cetas.turing.ac.uk/ Research Report
As AI increasingly shapes the global economic and security landscape, China’s ambitions for global AI dominance are coming into focus. This CETaS Research Report, co-authored with Adarga and the International Institute for Strategic Studies, explores the mechanisms through which China is strengthening its domestic AI ecosystem and influencing international AI policy discourse. The state, industry and academia all play a part in the process, with China’s various regulatory interventions and AI security research trajectories linked to government priorities. The country’s AI security governance is iterative and is rapidly evolving: it has moved from having almost no AI-specific regulations to developing a layered framework of laws, guidelines and standards in just five years. In this context, the report synthesises open-source research and millions of English- and Chinese-language data points to understand China’s strategic position in global AI competition and its approach to AI security.
This CETaS Research Report, co-authored with the International Institute for Strategic Studies (IISS) and Adarga, examines China’s evolving AI ecosystem. It seeks to understand how interactions between the state, the private sector and academia are shaping the country’s strategic position in global AI competition and its approach to AI security. The report is a synthesis of open-source research conducted by IISS and Adarga, leveraging millions of English- and Chinese-language data points.
Key Judgements
China’s political leadership views AI as one of several technologies that will enable the country to achieve global strategic dominance. This aligns closely with President Xi’s long-term strategy of leveraging technological revolutions to establish geopolitical strength. China has pursued AI leadership through a blend of state intervention and robust private-sector innovation. This nuanced approach challenges narratives of total government control, demonstrating significant autonomy and flexibility within China’s AI ecosystem. Notably, the development and launch of the DeepSeek-R1 model underscored China's ability to overcome significant economic barriers and technological restrictions, and almost certainly caught China’s political leadership by surprise – along with Western chip companies.
While the Chinese government retains ultimate control of the most strategically significant AI policy decisions, it is an oversimplification to describe this model as entirely centrally controlled. Regional authorities also play significant roles, leading to a decentralised landscape featuring multiple hubs and intense private sector competition, which gives rise to new competitors such as DeepSeek. In the coming years, the Chinese government will almost certainly increase its influence over AI development through closer collaboration with industry and academia. This will include shaping regulation, developing technical standards and providing preferential access to funding and resources.
China's AI regulatory model has evolved incrementally, but evidence suggests the country is moving towards more coherent AI legislation. AI governance responsibilities in China remain dispersed across multiple organisations. However, since February 2025, the China AI Safety and Development Association (CnAISDA) has become what China describes as its counterpart to the AI Security Institute. This organisation consolidates several existing institutions but does not appear to carry out independent AI testing and evaluation.
The Chinese government has integrated wider political and social priorities into AI governance frameworks, emphasising what it describes as “controllable AI” – a concept interpreted uniquely within the Chinese context. These broader priorities directly shape China’s technical and regulatory approaches to AI security. Compared to international competitors, China’s AI security policy places particular emphasis on the early stages of AI model development through stringent controls on pre-training data and onerous registration requirements. Close data sharing between the Chinese government and domestic AI champions, such as Alibaba’s City Brain, facilitates rapid innovation but would almost certainly encounter privacy and surveillance concerns if attempted elsewhere.
The geographical distribution of China's AI ecosystem reveals the strategic clustering of resources, talent and institutions. Cities such as Beijing, Hangzhou and Shenzhen have developed unique ecosystems that attract significant investments and foster innovation through supportive local policies, including subsidies, incentives and strategic infrastructure development. This regional specialisation emerged from long-standing Chinese industrial policy rather than short-term incentives.
China has achieved significant improvements in domestic AI education. It is further strengthening its domestic AI talent pool as top-tier AI researchers increasingly choose to remain in or return to China, due to increasingly attractive career opportunities within China and escalating geopolitical tensions between China and the US. Chinese institutions have significantly expanded domestic talent pools, particularly through highly selective undergraduate and postgraduate programmes. These efforts have substantially reduced dependence on international expertise, although many key executives and researchers continue to benefit from an international education.
Senior scientists hold considerable influence over China’s AI policymaking process, frequently serving on government advisory panels. This stands in contrast to the US, where corporate tech executives tend to have greater influence over AI policy decisions.
Government support provides substantial benefits to China-based tech companies. China’s government actively steers AI development, while the US lets the private sector lead (with the government in a supporting role) and the EU emphasises regulating outcomes and funding research for the public good. This means that China’s AI ventures often have easier access to capital and support for riskier projects, while a tightly controlled information environment mitigates against reputational risk.
US export controls have had a limited impact on China’s AI development. Although export controls have achieved some intended effects, they have also inadvertently stimulated innovation within certain sectors, forcing companies to do more with less and resulting in more efficient models that may even outperform their Western counterparts. Chinese AI companies such as SenseTime and DeepSeek continue to thrive despite their limited access to advanced US semiconductors.
www.scmp.com - Heightened US chip export controls have prompted Chinese AI and chip companies to collaborate.
Chinese chipmaker Sophgo has adapted its compute card to power DeepSeek’s reasoning model, underscoring growing efforts by local firms to develop home-grown artificial intelligence (AI) infrastructure and reduce dependence on foreign chips amid tightening US export controls.
Sophgo’s SC11 FP300 compute card successfully passed verification, showing stable and effective performance in executing the reasoning tasks of DeepSeek’s R1 model in tests conducted by the China Telecommunication Technology Labs (CTTL), the company said in a statement on Monday.
A compute card is a compact module that integrates a processor, memory and other essential components needed for computing tasks, often used in applications like AI.
CTTL is a research laboratory under the China Academy of Information and Communications Technology, an organisation affiliated with the Ministry of Industry and Information Technology.
The Irish Data Privacy Commission announced that TikTok is facing a new European Union privacy investigation into user data sent to China.
TikTok is facing a fresh European Union privacy investigation into user data sent to China, regulators said Thursday.
The Data Protection Commission opened the inquiry as a follow up to a previous investigation that ended earlier this year with a 530 million euro ($620 million) fine after it found the video sharing app put users at risk of spying by allowing remote access their data from China.
The Irish national watchdog serves as TikTok’s lead data privacy regulator in the 27-nation EU because the company’s European headquarters is based in Dublin.
During an earlier investigation, TikTok initially told the regulator it didn’t store European user data in China, and that data was only accessed remotely by staff in China. However, it later backtracked and said that some data had in fact been stored on Chinese servers. The watchdog responded at the time by saying it would consider further regulatory action.
“As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok,” the watchdog said.
“The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers,” the regulator said, referring to the European Union’s strict privacy rules, known as the General Data Protection Regulation.
TikTok, which is owned by China’s ByteDance, has been under scrutiny in Europe over how it handles personal user information amid concerns from Western officials that it poses a security risk.
TikTok noted that it was one that notified the Data Protection Commission, after it embarked on a data localization project called Project Clover that involved building three data centers in Europe to ease security concerns.
“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover,” the company said in a statement. “We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security.”
Under GDPR, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. Only 15 countries or territories are deemed to have the same data privacy standard as the EU, but China is not one of them.
securityweek.com - Nippon Steel Solutions has disclosed a data breach that resulted from the exploitation of a zero-day in network equipment.
Japan-based Nippon Steel Solutions on Tuesday disclosed a data breach that resulted from the exploitation of a zero-day vulnerability.
Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal.
Nippon Steel Solutions said in a statement posted on its Japanese-language website that it detected suspicious activity on some servers on March 7.
An investigation showed that hackers had exploited a zero-day flaw in unspecified network equipment, and gained access to information on customers, partners and employees.
In the case of customers, the attackers may have stolen information such as name, company name and address, job title, affiliation, business email address, and phone number.
The exposed information in the case of partners includes names and business email addresses, while in the case of employees the attackers may have obtained names, business email addresses, job titles, and affiliation.
Nippon Steel Solutions said the information may have been exfiltrated, but to date it has found no evidence of a data leak on the dark web or elsewhere.
The notorious ransomware group BianLian claimed to have stolen hundreds of gigabytes of data from Nippon Steel USA in mid-February, including files related to finances, employees, and production.
The cybercriminals at the time threatened to leak all of the stolen data, but the group went dark a few weeks later.
Nippon Steel does not appear to have confirmed a data breach in response to BianLian’s claims and it’s unclear if the two incidents are related.
SecurityWeek has reached out to NS Solutions for clarifications and will update this
Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information.
In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23.
Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed.
“On July 18, 2024, the investigation was complete, and we identified your personal information contained within documents related to certain of our customers that the unauthorized individual obtained,” explains Bitcoin Depot in the letter.
“Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation.”
The type of data that has been exposed in this incident varies from individual to individual and may include:
Full name
Phone number
Driver’s license number
Address
Date of birth
Email address
Bitcoin Depot is one of the largest Bitcoin ATM networks in the United States, operating 8,800 machines in the U.S., Canada, and Australia.
Two vulnerabilities have been identified in RapidFire Tools Network Detective, a system assessment and reporting tool developed by Kaseya (RapidFire Tools). These issues significantly compromise the confidentiality and integrity of credentials gathered and processed during routine network scans, exposing sensitive data to both local attackers and potentially malicious insiders.
Vulnerability 1: Passwords in Cleartext
During its normal operation, Network Detective saves usernames and passwords in plain, readable text across several temporary files. These files are stored locally on the device and are not protected or hidden. In many cases, the credentials collected include privileged or administrative accounts, such as those used for VMware.
An attacker who gains access to the machine running the scan—whether physically, remotely, or through malware—can easily retrieve these passwords without needing to decrypt anything. This presents a serious risk to client infrastructure, especially when those credentials are reused or provide broad system access.
Vulnerability 2: Reversible Encryption
RapidFire Tools Network Detective uses a flawed method to encrypt passwords and other sensitive data during network scans. The encryption process is based on static, built-in values, which means it produces the same result every time for the same input. This makes it possible for anyone with access to the tool or encrypted data to easily reverse the encryption and retrieve original passwords.
This weakness puts client environments at risk, especially since the encrypted data often includes administrative credentials. The encryption does not follow modern security standards, and attackers do not need special tools or expertise to break it—only access to the files or application.
Analysis and Background
Network Detective, a product developed by RapidFire Tools (a Kaseya company), is designed to scan networks for vulnerabilities, misconfigurations, and compliance issues. It is used by managed service providers (MSPs), IT consultants, and internal IT departments to assess network health and generate reports. While commonly deployed as a standalone binary for one-off scans—often during sales or onboarding—Network Detective also supports scheduled, recurring scans in installed environments.
The application is typically configured via a step-by-step wizard, prompting users to define targets (e.g., IP ranges), scan types (e.g., HIPAA, PCI), and credentials for services such as Active Directory or VMware. This configuration is stored locally and reused for automated scans. Notably, the same binaries are used for both ad hoc and scheduled executions, meaning any vulnerabilities affect both deployment models equally.
Due to its ease of use and deep network visibility, the tool is often run with elevated privileges across production systems. Users implicitly trust the application to securely handle credentials and sensitive data. However, the issues discovered occur under default conditions, without requiring misuse or advanced manipulation—highlighting a significant risk for environments relying on the tool for security posture validation.
The probe is based on complaints from a lawmaker and an unnamed senior civil servant.
rench prosecutors have opened a criminal investigation into X over allegations that the company owned by billionaire Elon Musk manipulated its algorithms for the purposes of “foreign interference.”
Magistrate Laure Beccuau said in a statement Friday that prosecutors had launched the probe on Wednesday and were looking into whether the social media giant broke French law by altering its algorithms and fraudulently extracting data from users.
The criminal investigation comes on the heels of an inquiry launched in January, and is based on complaints from a lawmaker and an unnamed senior civil servant, Beccuau said.
A complaint that sparked the initial January inquiry accused X of spreading “an enormous amount of hateful, racist, anti-LGBT+ and homophobic political content, which aims to skew the democratic debate in France.”
POLITICO has reached out to X for comment.
The investigation lands as X is increasingly under fire from regulators in Paris and Brussels.
Two French parliamentarians referred the platform to France’s digital regulator Arcom on Thursday following anti-Semitic and racist posts by Grok, the artificial-intelligence chatbot that answers questions from X users.
The European Commission has separately been investigating the Musk-owned platform for almost two years now, on suspicion of breaching its landmark platforms regulation, the Digital Services Act.
We discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of organizations that use Synology’s “Active Backup for Microsoft 365” (ABM). This flaw could be leveraged by malicious actors to obtain potentially sensitive information — such as all messages in Microsoft Teams channels. It was reported to Synology and tracked as CVE-2025-4679.
This blog post contains the full technical walk-through and discovery of the vulnerability, its impact, and our experience during the responsible disclosure process with Synology.
The standalone disclosure report is available on our advisory page and potential Indicators of Compromise (IoC) are provided in a dedicated section further below.
Background
During a red-team engagement against a customer’s Microsoft Entra tenant and Azure infrastructure we came across an application named “Synology Active Backup for M365”.
The application had broad permissions — such as read access to all groups and Microsoft Teams channel messages — making it an ideal target to obtain information that may be useful for further attacks (i.e. credential abuse or social engineering).
To analyze it, we created our own lab environment consisting of a Microsoft sandbox tenant and the ABM add-on installed within Synology’s DiskStation Manager (DSM) operating system. For research purposes it is not necessary to have a Synology NAS appliance, as the entire OS can be virtualized via Docker. We also built some tools along the way, which can be helpful to reverse engineer DSM add-on packages. We will share them for other security researchers on our GitHub soon.
Lors d’un audit, des milliers de failles ont été découvertes dans le Système d’Information Schengen II, logiciel gérant le fichier mis en place dans le cadre de la convention de Schengen. Sopra Steria qui en est responsable a mis des mois, voire des années à corriger certains
problèmes. L’année dernière, la seconde version du Système […]
L'année dernière, la seconde version du Système d'Information Schengen (SIS) a essuyé un audit sévère du Contrôleur européen de la protection des données (CEPD). Ce logiciel est utilisé par les autorités aux frontières des pays de l'espace Schengen pour ficher les personnes recherchées et celles refoulées ou interdites de séjours.
La seconde version du système a été déployée en 2013, mais il a été « renouvelé » en mars 2023 et de nouvelles catégories de signalements, des données biométriques et des registres d'ADN de personnes disparues ont encore été ajoutées.
1,7 million de personnes concernées
Selon l'agence européenne eu-LISA qui utilise le système [PDF], plus de 93 millions d'alertes y étaient stockées au 31 décembre 2024, dont 1,7 million sur les personnes. Près de 1,2 million concerne des reconduites à la frontière, des refus d'entrée ou de rester sur le territoire et un peu plus de 195 000 personnes y sont fichées comme de possibles menaces pour la sécurité nationale.
Ce système stocke des données concernant des personnes visées par un mandat d'arrêt européen, mais aussi signale, aux fins de non-admission ou d'interdiction de séjour, des personnes signalées dans le cadre d'infractions pénales ou recherchées pour l'exécution d'une peine, ou encore des personnes disparues.
Ces données comprennent l'état civil, des photographies, des empreintes digitales et d'autres informations biométriques réunies dans les textes officiels sous la dénomination de « signes physiques particuliers, objectifs et inaltérables ». Des données particulièrement sensibles, donc. Des commentaires peuvent être ajoutés comme « la conduite à tenir en cas de découverte », « l'autorité ayant effectué le signalement » ou le type d'infraction.
Des milliers de problèmes de gravité « élevée »
Selon les documents consultés par Bloomberg et par Lighthouse Reports, le logiciel était, à l'époque de l'audit, truffé de vulnérabilités. Des milliers de problèmes de sécurités étaient d'une gravité « élevée ». Le contrôleur a aussi pointé du doigt un « nombre excessif » de comptes administrateurs de la base de données, ce qui était « une faiblesse évitable qui pourrait être exploitée par des attaquants internes ». Dans l'audit du CEPD est indiqué que 69 membres de l'équipe de développement avaient un accès à la base de données du système sans avoir l'habilitation de sécurité nécessaire.
Pour l'instant, le Système d'Information Schengen II fonctionne sur un réseau isolé, les nombreuses failles détaillées dans cet audit ne peuvent donc être exploitées que par un attaquant interne. Mais il est prévu qu'il soit intégré, à terme, au « système d'entrée/sortie » des personnes de nationalités en dehors de l'UE, qui lui doit être mis en place à partir d'octobre 2025. Celui-ci est connecté à Internet. Le rapport d'audit s'alarme d'une facilité des pirates d'accéder à la base de données à ce moment-là.
Une très lente réaction de Sopra Steria
Selon Bloomberg, l'audit explique que des pirates auraient pu prendre le contrôle du système et que des personnes extérieures auraient pu obtenir des accès non autorisés. Mais le média explique que des documents montrent que, lorsque l'eu-Lisa a signalé ces problèmes, Sopra Steria, qui est chargée du développement et de la maintenance du système, a mis entre huit mois et plus de cinq ans et demi pour les résoudre. Ceci alors que le contrat entre l'agence européenne et l'entreprise l'oblige à patcher les vulnérabilités « critiques ou élevées » dans les deux mois.
Dans des échanges de mails avec eu-LISA consultés par nos confrères, Sopra Steria demandait des frais supplémentaires à la hauteur de 19 000 euros pour la correction de vulnérabilités. L'agence européenne a, de son côté, répondu que cette correction faisait partie du contrat qui comprenait des frais compris entre 519 000 et 619 000 euros par mois pour la « maintenance corrective ».
Interrogée par nos confrères, Sopra Steria n'a pas voulu répondre à leurs questions, mais a affirmé : « En tant qu'élément clé de l'infrastructure de sécurité de l'UE, le SIS II est régi par des cadres juridiques, réglementaires et contractuels stricts. Le rôle de Sopra Steria a été joué conformément à ces cadres ».
Dans son audit, le CEPD vise aussi l'eu-LISA qui n'a pas informé son conseil d'administration des failles de sécurité. Il pointe aussi des « lacunes organisationnelles et techniques en matière de sécurité » et lui demande d'établir un plan d'action et une « stratégie claire » pour gérer les vulnérabilités du système.
À Bloomberg, l'eu-LISA affirme que « tous les systèmes gérés par l'agence font l'objet d'évaluations continues des risques, d'analyses régulières de la vulnérabilité et de tests de sécurité ».
: ¡Cuidado! Time to double-check before entering your Microsoft creds
Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.
The .es top-level domain (TLD) is the domain reserved for the country of Spain, or websites targeting Spanish-speaking audiences.
Cofense said the abuse of the .es TLD started to pick up in January, and as of May, 1,373 subdomains were hosting malicious web pages on 447 .es base domains.
The researchers said that 99 percent of these were focused on credential phishing, while the other 1 percent were devoted to distributing remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal, and XWorm.
The malware was distributed either via a C2 node or a malicious email spoofing a well-known brand (Microsoft in 95 percent of cases, unsurprisingly), so there was nothing overly novel about the campaigns themselves other than the TLD.
Emails seen in the wild tend to be themed around workplace matters such as HR requests or requests for the receipt of documents, for example, and the messages are often well-crafted, rather than low-effort one-liners.
The .es domains that host the malicious content, like the fake Microsoft sign-in portals, are in most cases randomly generated rather than crafted by a human. For potential targets, this potentially makes it easier to spot a lookalike/typosquat-style URL.
Some examples of the types of subdomains hosted on the .es base domains are as follows:
ag7sr[.]fjlabpkgcuo[.]es
gymi8[.]fwpzza[.]es
md6h60[.]hukqpeny[.]es
Shmkd[.]jlaancyfaw[.]es
As for why exactly the .es domain was proving so popular, Cofense did not venture any guesses. However, it said that aside from the top two most-abused TLDs (.com and .ru), the remainder tend to fluctuate from quarter-to-quarter.
Regardless, the general nature of the phishing campaigns experts observed over the past six months suggests dodgy .es websites could be here to stay.
Cofense said: "If one threat actor or threat actor group were taking advantage of .es TLD domains then it is likely that the brands spoofed in .es TLD campaigns would indicate certain preferences by the threat actors that would be different from general campaigns delivered by a wide variety of threat actors with varying motives, targets, and campaign quality.
"This was not observed, making it likely that abuse of .es TLD domains is becoming a common technique among a large group of threat actors rather than a few more specialized groups."
spycloud.com
We analyzed the VenusTech and Salt Typhoon data leaks to uncover the latest trends in the Chinese criminal underground.
In late May, two particularly interesting Chinese datasets appeared for sale in posts on DarkForums, an English-language data breach and leak forum that has become popular since BreachForums went dark in mid-April. These two posts, which we’re calling the VenusTech Data Leak and the Salt Typhoon Data Leak, had some interesting similarities. Both posts:
Were posted by new accounts that appear to have been created explicitly to sell a single dataset
Included data that allegedly came from companies in China’s large hack-for-hire ecosystem
Included data samples that, while limited, give us some insight into the companies they came from
While the samples provided on DarkForums were relatively small in comparison to previous data leaks of a similar nature (including Chinese IT contractor leaks, such as TopSec and iSoon), the latest leaks provide critical pivot points for assessing the state and structure of the Chinese cybersecurity contractor ecosystem.
We wanted to take a moment to analyze these two recent posts, dive into the sample data, and make some connections between this activity and some overall trends we are observing in our research into the Chinese cybercriminal underground.
Analysis of the VenusTech Data Leak
VenusTech is a major IT security vendor in China with a focus on serving government clients. It was founded in 1996 and is traded on the Shenzhen Stock Exchange. They have previously documented ties to the hack-for-hire industry including procuring services from XFocus, who created the original Blaster worm in 2003, as well as providing startup funding to Integrity Tech, the company responsible for the offensive hacking activity associated with Flax Typhoon.
On May 17, a post relating to VenusTech was created by an account called “IronTooth” and titled “Chinese tech company venus leaked documents.” The IronTooth account appears to have been newly created and simply uses the default profile image for DarkForums. The full post text reads:
selling sourced leaked documents dump of chinese tech company. includes papers, products sold to government, accesses, clients and more random shit sold to highest bidder after 48h. crossposted.
Four individuals in Britain were arrested early on Thursday morning by the National Crime Agency on suspicion of involvement in a range of ransomware attacks targeting the British retail sector earlier this year.
The individuals are a 20-year-old British woman from Staffordshire, a 19-year-old Latvian male from the West Midlands, a 19-year-old British man from London and a 17-year-old British male from the West Midlands.
All four are now in custody having been arrested at home, and the NCA said its officers have seized their electronic devices for forensic analysis.
The individuals are suspected of involvement in three incidents in April impacting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods.
The NCA said the individuals are suspected of Computer Misuse Act offenses, blackmail, money laundering and participating in the activities of an organized crime group.
“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” said Paul Foster, the head of the NCA’s National Cyber Crime Unit.
“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.
“Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”
For many years, data brokers have existed in the shadows, exploiting gaps in privacy laws to harvest our information—all for their own profit. They sell our precise movements without our knowledge or meaningful consent to a variety of private and state actors, including law enforcement agencies. And they show no sign of stopping.
This incentivizes other bad actors. If companies collect any kind of personal data and want to make a quick buck, there’s a data broker willing to buy it and sell it to the highest bidder–often law enforcement and intelligence agencies.
One recent investigation by 404 Media revealed that the Airlines Reporting Corporation (ARC), a data broker owned and operated by at least eight major U.S. airlines, including United Airlines and American Airlines, collected travelers’ domestic flight records and secretly sold access to U.S. Customs and Border Protection (CBP). Despite selling passengers’ names, full flight itineraries, and financial details, the data broker prevented U.S. border forces from revealing it as the origin of the information. So, not only is the government doing an end run around the Fourth Amendment to get information where they would otherwise need a warrant—they’ve also been trying to hide how they know these things about us.
ARC’s Travel Intelligence Program (TIP) aggregates passenger data and contains more than one billion records spanning 39 months of past and future travel by both U.S. and non-U.S. citizens. CBP, which sits within the U.S. Department of Homeland Security (DHS), claims it needs this data to support local and state police keeping track of people of interest. But at a time of growing concerns about increased immigration enforcement at U.S. ports of entry, including unjustified searches, law enforcement officials will use this additional surveillance tool to expand the web of suspicion to even larger numbers of innocent travelers.
More than 200 airlines settle tickets through ARC, with information on more than 54% of flights taken globally. ARC’s board of directors includes representatives from U.S. airlines like JetBlue and Delta, as well as international airlines like Lufthansa, Air France, and Air Canada.
In selling law enforcement agencies bulk access to such sensitive information, these airlines—through their data broker—are putting their own profits over travelers' privacy. U.S. Immigration and Customs Enforcement (ICE) recently detailed its own purchase of personal data from ARC. In the current climate, this can have a detrimental impact on people’s lives.
gbhackers.com July 10, 2025 - A newly discovered man-in-the-middle exploit dubbed “Opossum” has demonstrated the unsettling ability to compromise secure communications.
Researchers warn that Opossum targets a wide range of widely used application protocols—including HTTP, FTP, POP3, SMTP, LMTP and NNTP—that support both “implicit” TLS on dedicated ports and “opportunistic” TLS via upgrade mechanisms.
By exploiting subtle implementation differences between these two modes, an attacker can provoke a desynchronization between client and server, ultimately subverting the integrity guarantees of TLS and manipulating the data seen by the client.
The Opossum attack is built upon vulnerabilities first highlighted in the ALPACA attack, which identified weaknesses in TLS authentication when application protocols allow switching between encrypted and plaintext channels.
Even with ALPACA countermeasures in place, Opossum finds fresh leverage points at the application layer. When a client connects to a server’s implicit TLS port—such as HTTPS on port 443—the attacker intercepts and redirects the request to the server’s opportunistic-TLS endpoint on port 80.
By posing as the client, the attacker initiates a plaintext session that is then upgraded to TLS with crafted “Upgrade” headers.
Simultaneously, the attacker relays the original client’s handshake to the server, mapping the two TLS sessions behind the scenes.
therecord.media July 9th, 2025 - DGSE intelligence head Nicolas Lerner said Moscow’s tactics are evolving and increasingly include on-the-ground activities carried out by paid operatives.
France’s top intelligence official has warned that Russia is waging "a war of influence" against the country through hybrid online disinformation, espionage and sabotage operations.
Nicolas Lerner, head of the DGSE foreign intelligence agency, said in an interview with French broadcaster LCI that Moscow’s tactics are evolving and now include physical operations carried out by paid intermediaries. He cited an incident last year in which suspected Russian saboteurs placed coffins near the Eiffel Tower draped in the French flag bearing the inscription “French soldiers of Ukraine.”
“These are not amateur operations,” Lerner said. “They reflect a desire to disrupt our information space and undermine trust in our institutions.”
He said that around 80 Russian agents were active in France before Russia’s full-scale invasion of Ukraine in 2022, and that 50 of them have since been expelled. Paris has also imposed sanctions on individuals linked to Moscow’s intelligence services.
Lerner warned that Russia poses a medium- and long-term “existential threat” to Europe, its democracies and its values.
His comments come amid alarm over a growing wave of alleged Russian hybrid operations across Europe. In recent months, NATO allies and EU member states have reported suspected sabotage, cyberattacks, and disinformation campaigns linked to Moscow.
In June, trains between Amsterdam and The Hague were disrupted in what Dutch authorities suspect was a sabotage attempt tied to the NATO summit. Around the same time, pro-Russian hacktivists claimed responsibility for distributed denial-of-service attacks targeting summit-related organizations.
In France, the high-speed rail network was hit by coordinated sabotage just hours before last year’s Olympic Games opening ceremony, affecting lines around Paris.
Polish officials recently accused Russian intelligence of orchestrating a 2024 fire at a major Warsaw shopping mall. Warsaw responded by shutting down a Russian consulate.
On Tuesday, three South London men were found guilty of carrying out an arson attack on a depot housing humanitarian aid intended for Ukraine. The men were hired by the Wagner Group, a private militia that has acted under the orders of the Kremlin.
European officials have also warned of cyber operations targeting military, government, and critical infrastructure across the continent. On Wednesday, German media reported that a Kremlin-linked hacking group is attempting to steal sensitive data from the German armed forces.
nextgov.com - July 9, 2025 09:30 AM ET
Rogers is Canada’s top wireless provider and is among that nation’s core telecom firms mandated to comply with Canadian lawful access rules, which require them to share user data with investigators.
Canadian telecom and mass media provider Rogers Communications was identified as a firm ensnared by a major Chinese hacking group that has targeted dozens of communications firms worldwide, according to two people familiar with the matter.
The group, known as Salt Typhoon, was discovered inside a batch of American telecom operators last year and first brought to light by the Wall Street Journal in late September. The campaign likely began around two to three years ago and has expanded rapidly since.
It’s not immediately clear what data, assets or other information were pilfered from Rogers networks. The people spoke on the condition of anonymity because the matter is sensitive.
“These allegations are false. We were not compromised by Salt Typhoon and this has been verified by two independent cyber security firms. As part of ongoing work, we partner with government and industry to proactively monitor and investigate potential threats,” a company spokesperson said.
"It’s important to note that if the Cyber Centre is aware of cyber threat activity in Canada, we alert the organization and provide mitigation support, advice and guidance," a spokesperson for the Canadian Centre for Cyber Security said, noting that they do not comment on specific or alleged cyber incidents but pointing to advisories they have issued about the threat posed by Salt Typhoon.
"Through the Canadian Security Telecommunications Advisory Committee (CSTAC), the Cyber Centre and its government partners regularly and actively engage with Canadian telecommunications service providers and key equipment suppliers to help ensure the security of Canadian critical telecommunications infrastructure," they said.
Rogers is the country’s top wireless provider and boasts some 20 million subscribers across its various services, a company webpage says. Over 60% percent of Canadian households rely on its internet, it notes. It also has extensive contracts with Canada’s government.
Canada, like many countries with robust telecom networks, has laws that let federal investigators compel providers to turn over communications metadata on individuals suspected of criminal activity, hacking or espionage. Rogers is among those required to comply with these Canadian “lawful access” inquiries.
In 2023, the company disclosed data on some 162,000 customers to authorities under lawful access requests backed by warrants and government orders, a transparency report shows.
Salt Typhoon has gone after those same wiretap environments in the U.S., and likely abused those platforms when it directly targeted the communications of President Donald Trump and Vice President JD Vance during their run for the White House last year.
Last month, Canada’s cybersecurity agency released a bulletin warning that Salt Typhoon was targeting telecommunications firms in the country. “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025,” says the bulletin, which doesn’t name the firm.
The agency identified a 2023 vulnerability in Cisco routers that was used as an access point into the unnamed Canadian provider. Cisco equipment that has not been patched with the latest security updates has provided the Chinese telecom hackers with a wide access point into various communications systems, according to earlier assessments.
That same 2023 vulnerability is detailed in a Cisco threat intelligence blog released in February.
Ian Carroll, Sam Curry / ian.sh
When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We discovered a vulnerability that could allow an attacker to access more than 64 million job applications. This data includes applicants' names, resumes, email addresses, phone numbers, and personality test results.
McHire is the chatbot recruitment platform used by 90% of McDonald’s franchisees. Prospective employees chat with a bot named Olivia, created by a company called Paradox.ai, that collects their personal information, shift preferences, and administers personality tests. We noticed this after seeing complaints on Reddit of the bot responding with nonsensical answers.
During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants.
We disclosed this issue to Paradox.ai and McDonald’s at the same time.
06/30/2025 5:46PM ET: Disclosed to Paradox.ai and McDonald’s
06/30/2025 6:24PM ET: McDonald’s confirms receipt and requests technical details
06/30/2025 7:31PM ET: Credentials are no longer usable to access the app
07/01/2025 9:44PM ET: Followed up on status
07/01/2025 10:18PM ET: Paradox.ai confirms the issues have been resolved
morphisec - In the volatile aftermath of the Israel-Iran-USA conflict, a sophisticated cyber threat has re-emerged, targeting organizations across the West. Morphisec’s threat research team has uncovered the revival of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation, now operating as Pay2Key.I2P. Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, previously analyzed by Morphisec for its ELENOR-Corp variant, Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities. Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment. With over $4 million in ransom payments collected in just four months and individual operators boasting $100,000 in profits, this campaign merges technical prowess with geopolitical motives. Our upcoming report includes personal communications from the group, revealing their dedication and the reasons behind rewriting their ransomware.
This blog introduces our technical analysis and OSINT findings, exposing Pay2Key.I2P’s operations and its ties to Mimic.
ince its debut in February 2025, Pay2Key.I2P has expanded rapidly. Strategic marketing on Russian and Chinese darknet forums, combined with a presence on X since January 2025, indicates a planned rollout. With over 51 successful ransom payouts in four months, the group’s effectiveness is undeniable.
While profit is a motivator, Pay2Key.I2P’s ideological agenda is clear. Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare. The addition of a Linux-targeted ransomware build in June 2025 further expands their attack surface, threatening diverse systems.
gbhackers - A chilling discovery by Koi Security has exposed a sophisticated browser hijacking campaign dubbed “RedDirection,” compromising over 1.7 million users through 11 Google-verified Chrome extensions.
This operation, which also spans Microsoft Edge with additional extensions totaling 2.3 million infections across platforms, exploited trusted signals like verification badges, featured placements, and high install counts to distribute malware under the guise of legitimate productivity and entertainment tools.
The RedDirection campaign stands out due to its deceptive strategy of remaining benign for years before introducing malicious code via silent updates, a tactic that evaded scrutiny from both Google and Microsoft’s extension marketplaces.
These updates, auto-installed without user intervention, transformed trusted tools into surveillance platforms capable of tracking every website visit, capturing URLs, and redirecting users to fraudulent pages via command-and-control (C2) infrastructure like admitclick.net and click.videocontrolls.com.
krebsonsecurity - Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.
While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.
Mike Walters, co-founder of Action1, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users.
“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”
Adam Barnett at Rapid7 notes that today is the end of the road for SQL Server 2012, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege.
Barnett also called attention to CVE-2025-47981, a vulnerability with a CVSS score of 9.8 (10 being the worst), a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw.
Microsoft also patched at least four critical, remote code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.
Two more high severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites.
CVE-2025-47178 involves a remote code execution flaw in Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins at Immersive Labs said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it.
“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”
Separately, Adobe has released security updates for a broad range of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.
The SANS Internet Storm Center has a breakdown of each individual patch, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on AskWoody for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month).
If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.
The unknown individual contacted at least five government officials, including three foreign ministers, a U.S. governor and a member of Congress, according to a State Department cable.
An impostor pretending to be Secretary of State Marco Rubio contacted foreign ministers, a U.S. governor and a member of Congress by sending them voice and text messages that mimic Rubio’s voice and writing style using artificial intelligence-powered software, according to a senior U.S. official and a State Department cable obtained by The Washington Post.
U.S. authorities do not know who is behind the string of impersonation attempts but they believe the culprit was probably attempting to manipulate powerful government officials “with the goal of gaining access to information or accounts,” according to a cable sent by Rubio’s office to State Department employees.
Using both text messaging and the encrypted messaging app Signal, which the Trump administration uses extensively, the impostor “contacted at least five non-Department individuals, including three foreign ministers, a U.S. governor, and a U.S. member of Congress,” said the cable, dated July 3.
The impersonation campaign began in mid-June when the impostor created a Signal account using the display name “Marco.Rubio@state.gov” to contact unsuspecting foreign and domestic diplomats and politicians, said the cable. The display name is not his real email address.
“The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” said the cable. It also noted that other State Department personnel were impersonated using email.
When asked about the cable, the State Department responded that it would “carry out a thorough investigation and continue to implement safeguards to prevent this from happening in the future.” Officials declined to discuss the contents of the messages or the names of the diplomats and officials who were targeted.
A volunteer-run network of service centers halts custom firmware updates for DJI drones following a cyber attack.
Can a cyber operation have an impact on drone warfare? Recent developments in Russia offer an example of how this can happen in a not-so-obvious way.
On Friday, a volunteer group Russian Hackers for the Front (“Русские Хакеры – Фронту”, RH) known for building a customized firmware for DJI drones reported a cyber attack that affected its servers and end-point devices (terminals). While recovering from the attack, RH instructed hundreds of service centers to stop using its terminals until further notice, thus pausing a wide operation of weaponizing commercial drones.
Although details are scanty, this is a rare publicly reported cyber attack that affects drones warfare and might have militarily significant consequences.
In this post I will summarize what is known about the attack and provide additional information about the impact and who might be behind it.
How the Mellowtel library transforms browser extensions into a distributed web scraping network, making nearly one million devices an unwitting bot army.
Many developers begin creating browser extensions with a strong passion to solve problems they believe others might face as well. Eventually, as extensions become more popular, the added burden of updates and maintenance can weigh heavily on developers who likely have other priorities. These developers might try to find paths to monetize their extensions, but it often isn't as simple as just putting a price tag on them.
There are a handful of "monetization-as-a-service" companies that have emerged, promising developers a way to be compensated for their hard work. These companies offer software libraries that can be easily added to existing extensions (sometimes without requiring any new permissions!) and in return, extension developers begin getting paid as their extensions are used. Does that sound too good to be true?
There are several of these libraries, but some of the more popular ones track user browsing behaviors to generate 'clickstream' data. The companies creating these libraries are targeting developers and are often advertising technology firms that aggregate the data and offer their clients (very large companies) realistic profiles of browsing behaviors for advertising purposes.
Recently, we discovered a new monetization library developed by Mellowtel that pays extension developers in exchange for the "unused bandwidth" of users who have an extension installed. The reality could be far more sinister. We'll cover what that actually means, who is actually behind the library, and the cybersecurity risks a company should consider if they find an extension using this library.
Sending private screenshots to an AI-based “wingman” app is probably not the best idea. Who would have thought? Unfortunately, users of FlirtAI - Get Rizz & Dates will have to find out the hard way.
The Cybernews research team recently discovered an unprotected Google Cloud Storage Bucket owned by Buddy Network GmbH, an iOS app developer.
The exposed data was attributed to one of the company’s projects, FlirtAI - Get Rizz & Dates, an app that intends to analyze screenshots that users provide, promising to suggest appropriate replies.
Meanwhile, the app makers leaked over 160K screenshots from messaging apps and dating profiles, belonging to individuals that users of the AI wingman wanted assistance with.
What makes it worse is that, according to the team, leaked data indicates that FlirtAI - Get Rizz & Dates was often used by teenagers, who fed the AI screenshots of their conversations with their peers.
“Due to the nature of the app, people most affected by the leak may be unaware that screenshots of their conversations even exist, let alone that they could be leaked on the internet,” the team said.
After the team noted the company and the relevant Computer Emergency Response Team (CERT), Buddy Network GmbH closed the exposed bucket. We have reached out to the company for a comment and will update the article once we receive a reply.
A recent security analysis has uncovered critical vulnerabilities in the infotainment systems of KIA vehicles, raising alarm across the automotive cybersecurity community.
These flaws allow attackers to inject and execute malicious code through specially crafted PNG image files, potentially compromising vehicle safety and user privacy.
Security researchers, during an in-depth examination of KIA’s head unit and its underlying Real-Time Operating System (RTOS), found that the infotainment firmware failed to properly validate certain image file formats—most notably PNG files.
By exploiting this weakness, attackers could embed executable payloads inside images that, when processed by the infotainment system, triggered remote code execution.
he attack leverages a buffer overflow vulnerability in the image parsing library used by KIA’s infotainment system.
When a malicious PNG file is loaded—either via USB, Bluetooth, or over-the-air update—the system’s parser mishandles the image data, allowing the attacker’s code to overwrite critical memory regions.
Attack Chain
A deep investigation by DeepSpecter.com uncovered a multi-year data exposure involving Uffizio, the software provider behind a widely used white-label GPS fleet management platform. Despite claiming GDPR compliance, Uffizio’s software — and its deployment by hundreds of global resellers — leaked sensitive fleet data across at least 12 countries for over five years, continuing even after a public CVE disclosure and an internal GDPR audit.
The leaked data included SIM identifiers, license plates, company names, tracker IMEIs, and real-time activity — effectively mapping the movement of thousands of vehicles, including those operated by police, ambulances, municipal fleets, and even nuclear energy providers. The fact that Uffizio was quick to patch its software while exposure continued elsewhere underscores a broader issue: the delivery chain was broken, and we’ll expose that in a dedicated follow-up.
This case makes one thing clear — compliance is not enough. Businesses responsible for real-world assets and lives cannot afford to treat security as a checkbox. When fleet systems tie directly to public safety and critical infrastruc data-leakture, the absence of active monitoring turns regulatory compliance into a false sense of protection. The risk is real, the impact is human, and silence is no longer an option.
NSFOCUS Fuying Lab's Global Threat Hunting System has discovered a new botnet family called "hpingbot" that has been quickly expanding.
This cross-platform botnet, built from scratch using the Go programming language, targets both Windows and Linux/IoT environments and supports multiple processor architectures including amd64, mips, arm, and 80386.
Unlike derivatives of well-known botnets like Mirai or Gafgyt, hpingbot showcases remarkable innovation by leveraging unconventional resources for stealth and efficiency, such as using the online text storage platform Pastebin for payload distribution and the network testing tool hping3 to execute Distributed Denial of Service (DDoS) attacks.
According to the Report, this approach not only enhances its ability to evade detection but also significantly reduces the costs associated with development and operation, making hpingbot a formidable and evolving threat in the digital realm.
Hpingbot’s operational strategy is notably distinct, as it employs Pastebin to host and dynamically update malicious payloads, allowing attackers to adjust their load distribution frequently.
DDoS Attacks
Attack method
Monitoring data from Fuying Lab indicates that Pastebin links embedded in the botnet have shifted content multiple times since mid-June 2025, from hosting IP addresses to providing scripts for downloading additional components.
This flexibility is paired with the botnet’s reliance on hping3, a versatile command-line tool typically used for network diagnostics, to launch a variety of DDoS attacks such as SYN, UDP, and mixed-mode floods.
Interestingly, while the Windows version of hpingbot cannot utilize hping3 for DDoS attacks due to environmental limitations, its persistent activity underscores a broader focus on downloading and executing arbitrary payloads, hinting at intentions beyond mere network disruption.
Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP.
Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems.
Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems.
The new component allows executing arbitrary remote commands, it survives reboots, and permits maintaining control over infected hosts indefinitely.
MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity.
"AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say.
"The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."
www.nsb.gov.tw
In recent years, the international community has shown growing concerns over cybersecurity issues deriving from China-developed mobile applications (apps). Governments and independent research institutions worldwide have already issued warnings concerning data breaches in users’ communication security. To prevent China from illegally acquiring personal data of Taiwan’s nationals, National Security Bureau (NSB) has reviewed cybersecurity reports from countries around the world and organized relevant information, as per the National Intelligence Work Act. Subsequently, the NSB informed and coordinated with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency to conduct random inspection on several China-developed mobile apps. The results indicate the existence of security issues, including excessive data collection and privacy infringement. The public is advised to exercise caution when choosing mobile apps.
The 5 China-developed apps selected for inspection, consisting of rednote, Weibo, TikTok, WeChat, and Baidu Cloud, are widely used by Taiwanese nationals. The MJIB and CIB adopted the Basic Information Security Testing Standard for Mobile Applications v4.0 announced by the Ministry of Digital Affairs, and evaluated the apps against 15 indicators under 5 categories of violation, consisting of personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.
All 5 apps have shown serious violations across multiple inspection indicators. Notably, the rednote fails to meet all 15 inspection standards. Weibo and TikTok violate 13 indicators, separately, as well as 10 for WeChat and 9 for Baidu Cloud. These findings suggest that the said China-made apps present cybersecurity risks far beyond the reasonable expectations for data-collection requirement taken by ordinary apps.
All 5 China-made apps are found to have security issues of excessively collecting personal data and abusing system permissions. The violations include unauthorized access to facial recognition data, screenshots, clipboard contents, contact lists, and location information. As to the category of system information extraction, all apps were found to collect data such as application lists and device parameters. Furthermore, as far as biometric data are concerned, users’ facial features may be deliberately harvested and stored by those apps.
With regard to data transmission and sharing, the said 5 apps were found to send packets back to servers located in China. This type of transmission has raised serious concerns over the potential misuse of personal data by third parties. Under China’s Cybersecurity Law and National Intelligence Law, Chinese enterprises are obligated to turn over user data to competent authorities concerning national security, public security, and intelligence. Such a practice would pose a significant security breach to the privacy of Taiwanese users, which could lead to data collection by specific Chinese agencies.
A wide range of countries, such as the US, Canada, the UK, and India, have already publicly issued warnings against or bans on specific China-developed apps. The European Union has also launched investigations under the General Data Protection Regulation framework into suspected data theft involving certain China-made apps. Substantial amount of fines are imposed in those cases. In response to the cybersecurity threats, the Taiwanese government has prohibited the use of Chinese-brand products regarding computer and communications technology within official institutions. Both software and hardware are included.
The NSB coordinates with the MJIB and CIB to test the 5 inspected China-developed apps, and confirms that widespread cybersecurity vulnerabilities indeed exist. The NSB strongly advises the public to remain vigilant regarding mobile device security and avoid downloading China-made apps that pose cybersecurity risks, so as to protect personal data privacy and corporate business secrets.
techradar.com - 4 july
Almost a year later, the company comes forward with more details
The organization confirmed the news after an extensive investigation that took almost a year, noting in a data breach notification letter sent earlier to affected individuals the attack most likely took place on October 4 2024, when cybercriminals accessed its network and stole sensitive information on current and former employees, current and former support service contractors, and their dependents.
We don’t know exactly how many people were affected by this attack, or what the nature of the data is. IdeaLab just said the attackers took people’s names, in combination with “variable data”.
Categories: U.S. Federal Law, Cybersecurity, Enforcement
In a surprising development in the US Securities and Exchange Commission’s (“SEC’s”) ongoing securities fraud case against SolarWinds Corp. (“SolarWinds”) and its former chief information security officer (“CISO”), Timothy Brown, all three parties have petitioned the judge for a stay pending final settlement. Until the SEC’s four commissioners can vote to approve the settlement, the parties have requested the stay until at least September 12, 2025.
As we previously reported, in October 2023, the SEC sued software developer SolarWinds and its former CISO, alleging that SolarWinds misled investors about a series of heavily publicized cyberattacks that targeted the company, culminating in the December 2020 Sunburst malware attack. In addition to alleging securities fraud and violations of SEC reporting provisions, the SEC also alleged that SolarWinds violated Sarbanes-Oxley internal control provisions.
In July 2024, U.S. District Judge Paul A. Engelmayer granted SolarWinds’ and the company’s former CISO’s motions to dismiss on most claims. A single set of fraud claims survived concerning alleged misstatements and omissions in a “Security Statement” that was published on SolarWinds’ website. The Security Statement described the company’s various cybersecurity practices, which the SEC alleges painted an incomplete and misleading picture. As recently as June 2025, the SEC indicated it was ready to try the case and filed a motion in opposition to the defendants’ motion to dismiss the remaining claim.
On July 2, 2025, all three parties—the SEC, SolarWinds and the company’s former CISO—sent a joint letter to the judge indicating they had reached an agreement in principle to settle the case. Any settlement is subject to approval of the four SEC commissioners. As noted above, the parties’ joint letter requested a stay until at least September 12, 2025 to give the SEC commissioners time to review the matter. Two of the sitting commissioners have been critical of the SEC’s case.
It is difficult to speculate what the final terms of settlement may be. Unrelated to this case, with the change in presidential administration, the SEC has dismissed numerous enforcement cases targeting the cryptocurrency industry on the grounds that the cases were imprudently brought. It is possible this philosophy has now been extended to the SolarWinds case, and the SEC may seek to drop the case entirely. It also is possible that this movement by the SEC staff is more in line with other settled cases, and could simply entail reduced charges and remedies acceptable to all parties. The fact that the SEC enforcement staff still needs approval by the SEC commissioners may imply that this latter scenario is more likely. Like any plaintiff, the SEC does from time to time settle enforcement cases after they have entered litigation for any number of reasons.
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned.
Update 7/6/25: Added Ingram Micro's confirmation it suffered a ransomware attack below. Also updated ransom note with clearer version.
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned.
Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide.
Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues.
BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices.
The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack.
It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.
