Cybersecurity Brief

Google Scales Ironwood & Axion; AWS Details EU Sovereign Cloud

Coverage: 06 Nov 2025 (UTC)

Cloud platforms emphasized performance and sovereignty while security teams faced new advisories and fresh AI risk research. Ironwood TPUs moved toward broad availability alongside expanded Arm-based Axion VMs, and AWS Sovereign Cloud outlined an EU‑focused design for regulated workloads. The day also brought critical fixes affecting enterprise contact centers and developer tools, and studies underscored how multi‑turn prompts and AI triage are reshaping model security and malware analysis.

Silicon, scale, and Arm: Google’s stack for training and inference

Google Cloud framed its TPU platform as a co‑designed, end‑to‑end system spanning custom ASICs, optical interconnect, and compiler/runtime software. A deep dive into the Ironwood stack details FP8 throughput, HBM3E capacity per chip, and a fabric that scales from 64‑chip cubes to 9,216‑chip superpods, all driven by XLA and native JAX/PyTorch paths plus specialized kernel tooling. Operational visibility through metrics and profiling tools is built in to help teams measure FLOPS, memory, interconnect utilization, and job goodput.

On the CPU side, the company expanded Arm‑based compute for both general workloads and specialized testing. The previewed N4A VMs target broad compute and CPU‑based inference with up to 64 vCPUs, 512 GB DDR5, and 50 Gbps networking, coupled with Hyperdisk options and Storage Pools to tune cost and I/O. For bare‑metal scenarios, C4A metal brings non‑virtualized Axion to 96 vCPUs and 768 GB memory with Titanium offloads and SmartNIC support, aiming at automotive vHIL simulations and large‑scale Android test farms. Together with the broader Ironwood rollout, the updates position Google’s vertically integrated silicon and software for high‑throughput training and lower‑latency, cost‑sensitive inference.

Sovereignty and regional services expand

AWS published an AWS Sovereign Cloud overview describing an independent EU cloud with dedicated infrastructure, identity, billing, and operations under EU law. The plan targets public sector and highly regulated customers, keeps customer content and customer‑created metadata within EU boundaries by default, and preserves familiar services and APIs, including Nitro‑based security isolation. Operational controls and governance—such as EU‑national managing directors and an independent advisory board—are central to the design.

For regulated U.S. workloads, the company extended automated observability by making Application Signals available in both AWS GovCloud Regions, enabling automated telemetry collection and correlated troubleshooting for EC2, ECS, EKS, and Lambda without leaving approved boundaries. Regional build‑outs continued: Amazon EVS (Elastic VMware Service) now covers additional AZs in Mumbai, Sydney, Canada (Central), and Paris to accelerate VMware migrations and resilience options, while Keyspaces UAE brings serverless Cassandra‑compatible data stores closer to users with point‑in‑time recovery, multi‑Region replication, and CDC streams. These moves align sovereignty, latency, and compliance goals with managed operations.

Advisories and urgent fixes

Cisco addressed a critical vulnerability in Unified Contact Center Express that allows unauthenticated remote command execution as root via a Java RMI path; fixes are available and administrators should update promptly. Details and first fixed releases are summarized in coverage of the UCCX flaw, which also notes a separate critical issue in the CCX Editor application enabling authentication bypass and script execution with administrative rights.

In developer tooling, researchers reported a critical RCE in the React Native CLI’s Metro Dev Server tied to unsafe handling of a /open-url endpoint and default binding behavior; Windows exploitation was demonstrated, and the issue is fixed in cli-server-api 20.0.0. Teams should update or tightly bind the server to localhost; see the analysis of the React Native CLI vulnerability for affected versions and workarounds. For industrial environments, CISA’s advisory on Advantech DeviceOn/iEdge catalogs multiple traversal and XSS issues that can enable RCE, DoS, or arbitrary file disclosure; the vendor indicates impacted products are end‑of‑life and advises migration, with CISA recommending network isolation and secure remote access practices; see CISA ICS for mitigation guidance.

AI safety under pressure, detection at scale

A study from Cisco AI Defense found open‑weight LLMs that resist single‑turn probes can still fail under adaptive multi‑turn strategies. Techniques like Crescendo, Role‑Play, and Refusal Reframe pushed models into unsafe outputs across 5–10 exchange conversations, with success rates often exceeding 90%. The authors recommend layered defenses—use‑case aligned system prompts, model‑agnostic runtime guardrails, regular AI red‑teaming, and stricter automation limits—backed by larger prompt samples and repeated testing; see the Cisco study for methodology and recommendations.

On the defender side, VirusTotal described an AI‑assisted pipeline for Mach‑O analysis that distilled code artifacts into a single LLM call and flagged more suspicious Apple binaries in a test window than traditional engines. The approach both surfaced previously undetected malware and filtered false positives, indicating value as scalable triage rather than a replacement for signature and expert review; read the Code Insight results for examples and limits. In parallel, reporting on Google Threat Intelligence Group’s findings shows actors operationalizing LLMs inside malware to generate commands and obfuscate code on demand, complicating static detection and response; the GTIG analysis surveys families and social‑engineering tactics used to bypass guardrails. The common thread across these updates is practical, operational pressure on model safety and security programs—and the emergence of AI‑driven tooling to help defenders keep pace.

These and other news items from the day:

Thu, November 6, 2025

Inside Ironwood: Google's Co‑Designed TPU AI Stack

🚀 The Ironwood TPU stack is a co‑designed hardware and software platform that scales from massive pre‑training to low‑latency inference. It combines dense MXU compute, ample HBM3E memory, and a high‑bandwidth ICI/OCS interconnect with compiler-driven optimizations in XLA and native support for JAX and PyTorch. Pallas and Mosaic enable hand‑tuned kernels for peak performance, while observability and orchestration tools address resilience and efficiency across pods and superpods.


Google Cloud previews Axion-based N4A general VMs Series

🚀 Google Cloud has introduced the Axion-based N4A VM series in preview, positioned as the most cost-effective N-series to date with up to 2× better price-performance and 80% better performance-per-watt versus comparable x86 VMs. Available on Compute Engine, GKE, Dataproc and Batch, N4A supports up to 64 vCPUs, 512 GB DDR5, 50 Gbps networking, Custom Machine Types and new Hyperdisk storage profiles (Balanced, Throughput, ML). Early customers report substantial cost and performance gains.


Google Cloud Announces Ironwood TPUs and Axion VMs

🚀 Google Cloud announced general availability of Ironwood, its seventh-generation TPU, alongside a new family of Arm-based Axion VMs. Ironwood is optimized for large-scale training, reinforcement learning, and high-volume, low-latency inference, with claims of 10x peak performance over TPU v5p and multi-fold efficiency gains versus TPU v6e (Trillium). The architecture supports superpods up to 9,216 chips, 9.6 Tb/s inter‑chip interconnect, up to 1.77 PB shared HBM, and Optical Circuit Switching for dynamic fabric routing. Complementary software and orchestration updates — including Cluster Director, MaxText improvements, vLLM support, and GKE Inference Gateway — aim to reduce time-to-first-token and serving costs, while Axion N4A/C4A instances provide ARM-based CPU options for cost-sensitive inference and data-prep workloads.


AWS Releases Whitepaper on European Sovereign Cloud

🔒 Amazon Web Services (AWS) published a whitepaper, Overview of the AWS European Sovereign Cloud, available in English, German, and French, outlining the planned design and objectives. The document describes a new, independent cloud for Europe supported by a €7.8 billion investment and a target launch of the first Region in the State of Brandenburg, Germany by the end of 2025. It highlights dedicated physical infrastructure, logical isolation, EU-based corporate governance, and continued access to the full AWS service portfolio while addressing data sovereignty and law enforcement processes.


Azure Ultra Disk: Performance, Cost, Instant Access

🚀 Microsoft refreshed Azure Ultra Disk to deliver substantially lower tail latency, finer provisioning granularity, and faster snapshot-driven recovery for mission-critical workloads. Platform changes target an 80% reduction in P99.9 and outlier latency and a ~30% improvement in average latency. The update raises the IOPS/GiB ceiling to 1,000, introduces 1 GiB billing granularity, and sets minimums of 100 IOPS and 1 MB/s per disk to improve cost optimization. Instant Access Snapshot (public preview) enables disks from snapshots to hydrate up to 10x faster for rapid recovery and scale-out.


Google Cloud Announces Axion C4A Metal Bare-Metal Arm

🔧 Google Cloud is introducing C4A metal, a bare-metal instance class powered by its Arm-based Axion processors, entering preview soon. Designed for workloads that require direct hardware access and Arm-native compatibility, C4A metal delivers 96 vCPUs, 768 GB DDR5 memory, up to 100 Gbps networking, and support for Google Cloud Hyperdisk variants. C4A metal targets Android development, automotive simulation, CI/CD, security workloads, and custom hypervisors by eliminating nested virtualization overhead and preserving Arm instruction-set parity.


Amazon Keyspaces (Cassandra) Now Available in UAE Region

🚀 Amazon Keyspaces (for Apache Cassandra) is now available in the Middle East (UAE) Region, enabling customers to run Cassandra-compatible applications with lower latency and keep data within the Region to meet data residency requirements. The fully managed, serverless service supports point-in-time recovery, Multi-Region replication, CDC streams, and IPv6, allowing teams to scale without operating Cassandra clusters. Customers pay only for resources used and can use familiar CQL to build high-throughput applications.


CloudWatch Application Signals Now in AWS GovCloud

🔒 CloudWatch Application Signals is now available in AWS GovCloud (US-East) and AWS GovCloud (US-West), extending automated application observability to government and regulated workloads. The service automatically collects telemetry from Amazon EC2, Amazon ECS, Amazon EKS and AWS Lambda to provide real-time health, dependency visualization and anomaly detection. By eliminating manual instrumentation, it helps teams meet compliance and monitoring requirements while improving incident detection and resolution. For pricing and setup, consult the CloudWatch pricing page and Application Signals documentation.


Amazon EVS Expanded to Mumbai, Sydney, Canada, Paris

🚀 Amazon has expanded Amazon Elastic VMware Service (EVS) to all availability zones in Asia Pacific (Mumbai), Asia Pacific (Sydney), Canada (Central), and Europe (Paris). EVS runs VMware Cloud Foundation on EC2 bare‑metal instances powered by AWS Nitro, and can be deployed via a step‑by‑step workflow or the AWS CLI in hours. The expansion delivers lower latency, improved data‑residency options, and additional resiliency and high‑availability choices for VMware workloads.


Leading Bug Bounty Programs and Market Shifts 2025

🔒 Bug bounty programs remain a core component of security testing in 2025, drawing external researchers to identify flaws across web, mobile, AI, and critical infrastructure. Leading platforms like Bugcrowd, HackerOne, Synack and vendors such as Apple, Google, Microsoft and OpenAI have broadened scopes and increased payouts. Firms now reward full exploit chains and emphasize human-led reconnaissance over purely automated scanning. Programs also support regulatory compliance in critical sectors.


Multi-Turn Adversarial Attacks Expose LLM Weaknesses

🔍 Cisco AI Defense's report shows open-weight large language models remain vulnerable to adaptive, multi-turn adversarial attacks even when single-turn defenses appear effective. Using over 1,000 prompts per model and analyzing 499 simulated conversations of 5–10 exchanges, researchers found iterative strategies such as Crescendo, Role-Play and Refusal Reframe drove failure rates above 90% in many cases. The study warns that traditional safety filters are insufficient and recommends strict system prompts, model-agnostic runtime guardrails and continuous red-teaming to mitigate risk.


Critical Cisco UCCX Flaw Allows Remote Root Execution

🔒 Cisco has released updates to address a critical vulnerability in Unified Contact Center Express (UCCX), CVE-2025-20354, found in the Java RMI process, that can let unauthenticated attackers execute arbitrary commands as root. A separate CCX Editor flaw allows authentication bypass and script execution with admin privileges. Administrators should upgrade to the first fixed releases (12.5 SU3 ES07 or 15.0 ES01) immediately; Cisco has not yet observed active exploitation.


Critical RCE in React Native CLI Exposes Dev Servers

⚠️ A critical remote-code execution vulnerability in @react-native-community/cli and its cli-server-api component lets attackers run arbitrary OS commands via the Metro development server. The flaw stems from a /open-url endpoint that forwards a supplied URL directly to the open() package and, despite console messages, the server can bind to 0.0.0.0 rather than localhost. JFrog demonstrated Windows exploitation and the issue is fixed in cli-server-api version 20.0.0; users should update or bind the server to 127.0.0.1.


AI-Powered Mach-O Analysis Reveals Undetected macOS Threats

🔎 VirusTotal ran VT Code Insight, an AI-based Mach-O analysis pipeline, against nearly 10,000 first-seen Apple binaries in a 24-hour stress test. By pruning binaries with Binary Ninja HLIL into a distilled representation that fits a large LLM context (Gemini), the system produces single-call, analyst-style summaries from raw files with no metadata. Code Insight flagged 164 samples as malicious versus 67 by traditional AV, surfacing zero-detection macOS and iOS threats while also reducing false positives.


Cisco Warns of Firewall Attack Causing DoS; Urges Patch

⚠️ Cisco disclosed a new attack variant that targets devices running Cisco Secure Firewall ASA and FTD software that are vulnerable to CVE-2025-20333 and CVE-2025-20362. The exploit can cause unpatched devices to unexpectedly reload, creating denial-of-service conditions, and follows prior zero-day campaigns that delivered malware such as RayInitiator and LINE VIPER, per the U.K. NCSC. Cisco additionally released patches for critical Unified CCX flaws and a high-severity DoS bug in ISE, and urges customers to apply updates immediately.


Advantech DeviceOn/iEdge: Multiple Remote Flaws Report

⚠️ Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple remotely exploitable vulnerabilities, including XSS and several path-traversal flaws assigned CVE-2025-64302, CVE-2025-62630, CVE-2025-59171, and CVE-2025-58423. Successful exploitation may lead to denial-of-service, arbitrary file disclosure, or remote code execution with system-level permissions. CISA notes the products are EOL and recommends upgrading to DeviceOn, isolating devices from the internet, and using secure remote access methods to reduce risk.


Organized fraud ring abused payment providers, stole €300M

🔍 Authorities across three continents executed coordinated raids and arrests in a probe that uncovered an organized fraud network accused of using stolen credit‑card data to create over 19 million fake subscriptions and siphon more than €300 million. Investigators say suspects exploited vulnerabilities at multiple payment service providers, operated hundreds of sham websites offering porn, dating and streaming services, and used small recurring charges with opaque descriptions to avoid detection. The operation, named Operation Chargeback, was halted in 2021 and is the focus of ongoing international legal assistance.


AI-Powered Malware Emerges: Google Details New Threats

🛡️ Google Threat Intelligence Group (GTIG) reports that cybercriminals are actively integrating large language models into malware campaigns, moving beyond mere tooling to generate, obfuscate, and adapt malicious code. GTIG documents new families — including PROMPTSTEAL, PROMPTFLUX, FRUITSHELL, and PROMPTLOCK — that query commercial APIs to produce or rewrite payloads and evade detection. Researchers also note attackers use social‑engineering prompts to trick LLMs into revealing sensitive guidance and that underground marketplaces increasingly offer AI-enabled “malware-as-a-service,” lowering the bar for less skilled threat actors.


Sandworm Deploys Data Wipers Against Ukraine's Grain Sector

🔒 Russian state-backed Sandworm (aka APT44) deployed multiple data-wiping malware families in June and September 2025, targeting Ukrainian education, government, and grain-production organizations. ESET says these wipers — distinct from ransomware — corrupt files, partitions, and boot records to prevent recovery and cause long outages. Some intrusions began with access by UAC-0099, which then handed access to APT44 for destructive payloads.


Google: LLMs Employed Operationally in Malware Attacks

🤖 Google’s Threat Intelligence Group (GTIG) reports attackers are using “just‑in‑time” AI—LLMs queried during execution—to generate and obfuscate malicious code. Researchers identified two families, PROMPTSTEAL and PROMPTFLUX, which query Hugging Face and Gemini APIs to craft commands, rewrite source code, and evade detection. GTIG also documents social‑engineering prompts that trick models into revealing red‑teaming or exploit details, and warns the underground market for AI‑enabled crime is maturing. Google says it has disabled related accounts and applied protections.


Cloudflare Removes Aisuru Botnet Domains from Rankings

🛡️ Cloudflare has begun redacting and hiding domains tied to the rapidly growing Aisuru botnet after those malicious hostnames repeatedly appeared atop its public domain rankings. The botnet — comprised of hundreds of thousands of compromised IoT devices — recently shifted from querying 8.8.8.8 to 1.1.1.1, flooding Cloudflare’s resolver and skewing popularity metrics. Cloudflare says attackers are likely both manipulating rankings and mounting attacks on its DNS service, and the company is refining its ranking algorithm while removing known malicious entries.


ABB FLXeon Devices: Multiple Remote-Access Vulnerabilities

ABB FLXeon devices are affected by multiple high-severity vulnerabilities, including hard-coded credentials, MD5 password hashing without proper salt, and improper input validation that can enable remote code execution. Combined CVSS v4 scores reach up to 8.7 and successful exploitation could allow remote control, arbitrary code execution, or device crashes. ABB and CISA advise disconnecting Internet-exposed units, applying the latest firmware, enforcing physical access controls, and using secure remote-access methods such as properly configured VPNs.


Google Warns: AI-Enabled Malware Actively Deployed

⚠️ Google’s Threat Intelligence Group has identified a new class of AI-enabled malware that leverages large language models at runtime to generate and obfuscate malicious code. Notable families include PromptFlux, which uses the Gemini API to rewrite its VBScript dropper for persistence and lateral spread, and PromptSteal, a Python data miner that queries Qwen2.5-Coder-32B-Instruct to create on-demand Windows commands. GTIG observed PromptSteal used by APT28 in Ukraine, while other examples such as PromptLock, FruitShell and QuietVault demonstrate varied AI-driven capabilities. Google warns this "just-in-time AI" approach could accelerate malware sophistication and democratize cybercrime.


Ransomware Breach: How Nevada's Systems Were Encrypted

🔒 The State of Nevada published a detailed after-action report describing how attackers used a trojanized system administration utility to establish persistent access and deploy ransomware across state infrastructure. The initial compromise occurred on May 14 and was detected on August 24, impacting more than 60 agencies and prompting a 28-day recovery that restored 90% of required data without paying a ransom. Nevada engaged external responders including Microsoft DART and Mandiant, and has since implemented account cleanups, password resets, certificate removals, and tightened access controls.


Trojanized ESET Installers Deliver Kalambur Backdoor

🛡️ A Russia-aligned cluster tracked as InedibleOchotense impersonated Slovak vendor ESET in May 2025, sending spear-phishing emails and Signal messages to multiple Ukrainian organizations. Recipients were directed to domains such as esetsmart[.]com hosting a trojanized installer that deployed the legitimate ESET AV Remover alongside a C# backdoor dubbed Kalambur (aka SUMBUR). Kalambur leverages the Tor network for command-and-control and can install OpenSSH and enable RDP on port 3389 to facilitate remote access. ESET links the campaign to Sandworm sub-clusters and notes overlaps with activity reported by CERT-UA and EclecticIQ.


AWS launches regional service discovery in Builder Center

🔍 AWS announced AWS Capabilities by Region in Builder Center, a web-based tool to discover and compare service availability, features, APIs, and CloudFormation resources across AWS Regions. The interactive interface lets users explore Regions, run side-by-side comparisons, and view forward-looking roadmap details to support global deployment planning. AWS also enhanced the Knowledge MCP Server to expose regional capability data in an LLM-compatible format, enabling MCP clients and agentic frameworks to obtain real-time availability insights and suggested alternatives when features are unavailable.


ESET APT Activity Report Q2–Q3 2025: Key Findings Overview

🔍 ESET Research summarizes notable APT operations observed from April through September 2025, highlighting activity by China-, Iran-, North Korea-, and Russia-aligned groups. The report documents increased use of adversary-in-the-middle techniques, targeted spearphishing (including emails sent from compromised internal inboxes), and expanded campaigns against government, energy, healthcare, and maritime sectors. Notable tools and threats include BLOODALCHEMY, SoftEther VPN infrastructure, a WinRAR zero-day exploit, and a newly identified Android spyware family named Wibag. Findings are based on ESET telemetry and verified analysis.


CIO’s First Principles: A Reference Guide to Securing AI

🔐 Enterprises must redesign security as AI moves from experimentation to production, and CIOs need a prevention-first, unified approach. This guide reframes Confidentiality, Integrity and Availability for AI, stressing rigorous access controls, end-to-end data lineage, adversarial testing and a defensible supply chain to prevent poisoning, prompt injection and model hijacking. Palo Alto Networks advocates embedding security across MLOps, real-time visibility of models and agents, and executive accountability to eliminate shadow AI and ensure resilient, auditable AI deployments.


Nikkei Slack Breach Exposes Data of Over 17,000 Users

🔐 Nikkei confirmed a breach of employee Slack accounts that may have exposed names, email addresses and chat histories for 17,368 registered users. The company says malware on an employee’s personal computer stole Slack authentication credentials and session tokens, enabling unauthorized access. The incident was identified in September; Nikkei implemented password changes and voluntarily reported the matter to Japan’s Personal Information Protection Commission. No reporting-source leaks have been confirmed.


Remember, Remember: AI Agents, Threat Intel, and Phishing

🔔 This edition of the Threat Source newsletter opens with Bonfire Night and the 1605 Gunpowder Plot as a narrative hook, tracing how Guy Fawkes' image became a symbol of protest and hacktivism. It spotlights Cisco Talos research, including a new Incident Response report and a notable internal phishing case where compromised O365 accounts abused inbox rules to hide malicious activity. The newsletter also features a Tool Talk demonstrating a proof-of-concept that equips autonomous AI agents with real-time threat intelligence via LangChain, OpenAI, and the Cisco Umbrella API to improve domain trust decisions.


Phishing Campaign Targets Booking.com Partners and Guests

🔒 A large-scale phishing operation targeted Booking.com partner accounts and hotel staff, using impersonated emails and compromised hotel accounts to lure victims into running malicious commands. Attackers relied on redirection chains and the ClickFix social engineering tactic to execute PowerShell that delivered PureRAT. The remote access trojan enabled credential theft, screenshots and exfiltration, with stolen access sold or used to perpetrate payment fraud against guests.


Hackers Use Hyper-V to Hide Linux VM and Evade EDR

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.


SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.


Amazon ECS: Managed EBS Permissions for Non-Root Containers

🔐 Amazon Elastic Container Service (ECS) now supports mounting Amazon EBS volumes to containers running as non-root users. ECS automatically sets file system permissions on the attached EBS volume so non-root processes can securely read and write while preserving root ownership. This removes the need for manual chown/chmod or custom entrypoint scripts, simplifying security-first container deployments. The capability is available across all AWS Regions for EC2, AWS Fargate, and ECS Managed Instances.


AWS IoT Greengrass v2.16 Adds Log Forwarding and TPM

🔒 AWS IoT Greengrass v2.16 adds a system log forwarder and a new nucleus lite (v2.3) with TPM 2.0 support. The system log forwarder uploads system logs to AWS CloudWatch to simplify debugging and centralize operational visibility for edge applications. The nucleus lite TPM integration provides a hardware-based root of trust for secure secrets storage and streamlined device authentication on resource-constrained devices. The update is available in all AWS Regions where Greengrass is offered.


Nikkei Slack Account Compromise Exposes Employee Data

🔒 Nikkei disclosed that unauthorized actors used malware to infect an employee’s computer, obtain Slack credentials, and access accounts on the company's Slack workspace. The firm reports that data for possibly more than 17,000 employees and business partners — including names, email addresses and chat logs — may have been stolen. Nikkei discovered the incident in September and implemented password resets and other remediation measures. The company said there's no confirmation that sources or journalistic activities were affected.


Amazon S3 Adds Tagging for S3 Tables (ABAC & Cost)

🔖 Amazon S3 now supports tags on S3 Tables to enable attribute-based access control (ABAC) and cost allocation. Tags can be applied to table buckets and individual tables, letting you manage permissions for users and roles without frequent IAM or resource-policy updates. Tagging is available in all Regions where S3 Tables is offered and can be used via the Console, SDK, API, or CLI. Use tags to simplify governance and track costs.


Ubia Ubox: Insufficiently Protected Credentials Advisory

🔒 CISA warns that Ubia's Ubox firmware (v1.1.124) exposes API credentials, potentially allowing remote attackers to access backend services. Successful exploitation could permit viewing live camera feeds or modifying device settings. The issue is tracked as CVE-2025-12636 with a CVSS v4 base score of 7.1. Users should minimize network exposure, isolate devices behind firewalls, use secure remote-access methods such as VPNs, and contact Ubia support for guidance.


Kaspersky SD-WAN 2.5: Efficiency and Reliability Gains

🔒 Kaspersky's new SD-WAN 2.5 delivers improved network reliability, performance, and operational efficiency through enhanced traffic rerouting, conditional DNS forwarding, and scheduled CPE configuration. The release automates complex tasks — from graphical BGP/OSPF debugging in the orchestrator to seamless CPE replacement — reducing downtime and lowering the load on regional IT staff. Additional capabilities such as LTE diagnostics, power-failure reporting, console-port security controls, and support for 2000+ CPEs further strengthen fault tolerance and manageability.


AWS Backup: Support for KMS Customer Managed Keys for Vaults

🔐 AWS Backup now lets you encrypt logically air-gapped vaults with your own AWS KMS customer managed keys (CMKs). This gives organizations more control over key lifecycle, access policies, and compliance posture while preserving the security benefits of logically air-gapped backups. Support covers same-account and cross-account CMKs and is available in all Regions where air-gapped vaults are supported. You can enable CMK encryption when creating vaults via the console, API, or CLI.


November 2025 Fraud and Scams Advisory — Key Trends

🔔 Google’s Trust & Safety team published a November 2025 advisory describing rising online scam trends, attacker tactics, and recommended defenses. Analysts highlight key categories — online job scams, negative review extortion, AI product impersonation, malicious VPNs, fraud recovery scams, and seasonal holiday lures — and note increased misuse of AI to scale fraud. The advisory outlines impacts including financial theft, identity fraud, and device or network compromise, and recommends protections such as 2‑Step Verification, Gmail phishing defenses, Google Play Protect, and Safe Browsing Enhanced Protection.

Thu, November 6, 2025

AWS Deadline Cloud Adds 6th–8th Gen EC2 Instances Now

🚀 Deadline Cloud now supports an expanded set of EC2 instance families — including C7i, C7a, M7i, M7a, R7a, R7i, M8a, M8i and R8i — plus additional 6th-generation types that were previously unavailable. The update broadens compute-optimized, general-purpose and memory-optimized options for visual effects and animation rendering workloads. Studios can better right-size resources for tasks ranging from compute-heavy simulations to memory-intensive scene processing, improving performance and cost-efficiency in the Regions where Deadline Cloud is offered.

Thu, November 6, 2025

Amazon DynamoDB Streams Adds AWS PrivateLink FIPS Endpoints

🔒 Amazon DynamoDB Streams now supports AWS PrivateLink for all available Federal Information Processing Standard (FIPS) endpoints in US and Canada commercial Regions. Customers can establish private VPC interface connections to Amazon DynamoDB Streams FIPS endpoints instead of routing traffic over the public internet. This capability helps organizations meet business, compliance, and regulatory requirements that limit public internet connectivity. Supported Regions include US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Canada (Central), and Canada West (Calgary).

Thu, November 6, 2025

Cloudflare Open-Sources tokio-quiche: Async QUIC for Tokio

🚀 Cloudflare has open-sourced tokio-quiche, an async QUIC library that combines its quiche transport implementation with the Tokio async runtime. The project provides a battle-tested integration for async UDP I/O and HTTP/3, delivering low-latency, high-throughput handling of millions of requests per second without requiring developers to wire a sans-io stack. tokio-quiche includes an HTTP/3-focused driver, examples, and abstractions such as ApplicationOverQuic so teams can build clients and servers more quickly. It already powers Cloudflare Proxy B in Apple iCloud Private Relay, Oxy-based proxies, and Warp’s MASQUE client, and aims to accelerate broader adoption of HTTP/3 and QUIC.

Thu, November 6, 2025

Build Your First AI Travel Assistant with Gemini Today

🚀 This codelab walks developers through building a functional travel chatbot using Google's Gemini via the Vertex AI SDK. It explains how to connect a web frontend to Gemini, craft system instructions to shape assistant behavior, and enable function-calling to fetch live data such as geocoding and weather. No advanced ML expertise is required; the lab provides step-by-step code samples, API usage, and practical recommendations for iterating prompts so you can produce a working, production-ready demo.

Thu, November 6, 2025

Google: Cyber-Physical Attacks to Rise in Europe 2026

🚨 Google Cloud Security's Cybersecurity Forecast 2026 warns of a rise in cyber-physical attacks across EMEA targeting energy grids, transport and digital infrastructure. The report highlights increased state-sponsored espionage from Russia and China and anticipates that these operations may take the form of hybrid warfare, combined with information operations, to erode public trust. It also flags supply-chain compromises of managed service providers and software dependencies, and notes that cybercrime — including ransomware aimed at ERP systems — will remain a major disruptive threat to ICS/OT. Analysts further expect adversaries to increasingly leverage AI and multimodal deepfakes.

Thu, November 6, 2025

ClickFix attacks add multi-OS support, videos, timers

🔒 ClickFix campaigns have evolved to include embedded video tutorials, an automated OS detector, and a countdown timer to pressure victims into executing pasted commands. Researchers at Push Security observed fake Cloudflare CAPTCHA pages that auto-copy malicious commands to the clipboard and adapt instructions for Windows, macOS, or Linux. Attackers promote these pages via malvertising, SEO poisoning, and compromised sites, then deliver varying payloads such as MSHTA executables and PowerShell scripts. Users are strongly advised never to paste and run terminal commands from unknown web prompts.

Thu, November 6, 2025

CISA Releases Four Industrial Control Systems Advisories

🔔 CISA released four Industrial Control Systems (ICS) advisories covering Advantech DeviceOn iEdge, Ubia Ubox, ABB FLXeon Controllers, and an update for Hitachi Energy Asset Suite. Each advisory provides technical details on identified vulnerabilities and recommended mitigations. Users and administrators are urged to review the advisories and apply mitigations promptly.

Thu, November 6, 2025

ThreatsDay Bulletin: Cybercrime Trends and Major Incidents

🛡️ This bulletin catalogues a broad set of 2025 incidents showing cybercrime’s increasing real-world impacts. Microsoft patched three Windows GDI flaws (CVE-2025-30388, CVE-2025-53766, CVE-2025-47984) rooted in gdiplus.dll and gdi32full.dll, while Check Point warned partial fixes can leave data leaks lingering. Threat actors expanded toolsets and infrastructure — from RondoDox’s new exploits and TruffleNet’s AWS abuse to FIN7’s SSH backdoor and sophisticated phishing campaigns — and law enforcement action ranged from large fraud takedowns to prison sentences and cross-border crackdowns.

Thu, November 6, 2025

Amazon SageMaker Adds Custom Tags for Project Resources

🔖 Amazon SageMaker Unified Studio now lets administrators define custom tags that are applied to resources created by a SageMaker project. Administrators configure project profiles to supply tag key/value pairs or keys with default values that users can modify during project creation, helping enforce tagging standards and support SCPs and cost allocation. This initial release is API-only and available across all supported AWS Regions.

Thu, November 6, 2025

IDC: Major Shift in Cloud Security Investment Trends

🔍 IDC’s latest research finds organizations averaged nine cloud security incidents in 2024, with 89% reporting year-over-year increases. The study identifies CNAPP as a top-three investment for 2025, rising CISO ownership of cloud security, and persistent tool sprawl that increases cost and risk. It also documents practical uses of generative AI for detection and response and a move toward integrated, autonomous SecOps platforms. Microsoft positions its integrated CNAPP and AI-driven threat intelligence as a way to unify protection across the application lifecycle.

Thu, November 6, 2025

AWS B2B Data Interchange Now Available in Europe (Ireland)

🚀 AWS announces that AWS B2B Data Interchange is now available in the AWS Europe (Ireland) Region, enabling customers to build scalable, cost-efficient EDI workloads locally. The service automates validation, transformation, and generation of EDI files such as ANSI X12, converting to and from JSON and XML to support modern integrations. The regional launch also brings the generative AI mapping capability to Ireland, simplifying mapping code development and accelerating trading partner onboarding.

Thu, November 6, 2025

AWS End User Messaging adds SMS Carrier Lookup feature

📲 AWS End User Messaging now offers Carrier Lookup, enabling customers to retrieve carrier-related details for a phone number — including country, number type, dialing code, and mobile network and carrier codes. By validating these attributes before sending, teams can improve SMS deliverability, reduce failed or misrouted messages, and avoid sending to incorrect destinations. The capability supports common use cases such as OTPs, account updates, reminders, and promotions, and is available in all AWS Regions where the service is offered.

Thu, November 6, 2025

Amazon CloudFront Adds Cross-Account VPC Origins Support

🔒 Amazon announced that CloudFront now supports cross-account VPC origins, enabling distributions to reach ALB, NLB, and EC2 origins inside private subnets across different AWS accounts. Customers can grant access via AWS RAM, including across Organizations and OUs, removing the need to place origins in public subnets. The capability is available in AWS Commercial Regions at no extra charge and is designed to simplify security and multi-account operations.

Thu, November 6, 2025

Susvsex Ransomware Test Published on VS Code Marketplace

🔒 A malicious VS Code extension named susvsex, published by 'suspublisher18', was listed on Microsoft's official marketplace and included basic ransomware features such as AES-256-CBC encryption and exfiltration to a hardcoded C2. Secure Annex researcher John Tuckner identified AI-generated artifacts in the code and reported it, but Microsoft did not remove the extension. The extension also polled a private GitHub repo for commands using a hardcoded PAT.

Thu, November 6, 2025

Hackers Blackmail Massage Parlour Clients in Korea

🔒 South Korean police uncovered a criminal network that used a malicious app to steal customer data from massage parlours and extort clients. The group tricked nine business owners into installing software that exfiltrated names, phone numbers, call logs and text messages, then sent threatening messages claiming to have video footage. About 36 victims paid between 1.5M and 47M KRW, with attempted extortion near 200M KRW. Authorities traced activity to January 2022 across Seoul, Gyeonggi and Daegu and made arrests in August 2023.

Thu, November 6, 2025

Cloudflare Stream Adds Audio Extraction for Video Files

🎧 Cloudflare Stream now lets developers extract audio-only M4A tracks from videos with a single API call or dashboard action. Use Media Transformations (mode=audio) for on-the-fly clipping or create persistent audio downloads for VOD-managed content. This reduces bandwidth, cost, and complexity for transcription, translation, moderation, and other audio-first AI workflows.

Thu, November 6, 2025

Hacktivist DDoS Drives Majority of Public Sector Attacks

🛡️ ENISA's study of 586 public administration incidents found DDoS attacks made up roughly 60% of events, with 63% attributed to hacktivist groups. Central government incidents accounted for 69% of the total, while data breaches (17%) and ransomware (10%) caused disproportionate disruption. ENISA warns the sector's low maturity and recent inclusion in NIS2 increase risk and recommends CDNs/WAFs for DDoS mitigation, MFA/PAM/DLP for data protection, and EDR, segmentation and backups to combat ransomware.

Thu, November 6, 2025

Equipping Autonomous AI Agents with Cyber Hygiene Practices

🔐 This post demonstrates a proof-of-concept for teaching autonomous agents internet safety by integrating real-time threat intelligence. Using LangChain with OpenAI and the Cisco Umbrella API, the example shows how an agent can extract domains and query dispositions to decide whether to connect. The agent returns clear disposition reports and abstains when no domains are present. The approach emphasizes decision-making over hard blocking.

Thu, November 6, 2025

Digital Health Needs Security at Its Core to Scale AI

🔒 The article argues that AI-driven digital health initiatives proved essential during COVID-19 but simultaneously exposed critical cybersecurity gaps that threaten pandemic preparedness. It warns that expansive data ecosystems, IoT devices and cloud pipelines multiply attack surfaces and that subtle AI-specific threats — including data poisoning, model inversion and adversarial inputs — can undermine public-health decisions. The author urges security by design, including zero-trust architectures, data provenance, encryption, model governance and cross-disciplinary drills so AI can deliver trustworthy, resilient public health systems.

Thu, November 6, 2025

Forrester's 2026 Predictions: CIOs and CISOs on Alert

🔍 Forrester warns that 2026 will demand precision, resilience and strategic foresight from CIOs and CISOs as volatility persists and the AI hype phase gives way to a results-driven era. Leaders will face rising pressure to deliver measurable, secure outcomes from AI initiatives while managing vendor promises, postponements and tighter financial scrutiny. Neocloud growth, talent bottlenecks and accelerating quantum risk will further complicate planning and force cross-functional governance.

Thu, November 6, 2025

Smashing Security #442: Clock Hack and Rogue Negotiators

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

Thu, November 6, 2025

Seeing Threats First: AI and Human Cyber Defense Insights

🔍 Check Point Research and External Risk Management experts explain how combining AI-driven analytics with seasoned human threat hunters enables organizations to detect and anticipate attacks before they strike. The AMA webinar, featuring leaders like Sergey Shykevich and Pedro Drimel Neto, detailed telemetry fusion, rapid malware analysis, and automated triage to act at machine speed. Speakers stressed continuous intelligence, cross-team collaboration, and proactive hunting to shorten dwell time. The approach blends scalable automation with human context to prevent large-scale incidents.

Thu, November 6, 2025

Continuous Purple Teaming for Ongoing Security Validation

🛡️ Continuous purple teaming unites offensive and defensive functions into a collaborative, repeatable cycle that turns testing into measurable defense improvement. Using Breach and Attack Simulation (BAS), teams automate emulations mapped to MITRE ATT&CK, safely execute simulated payloads, and instantly score prevention, detection, and response. That evidence-driven loop—attack, observe, fix, validate, repeat—reduces noise, prioritizes real risk, and accelerates remediation. With careful AI assistance and a curated BAS library, organizations can validate controls continuously and focus on the highest-impact gaps.

Thu, November 6, 2025

DOJ Indicts 31 in High-Tech Rigging of Poker Games

🃏 The Department of Justice has indicted 31 people for using altered shuffling machines and other covert devices to rig high-stakes poker games. The modified shuffling machines read every card and relayed which player would win to off-site conspirators, who then communicated via cellphone to a table “Quarterback” who signaled accomplices. Victims lost tens to hundreds of thousands of dollars, and conspirators also used a chip-tray analyzer, an x-ray table, and special contact lenses or eyeglasses to read cards.

Thu, November 6, 2025

From Tabletop to Turnkey: Cyber Resilience in Finance

🛡️ Financial institutions face a regulatory shift: cyber‑resilience has moved from best practice to prescriptive requirement under regimes such as DORA, CORIE, MAS TRM, FCA/PRA and others. Filigran’s OpenAEV combines tabletop crisis playbooks with breach-and-attack simulation so teams can rehearse human and technical responses together. The platform synchronizes players via enterprise IAM, translates threat intelligence into timed technical injects and simulated communications, and streamlines logistics, reporting and continual improvement. OpenAEV is free for community use, with a library of scenarios and SIEM/EDR integrations, and Filigran is hosting expert sessions to demonstrate operationalization.

Thu, November 6, 2025

Bitdefender Named Representative Vendor in 2025 Gartner Guide

🔒 Bitdefender has been named a Representative Vendor in the 2025 Gartner Market Guide for Managed Detection and Response for the fourth consecutive year. The recognition reflects Bitdefender’s human-driven MDR approach, combining 24x7 analyst-led response, AI-driven analytics, and proactive exposure management. Gartner inclusion is based on client visibility and service orientation rather than ranking, highlighting providers that meet its inclusion criteria.

Thu, November 6, 2025

Lessons from ERP Failures for Security Platformization

🔐 CISOs are urged to learn from 1990s ERP migrations as they evaluate vendor-led security platforms from Cisco, CrowdStrike, Microsoft, Palo Alto Networks and others. Research shows many enterprises run 40–80 discrete security tools, driving silos, integration headaches, and alert fatigue. The article warns that platformization can repeat ERP mistakes—data inconsistency, excessive customization, political resistance, and costly timelines—and recommends executive sponsorship, phased implementations, a modern data pipeline, team retraining, and process reengineering to succeed.
