techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.
Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.
Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.
Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.
“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.
Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”
LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
venturebeat.com - OpenAI abruptly removed a ChatGPT feature that made conversations searchable on Google, sparking privacy concerns and industry-wide scrutiny of AI data handling.
OpenAI made a rare about-face Thursday, abruptly discontinuing a feature that allowed ChatGPT users to make their conversations discoverable through Google and other search engines. The decision came within hours of widespread social media criticism and represents a striking example of how quickly privacy concerns can derail even well-intentioned AI experiments.
The feature, which OpenAI described as a “short-lived experiment,” required users to actively opt in by sharing a chat and then checking a box to make it searchable. Yet the rapid reversal underscores a fundamental challenge facing AI companies: balancing the potential benefits of shared knowledge with the very real risks of unintended data exposure.
How thousands of private ChatGPT conversations became Google search results
The controversy erupted when users discovered they could search Google using the query “site:chatgpt.com/share” to find thousands of strangers’ conversations with the AI assistant. What emerged painted an intimate portrait of how people interact with artificial intelligence — from mundane requests for bathroom renovation advice to deeply personal health questions and professionally sensitive resume rewrites. (Given the personal nature of these conversations, which often contained users’ names, locations, and private circumstances, VentureBeat is not linking to or detailing specific exchanges.)
“Ultimately we think this feature introduced too many opportunities for folks to accidentally share things they didn’t intend to,” OpenAI’s security team explained on X, acknowledging that the guardrails weren’t sufficient to prevent misuse.
scworld.com 04.08 - Aeroflot, Russia's flag carrier, had travel information purportedly from its CEO Sergei Aleksandrovsky leaked by Belarusian hacktivist operation Cyber Partisans after Russian internet watchdog Roskomnadzor refuted any data breach resulting from last week's massive cyberattack that has prompted the cancellation of more than 50 flights, reports The Record, a news site by cybersecurity firm Recorded Future.
Included in the exposed data were information from over 30 flights taken by Aleksandrovsky from April 2024 to June 2025, claimed Cyber Partisans, which threatened the imminent reveal of more stolen data following the theft of Aeroflot's entire flight history database. Cyber Partisans noted that the extensive data compromise was made possible by weak employee credentials and the airline's use of outdated Windows versions. While the legitimacy of the data has not yet been confirmed, it contained Aleksandrovsky's passport number that matched those found in older breaches, according to investigative news outlet The Insider.
tomshardware.com - A leading mobile device insurance and service network has initiated insolvency proceedings in the wake of a cyberattack. Selling properties and cutting staff numbers wasn't enough to save the business.
The Einhaus Group was once a familiar name, with its services available through 5,000 retail outlets in Germany and an annual revenue of around 70 million Euros.
A leading mobile device insurance and service network has initiated insolvency proceedings in the wake of a cyberattack. Germany’s Einhaus Group was targeted by hackers in March 2023 and is understood to have paid a ransom(ware) fee of around $230,000 at the time, according to Wa.de and Golem.de (machine translations). However, the once large and successful company, with partnerships including Cyberport, 1&1, and Deutsche Telekom, struggled to recover from the service interruption and the obvious financial strains, which now appear to be fatal.
The ides of March
In mid-March 2023, Wilhelm Einhaus, founder of the Einhaus Group, recalls coming into the office in the morning to witness a ‘horrific’ greeting. On the output tray of every printer in the office was a page announcing, “We've hacked you. All further information can be found on the dark web.” Further investigations revealed that the hack group 'Royal' was the culprit. They had encrypted all of Einhaus Group’s systems, which were essential for the day-to-day running of the business. 'Royal' demanded a ransom payment, thought to be around $230,000 in Bitcoins, to return access to the computers.
Of course, with operational systems down, there was an immediate impact on Einhaus. The police were involved promptly. However, the affected firm seems to have decided to pay the ransom, as it could see business losses/damages piling up – meaning continuing without the computer systems was untenable. Einhaus estimated that the hacker-inflicted damage to its business was in the mid-seven-figure range.
nltimes.nl - Several major government institutions across the Caribbean part of the Kingdom of the Netherlands were hit by cyberattacks last week, including a ransomware attack on Curaçao’s Tax and Customs Administration that temporarily disabled critical services, NOS reports.
According to Curaçao’s Minister of Finance, ransomware was used in the attack on the tax authority. After the breach was discovered by staff, one of the agency’s systems was taken offline as a precaution. An investigation into the origin and impact of the attack is ongoing. The Ministry of Finance stated that no confidential information was compromised.
Despite the breach, the online platform for filing and paying taxes remained operational. However, both the telephone customer service and in-person assistance were unavailable for several days. All services were restored by Monday, the ministry confirmed.
Meanwhile, the Court of Justice — which operates across all six Caribbean islands of the Kingdom — was also affected by a cyber incident. A virus was detected in the court’s IT system, prompting officials to shut down the entire computer network out of caution. Several court cases scheduled for last week were postponed, although most hearings continued as planned. Restoration efforts are still underway.
In Aruba, hackers also gained unauthorized access to official email accounts belonging to members of parliament. The extent of the breach and potential consequences remain unclear.
In response to the string of incidents, authorities on Sint-Maarten issued a public alert urging businesses and institutions on the islands to increase their cybersecurity vigilance.
The wave of cyberattacks follows a separate hacking incident in the Netherlands just two weeks ago, when the national Public Prosecution Service (Openbaar Ministerie) disconnected all its systems from the internet after detecting a breach. The disruption continues to have major consequences. Defense attorneys have reported significant difficulty accessing essential information, hindering their ability to represent clients.
france24.com - Chinese authorities summoned Nvidia representatives on Thursday to discuss "serious security issues" over some of its artificial intelligence chips, as the US tech giant finds itself entangled in trade tensions between Beijing and Washington.
Nvidia is a world-leading producer of AI semiconductors, but the United States effectively restricts which chips it can export to China on national security grounds.
A key issue has been Chinese access to the "H20", a less powerful version of Nvidia's AI processing units that the company developed specifically for export to China.
The California-based firm said this month it would resume H20 sales to China after Washington pledged to remove licensing curbs that had halted exports.
But the firm still faces obstacles -- US lawmakers have proposed plans to require Nvidia and other manufacturers of advanced AI chips to include built-in location tracking capabilities.
And Beijing's top internet regulator said Thursday it had summoned Nvidia representatives to discuss recently discovered "serious security issues" involving the H20.
The Cyberspace Administration of China said it had asked Nvidia to "explain the security risks of vulnerabilities and backdoors in its H20 chips sold to China and submit relevant supporting materials".
The statement posted on social media noted that, according to US experts, location tracking and remote shutdown technologies for Nvidia chips "are already matured".
The announcement marked the latest complication for Nvidia in selling its advanced products in the key Chinese market, where it is in increasingly fierce competition with homegrown technology firms.
Nvidia committed
CEO Jensen Huang said during a closely watched visit to Beijing this month that his firm remained committed to serving local customers.
Huang said he had been assured during talks with top Chinese officials during the trip that the country was "open and stable".
"They want to know that Nvidia continues to invest here, that we are still doing our best to serve the market here," he said.
Nvidia this month became the first company to hit $4 trillion in market value -- a new milestone in Wall Street's bet that AI will transform the global economy.
Jost Wubbeke of the Sinolytics consultancy told AFP the move by China to summon Nvidia was "not surprising in the sense that targeting individual US companies has become a common tool in the context of US-China tensions".
"What is surprising, however, is the timing," he noted, after the two countries agreed to further talks to extend their trade truce.
"China's action may signal a shift toward a more assertive stance," Wubbeke said.
Beijing is also aiming to reduce reliance on foreign tech by promoting Huawei's domestically developed 910C chip as an alternative to the H20, he added.
"From that perspective, the US decision to allow renewed exports of the H20 to China could be seen as counterproductive, as it might tempt Chinese hyperscalers to revert to the H20, potentially undermining momentum behind the 910C and other domestic alternatives."
New hurdles to Nvidia's operation in China come as the country's economy wavers, beset by a years-long property sector crisis and heightened trade headwinds under US President Donald Trump.
Chinese President Xi Jinping has called for the country to enhance self-reliance in certain areas deemed vital for national security -- including AI and semiconductors -- as tensions with Washington mount.
The country's firms have made great strides in recent years, with Huang praising their "super-fast" innovation during his visit to Beijing this month.
therecord.media 04.08 - Researchers have discovered more than 10 patents for powerful offensive cybersecurity technologies filed by a prominent Chinese company allegedly involved in Beijing’s Silk Typhoon campaign.
Researchers have discovered more than 10 patents for powerful offensive cybersecurity technologies filed by a prominent Chinese company allegedly involved in Beijing’s Silk Typhoon campaign.
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
The report focuses on intellectual property rights filings by Shanghai Firetech, a company the DOJ said works on behalf of the Shanghai State Security Bureau (SSSB). The company was allegedly involved in many of the Silk Typhoon attacks and was previously identified as part of the Hafnium attacks seen in 2021.
The researchers found previously unseen patents on offensive technologies tied to Shanghai Firetech, SentinelLabs expert Dakota Cary told Recorded Future News.
The findings suggest the company “serves other offensive missions not tied to the Hafnium cluster,” he said.
“The company also has patents on a variety of offensive tools that suggest the capability to monitor individual's homes, like ‘intelligent home appliances analysis platform,’ ‘long-range household computer network intelligentized control software,’ and ‘intelligent home appliances evidence collection software’ which could support surveillance of individuals abroad.”
Cary noted that intelligence agencies like the CIA are known to use similar tools.
Shanghai Firetech also filed patents for software for “remote” evidence collection, and for targeting routers and Apple devices, among other uses.
The patent for Apple computers stood out to the researchers because it allows actors to remotely recover files from devices and was not previously documented as a capability of any Hafnium-related threat actor.
SentinelLabs said the technologies “offer strong, often previously unreported offensive capabilities, from acquisition of encrypted endpoint data, mobile forensics, to collecting traffic from network devices.”
The Justice Department indicted two prominent hackers this month — Xu Zewei and Zhang Yu — that are accused of working with China’s Ministry of State Security (MSS) and its Shanghai bureau. The indictments said Xu and Zhang worked for two firms previously unattributed in the public domain to the Hafnium/Silk Typhoon group.
Xu was arrested after flying into Milan on July 3, and prosecutors accused both men of being deeply involved in China’s cyberattacks on institutions working on COVID-19 vaccines throughout 2020 and 2021. The DOJ obtained emails from Xu to the Shanghai security bureau confirming he had acquired the contents of the COVID-19 researchers’ mailboxes.
nytimes.com 04.08 - The introduction of a state-approved messaging app has raised fears that Russia could be preparing to block WhatsApp and Telegram.
Russia is escalating its efforts to curtail online freedom, taking new steps toward a draconian state-controlled internet.
The authorities are cracking down on workarounds that Russians have been using for access to foreign apps and banned content, including through new laws signed by President Vladimir V. Putin this past week. Moscow has also been impeding the function of services from U.S. tech companies, like YouTube, that Russians have used for years.
At the same time, the Kremlin is building out a domestic ecosystem of easily monitored and censored Russian alternatives to Western tech products. That includes a new state-approved messaging service, MAX, which will come preinstalled by law on all new smartphones sold in Russia starting next month.
The idea, experts say, is to migrate more Russians from an open internet dominated by the products of Western tech giants to a censored online ecosystem, where Russians primarily use software under the gaze and influence of the state. The effort has advanced significantly amid wartime repression, but it is unclear how far it will go.
“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms.
The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added.
“They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms.
The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added.
“They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”
blog.pypi.org - - The Python Package Index Blog - PyPI Users are receiving emails detailing them to log in to a fake PyPI site.
PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site.
Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled:
[PyPI] Email verification
from the email address noreply@pypj.org.
Note the lowercase j in the domain name, which is not the official PyPI domain, pypi.org.
This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI.
The email instructs users to follow a link to verify their email address, which leads to a phishing site that looks like PyPI but is not the official site.
The user is prompted to log in, and the requests are passed back to PyPI, which may lead to the user believing they have logged in to PyPI, but in reality, they have provided their credentials to the phishing site.
PyPI Admins are looking into a few methods of handling this attack, and want to make sure users are aware of the phishing attempt while we investigate different options.
There is currently a banner on the PyPI homepage to warn users about this phishing attempt.
Always inspect the URL in the browser before logging in.
We are also waiting for CDN providers and name registrars to respond to the trademark and abuse notifications we have sent them regarding the phishing site.
If you have received this email, do not click on any links or provide any information. Instead, delete the email immediately.
If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account's Security History for anything unexpected.
reuters.com - July 30 (Reuters) - More than 90 state and local governments have been targeted using the recently revealed vulnerability in Microsoft server software, according to a U.S. group devoted to helping local authorities collaborate against hacking threats.
The nonprofit Center for Internet Security, which houses an information-sharing group for state, local, tribal, and territorial government entities, provided no further details about the targets, but said it did not have evidence that the hackers had broken through.
None have resulted in confirmed security incidents," Randy Rose, the center's vice president of security operations and intelligence, said in an email.
A wave of hacks hit servers running vulnerable versions of Microsoft SharePoint this month, causing widespread concern. The campaign has claimed at least 400 victims, according to Netherlands-based cybersecurity firm Eye Security. Multiple federal government agencies are reportedly among the victims, and new ones are being identified every day.
On Wednesday, a spokesperson for one of the U.S. Department of Energy's 17 national labs said it was among those hit.
"Attackers did attempt to access Fermilab's SharePoint servers," the spokesperson said, referring to the U.S. Fermi National Accelerator Laboratory. "The attackers were quickly identified, and the impact was minimal, with no sensitive or classified data accessed." The Fermilab incident was first reported by Bloomberg.
The U.S. Department of Energy has previously said the SharePoint security hack has affected "a very small number" of its systems
channelnewsasia.com - The decision to identify cyber threat group UNC3886 was because Singaporeans “ought to know about it” given the seriousness of the threat, said the minister.
SINGAPORE: While naming a specific country linked to cyber threat group UNC3886 is not in Singapore’s interest at this point in time, the attack was still serious enough for the government to let the public know about the group, said Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam on Friday (Aug 1).
Speaking to reporters on the side of the Cyber Security Agency of Singapore’s (CSA) Exercise Cyber Star, the national cybersecurity crisis management exercise, Mr Shanmugam said that when it comes to naming any country responsible for a cyber attack, “we always think about it very carefully”.
Responding to a question from CNA on reports tying the group to China, Mr Shanmugam said: “Media coverage (and) industry experts all attribute UNC3886 to some country … Government does not comment on this.
“We release information that we assess is in the public interest. Naming a specific country is not in our interest at this point in time.”
UNC3886 has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.
Mr Shanmugam had announced on Jul 18 that Singapore is actively dealing with a "highly sophisticated threat actor" that is attacking critical infrastructure, identifying the entity as UNC3886 without disclosing if it was a state-linked actor.
He said the threat actor poses a serious danger to Singapore and could undermine the country's national security, and added that it was not in Singapore's security interests to disclose further details of the attack then.
When asked the following day about UNC3886's alleged links to China and possible retaliation for naming them, Mr Shanmugam, who is also Home Affairs Minister, said this was "speculative".
"Who they are linked to and how they operate is not something I want to go into," he said.
Responding to media reports in a Jul 19 Facebook post, the Chinese embassy in Singapore expressed its "strong dissatisfaction" at the claims linking the country to UNC3886, stating that they were "groundless smears and accusations against China".
“In fact, China is a major victim of cyberattacks," it wrote.
"The embassy would like to reiterate that China is firmly against and cracks down (on) all forms of cyberattacks in accordance with law. China does not encourage, support or condone hacking activities."
On Friday, Mr Shanmugam also gave his reasons for disclosing the identity of threat actors like UNC3886.
“We look at the facts of each case (and) the degree of confidence we have before we can name. And when we decide to name the threat actor, we look at whether it is in Singapore's best interest,” said Mr Shanmugam, who is also the home affairs minister.
In this case, the threat, attack and compromise to Singapore’s infrastructure was “serious enough” and the government was confident enough to name UNC3886 as the perpetrators, he said.
“Here, we said this is serious. They have gotten in. They are compromising a very serious critical infrastructure. Singaporeans ought to know about it, and awareness has got to increase. And because of the seriousness, it is in the public interest for us to disclose,” said Mr Shanmugam.
therecord.media (01.08.2025) - Authorities in Luxembourg said a nationwide telecommunications outage in July was caused by a deliberately disruptive cyberattack. Huawei networking products were reportedly the target.
Luxembourg’s government announced on Thursday it was formally investigating a nationwide telecommunications outage caused last week by a cyberattack reportedly targeting Huawei equipment inside its national telecoms infrastructure.
The outage on July 23 left the country’s 4G and 5G mobile networks unavailable for more than three hours. Officials are concerned that large parts of the population were unable to call the emergency services as the fallback 2G system became overloaded. Internet access and electronic banking services were also inaccessible.
According to government statements issued to the country’s parliament, the attack was intentionally disruptive rather than an attempt to compromise the telecoms network that accidentally led to a system failure.
Officials said the attackers exploited a vulnerability in a “standardised software component” used by POST Luxembourg, the state-owned enterprise that operates most of the country’s telecommunications infrastructure. The government’s national alert system, which officials had intended to use to warn the population about the incident, failed to reach many people because it also depends on POST’s mobile network.
POST’s director-general described the attack itself as “exceptionally advanced and sophisticated,” but stressed it did not compromise or access internal systems and data. POST itself and the national CSIRT are currently forensically investigating the cause of the outage.
Although the government’s statements avoid naming the affected supplier, Luxembourg magazine Paperjam reported the attack targeted software used in Huawei routers. Paperjam added that the country’s critical infrastructure regulator is currently asking any organisations using Huawei enterprise routers to contact the CSIRT.
Remote denial-of-service vulnerabilities have previously been identified in the VRP network operating system used in Huawei’s enterprise networking products, although none have recently been publicly identified. Huawei’s press office did not respond to a request for comment.
The Luxembourg government convened a special crisis cell within the High Commission for National Protection (HCPN) to handle the response to the incident and to investigate its causes and impacts, alongside the CSIRT and public prosecutor.
The CSIRT’s full forensic investigation is intended to confirm how the attack happened, while the public prosecutor will assess whether a crime has taken place and if a perpetrator can be identified and prosecuted.
The incident has also accelerated Luxembourg’s national resilience review, a process already underway before the attack. Authorities, concerned that a single point of failure had such a dramatic disruptive effect, are now reassessing the robustness of critical infrastructure, including fallback procedures for telecom and emergency services.
Luxembourg is also exploring regulatory changes to allow mobile phones to automatically switch to other operators’ networks during telecom outages, a practice already used in countries like the United Kingdom, Germany and the United States for emergency calls.
techcrunch.com 24.07 - "We're getting a lot of stuff that looks like gold, but it's actually just crap,” said the founder of one security testing firm. AI-generated security vulnerability reports are already having an effect on bug hunting, for better and worse.
So-called AI slop, meaning LLM-generated low-quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events.
The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup.
“People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, ‘oh no, where is this vulnerability?’,” Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch.
“It turns out it was just a hallucination all along. The technical details were just made up by the LLM,” said Ionescu.
Ionescu, who used to work at Meta’s red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. “If you ask it for a report, it’s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,” said Ionescu.
“That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap,” said Ionescu.
Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. “The attacker miscalculated badly,” Sintonen wrote in a post on Mastodon. “Curl can smell AI slop from miles away.”
In response to Sintonen’s post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is “flooded with AI garbage.”
One open source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving “almost entirely AI slop reports.”
The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.
Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services. In our previous blog, we reported the actor likely leverages Russia’s domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor’s current AiTM activity, judging from the large-scale nature of these operations.
This blog provides guidance on how organizations can protect against Secret Blizzard’s AiTM ApolloShadow campaign, including forcing or routing all traffic through an encrypted tunnel to a trusted network or using an alternative provider—such as a satellite-based connection—hosted within a country that does not control or influence the provider’s infrastructure. The blog also provides additional information on network defense, such as recommendations, indicators of compromise (IOCs), and detection details.
Secret Blizzard is attributed by the United States Cybersecurity and Infrastructure Agency (CISA) as Russian Federal Security Service (Center 16). Secret Blizzard further overlaps with threat actors tracked by other security vendors by names such as VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.
As part of our continuous monitoring, analysis, and reporting of the threat landscape, we are sharing our observations on Secret Blizzard’s latest activity to raise awareness of this actor’s tradecraft and educate organizations on how to harden their attack surface against this and similar activity. Although this activity poses a high risk to entities within Russia, the defense measures included in this blog are broadly applicable and can help organizations in any region reduce their risk from similar threats. Microsoft is also tracking other groups using similar techniques, including those documented by ESET in a previous publication.
AiTM and ApolloShadow deployment
In February 2025, Microsoft Threat Intelligence observed Secret Blizzard conducting a cyberespionage campaign against foreign embassies located in Moscow, Russia, using an AiTM position to deploy the ApolloShadow malware to maintain persistence and collect intelligence from diplomatic entities. An adversary-in-the-middle technique is when an adversary positions themself between two or more networks to support follow-on activity. The Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target’s browsing in clear text including the delivery of certain tokens and credentials. Secret Blizzard has exhibited similar techniques in past cyberespionage campaigns to infect foreign ministries in Eastern Europe by tricking users to download a trojanized Flash installer from an AiTM position.
akamai.com - Akamai researchers previously outlined the potential for malicious use of UIA.
Now, Akamai researchers have analyzed a new variant of the Coyote malware that is the first confirmed case of maliciously using Microsoft’s UI Automation (UIA) framework in the wild.
The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges.
To help prevent Coyote infections and UIA abuse more broadly, we’ve included indicators of compromise and additional detection measures in this blog post.
In December 2024, we published a blog post that highlighted how attackers could abuse Microsoft’s UIA framework to steal credentials, execute code, and more. Exploitation was only a proof of concept (PoC) — until now.
Approximately two months after the publication of that blog post, our concerns were validated when a variant of the banking trojan malware Coyote was observed abusing UIA in the wild — marking the first known case of such exploitation.
This UIA abuse is the latest of these malicious Coyote tracks in their digital habitat since its discovery in February 2024.
In this blog post, we take a closer look at the variant to better understand how UIA is being leveraged for malicious purposes, and what it means for defenders.
What is Coyote malware?
Coyote is a well-known malware family that was discovered in February 2024 and has caused significant damage in the Latin America region ever since. Coyote is a trojan malware that employs various malicious techniques, such as keylogging and phishing overlays, to steal banking information.
It uses the Squirrel installer to propagate (hence the name “Coyote,” which pays homage to the coyotes’ nature to hunt squirrels). In one of its most well-known campaigns, Coyote targeted Brazilian companies in an attempt to deploy an information stealing Remote Access Trojan within their systems.
After the initial discovery of Coyote, many security researchers uncovered details of its operations and provided in-depth technical analyses. One such examination, published by Fortinet in January 2025, shed light on Coyote’s internal workings and attack chain.
UIA abuse
We’ve expanded on those analyses and discovered one new key detail: Coyote now leverages UIA as part of its operation. Like any other banking trojan, Coyote is hunting banking information, but what sets Coyote apart is the way it obtains this information, which involves the (ab)use of UIA.
nytimes.com (29.07.2025) - Gov. Tim Walz of Minnesota activated the National Guard to help the city of St. Paul address a cyberattack that was detected last Friday.
Gov. Tim Walz of Minnesota on Tuesday activated the state National Guard to help officials in St. Paul, the capital, respond to a complex cyberattack that was first detected on Friday.
Mayor Melvin Carter of St. Paul said the city had shut down the bulk of its computer systems as a defensive measure as state and federal investigators tackled what he called “a deliberate, coordinated digital attack, carried out by a sophisticated external actor.”
Mr. Carter said that the F.B.I. and several state agencies were helping assess who was behind the attack. He declined to say whether ransom had been demanded or whether there was any evidence suggesting a foreign government was behind the attack.
City officials said they have yet to ascertain whether sensitive data had been stolen.
Emergency services, including police response systems, were not crippled by the attack, the city said in a statement. The shutdown meant that city employees did not have access to the internet in municipal buildings, and that routine services such as library loans and online payment systems were inaccessible.
Large and small cities across the United States, along with school systems and hospitals, have been targeted in cyberattacks in recent years. Such attacks are often carried out by individuals who compromise networks and encrypt data, then demand ransom payments in order to restore access.
Attackers sometimes steal sensitive data — such as credit card information — that they can later sell online.
St. Paul officials said they detected unusual activity on their network Friday morning and eventually realized the city’s networks had been breached. Deeming it a serious attack, they sought help from the governor and federal law enforcement agencies as well as cybersecurity companies.
Mr. Walz issued an executive order on Tuesday directing the National Guard to assign military computer experts to assist officials in St. Paul. In the order, Mr. Walz said that “the scale and complexity of this incident exceeded both internal and commercial response capabilities.”
swissinfo.ch - Swiss defence ministry funds domestic satellites with eye on sovereign communications network.
The first test satellite from the Geneva-based company Wisekey has been flying over Switzerland three times a day since January, with more to follow.
The satellite is not much larger than a desktop computer – a gray box equipped with panels. Wisekey launched the first test satellite for the Swiss army in January from California on a launch vehicle from Elon Musk’s company SpaceX.
Company founder and CEO Carlos Moreira confirmed this to Swiss public broadcaster SRF. “The satellite belongs to us. We lease it to the Swiss army through a partnership,” Moreira said.
Moreira’s company has been working with the army for three years. The next satellite is scheduled to be launched in June, with five more to follow. “Every time the satellite flies over Switzerland, we conduct tests,” said Moreira.
An important update and apology on the Expel blog, for a blog we published on PoisonSeed on July 17, 2025.
What we got wrong
The original post described a new form of phishing attack that allowed an attacker to circumvent a FIDO passkey protected login. It stated that this attacker used cross-device authentication to successfully authenticate while not in close proximity to the authenticating client device.
The evidence does show the targeted user’s credentials (username and password) being phished and that the attacker successfully passed password authentication for the targeted user. It also shows the user received a QR code from the attacker. This QR code, when scanned by a mobile device, initiates a FIDO Cross-Device Authentication flow, which according to FIDO specification requires local proximity to the device which generated the QR code (the WebAuthn client). When properly implemented, without proximity, the request will time out and fail.
So, at the time of the original post, Expel believed the attacker successfully completed the authentication workflow, resulting in access to protected resources. After discussing these findings with the security community, we understand that this is not accurate. The Okta logs show the password factor passing successfully, but all subsequent MFA challenges failed and the attacker is never granted access to the requested resource.
What we’re doing
We recognize that an attempted attack of this magnitude merits additional scrutiny beyond our typical technical blog review process.
We’re conducting a thorough review of our technical review processes. To enable proper scrutiny of our analysis, future posts will also include clear and transparent evidence alongside our findings.
In conclusion
Thank you for reading this far. We appreciate all of you and all the community members that have engaged with us. We especially appreciate the engagement from the FIDO Alliance and are happy to have the opportunity to clear up the misunderstanding we created. We value the defender community and know we missed the mark on this blog post. Thank you for allowing us the chance to fix it and thank you for the continued support.
We deeply apologize for any negative impact our mistake caused. Expel is committed to improving so it doesn’t happen again.
newsukraine.rbc.ua - Cyber specialists from Ukraine's Defense Intelligence (HUR) have carried out a large-scale special operation targeting the occupation authorities in Crimea.
According to a Ukrainian intelligence source speaking to RBC-Ukraine, the operation lasted several days.
A powerful DDoS attack effectively paralyzed the information systems and network infrastructure in Crimea.
While the Russian occupiers were scrambling to identify the cause of the government systems' failure, HUR cyber experts infiltrated the electronic accounts of the leadership of the occupation administration in temporarily occupied Crimea. They gained access to the following digital resources:
securityweek.com - LG Innotek LNV5110R security cameras are affected by a vulnerability that can be exploited for unauthenticated remote code execution.
Hundreds of LG security cameras are vulnerable to remote hacking due to a recently discovered flaw and they will not receive a patch.
The cybersecurity agency CISA revealed on Thursday that LG Innotek LNV5110R cameras are affected by an authentication bypass vulnerability that can allow an attacker to gain administrative access to the device.
The flaw, tracked as CVE-2025-7742 and assigned a ‘high severity’ rating, can allow an attacker to upload an HTTP POST request to the device’s non-volatile storage, which can result in remote code execution with elevated privileges, according to CISA.
LG Innotek has been notified, but said the vulnerability cannot be patched as the product has reached end of life.
Souvik Kandar, the MicroSec researcher credited by CISA for reporting the vulnerability, told SecurityWeek there are roughly 1,300 cameras that are exposed to the internet and which can be remotely hacked.
