Login
A lovestruck US Air Force employee has pleaded guilty to conspiring to transmit confidential national defense information after sharing military secrets information about the Russia-Ukraine war with a woman he met on a dating app.…
The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions.…
A former ASML and NXP semiconductor engineer will spend three years in a Dutch prison after stealing secret chip technology from his employers and sharing it with Russia.…
Authorities in the United Kingdom this week arrested four alleged members of “Scattered Spider,” a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer.
Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.
The U.K.’s National Crime Agency (NCA) declined verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and 20-year-old female. The NCA said the defendants were charged in cyberattacks against Marks & Spencer, the U.K. retailer Harrods, and the British food retailer Co-op Group.
KrebsOnSecurity has learned the identities of the two 19-year-old suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.
Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.
The bigger fish netted as part of the Scattered Spider dragnet is Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”
In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.
Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.
Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.
As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.
In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.
That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
The roster of the now-defunct “Infinity Recursion” hacking team, from which some member of LAPSUS$ hail.
Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.
In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.
“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”
Russia, home to some of the world's most lucrative and damaging cybercrime operations, has rejected a bill to legalize ethical hacking.…
This comprehensive security report investigates unpatchable vulnerabilities in Windows 10 and11, focusing on systemic flaws that resist traditional patching due to their deep integration intothe operating system’s architecture, hardware dependencies, and legacy compatibility requirements. These vulnerabilities, rooted in fundamental design choices and ecosystem constraints,pose significant challenges to securing millions of Windows devices worldwide. The report examines three critical vulnerabilities: legacy BIOS/UEFI firmware weaknesses, kernel memorymanagement flaws, and backward compatibility with legacy protocols. It provides a detailedtechnical analysis, exploitation vectors, detection challenges, and comprehensive mitigationstrategies. With Windows 10 approaching its end-of-support deadline in October 2025, theseflaws pose heightened risks, necessitating proactive defenses. This report adheres to responsible disclosure principles and aims to support Microsoft’s efforts to strengthen Windows securityin 2025.
In the high-stakes arena of cybersecurity, Microsoft Defender stands as a cornerstone ofWindows security, integrating a sophisticated array of defenses: the Antimalware Scan Interface (AMSI) for runtime script scanning, Endpoint Detection and Response (EDR) forreal-time telemetry, cloud-based reputation services for file analysis, sandboxing for isolated execution, and machine learning-driven heuristics for behavioral detection. Despiteits robust architecture, attackers increasingly bypass these defenses—not by exploitingcode-level vulnerabilities within the Microsoft Security Response Center’s (MSRC) service boundaries, but by targeting logical vulnerabilities in Defender’s decision-makingand analysis pipelines. These logical attacks manipulate the system’s own rules, turningits complexity into a weapon against it.This article series, Strengthening Microsoft Defender: Analyzing and Countering Logical Evasion Techniques, is designed to empower Blue Teams, security researchers, threathunters, and system administrators with the knowledge to understand, detect, and neutralize these threats. By framing logical evasion techniques as threat models and providingactionable Indicators of Compromise (IoCs) and defensive strategies, we aim to bridgethe gap between attacker ingenuity and defender resilience. Our approach is grounded inethical research, responsible disclosure, and practical application, ensuring that defenderscan anticipate and counter sophisticated attacks without crossing legal or ethical lines.
AI-powered hacking is surging in 2025—deepfakes, autonomous tools, and an AI arms race.
The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in the big three cyberattacks on UK retail businesses in recent weeks.…
Google Cloud is attempting to ease concerns about where AI data is stored by offering organizations the option to keep Gemini 2.5 Flash machine learning processing entirely within the UK.…
Sponsored feature Passwords are necessary for businesses, but look away for a minute and they quickly get out of control. If your users do things right and use a different password for each application, you'll easily reach hundreds of them with just a few dozen people. It's time to take control of them before they become toxic.…
Using AI models to generate exploits for cryptocurrency contract flaws appears to be a promising business model, though not necessarily a legal one.…
This comprehensive security report investigates unpatchable vulnerabilities in Windows 10 and11, focusing on systemic flaws that resist traditional patching due to their deep integration intothe operating system’s architecture, hardware dependencies, and legacy compatibility requirements. These vulnerabilities, rooted in fundamental design choices and ecosystem constraints,pose significant challenges to securing millions of Windows devices worldwide. The report examines three critical vulnerabilities: legacy BIOS/UEFI firmware weaknesses, kernel memorymanagement flaws, and backward compatibility with legacy protocols. It provides a detailedtechnical analysis, exploitation vectors, detection challenges, and comprehensive mitigationstrategies. With Windows 10 approaching its end-of-support deadline in October 2025, theseflaws pose heightened risks, necessitating proactive defenses. This report adheres to responsible disclosure principles and aims to support Microsoft’s efforts to strengthen Windows securityin 2025
Posted by Egidio Romano on Jul 09
----------------------------------------------------------------------------------As we gradually roll out HIBP’s Partner Program, we’re aiming to deliver targeted solutions that bridge the gap between being at risk and being protected. HIBP is the perfect place to bring these solutions to the forefront, as it's often the point at which individuals and organisations first learn of their exposure in data breaches. The challenge for corporates, in particular, is especially significant as they're tasked with protecting entire workforces, often against highly motivated and sophisticated attackers seeking to exploit organisational vulnerabilities. That's why today, I'm especially happy to welcome Push Security to the program.
Push's mandate is to "defend workforce identities in the browser" from attacks that put corporate assets at risk. Especially within the context of data breaches, this includes attacks that leverage reused credentials (which often appear in breaches), account takeovers, phishing and session hijacking. Protecting organisations directly in the browser makes a lot of sense given how many attacks originate in that environment (something I'm painfully familiar with myself), and as they're fond of saying, "Push Security is like EDR but for the browser".
Because Push is focused on business solutions, they now have placement within the business section of the HIBP dashboard, namely the overview and domains pages:
I'm really happy with how we've been able to position partners in a way that's contextual, relevant and non-obtrusive. We've clearly marked Push as "Sponsored" and positioned them right at the heart of where those protecting organisatoins spend their time on HIBP.
Lastly, we've also now launched a dedicated partners page, which lists each relationship we have, including Push Security:
Regardless of where you are in the world, you'll see each partner, the pages on which they are displayed, and any geolocation dependencies. This ensures both transparency and exposure for the organisations we've entrusted to help protect users of our service.
So, a big welcome to Push Security and one more piece in the puzzle of protecting organisations from the scourge of data breaches.
A clever AI bug hunter found a way to trick ChatGPT into disclosing Windows product keys, including at least one owned by Wells Fargo bank, by inviting the AI model to play a guessing game.…
Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09
KL-001-2025-011: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Server-Side Request ForgeryPosted by KoreLogic Disclosures via Fulldisclosure on Jul 09
KL-001-2025-010: Schneider Electric EcoStruxure IT Data Center Expert Privilege EscalationPosted by KoreLogic Disclosures via Fulldisclosure on Jul 09
KL-001-2025-009: Schneider Electric EcoStruxure IT Data Center Expert Remote Command ExecutionPosted by KoreLogic Disclosures via Fulldisclosure on Jul 09
KL-001-2025-008: Schneider Electric EcoStruxure IT Data Center Expert Root Password DiscoveryPosted by KoreLogic Disclosures via Fulldisclosure on Jul 09
KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code ExecutionPosted by KoreLogic Disclosures via Fulldisclosure on Jul 09
KL-001-2025-006: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities InjectionThe US Treasury has imposed sanctions on 38-year-old Song Kum Hyok, a North Korean accused of attempting to hack the Treasury Department and posing as an IT worker to collect revenue and secret data for Pyongyang.…
AMD is warning users of a newly discovered form of side-channel attack affecting a broad range of its chips that could lead to information disclosure.…
If someone called you claiming to be a government official, would you know if their voice was real? This question became frighteningly relevant this week when a cybercriminal used social engineering and AI to impersonate Secretary of State Marco Rubio, fooling high-level officials with fake voice messages that sounded exactly like him. It raises a critical concern: would other world leaders be able to tell the difference, or would they fall for it too?
In June 2025, an unknown attacker created a fake Signal account using the display name “Marco.Rubio@state.gov” and began contacting government officials with AI-generated voice messages that perfectly mimicked the Secretary of State’s voice and writing style. The imposter successfully reached at least five high-profile targets, including three foreign ministers, a U.S. governor, and a member of Congress.
The attack wasn’t just about pranks or publicity. U.S. authorities believe the culprit was “attempting to manipulate powerful government officials with the goal of gaining access to information or accounts.” This represents a sophisticated social engineering attack that could have serious national and international security implications.
The Rubio incident isn’t isolated. In May, someone breached the phone of White House Chief of Staff Susie Wiles and began placing calls and messages to senators, governors and business executives while pretending to be Wiles. These attacks are becoming more common because:
While the Rubio case involved government officials, these same techniques are being used against everyday Americans. A recent McAfee study found that 59% of Americans say they or someone they know has fallen for an online scam in the last 12 months, with scam victims losing an average of $1,471. In 2024, our research revealed that 1 in 3 people believe they have experienced some kind of AI voice scam
Some of the most devastating are “grandparent scams” where criminals clone a grandchild’s voice to trick elderly relatives into sending money for fake emergencies. Deepfake scam victims have reported losses ranging from $250 to over half a million dollars.
Common AI voice scam scenarios:
One big reason deepfake scams are exploding? The tools are cheap, powerful, and incredibly easy to use. McAfee Labs tested 17 deepfake generators and found many are available online for free or with low-cost trials. Some are marketed as “entertainment” — made for prank calls or spoofing celebrity voices on apps like WhatsApp. But others are clearly built with scams in mind, offering realistic impersonations with just a few clicks.
Not long ago, creating a convincing deepfake took experts days or even weeks. Now? It can cost less than a latte and take less time to make than it takes to drink one. Simple drag-and-drop interfaces mean anyone — even with zero technical skills – can clone voices or faces.
Even more concerning: open-source libraries provide free tutorials and pre-trained models, helping scammers skip the hard parts entirely. While some of the more advanced tools require a powerful computer and graphics card, a decent setup costs under $1,000, a tiny price tag when you consider the payoff.
Globally, 87% of scam victims lose money, and 1 in 5 lose over $1,000. Just a handful of successful scams can easily pay for a scammer’s gear and then some. In one McAfee test, for just $5 and 10 minutes of setup time, we created a real-time avatar that made us look and sound like Tom Cruise. Yes, it’s that easy — and that dangerous.
Figure 1. Demonstrating the creation of a highly convincing deepfake
Recognizing the urgent need for protection, McAfee developed Deepfake Detector to fight AI-powered scams. McAfee’s Deepfake Detector represents one of the most advanced consumer tools available today.
While McAfee’s Deepfake Detector is built to identify manipulated audio within videos, it points to the kind of technology that’s becoming essential in situations like this. If the impersonation attempt had taken the form of a video message posted or shared online, Deepfake Detector could have:
Our technology uses advanced AI detection techniques — including transformer-based deep neural networks — to help consumers discern what’s real from what’s fake in today’s era of AI-driven deception.
While the consumer-facing version of our technology doesn’t currently scan audio-only content like phone calls or voice messages, the Rubio case shows why AI detection tools like ours are more critical than ever — especially as threats evolve across video, audio, and beyond – and why it’s crucial for the cybersecurity industry to continue evolving at the speed of AI.
While technology like McAfee’s Deepfake Detector provides powerful protection, you should also:
The Rubio incident shows that no one is immune to AI voice scams. It also demonstrates why proactive detection technology is becoming essential. Knowledge is power, and this has never been truer than in today’s AI-driven world.
The race between AI-powered scams and AI-powered protection is intensifying. By staying informed, using advanced detection tools, and maintaining healthy skepticism, we can stay one step ahead of cybercriminals who are trying to literally steal our voices, and our trust.
The post When AI Voices Target World Leaders: The Growing Threat of AI Voice Scams appeared first on McAfee Blog.
Partner content Every organization is investing in cyberresilience tools, training, and processes. Unfortunately, only some of them will be able to successfully respond and recover from an attack. Regardless of how hard they work, many IT and security teams are constrained by legacy technology architectures that were built for the challenges of 2015, not 2025.…
Partner content Cybersecurity executives and their teams are under constant pressure and scrutiny. As the barrier to entry for attackers gets lower, organizations need to improve their defenses. As businesses get leaner, so do their security teams. There are increasingly high expectations and increasingly tougher challenges to meet them across people, processes, and platforms.…
Qantas says that when cybercrooks attacked a "third party platform" used by the airline's contact center systems, they accessed the personal information and frequent flyer numbers of the "majority" of the circa 5.7 million people affected.…
Ingram Micro says it is gradually reactivating customer's ordering capabilities across the world, region by region, now its ransomware attack is thought to be "contained".…
Privacy activists are unimpressed with London's Metropolitan Police and its use of live facial recognition (LFR) to catch criminals, saying it is not effective use of taxpayer money and an overreach by government.…
Posted by Security Explorations on Jul 09
Dear All,An Iranian ransomware-as-a-service operation with ties to a government-backed cyber crew has reemerged after a nearly five-year hiatus, and is offering would-be cybercriminals cash to infect organizations in the US and Israel.…
FreshRSS 