can expect up to 20% performance improvement.”

The developer acknowledged that the change could open security holes or introduce bugs but said that both Ubuntu and Intel have confidence that disabled versions will be safe.

Most of the researchers Ars consulted agreed. They reasoned that the mitigations built into the kernel are likely to protect against most if not all Spectre attack scenarios. They also noted that there are no known reports of Spectre attacks ever being actively used in the wild.

“Nobody bothers attacking these vulns because it takes a lot of engineering time to implement attacks against them to any useful level of rigor, and getting any interesting data back outside very targeted scenarios is very unlikely (plus it's noisy due to the number of iterations you need to do on these types of side-channels),” independent researcher Graham Sutherland wrote on Mastodon. “The economics just don't stack up for attackers, especially when there are so many lower-effort higher-reward attack approaches they can throw at stuff.”

“From the user perspective it’s risk/reward too,” a researcher going by the handle demize added. “Probably don’t disable side-channel mitigations on multitenant servers. ...” But for typical users, “you have a much higher threat from downloading malware that does literally anything else.”

Ultimately, cryptography engineer Sophie Schmieg said, the benefit of the mitigations isn't worth the performance costs to GPU performance, where predicting instruction branches is more critical than for CPU performance.

“The system can effectively parallelize a lot more actions without requiring expensive synchronization points between the cores,” Schmieg said. “If anything, something massively parallel like a GPU wants to do branch prediction even more liberally than a CPU.”

One thing Ubuntu users should know is that the change will only provide performance boosts when GPUs are handling workloads running the OpenCL framework or the OneAPI Level Zero interface. That likely means that people using games and similar apps will see no benefit.

Ubuntu users who run a custom Linux kernel without Spectre GPU mitigations should keep the compute runtime level mitigations on, a spokesman for Ubuntu developer Canonical said. These users can build a Compute Runtime themselves with the NEO_DISABLE_MITIGATIONS=false flag added.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The flaw tracked as CVE-2025-6218 and assigned a CVSS score of 7.8 (high severity), was discovered by security researcher whs3-detonator who reported it through Zero Day Initiative on June 5, 2025.

It affects only the Windows version of WinRAR, from version 7.11 and older, and a fix was released in WinRAR version 7.12 beta 1, which was made available yesterday.

"When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path," read the changelog notes.

A malicious archive could contain files with crafted relative paths tricking WinRAR into "silently" extracting those to sensitive locations like system directories and auto-run or startup folders.

If the archive's contents are malicious, these files could launch automatically and trigger dangerous code execution the next time the user logs into Windows.

Although the programs will run with user-level access rather than administrative or SYSTEM rights, they can still steal sensitive data like browser cookies and saved passwords, install persistence mechanisms, or provide remote access for further lateral movement.

The risk of CVE-2025-6218 is contained by the fact that user interaction is required for its exploitation, like opening a malicious archive or visiting a specially crafted page.

However, it is very common for users to utilize old versions of WinRar, and as there are so many ways to distribute malicious archives, the risk remains very high.

Besides CVE-2025-6218, WinRAR 7.12 beta 1 also addresses an HTML injection in report generation problem reported by Marcin Bobryk, where archived file names containing < or > could be injected into the HTML report as raw HTML tags. This could enable HTML/JS injection if reports are opened in a web browser.

Two more minor issues fixed in the latest WinRAR release include incomplete testing of recovery volumes and timestamp precision loss for Unix records.

Although CVE-2025-6218 does not impact Unix versions, Android, and portable UnRAR source code, all users of WinRAR, regardless of the platform, are recommended to upgrade to the latest version immediately.

Currently, there are no reports about CVE-2025-6218, but given the widespread deployment of WinRAR globally and the history of hackers targeting the software, users should update to the latest version immediately.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

News of the arrests come from Le Parisien, which claims the law enforcement operation was carried out by the cybercrime unit (BL2C) of the Paris police department on Monday.

According to reporters, the police carried out simultaneous raids in the regions of Hauts-de-Seine (Paris), Seine-Maritime (Normandy), and Réunion (overseas).

During this action, they have arrested four hackers known online by the handles "ShinyHunters," "Hollow," "Noct," and "Depressed."

For months, rumors circulated that another well-known threat actor, "IntelBroker," had also been arrested. Le Parisien reports that IntelBroker was also arrested by French authorities in February 2025.

The BreachForums hacking forums have gone through numerous iterations over the years but acted as a community for cybercriminals to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services.

In 2023, the original BreachForums shut down after its operator, Conor Brian FitzPatrick (aka Pompompurin), was arrested.

Soon after, other threat actors in the community launched BreachForums v2, which was led by threat actors known as ShinyHunters, Baphomet, and, later, IntelBroker.

The five threat actors that were arrested were reportedly involved in the operation of this new launch of the site.

ShinyHunters and IntelBroker were admins/owners of the site, and archived posts show Hollow acting as a moderator.  It is unclear what involvement "depressed" and "noct" had in the operation of the site.

Those cybercriminals are accused of having direct involvement in data breaches against French entities like Boulanger, SFR, France Travail, and the French Football Federation.

The attack against France Travail (formerly Pôle Emploi) was particularly notable for compromising the sensitive details of an estimated 43 million individuals.

IntelBroker rose to notoriety for his involvement in highly publicized breaches at Europol,  General Electric, Weee!, AMD, HPE, Nokia, and Cisco. However, the threat actor entered the spotlight after breaching DC Health Link, the organization that administers the health care plans of U.S. House members, their staff, and their families.

ShinyHunters is the most notorious among those arrested, as the alias has been linked to multiple high-profile data breaches and attacks, including those against Salesforce and PowerSchool, and the SnowFlake attacks, which impacted Santander, Ticketmaster, AT&T, Advance Auto Parts, Neiman Marcus, and Cylance.

The ShinyHunters threat actors have also been involved in a large number breaches in 2025, with the group believed to consist of multiple threat actors operating under the same name.

BreachForums v2 went offline in April 2025 after the site was allegedly breached by a MyBB zero-day vulnerability. The forum never returned online.

BleepingComputer has contacted the Paris police and ANSSI to comment on the validity and accuracy of the reports, but we have not received a response yet.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The UK’s competition regulator is proposing to loosen Google’s control of its search engine in the first application of Britain’s tough new digital market rules.

The Competition and Markets Authority said on Tuesday that Google could be required to implement new “fair ranking” measures in its search results and give publishers more control over how it uses their content, including in output generated by artificial intelligence.

The CMA said it was minded to hand Google “strategic market status”—a label introduced under new digital market laws this year—in light of its dominant position in search and search advertising, which would require the tech giant to abide by a number of such conduct rules. A final decision will be made by October following a public consultation.

The Big Tech giant became the first company to be targeted under strict new UK digital laws that require businesses with an outsized impact in certain digital markets to be granted the SMS label and subjected to specific rules.

The CMA’s investigation, which was opened in January, examined whether Google’s position in search and advertising was “delivering good outcomes” for consumers and businesses in the UK.

“Google is the world’s leading search tool and plays an important role in all our lives, with the average person in the UK making five to 10 searches a day,” said Sarah Cardell, the CMA’s chief executive. “Our investigation so far suggests there are ways to make these markets more open, competitive and innovative.”

Other conduct rules that the CMA is considering include requirements in how it ranks its search results and for Google’s distribution partners such as Apple to offer “choice screens” to help consumers switch more easily between search providers.

The CMA said Alphabet-owned Google’s dominance made the cost of search advertising “higher than would be expected” in a more competitive market.

Google on Tuesday slammed the proposals as “broad and unfocused” and said they could threaten the UK’s access to its latest products and services.

Oliver Bethell, Google’s senior director for competition, warned that “punitive regulations” could change how quickly Google launches new products in the UK.

“Proportionate, evidence-based regulation will be essential to preventing the CMA’s road map from becoming a roadblock to growth in the UK,” he added.

Bethell’s warning of the potential impact of any regulations on the wider UK economy comes after the government explicitly mandated the CMA to focus on supporting growth and investment while minimizing uncertainty for businesses.

Google said last year that it planned to invest $1 billion in a huge new data center just outside London.

The CMA’s probe comes after Google lost a pair of historic US antitrust cases over its dominance of search and its lucrative advertising business.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend