Intel Corporation (INTC) www.intc.com Aug 22, 2025 • 4:53 PM EDT
U.S. Government to make $8.9 billion investment in Intel common stock as company builds upon its more than $100 billion expansion of resilient semiconductor supply chain
SANTA CLARA, Calif.--(BUSINESS WIRE)-- Intel Corporation today announced an agreement with the Trump Administration to support the continued expansion of American technology and manufacturing leadership. Under terms of the agreement, the United States government will make an $8.9 billion investment in Intel common stock, reflecting the confidence the Administration has in Intel to advance key national priorities and the critically important role the company plays in expanding the domestic semiconductor industry.
The government’s equity stake will be funded by the remaining $5.7 billion in grants previously awarded, but not yet paid, to Intel under the U.S. CHIPS and Science Act and $3.2 billion awarded to the company as part of the Secure Enclave program. Intel will continue to deliver on its Secure Enclave obligations and reaffirmed its commitment to delivering trusted and secure semiconductors to the U.S. Department of Defense. The $8.9 billion investment is in addition to the $2.2 billion in CHIPS grants Intel has received to date, making for a total investment of $11.1 billion.
“As the only semiconductor company that does leading-edge logic R&D and manufacturing in the U.S., Intel is deeply committed to ensuring the world’s most advanced technologies are American made,” said Lip-Bu Tan, CEO of Intel. “President Trump’s focus on U.S. chip manufacturing is driving historic investments in a vital industry that is integral to the country’s economic and national security. We are grateful for the confidence the President and the Administration have placed in Intel, and we look forward to working to advance U.S. technology and manufacturing leadership.”
“Intel is excited to welcome the United States of America as a shareholder, helping to create the most advanced chips in the world,” said Howard Lutnick, United States Secretary of Commerce. “As more companies look to invest in America, this administration remains committed to reinforcing our country’s dominance in artificial intelligence while strengthening our national security.”
Under the terms of today’s announcement, the government agrees to purchase 433.3 million primary shares of Intel common stock at a price of $20.47 per share, equivalent to a 9.9 percent stake in the company. This investment provides American taxpayers with a discount to the current market price while enabling the U.S. and existing shareholders to benefit from Intel’s long-term business success.
The government’s investment in Intel will be a passive ownership, with no Board representation or other governance or information rights. The government also agrees to vote with the Company’s Board of Directors on matters requiring shareholder approval, with limited exceptions.
The government will receive a five-year warrant, at $20 per share for an additional five percent of Intel common shares, exercisable only if Intel ceases to own at least 51% of the foundry business.
The existing claw-back and profit-sharing provisions associated with the government’s previously dispersed $2.2 billion grant to Intel under the CHIPS Act will be eliminated to create permanency of capital as the company advances its U.S. investment plans.
Investing in America’s Future
Intel has continued to strategically invest in research, development and manufacturing in the United States since the company’s founding in 1968. Over the last five years, Intel has invested $108 billion in capital and $79 billion in R&D, the majority of which were dedicated to expanding U.S.-based manufacturing capacity and process technology.
Intel is currently undertaking a significant expansion of its domestic chipmaking capacity, investing more than $100 billion to expand its U.S. sites. The company’s newest chip fabrication site in Arizona is expected to begin high-volume production later this year, featuring the most advanced semiconductor manufacturing process technology on U.S. soil.
Since joining the company as CEO in March, Tan has taken swift actions to strengthen Intel’s financial position, drive disciplined execution and revitalize an engineering-first culture. Today’s agreement supports the company’s broader strategy to position Intel for the future.
Strengthening the U.S. Technology Ecosystem
Intel’s U.S. investments come as many leading technology companies support President Trump’s agenda to achieve U.S. technology and manufacturing leadership.
Intel is deeply engaged with current and potential customers and partners who share its commitment to building a strong and resilient U.S. semiconductor supply chain.
Satya Nadella, Chairman and Chief Executive Officer, Microsoft: “The decades-long partnership between Microsoft and Intel has pioneered new frontiers of technology and showcased the very best of American ingenuity and innovation. Intel’s continued investment in strengthening the U.S. semiconductor supply chain, supported by President Trump’s bold strategy to rebuild this critical industry on American soil, will benefit the country and broader technology ecosystem for years to come.”
Michael Dell, Chairman and Chief Executive Officer, Dell Technologies: “The industry needs a strong and resilient U.S. semiconductor industry, and no company is more important to this mission than Intel. It’s great to see Intel and the Trump Administration working together to advance U.S. technology and manufacturing leadership. Dell fully supports these shared priorities, and we look forward to bringing a new generation of products to market powered by American-designed and manufactured Intel chips.”
Enrique Lores, President and CEO, HP: “We share Intel’s and the Trump Administration’s deep commitment to building a strong, resilient and secure U.S. semiconductor industry. Intel’s continued investment in domestic R&D and manufacturing is integral to future innovation and will strengthen the partnership between HP and Intel for years come. This is a defining moment for great American companies to lead the world in cutting-edge technologies that will shape the future.”
Matt Garman, AWS CEO: “Leading-edge semiconductors are the bedrock of every AI technology and cloud platform, making U.S. investment in this critical industry one of the most important technological, economic and national security imperatives of our time. Intel plays a vital role as one of the country’s leading chip manufacturers, and we applaud the Trump administration’s efforts to usher in a new era of American innovation in partnership with American companies.”
PJT Partners acted as Intel’s exclusive financial advisor in connection with this investment agreement.
About Intel
Intel (Nasdaq: INTC) is an industry leader, creating world-changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, we continuously work to advance the design and manufacturing of semiconductors to help address our customers’ greatest challenges. By embedding intelligence in the cloud, network, edge and every kind of computing device, we unleash the potential of data to transform business and society for the better. To learn more about Intel’s innovations, go to newsroom.intel.com and intel.com.
Forward-Looking Statements
This release contains forward-looking statements, including with respect to: the agreement with the U.S. government and its expected benefits, including the anticipated timing of closing and impacts to Intel’s existing agreements with the U.S. government under the CHIPS Act; Intel’s investment plans, including in manufacturing expansion projects and R&D; and the anticipated production using Intel’s latest semiconductor process technology in Arizona later this year. Such statements involve many risks and uncertainties that could cause our actual results to differ materially from those expressed or implied, including those associated with: uncertainties as to the timing of the consummation of the transaction and the receipt of funding; Intel’s ability to effectively use the proceeds and realize and utilize the other anticipated benefits of the transaction as contemplated thereby; the availability of appropriations from the legislative branch of the U.S. government and the ability of the executive branch of the U.S. government to obtain funding and support contemplated by the transaction; the determination by the legislative, judicial or executive branches of the U.S. government that any aspect of the transaction was unauthorized, void or voidable; Intel’s ability to obtain additional or replacement financing, as needed; Intel’s ability to effectively assess, determine and monitor the financial, tax and accounting treatment of the transaction, together with Intel’s and the U.S. government’s obligations thereunder; litigation related to the transaction or otherwise; potential adverse reactions or changes to business relationships resulting from the announcement or completion of the transaction; the timing and achievement of expected business milestones; Intel’s ability to effectively comply with the broader legal and regulatory requirements and heightened scrutiny associated with government partnerships and contracts; the high level of competition and rapid technological change in the semiconductor industry; the significant long-term and inherently risky investments Intel is making in R&D and manufacturing facilities that may not realize a favorable return; the complexities and uncertainties in developing and implementing new semiconductor products and manufacturing process technologies; Intel’s ability to time and scale its capital investments appropriately; changes in demand for Intel’s products; macroeconomic conditions and geopolitical tensions and conflicts, including geopolitical and trade tensions between the U.S. and China, the impacts of Russia's war on Ukraine, tensions and conflict affecting Israel and the Middle East, and rising tensions between mainland China and Taiwan; the evolving market for products with AI capabilities; Intel’s complex global supply chain supporting its manufacturing facilities and incorporating external foundries, including from disruptions, delays, trade tensions and conflicts, or shortages; recently elevated geopolitical tensions, volatility and uncertainty with respect to international trade policies, including tariffs and export controls, impacting Intel’s business, the markets in which it competes and the world economy; product defects, errata and other product issues, particularly as Intel develops next-generation products and implements next-generation manufacturing process technologies; potential security vulnerabilities in Intel’s products; increasing and evolving cybersecurity threats and privacy risks; IP risks including related litigation and regulatory proceedings; the need to attract, retain, and motivate key talent; Intel’s debt obligations and its ability to access sources of capital; complex and evolving laws and regulations across many jurisdictions; fluctuations in currency exchange rates; changes in Intel’s effective tax rate; catastrophic events; environmental, health, safety, and product regulations; and other risks and uncertainties described in this release and Intel’s 2024 Form 10-K, Q1 2025 Form 10-Q, Q2 2025 Form 10-Q, and other filings with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date they were first made. Intel does not undertake, and expressly disclaims any duty, to update such statements, whether as a result of new information, new developments, or otherwise, except to the extent that disclosure may be required by law.
Microsoft Community Hub - techcommunity.microsoft.com - Aug 20, 2025
We are announcing that all Exchange Online customers who send external email should start switching to custom (aka vanity) domain names.
MOERA domains for email
When a organization creates a new tenant in Microsoft 365, an onmicrosoft.com domain (or similar default domain like onmicrosoft.de) is provided. These MOERA (Microsoft Online Email Routing Address) domains enable immediate connectivity and user creation. Having enabled a quick start and testing of a new tenant, customers are expected to add their own custom domains for better brand representation and control moving forward. Customers who continue using MOERA domains as their “primary domain” may face significant challenges.
Limitations of free ‘onmicrosoft’ shared domains
These “default” domains are useful for testing mail flow but are not suitable for regular messaging. They do not reflect a customer’s brand identity and offer limited administrative control. Moreover, because these domains all share the ‘onmicrosoft’ domain (for example, ‘contoso.onmicrosoft.com’), their reputation is collectively impacted. Despite our efforts to minimize abuse, spammers often exploit newly created tenants to send bursts of spam from ‘.onmicrosoft.com’ addresses before we can intervene. This degrades this shared domain’s reputation, affecting all legitimate users. To ensure brand trust and email deliverability, organizations should establish and use their own custom domains for sending email. Until now, we did not have any limits on use of MOERA domains for email delivery.
Introducing new throttling enforcement
To prevent misuse and help improve deliverability of customer email by encouraging best practices, we are changing our policy. In the future, MOERA domains should only be used for testing purposes, not regular email sending. We will be introducing throttling to limit messages sent from onmicrosoft.com domains to 100 external recipients per organization per 24 hour rolling window. Inbound messages won't be affected. External recipients are counted after the expansion of any of the original recipients. When a sender hits the throttling limit, they will receive NDRs with the code 550 5.7.236 for any attempts to send to external recipients while the tenant is throttled.
Customer actions
Customers will need to take actions depending on their use of their MOERA domain.
Purchase and migrate to a custom domain if not already done.
Ensure only custom domains are used for sending non-test emails.
If your tenant's default domain is a MOERA domain, set the default domain to a custom domain. This can be done in the Microsoft 365 admin center.
Mailboxes will need to have their primary SMTP addresses changed to the custom domain alias. Changing the primary SMTP address will have an impact on the username used to log into accounts so updates may need to be made to any credentials configured to authenticate devices or applications with users’ accounts.
Note: Customers with Federated Domains will have to add a non-Federated custom domain in Microsoft 365 to act as a default domain, as Federated domains cannot play that role. Learn more here: AD FS Overview.
Purchasing a domain
A domain registrar is a company authorized to sell and manage domain names. To purchase a domain, you typically visit a registrar’s website, search for an available domain name, and follow the checkout process to register it in your name. Once purchased, you can manage DNS settings through the registrar’s portal to validate your ownership when adding it to Exchange Online as an accepted domain. Once purchased, you can use the following instructions to add it to your tenant as an accepted domain – documentation.
Adding new aliases to existing mailboxes
To migrate users over to using a new custom domain, admins will need to add aliases to each user account for the new custom domain. These new aliases will need to be set as the Primary SMTP Address on the mailbox so that it is used for sending out emails. Users at organizations who make use of the Sending from Aliases feature will need to ensure that the correct alias is selected when they reply to emails addressed to their MOERA alias.
Known MOERA domain usage scenarios
Besides regular email client sending when a MOERA domain is a primary SMTP address, these are some of the known usage scenarios customers should be aware of:
Sender Rewriting Scheme may use MOERA domains as fallback if it is set as the default domain. Customers will need to change their default domains to avoid this. (Sender Rewriting Scheme (SRS) in Microsoft 365).
Bookings app invites may be configured to send from MOERA domains. Customers will need to ensure Bookings is configured to use their custom domain. (Custom domain support in Shared Bookings).
Notifications from Microsoft should be set up to use a custom domain. (Select the domain to use for email from Microsoft 365 products).
Journaling Reports use the Microsoft Exchange Recipient address set for tenants (MicrosoftExchangeRecipientPrimarySmtpAddress in Get-OrganizationConfig). This address cannot be modified by admins and therefore these messages will not count towards the throttling limit.
Hybrid configurations with complex routing make use of MOERA domains containing mail.onmicrosoft.com. It is possible that addresses using these domains could send emails to external recipients e.g. OOF messages when Sending from Aliases is enabled. These messages will not be throttling so long as these domains are not used for original traffic.
Analyzing your MOERA email traffic
You can use the Message Trace feature in Exchange Admin Center to retrieve the outbound traffic being sent from your tenant. By placing a wild card address in the Senders field, you can get a report with all traffic using your onmicrosoft.com domain to send. Note that this report would contain messages sent internally as well, but those can be filtered out of the resulting report by using the recipient domain.
Rollout timeline
The throttling rollout will be based on the number of Exchange seats in an organization:
MOERA outgoing email throttling starts
Exchange seats in the tenant
October 15, 2025
Trial
December 1, 2025
< 3
January 7, 2026
3 – 10
February 2, 2026
11 – 50
March 2, 2026
51 – 200
April 1, 2026
201 – 2,000
May 4, 2026
2,001 – 10,000
June 1, 2026
10,001 >
Announcements for each stage of the rollout will be made one month before via Message Center to all customers meeting the seat count criteria. All customers who are using their MOERA domains are encouraged to start planning and migrating today.
ZATAZ » zataz.com Posted On 21 Août 2025By : Damien Bancal
Bis repetita pour Auchan. Aprés la fuite de novembre de 2024, voici une nouvelle cyber attaques concernant les données des clients Auchan révélées. Les cartes waaoh sont bloquées pour ne pas perdre le cagnottage !
Auchan est à nouveau la cible d’un piratage : les données personnelles de clients liées à leur carte fidélité ont été exposées. Civilité, nom, prénom, adresses, téléphone, e‑mail et numéro de carte ont été consultés sans autorisation. Les données bancaires, mots de passe et codes PIN sont épargnés. Des cartes ont été désactivées, obligeant les clients à se rendre en magasin pour récupérer leur cagnotte via une nouvelle carte Waaoh.
Un nouveau choc discret mais massif
La scène se répète, et pourtant elle frappe toujours par son brutal réalisme. Des clients reçoivent un message laconique : « Nous vous écrivons afin de vous informer qu’Auchan a été victime d’une cyberattaque. » En quelques lignes, la mécanique est posée. La cyberattaque a entraîné un accès non autorisé à des données personnelles rattachées aux comptes de fidélité : civilité, statut client professionnel, nom, prénom, adresses email et postale, numéro de téléphone, numéro de carte fidélité.
La communication interne tente de rassurer : aucune donnée bancaire, mot de passe ou code PIN ne serait concerné. Mais derrière cette affirmation se cache une réalité plus complexe. Car le périmètre de l’intrusion touche à l’identité du client, son profil complet, ouvrant la voie à de multiples usages malveillants : usurpation, phishing, ciblage commercial illégal.
Le piratage, non encore médiatisé au moment de notre publication, s’est accompagné d’un geste concret : les cartes fidélité des clients concernés ont été désactivées. Pour récupérer l’accès à leur cagnotte waaoh, les clients doivent se déplacer en magasin afin de se voir attribuer une nouvelle carte. Cette mesure, discrète mais significative, confirme la gravité de l’incident.
A noter que le courrier d’alerte d’Auchan de ce 21 août, est mot pour mot l’alerte de novembre de 2024. A sa première lecture, j’ai même cru à une tentative de fraude !
Une riposte immédiate mais silencieuse
Auchan a rapidement notifié la Commission nationale de l’informatique et des libertés (CNIL), comme le prévoit la réglementation européenne sur la protection des données (RGPD). La communication évoque une réaction « avec la plus grande rigueur » et des mesures immédiates pour mettre fin à l’attaque. Aucune information n’a encore filtré sur la nature de l’intrusion : vecteur, auteur, durée, ou origine de l’attaque. S’agit-il d’un acte isolé, ou d’un épisode dans une série plus large de compromissions, comme celle révélée en novembre 2024, qui avait déjà affecté les données de plus de 500 000 clients ? Rien ne permet pour l’heure d’en juger. Il est cependant interessant de remarquer que cette alerte fait suite à plusieurs autres concernant Orange Belgique, Air France/KLM, Etc. La fuite provenant d’un partenaire.
La désactivation des cartes et la nécessité de se déplacer en magasin introduisent une friction inhabituelle dans le parcours client, révélant, comme ZATAZ a déjà pu vous le raconter, que le système de fidélité, souvent perçu comme périphérique, est une zone sensible.
La fidélité comme faille stratégique
Le programme de fidélité, pierre angulaire de la relation client dans la grande distribution, constitue un gisement de données hautement exploitables : habitudes d’achat, données personnelles, historique de consommation. En ciblant cette couche spécifique, les cybercriminels cherchent à déstabiliser l’image de la marque tout en récoltant des données facilement revendables sur les places de marché illégales.
san.com Aug 23, 2025 at 12:34 AM GMT+2
A hacker breached an airline and stole information on hundreds of thousands of people, including U.S. government employees.
Summary
Exposed IDs
Straight Arrow News examined 2,626 photos of identifying documents such as passports, IDs and birth certificates that were stolen by a hacker.
U.S. government data
The data includes the names, emails and phone numbers of employees from the State Deptartment, ICE, TSA, CBP and more.
Airline denial
Uzbekistan Airways denied that any intrusion took place and even suggested that leaked data may have been generated with artificial intelligence.
Full story
A hacker claims to have stolen information on hundreds of thousands of people — including U.S. government employees — after breaching an international airline. Straight Arrow News obtained a sample of the data, allegedly taken from Uzbekistan Airways, and confirmed the presence of sensitive documents such as scans of thousands of passports.
The data was advertised on Thursday by the hacker, who is known online as ByteToBreach and purports to be a native of the Swiss Alps, on a dark web forum known for hosting leaks, malware and hacking tools. The purportedly 300-gigabyte data cache contains, among other things, the email addresses of 500,000 passengers and 400 airline employees.
The post included a sample of the data, such as alleged credentials for multiple servers and software programs run by the airline. It also showed partial credit card data, as well as scans of 75 passports from the U.S., Russia, Israel, the U.K., South Korea and other nations. The hacker claims to have obtained identifying documents from more than 40 different countries.
The hacker provided Straight Arrow News with a larger data sample than the one posted online, containing 2,626 photos of identifying documents such as passports, IDs, marriage licenses and birth certificates. Numerous passports belonged to babies and young children.
Passports and other identifying data are valuable on underground markets given their potential use for a range of criminal activities, such as fraud and identity theft. Hackers could also leverage the prevalence of data on government employees for phishing attacks.
U.S. government employees’ data compromised
Another document from the sample the hacker provided to SAN contained 285 email addresses belonging to airline employees. A list of email addresses for passengers held 503,410 entries.
A spreadsheet with personal information of 379,603 members of Uzbekistan Airways’ loyalty program exposes names, genders, birthdates, nationalities, email addresses, phone numbers, member IDs and more.
The email addresses indicate that those members include employees of several U.S. government agencies, including the State Department, the Department of Energy, Immigration and Customs Enforcement, Customs and Border Protection and the Transportation Security Administration.
Employees of foreign government agencies from countries like Russia, Uzbekistan and the United Arab Emirates were also in the data.
SAN reached out to several phone numbers of government employees. An apparent TSA employee answered the phone by introducing themselves with the first name listed in the hacked data, as well as their government position. After SAN explained that their data had been exposed, the employee declined to comment and referred a reporter to the Department of Homeland Security’s public affairs office.
The public affairs office did not respond to an email from SAN. An email to the State Department’s office of press operations went unanswered as well.
Four files containing raw reservation and ticketing data mention airlines, airports, flight numbers and other information. The hacker also claimed that the raw data contained partial credit card information, although SAN was unable to independently verify the presence of financial data.
...
techradar.com 22.08.2025
Qilin claims another victim, threatens to release valuable information online.
Given the nature of Creative Box’s work, the stolen data could hurt the company and dull its competitive blade, if released to the wild, experts have said.
The company is a specialized satellite design studio forming part of Nissan’s global design network. Established in 1987 to be a creative sandbox for emerging designers, where they can create bold concepts that usually stray away from mainstream car design, it is often described as Nissan’s “design think tank”, as it does not churn out large volumes of visible work, but still retains a significant role within the network.
blog.narimangharib.com Nariman Gharib 22.08.2025
Lab-Dookhtegan has been systematically targeting Iranian infrastructure for months now, and when they reached out about their latest operation, I knew it would be significant. This group doesn't mess around - their March attack on 116 vessels proved that. But even knowing their track record, the evidence they shared from their August operation shocked me: 64 ships cut off from the world, navigation systems wiped clean, and digital destruction so thorough that some vessels might be offline for months.
The group hit 39 tankers and 25 cargo ships belonging to Iran's sanctioned maritime giants NITC and IRISL. While they gave media outlets the headline - "ships' communications disrupted" - the technical evidence tells a much darker story.
Let me walk you through what really happened.
The hackers didn't go after the ships directly. That would be nearly impossible - you'd need to compromise dozens of individual vessels scattered across the globe. Instead, they found something better: Fanava Group, an Iranian IT company that just happens to provide satellite communications to the entire fleet.
The screenshots they shared show root access on Linux terminals running iDirect satellite software - version 2.6.35, which is ancient by cybersecurity standards. We're talking about software so old it probably has more known vulnerabilities than my grandmother's Internet Explorer browser.
But here's where it gets interesting. They didn't just pop one system and call it a day. The database dumps show they mapped out the entire fleet - vessel by vessel, modem by modem. I'm looking at MySQL queries pulling records for ships like the Touska, Mahnam, Zardis, and dozens of others. Each entry includes the ship's modem serial number, network IDs, the works. It's like having a complete blueprint of Iran's maritime communication network.
Once inside, the hackers went after something called "Falcon" - the software that keeps these satellite links alive. Think of it as the heart of the ship's communication system. Stop the Falcon, and the ship goes dark. No emails to shore, no weather updates, no port coordination, nothing.
But here's what the email logs actually reveal - and this is huge: the timestamps go back to May and June. That means Lab-Dookhtegan didn't just hit and run in March. They've been sitting inside Iran's maritime network for five months straight. They had persistent access this entire time, could flip systems on and off whenever they wanted, and probably monitored every communication going through.
The "Node Down Notification" alerts I'm seeing are from various points over these months - they were testing their control, making sure they still had the keys. But this time, in August, they didn't just test. They went nuclear.
Scorched Earth at Sea
The attackers didn't just want to disrupt operations - they wanted to cause permanent damage. I found commands showing systematic data destruction:
dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
For non-technical readers, this is the digital equivalent of taking a hammer to the ship's communication equipment. They overwrote six different storage partitions with zeros. Everything gone - navigation logs, message archives, system configurations, even the recovery partitions that would let you fix the system remotely.
Imagine you're a captain in the middle of the Indian Ocean, and suddenly your satellite terminal isn't just offline - it's been lobotomized. You can't fix it, your IT team can't remote in to help, and the nearest port might be days away.
As if cutting data communications wasn't enough, they also grabbed the entire IP phone system configuration. I'm looking at a spreadsheet with phone numbers, IP addresses, and - this is the embarrassing part - passwords in plain text. We're talking passwords like "1402@Argo" and "1406@Diamond."
With this data, the attackers could theoretically listen to phone calls between ships and ports, impersonate vessels, or just cause more chaos by killing voice communications too.
Why This Matters
NITC and IRISL aren't just any shipping companies. They're the backbone of Iran's sanctions-busting operations. NITC's tankers regularly switch off their tracking systems to secretly deliver oil to China. IRISL has been sanctioned by basically everyone - US, EU, UN - for helping Iran's nuclear program.
These ships operate in the shadows by design, and now they're stuck there - unable to phone home, navigate properly, or even send a distress signal if something goes wrong.
This is Lab-Dookhtegan's second hit this year. They claimed to have disrupted 116 vessels back in March, timing it with US operations against the Houthis in Yemen. This time, the attack comes just as the US Treasury added another 13 companies to the sanctions list for dealing with Iranian oil.
Coincidence? You tell me.
Here's what the public reports missed: this isn't something you fix with a reboot. These ships need physical intervention. Someone has to board each vessel, probably in port, and completely reinstall the communication systems from scratch. We're talking weeks, maybe months, of downtime per ship.
For a sanctions-squeezed fleet that relies on staying under the radar and maintaining precise coordination to avoid seizure, this is catastrophic. You can't evade sanctions if you can't communicate. You can't deliver oil if you can't navigate. You can't even call for help if something goes wrong.
The hackers knew exactly what they were doing. This was precision surgery designed to cripple Iran's maritime operations at the worst possible time.
And based on the evidence I've seen, they succeeded beyond what anyone's reporting.
South China Morning Post scmp.com Published: 5:00pm, 12 Aug 2025 - Chinese tech firms are leveraging software improvements to compensate for limited access to advanced hardware.
Huawei Technologies has unveiled a software tool designed to accelerate inference in large artificial intelligence models, an advancement that could help China reduce its reliance on expensive high-bandwidth memory (HBM) chips.
Unified Cache Manager (UCM) is an algorithm that allocates data according to varying latency requirements across different types of memories – including ultra-fast HBM, standard dynamic random access memory and solid-state drive – thereby enhancing inference efficiency, according to Huawei executives at the Financial AI Reasoning Application Landing and Development Forum in Shanghai on Tuesday.
Zhou Yuefeng, vice-president and head of Huawei’s data storage product line, said UCM demonstrated its effectiveness during tests, reducing inference latency by up to 90 per cent and increasing system throughput as much as 22-fold.
The move exemplifies how Chinese tech firms are leveraging software improvements to compensate for limited access to advanced hardware. Earlier this year, Chinese start-up DeepSeek captured global attention by developing powerful AI models with constrained chip resources.
Huawei plans to open-source UCM in September, first in its online developer community and later to the broader industry. The initiative could help China lessen its dependence on foreign-made HBM chips, a market mostly controlled by South Korea’s SK Hynix and Samsung Electronics, as well as the US supplier Micron Technology.
HBM is a stacked, high-speed, low-latency memory that provides substantial data throughput to AI chips, enabling optimal performance. The global HBM market is projected to nearly double in revenue this year, reaching US$34 billion, and is expected to hit US$98 billion by 2030, largely driven by the AI boom, according to consulting firm Yole Group.
telegraph.co.uk 2025/08/17/ - Lazarus cyber gang believed to have used stolen funds to boost military and nuclear programmes
North Korean hackers have been accused of a £17m Bitcoin heist that brought down a UK-based cryptocurrency company.
Lazarus, the hermit kingdom’s notorious cyber gang, has been identified as the potential culprit behind the theft of cryptocurrency from Lykke, a trading platform incorporated in Britain.
If confirmed, it would be North Korea’s biggest-known cryptocurrency heist to target Britain. The pariah state has made billions in recent years stealing cryptocurrency to fund its military and nuclear programmes.
Lykke was founded in 2015 and operated from Switzerland but was registered in the UK. The company said last year that it had lost $22.8m (£16.8m) in Bitcoin, Ethereum and other cryptocurrencies, forcing it to halt operations.
In March a judge ordered the company to be liquidated after a legal campaign from more than 70 affected users.
North Korea was named as the potential hacker in a recent report by the Office of Financial Sanctions Implementation (OFSI), a branch of the Treasury.
“The attack has been attributed to malicious Democratic People’s Republic of Korea cyberactors, who stole funds on both the Bitcoin and Ethereum networks,” it said.
The Treasury said the OFSI did not reveal the sources of its information but that it worked closely with law enforcement.
Lazarus had been separately blamed for the attack on Lykke by Whitestream, an Israeli cryptocurrency research company.
It said the attackers had laundered the stolen funds through two other cryptocurrency companies notorious for allowing users to hide their tracks, and thus avoid money-laundering controls.
Other researchers have disagreed with the conclusions, saying it is not currently possible to determine who hacked the exchange.
Lykke was founded by Richard Olsen, a great-grandson of the Swiss banking patriarch Julius Baer, and offered cryptocurrency trading without transaction fees.
The company was run out of Zug in Switzerland’s so-called “crypto valley” but its corporate entity was registered in Britain.
In 2023, the Financial Conduct Authority issued a warning about the company, saying it was not registered or authorised to offer financial services for consumers in Britain.
Despite saying it would be able to return customers’ funds, it froze trading after the hack and officially shut down last December.
The company was liquidated in March following a winding up petition in the UK courts brought by a group of customers, who say they have lost £5.7m as a result of the company shutting down.
Interpath Advisory has been appointed to distribute the remaining funds to those who lost money. Its Swiss parent was placed into liquidation last year.
Mr Olsen was declared bankrupt in January and is the subject of criminal investigations in Switzerland, according to British legal filings. He did not respond to requests for comment.
theregister.com 2025/08/22/ -
: Pro tip: When taking revenge, don't use your real name
A US court sentenced a former developer at power management biz Eaton to four years in prison after he installed malware on the company’s servers.
Davis Lu, 55, spent a dozen years at Eaton and rose to become a senior developer of emerging technology, before the company demoted him after restructuring. Lu unwisely responded to that setback by installing a "kill switch" that would activate if the company revoked his network access.
The package was a Java program that generated increasing numbers of non-terminating threads in an infinite loop that would eventually use enough resources to crash the server.
"The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a US company," said acting assistant Attorney General Matthew Galeotti of the Justice Department’s Criminal Division in an email. "However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions."
Not that he had much technical savvy. Lu labeled his malware IsDLEnabledinAD, for "Is Davis Lu enabled in Active Directory." Furthermore, after developing the software he uploaded it using his corporate credentials – hardly clean OPSEC, to quote the US Defense Secretary.
Eaton terminated Lu’s position on September 9, 2019, and cut off his network access, which caused the Java program to fire up, overloading the network, preventing login access for thousands of Eaton's global staff, and deleting some corporate data.
But when it came time for Lu to turn in his corporate laptop, it turned out he'd been using it to execute his plan. His search history showed he'd been looking up how to delete data, escalate privileges, and conceal process trails. He also deleted a large chunk of encrypted data.
Less than a month after his malware ran, federal agents arrested Lu. He admitted to his crime but still opted for a jury trial. That didn't work out so well for him, and a federal jury in Cleveland found him guilty of intentionally damaging a protected computer. On Thursday he received a four-year sentence and an additional three years of supervised release.
"I am proud of the FBI cyber team’s work which led to today’s sentencing and hope it sends a strong message to others who may consider engaging in similar unlawful activities," said assistant director Brett Leatherman of the FBI’s Cyber Division. "This case also underscores the importance of identifying insider threats early."
As The Register has pointed out time and time again, insiders can cause the most damage with ease. All the fancy firewalls, AI tools, and malware monitoring services won't protect you if the person running them goes rogue.
Eaton had no comment on the sentence.
eaton-works.com 2025/08/18 - Hardcoded credentials, pointless encryption, and generous APIs exposed details of every employee and made it possible to break into internal websites.
Key Points / Summary
...
Intel’s Response and Timeline
Intel’s bug bounty program has been around a while and is well-known. There are some great rewards too – up to $100k. After discovering multiple critical website vulnerabilities, I was excited about the potential rewards I would get. Then I read the fine print:
Credentials: Username, password, account identifier, keys, certificates, or other credentials that have been published, leaked, or exposed in some way should be reported to this program to ensure they can be properly investigated, cleaned up, and secured. Credentials are out of Scope for rewards.
Is Intel’s Web Infrastructure, i.e.*.intel.com in scope? Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against Intel.com and/or related web presence to external.security.research@intel.com.
Obviously disappointing, but the right thing to do was to still report the vulnerabilities, and that is what I did.
That is the only official correspondence I ever received from Intel. The good news is that everything was fixed, so while the email inbox was essentially a one-way black hole, at least the reports got to the right people eventually.
The full timeline:
October 14, 2024: Business Card vulnerability report sent.
October 29, 2024: Hierarchy Management and Product Onboarding vulnerability reports sent.
November 11, 2024: Follow-up email sent on the Hierarchy Management and Product Onboarding thread with more information as to what specific steps should be taken to fix the vulnerabilities.
November 12, 2024: SEIMS vulnerability report sent.
December 2, 2024: Follow-up email sent on the Hierarchy Management and Product Onboarding thread letting them know they must rotate the leaked credentials.
February 28, 2025: At this point, it has been more than 90 days since my first report and all vulnerabilities have been resolved. A new email was sent to alert Intel about the intent to publish.
August 18, 2025: Published.
The good news is that Intel has recently expanded their bug bounty coverage to include services. Hopefully they will include blanket coverage for *.intel.com in the future for bug bounty rewards.
securityweek.com ByIonut Arghire| August 22, 2025 - MITRE has updated the list of Most Important Hardware Weaknesses to align it with evolving hardware security challenges.
The non-profit MITRE Corporation this week published a revised CWE Most Important Hardware Weaknesses (MIHW) to align it with the evolution of the hardware security landscape.
Initially released in 2021, the CWE MIHW list includes frequent errors that lead to critical hardware vulnerabilities, and is meant to raise awareness within the community, to help eradicate hardware flaws from the start.
The updated list includes 11 entries and comes with new classes, categories, and base weaknesses, but retains five of the entries that were included in the 2021 CWE MIHW list. It shows a focus on resource reuse, debug mode bugs, and fault injection.
‘CWE-226: Sensitive Information in Resource Not Removed Before Reuse’ is at the top of MITRE’s 2025 CWE MIHW list.
It refers to resources that are released and may be made available for reuse without being properly cleared. If memory, for example, is not cleared before it is made available to a different process, data could become available to less trustworthy parties.
“This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels,” CWE-226’s description reads.
Second on the revised list is ‘CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)’, which was at the top four years ago.
Other entries that were kept from the previous version of the list include ‘CWE-1191: On-Chip Debug and Test Interface With Improper Access Control’, ‘CWE-1256: Improper Restriction of Software Interfaces to Hardware Features’, ‘CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges’, and ‘CWE-1300: Improper Protection of Physical Side Channels’.
“These entries represent persistent challenges in hardware security that are both theoretically significant and commonly observed in practice. Their continued inclusion, even with the shift to a hybrid expert and data-driven selection process, underscores their ongoing importance,” MITRE notes.
Of the six new CWEs that made it to the revised MIHW list, two were added to the CWE after the 2021 MIHW list was released.
In addition to the 11 weaknesses included in the main MIHW list, MITRE warns of five others that are also highly important and could lead to serious security defects. These include four entries that were in the previous iteration of the list.
“Hardware weaknesses propagate upward: once embedded in silicon, they constrain software, firmware, and system-level mitigations. Engineers working at higher layers need to understand that some risks are inherited and may never be fully remediated at their level. That makes transparency from vendors, independent evaluation ecosystems, and better incentives for proactive security in design critical,” NCC Group managing security consultant Liz James said.
nationalcrimeagency.gov.uk 16 August 2025 - The National Crime Agency leads the UK's fight to cut serious and organised crime.
A cyber criminal who hacked into the websites of organisations in North America, Yemen and Israel and stole the log in details of millions of people has been jailed.
Al Tahery AL MASHRIKYAl-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was arrested by specialist National Crime Agency cybercrime officers in August 2022, who were acting on intelligence supplied by US law enforcement around the activities of extremist hacker groups ‘Spider Team’ and ‘Yemen Cyber Army.
NCA investigators were able to link Al-Mashriky to the Yemen Cyber Army through social media and email accounts.
Forensic analysis of his laptop and several mobile phones showed that Al-Mashriky had infiltrated a number of websites including the Yemen Ministry of Foreign Affairs, the Yemen Ministry of Security Media and an Israeli news outlet.
His offending centred around gaining unauthorised access to the websites, then creating hidden webpages containing his online monikers and messaging that furthered his religious and political ideology.
He would often target websites with low security, gaining kudos in the hacking community for the sheer number of infiltrations.
Using one of his many online aliases, Al-Mashriky claimed on one cybercrime forum that he had hacked in to over 3,000 websites during a three month period in 2022.
However, a review of his seized laptop by NCA Digital Forensic Officers revealed the extent of his cyber offending. He was in possession of personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and Paypal, which could be used for further acts of cybercrime.
Investigators found that in February 2022, after hacking into the website for Israeli Live News he accessed admin pages and downloaded the entire website. He had also hacked into two Yemeni government websites, deploying tools to scan for usernames and vulnerabilities.
Al-Mashriky was also found to have targeted faith websites in Canada and the USA as well as the website for the California State Water Board.
The NCA, working with international law enforcement partners, was able to obtain accounts from the victims of these intrusions, who gave detailed insights into the significant cost and inconvenience he had caused.Al-Mashriky was due to stand trial at Sheffield Crown Court in March this year for 10 offences under the Computer Misuse Act.
However, on 17 March he pleaded guilty to nine offences and was sentenced to 20 months imprisonment at the same court yesterday (15 August).
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Al-Mashriky’s attacks crippled the websites targeted, causing significant disruption to their users and the organisations, just so that he could push the political and ideological views of the ‘Yemen Cyber Army’.
“He had also stolen personal data that could have enabled him to target and defraud millions of people.
“Cybercrime can often appear faceless, with the belief that perpetrators hide in the shadows and can avoid detection. However, as this investigation shows, the NCA has the technical capability to pursue and identify offenders like Al-Mashriky and bring them to justice.”
hackread.com August 18, 2025 - A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs.
A threat actor using the name Chucky_BF on a cybercrime and hacker forum is advertising what they claim to be a massive PayPal data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs.
The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services.
Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services.
The description provided by Chucky_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations.
A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile.
The way the data is put together is also important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen or old databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal.
As for pricing, Chucky_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale.
If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated.
Infostealer Logs as the Likely Source
PayPal has never suffered a direct data breach in which attackers broke into its systems or stole millions of user records. Past incidents, including the one that involved 35,000 users, linked to the company have usually been the result of credential stuffing or data harvested elsewhere.
This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of infostealer malware collecting login details from infected devices and bundling them together.
The structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer malware logs. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets.
The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single PayPal-focused leak.
Infostealer malware infecting devices worldwide is hardly surprising. In May, cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing 184 million login credentials, including unique usernames, email addresses, and passwords, which he believes were likely collected using infostealer malware.
According to Hudson Rock, a cybercrime intelligence company, infostealer malware is easily and cheaply available on the dark web. The company’s research also revealed the scale at which these tools have successfully targeted critical infrastructure, including in the United States.
Researchers found that employees at key US defense entities such as the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies, including the FBI, have also fallen victim to infostealer malware.
As for PayPal, the company itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks.
Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.
cyberscoop.com August 20, 2025 - A Russian state-sponsored group known as Static Tundra has persistently exploited the Cisco CVE-2018-0171 vulnerability to compromise network devices worldwide, targeting key industries and evading detection for years, according to new findings by Cisco Talos.
The group, designated “Static Tundra” by Cisco Talos, is linked to the Russian Federal Security Service’s Center 16 unit and operates as a likely sub-cluster of the broader “Energetic Bear” threat group. The operation represents one of the most persistent network device compromise campaigns documented to date, with the group maintaining undetected access to victim systems for multiple years.
According to the researchers, the group has been leveraging CVE-2018-0171, a vulnerability in Cisco IOS software’s Smart Install feature that was patched when initially disclosed in 2018. Despite the availability of patches, the group continues to find success targeting organizations that have left devices unpatched or are running end-of-life equipment that cannot be updated.
The vulnerability allows attackers to execute arbitrary code on affected devices or trigger denial-of-service conditions.
Researchers believe the group has developed automated tooling to exploit the vulnerability at scale, likely identifying targets through publicly available network scanning data from services such as Shodan or Censys.
Once initial access is gained, the group employs sophisticated techniques to extract device configuration data, which often contains credentials and network information valuable for further compromise. The attackers use a combination of Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP) tools to maintain access and collect intelligence.
The espionage campaign has affected organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Victim selection appears to align with Russia’s strategic interests, with researchers noting a significant escalation in operations against Ukrainian entities following the onset of the Russia-Ukraine conflict.
“One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then,” the Cisco Talos report states. The group expanded its targeting within Ukraine from selective, limited compromises to operations across multiple industry verticals.
techcrunch.com 2025/08/21 - The two self-described hacktivists said they had access to the North Korean spy’s computer for around four months before deciding what they had found should be made public.
Earlier this year, two hackers broke into a computer and soon realized the significance of what this machine was. As it turned out, they had landed on the computer of a hacker who allegedly works for the North Korean government.
The two hackers decided to keep digging and found evidence that they say linked the hacker to cyberespionage operations carried out by North Korea, exploits and hacking tools, and infrastructure used in those operations.
Saber, one of the hackers involved, told TechCrunch that they had access to the North Korean government worker’s computer for around four months, but as soon as they understood what data they got access to, they realized they eventually had to leak it and expose what they had discovered.
“These nation-state hackers are hacking for all the wrong reasons. I hope more of them will get exposed; they deserve to be,” said Saber, who spoke to TechCrunch after he and cyb0rg published an article in the legendary hacking e-zine Phrack, disclosing details of their findings.
There are countless cybersecurity companies and researchers who closely track anything the North Korean government and its many hacking groups are up to, which includes espionage operations, as well as increasingly large crypto heists and wide-ranging operations where North Koreans pose as remote IT workers to fund the regime’s nuclear weapons program.
In this case, Saber and cyb0rg went one step further and actually hacked the hackers, an operation that can give more, or at least different, insights into how these government-backed groups work, as well as “what they are doing on a daily basis and so on,” as Saber put it.
The hackers want to be known only by their handles, Saber and cyb0rg, because they may face retaliation from the North Korean government, and possibly others. Saber said that they consider themselves hacktivists, and he name-dropped legendary hacktivist Phineas Fisher, responsible for hacking spyware makers FinFisher and Hacking Team, as an inspiration.
At the same time, the hackers also understand that what they did is illegal, but they thought it was nonetheless important to publicize it.
“Keeping it for us wouldn’t have been really helpful,” said Saber. “By leaking it all to the public, hopefully we can give researchers some more ways to detect them.”
“Hopefully this will also lead to many of their current victims being discovered and so to [the North Korean hackers] losing access,” he said.
“Illegal or not, this action has brought concrete artifacts to the community; this is more important,” said cyb0rg in a message sent through Saber.
Saber said they are convinced that while the hacker — who they call “Kim” — works for North Korea’s regime, they may actually be Chinese and work for both governments, based on their findings that Kim did not work during holidays in China, suggesting that the hacker may be based there.
Also, according to Saber, at times Kim translated some Korean documents into simplified Chinese using Google Translate.
Saber said that he never tried to contact Kim. “I don’t think he would even listen; all he does is empower his leaders, the same leaders who enslave his own people,” he said. “I’d probably tell him to use his knowledge in a way that helps people, not hurt them. But he lives in constant propaganda and likely since birth so this is all meaningless to him.” He’s referring to the strict information vacuum that North Koreans live in, as they are largely cut off from the outside world.
Saber declined to disclose how he and cyb0rg got access to Kim’s computer, given that the two believe they can use the same techniques to “obtain more access to some other of their systems the same way.”
During their operation, Saber and cyb0rg found evidence of active hacks carried out by Kim, against South Korean and Taiwanese companies, which they say they contacted and alerted.
North Korean hackers have a history of targeting people who work in the cybersecurity industry as well. That’s why Saber said he is aware of that risk, but “not really worried.”
“Not much can be done about this, definitely being more careful though :),” said Saber.
INTERPOL-coordinated operation leads to 1,209 arrests
interpol.int - LYON, France 22.08.2025 – In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims.
The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation.
Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC). These were all identified as prominent threats in the recent INTERPOL Africa Cyberthreat Assessment Report.
The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively.
This intelligence was shared with participating countries ahead of the operation, providing critical information on specific threats as well as suspicious IP addresses, domains and C2 servers.
Operational highlights: From crypto mining to inheritance scams
Authorities in Angola dismantled 25 cryptocurrency mining centres, where 60 Chinese nationals were illegally validating blockchain transactions to generate cryptocurrency. The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than USD 37 million, now earmarked by the government to support power distribution in vulnerable areas.
Zambian authorities dismantled a large-scale online investment fraud scheme, identifying 65,000 victims who lost an estimated USD 300 million. The scammers lured victims into investing in cryptocurrency through extensive advertising campaigns promising high-yield returns. Victims were then instructed to download multiple apps to participate. Authorities arrested 15 individuals and seized key evidence including domains, mobile numbers and bank accounts. Investigations are ongoing with efforts focused on tracking down overseas collaborators.
Also in Zambia, authorities identified a scam centre and, in joint operations with the Immigration Department in Lusaka, disrupted a suspected human trafficking network. They confiscated 372 forged passports from seven countries.
Despite being one of the oldest-running internet frauds, inheritance scams continue to generate significant funds for criminal organizations. Officers in Côte d'Ivoire dismantled a transnational inheritance scam originating in Germany, arresting the primary suspect and seizing assets including electronics, jewellery, cash, vehicles and documents. With victims tricked into paying fees to claim fake inheritances, the scam caused an estimated USD 1.6 million in losses.
Valdecy Urquiza, Secretary General of INTERPOL, said:
"Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries. With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims."
Prior to the operation, investigators participated in a series of hands-on workshops covering open-source intelligence tools and techniques, cryptocurrency investigations and ransomware analysis. This focused training strengthened their skills and expertise, directly contributing to the effectiveness of the investigations and operational successes.
The operation also focused on prevention through a partnership with the International Cyber Offender Prevention Network (InterCOP), a consortium of law enforcement agencies from 36 countries dedicated to identifying and mitigating potential cybercriminal activity before it occurs. The InterCOP project is led by the Netherlands and aims to promote a proactive approach to tackling cybercrime.
Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.
Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.
Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.
bitdefender.com 19.08.2025 - A hack of the Netherlands' Public Prosecution Service has had an unusual side effect - causing some speed cameras to be no longer capturing evidence of motorists breaking the rules of the road.
Last month, Dutch media reports confirmed that Openbaar Ministerie (OM), the official body responsible for bringing suspects before the criminal court in the Netherlands, had suffered a security breach by hackers.
The National Cybersecurity Centre (NCSC) and data protection regulators in The Netherlands were informed that a data breach had potentially occurred, and an internal memo from the organisation's director of IT warned of the risks of reconnecting systems to the internet without knowing that the hackers had been expelled from the network.
And it is the disconnection of systems which has left many speed cameras in a non-functioning state - news that will bemuse cybercriminals, delight errant motorists, but is unlikely to be welcomed by those who care about road safety.
Local media reports claim that fixed speed cameras, average speed checks, and portable speed cameras that are usually in one location for about two months before relocation are impacted by the outage - with the only type to escape the problem being those which look out for motorists who are using their mobile phone while driving.
According to evidence seen by journalists, the Public Prosecution Service took itself offline on July 17, following suspicions that hackers had exploited vulnerabilities in Citrix devices to gain unauthorised access.
The organisation's disconnection from the internet left workers still able to email each other internally, but any communications or documents that were needed outside the organisation had to be printed out on paper.
Marthyne Kunst, a member of the crisis team dealing with the hack, told the media that this meant messages were having to be sent by post, lawyers were having to bring paperwork to their cases.
The consequence? Cases may be prevented from going ahead in a timely fashion.
"Unfortunately, it all takes more time," said Kunst.
And as for the speed cameras? Well, apparently it is not possible to reactivate them while the prosecution service's systems are down.
So this isn't a case of police cameras being hacked (although that has happened before), but it is another example of how all manner of connected systems can be impacted in the aftermath of a cyber attack.
The outage of speed cameras in the Netherlands is a timely reminder to us that cyber attacks do not just steal data - they can cause repercussions in sometimes strange and dangerous ways. In this instance, a hack hasn't only slowed down court cases and forced lawyers back to their filing cabinets, it has also blinded cameras designed to keep roads safe.
theregister.com 21.08.2025 - Better late than never after SharePoint assault?
Microsoft has reportedly stopped giving Chinese companies proof-of-concept exploit code for soon-to-be-disclosed vulnerabilities following last month's SharePoint zero-day attacks, which appear to be related to a leak in Redmond's early-bug-notification program.
The software behemoth gives some software vendors early bug disclosures under its Microsoft Active Protections Program (MAPP), which typically delivers info two weeks before Patch Tuesday. MAPP participants sign a non-disclosure agreement, and in exchange get vulnerability details so that they can provide updated protections to customers more quickly.
According to Microsoft spokesperson David Cuddy, who spoke with Bloomberg about changes to the program, MAPP has begun limiting access to companies in "countries where they're required to report vulnerabilities to their governments," including China. Companies in these countries will no longer receive "proof of concept" exploit code, but instead will see "a more general written description" that Microsoft sends at the same time as patches, Cuddy told the news outlet.
Microsoft did not respond to The Register's inquiries.
In late July, China-based crews – including government goons, data thieves, and a ransomware gang – exploited a couple of bugs that allowed them to hijack on-premises SharePoint servers belonging to more than 400 organizations and remotely execute code.
Redmond disclosed the two SharePoint flaws during its July 8 Patch Tuesday event, and a couple weeks later admitted that the software update didn't fully fix the issues. The Windows giant issued working patches on July 21 to address its earlier flawed fixes, but by then the bugs were already under mass exploitation.
This led some to speculate that whomever was exploiting the CVEs knew about them in advance – and also knew how to bypass the original patches.
"A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register in July. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day."
One possible explanation: Someone leaked details from the MAPP update to Beijing.
Childs said ZDI was able to poke holes in the initial patches. China does not lack talented security researchers capable of doing likewise.
At the time, Microsoft declined to answer The Register's specific questions about what role, if any, MAPP played in the SharePoint attacks. "As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly," a Microsoft spokesperson told us in July.
Microsoft today declined to comment on its internal investigation.
Childs today told The Register that the MAPP change "is a positive change, if a bit late. Anything Microsoft can do to help prevent leaks while still offering MAPP guidance is welcome."
"In the past, MAPP leaks were associated with companies out of China, so restricting information from flowing to these companies should help," Childs said. "The MAPP program remains a valuable resource for network defenders. Hopefully, Microsoft can squelch the leaks while sending out the needed information to companies that have proven their ability (and desire) to protect end users."
Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.
The ClickFix technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks. It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.
Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions. Organizations could thus reduce the impact of this technique by educating users in recognizing its lures and by implementing policies that will harden the device configurations in their environment (for example, disallowing users to use the Run dialog if it’s not necessary in their daily tasks). Microsoft Defender XDR also provides a comprehensive set of protection features that detect this threat at various stages of the attack chain.
This blog discusses the different elements that make up a ClickFix campaign—from the arrival vectors it comes with to its various implementations—and provides different examples of threat campaigns we’ve observed to further illustrate these elements. We also provide recommendations and detection details to surface and mitigate this threat.
helpnetsecurity.com 20.08.2025 - Apple has fixed yet another vulnerability (CVE-2025-43300) that has apparently been exploited as a zero-day in targeted attacks.
CVE-2025-43300 is an out-of-bounds write issue that could be triggered by a vulnerable device processing a malicious image file, leading to exploitable memory corruption.
The vulnerability affects the Image I/O framework used by Apple’s iOS and macOS operating systems.
Apple has fixed this flaw with improved bounds checking in:
iOS 18.6.2 and iPadOS 18.6.2
iPadOS 17.7.10
macOS Sequoia 15.6.1
macOS Sonoma 14.7.8
macOS Ventura 13.7.8
With Apple claiming the discovery of the vulnerability, it’s unlikely that we will soon find out who is/was leveraging it and for what.
But even though these attacks were apparently limited to targeting specific individuals – which likely means that the goal was to delivery spyware – all users would do well to upgrade their iDevices as soon as possible.
