CybersecurityHQ News Roundup - March 10, 2025

Blog by Daniel Michan, published on March 10


Elon Musk Claims X Being Targeted in 'Massive Cyberattack'

X (formerly Twitter) experienced multiple outages on Monday affecting thousands of users. Elon Musk claimed the platform was being targeted in a "massive cyberattack" involving "a lot of resources," potentially from "a large, coordinated group and/or a country." According to Downdetector.com, complaints peaked at over 40,000 users reporting no access, with 56% reporting issues with the app and 33% with the website. Cybersecurity expert Nicholas Reese expressed skepticism about a state actor being involved, noting the short duration and high visibility of the outages wouldn't align with typical nation-state tactics.

Trump Coins Used as Lure in Malware Campaign

Cybercriminals are impersonating cryptocurrency exchange Binance in a sophisticated email campaign offering free "TRUMP Coins" to trick victims into downloading the ConnectWise remote access trojan (RAT). According to a Cofense Intelligence Flash Alert, attackers created realistic-looking emails with accurate Binance branding and warnings about phishing to increase trust. Victims who click the download button are directed to a fake Binance page where they're prompted to download malware disguised as a Binance Windows client. Once installed, attackers can gain complete control of the victim's computer within minutes. The campaign leverages the popularity of Trump Coins, meme coins launched in January 2025 with a current value of approximately $10.99.

Details Disclosed for SCADA Flaws That Could Facilitate Industrial Attacks

Palo Alto Networks has disclosed five high-severity vulnerabilities affecting Iconics and Mitsubishi Electric SCADA products, including Genesis64 and MC Works64. The flaws (CVE-2024-1182, CVE-2024-7587, CVE-2024-8299, CVE-2024-9852, and CVE-2024-8300) require authentication but could enable attackers to execute arbitrary code, elevate privileges, and manipulate critical files. In real-world scenarios, these vulnerabilities could allow attackers to cause disruptions and potentially take full control of industrial systems. With hundreds of thousands of installations worldwide in sectors including government, military, water, manufacturing, and energy, the impact could be significant. Patches and mitigations were released last year.

Cobalt Strike Abuse Dropped 80% in Two Years

Fortra, the developer of the adversary simulation tool Cobalt Strike, reports an 80% decrease in the unauthorized use of their product over the past two years. This significant reduction follows collaboration with Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) to combat abuse through legal and technical measures. The operation has resulted in the seizure and sinkholing of over 200 malicious domains, with the average time between detection and takedown reduced to less than one week in the United States and under two weeks worldwide. Fortra continues to work with law enforcement, issue takedown notices to hosting providers, and implement automation to further streamline the removal process.

Developer Convicted for Hacking Former Employer's Systems

Davis Lu, a 55-year-old former software developer from Houston, Texas, has been convicted for deploying malware to sabotage his employer's computer systems. Lu worked for the victim company for 12 years before beginning his sabotage in 2018 after a corporate realignment restricted his system access. He deployed code that caused system crashes and deleted employee profile files, implementing a 'kill switch' activated upon his termination that blocked all user logins. The malicious code, named 'IsDLEnabledinAD' (Is Davis Lu enabled in Active Directory), affected thousands of users worldwide when activated on September 9, 2019. Lu faces up to 10 years in prison for intentional computer damage. The victim organization is reportedly power management giant Eaton Corporation.

Google Paid Out $12 Million via Bug Bounty Programs in 2024

Google announced it awarded $11.8 million in bug bounties to 660 researchers who reported security flaws through its vulnerability reward programs in 2024. This brings Google's total bug bounty rewards to approximately $71 million since establishing its first program in 2010. The company revamped its reward structure in 2024, offering up to $151,515 for Google VRP and Cloud VRP submissions, up to $300,000 for Mobile VRP, and up to $250,000 for critical Chrome vulnerabilities. Notable distributions include $3.3 million for Android and Google mobile application vulnerabilities, $3.4 million for Chrome security defects (with the highest single reward of $100,115), and over $500,000 for issues reported through its Cloud VRP launched in October 2024.

Mass Exploitation of Critical PHP Vulnerability Begins

Threat intelligence firm GreyNoise warns that attackers are actively exploiting CVE-2024-4577, a critical PHP vulnerability with a CVSS score of 9.8. The flaw affects Windows servers using Apache and PHP-CGI with certain code pages, allowing attackers to inject arguments remotely and execute arbitrary code. According to GreyNoise data, exploitation has expanded beyond initially targeted Japanese organizations to affect systems in the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain, and Malaysia. Over 1,000 unique IP addresses attempted to exploit the vulnerability in January 2025 alone, with 43% of attack sources coming from Germany and China. The vulnerability impacts all versions of PHP on Windows and was patched in versions 8.1.29, 8.2.20, and 8.3.8.

560,000 People Impacted Across Four Healthcare Data Breaches

More than 560,000 individuals were affected by four healthcare data breaches disclosed last week by Hillcrest Convalescent Center, Gastroenterology Associates of Central Florida, Community Care Alliance, and Sunflower Medical Group. The largest breach involved Sunflower Medical Group, which reported to the Maine Attorney General's Office that 220,000 individuals were impacted after hackers accessed their systems between December 2024 and January 2025. The Rhysida ransomware group claimed responsibility, stating they stole over 3TB of files. The other breaches similarly involved unauthorized access to sensitive personal and medical information, with Hillcrest Convalescent Center reporting 106,000 affected individuals, Gastroenterology Associates of Central Florida reporting 122,000, and Community Care Alliance reporting 115,000.

US Seizes Garantex in Cryptocurrency Money Laundering Bust

The US Justice Department announced the seizure of online infrastructure used by cryptocurrency exchange Garantex, which allegedly facilitated multi-billion dollar money laundering operations and sanctions violations. Authorities seized three domain names (garantex.org, garantex.io, and garantex.academy) and charged Lithuanian Aleksej Besciokov and Russian Aleksandr Mira Serda with money laundering, sanctions violations, and operating an unlicensed money transmitting business. According to court documents, Garantex processed at least $96 billion in cryptocurrency transactions since April 2019 and was previously sanctioned by the US in 2022 for laundering funds from ransomware attacks and darknet markets. The DOJ reports that over $26 million in funds linked to money laundering activities have been frozen.

Edimax Camera Zero-Day Disclosed by CISA Exploited by Botnets

Multiple Mirai-based botnets are exploiting a zero-day vulnerability (CVE-2025-1316) in Edimax IP cameras that was disclosed this week by the Cybersecurity and Infrastructure Security Agency (CISA). According to security firm Akamai, the critical command injection vulnerability has been exploited in the wild since fall 2024. While exploitation requires authentication, attackers are leveraging the fact that many internet-exposed cameras can be accessed using default credentials. Once access is gained, attackers execute a shell script that downloads Mirai malware. Edimax IC-7100 IP cameras are listed as "legacy products" by the vendor, suggesting they've reached end-of-life status. Akamai reported that Edimax was first notified in October 2024 but has been unresponsive to coordination attempts.

FBI: Fake Ransomware Attack Claims Sent to US Executives via Snail Mail

The FBI has issued an alert about a scam campaign targeting corporate executives in the US, primarily in the healthcare sector, through physical letters claiming to be from the BianLian ransomware group. The letters, marked "Time Sensitive Read Immediately," falsely claim that the recipient's organization was hit by a cyberattack where thousands of sensitive data files were stolen. Recipients are threatened with data publication unless they pay between $250,000 and $500,000 via a QR code linked to a Bitcoin wallet. According to cybersecurity firm Arctic Wolf, the campaign began on February 25, with all letters containing nearly identical text, suggesting the use of a template. The FBI notes there is no known connection between the letter senders and the actual BianLian ransomware group.

Microsoft Says One Million Devices Impacted by Infostealer Campaign

Microsoft reports that nearly one million devices have been compromised in a malvertising campaign that redirects users to information-stealing malware hosted on GitHub. The campaign, attributed to a threat actor tracked as Storm-0408, primarily targeted visitors of illegal streaming websites, redirecting them to GitHub-hosted malware. The attacks impacted both consumer and enterprise devices across various organizations and industries. Attackers deployed information stealers such as Lumma stealer and an updated version of Doenerium, along with NetSupport remote monitoring software and various malicious scripts. For persistence, the threat actors modified registry run keys and added shortcut files to the Startup folder. Microsoft identified and revoked 12 different certificates used in these attacks.

Cyberattack Disrupts National Presto Industries Operations

Home appliance maker National Presto Industries disclosed in a regulatory filing that it experienced a cyberattack on March 1 that caused a system outage. The company activated its incident response team, including external cybersecurity experts, and notified law enforcement and regulatory bodies. The attack has impacted operations including shipping, receiving, manufacturing processes, and back-office functions. According to the company's website, phone lines are currently disabled. National Presto Industries stated that while the incident may have a material impact on its financial condition and results, the full extent of the damage is not yet known. The company is implementing temporary measures to maintain critical functions while systems are being restored.

18,000 Organizations Impacted by NTT Com Data Breach

Japanese ICT provider NTT Communications Corporation (NTT Com) disclosed a data breach affecting nearly 18,000 corporate clients. The incident occurred on February 5 when an unnamed threat actor accessed internal systems hosting customer information. NTT Com restricted access to a compromised system immediately upon detection but discovered unauthorized access to another system on February 15. The attackers exfiltrated information on 17,891 customer companies, including contract numbers, customer names, contact information, and service usage details. NTT Com emphasized that only corporate customers were affected, as the compromised systems did not store end-user information. A subsidiary of telecommunications giant Nippon Telegraph and Telephone Corporation, NTT Com provides cloud, network, and security services in over 190 countries.

Many Schools Report Data Breach After Retirement Services Firm Hit by Ransomware

Dozens of school districts and thousands of individuals across the United States are impacted by a data breach resulting from a ransomware attack on retirement services provider Carruth Compliance Consulting (CCC). The attack, which occurred between December 19 and 26, 2024, led to the theft of personal information including names, Social Security numbers, financial account information, and in some cases, driver's license numbers, medical billing information, and tax filings. The Skira ransomware group has claimed responsibility, stating they stole approximately 469GB of data. In Maine alone, nine school districts reported identifying more than 20,000 affected individuals. This breach follows closely behind another significant education sector incident involving PowerSchool, where millions of students' and educators' information may have been compromised.

New AI Protection from Google Cloud Tackles AI Risks, Threats, and Compliance

Google Cloud has announced AI Protection, a comprehensive solution designed to help organizations manage AI-related risks. The platform has three core capabilities: discovering AI inventory, securing AI assets, and managing threats with detect, investigate, and respond capabilities. AI Protection integrates with Google's Security Command Center (SCC) to provide teams with a centralized view of their IT posture and manage AI risks alongside other cloud security concerns. Key features include automated discovery and cataloging of AI assets, Model Armor for detecting and preventing prompt injection and jailbreak attempts, and threat detection powered by Google and Mandiant intelligence. The solution works in conjunction with other Google Cloud offerings, including Sensitive Data Protection for regulatory compliance and Confidential Computing for data protection.

Medusa Ransomware Attacks Increase

Symantec reports that Medusa ransomware attacks have steadily increased over the past two years, doubling in the first two months of 2025 compared to the same period last year. Operating under the ransomware-as-a-service model since early 2023, Medusa targets organizations in healthcare, manufacturing, education, and other sectors across multiple countries. The group, tracked as Spearwing and Storm-1175, has listed approximately 400 victims on its Tor-based leak site and demands ransom payments ranging from $100,000 to $15 million. According to Symantec, Medusa's rise coincides with law enforcement actions against other ransomware groups like BlackCat and LockBit. Its affiliates primarily exploit unpatched vulnerabilities in internet-facing appliances, including Microsoft Exchange Server, and deploy various living-off-the-land tools for network infiltration, lateral movement, and data exfiltration.

Armis Acquires Otorio to Expand OT and CPS Security Suite

California-based cyber exposure management firm Armis announced the acquisition of Otorio, a deal valued at approximately $120 million that enhances Armis's capabilities in operational technology (OT) and cyber-physical systems (CPS) security. The acquisition provides Armis with technology to offer an on-premises solution for organizations operating in air-gapped or sequestered environments, particularly in heavy industry and critical infrastructure sectors like energy and utilities. Founded in 2018, Otorio is known for its expertise in securing converged and air-gapped environments across sectors including oil and gas, utilities, and manufacturing. This marks Armis's third acquisition in less than 12 months, following purchases of AI security startup CTCI and risk prioritization startup Silk Security. Armis recently completed a $200 million funding round at a valuation of $4.2 billion and is preparing for an IPO.

How Social Engineering Sparked a Billion-Dollar Supply Chain Cryptocurrency Heist

Forensics experts at Mandiant have determined that last week's $1.4 billion cryptocurrency heist targeting ByBit's Ethereum cold wallet system resulted from a sophisticated attack combining social engineering, stolen AWS session tokens, MFA bypasses, and a malicious JavaScript file. The attack, attributed to North Korea's Lazarus hacking group, began with threat actors posing as a trusted open source contributor to target a developer with admin rights at Safe{Wallet}. The developer was tricked into installing a malicious Docker Python project, which gave attackers access to the developer's workstation and allowed them to steal AWS session tokens. The hackers maintained access for nearly 20 days before replacing a harmless JavaScript file with a tampered version that redirected funds during a high-value transaction. The FBI has linked the incident to a North Korean APT it tracks as TraderTraitor and noted that the stolen assets are being rapidly laundered across thousands of addresses on multiple blockchains.

House Passes Bill Requiring Federal Contractors to Implement Vulnerability Disclosure Policies

The House of Representatives has passed the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, which requires federal contractors to implement vulnerability disclosure policies (VDPs) consistent with NIST guidelines. The bill, which also instructs the Defense Department to require similar policies for defense contractors, aims to make it easier for individuals and companies to responsibly disclose vulnerabilities found in contractors' systems. Several major cybersecurity and tech companies, including HackerOne, Bugcrowd, Microsoft, and Tenable, signed a letter supporting the legislation, emphasizing that contractors handle vast amounts of sensitive data and are prime targets for cyber threats. The bill has been in development for two years, first introduced by Representative Nancy Mace (R-SC) in 2023, with a companion version introduced in 2024 by senators Mark R. Warner (D-VA) and James Lankford (R-OK). It now moves to the Senate.

Nigerian Accused of Hacking Tax Preparation Firms Extradited to US

Matthew Akande, a 36-year-old Nigerian national residing in Mexico, appeared in a US court on charges related to hacking US tax preparation companies. Arrested in the UK in October 2024 and extradited to the US on March 5, 2025, Akande faces charges including computer intrusion, wire fraud, government money theft, identity theft, and money laundering. Along with co-conspirator Kehinde H. Oyetunji and others, Akande allegedly filed fraudulent tax returns for approximately five years using stolen personally identifiable information (PII). In February 2020, the group allegedly sent phishing emails to five Massachusetts tax preparation firms, tricking employees into downloading remote access trojans like the Warzone RAT. Between June 2016 and June 2021, the group filed over 1,000 fraudulent tax returns, attempting to obtain over $8.1 million in tax refunds and successfully receiving over $1.3 million.

Financial Organizations Urge CISA to Revise Proposed CIRCIA Implementation

A group of financial organizations has sent an open letter to CISA urging it to rescind and reissue the proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association argue that CISA's proposal departs from the intent to establish a uniform incident reporting standard and would require organizations to divert resources from response and recovery. The organizations request that CISA adjust the proposed rulemaking ahead of the October 2025 statutory deadline for issuing a final rule, emphasizing the need to "strike the balance Congress intended between getting information quickly and letting victims respond to an attack without imposing burdensome requirements." This challenge aligns with predictions from cybersecurity experts like Reuven Aronashvili, founder and CEO at CYE, who anticipated regulatory uncertainty would create compliance challenges in 2025.

BadBox Botnet Powered by 1 Million Android Devices Disrupted

Human Security reports that a second iteration of the BadBox botnet, dubbed BadBox 2.0, has been partially disrupted after infecting over one million Android devices in more than 220 countries. The botnet consists of backdoored Android devices from multiple Chinese manufacturers, including off-brand tablets, CTV boxes, and projectors. The backdoor is implanted somewhere in the supply chain, fetched from a command-and-control server upon first boot, or downloaded from a third-party marketplace. The infected devices have been used for programmatic ad fraud, click fraud, and as residential proxies, enabling activities such as account takeover, account creation, DDoS attacks, malware distribution, and OTP theft. Four threat actor groups were identified as operating the botnet: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The disruption effort involved collaboration with Google, Trend Micro, Shadowserver, and other partners, implementing ad fraud monetization mitigations and adding detection of BadBox-associated behavior to Google Play Protect.

AIceberg Gets $10 Million in Seed Funding for AI Security Platform

AIceberg announced the launch of its AI trust platform, securing $10 million in seed funding from SYN Ventures and Sprout & Oak. Founded in 2022, the New York-based company has developed a platform to help governments and enterprises safely, securely, and compliantly adopt generative AI and agentic AI. The platform acts as a firewall and gateway, monitoring AI usage for potential risks and enforcing security policies. It prevents unsanctioned content, redacts sensitive information, detects common cyberattack vectors like prompt injection and jailbreaking, and performs security analysis of agentic workflows. According to CEO Alex Schlager, many organizations are operating with a false sense of security because using LLMs to safeguard LLMs introduces systemic risks. AIceberg addresses this by using purpose-built, non-generative models to detect risk signals independently of AI applications.

Exploited VMware ESXi Flaws Put Many at Risk of Ransomware, Other Attacks

Scans reveal that tens of thousands of VMware ESXi instances are affected by three zero-day vulnerabilities recently patched by Broadcom-owned VMware. The flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, can allow attackers with elevated privileges to perform VM escapes, moving from a compromised virtual machine into the hypervisor itself. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities catalog. According to Netlas, over 7,000 internet-exposed VMware ESXi instances appear to be impacted, while the Shadowserver Foundation reported seeing more than 41,000 vulnerable instances, primarily in China, France, the US, Germany, Iran, Brazil, and South Korea. Security researcher Kevin Beaumont warns that once attackers gain ESX access, they can access everything on the ESX server, including VM data, ESX configuration, and mounted storage, potentially bypassing security products to access valuable assets such as Active Directory domain controller databases without triggering alerts.

US Indicts China's iSoon 'Hackers-for-Hire' Operatives

The US Justice Department has unsealed indictments charging employees of Chinese cybersecurity firm i-Soon (Anxun Information Technology) with conducting extensive hacking campaigns on behalf of Beijing's security services. Prosecutors allege i-Soon employees acted as "hackers-for-hire" for China's Ministry of Public Security (MPS) and Ministry of State Security (MSS), breaching email networks, government databases, and corporate systems. Victims ranged from US federal and state agencies, including the Department of the Treasury, to American journalists, human rights activists, and Chinese pro-democracy dissidents abroad. The indictments come a year after an unauthorized leak of i-Soon documents that revealed methods used by Chinese authorities to surveil dissidents, hack other nations, and promote pro-Beijing narratives. The DOJ announced it had seized i-Soon's primary internet domain and is offering rewards for information on several Chinese nationals alleged to have directed or carried out malicious cyber activities.

Organizations Still Not Patching OT Due to Disruption Concerns: Survey

According to a survey by cyber-physical security firm TXOne Networks, many organizations are still not conducting regular patching of operational technology (OT) systems due to concerns about equipment downtime and operational disruptions. Based on responses from 150 C-level executives, the survey found that 85% of organizations don't conduct regular patching, with a majority installing patches quarterly or less often. The main challenges cited include lack of personnel or expertise (48%), concerns about operational disruptions (47%), and lack of vendor support or patch testing (43%). Nearly 60% of respondents apply patches during planned downtime or maintenance windows, while 55% test patches in a controlled environment before deployment. To overcome these challenges, TXOne recommends adopting more flexible patch management strategies, integrating automation tools, and using virtual patching.

SpecterOps Scores $75M Series B to Scale BloodHound Enterprise Platform

SpecterOps, a security startup specializing in securing Microsoft's Active Directory (AD) and Azure AD (now Entra ID) deployments, has raised $75 million in Series B funding led by Insight Partners, with participation from Ansa Capital, M12, Ballistic Ventures, Decibel, and Cisco Investments. The company reports 100% annual recurring revenue growth in 2024 and a 60% increase in new customer acquisitions in Q4, now serving nearly 200 enterprise customers. SpecterOps plans to use the funding to scale its BloodHound Enterprise platform, expand research efforts, and grow its consulting, sales, and marketing teams. The platform, launched in 2021, provides continuous mapping of identity attack paths to help security teams identify and eliminate high-risk exposure points before attackers can exploit them. The company is also known for its open source BloodHound Community Edition, widely used for mapping AD attack paths.

China Hackers Behind US Treasury Breach Caught Targeting IT Supply Chain

Microsoft has warned of a significant shift in tactics by Silk Typhoon, a Chinese government espionage group linked to recent US Treasury hacks. Instead of targeting high-profile cloud services directly, the group is now focusing on companies in the global IT supply chain, including IT services, remote monitoring and management firms, and managed service providers. According to Microsoft's threat intelligence team, the hackers use stolen API keys and compromised credentials to breach IT supply chain companies and extend their reach to downstream customer environments. The group conducts extensive reconnaissance, collects sensitive data, and moves laterally within victim networks, exploiting tools like Microsoft's Entra Connect to escalate privileges. Silk Typhoon has been linked to successful exploits against Microsoft Exchange servers, VPN products, and firewall appliances, and has targeted sectors including state and local government, IT services, and financial institutions.

Iranian Hackers Target UAE Firms With Polyglot Files

Proofpoint has identified a highly targeted campaign against several United Arab Emirates organizations across multiple sectors, attributed to an Iranian threat actor tracked as UNK_CraftyCamel. The attacks used polyglot files—files structured to be interpreted as different formats depending on how they're read—to hide malicious payloads. The attackers compromised an Indian electronics company's email account in October 2024 and used it to send malicious emails to UAE organizations in aviation, satellite communications, and critical transportation infrastructure. The messages contained a URL to download a ZIP archive with an LNK file disguised as an XLS file and two PDF files that were polyglots, one appended with an HTA file and the other with a ZIP archive. This sophisticated chain ultimately executed a backdoor dubbed Sosano, written in Golang with limited functionality. According to Proofpoint, the campaign's TTPs suggest alignment with threat actors TA451 and TA455, believed to be associated with the Islamic Revolutionary Guard Corps (IRGC).
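As an added illustration of the file tricks this item describes (a PDF with a ZIP or HTA appended after its final %%EOF, and an LNK shortcut named like an XLS), the following Python triage script checks constructed samples for those markers. It is not Proofpoint's code or anything recovered from the campaign; the samples and filenames are made up for the demonstration.

```python
"""Triage helper for PDF polyglots and disguised LNK files.

All inputs below are constructed samples, not real campaign artifacts.
"""
import io
import re
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
# Markers that indicate an HTML Application body was appended to the PDF.
HTA_MARKERS = re.compile(rb"<\s*(hta:application|script|html)\b", re.IGNORECASE)
# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_HEADER = (b"\x4c\x00\x00\x00"
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def pdf_trailing_payload(data: bytes) -> dict:
    """Report non-PDF bytes appended after the final %%EOF marker.

    Legitimate PDFs may contain several %%EOF markers (incremental updates)
    and a little trailing whitespace, so only bytes after the *last* marker
    are examined, and whitespace alone is not flagged.
    """
    if not data.startswith(PDF_MAGIC):
        return {"polyglot": False, "reason": "not a PDF"}
    eof = data.rfind(b"%%EOF")
    if eof == -1:
        return {"polyglot": False, "reason": "no %%EOF marker"}
    trailer = data[eof + len(b"%%EOF"):].lstrip(b"\r\n\t ")
    if not trailer:
        return {"polyglot": False, "reason": "clean trailer"}
    if trailer.startswith(ZIP_LOCAL_HEADER) or ZIP_EOCD in trailer:
        kind = "zip"
    elif HTA_MARKERS.search(trailer):
        kind = "hta"
    else:
        kind = "unknown"
    return {"polyglot": True, "payload": kind,
            "offset": len(data) - len(trailer), "size": len(trailer)}


def lnk_disguised(filename: str, data: bytes) -> bool:
    """True when a file named as a spreadsheet is really a Windows shortcut."""
    return filename.lower().endswith((".xls", ".xlsx")) and data.startswith(LNK_HEADER)


def triage(files: dict) -> list:
    """Run both checks over {filename: bytes} and return human-readable hits."""
    flagged = []
    for name, data in files.items():
        finding = pdf_trailing_payload(data)
        if finding["polyglot"]:
            flagged.append(f"{name}: PDF with appended {finding['payload']} "
                           f"payload at offset {finding['offset']}")
        elif lnk_disguised(name, data):
            flagged.append(f"{name}: LNK shortcut disguised as a spreadsheet")
    return flagged


def build_samples() -> dict:
    """Constructed sample archive contents: one clean PDF and three lures."""
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:          # a real, tiny ZIP container
        zf.writestr("payload.txt", "constructed sample")
    hta = (b'<html><head><hta:application id="x"/>'
           b'<script>/* constructed sample */</script></head></html>')
    return {
        "clean.pdf": pdf,
        "zip_polyglot.pdf": pdf + buf.getvalue(),
        "hta_polyglot.pdf": pdf + hta,
        "report.xls": LNK_HEADER + b"\x00" * 60,   # LNK bytes under an XLS name
    }


if __name__ == "__main__":
    for hit in triage(build_samples()):
        print(hit)
```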

North Korean Fake IT Workers Pose as Blockchain Developers on GitHub

Threat monitoring firm Nisos has uncovered a network of North Korean fake IT workers creating personas on GitHub to obtain remote engineering and full-stack blockchain developer positions in the US and Japan. These individuals reuse matured GitHub accounts and portfolio content, claim to be located in Asia, and some appear to be employed at small companies. The Nisos report identified six personas connected through shared GitHub and contact information, including individuals allegedly employed at Japanese consulting company Tenpct Inc and video game developer Enver Studio. Red flags include claims of experience across multiple programming languages, accounts on various professional platforms but not on social media, and connection to suspicious GitHub accounts. North Korea is believed to have dispatched thousands of IT workers globally who have funneled tens of millions of dollars to the Pyongyang regime.

Ransomware Group Claims Attack on Tata Technologies

The Hunters International ransomware gang has claimed responsibility for an attack on Indian engineering firm Tata Technologies, threatening to leak 1.4 terabytes of data allegedly stolen from the company. The incident appears to be connected to a ransomware attack that Tata disclosed in a regulatory filing with the Indian National Stock Exchange in late January. At that time, the company stated that "a few IT assets" had been affected and some IT services were temporarily suspended but later restored. Hunters International, which has operated under the ransomware-as-a-service model since late 2023, added Tata to its Tor-based leak site, claiming to have stolen over 730,000 files and threatening to publish all data within six days. The group, which took over and adapted tools and techniques from the disrupted Hive ransomware gang, has previously targeted organizations across multiple sectors including automotive, financial, food, healthcare, and manufacturing.

Chrome 134, Firefox 136 Patch High-Severity Vulnerabilities

Google and Mozilla have released updates to their browsers with patches for numerous security vulnerabilities. Chrome 134 includes fixes for 14 security issues, including 9 reported by external researchers. The most severe is CVE-2025-1914, a high-severity out-of-bounds read bug in the V8 JavaScript engine that earned researchers a $7,000 bounty. Google distributed a total of $27,000 in rewards for these vulnerability reports. Firefox 136 addresses 15 vulnerabilities, including 8 high-severity bugs that could lead to sandbox escape, tricking users into granting sensitive permissions, and arbitrary code execution. Mozilla also released Firefox ESR 128.8 and 115.21 with patches for several critical and high-severity flaws, as well as Thunderbird 136 and Thunderbird ESR 128.8. Neither Google nor Mozilla reported any of these vulnerabilities being exploited in the wild, but users are advised to update as soon as possible.

Knostic Secures $11 Million to Rein in Enterprise AI Data Leakage, Oversharing

Knostic, a Virginia startup building technology to manage data leakage and oversharing with enterprise-class AI tools, has secured $11 million in seed funding led by Bright Pixel Capital, with participation from Silicon Valley CISO Investments, DNX Ventures, and Seedcamp. Founded by security veterans Gadi Evron and Sounil Yu, the company has raised a total of $14 million to build a "knowledge control layer" that ensures AI outputs adhere to an organization's need-to-know principles. The platform integrates directly with AI systems to control information flow, applying filters that adjust AI responses based on a user's clearance level. Additional features include continuous oversharing detection through query simulation, contextual curation to deliver sanitized answers without exposing confidential details, and real-time alerts to help administrators quickly tighten permissions when needed. Knostic fits into the emerging category of AI-driven data loss prevention (DLP) that addresses oversharing with LLMs and AI-powered productivity tools.

US Sanctions Iranian Administrator of Nemesis Darknet Marketplace

The US Treasury Department has announced sanctions against Behrouz Parsarad, an Iranian national accused of running the online darknet marketplace Nemesis Market. The marketplace, which was shut down in March 2024 by a multinational law enforcement operation, had over 150,000 user accounts and 1,100 seller accounts registered. Nemesis provided a platform for drug trafficking, trading fraudulently obtained goods and data, and cybercrime services including DDoS attacks, phishing, and ransomware. According to the Treasury Department, the marketplace facilitated the sale of nearly $30 million worth of drugs between 2021 and 2024. Parsarad, who allegedly held full control over the website and its cryptocurrency wallets, earned millions of dollars through transaction fees and helped users launder funds. Officials reported that since the takedown of Nemesis, Parsarad has discussed setting up a new darknet marketplace with former vendors.

New Eleven11bot DDoS Botnet Powered by 80,000 Hacked Devices

Several cybersecurity organizations are tracking what has been described as one of the largest known DDoS botnets observed in recent years. The new botnet, named Eleven11bot, was recently noticed by Nokia's Deepfield Emergency Response Team conducting hyper-volumetric DDoS attacks. While Nokia initially reported the botnet had ensnared roughly 30,000 devices, mainly security cameras and network video recorder (NVR) devices, the Shadowserver Foundation subsequently identified approximately 86,400 compromised IoT devices. A majority of affected devices are in the United States (25,000), followed by the United Kingdom (10,000), Canada (4,000), and Australia (3,000). According to GreyNoise, 61% of 1,000 IPs it observed linked to the botnet are Iranian. The botnet has been seen launching DDoS attacks against various sectors, including gaming and communications, with attack intensity ranging from a few hundred thousand to several hundred million packets per second.