Cybersecurity Brief

AWS Tightens Cloud Guardrails and Advances AI Runtime Efficiency

Coverage: 26 Nov 2025 (UTC)

Cloud platforms emphasized preventive controls and governance upgrades today. AWS introduced organization-wide enforcement for S3 Block Public Access, centralizing guardrails against unintended exposure. Data teams also received a substantial runtime and governance refresh with Glue 5.1, which upgrades engines and extends fine‑grained write controls via Lake Formation. Alongside these platform measures, AI and agent runtimes gained capacity and efficiency features, while researchers tracked active supply‑chain and extortion activity.

Platform Guardrails Tighten

AWS is pushing hardening features down to the organizational plane, making it easier to apply consistent access posture at scale. The new org-level enforcement for S3 Block Public Access lets administrators apply a single setting across accounts and organizational units, with changes auditable in CloudTrail. In public key infrastructure, AWS Private CA added partitioned certificate revocation lists to scale revocation to large estates while keeping CRL files compatible with application constraints. The update aligns with RFC 5280 semantics and aims to reduce operational burden in high‑volume revocation scenarios.

Kubernetes operators can now consume AWS-managed secrets more directly: an EKS add-on for the Secrets Store CSI driver mounts values from Secrets Manager and Parameter Store as files, with curated updates and support for Pod Identity or IRSA. For data lake access oversight, Amazon EMR and AWS Glue expanded CloudTrail visibility by attaching compute context to Lake Formation credential vending and Glue Catalog calls; the audit context is on by default to streamline investigations and compliance reporting.

Data Governance and Analytics Gains

The Glue 5.1 release modernizes runtimes (Spark 3.5.6, Python 3.11, Scala 2.12.18) and advances governance by enforcing fine‑grained write controls through Lake Formation. It also refreshes open table format libraries and adds Iceberg V3 capabilities when used with compatible engines. AWS simultaneously rolled out broader support for Iceberg V3 across its analytics stack; the Iceberg V3 features include deletion vectors to reduce compaction costs and row lineage to trace changes with straightforward SQL.

On the database side, Aurora PostgreSQL-compatible clusters now support multiple minor versions, with database-level Dynamic Data Masking in select versions to hide sensitive fields at query time without altering stored data. The Aurora PostgreSQL update also brings performance and recovery improvements and more predictable cross‑Region switchovers. Storage metadata became easier to query at scale as S3 Metadata expanded to 22 additional Regions, enabling near real‑time, queryable attributes—both system-defined and custom—for new and existing objects. The common thread across these releases is tighter control over who can write, clearer lineage for what changed, and faster discovery of where governed data lives.

AI and Agent Runtimes Mature

Conversational interfaces and LLM-backed assistants continue to shift toward model-first understanding. Amazon Lex now supports LLMs as the primary NLU, using model reasoning to clarify ambiguous intents and extract structured details from long or informal inputs in both voice and chat. For predictable inference capacity and SLAs, Amazon Bedrock introduced a Bedrock Reserved tier with guaranteed tokens-per-minute and overflow to Standard when demand exceeds reservations.

Long‑context and multi‑turn LLM workloads get efficiency boosts in SageMaker. SageMaker HyperPod added a managed tiered KV cache (local plus disaggregated storage) and intelligent routing strategies to reduce latency and raise throughput, with integrated observability via Amazon Managed Grafana. Operational scheduling is also tighter: new support for custom Kubernetes labels and taints lets teams codify placement policy and protect GPU nodes from unintended workloads; the HyperPod labels and taints persist across node lifecycle events, aligning with enterprise Kubernetes practices.

For agentic workflows, targeted retrieval and managed protocol endpoints reduce integration overhead. The Knowledge MCP server now scopes searches by domain (for example, Troubleshooting, Amplify, CDK, CloudFormation), improving precision for developers and AI agents. And the AWS API MCP Server is available via Marketplace, packaging deployment into Bedrock AgentCore Runtime with configurable authentication, session isolation, and least‑privilege IAM guidance.

Supply-Chain and Extortion Campaigns

Researchers tracked a supply‑chain operation that seeded backdoors across npm and mirrored artifacts in Maven Central. The Hacker News report describes “Shai‑Hulud v2” harvesting secrets, registering victims as self‑hosted GitHub runners, and exploiting CI misconfigurations to execute attacker code, with purges of mirrored packages reported. Separately, reporting on Scattered LAPSUS$ Hunters linked a coordinator known as “Rey” to the group’s activities and a bespoke RaaS offering; KrebsOnSecurity attributes the identification to operational security mistakes and infostealer-exposed credentials. The incidents underscore the importance of hardening CI/CD triggers, rotating tokens, and auditing dependencies.

These and other news items from the day:

Wed, November 26, 2025

Amazon Lex Enables LLMs as Primary NLU Across Connect

🤖 Amazon Lex now lets developers use Large Language Models (LLMs) as the primary natural language understanding option for voice and chat bots. Using LLMs improves handling of complex or misspelled utterances, extracts key details from verbose inputs, and enables intelligent follow‑up questions when customer intent is unclear. This capability is available in all AWS commercial regions where Amazon Connect and Amazon Lex operate, helping teams build more accurate, conversational self‑service experiences.

Wed, November 26, 2025

AWS Glue 5.1 GA: Spark 3.5, Iceberg 3.0, Lake Formation

⚡ AWS Glue 5.1 is now generally available, upgrading core engines to Apache Spark 3.5.6, Python 3.11, and Scala 2.12.18 to deliver performance and security improvements. The release refreshes open table format support (Apache Hudi 1.0.2, Apache Iceberg 1.10.0, Delta Lake 3.3.2) and adds Apache Iceberg format 3.0 features such as default column values and deletion vectors. AWS Lake Formation now enforces fine‑grained write control for Spark DDL/DML, and Glue adds full‑table access control for Hudi and Delta tables in Spark.

Wed, November 26, 2025

AWS Adds Warm Storage Tier to Kinesis Video Streams

📦 AWS announced a new warm storage tier for Amazon Kinesis Video Streams, offering lower-cost storage for extended media retention while preserving sub-second access latency. The existing standard tier is now designated the hot tier and remains optimized for real-time, short-term use. Developers can configure fragment sizes to trade latency for ingestion cost, and both tiers integrate with Amazon Rekognition Video and Amazon SageMaker for continuous video analytics. The warm tier is available in all supported regions except AWS GovCloud (US).

Wed, November 26, 2025

Amazon Quick Research Adds Third-Party Industry Data

🔍 Amazon Quick Research now integrates specialized third-party industry datasets from S&P Global, FactSet, and IDC, alongside public patent and PubMed collections. Users with existing subscriptions can combine these authoritative sources with enterprise data and real-time web search inside a unified AI workspace. The capability compresses weeks of data discovery and analysis into minutes and helps teams move more quickly from insight to action. The integration is available in select AWS Regions.

Wed, November 26, 2025

AWS Private CA Adds Partitioned CRLs for Scale, Compliance

🔒 AWS Private Certificate Authority now supports partitioned Certificate Revocation Lists (CRLs) to scale revocation handling up to 100 million certificates per CA. Partitioning breaks revocation data into ~1 MB CRL partitions and binds certificates to partitions using a critical Issuer Distribution Point (IDP) extension, allowing validators to match CDP and IDP URIs for accurate checks. The feature is backward compatible, RFC 5280-compliant, configurable in the console (including S3 setup), and carries no charge beyond AWS Private CA and Amazon S3 usage.

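The CDP/IDP matching rule described above, as an added validator-side example in Python using the `cryptography` package (this is not AWS Private CA code). It builds a throwaway CA, a certificate bound to one partition through its CDP, and two partition CRLs, and accepts revocation status only from the CRL whose critical IDP URI matches the certificate's CDP URI; the partition URIs are constructed placeholders.

```python
# Added example, not AWS Private CA code. Needs the `cryptography` package.
# Partition URIs below are constructed placeholders for a CA's per-partition CRLs.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2025, 11, 26, tzinfo=datetime.timezone.utc)
PARTITION_1 = "http://crl.example.test/ca/partition-1.crl"  # constructed
PARTITION_2 = "http://crl.example.test/ca/partition-2.crl"  # constructed
URI = x509.UniformResourceIdentifier


def make_ca():
    """Throwaway self-signed CA that signs the leaf and the CRL partitions."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Private CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cdp_uri, serial):
    """Leaf certificate bound to one CRL partition through its CDP extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[URI(cdp_uri)], relative_name=None, reasons=None, crl_issuer=None)])
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device-%d" % serial)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_partition_crl(ca_key, ca_cert, idp_uri, revoked_serials):
    """One CRL partition; the critical IDP extension scopes it to idp_uri."""
    idp = x509.IssuingDistributionPoint(
        full_name=[URI(idp_uri)], relative_name=None, only_contains_user_certs=False,
        only_contains_ca_certs=False, only_some_reasons=None, indirect_crl=False,
        only_contains_attribute_certs=False)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
               .add_extension(idp, critical=True))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def cert_cdp_uris(cert):
    """URIs named by the certificate's CRL Distribution Points extension."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return {n.value for dp in ext for n in (dp.full_name or []) if isinstance(n, URI)}


def crl_idp_uris(crl):
    """URIs named by the CRL's Issuing Distribution Point extension; empty if absent."""
    try:
        ext = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    except x509.ExtensionNotFound:
        return set()
    return {n.value for n in (ext.value.full_name or []) if isinstance(n, URI)}


def revocation_status(cert, crl, ca_cert):
    """Return 'revoked', 'good' or 'crl_not_applicable'.

    A partitioned CRL is authoritative only for certificates whose CDP names its
    IDP; answering 'good' from the wrong partition would silently miss a revocation.
    """
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl_not_applicable"          # CRL not signed by the issuing CA
    if crl.issuer != cert.issuer:
        return "crl_not_applicable"          # CRL issued by a different CA
    if not (cert_cdp_uris(cert) & crl_idp_uris(crl)):
        return "crl_not_applicable"          # wrong partition (CDP/IDP mismatch)
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Leaf in partition 1 is revoked there; partition 2's CRL must not vouch for it."""
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, PARTITION_1, serial=1001)
    matching_crl = build_partition_crl(ca_key, ca_cert, PARTITION_1, [1001])
    other_crl = build_partition_crl(ca_key, ca_cert, PARTITION_2, [])
    return (revocation_status(leaf, matching_crl, ca_cert),
            revocation_status(leaf, other_crl, ca_cert))
```

A validator that skips the CDP/IDP comparison would report the leaf as "good" from the second CRL, which is exactly the miss the critical IDP extension is there to prevent.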
Wed, November 26, 2025

Gemini 3 Reframes Enterprise Perimeter and Protection

🚧 Gemini 3’s release on 18 November 2025 signals a structural shift: beyond headline performance gains, it accelerates the embedding of large multimodal assistants directly into enterprise workflows and infrastructure. Continuing a trend already visible with Microsoft Copilot, this effectively makes AI assistants a new enterprise perimeter, changing where corporate data, identities, and controls must be enforced. Security, compliance, and IT teams need to update policies, telemetry, and incident response to cover this expanded boundary.

Wed, November 26, 2025

Organization-Level S3 Block Public Access Enforcement

🔒 Amazon S3 Block Public Access now supports organization-level enforcement via AWS Organizations, enabling centralized standardization of public-access settings across member accounts. When attached at a root or OU, the single policy configuration propagates to existing and new accounts, or it can be targeted to specific accounts for granular control. Policy attachment and enforcement are auditable through AWS CloudTrail, and the feature is available in the console and via CLI/SDK in supported regions at no additional charge.

Wed, November 26, 2025

SageMaker HyperPod: Managed Tiered KV Cache Launch

⚡ Amazon SageMaker HyperPod now offers Managed Tiered KV Cache and Intelligent Routing to optimize LLM inference for long-context prompts and multi-turn conversations. The two-tier cache combines local CPU memory (L1) with disaggregated cluster storage (L2) — with AWS-native tiered storage recommended and Redis optional — to reuse computed key-value pairs and reduce recomputation. Intelligent Routing directs requests using prefix-aware, KV-aware, or round-robin strategies, while built-in observability integrates with Amazon Managed Grafana and deployment is enabled via InferenceEndpointConfig or SageMaker JumpStart.

Wed, November 26, 2025

SageMaker HyperPod Adds Custom Kubernetes Labels and Taints

🛠️ Amazon SageMaker HyperPod now supports custom Kubernetes labels and taints configured at the instance group level via the CreateCluster and UpdateCluster APIs. You can specify up to 50 labels and 50 taints per instance group using the KubernetesConfig parameter. HyperPod automatically applies and preserves these settings across node creation, replacement, scaling, and patching, eliminating manual kubectl work and ensuring device plugin pods (EFA, NVIDIA) schedule correctly while allowing NoSchedule taints to protect costly GPU nodes.

Wed, November 26, 2025

Amazon Aurora adds PostgreSQL minor versions and DDM support

🔒 Amazon Aurora PostgreSQL-Compatible Edition now supports PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22, bringing community fixes plus Aurora-specific enhancements. The release introduces database-level Dynamic Data Masking (DDM) for 16.10 and 17.6 to mask sensitive column values at query time using role-based policies without altering stored data. Additional updates include a shared plan cache, improved performance and recovery time objective (RTO), and more reliable Global Database switchovers. New clusters can be created in the Amazon RDS console or existing databases upgraded; releases are available across all commercial AWS Regions and AWS GovCloud (US).

Wed, November 26, 2025

AWS Adds Apache Iceberg V3 Deletion Vectors and Lineage

🔔 AWS now supports Apache Iceberg V3 deletion vectors and row lineage across key analytics services. These features — available in Amazon EMR 7.12, AWS Glue, SageMaker notebooks, Amazon S3 Tables, and the AWS Glue Data Catalog — accelerate data modifications and make it simpler to identify changed records. Enable V3 by setting the table property 'format-version = 3' in CREATE TABLE or by updating table metadata; supported AWS query engines will automatically use deletion vectors and row lineage.

Wed, November 26, 2025

AWS Knowledge MCP Server Adds Topic-Based Search for Domains

🔎 The AWS Knowledge MCP Server now supports topic-based search across specialized documentation domains, enabling more precise queries against areas such as Troubleshooting, AWS Amplify, AWS CDK, CDK Constructs, and AWS CloudFormation. This enhancement lets MCP clients and agentic frameworks target domain-specific resources to reduce noise and improve relevance. The capability complements existing API reference and general documentation search features and is available immediately at no additional cost, subject to standard rate limits.

Wed, November 26, 2025

Amazon S3 Metadata Now Available in 22 More Regions

🔍 Amazon S3 Metadata is expanding to twenty-two additional AWS Regions, bringing automated, queryable object and custom metadata closer to more customers. The feature automatically populates metadata for both new and existing objects in near real-time and supports system-defined details (size, source) and user-defined tags such as product SKUs or transaction IDs. This expansion makes S3 Metadata generally available in 28 Regions and enables faster data discovery, curation, and analytics inside existing S3 workflows.

Wed, November 26, 2025

Amazon Bedrock Reserved Tier for Predictable Performance

🔒 Amazon Bedrock now offers a Reserved service tier that provides prioritized compute and guaranteed input/output tokens-per-minute capacity for inference workloads. Customers can reserve asymmetric input and output capacities to match workload patterns, and excess traffic overflows automatically to the pay-as-you-go Standard tier to keep operations running. The tier targets 99.5% model response uptime and is available today for Anthropic Claude Sonnet 4.5, with 1- or 3-month reservations billed monthly at a fixed price per 1K tokens-per-minute.

Wed, November 26, 2025

AWS Secrets Store CSI Driver Add-on for Amazon EKS

🔐 This post introduces the AWS provider for the Secrets Store CSI Driver and the new Amazon EKS add-on that mounts Secrets Manager secrets and Systems Manager parameters as files in Kubernetes pods. The add-on simplifies installation compared with Helm or kubectl, supports EC2 and hybrid nodes, and includes security patches and FIPS endpoint options. The walkthrough covers prerequisites, creating a test secret, installing the add-on, configuring an IAM role and EKS Pod Identity association, deploying an example pod that mounts the secret at /mnt/secrets-store, validating retrieval, and cleaning up resources.

Wed, November 26, 2025

AWS API MCP Server Now Available on AWS Marketplace

🔐 The AWS API MCP Server is now available on AWS Marketplace, enabling customers to deploy the Model Context Protocol (MCP) server to Amazon Bedrock AgentCore as a managed offering. The marketplace deployment provides built-in authentication (SigV4 or JWT), session isolation, and simplified container management while enabling configurable IAM roles and network settings to meet enterprise security requirements. Customers also benefit from AgentCore's logging and monitoring capabilities and regional availability where Bedrock AgentCore is supported.

Wed, November 26, 2025

Amazon EMR and AWS Glue Add Audit Context for Lake Formation

🔒 Amazon EMR and AWS Glue now include comprehensive audit context support for AWS Lake Formation credential vending APIs and AWS Glue Data Catalog GetTable and GetTables calls. Enabled by default, the feature logs platform type and identifiers (Cluster ID, Step ID, Job Run ID, Virtual Cluster ID) to AWS CloudTrail for enhanced security auditing and troubleshooting. It supports EMR 7.12+ and AWS Glue 5.1+ across all Regions that offer EMR, AWS Glue, and Lake Formation.

Wed, November 26, 2025

Shai-Hulud v2 Supply-Chain Campaign Hits Maven Central

⚠️ The second wave of the Shai-Hulud supply-chain attack has moved from npm into the Maven ecosystem after researchers found org.mvnpm:posthog-node:4.18.1 embedding the same setup_bun.js loader and bun_environment.js payload. The artifact was rebundled via an automated mvnpm process and was not published by PostHog; mirrored copies were purged from Maven Central on Nov 25, 2025. The campaign steals API keys, cloud credentials and npm/GitHub tokens by backdooring developer environments and injecting malicious GitHub workflows, affecting thousands of repositories.

Wed, November 26, 2025

SageMaker AI Adds Flexible Training Plans for Inference

⚙️ Amazon SageMaker AI's Flexible Training Plans (FTP) now support inference endpoints, allowing customers to reserve guaranteed GPU capacity for planned evaluations and production peaks. You choose instance types, compute requirements, reservation length, and start date, then reference the reservation ARN when creating an endpoint. SageMaker AI automatically provisions and runs the endpoint on the reserved capacity for the plan duration, removing much of the infrastructure scheduling overhead. FTP for inference is initially available in US East (N. Virginia), US West (Oregon), and US East (Ohio).

Wed, November 26, 2025

Meet Rey, Admin of Scattered LAPSUS$ Hunters Exposed

🔍 A prolific operator known as "Rey," one of three administrators of the Scattered LAPSUS$ Hunters (SLSH) Telegram channel, has confirmed his real-world identity after investigative outreach. Rey is tied to the recent release of the group's new RaaS offering ShinySp1d3r, which he says is derived from Hellcat ransomware code modified with AI tools. Reporting shows Rey made multiple operational security mistakes that allowed analysts to link him to a shared family PC in Amman, Jordan, revealing his name as Saif Al‑Din Khader and that he is a mid‑teens minor who says he is cooperating with law enforcement.

Wed, November 26, 2025

Cyberattack Disrupts OnSolve CodeRED Emergency Alerts

⚠️ A cyber-attack on the OnSolve CodeRED platform disrupted emergency alerts used by state and local agencies across the US and exposed user data. Crisis24 shut down the legacy environment and is rebuilding the system in a new, isolated infrastructure. Investigators confirmed data theft — including names, addresses, emails, phone numbers and passwords — though there is no evidence the data has been posted online. The threat actor INC Ransom claims responsibility and has published screenshots and is selling samples of the files.

Wed, November 26, 2025

Qilin Ransomware Targets South Korean MSP, Hits Finance

🛡️ South Korea's financial sector was struck by a coordinated supply-chain campaign that deployed Qilin ransomware via a compromised MSP, Bitdefender reports. The operation, self-styled as 'Korean Leaks', unfolded in three publication waves in September–October 2025 and resulted in the theft of over 1 million files (about 2 TB) from 28 victims. Analysis ties the clustered intrusions to a single upstream MSP compromise and notes possible involvement by North Korean-affiliated actors alongside Qilin affiliates operating under a RaaS model.

Wed, November 26, 2025

ASUS warns of critical auth bypass in AiCloud routers

⚠️ ASUS has released firmware updates to remediate nine vulnerabilities, including a critical authentication bypass (CVE-2025-59366) affecting routers with AiCloud enabled. The flaw is caused by an unintended Samba side effect and can be exploited by unauthenticated remote attackers chaining a path traversal and an OS command injection in low-complexity attacks. Users should apply the provided firmware (3.0.0.4_386, 3.0.0.4_388, 3.0.0.6_102) immediately or follow ASUS mitigation guidance for end-of-life models.

Wed, November 26, 2025

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes a XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections, IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.

Wed, November 26, 2025

SLSH Resurgence: ShinySp1d3r RaaS Ahead of Holidays

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.

Wed, November 26, 2025

Amazon CloudWatch Adds Deletion Protection for Log Groups

🔒 Amazon CloudWatch now lets you enable deletion protection on log groups to prevent accidental or unintended removals. Once enabled, a log group cannot be deleted until protection is explicitly turned off, helping preserve audit, compliance, and operational logs. The feature is available in all AWS commercial Regions and can be configured during creation or applied to existing groups via the Console, AWS CLI, AWS CDK, and AWS SDKs.

Wed, November 26, 2025

Microsoft hardens Entra ID sign-ins against script injection

🔒 Microsoft will strengthen the Entra ID browser sign-in experience starting mid-to-late October 2026 by enforcing a stricter Content Security Policy that permits scripts only from Microsoft-trusted CDN domains and approved inline sources. The change applies to sign-ins at login.microsoftonline.com; Microsoft Entra External ID is not affected. Administrators should test sign-in flows, remove code-injecting extensions and review developer-console violations to identify and address dependencies before the rollout.

Wed, November 26, 2025

ToddyCat APT Targets Outlook Archives and M365 Tokens

🔒 Kaspersky Labs reports that the ToddyCat APT refined its toolkit in late 2024 and early 2025 to harvest Outlook offline archives and Microsoft 365 OAuth tokens in addition to browser credentials. New PowerShell and C++ components — notably TomBerBill and TCSectorCopy — copy browser artifacts and sector‑level OST files while attackers also attempt in‑memory token grabs from Outlook processes to maintain persistent access.

Wed, November 26, 2025

HashJack: Indirect Prompt Injection Targets AI Browsers

⚠️ Security researchers at Cato Networks disclosed HashJack, a novel indirect prompt-injection vulnerability that abuses URL fragments (the text after '#') to deliver hidden instructions to AI browsers. Because fragments never leave the client, servers and network defenses cannot see them, allowing attackers to weaponize legitimate websites without altering visible content. Affected agents included Comet, Copilot for Edge and Gemini for Chrome, with some vendors already rolling fixes.

Wed, November 26, 2025

Serious Cyber Incidents Hit Multiple London Councils

⚠️ Multiple London local authorities, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, are responding to a serious cybersecurity incident identified on Monday. Both councils have informed the ICO and are working with the NCSC while invoking business continuity and emergency plans to protect critical services. A number of systems, including phone lines and shared IT services, are affected across boroughs. RBKC reports successful mitigations are in place and recovery work is continuing.

Wed, November 26, 2025

Ransomware Alliances Drive Large October Attack Surge

🔴 A seasonal surge and new alliances between ransomware groups drove a 41% month-on-month jump in attacks from September to October, NCC Group reports. Qilin was the most active actor, blamed for 170 of 594 incidents (29%), followed by Sinobi and Akira. The rise coincides with LockBit 5.0 realigning with DragonForce and Qilin, and the emergence of newcomers such as The Gentlemen. Organisations are urged to reinforce monitoring, staff awareness, and secure backups ahead of the peak threat season.

Wed, November 26, 2025

New ClickFix Attacks Use Fake Windows Update Lures

🛡️ Huntress warns of an evolved ClickFix campaign that uses a convincing full‑screen Windows Update splash and steganographic PNGs to trick employees into pasting and running commands. Those commands deliver loaders that in turn deploy LummaC2 and Rhadamanthys infostealers. The firm reports a 313% increase in ClickFix incidents over six months and noted multiple active lure domains even after the Nov 13 Operation Endgame takedown. Primary mitigation advice is to disable the Windows Run dialog via Registry or GPO and pair user awareness with endpoint monitoring and EDR.

Wed, November 26, 2025

Amazon SageMaker HyperPod: Programmatic Node Recovery

🚀 Amazon SageMaker HyperPod now offers generally available programmatic APIs that let administrators reboot or replace cluster nodes at scale. The BatchRebootClusterNodes and BatchReplaceClusterNodes APIs provide an orchestrator-agnostic way to recover unresponsive or degraded nodes for both Slurm and EKS clusters. Each API supports batch operations for up to 25 instances and complements existing orchestrator-specific workflows. The capabilities are currently available in US East (Ohio), Asia Pacific (Mumbai), and Asia Pacific (Tokyo) and are accessible via the AWS CLI, SDKs, or API calls.

Wed, November 26, 2025

ShadowV2 Mirai Botnet Tested During AWS Outage Activity

⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage, appearing active only for the outage window and possibly a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting many affected models are end-of-life and will not be patched.

Wed, November 26, 2025

node-forge patched for ASN.1 signature verification bypass

🔒 The popular JavaScript cryptography library node-forge received a security update after researchers found a high-severity flaw that can bypass signature verification. Tracked as CVE-2025-12816, the issue stems from an ASN.1 validation interpretation conflict that allows crafted, malformed structures to pass schema checks while remaining cryptographically invalid. Maintainers released version 1.3.2; developers are strongly advised to upgrade immediately because applications relying on node-forge for PKI or signature enforcement could face authentication bypasses or signed-data tampering.

Wed, November 26, 2025

Talos Discloses Multiple Dell, Lasso, GL.iNet Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities across Dell ControlVault, the Entr'ouvert Lasso SAML library, and the GL.iNet Slate AX travel router. Issues range from a hard-coded password and privilege escalation in ControlVault to memory corruption and buffer overflows that can enable arbitrary code execution, a type confusion bug and DoS in Lasso, and an OTA firmware downgrade in GL.iNet. Vendors have issued patches under Cisco’s disclosure policy and Snort rule updates are available to detect exploitation. Administrators should apply vendor updates, verify OTA integrity mechanisms, and deploy IDS signatures promptly.

Wed, November 26, 2025

Comcast to Pay $1.5M After Vendor Breach Affects 273,703

🔒 Comcast will pay $1.5 million to settle an FCC investigation after a February 2024 vendor breach at Financial Business and Consumer Solutions (FBCS) exposed the personal data of 273,703 current and former Xfinity customers. Under the consent decree Comcast must implement a compliance plan with enhanced vendor oversight, biennial risk assessments, and biannual reporting. Comcast says its network was not breached and has not conceded wrongdoing.

Wed, November 26, 2025

Multiple London councils' IT systems hit by cyberattack

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems including phone lines were taken offline and councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.

Wed, November 26, 2025

Gainsight Breach Impacts More Salesforce Customers

🔒 Gainsight has confirmed the cyber‑attack tied to Salesforce affected more customers than initially reported, though the vendor says the number remains limited and affected customers were notified. As a precaution Gainsight temporarily disabled Salesforce read/write access for several products, including Customer Success (CS), Community (CC), Northpass (CE), Skilljar (SJ) and Staircase (ST). Other vendors such as Gong.io, Zendesk and HubSpot have also disabled their connectors. Gainsight engaged Mandiant for an independent forensic investigation and is advising customers to rotate credentials and S3 keys, reset NXT passwords where appropriate, re-authorize integrations, and follow proactive hardening guidance while the investigation continues.

Wed, November 26, 2025

FBI: $262M Lost to ATO Fraud as AI Phishing Escalates

🔐 The FBI warns that cybercriminals impersonating banks and payment services have caused over $262 million in losses this year through account takeover (ATO) fraud and more than 5,100 complaints. Attackers use phishing, SEO poisoning, calls and SMS to harvest credentials and MFA/OTP codes, then transfer funds to intermediary accounts and convert proceeds to cryptocurrency. The advisory highlights growing use of AI-generated phishing and holiday-themed scams and urges vigilance, unique passwords, URL checks and stronger authentication.

Wed, November 26, 2025

Amazon Route 53 Accelerated Recovery for Public DNS

⚡ Enabling the accelerated recovery option for Amazon Route 53 public hosted zones gives customers a predictable 60-minute recovery time objective (RTO) to regain the ability to modify public DNS records if AWS services in US East (N. Virginia) are temporarily unavailable. The feature is available globally except in GovCloud and China, and there is no additional charge. It supports faster DNS change operations for banking, FinTech, and SaaS customers to meet continuity and disaster recovery objectives.

Wed, November 26, 2025

Care That You Share: Holiday Risks and Mitigations

🛡️ This edition of Talos Threat Source urges a simple behavioral shift: practice care in what, how, and why you share information during the holiday season and beyond. The briefing highlights operational pressures as teams run lean and attackers intensify phishing and supply‑chain campaigns, and it outlines practical changes such as retiring obsolete ClamAV signatures and encouraging feature‑release container tags for better security maintenance. Thoughtful, timely sharing of tips, IOCs, and status updates can materially improve collective resilience when resources are constrained.

Wed, November 26, 2025

FBI Warns of Widespread Account Takeover Fraud Since January 2025

🔒 The FBI reports that since January 2025 account takeover (ATO) schemes have produced losses exceeding $262 million. Cybercriminals impersonate bank, payroll and health account providers and use phishing domains, SEO poisoning and social engineering to harvest credentials and one-time codes. The Bureau recommends enabling MFA, using unique complex passwords, monitoring accounts regularly, avoiding search ads and verifying unsolicited calls or messages before sharing any login information.

Wed, November 26, 2025

RomCom via SocGholish Fake Update Targets US Civil Firm

🔒 Arctic Wolf Labs reports that a RomCom payload was delivered via a JavaScript loader known as SocGholish to a U.S.-based civil engineering company, marking the first observed use of this distribution method. The chain relied on fake browser update prompts to run a loader that established a reverse shell, dropped a custom Python backdoor called VIPERTUNNEL, and installed a RomCom DLL loader that launched the Mythic Agent. Attribution to GRU Unit 29155 is assessed at medium-to-high confidence, and the intrusion was blocked before it could progress further.

Wed, November 26, 2025

Amazon EMR and AWS Glue Enforce Lake Formation Write FGAC

🔐 Amazon has extended AWS Lake Formation fine-grained access control to include write operations for tables registered with Lake Formation when used in Apache Spark jobs on Amazon EMR and AWS Glue. Administrators can now enforce table-, column-, and row-level permissions for write operations (CREATE, ALTER, INSERT, UPDATE, DELETE, MERGE INTO, DROP) as well as for reads, enabling single-job read/write pipelines. The change reduces the need for separate clusters or applications and centralizes governance. The feature is available in all Regions where EMR, Glue, and Lake Formation are supported.

Wed, November 26, 2025

AWS Health: actionability and persona for triage updates

🔔 AWS Health introduced two new event schema properties — actionability and persona — to help customers identify and prioritize operational notifications. Delivered via the AWS Health API and Health EventBridge, these fields let organizations programmatically flag events that require customer action and route them to relevant teams such as security or billing. Available across all AWS Commercial and GovCloud (US) Regions, the change streamlines integrations with monitoring, ticketing, and automation systems to improve triage and remediation workflows.

Wed, November 26, 2025

AWS Compute Optimizer: Unused NAT Gateway Recommendations

🔔 AWS announced that AWS Compute Optimizer now provides idle resource recommendations for NAT Gateways, helping identify unused NAT Gateways and realize potential cost savings. The feature flags NAT Gateways that show no traffic over a 32-day analysis period by evaluating CloudWatch metrics such as active connection count and incoming packet counts. Compute Optimizer also checks Route Table associations to avoid recommending critical backup resources, and it surfaces estimated savings and utilization details so that teams can validate a recommendation before remediating.

Wed, November 26, 2025

Hardening Microsoft Exchange SE for 2026 and Beyond

🔒 The article by Stan Kaminsky summarizes practical hardening steps for on-premises Microsoft Exchange, emphasizing that Exchange Server Subscription Edition (Exchange SE) will be the only supported on-premises option in 2026 following the end of support for Exchange Server 2019. It outlines common attacker techniques — from password spraying and web shells to mail-flow rule abuse — and highlights immediate actions like migrating to Exchange SE or obtaining Extended Security Updates, applying regular Cumulative Updates, and enabling the Emergency Mitigation service. Recommendations also cover baseline configuration, EDR/EPP deployment, modern authentication, Kerberos adoption, TLS and HSTS, administrative access controls, PowerShell stream signing and protections against forged mail headers.

Wed, November 26, 2025

UK Committee Urges Legal Liability for Software Insecurity

⚖️ The UK’s Business and Trade Committee has recommended making software providers legally accountable for insecure products, arguing that voluntary measures like the Software Security Code of Practice are insufficient to protect economic stability. The report highlights 2025 incidents affecting Co-op, M&S and Jaguar Land Rover that produced heavy public costs and operational disruption. It urges mandatory compliance, stronger enforcement powers and compulsory incident reporting to shift financial risk back to vendors.

Wed, November 26, 2025

ClickFix Campaign Uses Fake Windows Update Pages in Stealth

🛡️ Researchers at Huntress uncovered a ClickFix campaign that hides malware inside the RGB pixels of PNG images on a fake Windows Update page, tricking victims into pasting and running commands. The delivered payloads include the LummaC2 infostealer and the Rhadamanthys malware family, with active domains observed after a mid-November takedown. Huntress warns the steganographic technique and the realistic Windows Update motif increase the attack's stealth, and recommends disabling the Windows Run dialog and strengthening endpoint monitoring.

Wed, November 26, 2025

Agentic AI Security Use Cases for Modern CISOs and SOCs

🤖 Agentic AI is emerging as a practical accelerator for security teams, automating detection, triage, remediation and routine operations to improve speed and scale. Security leaders at Zoom, Dell, Palo Alto and others highlight its ability to reduce alert fatigue, augment SOCs and act as a force multiplier amid persistent skills shortages. Implementations emphasize augmentation over replacement, enabling continuous monitoring and faster, more consistent responses.

Wed, November 26, 2025

Microsoft: FIDO2 Security Keys May Require PIN on Windows

🔒 Microsoft warned that FIDO2 security keys may prompt users to create or enter a PIN after Windows updates beginning with the September 29, 2025 KB5065789 preview. This behavior affects devices running Windows 11 24H2 or 25H2 when a Relying Party or identity provider requests User Verification set to preferred. Microsoft says the change is intentional to align with the WebAuthn specification, which requires PIN setup when authenticators support user verification. Organizations that want to avoid PIN prompts can set user verification to discouraged in their WebAuthn settings.

Wed, November 26, 2025

Malicious Chrome Extension Injects Hidden Solana Fees

🛡️ A malicious Chrome extension named Crypto Copilot was found injecting covert Solana transfers into Raydium swap transactions, diverting funds to an attacker-controlled wallet. Published by "sjclark76" on May 7, 2024, the add-on remains available on the Chrome Web Store with 12 installs. The extension appends a hidden SystemProgram.transfer to each swap before it is signed, charging a minimum fee of 0.0013 SOL (rising to 0.05% of the swap amount above 2.6 SOL) while obfuscating its code to evade detection. It also contacts backend domains to register wallets and report activity, giving it a false veneer of legitimacy.

Wed, November 26, 2025

When Detection Tools Fail: Invest in Your SOC Today

🔐 Enterprises often over-invest in rapid detection tools while under-resourcing their SOC, creating a dangerous asymmetry. A cross-company phishing campaign bypassed eight leading email defenses but was caught by SOC teams after employee reports, illustrating the SOC's broader context and investigative power. Investing in an AI-driven SOC like Radiant Security can triage alerts, reduce false positives, and extend 24/7 coverage for lean teams.

Wed, November 26, 2025

Passwork 7: Self-hosted Password and Secrets Manager

🔐 Passwork 7 is a self-hosted password and secrets manager designed for enterprise teams, combining a user-facing password vault with a programmatic secrets management system. It introduces a flexible vault architecture (user, company, and custom vault types), granular RBAC, secure internal and external sharing, and comprehensive audit trails. The platform supports SSO/LDAP, an API-first model with a Python connector, CLI and Docker deployment, and a zero-knowledge encryption mode to keep data encrypted client-side. Passwork 7 targets organizations seeking unified human and machine credential governance with self-hosting and compliance controls.

Wed, November 26, 2025

Huawei and Chinese Surveillance: Industry Complicity

🔍 The excerpt, from House of Huawei, recounts Wan Runnan’s experience as a celebrated 1980s entrepreneur who later fled China after supporting the 1989 pro‑democracy protests. At a late‑1980s dinner, local officials told him the Ministry of State Security planned to embed agents in tech firms under the pretext of protection, particularly in roles handling international relations. Wan reports that similar approaches were made to other companies and says Huawei, then a small Shenzhen startup, almost certainly would not have been exempt. He warns that telecommunications back‑end platforms are uniquely able to enable state eavesdropping, a rare public glimpse into intelligence ties with industry.

Wed, November 26, 2025

Webinar: Safely Patching Systems Using Community Tools

🔒 Community-driven package managers like Chocolatey and Winget speed deployments but can introduce supply-chain risks when packages are added or updated without rigorous vetting. Gene Moody, Field CTO at Action1, will lead a free webinar that tests these tools in practice, highlights common weak points, and demonstrates pragmatic safeguards such as source pinning, allow-lists, and hash/signature verification. The session focuses on actionable steps to help teams prioritize updates using known exploited vulnerability (KEV) data and to decide whether to rely on community repos, vendor sources, or a hybrid approach while maintaining operational velocity.

Wed, November 26, 2025

NordVPN Black Friday Deal: Up to 77% Off VPN Plans

🔒 The NordVPN Black Friday promotion offers up to 77% off select plans, including a highlighted 27‑month Basic package priced at $80.73 and a 2‑year plan with three extra months free. Running from October 16 through December 10, the deal activates automatically via the article link with no promo codes. NordVPN emphasizes fast NordLynx speeds, a strict no‑logs policy, and bundled extras like Threat Protection and NordPass.
