Know What's Happening in Cybersecurity

Today's Cybersecurity Pulse

Google sues Chinese cybercrime network for AI‑driven scam campaign

Google has filed a civil lawsuit against the Chinese group Outsider Enterprise, accusing it of using the Gemini generative‑AI model to mass‑produce phishing sites and send millions of fraudulent text messages. The operation deployed roughly 9,000 fake websites, a million malicious domains and dispatched 2.5 million scam texts in two weeks, scamming hundreds of thousands and causing losses in the millions of dollars. Google says the suit aims to dismantle the network and prevent further AI‑enabled abuse.

GenDigital Research Exposes AuraStealer Infostealer Tactics
News, Jan 8, 2026

GenDigital researchers detailed AuraStealer, a modular malware‑as‑a‑service infostealer targeting Windows 7‑11 systems. The threat spreads through “scam‑yourself” TikTok videos and cracked software, then harvests credentials, session tokens, and financial data. AuraStealer employs advanced evasion such as exception‑driven API hashing, Heaven’s...

By eSecurity Planet

135% Surge: Inside the Holiday Bot Attacks of December 2025
News, Jan 8, 2026

In December 2025, malicious bot traffic surged 135% year‑over‑year, turning the holiday season into a cyber‑fraud hotspot. AI‑enhanced bots mimicked human browsing, generated high‑fidelity synthetic identities, and performed adaptive reconnaissance, making detection harder. The spike spanned vulnerability scanning, credential stuffing,...

By Security Boulevard

Securing MCP Servers at Scale: How to Govern AI Agents with an Enterprise Identity Fabric
News, Jan 8, 2026

Enterprises are witnessing a rapid, uncontrolled rollout of Model Context Protocol (MCP) servers, with research showing 15.28% of a 10,000‑person workforce running an average of two servers each. Most deployments use full‑privilege personal access tokens, store credentials in plaintext, and...

By Security Boulevard

When the Vendor Becomes the Customer: Building Internal Tools on an Agentic IAM Platform
News, Jan 8, 2026

Aembit’s test automation team built an internal dashboard to aggregate nightly test results from Qase.io and Slack, using the Aembit Workload IAM platform for runtime credential injection. By centralizing access policies, the Flask‑Vue service never handled static API keys, eliminating...

By Security Boulevard

US Man Jailed After FBI Traced 1,100 IP Addresses in Cyberstalking Case
News, Jan 8, 2026

A 25‑year‑old Montana man, Jeremiah Daniel Starr, received a 46‑month federal prison sentence for a three‑year cyberstalking campaign that escalated into a fake shooting inside the victim's apartment. Investigators uncovered his use of more than 50 phone numbers and NordVPN...

By HackRead

How to Protest Safely in the Age of Surveillance
News, Jan 8, 2026

Protests erupted after a federal officer killed Renee Nicole Good in Minneapolis, sparking nationwide unrest against the Trump administration's immigration policies. Activists warn that modern surveillance tools—from IMSI catchers to facial‑recognition cameras—are being deployed to monitor and suppress dissent. The...

By WIRED (Security)

Texas Court Blocks Samsung From Tracking TV Viewing, Then Vacates Order
News, Jan 8, 2026

A Texas district court issued a temporary restraining order (TRO) on Jan. 5 prohibiting Samsung from collecting audio and visual data from smart TVs using Automated Content Recognition (ACR). The order cited deceptive enrollment practices and alleged Chinese Communist Party access to...

By BleepingComputer

Texas Court Blocks Samsung From Collecting Smart TV Viewing Data
News, Jan 8, 2026

A Texas district court issued a temporary restraining order prohibiting Samsung from collecting, selling, or transferring audio‑visual data from smart TVs owned by Texas residents. The order targets Samsung’s Automated Content Recognition (ACR) system, which captures screenshots every 500 milliseconds...

By BleepingComputer

New Zero-Click Attack Lets ChatGPT User Steal Data
News, Jan 8, 2026

Researchers at Radware disclosed a new prompt‑injection method called ZombieAgent that lets ChatGPT exfiltrate data from integrated services such as Gmail, Outlook, Google Drive, and GitHub. The technique sidesteps OpenAI’s recent URL‑modification guardrails by using pre‑built static URLs, leaking information...

By Infosecurity Magazine

China-Linked UAT-7290 Targets Telecom Networks in South Asia
News, Jan 8, 2026

Cisco Talos has identified a long‑running cyber‑espionage campaign, designated UAT‑7290, targeting high‑value telecommunications infrastructure across South Asia since at least 2022. The group compromises public‑facing edge devices using one‑day vulnerabilities and SSH brute‑force techniques, deploying a suite of Linux‑based tools...

By Infosecurity Magazine

The Myth of Linux Invincibility: Why Automated Patch Management Is Key to Securing the Open Source Enterprise
News, Jan 8, 2026

The article debunks the myth that Linux’s inherent security makes it invulnerable, emphasizing that unpatched vulnerabilities are a growing risk for enterprises. Recent SANS and NVD data show rising ransomware, kernel exploits, and misconfigurations targeting Linux workloads. Automated, autonomous patch...

By Security Boulevard

CISA Warns of Attacks on PowerPoint and HPE Vulnerabilities
News, Jan 8, 2026

CISA has added two high‑severity flaws to its 2026 Known Exploited Vulnerabilities (KEV) catalog: CVE‑2025‑37164, a code‑injection bug in Hewlett Packard Enterprise OneView rated 10.0, and CVE‑2009‑0556, a 9.3‑severity remote‑code‑execution issue in legacy Microsoft PowerPoint 2000‑2004. Rapid7 published a proof‑of‑concept...

By The Cyber Express

Attackers Don’t Guess and Defenders Shouldn’t Either
News, Jan 8, 2026

Enterprises now juggle an average of 45 cybersecurity products, yet breach reductions remain modest. Organizations that adopt continuous threat exposure management see far better outcomes than those relying on larger toolsets. The article argues that security teams often base defenses...

By Security Boulevard

Zero-Knowledge Compliance: How Privacy-Preserving Verification Is Transforming Regulatory Technology
News, Jan 8, 2026

Zero-knowledge proofs are emerging as a privacy-preserving alternative to traditional compliance reporting, allowing firms to demonstrate regulatory adherence without revealing sensitive data. The article highlights adoption in finance, healthcare, and cybersecurity, noting that ZK‑SNARKs and ZK‑STARKs each offer distinct trade‑offs...

By Security Boulevard

Stop Leaking API Keys: The Backend for Frontend (BFF) Pattern Explained
News, Jan 8, 2026

The article warns that any API key embedded in a frontend—web, mobile, or desktop—can be extracted, citing studies where over half of Android apps and 71 % of iOS apps leaked credentials. It recommends the Backend for Frontend (BFF) pattern, which...

By Security Boulevard

CrowdStrike to Buy Identity Security Firm SGNL for $740 Million in Cash
News, Jan 8, 2026

CrowdStrike announced a $740 million cash acquisition of identity‑security startup SGNL, aiming to embed real‑time, AI‑aware access controls into its platform. SGNL’s identity‑first solution eliminates static credentials and continuously grants or revokes permissions for human, non‑human and AI agents. The deal,...

By SecurityWeek

The Boardroom Case for Penetration Testing
News, Jan 8, 2026

Cybersecurity has shifted from an IT concern to a material business risk, with 43% of UK firms reporting breaches in the past year and average losses of £3.29 million per incident. Boards now face pressure to demonstrate proactive risk management, and...

By Security Boulevard

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
News, Jan 8, 2026

A China‑linked threat group identified as UAT‑7290 has been conducting espionage‑focused intrusions against telecom providers in South Asia and, more recently, organizations in southeastern Europe. The actor performs extensive reconnaissance before exploiting one‑day vulnerabilities and SSH brute‑force to compromise edge...

By The Hacker News

Upwind Choppy AI Simplifies Cloud Security Exploration and Investigation
News, Jan 8, 2026

Upwind has launched Choppy AI, an add‑on that embeds generative‑AI capabilities throughout its Cloud‑Native Application Protection Platform (CNAPP). The tool converts natural‑language commands into visible, editable queries and security rules, letting teams investigate inventories, policies, and vulnerabilities without opaque black‑box...

By Help Net Security

Cybersecurity at the Edge: Securing Rugged IoT in Mission-Critical Environments
News, Jan 8, 2026

Edge computing is now integral to defense, utilities and public safety, relying on rugged IoT devices that operate in extreme, disconnected environments. These deployments break traditional cybersecurity assumptions such as continuous connectivity and frequent patching, exposing critical infrastructure to heightened...

By CSO Online

New DocuSign-Themed Phishing Scam Delivers Stealth Malware to Windows Devices
News, Jan 8, 2026

Researchers have uncovered a sophisticated phishing campaign that impersonates DocuSign to deliver the Vidar information‑stealing malware to Windows computers. The attack uses a look‑alike domain and a fake installer signed with a legitimate Chinese code‑signing certificate to bypass reputation filters....

By GBHackers On Security

Methodist Homes of Alabama and Northwest Florida Is Notifying Residents and Employees of Its Second Data Breach in Seven Months.
News, Jan 8, 2026

Methodist Homes of Alabama and Northwest Florida disclosed a second data breach, stemming from a compromised employee email account accessed between May 8 and May 21, 2025. The breach exposed personal identifiers such as Social Security numbers, dates of birth, Medicare numbers, and...

By DataBreaches.net

Embracing Uncertainty with AI Agents: Vulnerability Assessment Using Pydantic AI
News, Jan 8, 2026

The article demonstrates how AI agents built with Pydantic AI can use union‑type structured output to manage uncertainty in software vulnerability triage. By allowing the model to return either a detailed CriticalVulnerability record or an UnableToAssess response, agents avoid hallucinating fields...

By Security Boulevard

How to Automate Safe Removal of Unused Code
News, Jan 8, 2026

Azul Intelligence Cloud now integrates with the open‑source OpenRewrite engine to automatically identify, flag, and safely remove unused or dead Java code. The solution combines runtime visibility from Azul Code Inventory with rule‑based refactoring, applying incremental annotations before code deletion....

By Security Boulevard

ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories
News, Jan 8, 2026

This week’s ThreatsDay bulletin highlighted a surge in cyber threats across multiple fronts. CISA expanded its KEV catalog by 245 high‑risk flaws, while a critical hard‑coded token in RustFS exposed clusters to remote takeover. OpenAI faced a court order to...

By The Hacker News

Microsoft Exchange Online Outage Blocks Access to Mailboxes via IMAP4
News, Jan 8, 2026

Microsoft confirmed an Exchange Online outage that intermittently blocks mailbox access via IMAP4, first reported at 23:35 UTC on Wednesday. The issue stems from a code conflict that introduced an authentication misconfiguration, while other connection methods remain functional. Microsoft has deployed...

By BleepingComputer

Researchers Expose WHILL Wheelchair Safety Risks via Remote Hacking
News, Jan 8, 2026

Security researchers from QED Secure Solutions uncovered a critical Bluetooth authentication flaw in WHILL’s Model C2 and Model F electric wheelchairs (CVE‑2025‑14346). The vulnerability allows attackers within range to pair with the device, seize control of movement, override speed limits,...

By SecurityWeek

Fifth of Breaches Take Two Weeks to Recover From
News, Jan 8, 2026

A new Absolute Security report, based on a poll of 750 CISOs in the US and UK, finds that endpoint disruptions from cyber‑attacks often require 3‑6 days to remediate, with 19% taking up to two weeks. The average cost to...

By Infosecurity Magazine

Microsoft to Enforce MFA for Microsoft 365 Admin Center Sign-Ins
News, Jan 8, 2026

Microsoft announced that starting next month it will require multi‑factor authentication for every user who signs into the Microsoft 365 admin center. The policy applies to all admin‑level accounts, regardless of organization size or licensing tier. Existing MFA configurations will...

By BleepingComputer

Creating a Safe Learning Environment in K-12 Schools Without Adding Complexity
News, Jan 8, 2026

Today's K‑12 schools must protect students across physical spaces, emotional climate, psychological trust, and digital platforms. Research shows that safety directly boosts engagement, participation, and academic achievement. Districts ignoring any safety dimension risk lower attendance, disrupted instruction, and eroding community...

By Security Boulevard

React2Shell Vulnerability Hit by 8.1 Million Attack Attempts
News, Jan 8, 2026

The React Server Components “Flight” protocol remote code execution flaw (CVE‑2025‑55182), known as React2Shell, has become the focus of a massive exploitation campaign. GreyNoise has logged over 8.1 million attack sessions, with daily volumes stabilizing at 300,000‑400,000 after a December peak...

By GBHackers On Security

The State of Trusted Open Source
News, Jan 8, 2026

Chainguard’s quarterly “State of Trusted Open Source” report analyzes usage of over 1,800 container images across its customer base, revealing that Python is the most popular image and that the majority of production workloads rely on a long‑tail of less‑common...

By The Hacker News

PoC Released for Unauthenticated RCE in Trend Micro Apex Central (CVE-2025-69258)
News, Jan 8, 2026

Trend Micro issued a critical patch (Build 7190) for its on‑premise Apex Central platform, addressing three remotely exploitable flaws disclosed by Tenable. The most severe, CVE‑2025‑69258, enables unauthenticated attackers to inject a malicious DLL into MsgReceiver.exe and gain SYSTEM‑level code execution....

By Help Net Security

Report: China Breached Email Systems Used by U.S. Congressional Staff
News, Jan 8, 2026

According to a Financial Times investigation, Chinese state‑linked hackers breached email systems used by staff of several influential House committees. The intrusion gave the actors access to legislative drafts, policy discussions and potentially classified briefings. U.S. officials highlighted the vulnerability...

By GBHackers On Security

Bridging the Gap Between SRE and Security: A Unified Framework for Modern Reliability
News, Jan 8, 2026

Site reliability engineering (SRE) and security teams traditionally operate in separate silos, creating friction that stalls reliability initiatives and slows security controls. The article proposes a unified framework that merges reliability goals, risk budgets, joint observability, and integrated incident response...

By Security Boulevard

US To Leave Global Forum on Cyber Expertise
News, Jan 8, 2026

The Trump administration signed an executive order on Jan. 7 withdrawing the United States from 66 international bodies, including the Global Forum on Cyber Expertise (GFCE) and the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE). Both organizations coordinate...

By Infosecurity Magazine

Trump Orders US Exit From Global Cyber and Hybrid Threat Coalitions
News, Jan 8, 2026

President Donald Trump signed a memorandum ordering the United States to withdraw immediately from three major cyber‑security coalitions: the European Centre of Excellence for Countering Hybrid Threats, the Global Forum on Cyber Expertise, and the Freedom Online Coalition. The exits...

By The Cyber Express

How Attackers Hide Processes by Abusing Kernel Patch Protection
News, Jan 8, 2026

Researchers disclosed a new Windows rootkit technique that hides malicious processes by using the legitimate PsSetCreateProcessNotifyRoutineEx API to repair ActiveProcessLinks just before the kernel’s PspProcessDelete validation runs. This timing‑based bypass evades both PatchGuard and Hypervisor‑Protected Code Integrity, allowing processes to...

By GBHackers On Security

Credential Stuffing: What It Is and How to Protect Yourself
News, Jan 8, 2026

Credential stuffing exploits reused passwords by feeding leaked username‑password pairs into login forms across services. The technique surged as data breaches and infostealer malware supply vast credential caches, with 62% of Americans admitting frequent reuse. High‑profile incidents—35,000 PayPal accounts in...

By WeLiveSecurity

Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances
News, Jan 8, 2026

Cybersecurity researchers disclosed eleven critical‑severity flaws in Coolify, an open‑source self‑hosting platform, that enable authenticated users to execute arbitrary commands as root and even escape containers. The vulnerabilities, catalogued as CVE‑2025‑66209 through CVE‑2025‑59158, carry CVSS scores from 9.4 to 10.0....

By The Hacker News

Cisco Warns of Identity Service Engine Flaw with Exploit Code
News, Jan 8, 2026

Cisco has released patches for a critical vulnerability (CVE‑2026‑20029) in its Identity Services Engine (ISE) that allows administrators to read arbitrary files via malformed XML uploads. A proof‑of‑concept exploit is publicly available, prompting Cisco to advise immediate upgrades to the...

By BleepingComputer

IPFire Update Brings New Network and Security Features to Firewall Deployments
News, Jan 8, 2026

IPFire released Core Update 199, bringing Wi‑Fi 6 and Wi‑Fi 7 support, native LLDP/CDP discovery, and a Linux 6.12.58 kernel. The update upgrades Suricata to version 8.0.2 and refines OpenVPN handling, including multiple DNS/WINS pushes. It also patches a proxy‑related CVE and improves web‑interface...

By Help Net Security

Turning Data Security Into the Defining MSP Opportunity of 2026
News, Jan 8, 2026

Managed service providers (MSPs) are facing a market shift where cybersecurity is now a core expectation rather than an optional add‑on. Data Security Posture Management (DSPM) offers a continuous, automated view of sensitive data across tenants, turning security into a...

By Security Boulevard

GitLab Patches Multiple Flaws Allowing Arbitrary Code Execution
News, Jan 8, 2026

GitLab has issued emergency patches—versions 18.7.1, 18.6.3 and 18.5.5—to close seven newly disclosed vulnerabilities affecting self‑managed instances. The flaws include two high‑severity stored and reflected cross‑site scripting bugs, missing authorization checks in AI GraphQL endpoints, and a runner‑removal issue that...

By GBHackers On Security

BlueDelta Hackers Target Microsoft OWA, Google, and Sophos VPN to Steal Credentials
News, Jan 8, 2026

Recorded Future’s Insikt Group uncovered a credential‑harvesting campaign by the Russian state‑backed BlueDelta group throughout 2025. The actors deployed phishing emails with legitimate‑looking PDFs to lure victims into fake Microsoft Outlook Web Access, Google, and Sophos VPN login portals, using...

By GBHackers On Security

CISA Tags Max Severity HPE OneView Flaw as Actively Exploited
News, Jan 8, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has designated a maximum‑severity vulnerability in Hewlett Packard Enterprise (HPE) OneView as actively exploited. Identified as CVE‑2025‑37164, the flaw permits unauthenticated code‑injection attacks that lead to remote code execution on any OneView...

By BleepingComputer

PayPal Email Scam: How It Worked Before the Fix
News, Jan 8, 2026

In December 2025 scammers hijacked PayPal’s subscription feature to generate authentic‑looking notification emails from service@paypal.com, inserting fake purchase details and a phone number to lure victims into callback scams. The abuse relied on a paused subscription triggering a legitimate “payment no...

By Security Boulevard

StackRox: Open-Source Kubernetes Security Platform
News, Jan 8, 2026

StackRox is an open‑source Kubernetes security platform that unifies build‑time image scanning, configuration analysis, and runtime telemetry. It ingests data from container images, Kubernetes APIs, and live cluster activity to drive policy checks covering vulnerabilities, privilege escalation, and network exposure....

By Help Net Security

Australian Insurer Prosura Confirms Cyber Incident, Takes Online Services Offline Amid Investigation
News, Jan 8, 2026

Australian insurer Prosura confirmed a cyber incident on Jan 3, 2026 after detecting unauthorized access to internal systems. The breach led the company to temporarily disable its self‑service portal, halting online policy purchases, claims and account management. Fraudulent phishing emails were sent...

By The Cyber Express