AI Agent Controls, Cloud Platform Updates, and Patch Tuesday

AgentCore Identity: Secure Identity for AI Agents at Scale

🔐 Amazon Bedrock AgentCore Identity centralizes and secures identities and credentials for AI agents, integrating with existing identity providers such as Amazon Cognito to avoid user migration and rework of authentication flows. It provides a token vault encrypted with AWS KMS, native AWS Secrets Manager support, and orchestrates OAuth 2.0 flows (2LO and 3LO). Declarative SDK annotations and built-in error handling simplify credential injection and refresh workflows, helping teams deploy agentic workloads securely at scale.

Amazon EC2 M7i arrives in Milan with custom Intel CPUs

🚀 Amazon EC2 M7i instances, powered by custom 4th Gen Intel Xeon Scalable processors (Sapphire Rapids), are now available in the Europe (Milan) region. M7i delivers up to 15% better performance versus comparable x86 Intel processors on other clouds and up to 15% improved price-performance compared to M6i. Instances scale to 48xlarge and include two bare-metal sizes (metal-24xl, metal-48xl) with built-in Intel accelerators for data streaming, in-memory analytics, and QuickAssist Technology, making them suited for sustained high-CPU workloads like gaming servers, CPU-based ML, and video streaming.

Microsoft launches ExCyTIn-Bench to benchmark AI security

🛡️ Microsoft released ExCyTIn-Bench, an open-source benchmarking tool to evaluate how well AI systems perform realistic cybersecurity investigations. It simulates a multistage Azure SOC using 57 Microsoft Sentinel log tables and measures multistep reasoning, tool usage, and evidence synthesis. The benchmark offers fine-grained, actionable metrics for CISOs, product owners, and researchers.

Amazon Route 53 Profiles Adds AWS PrivateLink Support

🔒 Amazon Route 53 Profiles now supports AWS PrivateLink, allowing customers to access and manage their Profiles privately over the Amazon network instead of the public internet. When accessed via PrivateLink, management operations such as creating, editing, listing, and deleting Profiles occur over private connectivity between VPCs, AWS services, and on‑premises applications. This capability reduces control‑plane exposure and supports hybrid and regulated deployments.

Microsoft and Oracle Expand Oracle Database@Azure Reach

🚀 Microsoft and Oracle have expanded Oracle Database@Azure with broader regional coverage and support for Oracle Database 19c and 23ai, plus full support for Base Database, Exadata (Dedicated and Exascale), and Autonomous Database. The update introduces continuous zero-ETL mirroring into OneLake via Oracle GoldenGate and native integrations with Microsoft Fabric, enabling real-time analytics with Copilot Studio, Azure AI Foundry, and Power BI. Security and operational management are strengthened through Microsoft Defender, Microsoft Sentinel, Entra ID, and Azure Arc, while Azure Accelerate for Oracle and marketplace programs streamline migrations and partner engagement.

US Seizes $15 Billion in Crypto from Scam Kingpin Leader

💰 The U.S. Department of Justice has seized $15 billion in bitcoin tied to Chen Zhi, leader of the Prince Group, a transnational criminal network that ran large-scale “pig butchering” cryptocurrency investment and romance scams. Unsealed court documents describe fortified forced-labor compounds in Cambodia, automated call centers, and over 100 shell companies spanning 30+ countries. The Treasury’s OFAC also sanctioned Chen Zhi and 146 associates as part of the coordinated action.

BigQuery Data Clean Room Query Templates — Preview

🔒 BigQuery data clean room query templates are now available in preview, enabling clean room owners to publish fixed, reusable TVF-based queries that accept table or field inputs and return only aggregated rows. Templates reduce data exfiltration risk, simplify onboarding for non-SQL users, and enforce consistent analytical and privacy controls via aggregation thresholds and approval workflows. They support single-direction and multi-party collaboration while keeping query logic hidden from subscribers.

Google Cloud Marketplace for Enterprise and AI Agents

🤖 Google Cloud Marketplace offers a vetted path for organizations to deploy, buy, or build AI agents that integrate with Gemini Enterprise, simplifying procurement and deployment. Listings are pre-validated for A2A integration and allow consolidated billing, while administrators can enforce governance using IAM and Private Marketplace controls. For partners, the Marketplace provides global reach, co-selling, and flexible monetization (subscription, usage-based, private offers, outcome-based) plus automated provisioning via Pub/Sub and the Cloud Commerce Partner Procurement API.

Google Cloud NetApp Volumes: iSCSI, FlexCache, Gemini

🚀 Google Cloud announced enhancements to NetApp Volumes, adding unified iSCSI block and file storage to support SAN migrations and NetApp FlexCache for high-performance local caching in hybrid environments. The service integrates with Gemini Enterprise as a data store for retrieval-augmented generation, and includes large-capacity volumes, SnapMirror replication, and auto-tiering to optimize performance and costs.

Amazon AppStream Adds License-Included Microsoft Apps

🧾 Amazon AppStream 2.0 now offers license-included Microsoft Office, Visio, and Project (2021/2024) in Standard and Professional editions, available in both 32‑bit and 64‑bit for On‑Demand and Always‑On fleets. Administrators can add or remove these applications from images and fleets to control availability, and end users access fully integrated Microsoft apps within AppStream sessions. Deployments require an AppStream Image Builder agent released on or after October 2, 2025, or managed image updates dated October 3, 2025 or later. Billing remains hourly for streaming and per-user per-month (non-prorated) for Microsoft apps.

AWS for Fluent Bit 3.0.0 Released with Fluent Bit 4.1.1

🚀 AWS for Fluent Bit 3.0.0, based on Fluent Bit 4.1.1 and built on Amazon Linux 2023, is now available for Amazon ECS and Amazon EKS customers. The release introduces native OpenTelemetry (OTel) support to ingest and forward OTLP logs, metrics, and traces with AWS SigV4 authentication, removing the need for additional sidecars. It delivers faster JSON parsing and higher log throughput per vCPU with lower latency, plus configurable TLS minimum versions and cipher controls to strengthen output security. Upgrade by pulling the 3.0.0 image from the Amazon ECR Public Gallery, updating your ECS FireLens task definition, or updating the DaemonSet/Helm release on EKS.

Amazon EBS Volume Clones for Instant Volume Copies

⚡ Amazon Web Services has launched general availability of Amazon EBS Volume Clones, enabling instant, point-in-time copies of EBS volumes within the same Availability Zone. Cloned volumes are immediately accessible with single-digit millisecond latency and support all EBS volume types. The capability integrates with the EBS Container Storage Interface (CSI) driver and is available via Console, CLI, SDKs, and CloudFormation across AWS Commercial and GovCloud (US) Regions.

Stopping Living-off-the-Land Abuse of Trusted Tools

🔒 CrowdStrike highlights how attackers increasingly weaponize trusted software—RMM tools, built-in Windows utilities, and admin binaries—to evade detection and operate within networks. The Falcon platform layers behavioral IOAs, custom controls, and Exposure Management and now adds APEX, a machine-learning model that analyzes command-line syntax, parameters, process lineage, timing, and context to detect LOLbin abuse. APEX is generally available for Windows and aims to raise detection while reducing false positives.

Microsoft Advances Open Standards for Frontier AI Scale

🔧 Microsoft details OCP contributions to accelerate open-source infrastructure for frontier-scale AI, focusing on power, cooling, networking, security, and sustainability. It highlights innovations such as solid-state transformers, a power-stabilization paper with OpenAI and NVIDIA, and a next-generation HXU for liquid cooling. Networking efforts include ESUN and scale-up Ethernet workstreams, while security contributions introduce Caliptra 2.1, Adams Bridge 2.0, and L.O.C.K. The post also advances fleet lifecycle management, carbon accounting, and waste-heat reuse for globally deployable AI datacenters.

Microsoft October 2025 Patch Tuesday: 6 Zero-Days Fixed

🔒 Microsoft released its October 2025 Patch Tuesday, addressing 172 vulnerabilities including six zero‑day flaws and eight Critical issues. The updates include five remote code execution and three elevation‑of‑privilege critical bugs, along with numerous information disclosure, denial‑of‑service and security feature bypass fixes. Notable actions include the removal of an Agere modem driver and patches for exploited elevation‑of‑privilege and SMB/SQL Server issues. Windows 10 reaches end of support with this release; Extended Security Updates remain available for organizations and consumers.

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

Patch Tuesday Oct 2025: 172 Flaws, End of Windows 10

⚠️ Microsoft’s October 2025 updates close 172 security holes and include at least two actively exploited zero‑days. The company removed a decades-old Agere modem driver to mitigate CVE-2025-24990 and patched an elevation-of-privilege zero-day in RasMan (CVE-2025-59230). A critical unauthenticated RCE in WSUS (CVE-2025-59287) carries a 9.8 threat score and should be prioritized. This release also marks the end of security updates for Windows 10, prompting ESU enrollment or migration options.

AMD issues patches for RMPocalypse flaw in SEV-SNP

⚠️ AMD released mitigations and firmware/BIOS updates to address a vulnerability dubbed RMPocalypse, which ETH Zürich researchers Benedict Schlüter and Shweta Shinde say can be triggered by a single 8-byte overwrite of the Reverse Map Paging (RMP) table during SEV‑SNP initialization. The flaw, assigned CVE-2025-0033, stems from a race condition in the AMD Secure Processor/Platform Security Processor (PSP/ASP) that could allow an admin-privileged or malicious hypervisor to modify initial RMP content and void SEV‑SNP integrity guarantees. AMD listed impacted EPYC families and provided vendor guidance; Microsoft and Supermicro have acknowledged the issue and are working on remediations.

October 2025 Patch Tuesday: 172 CVEs, 3 Zero-Days, 8 Critical

🔒 Microsoft’s October 2025 Patch Tuesday addresses 172 vulnerabilities, including two publicly disclosed issues, three zero‑day flaws and eight Critical CVEs. The bulk of fixes target Windows (134 patches), Microsoft Office (18) and Azure (6), with elevation-of-privilege and remote code execution as the primary risks. Windows 10 reaches end of life on October 14, 2025; hosts must be on 22H2 to receive Extended Security Updates. CrowdStrike recommends prioritizing patches for actively exploited zero‑days and using Falcon Exposure Management dashboards to track and remediate affected systems.

Anatomy of a BlackSuit Ransomware Blitz at Manufacturer

🔐 Unit 42 responded to a significant BlackSuit ransomware campaign after attackers obtained VPN credentials via a vishing call and immediately escalated privileges. The adversary executed DCSync, moved laterally with RDP/SMB using tools like Advanced IP Scanner and SMBExec, established persistence with AnyDesk and a custom RAT, and exfiltrated over 400 GB before deploying BlackSuit across ~60 ESXi hosts. Unit 42 expanded Cortex XDR visibility from 250 to over 17,000 endpoints and used Cortex XSOAR to automate containment while delivering prioritized remediation guidance.

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.

Oracle issues second emergency patch for E-Business Suite

⚠️ Oracle released an emergency security alert on October 11 for CVE-2025-61884, a 7.5 CVSS information-disclosure flaw in the Runtime UI component of E-Business Suite (versions 12.2.3–12.2.14). The vulnerability allows unauthenticated remote attackers with network access to steal sensitive data. The patch arrives one week after an emergency fix for a Cl0p-exploited RCE, and experts urge administrators to apply updates, hunt for prior compromise, and restrict outbound traffic from EBS servers.

Chinese Hackers Turn ArcGIS Server into Year-Long Backdoor

🛡️ReliaQuest attributes a campaign to China-linked group Flax Typhoon that compromised a public-facing ArcGIS server by converting a Java Server Object Extension (SOE) into a gated web shell, maintaining access for over a year. The attackers embedded a hard-coded key and hid the backdoor in system backups to survive full system recovery. They uploaded a renamed SoftEther executable (bridge.exe), created a "SysBridge" service to persist, and used an outbound HTTPS VPN bridge to extend the victim network for covert lateral movement. Investigators observed credential theft, admin account resets, and extensive living-off-the-land activity to evade detection.

Oracle quietly patches E-Business Suite SSRF zero-day

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

Malicious npm, PyPI and RubyGems Packages Use Discord C2

⚠️ Researchers at a software supply chain security firm found multiple malicious packages across npm, PyPI, and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate developer secrets. Examples include npm packages that siphon config files and a Ruby gem that sends host files like /etc/passwd to a hard-coded webhook. The investigators warn that webhook-based C2 is cheap, fast, and blends into normal traffic, enabling early-stage compromise via install-time hooks and build scripts. The disclosure also links a large North Korean campaign that published hundreds of malicious packages to deliver stealers and backdoors.

Microsoft releases final Windows 10 Patch Tuesday update

🔔 Microsoft has issued the final cumulative update for Windows 10, KB5066791, as the OS reaches end of support on October 14, 2025. The mandatory update delivers Microsoft's October 2025 Patch Tuesday fixes, closing six zero-day vulnerabilities and addressing 172 additional flaws. After installation, Windows 10 22H2 and 21H2 are updated to builds 19045.6456 and 19044.6456; users can install via Windows Update or the Microsoft Update Catalog and may schedule restarts to complete the process.

Pixnapping: Pixel-by-pixel Android MFA code theft

🔍 A new side‑channel attack called Pixnapping allows a permissionless Android app to infer and reconstruct on‑screen pixels and steal sensitive content such as one‑time authentication codes, chat messages, and emails. The technique abuses Android intents and SurfaceFlinger compositing to isolate and enlarge individual pixels, then uses a GPU compression side channel to leak visual data. The proof‑of‑concept from a team of seven U.S. university researchers works on modern Pixel and Samsung devices and can extract 2FA codes in under 30 seconds; Google issued an initial mitigation (CVE‑2025‑48561) in September that was bypassed, and a broader fix is planned for December 2025, with Samsung committing to patches as well.

Chinese APT Abuses ArcGIS SOE for Year-Long Persistence

🔒 Researchers say a Chinese state-linked actor, likely Flax Typhoon, exploited a component of the ArcGIS geo-mapping platform to maintain undetected access for over a year. Using valid admin credentials, the attackers uploaded a malicious Java SOE that acted as a web shell, accepting base64-encoded commands via a REST parameter protected by a hardcoded secret. They then installed SoftEther VPN as a Windows service to create an outbound HTTPS tunnel to 172.86.113[.]142 on port 443, enabling persistent lateral movement and credential harvesting even if the SOE were removed.

Chinese APT Abuses ArcGIS Component to Maintain Backdoor

🔐 ReliaQuest linked the campaign to the Flax Typhoon APT, which converted a legitimate public-facing ArcGIS Java server object extension (SOE) into a stealthy web shell. The group activated the SOE through a standard ArcGIS REST extension, embedding a base64-encoded payload and a hardcoded key to trigger command execution while hiding activity behind normal portal operations. Attackers uploaded a renamed SoftEther VPN binary to preserve access and targeted IT workstations, and the SOE was later found in backups, enabling persistence after remediation. ReliaQuest warns organisations to go beyond IOC detection, proactively hunt for anomalous behaviour in trusted tools, and treat every public-facing application as a high-risk asset.

New SonicWall SSLVPN Compromises Linked to Credentials

🔒 Huntress reports a fresh wave of compromises targeting SonicWall SSLVPN appliances in early October, affecting at least 16 organizations and more than 100 accounts. Attackers are authenticating with valid credentials rather than brute forcing, often from recurring attacker-controlled IPs. Some sessions involved internal reconnaissance and attempts against Windows administrative accounts, but Huntress says it has no evidence linking the activity to September’s MySonicWall cloud backup disclosure. It urges administrators to reset credentials, restrict remote management, review SSLVPN logs, and enable MFA.

Microsoft October 2025 Patch Tuesday: Key Fixes & Rules

🛡️ Microsoft’s October 2025 Patch Tuesday addresses 175 Microsoft CVEs and 21 non‑Microsoft CVEs, including 17 rated critical and 11 marked important, with three already observed exploited in the wild. Talos highlights active exploitation of CVE-2025-24990 (Agere Modem driver), CVE-2025-59230 (Remote Access Connection Manager), and CVE-2025-47827 (IGEL OS Secure Boot bypass) and urges prompt remediation. Cisco Talos also published new Snort rules to detect many of these exploits and recommends updating patches, removing unsupported drivers, and refreshing IDS/IPS signatures.

The AI Fix #72 — Hype, Space Data Centers, Robot Heads

🎧 Hosts Graham Cluley and Mark Stockley review episode 72 of The AI Fix, covering GPT-5’s disputed training data, Irish police warnings about AI-generated home-intruder pranks, Jeff Bezos’s proposal for gigawatt-scale data centres in orbit, OpenAI’s drag-and-drop Agent Kit, and a Chinese company’s ultra-lifelike robot head. The episode questions corporate AI hype and highlights rising public disclosures of AI risk, urging attention to data provenance and realistic deployment expectations.

CISA Adds Five Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions include CVE-2016-7836 (SKYSEA Client View), CVE-2025-6264 (Rapid7 Velociraptor), CVE-2025-24990 and CVE-2025-59230 (Microsoft Windows), and CVE-2025-47827 (IGEL OS). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the designated due dates; CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Malicious VSCode Extensions Resurface on OpenVSX Registry

⚠️ Researchers at Koi Security warn that a threat actor known as TigerJack is distributing malicious Visual Studio Code extensions on both the official marketplace and the community-maintained OpenVSX registry. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace after roughly 17,000 downloads but remain available on OpenVSX, and the actor repeatedly republishes variants under new accounts. The malicious code exfiltrates source code, deploys a CoinIMP cryptominer with no resource limits, or fetches remote JavaScript to enable arbitrary code execution, creating significant risks to developer machines and corporate networks.

Microsoft: Exchange Server 2016 and 2019 End of Support

⚠️ Microsoft notified administrators that Exchange Server 2016 and Exchange Server 2019 reached end of support on October 14, 2025, and will no longer receive security patches or time zone updates after the October 2025 security releases. The company strongly advises migrating to Exchange Online or upgrading to Exchange Server Subscription Edition (SE). In-place upgrades from Exchange 2019 to SE follow the same process as installing a Cumulative Update. Customers still on Exchange 2016 or 2013 should upgrade to SE or first move to Exchange 2019.

TA585 Deploys MonsterV2 Malware With Sophisticated Delivery

🔍 Proofpoint researchers uncovered TA585, a cybercriminal group that operates its own phishing, delivery and malware infrastructure rather than outsourcing. The actor distributes MonsterV2, a subscription-based RAT/stealer/loader that avoids CIS systems and offers modules like HVNC. Early 2025 campaigns used ClickFix social engineering and compromised sites with fake CAPTCHAs to filter victims and deliver payloads, and organisations should train users to spot ClickFix and restrict PowerShell for non-admins.

Secure Boot bypass risk in Framework Linux laptops

🔒 Eclypsium discovered that Framework shipped signed UEFI shells containing a dangerous mm (memory modify) command that can directly read and write system RAM and be leveraged to disable Secure Boot. By overwriting the gSecurity2 security handler pointer to NULL or redirecting it to a stub that always returns success, the mm command stops signature verification and can permit bootkits to load. Framework estimates roughly 200,000 affected units; users should apply available firmware and DBX updates, restrict physical access, or temporarily remove Framework's DB key in BIOS until patches are applied.

Signed UEFI Shell Enables Secure Boot Bypass on Framework

⚠️ Researchers at Eclypsium warn that roughly 200,000 Framework Linux systems shipped with legitimately signed UEFI shells containing a dangerous mm (memory modify) command. The command can read and write physical memory and be used to overwrite the gSecurity2 pointer that enforces UEFI signature checks, effectively disabling verification. That failure allows persistent bootkits to load at boot time and survive OS reinstalls. Framework is issuing firmware and DB/DBX updates; users should apply patches or follow temporary mitigations until fixes are available.

Rockwell 1715 EtherNet/IP Module: CVE-2025-9177/9178

⚠️ Rockwell Automation disclosed two remotely exploitable vulnerabilities in the 1715 EtherNet/IP Comms Module (versions 3.003 and earlier) that have a CVSS v4 base score of 7.7. One issue (CWE-770, CVE-2025-9177) allows resource exhaustion of the device web server causing a crash; the other (CWE-787, CVE-2025-9178) permits crafted CIP payloads to trigger an out-of-bounds write and loss of CIP communication. Rockwell has released firmware version 3.011 to address both flaws; operators who cannot immediately upgrade should implement recommended network segmentation, firewalling, and secure remote-access controls.

Scattered Lapsus$ Extortion Site Goes Dark — Next Steps

🔒 Police seized several domains tied to the Scattered Lapsus$ Hunters extortion network, but one dark‑web mirror remained briefly accessible and was used to publish alleged data on October 10. The site listed victims including Qantas, Vietnam Airlines, Albertsons, GAP, Fujifilm, and Engie Resources, with claimed volumes from millions to hundreds of thousands of records. Authorities caution that domain seizures are tactical wins: actors often resurrect forums from backups or migrate to platforms such as Telegram, and the group has even promised a 2026 return with a subscription-based extortion-as-a-service model.

Google Cloud Adds AI Annotations and Object Contexts

🧠 Google Cloud is introducing two Cloud Storage features—auto annotate and object contexts—that apply pretrained AI to generate metadata and attach custom key-value tags to stored objects. Auto annotate (experimental) produces image annotations such as object detection, labels, and objectionable-content signals tied to an object's lifecycle. Object contexts (preview) let teams add, manage, and query contextual tags with IAM controls and Storage Insights integration. Together they enable scalable discovery, curation, and governance of previously unanalyzed unstructured “dark data.”

Pixnapping: Android GPU Side-Channel Steals 2FA Pixels

⚠️ Researchers have disclosed Pixnapping, a pixel-stealing side-channel that can extract 2FA codes, Maps timelines, and other sensitive UI contents from Android apps by abusing GPU compression together with Android's window-blur and intent mechanisms. The proof-of-concept captures codes in under 30 seconds on several Google and Samsung devices running Android 13–16 without requiring special manifest permissions. Google tracked the issue as CVE-2025-48561 (CVSS 5.5) and issued mitigations in the September 2025 Android Security Bulletin, but researchers say a workaround can re-enable the technique and that some app-list bypass behavior will not be fixed.

Cloudflare addresses Workers CPU benchmark disparities

🔍 Cloudflare investigated an independent October benchmark comparing server-side JavaScript performance between Cloudflare Workers and Vercel, which initially showed Workers up to 3.5x slower. The company found multiple causes — scheduling heuristics, outdated V8 garbage-collector tuning, and framework-level inefficiencies in OpenNext/Next.js — and implemented fixes. Most changes are live and yield parity with Vercel across nearly all tested cases, with further work planned to close the remaining Next.js gap.

Apigee Named a Leader in Gartner's 2025 API Magic Quadrant

🏆 Google Cloud's Apigee has been named a Leader in the 2025 Gartner Magic Quadrant for API Management and was positioned highest for Ability to Execute. The announcement highlights Apigee's expansion to support generative and agentic AI workloads by acting as an intelligent, secure API proxy that improves governance, security, scalability, and cost control. Key capabilities called out include AI productization, agent-ready API specification boosting (Private Preview), native quota-based token controls and Looker Studio reporting, a centralized API hub with Gemini-driven semantic search, and enhanced security policies including Model Armor and Advanced API Security.

Windows 11 KB5066835 and KB5066793 October 2025 Updates

🔒 Microsoft has released cumulative updates KB5066835 and KB5066793 for Windows 11 versions 25H2/24H2 and 23H2 as part of the October 2025 Patch Tuesday. These mandatory updates move systems to Build 26200.6899 (25H2/24H2) and 226x1.6050 (23H2) and address recent security vulnerabilities plus several functional issues. Notable fixes include a Chromium print preview hang, PowerShell Remoting timeouts, Windows Hello USB IR camera setup failures, and a gaming sign-in input bug. The update also removes the ltmdm64.sys modem driver and rolls out new AI, accessibility, and File Explorer features gradually.

IBM Spectrum Symphony HostFactory Connectors for GCP

🚀 Google Cloud announces the general availability of open-source IBM Spectrum Symphony HostFactory connectors for Google Compute Engine and GKE. The connectors enable organizations to extend on‑premises Symphony clusters into Google Cloud or deploy fully cloud-native clusters with automatic provisioning and decommissioning to match workload demand. Partner-built by Accenture and validated by Aneo, the connectors support enterprise features such as Spot and on‑demand VMs, GPUs, Local SSD, Confidential VMs, Pub/Sub event-driven management, Kubernetes CRDs, and integration with managed instance group (MIG) APIs for large-scale HPC operations.

Microsoft: Windows 10 Reaches End of Support Oct 14, 2025

⚠️ Microsoft says Windows 10 reached end of support on October 14, 2025, and will no longer receive feature or security updates. Machines will continue to run but will be at greater risk of viruses and malware without patches. Microsoft advises customers to upgrade to Windows 11, migrate to Windows 365 in the cloud, enroll in Extended Security Updates (ESU), or use LTSC editions for specialized devices. ESU pricing and limited free enrollment options for home and EEA users are noted.

AWS Expands Graviton4 M8g EC2 Instances to Regions

🚀 AWS announced that Amazon EC2 M8g instances, powered by Graviton4 processors, are now available in Europe (Paris), Asia Pacific (Osaka), Canada (Central), and the Middle East (Bahrain). The M8g family delivers up to 30% better performance versus Graviton3-based instances and offers larger sizes with up to 3× more vCPUs and memory. Built on the AWS Nitro System, these instances provide enhanced networking and EBS bandwidth for general-purpose workloads such as application servers, microservices, gaming servers, and caching fleets.

UK urges FTSE 350 CEOs to boost cyber readiness now

📣 Senior leaders are being warned to take personal responsibility for cyber resilience as the UK government says organisations cannot rely on state protection alone. The NCSC's 2025 Annual Review recorded 204 "nationally significant" incidents and prompted a ministerial letter to FTSE 350 CEOs urging physical incident plans and supply‑chain checks. The agency also highlighted slow uptake of Cyber Essentials and launched the Cyber Action Toolkit to help small businesses reach minimum standards.

AWS for Fluent Bit 3.0.0: Based on Fluent Bit 4.1.0

🚀 AWS for Fluent Bit 3.0.0, based on Fluent Bit 4.1.0 and Amazon Linux 2023, delivers faster, more secure container logging for Amazon ECS and Amazon EKS. It adds native OpenTelemetry (OTel) support for OTLP logs, metrics, and traces with SigV4 authentication and faster JSON parsing for higher throughput and lower latency. TLS minimum version and cipher controls enforce stronger output security. The image is available in the Amazon ECR Public Gallery and Amazon ECR, and source code and guidance are provided on GitHub.

Trump Administration Expands Social Media Visa Surveillance

🔍The Brookings report details the Trump administration’s expanded social media surveillance to identify and punish foreign nationals for public speech. Agencies historically gathered millions of handles, but Secretary of State Marco Rubio has promoted a zero-tolerance “Catch and Revoke” policy that uses AI to flag conduct deemed contrary to national interest. Rubio said about 300 visas—mainly student and visitor visas—were revoked, and a State Department cable now requires student applicants to set accounts public for vetting.

UK NCSC Reports 130% Rise in National Cyber Incidents

🔐 The UK’s National Cyber Security Centre (NCSC) reported 204 nationally significant incidents between September 2024 and August 2025, a 130% increase on the prior year’s 89 incidents. In total the agency received 1,727 incident tips and elevated 429 to cyber incidents requiring support, including 18 Category 2 “highly significant” events. NCSC leaders warned attackers are improving and urged businesses to harden defences and prioritise preparedness to sustain operations during attacks.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

Amazon MSK Connect Expands to Ten More AWS Regions

🚀 Amazon MSK Connect is now available in ten additional AWS Regions — Jakarta, Hong Kong, Osaka, Melbourne, Milan, Zurich, Bahrain, UAE, Cape Town, and Tel Aviv. MSK Connect provides fully managed Kafka Connect clusters for deploying, monitoring, and scaling connectors to move data between Apache Kafka/Amazon MSK and external systems without provisioning infrastructure. The service supports both managed and self-managed Kafka clusters and is accessible via the MSK console and CLI.

AWS Transfer Family SFTP Connectors Gain VPC Support

🔒 AWS Transfer Family SFTP connectors can now route connections through your Amazon VPC, enabling secure file transfers between Amazon S3 and remote SFTP servers whether privately or publicly hosted. Connectors can present VPC CIDR IP addresses for compatibility with IP allowlists and leverage NAT Gateway bandwidth for higher-throughput internet transfers. All traffic is routed through existing VPC networking and security controls, including Transit Gateway and centralized firewalls to help meet data security mandates.

Legacy Windows Protocols Enable Network Credential Theft

🔒 Resecurity warns that legacy Windows name-resolution protocols continue to expose organisations to credential theft when attackers share the same local network. By poisoning LLMNR and NBT-NS broadcasts using tools such as Responder, attackers can capture usernames, domain context and password hashes without exploiting a software vulnerability. Recommended mitigations include disabling these protocols via Group Policy, blocking UDP 5355, enforcing SMB signing, reducing NTLM, and monitoring for anomalous traffic.

CISA Releases ICS Advisory for Rockwell 1715 Module

🔔 CISA published one Industrial Control Systems advisory on October 14, 2025, identifying a vulnerability in the Rockwell Automation 1715 EtherNet/IP Communications Module (ICSA-25-287-01). The advisory summarizes affected firmware and configurations and provides technical details to assess exposure. It recommends prioritized mitigations, including vendor updates, network segmentation, and access restrictions, and urges administrators to review and implement the guidance promptly.

From CISO to Chief Risk Architect: Rethinking Cybersecurity

🔐 The article argues that the traditional CISO role must evolve into a Chief Risk Architect, shifting focus from purely technical controls to enterprise resilience and business continuity. It emphasizes anticipating disruptions, minimizing operational impact, and demonstrating recovery capabilities to regulators, partners, and shareholders. Required skills now include risk quantification, ERM, threat detection, geopolitical awareness, and fluency with regulations like NIS2, DORA and the AI Act. It also stresses reporting to the board or CEO to gain strategic influence and attract future talent.

Windows 10 End of Support: Guidance for Enterprises

🛡️ As of October 14, 2025, Microsoft has ended support for non‑LTSC releases of Windows 10, leaving installations without default security patches unless organizations purchase Extended Security Updates (ESUs). CrowdStrike advises inventorying assets, evaluating ESU costs, and prioritizing migration while ensuring continuous endpoint protection. The Falcon platform delivers cloud‑native detection, behavioral AI, and visibility across mixed Windows environments to help reduce risk during transition. Note that EDR complements but does not replace operating system updates.

EU Authorized to Sign UN Cybercrime Convention Agreement

🔐 The Council of Europe has authorized the European Commission and EU member states to sign the United Nations Convention against Cybercrime, adopted by the UN General Assembly in December 2024, which sets common global standards for cybercrime and the cross-border exchange of electronic evidence. The treaty requires harmonization of criminal offenses, including computer fraud, illegal interception and measures targeting online child sexual abuse, grooming and non-consensual dissemination of intimate images, while including explicit safeguards to protect human rights. The Convention will be open for signature from October 25, 2025 until December 31, 2026 and enters into force ninety days after the fortieth ratification; the EU Presidency will prioritize finalizing a Council decision to enable conclusion of the instrument and seek the European Parliament's consent.

Amazon Connect Adds Configurable Schedule Adherence

📈 Amazon Connect now supports configurable thresholds for schedule adherence, enabling contact center managers to set allowable early and late windows for shift starts, shift ends, and individual activities. Administrators can apply defaults and customize thresholds at the team level—for example, allowing a 5-minute early start, a 10-minute late end, or a 3-minute late break—so minor timing differences don’t hurt adherence scores. This reduces false violations, helps managers focus on real adherence issues, and improves agent satisfaction and productivity.

Cyberattack Targets German Federal Employment Agency

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.

Scaling Customer Experience with AI on Google Cloud

🤖 LiveX AI outlines a Google Cloud blueprint to scale conversational customer experiences across chat, voice, and avatar interfaces. The post details how Cloud Run hosts elastic front-end microservices while GKE provides GPU-backed AI inference, and how AgentFlow orchestrates conversational state, knowledge retrieval, and human escalation. Reported customer outcomes include a >90% self-service rate for Wyze and a 3× conversion uplift for Pictory. The design emphasizes cost efficiency, sub-second latency, multilingual support, and secure integrations with platforms such as Stripe, Zendesk, and Salesforce.

When Agentic AI Joins Teams: Hidden Security Shifts

🤖 Organizations are rapidly adopting agentic AI that does more than suggest actions—it opens tickets, calls APIs, and even remediates incidents autonomously. These agents differ from traditional Non-Human Identities because they reason, chain steps, and adapt across systems, making attribution and oversight harder. The author from Token Security recommends named ownership, on‑behalf tracing, and conservative, time‑limited permissions to curb shadow AI risks.

AI-Enhanced Reconnaissance: Risks for Web Applications

🛡️ Alex Spivakovsky (VP of Research & Cybersecurity at Pentera) argues that AI is accelerating reconnaissance by extracting actionable insight from external-facing artifacts—site content, JavaScript, error messages, APIs, and public repos. AI enhances credential guessing, context-aware fuzzing, and payload adaptation while reducing false positives by evaluating surrounding context. Defenders must treat exposure as what can be inferred, not just what is directly reachable.

UK Firms Lose Average $3.9M to Unmanaged AI Risk in UK

⚠️ EY polling of 100 UK firms finds that nearly all respondents (98%) experienced financial losses from AI-related risks over the past year, with an average loss of $3.9m per company. The most common issues were regulatory non-compliance, inaccurate or poor-quality training data and high energy usage affecting sustainability goals. The report highlights governance shortfalls — only 17% of C-suite leaders could identify appropriate controls — and warns about the risks posed by unregulated “citizen developer” AI activity. EY recommends adopting comprehensive responsible AI governance, targeted C-suite training and formal policies for agentic AI.

CISOs Must Rethink Tabletop Exercises and Readiness

⚠️ The Cytactic 2025 State of Cyber Incident Response Management report found that 57% of significant incidents involved attack types the security team had not rehearsed. The finding suggests many tabletop exercises focus on dramatic, familiar scenarios like ransomware rather than the subtle, realistic tactics adversaries commonly use. Reported failures include misplaced burner phones and stale contact lists, illustrating gaps in basic readiness. Experts recommend regularly refreshing tailored simulations, roleplaying smaller breaches, and practicing communications and logistics to build practical muscle memory.

Security firms dispute credit for overlapping CVEs

🔍 A public dispute has emerged between FuzzingLabs and Gecko Security after FuzzingLabs accused Gecko of copying vulnerability PoCs, backdating blog posts, and filing duplicate CVEs for flaws FuzzingLabs disclosed in late 2024 and early 2025. Gecko denies wrongdoing, says overlaps arose from coordinating directly with maintainers, and has updated credits and dates. The episode underscores tensions in responsible disclosure and CVE attribution.

Security Firms Clash Over CVE Credit and Disclosure

🔍 A public dispute erupted when FuzzingLabs accused Y Combinator-backed Gecko Security of copying proof-of-concepts (PoCs), resubmitting them for CVEs, and backdating blog posts to claim credit. FuzzingLabs cites two specific flaws — an Ollama token-stealing bug and a Gradio arbitrary file-copy/DoS issue — and says unique markers in its PoCs prove plagiarism. Gecko denies wrongdoing, saying its process involves direct coordination with maintainers and that overlaps were accidental; it has since updated posts to credit FuzzingLabs.

Cybersecurity Awareness Month 2025: Patching Matters

🔒 October's Cybersecurity Awareness Month is a reminder that timely software patching is essential to reduce risk. Last year saw around 40,000 newly disclosed vulnerabilities — roughly a 30% increase — and 2025 is on track to set another record, while attackers increasingly exploit unpatched flaws. In a video, ESET Chief Security Evangelist Tony Anscombe explains why delayed patching effectively invites threat actors into your network. Stay tuned for more awareness videos and consider ESET's cybersecurity awareness training.

Fortinet Strengthens Global Cybercrime Collaboration

🔒 Fortinet underscores its leadership within the World Economic Forum’s Cybercrime Atlas, promoting cross-sector intelligence sharing and coordinated disruption to combat cybercriminal networks. The 2025 Impact Report, released ahead of the WEF Annual Meeting on Cybersecurity 2025, details operational support for INTERPOL-led Operations Serengeti and Serengeti 2.0 and quantifies arrests, takedowns, and recovered illicit funds. Fortinet stresses the need for accountability at scale and continued expansion of collaborative capacity-building.

Beyond Security Awareness: Proactive Threat Hunting

🔍 Security Awareness Month highlights the human side of defense but by itself it cannot sustain long-term resilience. The author argues organizations must pair awareness with proactive threat hunting and a structured Continuous Threat Exposure Management (CTEM) program to find misconfigurations, exposed credentials, and excessive privileges before attackers can exploit them. He outlines a three-step readiness model: collect attacker-centric data, map attack paths with a digital twin, and prioritize remediation by business impact.

Upcoming Speaking Engagements — Fall 2025 and Beyond

📅 This is a current list of scheduled speaking engagements featuring Bruce Schneier and co-speaker Nathan E. Sanders, centered on the book Rewiring Democracy. Events include in-person appearances in Cambridge, Toronto, Strasbourg, and Chicago, as well as virtual talks hosted by Data & Society, Boston Public Library, and City Lights. Most events combine a book discussion with opportunities for audience Q&A and some include signings. Attendees should check the maintained events page for registration details and any updates.