mercurynews.com
By Ethan Baron |
‘Top Secret’ files among those allegedly misappropriated by software engineer losing job at Santa Clara chip giant Intel
At first the software engineer did not succeed in making off with a trove of Santa Clara computer chip giant Intel’s trade secrets, but then he tried again.
Jinfeng Luo, at Intel since 2014, had been told July 7 his job at the company would be terminated, effective July 31, according to a lawsuit Intel filed against him Friday.
Eight days before his employment was to end, Luo allegedly hooked up an external hard drive to his Intel laptop, but when he tried to download a file, the company’s internal controls blocked the transfer, the lawsuit claimed.
Five days later, the lawsuit alleged, Luo deployed a different technology, a more sophisticated gadget that resembles a small computer server, called a network storage device.
Over the next three days, Luo downloaded nearly 18,000 files, including some labeled “Intel Top Secret,” the lawsuit in Washington State court said.
It was unclear Wednesday if Luo had a lawyer representing him in the case, and he could not immediately be reached for comment.
Intel, accusing Luo of breaking federal and state trade-secrets laws, is seeking at least $250,000 in compensation from him. The company also wants a court order forcing Luo to hand over his personal electronic devices for inspection, and requiring him to give the company its allegedly misappropriated confidential information.
The Santa Clara chip maker, outshone in the public eye by its consumer-facing Silicon Valley neighbors Google, Apple and Facebook — received a turn in the national spotlight over the summer when President Donald Trump announced that the federal government — using previously issued but mostly unpaid grants and funding pledges — was taking a 10% stake in the company.
The lawsuit did not make clear why Luo, of Seattle, was terminated from his job. Intel said in a June regulatory filing that it planned to slash its workforce by 15% this year.
Intel detected Luo’s alleged data transfers and launched an investigation, the lawsuit said.
For almost three months, the company tried to reach Luo — a rundown of Intel’s efforts to contact him takes up two pages of the 14-page lawsuit — but he never responded to the phone calls, emails and letters, the lawsuit claimed.
“Luo has refused to even engage with Intel,” the lawsuit claimed, “let alone return the files.”
www.politico.com
Katherine Tully-McManus
11/10/2025, 2:01pm ET
Library of Congress employees were informed to take caution when emailing the office of the congressional scorekeeper.
A cybersecurity breach discovered last week affecting the Congressional Budget Office is now considered “ongoing,” threatening both incoming and outgoing correspondence around Congress’ nonpartisan scorekeeper.
Employees at the Library of Congress were warned in a Monday email, obtained by POLITICO, that the CBO cybersecurity incident is “affecting its email communications” and that library staff should take a range of measures to protect themselves.
Library of Congress workers also were told to restrict their communication with the nonpartisan agency tasked with providing economic and budgetary information to lawmakers.
“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email reads.
“Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message,” the note continues.
Congressional staff are in regular communication with CBO regarding scores of legislation and cost estimates the agency prepares for bills in both the House and Senate.
There was no immediate information Monday about the broader implications that a legislative branch office was continuing to experience cybersecurity vulnerabilities.
A CBO spokesperson said last week that officials had taken “immediate action to contain” the breach as officials investigate the incident.
When asked for comment Monday about ongoing issues, the CBO spokesperson referred to the prior statement.
gbhackers.com
By Divya
November 3, 2025
A severe unauthenticated Remote Code Execution vulnerability in Ubiquiti's UniFi OS that earned a substantial $25,000 bug bounty reward.
Security researchers have uncovered a severe unauthenticated Remote Code Execution vulnerability in Ubiquiti’s UniFi OS that earned a substantial $25,000 bug bounty reward.
Tracked as CVE-2025-52665, this critical flaw allows attackers to gain complete control of UniFi devices without requiring any credentials or user interaction, posing significant risks to organizations using UniFi Dream Machine routers and access control systems.
Misconfigured API Exposes Critical Attack Surface
The vulnerability originated from a misconfigured backup API endpoint at /api/ucore/backup/export that was designed to operate only on the local loopback interface.
However, researchers discovered the endpoint was externally accessible through port 9780, bypassing intended security restrictions.
The flaw stems from improper input validation on the dir parameter, which the backup orchestration system passes directly to shell commands without sanitization or escaping.
When researchers analyzed the UniFi Core service code, they found that the backup operation chains multiple shell commands including mktemp, chmod, and tar that directly interpolate the user-supplied directory path.
This design pattern created a perfect opportunity for command injection attacks, as metacharacters in the input would be interpreted as new shell commands rather than literal path components.
Researchers successfully exploited the vulnerability by crafting a malicious JSON payload that terminated the intended command and injected arbitrary code.
The attack required sending a POST request to the exposed endpoint with a specially formatted dir parameter containing command injection sequences.
By using semicolons to separate commands and hash symbols to comment out remaining shell syntax, attackers could execute arbitrary commands with full system privileges.
The researchers demonstrated the severity by exfiltrating the /etc/passwd file and establishing a reverse shell connection, proving complete interactive access to the compromised device.
Beyond basic system access, the vulnerability provided direct entry into UniFi Access components, granting attackers control over physical door systems and NFC credential management infrastructure.
The investigation revealed multiple unauthenticated API endpoints beyond the primary RCE vulnerability.
Researchers found that /api/v1/user_assets/nfc accepted POST requests to provision new credentials without authentication, while /api/v1/user_assets/touch_pass/keys exposed sensitive credential material including Apple NFC keys and Google Pass authentication data containing PEM-formatted private keys.
These additional exposures compound the security impact, allowing attackers to manipulate access control systems and steal cryptographic credentials that protect mobile and NFC-based authentication mechanisms.
bleepingcomputer.com
By Bill Toulas
November 12, 2025
An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.
Although the vendor needed a longer period to confirm that the flaw was leveraged in attacks, despite multiple third-party reports claiming it was used in attacks, exploits became available in early July, and CISA tagged it as exploited.
The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.
In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.
The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.
It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.
The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.
Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.
It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and limit access to edge network devices through firewalls and layering.
| TechCrunch
techcrunch.com
Zack Whittaker
4:47 AM PST · November 12, 2025
Australia's intelligence chief warned that Chinese hackers are trying to break into its networks, sometimes successfully, to "pre-position" for sabotage ahead of an anticipated invasion of Taiwan.
Australia’s intelligence head Mike Burgess has warned that China-backed hackers are “probing” the country’s critical infrastructure, and in some cases have gained access.
Burgess, who heads the country’s main intelligence agency, the Australian Security Intelligence Organisation, said that at least two China government-backed hacking groups are pre-positioning for sabotage and espionage.
The comments, made during a conference speech in Melbourne on Wednesday, echo similar remarks by the U.S. government, which has warned that the ongoing hacking campaigns may pose risks of economic and societal disruption.
According to Burgess, a hacker group known as Volt Typhoon is trying to break into critical infrastructure networks such as power, water, and transportation systems. Burgess warned that successful hacks could affect energy and water supplies, and cause widespread outages.
The U.S. has previously said that the Chinese hackers have spent years planting malware on critical infrastructure systems that are capable of causing disruptive cyberattacks when activated. U.S. officials said that Volt Typhoon’s goals are to hamper the U.S.’ response to China’s anticipated future invasion of Taiwan.
“I do not think we — and I mean all of us — truly appreciate how disruptive, how devastating, this could be,” said Burgess, speaking about the threat. He said that once the hackers have access, what happens next is a “matter of intent, not capability.”
Burgess also warned that another China-backed hacking group dubbed Salt Typhoon, known for hacking into the networks of phone and internet companies to steal call records and other sensitive data, was also targeting the country’s telecoms infrastructure.
Salt Typhoon has hacked more than 200 phone and internet companies, according to the FBI, including AT&T, Verizon and Lumen, along with several other cloud and data center providers. The hacks prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps to avoid having their calls and text messages accessed by the hackers.
The Canadian government also confirmed earlier this year that its telcos were breached as part of China-linked attacks.
China has long denied the hacking allegations.
forbes.com
By Lars Daniel
Nov 10, 2025
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses.
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses. The breach, which occurred in February but is only now being disclosed, represents the automotive giant's third major security incident in as many years.
How the Breach Happened
Think of Hyundai AutoEver America, or HAEA, as the digital nervous system for Hyundai, Kia and Genesis operations in North America. This California-based company manages everything from the software that enables remote car features to the computer systems dealerships use to process your purchase.
Between February 22 and March 2 of this year, hackers broke into these systems and roamed freely for nine days before being detected. That’s like a burglar having unsupervised access to a bank vault for over a week. Plenty of time to identify and steal important data.
The company discovered the intrusion on March 1st and says it immediately kicked the attackers out and brought in cybersecurity forensics teams. But the investigation took months, and notification letters are now being sent out to those confirmed to be affected: more than seven months after the attack ended.
What Information Was Stolen
The exposed data includes:
Hyundai AutoEver hasn’t said exactly how many people were affected, but regulatory filings show the breach reached multiple states. The upper limit is potentially massive: HAEA’s systems connect to 2.7 million vehicles across North America.
To put that in perspective, that’s roughly the entire population of Chicago potentially at risk. However, only individuals confirmed to be affected will receive notification letters.
This Keeps Happening to Hyundai
This isn’t Hyundai's first rodeo with hackers.
In early 2024, the Black Basta ransomware gang hit Hyundai Motor Europe, claiming to steal 3 terabytes of data, equivalent to about 750,000 digital photos or five hundred hours of high-definition video. That attack exposed everything from HR records to legal documents across multiple departments.
Before that, in 2023, breaches at Hyundai's Italian and French operations leaked customer email addresses, home addresses, and vehicle identification numbers.
Security researchers have also found serious vulnerabilities in Hyundai and Kia’s smartphone apps that could let hackers remotely control vehicles.
The Modern Car Is a Computer on Wheels
Here's what makes automotive breaches particularly concerning: Your car isn't just transportation anymore. It's a rolling data center.
Modern vehicles collect and transmit information constantly:
Where you drive and when
Your home and work addresses
How fast you accelerate and brake
When you service your vehicle
Your purchase and financing details
When hackers breach the IT provider managing this digital ecosystem, they don’t just get your Social Security number. They potentially access a comprehensive profile of your life and habits. It’s like the difference between someone stealing your wallet versus breaking into your phone. The phone contains exponentially more information about you.
What You Should Do Right Now
If you own or lease a Hyundai, Kia, or Genesis vehicle:
Immediate Actions:
Check your credit reports for unauthorized accounts or inquiries. You can get free reports at AnnualCreditReport.com
Monitor bank and credit card statements weekly for suspicious charges
Enable transaction alerts on your financial accounts
If You Receive a Notification Letter:
Enroll in the free credit monitoring within 90 days using the unique code provided
The service runs for two years and monitors all three credit bureaus
Call the dedicated hotline at 855-720-3727 with questions
For Everyone, Breached or Not:
Consider a credit freeze with Equifax, Experian and TransUnion. This prevents identity thieves from opening new accounts in your name
Enable fraud alerts which require creditors to verify your identity before issuing credit
Watch for phishing scams exploiting breach news. Hyundai will never ask for your Social Security number or payment information via email
The Uncomfortable Truth About Data Breaches
Data breaches have become depressingly routine. In 2024 alone, major incidents hit healthcare providers, retailers, financial institutions, and now automotive companies joining the list with alarming frequency.
But there's something particularly unsettling about automotive breaches. You chose your bank and can switch it. You chose your doctor and can change providers. But if you bought a Hyundai three years ago, you're stuck with their security practices until you sell the vehicle. Your data sits in their systems whether you like it or not.
And unlike a credit card breach where the bank typically covers fraudulent charges, identity theft involving Social Security numbers can create problems that take years to resolve. Victims may discover the theft only when they're denied a loan, receive bills for services they never used, or have their tax returns rejected because someone else already filed using their information.
What Hyundai Is Saying
In its breach notification, Hyundai AutoEver stated: "We regret that this incident occurred and take the security of personal information seriously."
The company says it’s investing in "additional security enhancements designed to mitigate future risk." But given this is the third major breach in three years across Hyundai Motor Group entities, many cybersecurity experts argue the company needs more than enhancements: it needs a fundamental security overhaul.
The automotive industry finds itself caught between competing pressures. Customers want connected features: remote start from their phone, navigation that predicts traffic, software updates that add new capabilities. These features require extensive data collection and cloud connectivity.
But every connection creates a potential vulnerability. Every database becomes a target. And when IT providers centralize services for millions of vehicles, they become high-value targets offering hackers a massive potential payoff from a single breach.
The challenge for automakers isn’t just fixing the specific vulnerabilities that enabled this breach. It’s fundamentally rethinking how they secure the growing mountain of customer data their business models now require.
bleepingcomputer.com
By Lawrence Abrams
November 11, 2025
The Rhadamanthys infostealer operation has been disrupted, with numerous
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.
According to cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.
Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.
"I confirm that guests have visited my server and the password has been deleted.rootServer login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the "smart panel" were hit hard," wrote another subscriber.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.
Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, and the AVCheck site, SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.
BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.
