Incidents
A targeted intrusion against Taiwanese web hosting infrastructure is detailed by Talos, which attributes the activity to UAT-7237, a Chinese‑language threat actor active since at least 2022 and assessed as a subgroup of UAT-5918. The operators exploited unpatched, internet‑facing servers, then moved quickly to fingerprint systems, harvest credentials, and pivot. The campaign mixed customized and open‑source tooling, including a bespoke shellcode loader called SoundBill (derived from VTHello) to decode local payloads and load position‑independent Cobalt Strike beacons over HTTPS. Other tools included JuicyPotato, Mimikatz (also embedded within SoundBill), SharpWMI, WMICmd, FScan, and SMB scanners used to enumerate hosts and dump LSASS memory. Talos observed configuration changes such as disabling UAC and enabling WDigest, and artifacts tied to SoftEther VPN usage with operator preferences set to Simplified Chinese. The result was sustained access to hosting, cloud, and VPN resources with significant credential exposure and lateral movement risk. The report provides indicators, Snort rules, and detection guidance; recommended steps include prioritizing patching of internet‑exposed services, monitoring for SoftEther and unusual RDP/SMB activity, detecting LSASS dumping and Cobalt Strike indicators, and hardening endpoints and networks against the techniques described.
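As an added defensive example, not code from the Talos report: a PowerShell audit that flags the two configuration changes the report describes, WDigest credential caching enabled and UAC disabled. The registry paths and value names are the standard Windows locations for these settings; the function names and output format are this example's own.

```powershell
# Constructed audit script (not part of the Talos report). It checks a host for
# the two hardening regressions attributed to UAT-7237: WDigest plaintext
# credential caching turned on, and User Account Control turned off.

function Test-RegistrySetting {
    param(
        [string]$Check,
        [string]$Path,
        [string]$Name,
        [int]$BadValue,
        [string]$Expected
    )
    # An absent value is an expected outcome here, not an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 'absent' } else { $item.$Name }
    $status = if ($value -eq $BadValue) { 'FAIL' } else { 'OK' }
    [pscustomobject]@{ Check = $Check; Value = $value; Expected = $Expected; Status = $status }
}

function Test-CredentialHardening {
    # UseLogonCredential = 1 makes LSASS keep plaintext credentials in memory,
    # which is what makes the LSASS dumping described in the report pay off.
    # On supported Windows versions the value is absent or 0 by default.
    Test-RegistrySetting -Check 'WDigest UseLogonCredential' `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name 'UseLogonCredential' -BadValue 1 -Expected '0 or absent'

    # EnableLUA = 0 disables User Account Control entirely.
    Test-RegistrySetting -Check 'UAC EnableLUA' `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'EnableLUA' -BadValue 0 -Expected '1'
}

$results = Test-CredentialHardening
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or configuration-management run flag drift.
if ($results.Status -contains 'FAIL') { exit 1 }
```

For continuous detection rather than a point-in-time audit, registry value-set telemetry (for example Sysmon Event ID 13) scoped to these two paths catches the change as it is made.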
Separately, KrebsOnSecurity documents a “ramp and dump” cashout tactic targeting compromised retail brokerage accounts. Gangs seed purchases of thinly traded or IPO shares across many victim accounts and liquidate in concert to move prices, leaving legitimate investors with losses. The ecosystem includes Chinese‑language Telegram vendors supplying turnkey phishing kits; one prominent seller (“Outsider”) pushes iMessage and RCS lures impersonating major brokers and capturing credentials and OTPs via human‑in‑the‑loop operations. The activity follows earlier mobile‑wallet enrollments that exploited OTP-based onboarding. The write‑up notes varied MFA offerings across brokers and highlights hardware security keys as resistant to OTP phishing, alongside recommendations for stronger, phishing‑resistant MFA, closer monitoring for coordinated trading patterns, and improved user communications and education.
Platforms
Capacity options expanded in Southeast Asia as EC2 R8g launched in the AWS Asia Pacific (Jakarta) Region. These Graviton4‑based instances are aimed at memory‑intensive workloads, with vendor‑reported gains over the prior generation and sizes up to 48xlarge with 1.5 TB RAM. Built on the Nitro System, they offer up to 50 Gbps networking and 40 Gbps to EBS. AWS points to migration aids such as Porting Advisor and the Graviton Fast Start program; organizations should validate compatibility and run representative benchmarks before broad adoption.
Operational visibility for key‑value workloads received two updates. First, DynamoDB now emits more granular throttling exceptions, including specific reasons and the ARN of the throttled table or index, with companion CloudWatch metrics; SDK upgrades are required to receive the expanded payloads in clients. Second, a targeted telemetry mode for Contributor Insights can limit events to throttled keys only, reducing noise and monitoring cost while making hotspots easier to pinpoint. Suggested remediations include capacity adjustments, on‑demand mode, and access‑pattern and key‑design optimization.
Network and access controls were also tightened. ACM now supports PrivateLink, allowing certificate lifecycle operations from within a VPC without traversing the public internet—a fit for segmented and regulated environments across commercial, GovCloud, and China Regions. For multi‑account observability, Amazon Managed Service for Prometheus added resource‑based policies so workspace owners can directly grant external IAM principals permission to ingest metrics or run queries, reducing role‑assumption overhead while emphasizing careful, least‑privilege policy design.
Data and AI workflows gained new options. Athena supports CREATE TABLE AS SELECT for S3 Tables—the Iceberg‑native, managed table format—so teams can convert and partition heterogeneous datasets into optimized managed tables via a single SQL statement. Meanwhile, Amazon Neptune integrates with Cognee to provide a graph‑native memory layer for agentic applications, combining graph reasoning with vector and keyword retrieval for more context‑aware generative AI. Both updates streamline operations but call for governance over metadata, access controls, and persisted agent memory.
Research
A consumer‑focused analysis from Kaspersky reviews how unsolicited deliveries have evolved from benign “brushing” into multi‑step fraud. Tactics include postcards, stickers, and QR‑laden inserts that push victims to pay fake fees, divulge credentials or OTPs, or install malicious apps; some campaigns add call‑center follow‑ups or phone numbers that facilitate social engineering and larger charges. Cash‑on‑delivery variants, law‑enforcement impersonation, and even mailed USB devices aimed at high‑value targets show that physical channels can be part of threat actors’ playbooks. The guidance emphasizes avoiding unknown QR codes and phone numbers on parcels, refusing ad‑hoc delivery or customs payments, verifying tracking via official courier sites, not connecting unknown storage media, enabling two‑factor authentication, monitoring statements, and reporting incidents to couriers and police with preserved packaging evidence.