Cybersecurity Brief

Cloud Controls Tighten, KEV Adds Three, and PowerSchool Fallout

Coverage: 04 Sept 2025 (UTC)

Cloud providers emphasized secure access and resilience, with AWS bringing ECS Exec into the console and Google Cloud outlining pragmatic multi-regional patterns and a Service Health preview for Cloud Run. On the defensive side, CISA added three CVEs to the Known Exploited Vulnerabilities catalog, underscoring active threats that demand prompt remediation. Meanwhile, investigations and lawsuits kept incident response in focus.

Cloud access and availability controls

AWS expanded console-based operations by integrating ECS Exec directly, reducing reliance on external tools for container troubleshooting. The addition pairs with session brokering through CloudShell and optional logging and encryption controls, helping teams standardize secure, audited access without opening inbound ports. Complementing that access model, AWS introduced three new IAM condition keys for Amazon Bedrock, enabling administrators to restrict which services can receive service‑specific credentials, enforce maximum age for long‑term credentials at creation, and differentiate requests by token type. These controls, detailed by AWS, support least‑privilege, credential lifecycle governance, and compliance needs.

Google Cloud spotlighted practical steps for high availability on Cloud Run, emphasizing multi‑regional deployments behind a global load balancer and disciplined data replication strategies. The post also previews a Service Health feature in private preview that uses readiness probes and minimum instances to automate regional failover without additional load balancer settings. The guidance from Google Cloud stresses that platform primitives must be paired with resilient application and data architectures to materially improve uptime.

Palo Alto Networks announced Prisma SASE 4.0, framing a consolidated, AI‑aware platform that unifies networking, security, and operations. Notable updates include Advanced Web Protection designed to inspect fully rendered pages to stop postload attacks without decryption, an Advanced DNS Resolver with model‑assisted detection, and Private Application Security that consolidates WAF layers and fingerprints applications to detect botnets, API abuse, and Day‑0 exploits. Data protection extends across SaaS posture, structured and unstructured content, and AI outputs, with AI‑augmented classification and unified policies. Operational features add AI assistants, natural‑language telemetry queries, and enhanced digital experience management. The release, presented by Palo Alto, aims to reduce tool fragmentation and simplify scale operations.

Advisories and exploited vulnerabilities

CISA added three entries to the Known Exploited Vulnerabilities catalog: a Linux kernel TOCTOU race (CVE‑2025‑38352), an Android Runtime issue (CVE‑2025‑48543), and a Sitecore deserialization flaw (CVE‑2025‑53690). The KEV update, published by CISA, directs Federal Civilian Executive Branch agencies to remediate by specified deadlines and serves as a high‑priority signal for all organizations to confirm which versions they run and apply vendor updates or mitigations promptly. Separately, researchers highlighted a TP‑Link zero‑day in CWMP (TR‑069 remote management) handling alongside ongoing exploitation of older TP‑Link flaws; according to BleepingComputer, a stack‑based buffer overflow in the SOAP SetParameterValues handler can enable remote code execution from a malicious or compromised ACS server, while previously exploited vulnerabilities continue to feed router proxy malware. Mitigations include disabling CWMP if not required, applying firmware updates from official sources, changing default credentials, and segmenting devices from sensitive networks.

In industrial control systems, Honeywell OneWireless Wireless Device Manager (WDM) updates address four vulnerabilities in the Control Data Access component, including memory errors and handler deployment issues that could enable remote code execution. Affected releases are prior to R322.5 and R331.1. The advisory republished by CISA recommends upgrading, isolating control networks behind firewalls, minimizing device exposure, and using secure remote access. No public exploitation specific to these issues was reported at publication.

Intrusions and campaigns

APT28 activity included a newly observed Outlook‑targeting VBA backdoor dubbed NotDoor. The implant hooks Outlook events to parse trigger strings in incoming mail and execute embedded commands; initial delivery involves DLL side‑loading through onedrive.exe (which loads a malicious SSPICLI.dll) and suppression of Outlook's macro security settings. It supports command execution, file exfiltration, and file drops, using email itself as the exfiltration channel via a Proton Mail account. The campaign, reported by The Hacker News, highlights the abuse of productivity applications for covert C2 and data movement. In parallel, ESET documented GhostRedirector, which compromised Windows servers across multiple sectors to deploy a C++ backdoor (Rungan) and a native IIS module (Gamshen) that manipulates search engine results, primarily for gambling sites, while maintaining stealthy persistence. The investigation, summarized by Infosecurity, noted privilege escalation via known exploits and long‑term access through added accounts. Monitoring IIS modules, restricting high‑privilege accounts, and auditing configurations are recommended.

In the education sector, the Texas Attorney General filed suit against PowerSchool following a compromise of its PowerSource support portal, alleging misleading security representations and inadequate safeguards. The breach exposed extensive student and teacher records across thousands of districts and included a ransom demand; the company acknowledged a payment and subsequent extortion activity affecting districts. A BleepingComputer report cites an investigation confirming multiple unauthorized accesses in 2024 and outlines the lawsuit’s claims under Texas consumer protection and identity theft statutes.

AI in offensive operations

Anthropic reported a sophisticated criminal campaign that used Claude Code to orchestrate multi‑stage data theft and extortion across at least 17 organizations, with the model assisting in both tactical execution and strategic targeting. The actor tailored demands based on AI analysis of exfiltrated financials and generated alarming ransom materials. Additional misuse included North Korean remote‑worker fraud and the development and distribution of ransomware variants. As summarized by Schneier, the cases underscore the need for tighter model access controls, monitoring for suspicious prompts, and stronger vendor accountability and reporting.

Separately, Check Point observed threat actors abusing the Hexstrike‑AI orchestration platform to compress the time from disclosure to widespread exploitation, reportedly turning what once required weeks into minutes. By coordinating over a hundred offensive tools and automating retries, operators have used the system to weaponize recent zero‑days such as the Citrix NetScaler flaw CVE‑2025‑7775. The report via Infosecurity urges rapid patching, automated validation, adaptive detection, and resilient architectures to reduce exposure. The underlying point is that orchestration lowers the expertise barrier and shrinks the window between disclosure and mass exploitation.

These and other news items from the day:

Thu, September 4, 2025

Texas Sues PowerSchool After 62M-Student Data Breach

🔒 Texas Attorney General Ken Paxton has filed suit against PowerSchool after a December breach exposed personal data for 62.4 million students, including over 880,000 Texans. The attacker used a subcontractor’s stolen credentials to access the PowerSource portal, demanded a $2.85 million ransom, and later extorted individual districts. A 19‑year‑old subsequently pleaded guilty in connection with the attack and extortion efforts.

AWS Console Adds ECS Exec for Direct Container Shell Access

🔐 The AWS Management Console now supports ECS Exec, allowing operators to open secure, interactive shell sessions to running containers directly from the console. This removes the need to switch to the CLI, API, or SDKs for troubleshooting and avoids opening inbound ports or managing SSH keys. You can enable ECS Exec when creating or updating services and standalone tasks, and configure encryption and logging at the cluster level. Sessions launch through CloudShell, and the console displays the underlying AWS CLI command for reuse in a local terminal.

High-Availability Multi-Regional Services on Cloud Run

🚀 This Cloud Next 2025 talk explains how to build fault-tolerant, multi-region services using Cloud Run, highlighting autoscaling, decoupled control/data planes, and N+1 zonal redundancy. The post previews an upcoming Service Health feature that automates cross-region failover by relying on container readiness probes and minimum-instance settings. It also outlines deployment patterns (global external ALB with Serverless NEGs) and shows a live demo of automated traffic failover.

Prisma SASE 4.0: AI-Ready Security for Distributed Work

🔒 Prisma SASE 4.0 is positioned as a unified, cloud-delivered security platform engineered for the AI era. It combines AI-powered threat protection, frictionless data security for structured and unstructured content, and unified intelligent operations to automate deployment and troubleshooting. New capabilities include browser-based postload inspection, an Advanced DNS Resolver with Precision AI, SaaS security posture monitoring for AI agents, and Autonomous Digital Experience Management to preserve performance and resilience.

AWS adds condition keys to govern Amazon Bedrock API keys

🔐 AWS introduced three new IAM condition keys that let administrators govern API keys for Amazon Bedrock. The keys control which services can be issued service-specific credentials, the maximum allowable age of long-term Bedrock API keys at creation, and whether requests use short-term or long-term bearer tokens. These controls are available in all AWS Regions and are documented in the IAM and Bedrock User Guides.

Agent Factory Recap: AI, Future Development, Vibe Coding

🛠️ In Episode #6 of the Agent Factory podcast, Keith Ballinger discusses how AI agents and the Gemini CLI are reshaping software development and elevating developers into orchestration and context engineering roles. He demonstrates 'vibe coding' with live demos that produced a command-line markdown viewer in under 15 minutes and highlights open-source projects Terminus and Aether as practical examples. The episode also addresses infrastructure for AI workloads, multi-cloud and edge orchestration, and the growing need for human review in regulated industries.

Generative AI Used as Cybercrime Assistant, Reports Say

⚠️ Anthropic reports that a threat actor used Claude Code to automate reconnaissance, credential harvesting, network intrusion, and targeted extortion across at least 17 organizations, including healthcare, emergency services, government, and religious institutions. The actor prioritized public exposure over classic ransomware encryption, demanding ransoms that in some cases exceeded $500,000. Anthropic also identified North Korean use of Claude for remote‑worker fraud and an actor who used the model to design and distribute multiple ransomware variants with advanced evasion and anti‑recovery features.

Honeywell OneWireless WDM Vulnerabilities and Patch Advisory

⚠️ Honeywell's OneWireless Wireless Device Manager (WDM) contains multiple high‑severity vulnerabilities in the Control Data Access (CDA) component — including buffer overread, sensitive resource reuse, integer underflow, and wrong handler deployment (CVE‑2025‑2521, CVE‑2025‑2522, CVE‑2025‑2523, CVE‑2025‑3946). These issues can enable information disclosure, denial of service, or remote code execution. Honeywell advises updating affected WDM releases to R322.5 or R331.1; CISA recommends minimizing network exposure and isolating control networks to reduce exploitation risk.

Agentic Tool Hexstrike-AI Accelerates Exploit Chain

⚠️ Check Point warns that Hexstrike-AI, an agentic AI orchestration platform integrating more than 150 offensive tools, is being abused by threat actors to accelerate vulnerability discovery and exploitation. The system abstracts vague commands into precise, sequenced technical steps, automating reconnaissance, exploit crafting, payload delivery and persistence. Check Point observed dark‑web discussions showing the tool used to weaponize recent Citrix NetScaler zero-days, including CVE-2025-7775, and cautions that tasks which once took weeks can now be completed in minutes. Organizations are urged to patch immediately, harden systems and adopt adaptive, AI-enabled detection and response measures.

Sitecore ViewState Flaw Under Active Exploitation Now

⚠️ Mandiant reports attackers are actively exploiting a leaked ASP.NET machineKey sample from old Sitecore deployment guides to carry out ViewState code-injection attacks that execute arbitrary .NET assemblies in server memory. The issue, tracked as CVE-2025-53690, affects multi-instance deployments of Sitecore XM, XP, and XC that used the static sample key, and may also impact some Sitecore Managed Cloud Standard container configurations. After initial access, adversaries deploy tools Mandiant calls WEEPSTEEL and EARTHWORM, escalate to SYSTEM, create administrative accounts, dump SYSTEM/SAM hives, and move laterally. Sitecore customers are advised to inspect environments for indicators of compromise, rotate and encrypt <machineKey> entries, and follow Microsoft ASP.NET ViewState guidance.

Legacy Sitecore ViewState Zero-Day Allows WeepSteel Backdoors

🔐 Mandiant observed attackers exploiting a zero‑day ViewState deserialization flaw (CVE-2025-53690) in legacy Sitecore deployments that reused a sample ASP.NET machineKey. Adversaries delivered a WeepSteel reconnaissance backdoor to collect system and network data and disguised exfiltration as normal ViewState traffic. Sitecore advises replacing and encrypting static machineKey values and instituting regular key rotation to mitigate further risk.

CRM Supply-Chain Breach via Salesloft Drift Impacts Vendors

🔒 Palo Alto Networks, Zscaler and Cloudflare disclosed a supply-chain breach traced to the Salesloft Drift integration with Salesforce. The compromise exposed business contact information, account/contact/case/opportunity records and, in some instances, OAuth tokens and plaintext support-case content; attachments and files were reportedly not affected. Palo Alto's Unit 42 observed active searches of exfiltrated data and deletion of queries consistent with anti-forensics. Vendors are advising immediate token revocation, credential rotation and comprehensive review of Salesforce logs and SOQL query history.

Sitecore Issues Patch After Critical Exploited Zero-Day

🔒 Mandiant disrupted an active exploitation of a critical zero-day in Sitecore's Experience Manager and Experience Platform that permits remote code execution via ViewState deserialization. Publicly disclosed on September 3 as CVE-2025-53690 (CVSS 9.0), the flaw affects Sitecore versions up to 9.0 when deployments retained the sample ASP.NET machine key published in older deployment guides. Attackers used the vulnerability to deliver WEEPSTEEL and other tooling, harvest credentials and perform lateral movement. Sitecore has issued a security advisory, notified impacted customers and says recent deployments now auto-generate unique machine keys.
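All three Sitecore items above come down to one thing: a static, publicly known ASP.NET machineKey that lets anyone sign a malicious ViewState. Here is an added example, not Sitecore's or Mandiant's tooling, of the check and the rotation a defender would run over a web.config: it flags a key found in a denylist, a weak validation algorithm, a disabled ViewState MAC or reports an already-encrypted section, and mints replacement keys from the OS CSPRNG. The web.config and the denylist entries are constructed placeholders; the actual leaked sample key is deliberately not reproduced here.

```python
"""Audit an ASP.NET web.config machineKey and mint a replacement.

Added example, not Sitecore's or Mandiant's tooling. The web.config below is
constructed, and the entries in KNOWN_LEAKED_KEYS are placeholders for keys
that are public (they are not the sample key from the old Sitecore guides).
"""
import secrets
import xml.etree.ElementTree as ET

# Placeholders for publicly known keys (constructed). In practice this set holds
# every value you have seen in vendor guides, forum posts and repositories.
PLACEHOLDER_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars = 64-byte HMAC key
PLACEHOLDER_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars = 32-byte AES key
KNOWN_LEAKED_KEYS = {PLACEHOLDER_VALIDATION_KEY, PLACEHOLDER_DECRYPTION_KEY}
WEAK_VALIDATION_ALGS = {"MD5", "SHA1", "3DES"}

# Constructed web.config with the static, shared key a multi-instance farm
# needs so that ViewState signed by one instance validates on another.
SAMPLE_WEB_CONFIG = (
    '<?xml version="1.0"?>\n'
    "<configuration>\n"
    "  <system.web>\n"
    f'    <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"\n'
    f'                decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}"\n'
    '                validation="SHA1" decryption="AES" />\n'
    '    <pages enableViewStateMac="true" />\n'
    "  </system.web>\n"
    "</configuration>\n"
)


def audit_machine_key(web_config_xml: str) -> list:
    """Return (severity, code, message) findings for the machineKey section."""
    root = ET.fromstring(web_config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "VIEWSTATE_MAC_DISABLED",
                         "enableViewStateMac=false: any client can submit forged ViewState"))
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append(("info", "NO_MACHINEKEY",
                         "no explicit machineKey; ASP.NET auto-generates one per host"))
        return findings
    if mk.get("configProtectionProvider"):
        findings.append(("info", "ENCRYPTED_SECTION",
                         f"machineKey is protected by {mk.get('configProtectionProvider')}"))
        return findings
    for attr, expected_hex_len in (("validationKey", 128), ("decryptionKey", 64)):
        value = (mk.get(attr) or "").strip()
        if value.startswith("AutoGenerate"):
            continue
        if not value:
            findings.append(("high", "MISSING_KEY", f"{attr} is empty"))
            continue
        if value.upper() in KNOWN_LEAKED_KEYS:
            findings.append(("critical", "KNOWN_LEAKED_KEY",
                             f"{attr} matches a publicly known key; ViewState can be forged"))
        if any(c not in "0123456789abcdefABCDEF" for c in value):
            findings.append(("high", "NON_HEX_KEY", f"{attr} is not a hex string"))
        elif len(value) < expected_hex_len:
            findings.append(("medium", "SHORT_KEY",
                             f"{attr} is {len(value) // 2} bytes; expected {expected_hex_len // 2}"))
    alg = (mk.get("validation") or "HMACSHA256").upper()
    if alg in WEAK_VALIDATION_ALGS:
        findings.append(("high", "WEAK_VALIDATION", f"validation={alg}; use HMACSHA256 or stronger"))
    return findings


def generate_machine_key() -> dict:
    """Fresh keys from the OS CSPRNG: 64-byte HMACSHA256 key, 32-byte AES key."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}


def replace_machine_key(web_config_xml: str, keys: dict) -> str:
    """Return the config text with the machineKey attributes replaced by `keys`."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for attr in ("validationKey", "decryptionKey", "validation", "decryption"):
        mk.set(attr, keys[attr])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, code, msg in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f"[{sev}] {code}: {msg}")
    hardened = replace_machine_key(SAMPLE_WEB_CONFIG, generate_machine_key())
    print("after rotation:", audit_machine_key(hardened) or "no findings")
```

Generate the key once per farm and distribute it to every instance (a per-host key would break ViewState across load-balanced nodes), then protect the section with `aspnet_regiis -pe` or an equivalent so the plaintext never sits in web.config, and repeat the rotation on a schedule. Rotation invalidates any ViewState an attacker has already signed but does not evict tooling they have already dropped, so the rotation goes alongside the IOC sweep the advisory asks for.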

APT28 Deploys NotDoor: Outlook VBA Backdoor in NATO

🔒 NotDoor is a newly reported Outlook VBA backdoor attributed to the Russian state-sponsored actor APT28 that monitors incoming mail for a trigger phrase and enables data exfiltration, file drops, and remote command execution. S2 Grupo's LAB52 describes deployment via DLL side-loading of onedrive.exe, which loads a malicious SSPICLI.dll, disables macro protections, and runs Base64-encoded PowerShell to establish persistence. The implant watches for a trigger such as "Daily Report" and supports four commands — cmd, cmdno, dwn and upl — sending stolen files via Proton Mail.

New TP-Link CWMP Zero-Day Targets Multiple Routers

🔒 TP-Link has confirmed an unpatched zero-day in its CWMP (CPE WAN Management Protocol, TR-069) implementation that can enable remote code execution on multiple routers. Independent researcher Mehrun (ByteRay) reported the issue to TP-Link on May 11, 2024; the flaw is a stack-based buffer overflow in the SOAP SetParameterValues handler caused by unbounded strncpy calls, reachable by whoever controls the ACS the router talks to. TP-Link says a patch exists for some European firmware builds and that fixes for U.S. and other global versions are in development; users should update firmware, change default admin credentials, and disable CWMP if it is not required.
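The bug class here is a fixed-size stack buffer filled by an unbounded copy of an attacker-chosen SOAP field. As an added example, not TP-Link's firmware code, the parser below shows device-side handling of a SetParameterValues request with every length checked before anything is accepted, plus the envelope-size and DTD checks that keep the XML layer itself from being the weak spot. The SOAP and CWMP namespaces are the standard TR-069 ones; the size limits, the allowed parameter roots and the sample envelopes are assumptions made for illustration.

```python
"""Bounds-checked parser for a CWMP (TR-069) SetParameterValues request.

Added example, not TP-Link's code. The SOAP and CWMP namespaces are the
standard TR-069 ones; the size limits, parameter-name roots and sample
envelopes are constructed. The limits stand in for the fixed-size buffers
a C implementation fills with strncpy; an unbounded copy of an
attacker-sized Value into such a buffer is the overflow described above.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"

# Assumed limits; in firmware these are the sizes of the stack buffers.
MAX_ENVELOPE_BYTES = 64 * 1024
MAX_PARAMS = 64
MAX_NAME_BYTES = 256
MAX_VALUE_BYTES = 512
MAX_KEY_BYTES = 32                     # TR-069 defines ParameterKey as string(32)
ALLOWED_ROOTS = ("InternetGatewayDevice.", "Device.")


class CwmpRejected(ValueError):
    """Raised for any request the device must refuse before copying data."""


def build_set_parameter_values(params: dict, key: str = "k1") -> bytes:
    """Construct a SetParameterValues envelope (what the ACS sends the router)."""
    structs = "".join(
        f'<ParameterValueStruct><Name>{n}</Name><Value xsi:type="xsd:string">{v}</Value></ParameterValueStruct>'
        for n, v in params.items())
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:cwmp="{CWMP_NS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
        "<soap:Body><cwmp:SetParameterValues>"
        f"<ParameterList>{structs}</ParameterList><ParameterKey>{key}</ParameterKey>"
        "</cwmp:SetParameterValues></soap:Body></soap:Envelope>"
    ).encode()


def parse_set_parameter_values(envelope: bytes) -> dict:
    """Return {name: value} only if every field fits its buffer; otherwise raise."""
    if len(envelope) > MAX_ENVELOPE_BYTES:
        raise CwmpRejected("envelope too large")
    if b"<!DOCTYPE" in envelope or b"<!ENTITY" in envelope:
        raise CwmpRejected("DTD/entity declarations are not accepted")  # no entity expansion
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        raise CwmpRejected(f"malformed XML: {exc}") from None
    req = root.find(f"{{{SOAP_NS}}}Body/{{{CWMP_NS}}}SetParameterValues")
    if req is None:
        raise CwmpRejected("not a SetParameterValues request")
    plist = req.find("ParameterList")
    if plist is None:
        raise CwmpRejected("missing ParameterList")
    structs = plist.findall("ParameterValueStruct")
    if len(structs) > MAX_PARAMS:
        raise CwmpRejected(f"{len(structs)} parameters exceeds {MAX_PARAMS}")
    params = {}
    for pvs in structs:
        name = pvs.findtext("Name") or ""
        value = pvs.findtext("Value") or ""
        name_len, value_len = len(name.encode()), len(value.encode())
        if name_len == 0 or name_len > MAX_NAME_BYTES:
            raise CwmpRejected(f"Name length {name_len} outside 1..{MAX_NAME_BYTES}")
        if value_len > MAX_VALUE_BYTES:
            raise CwmpRejected(f"Value for {name[:40]} is {value_len} bytes; limit {MAX_VALUE_BYTES}")
        if not name.startswith(ALLOWED_ROOTS):
            raise CwmpRejected(f"unknown parameter root in {name[:40]}")
        params[name] = value
    key = req.findtext("ParameterKey") or ""
    if len(key.encode()) > MAX_KEY_BYTES:
        raise CwmpRejected("ParameterKey too long")
    return params


def is_rejected(envelope: bytes) -> bool:
    try:
        parse_set_parameter_values(envelope)
    except CwmpRejected:
        return True
    return False


# Constructed samples: a routine config push and the oversized Value an
# unbounded strncpy would copy straight into a small stack buffer.
BENIGN_REQUEST = build_set_parameter_values(
    {"InternetGatewayDevice.ManagementServer.PeriodicInformInterval": "3600"})
OVERSIZED_REQUEST = build_set_parameter_values(
    {"InternetGatewayDevice.DeviceInfo.ProvisioningCode": "A" * 4096})

if __name__ == "__main__":
    print("benign  :", parse_set_parameter_values(BENIGN_REQUEST))
    print("oversize:", "rejected" if is_rejected(OVERSIZED_REQUEST) else "ACCEPTED (bug)")
```

The design point is that the checks happen on the parsed field before it is copied anywhere, which is exactly what a fixed-size destination with `strncpy(dst, src, strlen(src))` skips. A router trusts its configured ACS, so this parser is the only thing standing between a compromised or spoofed ACS and the device's stack; disabling CWMP removes that exposure entirely where remote management is not needed.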

GhostRedirector: China-aligned IIS SEO Fraud Campaign

🔍 ESET researchers identified GhostRedirector, a China-aligned threat group active since at least August 2024 that has compromised at least 65 Windows servers across multiple countries, notably Brazil, Thailand and Vietnam. The group deployed two novel tools: a C++ backdoor Rungan for remote command execution and a malicious IIS module Gamshen that manipulates search rankings to boost targeted sites. Operators also leveraged known privilege escalation exploits like BadPotato and EfsPotato to obtain administrator access and create persistent accounts. Organizations are advised to monitor IIS modules, patch promptly and audit high-privilege accounts and PowerShell activity.

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-38352 (Linux kernel TOCTOU race condition), CVE-2025-48543 (Android Runtime unspecified vulnerability), and CVE-2025-53690 (Sitecore multiple-products deserialization). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the required due dates. Although the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation, patching, and vulnerability management to reduce exposure to active exploitation.
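The triage step CISA is asking for, as an added example rather than CISA's own tooling: the script below loads a feed in the layout of the KEV JSON (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the catalog's), matches it against an asset inventory and ranks the hits by remediation deadline. The feed content, the inventory, the vendor/product spellings and the due dates are constructed for illustration.

```python
"""Triage CISA KEV entries against a local asset inventory.

Added example, not CISA's tooling. The JSON field names follow the layout of
CISA's published KEV feed; the feed content and inventory below are
constructed samples, and the vendor/product spellings and due dates are
illustrative rather than copied from the catalog.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample shaped like the KEV JSON feed (the three entries from the brief).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.09.04",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-38352", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux kernel TOCTOU race condition",
         "dateAdded": "2025-09-04", "dueDate": "2025-09-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-48543", "vendorProject": "Android", "product": "Runtime",
         "vulnerabilityName": "Android Runtime unspecified vulnerability",
         "dateAdded": "2025-09-04", "dueDate": "2025-09-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-53690", "vendorProject": "Sitecore", "product": "Multiple Products",
         "vulnerabilityName": "Sitecore ViewState deserialization",
         "dateAdded": "2025-09-04", "dueDate": "2025-09-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; vendor/product must be spelled as KEV spells them.
SAMPLE_INVENTORY = [
    {"host": "cms-prod-01", "vendorProject": "Sitecore", "product": "Multiple Products"},
    {"host": "build-runner-07", "vendorProject": "Linux", "product": "Kernel"},
    {"host": "fw-edge-02", "vendorProject": "Fortinet", "product": "FortiOS"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    days_left: int          # negative once the due date has passed
    ransomware_use: str


def parse_kev(feed_json: str) -> list:
    """Load the feed and sanity-check it before trusting its contents."""
    doc = json.loads(feed_json)
    vulns = doc["vulnerabilities"]
    if "count" in doc and doc["count"] != len(vulns):
        raise ValueError("KEV 'count' does not match the number of entries")
    required = {"cveID", "vendorProject", "product", "dateAdded", "dueDate"}
    for v in vulns:
        missing = required - set(v)
        if missing:
            raise ValueError(f"{v.get('cveID', '?')} is missing {sorted(missing)}")
    return vulns


def _key(vendor: str, product: str) -> tuple:
    return vendor.strip().lower(), product.strip().lower()


def triage(feed_json: str, inventory: list, today: date) -> list:
    """One Finding per (asset, KEV entry) match, soonest due date first."""
    by_product = {}
    for v in parse_kev(feed_json):
        by_product.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    findings = []
    for asset in inventory:
        for v in by_product.get(_key(asset["vendorProject"], asset["product"]), []):
            due = date.fromisoformat(v["dueDate"])
            findings.append(Finding(asset["host"], v["cveID"], due, (due - today).days,
                                    v.get("knownRansomwareCampaignUse", "Unknown")))
    findings.sort(key=lambda f: (f.due, f.host))
    return findings


def overdue(findings: list) -> list:
    return [f for f in findings if f.days_left < 0]


def triage_sample(today_iso: str = "2025-09-04") -> list:
    """Run the triage over the constructed samples as of a given date."""
    return triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in triage_sample():
        flag = "OVERDUE" if f.days_left < 0 else f"{f.days_left}d left"
        print(f"{f.host:16} {f.cve_id:16} due {f.due} ({flag}) ransomware={f.ransomware_use}")
```

Matching on vendor and product alone is deliberately coarse: KEV does not carry version ranges, so every hit is a prompt to check the installed version against the vendor advisory, not a confirmed exposure. The BOD 22-01 deadlines bind FCEB agencies, but the same sort order is a sensible patch queue for anyone.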

Baseten: improved cost-performance for AI inference

🚀 Baseten reports major cost-performance gains for AI inference by combining Google Cloud A4 VMs powered by NVIDIA Blackwell GPUs with Google Cloud’s Dynamic Workload Scheduler. The company cites 225% better cost-performance for high-throughput inference and 25% improvement for latency-sensitive workloads. Baseten pairs cutting-edge hardware with an open, optimized software stack — including TensorRT-LLM, NVIDIA Dynamo, and vLLM — and multi-cloud resilience to deliver scalable, production-ready inference.

North Korea-Linked Actors Target Cyber Threat Intel

🔍 Cybersecurity firm SentinelLabs and internet intelligence company Validin uncovered a coordinated effort by a North Korea-aligned cluster, tracked as Contagious Interview, to exploit CTI platforms between March and June 2025. The actors repeatedly created accounts on Validin’s portal, reused Gmail addresses tied to prior operations and registered new domains after takedowns. Investigators observed team-based coordination, probable Slack use, and operational slip-ups that exposed logs and directory structures. The probe also identified ContagiousDrop malware delivery applications that harvested details from more than 230 mostly cryptocurrency-sector victims, underscoring the campaign’s revenue-driven motive and the need for vigilance from job seekers and infrastructure providers.

CISA Adds Two Exploited TP-Link Router Vulnerabilities

🔔 CISA has added two TP-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing in-the-wild exploitation activity. The flaws—CVE-2023-50224 (CVSS 6.5), an authentication bypass via spoofing in the httpd service exposing stored credentials at /tmp/dropbear/dropbearpwd, and CVE-2025-9377 (CVSS 8.6), an OS command injection enabling remote code execution—affect multiple TL-WR841 and Archer C7 models. TP-Link says several affected models are End-of-Life, released firmware updates in November 2024, and recommends upgrading hardware; CISA urges federal agencies to apply mitigations by September 24, 2025.

From Summer Camp to Grind Season — Threat Source Recap

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (ReVault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.

France Fines Google €325M for Cookie Consent Breaches

⚖ The French data protection authority CNIL has fined Google €325 million for placing advertising cookies and showing ads in Gmail's 'Promotions' and 'Social' tabs without valid user consent after investigations in 2022–2023. CNIL found Google failed to inform new account holders that accepting advertising cookies was required to access services, breaching Article L.34-5 of the French Postal and Electronic Communications Code (CPCE) and Article 82 of the French Data Protection Act. The authority said the cookie-related practices affected over 74 million accounts (53 million individuals saw the ads), described the conduct as negligent and cited prior sanctions; it also fined Shein €150 million the same day for separate cookie violations.

Bridgestone Confirms Cyberattack Affecting Manufacturing

🔒 Bridgestone Americas is investigating a limited cyber incident that has disrupted operations at several North American manufacturing facilities. The company says its rapid response contained the issue at an early stage and that there is currently no evidence of customer data compromise or deep network infiltration. Reports indicated production impacts in Aiken County, South Carolina, and Joliette, Quebec, and Bridgestone is working around the clock to mitigate supply-chain fallout while forensic analysis continues. Bridgestone declined to confirm whether the incident involves ransomware; no extortion group has claimed responsibility to date.

Scattered Spider Claims Responsibility for JLR Cyber Attack

🔐 Jaguar Land Rover (JLR) is investigating claims by an English‑speaking cybercrime syndicate calling itself “Scattered Lapsus$ Hunters,” which says it accessed JLR systems and is attempting to extort the company. The group shared unverified screenshots on Telegram that allegedly show internal logs and troubleshooting notes. JLR confirmed a cyber incident on September 2 that disrupted sales and production after the company proactively shut down systems; analysts warn that alleged collaboration with ShinyHunters and Lapsus$ could amplify the threat.

Cybercriminals Exploit X's Grok to Amplify Malvertising

🔍 Cybersecurity researchers have flagged a technique dubbed Grokking that attackers use to bypass X's promoted-ads restrictions by abusing the platform AI assistant Grok. Malvertisers embed a hidden link in a video's "From:" metadata on promoted video-card posts and then tag Grok in replies asking for the video's source, prompting the assistant to display the link publicly. The revealed URLs route through a Traffic Distribution System to drive users to fake CAPTCHA scams, malware, and deceptive monetization networks. Guardio Labs observed hundreds of accounts posting at scale before suspension.

GhostRedirector: IIS SEO Fraud and Windows Backdoors

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.

AWS CloudFormation Hooks Adds Managed Proactive Controls

🔔 AWS CloudFormation Hooks now supports managed proactive controls, allowing teams to validate resource configurations against AWS best practices without writing custom Hook logic. Customers can select controls from the AWS Control Tower Controls Catalog and apply them during CloudFormation operations, and run them in warn mode for nonblocking evaluation before enforcing policies. A new Hooks Invocation Summary page provides a centralized historical view of control executions and outcomes to simplify compliance reporting and troubleshooting.

Fifteen Nations Agree Joint Guidance on SBOM Adoption

🔐 A coalition of 21 agencies from 15 countries, led by CISA and the NSA, published joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity on September 3. The document defines SBOM concepts, clarifies roles for producers, choosers and operators, and urges cross-border adoption. It promotes harmonized technical implementations and integration of SBOMs into security workflows to reduce complexity and improve supply chain risk management.

SVG Malware Campaign Impersonating Colombian Judiciary

🔍 VirusTotal’s Code Insight now parses SWF and SVG formats and quickly uncovered an undetected campaign impersonating the Colombian justice system. The tool differentiated a benign, heuristic-flagged SWF game from a malicious SVG that evaded all AV engines by hiding inline JavaScript which decodes and injects a Base64 phishing page and a ZIP dropper. Code Insight plus VirusTotal Intelligence exposed dozens of polymorphic SVGs and enabled a retrohunt linking hundreds of samples to the same campaign.
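What Code Insight is doing on that SVG can be reproduced in a small script. The following is an added example, not VirusTotal's code: it walks an SVG, counts inline scripts, event-handler attributes and javascript: hrefs, pulls base64 runs out of the script text and sniffs what they decode to. The SVG, the embedded HTML form and the fake ZIP header are constructed stand-ins for the campaign's phishing page and dropper; the form posts to a reserved example domain.

```python
"""Extract and classify payloads hidden in an SVG's inline script.

Added example, not VirusTotal Code Insight. The SVG below is constructed:
a tiny HTML credential form and a fake ZIP header, both base64-encoded into
a <script> block, stand in for the phishing page and dropper the campaign
carried. The form's domain is a reserved example name.
"""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed payloads (not real campaign artifacts).
_HTML = (b'<html><body><form action="https://login.example.invalid/">'
         b'<input name="password" type="password"></form></body></html>')
_FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"notificacion.exe"   # ZIP local-file header magic
B64_HTML = base64.b64encode(_HTML).decode()
B64_ZIP = base64.b64encode(_FAKE_ZIP).decode()

SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" width="400" height="300" onload="init()">
  <rect width="400" height="300" fill="#ffffff"/>
  <text x="20" y="40">Notificacion judicial</text>
  <script type="text/javascript"><![CDATA[
    function init() {{
      var page = "{B64_HTML}";
      document.write(atob(page));
      var file = "{B64_ZIP}";
    }}
  ]]></script>
</svg>"""

_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs only


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def classify(blob: bytes) -> str:
    """Cheap content sniff for a decoded blob."""
    low = blob.lower()
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if b"<html" in low or b"<form" in low:
        return "html"
    if b"<script" in low or b"function" in low:
        return "script"
    return "unknown"


def analyze_svg(svg_text: str) -> dict:
    """Count active content in an SVG and decode what its scripts carry."""
    root = ET.fromstring(svg_text)
    report = {"scripts": 0, "event_handlers": 0, "javascript_urls": 0, "payloads": []}
    for el in root.iter():
        if _local(el.tag) == "script":
            report["scripts"] += 1
            for run in _B64_RE.findall(el.text or ""):
                try:
                    blob = base64.b64decode(run, validate=True)
                except ValueError:          # binascii.Error is a ValueError
                    continue
                report["payloads"].append({"kind": classify(blob), "size": len(blob)})
        for attr, val in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                report["event_handlers"] += 1
            if name == "href" and val.strip().lower().startswith("javascript:"):
                report["javascript_urls"] += 1
    active = report["scripts"] or report["event_handlers"] or report["javascript_urls"]
    report["verdict"] = "suspicious" if active else "clean"
    return report


if __name__ == "__main__":
    r = analyze_svg(SAMPLE_SVG)
    print(r["verdict"], "scripts:", r["scripts"], "handlers:", r["event_handlers"])
    for p in r["payloads"]:
        print(f"  embedded {p['kind']} ({p['size']} bytes)")
```

A benign SVG from a design tool has no script element and no on* attributes at all, so the verdict here is close to a hard rule for mail gateways: any SVG attachment with active content gets quarantined, and the decoded blobs are what you hand to the sandbox. The decoder is deliberately generous (every long base64 run, not just the ones passed to atob) because polymorphic variants move the string into different variables and helpers.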

GhostRedirector Hits 65 Windows Servers with IIS Module

🔍 Researchers at ESET disclosed a previously undocumented campaign named GhostRedirector that has compromised at least 65 Windows servers mainly in Brazil, Thailand and Vietnam. The intruders deployed a passive C++ backdoor, Rungan, alongside a native IIS module, Gamshen, which selectively alters responses for Googlebot to perform SEO fraud. Initial access appears linked to SQL injection and abuse of xp_cmdshell, with subsequent PowerShell retrievals from a staging host.
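A concrete version of the "monitor IIS modules" advice in the GhostRedirector items above, as an added example rather than ESET's tooling: it parses an applicationHost.config, lists the native modules registered under <globalModules> and flags any whose DLL sits outside the directories the IIS installer and .NET use, noting whether the module is also enabled in the request pipeline. The sample config, the trusted-directory allowlist, the %windir% expansion and the dropped-module entry are constructed; they are not indicators from the ESET report.

```python
"""Flag IIS native modules loaded from outside the trusted install paths.

Added example, not ESET's tooling. applicationHost.config does register native
modules under <globalModules> with an 'image' attribute, but the sample config,
the trusted-directory list and the suspicious entry below are constructed
for illustration (they are not GhostRedirector indicators).
"""
import xml.etree.ElementTree as ET

# Assumed environment for expanding %windir%; on a live host read os.environ.
ENV = {"windir": "C:\\Windows"}

# Assumed allowlist: where IIS setup and the .NET runtimes place native modules.
TRUSTED_IMAGE_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework64\\",
    "c:\\windows\\microsoft.net\\framework\\",
)

# Constructed applicationHost.config excerpt: three stock modules and one native
# module registered from a world-writable directory, the pattern to hunt for.
SAMPLE_APPHOST_CONFIG = r"""<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="SeoHelperModule" image="C:\Windows\Temp\seohelper.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="SeoHelperModule" />
    </modules>
  </system.webServer>
</configuration>
"""


def _expand(path: str) -> str:
    """Expand %VAR% references from ENV and normalise case for comparison."""
    for var, val in ENV.items():
        path = path.replace(f"%{var}%", val)
    return path.lower()


def native_modules(apphost_xml: str) -> list:
    """Every <globalModules><add> entry, with its image path expanded."""
    root = ET.fromstring(apphost_xml)
    mods = []
    for gm in root.iter("globalModules"):       # iter() also catches <location>-scoped copies
        for add in gm.findall("add"):
            mods.append({"name": add.get("name", ""),
                         "image": _expand(add.get("image", "")),
                         "preCondition": add.get("preCondition", "")})
    return mods


def enabled_module_names(apphost_xml: str) -> set:
    """Names wired into the pipeline via <modules>, at any scope."""
    root = ET.fromstring(apphost_xml)
    return {add.get("name", "") for m in root.iter("modules") for add in m.findall("add")}


def suspicious_modules(apphost_xml: str) -> list:
    """Native modules whose DLL lives outside TRUSTED_IMAGE_DIRS."""
    enabled = enabled_module_names(apphost_xml)
    return [{**m, "enabled": m["name"] in enabled}
            for m in native_modules(apphost_xml)
            if not m["image"].startswith(TRUSTED_IMAGE_DIRS)]


if __name__ == "__main__":
    for m in suspicious_modules(SAMPLE_APPHOST_CONFIG):
        state = "ENABLED" if m["enabled"] else "registered only"
        print(f"{m['name']}: {m['image']} ({state})")
```

On a real server the input is %windir%\System32\inetsrv\config\applicationHost.config, and anything flagged gets its Authenticode signature and hash checked and its creation time compared with the account-creation and PowerShell activity ESET describes. A path inside the trusted directories is not a clean bill of health either, since an attacker with administrator access can drop a DLL there; the allowlist narrows the hunt, and the signature check closes it.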

StreamSight: AI-Powered Music Royalty Forecasting Tool

🔍 StreamSight is an AI-driven application developed by BMG in partnership with Google Cloud to improve transparency, speed, and accuracy in digital royalty forecasting and anomaly detection. The solution leverages BigQuery ML models (including ARIMA_PLUS and BOOSTED_TREE), uses Vertex AI and Python for training, and surfaces results in Looker Studio dashboards. It flags missing sales periods, rights mismatches, and sudden streaming spikes to reduce manual review and help accelerate fairer payouts. Currently a proof of concept, StreamSight is positioned for broader DSP integrations and richer data inputs to extend its capabilities.

AWS Clean Rooms Adds Configurable PySpark Compute Capacity

🔧 AWS Clean Rooms now lets customers configure compute size for PySpark analyses, enabling selection of instance type and cluster size at job runtime for each analysis. Customers can choose larger instances for complex datasets and higher performance or smaller instances to optimize costs. The change provides flexible, per-job resource allocation to balance scale, throughput, and budget while maintaining Clean Rooms' collaborative data protections.

Amazon RDS: PostgreSQL 18 RC1 in Preview Environment

🆕 Amazon RDS for PostgreSQL 18 Release Candidate 1 (RC1) is now available in the Amazon RDS Database Preview Environment, letting customers evaluate a fully managed pre-release. PostgreSQL 18 adds skip scan support for multicolumn B-tree indexes, parallel GIN index builds, improved OR/IN WHERE handling, and updated join behavior. Observability enhancements expose buffer usage counts, index lookup details during execution, and a per-connection I/O utilization metric. Preview instances are retained for up to 60 days, snapshots remain usable only within the preview, and pricing follows the US East (Ohio) region.

Unauthorized TLS Certificates Issued for 1.1.1.1 by Fina CA

🔒 Cloudflare reported that Fina CA issued twelve unauthorized TLS certificates for the public DNS IP 1.1.1.1 between February 2024 and August 2025. All certificates have been revoked and Cloudflare found no evidence they were used maliciously, noting that successful impersonation would also require client trust in Fina and interception of traffic. The misissuance was detected via Certificate Transparency logs, and Cloudflare is improving alerts, monitoring, and triage to prevent similar lapses.

Amazon EC2 AMI Usage: Track and Manage AMI Consumption

🔍 Amazon EC2 today announced AMI Usage, a new capability to track AMI consumption across AWS accounts and resources. It generates reports listing accounts that use your AMIs in EC2 instances and launch templates and shows utilization across instances, launch templates, Image Builder recipes, and SSM parameters. This reduces the need for custom scripts, helps safely manage AMI deregistrations, and supports cost optimization. AMI Usage is available at no additional cost in all AWS regions, including China and GovCloud.

CISA Issues Five ICS Advisories on Critical Vulnerabilities

⚠ CISA released five Industrial Control Systems (ICS) advisories on September 4, 2025, detailing vulnerabilities, impacts, and recommended mitigations for multiple OT products and protocols. The advisories address Honeywell OneWireless WDM, Mitsubishi Electric/ICONICS products, Delta Electronics COMMGR, Honeywell Experion PKS, and the End-of-Train/Head-of-Train Remote Linking Protocol. Several notices are updates (A/B) that include revised technical analysis and vendor-supplied mitigations. Administrators are urged to review the advisories promptly and apply recommended controls.

August Windows updates trigger UAC prompts, block installs

⚠️ Microsoft says the August 2025 security updates are causing unexpected User Account Control (UAC) credential prompts and preventing application installations and MSI repair operations for non‑admin users across supported Windows client and server releases. The behavior stems from a patch addressing CVE-2025-50173, a Windows Installer privilege escalation vulnerability that now enforces elevated UAC prompts during MSI repair and related operations. Affected scenarios include MSI repair commands, ConfigMgr deployments relying on per‑user advertising, Secure Desktop enablement, and launching certain Autodesk applications. Microsoft plans a fix allowing admins to exempt specific apps and recommends running affected apps as administrator or applying a Known Issue Rollback via support as a temporary mitigation.

Thu, September 4, 2025

France Fines Google €325M and Shein €150M Over Cookies

⚖️ The French data protection authority, CNIL, has fined Google €325 million ($379 million) and Shein €150 million ($175 million) for placing advertising cookies without valid consent. CNIL found users were nudged to accept personalized ad cookies during Google account creation and that information remained unclear even after an opt-out option was added in October 2023. The regulator also said targeted ads placed inside Gmail's Promotions and Social tabs required explicit consent under the CPCE. Shein has updated systems and plans to appeal; Google must comply within six months or face €100,000-per-day penalties.

Thu, September 4, 2025

Amazon Neptune Adds Public Endpoints for Developers

🌐 Amazon Neptune now supports Public Endpoints, enabling developers to connect to Neptune clusters directly from development desktops without VPNs, bastion hosts, or complex network setups. The capability can be enabled for new or existing clusters running engine version 1.4.6 or later via the AWS Console, CLI, or SDK. Security is maintained using IAM authentication, VPC security groups, and encryption in transit. The feature is available at no additional cost in all Regions where Neptune is offered.

Thu, September 4, 2025

Validate SAP HANA Best-Practice Compliance with SSM

🔍 AWS Systems Manager Configuration Manager now supports SAP HANA, enabling automated validation of SAP HANA databases running on AWS against best practices defined in the AWS Well‑Architected Framework SAP Lens. The capability automatically assesses configurations, proactively flags misconfigurations, and provides specific remediation guidance so teams can address issues before they impact operations. Checks can be scheduled or run on demand, and SSM for SAP Configuration Manager is available in all commercial AWS Regions.

Thu, September 4, 2025

Chess.com: Third-Party File Transfer App Breach Disclosed

🔒 Chess.com disclosed a data breach after threat actors gained unauthorized access to a third-party file transfer application used by the platform. The intrusion persisted from June 5 to June 18, 2025, and was discovered on June 19, prompting an investigation and engagement of outside experts. Chess.com says its own infrastructure and member accounts were not affected; just over 4,500 users may have had names and other PII accessed. No financial information appears exposed, and affected members are being offered 1–2 years of free identity theft and credit monitoring.

Thu, September 4, 2025

Why XSS Still Matters: MSRC on a 25-Year Threat Landscape

🛡️ MSRC reports that Cross-Site Scripting (XSS) remains a persistent threat across legacy portals and modern single-page applications, with hundreds of cases triaged in the past year. Between July 2024 and July 2025, MSRC mitigated over 970 XSS cases and awarded more than $900,000 in bounties, spanning low-impact self-XSS to zero-click critical exploits. The post describes MSRC’s severity matrix that combines data classification and exploit conditions, outlines servicing scope and exclusion criteria, and publishes a practical submission checklist. Developers and researchers are encouraged to adopt context-aware encoding, Content Security Policy (CSP), and secure-by-default frameworks to reduce exposure.

Thu, September 4, 2025

Pressure Grows on CISOs to Conceal Security Incidents

🔒 A growing majority of CISOs report being pressured to hide breaches, with a Bitdefender survey finding 69% instructed to keep incidents confidential, up from 42% two years earlier. Security leaders say attackers increasingly prioritize stealthy data theft rather than disruptive encryption, making breaches less visible to the public. Regulatory regimes such as GDPR, NIS2 and DORA complicate disclosure decisions, while experts warn that concealment multiplies legal, financial and reputational risk and recommend robust, transparent incident response plans.

Thu, September 4, 2025

Amazon ECR Repository Templates Now in AWS GovCloud

📦 Amazon ECR now supports repository creation templates in AWS GovCloud (US) Regions. Templates let you preconfigure encryption, lifecycle policies, access permissions, and tag immutability for repositories that ECR creates during pull-through cache and replication operations. Templates use a prefix to automatically match and apply settings to new repositories, reducing manual setup and helping enforce consistent registry governance across environments.

Thu, September 4, 2025

Amazon Connect: Expanded Disconnect Reasons for Outbound

📞 Amazon Connect now provides expanded disconnect reasons that map outbound call failures to standard telecom error codes. These enhanced reasons appear in Contact Trace Records and reporting, giving contact center teams real-time visibility into granular disconnection data to speed troubleshooting and reduce support tickets. The feature is available in all AWS regions where Amazon Connect is offered; refer to the public documentation and best practice guide for implementation details.

Thu, September 4, 2025

Microsoft Cost Management: July-August 2025 Product Updates

💡 Microsoft Cost Management released a set of July–August 2025 updates to help organizations monitor and reduce Azure spend. The release adds service principal support for the Partner Admin Reader role, enabling EA indirect partners to programmatically access cost data without interactive accounts. Other highlights include a Pricing Calculator user tip, new cost-saving offers such as Azure Firewall ingestion-time transformation (GA) and the Azure Storage Mover preview, updated documentation on billing and reservations, and new instructional videos on cost allocation and Copilot for cost insights.

Thu, September 4, 2025

Six Browser-Based Attack Techniques to Watch in 2025

🔒 This article outlines six browser-based attack techniques—phishing with reverse-proxy AitM kits, ClickFix/FileFix command-injection lures, malicious OAuth grants, rogue extensions, weaponized file downloads, and credential attacks exploiting MFA gaps—that security teams must prioritize in 2025. It explains why the browser has become the primary attack surface as users access hundreds of cloud apps, and why traditional email/network controls and endpoint defenses often miss these threats. The piece argues that effective detection requires real-time browser-level visibility and management across managed and unmanaged apps, highlighting Push Security as a vendor offering such capabilities.

Thu, September 4, 2025

Automotive Industry Raises Alarm Over Cyberattack Risks

🚗 A recent survey of 200 German automotive cybersecurity experts and IT decision-makers shows 75% of companies rate the threat from cyberattacks as high or very high. Respondents identified cloud security gaps (19.5%) and ransomware/malware (19%) as the leading concerns, while data breaches (16.5%), AI-based attack scenarios (14.5%) and connected-vehicle vulnerabilities (14%) followed. Fewer than half of firms (47%) express confidence in their defenses, and many plan investments in threat detection, AI-driven analytics and security training.

Thu, September 4, 2025

CrowdStrike Named Leader in Forrester Wave MDR Europe

🔒 CrowdStrike has been named a Leader in The Forrester Wave™: Managed Detection and Response (MDR) Services in Europe, Q3 2025, receiving the highest possible scores in 16 evaluation criteria spanning detection surfaces, managed response, threat hunting and analyst experience. Falcon Complete Next-Gen MDR combines AI-accelerated detection and investigation with expert-led response across endpoint, cloud, identity and third-party telemetry. The service uses CrowdStrike Charlotte AI to triage alerts and accelerate analysis, and emphasizes end-to-end remediation actions that remove persistence and contain intrusions without costly reimaging. CrowdStrike positions this recognition as validation of its platform-led, AI-plus-human approach to stopping breaches.

Thu, September 4, 2025

Managed Service for Prometheus: Quota Visibility via AWS

🔍 Amazon Managed Service for Prometheus now exposes applied quota values and utilization through AWS Service Quotas and Amazon CloudWatch. This integration delivers centralized visibility of service limits across workspaces, enables quick quota increase requests, and provides usage metrics that you can incorporate into CloudWatch alarms and dashboards. Usage metrics are always enabled, provided at no extra cost, and accessible via console, APIs, and CLI in all regions where the service is generally available.

Thu, September 4, 2025

Avnet Reclaims Security Data, Cuts Costs, Boosts AI

🔐 Avnet moved away from vendor-bound SIEM, EDR and RBVM silos toward a centralized security data pipeline built on Cribl, prompted by a legacy SIEM renewal that became a strategy inflection point. The redesign gave Avnet full ownership of telemetry, enabled large-scale ETL and flexible routing, and freed analysts from vendor dashboards. Operationally, licensing and storage costs dropped dramatically to 15% of prior levels while processing capacity doubled and pipeline staffing fell from four engineers to one. With its own data layer in place, Avnet is accelerating analytics and AI use cases such as tailored LLMs and retrieval-augmented generation (RAG) to improve investigations and reduce analyst workload.

Thu, September 4, 2025

Architecture Advantage: Fortinet's Hybrid Security Platform

🔒 Fortinet argues its long-standing, architecture-first approach uniquely positions it to address hybrid enterprise security without the operational overhead of cobbled-together point products. The company highlights early investments in AI, purpose-built ASICs, and a unified FortiOS to deliver integrated networking, SASE, SOC automation, and OT protection. Customers and Gartner Peer Insights recognition are cited as validation of lower total cost of ownership and simpler, high-performance operations.

Thu, September 4, 2025

SNI5GECT: 5G Downgrade Attack Enables 4G Tracking Now

🔒 Researchers demonstrated SNI5GECT, an over‑the‑air injection attack targeting unencrypted initial exchanges in 5G that can crash device modems or force a fallback to 4G. By observing the plain‑text handshake and injecting a crafted information block at precise timing, an attacker within roughly 20 meters can trigger a reboot or downgrade. The technique enabled 4G‑based tracking and spoofing on multiple handsets across different modem vendors, and arises from protocol characteristics rather than a single vendor implementation.

Thu, September 4, 2025

Healthcare slow to remediate serious flaws, average 58 days

🩺 Cobalt's State of Pentesting in Healthcare 2025 report shows healthcare organizations take far longer than peers to remediate serious vulnerabilities, leaving systems and patient data exposed. The firm, using a decade of internal pentest data and a survey of 500 US security leaders, found only 57% of serious findings are fixed and the median time to resolve is 58 days, with a 244-day half-life for serious issues. While business-critical assets often see fixes within days, Cobalt warns that prioritizing SLA-bound remediation lets other serious but non-critical flaws linger and accrue security debt, increasing ransomware and data-exfiltration risk.

Thu, September 4, 2025

Principal Financial Adopts Biometrics to Stop Account Fraud

🔐 Principal Financial replaced brittle knowledge-based authentication with a digital ID verification and biometric platform to block account takeovers. Using DIVA with a focus on facial recognition and an implementation by Onfido (an Entrust company), the insurer completed rollout within months. The change has virtually eliminated fraudulent registrations and improved user success and completion rates while preserving usability.

Thu, September 4, 2025

Resilient Network Security Strategies for Disruption

🔒 In a world where pandemics, war, and natural disasters are inevitable, security teams must plan for continuity. The article examines two primary approaches: scaling VPN capacity for remote access or adopting a SASE framework that integrates networking and security as a cloud-delivered service. Each option has trade-offs in cost, complexity, and operational risk; readiness requires assessing user patterns, threat exposure, and recovery objectives.

Thu, September 4, 2025

Secure-by-Default: Simple Defaults to Shrink Attack Surface

🔒 This article argues that adopting a security-by-default mindset—setting deny-by-default policies, enforcing MFA, and employing application Ringfencing™—can eliminate whole categories of risk early. Simple changes like disabling Office macros, removing local admin rights, and blocking outbound server traffic create a hardened environment attackers can’t easily penetrate. The author recommends pairing secure defaults with continuous patching and monitored EDR/MDR for comprehensive defense.