This Week
A condensed format this week because I’m travelling. Some interesting bits coming out of Hacker Summer Camp (Black Hat, DEF CON, et al):
- Ghost Call tactic abuses MS Teams and Zoom to open and tunnel command and control (C2) traffic via TURN and WebRTC protocols. GHOST CALL
- Promptware stacks embedding Gemini instructions in Google Calendar invites and using these to control Google Home devices and manipulate other apps. PROMPTWARE
- Satellites: Lots of vulnerabilities in open source packages and libraries used to control satellites. The Register highlights that hacking a foreign satellite may be cheaper than throwing a rocket at it. SATELLITES
- Autonomous vulnerability remediation: Team Atlanta, Trail of Bits and Theori were announced as winners of the AI Cyber Challenge at DEF CON this week, placing first, second, and third, respectively. The two-year competition, organised by the Defense Advanced Research Projects Agency (DARPA), aimed to stimulate the development of AI tools that can autonomously find and fix software vulnerabilities. Of the 70 synthetic vulnerabilities that the agency created in millions of lines of code, the finalists discovered 54 (a 77% success rate) and patched 43 (61%). Seven teams made it to the finals, and all have committed to open-sourcing their tools. RESULTS, AIxCC, REPOS
Interesting stats
320 incidents over the past 12 months (up 220%) of North Koreans posing as IT workers or software developers, according to CrowdStrike
$17 million in bug bounties paid to 334 security researchers who discovered 1,469 eligible security vulnerabilities in the past year, in Microsoft’s programme
1/4 organisations have an incident response plan and have rehearsed it, according to Microsoft
If you’re part of the 75% that doesn’t have a plan and hasn’t rehearsed one, you can grab Cydea’s free, open source IR plan and drop us a line if you’re interested in an IR exercise.
In brief
- 🧰 Guidance and tools: NCSC’s Cyber Assessment Framework (CAF) v4.0 was released this week. Changes include new sections on attacker methods and motivations, as well as software development and maintenance security, updates to monitoring and threat hunting, and enhanced coverage of AI-related risks. The CAF is primarily designed for critical infrastructure organisations operating essential services. CAF
- ⚠️ Incidents: Bouygues, France’s third largest telco, says that it has suffered a cyberattack that resulted in the compromise of 6.4 million customers’ data. Bouygues has over 18 million mobile and over 4 million fibre broadband customers. BOUYGUES
- 🪲 Vulnerabilities: Patch Microsoft Exchange, if you run it on-prem. A high-severity vulnerability in the email and collaboration software, CVE-2025-53786 (8.0/10), can allow an attacker to jump to hybrid-joined Microsoft tenants and gain full control of the cloud systems. CISA joined Microsoft in warning users. The April 2025 Exchange Server Hotfix Update (what a mouthful) addresses the issue, if you haven’t already applied it. SonicWall is telling customers to turn off SSLVPN functionality following suspicions that cybercriminals are exploiting a zero-day vulnerability to launch ransomware attacks. There is a critical vulnerability among five discovered in the firmware of Broadcom’s ControlVault security chip, which Dell uses in over 100 laptop models. It’s firmware-level stuff that could allow malicious code to be hidden from security tooling. EXCHANGE (CISA, ADVISORY), SONICWALL (STATEMENT), BROADCOM (ADVISORY)
- 💰 Investments, mergers and acquisitions: SAFE has raised a $70M Series C round as it diversifies from cyber risk quantification to third-party risk management, continuous threat exposure management, and a ‘CyberAGI’. European cyber business WithSecure may be going private, with a consortium of CVC Capital Partners and founder Risto Siilasmaa announcing a cash offer for shareholders, amounting to a 94% premium on the twelve-month trading price. SAFE, WITH
And finally
- A Thai hospital has been fined 1.21 million baht ($37,000) after patient records ended up being used as street food wrappers. Thailand’s Personal Data Protection Committee (PDPC) fined the unnamed hospital, having found 1,000 records ended up adorning fast food. The hospital had sent them for destruction with a “secure disposal” business, which admitted fault and stated that the records had leaked after being stored at their home. THAI