techdigest.tv
10 November 2025
Chris Price

A catastrophic data breach at Chinese cybersecurity firm Knownsec has exposed a state-backed cyber arsenal and global surveillance targets.

A prominent Chinese cybersecurity firm with ties to the government, Knownsec, has suffered a catastrophic data breach, exposing over 12,000 classified documents detailing the inner workings of China’s state-sponsored cyber espionage program.
The leak of over 12,000 classified documents provides an unprecedented window into the operational infrastructure supporting China’s intelligence-gathering efforts, triggering significant international concern.

The leaked materials initially appeared on GitHub before being removed for terms-of-service violations. They reveal a vast technical arsenal, including sophisticated Remote Access Trojans (RATs) engineered to compromise every major operating system, specifically Linux, Windows, macOS, iOS, and Android.

The documents detail the use of highly specialized surveillance tools. These include Android attack code capable of extracting extensive message histories from popular chat applications, enabling targeted spying on specific individuals.

Even more concerning is the detail on hardware-based attack vectors. The firm allegedly developed a maliciously engineered power bank that can covertly exfiltrate data when connected to a victim’s computer, representing a sophisticated, hands-on supply-chain attack. This highlights the willingness of state-sponsored programs to invest in complex infrastructure to circumvent traditional security controls.

The archives also contain detailed spreadsheets documenting alleged breaches against more than 80 overseas targets. The scale of the data theft is massive, listing 95GB of immigration records from India, 3TB of call records from South Korea’s LG U Plus, and 459GB of road planning data from Taiwan.

The target list explicitly names over twenty countries and regions, including the United Kingdom, Japan, and Nigeria.

Knownsec, founded in 2007 and backed by Tencent, holds a trusted position within China’s security apparatus, providing services to government departments and major financial institutions. This prominence amplifies the significance of the leak.

In response to the disclosure, a Chinese Foreign Ministry spokesperson was evasive, stating unfamiliarity with any Knownsec breach while asserting that China “firmly opposes and combats all forms of cyberattacks.”

Analysts note this measured response avoided denying government support for such operations, underscoring Beijing’s positioning of cyber activities as national security instruments. Cybersecurity specialists worldwide are now studying the exposed data to improve global defense strategies.

Sky News Australia
Max Melzer

An Iranian-backed hacking group has posted plans for Australia's new $7 billion infantry fighting vehicles online following a spate of attacks on Israeli arms companies.

Plans for Australia's new $7 billion Redback infantry fighting vehicles have been stolen and posted online by Iran-backed hackers following a spate of attacks on Israeli arms companies.

Cyber Toufan, a hacking group believed to have ties to the Iranian state, posted classified 3D renderings and technical details of the next generation fighting vehicles on Telegram.

The group claimed to have stolen confidential data from 17 Israeli defence companies in a major cyberattack carried out after it gained access to supply chain firm MAYA Technologies over a year ago.

Israel’s Elbit Systems, which was contracted to provide hi-tech weapons turrets for the Redbacks, was among the companies targetted.

Skynews.com.au has contacted Elbit Systems for comment.

In addition to the exposure of sensitive details about the fighting vehicles' technical specifications, the documents posted by Cyber Toufan also revealed the Australian Defence Force had apparently been weighing whether to purchase Spike NLOS anti-tank missiles from the Israeli company.

It is not fully clear how much data was stolen in the hack or whether the details published online could be used to develop countermeasures to the Redback's defensive and offensive capabilities.

The Australian Army is set to receive 127 of the fighting vehicles under a roughly $7 billion contract with South Korean firm Hanwha Defence.

Elbit Systems' turrets will be affixed to the Redback's under a separate contract worth around $920 million.

The Israeli firm's involvement with the project had drawn criticism due to Israel's war in Gaza, although Defence Industry Minister Pat Conroy has repeatedly defended the company's involvement.

"We make no apology for getting the best possible equipment for the Australian Defence Force," he told the Indo-Pacific Maritime Exposition last week.

Cyber Toufan's attacks underscore the growing threat of hacking groups targetting sensitive military data.

The Australian Signals Directorate warned in its 2025 Cyber Threat Report that government and defence-related information was "an attractive target for state-sponsored cyber actors".

AUKUS remains the principle target for hostile actors, although Australian Security Intelligence Organisation Director-General Mike Burgess revealed even "countries we consider friendly" were attempting to gather intelligence about the nuclear submarine program.

"ASIO has identified foreign services seeking to target AUKUS to position themselves to collect on the capabilities, how Australia intends to use them, and to undermine the confidence of our allies," he warned in his annual threat assessment earlier this year.

Several Australian defence projects have already faced hacks in recent years, including in 2017 when a defence contractor was breached and data on the nation's F-35 program and the Collins-class submarine program was exposed.

Shipbuilder Austal was also successfully targetted by hackers in 2018.

akamai.com
Nov 06, 2025

Akamai is aware of content and connectivity filtering within Russia. Although we have not yet seen wholesale blocking of our platform for users, Russian network operator actions and actions by the Russian government may impact delivery to some users within some networks.

Such blocks often happen without any advance notice and are beyond our control. This is a highly dynamic situation as the nature and targets of filtering and blocking are changing without notice or visibility.

The Akamai network can automatically adapt to some of these impacts. However, it is impossible for us to respond to all Russian government actions (including IP-based blocks, SNI-based blocks, traffic throttling, total network shutdowns, and potential others).

Because of the constantly evolving situation — including active hostilities — ongoing delivery of traffic to users in Russia is provided, unfortunately, on a best-effort basis.

mozilla.org
November 7, 2025
Brian Smith

Firefox Support for Organizations adds a new layer of help for teams and businesses that need confidential, reliable, and customized levels of support.

Increasingly, businesses, schools, and government institutions deploy Firefox at scale for security, resilience, and data sovereignty. Organizations have fine-grained administrative and orchestration control of the browser’s behavior using policies with Firefox and the Extended Support Release (ESR). Today, we’re opening early access to Firefox Support for Organizations, a new program that begins operation in January 2026.

What Firefox Support for Organizations offers
Support for Organizations is a dedicated offering for teams who need private issue triage and escalation, defined response times, custom development options, and close collaboration with Mozilla’s engineering and product teams.

Private support channel: Access a dedicated support system where you can open private help tickets directly with expert support engineers. Issues are triaged by severity level, with defined response times and clear escalation paths to ensure timely resolution.
Discounts on custom development: Paid support customers get discounts on custom development work for integration projects, compatibility testing, or environment-specific needs. With custom development as a paid add-on to support plans, Firefox can adapt with your infrastructure and third-party updates.
Strategic collaboration: Gain early insight into upcoming development and help shape the Firefox Enterprise roadmap through direct collaboration with Mozilla’s team.
Support for Organizations adds a new layer of help for teams and businesses that need confidential, reliable, and customized levels of support. All Firefox users will continue to have full access to existing public resources including documentation, the knowledge base, and community forums, and we’ll keep improving those for everyone in future. Support plans will help us better serve users who rely on Firefox for business-critical and sensitive operations.

The EU Commission has announced that it will "immediately" stop funding individuals or organizations involved in "serious professional misconduct." This follows an investigation by Follow the Money (FtM) which revealed that EU funds amounting to millions of euros have been directly channeled to commercial spyware firms in recent years.

In September, the FtM portal, in collaboration with other media partners, uncovered that the spyware industry is receiving substantial subsidies from the EU while simultaneously surveilling its citizens. According to the report, the Intellexa Group, which developed the Predator state trojan, has, through affiliated companies, secured public funding, particularly through innovation programs. Cognyte, CyGate, and Verint are also reported to have received financial support from EU sources for their surveillance technologies, such as spyware, whose solutions are frequently mentioned in the context of human rights violations.

In response, 39 EU parliamentarians from four political groups have jointly requested concrete answers from the Commission in a letter. The representatives lamented that the EU is, apparently unintentionally, funding instruments that have been or are being used for repressive purposes in member states like Poland, Greece, and Hungary, as well as in authoritarian third countries. This, they argue, undermines fundamental rights and democracy.

According to the letter, the Commission has apparently failed to verify the trustworthiness, ownership structure, and human rights compliance of these companies. The requested end-user clauses or dual-use controls, which assess whether a product can be misused for civilian, military, and police purposes, are apparently not being effectively enforced. The revelations indicate that the Brussels-based governing institution is not sufficiently adhering to recommendations from the parliamentary inquiry committee on spyware scandals in this highly sensitive area.
Commission Stands By
In its statement, according to an FtM newsletter, the Commission explains that law enforcement agencies and intelligence services may "lawfully use spyware for legitimate purposes." However, it fails to list all EU programs from which surveillance companies have benefited. Specifically, information regarding grants from the European Social Fund and another financial pot awarded to the Italian surveillance company Area is missing.

The executive body also fails to mention financial flows to the notorious spyware manufacturer Hacking Team, the report continues. Even recent transfers from the European Investment Fund (EIF) to the Israeli spyware company Paragon Solutions, which is currently at the center of a scandal in Italy, remain unmentioned. Instead of proposing new protective measures, the Commission merely refers to the existing legal framework for protection against the illegal use of spyware.

The EU executive is "hiding behind vague references to 'EU values'," criticizes Aljosa Ajanovic Andelic from the initiative European Digital Rights (EDRi) regarding the response to FtM. It openly admits that "European funds have financed companies whose technologies are used for espionage against journalists and human rights defenders." This, he states, demonstrates a complete lack of effective control mechanisms. Green Party MEP Hannah Neumann criticizes that the Commission has taken hardly any action in the past two years following the committee's report.

| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
9:35 AM PST · November 6, 2025

WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.

Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.

On Thursday, Nicodemo said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”

“It is time to ask a very simple question: Why? Why me? How is it possible that such a sophisticated and complex tool was used to spy on a private citizen, as if he were a drug trafficker or a subversive threat to the country?” Nicodemo wrote. “I have nothing more to say. Others must speak. Others must explain what happened.”

Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.

The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians.

Governments and spyware makers have long claimed that their surveillance products are used against serious criminals and terrorists, but these recent cases show that this isn’t always true.

“The Italian government has given some spyware targets clarity and explained the cases. But others remain troublingly unclear,” said John Scott-Railton, a senior researcher at The Citizen Lab, who has for years investigated spyware companies and their abuses, including some involving the use of Paragon spyware.

“None of this looks good for Paragon, or for Italy. That’s why clarity from the Italian government is so essential. I believe that if they wanted to, Paragon could give everybody a lot more clarity on what’s going on. Until they do, these cases are going to remain a weight around their neck,” said Scott-Railton, who confirmed that Nicodemo received the notification from WhatsApp.

Natale De Gregorio, who works with Nicodemo at their public relations firm Lievito Consulting, told TechCrunch in an email that Nicodemo did not want to comment beyond what he told Fanpage and his public Facebook post.

At this point, it’s unclear who among Paragon customers targeted Nicodemo, but an Italian parliamentary committee confirmed in June that some of the victims in Italy were targeted by Italian intelligence agencies, which are under the purview of right-wing prime minister Giorgia Meloni.

A spokesperson for the Italian prime minister’s office did not respond to a request for comment from TechCrunch.

Jennifer Iras, the vice president of marketing for REDLattice, a cybersecurity company that has merged with Paragon after the Israeli spyware maker was acquired by U.S. private equity giant AE Industrial, also did not respond to a request for comment.

In February, following the revelations of the first wave of victims in Italy, Paragon cut ties with its government customers in Italy, specifically the intelligence agencies AISE and AISI.

Later in June, the Italian Parliamentary Committee for the Security of the Republic, known as COPASIR, concluded that some of the Paragon spyware victims that had been identified publicly, namely the immigration activists, were lawfully hacked by Italian intelligence services.

COPASIR, however, said there was no evidence that Francesco Cancellato, the director of Fanpage.it, an Italian news website that has investigated the youth wing of the far-right ruling party in Italy, led by Meloni, had been targeted by either of Italy’s intelligence agencies, the AISI and AISE.

COPASIR also did not investigate the case of Cancellato’s colleague Ciro Pellegrino.

Paragon, which told TechCrunch that the U.S. government is one of its customers, has an active contract with U.S. Immigration and Customs Enforcement.

| RTS Radio Télévision Suisse
08.11.2025

La Suisse prise en étau dans une guerre avec des dommages catastrophiques. Des cyberattaques massives contre les infrastructures ferroviaires et hospitalières. C'est le scénario imaginé par la Confédération pour un exercice de sécurité nationale mené sur deux jours.
Cet exercice de simulation de cyberattaques, d'ampleur inédite et gardé secret, s'est achevé vendredi soir et visait à évaluer la capacité du pays à résister à des menaces hybrides.

Toutes les couches politiques ont été concernées: le Conseil fédéral, le Parlement, les 26 cantons et 5 villes ont ainsi participé. C'est la première fois que la collaboration de crise est testée avec les cantons mais aussi des organisations scientifiques, la Migros, les CFF et plusieurs hôpitaux, avec un scénario jugé plausible face à la menace de cyberattaques en Suisse.

Capacité de coordination
Par exemple dans le canton de Vaud, le scénario imaginait un blackout à la Vallée de Joux ou la maternité du CHUV évacuée.

Toutes ces catastrophes existaient uniquement sur le papier, sans impact pour la population, avec un objectif: tester la capacité de coordination pour prendre des décisions d'urgence malgré le millefeuille fédéral.

La Chancellerie reconnaît que le fédéralisme a pu freiner la prise de certaines décisions. Mais le résultat est jugé globalement positif selon un bilan intermédiaire de la Confédération, avec un exercice mené à terme et des participants qui se sont tous pris au jeu.

L'évaluation complète seront rendus dans le courant du premier semestre 2026.

Le groupe informatique fait partie de la dizaine d’entreprises ciblées par les hackers de Clop, qui imposent un ultimatum de vingt-quatre heures.
Le groupe de hackers russe Clop a donné un ultimatum de vingt-quatre heures à Logitech.
Contacté ce vendredi en début d’après-midi, le siège du groupe à Lausanne «ne souhaite pas faire de commentaire à ce stade».
L’attaque vise une dizaine de grandes entreprises et institutions, dont le «Washington Post».
Le fabricant de périphériques informatiques Logitech figure parmi les cibles d’une vaste offensive perpétrée par le groupe de hackers Clop. Ce dernier en a fait l’annonce vendredi matin sur le dark web. Et indique avoir imposé un ultimatum de vingt-quatre heures au groupe helvético-américain, fondé en 1981 à Lausanne. En clair, ce dernier est sommé de payer une rançon, s’il ne veut pas voir les masses de données subtilisées sur ses serveurs disséminées sur le web.

Ces trois derniers jours, le groupe cybercriminel a mentionné une dizaine d’autres entreprises victimes de cette attaque. Mais également des institutions comme l’Université de Harvard ou le «Washington Post».

«Pas de commentaire» de Logitech
Contacté ce vendredi en début d’après-midi, le siège européen de Logitech indique qu’il «ne souhaite pas faire de commentaire à ce stade» sur cette offensive visant son système informatique.

«Attendons vingt-quatre heures pour voir de quoi il en retourne, Clop est l’un des acteurs les plus en vue de ces détournements de données et ils n’ont vraiment pas l’habitude de bluffer», réagit un fin connaisseur du dark web. «Peut-être Logitech essaie-t-il de gagner du temps, afin de négocier pour éviter que des masses de documents confidentiels ne soient rendus publics», s’interroge ce dernier.

La surveillance régulière de telles opérations a permis à cet expert de retrouver, depuis le début de l’année, des données volées provenant d’une quarantaine de sociétés suisses. Il s’agit avant tout de celles ayant refusé de payer face au chantage. «Au départ, elles étaient environ trois fois plus nombreuses à être désignées comme cibles, ce qui semble indiquer que près des deux tiers finissent malheureusement par payer», estime ce dernier.

Une brèche dans un logiciel mène à la cyberattaque
Selon les spécialistes, la vaste attaque des derniers jours aurait été perpétrée en utilisant la même «brèche» dans un logiciel professionnel Oracle. Après la revendication de Clop, le «Washington Post» a confirmé jeudi, sur Reuters, être victime d’une cyberattaque liée à une faille dans sa plateforme Oracle E-Business Suite (EBS).

Selon le site spécialisé TechNadu, ce logiciel est utilisé par les grandes entreprises pour «gérer leurs opérations commerciales critiques, la logistique, la production ou la gestion de la relation client». Les équipes de Google estimaient le mois dernier que cette campagne a visé une centaine d’entreprises dans le monde.

Souvent identifié par le pseudo Cl0p^_-Leaks, le groupe de «ransomware» russophone, un des plus anciens en activité, a été identifié en 2019. Il est spécialisé dans le racket de grandes sociétés – celles ayant le plus de moyens pour payer.

reuters.com
By Raphael Satter and A.J. Vicens
November 7, 20254:21 PM GMT+1Updated 22 hours ago

The Washington Post said it is among victims of a sweeping cyber breach tied to Oracle (ORCL.N), opens new tab software.
In a statement released on Thursday, the newspaper said it was one of those impacted "by the breach of the Oracle E-Business Suite platform."

The paper did not provide further detail, but its statement comes after CL0P, the notorious ransomware group, said on its website that the Washington Post was among its victims. CL0P did not return messages seeking comment. Oracle pointed Reuters to a pair of security, opens new tab advisories, opens new tab issued last month.

Ransom-seeking hackers typically publicize their victims in an effort to shame them into making extortion payments, and CL0P are among the world's most prolific. The hacking squad is alleged to be at the center of a sweeping cybercriminal campaign targeting Oracle's E-Business Suite of applications, which Oracle clients use to manage customers, suppliers, manufacturing, logistics, and other business processes.
Google said last month that there were likely to be more than 100 companies affected by the intrusions.

| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
8:36 AM PST · November 7, 2025

The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more than a year.

The U.S. Congressional Budget Office has confirmed it was hacked.

Caitlin Emma, a spokesperson for CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”

CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.

On Thursday, The Washington Post, which first revealed the breach, reported that unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are worried that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.

Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between CBO and the offices could have been compromised and used to craft and send phishing attacks.

It’s unclear how the hackers gained access to the CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited the CBO’s outdated Cisco firewall to break into the agency’s network.

Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the CBO’s firewall was allegedly vulnerable to a series of newly discovered security bugs, which were being exploited by suspected Chinese government-backed hackers.

Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown took effect on October 1.

On Thursday, Beaumont said that the firewall is now offline.

The CBO’s spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.

bleepingcomputer.com
By Sergiu Gatlan
November 7, 2025

Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.

The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.

When chained, these vulnerabilities allow remote, unauthenticated attackers to gain complete control over unpatched systems.

The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.

Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.

Now exploited in DoS attacks
"Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes," a Cisco spokesperson told BleepingComputer this week.

"On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions."

CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.

On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it didn't directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was "not aware of any public announcements or malicious use of the vulnerability."

Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.

More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).

"We strongly recommend all customers upgrade to the software fixes outlined in our security advisories," Cisco added on Thursday.

| Eurojust | European Union Agency for Criminal Justice Cooperation
eurojust.europa.eu
Eurojust Press Team

Nine people suspected of money laundering have been arrested during a synchronised operation that took place in three countries at the same time. The suspects set up a cryptocurrency money laundering network that scammed victims out of over EUR 600 million. Eurojust, the EU’s judicial cooperation hub, ensured that French, Belgian, Cypriot, German and Spanish authorities worked together to take the network down.

The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns. They recruited their victims using a variety of methods such as social media advertising, cold calling, fake news articles and fake testimonials from celebrities or successful investors.

When victims would transfer cryptocurrency to the platforms, they were never able to recover their money. The crypto assets earned through the various scams were then laundered using blockchain technology. The criminals were able to launder approximately EUR 600 million.

Investigations into the network started when authorities received several complaints from victims. Eurojust ensured that the authorities were able to work together in a fast and efficient manner by setting up a joint investigation team between French and Belgian authorities. As other countries had to be involved during the actions, Eurojust brought prosecutors and investigative judges from France, Belgium, Cyprus, Spain and Germany together to plan the takedown of the network.

Actions against the suspects took place on 27 and 29 October and were coordinated from the Eurojust premises in The Hague. Nine suspects were arrested at their homes in Cyprus, Spain and Germany on suspicion of their involvement in money laundering from fraudulent activities. At the same time, searches took place that resulted in the seizure of EUR 800 000 in bank accounts, EUR 415 000 in cryptocurrencies and EUR 300 000 in cash.

The actions were carried out by the following authorities:

France: Investigative Judge of the Court of Paris JUNALCO (National Jurisdiction against Organised Crime) - Cybercrime Unit; Gendarmerie Nationale - Cyber Unit
Belgium: PPO Limburg; Investigating Judge of the Court of 1st Instance in Limburg; Federal Judicial Police Limburg
Cyprus: Attorney General's Office; MOKAS; Cyprus Police
Germany: Public Prosecutor’s Office Cologne; Cologne Criminal Police
Spain: PPO Barcelona - International Cooperation Section; Investigative Court num 5 in Vilanova i la Geltrú; Mossos d’Esquadra (Cybercrime Central Area); Policía Nacional (Cybercrime Central Unit and Barcelona and Oviedo Provincial Brigade of Judicial Police)

| The Record from Recorded Future News
therecord.media
Alexander Martin
November 3rd, 2025

The U.K.'s water suppliers have reported five cyberattacks since January 2024, according to information reviewed by Recorded Future News. The incidents did not affect the safety of water supplies, but they highlight an increasing threat.

None of the attacks impacted the safe supply of drinking water itself, but instead affected the organizations behind those supplies. The incidents, a record number in any two-year period, highlight what British intelligence warns is an increasing threat posed by malicious cyber actors to the country’s critical infrastructure.

The data shared by the Drinking Water Inspectorate (DWI) showed the watchdog received 15 reports from suppliers between January 1, 2024, and October 20, 2025. These were sent under the NIS Regulations, which is just one part of the extensive legal framework governing the security of drinking water systems in Britain.

Of these reports, five regarded cybersecurity incidents affecting what the DWI called “out-of-NIS-scope systems” with the others being non-cyber operational issues. Further details of the 15 reports were not shared with Recorded Future News..

Currently, the NIS Regulations limit formally reportable cyber incidents to those that actually result in disruption to an essential service. If British infrastructure suppliers were impacted by hacks such as the pre-positioning campaign tracked as Volt Typhoon, suppliers would not have a legal duty to disclose them.

DWI said the five incidents that were disclosed to the watchdog were shared for information purposes because they were considered to be “related to water supply resilience risks.”

British officials are expected to try to amend this high bar for reporting when the government updates those laws through the much-delayed Cyber Security and Resilience Bill, when it is finally introduced to Parliament later this year.

A government spokesperson said: “The Cyber threats we face are sophisticated, relentless and costly. Our Cyber Security and Resilience Bill will be introduced to Parliament this year and is designed to strengthen our cyber defences — protecting the services the public rely on so they can go about their normal lives.”

Five reports better than none
That the reports were made despite not being required by the NIS Regulations was a positive sign, said Don Smith, vice president threat research at Sophos.

“Critical infrastructure providers, like any modern connected enterprise, are subject to attacks from criminal actors daily. It is no surprise that security incidents do occur within these enterprises, despite the compliance regimes that they’re subjected to,” Smith told Recorded Future News when asked about the data.

“I think we should be encouraged that these reports were shared outside of the scope of the NIS Regulations. It is very useful for critical infrastructure operators to understand the nature of these attacks, both in the case of commodity threats and if there’s an advanced adversary operating, and a culture of information sharing helps widen everyone’s aperture.”

Although there have been ransomware attacks against the IT office systems used by water companies — including on South Staffs Water in the U.K. and Aigües de Mataró in Spain — it is extremely rare for cyberattacks on water suppliers to actually disrupt supplies.

In one rare case of a successful attack on an OT (operational technology) component, residents of a remote area on Ireland’s west coast were left without water for several days in December 2023 when a pro-Iran hacking group indiscriminately targeted facilities using a piece of equipment the hackers complained was made in Israel.

The U.S. federal government had issued a warning about the exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector. Attacks on PLCs, core technology components in a lot of industrial control systems, are one of the main concerns of critical infrastructure defenders.

Initiatives to improve the security of water systems in the United States faltered under the Biden administration when water industry groups partnered with Republican lawmakers to put a halt to the federal efforts, despite significant increases in the number of ransomware attacks and state-sponsored intrusions.

Last week, Canadian authorities warned of an incident in which hacktivists changed the water pressure at one local utility among a spate of attacks interfering with industrial control systems.

Britain's National Cyber Security Centre encourages critical infrastructure providers to ensure they have properly segmented their business IT systems and their OT systems to reduce the impact of any cyber intrusion. In August, the agency released a new Cyber Assessments Framework to help organizations improve their resilience.

“Commodity rather than targeted attacks remain the most likely threat to impact critical infrastructure providers. The messaging I pass to CISOs and the people managing risk in these organizations is to worry about defending from the everyday as opposed to defending from the exotic,” said Smith.

“They’re expected to do both, but the much bigger risk is that we end up with a major piece of our CNI knocked offline because of a ransomware attack. I worry about people thinking about investing huge amounts in monitoring esoteric systems when they’re actually not protecting themselves from the basics.”

washingtonpost.com
By Joseph Menn

More than a half-dozen federal departments and agencies backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor’s ties to mainland China make them a national security risk, according to people briefed on the matter and a communication reviewed by The Washington Post.

The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company’s former assets in China. The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”

If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.

None of the agencies involved responded to requests to comment on the proposal, which is now back in the hands of Commerce. While Commerce initially proposed the ban and sought the interagency review, it has taken no action since that process was completed. It could still decide to not issue a ban against TP-Link routers or could reach an agreement with the company for a different resolution of its concerns. The White House, which the people said supported the proposed ban, could also change its mind.

A former senior Defense Department official and two other people familiar with the details described the ban proposal to The Post; they spoke on the condition of anonymity to reveal internal deliberations. One of those people and four other current officials confirmed that the proposal had secured interagency approval.

A White House spokesperson asked about the proposed ban declined to address it specifically. “We are aware of active efforts by the Chinese government to exploit critical security vulnerabilities and are working with all relevant parties to assess exposure and mitigate the damage,” the spokesperson said.

Trump met Chinese leader Xi Jinping on Thursday in South Korea, where they reached an agreement that lowered the temperature of the conflict over trade between the two countries. The negotiations leading to that deal have made any move toward banning TP-Link routers less likely in the near term, two of the people said. One of them said the administration viewed TP-Link as a bargaining chip in further U.S.-China trade talks.

A spokesman for TP-Link Systems, Jeff Seedman, called it “nonsensical to suggest” that any measure taken against the company could serve as a “bargaining chip” in U.S.-China talks. “Any adverse action against TP-Link would have no impact on China, but would harm an American company,” he said.

Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government. TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years. The Commerce proposal mentions the prospect that the company could offer a deal after notification that would satisfy the government and forestall a ban, one of the people said, but the government would have to be certain that key hardware and software was being developed without influence from China.

TP-Link Systems has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies and operates them without Chinese government supervision, according to company spokeswoman Silverio. TP-Link Technologies serves only the Chinese market, she said. U.S.-based TP-Link Systems has about 500 employees in the U.S. and about 11,000 in China, Silverio said, adding that some of them work in facilities physically adjacent to those still owned by TP-Link Technologies.

TP-Link Systems’s website says it has 36 percent of the U.S. market for home routers by direct unit sales, while other estimates and congressional testimony put the share above 50 percent. A substantial portion of TP-Link routers and those of its competitors are purchased or leased through internet service providers, industry analysts said.

Federal regulations partly based on executive orders issued by Trump in his first term and by President Joe Biden empower the commerce secretary to make a risk assessment of transactions in “information and communications technology or services” that involve material from entities “controlled by, or subject to the jurisdiction or direction of foreign adversaries” and may therefore pose an “undue or unacceptable” security risk.

Last year, Commerce Secretary Gina Raimondo blocked U.S. sales of antivirus software from Russia’s Kaspersky Lab, noting the extensive access such security programs have to computers. “Russia has shown it has the capacity — and even more than that, the intent — to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action we are taking today,” Raimondo said at the time. Kaspersky denied that its U.S. activities posed a security risk.

Under the law, if the commerce secretary determines there is a security risk from foreign-influenced technology, the department can suggest ways to mitigate those risks. In the case of TP-Link Systems, Commerce officials decided that no mitigation short of a prohibition would suffice, according to the people briefed on the interagency review.

Seedman said any concerns “are fully resolvable by a common-sense mix of measures like onshoring key development functions, making strong and coordinated investments in cybersecurity, and being transparent with the government.” TP-Link Systems, he added, “has repeatedly sought Commerce’s input as to where the government believes there could be residual concerns. Commerce has so far not responded to TP-Link’s outreach in that regard.”

The proposed ban’s approval by the other federal departments returned it to Commerce, leaving the department free to issue a formal notification to TP-Link Systems that would give the company 30 days to respond. Commerce would then have 30 days to consider any objections before any ban would take effect.

The Post could not determine why Commerce has not taken further action. Some of those briefed said officials might by leery of stepping on any toes in the White House, especially amid trade talks with China that involve other technology issues. More recently, the government shutdown has become the top priority at Commerce and is occupying the time of the officials who remain on the job, the people said.

None of those interviewed for this article said they knew of any substantive objections inside government to the ban, which has been sought by members of both parties in Congress.

Paul Triolo, a partner at DGA Group in Washington who monitors U.S.-China technology issues, said recently it was not clear whether the interagency decision required an additional White House sign-off. “It may be too small of a thing to create a reaction from China,” he said.

Sen. Tom Cotton (R-Arkansas), who chairs the Senate Intelligence Committee, pushed for an investigation of TP-Link and is frustrated that no action has been taken, a spokesman said. “The continued sale of networking equipment linked to communist China in the United States puts our security at risk and American competitors at a disadvantage,” Cotton told The Post.

Many brands of home and small office routers, including those from TP-Link, have been used as stepping stones in recent years by Chinese government-supported hacking groups, which break into them to disguise where they are coming from, government and private-sector cybersecurity officials determined.

Some security experts have complained that the company has been slow to fix flaws after they are exposed. Last month, TP-Link Systems said it was still working to patch U.S. routers exposed to a high-severity weakness that had been reported in May. The company said its response time was within industry norms and that some measures show it has fewer reported flaws than rivals.

TP-Link Systems gear did not play a notable role in the major hack of U.S. telecommunication carriers exposed more than a year ago, which Sen. Mark R. Warner (D-Virginia) called the “worst telecom hack in our nation’s history.” But Microsoft said last year that hacked TP-Link Systems routers made up most of a covert network used by Chinese attackers since at least 2021 to steal log-in credentials from the software giant’s sensitive customers.

Microsoft said that network was used by multiple Chinese groups on spying missions. TP-Link Systems issued a patch for the vulnerable devices in November, four months after they were reported being hacked, even though they had been designated as end-of-life and too old for such updates. TP-Link said its action showed its willingness to go beyond what was legally required to help with security issues.

Some other U.S. router makers also depend on manufacturers in China. But U.S. officials said they are more concerned about TP-Link because under Chinese law companies there must comply with intelligence agency requests and notify Beijing of security flaws. They said the Chinese arm could even be compelled to push out software updates that could change the way the devices function.

California-based TP-Link Systems said it is “not subject to the direction of the PRC [Chinese government] intel apparatus.” It told The Post that only U.S. engineers can push updates to U.S. customers.

TP-Link Systems is owned by one of the two brothers who started TP-Link Technologies in China and his wife. The company said the brother in Irvine, chief executive Jeffrey (Jianjun) Chao, is pursuing U.S. citizenship and plans to expand the company’s American workforce.

A federal judge hearing an unrelated patent dispute in Texas against TP-Link Technologies concluded two years ago that frequent changes in that company’s corporate structure seemed designed to avoid accountability, telling an attorney for the Chinese company that “the evidence that we have indicates that your clients are deliberately trying to hide their relationship with TP-Link USA,” as the American operation was called at the time.

“The Texas case did not even involve TP-Link’s California company,” Silverio told The Post. “The defendants in that case were TP-Link foreign entities that were not affiliated with the California company at the time. The defendants later became affiliated with TP-Link’s California entity after a series of corporate reorganizations.”

It is unclear exactly which networking products would be covered under what is technically defined as a “prohibition” by Commerce on certain transactions, though they would include home and small office routers.

In related work on TP-Link Systems, the Justice Department’s antitrust unit is weighing criminal charges, based on claims that TP-Link products have been subsidized by the Chinese government and artificially priced under U.S. rivals, according to the people briefed on the interagency discussions. The company says it does not price products lower than they cost to make, and its spokeswoman said it has not heard from the Justice Department regarding an antitrust probe but would cooperate with any investigation.

The interagency probe began under the Biden administration and gained steam after the inauguration amid Trump’s tough talk on China, officials said. The possibility of a ban was first reported by the Wall Street Journal late last year, and the criminal antitrust probe was reported in April by Bloomberg News. Bloomberg reported this month that the administration was considering other actions.

| OAIC oaic.gov.au
Published: 09 October 2025

The Federal Court ordered that Australian Clinical Labs (ACL) pay $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business in February 2022.

The Federal Court yesterday ordered that Australian Clinical Labs (ACL) pay $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business in February 2022. The breach resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals.

These are the first civil penalties ordered under the Privacy Act 1988 (Cth).

Australian Information Commissioner Elizabeth Tydd welcomed the Court's orders, stating that they “provide an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold.

“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately.

“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act".

The Federal Court has made orders imposing the following penalties:

a penalty of $4.2 million for ACL's failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems under Australian Privacy Principle 11.1, which amounted to more than to 223,000 contraventions of s 13G(a) of the Privacy Act;
a penalty of $800,000 for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022, in contravention of s 26WH(2) of the Privacy Act; and
a penalty of $800,000 for ACL’s failures to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of s 26WK(2) of the Privacy Act.
Justice Halley said in his judgment that the contraventions were “extensive and significant.” His Honour also found that:

‘ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment and ACL’s response to the Medlab Cyberattack, including whether it amounted to an eligible data breach.’
‘ACL’s contraventions … resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems’
‘ACL’s contravening conduct … had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience.’
‘the contraventions had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals.’
His Honour identified several factors that reduced the penalty that was imposed. These included that that ‘ACL ... cooperated with the investigation undertaken by the office of the Commissioner', and that it had commenced ‘a program of works to uplift the company’s cybersecurity capabilities’ which ‘satisfied [his Honour] that these actions demonstrate that ACL has sought, and continues to seek, to take meaningful steps to develop a satisfactory culture of compliance.’ His Honour also took into account the apologies made by ACL and the fact that it had admitted liability.

ACL admitted the contraventions, consented to orders being made and the parties made joint submissions on liability and penalty.

The penalties were imposed under the penalty regime which was in force at the time of the contraventions, with a maximum penalty of $2.22 million per contravention. The new penalty regime that came into force on 13 December 2022 allows the Court to impose much higher penalties for serious interferences with privacy. Under the new regime, maximum penalties per contravention can be as much as $50 million, three times the benefit derived from the conduct or up to the 30% of a business’s annual turnover per contravention.

Privacy Commissioner Carly Kind said, “This outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament. This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”

watson.ch
29.10.2025, 07:17
(jzs/ats)

Une vulnérabilité a été découverte sur les bus électriques Yutong qui circulent en Norvège: des tiers pourraient en prendre le contrôle à distance.

Une vulnérabilité a été découverte sur les bus électriques chinois circulant à Oslo, a annoncé mardi l'opérateur des transports publics de la capitale norvégienne. Les véhicules peuvent passer sous contrôle de leur constructeur ou de parties tierces.

Ruter, l'opérateur, a discrètement testé cet été deux bus électriques, l'un construit par le groupe chinois Yutong l'autre par l'entreprise néerlandaise VDL, dans un cadre isolé à l'intérieur d'une montagne, afin de mesurer leurs ondes électromagnétiques. «Ce que nous avons découvert, c'est que tout ce qui est connecté, y compris les bus, présente un risque», a déclaré le directeur de Ruter, Bernt Reitan Jenssen, au micro de la chaîne télévisée NRK.

«Il existe un risque que les fournisseurs puissent en prendre, disons, un contrôle non souhaité, mais aussi que d'autres acteurs puissent s'introduire dans cette chaîne de valeur et influencer les bus», a-t-il ajouté.

Pare-feu numérique
Cette vulnérabilité est liée à un boîtier contenant une carte SIM qui permet au constructeur du modèle chinois d'installer à distance des mises à jour logicielles mais aussi, selon des experts, de désactiver le bus, a détaillé le journal Aftenposten. Cette fonctionnalité et donc cette vulnérabilité n'existent pas sur le modèle néerlandais, selon ces mêmes experts.

Les caméras installées sur les deux bus, chinois et néerlandais, ne sont pas reliées à Internet et ne transmettent, quant à elles, pas de données, a précisé Ruter dans un communiqué.

Ruter dit avoir informé les autorités norvégiennes de ses conclusions et a annoncé des mesures telles que le développement d'un pare-feu numérique pour se prémunir contre le contrôle d'un bus à distance. «Nous tenons à évaluer de manière approfondie les risques liés notamment au fait d'avoir des bus provenant de pays avec lesquels nous n'avons pas de coopération en matière de sécurité», a réagi le ministre norvégien des transports, Jon-Ivar Nygård.

«Ce travail est en cours», a-t-il indiqué à NRK. Ruter opère quelque 300 bus électriques chinois à Oslo et dans ses environs. (jzs/ats)

| The Verge theverge.com
by
Robert Hart
Oct 30, 2025, 4:53 PM GMT+1

Huge cyber breaches are on the horizon thanks to AI-powered web browsers like ChatGPT Atlas and Comet, experts warn.

Web browsers are getting awfully chatty. They got even chattier last week after OpenAI and Microsoft kicked the AI browser race into high gear with ChatGPT Atlas and a “Copilot Mode” for Edge. They can answer questions, summarize pages, and even take actions on your behalf. The experience is far from seamless yet, but it hints at a more convenient, hands-off future where your browser does lots of your thinking for you. That future could also be a minefield of new vulnerabilities and data leaks, cybersecurity experts warn. The signs are already here, and researchers tell The Verge the chaos is only just getting started.

Atlas and Copilot Mode are part of a broader land grab to control the gateway to the internet and to bake AI directly into the browser itself. That push is transforming what were once standalone chatbots on separate pages or apps into the very platform you use to navigate the web. They’re not alone. Established players are also in the race, such as Google, which is integrating its Gemini AI model into Chrome; Opera, which launched Neon; and The Browser Company, with Dia. Startups are also keen to stake a claim, such as AI startup Perplexity — best known for its AI-powered search engine, which made its AI-powered browser Comet freely available to everyone in early October — and Sweden’s Strawberry, which is still in beta and actively going after “disappointed Atlas users.”

In the past few weeks alone, researchers have uncovered vulnerabilities in Atlas allowing attackers to take advantage of ChatGPT’s “memory” to inject malicious code, grant themselves access privileges, or deploy malware. Flaws discovered in Comet could allow attackers to hijack the browser’s AI with hidden instructions. Perplexity, through a blog, and OpenAI’s chief information security officer, Dane Stuckey, acknowledged prompt injections as a big threat last week, though both described them as a “frontier” problem that has no firm solution.

“Despite some heavy guardrails being in place, there is a vast attack surface,” says Hamed Haddadi, professor of human-centered systems at Imperial College London and chief scientist at web browser company Brave. And what we’re seeing is just the tip of the iceberg.

With AI browsers, the threats are numerous. Foremost, they know far more about you and are “much more powerful than traditional browsers,” says Yash Vekaria, a computer science researcher at UC Davis. Even more than standard browsers, Vekaria says “there is an imminent risk from being tracked and profiled by the browser itself.” AI “memory” functions are designed to learn from everything a user does or shares, from browsing to emails to searches, as well as conversations with the built-in AI assistant. This means you’re probably sharing far more than you realise and the browser remembers it all. The result is “a more invasive profile than ever before,” Vekaria says. Hackers would quite like to get hold of that information, especially if coupled with stored credit card details and login credentials often found on browsers.

Another threat is inherent to the rollout of any new technology. No matter how careful developers are, there will inevitably be weaknesses hackers can exploit. This could range from bugs and coding errors that accidentally reveal sensitive data to major security flaws that could let hackers gain access to your system. “It’s early days, so expect risky vulnerabilities to emerge,” says Lukasz Olejnik, an independent cybersecurity researcher and visiting senior research fellow at King’s College London. He points to the “early Office macro abuses, malicious browser extensions, and mobiles prior to [the] introduction of permissions” as examples of previous security issues linked to the rollout of new technologies. “Here we go again.”

Some vulnerabilities are never found — sometimes leading to devastating zero-day attacks, named as there are zero days to fix the flaw — but thorough testing can slash the number of potential problems. With AI browsers, “the biggest immediate threat is the market rush,” Haddadi says. “These agentic browsers have not been thoroughly tested and validated.”

But AI browsers’ defining feature, AI, is where the worst threats are brewing. The biggest challenge comes with AI agents that act on behalf of the user. Like humans, they’re capable of visiting suspect websites, clicking on dodgy links, and inputting sensitive information into places sensitive information shouldn’t go, but unlike some humans, they lack the learned common sense that helps keep us safe online. Agents can also be misled, even hijacked, for nefarious purposes. All it takes is the right instructions. So-called prompt injections can range from glaringly obvious to subtle, effectively hidden in plain sight in things like images, screenshots, form fields, emails and attachments, and even something as simple as white text on a white background.

Worse yet, these attacks can be very difficult to anticipate and defend against. Automation means bad actors can try and try again until the agent does what they want, says Haddadi. “Interaction with agents allows endless ‘try and error’ configurations and explorations of methods to insert malicious prompts and commands.” There are simply far more chances for a hacker to break through when interacting with an agent, opening up a huge space for potential attacks. Shujun Li, a professor of cybersecurity at the University of Kent, says “zero-day vulnerabilities are exponentially increasing” as a result. Even worse: Li says as the flaw starts with an agent, detection will also be delayed, meaning potentially bigger breaches.

It’s not hard to imagine what might be in store. Olejnik sees scenarios where attackers use hidden instructions to get AI browsers to send out personal data or steal purchased goods by changing the saved address on a shopping site. To make things worse, Vekaria warns it’s “relatively easy to pull off attacks” given the current state of AI browsers, even with safeguards in place. “Browser vendors have a lot of work to do in order to make them more safe, secure, and private for the end users,” he says.

For some threats, experts say the only real way to keep safe using AI browsers is to simply avoid the marquee features entirely. Li suggests people save AI for “only when they absolutely need it” and know what they’re doing. Browsers should “operate in an AI-free mode by default,” he says. If you must use the AI agent features, Vekaria advises a degree of hand-holding. When setting a task, give the agent verified websites you know to be safe rather than letting it figure them out on its own. “It can end up suggesting and using a scam site,” he warns.

blog.mozilla.org – Mozilla Add-ons Community Blog
Alan Byrne October 23, 2025

As of November 3rd 2025, all new Firefox extensions will be required to specify if they collect or transmit personal data in their manifest.json file using the browser_specific_settings.gecko.data_collection_permissions key. This will apply to new extensions only, and not new versions of existing extensions. Extensions that do not collect or transmit any personal data are required to specify this by setting the none required data collection permission in this property.

This information will then be displayed to the user when they start to install the extension, alongside any permissions it requests.

This information will also be displayed on the addons.mozilla.org page, if it is publicly listed, and in the Permissions and Data section of the Firefox about:addons page for that extension. If an extension supports versions of Firefox prior to 140 for Desktop, or 142 for Android, then the developer will need to continue to provide the user with a clear way to control the add-on’s data collection and transmission immediately after installation of the add-on.

Once any extension starts using these data_collection_permissions keys in a new version, it will need to continue using them for all subsequent versions. Extensions that do not have this property set correctly, and are required to use it, will be prevented from being submitted to addons.mozilla.org for signing with a message explaining why.

In the first half of 2026, Mozilla will require all extensions to adopt this framework. But don’t worry, we’ll give plenty of notice via the add-ons blog. We’re also developing some new features to ease this transition for both extension developers and users, which we will announce here.

techcrunch.com
Jagmeet Singh
6:30 PM PDT · October 28, 2025

A security researcher found the Indian automotive giant exposing personal information of its customers, internal company reports, and dealers’ data. Tata confirmed it fixed the issues.

Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.

Zveare said he found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.

The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number (PAN), a 10-character unique identifier issued by the Indian government.

“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.

There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.

The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.
“As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.

The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the issues were fixed.

Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023 but would not say if it notified affected customers that their information was exposed.

“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.

“Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.

Python Software Foundation News
pyfound.blogspot.com
Monday, October 27, 2025

The PSF has withdrawn a $1.5 million proposal to US government grant program
In January 2025, the PSF submitted a proposal to the US government National Science Foundation under the Safety, Security, and Privacy of Open Source Ecosystems program to address structural vulnerabilities in Python and PyPI. It was the PSF’s first time applying for government funding, and navigating the intensive process was a steep learning curve for our small team to climb. Seth Larson, PSF Security Developer in Residence, serving as Principal Investigator (PI) with Loren Crary, PSF Deputy Executive Director, as co-PI, led the multi-round proposal writing process as well as the months-long vetting process. We invested our time and effort because we felt the PSF’s work is a strong fit for the program and that the benefit to the community if our proposal were accepted was considerable.

We were honored when, after many months of work, our proposal was recommended for funding, particularly as only 36% of new NSF grant applicants are successful on their first attempt. We became concerned, however, when we were presented with the terms and conditions we would be required to agree to if we accepted the grant. These terms included affirming the statement that we “do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI, or discriminatory equity ideology in violation of Federal anti-discrimination laws.” This restriction would apply not only to the security work directly funded by the grant, but to any and all activity of the PSF as a whole. Further, violation of this term gave the NSF the right to “claw back” previously approved and transferred funds. This would create a situation where money we’d already spent could be taken back, which would be an enormous, open-ended financial risk.

Diversity, equity, and inclusion are core to the PSF’s values, as committed to in our mission statement:
The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers.
Given the value of the grant to the community and the PSF, we did our utmost to get clarity on the terms and to find a way to move forward in concert with our values. We consulted our NSF contacts and reviewed decisions made by other organizations in similar circumstances, particularly The Carpentries.

In the end, however, the PSF simply can’t agree to a statement that we won’t operate any programs that “advance or promote” diversity, equity, and inclusion, as it would be a betrayal of our mission and our community.

We’re disappointed to have been put in the position where we had to make this decision, because we believe our proposed project would offer invaluable advances to the Python and greater open source community, protecting millions of PyPI users from attempted supply-chain attacks. The proposed project would create new tools for automated proactive review of all packages uploaded to PyPI, rather than the current process of reactive-only review. These novel tools would rely on capability analysis, designed based on a dataset of known malware. Beyond just protecting PyPI users, the outputs of this work could be transferable for all open source software package registries, such as NPM and Crates.io, improving security across multiple open source ecosystems.

In addition to the security benefits, the grant funds would have made a big difference to the PSF’s budget. The PSF is a relatively small organization, operating with an annual budget of around $5 million per year, with a staff of just 14. $1.5 million over two years would have been quite a lot of money for us, and easily the largest grant we’d ever received. Ultimately, however, the value of the work and the size of the grant were not more important than practicing our values and retaining the freedom to support every part of our community. The PSF Board voted unanimously to withdraw our application.

Giving up the NSF grant opportunity—along with inflation, lower sponsorship, economic pressure in the tech sector, and global/local uncertainty and conflict—means the PSF needs financial support now more than ever. We are incredibly grateful for any help you can offer. If you're already a PSF member or regular donor, you have our deep appreciation, and we urge you to share your story about why you support the PSF. Your stories make all the difference in spreading awareness about the mission and work of the PSF.

How to support the PSF:
Become a Member: When you sign up as a Supporting Member of the PSF, you become a part of the PSF. You’re eligible to vote in PSF elections, using your voice to guide our future direction, and you help us sustain what we do with your annual support.
Donate: Your donation makes it possible to continue our work supporting Python and its community, year after year.
Sponsor: If your company uses Python and isn’t yet a sponsor, send them our sponsorship page or reach out to sponsors@python.org today. The PSF is ever grateful for our sponsors, past and current, and we do everything we can to make their sponsorships beneficial and rewarding.