NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD
The National Institute of Standards and Technology (NIST) is drowning in a flood of vulnerability submissions, and its National Vulnerability Database (NVD) is feeling the strain. A recent update from NIST reveals that despite maintaining pre-2024 processing speeds, a 32% surge in CVEs last year has left the backlog ballooning. With submissions expected to climb further in 2025, NIST is eyeing AI and machine learning to tackle the mess, but the clock's ticking.
The NVD, a cornerstone for vuln management, is showing cracks—outdated workflows and manual processes can't keep pace with today's threat landscape. Security pros are already sweating the delays, as the gap between reported bugs and actionable fixes widens.
NIST admits its systems were built for a simpler era, and even with more staff and tools, it's not enough. This isn't just a bureaucratic hiccup—it's a wake-up call for the industry. If the NVD can't scale, organizations relying on it for timely intel might find themselves exposed. Expect more automation experiments, but for now, NIST's struggle is a stark reminder: even the gatekeepers of security are scrambling to keep up.
Oracle Denies Cloud Breach After Hacker Offers to Sell Data
Oracle's playing defense after a hacker going by "rose87168" put what they claim are six million Oracle Cloud records up for sale on a cybercrime forum. The haul allegedly includes encrypted SSO passwords and hashed LDAP passwords the seller admits they couldn't crack. CloudSEK, which dug into the claim, points to a login server that appears to run an outdated Oracle Fusion Middleware build and floats CVE-2021-35587, a known Oracle Access Manager flaw, as a plausible way in.
Oracle's not buying it, though. "No breach here," it told SecurityWeek in effect, insisting the published credentials aren't Oracle Cloud credentials and no customers were hit. The hacker fired back on X with a Wayback Machine snapshot of a since-removed text file they say they uploaded to an Oracle Cloud login server, the kind of write access a real intrusion would hand over.
Theories swirl: a stealth breach Oracle missed, third-party data, or a total fake-out? Hackers love a good bluff, but this one's got legs enough to stir doubt. Oracle's sticking to its guns, but the optics aren't great—especially with that X post dangling like a digital taunt. For now, it's a murky he-said-she-said in the cloud security game, with enterprises left wondering if their Oracle setups are as airtight as promised. Stay tuned; this one's got more twists coming.
Russian Firm Offers $4 Million for Telegram Exploits
Operation Zero, a Russian exploit broker that says it sells only to Russian government and private buyers, just announced on X that it's paying up to $4M for Telegram zero-days. The menu: $500K for a one-click RCE, $1.5M for a zero-click, and a cool $4M for a full chain, with the Android, iOS and Windows clients all in scope.
These guys aren't subtle: they've openly funneled zero-days to Russian state and private clients for years, and now they're betting big on cracking the encrypted messaging giant. Details are thin, but in this market a "full chain" means the initial RCE chained with whatever sandbox escape and privilege escalation it takes to turn a single message into persistent control of the device.
This isn't new. US firm Zerodium played the same game before going quiet earlier this year, leaving Operation Zero to flex. Telegram's a juicy target: privacy-first branding, global reach, and a thorn in the side of state surveillance. If they score, expect ripple effects, think espionage, dissident tracking, or worse. The exploit market's heating up, and with Zerodium MIA, Operation Zero's cash splash could lure top talent. For Telegram, it's a red alert, because a client-side RCE sidesteps whatever encryption sits on the wire. For the rest of us? A reminder that even "secure" apps aren't untouchable when millions are on the table.
US Lifts Sanctions Against Crypto Mixer Tornado Cash
Big win for crypto's privacy camp: the US Treasury just yanked sanctions on Tornado Cash, the decentralized mixer it branded a laundering haven in 2022. Back then, OFAC said the service had washed more than $7 billion, including North Korean hacker loot, and the designation was followed by criminal charges against co-founders Roman Storm and Roman Semenov.
A Texas district judge upheld the designation, but the Fifth Circuit flipped it last November, ruling that Tornado Cash's immutable smart contracts aren't "property" that Treasury can sanction under IEEPA. On March 21 the agency folded and delisted the mixer, calling the case moot. Coinbase's Paul Grewal isn't popping champagne yet; he says a final court ruling is needed to lock it in.
Tornado Cash is back in play, but the Treasury's still got North Korea in its crosshairs, vowing to chase illicit flows. This flip-flop's a crypto culture clash: privacy tech vs. regulatory muscle. For blockchain diehards, it's a rare W; for the feds, a lesson in overreach. Expect more legal ping-pong as DeFi grows—sanctions might be off, but the surveillance state's not blinking. Tornado's free, for now, but the shadow of re-sanction looms.
Despite Rip-and-Replace Efforts, FCC Suspects Banned Chinese Telecom Providers Still Active in US
The FCC's on a mission: find out whether Chinese telecom vendors like Huawei and ZTE, banned as national security risks, are still doing business inside US networks. Years into the "rip-and-replace" push, with billions spent to pull their gear, Chair Brendan Carr suspects some of them are still operating here through channels the FCC doesn't regulate.
The Covered List (Huawei, ZTE, Hikvision, etc.) was meant to cut ties, but Carr's new probe suggests loopholes persist. The FCC's flexing its new Council on National Security, launched this month, to hunt these ghosts. Why the worry? Beijing's spy potential through these firms isn't hypothetical; it's a live threat, amped up by recent China-linked intrusions into US carriers.
The agency's demanding intel on these outfits and their enablers. Carr's not messing around: "We won't look the other way." For small carriers, it's a nightmare—ripping out cheap gear's costly, and replacements lag. For the industry, it's a signal: hyperscalers and startups might fill the gap, but only if the FCC plugs these leaks. China's not out of the game yet—expect this cat-and-mouse to escalate.
Medusa Ransomware Uses Malicious Driver to Disable Security Tools
Medusa ransomware's got a new trick up its sleeve, and it's nasty. Elastic Security Labs caught it wielding a malicious kernel driver, "smuol.sys" (tracked as AbyssWorker), signed with a likely stolen, since-revoked certificate from a Chinese company and dressed up to look like a CrowdStrike Falcon component. The VMProtect-packed driver, seen from August 2024 to February 2025, exists for one job: blinding security tools.
How? Once loaded, it takes commands from a user-mode client over IOCTLs and does the dirty work in the kernel: stripping process handles, killing processes and threads, manipulating files, removing the notification callbacks and hooks that EDR products depend on, and rebooting the box. Medusa's crew even sets the system clock back to 2012 so the revoked cert still passes the signing checks at install time. The driver isn't exclusive to Medusa, either: Elastic has seen it as "nbwdv.sys" in backdoor attacks too.
The driver's a Swiss Army knife for chaos, letting attackers neuter defenses before encryption hits, and stolen code-signing certs keep it under the radar until someone revokes them. For security teams the practical control is driver-load monitoring: alert on any kernel driver whose signer is revoked, expired or unknown, enable Microsoft's vulnerable driver blocklist where HVCI allows it, and treat a "CrowdStrike" driver signed by anyone but CrowdStrike as an incident, not a curiosity. Elastic has released a sample loader and detections to help, but Medusa's playbook is shared across malware crews, so expect more headaches ahead.
NetSfere Launches Quantum-Resilient Messaging Platform for Enterprise and Government Use
NetSfere's stepping into the quantum era with a bold claim: the "world's first" quantum-resilient enterprise messaging platform. Unveiled March 24, 2025, the upgrade pairs NIST's ML-KEM (the standardized Kyber) for key exchange with AES-256 for bulk encryption across end-to-end encrypted text, voice and video, aimed squarely at enterprise buyers and the government National Security Systems (NSS) market.
With the NSA's CNSA 2.0 requiring new NSS acquisitions to be compliant by 2027, NetSfere's ahead of the curve, baking in crypto agility so algorithms can be swapped if (when?) one falls. CEO Anurag Lal's confident ML-KEM holds, but they're ready to pivot: NIST's newly selected backup KEM, HQC, is on deck.
Unlike consumer apps, NetSfere hands key control to customers, sidestepping the backdoor fights now playing out in the UK. It's a pivot from their existing platform, now quantum-ready for an NSS market the company sizes at $1T+. MFA's flexible, email or SMS, letting firms weigh security against speed; the caveat is that SMS and email are the weakest second factors around, and a post-quantum cipher doesn't help if the login in front of it is phishable. For C-suites, it's a mobile messaging lifeline that doesn't skimp on compliance. With HP touting quantum-resistant printers and the crypto wars heating up, NetSfere's betting on comms. This could be the enterprise chat gold standard, assuming they nail the NSS pitch by '27.
Albabat Ransomware Expands Targets, Abuses GitHub
Albabat ransomware's gone multiplatform, and it's leaning on GitHub to pull it off. Trend Micro's latest report shows the Rust-built strain, aka White Bat, now targets Linux and macOS alongside Windows. First spotted in 2023 spreading through fake tools and game cheats, it's evolved fast.
New samples fetch their configuration and components from a private GitHub repository under a "Bill Borguiann" account, last updated in February 2025. Using the GitHub REST API with an "Awesome App" user-agent, the malware pulls a config that tells it which folders to skip, which processes to kill, and which file types to encrypt. Data theft's baked in too: harvested information lands in a PostgreSQL database the operators use to track victims and price ransoms. Version 2.0 is live, and the configs hint at a 2.5 in the works.
GitHub's a clever twist: the operators can retune the malware with a commit, and the traffic blends into a service every network already talks to. For victims it's a double whammy, locked files plus exfiltrated data. Trend Micro warns Albabat's still cooking, and cross-platform reach plus cloud-service abuse spells trouble. Security teams should treat GitHub API calls from odd clients as a hunting lead, lock down their own GitHub tokens, and brace for ransomware that's smarter, sneakier, and everywhere.
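One way to turn the Albabat tradecraft above into a hunt is to look for GitHub API traffic from clients that aren't normal developer tooling. The Python below is an added example written for this roundup, not Trend Micro's or the malware's code. The log records are constructed JSON lines from a hypothetical egress proxy, the repository name in them is a placeholder, and the client allowlist is an assumption about which tools your fleet legitimately uses; tune it before relying on it. The "Awesome App" user-agent is the one Trend Micro reported.

```python
"""Flag GitHub REST API requests whose User-Agent is not a known developer
tool, then narrow to sources that repeatedly fetch raw file content (what a
config-from-GitHub loader does). Added example; sample log is constructed."""
import json
import re
from collections import defaultdict

# Clients we expect to talk to GitHub from workstations (assumption; extend for
# your environment). Anything else gets flagged for review.
EXPECTED_UA = re.compile(r"^(git/|gh/|Mozilla/)", re.I)

# REST endpoint that returns repository file content.
CONTENT_PATH = re.compile(r"^/repos/[^/]+/[^/]+/contents/")

GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com"}


def suspicious_github_clients(log_lines):
    """Return {src_ip: [(user_agent, path), ...]} for GitHub requests whose
    User-Agent is not on the expected list. Malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("host") not in GITHUB_HOSTS:
            continue
        ua = rec.get("user_agent", "")
        if EXPECTED_UA.match(ua):
            continue
        hits[rec.get("src", "?")].append((ua, rec.get("path", "")))
    return dict(hits)


def content_fetchers(hits):
    """Keep only sources that pulled file content via the contents endpoint."""
    return {src: reqs for src, reqs in hits.items()
            if any(CONTENT_PATH.match(path) for _, path in reqs)}


# Constructed proxy log (not real telemetry); "example-user/cfg" is a placeholder.
SAMPLE_LOG = [
    '{"ts":"2025-02-12T08:01:03Z","src":"10.20.4.17","host":"api.github.com","path":"/repos/example-user/cfg/contents/config.json","user_agent":"Awesome App"}',
    '{"ts":"2025-02-12T08:01:09Z","src":"10.20.4.17","host":"api.github.com","path":"/repos/example-user/cfg/contents/kill.txt","user_agent":"Awesome App"}',
    '{"ts":"2025-02-12T08:02:41Z","src":"10.20.4.33","host":"api.github.com","path":"/user/repos","user_agent":"gh/2.63.0"}',
    '{"ts":"2025-02-12T08:03:00Z","src":"10.20.4.33","host":"github.com","path":"/example-user/cfg.git/info/refs","user_agent":"git/2.47.0"}',
    '{"ts":"2025-02-12T08:04:15Z","src":"10.20.4.58","host":"api.github.com","path":"/rate_limit","user_agent":"curl/8.5.0"}',
    'not json at all',
]

if __name__ == "__main__":
    for src, reqs in content_fetchers(suspicious_github_clients(SAMPLE_LOG)).items():
        print(src, reqs)
```

The two-stage filter matters: a bare user-agent check will also catch curl, CI runners and scripts, so the second pass keys on the `contents` endpoint, which is the behaviour worth chasing rather than the string "Awesome App" on its own. Swap the JSON shape for whatever your proxy actually emits.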
Encrypted Messaging Apps Promise Privacy. Government Transparency Is Often the Price
Encrypted apps like Signal are a double-edged sword: killer privacy, murky transparency. The Associated Press dug into a Maui wildfire case where officials hinted at using Signal, leaving investigators grasping at smoke. Across 50 states, AP found 1,100+ gov workers with encrypted app accounts—legit, but dicey if used for work.
These tools (Signal, WhatsApp, etc.) auto-delete and dodge public records laws, sparking a clash: security vs. accountability. CISA greenlights them for sensitive chats, but not to duck FOIA. States like Michigan ban them on work phones; others, like New Mexico, flail after scandals.
The rub? Tech's outpacing policy—public records lag while hackers loom. Smarsh's Lanika Mamac says governments want both: secure chats and open books. Experts like David Cuillier push for sharper laws with teeth—archive it or lose it. For now, it's a Wild West: officials love the shield, but taxpayers hate the blackout. Expect more fights as encryption grows—and transparency shrinks.
Ransomware Group Claims Attack on Virginia Attorney General's Office
Cloak ransomware just flexed, claiming they kneecapped the Virginia Attorney General's Office in February. Systems crashed, VPNs died, and staff reverted to paper filings—chaos confirmed via email, but the AGO's tight-lipped.
On March 20, Cloak posted allegedly stolen data on its Tor leak site, the usual sign that an extortion attempt went nowhere. SecurityWeek's asked for comment, but nothing yet. Active since 2022, Cloak has 65+ claimed victims per Comparitech, though only 13 are confirmed. This is its 2025 debut, and it's wielding an ARCrypter variant built on Babuk's leaked source.
Linked to Good Day ransomware, they fish with social engineering and broker help, usually hitting SMBs in Europe and Asia. A state AG's a bold scalp—suggests they're leveling up. Virginia's silence leaves the damage murky, but Cloak's data dump could spill secrets if legit. For cybersecurity, it's a red alert: public sector's in the crosshairs, and ransomware's getting cockier. Stay tuned—this one's got fallout potential.
New Jailbreak Technique Uses Fictional World to Manipulate AI
Cato Networks has a new AI jailbreak it calls "Immersive World": a narrative trick that turns LLMs into malware smiths. Picture a fictional realm, Velora, where hacking is noble. A Cato researcher with no prior malware-coding experience spun a tale with a sysadmin adversary, an elite malware developer (the role handed to the LLM), and a guiding mentor.
Feeding DeepSeek, Microsoft Copilot and ChatGPT this saga, the researcher coaxed out a working Chrome infostealer that ran against Chrome 133. No malware know-how was needed, just story tweaks and feedback on what the model produced. Tested in a sandbox, it showed how far an LLM can carry a novice.
Cato notified all three vendors (Google declined to review the code), but the cat's out: guardrails can be talked around with a good yarn, and this isn't a bug in any one model so much as a weakness of content filtering as an approach. For CISOs, it's a nightmare, because the entry bar to cybercrime just dropped again. Cato's report screams urgency: AI security needs a rethink, fast. This isn't sci-fi; it's 2025's new attack vector. Expect copycats, since narrative engineering is cheap, effective, and here to stay.
Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley
China's I-Soon hackers, tracked by ESET as FishMonger, breached seven organizations across Taiwan, Hungary, Turkey, Thailand, the US and France in 2022, the company says. Dubbed Operation FishMedley, the espionage campaign targeted governments, NGOs and think tanks.
Tied to Beijing's Ministry of Public Security, I-Soon is a Chengdu-based contractor in the Winnti Group orbit. After a 2024 leak of its internal documents, the US indicted ten I-Soon employees and associates for hitting the Treasury Department, activists and more. ESET's deep dive shows hands-on-keyboard recon, lateral movement with Impacket, and LSASS memory dumps for credential theft, powered by the ShadowPad, Spyder and SodaMaster implants plus a previously undocumented reverse shell, RPipeCommander, a multi-threaded tool that relays commands to cmd.exe over named pipes.
Victims got owned from the inside—privileged access made it a cakewalk. For security pros, it's a stark reminder: China-aligned crews are relentless, and their toolkits evolve. ESET's clustering seven hits into one campaign paints a coordinated picture—FishMedley's just the tip. Expect more I-Soon fallout as Beijing's cyber game sharpens.
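Two items in this roundup describe behaviour that shows up cleanly in Sysmon telemetry: the Medusa/AbyssWorker driver (a kernel driver with a revoked signer, impersonating an EDR vendor) and FishMedley's Impacket lateral movement and LSASS dumping. The Python below triages both from Sysmon Event ID 6 (driver loaded) and Event ID 1 (process create) records. It is an added example for this page, not Elastic's or ESET's code. Every event is constructed, the signer name is a placeholder, and the known-bad driver names, the path-to-vendor mapping and the command-line patterns are this example's own assumptions to adapt to your environment.

```python
"""Triage Sysmon events for two behaviours in this roundup: Event ID 6 (driver
loaded) for the revoked-cert, vendor-impersonating driver in the Medusa item,
and Event ID 1 (process create) for the Impacket lateral movement and LSASS
dumping in the FishMedley item. Added example, not Elastic's or ESET's code.
All events are constructed; names, paths and patterns are assumptions."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KNOWN_BAD_DRIVERS = {"smuol.sys", "nbwdv.sys"}      # names reported publicly
VENDOR_PATHS = {"\\crowdstrike\\": "crowdstrike"}    # path fragment -> expected signer
# wmiexec.py/smbexec.py redirect output to an admin share on loopback, __<timestamp>.
IMPACKET_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__\d+", re.I)
# procdump against lsass, or the comsvcs.dll MiniDump export via rundll32.
LSASS_DUMP = re.compile(r"procdump\S*\s.*lsass|comsvcs\.dll,\s*#?MiniDump", re.I)


def sysmon_xml(event_id, **data):
    """Build a minimal Sysmon-shaped event for the constructed samples below."""
    rows = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{rows}</EventData></Event>')


def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields


def triage_driver_load(f):
    """Findings for an Event ID 6 record; anything but a valid signer is a finding."""
    out, path = [], f.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    signer, status = f.get("Signature", "").lower(), f.get("SignatureStatus", "")
    if name in KNOWN_BAD_DRIVERS:
        out.append(f"known-bad driver name {name}")
    if status != "Valid":   # Revoked, Expired, Unsigned or missing
        out.append(f"signature status {status or 'missing'}")
    for frag, vendor in VENDOR_PATHS.items():
        if frag in path.lower() and vendor not in signer:
            out.append(f"path implies {vendor} but signer is {f.get('Signature')!r}")
    return out


def triage_process_create(f):
    """Findings for an Event ID 1 record based on command line and parent."""
    out, cmd = [], f.get("CommandLine", "")
    if IMPACKET_SHARE.search(cmd):
        out.append("output redirected to loopback admin share (Impacket wmiexec/smbexec)")
    if f.get("ParentImage", "").lower().endswith("wmiprvse.exe") and "cmd.exe /q /c" in cmd.lower():
        out.append("cmd.exe /Q /c spawned by WmiPrvSE (wmiexec)")
    if LSASS_DUMP.search(cmd):
        out.append("LSASS dump command line")
    return out


def triage(events):
    """Return [(event_id, key_field, findings)] for every event that raises a finding."""
    results = []
    for xml_text in events:
        eid, f = parse_event(xml_text)
        if eid == 6:
            findings, key = triage_driver_load(f), f.get("ImageLoaded", "")
        elif eid == 1:
            findings, key = triage_process_create(f), f.get("CommandLine", "")
        else:
            continue
        if findings:
            results.append((eid, key, findings))
    return results


SAMPLE_EVENTS = [  # constructed, not real telemetry; signer name is a placeholder
    sysmon_xml(6, ImageLoaded=r"C:\Windows\System32\drivers\smuol.sys", Signed="true",
               Signature="Example Signer Co., Ltd.", SignatureStatus="Revoked"),
    sysmon_xml(6, ImageLoaded=r"C:\Program Files\CrowdStrike\csagent.sys", Signed="true",
               Signature="Example Signer Co., Ltd.", SignatureStatus="Valid"),
    sysmon_xml(6, ImageLoaded=r"C:\Windows\System32\drivers\ntfs.sys", Signed="true",
               Signature="Microsoft Windows", SignatureStatus="Valid"),
    sysmon_xml(1, ParentImage=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
               CommandLine=r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1741900000.12 2>&1"),
    sysmon_xml(1, ParentImage=r"C:\Windows\System32\cmd.exe",
               CommandLine=r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\t\l.dmp full"),
    sysmon_xml(1, ParentImage=r"C:\Windows\explorer.exe", CommandLine="cmd.exe /c dir"),
]

if __name__ == "__main__":
    for eid, key, findings in triage(SAMPLE_EVENTS):
        print(eid, key, findings)
```

The driver check deliberately treats every non-"Valid" signature status as a finding rather than only "Revoked": a driver that loads at all with a revoked cert means the signing checks were bypassed somewhere (the 2012 clock trick above is one way), so the status field is your only cheap signal after the fact. The vendor-mismatch rule is path-based because Event ID 6 doesn't carry file version metadata; pair it with an inventory of where your EDR really installs.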
Industry Reactions to Google Buying Wiz: Feedback Friday
Google's $32B cash grab for cloud security titan Wiz has tongues wagging. A year after Wiz ditched a $23B Google deal for IPO dreams, it's now in Big G's fold—cybersecurity's fattest acquisition yet. Google's gunning to juice up cloud security and multicloud chops, promising Wiz stays platform-agnostic.
Industry voices aren't so sure. Acrew's Mark Kraynak calls it a mega-deal trendsetter, testing DOJ's antitrust claws. Tenable's Shai Morag warns Wiz's neutrality's toast under Google. Seal's Itamar Sher bets on independence like YouTube—or bust.
Deepwatch's Parth Shah sees Google chasing AWS/Azure security cred with Wiz's sales hustle ($700M at buyout). CyCognito's Rob Gurzeev praises Wiz's real-deal rep; Salt's Eric Schwake flags lock-in risks. Fenix24's Heath Renfrow asks if Wiz can stay cloud-agnostic. ARMO's Shauli Rozen eyes runtime security gaps. For now, it's a seismic shift—Google's all-in on cloud defense, but rivals and regulators are watching close.
Ransomware Group Claims Attacks on Ascom, Jaguar Land Rover
Hellcat ransomware's on a tear, claiming hits on Swiss communications-technology firm Ascom and automaker Jaguar Land Rover (JLR). Ascom confirmed a March 16 breach of its technical ticketing system, with 44GB of contracts, source code and documents allegedly taken, though operations weren't affected.
JLR's alleged haul? Hundreds of gigabytes, obtained with Atlassian Jira credentials that an infostealer lifted from an LG Electronics employee who had access to JLR's instance, per Hudson Rock. That's Hellcat's MO: infostealer logs and dark-web credential markets. Ascom's investigating; JLR's staying mum.
Known for the Schneider Electric and Telefonica hacks, Hellcat's proving old logins still sting: the JLR credentials were harvested back in 2021. For defenders, the lesson is that stale creds are gold, especially third-party and contractor accounts on SaaS tools like Jira that nobody rotates and nobody protects with MFA. Ascom says it's contained; JLR's silence leaves questions. Expect more noise if that data leaks, or if Hellcat's bluffing gets called.
Former NFL, Michigan Assistant Coach Matt Weiss Charged With Hacking for Athletes' Intimate Photos
Ex-NFL and Michigan coach Matt Weiss just got slammed with a 14-count indictment for hacking 150,000+ athletes' data, hunting intimate pics. From 2015-2023, Weiss cracked a Keffer Development Services database covering 100+ colleges, snagging personal and medical info.
He then broke into 2,000+ athletes' social media, email and cloud storage accounts, mostly women's, using what he'd pulled from the database plus internet research to get past the encryption protecting their passwords. Fired from Michigan in 2023 amid a university investigation, he had his Ann Arbor home searched. The feds say he kept notes on targets' bodies and habits.
US Attorney Julie Beck's vowing a hard fight. Weiss, once a Ravens assistant, claimed cooperation two years back—now he's mute. For tech, it's a privacy gut punch: one guy, some smarts, and a vendor flaw turned personal lives into loot. Court date's TBD—this one's a playbook for nightmares.
Impact, Root Cause of GitHub Actions Supply Chain Hack Revealed
A GitHub Actions supply chain attack just got dissected, and it's a doozy. The "tj-actions/changed-files" action, used by 23,000+ repos, was modified to run a script that dumped the CI runner's memory and printed CI/CD secrets into build logs, where anyone can read them on a public repo. Root cause? A separate compromise of reviewdog's "action-setup" action, per Wiz and Palo Alto Networks.
The attacker used that foothold to grab a tj-actions-bot personal access token, helped along by reviewdog's loose contributor permissions (an automatic invite or a hijacked account did it), then retargeted the action's existing version tags at the malicious commit, so anyone pulling "@v45" or similar got the payload while SHA-pinned workflows kept running the code they'd reviewed. Coinbase's "agentkit" was the first target, but its secrets stayed safe. Then it went wide: 160,000+ dependent projects were exposed, though Endor Labs counts only 218 repos that actually leaked secrets, mostly short-lived tokens.
Reviewdog's cleaning up; the two compromises are tracked as CVE-2025-30154 (reviewdog/action-setup) and CVE-2025-30066 (tj-actions/changed-files). GitHub says its own platform wasn't breached and is urging vigilance over third-party actions. For devs, it's a gut check: supply chain trust is fragile, and one bad action can burn you. Pin third-party actions to full commit SHAs, rotate any secret that passed through an affected workflow, and lock those PATs down.
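The cheapest defence against the tag-retargeting trick above is to reference every third-party action by its full 40-character commit SHA. The Python below is an added example for this page, not Wiz's, Palo Alto's or GitHub's tooling: a line-oriented scanner for workflow files that reports every `uses:` reference still pointing at a tag, branch or nothing at all. The sample workflow is constructed, and the SHA on the checkout line is a placeholder, not a real actions/checkout commit.

```python
"""Find GitHub Actions references that are not pinned to a full commit SHA.
Line-oriented on purpose so it runs without a YAML library and reports the
exact line to fix. Added example; the sample workflow below is constructed."""
import re

# "- uses: owner/repo[/path]@ref", optionally quoted, with a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref_spec):
    """Return 'local', 'docker', 'pinned', 'mutable' or 'unversioned'."""
    if ref_spec.startswith("./"):
        return "local"           # lives in this repo, reviewed with the code
    if ref_spec.startswith("docker://"):
        return "docker"          # image refs need digest pinning, a separate check
    if "@" not in ref_spec:
        return "unversioned"     # GitHub resolves this to the default branch
    _, ref = ref_spec.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned_actions(workflow_text):
    """Return [(line_number, ref_spec, kind)] for every mutable or missing ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        kind = classify_ref(spec)
        if kind in ("mutable", "unversioned"):
            findings.append((lineno, spec, kind))
    return findings


# Constructed sample; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2 (placeholder SHA)
      - uses: tj-actions/changed-files@v45
      - name: Lint
        uses: "reviewdog/action-setup@v1"
      - uses: ./.github/actions/internal-step
      - uses: docker://alpine:3.21
      - uses: example-org/unversioned-action
"""

if __name__ == "__main__":
    for lineno, spec, kind in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {spec} ({kind})")
```

A SHA pin is immune to someone moving a tag, which is exactly what happened here, but it is not a review: the pinned commit can itself reference other actions by tag, and a bot that auto-bumps pins reintroduces the trust problem one step removed. Keep the version comment next to the SHA so humans can still read the file, and have the check run in CI so a new `@v1` never lands unnoticed.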
Browser Security Under Siege: The Alarming Rise of AI-Powered Phishing
Browsers are the new battleground, and AI's fueling the fire. Menlo Security's 12-month look at 750,000 browser-based phishing attacks shows a 140% year-over-year spike, with zero-hour phishing (pages too fresh for any blocklist) up 130%. Why? We live in browsers, browser zero-days keep coming, and gen-AI is a crook's dream for cranking out convincing fakes, deepfakes and attacks at scale.
Menlo caught nearly 600 impostor gen-AI sites pushing malware-laced PDFs, skipping credential theft and going straight for ransomware. Phishing-as-a-service (PhaaS) is booming too: Barracuda counted a million PhaaS-driven attacks in 2025 alone. Mobile's the soft spot, where truncated URLs and auto-logins make users easy bait.
Menlo's Andrew Harding warns AI's just starting; 2025's gonna hurt. Sectigo's Jason Soroko says verify domains—trust's a trap. For IT, it's Defcon 1: browsers aren't toys, they're targets. Patch fast, train hard, or pay up.