theregister.com
Jessica Lyons
Thu 20 Nov 202

They keep coming back for more

Salesforce has disclosed another third-party breach in which criminals - likely ShinyHunters (again) - may have accessed hundreds of its customers' data.

This time, the suspicious activity involves Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.

“This activity is likely related to UNC6240 (aka ShinyHunters),” Google Threat Intelligence Group’s principal analyst Austin Larsen told The Register, adding that the threat hunters are “aware of more than 200 potentially affected Salesforce instances.”

"Our investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection," the CRM giant said in a security advisory published late Wednesday.

Salesforce has disclosed another third-party breach in which criminals - likely ShinyHunters (again) - may have accessed hundreds of its customers' data.

This time, the suspicious activity involves Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.

“This activity is likely related to UNC6240 (aka ShinyHunters),” Google Threat Intelligence Group’s principal analyst Austin Larsen told The Register, adding that the threat hunters are “aware of more than 200 potentially affected Salesforce instances.”

"Our investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection," the CRM giant said in a security advisory published late Wednesday.

"Per our update, upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues," Salesforce spokesperson Allen Tsai told The Register.

Tsai declined to answer specific questions about the breach, including how many customers were compromised - the company has notified those affected, he said - and who is behind the latest theft of Salesforce customers' data.

"There is no indication that this issue resulted from any vulnerability in the Salesforce platform," Tsai said. "The activity appears to be related to the app's external connection to Salesforce."

Gainsight did not immediately respond to The Register's request for comment.
While Salesforce isn't pointing the finger at a particular threat group, Larsen attributed the activity to ShinyHunters. This is the same criminal crew that breached SalesLoft's Drift application earlier this year and stole a bunch of companies' OAuth tokens, which allowed them access to numerous orgs' Salesforce instances.

"Our team at Google Threat Intelligence Group (GTIG) has observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances," Larsen said in a LinkedIn post on Thursday.

Google's Mandiant incident response team is working with Salesforce to notify potentially affected organizations, Larsen added, and urged all companies to "view this as a signal to audit their SaaS environments," including conducting regular reviews of all third-party applications connected to their Salesforce instances.

Companies should also "investigate and revoke tokens for unused or suspicious applications," and, upon detecting any anomalous activity, "rotate the credentials immediately," he wrote.

• The Register
Carly Page
Thu 23 Oct 2025 //

Google has taken down thousands of YouTube videos that were quietly spreading password-stealing malware disguised as cracked software and game cheats.

Researchers at Check Point say the so-called "YouTube Ghost Network" hijacked and weaponized legitimate YouTube accounts to post tutorial videos that promised free copies of Photoshop, FL Studio, and Roblox hacks, but instead lured viewers into installing infostealers such as Rhadamanthys and Lumma.

The campaign, which has been running since 2021, surged in 2025, with the number of malicious videos tripling compared to previous years. More than 3,000 malware-laced videos have now been scrubbed from the platform after Check Point worked with Google to dismantle what it called one of the most significant malware delivery operations ever seen on YouTube.

Check Point says the Ghost Network relied on thousands of fake and compromised accounts working in concert to make malicious content look legitimate. Some posted the "tutorial" videos, others flooded comment sections with praise, likes, and emojis to give the illusion of trust, while a third set handled "community posts" that shared download links and passwords for the supposed cracked software.

"This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe," said Eli Smadja, security research group manager at Check Point. "What looks like a helpful tutorial can actually be a polished cyber trap. The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponise engagement tools to spread malware."

Once hooked, victims were typically instructed to disable antivirus software, then download an archive hosted on Dropbox, Google Drive, or MediaFire. Inside was malware rather than a working copy of the promised program, and once opened, the infostealers exfiltrated credentials, crypto wallets, and system data to remote command-and-control servers.

One hijacked channel with 129,000 subscribers posted a cracked version of Adobe Photoshop that racked up nearly 300,000 views and more than 1,000 likes. Another targeted cryptocurrency users, redirecting them to phishing pages hosted on Google Sites.

As Check Point tracked the network, it found the operators frequently rotated payloads and updated download links to outpace takedowns, creating a resilient ecosystem that could quickly regenerate even when accounts were banned.

Check Point says the Ghost Network's modular design, with uploaders, commenters, and link distributors, allowed campaigns to persist for years. The approach mimics a separate operation the firm has dubbed the "Stargazers Ghost Network" on GitHub, where fake developer accounts host malicious repositories.

While most of the malicious videos pushed pirated software, the biggest lure was gaming cheats – particularly for Roblox, which has an estimated 380 million monthly active players. Other videos dangled cracked copies of Microsoft Office, Lightroom, and Adobe tools. The "most viewed" malicious upload targeted Photoshop, drawing almost 300,000 views before Google's cleanup operation.

The surge in 2025 marks a sharp shift in how malware is being distributed. Where phishing emails and drive-by downloads once dominated, attackers are now exploiting the social credibility of mainstream platforms to bypass user skepticism.

"In today's threat landscape, a popular-looking video can be just as dangerous as a phishing email," Smadja said. "This takedown shows that even trusted platforms aren't immune to weaponization, but it also proves that with the right intelligence and partnerships, we can push back."

Check Point doesn't have concrete evidence as to who is operating this network. It said the primary beneficiaries currently appear to be cybercriminals motivated by profit, but this could change if nation-state groups use the same tactics and video content to attract high-value targets.

The YouTube Ghost Network's rise underscores how far online malware peddlers have evolved from spammy inbox bait. The ghosts may have been exorcised this time, but with engagement now an attack vector, the next haunting is only ever a click away.

• The Register
Mon 29 Sep 2025 // 08:01 UTC
by Danny Bradbury

Feature: Guess how much of our direct transatlantic data capacity runs through two cables in Bude?

The first transatlantic cable, laid in 1858, delivered a little over 700 messages before promptly dying a few weeks later. 167 years on, the undersea cables connecting the UK to the outside world process £220 billion in daily financial transactions. Now, the UK Parliament's Joint Committee on National Security Strategy (JCNSS) has told the government that it has to do a better job of protecting them.

The Committee's report, released on September 19, calls the government "too timid" in its approach to protecting the cables that snake from the UK to various destinations around the world. It warns that "security vulnerabilities abound" in the UK's undersea cable infrastructure, when even a simple anchor-drag can cause major damage.

There are 64 cables connecting the UK to the outside world, according to the report, carrying most of the country's internet traffic. Satellites can't shoulder the data volumes involved, are too expensive, and only account for around 5 percent of traffic globally.

These cables are invaluable to the UK economy, but they're also difficult to protect. They are heavily shielded in the shallow sea close to those points. That's because accidental damage from fishing operations and other vessels is common. On average, around 200 cables suffer faults each year. But as they get further out, the shielding is less robust. Instead, the companies that lay the cables rely on the depth of the sea to do its job (you'll be pleased to hear that sharks don't generally munch on them).

The report praises a strong cable infrastructure, and admits that in some areas at least we have the redundancy in the cable infrastructure to handle disruptions. For example, it notes that 75 percent of UK transatlantic traffic routes through two cables that come ashore in Bude, Cornwall. That seems like quite the vulnerability, but it acknowledges that we have plenty of infrastructure to route around if anything happened to them. There is "no imminent threat to the UK's national connectivity," it soothes.

But it simultaneously cautions against adopting what it describes as "business-as-usual" views in the industry. The government "focuses too much on having 'lots of cables' and pays insufficient attention to the system's actual ability to absorb unexpected shocks," it frets. It warns that "the impacts on connectivity would be much more serious," if onward connections to Europe suffered as part of a coordinated attack.

"While our national connectivity does not face immediate danger, we must prepare for the possibility that our cables can be threatened in the event of a security crisis," it says.

Reds on the sea bed
Who is the most likely to mount such an attack, if anyone? Russia seems front and center, according to experts. It has reportedly been studying the topic for years. Keir Giles, director at The Centre for International Cyber Conflict and senior consulting fellow of the Russia and Eurasia Programme at Chatham House, argues that Russia has a long history of information warfare that stepped up after it annexed Crimea in 2014.

"The thinking part of the Russian military suddenly decided 'actually, this information isolation is the way to go, because it appears to win wars for us without having to fight them'," Giles says, adding that this approach is often combined with choke holds on land-based information sources. Cutting off the population in the target area from any source of information other than what the Russian troops feed them achieves results at low cost.

In a 2021 paper he co-wrote for the NATO Cooperative Cyber Defence Centre of Excellence, he pointed to the Glavnoye upravleniye glubokovodnykh issledovaniy (Main Directorate for Deep-Water Research, or GUGI), a secretive Russian agency responsible for analyzing undersea cables for intelligence or disruption. According to the JCNSS report, this organization operates the Losharik, a titanium-hulled submarine capable of targeting cables at extreme depth.

Shenanigans under the sea
You don't need a fancy submarine to snag a cable, as long as you're prepared to do it in plain sight closer to the coast. The JNCSS report points to several incidents around the UK and the Baltics. November last year saw two incidents. In the first, Chinese-flagged cargo vessel Yi Peng 3 dragged its anchor for 300km and cut two cables between Sweden and Lithuania. That same month, the UK and Irish navies shadowed Yantar, a Russian research ship loitering around UK cable infrastructure in the Irish sea.

The following month saw Cook Islands-flagged ship Eagle S damage one power cable and three data cables linking Finland and Estonia. This May, unaffiliated vessel Jaguar approached an underseas cable off Estonia and was escorted out of the country's waters.

The real problem with brute-force physical damage from vessels is that it's difficult to prove that it's intentional. On one hand, it's perfect for an aggressor's plausible deniability, and could also be a way to test the boundaries of what NATO is willing to tolerate. On the other, it could really be nothing.

"Attribution of sabotage to critical undersea infrastructure is difficult to prove, a situation significantly complicated by the prevalence of under-regulated and illegal shipping activities, sometimes referred to as the shadow fleet," a spokesperson for NATO told us.

"I'd push back on an assertion of a coordinated campaign," says Alan Mauldin, research director at analyst company TeleGeography, which examines undersea cable infrastructure warns. He questions assumptions that the Baltic cable damage was anything other than a SNAFU.

The Washington Post also reported comment from officials on both sides of the Atlantic that the Baltic anchor-dragging was probably accidental. Giles scoffs at that. "Somebody had been working very hard to persuade countries across Europe that this sudden spate of cables being broken in the Baltic Sea, one after another, was all an accident, and they were trying to say that it's possible for ships to drag their anchors without noticing," he says.

One would hope that international governance frameworks could help. The UN Convention on the Law of the Sea [PDF] has a provision against messing with undersea cables, but many states haven't enacted the agreement. In any case, plausible deniability makes things more difficult.

"The main challenge in making meaningful governance reforms to secure submarine cables is figuring out what these could be. Making fishing or anchoring accidents illegal would be disproportionate," says Anniki Mikelsaar, doctoral researcher at Oxford University's Oxford Internet Institute. "As there might be some regulatory friction, regional frameworks could be a meaningful avenue to increase submarine cable security."

The difficulty in pinning down intent hasn't stopped NATO from stepping in. In January it launched Baltic Sentry, an initiative to protect undersea infrastructure in the region. That effort includes frigates, patrol aircraft, and naval drones to keep an eye on what happens both above and below the waves.

Preparing for the worst
Regardless of whether vessels are doing this deliberately or by accident, we have to be prepared for it, especially as cable installation shows no sign of slowing. Increasing bandwidth needs will boost global cable kilometers by 48 percent between now and 2040, says TeleGeography, adding that annual repairs will increase 36 percent between now and 2040.

"Many cable maintenance ships are reaching the end of their design life cycle, so more investment into upgrading the fleets is needed. This is important to make repairs faster," says Mikelsaar.

There are 62 vessels capable of cable maintenance today, and TeleGeography predicts that'll be enough for the next 15 years. However, it takes time to build these vessels and train the operators, meaning that we'll need to start delivering new vessels soon.

The problem for the UK is that it doesn't own any of that repair capacity, says the JNSS. It can take a long time to travel to a cable and repair it, and ships can only work on one at a time. The Committee reported that the UK doesn't own any sovereign repair capacity, and advises that it gets some, prescribing a repair ship by 2030.

"This could be leased to industry on favorable terms during peacetime and made available for Government use in a crisis," it says, adding that the Navy should establish a set of reservists that will be trained and ready to operate the vessel.

Sir Chris Bryant MP, the Minister for Data Protection and Telecoms, told the Committee it that it was being apocalyptic and "over-egging the pudding" by examining the possibility of a co-ordinated attack. "We disagree," the Committee said in the report, arguing that the security situation in the next decade is uncertain.

"Focusing on fishing accidents and low-level sabotage is no longer good enough," the report adds. "The UK faces a strategic vulnerability in the event of hostilities. Publicly signaling tougher defensive preparations is vital, and may reduce the likelihood of adversaries mounting a sabotage effort in the first place."

To that end, it has made a battery of recommendations. These include building the risk of a coordinated campaign against undersea infrastructure into its risk scenarios, and protecting the stations - often in remote coastal locations - where the cables come onto land.

The report also recommends that the Department for Science, Innovation and Technology (DSIT) ensures all lead departments have detailed sector-by-sector technical impact studies addressing widespread cable outages.

"Government works around the clock to ensure our subsea cable infrastructure is resilient and can withstand hostile and non-hostile threats," DSIT told El Reg, adding that when breaks happen, the UK has some of the fastest cable repair times in the world, and there's usually no noticeable disruption."

"Working with NATO and Joint Expeditionary Force allies, we're also ensuring hostile actors cannot operate undetected near UK or NATO waters," it added. "We're deploying new technologies, coordinating patrols, and leading initiatives like Nordic Warden alongside NATO's Baltic Sentry mission to track and counter undersea threats."

Nevertheless, some seem worried. Vili Lehdonvirta, head of the Digital Economic Security Lab (DIESL) and professor of Technology Policy at Aalto University, has noticed increased interest from governments and private sector organizations alike in how much their daily operations depend on oversea connectivity. He says that this likely plays into increased calls for digital sovereignty.

"The rapid increase in data localization laws around the world is partly explained by this desire for increased resilience," he says. "But situating data and workloads physically close as opposed to where it is economically efficient to run them (eg. because of cheaper electricity) comes with an economic cost."

So the good news is that we know exactly how vulnerable our undersea cables are. The bad news is that so does everyone else with a dodgy cargo ship and a good poker face. Sleep tight.

theregister.com • The Register
by Jessica Lyons
Wed 1 Oct 2025 // 19:35 UTC

: Who wouldn't want root access on cluster master nodes?

9.9 out of 10 severity bug in Red Hat's OpenShift AI service could allow a remote attacker with minimal authentication to steal data, disrupt services, and fully hijack the platform.

"A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator," the IBM subsidiary warned in a security alert published earlier this week.

"This allows for the complete compromise of the cluster's confidentiality, integrity, and availability," the alert continues. "The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it."

Red Hat deemed the vulnerability, tracked as CVE-2025-10725, "important" despite its 9.9 CVSS score, which garners a critical-severity rating from the National Vulnerability Database - and basically any other organization that issues CVEs. This, the vendor explained, is because the flaw requires some level of authentication, albeit minimal, for an attacker to jeopardize the hybrid cloud environment.

Users can mitigate the flaw by removing the ClusterRoleBinding that links the kueue-batch-user-role ClusterRole with the system:authenticated group. "The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege," Red Hat added.

Additionally, the vendor suggests not granting broad permissions to system-level groups.

Red Hat didn't immediately respond to The Register's inquiries, including if the CVE has been exploited. We will update this story as soon as we receive any additional information.

Whose role is it anyway?
OpenShift AI is an open platform for building and managing AI applications across hybrid cloud environments.

As noted earlier, it includes a ClusterRole named "kueue-batch-user-role." The security issue here exists because this role is incorrectly bound to the system:authenticated group.

"This grants any authenticated entity, including low-privileged service accounts for user workbenches, the permission to create OpenShift Jobs in any namespace," according to a Bugzilla flaw-tracking report.
One of these low-privileged accounts could abuse this to schedule a malicious job in a privileged namespace, configure it to run with a high-privilege ServiceAccount, exfiltrate that ServiceAccount token, and then "progressively pivot and compromise more powerful accounts, ultimately achieving root access on cluster master nodes and leading to a full cluster takeover," the report said.

"Vulnerabilities offering a path for a low privileged user to fully take over an environment needs to be patched in the form of an incident response cycle, seeking to prove that the environment was not already compromised," Trey Ford, chief strategy and trust officer at crowdsourced security company Bugcrow said in an email to The Register.

In other words: "Assume breach," Ford added.

"The administrators managing OpenShift AI infrastructure need to patch this with a sense of urgency - this is a delightful vulnerability pattern for attackers looking to acquire both access and data," he said. "Security teams must move with a sense of purpose, both verifying that these environments have been patched, then investigating to confirm whether-and-if their clusters have been compromised."

www.theregister.com 2025/08/28/ -
US payments platform back in action, says it's informing affected customers
Shoppers and merchants in Germany found themselves dealing with billions of euros in frozen transactions this week, thanks to an apparent failure in PayPal's fraud-detection systems.

According to the Association of German Banks, the problem hit on Monday when banks noticed a slew of recent unauthorized direct debits from PayPal. The body said the banks responded in various ways, which is one way of putting it – the Süddeutsche Zeitung reported that some stopped all PayPal transactions, with the total number of frozen payments likely to be around €10 billion.

A spokesperson for the German Savings Banks Association (DSGV), which represents hundreds of regional banks across the country, confirmed the issue to The Register. The DSGV said PayPal had assured it the problem was resolved, adding that PayPal payments had been running smoothly since Tuesday morning and the US payments platform was informing affected customers "directly."

The DSGV said the unauthorized payments had a "significant impact on transactions throughout Europe, particularly in Germany." However, there have been no confirmed reports of the incident being felt outside Germany. Austrian media reported that the banks there had seen no problems.

PayPal is the most popular method of online payment in Germany, having been used for 28.5 percent of online purchases last year, according to research by the EHI Retail Institute. (The next most popular option is buying on account.)

That's largely down to PayPal's payment protection, which appeals to privacy-conscious Germans. In the wake of the unauthorized direct debit issue, financial industry consultant Peter Woeste Christensen told local media that PayPal's particular strength in Germany was partly thanks to the poor user experience of German banks' own apps.

PayPal had not responded to The Register's request for comment at the time of publication, although SZ quoted a spokesperson as saying PayPal had quickly identified the cause and was working with banks to "ensure all accounts are updated." The US company referred to the incident as a "temporary service interruption."

PayPal's reputational hit in Germany is likely to be exacerbated by last week's reports of hackers offering millions of PayPal credentials that they claimed PayPal had recently exposed in plaintext. The hackers' claims appear dubious, with PayPal denying any recent breach, but the reports gained significant traction in Germany.

"It's possible that the data is incorrect or outdated," read a Wednesday advisory from the German consumer organization Stiftung Warentest, which bundled the leak report with this week's snafu. "Nonetheless, PayPal users should change their passwords as a precaution."

theregister.com 2025/08/22/ -
: Pro tip: When taking revenge, don't use your real name

A US court sentenced a former developer at power management biz Eaton to four years in prison after he installed malware on the company’s servers.

Davis Lu, 55, spent a dozen years at Eaton and rose to become a senior developer of emerging technology, before the company demoted him after restructuring. Lu unwisely responded to that setback by installing a "kill switch" that would activate if the company revoked his network access.

The package was a Java program that generated increasing numbers of non-terminating threads in an infinite loop that would eventually use enough resources to crash the server.

"The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a US company," said acting assistant Attorney General Matthew Galeotti of the Justice Department’s Criminal Division in an email. "However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions."

Not that he had much technical savvy. Lu labeled his malware IsDLEnabledinAD, for "Is Davis Lu enabled in Active Directory." Furthermore, after developing the software he uploaded it using his corporate credentials – hardly clean OPSEC, to quote the US Defense Secretary.

Eaton terminated Lu’s position on September 9, 2019, and cut off his network access, which caused the Java program to fire up, overloading the network, preventing login access for thousands of Eaton's global staff, and deleting some corporate data.

But when it came time for Lu to turn in his corporate laptop, it turned out he'd been using it to execute his plan. His search history showed he'd been looking up how to delete data, escalate privileges, and conceal process trails. He also deleted a large chunk of encrypted data.
Less than a month after his malware ran, federal agents arrested Lu. He admitted to his crime but still opted for a jury trial. That didn't work out so well for him, and a federal jury in Cleveland found him guilty of intentionally damaging a protected computer. On Thursday he received a four-year sentence and an additional three years of supervised release.

"I am proud of the FBI cyber team’s work which led to today’s sentencing and hope it sends a strong message to others who may consider engaging in similar unlawful activities," said assistant director Brett Leatherman of the FBI’s Cyber Division. "This case also underscores the importance of identifying insider threats early."

As The Register has pointed out time and time again, insiders can cause the most damage with ease. All the fancy firewalls, AI tools, and malware monitoring services won't protect you if the person running them goes rogue.

Eaton had no comment on the sentence.

theregister.com 21.08.2025 - Better late than never after SharePoint assault?
Microsoft has reportedly stopped giving Chinese companies proof-of-concept exploit code for soon-to-be-disclosed vulnerabilities following last month's SharePoint zero-day attacks, which appear to be related to a leak in Redmond's early-bug-notification program.

The software behemoth gives some software vendors early bug disclosures under its Microsoft Active Protections Program (MAPP), which typically delivers info two weeks before Patch Tuesday. MAPP participants sign a non-disclosure agreement, and in exchange get vulnerability details so that they can provide updated protections to customers more quickly.

According to Microsoft spokesperson David Cuddy, who spoke with Bloomberg about changes to the program, MAPP has begun limiting access to companies in "countries where they're required to report vulnerabilities to their governments," including China. Companies in these countries will no longer receive "proof of concept" exploit code, but instead will see "a more general written description" that Microsoft sends at the same time as patches, Cuddy told the news outlet.

Microsoft did not respond to The Register's inquiries.

In late July, China-based crews – including government goons, data thieves, and a ransomware gang – exploited a couple of bugs that allowed them to hijack on-premises SharePoint servers belonging to more than 400 organizations and remotely execute code.

Redmond disclosed the two SharePoint flaws during its July 8 Patch Tuesday event, and a couple weeks later admitted that the software update didn't fully fix the issues. The Windows giant issued working patches on July 21 to address its earlier flawed fixes, but by then the bugs were already under mass exploitation.
This led some to speculate that whomever was exploiting the CVEs knew about them in advance – and also knew how to bypass the original patches.

"A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register in July. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day."

One possible explanation: Someone leaked details from the MAPP update to Beijing.

Childs said ZDI was able to poke holes in the initial patches. China does not lack talented security researchers capable of doing likewise.
At the time, Microsoft declined to answer The Register's specific questions about what role, if any, MAPP played in the SharePoint attacks. "As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly," a Microsoft spokesperson told us in July.

Microsoft today declined to comment on its internal investigation.

Childs today told The Register that the MAPP change "is a positive change, if a bit late. Anything Microsoft can do to help prevent leaks while still offering MAPP guidance is welcome."

"In the past, MAPP leaks were associated with companies out of China, so restricting information from flowing to these companies should help," Childs said. "The MAPP program remains a valuable resource for network defenders. Hopefully, Microsoft can squelch the leaks while sending out the needed information to companies that have proven their ability (and desire) to protect end users."

theregister.com - European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers' data stolen by way of a break-in at a third party org.

The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data.

"Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.

"No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen."

The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.

However, customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.

KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively.

The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity.

"We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you."

The Register approached the companies for additional information but they did not comment beyond the public statement.

The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.

In recent weeks, luxury retailers Dior, Chanel, and Pandora all reported similar leaks at third party providers, as did Google, Qantas, and Allianz.

All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.

None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on Snowflake customers.

Scattered Spider also changed its focus toward airlines earlier this year, and some researchers said it could be behind the attack on Hawaiian Airlines in June.

Check Point said last month that the attacks on Qantas and WestJet, which all occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly due to the tradecraft that led to the intrusions.

theregister.com - A week after Microsoft told the world that its July software updates didn't fully fix a couple of bugs, which allowed miscreants to take over on-premises SharePoint servers and remotely execute code, researchers have assembled much of the puzzle — with one big missing piece.

How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day?

"A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day."

Countdown to mass exploitation
It all began back in May, on stage at the Pwn2Own competition.

Pwn2Own is the hackers' equivalent of the World Series, and ZDI usually hosts these competitions twice a year.

The most recent contest occurred in Berlin, beginning May 15. On day 2 of the event, Vietnamese researcher Dinh Ho Anh Khoa combined an auth bypass and an insecure deserialization bug to exploit Microsoft SharePoint and win $100,000.

"What happens on the stage is just one part of Pwn2Own," Childs said.

After demonstrating a successful exploit, the bug hunter and vendor are whisked away into a private room where the researcher explains what they did and provides the technology company with a full write-up of the exploit. Assuming it's not a duplicate or already known vulnerability, the vendor then has 90 days to issue a fix before the bug and exploit are made public.

"So Microsoft received the working exploit in a white paper describing everything on that day," Childs said.

Less than two months later, on July 8, the software giant disclosed the two CVEs – CVE-2025-49704, which allows unauthenticated remote code execution, and CVE-2025-49706, a spoofing bug – and released software updates intended to patch the flaws. But mass exploitation had already started the day before, on July 7.

"Sixty days to fix really isn't a bad timeline for a bug that stays private and stays under coordinated disclosure rules," Childs said. "What is bad: a leak happened."

There's another key date that may shed light on when that leak happened.

Patch Tuesday happens the second Tuesday of every month – in July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP).

These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster.

"The first MAPP drop occurs at what we call r minus 14, which is two weeks ahead of the [Patch Tuesday] release," Childs said – that is, beginning on June 24. "Then, on July 7, we started to see attacks. July 8, the patches were out and were almost immediately bypassed."

ZDI, along with other security providers, poked holes in the initial patches and determined that the authentication bypass piece was too narrow, and attackers could easily bypass this fix. In fact, anyone who received the early MAPP information about the CVEs and software updates "would be able to tell that this is an easy way to get past it," Childs said.

On July 18, Eye Security first sounded the alarm on "large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain in the wild."

A day later, Microsoft warned SharePoint server users that three on-prem versions of the product included a zero-day flaw that was under attack – and that its own failure to completely patch the holes was to blame.

By July 21, Redmond had issued software updates for all three versions. But by then, more than 400 organizations had been compromised by at least two Chinese state-sponsored crews, Linen Typhoon and Violet Typhoon, plus a gang Microsoft tracks as Storm-2603, which was abusing the vulnerabilities to deploy ransomware.

Microsoft declined to answer The Register's specific questions for this story. "As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly," a Microsoft spokesperson said in an emailed statement.

One researcher suggests a leak may not have been the only pathway to exploit. "Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation," Tenable Research Special Operations team senior engineer Satnam Narang told The Register.

"It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild," Narang added.

theregister.com - Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin

Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers.

The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.

Talking on June 18 before a Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, along with Pierre Lagarde, technical director of the public sector, were quizzed by local politicians.

Asked of any technical or legal mechanisms that could prevent this access under the Cloud Act, Carniaux said it had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded."

"We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded."

He said that Microsoft asks the US administration to redirect it to the client.

"When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined."

Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."

theregister.com - Exclusive Aviation insiders say Serbia's national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling.

Internal memos, seen by The Register, dated July 10 told staff: "Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips.

"The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses."

Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable.

HR warned staff earlier in the day against opening emails that appeared to be related to payslips, or those that mention the staff members' first and last names "as if you sent them to yourself."

"We also kindly ask that you act responsibly given the current situation."

According to other internal comms seen by The Register, Air Serbia's IT team began emailing staff warning them that it was facing a cyberattack on July 4.

"Our company is currently facing cyberattacks, which may lead to temporary disruptions in business processes," they read.

"We kindly ask all managers to promptly create a work plan adapted to the changed circumstances, in accordance with the Business Continuity Plan, and to communicate it to their teams as soon as possible."

The same email communication chain mentioned the company's IT and security manager issuing a staff-wide password reset and installing security-scanning software on their machines on July 7.

All service accounts were killed at this point, which affected several automated processes, and datacenters were added to a demilitarized zone, which led to issues with users not being able to sync their passwords.

Additionally, internet access was removed for all endpoints, leaving only a certain few whitelisted pages under the airserbia.com domain available.

IT also installed a new VPN client "due to identified security vulnerabilities."

"We kindly ask you to take this situation seriously and fully cooperate with the IT team," the memo reads. "Please allow them to install the necessary software as efficiently as possible and carefully follow any further instructions they provide."

Two days after this, another wave of password resets came, the source said. Instead of allowing users to choose their own, the replacements followed a template from the sysadmins.

On July 11, IT issued a third wave of password resets, and staff were asked to leave their PCs locked but open before heading home for the weekend, so the IT team could continue working on them.

A source familiar with the matter, who spoke to The Register on condition of anonymity, said Air Serbia is trying to clean up a cyberattack that led to a deep compromise of its Active Directory.

As of July 14, the source claimed the airline's blue team has not fully eradicated the attackers' access to the company network and is not sure when the attackers broke in, due to a lack of security logs, although it is thought to be in the first few days of July.

The attack at the company, which is government-owned, is likely to have led to personal data compromise, the insider suspects, and some staff expressed concern that the company might not publicly disclose the intrusion.