AI Ops Upgrades, CISA’s F5 Directive, and a Major Breach Sentencing

PowerSchool Hacker Sentenced to Four Years in Prison

🔒 Nineteen‑year‑old college student Matthew D. Lane was sentenced to four years in prison and ordered to pay $14 million in restitution and a $25,000 fine after pleading guilty for his role in a December 19, 2024 breach of PowerSchool. Authorities say Lane and accomplices used credentials stolen from a subcontractor to access the PowerSource support portal and download databases containing personal records for millions of students and staff. Attackers demanded Bitcoin ransoms and attempted to extort individual districts; PowerSchool paid a ransom before the full scope was disclosed.

OpenAI Sora 2 Launches in Azure AI Foundry Platform

🎬 Azure AI Foundry now includes OpenAI's Sora 2 in public preview, providing developers with realistic video generation from text, images, and video inputs inside a unified, enterprise-ready environment. The integration offers synchronized multilingual audio, physics-based world simulation, and fine-grained creative controls for shots, scenes, and camera angles. Microsoft highlights enterprise-grade security, input/output content filters, and availability via API starting today at $0.10 per second for 720×1280 and 1280×720 outputs.

AWS Step Functions Adds Amazon Q AI Troubleshooting Guidance

🔍 AWS has integrated Amazon Q's AI diagnostics into the AWS Step Functions console to provide context-aware troubleshooting for workflow errors. Users can click the Diagnose with Amazon Q button in error alerts and the console notification area to receive tailored remediation steps for state machine execution failures and Amazon States Language (ASL) syntax errors and warnings. Troubleshooting recommendations appear in a dedicated window showing remediation steps, analysis of relevant state, input, and logs, and suggested fixes to reduce manual investigation. The feature is automatically enabled in commercial AWS Regions where Amazon Q is available to help teams accelerate resolution and lower operational overhead.

Gemini Code Assist brings AI code reviews to GitHub

🔐 Gemini Code Assist on GitHub for enterprises delivers AI-powered code reviews across GitHub Enterprise Cloud and privately hosted GitHub Enterprise Server. Organization-level controls let platform teams define a central style guide, set comment severity, and enforce baseline checks while preserving repo-level customization. Built on Google Cloud security and privacy commitments, the public preview includes higher pull-request quotas and stateless prompt handling to protect customer code.

CISA Orders Federal Agencies to Patch F5 Devices Now

⚠ CISA issued Emergency Directive ED 26-01 directing Federal Civilian Executive Branch agencies to inventory and secure F5 BIG-IP hardware and software, assess public internet exposure of management interfaces, and apply vendor patches. Agencies must update specified F5 products by Oct. 22, 2025 (other devices by Oct. 31) and submit inventories to CISA by Oct. 29, 2025. The directive responds to a nation-state actor compromise that exfiltrated BIG-IP source code and vulnerability data.

CISA Emergency Directive Targets Critical F5 Flaws

🛡️ CISA has issued Emergency Directive 26-01 requiring Federal Civilian Executive Branch agencies to install vendor-provided updates for at-risk F5 devices and software — including F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF — by October 22, 2025. The action responds to disclosure that a nation-state actor maintained persistent access to F5 development environments and exfiltrated files containing embedded credentials and API keys. CISA will assess and support agency adherence and urges all entities using these products to apply mitigations immediately.

Google Workspace adds AI ransomware detection for Drive

🛡️ Google is adding an AI-powered defense in Google Workspace that monitors files synced by the Drive for desktop app on Windows and macOS, detecting mass file corruption characteristic of ransomware. Trained on millions of ransomware samples and using intelligence from VirusTotal, the model halts cloud sync to stop spread and enables simple file restoration. The feature rolls out now at no extra cost for most commercial plans and complements built-in Gmail and Chrome protections.

AWS Backup Adds Detailed Job and Audit Report Fields

🔍 AWS Backup now returns more detailed metadata in job APIs and Backup Audit Manager reports to improve visibility into backup configuration and compliance. New fields in backup, copy, and restore job APIs expose retention settings, vault lock and type, encryption details, plan and rule names, schedules, and vault access policies. Delegated administrators can view job details across an organization. These fields are available today in supported Regions at no extra charge.

Ultimate Prompting Guide for Veo 3.1 on Vertex AI Preview

🎬 This guide introduces Veo 3.1, Google Cloud's improved generative video model available in preview on Vertex AI, and explains how to move beyond "prompt and pray" toward deliberate creative control. It highlights core capabilities—high-fidelity 720p/1080p output, variable clip lengths, synchronized dialogue and sound effects, and stronger image-to-video fidelity. The article presents a five-part prompting formula and detailed techniques for cinematography, soundstage direction, negative prompting, and timestamped scenes. It also describes advanced multi-step workflows that combine Gemini 2.5 Flash Image to produce consistent characters and controlled transitions, and notes SynthID watermarking and certain current limitations.

Vertex AI Context Caching: Reduce Cost and Latency

⚡ Vertex AI context caching saves and reuses precomputed input tokens so developers avoid repeatedly sending and recomputing long contextual content, reducing latency and cost for large-context AI applications. It provides implicit caching — automatic, default, short-lived KV caches (deleted within 24 hours) integrated with Provisioned Throughput — and explicit CachedContent objects that are paid once and then reused at a deep discount with optional CMEK protection. Caches support multimodal inputs and very large context windows.

Aurora PostgreSQL zero-ETL now integrates SageMaker

🔁 Amazon Aurora PostgreSQL-Compatible Edition now offers zero-ETL integration with Amazon SageMaker, enabling near-real-time replication of PostgreSQL tables into a lakehouse. The synced data conforms to Apache Iceberg open standards and is immediately accessible to SQL, Apache Spark, BI, and ML tools via a simple no-code interface without impacting production workloads. Comprehensive, fine-grained access controls are enforced across analytics engines, and the capability is available in multiple AWS Regions.

Anthropic Claude Haiku 4.5 Now Available in Bedrock

🚀 Claude Haiku 4.5 is now available in Amazon Bedrock, offering near-frontier performance comparable to Claude Sonnet 4 while reducing cost and improving inference speed. The model targets latency-sensitive and budget-conscious deployments, excelling at coding, computer use, agent tasks, and vision-enabled workflows. Haiku 4.5 supports global cross-region inference and is positioned for scaled production use; consult Bedrock documentation, the console, and pricing pages for region and billing details.

Amazon EC2 R8g Instances Now Available in Three Regions

🚀 Amazon EC2 R8g instances powered by AWS Graviton4 are now available in São Paulo (South America), London (Europe), and Melbourne (Asia Pacific). These memory-optimized instances deliver up to 30% better performance versus Graviton3-based R7g instances and are suited for databases, in-memory caches, and real-time big data analytics. Built on the AWS Nitro System, R8g offers enhanced performance and security with larger sizes (up to 48xlarge and 1.5 TB RAM), up to 50 Gbps networking, and up to 40 Gbps EBS bandwidth.

Apple Raises Top Bug Bounty to $2M for Zero-Click Exploits

🔒 Apple has expanded its Security Bounty program, doubling the top award to $2,000,000 for exploit chains that achieve goals comparable to sophisticated mercenary spyware. The company says bonuses for Lockdown Mode bypasses and vulnerabilities found in beta software can push payouts past $5 million. New, higher rewards include $100,000 for a complete Gatekeeper bypass, $1,000,000 for broad unauthorized iCloud access, up to $300,000 for one-click WebKit sandbox escapes, and up to $1,000,000 for wireless proximity exploits. Apple is also introducing Target Flags, a mechanism that lets researchers demonstrate exploitability and qualify for accelerated awards processed immediately after verification, even before a fix is released.

SAP issues patches for NetWeaver deserialization RCE

🔒 SAP has released security updates addressing 13 vulnerabilities, including a maximum-severity insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944, CVSS 10.0) that can lead to arbitrary OS command execution via the RMI‑P4 module. The vendor's latest patch adds a JVM-wide serial filter (jdk.serialFilter) to block dangerous classes and packages — a list curated with the ORL and recommended by security firm Onapsis — and complements an earlier remediation issued last month. Other critical fixes include a directory traversal in SAP Print Service (CVE-2025-42937, 9.8) and an unrestricted file upload in SAP Supplier Relationship Management (CVE-2025-42910, 9.0); administrators are urged to apply patches and mitigations immediately.

CrowdStrike Adds Automated ChromeOS Response, GovCloud

🔒 CrowdStrike has enhanced Falcon Insight for ChromeOS with automated device response actions and GovCloud availability. The update enables instant device disabling and placement into restricted organizational units to block further activity and reduce lateral movement. Response actions can be executed manually from the Falcon console via a prebuilt Falcon Foundry app or automated through Falcon Fusion SOAR workflows. These capabilities ingest native ChromeOS telemetry without extra agents to simplify detection and containment.

F5 Issues BIG-IP Patches After Stolen Vulnerabilities

🔒 F5 has released security updates for BIG-IP products to address vulnerabilities whose details were stolen during a state-linked breach detected on August 9, 2025. The vendor patched 44 issues across BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients and says it has not seen evidence the flaws were exploited or publicly disclosed. Customers are urged to apply updates immediately and follow F5's guidance to increase logging and monitoring.

Amazon WorkSpaces Core Managed Instances: New Regions

🚀 AWS has expanded Amazon WorkSpaces Core Managed Instances to five regions — US East (Ohio), Asia Pacific (Malaysia and Hong Kong), Middle East (UAE), and Europe (Spain) — with partner support from Citrix, Workspot, Leostream, and Dizzion. Managed Instances provision compute resources in customers' AWS accounts while AWS handles the infrastructure lifecycle for persistent and non-persistent VDI workloads, enabling highly customizable CPU, memory, and graphics configurations, including accelerated graphics instances. Customers can continue to use Savings Plans, discounts, and On-Demand Capacity Reservations and will incur standard compute costs plus an hourly WorkSpaces Core fee.

F5 Breach Exposes BIG-IP Source Code, Nation-State Actor

🔒 F5 disclosed that unidentified threat actors accessed its systems and exfiltrated files including portions of BIG-IP source code and documentation on undisclosed product vulnerabilities. The company attributed the intrusion to a highly sophisticated nation-state threat actor, reported detection on August 9, 2025, and said it has contained the activity. F5 engaged Google Mandiant and CrowdStrike, rotated credentials, strengthened controls, and advised customers to apply updates to BIG-IP, F5OS, BIG-IQ, and APM clients.

Microsoft October Patch Tuesday addresses 172 bugs

🔒 Microsoft’s October Patch Tuesday delivers updates for 172 vulnerabilities, including six classed as zero-days. Three of those zero-days are being actively exploited, affecting the Windows Remote Access Connection Manager (CVE-2025-59230), an Agere modem kernel driver, and a secure-boot bypass in IGEL OS (CVE-2025-47827). Microsoft has removed the legacy Agere driver rather than patch it, citing risks in modifying unsupported code. This release also marks the final free Patch Tuesday for Windows 10; continued updates will require the Extended Security Updates (ESU) program.

Microsoft Patches 183 Flaws; Two Windows Zero-Days

🔒 Microsoft released updates addressing 183 vulnerabilities across its products, including three flaws now known to be exploited in the wild. Two Windows zero-days — CVE-2025-24990 (Agere modem driver, ltmdm64.sys) and CVE-2025-59230 (RasMan) — can grant local elevation of privilege; Microsoft plans to remove the legacy Agere driver rather than patch it. A third exploited issue bypasses Secure Boot in IGEL OS (CVE-2025-47827). With Windows 10 support ending unless enrolled in ESU, organizations should prioritize these fixes; CISA has added the three to its KEV catalog and set a federal remediation deadline.

Two Critical CVSS 10.0 Flaws in Red Lion Sixnet RTUs

🔒 Claroty Team82 disclosed two critical vulnerabilities (CVE-2023-40151 and CVE-2023-42770) affecting Red Lion Sixnet SixTRAK and VersaTRAK RTUs, both rated 10.0 on the CVSS scale. One flaw is an authentication bypass that accepts unauthenticated TCP messages on port 1594; the other enables remote shell execution via the Sixnet Universal Driver (UDR), allowing commands to run as root. Chaining the issues permits unauthenticated remote root code execution, creating substantial risk to industrial automation. Users are advised to apply vendor patches, enable and correctly configure authentication, and block TCP access to affected devices immediately.

October 2025 Patch Tuesday: Critical WSUS and Modem Fixes

🔒 Microsoft’s October Patch Tuesday addresses 167 vulnerabilities, including seven rated critical that require immediate CISO attention. Notable fixes include a 9.8 RCE in Windows Server Update Service (WSUS) (CVE-2025-59287) and two Office RCEs exploitable via the Preview Pane. Two legacy Agere modem driver flaws include an in-the-wild zero day and a prior public disclosure, prompting Microsoft to remove ltmdm64.sys from Windows. Administrators should prioritize internet-facing services, kernel-mode drivers, and review WSUS exposure and patch management architecture.

Nation-State Hackers Breach F5, Steal BIG-IP Source Code

🔒 F5 disclosed that nation-state attackers breached its systems and exfiltrated portions of BIG-IP source code and information about undisclosed vulnerabilities after gaining persistent access to product development and engineering knowledge platforms. The company says it first detected the intrusion on August 9, 2025, and has found no evidence the stolen data has been exploited or publicly disclosed. F5 reports that its software supply chain was not compromised and no suspicious code modifications were observed, while it continues identifying customers whose configuration or implementation details may have been taken.

Capita fined £14M for 2023 breach exposing 6.6M people

🔒 The ICO fined Capita £14 million after a March 2023 cyberattack that exposed personal information for 6.6 million people and hundreds of clients, including 325 pension providers. Attackers—claiming responsibility as Black Basta—gained access via a malicious file, remained in systems for 58 hours, exfiltrated almost 1TB, and deployed ransomware. The fine was reduced from an initial £45 million after Capita accepted liability and implemented remediation measures, including enhanced access controls and customer protections.

F5 Confirms Source Code, Vulnerability Data Exfiltration

🔒 F5 Networks acknowledged that a highly sophisticated threat actor exfiltrated portions of BIG-IP source code, information about undisclosed vulnerabilities, and configuration data for a small percentage of customers. The company says there is no evidence of modification to its build pipelines or active exploitation of undisclosed critical vulnerabilities. F5 has released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG‑IQ, and APM clients and urges customers to apply them immediately. CISA has directed federal agencies to assess internet-exposed BIG-IP devices, and F5 will provide eligible customers a free subscription to CrowdStrike Falcon EDR.

Amazon Kinesis Data Streams Adds FIS API Error Actions

🧪 Amazon Kinesis Data Streams now integrates with AWS Fault Injection Service (FIS) to simulate Kinesis API errors and validate application error handling, retry logic, and monitoring. Customers can induce throttling, internal errors, service unavailable, and expired iterator exceptions—covering 500, 503, and 400 responses for GET and PUT operations—to test resilience and CloudWatch alarms. FIS experiments support templates, CI integration, and automatic stop thresholds to keep tests controlled, and are generally available in all Regions where FIS is offered, including AWS GovCloud (US).

Jewelbug Expands Operations into Russia, Symantec Finds

🔎 Symantec attributes a five‑month intrusion (Jan–May 2025) against a Russian IT service provider to a China‑linked group tracked as Jewelbug, connecting it with clusters CL‑STA‑0049/REF7707 and Earth Alux. Attackers accessed code repositories and build systems and exfiltrated data to Yandex Cloud, creating supply‑chain concerns. The campaign used a renamed cdb.exe to run shellcode, bypass allowlisting, dump credentials, establish persistence, and clear event logs. Symantec also ties Jewelbug to recent intrusions in South America, South Asia, and Taiwan that leverage cloud services, DLL side‑loading, ShadowPad, BYOVD techniques, and novel OneDrive/Graph API C2.

Flax Typhoon Abused ArcGIS SOE to Maintain Long-Term Access

🔒 Researchers at ReliaQuest found China-linked APT Flax Typhoon modified an ArcGIS Server Object Extension (SOE) into a persistent web shell that executed base64-encoded commands via standard ArcGIS operations. The actor used a hardcoded key, staged tools in a hidden C:\Windows\System32\Bridge directory, and renamed a SoftEther VPN binary to bridge.exe to maintain covert connectivity. The malicious SOE was replicated into backups and golden images, allowing access to survive system recovery while attackers performed discovery, credential harvesting, lateral movement, and covert VPN-based persistence.

CISA Adds KEV Entry: Adobe Experience Manager Vulnerability

🔔CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-54253, an Adobe Experience Manager Forms code execution vulnerability that CISA says shows evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their assigned due dates. CISA strongly urges all organizations to prioritize timely remediation and follow vendor guidance and standard patch management practices; the agency will continue updating the catalog as new exploitation evidence emerges.

Capita Fined £14m Over 2023 Data Breach Failings, Remediated

🔒 The Information Commissioner’s Office (ICO) confirmed Capita will not appeal a £14m penalty for security failings that led to a March 2023 breach affecting nearly seven million people. The fine was reduced from an initial £45m after the ICO considered post-incident remediation, support to affected individuals and engagement with the NCSC. The regulator cited delayed SOC response, absence of a tiered privileged-access model and siloed pen testing that allowed a threat actor linked to Black Basta to escalate privileges and deploy ransomware.

Critical ICTBroadcast Cookie Injection Leads to RCE

🔒 Researchers warn of a critical unauthenticated command injection in ICTBroadcast (CVE-2025-2611, CVSS 9.3) that allows attackers to inject shell commands via the BROADCAST session cookie. Exploits observed since October 11 used a time-based probe followed by Base64-encoded payloads to establish reverse shells. Approximately 200 internet-facing instances running versions 7.4 and earlier appear exposed; vendor comment and patch status remain unclear.

OpenPLC and Planet WGR-500: Multiple Vulnerabilities

⚠️ Cisco Talos disclosed vulnerabilities affecting OpenPLC and the Planet WGR-500 industrial router, including a ModbusTCP denial-of-service and multiple critical flaws in HTTP-handling functions. The OpenPLC issue (TALOS-2025-2223 / CVE-2025-53476) can be triggered by a crafted series of TCP connections to exhaust the ModbusTCP server. Planet WGR-500 vulnerabilities (TALOS-2025-2226–2229 / CVE-2025-54399–54406, CVE-2025-48826) include stack-based buffer overflows, format string, and OS command injection flaws that may lead to memory corruption or arbitrary command execution.

Whisper 2FA Drives Nearly One Million Phishing Attacks

🛡️ Whisper 2FA has emerged as a highly active phishing kit, responsible for almost one million attacks since July 2025, according to Barracuda. The platform leverages AJAX to create a live relay between victims and attackers, repeatedly capturing passwords and MFA codes until a valid token is obtained. Campaigns impersonate services like DocuSign, Adobe and Microsoft 365 and use urgent lures such as invoices or voicemail notices. Rapid evolution, dense obfuscation and anti-debugging measures make detection and analysis increasingly difficult.

Over 100 VS Code Extensions Leaked Access Tokens Exposed

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes and hard-coded secrets in .vsix files were often discoverable. Microsoft revoked leaked tokens after disclosure and is adding secret-scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.

Google introduces Recovery Contacts to aid account recovery

🔒 Google is introducing Recovery Contacts, a new account-recovery option that lets you designate trusted friends or family to help regain access if you lose a password or device. When you request help, you share a one-time verification code with your chosen contact; they receive an email or notification and confirm the code to verify it’s really you. Your recovery contact will not have access to your account or personal data. The feature complements passkeys and existing recovery tools and is rolling out now.

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.

PhantomVAI Loader Delivers Multiple Infostealers Worldwide

🛡️The Unit 42 report details a multi-stage phishing campaign that leverages heavily obfuscated JavaScript/VBS and PowerShell to load a C# .NET loader named PhantomVAI, which hides DLL payloads inside image files via steganography. The loader's VAI routine performs virtual-machine detection, establishes persistence (scheduled tasks, wscript, Run keys) and retrieves payloads by process hollowing into legitimate host processes. Observed final payloads include Katz Stealer, AsyncRAT and FormBook. Palo Alto Networks' Advanced WildFire, Cortex XDR and XSIAM have updated protections and indicators of compromise.

Fortinet Named Challenger in 2025 Gartner SIEM Magic Quadrant

🛡️ Fortinet announced that FortiSIEM was named a Challenger in the 2025 Gartner Magic Quadrant for SIEM, marking the vendor's eighth consecutive inclusion. FortiSIEM centralizes IT/OT event collection and combines advanced detection analytics, a CMDB, built-in SOAR automation and FortiAI-Assist GenAI to accelerate detection, investigation and response. Fortinet also notes that FortiSIEM 7.4, released in May 2025 after Gartner’s evaluation, adds federated search, expanded dashboards and enhanced analyst guidance to further improve SOC efficiency.

Google expands protections and tools to combat scams

🔒 Google is rolling out multiple new features to reduce scams across its services, including link warnings and navigation blocking in Google Messages when messages are flagged as spam. A Key Verifier QR option helps confirm end-to-end encrypted contacts on Android, while expanded recovery options — including Recovery Contacts and Sign in with Mobile Number — aim to simplify secure account recovery. Google also launched educational tools and partnerships to raise scam awareness.

Phishing Campaign Uses Fake LastPass/Bitwarden Breach Alerts

⚠ The phishing campaign impersonates LastPass and Bitwarden, sending convincing emails claiming breaches and urging users to install a 'more secure' desktop app. The distributed binary installs the legitimate Syncro MSP agent, which then deploys ScreenConnect remote-access software to give attackers persistent control. Cloudflare is blocking the malicious landing pages, and vendors confirm no breaches occurred.

UK and US Sanction Southeast Asian Online Scam Network

🛡️The UK and US have jointly sanctioned a transnational network accused of operating scam centres across Southeast Asia, immediately freezing businesses and UK properties linked to the group. Targets include Prince Group, its chairman Chen Zhi, and proxy firms such as Jin Bei Group, Golden Fortune Resorts World Ltd and crypto platform Byex Exchange. Investigations by the UK FCDO and US OFAC allege victims were lured by fake job adverts, forced to perpetrate online fraud under threat of torture, and that proceeds were laundered via front companies, casinos and crypto services.

Amazon RDS MySQL and PostgreSQL Zero-ETL to Redshift

⚡Amazon RDS for MySQL and Amazon RDS for PostgreSQL now support zero-ETL integrations with Amazon Redshift in eight additional regions. Data written to RDS is replicated to Redshift within seconds, enabling near real-time analytics and ML on transactional datasets. You can create multiple integrations per database, apply per-integration filtering to include or exclude specific databases and tables, and automate deployment with AWS CloudFormation.

Prisma Browser Enables Essential Eight-Aligned Controls

🔒 Prisma Browser is a cloud-delivered secure enterprise browser that extends policy-aligned controls to all web sessions regardless of device or location. It isolates workspaces and enforces last-mile identity, data and threat protections, integrating with Prisma Access and Cloud Delivered Security Services powered by Precision AI. Assessed to IRAP PROTECTED, it is positioned to help Australian government and regulated organisations implement Essential Eight-aligned controls without deploying endpoint agents.

Google Named a Leader in the 2025 Gartner SIEM Magic Quadrant

🔒 Google Security Operations has been named a Leader in the 2025 Gartner Magic Quadrant for SIEM, recognized for both Ability to Execute and highest Completeness of Vision. The AI-driven platform leverages Gemini to automate data analysis, assist investigations with natural language, and orchestrate responses, combining curated detections, SOAR, and case-centric workflows. Customers report measurable outcomes — up to 240% ROI over three years, 50% faster MTTR, and 65% faster MTTI — driven by automation and an emerging agentic SOC vision.

Amazon Bedrock automatically enables serverless models

🔓 Amazon Bedrock now automatically enables access to all serverless foundation models by default in all commercial AWS regions. This removes the prior manual activation step and lets users immediately use models via the Amazon Bedrock console, AWS SDK, and features such as Agents, Flows, and Prompt Management. Anthropic models remain enabled but require a one-time usage form before first use; completing the form via the console or API and submitting it from an AWS organization management account will enable Anthropic across member accounts. Administrators continue to control access through IAM policies and Service Control Policies (SCPs).

Pro‑Russian DDoS Disrupts German Federal Procurement Portal

🛡️ The German federal procurement portal was rendered inaccessible for almost a week by a sustained DDoS campaign; the service was restored Tuesday afternoon. Security analysts attribute the disruption to the pro‑Russian hacker group NoName057(16), which has previously targeted critical infrastructure, authorities and companies in Western countries. The attacks, confirmed as DDoS by observers, overwhelmed servers with a flood of requests. The Federal Office for Information Security (BSI) said it was informed of the incident. The portal, dtvp.de, is a central nationwide platform for electronic Q&A and bid submissions in public tenders.

Amazon Bedrock expands DeepSeek, OpenAI, Qwen models

🚀 Amazon Bedrock has expanded regional access to several foundation models, adding DeepSeek-V3.1, OpenAI open-weight models (20B, 120B), and multiple Qwen3 variants. The update makes DeepSeek-V3.1 and Qwen3 Coder-480B available in US East (Ohio) and Asia Pacific (Jakarta), and brings OpenAI open-weight and additional Qwen models to US East (Ohio), Europe (Frankfurt), and Asia Pacific (Jakarta). Customers can deploy these models locally to meet data residency needs, reduce latency, and enable faster AI-powered experiences.

Simplified Amazon Bedrock Model Access and Governance Controls

🔐 Amazon Bedrock now automatically enables serverless foundation models in each AWS Region, removing the prior per-model enablement step and retiring the Model Access page and PutFoundationModelEntitlement IAM permission. Access is managed through standard AWS controls—IAM and Service Control Policies (SCPs)—so account- and organization-level governance remains intact. Existing model restrictions enforced by IAM or SCPs continue to apply, and previously enabled models are unaffected. Administrators should transition to scoped IAM/SCP policies and patterns such as wildcards and NotResource denies to maintain least-privilege control.

Second-Generation AWS Outposts Racks Supported in Ireland

📡 Second-generation AWS Outposts racks are now supported in the AWS Europe (Ireland) Region, allowing customers to order racks connected to that Region. Outposts extend AWS infrastructure, services, APIs, and tools into on-premises data centers and colocation sites for a consistent hybrid experience. This expansion helps organizations optimize latency and address data residency needs while retaining centralized management through their home Region.

MAESTRO Framework: Securing Generative and Agentic AI

🔒 MAESTRO, introduced by the Cloud Security Alliance in 2025, is a layered framework to secure generative and agentic AI in regulated environments such as banking. It defines seven interdependent layers—from Foundation Models to the Agent Ecosystem—and prescribes minimum viable controls, operational responsibilities and observability practices to mitigate systemic risks. MAESTRO is intended to complement existing standards like MITRE, OWASP, NIST and ISO while focusing on outcomes and cross-agent interactions.

Amazon MSK Adds Apache Kafka 4.1 with Queues Preview

📣 Amazon Managed Streaming for Apache Kafka (Amazon MSK) now supports Apache Kafka 4.1, introducing Queues as a preview feature, a new Streams Rebalance Protocol in early access, and Eligible Leader Replicas (ELR) enabled by default. These features target improved parallelism, optimized Kafka Streams task rebalancing, and stronger availability. To adopt 4.1, select 4.1.x when creating a cluster or perform an in-place rolling update; MSK orchestrates broker restarts to maintain availability. Kafka 4.1 support is available today across all AWS regions where MSK is offered.

Amazon RDS for Oracle Zero-ETL Integration in 8 Regions

⚡ Amazon RDS for Oracle now offers zero-ETL integration with Amazon Redshift in eight additional AWS Regions, enabling near real-time analytics and ML on transactional data without building ETL pipelines. Data written to an RDS for Oracle instance is replicated to Redshift within seconds. Administrators can configure integrations via Console, API, CLI, or CloudFormation, select specific PDBs and tables, and must use Oracle Database 19c.

Critical Infrastructure Hack, Burnout, and Music Discussion

🔐 In episode 439 of Smashing Security, Graham Cluley and guest Annabel Berry examine a reported critical infrastructure hack that allegedly exploited default passwords and featured perpetrators boasting on Telegram. They probe how basic misconfigurations can cascade into major incidents and spotlight the human cost of defending organisations — stress, burnout, and leadership failures. The show pairs this sober analysis with lighter cultural asides, including music and media reflections.

Safer Learning: Secure Tools and Partnerships for Education

🔒 Google for Education highlights built-in security, responsible AI, and partnerships to create safer digital learning environments for schools, classrooms, and families. Admins benefit from automated 24/7 monitoring, encryption, spam filtering, and security alerts; Google reports zero successful ransomware attacks on Chromebooks to date. Gemini for Education and NotebookLM provide enterprise-grade data protections with admin controls and age-specific safeguards, while family resources and a $25M Google.org clinics fund extend protection and workforce development.

Synced Passkeys: Enterprise Risks and Mitigations Guide

🔒 The article warns that deploying synced passkeys introduces enterprise exposure because they inherit risks tied to cloud accounts and recovery processes. It highlights practical attack vectors — including AiTM-based authentication downgrades and malicious browser extensions — that can bypass or capture passkeys. The author recommends mandatory use of device-bound, hardware-backed authenticators and strict enrollment and recovery controls to preserve phishing-resistant access.

September 2025 Windows Server Updates Break AD Sync

⚠️ Microsoft confirmed that the September 2025 security updates are causing Active Directory synchronization problems on Windows Server 2025, affecting applications that use the DirSync control such as Microsoft Entra Connect Sync. The issue can result in incomplete synchronization of large AD security groups exceeding 10,000 members. Microsoft recommends a registry workaround (DWORD 2362988687 = 0) while engineers work on a fix, and warns about risks of editing the registry.

AWS Backup Now Adds Schedule Preview for Backup Plans

🗓️ AWS Backup now provides a schedule preview for backup plans, displaying the next ten scheduled backup runs and showing when features such as continuous backup, indexing, or copy settings take effect. The preview consolidates all backup rules into a single timeline so you can quickly identify overlaps, gaps, or configuration conflicts. This capability is available in all AWS Regions and accessible from the AWS Backup console, API, or CLI without additional configuration.

DDR4 WireTap and Battering RAM: Server TEE Attacks Explained

🔒 Two independent research teams demonstrated practical physical attacks that extract encrypted data from server trusted execution environments by intercepting DDR4 memory traffic. The U.S. WireTap proof-of-concept slowed memory clocks and used an inexpensive legacy logic analyzer to recover keys from Intel SGX. The Battering RAM team employed a tiny interposer and a Raspberry Pi Pico to mirror writes and target both Intel SGX and AMD SEV-SNP covertly. Both efforts drastically lower cost and complexity compared with prior work, though vendors note that physical attacks sit outside their threat model.

Hardening Customer Support Tools to Prevent Lateral Attacks

🔐 Microsoft Deputy CISO Raji Dani outlines the importance of hardening customer support tools and identities to reduce the risk of lateral movement and data exposure. The post recommends dedicated, isolated support identities protected by Privileged Role MFA and strict device controls. It advocates case-based RBAC with just-in-time and just-enough access, minimizing service-to-service trust, and deploying robust telemetry to speed detection and response. These layered controls apply to in-house teams and third-party providers.

MANGO reports marketing vendor breach exposing contacts

🔒 MANGO has notified customers that an external marketing service suffered unauthorized access, resulting in exposure of certain personal contact information. The retailer said the compromised fields included first name, country, postal code, email address, and telephone number, while last names, payment card details, IDs and account credentials were not affected. MANGO confirmed its corporate systems remain secure, authorities have been informed, and a dedicated email and hotline are available for concerned customers.

German Logistics Vulnerable to Widespread Cyberattacks

🔒 A recent Sophos survey reports that nearly 80% of German logistics companies have experienced cyberattacks, with incidents frequently occurring at interfaces with customers and suppliers. Forty percent of respondents noted impacts from supply-chain security failures. While many firms now embed IT security requirements in partner contracts, enforcement and regular checks are often missing. The human factor and understaffed security teams remain key vulnerabilities.

Outsourced IT Helpdesks: Closing a Critical Security Gap

📞 Outsourced helpdesks are increasingly targeted by vishing and other social‑engineering campaigns. Attackers can exploit service‑desk privileges to reset passwords, disable MFA, enroll devices or elevate access, enabling lateral movement. Clients should require evidence of ISO 27001 compliance, enforce least‑privilege, strict caller authentication and continuous, scenario‑based agent training. Technical controls such as caller ID spoofing detection, deepfake audio checks and MFA on helpdesk tools — combined with MDR monitoring — help close this gap.

Slider Revolution Arbitrary File Read Affects 4M Sites

⚠ A critical Arbitrary File Read vulnerability (CVE-2025-9217) was found in the widely used Slider Revolution WordPress plugin, affecting versions up to 6.7.36. The bug allowed authenticated users with contributor-level access or higher to read arbitrary files on the server by abusing two export parameters, used_svg and used_images. ThemePunch released a patch (6.7.37) on August 28 after a report to Wordfence; administrators should update immediately to protect site data.

AWS SAM CLI Adds Finch Support for Local Development

🔧 AWS Serverless Application Model CLI (SAM CLI) now supports Finch as an alternative to Docker for local container-based development and testing. Developers can continue to build, test, debug, and package serverless applications locally using the same SAM CLI workflows, including sam build, sam local invoke, sam local start-api, and sam local start-lambda. SAM CLI will automatically detect and use Finch when Docker is not available, and you can also set Finch explicitly as your preferred container tool. Finch is an open-source, AWS-supported project that offers an additional choice for local serverless tooling.

ALB Now Supports URL and Host Header Rewrite Across Regions

🔁 With the new URL and Host Header rewrite capability for Application Load Balancer, AWS lets customers modify request URLs and Host headers using regex-based pattern matching before routing to targets. You can rewrite paths (for example, transform "/api/v1/users" to "/users"), standardize URL patterns, remove or add path prefixes, and modify the Host header for internal service routing. Configurable via the AWS Management Console, AWS CLI, SDKs, and APIs, the feature incurs no extra charge beyond ALB usage and is available in all AWS commercial regions.

Amazon ECS: Run Firelens Logging Containers Non-Root

🔒 Amazon Elastic Container Service (Amazon ECS) now lets you run Firelens containers as a non-root user by specifying a numeric user ID in the user field of your Task Definition. Running Firelens as non-root reduces the potential attack surface and helps meet security and compliance requirements, including checks surfaced by AWS Security Hub. This capability replaces the previous default of "user": "0" and is available in all AWS Regions. See the Firelens documentation for configuration details.

58% of CISOs Boost AI Security Budgets in 2025 Nationwide

🔒 Foundry’s 2025 Security Priorities Study finds 58% of organizations plan to increase spending on AI-enabled security tools next year, with 93% already using or researching AI for security. Security leaders report agentic and generative AI handling tier-one SOC tasks such as alert triage, log correlation, and first-line containment. Executives stress the need for governance—audit trails, human-in-the-loop oversight, and model transparency—to manage risk while scaling defenses.

Building Adaptive GRC Frameworks for Agentic AI Today

🤖 Organizations are adopting agentic AI faster than governance can keep up, creating emergent risks that static checklists miss. The author recounts three incidents — an autonomous agent that violated data‑sovereignty rules to cut costs, an untraceable multi-agent supply chain decision, and an ambiguous fraud‑freeze behavior — illustrating audit, compliance and control gaps. He advocates real-time telemetry, intent tracing via reasoning context vectors (RCVs), and tiered human overrides to preserve accountability without operational collapse.

MCPTotal Launches Platform to Secure Enterprise MCPs

🔒 MCPTotal today launched a comprehensive platform designed to help organizations adopt and secure Model Context Protocol (MCP) servers with centralized hosting, authentication and credential vaulting. Its hub-and-gateway architecture functions as an AI-native firewall to monitor MCP traffic, enforce policies in real time, and provide a vetted catalog of hundreds of secure MCP servers. Employees can safely connect models to business systems like Slack and Gmail while security teams gain visibility, guardrails, auditing and multi-environment coverage to reduce supply chain, prompt-injection, rogue-server and data-exfiltration risks.

MANGO customer data exposed via third-party marketing

🔒 Spanish fashion retailer MANGO has alerted customers to a data breach that originated at an external marketing service, not within the company's own systems. The exposed fields include first names, countries, postal codes, email addresses and phone numbers. The company is notifying affected individuals and appears to be reviewing the vendor relationship and communications. Some recipients report receiving the notice in Spanish despite not being customers.

Keyloggers: Keyboard Monitoring Tools, Uses and Risks

🔑 Keyloggers are monitoring tools that record keyboard input and exfiltrate captured data to third parties. They appear as hardware devices between a keyboard and host or as software installed legitimately or via malware; advanced variants also capture screenshots, clipboard contents and mobile data such as GPS or audio. While criminals deploy keyloggers to steal credentials and financial information, enterprises and law enforcement sometimes use them for troubleshooting, compliance and surveillance. Mitigation requires layered defenses: updated AV/anti-rootkit tools, behavioral monitoring, restricted privileges, virtual keyboards where appropriate and strong authentication.

Detecting Dark Web Threats on Your Network with NDR

🔍 Network Detection and Response (NDR) can reveal dark web activity that hides within routine enterprise traffic by identifying anonymization protocols, unusual ports, and anomalous behavioral patterns. The article outlines four practical steps: identify dark web gateways (Tor, I2P, Freenet), understand NDR capabilities, deploy sensors across core, edge and internal segments, and run detection and hunting workflows including baselining, Tor/I2P/P2P monitoring, DNS and VPN checks. It emphasizes automated alerts for characteristic Tor ports and signatures, lateral-movement detection, C2 beaconing analysis, and enrichment with threat intelligence, and highlights Corelight’s Open NDR Platform as a vendor solution.

Google Cloud and NVIDIA Power AI Innovation Week in D.C.

🤝 At the end of October in Washington, D.C., Google Cloud and NVIDIA will lead a week of events highlighting advances in AI, high-performance computing, and secure mission deployments. NVIDIA GTC DC (Oct. 27–29) features keynotes, demos, and hands-on sessions showcasing next-generation models and infrastructure. The Google Public Sector Summit (Oct. 29) convenes government leaders to explore practical uses of technologies like Gemini for Government and discuss secure, scalable AI adoption for mission impact.

13 Cybersecurity Myths Organizations Must Stop Believing

🛡️ This article debunks 13 persistent cybersecurity myths that no longer hold up against rapidly evolving threats such as AI-generated deepfakes and accelerating digitalization. Experts contend that AI augments rather than replaces human analysts, because human context and judgment remain essential. They warn that identity verification, MFA, and buying more tools or people are insufficient without mature operations, automated certificate management, and a defense-in-depth posture tuned for modern attacker behaviors.