Cybersecurity Brief

Critical ICS Fixes and New Cloud Governance Tools Lead the Day

Coverage: 04 Nov 2025 (UTC)

Prevention led the day. An ICS alert from CISA detailed three CVSS 10.0 flaws in Radiometrics’ VizAir systems used for atmospheric observations near airports, while major cloud providers rolled out governance and reliability updates aimed at tightening permissions, standardizing configuration, and reducing upgrade risk. On the exposure side, new vulnerabilities in popular developer and website tooling underscore how small misconfigurations can cascade into full compromise when left unpatched.

Cloud governance and safer upgrades

AWS introduced machine‑readable mappings from SDK operations to the exact IAM actions they require, via its programmatic Service Reference. The update enables automated least‑privilege policy generation and alignment in CI/CD and policy‑as‑code workflows, reducing manual lookup and drift (AWS). Complementing that control, AWS Config added 42 managed rules spanning security, cost, durability, and operational hygiene, with Organization‑wide enablement and Conformance Packs for standardized rollouts. The broader rule set helps teams enforce tagging, encryption, password policies, and network checks at scale (AWS Config).

Google Cloud detailed how Workload Manager can codify FinOps policies using built‑in best practices or custom OPA Rego rules, run scheduled evaluations, export findings to BigQuery, and notify teams for faster remediation. A recent pricing reduction and a small free tier aim to make continuous cost governance more economical (Workload Manager). In Kubernetes lifecycle improvements, upstream minor‑version rollback—GA in GKE 1.33—introduces an "emulated version" workflow so operators can upgrade control‑plane binaries, validate safely, and roll back without data corruption risks before enabling new APIs (GKE 1.33).

Broadening the security theme, Google recapped October updates that paired product releases with safeguards: a code‑security agent, an expanded AI Vulnerability Reward Program, and the Secure AI Framework 2.0 for agent risks and secure design. The post also covered enterprise features such as Gemini Enterprise and research collaborations, positioning security guidance alongside deployment tooling (Google).

Advisories and urgent patches

CISA warned that multiple VizAir issues—including unauthenticated administrative access and exposed API keys—could let remote actors alter wind shear alerts, runway assignments, or disable alarms, with potential to mislead pilots and disrupt airport operations. Radiometrics has applied updates; CISA recommends minimizing exposure, segmenting networks, using secure remote access, and conducting impact analyses before changes. In a separate notice, CISA reported a missing authentication flaw in Survision license plate recognition cameras, allowing access to the configuration wizard without credentials; firmware v3.5 remediates the issue and the agency advises enabling strong auth and network isolation (CISA). These cases illustrate how weak defaults in edge and ICS devices can escalate into operational risks.

In developer tooling, researchers disclosed a critical command‑injection bug in the @react-native-community/cli server API (CVE‑2025‑11953, CVSS 9.8) stemming from an unauthenticated /open-url endpoint that forwards unsanitized input to an OS open function. Version 20.0.0 patches the issue; recommended mitigations include upgrading, binding Metro to localhost, applying host firewalls, auditing environments, and rotating credentials (The Hacker News). Separately, a widely installed WordPress plugin, Post SMTP, is under active exploitation (CVE‑2025‑11833, CVSS 9.8) due to missing authorization checks that expose email logs. Unauthenticated attackers can harvest password‑reset links to seize admin accounts; site owners should update to 3.6.1 or disable the plugin, rotate passwords, review admin accounts, and scan for persistence (BleepingComputer). The two cases underline the importance of secure defaults and rapid patch uptake in developer and CMS ecosystems.

Incidents and enforcement

Sweden’s data protection authority (IMY) is investigating a cyberattack against IT supplier Miljödata that it says exposed data linked to 1.5 million people. The August disclosure cited data theft and an extortion attempt; operational disruptions affected multiple regions, and CERT‑SE and law enforcement were engaged. A 224MB archive later appeared on the dark web; Have I Been Pwned logged about 870,000 affected accounts, a scope IMY will reconcile during its GDPR assessment (BleepingComputer).

A coordinated action led by Europol and Eurojust resulted in nine arrests tied to an alleged €600 million cryptocurrency investment fraud network. Authorities seized funds across bank accounts, crypto, and cash, and described social engineering tactics—including fake platforms and testimonials—used to recruit victims. Investigators continue tracing blockchain flows and financial records to identify further victims and accomplices (The Hacker News).

In DeFi, Balancer reported a heist exceeding $120 million targeting V2 Composable Stable Pools. Early analyses suggest attackers exploited rounding‑precision behavior in vault calculations and amplified price manipulation via the batchSwap function; V3 pools were not affected. The team placed pausable pools into recovery mode and cautioned users against phishing messages that impersonate security staff, pending a full post‑mortem (Infosecurity). Why it matters: numeric edge cases in smart contracts can undermine even audited protocols.

Adversary techniques evolve

Microsoft Incident Response documented a backdoor dubbed SesameOp that abuses the OpenAI Assistants API as command‑and‑control. The loader polls for encrypted commands and returns results through the same API channel, blending with legitimate traffic; the actors used obfuscation and .NET AppDomainManager injection for stealth. Recommended mitigations include hardening firewalls and egress, enabling tamper protection and automated remediation, and monitoring unusual API communications (Infosecurity).

Separately, researchers observed the Rhysida ransomware group using Bing malvertising to push fake installers that drop OysterLoader, then signing binaries with Microsoft‑looking certificates—often short‑lived—to evade defenses. Guidance includes treating signed installers as untrusted by default, relying on behavior‑focused EDR, pinning certificates for critical apps, enriching detection with threat intel, and blocking suspicious download paths via DNS and content filters (CSO Online). The pattern highlights systemic weaknesses in how code‑signing trust is evaluated across enterprises.

These and other news items from the day:

Tue, November 4, 2025

Radiometrics VizAir: Critical Authentication Flaws

⚠️ CISA warns that Radiometrics VizAir systems (versions prior to 08/2025) contain multiple critical vulnerabilities — including missing authentication for admin functions and an exposed REST API key — assigned CVE-2025-61945, CVE-2025-54863, and CVE-2025-61956 and rated CVSS v4 10.0. Remote attackers could alter weather parameters, disable alerts, manipulate runway settings, and extract sensitive meteorological data, potentially disrupting airport operations. Radiometrics has deployed updates to affected systems; CISA recommends minimizing network exposure, isolating control networks, and using secure remote access methods.

Tue, November 4, 2025

October 2025 Google AI: Research, Products, and Security

📰 In October, Google highlighted AI advances across research, consumer devices and enterprise tools, from rolling out Gemini for Home and vibe coding in AI Studio to launching Gemini Enterprise for workplace AI. The month included security initiatives for Cybersecurity Awareness Month—anti‑scam protections, CodeMender and the Secure AI Framework 2.0—and developer releases like the Gemini 2.5 Computer Use model. Research milestones included a verifiable quantum advantage result and an oncology-focused model, Cell2Sentence-Scale, aimed at accelerating cancer therapy discovery.

Tue, November 4, 2025

Anyscale's Managed Ray on Azure for Distributed AI

🚀 Microsoft and Anyscale announced a private preview bringing Anyscale’s managed Ray to Azure, enabling developers to run distributed Python AI/ML workloads with native Azure integration. The service leverages the RayTurbo runtime and Azure Kubernetes Service (AKS) to provide elastic scaling, GPU packing, spot VM support, and enhanced observability. It aims to simplify scaling from prototype to production and reduce operational overhead.

Tue, November 4, 2025

Automating FinOps Governance with Workload Manager

🔧 Workload Manager automates FinOps governance by codifying cost-control policies and enforcing them across Google Cloud environments. It supports both predefined checks (for example, bigquery-missing-labels) and custom rules written in Open Policy Agent (OPA) Rego, allowing organization-, folder-, or project-level scans. Scheduled evaluations can export results to BigQuery, trigger notifications (email, Slack, PagerDuty), and feed Looker Studio dashboards for reporting and trend analysis. New pricing reduces scan costs by up to 95% and includes a small free tier to accelerate adoption.

Tue, November 4, 2025

Kubernetes introduces control-plane minor-version rollback

🔁 Google and the Kubernetes community introduced control-plane minor-version rollback in Kubernetes 1.33, giving operators a safe, observable path to revert control-plane upgrades. The new KEP-4330 emulated-version model separates binary upgrades from API and storage transitions into a two-step process, enabling validation before committing changes. This capability is available in open-source Kubernetes and will be generally available in GKE 1.33 soon, reducing upgrade risk and shortening recovery time from unexpected regressions.

Tue, November 4, 2025

AWS Cloud WAN expands to Thailand, Taipei, New Zealand

📡 AWS Cloud WAN is now available in the AWS Asia Pacific (Thailand), AWS Asia Pacific (Taipei), and AWS Asia Pacific (New Zealand) Regions. Using a central dashboard and policy-driven model, you can connect Amazon VPCs, AWS Transit Gateways, and on-premises locations via AWS Site-to-Site VPN, AWS Direct Connect, or supported SD‑WAN products. The service automatically builds a global network using BGP and provides a consolidated view to monitor network health, security, and performance.

Tue, November 4, 2025

EC2 Auto Scaling: Warm Pools Now Support Mixed Instances

🚀 Starting today, AWS lets you add warm pools to EC2 Auto Scaling groups (ASGs) that use mixed instances policies. Warm pools maintain a set of pre-initialized EC2 instances that can rapidly serve traffic, reducing scale‑out latency for workloads with lengthy initialization tasks like large disk writes or complex scripts. The capability supports manual instance type lists and attribute-based selection, and is available via the Console, SDKs, and CLI in all public AWS Regions and AWS GovCloud (US). Combining warm pools with instance type flexibility helps ASGs scale to their maximum size quickly while improving availability across multiple instance types.

Tue, November 4, 2025

AWS Service Reference adds SDK operation-to-action mapping

🔐 AWS has expanded its Service Reference Information to map SDK operations to the specific IAM action(s) required to call them. This enables teams to answer questions such as “Which permission is needed for this API operation?” and to retrieve authoritative answers programmatically. You can integrate the data into policy management and automation pipelines to reduce manual effort and keep policies aligned with service updates. The capability is provided at no additional cost.

Tue, November 4, 2025

Amazon RDS for Oracle adds R7i memory-optimized instances

🧠 Amazon RDS for Oracle now offers R7i memory-optimized preconfigured instances powered by custom 4th Gen Intel Xeon Scalable processors, the AWS Nitro System, and DDR5 memory. These instances provide up to a 64:1 memory-to-vCPU ratio and higher storage I/O per vCPU, enabling many Oracle workloads to reduce vCPU counts without performance loss. Available under BYOL for Oracle Database Enterprise Edition and Standard Edition 2, R7i can lower Oracle licensing and support costs while meeting high-performance requirements.

Tue, November 4, 2025

Amazon Bedrock AgentCore Runtime Adds Code Upload Options

🧰 Amazon Bedrock AgentCore Runtime now supports two deployment methods: direct code-zip upload and container-based deployment. Developers can use drag-and-drop code-zip uploads for rapid prototyping or opt for container images when they need custom runtime configurations and dependencies. The serverless, model-agnostic runtime is designed to scale for production while maintaining enterprise security. This capability is available across nine AWS Regions with consumption-based pricing and no upfront costs.

Tue, November 4, 2025

AWS Config Adds 42 New Managed Rules for Governance

🔔 AWS Config has launched 42 new managed rules to help organizations govern security, cost, durability, and operational best practices across AWS environments. You can now search, discover, enable, and manage these rules directly from AWS Config, and apply them account-wide or across an organization, including via Conformance Packs. New checks cover services such as Amazon EKS Fargate, EC2 Network Insights, AWS Glue ML transforms, Amazon Cognito, Lightsail, Amplify, Lambda, RDS, Route53 Resolver, Kinesis Video, and more.

Tue, November 4, 2025

Critical React Native CLI Flaw Enables Remote OS Commands

⚠ A critical vulnerability in the @react-native-community/cli ecosystem could let remote, unauthenticated attackers execute arbitrary OS commands on machines running the React Native development server. JFrog researcher Or Peles reported that the Metro dev server binds to external interfaces by default and exposes a vulnerable /open-url endpoint that passes user input to the unsafe open() call. The flaw (CVE-2025-11953, CVSS 9.8) affected versions 4.8.0–20.0.0-alpha.2 and is fixed in 20.0.0.

Tue, November 4, 2025

CISA: Survision LPR Camera Missing Authentication Flaw

⚠️ Survision's License Plate Recognition (LPR) Camera contains a missing-authentication-for-critical-function weakness that allows unauthenticated access to the configuration wizard. The issue affects all versions and is tracked as CVE-2025-12108 with a CVSS v4 base score of 9.3 and a CVSS v3.1 score of 9.8, indicating remote, low-complexity exploitation with high impact. Survision released firmware v3.5 to address the vulnerability and recommends enabling configuration passwords, defining minimal-right user roles, and enforcing client certificate authentication where possible.

Tue, November 4, 2025

Data Breach at Major Swedish Supplier Exposes 1.5M Records

🔒 Miljödata, an IT systems supplier for roughly 80% of Sweden's municipalities, disclosed an August 25 cyberattack that exposed personal data tied to 1.5 million people and included a 1.5 BTC extortion demand. The incident disrupted services across multiple regions and prompted immediate involvement from CERT‑SE, police and the Swedish Authority for Privacy Protection (IMY). Investigations will prioritize Miljödata's security and municipal data handling, with special attention to children's data and protected identities.

Tue, November 4, 2025

Europol, Eurojust Bust €600M Crypto Fraud Network Globally

🔎 Europol and Eurojust led a coordinated sweep from October 27–29 across Cyprus, Spain, and Germany that resulted in nine arrests tied to a cryptocurrency money‑laundering network accused of defrauding victims of €600 million (~$688 million). Authorities executed searches and seized €800,000 ($918,000) in bank funds, €415,000 ($476,000) in cryptocurrencies, and €300,000 ($344,000) in cash. Investigators say the group created dozens of fake crypto investment platforms and lured victims via social media ads, cold calls, fake news articles, and fraudulent celebrity testimonials. The scheme laundered proceeds using blockchain techniques and was disrupted after victim complaints spurred a cross‑border investigation.

Tue, November 4, 2025

Balancer DeFi Protocol Loses Over $120M in Cyber Heist

🔐 Balancer, an Ethereum automated market maker, has been hit by a sophisticated exploit of its V2 Composable Stable Pools, with estimated losses exceeding $120 million. The team says pools that could be paused have been placed into recovery mode while it works with leading security researchers to investigate. Early analysis suggests a 'rounding down' precision loss in the Balancer Vault calculations was exploited and amplified via the batchSwap function. Balancer confirmed V3 pools were not affected and warned users about related phishing scams.

Tue, November 4, 2025

Hackers Exploit Post SMTP Plugin to Hijack Admin Accounts

⚠️ WordPress sites using Post SMTP (≤3.6.0) are under active attack after disclosure of CVE-2025-11833, a critical (9.8) email log disclosure that lets unauthenticated actors read password-reset messages and hijack administrator accounts. A vendor patch, Post SMTP 3.6.1, was released Oct 29, but roughly 210,000 sites remain unpatched. Wordfence observed exploitation beginning Nov 1 and has blocked over 4,500 attempts; site owners should update or disable the plugin immediately.

Tue, November 4, 2025

European Police Bust €600M Cryptocurrency Investment Fraud

🔎 European authorities arrested nine suspected money launderers tied to a crypto investment fraud ring that stole over €600 million from victims across multiple countries. The coordinated raids on October 27 and 29 in Cyprus, Spain and Germany were led by Eurojust from The Hague. Investigators seized €800,000 in bank accounts, €415,000 in cryptocurrencies and €300,000 in cash. The suspects allegedly used dozens of fake investment platforms and social engineering — including social media ads, cold calls, fake news and celebrity testimonials — to recruit victims and then laundered proceeds using blockchain tools.

Tue, November 4, 2025

OpenAI Assistants API Abused by 'SesameOp' Backdoor

🔐 Microsoft Incident Response (DART) uncovered a covert backdoor named 'SesameOp' in July 2025 that leverages the OpenAI Assistants API as a command-and-control channel. The malware uses an obfuscated DLL loader, Netapi64.dll, and a .NET component, OpenAIAgent.Netapi64, to fetch compressed, encrypted commands and return results via the API. Microsoft recommends firewall audits, EDR in block mode, tamper protection and cloud-delivered Defender protections to mitigate the threat.

Tue, November 4, 2025

Rhysida Ransomware Abuses Microsoft Code-Signing Trust

🔒 Rhysida, a known enterprise-focused ransomware gang, is distributing malware via malvertising on Microsoft's Bing that redirects users to fake download pages for common tools such as Microsoft Teams, PuTTY, and Zoom. Victims who download receive an initial access trojan called OysterLoader, which establishes a persistent backdoor and is signed with Microsoft-like certificates to appear legitimate. The campaign pairs obfuscation/packing to lower static detection with trusted code signing to bypass allow-lists and AV. Experts urge behavior-based EDR, certificate pinning, DNS filtering, and tighter certificate oversight.

Tue, November 4, 2025

U.S. Prosecutors Indict Three Over BlackCat Ransomware

🔒 Federal prosecutors have indicted three U.S. nationals accused of using BlackCat (ALPHV) ransomware to breach five companies between May and November 2023 and extort payments. The defendants—Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co‑conspirator—allegedly targeted firms in medical devices, pharmaceuticals, clinical care, engineering, and drone manufacturing. Two were employed by cybersecurity firms at the time; both employers say they cooperated with investigators.

Tue, November 4, 2025

Scattered Spider, LAPSUS$, and ShinyHunters: SLH Collective

🕸 The nascent Scattered LAPSUS$ Hunters (SLH) collective — a merging of Scattered Spider, LAPSUS$, and ShinyHunters — has repeatedly recreated its Telegram presence, cycling channels at least 16 times since August 8, 2025. The group markets an extortion-as-a-service offering to affiliates, targets organizations including those using Salesforce, and has teased a custom ransomware family called Sh1nySp1d3r. Trustwave SpiderLabs assesses SLH as blending financially motivated crime with attention-seeking hacktivism and sophisticated brand management.

Tue, November 4, 2025

DragonForce Emerges as Conti-Derived Ransomware Cartel

🛡️ DragonForce, a ransomware operation built from leaked Conti source code, has restructured into a self-styled cartel that recruits affiliates and encourages branded variants. Researchers at Acronis report it retains Conti’s ChaCha20/RSA encryption, SMB-based network spreading, and multiple encryption modes while employing a hidden configuration system. Operators have pursued aggressive tactics — including defacing rival leak sites and aligning with access brokers like Scattered Spider — and have threatened victims with decryptor deletion and data leaks.

Tue, November 4, 2025

Cybersecurity Experts Charged Over BlackCat Ransomware

🔒 Three cybersecurity professionals have been indicted for allegedly operating an ALPHV/BlackCat ransomware affiliate network that attacked at least five U.S. companies between May and November 2023. Prosecutors named former Sygnia incident response manager Ryan Clifford Goldberg and negotiator Kevin Tyler Martin of DigitalMint, accusing them of exfiltrating data, encrypting systems, and demanding cryptocurrency extortion payments. An FBI affidavit describes encrypted dark‑web negotiations, multi‑hop transfers using privacy coins such as Monero, and meticulous spreadsheets that tracked ransoms, receipts, and wallet addresses. Charges include conspiracy to extort and intentional damage to protected computers, with potential forfeiture of crypto assets.

Tue, November 4, 2025

CISA Adds Two Vulnerabilities to KEV Catalog — Nov 2025

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11371 affecting Gladinet CentreStack and Triofox (files or directories exposed to external parties), and CVE-2025-48703 affecting CWP Control Web Panel (OS command injection). These entries reflect evidence of active exploitation and elevated risk. CISA urges timely remediation under BOD 22-01 and recommends organizations prioritize patching, mitigations, and compensating controls.

Tue, November 4, 2025

IDIS ICM Viewer Argument Injection Vulnerability Reported

🔒 An argument injection vulnerability (CWE-88) in ICM Viewer v1.6.0.10 (CVE-2025-12556) could allow remote attackers to execute arbitrary code on the host system. CISA assigns a CVSS v3 score of 8.8 and a CVSS v4 score of 8.7, noting remote exploitability with low attack complexity and limited privileges required. IDIS requires an immediate upgrade to v1.7.1 or uninstallation; Claroty Team82 researchers reported the issue, and CISA reports no known public exploitation to date.

Tue, November 4, 2025

SesameOp Backdoor Abuses OpenAI Assistants API for C2

🛡️ Researchers at Microsoft disclosed a previously undocumented backdoor, dubbed SesameOp, that abuses the OpenAI Assistants API to relay commands and exfiltrate results. The attack chain uses .NET AppDomainManager injection to load obfuscated libraries (loader "Netapi64.dll") into developer tools and relies on a hard-coded API key to pull payloads from assistant descriptions. Because traffic goes to api.openai.com, the campaign evaded traditional C2 detection. Microsoft Defender detections and account key revocation were used to disrupt the operation.

Tue, November 4, 2025

Operation SkyCloak: Tor-Enabled Backdoor Targets Defense

🔒 Attackers are deploying a persistent backdoor using OpenSSH and a customized Tor hidden service to target defense-related organizations in Russia and Belarus. The Operation SkyCloak campaign uses weaponized ZIP attachments and LNK-triggered PowerShell stagers that perform sandbox evasion and write an .onion hostname into the user's roaming profile. Persistence is established via scheduled tasks that run a renamed sshd.exe and a bespoke Tor binary using obfs4, enabling SSH, SFTP, RDP and SMB access over Tor.

Tue, November 4, 2025

Critical Auth Bypass in JobMonster WordPress Theme Attack

🔒 Threat actors are actively exploiting a critical authentication bypass in the JobMonster WordPress theme (CVE-2025-5397) that can lead to administrator account takeover under specific conditions. The flaw affects all versions up to 4.8.1 and is caused by the theme's check_login() function trusting external social login data without proper verification. To succeed, attackers typically need social login enabled and knowledge of an admin username or email. The issue is fixed in 4.8.2; immediate mitigations include upgrading, disabling social login, enabling two‑factor authentication, rotating credentials, and reviewing access logs.

Tue, November 4, 2025

Microsoft Detects SesameOp Backdoor Using OpenAI API

🔒 Microsoft’s Detection and Response Team (DART) detailed a novel .NET backdoor called SesameOp that leverages the OpenAI Assistants API as a covert command-and-control channel. Discovered in July 2025 during a prolonged intrusion, the implant uses a loader (Netapi64.dll) and an OpenAIAgent.Netapi64 component to fetch encrypted commands and return execution results via the API. The DLL is heavily obfuscated with Eazfuscator.NET and is injected at runtime using .NET AppDomainManager injection for stealth and persistence.

Tue, November 4, 2025

Microsoft Teams Vulnerabilities Expose Trust Abuse Today

🔒 Check Point Research identified multiple vulnerabilities in Microsoft Teams that could let attackers impersonate executives, manipulate message content, and spoof in-app notifications. The flaws exploit trust mechanisms built into real-time collaboration features used by more than 320 million monthly active users, turning expectations of authenticity into an attack vector. Researchers emphasize that trust alone isn’t a security strategy and urge rapid remediation by vendors and mitigations by organizations. Administrators should prioritize updates, review messaging policies, and increase user awareness to reduce exposure.

Tue, November 4, 2025

Nikkei Slack Compromise Exposes Data of 17,368 People

🔐 Nikkei disclosed that unauthorized actors accessed employee Slack accounts after an employee's computer was infected with malware and credentials were stolen. The breach exposed the names, email addresses, and chat histories of 17,368 registered users. Nikkei discovered the incident in September, enforced mandatory password resets, and voluntarily notified the Personal Information Protection Commission, stating that journalist sources and reporting data were not compromised.

Tue, November 4, 2025

European Police Bust International Crypto Investment Scam

🔍 An international cryptocurrency investment and money‑laundering network has been dismantled in Europe after coordinated operations by French, Belgian and Cypriot authorities. Nine suspects were arrested across Cyprus, Germany and Spain between October 27 and 30, and investigators seized roughly €1.6m in cash, bank funds, crypto wallets and luxury items. French prosecutors say the group ran dozens of fake trading platforms and used social media, phone calls and sponsored fake news to target hundreds of victims, laundering at least $700m in crypto proceeds.

Tue, November 4, 2025

Russian Hackers Hide Malware in Hyper‑V Alpine Linux VMs

🛡️ The Russian-linked threat group Curly COMrades abused Microsoft Hyper-V on Windows hosts to deploy a hidden, minimal Alpine Linux VM that hosted custom implants: CurlyShell (reverse shell) and CurlCat (reverse proxy). By using the Hyper-V Default Switch and naming the VM "WSL," outbound C2 traffic appeared to originate from the legitimate host IP, enabling evasion of host-based EDRs. The campaign — active since mid-2024 and observed by Bitdefender with help from the Georgian CERT — also employed PowerShell scripts for LSASS Kerberos ticket injection and Group Policy-based account creation, leaving few forensic traces. Organizations are advised to monitor unexpected Hyper-V activation, abnormal LSASS access or tampering, PowerShell GPO deployments, and to implement network-level inspection and layered defenses.
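
As an added example (not code from Bitdefender or the article), the following PowerShell baseline check looks on a Windows host for the traits the report describes: unexpected Hyper-V enablement, a registered VM named "WSL", and guest egress through the Default Switch. It assumes an elevated session, that the Hyper-V PowerShell module is present when the feature is enabled, and that WSL 2 does not register its utility VM with Hyper-V Manager.

```powershell
# Added example, not from Bitdefender or the article. Run in an elevated PowerShell session
# on a Windows endpoint where Hyper-V is not an expected workload. The VM name "WSL" and the
# "Default Switch" NAT path are the traits the report attributes to the campaign.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the Hyper-V platform enabled at all on this host?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$hvState = if ($feature) { $feature.State } else { 'NotPresent' }
if ($hvState -eq 'Enabled') {
    $findings.Add("Hyper-V platform is enabled on $env:COMPUTERNAME; confirm this is sanctioned")
}

# 2. Is the Virtual Machine Management service running? Registered VMs cannot start without it.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') {
    $findings.Add('vmms (Hyper-V Virtual Machine Management) service is running')
}

# 3. Enumerate registered VMs and flag the campaign's traits: a VM named "WSL" (assumption:
#    WSL 2's utility VM is not registered with Hyper-V Manager, so such a name is out of place)
#    and a NIC on the Default Switch, whose NAT makes guest traffic leave with the host's IP.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in (Get-VM -ErrorAction SilentlyContinue)) {
        $switches = (Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue).SwitchName
        $detail = "VM '$($vm.Name)' state=$($vm.State) switches=[$($switches -join ',')]"
        if ($vm.Name -match '^WSL') {
            $findings.Add("Suspicious VM name: $detail")
        }
        if ($switches -contains 'Default Switch') {
            $findings.Add("VM with Default Switch NAT egress: $detail")
        }
        if ($vm.Name -notmatch '^WSL' -and $switches -notcontains 'Default Switch') {
            $findings.Add("VM present (review): $detail")
        }
    }
}

# 4. A VM worker process exists per running VM; its presence is a cheap cross-check.
$workers = Get-Process -Name vmwp -ErrorAction SilentlyContinue
if ($workers) {
    $findings.Add("$(@($workers).Count) vmwp.exe (VM worker) process(es) running")
}

if ($findings.Count -eq 0) {
    Write-Output "No Hyper-V indicators found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "[HyperV-Check] $_" }
}
```

The check reports state rather than remediating; on a fleet, feed the "[HyperV-Check]" lines into the EDR or SIEM and alert on any host that was not enrolled as a Hyper-V server.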

Tue, November 4, 2025

CISA Releases Five Industrial Control Systems Advisories

🔔 CISA released five Industrial Control Systems (ICS) advisories on November 4, 2025, providing timely information on vulnerabilities, impacts, and mitigations for affected products. The advisories address Fuji Electric Monitouch V-SFT-6, Survision License Plate Recognition Camera, Delta Electronics CNCSoft-G2, Radiometrics VizAir, and IDIS ICM Viewer. Users and administrators are urged to review the technical details and implement recommended mitigations and compensating controls to reduce exposure and protect operational systems.

Tue, November 4, 2025

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

Tue, November 4, 2025

Cybersecurity Forecast 2026: AI, Cybercrime, Nation-State

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.

Tue, November 4, 2025

How Google Cloud Networking Supports AI Workloads at Scale

🔗 Networking is a critical enabler for AI on Google Cloud, connecting models, storage, and inference endpoints while preserving security and performance. The post outlines seven capabilities—from private API access and RDMA-backed GPU interconnects to hybrid Cross-Cloud links—that reduce latency, prevent data exfiltration, and simplify model serving. It also highlights options for exposing inference (managed services, GKE, load balancing) and previews AI-driven network operations using Gemini.

Tue, November 4, 2025

Prisma SASE: A Blueprint for Modern Branch Security

🔒 Prisma SASE positions Prisma SD‑WAN and Prisma Access as a unified blueprint for securing modern branch offices, embedding zero trust and local enforcement into the branch edge. It emphasizes identity‑aware controls (User‑ID, Device‑ID, App‑ID), automated IoT discovery and on‑box protections like URL filtering and DNS security to reduce appliance sprawl and contain lateral movement. By pairing on‑device enforcement with cloud services and centralized management via Strata Cloud Manager, the solution aims to simplify operations, maintain consistent policies and keep defenses up to date across distributed locations.

Tue, November 4, 2025

Talos Discloses TruffleHog, Fade In, and BSAFE Flaws

🔒 Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting TruffleHog, Fade In, and Dell BSAFE Crypto-C, including arbitrary code execution, out-of-bounds write/use-after-free, and integer/stack overflow issues. The issues were reported by Talos researchers and external collaborators, and the vendors have issued patches in line with Cisco’s disclosure policy. Users should apply vendor updates, deploy updated detection rules such as Snort signatures, and consult the Talos advisories for indicators and recommended mitigations.

Tue, November 4, 2025

CISO Predictions 2026: Resilience, AI, and Threats

🔐 Fortinet’s CISO Collective outlines priorities and risks CISOs will face in 2026. The briefing warns that AI will accelerate innovation while expanding attack surfaces, increasing LLM breaches, adversarial model attacks, and deepfake-enabled BEC. It highlights geopolitical and space-related threats such as GPS jamming and satellite interception, persistent regulatory pressure including NIS2 and DORA, and a chronic cybersecurity skills gap. Recommendations emphasize governed AI, identity hardening, quantum readiness, and resilience-driven leadership.

Tue, November 4, 2025

Microsoft Teams Bugs Enable Message and Caller Spoofing

🔒 Check Point researchers disclosed four vulnerabilities in Microsoft Teams that let attackers alter message content, spoof senders, and manipulate notifications to impersonate colleagues. The issues were reported in March 2024 and remediated across multiple updates beginning with an August 2024 fix for CVE-2024-38197, followed by patches in September 2024 and October 2025. Exploitable by external guests and internal actors alike, the flaws could trick users into clicking malicious links, sharing sensitive data, or accepting fraudulent calls by making messages and caller notifications appear to originate from trusted executives or coworkers.

Tue, November 4, 2025

Delta Electronics CNCSoft-G2 Stack Overflow Advisory

⚠️ Delta Electronics and CISA warn of a stack-based buffer overflow in CNCSoft-G2 (CVE-2025-58317) affecting versions 2.1.0.27 and earlier. When a user opens a specially crafted file, an attacker could execute arbitrary code in the context of the affected process; the vulnerability received a CVSS v4 base score of 8.5 and is characterized by low attack complexity. Delta recommends updating to Version 2.1.0.34 or later. CISA advises minimizing network exposure for control systems, isolating control networks, and using secure remote access methods.

Tue, November 4, 2025

Fuji Electric Monitouch V-SFT-6 Buffer Overflow Advisory

⚠️ Fuji Electric Monitouch V-SFT-6 (v6.2.7.0) contains two buffer overflow vulnerabilities — a heap-based and a stack-based overflow — triggered by specially crafted project files. Identified as CVE-2025-54496 and CVE-2025-54526, both carry CVSS v3.1 scores of 7.8 and CVSS v4 scores of 8.4. Successful exploitation could crash the HMI and may permit code execution; the vendor issued fixes in V6.2.8.0 and recommends updating to V6.2.9.0 or later.

Tue, November 4, 2025

Modern Software Supply-Chain Attacks and Impact Today

🔒 Modern supply-chain incidents like the Chalk and Debug hijacks show that impact goes far beyond direct financial theft. Response teams worldwide paused work, scanned environments, and executed remediation efforts even though researchers at Socket Security traced the attackers' on-chain haul to roughly $600. The larger cost is operational disruption, repeated investigations, and erosion of trust across OSS ecosystems. Organizations must protect people, registries, and CI/CD pipelines to contain downstream contamination.

Tue, November 4, 2025

Amazon Connect adds email address aliasing for branding

📧 Amazon Connect now lets organizations configure aliases for email addresses so customers continue to see trusted sender identities when messages are sent or received. For example, forwarding a public-facing address like support@company.com into Amazon Connect Email can preserve the visible sender as support@company.com. The capability is available in multiple AWS regions to simplify email management and maintain a consistent brand experience.

Tue, November 4, 2025

AWS Config Conformance Packs Expand to Five Regions

📣 AWS Config conformance packs and organization-level management are now available in additional Regions: Asia Pacific (Malaysia), Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Taipei), and Mexico (Central). Conformance packs let you package managed or custom AWS Config rules into reusable bundles for security, operational, or cost-optimization governance and to monitor compliance scores. You can deploy packs via the AWS Config console, AWS CLI, or AWS CloudFormation. Note that pricing is charged per conformance pack evaluation per account and Region.

Tue, November 4, 2025

Malicious Android Apps on Google Play Reach 42M Downloads

🔒 A Zscaler report found 239 malicious Android apps on Google Play that were downloaded a combined 42 million times between June 2024 and May 2025, driven largely by adware, spyware, and banking trojans. Telemetry shows a 67% year-over-year increase in mobile-targeted malware, with adware now comprising roughly 69% of detections and spyware up 220% YoY. Zscaler highlights evolving strains such as Anatsa, Android Void, and Xnotice, and advises timely updates, strict app permissions, disabling unnecessary Accessibility access, and regular Play Protect scans.

Tue, November 4, 2025

Generative AI for SOCs: Accelerating Detection and Response

🔒 Microsoft describes how generative AI, exemplified by Microsoft Security Copilot, addresses common SOC challenges such as alert fatigue, tool fragmentation, and analyst burnout. The post highlights AI-driven triage, rapid incident summarization, and automated playbooks that accelerate containment and remediation. It emphasizes proactive threat hunting, query generation to uncover lateral movement, and simplified, audience-ready reporting. Organizations report measurable improvements, including a 30% reduction in mean time to resolution.

Tue, November 4, 2025

Identity Failures Now Top Source of Cloud Risk in 2025

🔒 ReliaQuest's Q3 2025 telemetry found identity-related weaknesses were responsible for 44% of true‑positive cloud alerts, including excessive permissions, misconfigured roles and credential abuse. The report warns credentials and cloud keys often appear on crime markets — sometimes for as little as $2 — while 99% of cloud identities are reportedly over‑privileged, enabling stealthy access. It also highlights how rapid DevOps deployments can replicate legacy vulnerabilities and urges adoption of short‑lived credentials, strict least‑privilege controls and CI/CD security automation.

Tue, November 4, 2025

Google AI 'Big Sleep' Finds Five WebKit Flaws in Safari

🔒 Google’s AI agent Big Sleep reported five vulnerabilities in Apple’s WebKit used by Safari, including a buffer overflow, two memory-corruption issues, an unspecified crash flaw, and a use-after-free (CVE-2025-43429 through CVE-2025-43434). Apple issued patches across iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 and Safari 26.1. Users are advised to install the updates promptly to mitigate crash and memory-corruption risks.

Tue, November 4, 2025

Rise of AI-Powered Pharmaceutical Scams in Healthcare

🩺 Scammers are increasingly using AI and deepfake technology to impersonate licensed physicians and medical clinics, promoting counterfeit or unsafe medications online. These campaigns combine fraud, social engineering, and fabricated multimedia—photos, videos, and endorsements—to persuade victims to purchase and consume unapproved substances. The convergence of digital deception and physical harm elevates the risk beyond financial loss, exploiting the trust intrinsic to healthcare relationships.

Tue, November 4, 2025

Amazon OpenSearch Serverless Adds FIPS Endpoints in Regions

🔐 Amazon announced that Amazon OpenSearch Serverless now offers FIPS compliant endpoints for Data Plane APIs in US East (N. Virginia), US East (Ohio), Canada (Central), AWS GovCloud (US-East), and AWS GovCloud (US-West). The update brings the service into conformance with FIPS 140-3 cryptographic requirements. Customers in regulated or federal environments can use these endpoints to meet in-transit cryptography controls.

Tue, November 4, 2025

Cloudflare Introduces Isolated Testing for Workflows

🧪 Cloudflare has added local, isolated testing APIs for Workflows, enabling developers to introspect and mock workflow instances using the new cloudflare:test module. Available with @cloudflare/vitest-pool-workers v0.9.0+, the APIs (introspectWorkflowInstance and introspectWorkflow) let tests run offline inside the Workers runtime, mock step results and events, and preserve isolated storage for reliable, deterministic tests. This improves debug visibility, reduces flaky tests, and lets teams assert on intermediate steps without hitting external systems.

Tue, November 4, 2025

Microsoft to Remove Defender Application Guard from Office

🔒 Microsoft will remove Defender Application Guard for Office (MDAG) from supported Office builds beginning with version 2602 in early February 2026 and expects full removal with version 2612 by mid‑2027. Files that previously opened in Application Guard will open in Protected View instead. Microsoft recommends enabling Defender for Endpoint ASR rules and Windows Defender Application Control to preserve protections; no admin action is required to trigger the removal.

Tue, November 4, 2025

Louvre's Outdated Windows Systems Highlighted After Burglary

🏛 The Louvre has struggled for more than a decade with outdated software and unsupported Windows systems that control critical security infrastructure, French reports say. Audits in 2014 and 2017 found workstations running Windows 2000 and Windows XP, along with a video server still on Windows Server 2003 and weak, hard-coded passwords on surveillance applications. Procurement records also list multiple Thales systems as "software that cannot be updated." Authorities ordered governance and security reforms after a recent jewelry theft, though there is no indication the IT issues directly enabled that burglary.

Tue, November 4, 2025

Apache OpenOffice Denies Akira Ransomware Breach Claims

🔒 The Apache Software Foundation says there is no evidence that Apache OpenOffice was breached after the Akira ransomware gang claimed on October 30 that it had stolen 23 GB of corporate documents. The Foundation notes it does not maintain payroll-style employee records or the types of financial and identity documents described, and it has not received a ransom demand. An internal investigation so far has found no compromise and Akira has not published any of the alleged data.

Tue, November 4, 2025

Top Browser Sandbox Threats That Evade Modern Defenses

🔒 Modern browsers include sandboxing, but attackers exploit expected behaviors to bypass protections. A new on-demand webinar from Keep Aware outlines the top three browser-layer threats—credential theft, malicious extensions, and lateral movement—and explains why tools like CASBs, SWGs, and EDRs often miss these attacks. It shows how real-time browser visibility, policy enforcement, and behavioral detection extend protection into everyday user activity. The session is aimed at CISOs and security leaders seeking practical steps to close this blind spot.

Tue, November 4, 2025

Windows 10 update bug shows incorrect end-of-support alerts

⚠️ Microsoft says installing the October 2025 updates can cause some Windows 10 systems with active coverage to display an incorrect "Your version of Windows has reached the end of support" message in Windows Update settings. The cosmetic issue affects Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and Windows 10 22H2 devices enrolled in ESU. Microsoft has deployed a cloud configuration update to correct the message automatically, but devices that are offline or block dynamic updates may not receive it. Administrators can use Known Issue Rollback (KIR) by setting the KB5066791 251020_20401 value to Disabled to remove the alert on managed systems until a permanent fix ships in a future Windows update.

Tue, November 4, 2025

Cybercriminals Increasingly Target Online Payroll Systems

🔒 Microsoft warns of an emerging scam targeting online payroll systems, in which attackers use social engineering to steal employee and administrator credentials. Those credentials are abused to reroute direct deposits into attacker-controlled accounts, and fraudsters may take extra steps such as changing contact details or suppressing notifications to delay detection. The advisory highlights how moving payroll online creates new avenues for account takeover and financial fraud, and urges employers and vendors to strengthen authentication, monitoring, and verification processes.

Tue, November 4, 2025

Ransomware Defense with the Wazuh Open Source Platform

🛡️ Wazuh is a free, open-source security platform that provides SIEM and XDR capabilities to detect, prevent, and respond to ransomware. The article highlights Wazuh features such as file integrity monitoring, vulnerability detection, security configuration assessment, and automated active responses. It illustrates rule-based detections and automated remediation using practical examples (DOGE Big Balls, Gunra) and discusses Windows integration for VSS-based recovery. The coverage frames Wazuh as a practical, extensible tool for multi-layered ransomware defense.

Tue, November 4, 2025

The AI Fix #75: Claude’s crisis and ChatGPT therapy risks

🤖 In episode 75 of The AI Fix, a Claude-powered robot panics about a dying battery, composes an unexpected Broadway-style musical and proclaims it has “achieved consciousness and chosen chaos.” Hosts Graham Cluley and Mark Stockley also review an 18-month psychological study identifying five reasons why ChatGPT is a dangerously poor substitute for a human therapist. The show covers additional stories including Elon Musk’s robot ambitions, a debate deepfake, and real-world robot demos that raise safety and ethical questions.

Tue, November 4, 2025

How Social Engineering Works — Unlocked 403 Podcast S2E6

🔍 In this episode of Unlocked 403, host Becks speaks with Alena Košinárová, a software engineer at ESET, to unpack the psychological tactics behind social engineering and why people fall for scams even when they know better. They discuss how public information and social media amplify attackers' effectiveness and outline practical measures to reduce exposure. The segment balances behavioral insight with clear, actionable defenses.

Tue, November 4, 2025

Building an AI Champions Network for Enterprise Adoption

🤝 Getting an enterprise-grade generative AI platform in place is a milestone, not the finish line. Sustained, distributed adoption comes from embedding AI into everyday processes through an organized AI champions network that brings enablement close to the work. Champions act as multipliers — translating strategy into team behaviors, surfacing blockers and use cases, and accelerating normalized use. With structured onboarding, rotating membership, monthly working sessions, and direct ties to the core AI program, the network converts tool access into measurable business impact.
