Iran-linked hackers threaten to release Trump aides' emails
Hackers say they might try to sell emails from Trump aides Group leaked documents from Republican president's campaign last year US has said group known as Robert works for Iran's Revolutionary Guards WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election. In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
ICC detects and contains new sophisticated cyber security incident
Press release: 30 June 2025 Late last week, the International Criminal Court (“ICC” or “the Court”) detected a new, sophisticated and targeted cyber security incident, which has now been contained. This incident, the second of this type against the ICC in recent years, was swiftly discovered, confirmed and contained, through the Court’s alert and response mechanisms. A Court-wide impact analysis is being carried out, and steps are already being taken to mitigate any effects of the incident. The Court considers it essential to inform the public and its States Parties about such incidents as well as efforts to address them, and calls for continued support in the face of such challenges. Such support ensures the Court’s capacity to implement its critical mandate of justice and accountability, which is a shared responsibility of all States Parties.
Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft
July 1, 2025 WASHINGTON Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK. “Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.” Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as further amended, and builds on OFAC’s February action targeting ZServers BPH. Today’s action also reflects Treasury’s continued work to combat cybercrime and degrade the support networks that enable malicious actors to target U.S. citizens, technology, and critical industries. AEZA GROUP: KEY TECHNICAL SUPPORT FOR RANSOMWARE GROUPS, CYBERCRIME, AND ILLICIT DRUGS Aeza Group, headquartered in St. Petersburg, Russia, has provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, who have used the hosting service to target the U.S. defense industrial base and technology companies, among other victims globally. Infostealers are often used to harvest personal identifying information, passwords, and other sensitive credentials from compromised victims. These credentials are then often sold on darknet markets for profit, making infostealer operators a key piece of the cybercrime ecosystem. Aeza Group has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs. Darknet drug marketplaces allow for the anonymous purchase and shipment of narcotics over the internet, making them a present and increasing contributor to drug trafficking to the United States and worldwide. According to Treasury’s Financial Crimes Enforcement Network (FinCEN) and its supplemental advisory on fentanyl, criminal organizations use darknet marketplaces to sell precursor chemicals and manufacturing equipment used for the synthesis of fentanyl and other synthetic opioids, as well as to traffic fentanyl and other narcotics into the United States. OFAC is designating Aeza Group pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being responsible or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain. Aeza International Ltd. is the United Kingdom branch of Aeza Group. Aeza Group uses Aeza International to lease IP addresses to cybercriminals, including Meduza infostealer operators. Aeza Logistic LLC and Cloud Solutions LLC are Russia-based subsidiaries that are 100% owned by Aeza Group. Servers BPH.
Introducing FileFix – A New Alternative to ClickFix Attacks
A new browser attack vectors just dropped, and it’s called FileFix — an alternative to the well-known ClickFix attack. This method, discovered and shared by mrd0x, shows how attackers can to execute commands right from browser, without requesting target to open cmd dialog. Quick Recap: What’s the ClickFix Attack? First, let's quickly recap ClickFix, the
Qantas can confirm that a cyber incident has occurred in one of its contact centres impacting customer data. The system is now contained. We understand this will be concerning for customers. We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available. The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform. There is no impact to Qantas’ operations or the safety of the airline. What we know On Monday, we detected unusual activity on a third party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure. There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers. Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed. Actions we are taking While we conduct the investigation, we are putting additional security measures in place to further restrict access and strengthen system monitoring and detection. Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. Given the criminal nature of this incident, the Australian Federal Police has also been notified. We will continue to support these agencies as the investigation continues. Qantas has established a dedicated customer support line as well as a dedicated page on qantas.com to provide the latest information to customers. We will continue to share updates including via our website and social channels. Qantas Group Chief Executive Officer Vanessa Hudson said: “We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously. “We are contacting our customers today and our focus is on providing them with the necessary support. “We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
Chrome 0-Day Flaw Exploited in the Wild to Execute Arbitrary Code
Google has issued an urgent security update for its Chrome browser, addressing a critical zero-day vulnerability that is being actively exploited by attackers. The flaw, tracked as CVE-2025-6554, is a type confusion vulnerability in Chrome’s V8 JavaScript engine, which underpins the browser’s ability to process web content across Windows, macOS, and Linux platforms. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025. According to Google, attackers have already developed and deployed exploits targeting this flaw in the wild, prompting the company to act quickly.
Vulnerability Advisory: Sudo chroot Elevation of Privilege
The Sudo utility is a privileged command-line tool installed on Linux systems that allows a permitted user to execute a command as the superuser, or another user, as specified by the security policy. It is commonly used to implement the least privilege model by delegating administrative tasks that require elevated privileges without sharing the root password, while also creating an audit trail in the system log. The Stratascale Cyber Research Unit (CRU) team discovered two local privilege vulnerabilities in Sudo. These vulnerabilities can result in the escalation of privileges to root on the impacted system. The research focused on infrequently used command-line options. This blog explores how the Sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no Sudo rules are defined for that user. The default Sudo configuration is vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed. The following versions are known to be vulnerable. Note: Not all versions within the range have been tested. Stable 1.9.14 - 1.9.17 Note: The legacy versions of Sudo (currently 1.8.32) are not vulnerable because the chroot feature does not exist. Exploitation has been verified on: Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2 Fedora 41 Server; Sudo 1.9.15p5
Established in 2024, the People's Liberation Army Cyberspace Force merges cyber and electronic warfare to disrupt, deter, and dominate in future conflicts. With the launch of its Cyberspace Force, China has elevated the digital domain to a theatre of war. The Cyberspace Force of the People’s Liberation Army (PLA) is China’s newest military branch, launched on 19 April 2024. Based in Haidian District, Beijing, and with five antennas across the country, it operates under the direct authority of the Central Military Commission (CMC). Its creation followed the dissolution of the Strategic Support Force (SSF) and shows a broader shift in China’s approach to modern warfare. The force is tasked with both defending and attacking in the cyber domain. Additionally, it covers: Network security Electronic warfare Information dominance The Cyberspace Force plays a central role in China’s preparation for future conflicts, particularly in what the PLA calls “informatised warfare”, a doctrine focused on controlling the flow of information across all domains. By placing the unit directly under the CMC, China ensures centralised control, operational discipline, and strategic reach in cyberspace. On 19 April 2024, the CMC formally dissolved the SSF and created three independent forces: Cyberspace Force Aerospace Force * Information Support Force This marked the first time China designated cyberspace as an independent warfare domain with dedicated command, personnel, and budgetary autonomy. The Cyberspace Force now operates as a Corps Leader-grade service, headquartered in Beijing. It is led by Lieutenant General Zhang Minghua, with Lieutenant General Han Xiaodong serving as its political commissar. Its emergence reflects a shift from fragmented technical capabilities to centralised, strategic integration of cyber warfare into China’s military planning.
Unveiling RIFT: Enhancing Rust malware analysis through pattern matching
Today, Microsoft Threat Intelligence Center is excited to announce the release of RIFT, a tool designed to assist malware analysts automate the identification of attacker-written code within Rust binaries. Known for its efficiency, type safety, and robust memory safety, Rust has increasingly become a tool for creating malware, especially among financially motivated groups and nation-state entities. This shift has introduced new challenges for malware analysts as the unique characteristics of Rust binaries make static analysis more complex. One of the primary challenges in reverse engineering malware developed with Rust lies in its layers of abstraction added through features such as memory safety and concurrency handling, making it more challenging to identify the behavior and intent of the malware. Compared to traditional languages, Rust binaries are often larger and more complex due to the incorporation of extensive library code. Consequently, reverse engineers must undertake the demanding task of distinguishing attacker-written code from standard library code, necessitating advanced expertise and specialized tools. To address these pressing challenges, Microsoft Threat Intelligence Center has developed RIFT. RIFT underscores the growing need for specialized tools as cyber threat actors continue to leverage Rust’s features to evade detection and complicate analysis. The adoption of Rust by threat actors is a stark reminder of the ever-changing tactics employed in the cyber domain, and the increasing sophistication required to combat these threats effectively. In this blog post, we explore how threat actors are increasingly adopting Rust for malware development due to its versatility and how RIFT can be used to combat this threat by enhancing the efficiency and accuracy of Rust-based malware analysis.
Swiss government affected by cyberattack on health foundation
Switzerland says a ransomware attack on the non-profit health foundation Radix that involved data being stolen and encrypted had also affected the federal administration. The Radix Foundation, a not-for-profit organisation active in the field of health promotion, has been the victim of a ransomware attack, it was confirmed on Monday. The criminals stole and encrypted data, which they then published on the darknet. The foundation contacted the National Cybersecurity Centre (NCSC) after carrying out an initial analysis of the situation, it announced on Monday. Radix’s clientele also includes various administrative units of the federal administration. The aim is to determine which services and data are actually affected by the cyber attack. At no time were the hackers able to penetrate the systems of the federal administration, as the Radix Foundation itself does not have such direct access, the centre pointed out.
Dozens of pro-Indy accounts go dark after Israeli strikes
On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.” Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity. What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.
Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
A cartel affiliate notified an FBI agent about a hacker who infiltrated cameras and phones to track an FBI official’s meetings, the DOJ inspector general said. A hacker working on behalf of the Sinaloa drug cartel infiltrated cameras and phones to track an FBI official in Mexico investigating the drug lord El Chapo, then used data from that surveillance to kill and intimidate potential sources and witnesses the agent was meeting with, a Justice Department watchdog report revealed. An FBI case agent learned about the hacker from someone affiliated with the cartel in 2018, according to the inspector general report released Friday. “That individual said the cartel had hired a ‘hacker’ who offered a menu of services related to exploiting mobile phones and other electronic devices,” the report states. “According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified ‘people of interest’ for the cartel, including the FBI Assistant Legal Attache (ALA T), and then was able to use the ALA T’s mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT’s phone.
Norwegian Dam Valve Forced Open for Hours in Cyberattack
Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second. The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway. Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.
50 Customers of French Bank Hit by Insider SIM Swap Scam
An intern at Société Générale is believed to have facilitated the theft of more than EUR1mn (USD1.15mn) from the bank's customers. A business student who was interning at Société Générale, a leading multinational bank headquartered in France, is believed to have fed information to SIM swappers who stole from 50 customers of the bank, reports Le Parisien. The intern’s arrest prompted officers from France’s fraud police (La Brigade des Fraudes aux Moyens de Paiement, BFMP) to identify a series of alleged accomplices, including one person who specialized in taking control of the phone service of victims. Using information provided by the intern, the SIM swapper would call the comms providers that provided service to customers of Société Générale. He would pretend to be the legitimate phone user, and that his phone had been lost so a replacement SIM would be issued to him. Having taken control of the victim’s phone service, the SIM swapper would then receive the one-time passwords sent to those numbers by Société Générale. With these codes, the gang were able to withdraw money from the bank accounts of victims. In total, it is believed that more than EUR1mn (USD1.15mn) was stolen this way.
Hide Your RDP: Password Spray Leads to RansomHub Deployment
Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access. Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan. Rclone was used to exfiltrate data to a remote server using SFTP. The threat actor deployed RansomHub ransomware network wide, which spread over SMB and was executed using remote services.
DeepSeek faces ban from Apple, Google app stores in Germany | Reuters
Germany's data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere. Germany says DeepSeek illegally transfers user data to China Apple and Google must now review Germany's request * Italy blocked DeepSeek app earlier this year FRANKFURT, June 27 (Reuters) - Germany's data protection commissioner has asked Apple (AAPL.O), opens new tab and Google (GOOGL.O), opens new tab to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere. Commissioner Meike Kamp said in a statement on Friday that she had made the request because DeepSeek illegally transfers users' personal data to China. The two U.S. tech giants must now review the request promptly and decide whether to block the app in Germany, she added, though her office has not set a precise timeframe. Google said it had received the notice and was reviewing it. DeepSeek did not respond to a request for comment. Apple was not immediately available for comment. According to its own privacy policy, opens new tab, DeepSeek stores numerous pieces of personal data, such as requests to its AI programme or uploaded files, on computers in China. "DeepSeek has not been able to provide my agency with convincing evidence that German users' data is protected in China to a level equivalent to that in the European Union," Kamp said. "Chinese authorities have far-reaching access rights to personal data within the sphere of influence of Chinese companies," she added.
Denmark to tackle deepfakes by giving people copyright to their own features
The Danish government is to clamp down on the creation and dissemination of AI-generated deepfakes by changing copyright law to ensure that everybody has the right to their own body, facial features and voice. The Danish government said on Thursday it would strengthen protection against digital imitations of people’s identities with what it believes to be the first law of its kind in Europe. Having secured broad cross-party agreement, the department of culture plans to submit a proposal to amend the current law for consultation before the summer recess and then submit the amendment in the autumn. It defines a deepfake as a very realistic digital representation of a person, including their appearance and voice. The Danish culture minister, Jakob Engel-Schmidt, said he hoped the bill before parliament would send an “unequivocal message” that everybody had the right to the way they looked and sounded. He told the Guardian: “In the bill we agree and are sending an unequivocal message that everybody has the right to their own body, their own voice and their own facial features, which is apparently not how the current law is protecting people against generative AI.” He added: “Human beings can be run through the digital copy machine and be misused for all sorts of purposes and I’m not willing to accept that.” The move, which is believed to have the backing of nine in 10 MPs, comes amid rapidly developing AI technology that has made it easier than ever to create a convincing fake image, video or sound to mimic the features of another person. The changes to Danish copyright law will, once approved, theoretically give people in Denmark the right to demand that online platforms remove such content if it is shared without consent.
Hawaiian Airlines discloses cyberattack, flights not affected
Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack. Hawaiian Airlines also hired external cybersecurity experts to asses the attack's impact and help restore affected systems. "Hawaiian Airlines is addressing a cybersecurity event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled," the airline said. "Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available." A banner on the airline's website notes that the incident hasn't impacted flights in any way and that travel hasn't been affected. The same alert is also displayed on the Alaska Airlines website, which is owned by Alaska Air Group, a company that acquired Hawaiian Airlines last year.
Pre-Auth Flaw in MongoDB Server Allows Attackers to Cause DoS
A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication. The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes. This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation). Vulnerability Analysis Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism. The server fails to properly validate date values in JSON input, leading to: Complete server crashes without authentication in v7.0 and v8.0 deployments Post-authentication DoS in v6.0 environments Critical disruption of database operations through invariant failures The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact. MongoDB has classified this as CWE-20 (Improper Input Validation). Mitigation and Updates Administrators should immediately upgrade to patched versions: MongoDB v6.0 → 6.0.21 or later MongoDB v7.0 → 7.0.17 or later MongoDB v8.0 → 8.0.5 or later For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.
New Guidance Released for Reducing Memory-Related Vulnerabilities
This joint guide highlights important considerations for organizations seeking to transition toward more secure software development practices Today, CISA, in partnership with the National Security Agency (NSA), released a joint guide on reducing memory-related vulnerabilities in modern software development. Memory safety vulnerabilities pose serious risks to national security and critical infrastructure. Adopting memory safe languages (MSLs) offers the most comprehensive mitigation against this class of vulnerabilities and provides built-in safeguards that enhance security by design. CISA’s Secure by Design program advocates for integrating proactive security measures throughout the software development lifecycle, with MSLs as a central component. Consistent support for MSLs underscores their benefits for national security and resilience by reducing exploitable flaws before products reach users. This joint guide outlines key challenges to adopting MSLs, offers practical approaches for overcoming them, and highlights important considerations for organizations seeking to transition toward more secure software development practices. Organizations in academia, U.S. government, and private industry are encouraged to review this guidance and support adoption of MSLs. In addition to the product published today, CISA and the NSA previously released the joint guide, The Case for Memory Safe Roadmaps. To learn more about memory safety, visit Secure by Design on CISA.gov. Please share your thoughts with us via our anonymous product survey; we welcome your feedback.
Scale AI exposed sensitive data about clients like Meta and xAI in public Google Docs, BI finds
As Scale AI seeks to reassure customers that their data is secure following Meta's $14.3 billion investment, leaked files and the startup's own contractors indicate it has some serious security holes. Scale AI routinely uses public Google Docs for work with Google, Meta, and xAI. BI reviewed thousands of files — some marked confidential, others exposing contractor data. * Scale AI says it's conducting a "thorough investigation." Scale AI routinely uses public Google Docs to track work for high-profile customers like Google, Meta, and xAI, leaving multiple AI training documents labeled "confidential" accessible to anyone with the link, Business Insider found. Contractors told BI the company relies on public Google Docs to share internal files, a method that's efficient for its vast army of at least 240,000 contractors and presents clear cybersecurity and confidentiality risks. Scale AI also left public Google Docs with sensitive details about thousands of its contractors, including their private email addresses and whether they were suspected of "cheating." Some of those documents can be viewed and also edited by anyone with the right URL.
More than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. Around 170 patients have suffered harm as a result of a cyber attack on blood services at London hospitals and GP surgeries, reports suggest. Pathology services provider Synnovis was the victim of a ransomware attack by a Russian cyber gang in June last year. As a result more than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. And a significant number of GP practices in London were unable to order blood tests for their patients. Now the Health Service Journal (HSJ) has reported that there were nearly 600 “incidents” linked to the attack, with patient care suffering in 170 of these.
Microsoft 365 'Direct Send' abused to send phishing as internal users
An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials. Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company. However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain. Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down.. "We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft. "You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication." The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA says a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software, which enables attackers to hijack and brick servers, is currently under active exploitation. CISA has confirmed that a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks. The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it's used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service providers and data centers. This authentication bypass security flaw (tracked as CVE-2024-54085) can be exploited by remote unauthenticated attackers in low-complexity attacks that don't require user interaction to hijack and potentially brick unpatched servers.
Chine/France : Près de Toulouse, les "grandes oreilles" chinoises soupçonnées d'espionner les satellites français
L'antenne secrète, Airbus et la Chine (1/2) – Les services de renseignement français suspectent qu'une petite société de télécommunications chinoise ait déployé une station d'écoute à proximité de sites d'Airbus. Si une enquête judiciaire est ouverte, l'affaire mobilise fortement les espions hexagonaux. Révélations. C'est une rue étroite qui coupe la "plus belle avenue du monde". À une centaine de mètres des Champs-Élysées, à Paris, entre une immense boutique du géant français du prêt-à-porter Lacoste et un ancien restaurant irakien, apparaît le 17 rue du Colisée. Ce centre d'affaires sans charme héberge un cabinet d'avocats, un groupe spécialisé dans les semi-conducteurs et une entreprise de production musicale. Depuis le 1er janvier 2025, l'immeuble compte un nouvel occupant : la société chinoise SATHD Europe, spécialisée dans les télécommunications par satellite. Alors que ses statuts juridiques l'attestent, l'entreprise ne figure pas sur la plaque mentionnant les locataires. Ces derniers affirment par ailleurs n'avoir constaté aucun signe de présence de cette mystérieuse entité entre les murs. SATHD Europe existe pourtant bel et bien. La société est même soupçonnée par les services de renseignement hexagonaux d'être à l'origine de l'une des plus grandes opérations d'espionnage ayant visé la France ces dernières années. Après plusieurs mois d'enquête, Intelligence Online est en mesure de révéler une affaire de longue haleine, dans laquelle les regards convergent vers la Chine. Village idéalement situé dans le cône de réception satellitaire Début 2022. Les officiers de la Direction du renseignement et de la sécurité de la défense (DRSD), service de contre-ingérence du ministère des armées, repèrent une antenne suspecte qui dépasse du balcon d'un immeuble de Boulogne-sur-Gesse, petite commune rurale de Haute-Garonne. Celle-ci ressemble à peu de chose près à une parabole permettant de recevoir la télévision par satellite. Les contre-espions français sont toutefois sur leurs gardes. Ce village se situe à environ 71 kilomètres en ligne droite du téléport d'Issus Aussaguel. Ce centre de télécommunications, au sud de Toulouse, pilote les satellites d'observation de la Terre du Centre national d'études spatiales (CNES), notamment les Pléiades fabriqués par Airbus Group et les SWOT conçus par le français Thales Alenia Space (TAS) et l'américain Jet Propulsion Laboratory.
OWASP Agentic AI Top 10 Vulnerability Scoring System (AIVSS) & Comprehensive AI Security Framework
Developing a rigorous scoring system for Agentic AI Top 10 vulnerabilities, leading to a comprehensive AIVSS framework for all AI systems. Key Deliverables Agentic AI Top 10 Vulnerability Scoring System: A precise and quantifiable scoring methodology tailored to the unique risks identified in the OWASP Agentic AI Top 10. Clear rubrics and guidelines for assessing the severity and exploitability of these specific vulnerabilities. Comprehensive AIVSS Framework Package: Standardized AIVSS Framework: A scalable framework validated across a diverse range of AI applications, including and extending beyond Agentic AI. AIVSS Framework Guide: Detailed documentation explaining the metrics, scoring methodology, and application of the framework. AIVSS Scoring Calculator: An open-source tool to automate and standardize the vulnerability scoring process. AIVSS Assessment Report Templates: Standardized templates for documenting AI vulnerability assessments.
Piratage Adecco : le procès XXL de Lyon jugera le siphonnage de 76 000 fiches d’intérimaires
Le procès de seize personnes impliquées dans le siphonnage des données bancaires et personnelles de 76 000 intérimaires Adecco débute ce lundi à Lyon. Le préjudice estimé atteint 1,6 million d’euros. Le procès de seize personnes débute à Lyon pour le siphonnage de données de 76 000 intérimaires Adecco, causant un préjudice de 1,6 million d'euros. Un alternant d'Adecco a permis l'accès aux données via le darkweb, entraînant des prélèvements frauduleux orchestrés par une société écran. * Les victimes, exposées à des risques d'usurpation d'identité, s'inquiètent des conséquences à long terme de cette fraude. En 2022, des intérimaires d’Adecco découvrent sur leur relevé bancaire un débit de 49,85 euros. Le nom affiché ne leur dit rien. Rapidement, l’affaire fait tache d'huile. Comme on vous l'avait raconté sur Clubic à cette époque, plusieurs milliers de personnes se rendent compte du problème en même temps. Les prélèvements se répètent, toujours pour le même montant. Les victimes échangent sur un groupe Facebook. Le point commun se confirme. Elles réalisent qu'elles ont toutes travaillé pour le leader du travail temporaire en France. Adecco lance un audit interne. Très vite, le lien se fait avec ses propres fichiers. Le géant suisse, pays pourtant considéré comme sanctuaire des données personnelles, comprend qu’un vaste piratage vient de toucher ses bases de données.
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Details The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability. Details about the vulnerabilities are as follows: CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCwo99449 CVE ID: CVE-2025-20281 Security Impact Rating (SIR): Critical CVSS Base Score: 10.0 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCwp02821 CVE ID: CVE-2025-20282 Security Impact Rating (SIR): Critical CVSS Base Score: 10.0 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Workarounds There are no workarounds that address these vulnerabilities.
Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace
If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain. Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain. This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States’ fragmented, risk-averse acquisition model with China’s outsourced and funnel-like approach. Key findings: Zero-day exploitation is becoming more difficult, opaque, and expensive, leading to “feast-or-famine” contract cycles. Middlemen with prior government connections further drive up costs and create inefficiency in the US and Five Eyes (FVEYs) market, while eroding trust between buyers and sellers. China’s domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia. The United States relies on international talent for its zero-day capabilities, and its domestic talent investment is sparse – focused on defense rather than offense. The US acquisition processes favor large prime contractors, and prioritize extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements. China’s acquisition processes use decentralized contracting methods. The Chinese Communist Party (CCP) outsources operations, shortens contract cycles, and prolongs the life of an exploit through additional resourcing and “n-day” usage. US cybersecurity goals, coupled with “Big Tech” market dominance, are strategic counterweights to the US offensive capability program, demonstrating a strategic trade-off between economic prosperity and national security. China’s offensive cyber industry is already heavily integrated with artificial intelligence (AI) institutions, and China’s private sector has been proactively using AI for cyber operations. * Given the opaque international market for zero-day exploits, preference among government customers for full exploit chains leveraging multiple exploit primitives, and the increase in bug collisions, governments can almost never be sure they truly have a “unique capability.”
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-6543
Description of Problem A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details. Affected Versions The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46 NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP NetScaler ADC 12.1-FIPS is not affected by this vulnerability. Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities. This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Details NetScaler ADC and NetScaler Gateway contain the vulnerability mentioned below: CVE-ID Description Pre-conditions CWE CVSSv4 CVE-2025-6543 Memory overflow vulnerability leading to unintended control flow and Denial of Service NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer CVSS v4.0 Base Score: 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L) What Customers Should Do Exploits of CVE-2025-6543 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1 NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP. Customers should contact support - https://support.citrix.com/support-home/home to obtain the 13.1-FIPS and 13.1-NDcPP builds that address this issue. Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.
