The EU Commission has announced that it will "immediately" stop funding individuals or organizations involved in "serious professional misconduct." This follows an investigation by Follow the Money (FtM) which revealed that EU funds amounting to millions of euros have been directly channeled to commercial spyware firms in recent years.
In September, the FtM portal, in collaboration with other media partners, uncovered that the spyware industry is receiving substantial subsidies from the EU while simultaneously surveilling its citizens. According to the report, the Intellexa Group, which developed the Predator state trojan, has, through affiliated companies, secured public funding, particularly through innovation programs. Cognyte, CyGate, and Verint are also reported to have received financial support from EU sources for their surveillance technologies, such as spyware, whose solutions are frequently mentioned in the context of human rights violations.
In response, 39 EU parliamentarians from four political groups have jointly requested concrete answers from the Commission in a letter. The representatives lamented that the EU is, apparently unintentionally, funding instruments that have been or are being used for repressive purposes in member states like Poland, Greece, and Hungary, as well as in authoritarian third countries. This, they argue, undermines fundamental rights and democracy.
According to the letter, the Commission has apparently failed to verify the trustworthiness, ownership structure, and human rights compliance of these companies. The requested end-user clauses or dual-use controls, which assess whether a product can be misused for civilian, military, and police purposes, are apparently not being effectively enforced. The revelations indicate that the Brussels-based governing institution is not sufficiently adhering to recommendations from the parliamentary inquiry committee on spyware scandals in this highly sensitive area.
Commission Stands By
In its statement, according to an FtM newsletter, the Commission explains that law enforcement agencies and intelligence services may "lawfully use spyware for legitimate purposes." However, it fails to list all EU programs from which surveillance companies have benefited. Specifically, information regarding grants from the European Social Fund and another financial pot awarded to the Italian surveillance company Area is missing.
The executive body also fails to mention financial flows to the notorious spyware manufacturer Hacking Team, the report continues. Even recent transfers from the European Investment Fund (EIF) to the Israeli spyware company Paragon Solutions, which is currently at the center of a scandal in Italy, remain unmentioned. Instead of proposing new protective measures, the Commission merely refers to the existing legal framework for protection against the illegal use of spyware.
The EU executive is "hiding behind vague references to 'EU values'," criticizes Aljosa Ajanovic Andelic from the initiative European Digital Rights (EDRi) regarding the response to FtM. It openly admits that "European funds have financed companies whose technologies are used for espionage against journalists and human rights defenders." This, he states, demonstrates a complete lack of effective control mechanisms. Green Party MEP Hannah Neumann criticizes that the Commission has taken hardly any action in the past two years following the committee's report.
| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
9:35 AM PST · November 6, 2025
WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.
Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.
On Thursday, Nicodemo said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”
“It is time to ask a very simple question: Why? Why me? How is it possible that such a sophisticated and complex tool was used to spy on a private citizen, as if he were a drug trafficker or a subversive threat to the country?” Nicodemo wrote. “I have nothing more to say. Others must speak. Others must explain what happened.”
Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.
The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians.
Governments and spyware makers have long claimed that their surveillance products are used against serious criminals and terrorists, but these recent cases show that this isn’t always true.
“The Italian government has given some spyware targets clarity and explained the cases. But others remain troublingly unclear,” said John Scott-Railton, a senior researcher at The Citizen Lab, who has for years investigated spyware companies and their abuses, including some involving the use of Paragon spyware.
“None of this looks good for Paragon, or for Italy. That’s why clarity from the Italian government is so essential. I believe that if they wanted to, Paragon could give everybody a lot more clarity on what’s going on. Until they do, these cases are going to remain a weight around their neck,” said Scott-Railton, who confirmed that Nicodemo received the notification from WhatsApp.
Natale De Gregorio, who works with Nicodemo at their public relations firm Lievito Consulting, told TechCrunch in an email that Nicodemo did not want to comment beyond what he told Fanpage and his public Facebook post.
At this point, it’s unclear who among Paragon customers targeted Nicodemo, but an Italian parliamentary committee confirmed in June that some of the victims in Italy were targeted by Italian intelligence agencies, which are under the purview of right-wing prime minister Giorgia Meloni.
A spokesperson for the Italian prime minister’s office did not respond to a request for comment from TechCrunch.
Jennifer Iras, the vice president of marketing for REDLattice, a cybersecurity company that has merged with Paragon after the Israeli spyware maker was acquired by U.S. private equity giant AE Industrial, also did not respond to a request for comment.
In February, following the revelations of the first wave of victims in Italy, Paragon cut ties with its government customers in Italy, specifically the intelligence agencies AISE and AISI.
Later in June, the Italian Parliamentary Committee for the Security of the Republic, known as COPASIR, concluded that some of the Paragon spyware victims that had been identified publicly, namely the immigration activists, were lawfully hacked by Italian intelligence services.
COPASIR, however, said there was no evidence that Francesco Cancellato, the director of Fanpage.it, an Italian news website that has investigated the youth wing of the far-right ruling party in Italy, led by Meloni, had been targeted by either of Italy’s intelligence agencies, the AISI and AISE.
COPASIR also did not investigate the case of Cancellato’s colleague Ciro Pellegrino.
Paragon, which told TechCrunch that the U.S. government is one of its customers, has an active contract with U.S. Immigration and Customs Enforcement.
| RTS Radio Télévision Suisse
08.11.2025
La Suisse prise en étau dans une guerre avec des dommages catastrophiques. Des cyberattaques massives contre les infrastructures ferroviaires et hospitalières. C'est le scénario imaginé par la Confédération pour un exercice de sécurité nationale mené sur deux jours.
Cet exercice de simulation de cyberattaques, d'ampleur inédite et gardé secret, s'est achevé vendredi soir et visait à évaluer la capacité du pays à résister à des menaces hybrides.
Toutes les couches politiques ont été concernées: le Conseil fédéral, le Parlement, les 26 cantons et 5 villes ont ainsi participé. C'est la première fois que la collaboration de crise est testée avec les cantons mais aussi des organisations scientifiques, la Migros, les CFF et plusieurs hôpitaux, avec un scénario jugé plausible face à la menace de cyberattaques en Suisse.
Capacité de coordination
Par exemple dans le canton de Vaud, le scénario imaginait un blackout à la Vallée de Joux ou la maternité du CHUV évacuée.
Toutes ces catastrophes existaient uniquement sur le papier, sans impact pour la population, avec un objectif: tester la capacité de coordination pour prendre des décisions d'urgence malgré le millefeuille fédéral.
La Chancellerie reconnaît que le fédéralisme a pu freiner la prise de certaines décisions. Mais le résultat est jugé globalement positif selon un bilan intermédiaire de la Confédération, avec un exercice mené à terme et des participants qui se sont tous pris au jeu.
L'évaluation complète seront rendus dans le courant du premier semestre 2026.
Le groupe informatique fait partie de la dizaine d’entreprises ciblées par les hackers de Clop, qui imposent un ultimatum de vingt-quatre heures.
Le groupe de hackers russe Clop a donné un ultimatum de vingt-quatre heures à Logitech.
Contacté ce vendredi en début d’après-midi, le siège du groupe à Lausanne «ne souhaite pas faire de commentaire à ce stade».
L’attaque vise une dizaine de grandes entreprises et institutions, dont le «Washington Post».
Le fabricant de périphériques informatiques Logitech figure parmi les cibles d’une vaste offensive perpétrée par le groupe de hackers Clop. Ce dernier en a fait l’annonce vendredi matin sur le dark web. Et indique avoir imposé un ultimatum de vingt-quatre heures au groupe helvético-américain, fondé en 1981 à Lausanne. En clair, ce dernier est sommé de payer une rançon, s’il ne veut pas voir les masses de données subtilisées sur ses serveurs disséminées sur le web.
Ces trois derniers jours, le groupe cybercriminel a mentionné une dizaine d’autres entreprises victimes de cette attaque. Mais également des institutions comme l’Université de Harvard ou le «Washington Post».
«Pas de commentaire» de Logitech
Contacté ce vendredi en début d’après-midi, le siège européen de Logitech indique qu’il «ne souhaite pas faire de commentaire à ce stade» sur cette offensive visant son système informatique.
«Attendons vingt-quatre heures pour voir de quoi il en retourne, Clop est l’un des acteurs les plus en vue de ces détournements de données et ils n’ont vraiment pas l’habitude de bluffer», réagit un fin connaisseur du dark web. «Peut-être Logitech essaie-t-il de gagner du temps, afin de négocier pour éviter que des masses de documents confidentiels ne soient rendus publics», s’interroge ce dernier.
La surveillance régulière de telles opérations a permis à cet expert de retrouver, depuis le début de l’année, des données volées provenant d’une quarantaine de sociétés suisses. Il s’agit avant tout de celles ayant refusé de payer face au chantage. «Au départ, elles étaient environ trois fois plus nombreuses à être désignées comme cibles, ce qui semble indiquer que près des deux tiers finissent malheureusement par payer», estime ce dernier.
Une brèche dans un logiciel mène à la cyberattaque
Selon les spécialistes, la vaste attaque des derniers jours aurait été perpétrée en utilisant la même «brèche» dans un logiciel professionnel Oracle. Après la revendication de Clop, le «Washington Post» a confirmé jeudi, sur Reuters, être victime d’une cyberattaque liée à une faille dans sa plateforme Oracle E-Business Suite (EBS).
Selon le site spécialisé TechNadu, ce logiciel est utilisé par les grandes entreprises pour «gérer leurs opérations commerciales critiques, la logistique, la production ou la gestion de la relation client». Les équipes de Google estimaient le mois dernier que cette campagne a visé une centaine d’entreprises dans le monde.
Souvent identifié par le pseudo Cl0p^_-Leaks, le groupe de «ransomware» russophone, un des plus anciens en activité, a été identifié en 2019. Il est spécialisé dans le racket de grandes sociétés – celles ayant le plus de moyens pour payer.
reuters.com
By Raphael Satter and A.J. Vicens
November 7, 20254:21 PM GMT+1Updated 22 hours ago
The Washington Post said it is among victims of a sweeping cyber breach tied to Oracle (ORCL.N), opens new tab software.
In a statement released on Thursday, the newspaper said it was one of those impacted "by the breach of the Oracle E-Business Suite platform."
The paper did not provide further detail, but its statement comes after CL0P, the notorious ransomware group, said on its website that the Washington Post was among its victims. CL0P did not return messages seeking comment. Oracle pointed Reuters to a pair of security, opens new tab advisories, opens new tab issued last month.
Ransom-seeking hackers typically publicize their victims in an effort to shame them into making extortion payments, and CL0P are among the world's most prolific. The hacking squad is alleged to be at the center of a sweeping cybercriminal campaign targeting Oracle's E-Business Suite of applications, which Oracle clients use to manage customers, suppliers, manufacturing, logistics, and other business processes.
Google said last month that there were likely to be more than 100 companies affected by the intrusions.
| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
8:36 AM PST · November 7, 2025
The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more than a year.
The U.S. Congressional Budget Office has confirmed it was hacked.
Caitlin Emma, a spokesperson for CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”
CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.
On Thursday, The Washington Post, which first revealed the breach, reported that unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are worried that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.
Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between CBO and the offices could have been compromised and used to craft and send phishing attacks.
It’s unclear how the hackers gained access to the CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited the CBO’s outdated Cisco firewall to break into the agency’s network.
Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the CBO’s firewall was allegedly vulnerable to a series of newly discovered security bugs, which were being exploited by suspected Chinese government-backed hackers.
Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown took effect on October 1.
On Thursday, Beaumont said that the firewall is now offline.
The CBO’s spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.
bleepingcomputer.com
By Sergiu Gatlan
November 7, 2025
Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.
The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.
When chained, these vulnerabilities allow remote, unauthenticated attackers to gain complete control over unpatched systems.
The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.
Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.
Now exploited in DoS attacks
"Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes," a Cisco spokesperson told BleepingComputer this week.
"On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions."
CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.
On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it didn't directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was "not aware of any public announcements or malicious use of the vulnerability."
Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.
More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).
"We strongly recommend all customers upgrade to the software fixes outlined in our security advisories," Cisco added on Thursday.
