Dramatic revelations shed fresh light on investigation into whether Chinese tech firm tried to buy influence in EU politics.
Belgian security agents bugged a corporate box at the RSC Anderlecht football stadium that was being used by Chinese tech giant Huawei to schmooze members of the European Parliament.
They also listened into other conversations involving one of Huawei’s leading lobbyists, including in his car. The surveillance operations, confirmed by three people with close knowledge of the investigation, formed part of a wide-ranging probe into allegations of corruption that was first revealed in March. They contributed to the Belgian prosecutor’s decision, reported by POLITICO on Monday, to request that a group of MEPs have their immunities lifted so they can be investigated.
The extraordinary revelations are the latest chapter in a saga that combines concerns about the reach of China in European politics and how susceptible EU lawmakers are to bribery and shady lobbying practices, even after a string of similar scandals.
The Council today decided to impose additional restrictive measures against 21 individuals and 6 entities responsible for Russia’s destabilising actions abroad.
The Council has also broadened the scope to allow the EU to target tangible assets linked to Russia’s destabilising activities, such as vessels, aircraft, real estate, and physical elements of digital and communication networks, as well as transactions of credit institutions, financial institutions and entities providing crypto-assets services that directly or indirectly facilitate Russia’s destabilising activities.
Furthermore, in light of the systematic, international Russian campaign of media manipulation and distortion of facts aimed at destabilising neighbouring countries and the EU, the Council will now have the possibility to suspend the broadcasting licences of Russian media outlets under the control of the Russian leadership, and to prohibit them from broadcasting their content in the EU.
In line with the Charter of Fundamental Rights, the measures agreed today will not prevent the targeted media outlets and their staff from carrying out activities in the EU other than broadcasting, e.g. research and interviews.
Today’s listings include Viktor Medvedchuk, a former Ukrainian politician and businessman who, through his associates Artem Marchevskyi and Oleg Voloshin also listed today, controlled Ukrainian media outlets and used them to disseminate pro-Russian propaganda in Ukraine and beyond. Through secret financing of the “Voice of Europe” media channel - also listed today - and his political platform “Another Ukraine”, Medvedchuk has promoted policies and actions intended to erode the legitimacy and credibility of the government of Ukraine, in direct support of the foreign policy interests of the Russian Federation and disseminating pro-Russian propaganda.
Enterprise management solutions provider Serviceaide has informed the Department of Health and Human Services (HHS) that a data leak impacts the personal and medical information of nearly half a million Catholic Health patients.
California-based Serviceaide, whose solutions are used by organizations worldwide, discovered in November 2024 that an Elasticsearch database maintained for one of its customers, Buffalo, New York-based non-profit healthcare system Catholic Health, had been inadvertently made publicly available.
An investigation showed that the database had been exposed between September 19 and November 5, 2024.
While Serviceaide did not find any evidence that the information was exfiltrated, the company said it cannot definitively rule it out.
According to a data breach notice posted on the Serviceaide website, the exposed information varies for each individual, but it can include name, SSN, date of birth, medical record number, patient account number, medical information, health insurance information, prescription and treatment information, clinical information, healthcare provider details, email or username, and password.
Impacted individuals are being notified and offered 12 months of free credit monitoring and identity theft protection services.
Serviceaide informed the HHS, according to the government organization’s incident tracker, that just over 483,000 individuals are impacted by the data breach.
It’s not uncommon for healthcare data breaches to impact hundreds of thousands of individuals, and some incidents affect millions and even tens of millions.
Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations.
The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations.
"We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson.
"Due to the safety measures initiated as a result of the incident, production was temporarily affected."
Arla Foods is an international dairy producer and a farmer-owned cooperative with 7,600 members. It employs 23,000 people in 39 countries.
The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide.
The company told BleepingComputer that it is currently working to resume operations at the impacted facility, which should bring results before the end of the week.
"Since then, we've been working diligently to restore full operations. We expect to return to normal operations at the site in the next few days. Production at other Arla sites is not affected."
Considering that the first reports about a disruption at Arla's production operations surfaced on Friday, it is bound to cause shortages in some cases.
"We have informed our affected customers about possible delivery delays and cancellations," explained Arla's spokesperson.
BleepingComputer has asked the firm if the attack involved data theft or encryption, both staples of a ransomware attack, but Arla declined to share any additional information at this time.
Meanwhile, there have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown.
Dear Friends, Neighbors, and Valued Cellcom/Nsight Customers,
Over the past five days, many of you have been impacted by a service disruption — and I want to begin by saying something simple, and deeply meant: I’m here.
While I’ve been closely involved from the very beginning, this is the first time I’m writing to you directly. That wasn’t because I didn’t want to — it was because I truly believed we’d be past this quickly. I stayed focused on the fix, confident that we’d be able to restore service fast.
We’ve always believed in being present, open, and accountable to the people we serve. That’s what this letter is about.
We experienced a cyber incident. While this is unfortunate, it’s not something we were unprepared for. We have protocols and plans in place for exactly this kind of situation. From the start, we’ve followed those plans — including engaging outside cybersecurity experts, notifying the FBI and Wisconsin officials, and working around the clock to bring systems safely back online.
The incident was concentrated on an area of our network separate from where we store sensitive information related to you, our Cellcom/Nsight family. We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event.
Thanks to an incredible amount of hard work and tenacity, we achieved a major milestone last night. We are building on that success and expect to have the rest of service restored this week. Every part of this recovery is being handled with care and precision — we will not rush anything that compromises safety, security or trust.
For 115 years, as a company that began as a local telephone provider, we've understood that connection is everything. Generations of my family have had the privilege of serving generations of yours. We've grown and changed with the times, but our purpose has always remained the same: helping you stay connected to what matters most. We know this disruption has caused frustration and, for some, real hardship — and for that, I am truly sorry.
In the midst of it all, I’ve witnessed what makes this company special. Across the organization, people put mission ahead of role, put pride aside, and put the community first. We saw teams find creative solutions, take personal initiative, and step outside the bounds of job descriptions to make things right. That spirit — of care, urgency and accountability — has defined our response and will continue to shape our path forward.
To our employees — thank you. Your heart and grit during these trying days make me proud beyond words.
To our customers — thank you. Your patience, understanding and kindness mean the world to us. We’ve felt your support every step of the way, and we don’t take it for granted.
We know that gratitude alone isn’t enough — we’re taking responsibility. We’re covering the time you were without service, and then some.
Please know that we hear you, we appreciate you, and you have the very best team in the world on the case. I know we will be a better and stronger Cellcom/Nsight for this experience.
Warmly,
Brighid Riordan in cursive
Brighid Riordan
Microsoft’s head of security for AI, Neta Haiby, accidentally revealed confidential messages about Walmart’s use of Microsoft’s AI tools during a Build talk that was disrupted by protesters.
The Build livestream was muted and the camera pointed down, but the session resumed moments later after the protesters were escorted out. In the aftermath, Haiby then accidentally switched to Microsoft Teams while sharing her screen, revealing confidential internal messages about Walmart’s upcoming use of Microsoft’s Entra and AI gateway services.
Haiby was co-hosting a Build session on best security practices for AI, alongside Sarah Bird, Microsoft’s head of responsible AI, when two former Microsoft employees disrupted the talk to protest against the company’s cloud contracts with the Israeli government.
“Sarah, you are whitewashing the crimes of Microsoft in Palestine, how dare you talk about responsible AI when Microsoft is fueling the genocide in Palestine,” shouted Hossam Nasr, an organizer with the protest group No Azure for Apartheid, and a former Microsoft employee who was fired for holding a vigil outside Microsoft’s headquarters for Palestinians killed in Gaza.
Walmart is one of Microsoft’s biggest corporate customers, and already uses the company’s Azure OpenAI service for some of its AI work. “Walmart is ready to rock and roll with Entra Web and AI Gateway,” says one of Microsoft’s cloud solution architects in the Teams messages. The chat session also quoted a Walmart AI engineer, saying: “Microsoft is WAY ahead of Google with AI security. We are excited to go down this path with you.”
Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD).
The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.
This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack.
Although Microsoft states they plan to fix this issue in the future, a patch is not currently available. Therefore, organizations need to take other proactive measures to reduce their exposure to this attack. Microsoft has reviewed our findings and approved the publication of this information.
In this blog post, we provide full details of the attack, as well as detection and mitigation strategies.
A person has been arrested in Switzerland as part of a ccordinated raid on 270 dark web sites in ten countries.
The international raid, dubbed “RapTor”, dismantled networks trafficking drugs, weapons and counterfeit goods. The suspects were identified during the dismantling of the dark web markets Nemesis, Tor2Door, Bohemia and Kingdom Markets.
Many of them made thousands of sales on illegal markets using encryption tools and cryptocurrencies to cover their tracks.
Officers seized more than 180 firearms, over two tonnes of drugs and €184 million in cash and cryptocurrencies during the operation, which included arrests in ten countries, including Germany, France, Austria, Britain and the United States.
Trend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information stealers, a tactic that can be automated using AI tools.
Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.
This report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and the potential impact of this trend.
An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.
Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.
Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
Threat actors are advancing AI strategies and outpacing traditional security. CXOs must critically examine AI weaponization across the attack chain.
The integration of AI into adversarial operations is fundamentally reshaping the speed, scale and sophistication of attacks. As AI defense capabilities evolve, so do the AI strategies and tools leveraged by threat actors, creating a rapidly shifting threat landscape that outpaces traditional detection and response methods. This accelerating evolution necessitates a critical examination for CXOs into how threat actors will strategically weaponize AI across each phase of the attack chain.
One of the most alarming shifts we have seen, following the introduction of AI technologies, is the dramatic drop in mean time to exfiltrate (MTTE) data, following initial access. In 2021, the average MTTE stood at nine days. According to our Unit 42 2025 Global Incident Response Report, by 2024 MTTE dropped to two days. In one in five cases, the time from compromise to exfiltration was less than 1 hour.
In our testing, Unit 42 was able to simulate a ransomware attack (from initial compromise to data exfiltration) in just 25 minutes using AI at every stage of the attack chain. That’s a 100x increase in speed, powered entirely by AI.
Recent threat activity observed by Unit 42 has highlighted how adversaries are leveraging AI in attacks:
Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape.
While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts.
Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog.
The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign.
Key outcomes of this analysis include:
Examination and technical analysis of a lesser known phishing campaign
Demonstration of Telegram API-based data interception techniques
Collection of threat intelligence (TI) indicators to help identify the actor
Recommendations for detecting this type of threat
KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been…
For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers.
Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April.
After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second.
“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”
The cyberattackers claimed 2.1m pieces of customer data had been stolen from the Legal Aid Agency
Millions of pieces of personal data, including criminal records, have been stolen from legal aid applicants in a massive cyberattack.
The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ).
The cyberattackers claimed they had stolen 2.1 million pieces of data from people who had applied for legal aid since 2010 but the MoJ only said a “significant amount of personal data” had been breached.
An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency (LAA) systems have been known for many years.
“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government,” the source said.
In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets.
In terms of technical implementation, the HTTPBot Botnet Trojan uses an “attack ID” to precisely initiate and terminate the attack process. It also incorporates a variety of innovative DDoS attack methods. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms, including but not limited to the following detection bypass mechanisms:
Key Takeaways
The company behind the Signal clone used by at least one Trump administration official was breached earlier this month. The hacker says they got in thanks to a basic misconfiguration.
LONDON, May 14 (Reuters) - U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said.
Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers. While inverters are built to allow remote access for updates and maintenance, the utility companies that use them typically install firewalls to prevent direct communication back to China.
However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by U.S experts who strip down equipment hooked up to grids to check for security issues, the two people said.
Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said.
Reuters was unable to determine how many solar power inverters and batteries they have looked at. The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said.
Both declined to be named because they did not have permission to speak to the media.
"We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption," said Mike Rogers, a former director of the U.S. National Security Agency. "I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue."
A spokesperson for the Chinese embassy in Washington said: "We oppose the generalisation of the concept of national security, distorting and smearing China's infrastructure achievements."
Threat actor used malicious Google Invites and hidden Unicode “Private Use Access” characters (PUAs) to brilliantly obfuscate and hide a malicious NPM package.
On March 19th, 2025, we discovered a package called os-info-checker-es6 and were taken aback. We could tell it was not doing what it said on the tin. But what's the deal? We decided to investigate the matter and initially hit some dead ends. But patience pays off, and we eventually got most of the answers we sought. We also learned about Unicode PUAs (No, not pick-up artists). It was a roller coaster ride of emotions!
