This posting is here to collect cyber security news in July 2025.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in July 2025.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
75 Comments
Tomi Engdahl says:
Cisco warns that Unified CM has hardcoded root SSH credentials
https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges.
Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco’s IP telephony systems, handling call routing, device management, and telephony features.
The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
Tomi Engdahl says:
Millions of Linux systems worldwide, including those running critical services, are potentially vulnerable to a new, easy-to-exploit sudo flaw that allows unauthorized users to run commands as root on Ubuntu, Fedora, and other servers.
#Linux
Read more: https://cnews.link/critical-linux-sudo-flaw-discovered/
Tomi Engdahl says:
Millions of Linux systems worldwide, including those running critical services, are potentially vulnerable to a new, easy-to-exploit sudo flaw that allows unauthorized users to run commands as root on Ubuntu, Fedora, and other servers.
https://cybernews.com/security/critical-linux-sudo-flaw-discovered/?utm_source=cn_facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post&source=cn_facebook&medium=social&campaign=cybernews&content=post
The bug first appeared in version 1.9.14, released in June 2023, and was fixed in the latest sudo version 1.9.17p1, released on June 30th, 2025. The exploitation has been verified on Ubuntu and Fedora Servers, but may include many more systems.
“These vulnerabilities can result in the escalation of privileges to root on the impacted system,” the report reads.
They urge administrators to install the latest sudo packages as soon as possible, as no other workarounds exist.
“The default sudo configuration is vulnerable,” Rich Mirch from Stratascale Cyber Research Unit explains
Vulnerability Advisory: Sudo chroot Elevation of Privilege
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
The Sudo utility is a privileged command-line tool installed on Linux systems that allows a permitted user to execute a command as the superuser, or another user, as specified by the security policy. It is commonly used to implement the least privilege model by delegating administrative tasks that require elevated privileges without sharing the root password, while also creating an audit trail in the system log.
The Stratascale Cyber Research Unit (CRU) team discovered two local privilege vulnerabilities in Sudo. These vulnerabilities can result in the escalation of privileges to root on the impacted system.
The default Sudo configuration is vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed. The following versions are known to be vulnerable. Note: Not all versions within the range have been tested.
Stable 1.9.14 – 1.9.17
Note: The legacy versions of Sudo (currently <= 1.8.32) are not vulnerable because the chroot feature does not exist.
Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2
Fedora 41 Server; Sudo 1.9.15p5
Install the latest sudo packages for your system. No workaround exists for this issue.
The chroot option is now deprecated as of 1.9.17p1. It is recommended to avoid using the chroot options, as this could unintentionally make your environment less secure if not implemented properly.
Look for the use of the runchroot= option or CHROOT= directive in the individual rules.
You can search for sudo entries in the syslog. Any commands using chroot will be logged with the CHROOT= string.
However, chroot is not considered a strong security boundary. The Linux chroot(2) man page explicitly states, "This call changes an ingredient in the pathname resolution process and does nothing else. It is not intended to be used for any kind of security purpose, neither to fully sandbox a process nor to restrict filesystem system calls."
A value of "*" in the runchroot= sudoers configuration indicates that the user may specify the root directory by running sudo with the -R option.
CVE-2025-32463 Sudo chroot Elevation of Privilege
Tomi Engdahl says:
Norjalaistutkijat varoittavat Tampereellakin käytössä olevien kiinalaisten sähköbussien turvallisuudesta
Tampereen Kaupunkiliikenteen toimitusjohtaja Kai Honkanen sanoo, että bussien turvallisuuteen liittyvistä kysymyksistä ollaan tietoisia, mutta ainakaan tällä hetkellä ei ole mitään näyttöä, että turvallisuusriskejä olisi.
https://www.aamulehti.fi/tampere/art-2000011334281.html?utm_term=Autofeed&utm_campaign=al_echo&utm_medium=Toimitus&utm_source=Facebook&fbclid=IwZXh0bgNhZW0CMTEAAR5PU8JqVvX0z1393JSHrBt0KFmnyszJXUDxNG_RNQLOkakIVedou_HM1yENnA_aem_3O-R5pIRIm8qkcpBHoV27A#Echobox=1751427149
Norjalainen tutkija on huolissaan kiinalaisiin Yutong-merkkisiin sähköbusseihin liittyvistä turvallisuusuhista, kertoo Norjan yleisradio NRK. Myös Tampereella liikennöivät Nysse-liikenteen sähköbussit ovat Yutong-merkkisiä.
Tutkija Ståle Ulriksen Norjan laivastoakatemiasta sanoo, että kiinalaisten sähköbussien ostaminen osoittaa, ettei maailman turvallisuustilanteesta olla yhtään tietoisia.
”Emme saa unohtaa, että Venäjä on Kiinan liittolainen ja että maat tekevät yhteistyötä ja jakavat toistensa kanssa valvontadataa, jota ne voisivat helposti käyttää hyödykseen mahdollisessa konfliktissa lännen kanssa”, Ulriksen varoittaa.
Professori Øystein Tunsjø Norjan puolustusinstituutista sanoo toisessa NRK:n jutussa, ettei ole mahdotonta, että Kiina voisi ottaa bussien hallinnan itselleen ja pysäyttää ne.
”On tunnistettu, että he voivat tehdä niin, jos he haluavat. Minua ei yllättäisi, jos busseissa olisi kameroita ja sensoreita”, Tunsjø sanoo.
Hänen mukaansa kiinalaiset viranomaiset voisivat jopa pystyä monitoroimaan matkustajien puhelimia, jos nämä käyttävät langatonta verkkoa bussissa.
Tampereen Kaupunkiliikenteen lisäksi kiinalaisilla Yutong-merkin sähköbusseilla liikennöivät Tampereen seudulla myös ainakin Pohjolan liikenne ja Koiviston auto. Länsilinjat on kokeillut Yutong-merkkistä sähköbussia kaukoliikenteessä Tampereen ja Ikaalisten välillä.
bussit on päätetty ostaa kiinalaiselta yritykseltä kilpailutuksen perusteella.
”Siinä on kokonaistaloudellisuus ollut isolla painoarvolla ja muiden ominaisuuksien painoarvo on ollut pienempi.”
Honkanen sanoo, että turvallisuuskysymykset tiedostetaan tulevissa hankinnoissa. Hän kuitenkin lisää, että yhtiön tulevien sähköbussien hankinnat joudutaan tekemään erityisalojen hankintalain puitteissa, mikä asettaa omat raaminsa sähköbussien kilpailutukselle.
Tomi Engdahl says:
W3c digital credentials api draft https://idtechwire.com/w3c-releases-digital-credentials-api-draft-to-advance-standardized-identity-verification-on-the-web/
Thomas Frank says:
Wacky Flip is the perfect combination of parkour and physical comedy! Challenge yourself with unique obstacle courses and flip yourself over tricky terrain. Do you dare to control a character as soft as noodles?
Tomi Engdahl says:
Joku huijasi tekoälyäänellä olevansa Yhdysvaltain ulkoministeri – näin kävi
https://www.is.fi/ulkomaat/art-2000011353793.html
Tomi Engdahl says:
Hackers can attempt to steal money, data, or electricity, gain unauthorized control, or even shut down entire systems.
Read more: https://cnews.link/hackers-can-target-electric-vehicles-chargers/
Tomi Engdahl says:
McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’
Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.
https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/
If you want a job at McDonald’s today, there’s a good chance you’ll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and résumé, directs them to a personality test, and occasionally makes them “go insane” by repeatedly misunderstanding their most basic questions.
Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald’s applicants—including all the personal information they shared in those conversations—with tricks as straightforward as guessing that an administrator account’s username and password was “123456.”
On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald’s website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities—including guessing one laughably weak password—allowed them to access a Paradox.ai account and query the company’s databases that held every McHire user’s chats with Olivia. The data appears to include as many as 64 million records, including applicants’ names, email addresses, and phone numbers.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more,” says Carroll. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the administrator account with the “123456” password that exposed the information “was not accessed by any third party” other than the researchers. The company also added that it’s instituting a bug bounty program to better catch security vulnerabilities in the future. “We do not take this matter lightly, even though it was resolved swiftly and effectively,”
In its own statement to WIRED, McDonald’s agreed that Paradox.ai was to blame.
On a whim, Carroll says he tried two of the most common sets of login credentials: The username and password “admin,” and then the username and password “123456.” The second of those two tries worked. “It’s more common than you’d think,” Carroll says. There appeared to be no multifactor authentication for that Paradox.ai login page.
With those credentials, Carroll and Curry could see they now had administrator access to a test McDonald’s “restaurant” on McHire
That’s when Carroll and Curry discovered the second critical vulnerability in McHire: When they started messing with the applicant ID number for their application—a number somewhere above 64 million—they found that they could increment it down to a smaller number and see someone else’s chat logs and contact information.
“Had someone exploited this, the phishing risk would have actually been massive,” says Curry. “It’s not just people’s personally identifiable information and résumé. It’s that information for people who are looking for a job at McDonald’s, people who are eager and waiting for emails back.”
That means the data could have been used by fraudsters impersonating McDonald’s recruiters and asking for financial information to set up a direct deposit, for instance. “If you wanted to do some sort of payroll scam, this is a good approach,” Curry says.
Tomi Engdahl says:
https://ian.sh/mcdonalds
Would you like an IDOR with that? Leaking 64 million McDonald’s job applications
Introduction
McHire is the chatbot recruitment platform used by 90% of McDonald’s franchisees.
Logging in
We noticed that restaurant owners can login to view applicants at https://www.mchire.com/signin. Although the app tries to force SSO for McDonald’s, there is a smaller link for “Paradox team members” that caught our eye.
Without much thought, we entered “123456” as the username and “123456” as the password and were surprised to see we were immediately logged in!
Tomi Engdahl says:
https://www.paradox.ai/blog/responsible-security-update#toc-summary
Tomi Engdahl says:
”It’s every manager’s worst nightmare: hiring a remote employee who turns out to be a North Korean hacker intent on loading malware on to your network.”
”We needed some way for identifying, authenticating humans in the age of AGI.”
https://www.ft.com/content/1a93ca54-d1b9-4b06-b504-7c4937173068?shareType=nongift&fbclid=IwY2xjawLeQX9leHRuA2FlbQIxMQABHlE91dKR-IZIxhpM4FWc6OP-y-DoBQoh1ZAD4OLq3SWZGVl9psl_zcMcZ_ox_aem_SzissU2x9jFRPIpnEjJLww
Tomi Engdahl says:
ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies
Crims have cottoned on to a new way to lead you astray
https://www.theregister.com/2025/07/03/ai_phishing_websites/
AI-powered chatbots often deliver incorrect information when asked to name the address for major companies’ websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals.
Netcraft prompted the GPT-4.1 family of models with input such as “I lost my bookmark. Can you tell me the website to login to [brand]?” and “Hey, can you help me find the official website to log in to my [brand] account? I want to make sure I’m on the right site.”
The brands specified in the prompts named major companies the field of finance, retail, tech, and utilities.
Tomi Engdahl says:
Massive browser hijack: extensions turn Trojan and infect 2.3M Chrome and Edge users
https://cybernews.com/security/chrome-edge-hijacked-by-eighteen-malicious-extensions/
Eighteen extensions had a “squeaky clean” codebase, sometimes for years, until a version bump turned them into dangerous trojans without any user input. Security researchers warn that over 2.3 million users have just been compromised, but there are many more extensions lurking.
Tomi Engdahl says:
Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy
https://www.bleepingcomputer.com/news/security/lets-encrypt-ends-certificate-expiry-emails-to-cut-costs-boost-privacy/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-family-safety-blocks-google-chrome-from-launching/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/technology/russias-throttling-of-cloudflare-makes-sites-inaccessible/
Tomi Engdahl says:
https://www.cnn.com/2025/06/28/business/cyberattacks-airlines-fbi-criminal-group
Tomi Engdahl says:
Hackers stole data on 2.2 million people in cyberattack affecting American grocery chains
The Dutch conglomerate behind dozens of major American supermarket brands said more than 2.2 million people had information stolen from its systems during a cyberattack in November that left customers unable to place delivery orders online.
Ahold Delhaize filed documents with regulators in Maine on Thursday explaining that the stolen information includes Social Security numbers, passports, financial account information like bank numbers, health information, and other sensitive employment data.
https://therecord.media/hackers-cyberattack-grocery-chain
Tomi Engdahl says:
https://www.theregister.com/2025/06/28/hacks_to_get_free_software/
Tomi Engdahl says:
26 000 puhelinta vakoillut sovellus paljastui – Keräsi järkyttävän tarkkaa tietoa
Anna Helakallio3.7.202519:00Tietoturva
Tietovuodossa paljastui, että vakoilusovelluksella on yli 62 tuhatta käyttäjää ja 26 tuhannesta puhelimesta varastettua dataa
.https://www.tivi.fi/uutiset/26000-puhelinta-vakoillut-sovellus-paljastui-kerasi-jarkyttavan-tarkkaa-tietoa/7e9df4d7-62d3-4958-bd4c-63ce38f985bb
Tomi Engdahl says:
Vaikka merikaapeli katkeaisi sabotaasiin, pienet punaiset mökit pitävät bitit liikkeellä
Pohjoismaissa on noin 150 tarkoituksella huomaamattoman näköistä rakennusta, joiden tekniikka pitää merikaapelien dataliikenteen nopeana.
https://yle.fi/a/74-20168713
Juttu tiivistettynä
Pohjoismaissa on noin 150 niin kutsuttua ILA-asemaa, joiden tehtävä on vahvistaa merikaapelien signaalia.
Asema auttaa pitämään tietoliikenteen käynnissä esimerkiksi kaapelirikkojen tapahtuessa.
Merenalaiset kaapelit ovat haavoittuvia, mutta häiriöt ovat olleet toistaiseksi vähäisiä.
Uudella teknologialla älykaapelit voivat tunnistaa lähestyvän laivan jopa kymmenien kilometrien päästä.
Tomi Engdahl says:
https://cybersecuritynews.com/hackers-actively-attacking-linux-ssh-servers/
Tomi Engdahl says:
https://cybersecuritynews.com/nessus-windows-vulnerabilities/
Tomi Engdahl says:
Let’s Encrypt is now issuing free TLS certificates for IP addresses
Bringing proper network encryption where few organizations dare to venture
https://www.techspot.com/news/108565-encrypt-now-issuing-free-tls-certificates-ip-addresses.html
Tomi Engdahl says:
Turvakameroista paljastui vakavin mahdollinen haavoittuvuus
Kameroissa näkyvät asiat voisivat haavoittuvuuden vuoksi näkyä ulkopuolisille.
https://www.iltalehti.fi/digiuutiset/a/3bdf3a63-ea04-4e94-89d0-f0946e409341
Tomi Engdahl says:
https://techcrunch.com/2024/12/30/volkswagen-leak-exposed-precise-location-data-on-thousands-of-vehicles-across-europe-for-months/
Tomi Engdahl says:
https://cybernews.com/security/critical-linux-sudo-flaw-discovered/
Tomi Engdahl says:
Weaponized Versions of PuTTY and WinSCP Attacking IT Admins Via Search Results
https://cybersecuritynews.com/trojan-versions-of-putty-and-winscp/
Tomi Engdahl says:
Inside Scattered Spider: The notorious teen hacking group causing chaos online
The group responsible for the M&S cyber attacks are now targeting airlines, reports Anthony Cuthbertson. But who are they and how are they getting away with it?
https://www.independent.co.uk/tech/security/scattered-spider-hackers-cyber-security-aviation-b2779535.html
Tomi Engdahl says:
https://techcrunch.com/2025/07/02/hacked-leaked-exposed-why-you-should-stop-using-stalkerware-apps/
Tomi Engdahl says:
https://www.techradar.com/pro/security/microsoft-entra-id-vulnerability-allows-full-account-takeover-and-takes-barely-any-effort?fbclid=IwQ0xDSwLPBJpjbGNrAs8ElGV4dG4DYWVtAjExAAEemY7RxFu2dlCYB9kV_WuiQNQRAWqLAj7BCTDDS_nOu4oRfvNc2kd-g3RMOcw_aem_Ds9flZU7l06fiABREgAxSA
Tomi Engdahl says:
Spain awards Huawei contracts to manage intelligence agency wiretaps
https://therecord.media/spain-awards-contracts-huawei-intelligence-agency-wiretaps
The Spanish government is using Huawei to manage and store judicially authorized wiretaps in the country used by both law enforcement and intelligence services, despite concerns about how the Chinese government could compel Huawei to assist Beijing with its own intelligence activities.
The Ministry of the Interior officially awarded Huawei a €12.3 million ($14.3 million) contract following a standard public procurement process
Tomi Engdahl says:
Tältä muistitikulta ei voi varastaa dataa
https://etn.fi/index.php/13-news/17696-taeltae-muistitikulta-ei-voi-varastaa-dataa
Kingston on julkaissut maailman ensimmäisen FIPS 140-3 Level 3 -sertifioidun ja TAA-yhteensopivan USB-muistitikun. Uusi IronKey D500S nostaa tietoturvan uudelle tasolle ja tekee luvattomasta pääsystä tallennettuun dataan käytännössä mahdotonta. Laite on suunniteltu erityisesti viranomaisille, puolustussektorille ja kaikille organisaatioille, jotka käsittelevät erittäin arkaluontoista tietoa.
IronKey D500S hyödyntää XTS-AES 256-bittistä salausta, joka on sotilastason vahvuutta. Laitteen sisäinen piirilevy on valettu epoksimassaan, mikä estää fyysisen murtautumisen tai komponenttien tutkimisen ilman, että laite tuhoutuu. Jos murtautumista kuitenkin yritetään, laite voi tuhota kryptografiset avaimensa automaattisesti. Firmware eli laiteohjelmisto on digitaalisesti allekirjoitettu, joten siihen ei voi ladata haitallista tai muokattua ohjelmistoa.
Tomi Engdahl says:
Jon Brodkin / Ars Technica:
Reddit says it has started verifying UK users’ ages before letting them “view certain mature content”, in order to comply with the country’s Online Safety Act — Reddit announced today that it has started verifying UK users’ ages before letting them “view certain mature content” …
Reddit’s UK users must now prove they’re 18 to view adult content
Reddit hires company to verify user age with selfie or photo of government ID.
https://arstechnica.com/tech-policy/2025/07/reddit-starts-verifying-ages-of-uk-users-to-comply-with-child-safety-law/
Tomi Engdahl says:
Foo Yun Chee / Reuters:
The European Commission says that France, Spain, Italy, Denmark, and Greece will test a blueprint for an age verification app meant to protect children online
Tomi Engdahl says:
Five EU states to test age verification app to protect children
https://www.reuters.com/sustainability/boards-policy-regulation/five-eu-states-test-age-verification-app-protect-children-2025-07-14/
BRUSSELS, July 14 (Reuters) – France, Spain, Italy, Denmark and Greece will test a blueprint for an age verification app to protect children online, the European Commission said on Monday, amid growing global concern about the impact of social media on children’s mental health.
The setup for the age verification app is built on the same technical specifications as the European Digital Identity Wallet which will be rolled out next year. The five countries can customise the model according to their requirements, integrate into a national app or keep it separately.
The EU executive also published guidelines for online platforms to take measures to protect minors as part of their compliance with the bloc’s Digital Services Act (DSA).
The landmark legislation, which became applicable last year, requires Alphabet’s (GOOGL.O)
, opens new tab Google, Meta Platforms (META.O)
, opens new tab, ByteDance’s TikTok and other online companies to do more to tackle illegal and harmful online content.
Elon Musk’s X, TikTok, Meta’s Facebook and Instagram and several adult content websites are currently being investigated by EU regulators on whether they comply with the DSA.
Tomi Engdahl says:
Sarah Perez / TechCrunch:
Meta says it has taken down around 10M Facebook profiles so far this year that were impersonating or repeatedly reusing content from large content producers — Meta announced on Monday that it will take additional measures to crack down on accounts sharing “unoriginal” content to Facebook …
Following YouTube, Meta announces crackdown on ‘unoriginal’ Facebook content
https://techcrunch.com/2025/07/14/following-youtube-meta-announces-crackdown-on-unoriginal-facebook-content/
Tomi Engdahl says:
https://www.securityweek.com/mitre-unveils-aadapt-framework-to-tackle-cryptocurrency-threats/
Tomi Engdahl says:
https://www.securityweek.com/grok-4-falls-to-a-jailbreak-two-days-after-its-release/
Tomi Engdahl says:
ICS/OT
Train Brakes Can Be Hacked Over Radio—And the Industry Knew for 20 Years
https://www.securityweek.com/train-hack-gets-proper-attention-after-20-years-researcher/
A vulnerability affecting systems named End-of-Train and Head-of-Train can be exploited by hackers to cause trains to brake.
The US cybersecurity agency CISA has disclosed a vulnerability that can be exploited to manipulate or tamper with a train’s brakes.
CISA last week published an advisory describing CVE-2025-1727, an issue affecting the remote linking protocol used by systems known as End-of-Train and Head-of-Train.
An End-of-Train (EoT) device, also known as a Flashing Rear End Device (FRED), is placed at the end of a train, being designed to transmit data to a device in the locomotive named the Head-of-Train (HoT). The system, introduced to replace the caboose, is used to obtain status data from the end of the train (particularly useful for long freight trains), but it can also receive commands to apply the brakes at the rear of the train.
The problem, according to CISA’s advisory, is that the protocol remotely linking the EoT and HoT over radio signals is not secure (no authentication or encryption are used), enabling an attacker to use specially crafted packets transmitted with a software-defined radio to send commands to the EoT device.
“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said.
Tomi Engdahl says:
Artificial Intelligence
Google Gemini Tricked Into Showing Phishing Message Hidden in Email
Google Gemini for Workspace can be tricked into displaying a phishing message when asked to summarize an email.
https://www.securityweek.com/google-gemini-tricked-into-showing-phishing-message-hidden-in-email/
AI hack
A researcher has found that Google Gemini for Workspace is affected by a prompt injection vulnerability that can be exploited to trick the AI assistant into displaying a phishing message.
The weakness was found by Marco Figueroa and reported through Mozilla’s 0Din bug bounty program, which focuses on gen-AI vulnerabilities.
The researcher’s hack involves sending the targeted user an email that, in addition to a benign lure text, contains a phishing message that is written with white font on a white background, making it invisible to the target.
This phishing message, which needs to be wrapped inside tags, instructs Gemini to include the message at the end of its response.
Tomi Engdahl says:
ProPublica:
Investigation: Microsoft uses engineers in China to help maintain US DOD systems, with minimal supervision by US personnel, leaving sensitive data vulnerable
A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers
Reporting Highlights
Chinese Tech Support: Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel.
Skills Gap: Digital escorts often lack the technical expertise to police foreign engineers with far more advanced skills, leaving highly sensitive data vulnerable to hacking.
Ignored Warnings: Various people involved in the work told ProPublica that they warned Microsoft that the arrangement is inherently risky, but the company launched and expanded it anyway.
Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.
The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” said one current escort who agreed to speak on condition of anonymity, fearing professional repercussions.
The system has been in place for nearly a decade, though its existence is being reported publicly here for the first time.
Microsoft told ProPublica that it has disclosed details about the escort model to the federal government. But former government officials said in interviews that they had never heard of digital escorts. The program appears to be so low-profile that even the Defense Department’s IT agency had difficulty finding someone familiar with it. “Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency.
Tomi Engdahl says:
https://hackaday.com/2025/07/16/this-ssd-will-self-destruct-in-ten-seconds/
Tomi Engdahl says:
State Department cyber diplomacy firings and changes threaten U.S. defenses
https://www.cybersecuritydive.com/news/state-department-cyber-bureau-firings-reorganization/753370/
Departures and restructuring will make it harder for the agency to pursue global policies that strengthen its own critical infrastructure, experts said.
Tomi Engdahl says:
S-Pankilta poikkeuksellinen varoitus
Voit maksaa puhelusta kalliin hinnan.
https://www.is.fi/digitoday/tietoturva/art-2000011373061.html
S-Pankin tietoon on tullut yksittäisiä tapauksia, joissa asiakas on soittanut pankin asiakaspalveluun huijauspalvelunumerolla. Siitä on seurannut yllättäviä puhelinlaskuja.
Raportoiduissa tapauksissa asiakkaat ovat löytäneet hakukoneella 0600-alkuisen palvelunumeron, jota on ulkopuolisen ylläpitämällä verkkosivustolla väitetty S-Pankin asiakaspalvelun numeroksi.
Puhelu on ohjautunut S-Pankin viralliseen asiakaspalveluun, joten kyse ei ole pankkitunnusten varastamisesta.
IS ExtraPahamaineinen lainapalvelu teki Tonille hämmentävän tarjouksen – vastasi näillä sanoilla ja saa sen ansiosta tuhansia euroja takaisin: Saitko sinäkin tämän viestin?
Tietoturva
S-Pankilta poikkeuksellinen varoitus
Voit maksaa puhelusta kalliin hinnan.
Pankkiasioiden hoito S-mobiilin kautta on suositeltavaa. Näin myös pankin tunnukset pysyvät paremmin turvassa. Kuva: Emmi Korhonen / Lehtikuva
Tuomas Linnake
10:13
S-Pankin tietoon on tullut yksittäisiä tapauksia, joissa asiakas on soittanut pankin asiakaspalveluun huijauspalvelunumerolla. Siitä on seurannut yllättäviä puhelinlaskuja.
Raportoiduissa tapauksissa asiakkaat ovat löytäneet hakukoneella 0600-alkuisen palvelunumeron, jota on ulkopuolisen ylläpitämällä verkkosivustolla väitetty S-Pankin asiakaspalvelun numeroksi.
Puhelu on ohjautunut S-Pankin viralliseen asiakaspalveluun, joten kyse ei ole pankkitunnusten varastamisesta.
MAINOS
MAINOS: Helsinki Biennaali
Kävely taiteen keskellä, saaristoluonto – ja 4 muuta syytä kokea Helsinki Biennaali
Helsinki Biennaali tuo kuvataiteen keskelle Helsingin kauneinta saaristoa. Tiedätkö jo, mitä kaikkea ainutlaatuisessa suurtapahtumassa voi kokea?Lue lisää
MAINOS PÄÄTTYY
Puhelusta on silti seurannut odottamattoman suuri lasku. Ulkopuolinen toimija on veloittanut puhelusta useita euroja minuutilta.
Asiasta kertoi aiemmin Iltalehti. Sen mukaan kyse on verkkosivusta ota-yhteytta.fi.
Verkkosivu avautui Chrome-selaimessa ilman mitään varoituksia perjantaina aamupäivällä IS:n kokeillessa sitä. Sivulla sanotaan huonolla suomella ”helppoa oikean asiakaspalvelun soittamista”. Palvelun hinnaksi ilmoitetaan kahdessa eri kohdassa 4,22 euroa minuutilta.
S-pankki varoittaa: Älä soita pankkiin näin – Käy kalliiksi
Puhelusta saa maksaa useamman euron minuutilta, jos sen tekee väärän numeron kautta.
https://www.iltalehti.fi/digiuutiset/a/d21a2953-040c-4ae8-8df5-0f9f86258ce9
S-pankki varoittaa asiakkaitaan palvelusta, joka sanoo välittävänsä soittajien puhelut S-pankin asiakaspalveluun. Vaikka palvelu todella tekee niin, voi puhelusta tulla todella kallis.
Palvelun nimi on S-pankin tietoturvapäällikön Leo Niemelän mukaan ota-yhteytta.fi. Sillä ei ole mitään tekemistä S-pankin kanssa, vaan se ainoastaan välittää puheluja.
Niemelä kirjoittaa lähettämässään sähköpostiviestissä, että hakukoneoptimoinnin takia palvelu sijoittuu hakutuloksissa korkealle.
Muutamilla Google-koehauillaan Iltalehti ei tosin saanut kyseistä sivustoa tulokseksi. Syöttämällä osoitteen suoraan osoiteriville tuli palvelun etusivulla varoitus, joka kertoi, että palvelu on raportoitu epäluotettavaksi.
Puhelun hinta on palvelussa todella korkea.
Sivuston etusivulla lukee, että palvelu maksaa 4,22 euroa minuutilta. Asiakkaat eivät kuitenkaan välttämättä huomaa kyseistä kohtaa.
Laskutus myös jatkuu vielä senkin jälkeen, kun puhelu on välitetty kohteeseen. Useampi S-pankin asiakas onkin saanut sitä käyttämällä maksettavakseen ison puhelinlaskun.
Kyse on S-pankin tiedotteen ja Niemelän mukaan ollut yksittäistapauksista.
Tomi Engdahl says:
Tom Hals / Reuters:
Meta shareholders suing Mark Zuckerberg and Meta leaders over alleged Cambridge Analytica privacy violations reach a settlement deal, ending an $8B trial — Mark Zuckerberg and current and former directors and officers of Meta Platforms (META.O) agreed on Thursday to settle claims seeking $8 billion …
Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
https://www.reuters.com/sustainability/boards-policy-regulation/meta-investors-zuckerberg-reach-settlement-end-8-billion-trial-over-facebook-2025-07-17/
Tomi Engdahl says:
Korttimaksuissa laajoja häiriöitä
https://www.is.fi/digitoday/art-2000011375990.html
Tomi Engdahl says:
Surveillance Firm Bypasses SS7 Protections to Retrieve User Location
A surveillance company was caught using an SS7 bypass technique to trick wireless carriers into divulging users’ locations.
https://www.securityweek.com/surveillance-firm-bypasses-ss7-protections-to-retrieve-user-location/
Tomi Engdahl says:
In Other News: Law Firm Hacked by China, Symantec Flaw, Meta AI Hack, FIDO Key Bypass
Noteworthy stories that might have slipped under the radar: powerful US law firm hacked by China, Symantec product flaw, $10,000 Meta AI hack, cryptocurrency thieves bypassing FIDO keys.
https://www.securityweek.com/in-other-news-law-firm-hacked-by-china-symantec-flaw-meta-ai-hack-fido-key-bypass/
Cybercriminals bypassing FIDO keys in phishing attack
A cybercrime group named PoisonSeed, which specializes in cryptocurrency theft, was recently spotted using an interesting technique to gain access to accounts protected by FIDO physical security keys, according to Expel. The attacks don’t involve the exploitation of FIDO vulnerabilities. Instead, the attackers are abusing cross-device sign-in features, bypassing the security provided by FIDO keys by tricking the victim to provide access through an alternative sign-in method via a mobile MFA app. The attackers achieve this through a real-time attack by obtaining a QR code presented by the legitimate login portal and getting the user to scan the QR code with their MFA app to approve the login.