This week
A condensed format this week because I’m travelling.
- The FBI says Salt Typhoon compromised at least 200 US companies, substantially more than the nine telcos previously disclosed. US authorities have attributed Salt Typhoon to a Chinese-backed group. When news of the campaign originally broke, the emphasis was on the theft of call records useful for espionage purposes. A joint advisory from US, Australian, Canadian, New Zealand, UK, Czech, Finnish, German, Italian, Japanese, Dutch, Polish, and Spanish intelligence this week warns that the group’s interests are broader. The group “focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers” to siphon off Internet traffic. SALT TYPHOON, ADVISORY (PDF)
- Anthropic issued a report this week saying cybercriminals had used its systems to commit large-scale, automated campaigns. Amongst the six ‘case studies’ were North Koreans scaling their fraudulent IT worker scams, vibe coding AI agents to improve data extortion operations, and an AI-generated ransomware-as-a-service campaign. Anthropic was quick to point out that they have “developed sophisticated safety and security measures to prevent the misuse of our AI models”. It’s great that they are sharing details (the report is an interesting read), but obviously not great that you could use their platform to run an entire ransomware attack. (h/t Tim) ANTHROPIC, MORE, REPORT (PDF)
- South Korea’s privacy commissioner has fined SK Telecom (SKT) a record ₩134.5 billion ($97 million) for failing to secure its customers’ information. SK disclosed a staggering breach in April this year, requiring it to offer replacement SIMs to its 27 million subscribers (South Korea’s population is 50 million). The Personal Information Protection Commission (PIPC) report is damning, with failures at every turn: SK “did not even implement basic access controls”, it did not monitor IDS logs, stored 4,899 credentials for 2,365 servers in plaintext on a management server, did not encrypt the USIM authentication keys for its subscribers, and more. It’s a staggering lack of cyber security consideration. SKT
Interesting stats
76% of CISOs feel at risk of experiencing a material cyberattack in the next 12 months, though just 58% say they are unprepared to respond, and 66% say they would consider paying a ransom to prevent data leaks or restore systems, according to a survey of 1,600 CISOs by Proofpoint. LINK
$1.5 million stolen by a BEC scammer who tricked The City of Baltimore into changing the bank details of a contractor. LINK
In brief
- ⚠️ Incidents: Salesforce breaches rumble on: Farmers Insurance has disclosed a breach affecting 1.1 million customers, the latest in a string of Salesforce CRM compromises for high-profile brands. Credit agency TransUnion has disclosed a breach impacting over 4.4 million people, though it says “no credit information was accessed”. Google security researchers believe that over 700 organisations may have been compromised after UNC6395 (potentially linked to ShinyHunters or Scattered Spider) compromised Salesloft’s SalesDrift AI chat integration, and used OAuth tokens to access customer environments. FARMERS, TRANSUNION, SALESLOFT
- 🧿 Privacy: Department of Government Exfiltration: A Social Security Administration whistleblower says that Department of Government Efficiency (DOGE) employees made a copy of 450 million Social Security records to a cloud environment that “circumvents oversight”, leaving the personal data of hundreds of millions of Americans at risk of compromise. SOCIAL SECURITY
- 🕵️ Threat Intel: Fake NDAs: Threat actors are targeting industrial and tech companies with malware-laden fake ‘non-disclosure agreements’ (NDAs) in PDFs submitted via contact forms on the target’s website. Some organisations trust submissions via these more than general enquiry emails, and they may bypass other security protections. NDAs
- 🪲 Vulnerabilities: Citrix NetScaler admins need to patch three vulnerabilities, including a critical remote code execution issue (CVE-2025-7775; 9.2/10). CITRIX (ADVISORY)
And finally
- Dan Goodin, senior security editor at Ars Technica, has written a takedown of the “Passkeys Pwned” presentation given on the main stage at this year’s DEFCON. Instead of “[breaking] the myth that passkeys cannot be stolen”, Goodin points out that the research relies on a compromised web browser — not something passkeys are intended to protect against, and at that point, broadly, all bets would be off. Coincidentally, the researchers all work for a browser security company. DEBUNK, PRESENTATION