Newsletters

At least two Chinese APT groups are exploiting a recently disclosed vulnerability in the React framework's server components.

Attacks began within hours after the vulnerability, tracked as CVE-2025-55182 and named React2Shell, was disclosed last Wednesday.

The AWS security team has linked the attacks to two groups tracked as Earth Lamia and Jackpot Panda.

A new paper from the Germany-based think tank Interface has attempted to define the threshold at which peacetime state cyber operations become irresponsible. 

The author thinks that more concrete definitions of responsible behaviour would help guide states and prevent dangerous conduct.  

It's a commendable effort, but we don't think the architects of cyber operations really care about norms, and a German think tank writing down its preferred rules on a piece of paper won't make any difference to state behaviour. 

OpenAI security incident: OpenAI says some customer data was exposed during a breach at Mixpanel, a third-party analytics provider.

French Football Federation breach: The French Football Federation says hackers gained access to a software panel used by French football clubs to manage their licenses.

West London ransomware attack: A ransomware attack on a shared IT provider has brought down the networks of three city councils in West London—Royal Borough of Kensington and Chelsea, London Borough of Hammersmith and Fulham, and Westminster City Council. [MyLondon]

The Chinese-made DeepSeek-R1 AI model produces more insecure code when prompts mention subjects considered sensitive to the Chinese Communist Party (CCP), according to recent research from Crowdstrike. 

CrowdStrike's testing compared the security of code produced by DeepSeek with that of other state-of-the-art Large Language Models (LLMs). In the baseline test, the models were given straightforward prompts to produce code to carry out a particular task. 

They were then given the same base prompt with additional information that CrowdStrike described as a "contextual modifier" and/or a "geopolitical trigger".

Another Salesforce breach: Hackers are pilfering data from Salesforce customers again, this time after they've breached Gainsight, the maker of a Salesforce app. More than 200 customers were affected. The Scattered Lapsus$ Hunters group took credit for the hack, the same group that breached Salesforce earlier this year as well. [Salesforce//TechCrunch]

CrowdStrike fires malicious insider: Security firm CrowdStrike has fired an employee who was feeding information to the Scattered Lapsus$ Hunters hacking group. The company discovered the insider after screenshots of its internal systems were posted on the group's Telegram channel. [BleepingComputer]

SitusAMC hack impacts Wall Street: Hackers have stolen sensitive data from fintech company SitusAMC. Its main customers include banks and real estate loan platforms. [CNN]

Last week, Anthropic revealed a real-world, AI-orchestrated cyber espionage campaign. There's a real speed and scale benefit here for malicious actors that care more about hacking everything than flying under the radar. Western governments, however, will likely stick to the tried and tested method of "slowly, slowly, catchy monkey".

In the report, Anthropic detailed its discovery of the campaign that used AI "not just as an advisor, but to execute the cyberattacks themselves". 

Anthropic believes the threat actor was a Chinese state-sponsored group whose goals align with those of the Chinese Ministry of State Security. The group attempted to infiltrate "roughly thirty" typical victims: large tech companies, financial institutions, chemical manufacturing companies and government agencies. It succeeded in a small number of cases. 

Russian surveillance vendor got hacked: An unidentified threat actor has hacked and leaked sensitive data from Protei, a Russian company that makes telecom-grade surveillance gear, including equipment for Russia's SORM system. [TechCrunch]

Cyberattack disrupts Russian port operator: A cyberattack has crippled the operations of Port Alliance, a Russian company that manages cargo terminals at six Russian ports. The incident lasted days and disrupted Russian coal and fertilizer shipments. [The Record]

NHS impacted by Oracle zero-days: The UK National Health Service (NHS) has joined a long list of companies that were hacked using an Oracle EBS zero-day this summer. [SecurityWeek]

Europol and law enforcement agencies from more than 30 countries have seized servers, domains, and Telegram channels for three malware services—the Rhadamanthys infolstealer, the VenomRAT, and the Elysium botnet.

Authorities say the three malware strains infected hundreds of thousands of users and stole millions of credentials. The stolen credentials were later used to deploy ransomware or steal cryptocurrency.

The takedown was part of Operation Endgame, an Europol-led project that began in 2023 and targets criminal infrastructure that is used to enable ransomware attacks.

In an eye-popping investigation, Reuters has revealed that Meta had projected its 2024 advertisements for scams and banned goods would bring in about USD$16 billion or 10% of its total revenue. 

The report is based on a cache of documents reviewed by Reuters.

In one of those documents, Meta's safety staff estimated that the company's platforms were "involved" in a third of all successful scams in the US. That's a stunning figure. But we do wonder how much of that involvement is simply WhatApp being used to talk to victims. If advertisements weren't the bait that lured victims, it hardly seems fair to blame Meta for running an end-to-end encrypted messaging app. 

More than 12,000 internal documents were leaked online from Chinese security firm KnownSec.

The files were uploaded last week on GitHub by an unknown individual and later removed before the repo got any widespread circulation.

According to analyses from Mrxn and NetAskari, who got their hands on the leak, the most recent documents are from 2023. This suggests this was likely when the files were stolen/exfiltrated from the company's network, or at least someone intentionally truncated the leak to keep the most recent files for themselves.