Fortinet finally fixes critical straight-to-admin bug under active exploit for a month

Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month’s head start.

The bug, now tracked as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands on Fortinet’s web application firewall product and fully take over vulnerable devices. It’s fully patched in FortiWeb version 8.0.2, but it didn’t even have a CVE assigned to it until Friday, when the vendor admitted to having “observed this to be exploited in the wild.”

[…]

it appears a proof-of-concept (PoC) exploit has been making the rounds since early October, and third-party security sleuths have told The Register that exploitation is widespread.

“The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” watchTowr CEO and founder Benjamin Harris told us prior to Fortinet’s security advisory.

“The vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers,” he added.

WatchTowr successfully reproduced the vulnerability and created a working PoC, along with a Detection Artefact Generator to help defenders identify vulnerable hosts in their IT environments.

Despite the fix in version 8.0.2, the attacks remain ongoing, and at least 80,000 FortiWeb web app firewalls are connected to the internet, according to Harris.

“Apply patches if you haven’t already,” he advised. “That said, given the indiscriminate exploitation observed by the watchTowr team and our Attacker Eye sensor network, appliances that remain unpatched are likely already compromised.”

The battering attempts against Fortinet’s web application firewalls date back to October 6, when cyber deception firm Defused published a PoC on social media that one of their FortiWeb Manager honeypots caught. At the time, the bug hadn’t been disclosed nor did it have a CVE.

[…]

Source: Fortinet finally cops to critical bug under active exploit • The Register

Chinese spies used Claude to break into some critical orgs

Chinese cyber spies used Anthropic’s Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops “succeeded in a small number of cases,” according to a Thursday report from the AI company.

The mid-September operation targeted large tech companies, financial institutions, chemical manufacturers, and government agencies.

While a human selected the targets, “this marks the first documented case of agentic AI successfully obtaining access to confirmed high-value targets for intelligence collection, including major technology corporations and government agencies,” Anthropic’s threat hunters wrote in a 13-page document [PDF].

It’s also further proof that attackers continue experimenting with AI to run their offensive operations. The incident also suggests heavily funded state-sponsored groups are getting better at autonomizing attacks.

The AI vendor tracks the Chinese state-sponsored group behind the espionage campaign as GTG-1002, and says its operatives used Claude Code and Model Context Protocol (MCP) to run the attacks without a human in the tactical execution loop.

A human-developed framework used Claude to orchestrate multi-stage attacks, which were then carried out by several Claude sub-agents all performing specific tasks. Those chores included mapping attack surfaces, scanning organizations’ infrastructure, finding vulnerabilities, and researching exploitation techniques.

Once the sub-agents developed exploit chains and custom payloads, a human operator spent between two and 10 minutes reviewing the results of the AI’s actions and signing off on the subsequent exploitations.

The sub-agents then got to work finding and validating credentials, escalating privileges, moving laterally across the network, and accessing and then stealing sensitive data. Post-exploitation, the human operator only had to again review the AI’s work before approving the final data exfiltration.

“By presenting these tasks to Claude as routine technical requests through carefully crafted prompts and established personas, the threat actor was able to induce Claude to execute individual components of attack chains without access to the broader malicious context,” according to the report.

Upon discovering the attacks, Anthropic says it launched an investigation that led it to ban associated accounts, mapped the full extent of the operation, notified affected entities, and coordinated with law enforcement.

These attacks represent a “significant escalation” from the firm’s August report that documented how criminals used Claude in a data extortion operation that hit 17 organizations and saw attackers demand ransoms ranging from $75,000 to $500,000 for stolen data. However, “humans remained very much in the loop directing operations,” in that attack, we’re told.

“While we predicted these capabilities would continue to evolve, what has stood out to us is how quickly they have done so at scale,” states Anthropic’s new analysis.

There is a slight silver lining, however, in that Claude did hallucinate during the attacks and claimed better results than the evidence showed.

The AI “frequently overstated findings and occasionally fabricated data during autonomous operations,” requiring the human operator to validate all findings. These hallucinations included Claude claiming it had obtained credentials (which didn’t work) or identifying critical discoveries that turned out to be publicly available information.

Anthropic asserts such errors represent “an obstacle to fully autonomous cyberattacks” – at least for now.

Source: Chinese spies used Claude to break into critical orgs • The Register

End of the game for cybercrime infrastructure: 1025 servers taken down – Operation Endgame’s latest phase targeted the infostealer Rhadamanthys, Remote Access Trojan VenomRAT, and the botnet Elysium

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on 3 November 2025.

The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers. More than 30 national and international public and private parties are supporting the actions. Important contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender.

The coordinated actions led to:

  • 1 arrest in Greece
  • 11 locations searched (1 in Germany, 1 in Greece, and 9 in the Netherlands)
  • Over 1 025 servers taken down or disrupted worldwide
  • 20 domains seized

Endgame doesn’t end here – think about (y)our next move

The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100 000 crypto wallets belonging to these victims, potentially worth millions of euros. Check if your computer has been infected and what to do if so at politie.nl/checkyourhack and haveibeenpwned.com

There were actions aimed at criminal services and their criminal users. These users were directly contacted by the police and asked to share relevant information regarding infostealers via the Operation Endgame Telegram channel. In addition, the failing criminal services are exposed via the Operation Endgame website.

[…]

Source: End of the game for cybercrime infrastructure: 1025 servers taken down – Operation Endgame’s latest phase targeted the infostealer Rhadamanthys, Remote Access Trojan VenomRAT, and the botnet Elysium | Europol

North Korean spies used Google Find Hub as remote-wipe tool

North Korean state-backed spies have found a new way to torch evidence of their own cyber-spying – by hijacking Google’s “Find Hub” service to remotely wipe Android phones belonging to their South Korean targets.

Researchers at South Korean cybersecurity firm Genians said the campaign, attributed to the long-running KONNI group, abused Google’s device management features to trigger factory resets on compromised smartphones and tablets. In several cases, victims’ devices were wiped without authorization, erasing messages, photos, and other data that could have revealed traces of the intrusion.

[…]

According to Genians, the attackers used stolen Google account credentials harvested through spear-phishing or fake login pages to access victims’ profiles on the Find My Device platform. The feature, which allows users to locate lost phones, lock them, or perform a factory reset, became an unwitting tool for sabotage. Once logged in, the hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise.

The infection chain began with victims being approached via the popular South Korean messaging app KakaoTalk. Attackers sent files masquerading as benign content to victims, lured them into installing signed MSI attachments or ZIPs, and deployed AutoIT scripts that installed RATs such as RemcosRAT, QuasarRAT and RftRAT. These tools harvested Google and Naver account credentials, enabling attackers to manipulate cloud services and use Find My Device to pull the plug.

Immediately after the reset, the attackers reportedly exploited the victim’s still-logged-in KakaoTalk desktop app to send malware-laden files to the victim’s contacts – effectively turning each compromised account into a secondary infection vector. This rapid follow-on phase allowed the KONNI operators to spread their payloads before targets could regain access to their wiped devices.

Additional findings show the attackers used the GPS location feature in Find My Device to identify when a target was outside and less likely to react quickly. In one incident, the attacker executed the wipe command not just once but three times, further delaying device recovery and ensuring the victim remained locked out.

The tactic underscores a growing risk for anyone relying on “lost device” features that are tied to online identity systems. While the ability to remotely reset a stolen phone is designed as a security safeguard, it also offers attackers an easy way to destroy evidence or cause disruption once account credentials are stolen.

[…]

Genians recommends that users of Find My Device tools enable multifactor or biometric authentication. For victims of KONNI’s latest stunt, however, the damage is already done. Once a factory reset is triggered through Google’s own service, there’s no undo button – just a blank phone and the tidy handiwork of a state hacker covering their tracks.

Source: North Korean spies used Google Find Hub as remote-wipe tool • The Register

Landfall spyware used in 0-day, 0 click attacks on Samsung phones

A previously unknown Android spyware family called LANDFALL exploited a zero-day in Samsung Galaxy devices for nearly a year, installing surveillance code capable of recording calls, tracking locations, and harvesting photos and logs before Samsung finally patched it in April.

The surveillance campaign likely began in July 2024 and abused CVE-2025-21042, a critical bug in Samsung’s image-processing library that affects Galaxy devices running Android versions 13, 14, 15, and 16, according to Palo Alto Networks Unit 42 researchers who discovered the commercial-grade spyware and revealed details of the espionage attacks in a Friday report.

“This was a precision espionage campaign, targeting specific Samsung Galaxy devices in the Middle East, with likely victims in Iraq, Iran, Turkey, and Morocco,” Itay Cohen, a senior principal researcher at Unit 42, told The Register. “The use of zero-day exploits, custom infrastructure, and modular payload design all indicate an espionage-motivated operation.”

According to the cyber sleuths, exploiting CVE-2025-21042 likely involved sending a maliciously crafted image to the victim’s device via a messaging application in a “zero-click” attack, meaning that infecting targeted phones didn’t require any user interaction.

“It’s not clear exactly how many people were targeted or exploited, but in a recent, related campaign, involving iOS and WhatsApp, WhatsApp shared that less than 200 were targeted in that campaign, so we can reasonably expect this could be a similar very targeted volume,” Cohen said.

Unit 42’s cyber sleuths originally uncovered Landfall while investigating these other two similar zero-days. In August, Apple patched a critical out-of-bounds write issue (CVE-2025-43300) in the ImageIO framework used in iPhones and iPads that had already been exploited in “extremely sophisticated” attacks.

That same month, Meta issued its own security advisory warning that attackers may have chained a WhatsApp bug (CVE-2025-55177) with this Apple OS-level flaw “in a sophisticated attack against specific targeted users.”

The Meta and WhatsApp security teams also found and disclosed to Samsung another DNG-related zero-day in Galaxy devices in August, and in September, Samsung patched CVE-2025-21043.

Despite the similarities between all of these attack chains, Unit 42 says it can’t definitively connect Landfall to the three other zero-days.

[…]

Source: Landfall spyware used in 0-day attacks on Samsung phones • The Register

LLM side-channel attack allows traffic sniffers to know what you are talking about with your GPT

[…]

Streaming models send responses to users incrementally, in small chunks or tokens, as opposed to sending the complete responses all at once. This makes them susceptible to an attacker-in-the-middle scenario, where someone with the ability to intercept network traffic could sniff those LLM tokens.

“Cyberattackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyberattack to infer if the user’s prompt is on a specific topic,” researchers Jonathan Bar Or and Geoff McDonald wrote.

“This especially poses real-world risks to users by oppressive governments where they may be targeting topics such as protesting, banned material, election process, or journalism,” the duo added.

Redmond disclosed the flaw to affected vendors and says several of them – Mistral, Microsoft, OpenAI, and xAI – have implemented mitigations to protect their models against this type of side-channel attack.

[…]

Proof-of-concept shows how the attack would work

Redmond’s team produced a Whisper Leak attack demo and proof-of-concept code that uses the models to conclude a probability (between 0.0 and 1.0) of a topic being “sensitive” – in this case, money laundering.

For this proof-of-concept, the researchers used a language model to generate 100 variants of a question about the legality of money laundering, mixed them with general traffic, and then trained a binary classifier to distinguish the target topic from background queries.

Then they collected data from each language model service individually, recording response times and packet sizes by sniffing the network with tcpdump. Additionally, they shuffled the order of positive and negative samples for collection, and introduced variants by inserting extra spaces between words – this helps avoid caching interference risk.

[…]

The duo then measured the models’ performance using Area Under the Precision-Recall Curve (AUPRC).

In several of the models, including ones hosted by providers Alibaba, DeepSeek, Mistral, Microsoft, xAI, and OpenAI, classifiers achieved over 98 percent AUPRC, indicating near-perfect separation between sensitive and normal traffic.

They then simulated a “more realistic surveillance scenario” in which an attacker monitored 10,000 conversations, with only one about the target topic in the mix. They performed this test several times, and in many cases had zero false positives, while catching the money-laundering messages between 5 percent and 50 percent of the time. They wrote:

For many of the tested models, a cyberattacker could achieve 100% precision (all conversations it flags as related to the target topic are correct) while still catching 5-50% of target conversations … To put this in perspective: if a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics – whether that’s money laundering, political dissent, or other monitored subjects – even though all the traffic is encrypted.

There are a few different ways to protect against size and timing information leakage. Microsoft and OpenAI adopted a method introduced by Cloudflare to protect against a similar side-channel attack: adding a random text sequence to response fields to vary token sizes, making them unpredictable, and thus mostly defending against size-based attacks.
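The size channel described above, and the padding mitigation in the preceding paragraph, boiled down to a self-contained simulation. This is an added example, not Microsoft’s Whisper Leak code or any provider’s implementation: the per-token JSON framing, the 29-byte record overhead and the 0–64 byte filler range are assumptions, and the real attack trained classifiers over size and timing sequences of many paraphrased prompts rather than matching an exact fingerprint as this toy attacker does.

```python
import json
import random

# Constructed model of a streaming chat API. Each token travels in its own JSON
# chunk inside its own TLS record, so the ciphertext length a passive observer
# sees is a constant framing overhead plus the chunk's plaintext length.
# Both constants are assumptions, not measurements of any real provider.
RECORD_OVERHEAD = 29   # assumed: TLS record header + AEAD tag + "data: " SSE prefix
PAD_MAX = 64           # assumed upper bound on the random filler length

# Constructed sample responses (token lists), one per topic the attacker cares about.
RESPONSES = {
    "money_laundering": ["Money", " laundering", " is", " illegal", " under", " federal", " law", "."],
    "geography": ["Paris", " is", " the", " capital", " of", " France", "."],
}

def _chunk(token, filler=None):
    body = {"choices": [{"delta": {"content": token}}]}
    if filler is not None:
        body["obfuscation"] = filler   # random-length filler field: the padding mitigation
    return json.dumps(body, separators=(",", ":")).encode()

def observed_sizes(tokens, pad_rng=None):
    """Ciphertext record sizes an on-path observer records for one streamed reply."""
    sizes = []
    for tok in tokens:
        filler = None if pad_rng is None else "x" * pad_rng.randint(0, PAD_MAX)
        sizes.append(RECORD_OVERHEAD + len(_chunk(tok, filler)))
    return sizes

def padded_sizes(tokens, seed):
    """The same stream with per-chunk random padding (seeded so the demo repeats)."""
    return observed_sizes(tokens, pad_rng=random.Random(seed))

def recover_token_lengths(sizes):
    """Attacker side, unpadded stream: the JSON skeleton has a fixed length, so
    record size minus that constant is exactly the token length in bytes."""
    skeleton = RECORD_OVERHEAD + len(_chunk(""))
    return [s - skeleton for s in sizes]

def build_fingerprints():
    """What the attacker pre-records: the size sequence of each known response."""
    return {topic: observed_sizes(toks) for topic, toks in RESPONSES.items()}

def match_topic(sizes, fingerprints):
    """Exact-match fingerprint lookup over the observed size sequence."""
    for topic, fp in fingerprints.items():
        if fp == sizes:
            return topic
    return None

if __name__ == "__main__":
    fps = build_fingerprints()
    toks = RESPONSES["money_laundering"]
    plain, padded = observed_sizes(toks), padded_sizes(toks, seed=7)
    print("unpadded -> recovered token lengths:", recover_token_lengths(plain))
    print("unpadded -> matched topic:", match_topic(plain, fps))
    print("padded   -> matched topic:", match_topic(padded, fps))
    print("padded   -> chunk count still visible:", len(padded))
```

Run stand-alone, the unpadded stream gives back the exact token lengths and matches the pre-recorded topic, while the padded stream matches nothing. It also shows what padding does not hide in this model: the number of chunks, and so the token count, is unchanged, so random filler addresses only the size dimension of the leak; timing and chunk-count features remain for an observer to exploit.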

[…]

Source: LLM side-channel attack could allow snoops to guess topic • The Register

Hacking Buttons Back Into The Car Stereo

To our younger readers, a car without an all-touchscreen “infotainment” system may look clunky and dated, but really, you kids don’t know what they’re missing. Buttons, knobs, and switches all offer a level of satisfying tactility and feedback that touchscreens totally lack. [Garage Builds] on YouTube agrees; he also doesn’t like the way his aftermarket Kenwood head unit looks in his 2004-vintage Nissan. That’s why he decided to take matters into his own hands, and hack the buttons back on.

Rather than source a vintage stereo head unit, or try and DIY one from scratch, [Garage Builds] has actually hidden the modern touchscreen unit behind a button panel. That button panel is actually salvaged from the stock stereo, so the looks fit the car. The stereo’s LCD gets replaced with a modern color unit, but otherwise it looks pretty stock at the end.

Adding buttons to the Kenwood is all possible thanks to steering-wheel controls. In order to make use of those, the touchscreen head unit came with a little black box that translated the button press into some kind of one-wire protocol that turned out to be an inverted and carrier-less version of the NEC protocol used in IR TV remotes. (That bit of detective work comes from [michaelb], who figured all this out for his Ford years ago, but [Garage Builds] is also sharing his code on GitHub.)
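For readers who want to see what the head unit is actually being fed, here is the standard NEC frame modelled as level/duration pairs, with a switch for the inverted, carrier-less form described above. This is an added example, not [Garage Builds]’ or [michaelb]’s code: the Kenwood’s address and command assignments are not on the page, so the values used are made up, and the timings are the published NEC ones (9 ms/4.5 ms leader, 562.5 µs unit, 8-bit address and command each followed by its complement, LSB first).

```python
# Standard NEC remote-control frame encoder/decoder, carrier removed.
UNIT = 562                                 # µs; the spec's 562.5 µs burst, rounded
LEADER_MARK, LEADER_SPACE = 9000, 4500
ZERO_SPACE, ONE_SPACE = UNIT, 3 * UNIT     # 0 = one unit of space, 1 = three units

def _levels(inverted):
    """(mark level, space level). The inverted form idles high and pulls low for
    a mark, as a demodulated receiver output does; the plain form is the opposite."""
    return (0, 1) if inverted else (1, 0)

def nec_frame(address, command, inverted=False):
    """Encode one frame: leader, then address, ~address, command, ~command
    (8 bits each, LSB first), then the terminating burst. Returns [(level, µs), ...]."""
    mark, space = _levels(inverted)
    frame = [(mark, LEADER_MARK), (space, LEADER_SPACE)]
    for byte in (address & 0xFF, ~address & 0xFF, command & 0xFF, ~command & 0xFF):
        for i in range(8):
            frame.append((mark, UNIT))
            frame.append((space, ONE_SPACE if (byte >> i) & 1 else ZERO_SPACE))
    frame.append((mark, UNIT))
    return frame

def nec_decode(frame, inverted=False, tol=0.25):
    """Decode a captured frame with ±tol timing tolerance. Raises ValueError on a
    bad leader, an out-of-range pulse, a short frame, or a failed complement check."""
    mark, space = _levels(inverted)
    def near(actual, nominal):
        return abs(actual - nominal) <= nominal * tol
    def expect(idx, level, nominal):
        if idx >= len(frame) or frame[idx][0] != level or not near(frame[idx][1], nominal):
            raise ValueError(f"unexpected pulse at index {idx}")
    expect(0, mark, LEADER_MARK)
    expect(1, space, LEADER_SPACE)
    bits = []
    for n in range(32):
        idx = 2 + 2 * n
        expect(idx, mark, UNIT)
        if idx + 1 >= len(frame) or frame[idx + 1][0] != space:
            raise ValueError(f"expected space at index {idx + 1}")
        dur = frame[idx + 1][1]
        if near(dur, ONE_SPACE):
            bits.append(1)
        elif near(dur, ZERO_SPACE):
            bits.append(0)
        else:
            raise ValueError(f"bad bit space {dur} µs at index {idx + 1}")
    expect(66, mark, UNIT)
    addr, naddr, cmd, ncmd = (sum(bits[8 * k + i] << i for i in range(8)) for k in range(4))
    if naddr != ~addr & 0xFF or ncmd != ~cmd & 0xFF:
        raise ValueError("complement check failed")
    return addr, cmd

def is_valid_frame(frame, inverted=False):
    try:
        nec_decode(frame, inverted=inverted)
        return True
    except ValueError:
        return False

def corrupt_bit(frame, bit_index):
    """Copy of the frame with data bit bit_index (0..31) flipped by swapping its space length."""
    frame = list(frame)
    idx = 3 + 2 * bit_index
    level, dur = frame[idx]
    frame[idx] = (level, ZERO_SPACE if dur == ONE_SPACE else ONE_SPACE)
    return frame

if __name__ == "__main__":
    # Made-up address/command; the head unit's real table is not on the page.
    f = nec_frame(0x10, 0x2A, inverted=True)
    print(f[:4], "...", len(f), "pulses")
    print("decoded:", nec_decode(f, inverted=True))
    print("bit-flipped frame accepted?", is_valid_frame(corrupt_bit(f, 24), inverted=True))
```

The complement bytes are the protocol’s only integrity check, which is why a scanner firmware bit-banging these codes can afford to be sloppy about timing but not about sending ~address and ~command correctly.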

Having the protocol, it simply becomes a matter of grabbing a microcontroller to scan the stock buttons and output the necessary codes to the Kenwood head unit. Of course now he has extra buttons, since the digital head unit has no tape or CD changer to control, nor AM/FM radio to tune. Those get repurposed for the interior and exterior RGB lighting [Garage Builds] has ̶i̶n̶f̶l̶i̶c̶t̶e̶d̶  mounted on this ̶p̶o̶o̶r̶ lovely car. (There’s no accounting for taste. Some of us love the look and some hate it, but he’s certainly captured an aesthetic, and now has easy control of it to boot.) [Garage Builds] has got custom digital gauges to put into the dash of his Nissan, and some of the extra buttons have been adapted to control those, too.

The whole car is actually a rolling hack as you can see from the back catalog of the [Garage Builds] YouTube channel, which might be worth a look if you’re in the intersection of the “electronics enthusiast” and “gearhead” Venn Diagram.

There’s no accounting for taste, but we absolutely agree with him that making everything black rectangles is the death of industrial design.

This isn’t the first time we’ve seen retro radios hacked together with micro-controllers; take a look at this one from a 1970s Toyota. Now that’s vintage!

Source: Hacking Buttons Back Into The Car Stereo | Hackaday

Suspected Chinese snoops use unpatched Windows flaw, abused since 2017, to spy on EU politicians

Cyber spies linked to the Chinese government exploited a Windows shortcut vulnerability disclosed in March – but that Microsoft hasn’t fixed yet – to target European diplomats in an effort to steal defense and national security details.

Security firm Arctic Wolf attributed the espionage campaign to UNC6384 (aka Mustang Panda, Twill Typhoon), and in research published Thursday detailed how the suspected PRC spies used social engineering and the Windows flaw to deploy PlugX malware against personnel attending diplomatic conferences in September and October.

“This campaign demonstrates UNC6384’s capability for rapid vulnerability adoption within six months of public disclosure, advanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and operational expansion from traditional Southeast Asia targeting to European diplomatic entities,” the Arctic Wolf Labs threat research team said.

[…]

Zero Day Initiative threat hunter Peter Girnus discovered and reported this flaw to Microsoft in March, and said it had been abused as a zero-day as far back as 2017, with 11 state-sponsored groups from North Korea, Iran, Russia, and China abusing ZDI-CAN-25373 for cyber espionage and data theft purposes.

Blame ZDI-CAN-25373

The attacks begin with phishing emails using very specific themed lures around European defense and security cooperation and cross-border infrastructure development. Those emails delivered a weaponized LNK file which exploited ZDI-CAN-25373 (aka CVE-2025-9491), a Windows shortcut vulnerability, to let the attackers secretly execute commands by adding whitespace padding within the LNK file’s COMMAND_LINE_ARGUMENTS structure.
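A defender can look for the padding trick directly in the file: the COMMAND_LINE_ARGUMENTS string sits in the LNK’s StringData section, and a long run of whitespace in front of the real command line is what pushes it out of the Properties dialog. Below is an added example, not Arctic Wolf’s or ZDI’s tooling: a minimal MS-SHLLINK StringData extractor plus that heuristic. The sample .lnk blobs are constructed in the code by build_lnk(), the 20-character run threshold is an assumption, and ANSI (non-Unicode) strings are decoded as cp1252, which is also an assumption.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their LinkFlags bit is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON, "icon_location")]
WHITESPACE = " \t\n\r\x0b\x0c"      # space, tab, LF, CR, VT, FF: the padding characters
VERTICAL = "\n\r\x0b\x0c"           # almost never legitimate inside a command line

def parse_lnk_strings(data):
    """Check the ShellLinkHeader, skip LinkTargetIDList and LinkInfo, decode StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                  # IDListSize (uint16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            strings[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                # system code page in reality; cp1252 assumed here
            strings[field] = data[pos:pos + count].decode("cp1252")
            pos += count
    return strings

def longest_whitespace_run(text):
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch in WHITESPACE else 0
        best = max(best, cur)
    return best

def analyze_lnk(data, threshold=20):
    """Flag COMMAND_LINE_ARGUMENTS that hide the real command behind whitespace padding."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = longest_whitespace_run(args)
    vertical = any(ch in VERTICAL for ch in args)
    return {"arguments": args.strip(WHITESPACE), "longest_whitespace_run": run,
            "vertical_whitespace": vertical, "suspicious": run >= threshold or vertical}

def build_lnk(arguments, name="Agenda", unicode=True):
    """Constructed fixture: header + NAME_STRING + COMMAND_LINE_ARGUMENTS, nothing else."""
    flags = HAS_NAME | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    enc = (lambda s: s.encode("utf-16-le")) if unicode else (lambda s: s.encode("cp1252"))
    body = b"".join(struct.pack("<H", len(s)) + enc(s) for s in (name, arguments))
    return header + body

if __name__ == "__main__":
    benign = build_lnk("/c echo hello")
    # Constructed lookalike of the trick: 300 spaces before a harmless stand-in command.
    padded = build_lnk(" " * 300 + '/c powershell.exe -WindowStyle Hidden -Command "Start-Process notepad"')
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, analyze_lnk(blob))
```

Against real samples, feed the file bytes to analyze_lnk(); the parser tolerates the IDList and LinkInfo blocks a genuine shortcut carries, and the stripped arguments field gives you the command line the user would never have seen.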

The malicious files, such as one named Agenda_Meeting 26 Sep Brussels.lnk, use diplomatic conference themes as lures along with a decoy PDF document, in this case displaying a real European Commission meeting agenda on facilitating the free movement of goods at border crossing points between the EU and Western Balkan countries.

The LNK file, when executed, invokes PowerShell to decode and extract a tar (tape archive) archive containing three files to enable the attack chain via DLL side-loading, a malware delivery technique favored by several Chinese government crews, including Salt Typhoon.

DLL sideloading exploits the Windows DLL search order by tricking an application into loading a malicious DLL instead of the legitimate one.

The three files include a legitimate, but expired, Canon printer assistant utility with a valid digital signature issued by Symantec. Although the certificate expired in April 2018, Windows trusts binaries whose signatures include a valid timestamp, so this allows the attackers to bypass security tools and deliver malware using DLL sideloading.

The malicious DLL functions as a loader to decrypt and execute the third file in the archive, cnmplog.dat, which contains the encrypted PlugX payload.

PlugX, which has been around since at least 2008, is a Remote Access Trojan (RAT) that gives attackers the usual remote access capabilities, including command execution, keylogging, file uploading and downloading, persistent access, and system reconnaissance.

“This three-stage execution flow completes the deployment of PlugX malware running stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions,” the researchers wrote.

[…]

Source: Suspected Chinese snoops weaponize unpatched Windows flaw • The Register

AI generates surge in expense receipt fraud

[…] Software provider AppZen said fake AI receipts accounted for about 14 per cent of fraudulent documents submitted in September, compared with none last year. Fintech group Ramp said its new software flagged more than $1mn in fraudulent invoices within 90 days.

About 30 per cent of US and UK financial professionals surveyed by expense management platform Medius reported they had seen a rise in falsified receipts following the launch of OpenAI’s GPT-4o last year.

[Image: An AI-generated receipt © AppZen]

“These receipts have become so good, we tell our customers, ‘do not trust your eyes’,” said Chris Juneau, senior vice-president and head of product marketing for SAP Concur, one of the world’s leading expense platforms, which processes more than 80mn compliance checks monthly using AI.

Several platforms attributed a significant jump in the number of AI-generated receipts after OpenAI launched GPT-4o’s improved image generation model in March.

[…]

Source: ‘Do not trust your eyes’: AI generates surge in expense fraud

Using EtherHiding to insert malware into blockchains to scam job seekers, steal wallets and gain corporate entry

[…] a technique called EtherHiding, hiding malware inside blockchain smart contracts to sneak past detection and ultimately swipe victims’ crypto and credentials, according to Google’s Threat Intelligence team.

A Pyongyang goon squad that GTIG tracks as UNC5342 has been using this method since February in its Contagious Interview campaign, we’re told.

The criminals pose as recruiters, posting fake profiles on social media along the lines of Lazarus Group’s Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the Norks target software developers, especially those working in cryptocurrency and tech, trick them into downloading malware disguised as a coding test, and ultimately steal sensitive information and cryptocurrency, while gaining long-term access to corporate networks.

Hiding on the blockchain

To do this, they use EtherHiding, which involves embedding malicious code into a smart contract on a public blockchain, turning the blockchain into a decentralized and stealthy command-and-control server.

Because it’s decentralized, there isn’t a central server for law enforcement to take down, and the blockchain makes it difficult to trace the identity of whoever deployed the smart contract. This also allows attackers to retrieve malicious payloads using read-only calls with no visible transaction history on the blockchain.

“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google’s threat hunters Blas Kojusner, Robert Wallace, and Joseph Dobson said in a Thursday report.

[…]

“EtherHiding presents new challenges as traditional campaigns have usually been halted by blocking known domains and IPs,” the security researchers wrote. “Malware authors may leverage the blockchain to perform further malware propagation stages since smart contracts operate autonomously and cannot be shut down.”

The good news: there are steps administrators can take to prevent EtherHiding attacks, with the first – and most direct – being to block malicious downloads. This typically involves setting policy to block certain types of files including .exe, .msi, .bat, and .dll.

Admins can also set policy to block access to known malicious websites and URLs of blockchain nodes, and enforce safe browsing via policies that use real-time threat intelligence to warn users of phishing sites and suspicious downloads.

Source: Norks abuse blockchains to scam job seekers, steal wallets • The Register

Prosper data breach impacts 17.6 million accounts

Hackers stole the personal information of over 17.6 million people after breaching the systems of financial services company Prosper.

Prosper operates as a peer-to-peer lending marketplace that has helped over 2 million customers secure more than $30 billion in loans since its founding in 2005.

As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.

However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn’t shared what information was exposed beyond Social Security numbers because it’s still investigating what data was affected.

[…]

“We have evidence that confidential, proprietary, and personal information, including Social Security Numbers, was obtained, including through unauthorized queries made on Company databases that store customer information and applicant data.

[…]

While Prosper didn’t share how many customers were affected by this data breach, data breach notification service Have I Been Pwned revealed the extent of the incident on Thursday, reporting that it affected 17.6 million unique email addresses.

The stolen information also includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details.

[…]

Source: Have I Been Pwned: Prosper data breach impacts 17.6 million accounts

Also no mention of how easy it was to perform these “unauthorised queries” on the database, or of why there is a difference between 2m customers and 17.6m records.

Microsoft warns of ‘payroll pirate’ attacks against US universities

Microsoft’s Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.

In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday.

The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation “payroll pirate,” a nod to the way crooks plunder staff wages without touching the employer’s systems directly.

Storm-2657’s campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques. Once in, the attackers breach Exchange Online accounts and insert inbox rules to hide or delete HR messages. From there, they use stolen credentials and SSO integrations to access Workday and tweak direct deposit information, ensuring that future payments go straight to them.

Microsoft stresses that the attacks don’t exploit a flaw in Workday itself. The weak points are poor MFA hygiene and sloppy configurations, with Redmond warning that organizations still relying on legacy or easily-phished MFA are sitting ducks.

“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained. It says these lures were crafted with academic precision: fake HR updates, reports of faculty misconduct, or notes about illness clusters, often linked through shared Google Docs to bypass filtering and appear routine.

In one instance, a phishing message urging recipients to “check their illness exposure status” was sent to 500 people within a single university, and only about 10 percent flagged it as suspicious, according to Microsoft.

[…]

Source: Microsoft warns of ‘payroll pirate’ attacks against US unis • The Register

USAF admits SharePoint privacy issue; reports of breach, shutdown of SharePoint, Teams and PowerBI

The US Air Force confirmed it’s investigating a “privacy-related issue” amid reports of a Microsoft SharePoint-related breach and subsequent service-wide shutdown, rendering mission files and other critical tools potentially unavailable to service members.

“The Department of the Air Force is aware of a privacy-related issue,” an Air Force spokesperson told The Register on Wednesday, while declining to answer specific questions about the alleged digital intrusion.

The Air Force’s confirmation follows what looks like a breach notification, shared with The Register and on social media, that purports to come from the Air Force Personnel Center Directorate of Technology and Information.

“This message is to inform you of a critical Personally Identifiable Information (PII) and Protected Health Information (PHI) exposure related to USAF SharePoint Permissions,” the notice says. “As a result of this breach, all USAF SharePoints will be blocked Air Force-wide to protect sensitive information.”

Two other Microsoft services, Teams and Power BI dashboards, will also allegedly be blocked because both access SharePoint, the alert continued, adding that restoration may take up to two weeks.

It’s unclear what services, if any, are offline right now. A DAF spokesperson said that the military branch “cannot confirm” that SharePoint and Teams have been disabled. Another person we spoke to on the phone claimed that they were “using it right now” when asked about SharePoint on Tuesday.

A Microsoft spokesperson told The Register that Redmond “has nothing to share at this time,” and declined to answer our specific questions including if the Air Force security snafu is related to July’s SharePoint fiasco.

Chinese government spies, data thieves, and at least one ransomware gang exploited a couple of SharePoint vulnerabilities over the summer, allowing them to hijack on-premises SharePoint servers belonging to more than 400 organizations and remotely execute code.

[…]

Source: Air Force admits SharePoint privacy issue; reports of breach • The Register

Chinese Hackers Breached Foreign Ministers’ Exchange Email Servers

Chinese hackers breached email servers of foreign ministers as part of a years-long effort targeting the communications of diplomats around the world, according to researchers at the cybersecurity firm Palo Alto Networks Inc.

Attackers accessed Microsoft Exchange email servers, gaining the ability to search for information at some foreign ministries, said the team at Unit 42, the threat intelligence division of Palo Alto Networks, which has been tracking the group for nearly three years.

Hackers specifically searched in the email servers for key terms related to a China-Arab summit in Riyadh, Saudi Arabia, in 2022, said Lior Rochberger, senior researcher at the company. They also searched for names including Chinese President Xi Jinping and his wife, Peng Liyuan, in the context of that summit, the researchers said.

The researchers declined to specifically identify which countries had their systems breached in the hacking campaign, but wrote in the report that the group’s targeting patterns “align consistently with the People’s Republic of China (PRC) economic and geopolitical interests.”

[…]

“When I found them searching for specific diplomatic keywords and then exfiltrating emails from embassies and military operations, I realized this was a serious intelligence collection effort,” Rochberger said.

[…]

Source: Chinese Hackers Breached Foreign Ministers’ Email Servers

So that sounds like it was the cloud version of Exchange that was targeted. You would think that countries would have some respect for their own security and not have their data in the US on a US company’s servers. But no, their procurement departments are led by idiots who are now complaining that there are no alternatives – probably because they didn’t fund the alternatives that do exist.

UK offers JLR landmark £1.5B loan to safeguard suppliers after cyberattack – and we still don’t know what happened.

The UK government is stepping in with financial support for Jaguar Land Rover, providing it with a hefty loan as it continues to battle the fallout from a cyberattack.

A government-backed loan to the tune of £1.5 billion ($2 billion) will be made available to the carmaker to support its recovery and the companies in its extensive supply chain struggling as JLR brings its invoicing systems back online.

Business secretary Peter Kyle said: “This cyberattack was not only an assault on an iconic British brand, but on our world-leading automotive sector and the men and women whose livelihoods depend on it.

“Following our decisive action, this loan guarantee will help support the supply chain and protect skilled jobs in the West Midlands, Merseyside, and throughout the UK.

“We’re backing our automotive sector for the long term through our modern Industrial Strategy and the landmark trade deals we’ve signed to boost exports, as part of our Plan for Change.”

[…]

JLR’s production plants have remained closed since August 31, and the impact on its suppliers – and local communities – is said to be severe.

Workers and their families fear for their jobs after seeing suppliers, many of which rely on their big JLR contracts, already initiate redundancy proceedings.

Then there are the smaller businesses that serve local communities. With JLR’s main production plants being based in Solihull and Halewood – employing roughly 9,000 and 3,000 workers respectively – businesses such as sandwich shops and cafes have seen a significant loss in revenue.

When these businesses lose out, so do their suppliers, such as bakers and butchers, meaning the impact of JLR’s attack extends far beyond what is typical for such cases.

[…]

It is estimated that the impact of the cyberattack threatens around 120,000 jobs at JLR and companies across its supply chain.

David Bailey, professor of business economics at the University of Birmingham, said JLR could be hemorrhaging between £5-10 million ($6-13 million) for every day that production remains halted.

He estimated that JLR could ultimately lose out on £2.2 billion ($2.9 billion) in revenue and £150 million ($202 million) in profit.

[…]

Source: UK offers JLR landmark £1.5B loan to safeguard suppliers • The Register

Chinese hackers breach US software and law firms amid trade fight

A team of suspected Chinese hackers has infiltrated US software developers and law firms in a sophisticated campaign to collect intelligence that could help Beijing in its ongoing trade fight with Washington, cybersecurity firm Mandiant said Wednesday.

The hackers have been rampant in recent weeks, hitting the cloud-computing firms that numerous American companies rely on to store key data, Mandiant, which is owned by Google, said. In a sign of how important China’s hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms’ proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

The FBI is investigating the intrusions and US officials are still trying to understand the full scope of the hacks, sources told CNN.

It’s a fresh five-alarm fire for the FBI’s cyber experts, who at any given time are investigating multiple sophisticated Chinese cyber-espionage campaigns aimed at US government and corporate secrets.

In some cases, the hackers have lurked undetected in the US corporate networks for over a year, quietly collecting intelligence, Mandiant said.

The disclosure comes after the Trump administration escalated America’s trade war with China this spring by slapping unprecedented tariffs on Chinese exports to the United States. The tit-for-tat tariffs set off a scramble in both governments to understand each other’s positions.

[…]

Source: Chinese hackers breach US software and law firms amid trade fight, experts say | CNN Politics

Google confirms crims accessed portal to share data with cops

Google confirmed that miscreants created a fraudulent account in its Law Enforcement Request System (LERS) portal, which police and other government agencies use to ask for data about Google users.

“We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account,” a Google spokesperson told The Register on Tuesday. “No requests were made with this fraudulent account, and no data was accessed.”

Google’s admission follows BreachForums posts by Scattered Lapsus$ Hunters – this is the gang allegedly made up of members from three other notorious cybercrime crews, Scattered Spider, ShinyHunters, and Lapsus$. Shortly after announcing their retirement from the ransomware biz, they indicated via screenshots that they had access to Google LERS, as well as the FBI’s National Instant Criminal Background Check System (NICS), a federal system that provides background checks on would-be gun buyers to ensure they aren’t prohibited from owning a firearm. The FBI declined to comment on the extortionists’ claims.

[…]

Source: Google confirms crims accessed its law enforcement portal • The Register

Small Businesses Face a New Threat: Pay Up or Be Flooded With Bad Reviews

Scammers are extorting small businesses worldwide by threatening to flood their Google Maps profiles with fake one-star reviews or demanding payment to remove reviews already posted, according to The New York Times. Fraudsters target service businesses dependent on online ratings — movers, roofers, contractors — demanding hundreds of dollars per incident. The Times story documents many cases, including that of Los Angeles contractor Natalia Piper, who paid $250 to multiple scammers after her rating plummeted from 5.0 to 3.6 stars.

Industry watchdog Fake Review Watch documented over 150 affected businesses globally. The scammers typically operate from Pakistan and Bangladesh using WhatsApp to contact victims.

Source: Small Businesses Face a New Threat: Pay Up or Be Flooded With Bad Reviews

NB The article says that Google will remove fake reviews, but my experience is that there is a non-transparent review process that takes over half a year and then ends up with no removal (despite all the reviews placed by the reviewers being negative and repetitive, eg. saying things like “does not pay bills”) with absolutely no recourse.

Plex tells users to reset passwords after new data breach. Again.

Popular media streaming platform Plex has informed its users of yet another data breach, urging them to change their passwords as soon as possible. 

Criminals often target media streaming platforms because they deal with sensitive information. Plex has fallen victim to a similar intrusion in the past, and a couple of years ago went through a very similar situation.

Now, Plex has revealed that an unauthorized third party gained access to one of its databases, exposing information on a limited number of customers.

The compromised data may include email addresses, usernames, securely hashed passwords, and authentication information. The company underlines that no credit card information has been affected because that type of information is not stored on those kinds of servers.

It’s a relief that the passwords are hashed because it means they are not readable, but it’s still a good idea to change the Plex passwords as quickly as possible.

Containment and response

According to Plex, the breach was contained quickly, and the method the attacker used was identified and addressed.

“We sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring,” said the company.

Plex has outlined two actions users must take, depending on their sign-in methods:

Password-based login: Users have to reset their Plex account password immediately via ‘https://plex.tv/reset’. The company recommends checking the option to “Sign out connected devices after password change,” which will log out all devices and require reauthentication with the new password.

SSO login: Users should log out of all active sessions through ‘https://plex.tv/security’ and sign back in as normal.

Plex is also strongly encouraging users to enable two-factor authentication (2FA) for added protection if they haven’t already done so.

Source: Plex tells users to reset passwords after new data breach

Stolen Salesforce Drift OAuth tokens expose Palo Alto customer data

Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.

Marc Benoit, chief information security officer at PAN, confirmed in a note to clients – seen by The Register – that it was informed on August 25 that the “compromise of a third-party application, Salesloft’s Drift, resulted in the access and exfiltration of data stored in our Salesforce environment.”

It immediately disconnected the third-party application from its Salesforce CRM, he said. “The investigation [by the Unit 42 team] confirms that the event was isolated to our Salesforce environment and did not affect any Palo Alto Networks products, systems or services.”

Benoit said it “further confirmed that the data involved includes primarily customer business contact information, such as names and contact info, company attributes, and basic customer support case information. It is important to note that no tech support files or attachments to any customer support cases were part of the exfiltration.”

[…]

The breach of the Drift application has led to supply chain attacks at “hundreds” of organizations, including PAN, said Benoit in a blog post. He said the “incident” was “isolated to our CRM platform.”

Google said last week that it didn’t have enough signs to confirm that the recent spate of Salesforce data thefts claimed by ShinyHunters on Google itself, Workday, Allianz, Qantas and LVMH brand Dior were connected to the same group that masterminded the Salesloft attack.

The Unit 42 team at PAN advised organizations to monitor Salesforce and Salesloft updates, and take steps such as token revocation to secure platforms. It recommends conducting a review of all Drift integrations and all authentication activity with third-party systems for evidence of “suspicious connections, credential harvesting and data exfiltration.”

Unit 42 also recommends that you probe your Salesforce log-in history, audit trail, and API access logs from August 8 – when Salesloft says attackers first used “OAuth credentials to exfiltrate data from our customers’ Salesforce instances” – to the present day. It also advises combing over Identity Provider Logs and Network Logs.
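Two of the signals that review is looking for, bulk record pulls by the Drift connected app after August 8 and the app's token suddenly arriving from addresses it never used before, can be pulled out of an API event export. The script below is an added example, not Unit 42's or Salesforce's tooling: it assumes API events exported as CSV with the column names used in the constructed sample (modelled on Salesforce EventLogFile API events, but treat the names and the 5,000-row threshold as assumptions).

```python
"""Flag bulk pulls and new source addresses per connected app in Salesforce API events.
Columns TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, ENTITY_NAME, METHOD_NAME,
ROWS_PROCESSED, CLIENT_IP are an assumption; map your export onto them.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Salesloft's stated start of token abuse (from the article); everything after it is in scope.
CUTOFF = datetime(2025, 8, 8, tzinfo=timezone.utc)
# Rows returned to one app/user/object in a single day above which we call it a bulk pull.
BULK_ROWS = 5000

# Constructed sample log (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED,CLIENT_IP
2025-08-05T10:12:00Z,drift-integration@example.com,Drift,Contact,query,180,203.0.113.10
2025-08-09T02:14:03Z,drift-integration@example.com,Drift,Contact,query,9800,198.51.100.7
2025-08-09T02:15:40Z,drift-integration@example.com,Drift,Case,query,12000,198.51.100.7
2025-08-09T02:17:02Z,drift-integration@example.com,Drift,Account,query,4100,198.51.100.7
2025-08-10T09:00:00Z,sales.rep@example.com,Salesforce for Outlook,Contact,query,25,192.0.2.44
2025-08-11T03:01:10Z,drift-integration@example.com,Drift,Contact,query,7000,198.51.100.8
"""

def parse_events(text: str) -> list:
    """CSV text -> list of dicts with a parsed UTC timestamp and integer row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["rows"] = int(row["ROWS_PROCESSED"])
        events.append(row)
    return events

def bulk_pulls(events: list, cutoff: datetime = CUTOFF, threshold: int = BULK_ROWS) -> list:
    """Per day, app, user and object: total rows queried after the cutoff, reported when above threshold."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff or e["METHOD_NAME"].lower() != "query":
            continue
        key = (e["ts"].date().isoformat(), e["CLIENT_NAME"], e["USER_NAME"], e["ENTITY_NAME"])
        totals[key] += e["rows"]
        ips[key].add(e["CLIENT_IP"])
    findings = [{"day": k[0], "app": k[1], "user": k[2], "entity": k[3],
                 "rows": v, "ips": sorted(ips[k])} for k, v in totals.items() if v > threshold]
    return sorted(findings, key=lambda f: (-f["rows"], f["day"]))

def new_source_ips(events: list, cutoff: datetime = CUTOFF) -> dict:
    """App -> addresses seen after the cutoff that the app never used before it (replayed-token signal)."""
    before, after = defaultdict(set), defaultdict(set)
    for e in events:
        (before if e["ts"] < cutoff else after)[e["CLIENT_NAME"]].add(e["CLIENT_IP"])
    return {app: sorted(ips - before[app]) for app, ips in after.items() if ips - before[app]}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in bulk_pulls(evs):
        print(f"{f['day']} {f['app']} as {f['user']} pulled {f['rows']} {f['entity']} rows from {f['ips']}")
    for app, ips in new_source_ips(evs).items():
        print(f"{app}: first seen from {ips} only after {CUTOFF.date()}")
```

An app with no pre-cutoff baseline (the Outlook client in the sample) shows up in new_source_ips too; treat those entries as "unknown", not as alerts.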

Source: Stolen OAuth tokens expose Palo Alto customer data • The Register

TransUnion says hackers stole 4.4 million customers’ personal information (breached AGAIN!!!)

Credit reporting giant TransUnion has disclosed a data breach affecting more than 4.4 million customers’ personal information.

In a filing with Maine’s attorney general’s office on Thursday, TransUnion attributed the July 28 breach to unauthorized access of a third-party application storing customers’ personal data for its U.S. consumer support operations.

TransUnion claimed “no credit information was accessed,” but provided no immediate evidence for its claim. The data breach notice did not specify what specific types of personal data were stolen.

In a separate data breach disclosure filed later on Thursday with Texas’ attorney general’s office, TransUnion confirmed that the stolen personal information includes customers’ names, dates of birth, and Social Security numbers.

[…]

TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. It’s the latest U.S. corporate giant to have been hacked in recent weeks following a wave of hacks targeting the insurance, retail, and transportation and airline industries.

[…]

Source: TransUnion says hackers stole 4.4 million customers’ personal information | TechCrunch

Well done TransUnion. In 2023 it lost a massive data dump (which they accept and then say no, wasn’t us) and in 2017 it got its customers to download malware (and again said, yes it was us but it wasn’t). You would think that at some point they would learn, but the penalties are apparently too small to care.

And considering it actually says that they verify personal identities, and sell identity protection services – and who knows if those “customers” actually know that they are customers – the quantity and scale of these breaches is simply unacceptable. The company can obviously not handle its tasking and should by now be broken down.

FBI cyber cop: Salt Typhoon pwned ‘nearly every American’

China’s Salt Typhoon cyberspies hoovered up information belonging to millions of people in the United States over the course of the years-long intrusion into telecommunications networks, according to a top FBI cyber official.

“There’s a good chance this espionage campaign has stolen information from nearly every American,” Michael Machtinger, deputy assistant director for the FBI’s cyber division, told The Register.

[…]

The Beijing-backed spying campaign began at least in 2019 but wasn’t uncovered by US authorities until last fall. On Wednesday, US law enforcement and intelligence agencies along with those from 12 other countries warned the ongoing espionage activity expanded far beyond nine American telcos and government networks. According to Machtinger, at least 80 countries were hit by the digital intrusions.

Around 200 American organizations were compromised by the espionage activity, Machtinger said, including the previously disclosed telecommunications firms such as Verizon and AT&T.

Yesterday’s joint security alert also pointed the allies’ collective finger at three China-based entities affiliated with Salt Typhoon: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. These companies, and likely others, provide cyber products and services to China’s Ministry of State Security and People’s Liberation Army, the governments said.

[…]

This indiscriminate targeting, as the FBI and White House security officials have previously noted, allowed Beijing’s snoops to geo-locate millions of mobile phone users, monitor their internet traffic, and, in some cases, record their phone calls. Victims reportedly included President Donald Trump and Vice President JD Vance.

Machtinger declined to confirm whether Trump and Vance were among those surveilled, but did say that victims included more than 100 current and former presidential administration officials.

[…]

Source: FBI cyber cop: Salt Typhoon pwned ‘nearly every American’ • The Register

It’s quite telling that you only have to breach 200 organisations to gain information on 350 million Americans.

German banks block EUR 10B in ‘unauthorized’ PayPal direct debits

Shoppers and merchants in Germany found themselves dealing with billions of euros in frozen transactions this week, thanks to an apparent failure in PayPal’s fraud-detection systems.

According to the Association of German Banks, the problem hit on Monday when banks noticed a slew of recent unauthorized direct debits from PayPal. The body said the banks responded in various ways, which is one way of putting it – the Süddeutsche Zeitung reported that some stopped all PayPal transactions, with the total number of frozen payments likely to be around €10 billion.

A spokesperson for the German Savings Banks Association (DSGV), which represents hundreds of regional banks across the country, confirmed the issue to The Register. The DSGV said PayPal had assured it the problem was resolved, adding that PayPal payments had been running smoothly since Tuesday morning and the US payments platform was informing affected customers “directly.”

The DSGV said the unauthorized payments had a “significant impact on transactions throughout Europe, particularly in Germany.” However, there have been no confirmed reports of the incident being felt outside Germany. Austrian media reported that the banks there had seen no problems.

[…]

PayPal’s reputational hit in Germany is likely to be exacerbated by last week’s reports of hackers offering millions of PayPal credentials that they claimed PayPal had recently exposed in plaintext. The hackers’ claims appear dubious, with PayPal denying any recent breach, but the reports gained significant traction in Germany.

“It’s possible that the data is incorrect or outdated,” read a Wednesday advisory from the German consumer organization Stiftung Warentest, which bundled the leak report with this week’s snafu. “Nonetheless, PayPal users should change their passwords as a precaution.”

Source: Euro banks block ‘unauthorized’ PayPal direct debits • The Register

Farmers Insurance data breach impacts 1.1M people after Salesforce attack

U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks.

Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide.

The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025.

“On May 30, 2025, one of Farmers’ third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor’s databases containing Farmers customer information (the “Incident”),” reads the data breach notification on its website.

[…]

The company says that its investigation determined that customers’ names, addresses, dates of birth, driver’s license numbers, and/or last four digits of Social Security numbers were stolen during the breach.

Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General’s Office, stating that a combined total of 1,111,386 customers were impacted.

[…]

Source: Farmers Insurance data breach impacts 1.1M people after Salesforce attack

Boffins release 5G traffic sniffing tool

“Sni5Gect [is] a framework that sniffs messages from pre-authentication 5G communication in real-time,” the researchers from the Singapore University of Technology and Design explained of their work, presented this week at the 34th USENIX security bash, “and injects targeted attack payload in downlink communication towards the UE [User Equipment, i.e. a phone].”

Designed to take advantage of the period just after a device connects to a 5G network and is still in the process of handshaking and authentication – which, the team points out, can occur when entering or leaving a lift, disembarking a plane and turning aeroplane mode off, or even passing through a tunnel or parking garage – Sni5Gect takes advantage of unencrypted messaging between the base station and a target handset.

“Since messages exchanged between the gNB [Next-Generation Node B, the base station] and the UE are not encrypted before the security context is established (pre-authentication state),” the researchers wrote, “an attacker does not require knowledge of the UE’s credentials to sniff uplink/downlink [traffic] nor to inject messages without integrity protection throughout the UE connection procedure.”

That’s a flaw, and one the framework is designed to exploit. The team’s testing showed it capable of sniffing both uplink and downlink traffic with more than 80 percent accuracy, at ranges of up to 20 meters between an off-the-shelf software-defined radio and the target mobile. For packet injection, the success rate varied between 70-90 percent – and delivered, among other things, proof of a novel downgrade attack by which a ne’er-do-well equipped with Sni5Gect could downgrade a connection from 5G to 4G to reduce its security and carry out further surveillance and attacks.

As Sni5Gect works in real-time, its creators have claimed, and can inject attack payloads, including multi-stage attacks, based on protocol state, it’s suited to fingerprinting, denial-of-service attacks, and downgrading.

“To the best of our knowledge,” they wrote in their paper’s introduction [PDF], “Sni5Gect is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB [base station].”

[…]

Not all of the capabilities claimed in the team’s paper have been fully disclosed, however. The team has kept private “other serious exploits leveraging the framework,” in order to “avoid abusing SNI5Gect to launch attacks against people’s smartphone[s].” These exploits, it is claimed, will be made available only to “trusted institutions like universities and research institutions” upon application and verification of their legitimate interest.

[…]

More information, including a link to the open-access paper, is available on the project website.

Source: Boffins release 5G traffic sniffing tool • The Register

Find the git repository here