The Google Threat Intelligence Group (GTIG) has explained what happened on Google's blog. It worked with Citizen Lab, which is known for its investigative reports, to probe the incident.

GITG had observed that hackers had crafted a sophisticated, personal, social engineering attack to target Keir Giles, a prominent British researcher on Russia. Google's team has labeled the threat actor as UNC6293, a likely Russia state-sponsored cyber actor, and links them with low confidence to APT29 / ICECAP (also called Cozy Bear), which has ties to Russia's Foreign Intelligence Service (SVR).

We have seen phishing attacks that involved messaging apps, and mercenary spyware such as Pegasus, but these hackers used a new technique. They had taken precautions to prevent Mr. Giles from getting suspicious. On May 22, 2025, the attackers impersonated a U.S. State Department official, "Claudie S. Weber", in an email that invited Mr. Giles for a private online consultation to discuss something in his field of expertise. The hacker simply used a Gmail address, but had CC-ed 4 @state.gov email addresses, likely to pose as a legitimate sender, and they had sent the email during Washington D.C. working hours too. In reality, the .gov addresses likely do not exist. Citizen Lab says that the language and grammar seems to suggest that the hackers had used a large language model or some similar AI tools to craft the emails.

Mr. Giles replied that the date may not work for him, to which the attacker replied inviting him to register for an account the State Department’s “MS DoS Guest Tenant” platform, where he would be able to attend future meetings with ease, wherever they take place. About 10 email exchanges later, the hacker sent the victim a PDF file with details on how to register for the said account. The PDF in question was carefully crafted to look like an official document and contained markings, revision history.

This is where the mystery unfolded, as the PDF contained instructions to create an app-specific password for his Gmail account. Google says that this threat actor had targeted prominent academics and critics of Russia from early April to June 2025, building rapport, luring them to set up app specific passwords (ASPs), which they then exploit to gain persistent access to the victim's mailbox. Unfortunately, Mr. Giles was tricked by the patient, clever hackers, into creating ASPs for his accounts.

Google says it identified the attack and managed to lock down the impacted accounts, while blocking the attacker's emails. This is when Mr. Giles had discovered that a suspicious login attempt had been made in early June. An extensive report of the incident has been published by the security researches at Citizen Lab.

GITG says there was a similar-crafted attack that involved a campaign with a Ukrainian theme and a Microsoft ASP, where the attackers directed the target to share the app specific password with them, to set up a mail client and spy on their email correspondence.

This is a rare case scenario in which attackers targeted a person of interest. I'm not saying this won't happen to us commoners, but the fact that app specific passwords were used to hack the account is concerning. Just be careful which app you're signing in to using ASPs, or avoid them altogether and use OAuth to sign in to apps with your Google account, or Apple's, etc. In case you fear being state sponsored attacks, you can enable Lockdown Mode on your iPhone, or Advanced Protection Mode on Android.

While we are on the topic of security, there are reports circling around which state that 16 Billion passwords were exposed in a data breach, and that this data includes user credentials for Google, Facebook, Apple, etc. Bleeping Computer says this wasn't a breach at all, rather this is just a dataset, i.e. a collection of previous data breaches.

Google recently advised users to stop using passwords in favor of passkeys, and social sign-ins. I think this story provides some better context to its recommendation.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

During the February 2025 incident, Salt Typhoon exploited the CVE-2023-20198 flaw, a critical Cisco IOS XE vulnerability allowing remote, unauthenticated attackers to create arbitrary accounts and gain admin-level privileges.

The flaw was first disclosed in October 2023, when it was reported that threat actors had exploited it as a zero-day to hack over 10,000 devices.

Despite a significant period having passed, at least one major telecommunications provider in Canada still hadn't patched, giving Salt Typhoon an easy way to compromise devices.

"Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025," reads the bulletin.

"The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network."

In October 2024, following Salt Typhoon breaches on multiple American broadband providers, the Canadian authorities flagged reconnaissance activity that targeted dozens of key organizations in the country.

No actual breaches were confirmed at the time, and despite the calls to elevate security, some critical service providers didn't take the required action.

The Cyber Centre notes that, based on separate investigations and crowd-sourced intelligence, activity likely tied to Salt Typhoon extends beyond the telecommunications sector, targeting multiple other industries.

In many cases, the activity is limited to reconnaissance, though the data stolen from internal networks can be used for lateral movement or supply chain attacks.

The Cyber Centre warned that the attacks against Canadian organizations "will almost certainly continue" over the next two years, urging critical organizations to protect their networks.

Telecommunication service providers who handle valuable data, such as call metadata, subscriber location data, SMS contents, and government/political communications, are prime targets for state-sponsored espionage groups.

Their attacks typically target edge devices at the network perimeter, routers, firewalls, and VPN appliances, while MSPs and cloud vendors are also targeted for indirect attacks on their customers.

The Cyber Centre's bulletin lists resources providing edge device hardening instructions for critical infrastructure operators.

Salt Typhoon attacks have impacted multiple telecom companies in dozens of countries, including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream.

Last week, Viasat also confirmed that Salt Typhoon had breached them, but customer data was not impacted.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

DDoS attacks flood targets with massive amounts of traffic with the sole aim to overwhelm servers and create service slowdowns, disruptions, or outages.

This new attack, which is 12% larger than the previous record, delivered a massive data volume of 37.4 TB in just 45 seconds. This is the equivalent of about 7,500 hours of HD streaming or 12,500,000 jpeg photos.

Cloudflare, a web infrastructure and cybersecurity giant specializing in DDoS mitigation, offers a network-layer protection service called 'Magic Transit,' which was used by the targeted customer.

The attack came from 122,145 source IP addresses spread across 161 countries, with the majority based in Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine.

The "garbage" data packages were delivered across multiple destination ports on the victim's system, averaging 21,925 ports per second and peaking at 34,517 ports/second.

This tactic of scattering traffic helps overwhelm firewall or intrusion detection systems, but Cloudflare claims to have ultimately been able to mitigate the attack without human intervention.

Cloudflare's anycast network dispersed attack traffic to 477 data centers in 293 locations, leveraging key technologies such as real-time fingerprinting and intra-data center gossiping for real-time intelligence sharing and automated rule compilation.

Though nearly the entire attack volume came from UDP floods, accounting for 99.996% of the total traffic, there were multiple other vectors involved, including:

• QOTD reflection
• Echo reflection
• NTP amplification
• Mirai botnet UDP flood
• Portmap flood
• RIPv1 amplification

Each vector exploited legacy or poorly configured services. While this was only a tiny percentage of the attack, it served as part of the attackers' evasion and effectiveness strategy and could also help probe for weaknesses and misconfigurations.

Cloudflare says valuable IoCs from this attack were timely included in its DDoS Botnet Threat Feed, a free service that helps organizations block malicious IP addresses preemptively.

Over 600 organizations have subscribed to this feed, and the internet giant calls any others at risk of massive DDoS attacks to do the same and block the attacks before they reach their infrastructure.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Major platforms were recently hit by what cybersecurity experts are calling "the largest data breach." The Cybernews research team uncovered a whopping 16 billion leaked login credentials, including passwords to Facebook, Google, and Apple accounts buried under massive datasets (via Forbes).

The number of cybersecurity threats threatening the safety and privacy of your confidential data is on the rise, with bad actors leveraging sophisticated tools like generative AI to deploy their deceptive ploys.

Now, Cybernews has been looking into this issue since the beginning of the year, discovering "30 exposed datasets containing from tens of millions to over 3.5 billion records each."

Perhaps more concerning, none of the exposed datasets had been previously reported, further elaborating the magnitude of the data breach. However, there might be an exception for the 184 million record “mysterious database” uncovered by security researchers, as reported by WIRED.

According to the research team:

"This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing."

"What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale."

A new report from POLITICO confirms that Meta, which owns the messaging service, has informed Ireland's privacy regulator that the new advertising model will not roll out in the European Union for quite some time, even as it appears elsewhere in the coming months. This is not some charitable act, of course. The delay gives European regulators time to scrutinize the plan, which involves using ad preferences from linked Facebook and Instagram accounts to target users.

This situation follows a pattern of other "wins" for EU users, like the changes in iOS 17.4 that finally enabled sideloading. This opened the door for alternative app stores and the (temporary) return of games like Fortnite to iPhones in the region. Similarly, we are seeing Microsoft finally back off from shoving Edge down the throats of EU users, all thanks to the Digital Markets Act. This legislation has put pressure on big tech companies to operate more "fairly" within the bloc, leading to changes that users everywhere else can only dream of for now.

These regulations are precisely what companies like Apple hate. Remember, Apple has issued a warning to Australia, telling the country not to follow Europe's lead on these matters because it would create massive security and privacy risks. Apple argues that its control over the ecosystem keeps users safe, so any attempt to break that open is dangerous.

The Irish Data Protection Commission will be meeting with WhatsApp to discuss the matter further. According to Commissioner Des Hogan, they plan to discuss the ad model with other European data protection authorities to gather any collective concerns.

Commissioner Dale Sunderland noted that discussions with the company are "still early days", and it is too soon to identify what, if any, specific "red line issues" might exist with Meta's advertising plans. For now, Europeans can continue using their ad-free messenger, while the rest of the world prepares for the inevitable.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

DuckDuckGo is a privacy-focused web browser and search engine that doesn't track users' searchers or browsing history.

The browser, which became available as a public beta for macOS and Windows in October 2022 and June 2023, respectively, blocks all trackers by default, does not engage in personalized search profiling, and offers powerful anonymity tools.

Scam Blocker has been a component of the browser's privacy toolkit since its launch in 2018, protecting users attempting to visit known malware distribution and phishing URLs.

As part of the latest update, in addition to blocking phishing sites and malware, Scam Blocker now also detect and block the following:

• Fake e-commerce stores
• Scam investment and crypto trading sites
• Survey scams with false cash rewards
• Scareware (fake virus alerts prompting bogus tech support)
• Malvertising (malicious tracker-powered ads)

When the user attempts to load a webpage, the tool scans the URLs locally against a continually updated (every 20 minutes) threat list supplied by cybersecurity firm Netcraft.

Rare or unknown threats are checked against DuckDuckGo servers using an anonymous cryptographic process, ensuring that this process doesn't compromise user privacy.

When a scam site is detected, users are served a prominent warning message giving them the option to leave or ignore it and proceed to the risky site.

DuckDuckGo notes that, unlike Chrome, Safari, or Firefox, which rely on Google Safe Browsing and hence share data with Google, Scam Blocker offers privacy-first protection with no external data sharing.

Scam Blocker is activated in the browser by default and requires no account to work effectively.

Privacy Pro subscribers get a significant perk, as Scam Blocker will work across any internet apps on their devices when the DuckDuckGo VPN is active, covering other browsers as well.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

DENVER—Most smart TV operating system (OS) owners are in the ad sales business now. Software providers for budget and premium TVs are honing their ad skills, which requires advancing their ability to collect user data. This is creating an “inherent conflict” within the industry, Takashi Nakano, VP of content and programming at Samsung TV Plus, said at the StreamTV Show in Denver last week.

During a panel at StreamTV Insider’s conference entitled “CTV OS Leader Roundtable: From Drivers to Engagement and Content Strategy,” Nakano acknowledged the opposing needs of advertisers and smart TV users, who are calling for a reasonable amount of data privacy.

“Do you want your data sold out there and everyone to know exactly what you’ve been watching … the answer is generally no,” the Samsung executive said. “Yet, advertisers want all of this data. They wanna know exactly what you ate for breakfast."

Nakano also suggested that the owners of OSes targeting smart TVs and other streaming hardware, like streaming sticks, are inundated with user data that may not actually be that useful or imperative to collect:

I think that there's inherent conflict in the ad ecosystem supplying so much data. … We're fortunate to have all that data, but we're also like, ‘Do we really want to give it all, and hand it all out?’ There's a constant conflict around that, right? So how do we create an ecosystem where we can serve ads that are pretty good? Maybe it's not perfect ...

Today, connected TV (CTV) OSes are largely built around not just gathering user data, but also creating ways to collect new types of information about viewers in order to deliver more relevant, impactful ads. LG, for example, recently announced that its smart TV OS, webOS, will use a new AI model that informs ad placement based on viewers’ emotions and personal beliefs.

However, at a certain point, OS operators may be gathering more data than is truly helpful, which crosses viewers’ boundaries. Nakano said:

I think we have to get comfortable between the advertiser, the operating system, and the systems in between to create more efficiencies. Because I do think it’s broken. I do think that there's so many different hops that these requests go through that aren't likely necessary and that they're a byproduct of inefficiencies that we try to patch.

The executive added that he thinks the industry needs to "look at our ad ecosystem holistically and say, 'Okay, how can we make this work?'" because knowing everything about a particular streaming user is "not realistic."

Spotlight on software

The ability for streaming OSes to generate revenue is increasingly important to TV and streaming hardware makers such as Samsung, Amazon, LG, Roku, Vizio, and Walmart, which struggle with low margins and growing unit sales and seek more reliable growth from software’s ability to advertise to and track users.

In a forecast shared this month, WPP Media (formerly GroupM) predicted that streaming TV will represent about 27 percent of TV advertising revenue in 2025 at $41.8 billion. The world’s biggest media investment firm expects streaming ad revenue to reach $71.9 billion by 2030. In January, research firm eMarketer predicted that CTV display ad spend would reach $33.35 billion this year and show double-digit annual growth rates to reach $46.89 billion in 2028. That gives OS operators a strong incentive to build software that can extract useful data from viewers and determine the types of ads that viewers will pay attention to.

However, viewers aren’t demonstrating as much focus on the software of their streaming hardware. TV brands that Ars has spoken with have frequently pointed to picture quality and price as the top considerations for users. During the StreamTV Show panel, Nakano pointed to brand and picture quality as the top factors for people. He noted, however, that those “who buy Samsung TVs generally use the operating system, and that's how they navigate through the UI.”

Katherine Pond, Vizio’s group VP of platform content and partnerships, noted during the panel that once someone buys a TV, OS operators are “not really in competition anymore.” However, OEMs still try to ensure that customers use their OSes, so that viewers are engaged for ads and potentially buy more devices from that brand.

“You have to create a fitting, and you create a fitting by getting people into content that they love as soon as they can, or helping with discovery [and] helping search,” Jennifer Vaux, VP of content acquisition and programming at Roku Media, said during the panel.

As TVs progress toward a battle of data, ads, and tracking over hardware sales and panel advancements, TV brands are largely invested in driving OSes that can serve advertisers’ needs. But there’s also a demand for navigable OSes that help users maximize their TV’s usage and find content they’ll enjoy. Here, we see another conflict facing TV OS owners. However, without ensuring that TV OSes serve users as well as they serve corporations, viewers are likely to replace their hardware’s software with slicker alternatives, like an Apple TV box.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The first flaw (tracked as CVE-2025-6018) was found in the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing local attackers to gain the privileges of the "allow_active" user.

The other security bug (CVE-2025-6019) was discovered in libblockdev, and it enables an "allow_active" user to gain root permissions via the udisks daemon (a storage management service that runs by default on most Linux distributions).

While successfully abusing the two flaws as part of a "local-to-root" chain exploit can let attackers quickly gain root and completely take over a SUSE system, the libblockdev/udisks flaw is also extremely dangerous on its own.

"Although it nominally requires 'allow_active' privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable," said Qualys TRU senior manager Saeed Abbasi.

"Techniques to gain 'allow_active,' including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort."

The Qualys Threat Research Unit (TRU), which discovered and reported both flaws, has also developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems.

Admins urged to patch immediately

The Qualys Security Advisory team has shared more technical details regarding these two vulnerabilities here and linked to security patches in this Openwall post.

"Root access enables agent tampering, persistence, and lateral movement, so one unpatched server endangers the whole fleet. Patch both PAM and libblockdev/udisks everywhere to eliminate this path," Abbasi added.

"Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay."

In recent years, Qualys researchers have discovered several other Linux security vulnerabilities that let attackers hijack unpatched Linux systems, even in default configurations.

Security flaws they discovered include a flaw in Polkit's pkexec component (dubbed PwnKit), one in glibc's ld.so dynamic loader (Looney Tunables), another in the Kernel's filesystem layer (dubbed Sequoia), and one in the Sudo Unix program (aka Baron Samedit).

Shortly after the Looney Tunables flaw was disclosed, proof-of-concept (PoC) exploits were released online. One month later, attackers began exploiting it to steal cloud service provider (CSP) credentials using Kinsing malware.

Qualys also recently found five LPE vulnerabilities introduced over 10 years ago in the needrestart utility used by default in Ubuntu Linux 21.04 and later.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Google is on a bit of a crusade against ad blockers. Last week, the tech giant started showing warning messages stating, “Ad blockers are not allowed on YouTube.”

Another prompt stating "Ad blockers violate YouTube’s terms of service" will also appear in some cases if you try to block ads while watching YouTube videos.

Now, it appears that YouTube is throttling videos and slowing down the user experience if an ad blocker is enabled.

A user on the Brave browser forum shared the following:

"Hi, been using brave to block YouTube ads and it’s technically working but most videos will be black screen for the length of an ad or two with YouTube saying “experiencing interruptions” on the bottom left corner, and one of the possible reasons being ad blockers from what it is saying, is there anything I can do."

Some users have been prevented from viewing videos altogether unless ad blockers are disabled.

The push appears to be part of an effort to convince users to subscribe to YouTube Premium, which removes ads but costs $14 per month.

Apart from ads in Statuses, Meta is also letting people pay to promote their Channels. This means businesses and creators can pay to get their broadcast channels discovered by more users. A few will even be able to charge for subscriptions to their channels for exclusive content. The company says it will not take a fee from these subscriptions at first, but that is probably not going to last forever. Meta is a business, after all, not a charity.

Meta has tried to calm everyone down by saying your personal chats and calls will remain encrypted and untouched. The company claims it only uses general information like your country and language, plus the channels you follow, to figure out which ads to show you. However, if you have linked your WhatsApp to Meta's Account Center, then your ad preferences from Facebook and Instagram will follow you.

This entire plan certainly excited Wall Street. After the news broke, Meta's stock climbed 2.8% in pre-market trading, as investors salivated over the prospect of finally monetizing WhatsApp's 2 billion+ users.

Ads in messaging apps are not new at all. Take Telegram, for example. The app shows sponsored messages in large public channels, but it also gives users a way out. For a monthly fee, you can get Telegram Premium, and all those ads disappear (plus a bunch of advanced paid features). Maybe, in the future, WhatsApp will offer a similar premium service for people willing to pay to escape the ads.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Google is seemingly ramping up its campaign against ad blockers on YouTube. Over the past few years, it's become increasingly annoying to watch content on the social video sharing platform, as many videos are rife with multiple unskippable ads.

Last week, reports emerged about Google preventing playback on YouTube videos for users with ad-blockers installed on their devices. “Ad blockers violate YouTube’s terms of service,” added Google.

Google's aggressive campaign against ad-blockers in YouTube has now taken a turn for the worse, after reigning down on the remaining few loopholes in browsers and third-party extensions that allowed users to enjoy ad-free videos without necessarily getting the $14/month YouTube Premium subscription.

Users have flagged a new issue, indicating that Google is intentionally slowing down YouTube videos for users with ad-blockers installed on their devices (via PCWorld). According to a user on the Brave browser forum:

"Hi, been using brave to block YouTube ads and it’s technically working but most videos will be black screen for the length of an ad or two with YouTube saying “experiencing interruptions” on the bottom left corner, and one of the possible reasons being ad blockers from what it is saying, is there anything I can do."

Some users have even indicated that they received a three-video countdown asking them to disable their ad-blockers or get blocked from watching YouTube videos. Failure to disable the third-party software resulted in users being barred from watching videos until they updated and restarted their browsers. Users have shared accounts of experiencing a 5 to 10 second pause on every video with an "Experiencing interruptions? Find out why" popup.

YouTube users with ad-blockers installed on their devices are redirected to a technical support page by Google that directs them on how to troubleshoot YouTube video errors:

Reddit is launching a new feature for advertisers that slots positive posts from Reddit users right under their ads.

The new alpha feature, called Conversation Summary Add-ons, “dynamically integrates positive content from Reddit users directly below an advertiser’s creative, putting community conversations front-and-center in the user experience and blending AI-driven efficiency with real human perspectives,” according to a post from Reddit.

As shown by Reddit, you’ll be able to scroll through the posts that appear under an ad. You’ll also see a short summary of what Reddit users are saying about the advertiser. Jackbox Games and Lucid are alpha testers of the feature.

GIF: Reddit

Powering this new feature is an “engine” Reddit calls Reddit Community Intelligence. According to the company, Reddit Community Intelligence can turn the platform’s more than 22 billion posts and comments “into structured intelligence for smarter marketing decisions.”

As part of today’s announcements, which Reddit is making alongside the Cannes Lions festival, the company is also introducing a “scalable, AI-powered social listening tool” called Reddit Insights. “Informed by proprietary metadata, it provides precise, real-time insights that help marketers confidently plan campaigns, validate creative ideas, and make smarter business decisions,” Reddit says.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10.

It could be exploited to bypass authorization and affects the AsIO3.sys of the Armoury Crate system management software.

Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates.

To perform all these functions and provide low-level system monitoring, the software suite uses the kernel driver to access and control hardware features.

Cisco Talos' researcher Marcin "Icewall" Noga reported CVE-2025-3464 to the tech company.

According to a Talos advisory, the issue lies in the driver verifying callers based on a hardcoded SHA-256 hash of AsusCertService.exe and a PID allowlist, instead of using proper OS-level access controls.

Exploiting the flaw involves creating a hard link from a benign test app to a fake executable. The attacker launches the app, pauses it, and then swaps the hard link to point to AsusCertService.exe. 

When the driver checks the file's SHA-256 hash, it reads the now-linked trusted binary, allowing the test app to bypass authorization and gain access to the driver.

This grants the attacker low-level system privileges, giving them direct access to physical memory, I/O ports, and model-specific registers (MSRs), opening the path to full OS compromise.

It is important to note that the attacker must already be on the system (malware infection, phishing, compromised unprivileged account) to exploit CVE-2025-3464.

However, the extensive deployment of the software on computers worldwide may represent an attack surface large enough for exploitation to become attractive.

Cisco Talos validated that CVE-2025-3464 impacts Armoury Crate version 5.9.13.0, but ASUS' bulletin notes that the flaw impacts all versions between 5.9.9.0 and 6.1.18.0.

To mitigate the security problem, it is recommended to apply the latest update by opening the Armoury Crate app and going to "Settings"> "Update Center"> "Check for Updates"> "Update."

Cisco reported the flaw to ASUS in February but no exploitation in the wild has been observed so far. However, "ASUS strongly recommends that users update their Armoury Crate installation to the latest version."

Windows kernel driver bugs that lead to local privilege escalation are popular among hackers, including ransomware actors, malware operations, and threats to government agencies.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The fact that a Microsoft work email account was potentially hacked strongly suggests The Washington Post utilizes Microsoft 365, which makes us question the security of Microsoft’s widely used enterprise services. Given that Microsoft 365 is very popular, it is a hot target for attackers.

Microsoft's enterprise security offerings and challenges

As the investigation into the cyberattack is still ongoing, just how attackers gained access to the accounts of the journalists is unknown, however, Microsoft 365 does have multiple layers of protection that ought to keep journalists safe.

One of the security tools is Microsoft Defender for Office 365. If the hackers tried to gain access with malicious links, Defender provides protection against any malicious attachments, links, or email-based phishing attempts with the Advanced Threat Protection feature. Defender also helps to protect against malware that could be used to target journalists at The Washington Post.

Another security measure in place is Entra ID which helps enterprises defend against identity-based attacks. Some key features of Entra ID include multi-factor authentication which protects accounts even if a password is compromised, and there are granular access policies that help to limit logins from outside certain locations, unknown devices, or limit which apps can be used.

While Microsoft does offer plenty of security technologies with M365, hacks can still take place due to misconfiguration, user-error, or through the exploitation of zero-day vulnerabilities. Essentially, it requires efforts from both Microsoft and the customer to maintain security.

Lessons for organizations using Microsoft 365

The incident over at The Washington Post serves as a stark reminder that all organizations, not just news organizations, should audit and strengthen their security setups. Some of the most important security measures you can put in place include mandatory multi-factor authentication (MFA) for all users, especially for privileged accounts; strong password rules such as using letters, numbers, and symbols; regular security awareness training; and installing any security updates in a timely manner.

Many of the cyberattacks that we learn about from companies like Microsoft involve hackers taking advantage of the human in the equation, such as being tricked into sharing passwords or sharing sensitive information due to trickery on behalf of the hackers. This highlights that employee training is crucial in protecting systems and that Microsoft’s technologies, as advanced as they are, can’t mitigate all attacks 100 percent of the time.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The incident was discovered on Thursday evening and the publication started an investigation. On Sunday, June 15, an internal memo was sent to employees, informing them of a “possible targeted unauthorized intrusion into their email system.”

According to The Wall Street Journal, the memo was signed by Executive Editor Matt Murray and informed that Microsoft accounts of a limited number of journalists were affected.

Owned by Amazon founder Jeff Bezos, The Washington Post is one of the most influential newspaper publications in the United States.

Internal sources told The Wall Street Journal that the attack targeted journalists writing on national security and economic policy topics, as well as some who write about China.

Advanced persistent threats (APTs), or state-sponsored actors, often target email systems like Microsoft Exchange. Two years ago, Chinese hackers leveraged insecure Exchange endpoints to breach email accounts of two dozen government agencies globally, accessing extremely sensitive and confidential data.

But Chinese threat groups have a long history of exploiting Exchange vulnerabilities in highly organized campaigns. They targeted U.S. government agencies in 2020, and multiple NATO members in 2021.

Last year, Microsoft warned that hackers were exploiting a critical privilege elevation bug in Exchange as a zero-day to perform NTLM relay attacks.

ESET cybersecurity company also discovered in 2021 multiple Chinese threat groups, including APT27, Bronze Butler, and Calypso, exploiting zero-day vulnerabilities in Microsoft Exchange.

Washington Post has not shared publicly any details about the attack.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Tracked under ID "CVE-2025-2884" (AMD is tracking it as "AMD-SB-4011"), the vulnerability allows an attacker to exploit the vulnerability by sending malicious commands to read data stored in the TPM via an information disclosure flaw or potentially impact TPM availability on systems through a denial of service attack. This is a type of out-of-bound read security flaw.

The TCG notes that the flaw occurs in the CryptHmacSign function due to improper validation of a message digest or hash via the hash-based message authentication code (HMAC) signature scheme, leading to an out-of-bounds situation. TCG explains in its VRT0009 advisory:

The reference code did not implement appropriate consistency check in CryptHmacSign() resulting in potential out-of-bound read. The out-of-bound read occurs on the buffer passed to the ExecuteCommand() entry point. CVE-2025-2884 may allow an attacker to read up to 65535 bytes past the end of that buffer.

The Common Vulnerability Scoring System (CVSS) score of the flaw is 6.6 indicating a medium level of severity. This is typically the case for most local-level attacks as in order to exploit such a flaw, the threat actor must have physical access to a device. Regardless, AMD has issued firmware to patch the vulnerability on Ryzen 7000, 8000 (Zen 4) and Ryzen 9000 (Zen 5) parts.

AMD has confirmed that AGESA (AMD Generic Encapsulated Software Architecture) firmware Combo PI (Platform Initialization) 1.2.0.3e mitigates the flaw. The company notes that the said firmware fixes "ASP fTPM + Pluton TPM" issue. If you are wondering, ASP refers to AMD Secure Processor which is "a dedicated hardware component embedded in every system-on-a-chip."

AMD's motherboard vendor partners like Asus and MSI have already begun rolling out the firmware update. MSI has a blog post about the 1.2.0.3e Combo PI as it mentions several new upcoming features including support for new CPUs, better memory compatibility, and more. MSI writes:

This update not only adds support for upcoming new CPU, but also enables all AM5 motherboards to support large-capacity 64GBx4 DRAM chips. .... Even with four 64GB DRAM fully installed, the system can still achieve a stable overclocking speed of 6000MT/s, and even up to 6400MT/s.

 

In addition, this update optimizes 2DPC 1R capability and includes overclocking enhancements specifically for Samsung's 4Gx8 chips.

Interestingly, Asus notes that this firmware update is irreversible as it is a major release. Thus one would hope that it is a very stable release and given that this is the "e" stepping of the firmware, there are pretty good chances of that.

Other vendors like Gigabyte and ASRock are yet to release their updates.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The company operates around 1,380 retail stores in nearly 70 countries and has reported net sales of $1.353 billion for the first quarter of 2025, with a forecasted net sales range of up to $6.3 billion for the year.

In a Thursday filing with the U.S. Securities and Exchange Commission, the company disclosed that all restored critical systems are now fully operational and that it's working with external experts to assess the cyberattack's impact.

It also believes the incident will likely have no material impact on its yearly fiscal results, even though it may continue to incur expenses related to the attack.

"We immediately enacted our response protocols to contain and eradicate unauthorized network access, and third-party experts were engaged. All critical systems are restored and fully operational," Victoria's Secret said.

"We continue to assess the full scope and impact of the incident. This incident has not caused a material disruption to our operations to date and we do not believe it will have a material impact to our fiscal year 2025."

Quarterly earnings release delayed

As the company revealed after disclosing the incident last month, it was forced to take down corporate systems, some in-store services, and the e-commerce website as a precaution on May 26.

A Victoria's Secret spokesperson told BleepingComputer that the fashion retail giant was working to restore operations and had hired external experts to investigate the breach.

In a June 3 press release, Victoria's Secret added that it had to postpone releasing financial results for the first quarter because systems needed during this process were unreachable after the attack.

"The restoration process has prevented employees from accessing certain systems and information needed to support the Company's release of its financial results for the first quarter ended May 3, 2025," it stated. "As a result, the Company is postponing the date of its previously announced first quarter 2025 earnings release and earnings call webcast."

Victoria's Secret didn't reply to an email from BleepingComputer requesting more details on the nature of the incident, and no ransomware operations have claimed responsibility for the attack since then.

This security incident follows a series of attacks targeting other fashion companies in recent weeks, including French luxury fashion brands Cartier and Dior. German sportswear giant Adidas was also breached last month, with the threat actors stealing some of its customers' data after hacking into a customer service provider's systems.

Starting in April, a campaign linked to Scattered Spider threat actors and the DragonForce ransomware gang has also targeted multiple retailers across the United Kingdom, including Marks & Spencer, Co-op, and Harrods.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The flaw affects nearly every system that trusts Microsoft's "UEFI CA 2011" certificate, which is pretty much all hardware that supports Secure Boot.

Binarly researcher Alex Matrosov discovered the CVE-2025-3052 flaw after finding a BIOS-flashing utility signed with Microsoft's UEFI signing certificate.

The utility was originally designed for rugged tablets but as it was signed with Microsoft's UEFI certificate, it can run on any Secure Boot-enabled system.

Further investigations discovered that the vulnerable module had been circulating in the wild since at least late 2022 and later uploaded to VirusTotal in 2024, where Binarly spotted it.

Binarly disclosed the flaw to CERT/CC on February 26, 2025, with CVE-2025-3052 being mitigated today as part of the Microsoft June 2025 Patch Tuesday.

However, during this process, Microsoft determined that the flaw impacted 13 other modules, which were added to the revocation database.

"During the triage process, Microsoft determined that the issue did not aect just a single module as initially believed, but actually 14 dierent modules," explains Binarly.

"For this reason, the updated dbx released during the Patch Tuesday on June 10, 2025 contains 14 new hashes."

The Secure Boot bypass

The flaw is caused by a legitimate BIOS update utility signed with Microsoft's UEFI CA 2011 certificate, which is trusted on most modern systems utilizing UEFI firmware.

This utility reads a user-writable NVRAM variable (IhisiParamBuffer) without validating it. If an attacker has admin rights to an operating system, they can modify this variable so arbitrary data is written to memory locations during the UEFI boot process. This is done before the operating system, or even the kernel, is loaded.

Using this vulnerability, Binarly created a proof-of-concept exploit to zero out the 'gSecurity2' global variable, which is used to enforce Secure Boot.

"For our proof of concept (PoC), we chose to overwrite the global variable gSecurity2," explains the Binarly report.

"This variable holds a pointer to the Security2 Architectural Protocol, which the LoadImage function uses to enforce Secure Boot. By setting it to zero, we eectively disable Secure Boot, allowing the execution of any unsigned UEFI modules."

Once disabled, attackers can install bootkit malware that can hide from the operating system and turn off further security features.

To fix CVE-2025-3052, Microsoft has added the affected module hashes to the Secure Boot dbx revocation list. Binarly and Microsoft urge users to install the updated dbx file immediately through today's security updates to protect their devices.

Also today, another Secure Boot bypass affecting UEFI-compatible firmware based on Insyde H2O was disclosed by Nikolaj Schlej. The flaw, dubbed Hydroph0bia and tracked as CVE-2025-4275, was reported to Insyde and patched 90 days after disclosure.

Binarly has shared a video demonstrating how their PoC can disable Secure Boot and cause a message to display before the operating system boots.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The message reads "Ad blockers violate YouTube's Terms of Service", followed by three reasons why video playback may not be working and why ads are great. Also, why YouTube Premium is an option for users who want to go ad-free (not YouTube Premium Lite, which requires payment but still shows you ads, and soon even more ads).

The prompt, displayed on top of the video page itself, offers several options. The two core buttons -- allow YouTube ads and Try YouTube Premium -- are the solutions that Google suggests. The first has users disable their content blocker on YouTube. Means, ads will play, but so will the videos. The second is a monthly subscription option to get rid of advertisement on YouTube without using an ad blocker.

There is also an option to "report an issue", which may be useful if you get the message without using an ad blocker. Some users may also get an option to close the prompt using an x-button displayed in the top right corner. It is possible that this option is limited and going away after some time.

I received the prompt (in German) when I used Brave Browser to watch a video on YouTube. Notice the x-icon in the top right corner.

I did not get the warning prompt in Edge or Firefox with uBlock Origin installed. Google is likely showing the prompt to a low percentage of YouTube users who use ad blockers.

When I turned on a VPN and opened YouTube in Incognito Mode, I got the same prompt in English.

What you can do about it immediately

Here are a few suggestions that may help you deal with the issue without subscribing to YouTube Premium or turning off your ad blocker on YouTube.

• Try the browser's private browsing mode. Sometimes, this is enough to get the ball rolling again. Downside is that you are not signed in to your account in that mode by default.
• Try a different browser. I did not get the prompt in any of the other browsers that I tried.
• Update the content blocker or filter list of the content blocker.
• Some content blockers are better than others, try uBlock Origin.

Good content blockers may receive updates quickly that deal with the modified anti-ad-blocking prompt when you open YouTube. It is a cat and mouse game that seemingly never ends.

Now You: do you use YouTube? If so, have you encountered such a prompt before? Feel free to leave a comment down below.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

A future update for Microsoft Edge will allow the browser to use AI to look through your browser history. The feature will make it possible to find sites you have visited even if you can't remember the exact URL, site name, or have a typo in your search query. It is also a feature many may want to disable right away.

It's important to note that AI-powered History search uses an on-device model. It's trained using your data, but that data never leaves your device and isn't sent to Microsoft. But some are leery of AI.

Windows Recall, which passively captures screen activity, also keeps your data on your device and runs locally, but the feature has drawn criticism since its initial announcement. Microsoft had to delay Recall and add several security features in response to questions and concerns.

The new AI-powered History search could run into similar skepticism from users. Luckily, just like Recall, the new browser feature can be disabled. Admins can also control the feature through a policy.

AI-powered History search is in testing in Microsoft Edge version 138.0.3351.14, which is now in testing among Edge Beta.

That same update adds a media control center similar to the one found in Google Chrome. Microsoft outlines the changes in a set of release notes.

Feature Updates

• Use Primary work profile as default profile to open external links. Microsoft Edge currently opens external links using the “Last Used” profile by default. While for enterprise users, the Primary Work Profile (signed in with a Microsoft Entra ID for enrolling the device) is normally the best profile for opening external links. With this feature, for Windows, Edge will check if it the Primary Work Profile exists and make it the default profile for opening external links if available. For Mac and Linux, if only one work profile signed in with a Microsoft Entra ID account is found, it’s treated as the Primary Work Profile. Admins can control availability to this feature using the EdgeOpenExternalLinksWithPrimaryWorkProfileEnabled policy. Note: This is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.
• Media control center. With media control center in Microsoft Edge, users can easily manage and control multiple media sources from any website, all in one place. Quickly access videos in picture-in-picture mode, cast media to other devices, and control music, video, or any other sounds playing in Edge. Simply click on the media control center icon, depicted as a music note icon, found to the right of the address bar when media with sounds are playing to get started.
• New Autofill Personal Information Settings Configuration. A web form field collection consent toggle will be available in Autofill settings (edge://settings/autofill/personalInfo). This will allow users to consent to Microsoft Edge collecting web form field labels (e.g., "First Name," "Email") to improve Autofill suggestion accuracy. Only field labels are collected and not user-entered data. The web field labels are stored securely per Microsoft's privacy standards.
• This new setting is manageable via existing policies in Autofill e.g., AutofillAddressEnabled, EdgeAutofillMlEnabled. AutofillAddressEnabled is the parent setting for EdgeAutofillMlEnabled. The EdgeAutofillMlEnabled policy is the parent of this new setting, thus turning off the EdgeAutofillMlEnabled policy will turn off this setting. Note: This feature is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.
• AI-powered History search. Enhanced search finds sites in your History even when you use a synonym, phrase, or typo. After this feature is turned on, sites you visit will be shown in enhanced history search results. An on-device model is trained using your data, which never leaves your device and is never sent to Microsoft. Admins can control availability to this feature using the EdgeHistoryAISearchEnabled policy. Note: This is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.
• Adding support for viewing Sensitivity labels applied to a Microsoft Information Protection (MIP) Protected PDF. Enterprise customers can view sensitivity labels applied to MIP protected PDF to be well informed of the data classification to enable them to handle such sensitive documents. This change is available in the new Microsoft Edge built-in PDF reader. Note: This is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.
• Microsoft 365 Copilot Chat Summarization in Microsoft Edge Context Menu. Microsoft Edge is introducing a Microsoft 365 Copilot Chat summarization menu item to our context menu. This feature will help users quickly unpack and ask questions about their open page. Note: This feature is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.
• Improvements to surfacing performance notifications. Microsoft Edge is making improvements to how users can learn about and improve their browser's responsiveness. Performance and Extensions Detector notifications may appear in the Settings and more menu when Edge's performance slows. Note: This feature is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.

Running AI locally

As Copilot+ PCs with dedicated Neural Processing Units (NPUs) become common, you should expect to see more AI features that run locally. There are also some AI features that can run on-device even if a PC lacks an NPU.

ISPs may sell DNS data, they may offer services that do not offer good performance, or they may block access to certain content.

Public DNS servers promise to do better. There are plenty out there, and while many promise better performance, they too may be used to collect and sell data, or use data otherwise.

DNS4EU

DNS4EU is a new DNS resolver that has been co-funded by the European Union. It is privacy-compliant. The IP address of the user is "fully anonymized" and no "private data is collected anywhere". This means that it aligns fully with the GDPR and other European data protection regulations.

One downside is that it supports locations in Europe only, from Spain to Greece, and Ireland to Poland. That is fine if you connect from one of these locations, but performance may suffer if you connect from other locations.

With that out of the way,  here are the five IP addresses that you may set up:

1. Protective Resolution - IP address 86.54.11.1
2. Protective + Child Protection - IP address 86.54.11.12
3. Protective + Ad blocking - IP address 86.54.11.13
4. Protective + Child Protection + Ad blocking - IP address 86.54.11.11
5. Unfiltered Resolution-  IP address 86.54.11.100

The unfiltered resolution is the only option that does not block anything. Protective resolution adds threat intelligence and protections to the DNS. Put plainly, it blocks known malicious IP addresses, and thus sites, automatically.

Connections fail automatically, if an IP address is on the blacklist. It features threat intelligence and real-time updates, makes use of artificial intelligence, and has a focus on regional threat intelligence to better protect European users.

Child protection and ad blocking are the two content filtering options.

Child protection aims to block access to child-inappropriate content such as sexual content, weapons, drugs, terrorism, racism, or violence.  Ad-blocking blocks advertisement, similarly to how AdGuard DNS does it.

The website includes instructions that explain how to change the DNS on devices. It covers Windows, macOS, Linux, Android, iOS, home routers, and browsers.

How fast are the DNS4EU DNS servers?

I downloaded the latest version of the free DNS Benchmark software by Gibson Research, added the five DNS server IP addresses to it, and ran the test.

Here is the result.

The unfiltered DNS server finished in second place, the protective and child protection server in fourth. That is a good result, but you need to remember that your mileage may vary if you connect from outside the EU.

Closing Words

DNS4EU adds another option for Internet users when it comes to switching from their ISP's DNS servers to better ones. While it works best from a European location, it does allow connections from locations outside of the European Union. Performance suffers then, however, so that most users may want to pick a better performing DNS server instead.

Tests need to show how well the content blocking, child protecting, and malware blocking really works. You can skip all of that if you use the unfiltered server though.

Now you: what is your take on this? Would you use the DNS server from the EU, or do you favor another one? Feel free to leave a comment down below.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices.

"The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," warns the FBI.

These devices come preloaded with the BADBOX 2.0 malware botnet or become infected after installing firmware updates and through malicious Android applications that sneak onto Google Play and third-party app stores.

"Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process," explains the FBI.

"Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services4 known to be used for malicious activity."

Once infected, the devices connect to the attacker's command and control (C2) servers, where they receive commands to execute on the compromised devices, such as:

• Residential Proxy Networks: The malware routes traffic from other cybercriminals through victims' home IP addresses, masking malicious activity.
• Ad Fraud: BADBOX can load and click ads in the background, generating ad revenue for the threat actors.
• Credential Stuffing: By leveraging victim IPs, attackers attempt to access other people's accounts using stolen credentials.

BADBOX 2.0 evolved from the original BADBOX malware, which was first identified in 2023 after it was found pre-installed in cheap, no-name Android TV boxes like the T95.

Over the years, the malware botnet continued expanding until 2024, when Germany's cybersecurity agency disrupted the botnet in the country by sinkholing the communication between infected devices and the attacker's infrastructure, effectively rendering the malware useless.

However, that did not stop the threat actors, with researchers saying they found the malware installed on 192,000 devices a week later. Even more concerning, the malware was found on more mainstream brands, like Yandex TVs and Hisense smartphones.

Unfortunately, despite the previous disruption, the botnet continued to grow, with HUMAN's Satori Threat Intelligence stating that over 1 million consumer devices had become infected by March 2025.

This new larger botnet is now being called BADBOX 2.0 to indicate a new tracking of the malware campaign.

"This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, "off brand", uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

"The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide."

Researchers at HUMAN estimate that the BADBOX 2.0 botnet spans 222 countries, with the highest number of compromised devices in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).

In a joint operation led by HUMAN's Satori team and Google, Trend Micro, The Shadowserver Foundation, and other partners, the BADBOX 2.0 botnet was disrupted again to prevent over 500,000 infected devices from communicating with the attacker's servers.

However, even with that disruption, the botnet continues to grow as consumers purchase more compromised products and connect them to the Internet.

A list of devices known to be impacted by the BADBOX malware are listed below:

Symptoms of a BADBOX 2.0 infection include suspicious app marketplaces, disabled Google Play Protect settings, TV streaming devices advertised as being unlocked or able to access free content, devices from unknown brands, and suspicious Internet traffic.

Furthermore, this malware is commonly found on devices not Google Play Protect certified.

The FBI strongly advises consumers to protect themselves from the botnet by following these steps:

• Assess all IoT devices connected to home networks for suspicious activity.
• Never download apps from unofficial marketplaces offering "free streaming" apps.
• Monitor Internet traffic to and from home networks.
• Keep all devices in your home updated with the latest patches and updates.

Finally, if you suspect your device is compromised, you should isolate it from the rest of the network and restrict its Internet access, effectively disrupting the malware.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

Earlier this year, in April, a federal judge decreed that Apple must allow developers to include web links in their iOS apps, remove restrictions on link formatting, and enable external payment methods without taking a commission on transactions. Apple immediately appealed and sought an injunction to delay implementation of the order while the case progressed.

However, the United States Court of Appeals has now refused Apple’s emergency request to stay the district court’s order. In its decision, the panel held that Apple had not demonstrated a sufficient likelihood of success on appeal, nor that it would suffer irreparable harm if the order were enforced. The court also considered potential prejudice to other parties and the public interest, concluding that an immediate suspension was not warranted. This ruling makes it much harder for Apple to overturn the April decision, which came from a lawsuit initiated by Epic Games.

Epic first sued Apple’s App Store policies in 2020, claiming that the company’s restrictions harmed competition. While Epic did not prevail on every count, the court did rule that Apple must allow developers to inform users of alternative purchasing options at better prices. Despite that narrow victory, Apple repeatedly failed to conform to the terms from the original 2021 ruling, prompting the judge in April to issue a more detailed order outlining precisely how the App Store must be “opened up”.

In response to the April ruling, prominent third-party apps have swiftly implemented web-based purchasing links. Both Spotify and Amazon’s Kindle app now include buttons directing users to purchase subscriptions via their websites, bypassing Apple’s in-app payments. Additionally, Fortnite has made a comeback on iOS after around five years, presenting users with the choice between Apple’s in-app payment system and Epic’s own payment and rewards mechanism. According to Epic CEO Tim Sweeney, there is presently a 60:40 split in usage favouring Apple’s system over Epic’s, though the gap appears to be narrowing.

An Apple spokesperson, Olivia Dalton, issued a statement expressing the company’s disappointment:

We are disappointed with the decision not to stay the district court’s order, and we will continue to argue our case during the appeals process. As we have said before, we strongly disagree with the district court’s opinion. Our goal is to ensure that the App Store remains an outstanding opportunity for developers and a safe, trusted experience for our users.

For now, Apple must comply with the existing injunction. Unless the Appeals Court later overturns the ruling, developers can continue to include web payment links, and Apple’s longstanding monopoly over iOS payment processing may continue to erode. The ultimate resolution will depend on the outcome of the ongoing appeals, which could set a significant precedent for how app marketplaces operate in the future.

Source: The Verge

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

"Due to malicious employees in partner agencies who broker contracts to customers on behalf of Vodafone, there had been fraud cases due to fictitious contracts or contract changes at the expense of customers, among other things," BfDI said on Thursday.

BfDI imposed a €15 million fine on Vodafone GmbH for failing to monitor partner agencies whose employees made unauthorized contract changes or tricked customers into signing fictitious contracts.

The British multinational telecommunications company was hit with a second €30 million fine for authentication vulnerabilities of its MeinVodafone ("My Vodafone") and the company's hotline, which allowed attackers to access customer eSIM profiles.

"Where data breaches take place, sanctions must be imposed. However, with my work, I also want to ensure that data breaches do not occur in the first place. Companies that want to comply with data protection law must be empowered to do so," added Prof. Dr. Louisa Specht-Riemenschneider, the Federal Commissioner for Data Protection and Freedom of Information.

"I would like to point out that Vodafone has cooperated with me continuously and without restriction throughout the entire proceedings and has also disclosed circumstances that have incriminated the company."

Vodafone has updated its processes and systems, replacing some of them to mitigate future risks. The company has also updated procedures for selecting and auditing partner agencies, and it has severed ties with partners linked to fraudulent activities.

The telecom giant has already paid the fines and donated several million euros to organizations that promote data protection, media literacy, and combating cyberbullying, the BfDI said.

Vodafone offers mobile and fixed services to over 330 million customers in 15 countries across Europe, Asia, Africa, and Oceania. Its financial technology businesses also serve nearly 83 million customers in seven African countries.

A Vodafone spokesperson was not immediately available for comment when contacted by BleepingComputer today.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend  

As reported in Microsoft Blog, the program aims to bolster the European government's ability to repel cyber attacks, especially those driven by generative AI. This cybersecurity enhancement program is said to be free of charge. However, such collaborations could improve Microsoft's relationship with European governments and enhance the company's footprint in European cyber defense programs.

While the surge in weaponizing AI for malicious activities is concerning, Microsoft believes in the potential of AI as a defense tool. The company also proactively monitors and addresses any malicious use of its AI models and tools.

The Microsoft's European Security Program aims to increase AI-based threat intelligence sharing with European governments, bolster cybersecurity capacity and resilience, and expand partnerships to disrupt cyberattacks.

Microsoft also says it has worked with European law enforcement agencies to take down Lumma infostealer malware, which is used to steal passwords, financial data, and crypto wallets. According to Microsoft, Lumma could infect nearly 400,000 devices globally in just two months, and many of its victims were in Europe. The company added the operation could seize or block over 2,300 command-and-control domains.

Over the past few years, there has been a massive surge in AI-driven cyber attacks, with criminals employing generative AI and commercial AI tools to target users and organizations. Large Language Models (LLMs) are modified for malicious purposes, allowing bad actors to exploit vulnerabilities with less effort.

Scammers and criminals even leverage AI tools like ChatGPT to create phishing emails, impersonate companies and individuals, and make deepfake videos. In another case, ChatGPT was used to plan the attack on Trump Hotel.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend