mercurynews.com
By Ethan Baron |
‘Top Secret’ files among those allegedly misappropriated by software engineer losing job at Santa Clara chip giant Intel
At first the software engineer did not succeed in making off with a trove of Santa Clara computer chip giant Intel’s trade secrets, but then he tried again.
Jinfeng Luo, at Intel since 2014, had been told July 7 his job at the company would be terminated, effective July 31, according to a lawsuit Intel filed against him Friday.
Eight days before his employment was to end, Luo allegedly hooked up an external hard drive to his Intel laptop, but when he tried to download a file, the company’s internal controls blocked the transfer, the lawsuit claimed.
Five days later, the lawsuit alleged, Luo deployed a different technology, a more sophisticated gadget that resembles a small computer server, called a network storage device.
Over the next three days, Luo downloaded nearly 18,000 files, including some labeled “Intel Top Secret,” the lawsuit in Washington State court said.
It was unclear Wednesday if Luo had a lawyer representing him in the case, and he could not immediately be reached for comment.
Intel, accusing Luo of breaking federal and state trade-secrets laws, is seeking at least $250,000 in compensation from him. The company also wants a court order forcing Luo to hand over his personal electronic devices for inspection, and requiring him to give the company its allegedly misappropriated confidential information.
The Santa Clara chip maker, outshone in the public eye by its consumer-facing Silicon Valley neighbors Google, Apple and Facebook — received a turn in the national spotlight over the summer when President Donald Trump announced that the federal government — using previously issued but mostly unpaid grants and funding pledges — was taking a 10% stake in the company.
The lawsuit did not make clear why Luo, of Seattle, was terminated from his job. Intel said in a June regulatory filing that it planned to slash its workforce by 15% this year.
Intel detected Luo’s alleged data transfers and launched an investigation, the lawsuit said.
For almost three months, the company tried to reach Luo — a rundown of Intel’s efforts to contact him takes up two pages of the 14-page lawsuit — but he never responded to the phone calls, emails and letters, the lawsuit claimed.
“Luo has refused to even engage with Intel,” the lawsuit claimed, “let alone return the files.”
www.politico.com
Katherine Tully-McManus
11/10/2025, 2:01pm ET
Library of Congress employees were informed to take caution when emailing the office of the congressional scorekeeper.
A cybersecurity breach discovered last week affecting the Congressional Budget Office is now considered “ongoing,” threatening both incoming and outgoing correspondence around Congress’ nonpartisan scorekeeper.
Employees at the Library of Congress were warned in a Monday email, obtained by POLITICO, that the CBO cybersecurity incident is “affecting its email communications” and that library staff should take a range of measures to protect themselves.
Library of Congress workers also were told to restrict their communication with the nonpartisan agency tasked with providing economic and budgetary information to lawmakers.
“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email reads.
“Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message,” the note continues.
Congressional staff are in regular communication with CBO regarding scores of legislation and cost estimates the agency prepares for bills in both the House and Senate.
There was no immediate information Monday about the broader implications that a legislative branch office was continuing to experience cybersecurity vulnerabilities.
A CBO spokesperson said last week that officials had taken “immediate action to contain” the breach as officials investigate the incident.
When asked for comment Monday about ongoing issues, the CBO spokesperson referred to the prior statement.
gbhackers.com
By Divya
November 3, 2025
A severe unauthenticated Remote Code Execution vulnerability in Ubiquiti's UniFi OS that earned a substantial $25,000 bug bounty reward.
Security researchers have uncovered a severe unauthenticated Remote Code Execution vulnerability in Ubiquiti’s UniFi OS that earned a substantial $25,000 bug bounty reward.
Tracked as CVE-2025-52665, this critical flaw allows attackers to gain complete control of UniFi devices without requiring any credentials or user interaction, posing significant risks to organizations using UniFi Dream Machine routers and access control systems.
Misconfigured API Exposes Critical Attack Surface
The vulnerability originated from a misconfigured backup API endpoint at /api/ucore/backup/export that was designed to operate only on the local loopback interface.
However, researchers discovered the endpoint was externally accessible through port 9780, bypassing intended security restrictions.
The flaw stems from improper input validation on the dir parameter, which the backup orchestration system passes directly to shell commands without sanitization or escaping.
When researchers analyzed the UniFi Core service code, they found that the backup operation chains multiple shell commands including mktemp, chmod, and tar that directly interpolate the user-supplied directory path.
This design pattern created a perfect opportunity for command injection attacks, as metacharacters in the input would be interpreted as new shell commands rather than literal path components.
Researchers successfully exploited the vulnerability by crafting a malicious JSON payload that terminated the intended command and injected arbitrary code.
The attack required sending a POST request to the exposed endpoint with a specially formatted dir parameter containing command injection sequences.
By using semicolons to separate commands and hash symbols to comment out remaining shell syntax, attackers could execute arbitrary commands with full system privileges.
The researchers demonstrated the severity by exfiltrating the /etc/passwd file and establishing a reverse shell connection, proving complete interactive access to the compromised device.
Beyond basic system access, the vulnerability provided direct entry into UniFi Access components, granting attackers control over physical door systems and NFC credential management infrastructure.
The investigation revealed multiple unauthenticated API endpoints beyond the primary RCE vulnerability.
Researchers found that /api/v1/user_assets/nfc accepted POST requests to provision new credentials without authentication, while /api/v1/user_assets/touch_pass/keys exposed sensitive credential material including Apple NFC keys and Google Pass authentication data containing PEM-formatted private keys.
These additional exposures compound the security impact, allowing attackers to manipulate access control systems and steal cryptographic credentials that protect mobile and NFC-based authentication mechanisms.
bleepingcomputer.com
By Bill Toulas
November 12, 2025
An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.
Although the vendor needed a longer period to confirm that the flaw was leveraged in attacks, despite multiple third-party reports claiming it was used in attacks, exploits became available in early July, and CISA tagged it as exploited.
The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.
In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.
The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.
It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.
The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.
Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.
It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and limit access to edge network devices through firewalls and layering.
| TechCrunch
techcrunch.com
Zack Whittaker
4:47 AM PST · November 12, 2025
Australia's intelligence chief warned that Chinese hackers are trying to break into its networks, sometimes successfully, to "pre-position" for sabotage ahead of an anticipated invasion of Taiwan.
Australia’s intelligence head Mike Burgess has warned that China-backed hackers are “probing” the country’s critical infrastructure, and in some cases have gained access.
Burgess, who heads the country’s main intelligence agency, the Australian Security Intelligence Organisation, said that at least two China government-backed hacking groups are pre-positioning for sabotage and espionage.
The comments, made during a conference speech in Melbourne on Wednesday, echo similar remarks by the U.S. government, which has warned that the ongoing hacking campaigns may pose risks of economic and societal disruption.
According to Burgess, a hacker group known as Volt Typhoon is trying to break into critical infrastructure networks such as power, water, and transportation systems. Burgess warned that successful hacks could affect energy and water supplies, and cause widespread outages.
The U.S. has previously said that the Chinese hackers have spent years planting malware on critical infrastructure systems that are capable of causing disruptive cyberattacks when activated. U.S. officials said that Volt Typhoon’s goals are to hamper the U.S.’ response to China’s anticipated future invasion of Taiwan.
“I do not think we — and I mean all of us — truly appreciate how disruptive, how devastating, this could be,” said Burgess, speaking about the threat. He said that once the hackers have access, what happens next is a “matter of intent, not capability.”
Burgess also warned that another China-backed hacking group dubbed Salt Typhoon, known for hacking into the networks of phone and internet companies to steal call records and other sensitive data, was also targeting the country’s telecoms infrastructure.
Salt Typhoon has hacked more than 200 phone and internet companies, according to the FBI, including AT&T, Verizon and Lumen, along with several other cloud and data center providers. The hacks prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps to avoid having their calls and text messages accessed by the hackers.
The Canadian government also confirmed earlier this year that its telcos were breached as part of China-linked attacks.
China has long denied the hacking allegations.
forbes.com
By Lars Daniel
Nov 10, 2025
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses.
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses. The breach, which occurred in February but is only now being disclosed, represents the automotive giant's third major security incident in as many years.
How the Breach Happened
Think of Hyundai AutoEver America, or HAEA, as the digital nervous system for Hyundai, Kia and Genesis operations in North America. This California-based company manages everything from the software that enables remote car features to the computer systems dealerships use to process your purchase.
Between February 22 and March 2 of this year, hackers broke into these systems and roamed freely for nine days before being detected. That’s like a burglar having unsupervised access to a bank vault for over a week. Plenty of time to identify and steal important data.
The company discovered the intrusion on March 1st and says it immediately kicked the attackers out and brought in cybersecurity forensics teams. But the investigation took months, and notification letters are now being sent out to those confirmed to be affected: more than seven months after the attack ended.
What Information Was Stolen
The exposed data includes:
Hyundai AutoEver hasn’t said exactly how many people were affected, but regulatory filings show the breach reached multiple states. The upper limit is potentially massive: HAEA’s systems connect to 2.7 million vehicles across North America.
To put that in perspective, that’s roughly the entire population of Chicago potentially at risk. However, only individuals confirmed to be affected will receive notification letters.
This Keeps Happening to Hyundai
This isn’t Hyundai's first rodeo with hackers.
In early 2024, the Black Basta ransomware gang hit Hyundai Motor Europe, claiming to steal 3 terabytes of data, equivalent to about 750,000 digital photos or five hundred hours of high-definition video. That attack exposed everything from HR records to legal documents across multiple departments.
Before that, in 2023, breaches at Hyundai's Italian and French operations leaked customer email addresses, home addresses, and vehicle identification numbers.
Security researchers have also found serious vulnerabilities in Hyundai and Kia’s smartphone apps that could let hackers remotely control vehicles.
The Modern Car Is a Computer on Wheels
Here's what makes automotive breaches particularly concerning: Your car isn't just transportation anymore. It's a rolling data center.
Modern vehicles collect and transmit information constantly:
Where you drive and when
Your home and work addresses
How fast you accelerate and brake
When you service your vehicle
Your purchase and financing details
When hackers breach the IT provider managing this digital ecosystem, they don’t just get your Social Security number. They potentially access a comprehensive profile of your life and habits. It’s like the difference between someone stealing your wallet versus breaking into your phone. The phone contains exponentially more information about you.
What You Should Do Right Now
If you own or lease a Hyundai, Kia, or Genesis vehicle:
Immediate Actions:
Check your credit reports for unauthorized accounts or inquiries. You can get free reports at AnnualCreditReport.com
Monitor bank and credit card statements weekly for suspicious charges
Enable transaction alerts on your financial accounts
If You Receive a Notification Letter:
Enroll in the free credit monitoring within 90 days using the unique code provided
The service runs for two years and monitors all three credit bureaus
Call the dedicated hotline at 855-720-3727 with questions
For Everyone, Breached or Not:
Consider a credit freeze with Equifax, Experian and TransUnion. This prevents identity thieves from opening new accounts in your name
Enable fraud alerts which require creditors to verify your identity before issuing credit
Watch for phishing scams exploiting breach news. Hyundai will never ask for your Social Security number or payment information via email
The Uncomfortable Truth About Data Breaches
Data breaches have become depressingly routine. In 2024 alone, major incidents hit healthcare providers, retailers, financial institutions, and now automotive companies joining the list with alarming frequency.
But there's something particularly unsettling about automotive breaches. You chose your bank and can switch it. You chose your doctor and can change providers. But if you bought a Hyundai three years ago, you're stuck with their security practices until you sell the vehicle. Your data sits in their systems whether you like it or not.
And unlike a credit card breach where the bank typically covers fraudulent charges, identity theft involving Social Security numbers can create problems that take years to resolve. Victims may discover the theft only when they're denied a loan, receive bills for services they never used, or have their tax returns rejected because someone else already filed using their information.
What Hyundai Is Saying
In its breach notification, Hyundai AutoEver stated: "We regret that this incident occurred and take the security of personal information seriously."
The company says it’s investing in "additional security enhancements designed to mitigate future risk." But given this is the third major breach in three years across Hyundai Motor Group entities, many cybersecurity experts argue the company needs more than enhancements: it needs a fundamental security overhaul.
The automotive industry finds itself caught between competing pressures. Customers want connected features: remote start from their phone, navigation that predicts traffic, software updates that add new capabilities. These features require extensive data collection and cloud connectivity.
But every connection creates a potential vulnerability. Every database becomes a target. And when IT providers centralize services for millions of vehicles, they become high-value targets offering hackers a massive potential payoff from a single breach.
The challenge for automakers isn’t just fixing the specific vulnerabilities that enabled this breach. It’s fundamentally rethinking how they secure the growing mountain of customer data their business models now require.
bleepingcomputer.com
By Lawrence Abrams
November 11, 2025
The Rhadamanthys infostealer operation has been disrupted, with numerous
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.
According to cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.
Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.
"I confirm that guests have visited my server and the password has been deleted.rootServer login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the "smart panel" were hit hard," wrote another subscriber.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.
Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, and the AVCheck site, SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.
BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.
techdigest.tv
10 November 2025
Chris Price
A catastrophic data breach at Chinese cybersecurity firm Knownsec has exposed a state-backed cyber arsenal and global surveillance targets.
A prominent Chinese cybersecurity firm with ties to the government, Knownsec, has suffered a catastrophic data breach, exposing over 12,000 classified documents detailing the inner workings of China’s state-sponsored cyber espionage program.
The leak of over 12,000 classified documents provides an unprecedented window into the operational infrastructure supporting China’s intelligence-gathering efforts, triggering significant international concern.
The leaked materials initially appeared on GitHub before being removed for terms-of-service violations. They reveal a vast technical arsenal, including sophisticated Remote Access Trojans (RATs) engineered to compromise every major operating system, specifically Linux, Windows, macOS, iOS, and Android.
The documents detail the use of highly specialized surveillance tools. These include Android attack code capable of extracting extensive message histories from popular chat applications, enabling targeted spying on specific individuals.
Even more concerning is the detail on hardware-based attack vectors. The firm allegedly developed a maliciously engineered power bank that can covertly exfiltrate data when connected to a victim’s computer, representing a sophisticated, hands-on supply-chain attack. This highlights the willingness of state-sponsored programs to invest in complex infrastructure to circumvent traditional security controls.
The archives also contain detailed spreadsheets documenting alleged breaches against more than 80 overseas targets. The scale of the data theft is massive, listing 95GB of immigration records from India, 3TB of call records from South Korea’s LG U Plus, and 459GB of road planning data from Taiwan.
The target list explicitly names over twenty countries and regions, including the United Kingdom, Japan, and Nigeria.
Knownsec, founded in 2007 and backed by Tencent, holds a trusted position within China’s security apparatus, providing services to government departments and major financial institutions. This prominence amplifies the significance of the leak.
In response to the disclosure, a Chinese Foreign Ministry spokesperson was evasive, stating unfamiliarity with any Knownsec breach while asserting that China “firmly opposes and combats all forms of cyberattacks.”
Analysts note this measured response avoided denying government support for such operations, underscoring Beijing’s positioning of cyber activities as national security instruments. Cybersecurity specialists worldwide are now studying the exposed data to improve global defense strategies.
Sky News Australia
Max Melzer
An Iranian-backed hacking group has posted plans for Australia's new $7 billion infantry fighting vehicles online following a spate of attacks on Israeli arms companies.
Plans for Australia's new $7 billion Redback infantry fighting vehicles have been stolen and posted online by Iran-backed hackers following a spate of attacks on Israeli arms companies.
Cyber Toufan, a hacking group believed to have ties to the Iranian state, posted classified 3D renderings and technical details of the next generation fighting vehicles on Telegram.
The group claimed to have stolen confidential data from 17 Israeli defence companies in a major cyberattack carried out after it gained access to supply chain firm MAYA Technologies over a year ago.
Israel’s Elbit Systems, which was contracted to provide hi-tech weapons turrets for the Redbacks, was among the companies targetted.
Skynews.com.au has contacted Elbit Systems for comment.
In addition to the exposure of sensitive details about the fighting vehicles' technical specifications, the documents posted by Cyber Toufan also revealed the Australian Defence Force had apparently been weighing whether to purchase Spike NLOS anti-tank missiles from the Israeli company.
It is not fully clear how much data was stolen in the hack or whether the details published online could be used to develop countermeasures to the Redback's defensive and offensive capabilities.
The Australian Army is set to receive 127 of the fighting vehicles under a roughly $7 billion contract with South Korean firm Hanwha Defence.
Elbit Systems' turrets will be affixed to the Redback's under a separate contract worth around $920 million.
The Israeli firm's involvement with the project had drawn criticism due to Israel's war in Gaza, although Defence Industry Minister Pat Conroy has repeatedly defended the company's involvement.
"We make no apology for getting the best possible equipment for the Australian Defence Force," he told the Indo-Pacific Maritime Exposition last week.
Cyber Toufan's attacks underscore the growing threat of hacking groups targetting sensitive military data.
The Australian Signals Directorate warned in its 2025 Cyber Threat Report that government and defence-related information was "an attractive target for state-sponsored cyber actors".
AUKUS remains the principle target for hostile actors, although Australian Security Intelligence Organisation Director-General Mike Burgess revealed even "countries we consider friendly" were attempting to gather intelligence about the nuclear submarine program.
"ASIO has identified foreign services seeking to target AUKUS to position themselves to collect on the capabilities, how Australia intends to use them, and to undermine the confidence of our allies," he warned in his annual threat assessment earlier this year.
Several Australian defence projects have already faced hacks in recent years, including in 2017 when a defence contractor was breached and data on the nation's F-35 program and the Collins-class submarine program was exposed.
Shipbuilder Austal was also successfully targetted by hackers in 2018.
akamai.com
Nov 06, 2025
Akamai is aware of content and connectivity filtering within Russia. Although we have not yet seen wholesale blocking of our platform for users, Russian network operator actions and actions by the Russian government may impact delivery to some users within some networks.
Such blocks often happen without any advance notice and are beyond our control. This is a highly dynamic situation as the nature and targets of filtering and blocking are changing without notice or visibility.
The Akamai network can automatically adapt to some of these impacts. However, it is impossible for us to respond to all Russian government actions (including IP-based blocks, SNI-based blocks, traffic throttling, total network shutdowns, and potential others).
Because of the constantly evolving situation — including active hostilities — ongoing delivery of traffic to users in Russia is provided, unfortunately, on a best-effort basis.
mozilla.org
November 7, 2025
Brian Smith
Firefox Support for Organizations adds a new layer of help for teams and businesses that need confidential, reliable, and customized levels of support.
Increasingly, businesses, schools, and government institutions deploy Firefox at scale for security, resilience, and data sovereignty. Organizations have fine-grained administrative and orchestration control of the browser’s behavior using policies with Firefox and the Extended Support Release (ESR). Today, we’re opening early access to Firefox Support for Organizations, a new program that begins operation in January 2026.
What Firefox Support for Organizations offers
Support for Organizations is a dedicated offering for teams who need private issue triage and escalation, defined response times, custom development options, and close collaboration with Mozilla’s engineering and product teams.
Private support channel: Access a dedicated support system where you can open private help tickets directly with expert support engineers. Issues are triaged by severity level, with defined response times and clear escalation paths to ensure timely resolution.
Discounts on custom development: Paid support customers get discounts on custom development work for integration projects, compatibility testing, or environment-specific needs. With custom development as a paid add-on to support plans, Firefox can adapt with your infrastructure and third-party updates.
Strategic collaboration: Gain early insight into upcoming development and help shape the Firefox Enterprise roadmap through direct collaboration with Mozilla’s team.
Support for Organizations adds a new layer of help for teams and businesses that need confidential, reliable, and customized levels of support. All Firefox users will continue to have full access to existing public resources including documentation, the knowledge base, and community forums, and we’ll keep improving those for everyone in future. Support plans will help us better serve users who rely on Firefox for business-critical and sensitive operations.
The EU Commission has announced that it will "immediately" stop funding individuals or organizations involved in "serious professional misconduct." This follows an investigation by Follow the Money (FtM) which revealed that EU funds amounting to millions of euros have been directly channeled to commercial spyware firms in recent years.
In September, the FtM portal, in collaboration with other media partners, uncovered that the spyware industry is receiving substantial subsidies from the EU while simultaneously surveilling its citizens. According to the report, the Intellexa Group, which developed the Predator state trojan, has, through affiliated companies, secured public funding, particularly through innovation programs. Cognyte, CyGate, and Verint are also reported to have received financial support from EU sources for their surveillance technologies, such as spyware, whose solutions are frequently mentioned in the context of human rights violations.
In response, 39 EU parliamentarians from four political groups have jointly requested concrete answers from the Commission in a letter. The representatives lamented that the EU is, apparently unintentionally, funding instruments that have been or are being used for repressive purposes in member states like Poland, Greece, and Hungary, as well as in authoritarian third countries. This, they argue, undermines fundamental rights and democracy.
According to the letter, the Commission has apparently failed to verify the trustworthiness, ownership structure, and human rights compliance of these companies. The requested end-user clauses or dual-use controls, which assess whether a product can be misused for civilian, military, and police purposes, are apparently not being effectively enforced. The revelations indicate that the Brussels-based governing institution is not sufficiently adhering to recommendations from the parliamentary inquiry committee on spyware scandals in this highly sensitive area.
Commission Stands By
In its statement, according to an FtM newsletter, the Commission explains that law enforcement agencies and intelligence services may "lawfully use spyware for legitimate purposes." However, it fails to list all EU programs from which surveillance companies have benefited. Specifically, information regarding grants from the European Social Fund and another financial pot awarded to the Italian surveillance company Area is missing.
The executive body also fails to mention financial flows to the notorious spyware manufacturer Hacking Team, the report continues. Even recent transfers from the European Investment Fund (EIF) to the Israeli spyware company Paragon Solutions, which is currently at the center of a scandal in Italy, remain unmentioned. Instead of proposing new protective measures, the Commission merely refers to the existing legal framework for protection against the illegal use of spyware.
The EU executive is "hiding behind vague references to 'EU values'," criticizes Aljosa Ajanovic Andelic from the initiative European Digital Rights (EDRi) regarding the response to FtM. It openly admits that "European funds have financed companies whose technologies are used for espionage against journalists and human rights defenders." This, he states, demonstrates a complete lack of effective control mechanisms. Green Party MEP Hannah Neumann criticizes that the Commission has taken hardly any action in the past two years following the committee's report.
| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
9:35 AM PST · November 6, 2025
WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.
Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.
On Thursday, Nicodemo said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”
“It is time to ask a very simple question: Why? Why me? How is it possible that such a sophisticated and complex tool was used to spy on a private citizen, as if he were a drug trafficker or a subversive threat to the country?” Nicodemo wrote. “I have nothing more to say. Others must speak. Others must explain what happened.”
Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.
The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians.
Governments and spyware makers have long claimed that their surveillance products are used against serious criminals and terrorists, but these recent cases show that this isn’t always true.
“The Italian government has given some spyware targets clarity and explained the cases. But others remain troublingly unclear,” said John Scott-Railton, a senior researcher at The Citizen Lab, who has for years investigated spyware companies and their abuses, including some involving the use of Paragon spyware.
“None of this looks good for Paragon, or for Italy. That’s why clarity from the Italian government is so essential. I believe that if they wanted to, Paragon could give everybody a lot more clarity on what’s going on. Until they do, these cases are going to remain a weight around their neck,” said Scott-Railton, who confirmed that Nicodemo received the notification from WhatsApp.
Natale De Gregorio, who works with Nicodemo at their public relations firm Lievito Consulting, told TechCrunch in an email that Nicodemo did not want to comment beyond what he told Fanpage and his public Facebook post.
At this point, it’s unclear who among Paragon customers targeted Nicodemo, but an Italian parliamentary committee confirmed in June that some of the victims in Italy were targeted by Italian intelligence agencies, which are under the purview of right-wing prime minister Giorgia Meloni.
A spokesperson for the Italian prime minister’s office did not respond to a request for comment from TechCrunch.
Jennifer Iras, the vice president of marketing for REDLattice, a cybersecurity company that has merged with Paragon after the Israeli spyware maker was acquired by U.S. private equity giant AE Industrial, also did not respond to a request for comment.
In February, following the revelations of the first wave of victims in Italy, Paragon cut ties with its government customers in Italy, specifically the intelligence agencies AISE and AISI.
Later in June, the Italian Parliamentary Committee for the Security of the Republic, known as COPASIR, concluded that some of the Paragon spyware victims that had been identified publicly, namely the immigration activists, were lawfully hacked by Italian intelligence services.
COPASIR, however, said there was no evidence that Francesco Cancellato, the director of Fanpage.it, an Italian news website that has investigated the youth wing of the far-right ruling party in Italy, led by Meloni, had been targeted by either of Italy’s intelligence agencies, the AISI and AISE.
COPASIR also did not investigate the case of Cancellato’s colleague Ciro Pellegrino.
Paragon, which told TechCrunch that the U.S. government is one of its customers, has an active contract with U.S. Immigration and Customs Enforcement.
| RTS Radio Télévision Suisse
08.11.2025
La Suisse prise en étau dans une guerre avec des dommages catastrophiques. Des cyberattaques massives contre les infrastructures ferroviaires et hospitalières. C'est le scénario imaginé par la Confédération pour un exercice de sécurité nationale mené sur deux jours.
Cet exercice de simulation de cyberattaques, d'ampleur inédite et gardé secret, s'est achevé vendredi soir et visait à évaluer la capacité du pays à résister à des menaces hybrides.
Toutes les couches politiques ont été concernées: le Conseil fédéral, le Parlement, les 26 cantons et 5 villes ont ainsi participé. C'est la première fois que la collaboration de crise est testée avec les cantons mais aussi des organisations scientifiques, la Migros, les CFF et plusieurs hôpitaux, avec un scénario jugé plausible face à la menace de cyberattaques en Suisse.
Capacité de coordination
Par exemple dans le canton de Vaud, le scénario imaginait un blackout à la Vallée de Joux ou la maternité du CHUV évacuée.
Toutes ces catastrophes existaient uniquement sur le papier, sans impact pour la population, avec un objectif: tester la capacité de coordination pour prendre des décisions d'urgence malgré le millefeuille fédéral.
La Chancellerie reconnaît que le fédéralisme a pu freiner la prise de certaines décisions. Mais le résultat est jugé globalement positif selon un bilan intermédiaire de la Confédération, avec un exercice mené à terme et des participants qui se sont tous pris au jeu.
L'évaluation complète seront rendus dans le courant du premier semestre 2026.
Le groupe informatique fait partie de la dizaine d’entreprises ciblées par les hackers de Clop, qui imposent un ultimatum de vingt-quatre heures.
Le groupe de hackers russe Clop a donné un ultimatum de vingt-quatre heures à Logitech.
Contacté ce vendredi en début d’après-midi, le siège du groupe à Lausanne «ne souhaite pas faire de commentaire à ce stade».
L’attaque vise une dizaine de grandes entreprises et institutions, dont le «Washington Post».
Le fabricant de périphériques informatiques Logitech figure parmi les cibles d’une vaste offensive perpétrée par le groupe de hackers Clop. Ce dernier en a fait l’annonce vendredi matin sur le dark web. Et indique avoir imposé un ultimatum de vingt-quatre heures au groupe helvético-américain, fondé en 1981 à Lausanne. En clair, ce dernier est sommé de payer une rançon, s’il ne veut pas voir les masses de données subtilisées sur ses serveurs disséminées sur le web.
Ces trois derniers jours, le groupe cybercriminel a mentionné une dizaine d’autres entreprises victimes de cette attaque. Mais également des institutions comme l’Université de Harvard ou le «Washington Post».
«Pas de commentaire» de Logitech
Contacté ce vendredi en début d’après-midi, le siège européen de Logitech indique qu’il «ne souhaite pas faire de commentaire à ce stade» sur cette offensive visant son système informatique.
«Attendons vingt-quatre heures pour voir de quoi il en retourne, Clop est l’un des acteurs les plus en vue de ces détournements de données et ils n’ont vraiment pas l’habitude de bluffer», réagit un fin connaisseur du dark web. «Peut-être Logitech essaie-t-il de gagner du temps, afin de négocier pour éviter que des masses de documents confidentiels ne soient rendus publics», s’interroge ce dernier.
La surveillance régulière de telles opérations a permis à cet expert de retrouver, depuis le début de l’année, des données volées provenant d’une quarantaine de sociétés suisses. Il s’agit avant tout de celles ayant refusé de payer face au chantage. «Au départ, elles étaient environ trois fois plus nombreuses à être désignées comme cibles, ce qui semble indiquer que près des deux tiers finissent malheureusement par payer», estime ce dernier.
Une brèche dans un logiciel mène à la cyberattaque
Selon les spécialistes, la vaste attaque des derniers jours aurait été perpétrée en utilisant la même «brèche» dans un logiciel professionnel Oracle. Après la revendication de Clop, le «Washington Post» a confirmé jeudi, sur Reuters, être victime d’une cyberattaque liée à une faille dans sa plateforme Oracle E-Business Suite (EBS).
Selon le site spécialisé TechNadu, ce logiciel est utilisé par les grandes entreprises pour «gérer leurs opérations commerciales critiques, la logistique, la production ou la gestion de la relation client». Les équipes de Google estimaient le mois dernier que cette campagne a visé une centaine d’entreprises dans le monde.
Souvent identifié par le pseudo Cl0p^_-Leaks, le groupe de «ransomware» russophone, un des plus anciens en activité, a été identifié en 2019. Il est spécialisé dans le racket de grandes sociétés – celles ayant le plus de moyens pour payer.
reuters.com
By Raphael Satter and A.J. Vicens
November 7, 20254:21 PM GMT+1Updated 22 hours ago
The Washington Post said it is among victims of a sweeping cyber breach tied to Oracle (ORCL.N), opens new tab software.
In a statement released on Thursday, the newspaper said it was one of those impacted "by the breach of the Oracle E-Business Suite platform."
The paper did not provide further detail, but its statement comes after CL0P, the notorious ransomware group, said on its website that the Washington Post was among its victims. CL0P did not return messages seeking comment. Oracle pointed Reuters to a pair of security, opens new tab advisories, opens new tab issued last month.
Ransom-seeking hackers typically publicize their victims in an effort to shame them into making extortion payments, and CL0P are among the world's most prolific. The hacking squad is alleged to be at the center of a sweeping cybercriminal campaign targeting Oracle's E-Business Suite of applications, which Oracle clients use to manage customers, suppliers, manufacturing, logistics, and other business processes.
Google said last month that there were likely to be more than 100 companies affected by the intrusions.
| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
8:36 AM PST · November 7, 2025
The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more than a year.
The U.S. Congressional Budget Office has confirmed it was hacked.
Caitlin Emma, a spokesperson for CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”
CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.
On Thursday, The Washington Post, which first revealed the breach, reported that unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are worried that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.
Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between CBO and the offices could have been compromised and used to craft and send phishing attacks.
It’s unclear how the hackers gained access to the CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited the CBO’s outdated Cisco firewall to break into the agency’s network.
Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the CBO’s firewall was allegedly vulnerable to a series of newly discovered security bugs, which were being exploited by suspected Chinese government-backed hackers.
Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown took effect on October 1.
On Thursday, Beaumont said that the firewall is now offline.
The CBO’s spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.
bleepingcomputer.com
By Sergiu Gatlan
November 7, 2025
Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.
The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.
When chained, these vulnerabilities allow remote, unauthenticated attackers to gain complete control over unpatched systems.
The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.
Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.
Now exploited in DoS attacks
"Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes," a Cisco spokesperson told BleepingComputer this week.
"On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions."
CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.
On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it didn't directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was "not aware of any public announcements or malicious use of the vulnerability."
Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.
More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).
"We strongly recommend all customers upgrade to the software fixes outlined in our security advisories," Cisco added on Thursday.
| Eurojust | European Union Agency for Criminal Justice Cooperation
eurojust.europa.eu
Eurojust Press Team
Nine people suspected of money laundering have been arrested during a synchronised operation that took place in three countries at the same time. The suspects set up a cryptocurrency money laundering network that scammed victims out of over EUR 600 million. Eurojust, the EU’s judicial cooperation hub, ensured that French, Belgian, Cypriot, German and Spanish authorities worked together to take the network down.
The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns. They recruited their victims using a variety of methods such as social media advertising, cold calling, fake news articles and fake testimonials from celebrities or successful investors.
When victims would transfer cryptocurrency to the platforms, they were never able to recover their money. The crypto assets earned through the various scams were then laundered using blockchain technology. The criminals were able to launder approximately EUR 600 million.
Investigations into the network started when authorities received several complaints from victims. Eurojust ensured that the authorities were able to work together in a fast and efficient manner by setting up a joint investigation team between French and Belgian authorities. As other countries had to be involved during the actions, Eurojust brought prosecutors and investigative judges from France, Belgium, Cyprus, Spain and Germany together to plan the takedown of the network.
Actions against the suspects took place on 27 and 29 October and were coordinated from the Eurojust premises in The Hague. Nine suspects were arrested at their homes in Cyprus, Spain and Germany on suspicion of their involvement in money laundering from fraudulent activities. At the same time, searches took place that resulted in the seizure of EUR 800 000 in bank accounts, EUR 415 000 in cryptocurrencies and EUR 300 000 in cash.
The actions were carried out by the following authorities:
France: Investigative Judge of the Court of Paris JUNALCO (National Jurisdiction against Organised Crime) - Cybercrime Unit; Gendarmerie Nationale - Cyber Unit
Belgium: PPO Limburg; Investigating Judge of the Court of 1st Instance in Limburg; Federal Judicial Police Limburg
Cyprus: Attorney General's Office; MOKAS; Cyprus Police
Germany: Public Prosecutor’s Office Cologne; Cologne Criminal Police
Spain: PPO Barcelona - International Cooperation Section; Investigative Court num 5 in Vilanova i la Geltrú; Mossos d’Esquadra (Cybercrime Central Area); Policía Nacional (Cybercrime Central Unit and Barcelona and Oviedo Provincial Brigade of Judicial Police)
| The Record from Recorded Future News
therecord.media
Alexander Martin
November 3rd, 2025
The U.K.'s water suppliers have reported five cyberattacks since January 2024, according to information reviewed by Recorded Future News. The incidents did not affect the safety of water supplies, but they highlight an increasing threat.
None of the attacks impacted the safe supply of drinking water itself, but instead affected the organizations behind those supplies. The incidents, a record number in any two-year period, highlight what British intelligence warns is an increasing threat posed by malicious cyber actors to the country’s critical infrastructure.
The data shared by the Drinking Water Inspectorate (DWI) showed the watchdog received 15 reports from suppliers between January 1, 2024, and October 20, 2025. These were sent under the NIS Regulations, which is just one part of the extensive legal framework governing the security of drinking water systems in Britain.
Of these reports, five regarded cybersecurity incidents affecting what the DWI called “out-of-NIS-scope systems” with the others being non-cyber operational issues. Further details of the 15 reports were not shared with Recorded Future News..
Currently, the NIS Regulations limit formally reportable cyber incidents to those that actually result in disruption to an essential service. If British infrastructure suppliers were impacted by hacks such as the pre-positioning campaign tracked as Volt Typhoon, suppliers would not have a legal duty to disclose them.
DWI said the five incidents that were disclosed to the watchdog were shared for information purposes because they were considered to be “related to water supply resilience risks.”
British officials are expected to try to amend this high bar for reporting when the government updates those laws through the much-delayed Cyber Security and Resilience Bill, when it is finally introduced to Parliament later this year.
A government spokesperson said: “The Cyber threats we face are sophisticated, relentless and costly. Our Cyber Security and Resilience Bill will be introduced to Parliament this year and is designed to strengthen our cyber defences — protecting the services the public rely on so they can go about their normal lives.”
Five reports better than none
That the reports were made despite not being required by the NIS Regulations was a positive sign, said Don Smith, vice president threat research at Sophos.
“Critical infrastructure providers, like any modern connected enterprise, are subject to attacks from criminal actors daily. It is no surprise that security incidents do occur within these enterprises, despite the compliance regimes that they’re subjected to,” Smith told Recorded Future News when asked about the data.
“I think we should be encouraged that these reports were shared outside of the scope of the NIS Regulations. It is very useful for critical infrastructure operators to understand the nature of these attacks, both in the case of commodity threats and if there’s an advanced adversary operating, and a culture of information sharing helps widen everyone’s aperture.”
Although there have been ransomware attacks against the IT office systems used by water companies — including on South Staffs Water in the U.K. and Aigües de Mataró in Spain — it is extremely rare for cyberattacks on water suppliers to actually disrupt supplies.
In one rare case of a successful attack on an OT (operational technology) component, residents of a remote area on Ireland’s west coast were left without water for several days in December 2023 when a pro-Iran hacking group indiscriminately targeted facilities using a piece of equipment the hackers complained was made in Israel.
The U.S. federal government had issued a warning about the exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector. Attacks on PLCs, core technology components in a lot of industrial control systems, are one of the main concerns of critical infrastructure defenders.
Initiatives to improve the security of water systems in the United States faltered under the Biden administration when water industry groups partnered with Republican lawmakers to put a halt to the federal efforts, despite significant increases in the number of ransomware attacks and state-sponsored intrusions.
Last week, Canadian authorities warned of an incident in which hacktivists changed the water pressure at one local utility among a spate of attacks interfering with industrial control systems.
Britain's National Cyber Security Centre encourages critical infrastructure providers to ensure they have properly segmented their business IT systems and their OT systems to reduce the impact of any cyber intrusion. In August, the agency released a new Cyber Assessments Framework to help organizations improve their resilience.
“Commodity rather than targeted attacks remain the most likely threat to impact critical infrastructure providers. The messaging I pass to CISOs and the people managing risk in these organizations is to worry about defending from the everyday as opposed to defending from the exotic,” said Smith.
“They’re expected to do both, but the much bigger risk is that we end up with a major piece of our CNI knocked offline because of a ransomware attack. I worry about people thinking about investing huge amounts in monitoring esoteric systems when they’re actually not protecting themselves from the basics.”
