Login
Azure was hit by the "largest-ever" cloud-based distributed denial of service (DDoS) attack, originating from the Aisuru botnet and measuring 15.72 terabits per second (Tbps), according to Microsoft.…
Loose lips sink ships, the classic line goes. Information proliferation in the internet age has government auditors reiterating that loose tweets can sink fleets, and they're concerned that the Defense Department isn't doing enough to stop sensitive info from getting out there. …
A security researcher says Coinbase knew about a December 2024 security breach during which miscreants bribed its support staff into handing over almost 70,000 customers' details at least four months before it disclosed the data theft.…
It sounds like easy money. North Koreans pay you to use your identity so they can get jobs working for American companies in IT. However, if you go this route, the US Department of Justice promises to catch up with you eventually.…
Europol's Internet Referral Unit (EU IRU) says a November 13 operation across gaming and "gaming-adjacent" services led its partners to report thousands of URLs hosting terrorist and hate-fueled material, including 5,408 links to jihadist content, 1,070 pushing violent right-wing extremist or terrorist propaganda, and 105 tied to racist or xenophobic groups.…
PacketSmith v4.0 is shipped with an X.509 certificate extractor designed for use with TLS/SSL over TCP and DTLS over UDP streams. You can now either export these certificates to disk or dissect their attributes and output them as JSON objects and arrays.
Teams that think they're ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday.…
French telco Eurofiber says cybercriminals swiped company data during an attack last week that also affected some internal systems.…
British prosecutors have secured a civil recovery order to seize crypto assets worth £4.11 million ($5.39 million) from Twitter hacker Joseph James O'Connor, clawing back the proceeds of a scam that used hijacked celebrity accounts to solicit digital currency and threaten high-profile individuals.…
Asia In Brief India’s Tata Motors, owner of Jaguar Land Rover, has revealed the cyberattack that shut down production in the UK has so far cost it around £1.8 billion ($2.35 billion).…
INFOSEC IN BRIEF The US Senate passed a resolution in July to force the US Cybersecurity and Infrastructure Security Agency (CISA) to publish a 2022 report into poor security in the telecommunications industry but the agency has not delivered the document.…
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.
Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.
“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”
Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.
“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”
Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.
Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.
Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.
“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”
Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.
The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.
As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]
Hi everyone,
My best friend and I have been working on a project after going through CCNA → CCNP ENCOR → CCNP ENARSI together. We realised that for most people (including us), the hardest part of the CCNA journey isn’t the technical content. It’s staying motivated through the long PDFs, the repetitive labs, and the feeling of studying alone.
We wanted to take some of that pain away and make learning networking feel more structured, more guided, and more rewarding. So we started building something based on short lessons, clear diagrams, and a gamification system that helps you actually feel your improvement.
The idea is to help learners stay consistent, avoid feeling lost, and have a more enjoyable path through the CCNA topics.
We’re currently sharing this with CCNA learners and mentors to see if it actually helps, and we’d definitely welcome any feedback or questions :)
Anthropic just published a case study where threat actors jailbroke Claude and used it to run entire attack campaigns autonomously.
This week, it was an absolute privilege to be at Europol in The Hague, speaking about cyber offenders and at the InterCOP conference and spending time with some of the folks involved in the Operation Endgame actions. The latter in particular gave me a new sense of just how much coordination is involved in this sort of operation, all the way down to some of the messaging in the videos they've since released. I've seen some social commentary on these already, check them out and see what you think, especially as it relates to the psyops those videos play a role in.
I built npmscan.com because npm has become a minefield. Too many packages look safe on the surface but hide obfuscated code, weird postinstall scripts, abandoned maintainers, or straight-up malware. Most devs don’t have time to manually read source every time they install something — so I made a tool that does the dirty work instantly.
What npmscan.com does:
The goal is simple:
👉 Make it obvious when a package is trustworthy — and when it’s not.
If you want to quickly “x-ray” your dependencies before you add them to your codebase, you can try it here:
Let me know what features you’d want next.
I recently completed a project on “Scanning and Enumeration with Nmap” using Kali Linux and Metasploitable2. The project includes network discovery, port scanning, service enumeration, NSE scripting, and vulnerability detection. I’ve documented all findings, screenshots, and results in a structured report. I’m sharing it here to get feedback and suggestions to improve my methodology and reporting style.
#DevTown #nmap #cybersecurity
FaceSeek is like Google Images but mostly for faces. It uses facial photos and reverse photo finding method to recognition and detect a face even if it’s cropped or filtered. Plus it also ad modify those faaces to some body and make videos out of them. This could be useful for OSINT or threat hunting, but it also means attackers could find out our digital footprints by photo. Is it a threat? Or not? Considering that there are already a lot Ai tools like these, But Ai is alvo improving daily.
Welcome back to another This Week in Scams.
This week, have attacks that take over Androids and iPhones, plus news that Google has gone on the offensive against phishing websites.
First up, a heads-up for iPhone owners.
In the hands of a scammer, “Find My” can quickly turn into “Scam Me.”
Switzerland’s National Cyber Security Center (NCSC) shared word this week of a new scam that turns the otherwise helpful “Find My” iOS feature into an avenue of attack.
Now, the thought of losing your phone, along with all the important and precious things you have on it, is enough to give you goosebumps. Luckily, the “Find My” can help you track it down and even post a personalized message on the lock screen to help with its return. And that’s where the scam kicks in.
From the NCSC:
When a device is marked as lost, the owner can display a message on the lock screen containing contact details, such as a phone number or email address. This can be very helpful if the finder is honest – but in dishonest hands, the same information can be used to launch a targeted phishing attack.
With that, scammers send a targeted phishing text, as seen in the sample provided by the NCSC below …
What do the scammers want once you tap that link? They request your Apple ID and password, which effectively hands your phone over to them—along with everything on it and everything else that’s associated with your Apple ID.
It’s a scam you can easily avoid. So even if you’re still stuck with a lost phone that’s likely in the hands of a scammer the point of consolation is that, without your ID, the phone is useless to them.
Ignore such messages. The most important rule is Apple will never contact you by text message or email to inform you that a lost device has been found.
Never click on links in unsolicited messages or enter your Apple ID credentials on a linked website.
If you lose your device, act immediately. Enable Lost Mode straight away via the Find My app on another device or at iCloud.com/find. This will lock the device.
Be careful about which contact details you show on your lost device’s lock screen. For example, use a dedicated email address created specifically for this purpose. Never remove the device from your Apple account, as this would disable the Activation Lock.
Make sure your SIM card is protected with a PIN. This simple yet effective measure prevents criminals from gaining access to your phone number.
Now, a different attack aimed at Android owners …
A story shared on Fox this week breaks down how a combination of paid search ads, remote access tools, and social engineering have led to hijacked Android phones.
It starts with a search, where an Android owner looks up a bank, a tech support company, or what have you. Instead of getting a legitimate result, they get a link to a bogus site via paid search results that appear above organic search results. The link, and the page it takes them to, look quite convincing, given the ease with which scammers can spin up ads and sites today. (More on that next.)
Once there, they call a support number and get connected to a phony agent. The agent convinces the victim to download an app that will help the “agent” solve their issue with their account or phone. In fact, the app is a remote access tool that gives control of the phone, and everything on it, to the scammer. That means they can steal passwords, send messages to friends, family, or anyone at all, and even go so far as to lock you out.
Basically, this scam hands over one of your most precious possessions to a scammer.
Skip paid search results for extra security. That’s particularly true when contacting your bank or other companies you’re doing business with. Look for their official website in the organic search results below paid ads. Better yet, contact places like your bank or credit card company by calling the number on the back of your card.
Get a scam detector. A combination of our Scam Detector and Web Protection can call out sketchy links, like the bogus paid links here. They’ll even block malicious sites if you accidentally tap a bad link.
Never download apps from third-party sites outside of the Google Play Store. Google has checks in place to spot malicious apps in its store.
Lastly, never give anyone access to your phone. No bank rep needs it. So if someone on a call asks you to download an app like TeamViewer, AnyDesk, or AirDroid, it’s a scam. Hang up.
Beyond that, you can protect yourself further by installing an app like our McAfee Security: Antivirus VPN. You can pick it up in the Google Play store, which also includes our Scam Detector and Identity Monitoring. You can also get it as part of your McAfee+ protection.
Just Wednesday, Google took a first step toward making the internet safer from bogus sites, per a story filed by National Public Radio.
A lawsuit alleges that a China-based company called “Lighthouse” runs a “Phishing-as-a-Service” operation that outfits scammers with quick and easy tools and templates for creating convincing-looking websites. According to Google’s general counsel, these sites could “compromise between 12.7 and 115 million credit cards in the U.S. alone.”
The suit was filed in the U.S. District Court in the Southern District of New York, which, of course, has no jurisdiction over a China-based company. The aim, per Google’s counsel, is deterrence. From the article:
“It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure,” she said, without naming which platforms or services Google might focus on. “Even if we can’t get to the individuals, the idea is to deter the overall infrastructure in some cases.”
We’ll keep an eye on this case as it progresses. And in the meantime, it’s a good reminder to get Scam Detector and Web Protection on all your devices so you don’t get hoodwinked by these increasingly convincing-looking scam sites.
Again, scammers can roll them out so quickly and easily today.
Here’s a quick list of a few stories that caught our eye this week:
Alarmingly realistic deepfake threats now target banks in South Africa
Hyundai data breach exposes 2.7 million Social Security numbers
And that’s it for this week! We’ll see you next Friday with more updates, scam news, and ways you can stay safer out there.
The post This Week in Scams: New Alerts for iPhone and Android Users and a Major Google Crackdown appeared first on McAfee Blog.
FreshRSS 