CTRL + ALT + SEC

Author: ByteMe

What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 10/20/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Verizon: Mobile Blindspot Leads to Needless Data Breaches

The analysis of Verizon’s 2025 Mobile Security Index (MSI) reveals a critical and dangerous blind spot in enterprise risk management: as employees increasingly rely on personal devices for work, organizations are failing to apply commensurate security controls to the mobile frontier. This gap is rooted in a fundamental, dangerous misconception of security at both the individual and organizational level. Employees exhibit deep overconfidence, engaging in risky practices; like storing passwords in their Notes app or using their phone as the default device for “risky clicks” because they “believe nothing can happen there.” Threat actors have effectively capitalized on this low awareness by pivoting to smishing (SMS phishing), which the data shows is overwhelmingly more effective than email phishing. The 80% reported smishing attempt rate against organizations and the alarmingly high employee failure rates in simulations (with up to half of employees failing in many companies) underscore that mobile devices are now the path of least resistance for initial access breaches.

This issue is amplified by an organizational failure to evolve security policies to match the reality of hybrid work. Companies have invested heavily in desktop and server security, yet the MSI highlights a significant parity gap on the mobile side, slowing detection and response times. This gap is structural, as most organizations do not issue work phones to all employees, meaning the majority of mobile attacks (70%) land on unmanaged personal devices. Simply put, companies are falling into the same trap as their employees, ignoring a known, high-impact vulnerability. For business leaders and security professionals, the Verizon MSI presents a clear strategic mandate for immediate action. The traditional security perimeter is gone, and organizations must shift their focus from preventing device use to managing the risk associated with it. This necessitates a combined approach of robust policy implementation and mandatory, high-frequency employee education. The data provides a powerful incentive: organizations utilizing a comprehensive set of eight mobile security best practices—including Mobile Device Management (MDM) and a zero-trust architecture—are five times less likely to experience major repercussions from a breach. The cost of inaction, leading to longer detection times and system downtime, far outweighs the investment required to bring mobile security up to parity with traditional IT controls, making

Projects
- TryHackMe – Vulnerability Scanner Overview – Complete
- TryHackMe – CyberChef: The Basics – In Progress
Videos

Articles
- Massive SIM farm network powering 49 million fake accounts taken apart by Europol – Law enforcement agencies from Austria, Estonia, Finland, and Latvia, together with Europol, have seized thousands of SIM-box devices and SIM cards used in multiple scam campaigns.
- 131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign – Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.
- Foreign hackers breached a US nuclear weapons plant via SharePoint flaws – A foreign actor infiltrated the National Nuclear Security Administration’s Kansas City National Security Campus through vulnerabilities in Microsoft’s SharePoint browser-based app, raising questions about the need to solidify further federal IT/OT security protections.
- Russian hackers evolve malware pushed in “I am not a robot” captchas – The Russian state-backed Star Blizzard hacker group has ramped up operations with new, constantly evolving malware families (NoRobot, MaybeRobot) deployed in complex delivery chains that start with ClickFix social engineering attacks.
- Muji’s minimalist calm shattered as ransomware takes down logistics partner – Japanese retailer halts online orders after attack cripples third-party vendor
- Hundreds of masked ICE agents doxxed by hackers, as personal details posted on Telegram – Hundreds of US government officials working for the FBI, ICE, and Department of Justice have had their personal data leaked by a notorious hacking group.
- Major AWS outage took down Fortnite, Alexa, Snapchat, and more – Amazon says the cause of the AWS outage was related to DNS.
- LA Metro digital signs taken over by hackers – the digital reader boards at a bus stop at 6th Street and Vermont Avenue displaying a message that read “EMERGENCY WARNING. LEAVE IMMEDIATELY. RISK OF SUICIDE BOMB.”
- SoCal man agrees to plead guilty to acting as Beijing’s agent – A California man has agreed to plead guilty to acting as an illegal agent for the Chinese government in Southern California while working as a campaign advisor for a local politician.
- Verizon: Mobile Blindspot Leads to Needless Data Breaches – People habitually ignore cybersecurity on their phones. Instead of compensating for that, organizations are falling into the very same trap, even though available security options could cut smishing success and breaches in half.
October 27, 2025
2025 Mobile Security Index
Below are the top take-aways from the Verizon 2025 Mobile Security Index report.

AI Threats vs. Lagging Defenses

A significant disconnect exists between the awareness of AI-driven threats and the implementation of specific defenses.
- High Concern: 77% of organizations believe AI-assisted deepfake and SMS phishing (smishing) attacks are likely to succeed.
- Low Preparedness: Despite this concern, deployment of relevant controls is dangerously low.
  - Only 17% have implemented specific security controls against AI-assisted attacks.
  - Only 12% have protections in place against deepfake-enhanced voice phishing.
  - Only 16% have protections against zero-day exploits.
GenAI & Human Error Remain Top Risks

Widespread, unsecured use of Generative AI (GenAI) and fundamental human fallibility are the primary entry points for compromise.
- Widespread GenAI Use: 93% of organizations report employees are using GenAI tools on their mobile devices.
- Top GenAI Risk: 64% of respondents see “data compromise from employees entering sensitive information into genAI” as their top mobile device risk.
- Persistent Human Error: The human element remains a key vulnerability. In smishing simulations, 39% of organizations reported that between 26% and 50% of their employees clicked a malicious link.
- BYOD Amplifies Risk: Personal devices are a major weak point. 70% of mobile devices impacted by an attack are personal, not corporate-issued.
October 23, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 10/13/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Satellites found exposing unencrypted data, including phone calls and some military comms

This article reveals a startling lapse in global data security, reporting that researchers from UC San Diego and the University of Maryland easily intercepted vast amounts of unencrypted sensitive data from as many as half of all geostationary satellites. Using only an $800 off-the-shelf satellite receiver over three years, they were able to eavesdrop on a broad spectrum of communications. The exposed information includes personal consumer data such as private voice calls, text messages, and internet traffic from commercial services like in-flight Wi-Fi, demonstrating that data considered private is often wide open to unauthorized interception with minimal effort.

The scope of the security failure extends far beyond consumer privacy, encompassing communications critical to national security and vital economic operations. Critically, the researchers found the unencrypted streams included data exchanged between critical infrastructure systems, such as energy and water suppliers, offshore oil and gas platforms, and even some military communications. The effortless exposure of these transmissions poses a profound security risk, creating a significant vulnerability for coordinated attacks or industrial espionage against foundational public and private utilities.

Following the discovery, the research team spent a year alerting affected organizations. This effort led to some immediate remediation, with companies like T-Mobile and AT&T’s network in Mexico quickly encrypting their data to mitigate the risk. However, the most alarming takeaway is the warning that the exposure is far from over. Many organizations, especially certain critical infrastructure providers, have not yet fixed their systems, meaning that large volumes of sensitive satellite data will continue to be vulnerable to eavesdropping for years to come, leaving essential systems exposed to this easily exploited security hole.

Projects
- TryHackMe – Vulnerability Scanner Overview – In Progress
Videos

Articles
- Harvard Is First Confirmed Victim of Oracle EBS Zero-Day Hack – Hackers have posted over 1 Tb of information allegedly stolen from Harvard on the Cl0p data leak website.
- Satellites found exposing unencrypted data, including phone calls and some military comms – Security researchers have discovered that as many as half of all geostationary satellites in Earth’s orbit are carrying unencrypted sensitive consumer, corporate, and military information, making this data wide open to eavesdropping.
- Fake LastPass, Bitwarden breach alerts lead to PC hijacks – An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager.
- F5 Breach Exposes BIG-IP Source Code — Nation-State Hackers Behind Massive Intrusion – U.S. cybersecurity company F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP’s source code and information related to undisclosed vulnerabilities in the product.
- Experian fined $3.2 million for mass-collecting personal data – Experian Netherlands has been fined EUR 2.7 million ($3.2 million) for multiple violations of the General Data Protection Regulation (GDPR)
- China Accuses US of Cyberattack on National Time Center – The Ministry of State Security alleged that the NSA exploited vulnerabilities in the messaging services of a foreign mobile phone brand to steal sensitive information.
Podcasts
October 20, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 10/6/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: The Salesloft-Drift Breach: Analyzing the Biggest SaaS Breach of 2025

Analysis of The Salesloft-Drift SaaS Supply Chain Breach

This article effectively spotlights the most critical emerging threat in enterprise security: the SaaS supply chain attack leveraging unmonitored SaaS-to-SaaS integrations. The breach of Salesloft and Drift, attributed to sophisticated groups like ShinyHunters and Scattered Spider, serves as a powerful case study for a fundamental shift in risk. Since most modern businesses rely on an interconnected ecosystem of applications like Salesforce and Gmail, a compromise in a single low-profile third-party vendor offers a “10x force multiplier” for attackers, allowing them to pivot laterally into hundreds of downstream customer environments. This risk profile—where a company’s sensitive data is accessed not through a firewall failure but through a trusted connection and persistent OAuth token—is highly relevant to all LinkedIn professionals, especially those in leadership and IT/DevOps roles responsible for vendor risk and cloud security architecture.

The analysis of why “traditional SaaS security failed” underscores the growing SaaS Security Gap. Legacy security tools, designed for on-premise networks or simple SaaS usage, are blind to the five critical attack vectors: the persistent nature of compromised OAuth tokens, the ability for attackers to conduct SaaS-to-SaaS lateral movement, and the complete lack of visibility into these third-party connections. This is a direct challenge to the common belief that simply having an identity and access management (IAM) solution is sufficient, as IAM often trusts OAuth tokens by design. The article thus compels organizations to shift their focus from protecting the network perimeter to continuously monitoring the permissions, configurations, and behavioral patterns within and across their interconnected cloud applications.

The proposed solution, Dynamic SaaS Security from the article’s publisher, Reco, frames the next necessary evolution in defense. It details a multi-layered strategy that directly counters each attack vector by providing instant discovery of risky SaaS-to-SaaS connections, continuous monitoring of OAuth token usage, and cross-SaaS threat detection.¹ For security professionals, this translates into actionable steps: prioritizing the active scanning and removal of secrets and API keys embedded in SaaS environments and implementing real-time behavioral policies that look for anomalous activity that spans multiple applications.² Ultimately, the Salesloft-Drift breach is presented not just as a news event, but as a watershed moment proving that static, siloed security is obsolete in the era of hyper-connected cloud workflows.

Projects
- TryHackMe – IDS Fundamentals – Complete
- TryHackMe – Vulnerability Scanner Overview – In Progress
Videos

Articles
- Discord discloses data breach after hackers steal support tickets – Hackers stole partial payment information and personally identifiable data, including names and government-issued IDs, from some Discord users after compromising a third-party customer service provider.
- CometJacking: One Click Can Turn Perplexity’s Comet AI Browser Into a Data Thief – Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity’s agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar.
- ParkMobile pays… $1 each for 2021 data breach that hit 22 million – ParkMobile has finally wrapped up a class action lawsuit over the platform’s 2021 data breach that hit 22 million users.
- Hacking group claims theft of 1 billion records from Salesforce customer databases – A notorious predominantly English-speaking hacking group has launched a website to extort its victims, threatening to release about a billion records stolen from companies who store their customers’ data in cloud databases hosted by Salesforce.
- The Salesloft-Drift Breach: Analyzing the Biggest SaaS Breach of 2025 – Supply chain attacks that exploit unmonitored SaaS-to-SaaS integrations affect ten times more companies than traditional credential-based breaches.
- DraftKings warns of account breaches in credential stuffing attacks – Sports betting giant DraftKings has notified an undisclosed number of customers that their accounts had been hacked in a recent wave of credential stuffing attacks.
- California enacts law giving consumers ability to universally opt out of data sharing – California Gov. Gavin Newsom on Wednesday signed a bill which requires web browsers to make it easier for Californians to opt-out of allowing third parties to sell their data.
- Fake ‘Inflation Refund’ texts target New Yorkers in new scam – An ongoing smishing campaign is targeting New Yorkers with text messages posing as the Department of Taxation and Finance, claiming to offer “Inflation Refunds” in an attempt to steal victims’ personal and financial data.
October 13, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 9/29/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: US Auto Insurance Platform ClaimPix Leaked 10.7TB of Records Online

This colossal data exposure involving ClaimPix, an auto insurance claims platform, serves as a stark warning about the pervasive dangers of basic security failures in the digital age. The discovery of an unsecured, unencrypted database containing a staggering 10.7 terabytes and 5.1 million files highlights critical shortcomings in data governance and cloud configuration management. For a platform entrusted with managing sensitive insurance and vehicle information, leaving such a massive repository of customer PII and operational data publicly accessible due to a lack of a simple password is a fundamental breach of trust and duty. This incident underscores that even with advanced security threats dominating the news, the simplest oversight—like misconfiguring storage access—can lead to catastrophic consequences.

The contents of the leak reveal the severe implications for data privacy and corporate legal exposure. Beyond standard PII like names and addresses, the exposure of vehicle records (VINs, license plates) and, most critically, approximately 16,000 Power of Attorney documents elevates the risk far beyond mere inconvenience. This combination of personal identity details and legal authorization is a potent toolkit for sophisticated criminals, enabling everything from identity theft and financial fraud to the highly specialized crime of vehicle cloning. The severity of this specific data mix places ClaimPix under immense scrutiny for compliance violations and potential long-term harm to the affected customers, demanding a comprehensive and transparent response regarding the full duration of exposure and the root cause.

While ClaimPix’s swift action to secure the database upon receiving the responsible disclosure is commendable, the lingering questions concerning the entity responsible for the database—whether ClaimPix directly or a third-party vendor—are paramount for risk analysis. This ambiguity is a key point for every business professional, emphasizing the critical need for rigorous vendor risk management and clear data ownership protocols. The incident provides an urgent case study for organizations to stress-test their security architectures, focusing on mandatory encryption, multi-factor access controls, and regular audits of cloud storage configurations. Ultimately, the ClaimPix leak is a powerful reminder that proactive, fundamental security hygiene is the bedrock of corporate responsibility and essential for maintaining customer trust in a data-driven ecosystem.

Projects
- TryHackMe – Firewall Fundamentals – Complete
- TryHackMe – IDS Fundamentals – In Progress
Articles
- Ransomware gang sought BBC reporter’s help in hacking media giant – Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money.
- Japan’s largest brewer suspends operations due to cyberattack – Asahi Group Holdings, Ltd (Asahi), the brewer of Japan’s top-selling beer, has disclosed a cyberattack that disrupted several of its operations.
- UK convicts “Bitcoin Queen” in world’s largest cryptocurrency seizure – The Metropolitan Police has secured a conviction in what is believed to be the world’s largest cryptocurrency seizure, valued at more than £5.5 billion ($7.3 billion).
- Google Ads Used to Spread Trojan Disguised as TradingView Premium – Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.
- Dutch teens arrested for trying to spy on Europol for Russia – Two Dutch teenage boys aged 17, reportedly used hacking devices to spy for Russia, have been arrested by the Politie on Monday.
- US Auto Insurance Platform ClaimPix Leaked 10.7TB of Records Online – Cybersecurity researcher Jeremiah Fowler discovered a massive 10.7TB ClaimPix leak exposing 5.1M customer files, vehicle data, and Power of Attorney documents. Read the full details.
- Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M – Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.
- Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws – Roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances exposed on the public web are vulnerable to two vulnerabilities actively leveraged by hackers.
- Allianz Life says July data breach impacts 1.5 million people – Allianz Life has completed the investigation into the cyberattack it suffered in July and determined that nearly 1.5 million individuals are impacted.
- That annoying SMS phish you just got may have come from a box like this – Scammers have been abusing unsecured cellular routers used in industrial settings to blast SMS-based phishing messages in campaigns that have been ongoing since 2023, researchers said.
Podcasts
October 6, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 9/22/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Attackers Abuse AI Tools to Generate Fake CAPTCHAs in Phishing Attacks

This new research by Trend Micro highlights a critical escalation in the cyber threat landscape, demonstrating how the very tools driving modern digital transformation, specifically AI-native development platforms are being co-opted for malicious ends. The core threat lies in the attackers’ ability to weaponize the ease of deployment, free hosting, and legitimate branding of services like Lovable, Netlify, and Vercel. By leveraging AI to rapidly generate convincing fake CAPTCHA pages, cybercriminals have streamlined their operations, lowering the technical skill and cost barrier to launching sophisticated phishing campaigns at scale. This trend forces organizations to recognize that their innovation partners (AI platforms) may inadvertently be enabling their adversaries, necessitating a complete re-evaluation of current security intelligence and threat models.

The tactical genius of this attack chain is its effectiveness in bypassing both human vigilance and automated security controls. The fake CAPTCHA serves a dual purpose: psychologically, it makes the malicious link appear legitimate to the end-user by simulating a routine security check, lowering their guard against a suspicious “Password Reset” or “USPS” notification. Technologically, it acts as a cloaking device. Automated security scanners that crawl the initial URL only encounter the CAPTCHA challenge, failing to see the credential-harvesting page hidden behind it. This redirection technique significantly enhances the success rate of the phishing operation, demonstrating that attackers are creatively adapting their social engineering and evasion techniques to overcome standard endpoint and email security defenses.

Moving forward, this research demands a robust, multi-layered response from the professional community. For security teams, traditional signature-based detection is no longer sufficient; defenses must evolve to analyze the entire redirect chain and monitor for abuse across trusted development domains. For business leaders and HR departments, the necessity of employee security awareness training is amplified, focusing specifically on verifying URLs even when a CAPTCHA is present. Ultimately, the “fake CAPTCHA” scheme underscores a broader industry challenge: balancing the benefits of agile, AI-powered development tools with the inherent risk they introduce when made accessible to all, including those with criminal intent. The industry must now collaborate to build in mechanisms that detect and shut down malicious use on these platforms swiftly and at the source.

Projects
- TryHackMe – Log Fundamentals – Complete
- TryHackMe – Introductrion to SIEM – Complete
- TryHackMe – Firewall Fundamentals – In Progress
Articles
- Attackers Abuse AI Tools to Generate Fake CAPTCHAs in Phishing Attacks – Cybercriminals are abusing AI platforms to create and host fake CAPTCHA pages to enhance phishing campaigns, according to new Trend Micro research.
- Chinese Network Selling Thousands of Fake US and Canadian IDs – New investigation exposes a China-based ring that sold over 6,500 fake United States and Canadian IDs using well-planned covert packaging. Learn how this operation threatens national security and enables financial crime.
- UK police arrested two teen Scattered Spider members linked to the 2024 attack on Transport for London – U.K. police arrested two teens from the Scattered Spider group for their role in the August 2024 cyberattack on Transport for London.
- American Archive of Public Broadcasting fixes bug exposing restricted media – A vulnerability in the American Archive of Public Broadcasting’s website allowed downloading of protected and private media for years, with the flaw quietly patched this month.
- U.S. Secret Service Seizes 300 SIM Servers, 100K Cards Threatening U.S. Officials Near UN – The U.S. Secret Service on Tuesday said it took down a network of electronic devices located across the New York tri-state area that were used to threaten U.S. government officials and posed an imminent threat to national security.
- A Massive Telecom Threat Was Stopped Right As World Leaders Gathered at UN Headquarters in New York – More than 300 servers and 100,000 SIM cards designed to mimic cellphones and overwhelm networks.
- Jaguar Land Rover Says Shutdown Will Continue Until at Least Oct 1 After Cyberattack – JLR extended the pause in production “to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation.”
- How One Bad Password Ended a 158-Year-Old Business – The Northamptonshire-based firm fell victim to the Akira ransomware group after hackers gained access by guessing an employee’s weak password.
- Dutch teens arrested for trying to spy on Europol for Russia – Two Dutch teenage boys aged 17, reportedly used hacking devices to spy for Russia, have been arrested by the Politie on Monday.
- Harrods suffers new data breach exposing 430,000 customer records – UK retail giant Harrods has disclosed a new cybersecurity incident after hackers compromised a third-party supplier and stole 430,000 records with sensitive e-commerce customer information.
September 29, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 9/15/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Former FinWise employee may have accessed nearly 700K customer records

The data breach at FinWise Bank, which affected nearly 700,000 customer records, highlights the significant and often prolonged risk posed by former employees. A former staff member was able to potentially access sensitive information for over a year after their employment ended, demonstrating a critical failure in the company’s offboarding and access control protocols. While FinWise Bank has taken standard corrective measures, such as hiring cybersecurity professionals and offering free credit monitoring to the 689,000 affected customers, the incident underscores the severe consequences of a breach that goes undetected for a lengthy period.

This incident is not isolated and falls into a growing pattern of insider-related data breaches. The article cites similar, high-profile cases at companies like Coinbase and Rippling, where former or current employees were found to have maliciously accessed or stolen data. The problem extends beyond malicious intent to include accidental breaches, such as misdirected emails. The recurring nature of these events, including a statistic about student-caused cyberattacks in schools, points to a systemic vulnerability in how organizations manage and secure internal access to sensitive information.

Experts suggest that a more strategic approach to personnel security is needed to counter these risks effectively. The analysis from Paul Martin of RUSI points out the “lacking strategic thinking” in the field and recommends proactive measures rather than reactive ones. He advocates for a stronger internal security culture, built on trust, and the creation of a dedicated working group to aggregate and analyze data that could indicate insider malfeasance. By improving these internal processes, organizations like FinWise could better protect themselves from the risks posed by both current and former employees, thus preventing future incidents of this scale.

Projects
- TryHackMe – Log Fundamentals – In Progress
Papers
- DTEX 2025 Cost of Insider Risk Global Report
Articles
- 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet – Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report.
- Google confirms hackers gained access to law enforcement portal – Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company.
- Former FinWise employee may have accessed nearly 700K customer records – Bank says incident went undetected for over a year before discovery in June.
- Scattered Spider ransomware group abruptly decides to end operations – for now, at least: The Scattered Spider ransomware group and more than a dozen other hacker buddies have abruptly decided to close up shop. Apparently, the pressure from law enforcement agencies has become too hot to handle.
- RaccoonO365 Phishing Service Disrupted, Leader Identified – Microsoft and Cloudflare have teamed up to take down the infrastructure used by RaccoonO365.
- Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims – Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going “dark.”
- BreachForums Owner Sent to Prison in Resentencing – Conor Fitzpatrick, who pleaded guilty in July 2023, was sentenced last year to time served and supervised release.
- UK arrests ‘Scattered Spider’ teens linked to Transport for London hack – Two teenagers, believed to be linked to the August 2024 cyberattack on Transport for London, have been arrested in the United Kingdom.
- Tiffany Data Breach Impacts Thousands of Customers – The high-end jewelry retailer is informing customers in the United States and Canada that hackers accessed information related to gift cards.
- U.K. Arrests Two Teen Scattered Spider Hackers Linked to August 2024 TfL Cyber Attack Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency.
- ChatGPT Tricked Into Solving CAPTCHAs – The AI agent was able to solve different types of CAPTCHAs and adjusted its cursor movements to better mimic human behavior.
- UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware – An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn.
September 22, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 9/8/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Hackers Weaponize Amazon Simple Email Service to Send 50,000+ Malicious Emails Per Day

A recent cybercriminal campaign has been exploiting Amazon’s Simple Email Service (SES) to launch large-scale phishing attacks, delivering over 50,000 malicious emails per day. The campaign begins with attackers gaining access to AWS accounts through compromised access keys. They then use these credentials to probe the environment for SES permissions. By using a sophisticated, multi-regional approach, they are able to bypass SES’s default “sandbox” restrictions and daily email limits, unlocking the ability to send massive volumes of malicious emails.

The attackers’ infrastructure is technically advanced, utilizing both their own domains and legitimate domains with weak security configurations to facilitate email spoofing. They systematically verify these domains and create legitimate-looking email addresses to maximize the credibility of their messages. The phishing emails themselves are designed to appear as official tax-related notifications, directing victims to credential harvesting sites. To evade detection, the attackers use commercial traffic analysis services and programmatically attempt to escalate privileges within the AWS environment, though some of these attempts have failed.

This campaign highlights a growing threat where legitimate cloud services, intended for business purposes, are weaponized at scale. The successful exploitation of Amazon SES demonstrates the critical importance of robust security practices, including the need for enhanced monitoring of dormant access keys and unusual cross-regional API activity. The findings from Wiz.io researchers serve as a crucial reminder for organizations to implement more stringent security measures to prevent cloud service abuse and protect against sophisticated, large-scale cyberattacks.

Projects
- TryHackMe – SQLMap: The Basics – Complete
- TryHackMe – SOC Fundamentals – Complete
- TryHackMe – Digital Forensics Fundamentals – Complete
- TryHackMe – Incident Response Fundamentals – Complete
Videos

Articles
- Plex tells users to reset passwords after new data breach – Media streaming platform Plex is warning customers to reset passwords after suffering a data breach in which a hacker was able to steal customer authentication data from one of its databases.
- iCloud Calendar abused to send phishing emails from Apple’s servers – iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple’s email servers, making them more likely to bypass spam filters to land in targets’ inboxes.
- Hackers Weaponize Amazon Simple Email Service to Send 50,000+ Malicious Emails Per Day – A sophisticated cybercriminal campaign has emerged, exploiting Amazon’s Simple Email Service (SES) to orchestrate large-scale phishing operations capable of delivering over 50,000 malicious emails daily.
- Remote CarPlay Hack Puts Drivers at Risk of Distraction and Surveillance – Oligo Security has shared details on an Apple CarPlay attack that hackers may be able to launch without any interaction.
- Apple warns customers targeted in recent spyware attacks – Apple warned customers last week that their devices were targeted in a new series of spyware attacks, according to the French national Computer Emergency Response Team (CERT-FR).
- U.S. Senator accuses Microsoft of “gross cybersecurity negligence” – U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting the agency to investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.
- Man gets over 4 years in prison for selling unreleased movies – A Tennessee court has sentenced a Memphis man who worked for a DVD and Blu-ray manufacturing and distribution company to 57 months in prison for stealing and selling digital copies of unreleased movies.
Podcasts
September 15, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 9/1/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack

The article highlights the stealthy and evasive nature of this new threat. By using LOLBINS (Living Off the Land Binaries) like PowerShell, the malware is designed to evade detection by conventional antivirus software and even modern endpoint detection and response (EDR) systems, which are not commonly found on personal computers. The PowerShell script runs in memory, leaving little to no trace on the disk. This approach exploits the trust users place in legitimate system tools and known security services like Cloudflare. The use of a travel site for an expensive destination like the Galapagos suggests the attackers are targeting affluent individuals, potentially executives, whose personal devices could serve as a gateway to their corporate networks.

Despite successfully identifying the malware and its payload, researchers at Todyl have several unanswered questions about the operation’s infrastructure and the relationships between the different actors involved. For instance, they are unsure whether the developers of LightPerlGirl are directly affiliated with the creators of the Lumma infostealer or if they are separate entities using a malware-as-a-service model. The discovery of this variant was almost accidental, as it was found on a customer’s corporate device which was protected by Todyl’s security platform. This underscores the difficulty in detecting such stealthy attacks, even for advanced security solutions. The article emphasizes that the true danger of ClickFix variants lies in their potential to compromise a company’s enterprise network through an unsuspecting employee’s personal device.

Projects
- TryHackMe – Hydra – Complete
- TryHackMe – Gobuster: The Basics – Complete
- TryHackMe – Shells Overview – Complete
- TryHackMe – SQLMap: The Basics – In Progress
Videos

Articles
- No, Google did not warn 2.5 billion Gmail users to reset passwords – Google has disputed a widely reported story about the company warning all Gmail users to reset their passwords due to a recent data breach that also affected some Workspace accounts.
- FBI cyber cop: Salt Typhoon pwned ‘nearly every American’ – China’s Salt Typhoon cyberspies hoovered up information belonging to millions of people in the United States over the course of the years-long intrusion into telecommunications networks, according to a top FBI cyber official.
- Disney to pay $10M to settle claims it collected kids’ data on YouTube – Disney will pay $10 million to settle claims by the U.S. Federal Trade Commission that it mislabeled videos for children on YouTube, which allowed the collection of kids’ personal information without their consent or notification to their parents.
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack – Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).
- Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats – An Iran-nexus group has been linked to a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.
- Google Fined $379 Million by French Regulator for Cookie Consent Violations – The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.
- VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages – Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system.
- New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack – Researchers identify a previously unknown ClickFix variant exploiting PowerShell and clipboard hijacking to deliver the Lumma infostealer via a compromised travel site.
- Jury orders Google to pay $425 million for violating user privacy – The class action lawsuit alleged that Google continued to collect user information even after they turned activity tracking off.
September 8, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 8/25/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Booking.com phishing campaign uses sneaky ‘ん’ character to trick you

These are two separate but related phishing campaigns that exploit a typographical trick called homoglyphs to deceive victims. In the first instance, threat actors used the Japanese hiragana character ん (U+3093), which in some fonts looks like a forward slash, to create a fake Booking.com URL. This visual deception makes the malicious domain [suspicious link removed] appear as a subdirectory of the legitimate booking.com, tricking users into believing they are on a genuine site. The link then redirects victims to a malicious MSI installer that drops malware, such as infostealers or remote access trojans, onto their computers. This tactic is a sophisticated form of a homograph attack, and it demonstrates how attackers leverage the visual similarities between characters from different alphabets to execute social engineering campaigns.

The second campaign targeting Intuit users employs a simpler yet equally effective homoglyph trick. Attackers used a lowercase Latin L to impersonate the letter i, creating the lookalike domain Lntuit.com to mimic the legitimate Intuit.com. This visual substitution is especially effective on mobile devices and in certain fonts where the two characters are nearly indistinguishable, preying on users’ tendency to glance quickly at URLs rather than scrutinize them. The email directs victims to a phishing page designed to steal credentials. Both the Booking.com and Intuit campaigns underscore a growing trend where attackers are creatively manipulating typography to bypass traditional security awareness, highlighting the vulnerability of visual inspection as a sole defense against phishing.

These attacks serve as a critical reminder that cybersecurity threats are constantly evolving, particularly in the realm of social engineering. The use of homoglyphs and homograph attacks demonstrates a move beyond simple fake emails to highly deceptive links that are difficult to spot. The article emphasizes the need for a multi-layered defense strategy, including user education on how to properly inspect URLs—by hovering over links and identifying the true registered domain—and maintaining up-to-date endpoint security software. While these measures offer protection, the campaigns also illustrate the limitations of relying on visual cues alone and reinforce the importance of robust technological solutions to combat increasingly sophisticated phishing tactics.

Projects
- TryHackMe – SQL Fundamentals – Complete
- TryHackMe – Hydra – In Progress
Articles
- Farmers Insurance data breach impacts 1.1M people after Salesforce attack – U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks.
- Booking.com phishing campaign uses sneaky ‘ん’ character to trick you – Threat actors are leveraging a Unicode character to make phishing links appear like legitimate Booking.com links in a new campaign distributing malware.
- TransUnion says hackers stole 4.4 million customers’ personal information – TransUnion attributed the July 28 breach to unauthorized access of a third-party application storing customers’ personal data for its U.S. consumer support operations.
- WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices – WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.
Podcasts
September 1, 2025