Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to a financially motivated threat actor known as Cl0p.
The malicious activity involves sending extortion emails to executives at various organizations and claiming to have stolen sensitive data from their Oracle E-Business Suite.
“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, told The Hacker News in a statement.
Mandiant CTO Charles Carmakal described the ongoing activity as a “high-volume email campaign” that’s launched from hundreds of compromised accounts, with evidence suggesting that at least one of those accounts has been previously associated with activity from FIN11, which is a subset within the TA505 group.
FIN11, per Mandiant, has engaged in ransomware and extortion attacks as far back as 2020. Previously, it was linked to the distribution of various malware families like FlawedAmmyy, FRIENDSPEAK, and MIXLABEL.
“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS),” Carmakal added. “This move strongly suggests there’s some association with Cl0p, and they are leveraging the brand recognition for their current operation.”
That said, Google said it does not have any evidence on its own to confirm the alleged ties, despite similarities in tactics observed in past Cl0p attacks. The company is also urging organizations to investigate their environments for evidence of threat actor activity.
It’s currently not clear how initial access is obtained. However, according to Bloomberg, it’s believed that the attackers compromised user emails and abused the default password reset function to gain valid credentials of internet-facing Oracle E-Business Suite portals, citing information shared by Halycon.
The Hacker News has reached out to Oracle for further comment about the extortion campaign, and will update the story if we hear back.
In recent years, the highly prolific Cl0p group has been attributed to a number of attack waves exploiting zero-day flaws in Accellion FTA, SolarWinds Serv-U FTP, Fortra GoAnywhere MFT, and Progress MOVEit Transfer platforms, successfully breaching thousands of organizations.
Penetration testing is critical to uncovering real-world security weaknesses. With the shift into continuous testing and validation, it is time we automate the delivery of these results.
The way results are delivered hasn’t kept up with today’s fast-moving threat landscape. Too often, findings are packaged into static reports, buried in PDFs or spreadsheets, and handed off manually to already-overloaded IT and engineering teams. By the time remediation begins, days or even weeks may have passed since the issues were first discovered.
As we explored in our recent article on how automation is redefining pentest delivery, static, manual processes no longer cut it. Security teams need faster insights, cleaner handoffs, and more consistent workflows if they want to keep pace with modern exposure management.
That’s where automation makes the difference, ensuring findings move seamlessly from discovery to remediation in real time.
Where Should You Start?
Knowing automation matters is only the first step. The bigger challenge is understanding where to start. Not every workflow carries equal impact, and trying to automate everything at once can be overwhelming.
This article focuses on the seven key workflows that deliver the greatest immediate value.
By automating these first, security teams can accelerate delivery, reduce friction, and build the foundation for a modern, scalable approach to penetration test delivery.
Platforms like PlexTrac help automate pentest finding delivery in real time through robust, rule-based workflows. (No waiting for the final report!)
1. Create Tickets for Remediation When Findings Are Discovered
One of the most powerful ways to accelerate penetration test delivery is by integrating findings directly into the tools that engineering and IT teams already use. Instead of manually transcribing vulnerabilities into Jira, ServiceNow, or Azure DevOps, automation can create remediation tickets the moment findings are published.
This ensures findings reach the right teams without delay, while eliminating the risk of human error during handoff. For organizations with multiple stakeholders — from internal IT groups to external clients — automated ticketing ensures everyone works within familiar systems, without adding new friction. The result is faster remediation cycles, bidirectional visibility between teams, and ensuring all findings are tracked and resolved promptly.
2. Auto-Close Informational Findings
Not every discovery requires action. Informational findings, while valuable for historical context, can clutter dashboards and distract teams from higher-priority risks. By automatically closing findings tagged as informational during scan ingestion, organizations can reduce triage noise and keep workflows streamlined.
This automation helps security leaders ensure their teams stay focused on what truly matters, while still retaining visibility into lower-level data if needed. It’s a simple but effective way to declutter queues, improve dashboard accuracy, and give teams back valuable time.
3. Send Real-Time Alerts for Critical Findings
Critical vulnerabilities discovered in active environments need immediate attention, often before a report is finalized. With automation, real-time alerts can be pushed directly to communication channels like Slack, Microsoft Teams, email, or even text using custom webhooks based on the severity of the finding.
This workflow ensures high-severity issues are escalated instantly, enabling faster response and reducing risk exposure. In many cases, alerts can be paired with auto-ticket creation, sending findings to the right remediation team the moment they’re identified. This proactive approach helps organizations shorten the time from discovery to mitigation.
4. Request Proofreading of Draft Findings
Delivering high-quality penetration tests requires collaboration and potentially multiple levels of review. Instead of sending manual messages asking teammates to review a draft or running into duplicate versioning issues, automation can trigger real-time notifications when findings are ready for proofreading.
This workflow promotes stronger peer review practices, reduces communication overhead, and helps teams scale their quality assurance process without slowing delivery. For junior analysts, it provides a structured way to involve more experienced team members in the editing process, ultimately improving the end deliverable.
5. Send Alerts When Findings Are Ready for Retest
Closing the loop on vulnerabilities is just as important as identifying them in the first place. Retesting is often delayed because communication between testing and remediation teams breaks down. By automating alerts when findings are ready for retest, organizations ensure timely follow-up and avoid SLA misses.
This workflow helps teams align more effectively, improves accountability, and reduces the risk of lingering vulnerabilities. It’s a small but high-impact automation that strengthens trust in the overall pentesting process by ensuring that vulnerabilities are truly resolved.
6. Auto-Assign Findings to Users Based on Role, Team, or Asset Type
Findings can quickly get lost in the shuffle if they’re not routed correctly. Manual assignment leads to delays, confusion, and even rework when issues land with the wrong team or individual. Automating assignment rules based on attributes like asset type, vulnerability category, or team role ensures findings are delivered directly to the subject matter experts best equipped to address them.
This targeted delivery not only speeds up triage but also reduces human error and boosts overall efficiency. Whether findings need to go to a specific department, system owner, or regional team, auto-assignment builds clarity into the remediation process and ensures accountability from day one.
7. Send Finding Updates to Client Portals or Alert Clients Directly
For service providers, keeping clients informed during and after a pentest is critical for trust and satisfaction. Instead of relying on periodic emails or manual updates, automation can send findings directly into client-facing portals or dashboards. Clients can also receive real-time alerts for critical issues, ensuring they have immediate visibility into high-severity risks.
This creates a bridge between security providers and their clients, enabling faster responses and stronger collaboration so providers can position themselves as trusted partners.
PlexTrac supports each of these capabilities through its Workflow Automation Engine. Explore their Workflow Automation Playbook for deeper guidance on how these automations work together.
Automation Amplifies the Impact of Penetration Testers
By eliminating repetitive tasks, reducing delays, and ensuring findings reach the right people at the right time, automation frees teams to focus on what matters most: protecting the organization.
The seven workflows we’ve outlined are not only practical starting points, but also building blocks for more advanced automation in the future. Whether it’s auto-assigning findings, streamlining retests, or delivering updates directly to stakeholders, each step helps create a more resilient, efficient, and collaborative security practice.
Want to see what automated pentest workflows look like in action? Platforms like PlexTrac help teams unify and accelerate delivery, remediation, and closure in one platform, enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
From unpatched cars to hijacked clouds, this week’s Threatsday headlines remind us of one thing — no corner of technology is safe. Attackers are scanning firewalls for critical flaws, bending vulnerable SQL servers into powerful command centers, and even finding ways to poison Chrome’s settings to sneak in malicious extensions.
On the defense side, AI is stepping up to block ransomware in real time, but privacy fights over data access and surveillance are heating up just as fast.
It’s a week that shows how wide the battlefield has become — from the apps on our phones to the cars we drive. Don’t keep this knowledge to yourself: share this bulletin to protect others, and add The Hacker News to your Google News list so you never miss the updates that could make the difference.
Claude Now Finds Your Bugs
Anthropic said it has rolled out a number of safety and security improvements to Claude Sonnet 4.5, its latest coding focused model, that make it difficult for bad actors to exploit and secure the system against prompt injection attacks, sycophancy (i.e., the tendency of an AI to echo and validate user beliefs no matter how delusional or harmful they may be),
and child safety risks. “Claude’s improved capabilities and our extensive safety training have allowed us to substantially improve the model’s behavior, reducing concerning behaviors like sycophancy, deception, power-seeking, and the tendency to encourage delusional thinking,”
the company said. “For the model’s agentic and computer use capabilities, we’ve also made considerable progress on defending against prompt injection attacks, one of the most serious risks for users of these capabilities.”
The AI company said the latest model has better defensive cybersecurity abilities, such as vulnerability discovery, patching, and basic penetration testing capabilities. However, it did acknowledge that these tools could be “dual-use,” meaning they might also potentially be used by malicious actors, as well as cybersecurity professionals.
Generative AI systems like those offered by Microsoft and OpenAI are at the forefront of a battle between companies providing sophisticated text and image generation capabilities and malicious actors looking to exploit them.
Scan Waves Hint Pre-Exploit Staging
The SANS Internet Storm Center Security has disclosed its observation of a significant increase in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability
(CVE-2024-3400). The vulnerability, disclosed last year, is a command injection vulnerability that could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on susceptible firewalls.
SANS ISC said it has detected specially crafted requests that seek to upload a TXT file and subsequently attempt to retrieve that file via an HTTP GET request. “This will return a ‘403’ error if the file exists, and a ‘404’ error if the upload failed. It will not execute code,” it noted. “The content of the file is a standard Global Protect session file, and will not execute. A follow-up attack would upload the file to a location that leads to code execution.”
In recent weeks, exploit attempts have also been registered against Hikvision cameras susceptible to an older flaw
(CVE-2017-7921), SANS ISC said.
Open DBs Turn into Persistent Backdoors
A sophisticated attack campaign has targeted improperly managed Microsoft SQL servers to deploy the open-source XiebroC2 command-and-control (C2) framework using PowerShell to establish persistent access to compromised systems.
The attack leverages vulnerable credentials on publicly accessible database servers, allowing threat actors to obtain an initial foothold and escalate privileges through a tool called JuicyPotato.
“XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to Cobalt Strike,” AhnLab said.
Vishers Bypass Code—They Hijack Humans
Google has outlined the various hardening recommendations that organizations can take to safeguard against attacks mounted by UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations’ Salesforce instances for large-scale data theft and subsequent extortion.
Central to the operation involves deceiving victims into authorizing a malicious connected app to their organization’s Salesforce portal.
“Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” it said.
“This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of the organization’s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.”
Phishers Use Robots.txt to Block Reporters
Censys said it identified over 60 cryptocurrency phishing pages impersonating popular hardware wallet brands Trezor and Ledger through an analysis of robots.txt files.
These sites have an entry in the file: “Disallow: /add_web_phish.php.”
“Notably, the actor behind the pages attempted to block popular phishing reporting sites from indexing the pages by including endpoints of the phishing reporting sites in their own robots.txt file,” the company said.
The unusual robots.txt pattern has also been discovered on several GitHub repositories, some of which date back to January 2025.
“The misuse of robots.txt and the merge conflicts found in multiple READMEs could also suggest that the actor behind these pages is not well-versed in web development practices,” security researcher Emily Austin added.
Drive Pauses Syncs — Buys You Minutes
Google has announced that it’s updating Google Drive for desktop with AI-powered ransomware detection to automatically stop file syncing and allow users to easily restore files with a few clicks.
“Our AI-powered detection in Drive for desktop identifies the core signature of a ransomware attack — an attempt to encrypt or corrupt files en masse — and rapidly intervenes to put a protective bubble around a user’s files by stopping file syncing to the cloud before the ransomware can spread,” Google Cloud said.
“The detection engine adapts to novel ransomware by continuously analyzing file changes and incorporating new threat intelligence from VirusTotal. When Drive detects unusual activity that suggests a ransomware attack, it automatically pauses syncing of affected files, helping to prevent widespread data corruption across an organization’s Drive and the disruption of work.”
Users subsequently receive an alert on their desktop and via email, guiding them to restore their files. The real-time ransomware detection capability is built atop a specialized AI model trained on millions of real victim files encrypted by various ransomware strains.
Imgur Cuts U.K. Users, Investigation Still Open
Imgur, a popular image hosting platform with more than 130 million users, has blocked access to users in the U.K. after regulators signalled their intention to impose penalties over concerns around children’s data.
The U.K.’s data watchdog, the Information Commissioner’s Office (ICO), said it recently notified the platform’s parent company, MediaLab AI, of plans to fine Imgur after investigating its approach to age checks and handling of children’s personal data.
The probe was launched earlier this March.
“Imgur’s decision to restrict access in the U.K. is a commercial decision taken by the company,” the ICO said.
“We have been clear that exiting the U.K. does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing.”
In a help page, Imgur confirmed U.K. users will not be able to log in, view content, or upload images.
App Could Collect Data — But Didn’t (Observed)
An audit of the Russian government’s new MAX instant messenger mobile app has found no evidence of surveillance beyond accessing features necessary for the app to function.
“During two days of observation, no test configurations revealed improper access to the camera, location, microphone, notifications, contacts, photos, and videos,” RKS Global said.
“Technically, the application had the ability to collect these data and send them, but experts did not record what happened. After revoking permits, the application does not record attempts to obtain these accesses again through requests or unauthorized.”
U.K. Demands Access — Targets Britons’ Backups
The U.K. government has issued a new request for Apple to provide access to encrypted iCloud user data, this time focusing specifically on the iCloud data of British citizens, according to the Financial Times.
The request, issued in early September 2025, has demanded that Apple create a way for officials to access encrypted iCloud backups.
In February, Apple withdrew iCloud’s Advanced Data Protection feature in the U.K.
Subsequent pushback from civil liberty groups and the U.S. government led to the U.K. apparently abandoning its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens.
In late August, the Financial Times also reported that the U.K. government’s secret order was “not limited to” Apple’s ADP feature and included requirements for Apple to “provide and maintain a capability to disclose categories of data stored within a cloud-based backup service,” suggesting that the access was far broader in scope than previously known.
Car Hacks Work Remotely — Cars Still Unfixed
Back in April 2025, Oligo Security disclosed a set of flaws in AirPlay called AirBorne (CVE-2025-24252 and CVE-2025-24132) that could be chained together to take over Apple CarPlay, in some cases, without even requiring any user interaction or authentication.
While the underlying technology uses the iAP2 protocol to establish a wireless connection over Bluetooth and negotiate a CarPlay Wi-Fi password to allow an iPhone to connect to the network and initiate screen mirroring, the researcher found that many devices and systems default to a “No-PIN” approach during the Bluetooth pairing phase, making the attacks “frictionless and harder to detect.”
This, coupled with the fact that iAP2 does not authenticate the iPhone, meant that an attacker with a Bluetooth radio and a compatible iAP2 client can impersonate an iPhone, request the Wi-Fi credentials, trigger app launches, and issue any arbitrary iAP2 command.
From there, attackers can exploit CVE-2025-24132 to achieve remote code execution with root privileges.
“Although patches for CVE-2025-24132 were published on April 29, 2025, only a few select vendors actually patched,” Oligo said.
“To our knowledge, as of this post, no car manufacturer has applied the patch.”
New Rules: Companies Must Stop Hoarding Data
Russia’s Ministry of Digital Development is working on regulations to force companies to restrict the type of data they collect from citizens in the country, in the hopes of minimizing future leaks of confidential data.
“Systems should not process information containing personal data beyond what is necessary to ensure business processes,” said Evgeny Khasin, acting director of the Ministry of Digital Development’s cybersecurity department.
“This is because many organizations tend to collect as much data as possible in order to interact with it in some way or use it for their own purposes, while the law stipulates that data should be minimized.”
EU Vote Split — Backdoors Lose Key Ally
The Dutch government has said it won’t support Denmark’s proposal for an E.U. Chat Control legislation to force tech companies to introduce encryption backdoors so as to scan communications for “abusive material.”
The proposal is up for a vote on October 14.
The Electronic Frontier Foundation (EFF) has called the legislative proposal “dangerous” and tantamount to “chat surveillance.”
Other E.U. countries that have opposed the controversial legislation include Austria, Czechia, Estonia, Finland, Luxembourg, and Poland.
Big Payout — Period Data Traded for Ads
Google has agreed to pay $48 million, and the menstrual tracking app Flo Health will pay $8 million to resolve a class action lawsuit alleging the app illegally shared people’s health data.
Google is expected to set up a $48 million fund for Flo app users who entered information about menstruation or pregnancy from November 2016 until the end of February 2019.
In March 2025, defunct data analytics company Flurry said it would pay $3.5 million for harvesting sexual and reproductive health data from the period tracking app.
The complaint, filed in 2021, alleged that Flo used software development kits to allow Google, Meta, and Flurry to intercept users’ communications within the app.
our Bot Chats Fuel Targeting — No Opt-Out
Meta Platforms said it plans to start using people’s conversations with its AI chatbot to help personalize ads and content.
The policy is set to go into effect on December 16, 2025. It won’t apply to users in the U.K., South Korea, and the European Union, for now.
While there is no opt-out mechanism, conversations related to religious or political views, sexual orientation, health, and racial or ethnic origin will be automatically excluded from the company’s personalization efforts.
The company said its AI digital assistant now has more than 1 billion active monthly users.
Kids’ Data Sold, Fake ‘People’ Messages Used
The Federal Trade Commission (FTC) has sued Sendit’s operating company, Iconic Hearts, and its CEO for “unlawfully collecting personal data from children, misleading users by sending messages from fake ‘people,’ and tricking consumers into purchasing paid subscriptions by falsely promising to reveal the senders of anonymous messages.”
The agency said,
“Even though it was aware that many users were under 13, Iconic Hearts failed to notify parents that it collected personal information from children, including their phone numbers, birthdates, photos, and usernames for Snapchat, Instagram, TikTok, and other accounts, and did not obtain parents’ verifiable consent to such data collection.”
Normal PDFs Turn Into Malware Traps
Threat actors are selling access to MatrixPDF, a tool that lets them alter ordinary PDF files to lures that can redirect users to malware or phishing sites.
“It bundles phishing and malware features into a builder that alters legitimate PDF files with fake secure document prompts, embedded JavaScript actions, content blurring, and redirects,” Varonis said.
“To the recipient, the file looks routine, yet opening it and following a prompt or link can result in credential theft or payload delivery.”
Edge Will Auto-Revoke Sideloads — Even Offline
Microsoft said it’s planning to introduce a new Edge security feature that will protect users against malicious extensions sideloaded into the web browser.
“Microsoft Edge will detect and revoke malicious sideloaded extensions,” it said.
The rollout is expected to start sometime in November 2025. It did not provide further details on how these dangerous extensions will be identified.
Algorithm to be Cloned — China Keeps Stake
The U.S. government extended the deadline for ByteDance to divest TikTok’s U.S. operations until December 16, 2025, making it the fourth such extension.
The development came as China said the U.S. spin-off of TikTok will use ByteDance’s Chinese algorithm as part of a U.S.-agreed framework that includes “licensing the algorithm and other intellectual property rights.”
The artificial intelligence (AI)-powered algorithm that underpins the app has been a source of concern among national security circles, as it could be manipulated to push Chinese propaganda or polarizing material to users.
China has also called the framework deal a “win-win.”
Under the framework deal, about 80% of TikTok’s U.S. business would be owned by a joint venture that includes Oracle, Silver Lake Partners, media mogul Rupert Murdoch, and Dell CEO Michael Dell, with ByteDance’s stake dropping below 20% to comply with the national security law.
The divestiture also extends to other applications like Lemon8 and CapCut that are operated by ByteDance.
Furthermore, TikTok’s algorithm will be copied and retrained using U.S. user data as part of the deal, with Oracle auditing the recommendation system.
The White House has also promised that all U.S. user data on TikTok will be stored on Oracle servers in the U.S.
New Stealer Climbs Fast — Linked to Vidar
An information stealer known as Acreed is gaining traction among threat actors, with a steady rise in Acreed logs in Russian-speaking forums. The stealer was first advertised on the Russian Market in February 2025 by a user named “Nu####ez” and is assessed to be a private project. As of September 2025, the top five information stealer strains included Rhadamanthys (33%), Lumma (33%), Acreed (17%), Vidar (12%), and StealC (5%). “At the present time, Acreed is maybe a privately developed project, but our infrastructure analysis shows that it is also integrated in an existing ecosystem that overlaps with Vidar,” Intrinsec said.
Forensics Tool Reused to Tunnel and Ransom
Cybersecurity company Sophos said it observed Warlock ransomware actors (aka Storm-2603 or Gold Salem) abusing the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish a Visual Studio Code network tunnel within the compromised environment. Some of the incidents led to the deployment of the ransomware. Warlock gained prominence in July 2025 after it was found to be of the threat actors abusing a set of security flaws in Microsoft SharePoint called ToolShell to infiltrate target networks. The group has claimed 60 victims as of mid-September 2025, starting its operations in March, including a Russian company, suggesting that it may be operating from outside the Kremlin. Microsoft has described it with moderate confidence as a China-based threat actor. The group has also been observed weaponizing the ToolShell flaws to drop an ASPX web shell that’s used to download a Golang-based WebSockets server that allows continued access to the compromised server independently of the web shell. Furthermore, Gold Salem has employed the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security defenses by using a vulnerability (CVE-2024-51324) in the Baidu Antivirus driver BdApiUtil.sys to terminate EDR software. “The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity,” Sophos said.
Chat’ Extensions Hijack Searches to Spy
Threat actors are distributing fake Chrome extensions posing as artificial intelligence (AI) tools like OpenAI ChatGPT, Llama, Perplexity, and Claude. Once installed, the extensions let users type prompts in the Chrome search bar, but will hijack the prompts to redirect queries to attacker-controlled domains and track search activity. The browser add-ons “override the default search engine settings via the chrome_settings_overrides manifest key,” Palo Alto Networks Unit 42 said. The queries are redirected to domains like chatgptforchrome[.]com, dinershtein[.]com, and gen-ai-search[.]com.
Routers Rented Out for Mining and DDoS
A sophisticated operation has been found to break into routers and IoT devices using weak credentials and known security flaws, and rent the compromised devices to other botnet operators.
The operation has witnessed a major spike in activity this year, jumping 230% in mid-2025, with the botnet loader-as-a-service infrastructure used to deliver payloads for DDoS and cryptomining botnets like RondoDoX, Mirai, and Morte, per CloudSEK.
Trackers Leak IDs — Stalking Made Simple
Tile location trackers leak sensitive information that can allow threat actors to track a device’s location. That’s according to researchers from the Georgia Institute of Technology, who reverse-engineered the location-tracking service and found that the devices leak MAC addresses and unique device IDs.
An attacker can take advantage of the absence of encryption protections to intercept and collect the information using a simple radio antenna, ultimately enabling them to track all of the company’s customers.
“Tile’s servers can persistently learn the location of all users and tags, unprivileged adversaries can track users through Bluetooth advertisements emitted by Tile’s devices, and Tile’s anti-theft mode is easily subverted,” the researchers said in a study.
The issues were reported to its parent company Life360 in November 2024, following which it said a
“number of improvements” were rolled out to address the problem, without specifying what those were.
Quantum-Ready SSH Up 30% — TLS Lags
New statistics released by Forescout show that a quarter of all OpenSSH and 8.5% of all SSH servers now support post-quantum cryptography (PQC).
In contrast, TLSv1.3 adoption remains at 19% and TLSv1.2 – which does not support PQC – increased from 43% to 46%.
The report also found that manufacturing, oil and gas, and mining have the lowest PQC adoption rates, whereas professional and business services have the highest.
“The absolute number of servers with PQC support grew from 11.5 million in April to almost 15 million in August, an increase of 30%,” it added.
The relative number grew from 6.2% of total servers to 8.5%.
Prefs Can Be Poisoned — Extensions Forced Active
Synacktiv has documented a new technique to programmatically inject and activate Chrome extensions in Chromium-based browsers within Windows domains for malicious purposes by manipulating Chromium internal preference files and their associated JSON MAC property (“super_mac”).
The research “highlights the inherent challenge in cryptographically protecting browser-internal secrets like the MAC seed, as any truly robust solution would need to account for diverse operating system-specific security mechanisms (like DPAPI on Windows) without affecting cross-platform compatibility,” the company said.
Phish Kits Grab Duo Codes, Then Move Laterally
An email phishing campaign has been spotted targeting entities in the higher education sector to steal credentials and Cisco Duo one-time passwords (OTPs) with the goal of compromising accounts, exfiltrating data, and launching lateral attacks.
“Targets are funneled to spoofed sign-in portals that perfectly mimic university login pages,” Abnormal AI said.
“Then, purpose-built phishing kits harvest both credentials and Duo one-time passwords (OTPs) through seamless multi-step flows. With these details in hand, attackers swiftly hijack accounts, hide their tracks with malicious mailbox rules, and launch lateral phishing campaigns within the same organization.”
More than 40 compromised organizations and over 30 targeted universities and colleges have been identified as part of the campaign.
Every breach has one thing in common: people. Whether it’s a tricked employee, a careless click, or a decision to delay a patch — humans shape the outcome. Stay sharp, stay informed, and help others do the same.
Running a SOC often feels like drowning in alerts. Every morning, dashboards light up with thousands of signals; some urgent, many irrelevant. The job is to find the real threats fast enough to keep cases from piling up, prevent analyst burnout, and maintain client or leadership confidence.
The toughest challenges, however, aren’t the alerts that can be dismissed quickly, but the ones that hide in plain sight. These tricky threats drag out investigations, create unnecessary escalations, and quietly drain resources over time.
Why Detection Gaps Keep Opening
What slows SOCs down isn’t the flood of alerts alone but the way investigations get split across disconnected tools. Intel in one platform, detonation in another, enrichment in a third; every switch wastes time. Across hundreds of cases, those minutes add up to stalled investigations, unnecessary escalations, and threats that linger longer than they should.
Action Plan That Delivers 3× SOC Efficiency in Threat Detection
SOC teams looking to close detection gaps have found one approach that works: building detection as a continuous workflow, where every step reinforces the next. Instead of stalling in disconnected tools, analysts move through a process that flows, from filtering alerts to detonating suspicious files to validating indicators.
A recent ANY.RUN survey shows just how much this shift can change SOC performance:
95% of SOC teams reported faster investigations
94% of users said triage became quicker and clearer
21 minutes saved on MTTR for each case
Up to 58% more threats identified overall
3-step action plan with its impact when using ANY.RUN
Behind these numbers is more than speed. SOCs that adopted this workflow reduced alert overload, gained clearer visibility into complex attacks, and built confidence in compliance and reporting. Teams also grew faster in expertise, as analysts learned by doing rather than relying solely on static reports.
So how are these numbers possible? The answer lies in three practical steps SOC teams have already put into action.
Let’s look at how this plan works, and how you can implement it in your own workflows.
Step 1: Expand Threat Coverage Early
The earlier a SOC can spot an incident, the faster it can respond. Threat Intelligence Feeds give analysts fresh, actionable IOCs drawn from the latest malware campaigns; IPs, domains, and hashes seen in real-world attacks. Instead of chasing alerts blindly, teams start with data that reflects what’s happening across the threat landscape right now.
TI Feeds as your first step in threat detection
With this early coverage, SOCs gain three key advantages: they catch incidents sooner, stay aligned with current threats, and cut down on noise that clutters Tier 1. In practice, that means a 20% decrease in Tier 1 workload and fewer escalations eating into senior analysts’ time.
Don’t let detection gaps slow your team down. Start with the 3-level process today and give your SOC the clarity and speed it needs.
The best part is that Threat Intelligence Feeds are available in multiple formats with simple integration options, so they can plug directly into your existing SIEM, TIP, or SOAR setup without disrupting workflows.
By filtering out duplicates and irrelevant signals at the start, Threat Feeds free up resources and ensure analysts focus on the alerts that actually matter.
Step 2: Streamline Triage & Response with Interactive Sandbox
Once alerts are filtered, the next challenge is proving what’s left. An interactive sandbox becomes the SOC’s proving ground. Instead of waiting for static reports, analysts can detonate suspicious files and URLs in real time, watching behavior unfold step by step.
This approach exposes what most automated defenses miss; payloads that need clicks to activate, staged downloads that appear over time, and evasive tactics designed to fool passive detection.
ANY.RUN’s sandbox analyzing complex threat
The result is faster, clearer answers:
Evasive attacks exposed before they can escalate
Actionable threat reports generated for quick response
Routine tasks minimized with automated investigations
In practice, SOCs achieve a 15-second median detection time, turning what used to be long, uncertain investigations into rapid, decisive outcomes.
By combining real-time visibility with automation, the sandbox gives specialists of all levels the confidence to act quickly, while freeing senior staff from spending hours on routine triage.
Step 3: Strengthen Proactive Defense with Threat Intelligence Lookup
Even with full sandbox results, one question always remains: has this threat been seen before? Knowing whether an IOC is part of a fresh campaign or one already circulating across industries can completely change how a SOC responds.
That’s why the third step is implementing Threat Intelligence Lookup. By tapping into live attack data contributed by more than 15,000 SOCs worldwide, analysts instantly enrich their findings and connect isolated alerts to wider patterns.
TI Lookup search of attack and its relevant sandbox analyses
The advantages are clear:
Hidden threats uncovered through proactive hunting
Greater incident clarity with rich historical context
Real-time visibility into evolving campaigns
With access to 24× more IOCs than typical isolated sources, security professionals can validate faster, close tickets sooner, and anticipate what might be coming next.
This final step ensures that every investigation ends with stronger evidence; not just a snapshot of one case, but an understanding of how it fits into the bigger threat landscape.
Build a Stronger SOC With a Unified Detection Workflow
Closing detection gaps is possible by creating a workflow where every stage strengthens the next. With early filtering from Threat Feeds, real-time visibility from the sandbox, and global context from Lookup, SOCs move from fragmented detection to a continuous process that delivers measurable results: faster triage, fewer escalations, and up to 3× greater efficiency in threat detection.
Organizations worldwide are already seeing the benefits:
74% of Fortune 100 companies use ANY.RUN to reinforce SOC operations
15,000+ organizations have integrated it into their detection workflows
500,000+ users rely on it daily for malware analysis and threat intelligence
Boost your detection rate, cut investigation time, and strengthen SOC efficiency.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.).
Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” ESET researcher Lukáš Štefanko said. Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.”
The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, leveraging deceptive websites masquerading as Signal and ToTok to host booby-trapped APK files that claim to be upgrades to the respective apps, namely Signal Encryption Plugin and ToTok Pro.
The use of ToTok as a lure is no coincidence, as the app was removed from Google Play and Apple App Store in December 2019 due to concerns that it acted as a spying tool for the U.A.E. government, harvesting users’ conversations, locations, and other data.
The developers of ToTok subsequently went on to claim the removal was an “attack perpetrated against our company by those who hold a dominant position in this market” and that the app does not spy on users.
The rogue ProSpy apps are designed to request permissions to access contacts, SMS messages, and files stored on the device. It’s also capable of exfiltrating device information.
ESET said its telemetry also flagged another Android spyware family actively distributed in the wild and targeting users in the same region around the same time ProSpy was detected. The ToSpy campaign, which likely began on June 30, 2022, and is currently ongoing, has leveraged fake sites impersonating the ToTok app to deliver the malware.
The regionally focused campaigns center around stealing sensitive data files, media, contacts, and chat backups, with the ToTok Pro app propagated in the ProSpy cluster featuring a “CONTINUE” button that, when tapped, redirects the user to the official download page in the web browser and instructs them to download the actual app.
“This redirection is designed to reinforce the illusion of legitimacy,” ESET said. “Any future launches of the malicious ToTok Pro app will instead open the real ToTok app, effectively masking the spyware’s presence. However, the user will still see two apps installed on the device (ToTok and ToTok Pro), which could be suspicious.”
The Signal Encryption Plugin, in a similar manner, includes an “ENABLE” button to deceive the users into downloading the legitimate encrypted messaging app by visiting the signal[.]org site. But unlike the case of ToTok Pro, the rogue Signal app icon is changed to impersonate Google Play Services once the victim grants it all the necessary permissions.
Regardless of the app installed, the spyware embedded within it stealthily exfiltrates the data before the user clicks CONTINUE or ENABLE. This includes device information, SMS messages, contact lists, files, and a list of installed applications.
“Similarly to ProSpy, ToSpy also includes steps designed to further deceive the victim into believing that the malware they just installed is a legitimate app,” Štefanko said. “After the user launches the malicious ToTok app, there are two possible scenarios: either the official ToTok app is installed on the device or it’s not.”
“If the official ToTok app is not installed on the device, ToSpy attempts to redirect the user to the Huawei AppGallery, either through an already installed Huawei app or via the default browser, suggesting the user download the official ToTok app.”
In the event the app is already installed on the device, it displays a fake screen to give the impression that it’s checking for app updates before seamlessly launching the official ToTok app. However, in the background, it collects user contacts, files matching certain extensions, device information, and ToTok data backups (*.ttkmbackup).
To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android’s AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.
ESET said the campaigns are being tracked differently due to differences in delivery methods and infrastructure, despite several commonalities in the malware deployed. It’s currently not known who is behind the activity.
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” the company added.
In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel’s Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data.
SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution Environment (TEE). It essentially isolates trusted code and resources within what’s called enclaves, preventing attackers from viewing their memory or CPU state.
In doing so, the mechanism ensures that the data stays confidential even when the underlying operating system has been tampered with or compromised by other means. However, the latest findings show the limitations of SGX.
“We show how one can build a device to physically inspect all memory traffic inside a computer cheaply and easily, in environments with only basic electrical tools, and using equipment easily purchased on the internet,” the researchers said. “Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security.”
Like the Battering RAM attack recently disclosed by KU Leuven and the University of Birmingham researchers, the newly devised method – codenamed WireTap – relies on an interposer that sits between the CPU and the memory module to observe the data that flows between them. The interposer can be installed by a threat actor either through a supply chain attack or physical compromise.
At its core, the physical attack exploits Intel’s use of deterministic encryption to stage a full key recovery against Intel SGX’s Quoting Enclave (QE), effectively making it possible to extract an ECDSA signing key that can be used to sign arbitrary SGX enclave reports.
Put differently, an attacker can weaponize the deterministic nature of memory encryption to build an oracle of sorts to break the security of constant-time cryptographic code.
“We have successfully extracted attestation keys, which are the primary mechanism used to determine whether code is running under SGX,” the researchers said. “This allows any hacker to masquerade as genuine SGX hardware, while in fact running code in an exposed manner and peeking into your data.”
“Like two sides of the same coin, WireTap and Battering RAM look at complementary properties of deterministic encryption. While WireTap focuses mainly on breaching confidentiality, BatteringRAM focuses mostly on integrity. The bottom line is the same; however, both SGX and SEV are easy to break using memory interposition.”
However, while Battering RAM is a low-cost attack that can be pulled off using equipment costing less than $50, the WireTap setup costs about $1,000, including the logic analyzer.
In a hypothetical attack scenario targeting SGX-backed blockchain deployments such as Phala Network, Secret Network, Crust Network, and IntegriTEE, the study found that WireTap can be leveraged to undermine confidentiality and integrity guarantees and allow attackers to disclose confidential transactions or illegitimately obtain transaction rewards.
In response to the findings, Intel said the exploit is outside the scope of its threat model since it assumes a physical adversary that has direct access to the hardware with a memory bus interposer. In the absence of a “patch,” it’s recommended that the servers be run in secure physical environments and use cloud providers that provide independent physical security.
“Such attacks are outside the scope of the boundary of protection offered by Advanced Encryption Standard-XEX-based Tweaked Codebook Mode with Ciphertext Stealing (AES-XTS) based memory encryption,” the chipmaker said. “As it provides limited confidentiality protection, and no integrity or anti-replay protection against attackers with physical capabilities, Intel does not plan to issue a CVE.”
Oct 01, 2025The Hacker NewsAutomation / IT Operations
AI is changing automation—but not always for the better. That’s why we’re hosting a new webinar, “Workflow Clarity: Where AI Fits in Modern Automation,” with Thomas Kinsella, Co-founder & Chief Customer Officer at Tines, to explore how leading teams are cutting through the hype and building workflows that actually deliver.
The rise of AI has changed how organizations think about automation. But here’s the reality many teams are quietly wrestling with: AI isn’t a silver bullet. Purely human-led workflows buckle under pressure, rigid rules-based automations break the moment reality shifts, and fully autonomous AI agents risk introducing black-box decision-making that’s impossible to audit.
For cybersecurity and operations leaders, the stakes are even higher. You need workflows that are fast but reliable, powerful but secure, and—above all—explainable.
So where does AI really fit in?
The Hidden Problem with “All-In” Automation
The push to automate everything has left many teams with fragile systems:
Too much human intervention: slows down response time and eats up valuable analyst hours.
Too many rigid rules: can’t adapt to new threats or business realities, leading to constant rework.
Too much AI: risks shadow processes that no one fully understands, undermining trust and compliance.
The truth? The strongest workflows aren’t found at the extremes—they emerge when human judgment, traditional automation, and AI are blended intentionally.
A Webinar for Teams Who Want More Than AI Hype
Join Thomas Kinsella for a candid look at how top security and operations teams are blending people, rules, and AI agents to build workflows that deliver real outcomes—without over-engineering or sacrificing control.
In this session, you’ll learn:
Where AI belongs (and where it doesn’t): practical guidance on mapping human, rules-based, and AI-driven tasks.
How to avoid AI overreach: spotting when automation is adding complexity instead of clarity.
Building for security and auditability: ensuring workflows stand up to compliance and scrutiny.
Proven patterns from the field: real-world examples of how top security teams are scaling AI automation thoughtfully.
This session is designed for security leaders who are tired of the AI hype and want to cut through the noise. If you’re looking for practical strategies to deploy automation that strengthens defenses—without creating new risks—this is for you.
It’s equally valuable for Ops and IT teams working to free up their human talent while avoiding brittle, opaque systems that collapse under real-world pressure. And if you’re an innovation-minded professional exploring how to balance people, rules, and AI agents in the workplace, you’ll walk away with a clear framework for making those choices.
AI is already transforming workflows, but the winners won’t be those who chase complexity—they’ll be the teams who embrace clarity, security, and control. This webinar will give you the tools to identify the right mix of human, rules-based, and AI automation for your environment, and show you how to implement it in ways that are secure, auditable, and built to scale with confidence.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Oct 01, 2025Ravie LakshmananVulnerability / API Security
A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain circumstances.
The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of incorrect resource transfer between spheres (CWE-669), which causes a program to cross security boundaries and obtain unauthorized access to confidential data or functions.
CVE-2025-59363 “allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization’s OneLogin tenant,” Clutch Security said in a report shared with The Hacker News.
The identity security said the problem stems from the fact that the application listing endpoint – /api/2/apps – was configured to return more data than expected, including the client_secret values in the API response alongside metadata related to the apps in a OneLogin account.
The steps to pull off the attack are listed below –
Attacker uses valid OneLogin API credentials (client ID and secret) to authenticate
Request access token
Call the /api/2/apps endpoint to list all applications
Parse the response to retrieve client secrets for all OIDC applications
Use extracted client secrets to impersonate applications and access integrated services
Successful exploitation of the flaw could allow an attacker with valid OneLogin API credentials to retrieve client secrets for all OIDC applications configured within a OneLogin tenant. Armed with this access, the threat actor could leverage the exposed secret to impersonate users and gain access to other applications, offering opportunities for lateral movement.
OneLogin’s role-based access control (RBAC) grants API keys broad endpoint access, meaning the compromised credentials could be used to access sensitive endpoints across the entire platform. Compounding matters further is the lack of IP address allowlisting, as a result of which it’s possible for attackers to exploit the flaw from anywhere in the world, Clutch noted.
Following responsible disclosure on July 18, 2025, the vulnerability was addressed in OneLogin 2025.3.0, which was released last month by making OIDC client_secret values no longer visible. There is no evidence that the issue was ever exploited in the wild.
“Identity providers serve as the backbone of enterprise security architecture,” Clutch Security said. “Vulnerabilities in these systems can have cascading effects across entire technology stacks, making rigorous API security essential.”
A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions.
OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration.
The vulnerability, tracked as CVE-2025-10725, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as “Important” and not “Critical” in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment.
“A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator,” Red Hat said in an advisory earlier this week.
“This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.”
The following versions are affected by the flaw –
Red Hat OpenShift AI 2.19
Red Hat OpenShift AI 2.21
Red Hat OpenShift AI (RHOAI)
As mitigations, Red Hat is recommending that users avoid granting broad permissions to system-level groups, and “the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group.”
“The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege,” it added.
Oct 01, 2025The Hacker NewsAutomation / IT Operations
AI is changing automation—but not always for the better. That’s why we’re hosting a new webinar, “Workflow Clarity: Where AI Fits in Modern Automation,” with Thomas Kinsella, Co-founder & Chief Customer Officer at Tines, to explore how leading teams are cutting through the hype and building workflows that actually deliver.
The rise of AI has changed how organizations think about automation. But here’s the reality many teams are quietly wrestling with: AI isn’t a silver bullet. Purely human-led workflows buckle under pressure, rigid rules-based automations break the moment reality shifts, and fully autonomous AI agents risk introducing black-box decision-making that’s impossible to audit.
For cybersecurity and operations leaders, the stakes are even higher. You need workflows that are fast but reliable, powerful but secure, and—above all—explainable.
So where does AI really fit in?
The Hidden Problem with “All-In” Automation
The push to automate everything has left many teams with fragile systems:
Too much human intervention: slows down response time and eats up valuable analyst hours.
Too many rigid rules: can’t adapt to new threats or business realities, leading to constant rework.
Too much AI: risks shadow processes that no one fully understands, undermining trust and compliance.
The truth? The strongest workflows aren’t found at the extremes—they emerge when human judgment, traditional automation, and AI are blended intentionally.
A Webinar for Teams Who Want More Than AI Hype
Join Thomas Kinsella for a candid look at how top security and operations teams are blending people, rules, and AI agents to build workflows that deliver real outcomes—without over-engineering or sacrificing control.
In this session, you’ll learn:
Where AI belongs (and where it doesn’t): practical guidance on mapping human, rules-based, and AI-driven tasks.
How to avoid AI overreach: spotting when automation is adding complexity instead of clarity.
Building for security and auditability: ensuring workflows stand up to compliance and scrutiny.
Proven patterns from the field: real-world examples of how top security teams are scaling AI automation thoughtfully.
This session is designed for security leaders who are tired of the AI hype and want to cut through the noise. If you’re looking for practical strategies to deploy automation that strengthens defenses—without creating new risks—this is for you.
It’s equally valuable for Ops and IT teams working to free up their human talent while avoiding brittle, opaque systems that collapse under real-world pressure. And if you’re an innovation-minded professional exploring how to balance people, rules, and AI agents in the workplace, you’ll walk away with a clear framework for making those choices.
AI is already transforming workflows, but the winners won’t be those who chase complexity—they’ll be the teams who embrace clarity, security, and control. This webinar will give you the tools to identify the right mix of human, rules-based, and AI automation for your environment, and show you how to implement it in ways that are secure, auditable, and built to scale with confidence.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
