Cybersecurity Brief

Platform Controls Lead as Android Patches and Token Abuse Surface

Coverage: 03 Sept 2025 (UTC)

Platform teams led with preventive controls while responders worked through active exploits. AWS introduced redacted error log summaries for Clean Rooms ML to speed debugging without exposing raw data. Google’s September Android update fixed 120 flaws, including two zero‑days under targeted attack, per The Hacker News. And Google Cloud rolled out DNS64/NAT64 to help IPv6‑only workloads reach IPv4 services, a practical bridge as networks transition.

Platform Controls Advance Collaborative AI

AWS added a privacy control to Clean Rooms ML that sends redacted error log summaries—with exception type, message, and code line—to selected collaborators while masking PII, numerics, or custom strings. The feature is designed to reduce friction in cross‑organization model development by providing actionable diagnostics without sharing data or model artifacts. AWS advises careful redaction policy design and least‑privilege access because verbose errors can still leak sensitive context; teams should also confirm regional availability and align collaboration and governance processes before enabling the capability. The aim is faster issue resolution with guardrails that protect proprietary inputs and IP.

Cloudflare consolidated its AI Week announcements around securing AI workflows, protecting original content, enabling safer AI app development, and applying AI internally. The recap covers prompt protection in Cloudflare One, an Application Confidence Score for AI apps, expanded CASB coverage for popular assistants, bot and crawler controls to defend content, and developer offerings like AI Gateway routing, inference optimizations, Workers AI models, and moderation for AI traffic. Cloudflare positions these additions to curb shadow AI risks, improve visibility, and streamline building AI features with embedded safeguards.

Advisories And Patch Activity Intensify

Android’s September bulletin includes fixes for 120 vulnerabilities and highlights two elevation‑of‑privilege flaws—CVE‑2025‑38352 in the Linux kernel and CVE‑2025‑48543 in the Android Runtime—observed in limited, targeted exploitation. Google describes both as enabling local privilege escalation without additional permissions or user interaction, underscoring the importance of prompt updates by partners and users. The release also spans remote code execution, information disclosure, and denial‑of‑service issues across Framework and System components.

Sitecore administrators face active exploitation of CVE‑2025‑53690, a ViewState deserialization issue where attackers recovered sample ASP.NET machine keys from web.config and crafted malicious __VIEWSTATE payloads to achieve remote code execution. Google Cloud (Mandiant Threat Defense) details use of an embedded .NET assembly (WEEPSTEEL), EARTHWORM for reverse SOCKS, DWAGENT for persistence, and SharpHound reconnaissance, along with privilege escalation and lateral movement. Sitecore has updated deployment processes to auto‑generate unique machine keys and notified customers. Recommended steps include rotating machine keys, enabling ViewState MAC, encrypting secrets in web.config, and monitoring for the provided IOCs. Why it matters: the incident shows how legacy configuration defaults can translate into reliable RCE chains.

Network Migration And DR Confidence

DNS64 and NAT64 are now available in Google Cloud’s Cross‑Cloud Network to let IPv6‑only workloads reach IPv4‑only services by synthesizing AAAA records (64:ff9b::/96) and proxying outbound connections. This lowers the operational burden of dual‑stack while preserving access to legacy systems during phased IPv6 adoption. Google’s guidance includes concrete deployment steps using gcloud, Cloud Router, and a Cloud NAT gateway with NAT64 enabled. The approach gives enterprises a controllable on‑ramp to IPv6 across hybrid and multicloud estates.

For analytics resilience, BigQuery added a soft failover mode to Managed Disaster Recovery that promotes the secondary only after replication is confirmed complete. Google Cloud says this enables realistic, low‑risk DR drills that meet defined RPO/RTO objectives, with hard failover remaining available for emergencies. The feature is exposed via UI, DDL, and CLI, helping teams standardize runbooks and audits without risking data loss in planned exercises.

Active Threats: Tokens, Promptware, And Rapid N‑Day Exploits

Salesloft temporarily took Drift offline after investigators traced a campaign abusing stolen OAuth and refresh tokens to access customer environments. According to The Hacker News, activity linked to UNC6395 ran at least Aug 8–18 and targeted Salesforce instances, prompting Salesforce to disable Salesloft integrations while the review proceeds. Confirmed victims include large vendors, and Google indicated more than 700 organizations may be potentially impacted. The episode underscores supply‑chain risk in token‑based integrations and the need to audit third‑party access, rotate tokens, and review case data for embedded secrets.

Researchers documented practical indirect prompt‑injection attacks against consumer assistants, showing “promptware” delivered through everyday artifacts (calendar invites, emails, shared docs) can trigger tool or app misuse, memory poisoning, data exfiltration, and even on‑device lateral movement. The study presented 14 scenarios, a TARA risk framework, and reported coordinated disclosure to Google, which deployed targeted mitigations that reduced assessed risk in many cases. Schneier’s write‑up emphasizes that current models struggle to separate trusted commands from untrusted data.

HexStrike‑AI, an AI‑enabled offensive framework, is being adapted in the wild to automate exploitation of recent Citrix NetScaler flaws, cutting n‑day weaponization times from days to hours. BleepingComputer cites Check Point observations of automated scanning, exploit delivery leading to unauthenticated RCE, webshell deployment, and persistence, with thousands of exposed endpoints still observed shortly after disclosure. The takeaway: rapid patching and adaptive detection are critical as attackers operationalize AI‑driven toolchains.

APT28’s Outlook‑focused backdoor “NotDoor,” described by S2 Grupo’s LAB52, uses obfuscated VBA, Outlook event triggers, DLL side‑loading via a signed OneDrive.exe, and silent macro persistence to receive encrypted commands via email and exfiltrate data. Infosecurity reports the malware supports file theft, command execution, and payload retrieval; mitigations include disabling macros by default, monitoring for suspicious Outlook automation, hardening against DLL side‑loading, and watching for unusual registry changes.

These and other news items from the day:

Wed, September 3, 2025

AWS Clean Rooms ML adds redacted error log summaries

🔒 AWS Clean Rooms ML collaborators can now configure a privacy control to send redacted error log summaries to selected collaboration members. Summaries include exception type, error message, and the line in the code where the error occurred. When associating a model with a collaboration, parties decide which members receive summaries and whether detectable PII, numbers, or custom strings will be redacted. This helps teams debug models while protecting sensitive data and intellectual property.

Wed, September 3, 2025

Agent Factory: From Prototype to Production with Foundry

🔧 Azure AI Foundry aims to accelerate the path from IDE prototypes to enterprise-grade AI agents. It emphasizes local-first prototyping, a single, consistent Model Inference API, and one-click deployment from VS Code and GitHub so developer code runs unchanged in production. Foundry supports popular frameworks like Semantic Kernel and AutoGen, embraces open protocols (MCP, A2A), and supplies prebuilt connectors, observability, and enterprise guardrails to scale agents securely.

Wed, September 3, 2025

Indirect Prompt-Injection Threats to LLM Assistants

🔐 New research demonstrates practical, dangerous promptware attacks that exploit common interactions—calendar invites, emails, and shared documents—to manipulate LLM-powered assistants. The paper Invitation Is All You Need! evaluates 14 attack scenarios against Gemini-powered assistants and introduces a TARA framework to quantify risk. The authors reported 73% of identified threats as High-Critical and disclosed findings to Google, which deployed mitigations. Attacks include context and memory poisoning, tool misuse, automatic agent/app invocation, and on-device lateral movement affecting smart-home and device control.

Wed, September 3, 2025

Google ships September Android patches for 120 flaws

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

Wed, September 3, 2025

Amazon MQ Adds OAuth 2.0 Support for RabbitMQ Brokers

🔐 Amazon MQ now supports OAuth 2.0 authentication and authorization for RabbitMQ brokers, allowing client and user authentication via JWT-encoded access tokens in single-instance and Multi-AZ cluster deployments. You can enable OAuth 2.0 through the AWS Console, CloudFormation, CLI, or CDK, and the feature is available in all regions where Amazon MQ is offered. Compatibility with standard RabbitMQ OAuth 2.0 implementations helps ensure a smooth migration for existing deployments.

Wed, September 3, 2025

Target modernizes search with hybrid AlloyDB AI platform

🔍 Target rebuilt its on-site search to combine lexical keyword matching with semantic vector retrieval, using AlloyDB AI to power filtered vector queries at scale. The engineering team implemented a multi-index architecture and a multi-channel relevance framework so hybrid queries can apply native SQL filters alongside vector similarity. The overhaul produced measurable gains — ~20% improvement in product discovery relevance, halved "no results" occurrences, and large latency reductions — while consolidating the stack and accelerating development.

Wed, September 3, 2025

DNS64 and NAT64 for Connecting IPv6-only Workloads

🌐 Google Cloud introduces DNS64 and NAT64 for Cross‑Cloud Network to allow IPv6-only workloads to access IPv4-only services without dual‑stack. DNS64 synthesizes AAAA responses by embedding IPv4 addresses into the 64:ff9b::/96 prefix, and NAT64 translates traffic by extracting those addresses and initiating IPv4 connections on behalf of IPv6 clients. The blog post includes step‑by‑step gcloud commands to create VPCs, DNS64 policies, and a NAT64 gateway.

Wed, September 3, 2025

Amazon RDS for Oracle Adds Support for Bare Metal Instances

🆕 Amazon RDS for Oracle and Amazon RDS Custom for Oracle now support a range of bare metal instance types, with pricing at about 25% below equivalent virtualized instances. Supported families include M7i, R7i, X2iedn, X2idn, X2iezn, M6i, M6id, M6in, R6i, R6id, and R6in. Using the Multi-tenant feature you can consolidate multiple databases onto a single bare metal instance to reduce infrastructure cost, and you may also be able to lower commercial Oracle licensing and support fees because bare metal provides full visibility into CPU cores and sockets. Bare metal is available with Bring Your Own License (BYOL) for Oracle Enterprise Edition; consult RDS pricing and your licensing partner for region and configuration availability.

Wed, September 3, 2025

Cloudflare AI Week 2025: Product, Security, and Tools

🔒 Cloudflare framed AI Week 2025 around products and controls to help organizations adopt AI while retaining safety and visibility. The company emphasized four core priorities: securing AI environments and workflows; protecting original content from misuse; enabling developers to build secure AI experiences; and applying AI to improve Cloudflare’s services. Key launches included AI Gateway, Infire, AI Crawl Control, expanded CASB scanning, and MCP Server Portals, with a continued focus on customer feedback and ongoing investment.

Wed, September 3, 2025

Amazon Bedrock: Global Cross-Region Inference for Claude 4

🔁 Anthropic's Claude Sonnet 4 is now available with Global cross‑Region inference in Amazon Bedrock, allowing inference requests to be routed to any supported commercial AWS Region for processing. The Global profile helps optimize compute resources and distribute traffic to increase model throughput. It supports both on‑demand and batch inference and is intended for use cases that do not require geography‑specific routing.

Wed, September 3, 2025

Salesloft Takes Drift Offline After OAuth Token Theft

🔒 Salesloft said it will temporarily take its Drift chatbot service offline after a supply-chain compromise led to the mass theft of OAuth and refresh tokens tied to the Drift AI chat agent. The outage is intended to allow a comprehensive security review and build additional resiliency; Drift chatbot functionality and access will be unavailable during the process. Salesloft is working with cybersecurity partners Mandiant and Coalition while investigators, including Google Threat Intelligence Group, attribute the campaign to UNC6395 and report that more than 700 organizations may be affected.

Wed, September 3, 2025

HexStrike‑AI Enables Rapid N‑Day Exploitation of Citrix

🔒 HexStrike-AI, an open-source red‑teaming framework, is being adopted by malicious actors to rapidly weaponize newly disclosed Citrix NetScaler vulnerabilities such as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Check Point Research reports dark‑web chatter and evidence of automated exploitation chains that scan, exploit, and persist on vulnerable appliances. Defenders should prioritize immediate patching, threat intelligence, and AI-enabled detection to reduce shrinking n‑day windows.

Wed, September 3, 2025

BigQuery Managed Disaster Recovery Adds Soft Failover

🔁 Soft failover in BigQuery Managed Disaster Recovery defers promotion of secondary compute and datasets until replication is confirmed, reducing the risk of data loss during planned disaster recovery tests. Unlike hard failover, which may promote immediately and accept RPO gaps to restore service, soft failover coordinates primary and secondary acquiescence to ensure data integrity. Available via the BigQuery UI, DDL, and CLI, it provides administrators with controlled, realistic DR drills without compromising production data.

Wed, September 3, 2025

Google fixes actively exploited Android flaws in September

🔒 Google has released the September 2025 Android security update addressing 84 vulnerabilities, including two zero-day flaws observed in limited, targeted exploitation: CVE-2025-38352 (Linux kernel) and CVE-2025-48543 (Android Runtime). The bulletin also patches four critical issues — including an RCE in the System component and three Qualcomm vulnerabilities affecting modem and data stacks. Users are urged to install security patch level 2025-09-01 or 2025-09-05 via Settings > System > Software updates > System update.

Wed, September 3, 2025

Sitecore ViewState Deserialization Zero-Day Advisory

🔒 Mandiant and Sitecore investigated an active ViewState deserialization exploit that allowed remote code execution on internet-facing Sitecore instances that used publicly exposed sample ASP.NET machine keys. Tracked as CVE-2025-53690, the vulnerability enabled attackers to craft malicious __VIEWSTATE payloads, deploy a reconnaissance backdoor (WEEPSTEEL), and stage tunneling and remote access tooling. Sitecore has updated deployments to auto-generate unique machine keys and notified affected customers; Mandiant recommends rotating keys, enabling ViewState MAC, and encrypting secrets in web.config to mitigate similar attacks.

Wed, September 3, 2025

Russia-backed APT28 Deploys 'NotDoor' Outlook Backdoor

🛡️ Researchers at S2 Grupo’s LAB52 disclosed NotDoor, a VBA-based Outlook backdoor attributed to Russia-backed APT28 that monitors incoming mail for trigger phrases to exfiltrate data, upload files and execute arbitrary commands. The malware abuses Outlook event-driven macros, employs DLL side-loading via a signed OneDrive.exe to load a malicious SSPICLI.dll, and persists by disabling security prompts and enabling macros. Organizations are advised to disable macros by default, monitor Outlook activity and inspect email-based triggers.

Wed, September 3, 2025

Brazilian FinTech Sinqia Discloses $130M Pix Heist Attempt

🔒 Sinqia disclosed an attempted theft of approximately R$710 million (about $130m) from two banking customers processed through its Pix transaction environment on 29 August 2025. The company says attackers leveraged compromised credentials from an IT vendor, halted Pix processing, and engaged forensic teams while cooperating with regulators. A portion of the funds has been recovered and investigations, including law enforcement coordination, are ongoing.

Wed, September 3, 2025

Supply-chain Breach Impacts Palo Alto, Zscaler, Cloudflare

🔒 Three major vendors (Palo Alto Networks, Zscaler, and Cloudflare) disclosed a supply‑chain breach tied to the Salesloft Drift Salesforce integration that exposed OAuth tokens and customer CRM data. The incident reportedly involved mass exfiltration from Account, Contact, Case and Opportunity records and included business contact data and some plaintext case notes. Vendors recommend rotating credentials, revoking unused OAuth tokens, auditing Salesforce Event Monitoring and reviewing SOQL query logs and connected-app activity for signs of abuse.

Wed, September 3, 2025

Cloudflare, Palo Alto Hit by Salesloft Drift Breach

🔒 Cloudflare and Palo Alto Networks disclosed that threat actors accessed their Salesforce tenants via the third‑party Salesloft Drift app after compromising OAuth tokens. Cloudflare reported reconnaissance on 9 August 2025 and said data was exfiltrated from Salesforce case objects between 12–17 August 2025. The exposed fields principally contained support case text and business contact information; Cloudflare identified 104 API tokens and has rotated them, urging customers to rotate any credentials shared in cases. Google’s Threat Intelligence Group links the activity to UNC6395 and warns harvested data may be used for targeted follow‑on attacks.

Wed, September 3, 2025

Smashing Security #433: Hackers Harnessing AI Tools

🤖 In episode 433 of Smashing Security, Graham Cluley and Mark Stockley examine how attackers are weaponizing AI, from embedding malicious instructions in legalese to using generative agents to automate intrusions and extortion. They discuss LegalPwn prompt-injection tactics that hide payloads in comments and disclaimers, and new findings from Anthropic showing AI-assisted credential theft and custom ransomware notes. The episode also includes lighter segments on keyboard history and an ingenious AI-generated CAPTCHA.

Wed, September 3, 2025

U.S. Offers $10M Reward for Info on FSB Cyber Hackers

🛡️ The U.S. Department of State is offering up to $10 million for information on three Russian FSB officers accused of carrying out cyberattacks against U.S. critical infrastructure. The named individuals — Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov — are tied to the FSB's Center 16, tracked under aliases such as Berserk Bear and Dragonfly. Charged in March 2022, the officers are alleged to have run intrusions from 2012–2017 targeting government agencies and energy firms, and recent activity shows exploitation of CVE-2018-0171 in end-of-life Cisco devices. The State Department directs tips to its Rewards for Justice Tor channel; eligible informants could receive rewards and relocation assistance.

Wed, September 3, 2025

Threat Actors Try to Weaponize HexStrike AI for Exploits

⚠️ HexStrike AI, an open-source AI-driven offensive security platform, is being tested by threat actors to exploit recently disclosed vulnerabilities. Check Point reports criminals claim success exploiting Citrix NetScaler flaws and are advertising flagged instances for sale. The tool's automation and retry capabilities can shorten the window to mass exploitation; immediate action is to patch and harden systems.

Wed, September 3, 2025

CISA Adds Two TP-Link Vulnerabilities to KEV Catalog

⚠️ CISA has added two TP-Link vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2023-50224 (TL-WR841N authentication bypass) and CVE-2025-9377 (Archer C7(EU) and TL-WR841N/ND(MS) OS command injection). The agency notes these flaw types are frequent attack vectors and pose significant risk to the federal enterprise under BOD 22-01. Although the directive binds Federal Civilian Executive Branch agencies, CISA urges all organizations to prioritize remediation and reduce exposure.

Wed, September 3, 2025

Iran-linked Spear-Phishing Targets 100+ Embassies Worldwide

📧 Israeli cybersecurity company Dream has attributed a coordinated, multi-wave spear-phishing campaign to Iranian-aligned operators connected to Homeland Justice, targeting embassies, consulates, and international organizations globally. Attackers used geopolitical lures and 104 unique compromised sender addresses — including a hacked mailbox at the Oman Ministry of Foreign Affairs in Paris — to distribute Microsoft Word documents that prompt users to Enable Content and run embedded VBA macros. The macros drop executables that establish persistence, contact command-and-control servers, and harvest system information; ClearSky has also documented related activity and linked it to prior Iranian techniques.

Wed, September 3, 2025

Model Namespace Reuse: Supply-Chain RCE in Cloud AI

🔒 Unit 42 describes a widespread flaw called Model Namespace Reuse that lets attackers reclaim abandoned Hugging Face Author/ModelName namespaces and distribute malicious model code. The technique can lead to remote code execution and was demonstrated against major platforms including Google Vertex AI and Azure AI Foundry, as well as thousands of open-source projects. Recommended mitigations include version pinning, cloning models to trusted storage, and scanning repositories for reusable references.

Wed, September 3, 2025

Cloudflare Mitigates Record 11.5 Tbps UDP Flood Attack

🛡️ Cloudflare said it automatically mitigated a record-setting volumetric DDoS attack that peaked at 11.5 Tbps and reached 5.1 billion packets per second; the UDP flood lasted roughly 35 seconds and reportedly originated largely from Google Cloud. The company reported it has autonomously blocked hundreds of hyper‑volumetric L3/4 attacks in recent weeks, underscoring a sharp surge in such events. Security researchers warn these massive traffic floods can be used as a smoke screen for follow-on targeted exploits.

Wed, September 3, 2025

CISA Adds TP-Link and WhatsApp Vulnerabilities to KEV

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high‑severity flaw in TP‑Link TL‑WA855RE Wi‑Fi range extenders (CVE‑2020‑24363, CVSS 8.8) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The missing authentication issue lets an unauthenticated attacker on the same network submit a TDDP_RESET request to factory‑reset the device and set a new administrative password. CISA also added a WhatsApp vulnerability (CVE‑2025‑55177, CVSS 5.4) that was chained with an Apple platform flaw in a targeted spyware campaign; federal agencies must apply mitigations by September 23, 2025.

Wed, September 3, 2025

Workiva Discloses Data Theft Linked to Salesforce Breach

🔒 Workiva notified customers that attackers who accessed a third-party CRM exfiltrated a limited set of business contact data, including names, email addresses, phone numbers, and support ticket content. The company said the Workiva platform and any data within it were not accessed or compromised. Workiva warned customers to remain vigilant for spear‑phishing and reiterated it will not request passwords by text or phone. BleepingComputer reported the incident is tied to recent Salesforce breaches attributed to the ShinyHunters group.

Wed, September 3, 2025

CloudWatch Metrics Insights: Query Metrics Up to Two Weeks

🕒 Amazon Web Services now enables customers to query CloudWatch metrics up to two weeks in the past using the Metrics Insights query source. Metrics Insights delivers fast, SQL-based metric queries and this enhancement expands the prior ~3-hour visualization window to 14 days for dashboards, alarms, and investigations. The capability is available now in commercial AWS regions and is automatically enabled at no additional charge, though standard pricing still applies for alarms, dashboards, and API usage.

Wed, September 3, 2025

Malicious npm Packages Use Ethereum Smart Contracts

🛡️ A new campaign used malicious npm packages to hide command-and-control URLs inside Ethereum smart contracts, evading typical static detection. ReversingLabs researcher Karlo Zanki uncovered packages colortoolsv2 and mimelib2 that delivered second-stage payloads via blockchain-held URLs. The threat also included fake GitHub projects, such as solana-trading-bot-v2, built to appear legitimate. Developers are urged to vet dependencies and maintainers beyond superficial metrics.

Wed, September 3, 2025

Threat Actors Use X's Grok AI to Spread Malicious Links

🛡️ Guardio Labs researcher Nati Tal reported that threat actors are abusing Grok, X's built-in AI assistant, to surface malicious links hidden inside video ad metadata. Attackers omit destination URLs from visible posts and instead embed them in the small "From:" field under video cards, which X apparently does not scan. By prompting Grok with queries like "where is this video from?", actors get the assistant to repost the hidden link as a clickable reference, effectively legitimizing and amplifying scams, malware distribution, and deceptive CAPTCHA schemes across the platform.

Wed, September 3, 2025

Malicious npm Packages Use Ethereum to Deliver Malware

⚠️ ReversingLabs researchers uncovered a supply chain campaign that used Ethereum smart contracts to conceal URLs for malware delivered via rogue GitHub repositories and npm packages. The packages colortoolsv2 and mimelib2 were intentionally minimal and designed to be pulled as dependencies from fraudulent repositories posing as cryptocurrency trading bots. Attackers inflated commit histories with sockpuppet accounts and automated pushes to appear legitimate, then used on-chain storage to hide secondary payload locations and evade URL-scanning defenses.

Wed, September 3, 2025

Copeland OT Controller Flaws Risk Remote Control and Damage

⚠️ Security firm Armis disclosed 10 vulnerabilities, dubbed Frostbyte10, in Copeland LP E2 and E3 controllers used in heating, cooling, and refrigeration that could let attackers disable or remotely control equipment. Copeland issued firmware 2.31F01; organizations should deploy the update promptly to mitigate exposure. Combined flaws can enable unauthenticated remote code execution with root privileges; specific issues include a predictable default admin account (CVE-2025-6519), API endpoints that expose credential hashes, and unauthenticated file operations. Copeland says engineers acted quickly and that there are no known exploits to date.

Wed, September 3, 2025

Amazon CloudWatch: Single Alarm for Multiple Metrics

🔔 Amazon CloudWatch now supports creating a single alarm that evaluates and acts on multiple individual metrics dynamically. By authoring a Metrics Insights (SQL) query with GROUP BY and ORDER BY clauses, the alarm automatically includes matching metrics as resources are created or removed, eliminating manual per-resource alarm management. You can configure these alarms via the CloudWatch console, AWS CLI, CloudFormation, or CDK; the capability is available in all commercial AWS regions, AWS GovCloud (US) Regions, and China Regions, and Metrics Insights query alarm pricing applies.

Wed, September 3, 2025

AWS Config Adds Five New Resource Types for Monitoring

🔔 AWS Config now supports five additional AWS resource types, expanding its ability to discover, assess, audit, and remediate resources across your accounts. The new types — AWS::CodeArtifact::Domain, AWS::Config::ConformancePack, AWS::Glue::Database, AWS::NetworkManager::TransitGatewayPeering, and AWS::RolesAnywhere::TrustAnchor — are tracked automatically if you record all resource types and are available for Config rules and aggregators. Support applies in all Regions where these resources are available, enabling broader compliance and operational visibility. This update simplifies monitoring and remediation workflows.

Wed, September 3, 2025

AWS Clean Rooms: Add Data Providers to Collaborations

🔒 AWS Clean Rooms now lets collaboration owners add new data provider members to existing collaborations, enabling partners to contribute data without creating a separate collaboration. New members can be configured to only supply data while inheriting the collaboration’s existing privacy controls and access rules. Invitations and member additions are recorded in the collaboration change history for transparency and auditability. This reduces onboarding time for multi‑party workflows such as publisher–advertiser measurement and third‑party enrichment.

Wed, September 3, 2025

Amazon SageMaker Adds Restricted Classification Terms

🔒 Amazon SageMaker Catalog now supports governed classification using Restricted Classification Terms, enabling catalog administrators to mark sensitive glossary terms so only authorized users or projects can apply them to assets. Administrators grant usage through explicit policies and group membership, allowing centralized governance teams to control labels like Seller-MCF or PII. The capability is available in all regions that support SageMaker Unified Studio; consult the user guide to get started.

Wed, September 3, 2025

AWS HealthOmics private workflows now in Seoul Region

🧬 AWS HealthOmics private workflows are now available in the Asia Pacific (Seoul) Region, providing fully managed bioinformatics pipelines for healthcare and life sciences customers in Korea. The HIPAA-eligible service supports domain-specific languages such as Nextflow, WDL, and CWL and offers features like call caching, dynamic run storage, Git integrations, and ECR pull-through cache. These capabilities simplify pipeline migration, accelerate genomics development, and help maintain data provenance and compliance.

Wed, September 3, 2025

Court Upholds EU-US Data Privacy Framework Agreement

⚖️ The European Court of Justice's General Court has dismissed a legal challenge seeking to annul the EU-US Data Privacy Framework (DPF), finding that, at the time of adoption, US law ensured an adequate level of protection for personal data transferred from the EU. Negotiated in July 2023, the DPF now stands as the main mechanism for transatlantic data flows, providing immediate relief to the European Commission and many businesses. Critics including Max Schrems and advocacy group NOYB have signalled likely appeals, meaning the ruling may not be the final word and legal uncertainty could continue.

Wed, September 3, 2025

FBI: Seniors Targeted by Three-Phase Phantom Scams

⚠️ The FBI and its Internet Crime Complaint Center (IC3) warn that seniors are being targeted by a three‑phase “Phantom Hacker” scam that combines tech‑support, financial‑institution, and U.S. government impersonations to extract life savings. Scammers typically gain trust by convincing victims to grant remote access, then prompt transfers via wire, cash, or cryptocurrency to purportedly secure accounts. The IC3 reports substantial losses—an average of US $83,000 per victim—and urges people not to allow remote access, download unsolicited software, or transfer funds at the request of unknown callers.

Wed, September 3, 2025

International Partners Release Shared SBOM Vision Statement

🔒 CISA, the NSA, and 19 international partners published a joint guide outlining the benefits of adopting software bills of materials (SBOM) to increase software component and supply chain transparency. The guide advises software producers, purchasers, and operators to integrate SBOM generation, analysis, and sharing into security processes to better identify and mitigate component risks. It calls for international alignment of SBOM technical approaches to reduce complexity, improve interoperability, and advance secure-by-design software.

Wed, September 3, 2025

Disney to Pay $10M Over YouTube Kids' Data Violations

⚖️ The FTC secured a $10 million settlement with Disney after finding the company mislabeled children’s content on YouTube, enabling collection of kids' personal data without parental notice or consent. The complaint says Disney applied channel-level tags that caused many videos to be marked as 'Not Made for Kids' instead of 'Made for Kids' (MFK), circumventing COPPA protections. The settlement imposes a civil penalty, requires parental notice prior to data collection, and mandates a new program to ensure correct MFK labeling on future uploads.

Wed, September 3, 2025

Massive IPTV Piracy Network Spanning 1,100+ Domains

🔍 Silent Push uncovered an extensive IPTV piracy operation spanning more than 1,100 domains and over 10,000 IP addresses that has reportedly operated for several years. The investigation links the network to hosting firms XuiOne and Tiyansoft and identifies Nabi Neamati as a central operator. The infrastructure served unlicensed streams for major brands and sports leagues, and users face risks including fraud, identity theft and malware. Silent Push will present detailed findings in a webinar on 23 September 2025.

Wed, September 3, 2025

CISA, NSA and Partners Release SBOM Shared Vision Guidance

🔐 CISA, in partnership with the NSA and 19 international agencies, released joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. The guidance defines an SBOM as a formal record of software components and supply chain relationships and explains how SBOMs provide essential visibility into dependencies. It outlines benefits for producers, purchasers, operators, and national security organizations and urges adoption of aligned technical approaches, standardized metadata, and automation to improve vulnerability management and strengthen global software supply chain resilience.

Wed, September 3, 2025

Detecting and Preventing Data Leaks Before Disaster

🔒 In January 2025 Wiz Research discovered a publicly accessible ClickHouse database belonging to Chinese AI firm DeepSeek, exposing over one million log streams that included chat histories and secret keys. The issue was reported and quickly closed, but the event highlights how misconfigurations and human error can expose sensitive data. To reduce risk, organisations should adopt least-privilege access, deploy DLP solutions, classify high-risk data and provide ongoing staff training.

Wed, September 3, 2025

Jaguar Land Rover production halted after cyberattack

🔒 A cyberattack on British automaker Jaguar Land Rover forced a temporary global production halt after the company proactively shut down affected IT systems to limit potential damage. A spokeswoman said teams are working to restart systems in a controlled way, and so far there is no evidence that customer data was stolen. Jaguar Land Rover is part of Tata Motors, and the company has not yet identified the attacker.

Wed, September 3, 2025

EMBER2024: Advancing ML Benchmarks for Evasive Malware

🛡️ The EMBER2024 release modernizes the popular EMBER malware benchmark by providing metadata, labels, and computed features for over 3.2 million files spanning six file formats. It supplies a 6,315-sample challenge set of initially evasive malware, updated feature extraction code using pefile, and supplemental raw bytes and disassembly for 16.3 million functions. The package also includes source code to reproduce feature calculation, labeling, and dataset construction so researchers can replicate and extend benchmarks.

Wed, September 3, 2025

US Sues Toy Maker Over Kids' Geolocation Data Leak

🔒 The U.S. Department of Justice has sued toy maker Apitor after an FTC referral, alleging it allowed a Chinese third party to collect precise geolocation data from children without notifying parents or obtaining consent required under COPPA. Apitor's Android app for robot toys uses the JPush SDK, which reportedly collected location data for any purpose, including targeted advertising. Under a proposed settlement, Apitor must secure third-party COPPA compliance, notify parents, delete collected personal information, limit retention, and faces a $500,000 penalty that is currently suspended amid claimed financial hardship.

Wed, September 3, 2025

Police, ACE Disrupt Streameast Pirated Sports Network

🔒 Authorities, working with the Alliance for Creativity and Entertainment (ACE), have disrupted Streameast, the world's largest illegal live sports streaming network, and arrested two individuals in Egypt. The ad-supported platform, active since 2018, operated roughly 80 domains and drew hundreds of millions of visits monthly. Law enforcement seized devices and financial records while ACE redirected many domains to a Watch Legally portal. Investigators say the operation routed significant advertising revenue through a UAE shell company.

Wed, September 3, 2025

Managing Shadow AI: Three Practical Corporate Policies

🔒 The MIT report "The GenAI Divide: State of AI in Business 2025" exposes a pervasive shadow AI economy—90% of employees use personal AI while only 40% of organizations buy LLM subscriptions. This article translates those findings into three realistic policy paths: a complete ban, unrestricted use with hygiene controls, and a balanced, role-based model. Each option is paired with concrete technical controls (DLP, NGFW, CASB, EDR), organizational steps, and enforcement measures to help security teams align risk management with real-world employee behaviour.

Wed, September 3, 2025

Zero Trust Implementation Remains a Major CISO Challenge

🔐 According to an Accenture report, 88% of security leaders say they face significant difficulties implementing Zero Trust, and 80% cannot effectively protect cyber-physical systems. Other industry studies show mixed adoption—Gartner found 63% with full or partial strategies in 2024, while Entrust reports Germany lags at 53%. Experts point to divergent definitions, legacy systems, cultural resistance to the "never trust, always verify" model, poor visibility into data flows, and misaligned incentives as core obstacles; many argue the effort is strategic, lengthy, and requires top-down leadership.

Wed, September 3, 2025

Tycoon Phishing Kit Uses New Link Obfuscation Techniques

🔐 Barracuda researchers have detailed new link-obfuscation capabilities in the Tycoon Phishing-as-a-Service kit that hide malicious destinations from scanners and recipients. Observed techniques include URL encoding with '%20' invisible spaces, deceptive Unicode characters, hidden codes appended to links, redundant protocol prefixes, and subdomain manipulation. Attacks also incorporate a fake CAPTCHA stage and tools aimed at bypassing multi-factor authentication, enabling more effective email-based social engineering and evasion of traditional filters.

Wed, September 3, 2025

They Know Where You Are: Geolocation Cyber Risks Evolving

📍 Geolocation data from smartphones, apps and IPs can be weaponized by threat actors to launch precise, geographically targeted attacks such as localized phishing and malware activation. These attacks can act as "floating zero days," remaining dormant until they reach a specific location, as seen with Stuxnet and modern campaigns like Astaroth. Organizations should adopt multilayered defenses — robust endpoint detection, decoys, location baselines and stronger multi-factor verification — to mitigate this evolving threat.

Wed, September 3, 2025

Malicious npm Packages Use Ethereum Smart Contracts

🔒 Cybersecurity researchers discovered two malicious npm packages that use Ethereum smart contracts to hide commands and deliver downloader malware to compromised systems. The packages — colortoolsv2 (7 downloads) and mimelib2 (1 download) — were uploaded in July 2025 and removed from the registry. The campaign leveraged a network of GitHub repositories posing as crypto trading tools and is linked to a distribution-as-service operation called Stargazers Ghost Network. Developers are urged to scrutinize packages and maintainers beyond surface metrics before adopting libraries.

Wed, September 3, 2025

AWS Direct Connect Adds First Location in Nairobi, Kenya

🌐 AWS announced a new AWS Direct Connect location at East African Data Centres NBO1 near Nairobi, Kenya. The site is the first Direct Connect location in Kenya and offers dedicated 10 Gbps and 100 Gbps connections with MACsec encryption available. From this location customers can establish private, physical connections to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones, providing a more consistent network experience than the public internet.

Wed, September 3, 2025

How the Generative AI Boom Opens Privacy and Cyber Risks

🔒 The rapid adoption of generative AI is prompting significant privacy and security concerns as vendors revise terms to use user data for model training. High-profile pushback — exemplified by WeTransfer’s reversal — revealed how unclear terms and live experimentation can expose corporate and personal information. Employees using consumer tools like ChatGPT for work tasks risk leaking secrets, and platforms such as Slack are explicitly reserving rights to leverage customer data. CISOs must balance strategic AI adoption with heightened compliance, governance and operational risk.

Wed, September 3, 2025

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

Wed, September 3, 2025

Prepared for Cyberattacks: Crisis Communication by Plan

🛡️ Corporate communications must be an integral part of cyber incident preparedness, working closely with the CISO to develop and execute a crisis communication plan. Preventive measures include a crisis manual, continuous internet monitoring, and established relationships with opinion leaders to preserve reputation. The article advises joint leadership by communications and IT of a compact emergency team, creation of an independently accessible emergency infrastructure (including a darksite), staged statements and prebuilt templates, and secure off-network contact lists.
