Cybersecurity Brief

Cloud Platforms Add Controls as Exploits and Incidents Persist

Coverage: 22 Oct 2025 (UTC)

Cloud providers emphasized prevention and response today: EKS Auto Mode reached GovCloud with compliance‑aligned cryptography and automated lifecycle management, while CloudWatch added interactive incident reports to speed after‑action reviews. At the same time, a summer OAuth supply‑chain compromise continued to shadow SaaS risk, with CSO Online highlighting how validated tokens and broad AI integration scopes enabled mass data export from hundreds of Salesforce tenants.

Platform defenses and user safeguards

AWS expanded operational monitoring by bundling multiple endpoint checks into a single canary in CloudWatch Synthetics, cutting custom scripting and surfacing step‑level diagnostics for quicker troubleshooting. For secure access to remote desktops and apps, Amazon DCV 2025.0 added WebAuthn support and improved keyboard handling across platforms, enabling hardware keys and platform authenticators inside remote sessions. Together, these updates aim to reduce toil, improve visibility, and harden authentication without sacrificing performance.

Google Cloud detailed Model Armor, a screening layer for generative AI that detects prompt injection, protects sensitive data, filters harmful content, and can be enforced at the API gateway via Apigee policies. Meta introduced new anti‑scam measures on Messenger and WhatsApp, with BleepingComputer reporting default scam‑detection prompts, AI‑assisted message reviews, and proactive screen‑sharing warnings to curb account‑takeover and payment fraud. Why it matters: as AI agents and messaging platforms mediate more interactions, guardrails at ingress points and stronger user prompts can blunt common social‑engineering and jailbreak tactics.

Automation and performance for regulated and data‑heavy workloads

In regulated environments, the GovCloud availability of EKS Auto Mode (linked above) makes cluster operations less hands‑on, pairing ephemeral compute patterns with FIPS‑validated cryptography. For memory‑intensive databases and analytics, AWS also broadened large‑memory options with U7i 6TB instances in US East (Ohio), pairing 448 vCPUs with high EBS and network throughput to simplify architectures that previously required sharding.

Google Cloud previewed the H4D VM family for finance; in AMD benchmarks of latency‑sensitive simulations and backtesting, H4D VMs delivered a ~34% average uplift over prior C3D machines. The offering targets high‑frequency trading, risk calculations, and time‑series workloads where faster core‑to‑core communication and higher concurrency shorten runtimes and improve cost‑performance.

Advisories and active exploitation

CrowdStrike analyzed CVE‑2025‑54918, a critical NTLM/LDAP authentication bypass on Domain Controllers that chains coerced authentication and NTLM relay with on‑the‑fly flag manipulation to escalate a domain user to SYSTEM. The write‑up details indicators—empty username fields, LOCAL_CALL semantics, and stripped SEAL/SIGN flags—and urges rapid patching, enforced LDAP signing and channel binding, and tight hardening of exposed services such as the print spooler. Separately, researchers disclosed a TAR parsing flaw dubbed TARmageddon (CVE‑2025‑62518) in Rust async‑tar and forks, with The Hacker News noting that desynchronized PAX/ustar headers can let attackers smuggle extra entries during extraction, leading to file overwrites and potential RCE; users should migrate to patched forks such as astral‑tokio‑tar.

Active attacks continued against web platforms. Sansec observed exploitation of Adobe Commerce’s “SessionReaper” bug (CVE‑2025‑54236), with BleepingComputer reporting account‑hijack attempts via the REST API and slow patch uptake across Magento stores. Symantec also tracked broad abuse of the ToolShell SharePoint zero‑day (CVE‑2025‑53770) to plant webshells and deploy multiple backdoors; BleepingComputer describes impacts across government, telecom, and education, underscoring the need for emergency updates and forensic hunts for persistence and side‑loading artifacts.

Confirmed incidents and espionage pressure

CSO’s reporting on the summer’s OAuth token abuse in Salesforce ecosystems (linked above) underscores how validated third‑party access can mask exfiltration at scale; experts cited tighter vendor governance, IP restrictions, and stronger OAuth protections as concrete mitigations. In the UK, the Cyber Monitoring Centre assessed the Jaguar Land Rover outage as a Category 3 systemic incident, with Infosecurity citing an estimated £1.9bn impact driven largely by halted manufacturing and supply‑chain disruption. Why it matters: operational shutdowns ripple across suppliers and dealers, elevating cybersecurity to a board‑level operational risk.

Espionage operators stayed active. Group‑IB attributed a phishing‑led campaign to MuddyWater, with tailored lures and Phoenix backdoors across more than 100 organizations; The Hacker News highlights credential theft, use of legitimate RMM tools, and custom loaders to maintain persistence. Google Cloud’s threat team reported that ColdRiver replaced exposed tooling with a new chain delivered via fake CAPTCHA pages; CSO Online details variants such as NOROBOT and YESROBOT, encrypted payload delivery, and server‑side filtering that serves malware only to selected targets—tactics that complicate detection and response.

These and other news items from the day:

Wed, October 22, 2025

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

Wed, October 22, 2025

JLR Hack Deemed UK’s Costliest Cyber Incident at £1.9bn

🔒 The Cyber Monitoring Centre (CMC) concluded that the August 2025 cyber-attack on Jaguar Land Rover (JLR) produced an estimated UK financial impact of £1.9bn ($2.55bn) and affected more than 5,000 organisations. The CMC said the vast majority of the cost derived from halted manufacturing after an IT shutdown that stopped production at major UK plants and disrupted suppliers and dealer systems. Analysts ranked the incident a Category 3 systemic event and warned costs could rise if operational technology or intellectual property were compromised. Industry experts called for stronger governmental oversight and for boards to treat cybersecurity as a strategic risk.

Wed, October 22, 2025

Amazon EKS Auto Mode Adds FIPS Support in GovCloud

🔐 Amazon Elastic Kubernetes Service (EKS) Auto Mode is now available in AWS GovCloud (US-East) and (US-West), automating compute, storage, and networking management for Kubernetes clusters. Its AMIs include FIPS-validated cryptographic modules to help meet FedRAMP-style requirements. EKS Auto Mode handles OS patching, leverages ephemeral compute to reduce persistent attack surface, and dynamically scales EC2 instances to optimize costs while maintaining availability; it supports clusters running Kubernetes 1.29 and later with no upfront fees.

Wed, October 22, 2025

Amazon U7i High Memory Instances Reach US East (Ohio)

🚀 Amazon EC2 High Memory U7i instances (u7i-6tb.112xlarge) are now available in the AWS US East (Ohio) Region. These 7th-generation instances deliver 6TB of DDR5 memory and 448 vCPUs powered by custom 4th-generation Intel Xeon Scalable processors (Sapphire Rapids). They support up to 100 Gbps for EBS throughput and networking, include ENA Express, and are designed for mission-critical in-memory databases such as SAP HANA, Oracle, and SQL Server.

Wed, October 22, 2025

AWS Launches Second Secret Region: AWS Secret-West

🔒 AWS announced the launch of AWS Secret-West, its second Secret U.S. region for handling mission-critical workloads at the Secret classification. The region offers multiple Availability Zones, an ICD-accredited security architecture, and authorized services under ICD 503 and DoD SRG IL6. It provides lower latency for western U.S. operations, multi-region resiliency, and geographic separation to support government mission requirements.

Wed, October 22, 2025

Google Cloud H4D VMs Boost Finance Workload Performance

⚡ Google Cloud announced the H4D VM family (Preview), powered by 5th Gen AMD EPYC processors (Turin), aimed at delivering extreme performance for financial services workloads. The H4D series targets latency-sensitive use cases such as high-frequency trading, Monte Carlo risk simulations, backtesting, and derivatives pricing by offering faster core-to-core communication, larger memory capacity, and improved network throughput. AMD benchmarking with the open-source KX Nano test reported an average ~34% out-of-the-box performance gain over prior C3D VMs, with per-core and multi-threaded uplifts around 1.33–1.36x. Google Cloud will demonstrate H4D and complementary HPC solutions at STAC Summit NYC on October 28th and will have experts available to discuss performance, security, and compliance.

Wed, October 22, 2025

Amazon CloudWatch adds interactive incident reporting

📝 Amazon CloudWatch now offers interactive incident report generation, enabling customers to produce comprehensive post-incident analysis in minutes. The capability, available within CloudWatch investigations, automatically gathers and correlates telemetry data, user inputs, and investigation actions to produce streamlined reports. Reports include executive summaries, timelines, impact assessments, and actionable recommendations to help teams identify patterns and implement preventive measures. The feature is available in multiple AWS regions.

Wed, October 22, 2025

ChatGPT Atlas Signals Shift Toward AI Operating Systems

🤖 ChatGPT Atlas previews a future where AI becomes the primary interface for computing, letting users describe outcomes while the system orchestrates apps, data, and web services. Atlas demonstrates a context-aware assistant that understands a user’s digital life and can act on their behalf. This prototype points to productivity and accessibility gains, but it also creates new security, privacy, and governance challenges organizations must prepare for.

Wed, October 22, 2025

Meta launches new anti-scam tools for WhatsApp, Messenger

🛡️ Meta is rolling out new anti-scam features for Messenger and WhatsApp to help users detect and avoid fraud. Messenger testing includes AI-assisted scam detection that warns about suspicious new contacts and offers options to block, report, or submit messages for review. WhatsApp will display warnings about screen-sharing with unknown callers. These protections are enabled by default.

Wed, October 22, 2025

Amazon DCV 2025.0 Adds WebAuthn, ARM, and Keyboard Support

🔒 Amazon DCV 2025.0 is the latest release of the high-performance remote display protocol, delivering enhanced security and productivity for virtual desktop and application sessions. The update adds WebAuthn redirection on Windows and browser-based WebAuthn on Linux to enable security-key authentication in native and SaaS apps, plus server-side keyboard layout handling and alignment for Windows clients to improve input consistency. Other improvements include Linux client support for ARM, Windows Server 2025 host compatibility, and scroll wheel optimizations for smoother navigation. See AWS documentation and the DCV product page for full release notes.

Wed, October 22, 2025

CloudWatch Synthetics: Bundled Multi-Check Canaries

🔧 Amazon CloudWatch Synthetics now offers bundled multi-check blueprints that let teams define comprehensive synthetic tests using a single JSON configuration file. A single canary can include up to 10 steps covering HTTP (with varied authentication), DNS, SSL certificate checks and TCP ports, and supports complex assertions on status, latency, headers and response body. Integration with AWS Secrets Manager secures credentials, while step-by-step results and console debugging simplify implementation compared with writing multiple custom canaries.

Wed, October 22, 2025

Model Armor and Apigee: Protecting Generative AI Apps

🔒 Google Cloud’s Model Armor integrates with Apigee to screen prompts, responses, and agent interactions, helping organizations mitigate prompt injection, jailbreaks, sensitive data exposure, malicious links, and harmful content. The model‑agnostic, cloud‑agnostic service supports REST APIs and inline integrations with Apigee, Vertex AI, Agentspace, and network service extensions. The article provides step‑by‑step setup: enable the API, create templates, assign service account roles, add SanitizeUserPrompt and SanitizeModelResponse policies to Apigee proxies, and review findings in the AI Protection dashboard.

Wed, October 22, 2025

NTLM/LDAP Authentication Bypass (CVE-2025-54918) Analysis

🔍 This analysis examines CVE-2025-54918, a critical NTLM/LDAP authentication bypass that enables privilege escalation from a standard domain user to SYSTEM on Domain Controllers. The vulnerability chains coercion (PrinterBug-style) with NTLM relay and packet manipulation to evade channel binding and LDAP signing. The post outlines the attack flow, detection indicators such as empty usernames and LOCAL_CALL flags, and mitigations using CrowdStrike Falcon capabilities.

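
The indicators listed above (empty user name, the LOCAL_CALL flag, SIGN and SEAL absent) can be checked directly on the NTLM AUTHENTICATE_MESSAGE. The following is an added example, not CrowdStrike's code and not Falcon logic: it parses the type-3 message and reports which indicators are present. Field offsets and flag values follow MS-NLMP; the two sample messages are constructed here with all-zero placeholder challenge responses, and strings are assumed to be UTF-16 (the UNICODE flag), so the parser is illustrative rather than a full NTLM implementation.

```python
import struct

# NegotiateFlags bits from MS-NLMP (section 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_LOCAL_CALL = 0x00004000

HEADER_LEN = 88  # signature, type, six field descriptors, flags, Version, MIC


def build_authenticate(user: str, flags: int, domain: str = "CORP") -> bytes:
    """Constructed type-3 message for testing; the responses are zero placeholders."""
    payload = b""

    def put(data: bytes) -> bytes:
        # Each field descriptor is Len, MaxLen, BufferOffset (offset is absolute).
        nonlocal payload
        descriptor = struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload))
        payload += data
        return descriptor

    lm = put(bytes(24))                          # LmChallengeResponse placeholder
    nt = put(bytes(24))                          # NtChallengeResponse placeholder
    dom = put(domain.encode("utf-16-le"))
    usr = put(user.encode("utf-16-le"))
    ws = put("WS01".encode("utf-16-le"))
    key = put(b"")                               # no EncryptedRandomSessionKey
    header = (b"NTLMSSP\0" + struct.pack("<I", 3) + lm + nt + dom + usr + ws + key
              + struct.pack("<I", flags) + bytes(8) + bytes(16))  # Version, MIC
    return header + payload


def parse_authenticate(msg: bytes) -> dict:
    """Extract domain, user name and NegotiateFlags from an AUTHENTICATE_MESSAGE."""
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    dlen, _, doff = struct.unpack_from("<HHI", msg, 28)   # DomainNameFields
    ulen, _, uoff = struct.unpack_from("<HHI", msg, 36)   # UserNameFields
    flags = struct.unpack_from("<I", msg, 60)[0]          # NegotiateFlags
    return {
        "domain": msg[doff:doff + dlen].decode("utf-16-le"),
        "user": msg[uoff:uoff + ulen].decode("utf-16-le"),
        "flags": flags,
    }


def relay_indicators(msg: bytes) -> list:
    """Names of the write-up's indicators found in the message; empty means none fired."""
    info = parse_authenticate(msg)
    found = []
    if info["user"] == "":
        found.append("empty-username")
    if info["flags"] & NTLMSSP_NEGOTIATE_LOCAL_CALL:
        found.append("local-call")       # only meaningful on a locally generated token
    if not info["flags"] & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL):
        found.append("no-sign-seal")     # integrity/confidentiality not negotiated
    return found


# Constructed samples: a normal logon and one showing all three indicators.
NORMAL = build_authenticate(
    "alice", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL)
SUSPICIOUS = build_authenticate("", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_LOCAL_CALL)

if __name__ == "__main__":
    for label, message in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(label, relay_indicators(message))
```

In practice the message would come from a packet capture or an LDAP server-side trace; the three checks are deliberately independent so each can be tuned or weighted on its own, and a message that trips all three at once is the pattern the write-up describes.
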
Wed, October 22, 2025

TARmageddon: High-Severity Flaw in async-tar Rust ecosystem

⚠️ Researchers disclosed a high-severity vulnerability (CVE-2025-62518, CVSS 8.1) in the async-tar Rust library and forks such as tokio-tar that can enable remote code execution via file-overwrite attacks when processing nested TAR archives. Edera, which found the issue in late August 2025, attributes the problem to inconsistent PAX/ustar header handling that allows attackers to 'smuggle' additional entries by exploiting size overrides. Because tokio-tar appears unmaintained, users are advised to migrate to astral-tokio-tar v0.5.6, which patches the boundary-parsing vulnerability affecting projects like testcontainers and wasmCloud.

Wed, October 22, 2025

Critical TAR parsing bug found in popular Rust libraries

🛡️ Researchers at Edera disclosed a critical boundary-parsing flaw called TARmageddon (CVE-2025-62518) in the async-tar family and many forks, including the widely used tokio-tar. The desynchronization bug can smuggle extra archive entries during nested TAR extraction, enabling file overwrites that may lead to Remote Code Execution or supply-chain compromise. Administrators should patch affected forks, consider migrating to the patched astral-tokio-tar ≥0.5.6, and scan Rust-built applications for exposure.

Wed, October 22, 2025

TARmageddon: Abandoned Rust tar library enables RCE

🚨 A high-severity logic flaw in the abandoned async-tar Rust library and its forks allows unauthenticated attackers to inject archive entries and achieve remote code execution when nested TARs with mismatched ustar and PAX headers are processed. Edera, which named the issue TARmageddon and tracked it as CVE-2025-62518, explains the parser can jump into file content and mistake it for headers, enabling extraction of attacker-supplied files. The bug also affects the widely used but abandoned tokio-tar fork (7M+ downloads), while several active forks have already been patched. Developers are advised to upgrade to patched forks such as astral-tokio-tar or remove the vulnerable dependency immediately.

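
The three TARmageddon items above all come down to one parsing decision: when a PAX extended header carries a size record, that value and the ustar size field of the following entry describe the same boundary, and a reader that consumes the body with one and advances with the other ends up inside file content. The following is an added example, not Edera's code and not from async-tar or any fork: a minimal tar walker that refuses an archive when the two values disagree, allowing the one legitimate case where the value did not fit the 11-digit octal field. Both sample archives are constructed inline; the standard library's tarfile is used only to cross-check that the consistent archive is well formed.

```python
import io
import tarfile

BLOCK = 512
USTAR_MAX = 8 ** 11 - 1  # largest value an 11-digit octal size field can hold


def _octal(value, width):
    return f"{value:0{width - 1}o}".encode("ascii") + b"\0"


def _pad(data):
    return data + b"\0" * (-len(data) % BLOCK)


def ustar_header(name, size, typeflag):
    """One 512-byte ustar header block with a valid checksum (constructed helper)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    h[100:108] = _octal(0o644, 8)  # mode
    h[108:124] = _octal(0, 8) * 2  # uid, gid
    h[124:136] = _octal(size, 12)  # size: the field a PAX record may override
    h[136:148] = _octal(0, 12)     # mtime
    h[148:156] = b" " * 8          # checksum is computed with spaces in this field
    h[156:157] = typeflag
    h[257:265] = b"ustar\0" + b"00"
    h[148:156] = f"{sum(h):06o}".encode("ascii") + b"\0 "
    return bytes(h)


def pax_entry(records):
    """PAX extended header ('x' entry) carrying key=value records."""
    body = b""
    for key, value in records.items():
        rest = f" {key}={value}\n".encode()
        n = len(rest) + 1                       # the length field counts itself
        while len(str(n)) + len(rest) != n:
            n = len(str(n)) + len(rest)
        body += str(n).encode() + rest
    return ustar_header(b"./PaxHeaders/entry", len(body), b"x") + _pad(body)


def file_entry(name, data):
    return ustar_header(name, len(data), b"0") + _pad(data)


def parse_pax(body):
    records, pos = {}, 0
    while pos < len(body):
        space = body.index(b" ", pos)
        length = int(body[pos:space])
        key, _, value = body[space + 1:pos + length].rstrip(b"\n").partition(b"=")
        records[key.decode()] = value.decode()
        pos += length
    return records


def walk(archive):
    """List (name, size) of regular entries; raise ValueError on an inconsistent boundary."""
    entries, pos, pax = [], 0, {}
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        if hdr == bytes(BLOCK):
            break                                  # end-of-archive marker
        if int(hdr[148:154], 8) != sum(hdr[:148]) + 8 * 32 + sum(hdr[156:]):
            raise ValueError(f"bad header checksum at offset {pos}")
        name = hdr[:100].rstrip(b"\0").decode()
        ustar_size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        typeflag = hdr[156:157]
        pos += BLOCK
        size = ustar_size
        if typeflag == b"x":
            pax = parse_pax(archive[pos:pos + ustar_size])
        else:
            if "size" in pax:
                size = int(pax["size"])
                # A writer needs a PAX size only when the ustar field cannot hold it
                # (the field is then 0 or its maximum); any other disagreement means a
                # reader could take the body from one value and advance by the other.
                overflow = size > USTAR_MAX and ustar_size in (0, USTAR_MAX)
                if size != ustar_size and not overflow:
                    raise ValueError(f"{name}: PAX size {size} != ustar size {ustar_size}")
            pax = {}
            entries.append((name, size))
        pos += (size + BLOCK - 1) // BLOCK * BLOCK  # skip the padded data blocks
    return entries


def is_consistent(archive):
    try:
        walk(archive)
        return True
    except ValueError:
        return False


def stdlib_names(archive):
    """Cross-check: the standard library reads the same archive."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        return tf.getnames()


END = bytes(2 * BLOCK)
# Constructed: PAX record and ustar field agree (5 bytes).
CONSISTENT = pax_entry({"size": 5}) + file_entry(b"hello.txt", b"hello") + END
# Constructed: PAX says 5 bytes but the ustar field says 1024; a reader that mixes the
# two lands inside the 1024 data bytes and would treat them as the next header.
DESYNCED = pax_entry({"size": 5}) + file_entry(b"hello.txt", b"A" * 1024) + END
```

Rejecting rather than picking one value is the conservative choice for an extractor: a writer that emits agreeing values loses nothing, and the only legitimate mismatch (a file too large for the octal field) is allowed explicitly. The same walk-and-compare check can be run over archives pulled from a build cache or container layer before they are handed to any extractor.
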
Wed, October 22, 2025

Iran-Linked MuddyWater Targets 100+ Organisations Globally

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

Wed, October 22, 2025

FinWise Breach Highlights Encryption and Insider Risk

🔒 The FinWise data breach involved a former employee who retained credentials and accessed systems on May 31, 2024, exposing personal records for 689,000 American First Finance customers. The intrusion remained undetected until June 18, 2025, prompting lawsuits alleging inadequate encryption and weak security governance. Experts say robust protection requires not only encryption but effective key management, strict access controls, and proactive monitoring. Vendor solutions such as D.AMO are presented as integrated platforms combining encryption, an isolated KMS, and centralized control to mitigate insider risk.

Wed, October 22, 2025

ToolShell SharePoint Exploit Hits Organizations Worldwide

⚠️ Symantec reports that hackers linked to China exploited the ToolShell vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint servers to target government agencies, universities, telecommunications providers, and financial firms across four continents. The zero-day, disclosed on July 20, was used to plant webshells and enable remote code execution. Attackers deployed DLL side-loading to load a Go backdoor named Zingdoor, later chained to ShadowPad, KrustyLoader, and the Sliver framework, and performed credential dumping and PetitPotam abuse to escalate to domain compromise.

Wed, October 22, 2025

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.

Wed, October 22, 2025

Active Exploitation of SessionReaper Flaw in Adobe Magento

⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.

Wed, October 22, 2025

Chinese Groups Widely Exploit ToolShell SharePoint Flaw

🔒 Symantec reports that China-linked threat actors exploited the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770) weeks after Microsoft issued a July 2025 patch, compromising a Middle Eastern telecom and multiple government and corporate targets across regions. Attackers used loaders and backdoors such as KrustyLoader, ShadowPad and Zingdoor, and in several incidents employed DLL side-loading and privilege escalation via CVE-2021-36942. Symantec notes the operations aimed at credential theft, stealthy persistence, and likely espionage, with activity linked to groups including Linen Typhoon, Violet Typhoon, Storm-2603 and Salt Typhoon.

Wed, October 22, 2025

Jingle Thief: Inside a Cloud Gift Card Fraud Campaign

🔍 Unit 42 details the Jingle Thief campaign, a Morocco‑based, financially motivated operation that uses phishing and smishing to harvest Microsoft 365 credentials and abuse cloud services to commit large‑scale gift card fraud. The actors maintain prolonged, stealthy access for reconnaissance across SharePoint, OneDrive and Exchange, and rely on internal phishing, inbox rules and rogue device enrollment in Entra ID to persist and issue unauthorized cards. The report (cluster CL‑CRI‑1032) links the activity to Atlas Lion/STORM‑0539 and emphasizes identity‑centric detections and mitigations.

Wed, October 22, 2025

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

Wed, October 22, 2025

Iranian MuddyWater Targets 100+ Governments with Phoenix

⚠ State-sponsored Iranian group MuddyWater deployed version 4 of the Phoenix backdoor against more than 100 government and diplomatic entities across the Middle East and North Africa. The campaign began on August 19 with phishing sent from a NordVPN-compromised account and used malicious Word macros to drop a FakeUpdate loader that writes C:\ProgramData\sysprocupdate.exe. Researchers observed Phoenix v4 using AES-encrypted embedded payloads, COM-based persistence, WinHTTP C2 communications and an accompanying Chrome infostealer, while server-side C2 was taken offline on August 24, suggesting a shift in operational tooling.

Wed, October 22, 2025

PhantomCaptcha campaign targets Ukraine relief organisations

🛡️ Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.

Wed, October 22, 2025

MuddyWater Exploits Compromised Mailboxes in Global Phishing

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.

Wed, October 22, 2025

CISA Adds Motex LANSCOPE CVE to KEV Catalog, Urges Fixes

⚠️ CISA added CVE-2025-61932 — an Improper Verification of Source of a Communication Channel vulnerability in Motex LANSCOPE Endpoint Manager — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by mandated deadlines. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management and will continue updating the KEV Catalog as new exploited vulnerabilities are confirmed.

Wed, October 22, 2025

PassiveNeuron APT Uses Neursite and NeuralExecutor

🧠 Kaspersky researchers have identified a sophisticated cyber-espionage campaign dubbed PassiveNeuron that has targeted government, financial, and industrial organizations across Asia, Africa, and Latin America since late 2024. The operation uses bespoke implants—Neursite (a C++ modular backdoor) and NeuralExecutor (a .NET loader)—alongside Cobalt Strike, leveraging compromised internal servers as intermediate C2s and a plugin architecture to maintain persistence and adapt tooling. Victims include internet-exposed servers; attackers have used SQL-based remote command execution, attempted ASPX web shells, deployed DLL loaders into the System32 directory, and in 2025 adopted a GitHub-based dead-drop resolver to retrieve C2 addresses.

Wed, October 22, 2025

TP-Link fixes four critical Omada Gateway vulnerabilities

🔒 TP-Link has published firmware updates to address four security flaws in its Omada gateway devices, including two critical command injection vulnerabilities that could allow arbitrary command execution on the device OS. The issues are tracked as CVE-2025-6541, CVE-2025-6542, CVE-2025-7850 and CVE-2025-7851, affecting multiple ER, FR and G-series models. Users are urged to install the patched builds promptly and verify device configurations after upgrading.

Wed, October 22, 2025

PhantomCaptcha Phishing Targets Ukraine Aid Groups

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

Wed, October 22, 2025

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

Wed, October 22, 2025

PhantomCaptcha ClickFix Attack Targets Ukraine Relief Orgs

🛡️ A one-day spearphishing campaign named PhantomCaptcha targeted Ukrainian regional government officials and multiple war-relief organizations on October 8, using malicious PDFs that linked to a fake Zoom domain and impersonated the President’s Office. According to SentinelLABS, the operation used a fake Cloudflare CAPTCHA to trick victims into copying and pasting a token into the Windows Command Prompt, which executed a PowerShell downloader and deployed a WebSocket RAT. The lightweight RAT provided remote command execution and data exfiltration capabilities, and researchers found follow-on activity delivering spyware-laced Android APKs to users in Lviv.

Wed, October 22, 2025

Amazon S3 Generates CloudTrail Events for Table Maintenance

🔔 Amazon S3 now emits AWS CloudTrail events for S3 Tables maintenance operations so you can track compaction and snapshot expiration. Maintenance activities are recorded as management events in CloudTrail, enabling auditing and monitoring of automatic optimization tasks. To monitor these events, create a trail and filter for eventType='AwsServiceEvents' and eventName='TablesMaintenanceEvent'. Events are available in all Regions where S3 Tables are offered.

Wed, October 22, 2025

Typosquatted Nethereum NuGet Package Steals Wallet Keys

🔒 Security researchers uncovered a NuGet typosquat, Netherеum.All, created to harvest cryptocurrency wallet secrets and exfiltrate them to a hidden command-and-control server. Uploaded on October 16, 2025 by user "nethereumgroup" and removed four days later, the package uses a Cyrillic 'e' homoglyph to impersonate Nethereum and falsely claims 11.7 million downloads to appear legitimate. Socket analysts found an XOR-decoded C2 endpoint (solananetworkinstance[.]info/api/gads) and a payload in EIP70221TransactionService.Shuffle that steals mnemonics, private keys, and keystore files. Developers are advised to verify publisher identity, watch for sudden download surges, and monitor anomalous network traffic before adding dependencies.

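
The homoglyph trick above is mechanical enough to check for before a dependency is added. The following is an added example, not Socket's tooling and not part of the Nethereum project: it flags a package name that contains non-ASCII characters or mixes scripts, and it folds a hand-picked subset of Cyrillic lookalikes to their Latin counterparts to see whether the name collides with a trusted one. The lookalike table is deliberately small (it is not the Unicode confusables list) and the manifest and trusted set are constructed here; the Cyrillic 'e' is U+0435, as in the package the report describes.

```python
import unicodedata

# Cyrillic letters that render like Latin letters (a subset, chosen by hand).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(name: str) -> str:
    """Case-insensitive form with lookalike Cyrillic letters folded to Latin."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in folded)


def check_package(name: str, trusted: set) -> dict:
    """Describe why a package id looks suspicious; 'suspicious' False means it is clean."""
    scripts = {script_of(ch) for ch in name if ch.isalpha()}
    non_ascii = [f"U+{ord(ch):04X}" for ch in name if ord(ch) > 127]
    impersonates = None
    if name not in trusted:
        skel = skeleton(name)
        matches = sorted(t for t in trusted if skeleton(t) == skel)
        impersonates = matches[0] if matches else None
    return {
        "name": name,
        "non_ascii": non_ascii,                  # code points outside ASCII
        "mixed_script": len(scripts) > 1,        # e.g. Latin letters plus one Cyrillic
        "impersonates": impersonates,            # trusted id it collapses onto, if any
        "suspicious": bool(non_ascii or len(scripts) > 1 or impersonates),
    }


def audit(manifest: list, trusted: set) -> list:
    """Return the check results for every manifest entry that is suspicious."""
    results = (check_package(name, trusted) for name in manifest)
    return [r for r in results if r["suspicious"]]


# Constructed inputs: a trusted allow-list and a manifest whose second entry spells
# "Nethereum" with CYRILLIC SMALL LETTER IE (U+0435) in place of the Latin 'e'.
TRUSTED = {"Nethereum.All", "Newtonsoft.Json", "Serilog"}
MANIFEST = ["Newtonsoft.Json", "Nether\u0435um.All", "Serilog", "Nethereum.All"]

if __name__ == "__main__":
    for finding in audit(MANIFEST, TRUSTED):
        print(finding)
```

The skeleton comparison is what catches the case that a plain non-ASCII check would also catch but explain less well: it names the trusted package being impersonated, which is the detail a reviewer needs to act on. The same function fits into a pre-commit hook or a CI step that reads the project's package list before restore.
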
Wed, October 22, 2025

Ransomware Attack Disrupts IT at Nickelhütte Aue Company

🔒 A ransomware attack on Nickelhütte Aue's office IT encrypted data and caused disruptions across multiple back-office systems, with HR, accounting, finance, purchasing and sales identified as affected. A company spokesperson told CSO that production remained unaffected and management established a crisis organisation after the incident was discovered on Saturday, October 18. The attackers left an extortion note threatening to publish stolen files; investigations by IT forensics teams and authorities are ongoing while the firm consults on how to respond to the ransom demand. The company says it is cleaning infected devices and making steady progress, but the timeframe to fully rebuild IT systems remains unclear.

Wed, October 22, 2025

Amazon RDS for SQL Server: KMS Encryption for Native Backups

🔐 Amazon RDS for SQL Server now supports encrypting native backup files (.bak) stored in Amazon S3 using server-side encryption with AWS KMS keys (SSE-KMS). By default, native backups remain encrypted with Amazon S3-managed keys (SSE-S3), and customers can opt to apply their own KMS key for additional protection and key control. To enable the feature, update the KMS key policy to grant the RDS backup service access and specify the parameter @enable_bucket_default_encryption in the native backup stored procedure. This capability is available in all AWS Regions where Amazon RDS for SQL Server is offered.

Wed, October 22, 2025

AWS PCS Adds Slurm Cluster Secret Rotation Support

🔐 AWS Parallel Computing Service (PCS) now supports rotation of Slurm cluster secret keys using AWS Secrets Manager. Administrators can update the credentials used for authentication between the Slurm controller and compute nodes without recreating a cluster, preserving running workloads and configuration. Regular rotation reduces the risk of credential compromise and helps meet security best practices and compliance requirements. The capability is available in all Regions where PCS operates and can be initiated from the Secrets Manager console or via API after preparing the cluster for rotation.

Wed, October 22, 2025

Google Careers Phishing Targets Job Seekers' Credentials

🔒 Scammers are impersonating Google’s Careers recruiting outreach to trick job seekers into a fake booking flow that ends on a spoofed Google login page, harvesting account credentials and cloud data. Researchers at Sublime Security documented HTML evasion techniques, abused delivery services, dynamic phishing kits and C2 servers. Organizations should enforce strong MFA, monitor anomalous logins, and train employees to treat unsolicited recruiter invitations with skepticism.

read more →

Wed, October 22, 2025

Canada Fines Cryptomus $176M over AML Oversight in 2025

🔒 FINTRAC has imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., the operator of Cryptomus, after finding widespread failures to file suspicious transaction reports tied to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion. Regulators said the payments platform enabled dozens of Russian‑focused exchanges and cybercrime‑facing services to move illicit proceeds. The action follows investigative reporting showing numerous money service businesses clustered at shared Canadian addresses that appear to be fronts.

read more →

Wed, October 22, 2025

SnakeStealer Infostealer Surges to Top of Detections

🔒 SnakeStealer is an infostealer family that surged in early 2025 to top ESET's infostealer detection charts. First seen in 2019 and originally linked to tools marketed as 404 Keylogger/Crypter, it spread widely by abusing Discord and cloud hosting and through phishing attachments, archived payloads and pirated software. Offered as malware‑as‑a‑service, it harvests credentials, clipboard contents, screenshots and keystrokes while using evasion and persistence tricks. Reduce risk by keeping systems updated, enabling MFA, treating unsolicited attachments with caution, changing passwords from clean devices and running reputable security software.

read more →

Wed, October 22, 2025

Amazon EC2 C7i-flex Instances Launch in Jakarta Region

🚀 Amazon Web Services has launched C7i-flex instances in the Asia Pacific (Jakarta) Region. The new instances deliver up to 19% better price-performance versus C6i and use custom 4th generation Intel Xeon Scalable (Sapphire Rapids) processors available only on AWS, while offering roughly 5% lower prices than standard C7i. C7i-flex covers common sizes from large to 16xlarge and is intended for compute-intensive workloads that don’t fully utilize all vCPUs; customers with continuous high CPU usage or needs for very large sizes (up to 192 vCPUs and 384 GiB) should consider full-size C7i instances.

read more →

Wed, October 22, 2025

Amazon MQ Launches in AWS Asia Pacific (New Zealand)

🚀 Amazon MQ is now available in the AWS Asia Pacific (New Zealand) Region (API name ap-southeast-6) with three Availability Zones. The managed message broker supports Apache ActiveMQ and RabbitMQ, reducing operational overhead by managing provisioning, setup, and maintenance. Because it uses industry-standard APIs and protocols, customers can migrate applications to AWS without rewriting code. With this launch, Amazon MQ is now offered in 38 AWS regions globally.

read more →

Wed, October 22, 2025

CISO Imperative: Building Resilience in Accelerating Threats

🔒 The Microsoft Digital Defense Report 2025 warns that cyber threats are accelerating in speed, scale, and sophistication, driven by AI and coordinated, cross-border operations. Attack windows have shrunk—compromises can occur within 48 hours in cloud containers—while AI-powered phishing and credential theft have grown markedly more effective. For CISOs this requires reframing security as a business enabler, prioritizing resilience, automation, and modern identity controls such as phishing-resistant MFA. The Secure Future Initiative provides practitioner-tested patterns to operationalize these priorities.

read more →

Wed, October 22, 2025

Amazon Redshift Auto-Copy Expands to Four AWS Regions

📥 Amazon Redshift Auto-Copy is now available in Asia Pacific (Malaysia), Asia Pacific (Thailand), Mexico (Central), and Asia Pacific (Taipei). The feature lets you configure an integration to continuously detect and load new files from a specified Amazon S3 prefix into Redshift tables without requiring custom COPY pipelines or external tooling. Auto-Copy records previously loaded files to prevent duplicate ingestion and exposes job status and metrics via Redshift system tables for monitoring and troubleshooting.

read more →

Wed, October 22, 2025

Pentera Resolve Aims to Close the Remediation Gap Now

🔧 Pentera today unveiled Pentera Resolve, a platform extension that embeds automated remediation workflows into security validation to bridge the persistent remediation gap. The product converts validated findings into tracked, auditable tickets routed to owners in tools like ServiceNow, Jira, and Slack. Powered by AI-driven triage and contextual enrichment, it aims to replace manual consolidation with a measurable, repeatable remediation loop of validate, remediate, and re-test.

read more →

Wed, October 22, 2025

Amazon RDS for SQL Server: Preserve CDC on Restore

🛡️ Amazon RDS for SQL Server now preserves Change Data Capture (CDC) settings and metadata when restoring native database backups. By specifying the KEEP_CDC option during a restore, customers retain CDC configuration and any captured change data, preventing gaps in ongoing data-capture workflows. This capability is available in all AWS Regions where Amazon RDS for SQL Server is offered and is documented in the RDS for SQL Server User Guide.

read more →

Wed, October 22, 2025

Amazon DocumentDB Adds Graviton4-based R8g Instances

🚀 Amazon DocumentDB (with MongoDB compatibility) now supports Graviton4-based R8g instances, delivering DDR5 memory and Nitro System improvements for memory‑intensive workloads. R8g is available for Amazon DocumentDB 5.0 on both Standard and IO‑Optimized cluster storage. Customers can modify existing clusters or create new ones via the AWS Management Console, CLI, or SDK; check documentation for regional availability and pricing.

read more →

Wed, October 22, 2025

AWS Adds Scope 3 and Scope 1 to Carbon Footprint Tool

🌍 The AWS Customer Carbon Footprint Tool now reports Scope 3 emissions alongside Scope 1 natural gas and refrigerant data, giving customers more complete visibility into cloud-related carbon impacts. Historical Scope 3 data is available back to January 2022 and can be accessed through the CCFT dashboard and AWS Billing and Cost Management data exports. These updates extend CCFT coverage to all three scopes defined by the Greenhouse Gas Protocol and help customers integrate carbon insights into operational workflows, sustainability planning, and reporting.

read more →

Wed, October 22, 2025

Amazon S3 Metadata Expands to Frankfurt, Ireland, Tokyo

🆕 Amazon has expanded S3 Metadata to three additional AWS Regions — Europe (Frankfurt), Europe (Ireland), and Asia Pacific (Tokyo). The service provides automated, near-real-time, queryable metadata for S3 objects, covering system-defined attributes (size, source, timestamps) and custom metadata via tags. Metadata is automatically populated for both new and existing objects, enabling faster discovery, curation, and use for analytics and real-time inference. With this release, S3 Metadata is generally available in six AWS Regions.

read more →

Wed, October 22, 2025

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

read more →

Wed, October 22, 2025

Samsung Galaxy S25 Exploited on Day Two of Pwn2Own

🔓 Security researchers earned $792,750 on day two of Pwn2Own Ireland 2025, exploiting 56 unique zero-day vulnerabilities across smartphones, NAS devices, printers, cameras and smart-home gear. A five-bug chain used by Ken Gannon and Dimitrios Valsamaras successfully compromised the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. Several teams also exploited issues in QNAP and Synology NAS models, printers and IoT devices, and vendors now have 90 days to patch before public disclosure.

read more →

Wed, October 22, 2025

AI-Powered Mobile Threats Elevate Need to Rethink Security

📱 The 2025 Verizon Mobile Security Index underscores growing danger as mobile devices account for the majority of global internet traffic and increasingly serve as primary attack surfaces. Check Point highlights the rise of AI-powered threats, persistent phishing, and human error that expand exposure. Organizations must rethink security architectures, strengthen endpoint controls, and adopt AI-aware defenses across apps, devices, and identities to reduce risk.

read more →

Wed, October 22, 2025

Amazon CloudWatch Agent Gains Windows Event Log Filtering

🔎 Amazon CloudWatch Agent now supports configurable Windows Event Log filters for Windows hosts running on Amazon EC2 or on‑premises. You can define per-stream filter criteria in the agent configuration file — including event levels, specific event IDs, and regular expressions set to include or exclude — and the agent evaluates each event to determine whether it should be sent to CloudWatch. This reduces noisy ingestion and helps focus monitoring, troubleshooting, and cost control; the feature is available in all commercial AWS Regions and AWS GovCloud (US).

read more →

Wed, October 22, 2025

Microsoft Named a Leader in Gartner MQ for DHI 2025

🔹 Microsoft has been named a Leader in the 2025 Gartner Magic Quadrant for Distributed Hybrid Infrastructure, its third consecutive recognition. Azure’s adaptive approach—anchored by Azure Arc and Azure Local—delivers unified management, governance, and security across hybrid, edge, multicloud, and sovereign environments. These technologies enable services such as AKS, Microsoft Defender for Cloud, IoT operations and AI workloads, and Microsoft highlights customer outcomes and continued investment to broaden capabilities and compliance.

read more →

Wed, October 22, 2025

Four Bottlenecks Slowing Enterprise GenAI Adoption

🔒 Since ChatGPT’s 2022 debut, enterprises have rapidly launched GenAI pilots but struggle to convert experimentation into measurable value — only 3 of 37 pilots succeed. The article identifies four critical bottlenecks: security & data privacy, observability, evaluation & migration readiness, and secure business integration. It recommends targeted controls such as confidential compute, fine‑grained agent permissions, distributed tracing and replay environments, continuous evaluation pipelines and dual‑run migrations, plus policy‑aware integrations and impact analytics to move pilots into reliable production.

read more →

Wed, October 22, 2025

Vendor and Hyperscaler Watch: Attack Surface Tools

🔎 Cyber asset attack surface management (CAASM) and external ASM (EASM) solutions help organizations discover and continuously monitor internet-facing assets to reduce exposure and harden security. The article surveys a dozen commercial offerings — including Axonius, CrowdStrike Falcon Exposure, Microsoft Defender EASM, and Palo Alto Cortex Xpanse — highlighting discovery methods, integrations, AI features, and sample pricing. It stresses continuous monitoring, asset context and prioritization, and recommends vetting vendor automation, remediation workflows, and pricing transparency.

read more →

Wed, October 22, 2025

Prompt Hijacking Risks MCP-Based AI Workflows Exposed

⚠️ Security researchers warn that MCP-based AI workflows are vulnerable to "prompt hijacking" when MCP servers issue predictable or reused session IDs, allowing attackers to inject malicious prompts into active client sessions. JFrog demonstrated the issue in oatpp-mcp (CVE-2025-6515), where guessable session IDs could be harvested and reassigned to craft poisoned responses. Recommended mitigations include generating session IDs with cryptographically secure RNGs (≥128 bits of entropy) and having clients validate unpredictable event IDs.
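The two mitigations named above, unguessable session IDs and client-side validation of event IDs, as an added illustration in Python. This is not JFrog's or oatpp-mcp's code; the audit heuristic (`estimate_bits`, `looks_sequential`) and the per-session secret event-ID prefix scheme are assumptions made for this example, not part of the MCP specification.

```python
"""Session-ID hygiene for an MCP-style server: generate unguessable IDs, audit
existing ones, and let the client reject events whose IDs it did not expect.
Added illustration, not JFrog's or oatpp-mcp's code. The per-session event-ID
prefix scheme is an assumption made for this example, not the MCP spec."""
import math
import re
import secrets

MIN_BITS = 128  # entropy floor recommended in the article


def new_session_id(n_bytes: int = 16) -> str:
    """Session ID from the OS CSPRNG; 16 bytes = 128 bits, base64url-encoded (22 chars)."""
    if n_bytes * 8 < MIN_BITS:
        raise ValueError("session ID must carry at least 128 bits")
    return secrets.token_urlsafe(n_bytes)


def estimate_bits(session_id: str) -> float:
    """Upper bound on an ID's entropy from its length and apparent alphabet.
    Cheap audit heuristic: it catches short or decimal-only IDs, but it cannot
    see that a long counter is predictable, so pair it with looks_sequential."""
    if not session_id:
        return 0.0
    if re.fullmatch(r"[0-9]+", session_id):
        alphabet = 10
    elif re.fullmatch(r"[0-9a-f]+|[0-9A-F]+", session_id):
        alphabet = 16
    else:
        alphabet = 0
        if re.search(r"[0-9]", session_id):
            alphabet += 10
        if re.search(r"[a-z]", session_id):
            alphabet += 26
        if re.search(r"[A-Z]", session_id):
            alphabet += 26
        if re.search(r"[^0-9A-Za-z]", session_id):
            alphabet += 2  # '-' and '_' in base64url
    return len(session_id) * math.log2(alphabet)


def is_weak(session_id: str) -> bool:
    return estimate_bits(session_id) < MIN_BITS


def looks_sequential(ids) -> bool:
    """True when a sample of IDs are integers advancing by a constant step,
    the predictable pattern that lets one session guess a neighbour's ID."""
    try:
        values = [int(s) for s in ids]
    except ValueError:
        return False
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}


def open_session() -> tuple[str, str]:
    """Server side: issue a session ID plus a per-session secret event-ID prefix
    (assumption for this example) that cannot be forged without the secret."""
    return new_session_id(), secrets.token_urlsafe(16)


def make_event_id(event_secret: str, seq: int) -> str:
    return f"{event_secret}-{seq}"


def client_accept(event_id: str, event_secret: str, last_seq: int) -> bool:
    """Client side: accept an event only if its prefix matches the session secret
    (constant-time compare) and its sequence number advances, rejecting replays."""
    prefix, sep, seq_text = event_id.rpartition("-")
    if not sep or not seq_text.isdigit():
        return False
    if not secrets.compare_digest(prefix, event_secret):
        return False
    return int(seq_text) > last_seq


if __name__ == "__main__":
    sid, event_secret = open_session()
    print("session:", sid, "weak:", is_weak(sid))
    print("counter-style IDs sequential:", looks_sequential(["1001", "1002", "1003"]))
    print("accept event 1:", client_accept(make_event_id(event_secret, 1), event_secret, 0))
```

The audit heuristic is deliberately conservative: an ID is flagged when its length and alphabet cannot reach 128 bits, and separately when a sample advances like a counter, since a long decimal counter passes the first check while still being trivially predictable.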

read more →

Wed, October 22, 2025

Choosing the Right AWS Service for Secrets and Configs

🔐 AWS outlines when to use Secrets Manager, Systems Manager Parameter Store, and AWS AppConfig to manage credentials, configuration values, and feature flags. The guidance recommends Secrets Manager for sensitive credentials that need rotation and multi‑Region replication, Parameter Store for simple or high‑volume key/value data, and AppConfig for validated, controlled deployments. The post compares encryption, access controls, replication, monitoring, and pricing to help architects select the best fit.

read more →

Wed, October 22, 2025

Replace Short Complex Passwords with Longer Passphrases

🔒 Modern guidance favors long, memorable passphrases over short, complex passwords. Length provides far more effective entropy than symbol substitution, making offline brute-force attacks exponentially harder for attackers using modern GPU rigs. Passphrases lower helpdesk resets, discourage insecure reuse, and align with NIST recommendations. Implement by raising minimum length, dropping forced complexity, and blocking compromised credentials in real time.
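The entropy argument and the three implementation steps above, as an added Python illustration that is not the article's code. The guess rate, the 15-character floor and the breach list are constructed assumptions; a real deployment would query a compromised-credential corpus rather than the inline set.

```python
"""Why length beats symbol substitution, plus a policy check that follows the
article's three steps (raise minimum length, drop forced complexity, block
compromised credentials). Added illustration, not the article's code; the
guess rate, length floor and breach list below are constructed assumptions."""
import hashlib
import math

GUESSES_PER_SECOND = 1e11   # assumption: rough GPU-rig rate against a fast unsalted hash
MIN_LENGTH = 15             # assumption: policy floor used in this example
MAX_LENGTH = 64             # allow long passphrases; only block absurd lengths
DICEWARE_WORDS = 7776       # size of a standard diceware list (6^5)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every element is chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole search space at the assumed guess rate."""
    return 2 ** bits / rate


def compare_policies() -> dict:
    """8-char password over 94 printable ASCII symbols vs. 5-word diceware passphrase."""
    short_complex = search_space_bits(94, 8)             # ~52.4 bits
    passphrase = search_space_bits(DICEWARE_WORDS, 5)    # ~64.6 bits
    return {
        "short_complex_bits": short_complex,
        "passphrase_bits": passphrase,
        "short_complex_seconds": seconds_to_exhaust(short_complex),
        "passphrase_seconds": seconds_to_exhaust(passphrase),
    }


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a compromised-credential feed. Storing hashes rather than
# plaintext mirrors how breach corpora are usually distributed and queried.
BREACHED_SHA1 = {sha1_hex(p) for p in ("P@ssw0rd!", "Summer2025!", "correct horse battery staple")}


def evaluate(candidate: str, breached=BREACHED_SHA1) -> dict:
    """Policy check: length bounds and breach-list lookup, with no character-class rules."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if sha1_hex(candidate) in breached:
        problems.append("appears in compromised-credential list")
    return {"accepted": not problems, "problems": problems}


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value:.3g}")
    for pw in ("P@ssw0rd!", "correct horse battery staple", "lantern quiet orbit cedar mango"):
        print(repr(pw), evaluate(pw))
```

Note that a well-known passphrase fails the breach check even though it is long, which is why the blocklist step is not optional: length only helps when the phrase is actually unpredictable.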

read more →

Wed, October 22, 2025

Face Recognition Failures Affect Nonstandard Faces

⚠️ Bruce Schneier highlights how facial recognition systems frequently fail people with nonstandard facial features, producing concrete barriers to services and daily technologies. Those interviewed report being denied access to public and financial services and encountering nonfunctional phone unlocking and social media filters. The author argues the root cause is often design choices by engineers who trained models on a narrow range of faces and calls for inclusive design plus accessible backup systems when biometric methods fail.

read more →

Wed, October 22, 2025

Sendmarc names Dan Levinson Customer Success Director

🔐 Sendmarc has appointed Dan Levinson as Customer Success Director — North America to support the company’s regional expansion and enhance locally aligned customer support. Levinson brings more than 15 years of experience across email security, deliverability, account and product management, and leadership, with direct experience implementing SPF, DKIM and DMARC. He will build and lead a North America customer success team focused on accelerating DMARC adoption, improving visibility across email environments, and strengthening protections against impersonation while preserving deliverability.

read more →