Daily Security Review

40 Episodes

By: Daily Security Review

Daily Security Review, the premier source for news and information on security threats, Ransomware and vulnerabilities

AI-Generated Phishing and Deepfakes Supercharge Social Engineering Attacks
#261
Today at 1:00 AM

Social engineering has reclaimed center stage as today’s most reliable intrusion vector—and it’s not just email anymore. Recent warnings from law enforcement and national cyber centers underscore how adversaries exploit human psychology to “log in, not hack in,” bypassing hardened perimeters with phishing, vishing (voice phishing) against IT help desks, smishing, and polished impersonation. These campaigns pair urgency, intimidation, and empathy ploys with modern twists like deepfake audio/video and LLM-written lures that mirror a target’s tone, role, and business context. Once a foothold is gained, operators ride legitimate tools (PowerShell, RDP, admin consoles), blend into normal...


Phoenix Attack Breaks DDR5 Rowhammer Defenses: Root in 109 Seconds
#260
Yesterday at 10:00 PM

The infamous Rowhammer vulnerability, long thought to be contained by new DRAM protections, has resurfaced with devastating force. Academic researchers, working with Google, have unveiled the Phoenix attack, a breakthrough Rowhammer variant that shatters the defenses of DDR5 memory chips. Despite the industry’s investment in Target Row Refresh (TRR) and Error Correcting Codes (ECC), Phoenix exploits “blind spots” in SK Hynix DDR5 DIMMs—the world’s leading DRAM manufacturer—using novel hammering patterns and a self-correcting synchronization technique. In real-world tests, Phoenix achieved privilege escalation in as little as 109 seconds, giving attackers full root access on commodity DDR5 systems.

...


Silent Push Raises $10M Series B to Expand Threat Intelligence Platform
#260
Yesterday at 7:00 PM

Cybercriminals aren’t just breaking in—they’re borrowing your brand to do it. This episode dives into the critical intersection of brand protection, threat intelligence, and external attack surface management (EASM) and lays out a practical, intelligence-driven blueprint you can start applying today.

We begin with the state of brand abuse: a sharp year-over-year surge in online scams ranging from HR recruitment fraud to “money-flipping” schemes and look-alike social accounts. Why it matters: your brand is the first—and often only—trust signal customers and candidates use. One exposure to a toxic impersonation can drive nearly half of your a...


Google Accused of Shadow Lobbying Against California Privacy Opt-Out Law
#259
Yesterday at 4:00 PM

California’s Assembly Bill 566 (AB 566) has become one of the most hotly contested pieces of privacy legislation in the country. The bill would require universal “opt-out preference signals” in web browsers and mobile operating systems, allowing consumers to automatically block the sale and sharing of their personal data across the internet. Proponents—including the California Privacy Protection Agency, Consumer Reports, and Mozilla—hail the measure as a long-overdue step to simplify consumer privacy choices and push back against the relentless surveillance economy.

But opposition is fierce. Tech industry groups, the California Chamber of Commerce, and front groups like the C...


FinWise Bank Data Breach Exposes 700K Customers Amid Predatory Lending Allegations
#258
Yesterday at 1:54 PM

FinWise Bank is facing a double crisis—one of data security and another of public trust. Nearly 700,000 customers of American First Finance (AFF), a FinWise partner, were impacted by a massive data breach after a former employee improperly accessed sensitive records. The bank has responded with offers of free credit monitoring, but the damage to consumer trust is already done.

At the same time, FinWise Bank is the subject of intense scrutiny from the National Consumer Law Center and other leading advocacy groups, who accuse the institution of serving as a “rent-a-bank” for predatory lenders. These groups point...


The “s1ngularity” Attack: How Hackers Hijacked Nx and Leaked Thousands of Repositories
#257
09/09/2025

In late August 2025, the open-source software ecosystem was rocked by a sophisticated two-phase supply chain attack, now known as “s1ngularity.” The incident began when attackers exploited a flaw in GitHub Actions workflows for the Nx repository, stealing an NPM publishing token and using it to release malicious versions of Nx packages. These packages carried a hidden malware script—telemetry.js—that targeted developer machines, searching for GitHub tokens, NPM tokens, API keys, SSH keys, crypto wallets, and .env files, then uploading the stolen secrets into public GitHub repositories labeled s1ngularity-repository.

The breach didn’t stop there. In...


Canadian Investment Giant Wealthsimple Hit by Vendor Compromise
#256
09/08/2025

Wealthsimple, one of Canada’s largest online investment platforms, has confirmed a data breach that exposed the sensitive information of fewer than 1% of its three million clients. The incident, detected on August 30, 2025, originated from a supply chain attack: a trusted third-party vendor’s compromised software package served as the entry point for attackers. While Wealthsimple quickly contained the breach and confirmed that no client funds were accessed or stolen, the compromised data includes Social Insurance Numbers (SINs), government IDs, financial account numbers, IP addresses, dates of birth, and contact details—a treasure trove for identity thieves.

Wealthsimple has as...


FireCompass Raises $20M to Scale AI-Powered Offensive Security
#255
09/08/2025

In a year when cybercrime is projected to cost the world over $10.5 trillion, FireCompass has emerged as one of the most closely watched AI-driven cybersecurity innovators. The startup, founded in 2019, just secured $20 million in new funding—bringing its total raised to nearly $30 million. Backed in part by EC-Council’s Cybersecurity Innovation Fund, this investment is aimed at accelerating research and development, scaling global operations, and strengthening its talent base in an industry where skilled professionals remain in short supply.

FireCompass offers a unified AI-powered offensive security platform designed to outpace adversaries by simulating real-world attacks at machine spee...


CVE-2025-42957: Active Exploits Target SAP S/4HANA Systems
#254
09/08/2025

A newly uncovered critical vulnerability, tracked as CVE-2025-42957, is sending shockwaves through the enterprise technology world. Affecting all SAP S/4HANA deployments, both on-premise and in private cloud environments, this ABAP code injection flaw carries a near-maximum CVSS score of 9.9. What makes it especially dangerous is its low complexity: attackers armed with only low-privileged credentials can remotely inject code and achieve a full system takeover—no user interaction required.

Discovered by SecurityBridge and patched by SAP in August 2025, the vulnerability is already being actively exploited in the wild. Attackers have been observed manipulating business data, creating ne...


Fake Job Interviews, Real Hacks: How North Korean Spies Steal Billions in Crypto
#253
09/08/2025

North Korean cybercriminals have escalated their social engineering operations, deploying a wave of sophisticated campaigns designed to infiltrate cryptocurrency and decentralized finance (DeFi) organizations. At the center of these operations is the “Contagious Interview” campaign, where hackers impersonate recruiters and trick job seekers into downloading malicious software under the guise of skill assessments or interview tasks. Victims are often lured into copying commands from fabricated error messages, unknowingly executing malware that grants attackers access to sensitive systems.

But the threat doesn’t stop there. Hackers are also posing as investment institution employees on platforms like Telegram, exploiting trust...


Cato Networks Acquires Aim Security to Bolster AI Defense in SASE
#252
09/05/2025

Cato Networks, a leader in Secure Access Service Edge (SASE), has made its first acquisition, purchasing Aim Security, an AI security startup founded in 2022. The acquisition, valued at an estimated $300–350 million, represents a major step in addressing the growing risks tied to generative AI adoption in enterprises.

As organizations increasingly embrace AI, a phenomenon known as “shadow AI” has emerged, with employees feeding sensitive company data into public tools like ChatGPT and Microsoft Copilot — often via personal accounts. This uncontrolled use of AI presents enormous security challenges, from exposing customer data and intellectual property to bypassing corporate complian...


Tidal Cyber Secures $10M to Advance Threat-Informed Defense
#251
09/04/2025

Cybersecurity startup Tidal Cyber, founded in 2022 by three former MITRE experts, has raised $10 million in Series A funding, bringing its total capital to $15 million. The funding will accelerate the company’s product innovation and expansion, advancing its mission to operationalize the MITRE ATT&CK framework and empower organizations with threat-informed defense.

Unlike traditional security approaches that rely on compliance checklists or vulnerability counts, Tidal Cyber focuses on real-world adversary behavior. Its platform maps tactics, techniques, and procedures (TTPs) used by threat actors, providing defenders with actionable intelligence that goes far beyond indicators of compromise. A standout feature is...


Disney Fined $10M for COPPA Violations Over Mislabeling Kids’ Content on YouTube
#252
09/04/2025

Disney has reached a $10 million settlement with the U.S. Federal Trade Commission (FTC) after being found in violation of the Children’s Online Privacy Protection Act (COPPA). At the heart of the case is Disney’s failure to properly label child-directed content on YouTube as “Made for Kids” (MFK). Instead, many videos — including clips from Frozen, Moana, Cars, Tangled, Toy Story, and other beloved franchises — were incorrectly designated as “Not Made for Kids” (NMFK), enabling YouTube to collect personal data from viewers under 13 for targeted advertising without parental consent.

This mislabeling occurred despite earlier enforcement actions, such as the 2019...


Google Patches 111 Android Flaws in September 2025, Including Two Zero-Days Under Attack
#251
09/04/2025

Google has released its September 2025 Android security patches, addressing a staggering 111 unique vulnerabilities, including two actively exploited zero-day flaws that are already being used in targeted attacks. These zero-days — CVE-2025-38352, a Linux kernel race condition, and CVE-2025-48543, a flaw in the Android Runtime — allow attackers to escalate privileges and potentially take control of devices. Both issues require no special permissions or user interaction to exploit, making them especially dangerous.

The update also fixes a critical remote code execution (RCE) vulnerability in the System component (CVE-2025-48539) that attackers could abuse without elevated privileges. Combined, these vuln...


Google Warns of Sitecore Zero-Day: ViewState Deserialization Under Fire
#250
09/04/2025

A critical zero-day vulnerability, CVE-2025-53690, is being actively exploited in the wild, targeting Sitecore Experience Manager (XM) and Experience Platform (XP) systems deployed with outdated ASP.NET machine keys. Google and Microsoft threat intelligence teams have confirmed that attackers are leveraging ViewState deserialization attacks to achieve remote code execution (RCE), enabling full compromise of vulnerable IIS servers.

Once inside, attackers deploy WeepSteel malware, a reconnaissance and data exfiltration tool that blends into normal traffic by disguising exfiltrated information as benign ViewState responses. Post-exploitation activity includes creating stealthy administrator accounts (e.g., asp$, sawadmin), harvesting credentials, dumping...


Brokewell Malware Targets Android Users via Fake TradingView Ads on Meta
#249
09/03/2025

A new and highly sophisticated Android malware campaign, dubbed Brokewell, has emerged as one of the most dangerous mobile threats of 2024–2025. First spotted in April 2024 disguised as fake browser updates, Brokewell has since evolved into a fully featured spyware and remote access trojan (RAT), delivered through deceptive Meta (Facebook) advertisements. The latest campaign, active since July 2024, lures unsuspecting users with fraudulent promises of a premium version of the popular trading platform TradingView. Victims who sideload the malicious app are unknowingly giving attackers near-total control over their devices.

Brokewell is no ordinary piece of malware—it is built for...


Von der Leyen and Shapps Flights Hit by Suspected Russian Electronic Warfare
#249
09/02/2025

Aviation safety and geopolitics collided when multiple flights carrying high-ranking European and UK officials were hit by suspected Russian GPS jamming. European Commission President Ursula von der Leyen’s flight to Bulgaria experienced a severe GPS outage, forcing a manual landing. EU officials immediately pointed the finger at Moscow, calling the incident “blatant interference.” Around the same time, UK Defence Secretary Grant Shapps’s jet lost GPS and communications while flying near Russia’s heavily militarized Kaliningrad enclave, an area long associated with electronic warfare testing.

These incidents underscore a growing pattern of Russian electronic warfare tactics in the Bal...


Salesforce and Google Workspace Compromised in Largest SaaS Breach
#248
09/02/2025

In August 2025, the largest SaaS breach of the year shook the enterprise world when a newly identified threat actor, UNC6395, orchestrated a supply-chain attack through compromised Salesloft Drift and Drift Email applications. By stealing OAuth tokens, the attackers gained unauthorized access to Salesforce and Google Workspace environments of more than 700 companies—an attack scale ten times greater than previous Salesforce breaches.

The attackers exfiltrated sensitive business data, including Salesforce account records, customer contacts, support cases, and opportunity details. More alarmingly, they actively searched for credentials such as AWS access keys, Snowflake tokens, VPN logins, and passwords, putting cr...


Chained Zero-Days: WhatsApp and Apple Exploits Used in Sophisticated Spyware Attacks
#247
09/02/2025

A pair of newly discovered zero-day vulnerabilities—CVE-2025-43300 in Apple’s ImageIO framework and CVE-2025-55177 in WhatsApp—have been confirmed as part of a sophisticated spyware campaign targeting both iPhone and Android users. Security researchers revealed that attackers chained these flaws together in seamless zero-click exploits, requiring no user interaction to compromise devices. The Apple vulnerability, which exploited flaws in how Digital Negative (DNG) files were processed, enabled arbitrary code execution, while the WhatsApp flaw allowed attackers to force devices to fetch malicious content from arbitrary URLs.

Amnesty International reports that these vulnerabilities were used agains...


Miljödata Cyberattack: 80% of Swedish Municipalities Hit in Extortion Strike
#246
08/29/2025

Sweden is reeling from one of the largest public sector cyber incidents in its history. A ransomware attack on Miljödata, an IT services provider supporting nearly 80% of Sweden’s municipalities and several regions, has left critical systems inaccessible and raised fears of a massive leak of sensitive personal data. The stolen information could include medical certificates, labor law cases, rehabilitation data, and records of workplace injuries, placing thousands of citizens at risk.

The attackers are demanding 1.5 Bitcoin (≈1.5 million SEK, $168,000) to return the stolen data—an extortion tactic that has become a hallmark of modern ransomware. This crisis...


PromptLock Ransomware: How AI is Lowering the Bar for Cybercrime
#246
08/29/2025

The cybersecurity world has entered a new era: AI-powered ransomware. Researchers recently uncovered PromptLock, a proof-of-concept malware that uses OpenAI’s gpt-oss:20b model and Lua scripting to autonomously generate malicious code, encrypt data, and exfiltrate files across Windows, Linux, and macOS. While still experimental, PromptLock demonstrates just how quickly artificial intelligence can be weaponized for cybercrime—and how it drastically lowers the barrier to entry, enabling even low-skilled attackers to launch sophisticated attacks.

PromptLock’s design highlights the dual-use nature of AI models. By embedding hard-coded prompts, it can dynamically generate Lua scripts that decide in real t...


Hybrid AD at Risk: Storm-0501 Exploits Entra ID for Cloud-Native Ransomware
#245
08/28/2025

The 2025 Purple Knight Report paints a stark picture of enterprise identity security: the average security assessment score for hybrid Active Directory (AD) and Entra ID environments has plummeted to just 61%—a failing grade and an 11-point decline since 2023. This troubling trend underscores the persistent challenges organizations face in protecting their most critical authentication and authorization infrastructure.

Meanwhile, financially motivated groups like Storm-0501 are exploiting these weaknesses with cloud-native ransomware tactics. Once focused on on-premises attacks, Storm-0501 now leverages compromised credentials, misconfigurations, and hybrid cloud pivot points to exfiltrate data, destroy backups, and encrypt Azure resources. Their attacks do...


AI-Powered Polymorphic Phishing: The New Era of Social Engineering
#245
08/28/2025

Cybercrime is entering a new phase—one marked by AI-powered phishing attacks, the weaponization of legitimate remote access tools, and the rise of professionalized underground markets.

Recent reports highlight the alarming growth of AI-driven polymorphic phishing, where malicious emails are automatically tailored, randomized, and adapted in real time. By scraping public data and mimicking communication styles, attackers craft hyper-personalized spear phishing messages capable of bypassing blocklists, static signatures, and secure email gateways. Some campaigns even incorporate deepfake voice and video content, making them nearly indistinguishable from legitimate communications. With 82% of recent phishing campaigns showing AI involvement—a 53% surg...


Salesforce Breach: How OAuth Token Theft Exposed Hundreds of Organizations
#244
08/28/2025

The recent Salesforce data breach underscores a growing reality in cybersecurity: even when core SaaS platforms are secure, their third-party integrations often aren’t. Between August 8–18, 2025, attackers from the group UNC6395 exploited compromised OAuth tokens from the Salesloft Drift AI chat integration, systematically exporting data from hundreds of Salesforce customer instances. The stolen data included sensitive credentials like AWS access keys, Snowflake tokens, and user passwords—a goldmine for further attacks. Google’s Threat Intelligence Group reported over 700 potentially affected organizations, though Salesforce has downplayed the scale.

Critically, this wasn’t a flaw in Salesforce itself but rather a w...


Silk Typhoon’s Fake Adobe Update: How China-Backed Hackers Target Diplomats
#243
08/28/2025

A new and highly sophisticated cyber espionage campaign attributed to Silk Typhoon—also known as Mustang Panda, TEMP.Hex, or UNC6384—has been uncovered, targeting diplomats and government entities across Southeast Asia. Researchers from Google’s Threat Intelligence Group (GTIG) revealed that the attackers deployed Adversary-in-the-Middle (AitM) techniques to hijack web traffic at captive portals, redirecting victims to a malware-serving website disguised as a legitimate Adobe update page.

Unsuspecting users were tricked into downloading a digitally signed installer, AdobePlugins.exe, carrying the STATICPLUGIN downloader. This malicious file was signed with a valid certificate from Chengdu Nuoxin Times Techno...


FTC Warns Tech Giants: Don’t Weaken Encryption for Foreign Governments
#242
08/27/2025

The fight over encryption has entered a new phase. The Federal Trade Commission (FTC), led by Chairman Andrew Ferguson, has issued a strong warning to major U.S. technology companies: resist foreign government demands to weaken encryption. At stake is nothing less than the security of millions of Americans’ private communications, financial data, and digital identities.

This warning comes amid growing pressure from foreign governments, particularly through Europe’s Digital Services Act and the UK’s Online Safety and Investigatory Powers Acts, which often push companies to create encryption backdoors for law enforcement access. Ferguson cautioned that applyi...


Invisible Prompts: How Image Scaling Attacks Break AI Security
#242
08/27/2025

Researchers have uncovered a new form of indirect prompt injection that leverages a simple but powerful trick: image scaling. This novel attack involves hiding malicious instructions inside high-resolution images, invisible to the human eye. When AI systems automatically downscale these images during preprocessing, the hidden prompt becomes visible—not to the user, but to the AI model itself. The result? The model executes instructions the user never saw, potentially leading to data exfiltration, manipulation, or unauthorized actions.

In this episode, we break down how this attack works, why it’s so stealthy, and the risks it poses to e...


Healthcare Services Group Breach Exposes 624,000 Individuals’ Sensitive Data
#241
08/27/2025

The healthcare sector has been rocked yet again by a massive cybersecurity incident. Healthcare Services Group (HCSG), a provider of dining and laundry services to healthcare facilities, disclosed a data breach that compromised the personal information of over 624,000 individuals. Between late September and early October 2024, hackers gained unauthorized access to HCSG’s systems, exfiltrating files containing names, Social Security numbers, driver’s license details, financial account information, and login credentials. While no fraud has been confirmed yet, the scale and sensitivity of the stolen data put victims at significant risk of identity theft.

Adding to the complexity, the...


Auchan Data Breach: Hundreds of Thousands of Loyalty Accounts Compromised
#241
08/27/2025

French retail giant Auchan has confirmed a massive data breach that compromised the personal details of hundreds of thousands of customers. The stolen data includes names, addresses, phone numbers, email addresses, and loyalty card numbers—though banking details, passwords, and PINs were reportedly not affected. Despite this, the breach is serious enough that Auchan has deactivated affected loyalty cards, requiring customers to visit stores in person to obtain replacements.

Authorities, including the French data protection regulator CNIL, have been notified, and Auchan is warning customers to be on high alert for phishing attempts that may leverage the ex...


Docker Desktop Vulnerability: Why Containers Aren’t as Safe as You Think
#240
08/27/2025

A critical vulnerability in Docker Desktop, CVE-2025-9074, has shaken the container security world. Scoring 9.3 on the CVSS scale, this flaw exposed an unauthenticated Docker Engine API (192.168.65.7:2375) to any container running on Windows and macOS. With nothing more than a few HTTP requests—or even three lines of Python code—attackers could escape their container boundaries and manipulate host files. On Windows, this meant full system compromise: mounting the entire C: drive, stealing sensitive data, or overwriting system DLLs for administrator-level control. On macOS, while user prompts and lower privileges offered partial safeguards, attackers could still tamper with Docker itse...


Arch Linux Website, Forums, and AUR Targeted in Sustained Cyber Assault
#239
08/26/2025

The Arch Linux community has just endured more than a week of turbulence as a massive distributed denial-of-service (DDoS) attack disrupted its most critical services, including the main website, the Arch User Repository (AUR), and community forums. Beginning in mid-August 2025, the sustained volumetric and protocol-level assault overwhelmed hosting infrastructure, triggered connection resets, and made access to packages and documentation unreliable for countless users. While the Arch DevOps team has managed partial recovery and implemented emergency workarounds, the main site remains intermittently affected, and the investigation into the attackers’ identity and motives continues.

In this episode, we examine th...


Data I/O Ransomware Attack: Supply Chain Cybersecurity in Crisis
#238
08/26/2025

Cyberattacks against supply chains are no longer isolated disruptions—they are systemic threats with the power to cascade across industries and nations. The recent ransomware attack on Data I/O, a chip programming firm whose customers include global giants like Apple, Microsoft, Amazon, and Bosch, demonstrates how one breach can disrupt manufacturing, shipping, and communications far beyond a single company’s walls. Like Colt Technology Services before it, Data I/O faced crippling operational outages, possible data exfiltration, and financial damage so significant it had to file disclosures with the SEC. These incidents reflect a broader trend: ransomware groups now...


BianLian Ransomware Strikes Aspire Rural Health: 138,000 Patients Exposed
#238
08/26/2025

The U.S. healthcare sector continues to face relentless cyberattacks, and rural hospitals are increasingly at the center of this crisis. The recent Aspire Rural Health System breach in Michigan—attributed to the BianLian ransomware group—exposed the personal and medical data of nearly 140,000 patients and staff. From Social Security numbers and financial accounts to detailed medical histories and biometric identifiers, the scale and sensitivity of the compromised information make this one of the most damaging healthcare data breaches to date.

This episode dives into the attack timeline, how BianLian infiltrated Aspire’s systems, and why rural hospit...


OneFlip: How a Single Bit-Flip Can Hack AI Models
#237
08/26/2025

Artificial Intelligence (AI) models are shaping the future of industries from healthcare and finance to autonomous vehicles and national infrastructure. But with this rise comes a hidden battlefield: adversarial attacks designed to manipulate AI systems in subtle yet devastating ways. One of the most alarming threats is the OneFlip attack, a method that exploits a hardware flaw known as Rowhammer to flip a single bit in a model’s memory. This tiny, nearly undetectable change can force AI systems into catastrophic misclassifications—turning stop signs into speed limits, altering medical diagnoses, or tricking financial algorithms. Unlike traditional cyberattacks, OneFlip and...


PyPI Cracks Down on Domain Expiration Attacks to Protect Python Packages
#236
08/21/2025

The Python Package Index (PyPI), the backbone of the global Python ecosystem, has rolled out new security safeguards aimed at stopping a dangerous form of supply-chain attack: domain resurrection attacks. These attacks exploit a subtle but devastating weakness—when a maintainer’s email domain expires, attackers can re-register it, hijack the email, and reset the maintainer’s PyPI account password. With that access, malicious actors could inject harmful code into widely used Python packages, creating ripple effects across software projects worldwide.

To address this, PyPI has introduced a preventive control: email addresses linked to expired or expiring domain...


AI Joins the Fight Against Exploits: Google and Mozilla Patch Dangerous Vulnerabilities
#235
08/20/2025

Both Google and Mozilla have rolled out urgent security updates to patch multiple high-severity vulnerabilities in their flagship browsers—Google Chrome and Mozilla Firefox—underscoring the constant arms race between developers and cyber attackers.

Google’s update addresses a critical out-of-bounds write vulnerability (CVE-2025-9132) within Chrome’s V8 JavaScript engine, which could allow attackers to execute arbitrary code on a victim’s system simply by luring them to a malicious webpage. What makes this case especially notable is the discovery method: the flaw was identified by Google’s “Big Sleep” AI agent, a tool designed to proactively hunt...


Britain Backs Down: UK Drops Encryption Backdoor Demand on Apple
#234
08/20/2025

A major international clash over encryption has come to a dramatic resolution. Earlier this year, the U.K. government, acting under its controversial Investigatory Powers Act of 2016 (IPA)—better known as the “Snoopers’ Charter”—issued a secret Technical Capacity Notice to Apple, demanding that the company weaken its Advanced Data Protection (ADP) system to allow government access to encrypted iCloud data. The order forced Apple to temporarily disable ADP for U.K. users, sparking outrage among privacy advocates, civil liberties groups, and even the United States government.

At the heart of the dispute was whether a democratic government...


PipeMagic Backdoor: How Ransomware Actors Exploited a Windows Zero-Day
#234
08/20/2025

In early 2025, Microsoft and security researchers uncovered PipeMagic, a modular and memory-resident backdoor that has been quietly leveraged in ransomware campaigns worldwide. Disguised as a legitimate ChatGPT desktop application, this sophisticated malware granted persistent access, precise control, and stealthy communication channels to its operators. Attributed to Storm-2460, a financially motivated threat group linked to the RansomEXX ransomware family, PipeMagic represents a dangerous evolution in ransomware delivery and persistence.

PipeMagic exploited a critical Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS), allowing attackers to escalate privileges to SYSTEM level. Once inside, the malware used...


270,000 Intel Employee Records at Risk from Authentication Bypass and Hardcoded Credentials
#233
08/20/2025

In late 2024, Intel faced a major cybersecurity wake-up call when security researcher Eaton Zveare uncovered a series of vulnerabilities inside the company’s internal systems—flaws that exposed employee and supplier data at unprecedented scale. These vulnerabilities, later confirmed and patched by Intel, included authentication bypasses in web applications and the use of hardcoded credentials, some as simple as admin/admin123, across critical platforms.

Through these exploits, Zveare demonstrated that it was possible to access sensitive employee information—names, emails, phone numbers, and roles—impacting more than 270,000 Intel workers worldwide, along with potentially confidential supplier details and contract...


How Social Engineering and Vendor Weaknesses Led to Allianz Life’s Massive Breach
#232
08/20/2025

In July 2025, Allianz Life Insurance Company of North America confirmed a data breach impacting over 1.1 million customers, financial professionals, and employees—a stark reminder of how vulnerable even the most established financial institutions remain to evolving cyber threats. The breach stemmed from a third-party vendor compromise, specifically a cloud-based Salesforce CRM platform, where attackers leveraged sophisticated social engineering tactics to trick employees into granting unauthorized access.

According to investigators, hackers posed as IT helpdesk personnel and persuaded employees to authorize malicious connections to Salesforce’s Data Loader tool, opening the door to sensitive customer data. This method mirr...