Reading view

Law firm insisted on one password to rule them all

PWNED Welcome back to PWNED, the weekly column where we gather lessons from organizations that didn’t take security seriously enough. This week’s tale of woe comes from a company that left a door wide open for miscreants, but was lucky it didn't have to pay the price. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our story comes courtesy of a reader we’ll Regomize as Manny. A few years ago, Manny got a job working at a law firm. The firm used him to replace an entire team, making him the de facto IT department all by himself. He soon discovered that all of the company’s data and applications lived in one large web-based interface, which was divided up based on the type of client. So there were areas in the UI for personal injury cases and others for travel refunds, for example. There was just one big, gaping security hole: a master password that allowed you to log in as any user in the system. If you had this password, which many people in the law firm did, you could grab detailed personal information about any client, even their health records. “I immediately raised this as a huge security risk,” Manny told us. “But I was told, 'Oh that's the admin password, everyone uses it. Don't touch it.'” As long as you had the person’s email address that you wanted to impersonate, this password would allow you to impersonate them. This applied to both staff and clients. “Colleague is off sick? Sign in as them and reassign their work to someone else to complete. Client forgot to fill in a field? Log in as them and complete it for them,” Manny said. The system itself was 15 years old, ancient in tech terms, and it desperately needed replacing. So Manny was asked to build a whole new system. Naturally, he refused to add a back door, even though that’s what the boss wanted. “I point blank refused to add any back doors to it,” Manny recalled. “So they promoted every user to a system admin and carried on, business as usual.” What we can take away from Manny’s experience is that sometimes even the best IT people who know security basics can still be hindered by clueless management. We also know that sometimes in order to pay the bills, IT people have to go along with security practices they strongly disagree with. In the end, the boss will have the final word, even if that word is “ignorance.” ®

  •  

Tech support scam caused massive data breach at Australian airline Qantas

Australia’s Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report published today. Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner’s report goes deeper, explaining a crook who claimed to represent “Qantas IT help” made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket. Those actions instead connected the CRM to a data extraction tool which the crooks used to siphon off customer records. The Commissioner considered whether Qantas observed the Australian Privacy Principles (APPs), the binding rules that govern how businesses safeguard PII, and found the airline did the right thing. The report found that Qantas audited the operator of the contact center and tested the security awareness of its employees – and had done so in the months before the incident. Qantas also conducted mandatory and recurring training on how to handle PII. The Commissioner was therefore satisfied Qantas took adequate steps to ensure the contact center observed the APPs and didn’t fail in its obligations. The regulator made a similar finding regarding the airline’s cross-border data-sharing practices. “Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident,” the report states. The APPs include a requirement to take reasonable steps to protect personal information from unauthorized access. Again, the Commissioner decided Qantas complied because it used role-based access controls, among other techniques to protect data. Another issue the regulator considered was whether Qantas took reasonable steps to destroy or de-identify the personal information it didn’t need. The carrier told the Privacy Commissioner that it scheduled annual data removal runs from its CRM, and that no records that deserved deletion or removal were present at the time of the attack. That clean record saw the Commissioner decide not to launch a deeper investigation. “I have a broad discretion to commence an investigation of an act or practice where it may be a contravention of the APPs and where it is desirable to do so,” the report states. The first-person pronoun is presumably the work of Commissioner Carly Kind, who observed “it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred. The way in which the threat actor gained access was through a vishing attack which could not have been prevented by a strengthening of Qantas’ current role-based access controls.” It’s possible the Commissioner will revisit the matter at another time, and class-action lawsuits are also in train regarding the incident. Qantas may therefore still have to fight through plenty of turbulence before this matter lands. One thing the report doesn’t address is the identity of the attackers. Pundits have suggested the Scattered Spider gang did the deed after it started attacking the aviation industry in the weeks before the Qantas incident. ®

  •  

Cyberattack threatens utterly critical infrastructure in Japan: KFC

The crippling high-consequence attack on vital infrastructure that cybersecurity experts have warned about for years is upon us, in the form of an incident that may force KFC to close some stores in Japan. Colonel Sanders himself is not the victim here. That role goes to Nichirei Group, a Japanese purveyor of frozen foods and super-chill logistics services that move them around. Nichirei Group on Monday posted a notice in which it admitted “system failures caused by unauthorized access have occurred.” The failures meant the frozen food concern could not arrange shipments to or from its refrigerated warehouses or conduct its other operations. Shortly after Nichirei Group revealed its difficulties, KFC Japan warned customers that delivery of ingredients to its stores would likely be affected. The chicken chain therefore stopped taking orders through its app and website and said it may need to limit menu items and opening hours. “Some stores may be closed depending on the availability of ingredients,” the company said. On Wednesday, Nichirei Group confirmed the cause of the outage was a cyberattack and admitted attackers accessed a server that stores personal information. The Group declined to offer any detail on the incident “to prevent further damage.” The company hopes to resume operations on Friday. That Nichirei Group is unable to provide some services suggests a ransomware attack has made some data unavailable. The mention of “further damage” suggests that discussing whatever happened could divulge clues about security weaknesses that would allow further attacks, perhaps directed at the Group’s clients. KFC Japan hasn’t posted any information about store closures. Indeed, the company continues to promote summer menu items such as a Japanese-style citrus and chicken combo that the chain says is refreshing to eat even in the heat of summer. The Register’s Asia-Pacific bureau will not venture to Japan to assess the impact of this incident, or try the burgers: At times like this, with critical infrastructure under stress, that’s just the right thing (not) to do. ®

  •  

TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. "While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed

  •  

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase. On an infected PC, the request comes from inside the wallet's own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and

  •  

CISA sounds alarm over trio of exploited SharePoint flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations running SharePoint to harden their defenses after the disclosure of actively exploited vulnerabilities. The warning applies to those running any supported version of SharePoint Server on-prem, with three vulnerabilities of particular interest cited. A spoofing bug, CVE-2026-32201 (6.5), was the first to be mentioned. Microsoft disclosed it in March and CISA confirmed it was being actively exploited in June. Additionally, CISA appears concerned by CVE-2026-45659 (8.8) – a remote code execution (RCE) flaw made public in June and confirmed as being actively used in attacks last week after Microsoft said exploitation was "less likely." The most recent of the three, CVE-2026-56164 (5.3), a privilege escalation flaw, was one of the 622 bugs that featured in this month's record Patch Tuesday. CISA also picked out two more critical bugs, both from the latest Patch Tuesday, as ones that could potentially complicate SharePoint security further. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) is being actively exploited to date, although Microsoft has attached the "Exploitation More Likely" label to both. CISA said the three exploited vulnerabilities are associated with post-exploitation activity, including the theft of Internet Information Services (IIS) machine keys and deserialization techniques, both in an effort to gain persistence and deploy malware. The agency did not offer any more detail about what led it to issue the warning, but went on to encourage defenders to review an alert it published in August 2025, which similarly urged organizations to harden SharePoint from "ToolShell" attacks. CISA said attackers were chaining together CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to break into SharePoint Servers and, in some cases, deploy Warlock ransomware. It did not go as far as attributing the activity referenced in either SharePoint advisory to any group or country, although Microsoft said as far back as July 2025 that ToolShell vulnerabilities were being exploited by Chinese nation-state crews. Applying Microsoft's latest security patches and verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application are among the recommended hardening measures. CISA also advised defenders to go threat hunting for signs of intrusion before rotating IIS keys to avoid exposing SharePoint to the web unless it's necessary and block external access to SharePoint Central Administration. As is the case with any potential intrusion, CISA encouraged organizations to implement robust, tailored logging that can detect potential exploits. ®

  •  

Microsoft cancels Patch Tuesday for some Dell users over surprise shutdowns, overheating devices

UPDATED Patch Tuesday was followed by Oopsie Wednesday for some Dell customers, with Microsoft slamming on the update brakes after the hardware maker reported some problems. Yesterday was Microsoft's monthly security update for Windows. This month was, by all accounts, a bit of a doozy with a record-breaking number of CVEs patched, some of which were classed as critical and under active exploitation. Better get patching then? Well, er, no. Not if you're using a Dell device affected by issues associated with the update. Microsoft admitted it affected "some Dell devices with Intel processors," but stopped short of providing a full list. The Register asked the Windows giant and Dell which models had been hit, but both have yet to respond. Microsoft confirmed on its update page: "This update might not be available for a limited number of Dell devices with Intel processors due to an incompatibility reported by Dell that can potentially cause unexpected shutdowns, poor performance, increased heat, and battery drain." And the fix? "We are working together with Dell to prevent the affected models from experiencing the issue and plan to release a resolution for affected devices in the coming days." While the pair works on a solution, the update is "temporarily unavailable." Thanks to the sheer number of CVEs in the update, the delay is unfortunate, doubly so when considering that only a week ago, Microsoft was fiercely advocating for users to get patches installed as soon as possible due to the speed at which AI systems can detect and exploit vulnerabilities. In this instance, Microsoft has acted quickly to halt the update for affected devices. However, the fact that it got this far and can cause surprise shutdowns, overheating, and performance problems does not speak well of the company's validation and quality procedures. Dell is hardly a bit player in the hardware ecosystem. Somewhere, deep in the heart of Microsoft's Redmond campus, a sad-faced engineer is likely resetting the "Days since we broke something" counter and thinking fondly of the days when the number reached double or triple figures. ® Updated to add on July 16: A Microsoft spokesperson told The Register: "We are aware of the issue and have paused the Windows 11, versions 25H2 and 24H2 (KB5101650) update for impacted devices while we work on a resolution." The company has also updated its Windows release health dashboard. According to the Windows behemoth, the issue occurs on Dell models with an Intel Innovation Platform Framework Processor Participant driver and is related to the new Windows USB-C Connection Manager interface. The problem first cropped up in the preview update on June 23, ahead of patch Tuesday. There's no workaround, and Microsoft has halted the rollout to affected devices until a fix is ready, "in the next few days."

  •  
❌