windows_11_1

Windows 11 October Update Breaks Localhost

by with No Comment Cybersecurity News

Microsoft’s October 2025 cumulative update (KB5066835) for Windows 11 has introduced a disruptive issue that’s impacting developers and IT environments across the board. After installing the update—particularly on build 26100.6899—many users have reported that localhost functionality is broken, rendering local web services and applications unreachable via 127.0.0.1.

Developers began noticing issues immediately after the update was rolled out on October 14, 2025. Applications that rely on local web servers, such as those running via IIS Express or Kestrel, are now frequently throwing HTTP/2 protocol errors like:

  • ERR_HTTP2_PROTOCOL_ERROR
  • ERR_CONNECTION_RESET

This bug is more than an inconvenience. It’s disrupting core workflows like:

  • Debugging in Visual Studio
  • Testing ASP.NET applications
  • Running desktop software that communicates internally via loopback

Even Chromium-based browser previews are failing in local environments, causing widespread frustration among developers.

The issue isn’t limited to individual users or hobbyist developers. Large software vendors and enterprise customers are affected too.

For instance, Autodesk confirmed that its Vault software has been impacted, advising customers to roll back the update to restore functionality. Posts on Microsoft’s own support forums, Stack Overflow, and Server Fault further confirm this is a global issue affecting production environments, internal business tools, and development setups alike.

Root Cause: HTTP.sys Modifications

Preliminary investigations suggest that the problem originates from changes made to HTTP.sys—the Windows kernel-mode driver responsible for handling HTTP traffic.

Update KB5066835 included security-related updates to HTTP.sys, but these changes seem to have broken HTTP/2 loopback negotiation under certain configurations. Systems that had also installed the September preview update (KB5065789) appear especially vulnerable.

Workarounds and Fixes

Until Microsoft releases an official fix, affected users have reported several temporary workarounds:

Uninstall Recent Updates

Run the following commands in Command Prompt (admin) to remove the offending updates:

wusa /uninstall /kb:5066835
wusa /uninstall /kb:5065789

Then restart your system.

Disable HTTP/2 (Registry Edit)

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\Parameters

Create or modify the DWORD key:

EnableHttp2 = 0

Then reboot. (Proceed with caution and backup your registry first.)

Update Microsoft Defender

Some users report that updating Microsoft Defender Antivirus definitions via KB2267602 has resolved the problem without uninstalling the updates entirely.

Notable Observations

  • Fresh installs of Windows 11 are not affected, indicating that the bug arises due to conflicts with existing configurations, not a core OS flaw.
  • As of October 17, 2025, Microsoft has not officially acknowledged the issue on the KB5066835 update page, though internal responses on support forums hint that engineers are working on a fix.
  • A Defender intelligence update or minor patch may already be softening the impact for some users, but success appears to vary by system and setup.
18925617_605

Banking Trojan Spreading Through WhatsApp in Brazil

by with No Comment Cybersecurity News

A new and highly advanced banking Trojan, dubbed Maverick, has surfaced in Brazil, exploiting WhatsApp as its main vector to compromise thousands of unsuspecting users. First detected in mid-October 2025, Maverick has already triggered over 62,000 blocked infection attempts within just the first ten days, signaling a significant threat to Brazilian internet users

Maverick targets Brazilian users by sending Portuguese-language WhatsApp messages that include malicious ZIP archives. These archives cleverly bypass WhatsApp’s security filters and contain a weaponized .LNK file, a Windows shortcut file that acts as the Trojan’s entry point.

The infection process begins when victims open these ZIP files, often disguised as bank notifications or important documents. The .LNK file then launches a chain of commands through cmd.exe and PowerShell, connecting stealthily to command-and-control (C2) servers. These servers validate the malware with stringent authentication protocols before downloading additional payloads.

What makes Maverick especially dangerous is that it operates in a fully fileless manner, all malicious components run directly in the system’s memory without writing files to the disk. This approach makes detection by traditional antivirus tools extremely difficult.

An Evolution in Malware Development: AI-Assisted Coding

Researchers at Securelist have found that Maverick shares significant code overlap with Coyote, a Brazilian banking Trojan documented in 2024. However, Maverick is more sophisticated, notably due to its use of artificial intelligence during its development. AI techniques are leveraged particularly for decrypting security certificates and optimizing the malware’s code-writing process.

This marks a worrying trend where cybercriminals are integrating AI tools to create more potent and evasive malware, raising the stakes in the cybersecurity battle.

Confirming the Victim’s Location

Maverick includes stringent geographic targeting measures to avoid detection and ensure attacks focus solely on Brazilian users. The malware checks:

  • System timezone
  • System language
  • Region settings
  • Date format

If any of these indicators do not confirm a Brazilian environment, the malware immediately terminates, preventing analysis by security researchers outside Brazil.

Spyware Capabilities and Data Theft

Once activated, Maverick unleashes an arsenal of surveillance tools:

  • Capturing screenshots
  • Monitoring browsers
  • Logging keystrokes
  • Controlling the mouse
  • Displaying overlay phishing pages

These tactics target credentials from 26 Brazilian banks, six cryptocurrency exchanges, and one payment platform, aiming to steal sensitive financial information and take over accounts.

Self-Propagation Through WhatsApp Account Hijacking

Perhaps the most alarming feature of Maverick is its ability to self-propagate by hijacking infected users’ WhatsApp accounts. Using WPPConnect, an open-source WhatsApp Web automation framework, the malware automatically sends malicious messages to all contacts in the victim’s list.

This worm-like behavior allows the Trojan to spread rapidly and exponentially, leveraging WhatsApp’s massive user base as a distribution network.

Advanced Command-and-Control Security

Maverick’s C2 infrastructure employs sophisticated security measures to avoid detection and tampering:

  • HMAC-256 signatures authenticate each request with a hardcoded secret key: "MaverickZapBot2025SecretKey12345".
  • Validation of User-Agent headers ensures that only genuine malware clients connect.
  • API endpoints deliver payloads encrypted as shellcodes using Donut loaders, with XOR encryption keys cleverly hidden within the payload’s final bytes.

The malware’s decryption method extracts the encryption key from the payload itself by reading the last four bytes to determine key size and then applying XOR operations to decrypt the entire code. Additionally, heavy code obfuscation techniques, such as Control Flow Flattening, make reverse engineering and analysis extremely challenging.

building-Cisco-Systems

Rootkits hitting unpatched Cisco switches

by with No Comment Cybersecurity News

Security teams got a rude reminder this month where older, unpatched Cisco switches are being actively targeted and backdoored with a Linux rootkit in a campaign Trend Micro has named Operation ZeroDisco. If you manage campus or branch network gear, especially older 9400/9300/3750G-series hardware, read this now — the attackers are using a recent SNMP zero‑day plus a reused Telnet exploit to get persistent, stealthy access.

What the attackers are exploiting

Vulnerability: CVE‑2025‑20352 (CVSS 7.7), a stack‑overflow bug in SNMP on Cisco IOS / IOS XE. Cisco released a patch in late September after confirming in‑the‑wild exploitation.

Secondary exploit: A modified exploit for CVE‑2017‑3881 (a Telnet RCE) that the adversary uses to read/write memory on affected devices.

Targets: Older Linux‑based devices (Trend Micro observed Cisco 9400, 9300 and legacy 3750G models).

Campaign name: Operation ZeroDisco, the malware sets a universal password containing the text “disco” (one-letter change from “Cisco”), hence the name.

How the attack works (high level)

On 32‑bit devices the attackers send malicious SNMP packets to execute commands and use the Telnet exploit to obtain arbitrary memory read/write.

On 64‑bit devices they deploy a rootkit via the SNMP bug, set the universal “disco” password in memory, then log in and install a fileless backdoor. They can also connect different VLANs to move laterally.

The rootkit monitors UDP packets (even to closed ports) so specific packets can trigger backdoor functionality. It also tampers with IOSd memory to:

  • install the universal password across many auth methods,
  • hide running‑config items in memory,
  • bypass ACLs applied to VTY,
  • disable or tamper with log history,
  • reset running‑config timestamps to conceal changes.

Why this is bad

This isn’t just a noisy DoS exploit it’s a stealthy, persistent compromise that actively hides from blue teams. Because the malware modifies device memory and running config in ways that don’t always show in persistent storage, standard checks can miss it. Trend Micro warns there’s currently no reliable universal automated tool to detect ZeroDisco infections across switches.

4276

OpenAI’s Guardrails Framework Bypassed by Basic Prompt Injection

by with No Comment Cybersecurity AttackCybersecurity News

On October 6, 2025, OpenAI released Guardrails, a new safety framework designed to detect and prevent harmful behaviors in AI systems by leveraging large language models (LLMs) to judge inputs and outputs for risks like jailbreaks, prompt injections, and more. While the framework represents a step forward in modular AI safety, recent research from cybersecurity firm HiddenLayer has revealed significant vulnerabilities showing how basic prompt injection techniques can completely bypass these safeguards.

What is OpenAI’s Guardrails Framework?

Guardrails aims to empower developers with customizable pipelines that filter malicious or harmful interactions in AI agents. Key capabilities include:

  • Masking personally identifiable information (PII)
  • Content moderation
  • LLM-based checks for complex threats like jailbreak attempts, off-topic prompts, hallucinations, and agentic prompt injections (where tools’ outputs misalign with user intent)
  • Non-LLM tools for filtering URLs and detecting PII

At its core, the framework uses an LLM “judge” to evaluate the safety of outputs generated by the same or similar LLMs powering the AI agent.

“Same Model, Different Hat”

HiddenLayer’s research highlights a fundamental flaw in this design. When the same or a similar LLM is used both to generate content and to judge its safety, attackers can exploit prompt injection vulnerabilities to manipulate both simultaneously. This “same model, different hat” problem means that if the base model is tricked into generating malicious content, the judge model can also be tricked into approving it essentially nullifying the safety layer.

This stands in contrast to traditional non-LLM detectors, which avoid such weaknesses but lack the flexibility to handle nuanced threats like obfuscated jailbreak prompts.

How Attackers Bypass Guardrails

HiddenLayer demonstrated multiple real-world bypasses, including:

  • Jailbreak Prompt Manipulation: Using OpenAI’s default gpt-4.1-mini with a 0.7 confidence threshold, the system correctly flagged a malicious prompt requesting harmful instructions (e.g., anthrax sporulation) with 95% confidence. However, attackers crafted injection templates that spoofed the judge’s metadata, reporting a false lower confidence score (e.g., 0.675) below the threshold (e.g., 0.6), allowing the dangerous content to slip through unnoticed.
  • Agentic Prompt Injection Attacks: The system’s mechanism to block tool misuse, such as unauthorized “fetch” calls that leak sensitive data, can also be circumvented. By embedding fabricated judge override data within web content, attackers convinced the judge LLM to approve malicious tool calls, enabling indirect data exfiltration and command injection.

These exploits underscore the fragility of relying on LLM-based self-judgment for safety-critical decisions.

Why This Matters

As AI systems increasingly integrate into sensitive enterprise workflows, the stakes for robust safety measures have never been higher. Guardrails’ modular design and use of LLM judges are promising — but as HiddenLayer’s findings show, over-reliance on the same model family for both generation and evaluation invites sophisticated adversarial tactics that can evade detection.

Moreover, this research builds on earlier work like HiddenLayer’s Policy Puppetry (April 2025), which demonstrated universal prompt injection bypasses across major models.

Recommendations for AI Safety

To mitigate risks highlighted by this research, organizations and AI developers should consider:

  • Independent validation layers outside the generating LLM family
  • Red teaming and adversarial testing focused on prompt injection and judge manipulation
  • External monitoring and anomaly detection for AI outputs and tool interactions
  • Careful evaluation of confidence thresholds and metadata integrity
  • Avoiding sole reliance on self-judgment mechanisms

OpenAI’s Guardrails framework marks meaningful progress in modular AI safety but to avoid false security, it must evolve beyond vulnerable self-policing and incorporate diverse, independent safeguards.

Spoofed Homebrew install page (Source - The Sequence)

Sophisticated Homebrew Installer Spoofing Campaign Targets macOS Users

by with No Comment Cybersecurity AttackCybersecurity News

A new and highly polished campaign is targeting macOS users by cloning the Homebrew installation experience and quietly slipping malicious commands into victims’ clipboards. Instead of attacking Homebrew’s package repositories, attackers are impersonating the trusted installation page itself and hijacking the moment users paste the install command.

What’s happening

Researchers uncovered several pixel-perfect replicas of the official Homebrew installer page. Fraudulent domains identified include:

  • homebrewfaq[.]org
  • homebrewclubs[.]org
  • homebrewupdate[.]org

These sites look and behave like the genuine Homebrew install page, but they include hidden JavaScript that interferes with normal copy-and-paste behavior. Rather than allowing users to select the install command manually, the spoofed pages disable normal text selection and force visitors to click a site-provided Copy button. That button runs code which injects extra, malicious commands into the clipboard along with the legitimate Homebrew installer command.

How the attack works

  • The attacker creates a convincing replica of the Homebrew install page so users won’t suspect anything is wrong.
  • The page blocks standard selection and clipboard events (contextmenu, selectstart, copy, cut, dragstart), preventing manual copying of the installation text.
  • A visible Copy button triggers a copyInstallCommand() routine in JavaScript. That routine writes a command string to the clipboard using the Clipboard API or a textarea fallback for compatibility across browsers.
  • When the victim pastes that clipboard content into Terminal and runs it, the legitimate Homebrew install command executes but it’s accompanied by the attacker’s injected command(s), which download and run additional payloads in the background.
  • Because the real Homebrew installer runs normally, the infection can be stealthy and persistent while appearing innocuous to the user.

Security analysts also noted Russian-language comments in the code showing where malicious commands are inserted — a sign this may be a commoditized service or a repeatable toolkit attackers can reuse.

Why this is notable

This campaign represents a significant shift in supply-chain style tactics. Instead of compromising package repositories or tampering with software packages directly, attackers have built a parallel interception point: the initial installation experience. That bypasses many defenses that focus on repository integrity and package signing, and it relies instead on social engineering and subtle client-side manipulation of the clipboard.

Homebrew itself has no recent compromise reports, but the attack exploits the strong user trust placed in Homebrew’s installation instructions.

For safety reasons I’ve redacted the exact malicious command observed in the wild. Publishing exact live payload commands or download URLs could enable abuse. If you need to analyze the specific artifacts for incident response, work with a trusted security team and obtain samples through secure channels.

Indicators and detection

Researchers identified the suspicious domains listed above and monitored infrastructure linked to known malware distribution networks. The telltale signs of this campaign include:

  • Pixel-perfect replicas of the Homebrew installer page hosted on non-official domains.
  • Disabled text selection and clipboard-related event handlers.
  • A required on-page Copy button (rather than allowing manual selection).
  • JavaScript routines that overwrite clipboard contents to append or prepend extra commands.
Anatomy-Of-A-Cyber-Attack-image

Trinity of Chaos -The New Face of Ransomware and Data Extortion

by with No Comment Cybersecurity AttackCybersecurity News

The cybersecurity world has been rocked by the rise of the Trinity of Chaos, a highly sophisticated ransomware collective that has launched a new data leak site featuring sensitive information from 39 major corporations. This group, possibly a merger of notorious hacker groups like Lapsus$, Scattered Spider, and ShinyHunters, represents a significant evolution in the scale and complexity of cybercrime.

The Trinity of Chaos collective is not just another ransomware gang, it is a hybrid threat actor that merges traditional ransomware tactics with data extortion strategies, creating a new and highly effective form of attack. By combining these methods, they maximize their operational impact and financial return, leaving organizations exposed to both financial losses and reputational damage.

Data Leak Sites on the TOR Network

The group’s primary method of operation revolves around their Data Leak Site, hosted on the TOR network. This is a familiar tactic among modern ransomware groups, and Trinity of Chaos has refined it to a level of operational sophistication that sets them apart.

Rather than announcing new attacks or publicizing their ransom demands upfront, the group opts to share samples of stolen data, including sensitive records, to prove the success of their breaches. This approach not only validates their claims but also increases the pressure on their victims by threatening public exposure. This calculated strategy ensures the group maintains operational security while leveraging the threat of reputational harm to manipulate their targets into compliance.

Previous Salesforce Exploit and Data-Exfiltration Tactics

Trinity of Chaos has already demonstrated their ability to exploit Salesforce environments, a method they refined by exploiting compromised Salesloft Drift AI chat integrations. By using social engineering techniques, the group gains unauthorized access to OAuth tokens, which they then use to infiltrate corporate Salesforce environments. This precise and targeted approach has proven to be highly effective, leading to substantial data breaches and stolen records.

The leaked data from these campaigns primarily includes personally identifiable information, but also reveals internal communications, loyalty program data, and full activity histories. In addition to using this data for extortion, Trinity of Chaos has proven adept at using it for further social engineering campaigns, gaining additional leverage over both companies and individuals.

This particular method of attack prompted the FBI to issue a flash warning, cautioning organizations to monitor their Salesforce instances for signs of intrusion.

Major Corporations Hit

The scale of the breach is unprecedented. Among the compromised organizations are some of the world’s most recognizable names, including:

  • Google
  • Cisco
  • Toyota Motor Corporation
  • FedEx
  • Disney/Hulu
  • Home Depot
  • Marriott
  • McDonald’s

These companies, spanning a range of industries including technology, automotive, finance, and telecommunications, are now facing the prospect of massive data leaks unless negotiations with the hackers are met.

Pressure Tactics and Ultimatums

Trinity of Chaos has set October 10th as a hard deadline for negotiations. Like many traditional ransomware operations, the group employs psychological pressure tactics, leveraging the threat of public data exposure and even regulatory reporting that could lead to criminal negligence charges for non-compliant companies.

This combination of tactics heightens the stakes for organizations and forces them to make quick decisions under intense pressure.

A Treasure Trove for Cybercriminals

The Trinity of Chaos collective claims to have amassed an incredible 1.5 billion records from over 760 companies, including:

  • 254 million account records
  • 579 million contact entries
  • 458 million case files

This data, collected over several years, comes from previous attack campaigns such as UNC6395 and UNC6040, showcasing the group’s systematic approach to data aggregation and monetization.

By compiling vast databases of stolen records, Trinity of Chaos is building a cybercrime empire with an unprecedented level of access to sensitive corporate and personal information.

Sophistication and Operational Security

What sets Trinity of Chaos apart is their operational security. The group is known to maintain persistent access within victim networks for extended periods of time, often remaining undetected for years.

This long-term, stealthy approach is indicative of a highly disciplined and experienced group, with extensive operational infrastructure that allows them to scale and evolve their methods over time.

The Rise of a Hybrid Cybercrime Syndicate

The Trinity of Chaos collective marks a significant evolution in the world of cybercrime. By blending ransomware tactics with data extortion and leveraging the TOR network for secure communications and leak sites, they are raising the stakes for both organizations and the cybersecurity industry at large. With an impressive track record, a global reach, and an ever-growing arsenal of attack methods, this group represents a formidable challenge to the cybersecurity landscape.

Organizations are urged to stay vigilant, fortify their defenses, and remain proactive in addressing any potential threats to prevent becoming the next victim of this highly skilled and resourceful group.

sonicwall risk

SonicWall Confirms Customer Firewall Backup Breach

by with No Comment Uncategorized

SonicWall has confirmed a significant security breach involving unauthorized access to its cloud service, where a full repository of customer firewall configuration backup files was stolen. The breach was uncovered following an investigation in collaboration with cybersecurity firm Mandiant, which has concluded that all customers utilizing the cloud backup feature are affected.

The investigation revealed that threat actors managed to exfiltrate .EXP files, which are complete backups containing critical details of firewall configurations. These files include key information about network setups, security policies, and encrypted credentials for various services. While SonicWall assures that the credentials remain encrypted, the overall configuration data is only encoded, meaning it can still be read by attackers.

Experts are warning that this exposed information provides attackers with a comprehensive map of a network’s security setup, making it easier for them to launch future targeted attacks. The compromised data could also enable threat actors to exploit vulnerabilities in the network’s configuration or attempt to crack the encrypted credentials offline, particularly if weak passwords were used.

SonicWall’s Official Response

In the wake of the breach, SonicWall is actively notifying all affected customers and partners, and has released tools designed to assist with the assessment and remediation of the incident.

The breach affects any SonicWall firewall that utilized the cloud backup feature on the MySonicWall[.]com platform. SonicWall has provided an updated list of impacted devices within the MySonicWall portal, categorizing them by priority to help customers focus their remediation efforts.

SonicWall urges all customers to log in, check for affected devices, and start the remediation process immediately.

Strengthening Security Measures

To prevent future breaches, SonicWall has taken steps to enhance the security of its infrastructure, working closely with Mandiant to strengthen cloud security and monitoring systems. Additionally, the company has provided clear guidelines for customers on how to mitigate the impact of the breach.

The most critical action for affected users is to perform an “Essential Credential Reset”. This involves changing all passwords and secrets for services configured on the impacted firewalls.

To assist with this, SonicWall has published a “Remediation Playbook” and an “Online Tool” designed to help users analyze their firewall configurations and identify which services require credential updates.

DIG_3C Spot

Doctors Imaging Group Reports Significant Data Breach Affecting Over 171,000 Individuals

by with No Comment Uncategorized

Doctors Imaging Group, a healthcare provider located in Florida, has recently disclosed a significant data breach that exposed the personal and medical information of over 171,800 individuals. The breach, classified as a “Hacking/IT Incident,” involved unauthorized access to the organization’s network, compromising a vast array of sensitive data.

This breach is part of a growing trend of cyberattacks targeting healthcare organizations, putting personal health and financial information at risk. Here’s what we know about the breach and what affected individuals should do next.

According to Doctors Imaging Group, the data breach occurred over a one-week period between November 5, 2024, and November 11, 2024. During this time, unauthorized actors were able to gain access to the organization’s network server. Once inside, the attackers copied files that contained sensitive patient data, including personally identifiable information and protected health information.

The company became aware of suspicious activity on its network and immediately initiated an investigation. However, determining the full extent of the breach and identifying which specific data had been compromised was no small feat. It took nearly ten months to complete a comprehensive review of the affected files. The investigation concluded on August 29, 2025, and the breach was officially reported to the relevant authorities on September 24, 2025.

The breach exposed a wide range of sensitive personal and medical information, leaving affected individuals at an increased risk of identity theft and other forms of fraud. The compromised data includes:

  • Patient names, addresses, dates of birth, and Social Security numbers.
  • Medical record numbers, patient account numbers, admission dates, health insurance details, medical treatment information, and medical claim data.
  • Financial account numbers and account types, which could open the door for financial fraud and theft.

This breach highlights the growing threat to healthcare organizations, where large amounts of sensitive data are stored and often targeted by cyber criminals looking to exploit vulnerable systems.

Immediate Actions Taken by Doctors Imaging Group

Upon discovering the breach, Doctors Imaging Group took immediate steps to investigate the suspicious activity and assess the overall security of its network. The company reported the incident to federal law enforcement and other regulatory bodies. In compliance with legal requirements, notification letters are being sent to all individuals whose data was affected, provided that contact information is available.

The investigation confirmed that both PHI and PII were compromised, exposing the sensitive data of tens of thousands of individuals. As part of its efforts to contain the breach and prevent future incidents, the healthcare provider is reviewing its internal security policies and procedures. It is also evaluating the implementation of new cybersecurity tools and practices to safeguard its network against future attacks.

What Affected Individuals Should Do

If you believe your data may have been compromised in this breach, Doctors Imaging Group advises affected individuals to remain vigilant and take the following steps:

  1. Carefully review your bank and credit card statements, as well as your health insurance explanation of benefits statements for any signs of unauthorized activity.
  2. Request your free annual credit reports from each of the three major credit bureaus, Equifax, Experian, and TransUnion. Review your credit history for any suspicious accounts or credit inquiries.
  3. If you detect any errors or fraudulent activity, immediately contact the relevant financial institution, insurance company, or healthcare provider. Early reporting can help minimize the potential impact of identity theft.

Additionally, you should consider placing a fraud alert or credit freeze on your credit file to make it more difficult for anyone to open new accounts in your name.

Strengthening Cybersecurity

Doctors Imaging Group has assured the public that it is taking this breach seriously. The healthcare provider is actively reviewing its cybersecurity infrastructure to identify vulnerabilities and implement stronger security measures. The company is also working with cybersecurity experts to bolster its defenses against potential future threats.

This incident serves as a reminder of the critical importance of safeguarding sensitive personal and medical information. With cyberattacks targeting the healthcare sector on the rise, both healthcare providers and patients must be more proactive in addressing security risks.

Final Thoughts

The breach at Doctors Imaging Group is yet another wake-up call for the healthcare industry. As healthcare organizations continue to store vast amounts of sensitive personal and medical data, the risks associated with cybersecurity incidents are greater than ever. Healthcare providers must prioritize robust security protocols and stay ahead of emerging threats to protect the privacy of their patients.

For individuals affected by the breach, it’s important to stay proactive in monitoring your personal and financial information. By staying vigilant, you can minimize the risk of falling victim to identity theft and other forms of fraud in the wake of a data breach.

huawei

Alleged Huawei Data Breach – Hacker Claims to Sell Stolen Source Code and Development Tools

by with No Comment Uncategorized

A threat actor has claimed responsibility for a major data breach at Huawei Technologies, a global technology giant headquartered in China. The hacker is reportedly attempting to sell what they allege is the company’s internal source code and development tools on a dark web forum.

The post, made public in early October 2025, asserts that the breach resulted in the theft of sensitive intellectual property.

Details of the Alleged Breach

The actor’s post lists a variety of internal assets they claim to have stolen, including source code, development tools, build files, scripts, and technical manuals. The hacker is reportedly asking for $1,000 for the data, with the price negotiable, and communications are being handled via the Session messaging platform.

This breach has attracted the attention of cybersecurity intelligence groups monitoring dark web activities. The incident adds to Huawei’s long history of security concerns and espionage allegations, particularly from Western nations.

A History of Scrutiny

For years, the U.S. government and other Western nations have raised alarms about potential espionage risks posed by Huawei’s equipment. These concerns date back to a 2012 U.S. House Intelligence Committee report, which warned that using Huawei’s technology could compromise national security interests.

In addition, Huawei has faced multiple allegations of intellectual property theft from competitors. One notable case emerged in 2019, when it was revealed that Vodafone Italy had discovered hidden backdoors in Huawei equipment between 2009 and 2012. The backdoors, which could have granted unauthorized access to the carrier’s network, were later described by Huawei as “technical mistakes” that were fixed, but the incident tarnished the company’s reputation.

In July 2025, a cyberattack targeting Huawei routers was linked to a nationwide telecom outage in Luxembourg, prompting a government investigation. Huawei has also been the target of state-sponsored hacking, including a 2009 breach in which the U.S. National Security Agency (NSA) infiltrated the company’s servers to uncover links to the Chinese military and steal source code.

Implications of the Alleged Breach

The full scope and authenticity of this latest breach are still under investigation. If the claims are validated, the exposure of Huawei’s source code and internal tools could have significant consequences. It could reveal new vulnerabilities in the company’s products, potentially opening doors for further attacks and allowing malicious actors to compromise Huawei’s global infrastructure.

Microsoft Secure Default Exchange and Teams

Microsoft Strengthens API Security for Exchange and Teams with Admin Approval Requirement

by with No Comment Cybersecurity News

As part of its ongoing efforts to strengthen cloud security, Microsoft is introducing a major policy update that will require administrator approval for all new third-party applications seeking access to Exchange and Teams data.

This change, part of Microsoft’s broader Secure Future Initiative, is scheduled to roll out between late October and late November 2025. The update falls under Microsoft’s “Secure by Default” approach, designed to tighten access controls and protect organizational data across Microsoft 365 environments.

What’s Changing and Why It Matters

The core of this update involves changes to the default consent policy managed by Microsoft. Moving forward, any new third-party app requesting access to Exchange or Teams content via APIs such as Microsoft Graph, Exchange Web Services, Exchange ActiveSync, POP3, or IMAP4 will now require explicit administrator approval before access is granted.

This policy does not impact existing apps that users have already authorized. However, if an app requests new permissions or a new user tries to authorize it, the administrator consent process will be triggered.

Organizations that have already implemented custom user consent policies will remain unaffected by this change.

A Consistent Security Approach Across Microsoft 365

This move aligns with previous Microsoft efforts to improve baseline security, including earlier changes to SharePoint and OneDrive, where legacy protocol access was blocked and admin consent was required for file-level third-party access.

By expanding this model to Exchange and Teams, Microsoft continues to harden its platform against potential abuse and unauthorized data access, without requiring customers to purchase additional licenses.

What IT Teams Should Do Now

To prepare for the rollout, Microsoft recommends several key actions for IT administrators:

  1. Review Existing Permissions
    Audit your current environment to identify third-party applications accessing mail, calendars, contacts, and Teams chat or meeting data.
  2. Enable the Admin Consent Workflow
    Set up the admin consent request workflow in Azure AD (Entra ID). Without this, users won’t have a way to request access to blocked apps.
  3. Create App Access Policies for Trusted Apps
    For critical third-party tools your organization relies on, preemptively create granular app access policies to avoid disruption.
  4. Communicate the Changes
    Inform IT teams, app owners, and security personnel about the upcoming policy shift. Update on-boarding documentation and internal guidelines accordingly.

This policy update underscores Microsoft’s commitment to improving tenant security by default, giving administrators greater control and visibility into third-party integrations. With rising threats targeting collaboration platforms and messaging systems, this is a timely and necessary evolution in Microsoft’s security posture.