Yesterday — 18 October 2025, CyberScoop

Europol dismantles cybercrime network linked to $5.8M in financial losses

17 October 2025 at 15:42

European law enforcement dismantled and seized an expansive cybercrime operation used to facilitate phishing attacks via mobile networks for fraud, including account intrusions, credential and financial data theft, Europol said Friday.

Investigators from Austria, Estonia and Latvia linked the cybercrime networks to more than 3,200 fraud cases, which also involved investment scams and fake emergencies for financial gain. Financial losses amounted to about $5.3 million in Austria and $490,000 in Latvia, authorities said.

The operation dubbed “SIMCARTEL” netted seven arrests and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards that were used to conduct various cybercrimes over telecom networks. Officials described the infrastructure as highly sophisticated, adding that the online service it supported provided telephone numbers for criminal activities to people in more than 80 countries.

“It allowed perpetrators to set up fake accounts for social media and communications platforms, which were subsequently used in cybercrimes while obscuring the perpetrators’ true identity and location,” Europol said in a news release.

The law enforcement operation largely occurred Oct. 10 in Latvia, spanning 26 searches that also resulted in the seizure of hundreds of thousands of additional SIM cards, five servers and two websites. Officials also seized four luxury vehicles and froze a combined $833,000 in suspects’ bank and cryptocurrency accounts. 

Europol said the full scale of the cybercrime network is still under investigation, but they’ve already traced the operation to more than 49 million accounts that were created and provided by the suspects. 

The services provided by the cybercriminal organization were also allegedly used to commit extortion, migrant smuggling and various scams involving second-hand marketplaces, fake investments, shops and websites. 

The coordinated takedown underscored the global prevalence of SIM farms, which allow cybercriminals to conduct and sell services for scams and various criminal activities via mobile network infrastructure. The Secret Service last month disrupted a network of electronic devices in the New York City area that included more than 300 servers and 100,000 SIM cards spread across multiple sites in the region. 

Unit 221B on Thursday warned that SIM boxes and SIM farms are growing rapidly, placing any phone user, bank, network carrier or retailer at risk. Ben Coon, Unit 221B’s chief intelligence officer, has identified at least 200 SIM boxes operating across dozens of locations across the United States, the company said on LinkedIn.

Europol published a video of the Latvian police takedown: https://youtu.be/Z-ImysXws-0

The post Europol dismantles cybercrime network linked to $5.8M in financial losses appeared first on CyberScoop.

John Bolton indictment says suspected Iranian hackers accessed his emails, issued threats

17 October 2025 at 11:10

Suspected Iranian hackers infiltrated former national security adviser John Bolton’s email account and threatened to release sensitive materials, his indictment alleges.

The indictment on charges that Bolton mishandled classified information, released Thursday, comes after President Donald Trump’s unprecedented public call for the Justice Department to prosecute his enemies. Bolton served under Trump in his first term as national security adviser and since has become a critic.

The passage of the indictment related to the Iranian hackers seeks to demonstrate a representative of Bolton knew his personal emails included information they shouldn’t have.

In early July of 2021, according to the indictment, the Bolton representative contacted the FBI to alert the bureau about the apparent hack, and their suspicion that it was someone from Iran. The indictment states that it was “a cyber actor believed to be associated with the Islamic Republic of Iran.”

The Justice Department had recently closed an investigation into whether Bolton illegally published classified information in a memoir. Later that July, the apparent hackers threatened to release Bolton’s emails, drawing comparisons to the leak of 2016 Democratic presidential candidate Hillary Clinton’s emails.

“I do not think you would be interested in the FBI being aware of the leaked content of John’s email (some of which have been attached), especially after the recent acquittal,” the threatening note from on or about July 25 read, the indictment states. “This could be the biggest scandal since Hillary’s emails were leaked, but this time on the GOP side! Contact me before it’s too late.”

Days later — on or about July 28, the indictment states — Bolton’s representative also told the FBI that they were “[j]ust sending you the text (not the documents [the hacker] attached since there might be sensitive information in them.)”

According to the indictment, “A day later, on or about July 29, 2021, Bolton’s representative told the FBI that Bolton would be deleting the contents of his personal email account that had been hacked.”

Bolton got one more message from the apparent hackers in August. “OK John … As you want (apparently), we’ll disseminate the expurgated sections of your book by reference to your leaked email…” It’s not clear if the hackers followed through on the threat, or what they demanded of Bolton not to release the sections.

Bolton didn’t disclose to the FBI that he had used a hacked email account to share classified information with two unnamed relatives, “nor did he tell the FBI that the hackers now held this information,” the indictment reads.

A search warrant affidavit released last month contains a passage headed “Hack of Bolton AOL Account by Foreign Entity,” but the passage itself is redacted.

Bolton surrendered to authorities on Friday. The law firm of the lawyer defending Bolton did not immediately respond to an email about the indictment passages related to the alleged hack, but his attorney, Abbe Lowell, has denied Bolton committed any crimes.

“These charges stem from portions of Ambassador Bolton’s personal diaries over his 45-year career — records that are unclassified, shared only with his immediate family, and known to the FBI as far back as 2021,” Lowell said in a statement. “Like many public officials throughout history, Ambassador Bolton kept diaries — that is not a crime.”


Before yesterday, CyberScoop

North Korean operatives spotted using evasive techniques to steal data and cryptocurrency

16 October 2025 at 17:54

North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.

Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns. 

GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks. 

Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.

By installing EtherHiding on the blockchain, UNC5342 can remotely update the malware’s functionality and maintain continuous control over their operations without worry about infrastructure takedowns or disruptions.

“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google’s incident response firm, said in an email. 

Google researchers described North Korea’s social engineering campaign as a sophisticated and ongoing effort to commit espionage, gain persistent access to corporate networks and steal sensitive data or cryptocurrency during the job application and interview process.

The crux of these attacks often occurs during a fake technical assessment when job candidates are asked to download files that unbeknownst to them contain malicious code, according to Google. Researchers observed a multi-stage malware infection process involving JadeSnow, BeaverTail and InvisibleFerret.

Cisco Talos researchers uncovered a Famous Chollima attack on an undisclosed organization based in Sri Lanka that likely originated from a user that fell for a fake job offer. The organization wasn’t targeted by the attackers, according to the report.

Researchers observed a previously undocumented keylogging and screenshotting module in the campaign that they traced to OtterCookie samples. The information-stealing malware contained a module that listens for keystrokes and periodically takes screenshots of the desktop session, which are automatically uploaded to the OtterCookie command and control server, Cisco Talos said.

Cisco and Google both shared indicators of compromise in their respective reports to help threat hunters find additional artifacts of the North Korea threat groups’ malicious activity.


Why the web-hosting industry needs a trust seal

By: Greg Otto
16 October 2025 at 06:00

Every day, billions of people place their trust in websites they know little about. Behind each one is a hosting provider, but not all of them play by the same rules. 

Traditionally, privacy policies let web visitors understand how their data would be handled, and SSL (Secure Sockets Layer) certificates ensured their connection was encrypted. Those safeguards were once sufficient. Today, they are not.

The online threat landscape is evolving at the speed and scale of AI development, and many on the front lines are unprepared. A recent survey of 600 enterprise IT leaders found that just 10% of respondents were very confident in their ability to address AI-enabled attacks targeting their organizations. 

Before AI, cyberattacks were primarily rule-based, scripted, and manually executed. These attacks now deploy everything from deepfake phishing calls to automated vulnerability scanning. AI has enhanced their scale, personalization, and automation, making them easier to adapt and harder to detect. That should alarm us all. 

This isn’t only about evolving to meet technological advancements — it’s also about trust. Consumers and businesses alike must be able to identify which providers meet high standards for transparency, reliability, and accountability. Without that clarity, they are left in the dark, unable to make informed choices about who they rely on to keep their digital lives safe. In an era of relentless cyberattacks, the internet needs a higher standard to safeguard not just websites, but the very trust that keeps the entire system running. 

That’s why the Secure Hosting Alliance (SHA) is introducing the SHA Trust Seal. The seal sets a clear bar for providers by demanding transparency, accountability, and resilience. Certified hosts commit to offering fair and understandable terms of service, with no hidden surprises. They act quickly and responsibly when their infrastructure is misused, maintain reliable and resilient services through proactive monitoring and recovery planning, and handle government requests with documented, lawful processes that respect privacy and due process. Most importantly, they commit to ongoing accountability. 

In recent years, transparency has become a cornerstone of the larger cybersecurity community, with companies expected to back up their claims through independent audits, public disclosures, and measurable outcomes. Trust seals are already standard in industries like e-commerce, finance, and health care, where sensitive information is exchanged and verified authentication is essential. Given that the web-hosting industry is part of the internet’s critical infrastructure, it too deserves a clear symbol of trust. The SHA Trust Seal delivers exactly that, translating providers’ promises from words on a website into commitments that can be verified against clear, rigorous standards.

The Trust Seal also reflects a larger shift in how the industry tackles problems. Instead of every company responding in isolation, SHA works with partners such as the Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) to build common approaches for preventing cybercrime, improving incident response, and reducing misuse of hosting resources. By creating consistent expectations across providers, the seal helps establish a baseline for what responsible stewardship of the internet should look like.

The stakes are high. From ransomware to supply chain breaches, hackers increasingly target the companies behind the websites we use every day. Earlier this year, Cloudflare blocked a record-breaking distributed denial-of-service (DDoS) attack of 7.3 terabits per second — the largest in history. Attacks like this strike at the very infrastructure of the internet, yet most consumers remain unaware of how fragile that foundation can be. 

This lack of visibility is exactly why a trust seal is needed. The SHA Trust Seal is more than just a badge — it’s a promise. It gives responsible providers a way to make their commitments visible, reassuring customers, elevating industry standards, and strengthening the foundation of a safer internet. By embracing a trust seal, the web hosting industry can transform security from a hidden feature into a visible standard.

Christian Dawson is the co-founder of the Internet Infrastructure Coalition (i2Coalition) and the Coalition on Digital Impact (CODI).


PowerSchool hacker sentenced to 4 years in prison

15 October 2025 at 18:27

A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.

Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.

U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.

Federal prosecutors were seeking a sentence of eight years for Lane, arguing that the crimes he pleaded guilty to follow a series of cybercriminal activities dating back to 2021. “The government has serious concerns that Lane poses an ongoing threat to the community and remains in denial about the scope of his criminal activity,” prosecutors said in a sentencing memo filed Oct. 7 in the U.S. District Court for the District of Massachusetts.

Prosecutors cited multiple examples of other cybercriminals who committed and were convicted of less serious crimes. In those cases, the lighter sentences cybercriminals received did not sufficiently deter them from reengaging in cybercrime upon their release from jail. Lane’s attack on PowerSchool put 10 million teachers and 60 million children, some as young as five years old, at risk of identity theft for the remainder of their lives, prosecutors said. 

The PowerSchool attack, which Lane committed in September 2024 by using a PowerSchool contractor’s credentials to gain unauthorized access, is reportedly the single largest breach of American schoolchildren’s data on record. Lane threatened to release the data in December 2024 if PowerSchool didn’t pay a ransom valued at nearly $2.9 million at the time.

Multiple school district customers of PowerSchool received follow-on extortion demands linked to the same stolen data, the company said in May. The downstream extortion attempts underscore how cybercriminals, affiliated or not, will continue to exploit sensitive data for financial gain.

Lane forfeited almost $161,000 traced to his crimes, but about $3 million in illicit proceeds remains unaccounted for, according to court documents. “The money he returned is barely one percent of the financial loss he caused,” prosecutors said in the court filing.

Lane is required to surrender to the Federal Bureau of Prisons by Dec. 1.


CISA warns of imminent risk posed by thousands of F5 products in federal agencies

15 October 2025 at 14:26

Federal cyber authorities issued an emergency directive Wednesday requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.

The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.

F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.

CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.

Many federal agencies and private organizations could be impacted. CISA said there are thousands of F5 product types in use across executive branch agencies. 

These attacks on widely used vendors and their customers are part of a broader campaign targeting key elements of America’s technology supply chain, extending the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at CISA, said during a media briefing. 

CISA declined to name the country or specific threat groups behind the attack on F5’s systems. Generally, the broader goal of nation-state attackers is to maintain persistent access within the targeted victim’s network to hold those systems hostage, launch a future attack, or gather sensitive information, Andersen said.

CISA’s order requires federal agencies to apply security patches F5 released in response to the attack, disconnect non-supported devices or services, and provide CISA a report including a detailed inventory of all instances of F5 products within scope of the directive.

Officials referred questions about the effectiveness of F5’s security patches back to the vendor and declined to independently verify if the software updates have fixed the vulnerabilities attackers gained information on during the breach. 

Neither CISA nor F5 has explained how the attackers gained access to F5’s internal systems.

Officials repeatedly insisted that the government shutdown and multiple waves of reductions to CISA’s workforce did not negatively affect or delay the government’s ability to coordinate with partners, respond to this threat and issue the emergency directive. Andersen declined to say how many CISA employees have been dismissed with reduction-in-force orders since the federal government shut down two weeks ago. 

“This is really part of getting CISA back on mission,” Andersen said.

“While, yes, this may be the third emergency directive that’s been issued since the beginning of the Trump administration, this is the core operational mission for CISA,” Andersen said. “That’s really what we should be doing, and we’re able to continue to perform that mission in collaboration with our asset partners right now.”


F5 discloses breach tied to nation-state threat actor

By: Greg Otto
15 October 2025 at 10:36

F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.

According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to be “a substantial risk to national security or public safety.”

Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. It also said the files taken were “configuration or implementation information for a small percentage of customers.”

F5 reported that independent reviews by incident response firms found no evidence the attacker had modified the software supply chain, including source code or build and release pipelines. The company stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities, nor any current exploitation linked to the breach. The company also stated that containment actions were implemented promptly and have so far been effective, with no evidence of new unauthorized activity since those efforts began.

According to the SEC form, no evidence was found of access to the company’s customer relationship management, financial, support case management, or iHealth systems. However, the company said a portion of the exfiltrated files included configuration or implementation details affecting a small percentage of customers. F5 is continuing to review these materials and is contacting customers as needed.

Investigative findings further indicated that the NGINX product development environment, as well as F5 Distributed Cloud Services and Silverline systems, remained unaffected.

The United Kingdom’s National Cyber Security Centre said in a notice there is currently no indication customer networks have been impacted as a result of F5’s compromised network.

F5 has continued to work alongside federal law enforcement throughout its response and is implementing additional measures to strengthen its network defenses. Company officials reported that the breach has not had a material effect on its daily operations as of the disclosure date. Ongoing assessments are being conducted to determine if there may be any impact on the company’s financial position or results.

F5, based in Seattle, is a major player in the application security and delivery market, serving thousands of enterprise customers worldwide, including much of the Fortune 500. The company’s primary offerings include its BIG-IP line of hardware and software products, which provide network traffic management, application security, and access control, as well as its NGINX and F5 Distributed Cloud Services platforms. F5’s technologies are used extensively by businesses, government agencies, and service providers around the world. 

Fixes rolled out

F5 released a series of updates to its BIG-IP software suite and advised customers to update their clients for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM as soon as possible. 

The company also shared steps customers can take to harden their F5 systems and added some checks to its diagnostic tool, which can help identify gaps in security and prioritize a proper course of action. 

F5 encouraged customers to monitor for potentially unauthorized login attempts and configuration changes by integrating their security information and event management tools. 

The vendor said it bolstered its internal security in the wake of the breach by rotating credentials and improving its network security architecture and access controls across its systems. F5 also added tools to better monitor, detect and respond to threats, and said it strengthened security controls in its product development environment. 

The company brought in multiple firms to assist in its response and recovery efforts, including NCC Group, IOActive and CrowdStrike. F5 said it’s working with CrowdStrike to make endpoint detection and response sensors and threat hunting available to its customers. 

NCC Group and IOActive both attested that they have not identified any critical-severity vulnerabilities in F5’s source code nor did they find evidence of exploited defects in the company’s critical software, products or development environment. NCC Group added that it has not found any suspicious threat activity such as malicious code injection, malware or backdoors in F5 source code during its review thus far.

“Your trust matters. We know it is earned every day, especially when things go wrong,” the company said in a blog post. “We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”

Matt Kapko contributed to this story.


Swalwell seeks answers from CISA on workforce cuts

By: Greg Otto
14 October 2025 at 17:20

Rep. Eric Swalwell, D-Calif., sent a letter Tuesday to acting CISA Director Madhu Gottumukkala raising concerns about staffing levels and the direction of the nation’s primary cybersecurity agency, writing that the “Trump Administration has undertaken multiple efforts to decimate CISA’s workforce, undermining our nation’s cybersecurity.”

Swalwell, the ranking member on the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, called out the agency for its reported shift of cybersecurity personnel to the Department of Homeland Security’s deportation efforts, on top of the approximately 760 people that have been let go from the agency since January. 

“Amid reports that the Department of Homeland Security is now forcibly transferring CISA’s cybersecurity employees to other DHS components, it has become apparent that the Department’s exclusive focus on its mass deportation campaign is coming at the expense of our national security,” Swalwell writes. “As further evidence of the Administration’s failure to prioritize cybersecurity, CISA is now engaging in Reductions in Force (RIFs) that threaten CISA’s capacity to prevent and respond to cybersecurity threats. I demand you immediately cease all efforts to cut CISA’s workforce, reinstate employees who were transferred or dismissed, and provide details on the impacts of the agency’s workforce reductions.”

The letter is not the first time Swalwell has asked for information about CISA’s workforce. In April, he asked the agency to brief the subcommittee on its workforce plans. He wrote in Tuesday’s letter he had not heard back from CISA. 

Further in the letter, Swalwell says shifting CISA personnel to deportation efforts takes away from the agency’s core mission at a time of “unprecedented cybersecurity threats,” pointing to the emergency directive issued last month about an ongoing and widespread attack spree affecting Cisco firewalls. He also questions CISA’s ability to leverage third-party expertise, given the agency’s September termination of its agreement with the Multi-State Information Sharing and Analysis Center — a partnership previously underpinned by $27 million in federal funding for fiscal year 2025. 

“In order to combat these threats, CISA needs to have sufficient personnel to carry out its mission, particularly at a time when canceled contracts and cooperative agreements have left CISA without critical third-party support,” Swalwell writes. 

You can read the full letter below. 

A CISA spokesperson sent CyberScoop the following statement:

“During the Biden Administration, Rep. Swalwell had no issue with CISA performing duties outside of its statutory authority – including censorship, branding, and electioneering. Under the leadership of President Trump and Secretary Noem, CISA focused squarely on executing its statutory mission: serving as the national coordinator for securing and protecting U.S. critical infrastructure. CISA is delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

Update: October 18, 2025, 4:00 pm: This article has been updated with comment from CISA.


Researchers find a startlingly cheap way to steal your secrets from space 

By: djohnson
14 October 2025 at 16:03

How much private and sensitive data can you get by pointing $600 worth of satellite equipment at the sky?

Quite a bit, it turns out.

Researchers from the University of Maryland and the University of California, San Diego say they were able to intercept sensitive data from the U.S. military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe.

The satellites they focused on — geostationary satellites — provide modern high-speed communications and services to rural or remote parts of the globe, including television, IP communications, internet and in-flight Wi-Fi capabilities. They also provide backhaul internet services — the links between a core telecom or internet network and its end users — for private networks operating sensitive remote commercial and military equipment.

Using cheap, commercially available equipment, researchers scanned 39 satellites across 25 distinct longitudinal points over seven months.

The goal was to see how much sensitive data they could intercept by “passively scanning as many GEO transmissions from a single vantage point on Earth as possible.” It was also to prove that you don’t need to be a well-resourced foreign intelligence service or have deep pockets to pull it off.

What they found was unsettling: “Many organizations appear to treat satellite[s] as any other internal link in their private networks. Our study provides concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks,” write authors Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman.

They note that the “severity” of their findings suggests “many organizations do not routinely monitor the security of their own satellite communication links” and that content scrambling “is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas.”

“Given that any individual with a clear view of the sky and $600 can set up their own GEO interception station from Earth, one would expect that GEO satellite links carrying sensitive commercial and government network traffic would use standardized link and/or network layer encryption to prevent eavesdroppers,” the researchers wrote.

Wired first reported on the academic study.

Researchers reached out to major businesses and organizations that were leaking data via satellite communications to notify them and address the vulnerabilities, but said they declined to engage in any bug bounties that included a nondisclosure agreement.  

The researchers said discussions with the U.S. military, the Mexican government, T-Mobile, AT&T, IntelSat, Panasonic Avionics, WiBo and KPU all took place between December 2024 and July 2025 as the study was ongoing.

Satellites are outfitted with multiple transponders to collect different kinds of telemetry, and here the research focuses on a single type — Ku-Band transponders — that are heavily used for internet and television services. Using their consumer-grade equipment, the researchers were able to tap into 411 different transponders around the globe, collecting reams of sensitive data in the process.

They observed unencrypted data for T-Mobile users, including plaintext user SMS messages, voice call contents, user internet traffic, metadata, browsing history and cellular network signaling protocols, leaking out over the skies. Over a single, nine-hour listening session, the dish picked up phone numbers and metadata for 2,711 individuals. Similar leakages were spotted for calls over Mexican telecoms TelMex and WiBo, and Alaskan telecom KPU Telecommunications.

They also picked up unencrypted and encrypted traffic coming from U.S. military sea vessels, including plaintext that included the ships’ names — something the researchers said allowed them to determine they were all “formerly privately-owned ships” that are now owned by the government. Meanwhile, unencrypted HTTP traffic leaking out through the satellites gave them details into internal applications and systems used for infrastructure, logistics and administrative management.

The researchers say that while this kind of capability isn’t novel, previous research has suggested that only foreign governments and well-resourced companies have the capabilities to conduct such widespread monitoring. Their study, which developed a new way to parse through issues around signal quality, suggests that the barrier to entry is far lower than previously thought, requiring technical know-how and just a few hundred dollars’ worth of commercial tech.

“To our knowledge, our threat model of using low-cost consumer grade satellite equipment to comprehensively survey GEO satellite usage has not been explored before in the academic literature.”

The findings underscore how much governments and businesses rely on standard satellite communications today to move their data around, and the lack of security attention these critical nodes receive compared to other technologies. The federal government has designated 16 sectors of society and industry as “critical infrastructure” and prioritized these sectors for additional security investment and assistance. Space is not one of those sectors, though policymakers have pushed the idea as a means to quickly retrofit our space-based communications for security.

Microsoft’s Patch Tuesday fixes 175 vulnerabilities, including two actively exploited zero-days

14 October 2025 at 14:36

Microsoft addressed 175 vulnerabilities affecting its core products and underlying systems, including two actively exploited zero-days, the company said in its latest security update. It’s the largest assortment of defects disclosed by the tech giant this year.

The zero-day vulnerabilities — CVE-2025-24990 affecting Agere Windows Modem Driver and CVE-2025-59230 affecting Windows Remote Access Connection Manager — both have a CVSS rating of 7.8. The Cybersecurity and Infrastructure Security Agency added both zero-days to its known exploited vulnerabilities catalog Tuesday.

Microsoft said the third-party Agere Modem driver that ships with supported Windows operating systems has been removed in the October security update. Fax modem hardware that relies on the driver will no longer work on Windows, the company said.

Attackers can achieve administrator privileges by exploiting CVE-2025-24990. “All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used,” Microsoft said in its summary of the defect.

The improper access control vulnerability affecting Windows Remote Access Connection Manager can be exploited by an authorized attacker to elevate privileges locally and gain system privileges, Microsoft said.

Windows Remote Access Connection Manager, a service used to manage remote network connections through virtual private networks and dial-up networks, is a “frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022,” Satnam Narang, senior staff research engineer at Tenable, said in an email. “This is the first time we’ve seen it exploited in the wild as a zero day.”

The most severe vulnerabilities disclosed this month include CVE-2025-55315 affecting ASP.NET Core and CVE-2025-49708 affecting Microsoft Graphics Component. Microsoft said exploitation of the defects is less likely, but both have a CVSS rating of 9.9.

Microsoft flagged 14 defects as more likely to be exploited this month, including a pair of critical vulnerabilities with CVSS ratings of 9.8 — CVE-2025-59246 affecting Azure Entra ID and CVE-2025-59287 affecting Windows Server Update Services.

The vendor disclosed five critical and 121 high-severity vulnerabilities this month. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

Officials crack down on Southeast Asia cybercrime networks, seize $15B

14 October 2025 at 13:28

Federal authorities seized 127,271 Bitcoin, valued at approximately $15 billion, from Chen Zhi, the alleged leader of a sprawling cybercrime network based in Cambodia, the Justice Department said Tuesday. Officials said it’s the largest financial seizure on record.

“Today’s action represents one of the most significant strikes ever against the global scourge of human trafficking and cyber-enabled financial fraud,” Attorney General Pamela Bondi said in a statement.

Officials said Chen, a 38-year-old United Kingdom and Cambodian national who has renounced his Chinese citizenship, built a business empire under the Prince Group umbrella headquartered in Phnom Penh, Cambodia, that constructs, operates and manages scam compounds that rely on human trafficking and modern-day slavery. 

A criminal indictment against Chen was also unsealed in the U.S. District Court for the Eastern District of New York. He remains at large and the FBI is seeking information about his whereabouts. Chen faces up to 40 years in prison for his alleged crimes.

Chen is accused of founding and running Prince Group since 2015, resulting in a global expansion that has brought the cybercrime network’s operations to dozens of entities spanning more than 30 countries. 

Officials said Chen was directly involved in managing the scam compounds and committed violence against people in the forced labor camps where schemes targeted victims around the world, including in the United States. One network based in Brooklyn, New York, scammed more than 250 people in New York and across the country out of millions of dollars, according to the indictment.

Authorities in the U.S. and U.K. also imposed coordinated sanctions against the Prince Group’s cybercrime networks in Southeast Asia accused of long-running investment scams and money laundering operations.

Officials said the sanctions against people and organizations involved with the Prince Group transnational criminal organization and its severing of Huione Group from the U.S. financial system mark the most extensive action taken against cybercrime operations in the region to date.

“The rapid rise of transnational fraud has cost American citizens billions of dollars, with life savings wiped out in minutes,” Treasury Secretary Scott Bessent said in a statement. 

The agency’s Office of Foreign Assets Control imposed sanctions on 146 people and organizations participating in Prince Group TCO, while the Financial Crimes Enforcement Network issued a rule under the USA PATRIOT Act to sever Cambodia-based financial services conglomerate Huione Group from the U.S. financial system.

OFAC also sanctioned a network of 117 illegitimate businesses affiliated with Prince Group. The agency published a complete list of people and entities sanctioned as part of the sweeping action.

Authorities said Prince Group is prolific and remains a dominant player in Cambodia’s scam economy, responsible for billions of dollars in illicit financial transactions. U.S. government officials estimate Americans lost more than $10 billion to Southeast Asia-based scam operations last year, noting that U.S. online investment scams surpass $16.6 billion.

Huione Group has allegedly laundered proceeds from cyberattacks initiated by North Korea and transnational criminal organizations in Southeast Asia responsible for virtual currency investment scams, authorities said. The organization laundered more than $4 billion in illicit proceeds between August 2021 and January 2025, the Treasury Department said. 

The U.K.’s Foreign, Commonwealth, and Development Office also participated in the crackdown by imposing sanctions on Prince Holding Group, its alleged leader Chen and key associates. 

“Today, the FBI and partners executed one of the largest financial fraud takedowns in history,” FBI Director Kash Patel said in a statement.

LevelBlue to acquire Cybereason in latest cybersecurity industry consolidation

By: Greg Otto
14 October 2025 at 11:54

LevelBlue announced Tuesday it has signed a definitive agreement to acquire Cybereason, a Boston-based cybersecurity firm specializing in extended detection and response platforms and digital forensics. 

Dallas-based LevelBlue, a managed security services provider formerly known as AT&T Cybersecurity, will fold Cybereason’s extended detection and response (XDR) platform, threat intelligence team, and digital forensics and incident response (DFIR) capabilities into its managed detection and response (MDR) offerings.

“The addition of Cybereason is a strategic leap forward in our mission to become the most complete cybersecurity partner for our clients and strategic partners,” Bob McCullen, CEO and chairman of LevelBlue, said in a release. “By combining Cybereason’s world-class XDR and DFIR capabilities with our AI-powered MDR and incident response, we can deliver unified protection that’s proactive, scalable, and purpose-built for today’s fast-evolving threats.”

The acquisition follows a trend of industry consolidation, as cybersecurity companies aim to offer a variety of products and services under singular brands. Cybereason merged with managed service provider Trustwave earlier this year.

For Cybereason, the acquisition bookends a turbulent seven-year period that saw the company swing from near-IPO status to dramatic valuation declines and multiple restructurings. Founded in 2012 by former members of the Israeli Defense Forces signals intelligence unit, the company competes with firms like CrowdStrike and SentinelOne in providing endpoint detection services and threat intelligence capabilities.

Cybereason appeared to reach its apex in 2021, when it raised $325 million in a funding round led by Liberty Strategic Capital. That round valued the company at approximately $3.1 billion, and Cybereason confidentially filed for an initial public offering with an expected valuation of $5 billion. At its peak, the company employed roughly 1,500 workers and had raised $850 million in total funding, with Japanese multinational investment holding company SoftBank as its primary investor.

However, the economic downturn of 2022 fundamentally altered the company’s trajectory. The shifting market conditions, combined with pressure from SoftBank following its significant losses on investment in WeWork, forced Cybereason to acknowledge it had over-hired at unsustainable wage levels. The company conducted two major rounds of layoffs, cutting more than 300 employees. In early 2022, Cybereason eliminated approximately 10% of its workforce, citing what it called a “seismic shift” in private and public markets. The IPO was eventually scrapped.

As part of Tuesday’s announced transaction, SoftBank Corp. and Liberty Strategic Capital will become investors in LevelBlue. Additionally, Steven Mnuchin, former U.S. Treasury secretary and managing partner of Liberty Strategic Capital, will join LevelBlue’s board of directors. 

Flax Typhoon can turn your own software against you

By: djohnson
14 October 2025 at 08:00

For more than a year, hackers from a Chinese state-backed espionage group maintained backdoor access to a popular software mapping tool by turning one of its own features into a webshell, according to new research from ReliaQuest.

In a report published Tuesday, researchers said that Flax Typhoon — a group that has been spying on entities in the U.S., Europe and Taiwan since at least 2021 — has had access for more than a year to a private ArcGIS server. To achieve and maintain that access, the group leveraged “an unusually clever attack chain” that allowed them to both blend in with normal traffic and maintain access even if the victim tried to restore their system from backups.

ArcGIS, made by Esri, is one of the most popular software programs for geospatial mapping and used widely by both private organizations and government agencies. Like many programs, however, it relies on backend servers and various other technical infrastructure to fully function.

For example, many ArcGIS users will use what is known as a Server Object Extension (SOE), which allows you to “create service operations to extend the base functionality of map or image services” and implement custom code, according to ArcGIS documentation.

The attackers found a public-facing ArcGIS server connected to another private backend server used by the program to perform computations. They compromised a portal administrator account for the backend server and deployed a malicious extension, instructing the public-facing server to create a hidden directory to serve as the group’s “private workspace.” They also locked off access to others with a hardcoded key and maintained access long enough for the flaw to be included in the system’s backup files.

In doing so, the Chinese hackers effectively weaponized ArcGIS, turning it into a webshell to launch further attacks, and mostly did so using the software program’s own internal processes and functionality.

ReliaQuest researchers wrote that by structuring their requests to appear as routine system operations, they were able to evade detection tools, while the hardcoded key “prevented other attackers, or even curious admins, from tampering with its access.”

Infecting the backups, meanwhile, gave Flax Typhoon an insurance plan if their presence ultimately was discovered.

“By ensuring the compromised component was included in system backups, they turned the organization’s own recovery plan into a guaranteed method of reinfection,” ReliaQuest researchers claimed. “This tactic turns a safety net into a liability, meaning incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.”

This continues a consistent trend around Flax Typhoon’s behavior observed by researchers: the group’s propensity for quietly turning an organization’s own tools against itself rather than using sophisticated malware or exploits.

In 2023, Microsoft’s threat intelligence team detailed what it described as Flax Typhoon’s “distinctive” pattern of cyber-enabled espionage. The group was observed achieving long-term access to “dozens” of organizations in Taiwan “with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.”

Earlier this year, the U.S. Treasury Department placed economic sanctions on Integrity Technology Group, a Beijing company the agency says has provided technical support and infrastructure for Flax Typhoon cyberattacks, including operating a massive botnet taken down by the FBI last year.

That may be why ReliaQuest researchers emphasized that the true threat revealed by their research isn’t about Esri or any specific vendor or their product. The real worry is that most enterprise software relies on the same kind of third-party applications and extensions that Flax Typhoon exploited to hijack an ArcGIS server. The same vulnerability exists wherever an external tool needs access that can be turned against the user when compromised.

“When a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset,” they wrote. “This attack is a wake-up call: Any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted.”

Red, blue, and now AI: Rethinking cybersecurity training for the 2026 threat landscape

By: Greg Otto
14 October 2025 at 05:00

Cybersecurity today is defined by complexity. Threats evolve in real time, driven by AI-generated malware, autonomous reconnaissance, and adversaries capable of pivoting faster than ever. 

In a recent survey by Darktrace of more than 1,500 cybersecurity professionals worldwide, nearly 74% said AI-powered threats are a major challenge for their organization, and 90% expect these threats to have a significant impact over the next one to two years.

Meanwhile, many organizations are still operating with defensive models that were built for a more static world. These outdated training environments are ad hoc, compliance-driven, and poorly suited for the ever-changing nature of today’s security risks.

What’s needed now within organizations and cybersecurity teams is a transformation from occasional simulations to a daily threat-informed practice. This means changing from fragmented roles to cross-functional synergy and from a reactive defense to operational resilience. 

At the heart of that transformation lies Continuous Threat Exposure Management (CTEM), a discipline — not a tool or a project — that enables organizations to evolve in step with the threats they face.

Why traditional models no longer work

Legacy training models that include annual penetration tests, semi-annual tabletop exercises, and isolated red vs. blue events are no longer sufficient. They offer limited visibility, simulate too narrow a scope of attack behavior, and often check a compliance box without building lasting and strategic capabilities.

Even worse, they assume adversaries are predictable and unchanging. But as we know, AI-generated malware and autonomous reconnaissance have raised the bar. Threat actors are now faster, more creative, and harder to detect. 

Today’s attackers are capable of developing evasive malware and launching attacks that shift in real time. To meet this evolving threat environment, organizations must shift their mindset before they can shift their tactics. 

Embedding CTEM into daily practice

CTEM offers a fundamentally different approach. It calls for operationalized resilience, where teams systematically test, refine, and continually evolve their defensive posture daily. 

This is not done through broad-stroke simulations, but through atomic, context-aware exercises targeting individual techniques relevant to their specific threat landscape. This is also done one sub-technique at a time. Teams look at one scenario, then iterate, refine, and move to the next. 

This level of precision ensures organizations are training for the threats that actually matter — attacks that target their sector, their infrastructure, and their business logic. It also creates a steady rhythm of learning that helps build enduring security reflexes.

Real-time breach simulations: training under pressure

What separates CTEM from traditional testing is not just frequency, but authenticity. Real-time breach simulations aren’t hypothetical. These simulations are designed to replicate real adversarial behavior, intensity, and tactics. If they are done right, they mirror the sneakiness and ferocity of live attacks.

We should keep in mind that authenticity doesn’t just come from tools but also from the people designing the simulations. You can only replicate real-world threats if your SOC teams are keeping current with today’s threat landscape. Without that, simulations risk becoming just another theoretical exercise. 

These complex scenarios don’t just test defenses; they reveal how teams collaborate under pressure, how fast they detect threats, and whether their response protocols are aligned with actual threat behavior.

Analytics as a feedback loop

What happens after a simulation is just as important as the exercise itself. The post-simulation analytics loop offers critical insights into what worked, what didn’t, and where systemic weaknesses lie. 

Granular reporting is essential, as it allows organizations to identify issues with skills, processes, or coordination. By learning the specifics and gaining meaningful metrics — including latency in detection, success of containment, and coverage gaps — they can turn simulations into actionable intelligence. 

Over time, recurring exercises using similar tradecraft help measure progress with precision and determine if improvements are taking hold or if additional refinements are needed.

A blueprint for CISOs: building resilient, cross-functional teams

For CISOs and security leaders, adopting CTEM is not just about adding more tools — it’s about implementing culture, structure, and strategy. 

This is a blueprint for embedding CTEM into an organization’s security protocols:

  • Integrate tactical threat intelligence. Training must be based on real-world intelligence. Scenarios disconnected from the current threat landscape are at best inefficient, at worst misleading.
  • Align red and blue teams through continuous collaboration. Security is a team sport. Silos between offensive and defensive teams must be broken down. Shared learnings and iterative refinement cycles are essential.
  • Engage in simulation, not just instruction. Structured training is the foundation, but true readiness comes from cyber incident simulation. Teams need to move from knowing a technique to executing it under stress, in an operational context.
  • Establish CTEM as a daily discipline. CTEM must be part of the organization’s DNA and a continuous process. This requires organizational maturity, dedicated feedback loops, and strong process ownership.
  • Use metrics to drive learning. Evidence-based repetition depends on reliable data. Analytics from breach simulations should be mapped directly to skills development and tooling performance.

The role of AI in cybersecurity training

While attackers are already using AI to their advantage, defenders can use it too, but with care. 

AI isn’t a replacement for real-world training scenarios. Relying on it alone to create best-practice content is a mistake. What AI can do well is speed up content delivery, adapt to different learners, and personalize the experience. 

It can also identify each person’s weaknesses and guide them through custom learning paths that fill real skill gaps. In 2026, expect AI-driven personalization to become standard in professional development, aligning learner needs with the most relevant simulations and modules.

Beyond tools: making CTEM a culture

Ultimately, CTEM succeeds when it’s embraced not as a feature or a product but as a discipline woven into the daily practices of the organization. 

It also requires careful development. Red and blue teams must be open, transparent, and aligned. It’s not enough to simulate the threat. Security teams must also match an adversary’s intensity in their simulations to build reflexes strong enough to withstand the real thing.

The organizations that take this path won’t just respond faster to incidents — they’ll be able to anticipate and adapt and cultivate resilience that evolves as quickly as the threats do.

Dimitrios Bougioukas is vice president of training at Hack The Box, where he leads the development of advanced training initiatives and certifications that equip cybersecurity professionals worldwide with mission-ready skills.

Fortra cops to exploitation of GoAnywhere file-transfer service defect

13 October 2025 at 17:22

Fortra, in its most forceful admission yet, confirmed a maximum-severity defect it disclosed in GoAnywhere MFT has been actively exploited in attacks, yet researchers are still pressing the vendor to be more forthcoming about how attackers obtained a private key required to achieve exploitation.

The vendor published a summary of its investigation into CVE-2025-10035 Thursday, three weeks after it publicly addressed the vulnerability in its file-transfer service for the first time. “At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035,” the company said. 

“It is positive to see Fortra increase their transparency surrounding the CVE-2025-10035 saga,” Ben Harris, founder and CEO at watchTowr, told CyberScoop. “However, the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to.”

Researchers at watchTowr, Rapid7 and VulnCheck last month rang alarm bells about the private key after they independently confirmed the steps attackers would have to take to achieve exploitation. 

“The fact that Fortra has now opted to confirm ‘unauthorized activity related to CVE-2025-10035,’ confirms yet again that the vulnerability was not theoretical, and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” Harris said.

The scope of compromise has continued to grow during the past month as Fortra and researchers continue hunting for evidence of active exploitation. Fortra also shared more details about the timeline and actions it took behind the scenes prior to publicly disclosing and addressing the vulnerability. 

Security staff at Fortra began investigating a potential vulnerability after a customer reported suspicious activity Sept. 11. After inspecting customer logs, the company started notifying potentially impacted customers and reported the malicious activity to law enforcement that same day. 

The vendor also said it found three instances in its cloud-based GoAnywhere MFT environment “with potentially suspicious activity related to the vulnerability.” Fortra said it isolated those instances for further investigation and alerted customers using those managed services of potential exposure. 

The company deployed the patch to cloud-based services it hosts for customers Sept. 17, but it has not described the extent to which the vulnerability has been exploited in on-premises customer environments and Fortra-hosted services. The vendor said it updated all company-hosted instances of GoAnywhere MFT, including infrastructure rebuilds.

Fortra did not answer questions submitted by CyberScoop on Monday.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. Microsoft Threat Intelligence followed up on that last week, noting that a cybercriminal group it tracks as Storm-1175 has exploited CVE-2025-10035 to initiate multi-stage attacks including ransomware. 

Fortra repeatedly declined to confirm it was aware of active exploitation in the wake of those reports. The company previously added indicators of compromise to its security advisory, but didn’t say it was aware of reports of unauthorized activity related to the defect until Thursday.

Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium

10 October 2025 at 15:01

A fast-spreading Android spyware is mushrooming across Russia, camouflaging itself as popular apps like TikTok or YouTube, researchers at Zimperium have revealed in a blog post.

The company told CyberScoop it expects the campaign is likely to expand beyond Russian borders, too.

In three months, Zimperium zLabs researchers observed more than 600 samples, the company wrote in a blog post Thursday. Once implanted, the spyware can steal text messages, call logs, device information and more, and wrest control of a phone to do things like take pictures or place phone calls.

“It’s mainly targeting Russia, but they can always adapt to other payloads, and since every infected phone then becomes an attack vector, it’s likely to become a global campaign,” said Nico Chiaraviglio, chief scientist at Zimperium. “However, it’s not easy to know the attackers’ intentions.”

The spyware, dubbed ClayRat, has some notable tools it uses to infect victims.

“ClayRat poses a serious threat not only because of its extensive surveillance capabilities, but also because of its abuse of Android’s default SMS handler role,” the blog post reads. “This technique allows it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.”

It’s also been evolving quickly, Zimperium said, “adding new layers of obfuscation and packing to evade detection.”

Zimperium didn’t say who was behind the spyware. The Russian government is a cyberspace power, but typically hasn’t had to rely on spyware vendors, per se, as it has its own capabilities. Often — but not always — spyware linked to or suspected to be linked to the Kremlin is turned inwards, snooping on domestic targets.

“ClayRat is distributed through a highly orchestrated mix of social engineering and web-based deception, designed to exploit user trust and convenience,” according to Zimperium. “The campaign relies heavily on Telegram channels and phishing websites that impersonate well-known services and applications.”

ClayRat’s users also rely on phishing platforms.


Dems introduce bill to halt mass voter roll purges 

By: djohnson
10 October 2025 at 14:42

The Trump administration wants your voter data.

Since President Donald Trump took office in January, the Department of Justice has made an ambitious effort to collect sensitive voter data from all 50 states, including information that one election expert described as “the holy trinity” of identity theft: Social Security numbers, driver’s license numbers and dates of birth.

In states where Trump’s party or allies control the levers of government, this information is handed over willingly. In states where they do not, the DOJ has formally asked, then threatened and then sued states that refuse. The department has also claimed many of these reluctant states are failing to properly maintain their voter registration rolls, and has pushed states to more aggressively remove potentially ineligible voters.

This week, Democrats in the House and Senate introduced new legislation that seeks to defang those efforts by raising the legal bar for states to purge voters based on several factors, such as inactivity or changing residency within the same state.

The Voter Purge Protection Act, introduced by Sen. Alex Padilla, D-Calif., and Rep. Joyce Beatty, D-Ohio, would amend the National Voter Registration Act to make it more difficult for states to kick large numbers of voters off their rolls for actions that Democrats — and many election officials — say are common, overwhelmingly benign and not indicative of voter fraud.

Padilla told reporters that the legislation would help ensure “that Americans cannot be stripped of their right to vote without proof that a voter has either passed away or has permanently moved out of their state.”

Voters targeted for removal must also be notified by election officials “so that there’s no surprise when they show up to vote on election day that their name is not on the list and it’s too late to address whatever the issue may or may not be,” Padilla said.

Beatty pointed to her home state, where Republican Secretary of State Frank LaRose removed more than 155,000 voters from active voter rolls in 2024, as an example where federal protections are needed. The primary factor for purging those voters was records showing they had not cast a ballot in an election for the past four years.

She claimed more than half of the voters who stand to be affected by similar purges in 2025 and 2026 are registered in counties where demographic minorities make up a majority of voters.

“Let me be clear: voting is not use-it-or-lose the right, because too often these so-called voter purges have silenced voices, people of color, people of low income communities, and even our seniors who have waited and fought for the right to vote,” Beatty said.

Meanwhile, a comprehensive post-election audit conducted by LaRose’s office in 2024 identified and referred 597 “apparent noncitizens” on state voter rolls to the state Attorney General for further review, out of 8 million state voters. Critically, 459 of those registered voters never cast an actual ballot, and similar audits performed by LaRose in 2019, 2021 and 2022 found that such people made up similarly minuscule percentages of all active registered voters in the state. Last month, his office put out a press release touting an additional 78 “apparent noncitizens” registered, 69 of whom had no evidence of voting.

“States have the responsibility to keep accurate voter rolls and ensure election integrity,” LaRose added. “In order to meet that responsibility, we need more access to data from the federal government. I will continue to push until we have the resources we need to do our jobs to the standard Ohioans deserve.”

As any state election official will tell you, voter registration lists are never static — every day, people die, get married (or divorced), take on different names, become naturalized citizens or experience a range of other life events that can impact their registration status or result in outdated information. Further, it’s not typically viewed as unusual or a sign of fraud when voters sparingly make use of their registration to vote, though most election experts endorse some level of database maintenance to remove inactive voters.  

But it is often these discrepancies that get highlighted by Trump and state allies as evidence of unacceptably messy voter rolls that justify stricter removal policies.

And there are election officials — mostly in Republican-controlled states — who have embraced the philosophy that even small numbers of questionable registrations or voter fraud must be aggressively stamped out or it will lead to American voters losing faith in their democracy. LaRose and Georgia Republican Secretary of State Brad Raffensperger have long championed a similar approach to voter maintenance, and have called for Congress to pass laws making it easier for states to remove voters during election years.

“List maintenance is about election security and voter confidence,” Raffensperger said last month while announcing that approximately 146,000 Georgia voters would be moved to inactive voter rolls, including 80,754 voters who had moved to another county within the state. “We want every Georgian to have full faith in the system, knowing that our elections are free, fair — and fast.”

Critics have pointed out that states already have numerous, effective means for preventing mass voter registration or fraud that have been borne out by post-election audits finding very low instances of fraud, and that overly harsh policies around list maintenance can and do end up disenfranchising far more eligible voters than bad actors. Further, they argue against removing large numbers of voters without a robust follow-up process from states to give affected voters an opportunity to appeal or address any discrepancies that may affect their registration.

The bill has 22 Democratic co-sponsors in the Senate and 24 in the House but is unlikely to gain serious consideration under a Republican-controlled Congress, where most GOP members have long believed voter fraud is rampant and are broadly supportive of state and federal efforts to remove voters based on those same factors.

Asked by CyberScoop how Democrats would navigate that reality, Padilla said the legislation was part of a broader overall effort to push back on these efforts at all levels of constitutional governance. That includes states fighting to protect their constitutional role as administrators of elections when denying data requests from the federal government, within the court system as states and voting rights groups fight in court to block the administration’s use of the SAVE database as a pretext for voter removal, and through public awareness and politics.

Teeing up legislation to prevent states from potentially disenfranchising voters from spurious purges, he said, is part of asserting Congress’ constitutional role in a much broader fight about the way elections are run.

“We’re pushing back on it at every turn and calling attention to it, so that voters understand what they may be facing and make all the necessary preparations so that their right to vote is not denied, whether it’s in next year’s midterm elections or even other regular or special elections before then,” Padilla said.


SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal

9 October 2025 at 16:26

A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.

An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system that SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.

SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post. 

“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.

The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack.

Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added. 

SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years. 

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.

While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.

The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.

“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said. 

“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”

SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.


Sen. Peters tries another approach to extend expired cyber threat information-sharing law

9 October 2025 at 12:38

A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.

Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.

The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.

“There are some of my Republican colleagues who have concerns about CISA as the agency, and I remind them, this is not about the agency,” he said. “It’s about … cybersecurity protections and the ability to have liability protections and to be able to share information. I’ve often heard the chair conflate the two, and I have to continually remind him.”

A House bill also would establish a different name.

Paul has objected to Peters’ attempts on the floor to extend CISA 2015. A shorter-term extension of the law was included in the House-passed continuing resolution to keep the government open, but that bill didn’t advance in the Senate, prompting a shutdown.

Peters’ latest bill, like earlier legislation he co-sponsored with Sen. Mike Rounds, R-S.D., would extend CISA 2015 for 10 years. He rejected the idea of trying to get a shorter-term extension until a longer-term extension could be passed.

“One thing that is very clear from all of the stakeholders is that they need long-term certainty when it comes to these protections, that you can’t operate with just a few-week patch and then another few-week patch,” Peters said. “That’s no way to run a business. That’s no way to run a sophisticated cybersecurity operation.”

Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements for members.

The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.

“An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”

Peters said he’s heard from organizations becoming increasingly nervous about the expiration, but didn’t want to comment on whether any had stopped sharing because that’s “sensitive information, important information, and our adversaries should know as little about what’s happening as possible.”

Peters said he wouldn’t comment on his deliberations with Paul, or comment on Paul’s motives for objecting to his floor maneuvers. Paul cancelled a planned markup of his own version of CISA 2015 renewal legislation in September that included language on free-speech guarantees under CISA the agency, with a spokesperson saying Democrats had requested more time and were “not negotiating in good faith.”

Peters told reporters that claim was “absolutely false … the problem is not on our end.”

The revised Peters legislation doesn’t touch on the topic of free speech. Democrats and Republicans have blamed one another for the government shutdown.

“Firstly, this authority will be turned back on when Democrats, including the bill sponsor, vote to reopen the government,” said Gabrielle Lipsky, a spokesperson for Paul. “The Senator has made it clear that a longer-term reauthorization will need robust free speech protections included.”

Peters said he had spoken to Senate Majority Leader John Thune, R-S.D., about getting the bill through Senate procedures. He and Rounds have both been speaking with colleagues to gain backing. The Trump administration also has been lobbying senators to support a CISA 2015 reauthorization.

“I’m confident that if this bill gets to the floor for a vote, it will not only pass, it will pass overwhelmingly,” he said. “And that’s what we’re working to do.”


Dozens of Oracle customers impacted by Clop data theft for extortion campaign

9 October 2025 at 12:02

Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday. 

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29. 

Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update. 

The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.

Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.

Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity. 

Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.

Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims. 

Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit. 

“At this time, GTIG does not assess that actors associated with UNC6240 (also known as ‘Shiny Hunters’) were involved in this exploitation activity,” Google said in the report.

While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.

Clop has successfully intruded into multiple technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

