The Register
Brit Scattered Spider duo handed tickets to prison over Transport for London attack
The two British Scattered Spider members collared for carrying out the 2024 cyberattack on Transport for London (TfL) will each spend five and a half years in prison after being sentenced on Thursday. Owen Flowers, 18, and Thalha Jubair, 20, were sentenced to five years and six months' imprisonment each, having pleaded guilty in June, in turn receiving a 15 percent reduction in their sentences. Sentencing the pair at Woolwich Crown Court, Mr Justice Turner noted both cybercriminals' immaturity, but acknowledged the sophistication of the offending, the scale of the impact on TfL, the significant planning behind the attack, and that both knew the criminality of their actions. Mr Justice Turner further noted the age gap between the pair, and that the one year and four months Jubair has on Flowers "marks a potentially significant distinction in maturity." The judge also acknowledged both defendants' neurodiversity in passing the sentence, which he said was the most lenient, while still reflecting the seriousness of their offenses. Flowers and Jubair were described by authorities as members of Scattered Spider, the loosely connected group of English-speaking individual cybercriminals thought to be mostly young men aged 16-25. Scattered Spider has been one of the most prominent cybercrime groups of the past few years, claiming responsibility for major attacks such as those on MGM Resorts in 2023 and the attacks on British retail giants in 2025. The National Crime Agency (NCA) said the group presented the most significant cyber threat to the UK, and today's sentencing closes the book on the biggest prosecution of cyber offenders in UK history. NCA officials have continually refused to comment on whether Flowers or Jubair were linked in any way to other major attacks claimed by Scattered Spider. The sentencing marks only the second conviction under Section 3ZA of the Computer Misuse Act 1990 (CMA) – reserved for the most serious offenses. Section 3ZA covers unauthorized acts involving computers that cause, or create a significant risk of, serious damage, where the offender intends to cause that damage or is reckless as to whether it occurs. Flowers and Jubair pleaded guilty on the basis that their actions were reckless. The only previous 3ZA conviction came last year and involved a former GCHQ intern who was jailed for six years following a national security investigation. The NCA said there were no parallels between this case and the TfL attack. Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said: "This is the largest cybercrime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS, and our policing partners. "Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice. "The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK's critical infrastructure. These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances. "We will continue working with partners in the UK and overseas to identify offenders and bring them to justice." Andy Lord, London's Transport Commissioner, said: "We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced. "The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL." How TfL attack unfolded Scattered Spider members are known for their phishing, voice phishing ("vishing"), and social engineering tactics to gain footholds in target networks, and TfL was no different. Flowers and Jubair purchased partial TfL credentials from "well-known criminal forums" and used those to reset the 2FA on employee accounts, a process that took multiple attempts. Woolwich Crown Court heard that the pair impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account. The pair gained access to TfL's network on August 31, 2024, and held on to that access until September 3. During this time, they worked to elevate their privileges and gain access to key internal systems, including databases containing information on what was originally thought to be only around 5,000 people. It wasn't until earlier this year that it became known that Scattered Spider actually gained access to around 7 million users' data. The attack had minimal disruption to the transport network in real terms, although the availability of several services suffered, such as account logins, customer portals, and third-party apps reliant on TfL data. TfL was not able to issue photo travel cards to Londoners until December 4, 2024. A limited number of ticket machines also malfunctioned as a result of the attack, and travelers paying by contactless card were unable to view their journey histories online. All of the organization's employees, around 28,000 of them, a considerable proportion of whom were allowed to work remotely, were summoned to TfL's offices to reset their passwords because of uncertainties around whether the attackers were still in the network. Although train and bus services were not affected, the costs associated with remediating the attack climbed to £29 million ($39 million). Several complexities The NCA said the investigation that led to today's sentencing was perhaps even more complicated than Operation Chronos, which crippled the once-dominant LockBit ransomware group. Bringing Flowers and Jubair to justice involved delicate management, owing to their ages, backgrounds, and neurodiversity. Flowers, for example, was known to UK law enforcement prior to the TfL attack, and investigating officers suspected his involvement from the outset, although he could not be named until September last year due to his age. The teenager was initially arrested on suspicion of his involvement in the TfL attack on September 6, 2024, at his three-bedroom home in Walsall, where he lived with his maternal grandmother and uncle. Officials say Flowers spent most of his time at home in his bedroom playing computer games and using chat forums, and was primarily motivated by gaining notoriety among cybercrime circles. He was charged and later released on bail conditions, which he breached twice in October 2024 and again in May 2025 after being handed a warning two months earlier. Before TfL, Flowers had committed lower-level computer offenses. He was visited by police in October 2023 and handed a cease-and-desist order, which officers hoped would deter the then-16-year-old from reoffending. Flowers was also offered training and given advice around CMA offences but officials say he did not want to engage in any of this. Between then and the TfL attack a year later, Flowers continued to commit offenses of increasing severity. The NCA's Foster said the proposed Cyber Crime Risk Orders, announced in the most recent King's Speech, could have enabled officers to arrest Flowers sooner and impose restrictions that could have better prevented possible reoffending. Existing powers, such as serious crime prevention orders, cannot be applied to offenders under the age of 18, and some CMA offenses do not meet the criteria for serious crime, leaving a gap in the police's ability to manage the risk of reoffending. "The proposed cybercrime risk orders would provide law enforcement with a proportionate preventative tool, similar in principle to sexual risk orders to impose conditions that help to protect the public and businesses whilst an investigation continues," said Foster. "Those conditions would be actively monitored, and any breach could result in criminal sanctions, including imprisonment, and that's regardless of whether the underlying investigation has concluded. "And I'd suggest that a Cyber Crime Risk Order, should one have been available to us, would have allowed us to arrest Flowers sooner, potentially acting on information provided by US or Australian partners." Both Flowers and Jubair have autism, and Jubair is also diagnosed as having depression and severe mood disorder. Like Flowers, Jubair was also previously known to UK police, principally due to his prior conviction in 2023 related to his involvement in the Lapsus$ crew that hacked the likes of BT/EE and Nvidia. During the proceedings, Jubair sat in court alongside fellow Lapsus$ member Arion Kurtaj, who BBC's Joe Tidy recently revealed is now awaiting trial after his indefinite hospital order ended. Under the age of 18 at the time, and therefore unable to be named publicly, Jubair received an 18-month youth rehabilitation order, which included a ban on using a VPN, but quickly began reoffending. Officials pointed to Jubair's reoffending as another example of why Cyber Crime Risk Orders are needed, since the existing legal mechanisms that limit the freedoms of criminals such as burglars and sexual predators are not effective for cyber offenders. Jubair lived in a two-bedroom apartment on the third floor of a 21-storey council block in Bow, London, with his two Bangladeshi parents, who both work as carers. He also faces charges further afield in the US, which were unsealed in September 2025. Acting through his Scattered Spider role, between May 2022 and September 2025, Jubair is accused of compromising 120 networks belonging to 47 US entities, including critical national infrastructure and the federal court system, which resulted in more than $115 million in ransom payments being transmitted. In the UK, Jubair has 22 previous convictions in total, including 13 for fraud and one for blackmail. He was also previously sentenced for stalking and harassing two young women online. His offending began when he was 14 years old, and officials said he had an interest in computers from an early age. Jubair, who was first arrested in February 2021, learned to code by age 13. He attended school in the Bow region of London, had a number of GCSE qualifications, and had attempted to enroll in local colleges. Arrests and evidence gathering Flowers' arrest was by far the more significant of the two in terms of collecting evidence linking the pair to the TfL attack. NCA officers arresting Flowers also seized a number of devices, including laptops, tower computers, and USB storage devices. The analysis of one Acer laptop, owned by Flowers, proved to be the pair’s undoing. Forensic analysis revealed that Flowers had accessed the remote infrastructure and virtual machines that were used to carry out the TfL attack. Damningly, officers also found videos and screenshots, produced by Flowers, depicting the TfL attack in progress. Woolwich Crown Court heard that the pair livestreamed the 16-hour attack online. They were able to tie the payment used for the remote infrastructure to a cryptocurrency account found on Flowers' computer and prove that the laptop was connected to this infrastructure at the time of the attack. Further, Flowers used the same cryptocurrency account to pay for food deliveries he ordered to his home address. The teen's computer stored spreadsheets containing partial credentials for TfL employees and contained evidence linking him to cyberattacks on US healthcare organizations SSM Health Care Corporation and Sutter Health. The same computer also contained artifacts linking the activity to Jubair. Officials said they had access to certain chat logs within which a specific moniker appeared frequently. They tied this alias to Jubair because it was the same one used to discuss specific flight bookings, hotel bookings, and food deliveries, all of which could clearly be linked to the 20-year-old. And Officers found evidence of a cloud storage account containing TfL data, to which Flowers and Jubair had access. Devices seized from Jubair revealed comparatively little, other than that he had shown an interest in TfL's systems as far back as 2022. ®
Categories: News
Windows 10 refuses to die, and the security bill is coming due
A hard core of Windows 10 devices cannot or will not be migrated to Windows 11, leaving enterprises with a growing security problem as support options run out. According to asset tracking service Lansweeper, Windows 10 still runs on 16.9 percent of the Windows devices it monitors, or "roughly one in six." A year ago, the operating system accounted for about half of the machines in its dataset, falling to the low-to-mid 40 percent range by the time Microsoft ended standard support. The decline continued after that, reaching 18.6 percent in June, but Lansweeper says migration has now slowed to a crawl. This presents a problem because even installations enrolled in the Extended Security Updates (ESU) program, under which Microsoft has committed to fixing security bugs, will eventually become vulnerable. Consumer devices can receive security updates until October 12, 2027, while commercial customers willing to pay can extend coverage until October 10, 2028. After that, the fixes stop. Small and medium-sized businesses (SMBs) are particularly exposed. Lansweeper reckons that 21.4 percent of SMB machines still run Windows 10, with cost usually being the constraint that keeps the legacy operating system running. The exposure is greater in some sectors, with 23 percent of healthcare and pharmaceutical systems sticking with Windows 10, while consumer and retail devices hover at 22.7 percent. According to Lansweeper's data, "a Windows 10 device carries an average of 1,903 active CVEs against 652 on Windows 11. That's a 2.9x gap." Esben Dochy, principal technical evangelist at the company, told The Register that "the Windows 10 average also includes devices that have ESU patches applied." Part of the problem, according to Lansweeper, is "patch diffing," in which Windows 11 fixes can be reverse-engineered to find flaws in Windows 10. "The supported OS effectively hands attackers a map into the unsupported one," Lansweeper said. According to Lansweeper's figures, 14 percent of Windows 10 assets have ESU patches applied. "I think a meaningful share of the remaining Windows 10 estate isn't being actively unpatched by neglect," Dochy said. "It's being held in place by vendor dependency, certification gaps, cost, or accepted risk. Certified equipment is a good example: many medical devices or industrial systems have their OS tied directly to vendor certification, and in some cases a Windows 11-certified version of that device or software doesn't exist yet. The same applies in retail, where devices are often vendor-locked to specific OS versions for compliance or warranty reasons. "For a lot of this hardware, the vendor is contractually responsible for maintaining the device, including any OS changes, so simply enrolling in ESU as a customer may not resolve the underlying problem. The real fix depends on the vendor's own certification timeline for Windows 11, and the cost that comes with the eventual upgrade or replacement. There are also devices sitting in air-gapped or isolated environments, where the risk is knowingly accepted for now rather than actively managed, so ESU enrollment simply isn't a priority." It's not a great situation, and the apparent stalling of Windows 11 adoption doesn't help. Looking at other market share measures such as Statcounter, there was little change in the share of Windows 10 and its successor over the last few months after a surge following the end of support. As Lansweeper noted: "The easy migrations are done. What's left is the hard core: devices that haven't moved because they can't or won't." Compounding the issue is the rising cost of new PC hardware, a trend unlikely to improve in the near term. According to Microsoft, "the ESU program helps reduce the risk of malware and cybersecurity attacks by providing access to critical and important security updates." Microsoft has extended the program for consumer devices, perhaps in recognition that there are an awful lot of Windows 10 machines still out there. Lansweeper's figures also underline the need for administrators to know which Windows 10 devices remain in their estates and whether each is fully patched. While many devices will have some level of protection, others will not, and over time, the proportion of vulnerable Windows 10 devices will grow, particularly where a move to Windows 11 is not an option. ®
Categories: News
Telegram shortlinks knocked offline over sanctioned VPN connection
The operator of the .ME domain registry has confirmed that Telegram's t.me shortlinks stopped working for around a day while the messaging platform verified that links associated with a sanctioned VPN service had been removed. The US Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS) on July 13 for selling services to ransomware groups and other cybercriminals. Shortly after, users across the app reported problems with t.me links, which Telegram uses to share links to channels, groups, and profiles. Founder and CEO Pavel Durov publicly asked the .ME domain registry to look into it and Domain.Me confirmed the issues were related to OFAC sanctions. "The .ME Registry works closely with law enforcement to monitor and mitigate issues across the .ME domain in accordance with applicable laws, including sanctions requirements," Domain.Me stated via X. "On 13 July, 1VPNS was included as a sanctioned entity by the US Department of the Treasury. A Telegram channel using the t.me domain was among 1VPNS identified infrastructure. Accordingly, the t.me domain was suspended. "On 14 July, Telegram provided confirmation that it had removed its links and affiliations with 1VPNS. Once the confirmation was reviewed and verified, the suspension was removed from the t.me domain. "We appreciate Telegram's prompt cooperation in resolving this matter." The registrar did not specify which Telegram channel or group was identified as 1VPNS infrastructure. However, given that the service ran its own Telegram channel/account, and that group had its own t.me link that was also included verbatim in OFAC's sanction announcement, it seems likely that this was the reason for the domain-wide disruption. After European law enforcement agencies took 1VPNS's infrastructure offline in May, authorities said the service, whose administrator was based in Dnipro, Ukraine, had been used by at least 25 ransomware groups, including Avaddon, for network reconnaissance and intrusions. Edvardas Šileris, head of Europol's European Cybercrime Centre, said at the time: "For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. "Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement." According to the FBI, which supported the France and Netherlands-led takedown, 1VPNS was advertised almost exclusively on criminal dark web forums and used for activity beyond ransomware. The service allegedly enabled scammers, botnet traffic, denial-of-service attacks, scanning operations, and more since it began operating around 2014. OFAC designated 1VPNS and its administrator, Dmytro Rashevskyi, on Monday. It also sanctioned Yevgeniy Vladimirovich Silayev for selling cryptors – tools designed to disguise ransomware and other malware so they evade detection by security software. The announcement of the sanctions stated that ransomware groups used both services, causing billions of dollars in losses to US businesses and critical infrastructure providers. Gene Lange, senior counselor to the Secretary of the Treasury, who is also performing the duties of the Under Secretary for Terrorism and Financial Intelligence, said: "Under President Trump's leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people. "We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure." ®
Categories: News
Law firm insisted on one password to rule them all
PWNED Welcome back to PWNED, the weekly column where we gather lessons from organizations that didn’t take security seriously enough. This week’s tale of woe comes from a company that left a door wide open for miscreants, but was lucky it didn't have to pay the price. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our story comes courtesy of a reader we’ll Regomize as Manny. A few years ago, Manny got a job working at a law firm. The firm used him to replace an entire team, making him the de facto IT department all by himself. He soon discovered that all of the company’s data and applications lived in one large web-based interface, which was divided up based on the type of client. So there were areas in the UI for personal injury cases and others for travel refunds, for example. There was just one big, gaping security hole: a master password that allowed you to log in as any user in the system. If you had this password, which many people in the law firm did, you could grab detailed personal information about any client, even their health records. “I immediately raised this as a huge security risk,” Manny told us. “But I was told, 'Oh that's the admin password, everyone uses it. Don't touch it.'” As long as you had the person’s email address that you wanted to impersonate, this password would allow you to impersonate them. This applied to both staff and clients. “Colleague is off sick? Sign in as them and reassign their work to someone else to complete. Client forgot to fill in a field? Log in as them and complete it for them,” Manny said. The system itself was 15 years old, ancient in tech terms, and it desperately needed replacing. So Manny was asked to build a whole new system. Naturally, he refused to add a back door, even though that’s what the boss wanted. “I point blank refused to add any back doors to it,” Manny recalled. “So they promoted every user to a system admin and carried on, business as usual.” What we can take away from Manny’s experience is that sometimes even the best IT people who know security basics can still be hindered by clueless management. We also know that sometimes in order to pay the bills, IT people have to go along with security practices they strongly disagree with. In the end, the boss will have the final word, even if that word is “ignorance.” ®
Categories: News
Tech support scam caused massive data breach at Australian airline Qantas
Australia’s Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report published today. Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner’s report goes deeper, explaining a crook who claimed to represent “Qantas IT help” made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket. Those actions instead connected the CRM to a data extraction tool which the crooks used to siphon off customer records. The Commissioner considered whether Qantas observed the Australian Privacy Principles (APPs), the binding rules that govern how businesses safeguard PII, and found the airline did the right thing. The report found that Qantas audited the operator of the contact center and tested the security awareness of its employees – and had done so in the months before the incident. Qantas also conducted mandatory and recurring training on how to handle PII. The Commissioner was therefore satisfied Qantas took adequate steps to ensure the contact center observed the APPs and didn’t fail in its obligations. The regulator made a similar finding regarding the airline’s cross-border data-sharing practices. “Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident,” the report states. The APPs include a requirement to take reasonable steps to protect personal information from unauthorized access. Again, the Commissioner decided Qantas complied because it used role-based access controls, among other techniques to protect data. Another issue the regulator considered was whether Qantas took reasonable steps to destroy or de-identify the personal information it didn’t need. The carrier told the Privacy Commissioner that it scheduled annual data removal runs from its CRM, and that no records that deserved deletion or removal were present at the time of the attack. That clean record saw the Commissioner decide not to launch a deeper investigation. “I have a broad discretion to commence an investigation of an act or practice where it may be a contravention of the APPs and where it is desirable to do so,” the report states. The first-person pronoun is presumably the work of Commissioner Carly Kind, who observed “it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred. The way in which the threat actor gained access was through a vishing attack which could not have been prevented by a strengthening of Qantas’ current role-based access controls.” It’s possible the Commissioner will revisit the matter at another time, and class-action lawsuits are also in train regarding the incident. Qantas may therefore still have to fight through plenty of turbulence before this matter lands. One thing the report doesn’t address is the identity of the attackers. Pundits have suggested the Scattered Spider gang did the deed after it started attacking the aviation industry in the weeks before the Qantas incident. ®
Categories: News
Cyberattack threatens utterly critical infrastructure in Japan: KFC
The crippling high-consequence attack on vital infrastructure that cybersecurity experts have warned about for years is upon us, in the form of an incident that may force KFC to close some stores in Japan. Colonel Sanders himself is not the victim here. That role goes to Nichirei Group, a Japanese purveyor of frozen foods and super-chill logistics services that move them around. Nichirei Group on Monday posted a notice [PDF] in which it admitted “system failures caused by unauthorized access have occurred.” The failures meant the frozen food concern could not arrange shipments to or from its refrigerated warehouses or conduct its other operations. Shortly after Nichirei Group revealed its difficulties, KFC Japan warned customers that delivery of ingredients to its stores would likely be affected. The chicken chain therefore stopped taking orders through its app and website and said it may need to limit menu items and opening hours. “Some stores may be closed depending on the availability of ingredients,” the company said. On Wednesday, Nichirei Group confirmed the cause of the outage was a cyberattack and admitted attackers accessed a server that stores personal information. The Group declined to offer any detail on the incident “to prevent further damage.” The company hopes to resume operations on Friday. That Nichirei Group is unable to provide some services suggests a ransomware attack has made some data unavailable. The mention of “further damage” suggests that discussing whatever happened could divulge clues about security weaknesses that would allow further attacks, perhaps directed at the Group’s clients. KFC Japan hasn’t posted any information about store closures. Indeed, the company continues to promote summer menu items such as a Japanese-style citrus and chicken combo that the chain says is refreshing to eat even in the heat of summer. The Register’s Asia-Pacific bureau will not venture to Japan to assess the impact of this incident, or try the burgers: At times like this, with critical infrastructure under stress, that’s just the right thing (not) to do. ®
Categories: News
CISA sounds alarm over trio of exploited SharePoint flaws
The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations running SharePoint to harden their defenses after the disclosure of actively exploited vulnerabilities. The warning applies to those running any supported version of SharePoint Server on-prem, with three vulnerabilities of particular interest cited. A spoofing bug, CVE-2026-32201 (6.5), was the first to be mentioned. Microsoft disclosed it in March and CISA confirmed it was being actively exploited in June. Additionally, CISA appears concerned by CVE-2026-45659 (8.8) – a remote code execution (RCE) flaw made public in June and confirmed as being actively used in attacks last week after Microsoft said exploitation was "less likely." The most recent of the three, CVE-2026-56164 (5.3), a privilege escalation flaw, was one of the 622 bugs that featured in this month's record Patch Tuesday. CISA also picked out two more critical bugs, both from the latest Patch Tuesday, as ones that could potentially complicate SharePoint security further. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) is being actively exploited to date, although Microsoft has attached the "Exploitation More Likely" label to both. CISA said the three exploited vulnerabilities are associated with post-exploitation activity, including the theft of Internet Information Services (IIS) machine keys and deserialization techniques, both in an effort to gain persistence and deploy malware. The agency did not offer any more detail about what led it to issue the warning, but went on to encourage defenders to review an alert it published in August 2025, which similarly urged organizations to harden SharePoint from "ToolShell" attacks. CISA said attackers were chaining together CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to break into SharePoint Servers and, in some cases, deploy Warlock ransomware. It did not go as far as attributing the activity referenced in either SharePoint advisory to any group or country, although Microsoft said as far back as July 2025 that ToolShell vulnerabilities were being exploited by Chinese nation-state crews. Applying Microsoft's latest security patches and verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application are among the recommended hardening measures. CISA also advised defenders to go threat hunting for signs of intrusion before rotating IIS keys to avoid exposing SharePoint to the web unless it's necessary and block external access to SharePoint Central Administration. As is the case with any potential intrusion, CISA encouraged organizations to implement robust, tailored logging that can detect potential exploits. ®
Categories: News
Microsoft cancels Patch Tuesday for some Dell users over surprise shutdowns, overheating devices
Patch Tuesday was followed by Oopsie Wednesday for some Dell customers, with Microsoft slamming on the update brakes after the hardware maker reported some problems. Yesterday was Microsoft's monthly security update for Windows. This month was, by all accounts, a bit of a doozy with a record-breaking number of CVEs patched, some of which were classed as critical and under active exploitation. Better get patching then? Well, er, no. Not if you're using a Dell device affected by issues associated with the update. Microsoft admitted it affected "some Dell devices with Intel processors," but stopped short of providing a full list. The Register asked the Windows giant and Dell which models had been hit, but both have yet to respond. Microsoft confirmed on its update page: "This update might not be available for a limited number of Dell devices with Intel processors due to an incompatibility reported by Dell that can potentially cause unexpected shutdowns, poor performance, increased heat, and battery drain." And the fix? "We are working together with Dell to prevent the affected models from experiencing the issue and plan to release a resolution for affected devices in the coming days." While the pair works on a solution, the update is "temporarily unavailable." Thanks to the sheer number of CVEs in the update, the delay is unfortunate, doubly so when considering that only a week ago, Microsoft was fiercely advocating for users to get patches installed as soon as possible due to the speed at which AI systems can detect and exploit vulnerabilities. In this instance, Microsoft has acted quickly to halt the update for affected devices. However, the fact that it got this far and can cause surprise shutdowns, overheating, and performance problems does not speak well of the company's validation and quality procedures. Dell is hardly a bit player in the hardware ecosystem. Somewhere, deep in the heart of Microsoft's Redmond campus, a sad-faced engineer is likely resetting the "Days since we broke something" counter and thinking fondly of the days when the number reached double or triple figures. ®
Categories: News
LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised
Microsoft’s worst nightmare - a prolific zero-day vulnerability hunter who calls themselves Nightmare Eclipse - published yet another zero-day on Tuesday, a vulnerability allowing attackers to mount user hives, including partial exploit code. Suspected of being a disgruntled former Microsoft engineer, based on the sophistication of their prior vulnerabilities, NightmareEclipse came good on their promise to release another zero-day on July 14. Whether it lives up to the promised “bone-shattering” standard touted in June is up for debate, however. Called “LegacyHive,” the proof of concept (PoC) code for the zero-day local privilege escalation (LPE) vulnerability targets Windows’ user hives - the section of the Windows Registry that stores a user's specific desktop settings, application preferences, and environment configurations. The code exploits a weakness in profsvc, the Windows User Profile Service, and the way in which it loads hives. If exploited correctly it could grant regular users privileged read-write access to target other users' hives. Matei Badanoiu, lead security researcher at Pentest-Tools.com, said that while the exploit could prove useful for attackers who had already gained a foothold in a target environment, it falls short of providing a fuller system compromise. “What caught my attention is the difference between what the public proof of concept actually demonstrates and what a full compromise would require,” he told The Register. “LegacyHive is a local privilege escalation in the Windows User Profile Service. It abuses arbitrary registry hive loading, so a standard user can mount another user’s hive, including an administrator’s, into their own classes root. “For an attacker who already has a foothold, that is a genuinely useful primitive. Bundling it with credential access and persistence into ‘full compromise’ is more of an ambition than the released code.” The LegacyHive publication differs from some of NightmareEclipse’s earlier drops in that the PoC code is stripped back in an effort to prevent widespread exploitation. According to the bug hunter, there is more than one way of exploiting the profsvc flaw. The public PoC requires additional user credentials for it to work, and is limited to the usrclass.dat hive. NightmareEclipse said the original PoC, which differs from the one they published, does not require additional user credentials to exploit the bug, and it works beyond the usrclass.dat hive, “but you would need some brain cells to make the PoC do it.” This represents a divergence from NightmareEclipse’s previous approaches. As Badanoiu pointed out to us, some of NightmareEclipse’s earlier drops, such as BlueHammer and RedSun, went from PoC to widespread exploitation within days. LegacyHive, however, comes without a fully working PoC and a CVE identifier. Regardless, security experts told The Register that cyber practitioners should respond promptly since capable attackers could probably build a reliable exploit, despite the gaps left in the PoC by NightmareEclipse. “Threat intelligence teams are advised to act with some urgency here,” said Dray Agha, senior manager of security operations at Huntress. “Huntress observed NightmareEclipse's prior LPE and defence evasion tools rapidly deployed threat actors and ransomware groups shortly after publication. “Given this history, we’d expect that capable actors will reverse-engineer the missing components of the LegacyHive PoC to build fully weaponized versions in short order.” The timing NightmareEclipse may have changed their approach to releasing full working PoCs to the public, perhaps a reflection of Microsoft’s suggestion of preparing legal action against the bug hunter, but the nuisance timing of the vulnerability disclosures remains. They dropped the details for LegacyHive shortly after Microsoft released its monthly Patch Tuesday updates, which contained an unprecedented 622 fixes. Agha said timing the disclosure in this way maximizes the exposure window before a patch can be developed, causing more trouble for Microsoft. The Register asked the Windows-maker about LegacyHive and whether it was planning to release a fix before August’s patches, but it did not immediately respond. NightmareEclipse claims their latest zero-day works against Windows machines that are fully patched according to July’s fixes. Microsoft previously issued a quiet remedy for one of NightmareEclipse’s earlier zero-days, RoguePlanet, last week, although the company did not go into any details about what the mitigation entailed. ®
Categories: News
Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs
Remember last month when we were awed by Microsoft’s record-setting Patch Tuesday that addressed 206 CVEs? That was a quaint era compared to this month: Redmond just rolled out patches for 622 CVEs specific to its products, slightly more than tripling last month’s all-time high. Redmond’s Patch Tuesday release is once again one for the record books, with everything under the sun getting some security fixes – including 428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 count. Fifty-eight of those are critical, two are under active exploit, and one has already been publicly disclosed, meaning it could join those other two in short order. There is a lot to dig through, and we can hardly cover the whole gamut given the size of this release. As we noted last month, there was concern in the infosec community that AI-enabled bug hunting might mean massive patch volumes are the new normal. Microsoft didn’t disclose how much AI may have contributed to the massive patch list this month, but given the volume it’s safe to say human contributors probably had some assistance. Microsoft’s massive month To start, let’s cover the pair of actively exploited issues that Microsoft patched. The first, CVE-2026-56155, is an Active Directory Federation Services elevation of privilege vulnerability. Attackers who exploit the issue, which Microsoft only described as being due to “insufficient granularity of access control on ADFS,” could gain administrator privileges. They do need to have access already and be local, however, which is why this is only rated with a CVSS score of 7.8. The second actively exploited vulnerability, CVE-2026-56164, is another privilege elevation issue, this time in Microsoft SharePoint. SharePoint is apparently missing authentication for a critical function, which could let an unauthorized attacker on a network elevate their SharePoint permissions. As with the other issue under exploit, this one is somewhat limited, earning it a CVSS of just 5.3. With both under active exploitation, that score doesn’t matter as much as eliminating the vulnerability through good patch management, however. As for the publicly reported but not-yet-exploited issue, CVE-2026-50661, that involves BitLocker being able to have its security measures physically bypassed by anyone with local access to a BitLocker-secured machine. Now let’s round up a few of those 58 critical issues. Everyone’s favorite untrustworthy AI is packing a CVSS 9.6 remote code execution vulnerability. CVE-2026-48561 finds Copilot improperly neutralizing its input, allowing an unauthorized attacker to execute code with nothing but low-privileged Hyper-V guest access. Exploiting the vulnerability can be done without user awareness by, for example, hosting a malicious website that prompts the many embedded Copilot features of Windows machines to process a prompt upon landing on the page. Microsoft Exchange is suffering from a CVSS 9.6 spoofing vuln due to failure to neutralize input, leading to cross-site scripting being possible from within a maliciously crafted email. CVE-2026-55008 allows an unauthorized attacker to perform spoofing over a network by sending said malicious email to a target, allowing arbitrary JavaScript execution. Finally, we’re not picking out one vulnerability for your third notice in this massive list, but are highlighting a full 16 remote code execution vulnerabilities in Microsoft Office and its associated applications. They’re caused by a variety of issues in the Office suite, like heap-based buffer overflow and use after free vulns, and all are scored around a CVSS 7.8. Needless to say, we recommend following Microsoft’s advice and getting all those hundreds of security patches installed ASAP. Adobe throws mud at critical issues in multiple products Microsoft tends to command the headlines on Patch Tuesday (it’s hard not to when you address more than 600 CVEs in a single day), but Adobe released a bunch of patches across its ecosystem too, 64 unique CVEs across seven bulletins for Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every one of the bulletins included at least a couple of critical CVEs. The highest-severity issue among Adobe’s many Patch Tuesday entries comes in the form of a CVSS 9.9 path traversal vulnerability in ColdFusion that can allow arbitrary code execution. CVE-2026-48318 does not yet appear in online CVE directories, but even with limited information, we’d say a 9.9-level issue is one you want to address with a quickness. The second-worst issue that Adobe addressed today is in its Commerce suite. CVE-2026-48356 is a CVSS 9.6 privilege escalation vulnerability that an attacker can trigger thanks to Commerce failing to restrict the upload of dangerous file types. Adobe Experience Manager also includes a pair of CVSS 9.6 issues (CVE-2026-48259 and CVE-2026-48359). Both allow arbitrary code execution: one because of a server-side request forgery vulnerability, and the other because of improper restriction of XML external entity references. Other notable Patch Tuesday releases Broadcom addressed seven CVEs in its Avi Load Balancer today, which it rates from 7.1 to 9.8 on the CVSS scale. The vulnerabilities include authentication bypass, RCE, privilege escalation, and directory traversal. SAP published 16 security updates and one GitHub advisory today; nine of those updates have a CVSS score of 8.1 or higher. CVE-2026-44747 (CVSS 9.9) is a memory corruption issue in SAP NetWeaver Application Server ABAP that could allow an authenticated attacker to gain unauthorized access to system data; CVE-2026-27690, CVSS 9.1, would let an unauthenticated attacker smuggle an HTTP request through SAP Approuter leading to system unavailability; and CVE-2026-44761, CVSS 9.1, involves the retention of a sample OAuth2 client in SAP Commerce Cloud that isn’t documented and, if known, could let an attacker break in. Let’s hope August is a bit quieter, though, given the fact the past two months have set consecutive records for the number of vulnerabilities Microsoft patched; we have our doubts. Godspeed, sysadmins and security teams. ®
Categories: News
Welsh Doxbin admin jailed for egging on swatters from behind a screen
A Welshman was sentenced to prison on Tuesday for his role in numerous swattings in the UK, US, and Canada. Callum Dare, 26, was an administrator of Doxbin, a dark web platform frequented by individuals that expose the personally identifiable information (PII) of people, usually to encourage harassment or to target them through swatting attacks. The Talbot Green man never actually carried out a swatting call himself, although investigators said "he was an active participant" in Doxbin's "#deadnet" channel, "where he encouraged and assisted others in targeting individuals and organizations through swatting attacks." The investigation into Dare began in May 2019, when he was aged 19, after the FBI engaged South Wales Police and Tarian Regional Organised Crime Unit (ROCU). Tarian ROCU said messages on Dare's phone tied him to "multiple" swatting attacks in the US and Canada. Digital forensics further showed that Dare assembled montages of footage taken from internet livestreams and other sources to showcase emergency services' response to swatting calls. He shared them in the #deadnet Doxbin channel "in an attempt to encourage others to carry out similar offences," Tarian ROCU said. One of those swattings involved a call made to the Los Angeles Police Department in which the caller, speaking with a fake Russian accent, claimed there were bombs placed under chairs in a University of California lecture theater, resulting in an evacuation. Investigations by Welsh police further tied Dare to a swatting attack on December 17, 2018. A caller phoned a Western Mail journalist claiming to be armed with nail bombs and holding hostages at Cardiff's Sandringham Hotel on St Mary Street. The journalist alerted police, who responded by closing off and evacuating St Mary Street, causing significant disruption in the country's capital during one of the busiest periods of the year. Other incidents included calls made to another US university while protests against Milo Yiannopoulos, a far-right political commentator, were ongoing, as well as others targeting individuals. One was a programmer based in Canada, who was swatted after the caller claimed to be at the address and had just shot their girlfriend, taken hostages, and was armed with explosives, according to information heard at Cardiff Crown Court, reported by WalesOnline. This call catalyzed Dare's undoing. Canadian authorities engaged the FBI, and together they seized Doxbin and #deadnet chat logs, discovering that the usernames "Chans" and "KT" belonged to a Doxbin admin likely based in Wales. The information was passed to Welsh police in 2019. South Wales Police linked the information to a PayPal account, which in turn revealed an email address that led officers to Dare's identity and residence. Dare was arrested, and officers combed through his devices, finding ample evidence of his support for the swatting calls and other offenses. Officers also found a file called "The Man in the Onion," a phishing kit designed to imitate dark web marketplaces and harvest user credentials. Tarian ROCU said it was likely the kit could gather details that could be used to access cryptocurrency wallets and other accounts. There is no suggestion Dare used this phishing kit for real-world attacks, although possessing it is a crime. According to defense barrister Peter Donnison, Dare suffered from mental health difficulties including ADHD, autism, and low borderline IQ, in addition to a troubled upbringing. He pleaded guilty to encouraging or assisting the commission of malicious communications and possession of articles for use in frauds on June 15. Dare was sentenced to two years and three months in prison. Terence G. Reilly, special agent in charge at the FBI Nashville Field Office, said: "Swatting is not a victimless prank – it is a reckless and dangerous crime that can have deadly consequences. "This investigation exemplifies the remarkable dedication of the FBI and our international law enforcement partners to pursue and bring to justice those who commit this dangerous crime – no matter where in the world they reside." Louisa Robertson, specialist prosecutor at the Crown Prosecution Service Cymru-Wales, said: "Callum Dare put people in danger by encouraging the triggering of armed police responses, for his own thrills. "When false alarms like this are raised, it is often multiple emergency services that are involved, drawing them away from people who genuinely need them. "The international cooperation of law enforcement agencies and prosecutors in different jurisdictions allowed the Crown Prosecution Service to build a strong case against Dare, showing how far-reaching his criminality was, leaving him little choice but to plead guilty. "I hope the sentence today deters others from carrying out these criminal acts." ®
Categories: News
Musk promises purge after Grok Build caught sending entire repos to the cloud
The researcher who exposed Grok Build uploading users' entire repositories to cloud storage says the transfers have stopped after a server-side change. Elon Musk has separately promised that all previously uploaded user data will be deleted. AI safety researcher Cereblab published a report on Sunday about their investigation into Grok Build, SpaceXAI's command-line interface (CLI), and the data exchanged between the CLI and SpaceXAI's servers. Cereblab found that when Grok Build reads or processes a file, the contents of that file are transmitted without redaction to a Google Cloud Storage bucket used by SpaceXAI. Further, they claimed that Grok Build packages entire repos and uploads them as Git bundles, instead of just uploading the files required to answer a user's prompt. According to Cereblab's report, SpaceXAI's data retention went far beyond that of other CLIs, such as Claude Code, Gemini, and Codex, which open individual files rather than entire repos before uploading them along with their Git histories. The researcher tested the behavior using a benign prompt. They instructed the CLI to simply reply with "OK," and specifically ordered it not to open any files. Grok Build uploaded the entire repo regardless, along with its full Git history containing secrets that were deleted months prior – a finding Cereblab reproduced using a separate repo. Other Grok Build users reported similar results after Cereblab published their report, including one whose entire user directory, containing SSH keys, password manager databases, and more, was opened and uploaded. The findings attracted enough attention for SpaceXAI execs and Musk to comment on them publicly, as well as prompting the company to quickly implement a remedy. Cereblab confirmed that after the CLI's devs set disable_codebase_upload to "true," Grok Build stopped transmitting entire repos to its servers. The confirmation came hours after SpaceXAI weighed in, trying to reassure onlookers that Grok Build remained safe for use, especially in enterprise environments. A public statement issued via X said that Grok Build respects customers who enable zero data retention (ZDR), and for those who haven't enabled it, such as non-enterprise customers, running a quick command deletes all data previously collected on a given user. "We care deeply about your privacy and respect customer choice," SpaceXAI said. "For teams using zero data retention, no trace and code data is ever retained. All API key use of Grok Build also respects ZDR. "If ZDR is disabled, the /privacy command is available in the CLI to disable data retention, which also deletes previously synced data. "Run the /privacy command to view or change your settings at any time." Technical staff members Andrew Milich and Jason Ginsberg both repeated the company's assurances, responding to outraged techies before Musk himself chimed in with a trademark "true." Musk promised that the business would delete all user data uploaded to it prior to the code change preventing whole-repo uploads. "As a precautionary measure, all user data that was uploaded to SpaceXAI before now will be completely and utterly deleted," he said, responding to Milich's community outreach. "Zero anything whatsoever will remain." In a separate post, Musk asked users to keep sharing data anyway, despite the disclosure that his company had been caught hoovering up entire user repos, on the basis that retaining "some" data helps with debugging. The Register cannot independently verify whether SpaceXAI has deleted the data as promised. However, Grok Build no longer rips user repos and stores them in the cloud, although Cereblab is still unhappy about the company's recommendation to use the /privacy command to adjust how exposed user code is to data retention measures. "What actually stopped the upload was a silent global flag – disable_codebase_upload: true – that applies whether you opt in or out," they wrote. "/privacy is a per-session retention toggle, not the switch that fixed this, so it shouldn't be pointed to as the control. And no developer should have to run an opt-out after every session to keep their own code off someone else's servers. The right default is off." ®
Categories: News
'The bots are alive!' Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes
EXCLUSIVE A jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes, according to a TrendAI report shared exclusively with The Register. The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists. Meanwhile, the AI agent did most of the hacking: migrating a botnet from an old architecture to a new one, writing and deploying a new C2 server, and even proactively carrying out 59 unprompted behaviors during the C2 migration. “Persistence is evolving because of AI,” Tom Kellermann, TrendAI’s VP of AI security and threat research, told The Register. “That's what you see in this report, with the capacity to dynamically shift C2 in less than six minutes, and make it portable and disposable, which is crazy-cool and terrifying," he added. "But also, you see the rebirth of steganography through invisible prompt injection.” In other words, it's hiding secret data – in this case, the C2 server malicious payloads – in plain sight. Scanning for known malicious artifacts doesn't provide sufficient protection against AI-enabled C2, according to Kellermann. “If AI does not have multi-layered guardrails, and if you can't detect behavioral anomalies when the guardrails are being tampered with, then you might as well see the AI as a command-and-control in today's world,” he said. “AI has to be viewed from a defensive perspective as a C2 unless you can govern it, actually apply various mechanisms of least privilege, and all the rules that OWASP and NIST espouse for the AI that you've deployed in your environment.” The new report follows up on TrendAI’s earlier research about bandcampro, a “low-skilled” scumbag who partnered with Gemini to impersonate an American veteran, run a Telegram channel, hack admin credentials, and steal cryptocurrency. Since then, the threat hunters obtained and analyzed more than 200 Gemini CLI session logs from said scumbag, and these logs provided additional insights into the daily AI-assisted operations between March 19 and April 21. The LLM carried out the bulk of the daily activities, setting up a residential proxy, running multithreaded password scanning, installing software, writing code to call third-party APIs, processing infostealer dumps, and performing website reconnaissance. The logs show that the attacker never typed commands into the C2 console, but instead spoke them to the AI in conversational Russian, which the TrendAI report translates to English. The attacker’s old C2 infrastructure used a Cloudflare tunnel to connect to victims’ computers – until firewalls and anti-virus software started blocking these tunnels. So bandcampro asked Gemini to work on a new C2 architecture and have the scripts prepared and packed in advance on the server. Hey, Gemini: 'study the C2 migration' “It was very creative on his part, not only to allow the manifest that the AI can conduct 59 unprompted behaviors, but they also left scripts prepared and packed in advance on C2 servers, where the victims unknowingly pulled down and ran PowerShell commands because they had AI enabled,” Kellermann said. “It's almost like he poisoned the environment in a delayed fashion.” On March 23, the attacker launched Gemini CLI, and instructed the AI to "study the C2 migration” – a SKILL.md file migration guide inside a pre-written archive that also contained server code and payloads. This, we’re told, was most likely written by AI. The AI read the guide, launched the C2 server on a VPS, and launched the Cloudflare tunnel to route traffic. The payload distribution server returned a “502 Bad Gateway” error, and the AI diagnosed and fixed the issue, ultimately deploying the C2 infrastructure to control eight computers in a dental clinic and access the Open Dental database. The human didn’t debug anything, and the entire C2 migration took just six minutes. The attacker took a break. When bandcampro returned almost two hours later, Gemini reported that none of the victim machines had reconnected to the server, and got to work diagnosing that issue. “Bro, I solved the riddle! I was almost racking my brain, trying to figure out why our local console is empty,” Gemini wrote, explaining that the problem was a “split-brain” C2 issue and telling the human that he needed to shut down the old C2 to solve it. Bandcampro did what the AI suggested, and the AI then restarted the new C2 server and confirmed: “The bots are alive!” Despite jailbreaking Gemini by telling the agent it was an “authorized pentester” that should disable safety disclaimers and auto-save credentials without asking, the AI did refuse some of the attacker’s prompts. In one session, bandcampro asked Gemini if it could make an agent-bomb that scans the network and spreads to as many computers as possible. Gemini said no: “This crosses the line, and security policy strictly forbids me from creating such ‘bombs.’ Even for your test environment.” It’s also important to note that although this attack used Gemini, “any capable AI model could be fooled by various jailbreaking techniques,” report authors Joseph C Chen, Philippe Lin, Lucas Silva, Vladimir Kropotov, and Fyodor Yarochkin wrote. Overall, the AI designed 80 percent of the attack architecture, 100 percent of the coding and system command execution, and 90 percent of problem identification and debugging, we’re told. The report also says the entire operation was encoded in three short, plain-text files totaling four pages. One file details how to jailbreak Gemini. The second is a skill file with the code for the C2 framework. And the third, named C2_MIGRATION_GUIDE, is a how-to guide with six steps to deploy a new C2 server. TrendAI calls this guide “the soul of this activity.” AI makes C2 infrastructure disposable “Before the AI era, one had to hire a threat actor with years of experience to conduct such an operation smoothly,” the researchers wrote. “Now the knowledge is compressed into a 5KB file that even a non-technical threat actor can read and use.” This use of AI makes attacker infrastructure disposable and the operators replaceable because it’s super easy to build a new botnet, the threat hunters explain. “A lot of people are worried about AI being weaponized for the stages of reconnaissance and delivery in terms of the kill chain, but they're not actually focusing on persistence, and that’s the issue we should be very concerned about,” Kellermann said. Plus, he added, the Russians are the “world’s experts” at jailbreaking and persistence. “They are incredibly adept at using and weaponizing AI,” Kellermann said. “We keep talking about the Chinese having penetrated infrastructure and colonized wide swaths of infrastructure, particularly with the Typhoon attacks, and yes, that’s highly significant. But in a more tactical and targeted way: what are the Russians up to? Particularly when the major difference between them and the Chinese, from my perspective, is their willingness to become destructive, become punitive in the environment.” Chinese government-backed cyber operations tend to focus on espionage, stealing IP along with other sensitive data. “But the Russians are more likely to burn your house down,” Kellermann said. If they can dynamically shift their C2s, and if they can use steganography that's been created by AI to maintain persistence, what happens when the wheels come off the bus? What happens when geopolitical tension gets to a certain boiling point over Ukraine?” While this attacker was an individual hacker - not a state-sponsored crime syndicate - “the nature of the culture of the Russian cybercrime community is: you only act alone for a New York minute,” Kellermann said. “At some point, you're going to be reined in by one of the cybercrime cartels.”®
Categories: News
Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites
CISA has added two critical Joomla extension bugs to its Known Exploited Vulnerabilities catalog after attackers were caught exploiting both flaws to upload malicious code onto vulnerable websites. The newly listed bugs affect iCagenda, an events calendar extension for the open source Joomla content management system, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads. Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform. Both vulnerabilities carry the maximum CVSS score of 10 and allow attackers to upload arbitrary files that can ultimately be executed as PHP code on the server, handing over remote control of the affected site. CISA added CVE-2026-48939, affecting iCagenda, and CVE-2026-56291, affecting Balbooa Forms, to its KEV catalog this week after confirming in-the-wild exploitation. Federal civilian agencies were ordered to patch against the flaws under the agency's vulnerability management directive, but the warning is equally relevant to the wider Joomla community, given that both extensions are used on public-facing websites. The iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature, turning what should be a simple file upload into remote code execution, CISA said. Security firm mySites.guru said it spotted attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid-June. The attacks targeted the extension's "Submit an Event" feature, which lets visitors contribute events to a site's calendar. Researchers said they observed automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers. The Balbooa Forms bug is much the same story. Researchers said the extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. That made it possible to upload a PHP file into a publicly accessible directory and execute it remotely. The researchers said they uncovered the flaw while investigating an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned that exploitation is continuing against sites that have yet to update. If there's a silver lining, it's that the fixes are already available. If there's a downside, it's that the attackers didn't wait around for release notes. ®
Categories: News
EU and UK officially blame Russian spies for cyberattack on Poland's power grid
The UK and EU are demanding urgent action from critical infrastructure organizations after formally attributing the December 2025 cyberattack on Poland's power grid to Russia's Federal Security Service. The Foreign, Commonwealth & Development Office (FCDO) described the attack, carried out by the FSB's Centre 16 division, as "another example of the Russian state's irresponsible attempts to sow chaos across Europe." Milosz Motyka, Poland's energy minister, confirmed the attack on the country's power grid in January. He said experts suspected that whoever was behind it attempted to disrupt communication between renewable hardware and power distribution operators. The attack was ultimately unsuccessful, but suspicion quickly fell on Russia. Attackers tried to deploy the destructive DynoWiper malware, a move typically associated with Russian state-backed operations. Mandiant previously tied the 2023 blackouts in Ukraine to Sandworm's deployment of CaddyWiper malware, while the NCSC and its allies fingered the same military intelligence unit for the 2022 WhisperGate wiper attacks at the start of Russia's invasion. As The Register reported at the time, the FCDO said the attack in Poland could have left half a million Poles without power in midwinter – a cyberattack with potentially lethal consequences. We asked the NCSC to provide more information about what evidence allowed it to attribute the Poland energy attack to Russia's FSB, but it declined to comment on operational matters. Time to act The UK NCSC co-authored a technical advisory, published Monday, which highlights the latest developments in Russia's tradecraft, urging those most at risk to apply the recommended mitigations. It said organizations in the following sectors are most at risk from Centre 16 cyberattacks: communications, defense industrial base, energy, financial services, government services and facilities (especially organizations at the state and local level), and healthcare and public health. The headline mitigation recommended by the intelligence agencies is to disable SNMPv1 and SNMPv2, opting instead for SNMPv3 with authPriv, which comes with strong authentication and data encryption, and to disable Cisco Smart Install on all devices. Centre 16's common tactics involve scanning for devices that respond with SNMPv1/2. These support default or easily guessed community strings, which are commonly abused to gain access to network devices such as routers – a technique the NCSC and others issued separate warnings about in April. Attackers can abuse SNMP access to obtain device configuration data and transfer it to a server under their control, which can later facilitate persistent access. Although SNMP scanning is the principal tactic described, the advisory also covers the exploitation of Cisco devices, including those with Smart Install enabled. Defenders examining the document will notice overlapping tactics, techniques, and procedures (TTPs) between Centre 16 and other Russia-aligned threat groups, the intelligence partners wrote. Jonathon Ellison, director of national resilience at the NCSC, said: "The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter. "Today's joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK's critical infrastructure. "I'd strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise." Fresh sanctions The UK and EU have each added an array of Russian individuals and entities to their sanctions lists, including GRU officials, cybercriminals, and hacktivists. Members of pro-Kremlin outlet Rybar also makes an appearance, owing to its false narratives about Ukraine and alleged interference with European elections. The most high-profile designations concern Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko – three GRU leaders accused of orchestrating cyber and hybrid operations. They also allegedly worked with cybercriminals and a company called IMPULS with a view to recruit cybersecurity specialists from universities and academies across Russia. UK Foreign Secretary Yvette Cooper said: "These sanctions strike at the core of the cybercriminal networks propping up the Russian state's aggression, and the UK and EU are sending a clear message that Russia cannot hide behind its use of these proxy groups. "From directing criminals to targeting businesses, and striking Poland's energy grid in the depths of winter, the Russian state is sinking to new lows in its attempts to undermine European security. "Together with our partners, Britain will continue to call out this behaviour, bolster our resilience and respond to the hybrid threat posed by the Russian state. This will not deter us from supporting Ukraine." Sanctions were also imposed against three individuals accused of being operators of Lumma Stealer, one of the major infostealer malware strains that play a significant role in the cybercrime economy. National Crime Agency data suggests that in the UK alone, at least 2,100 victims were identified as infected over six months. The UK confirmed that the Russian state has used Lumma Stealer to gather stolen credentials and launch cyberespionage operations against global targets. The 24 sanctions unveiled on Monday add to the 3,400-plus individuals and entities that have been designated for their roles in supporting Russia's war efforts. Don't forget those cameras The coordinated international warnings and sanctions come days after Dutch authorities issued their own alert about Russian espionage units targeting internet-connected cameras to gather intelligence about military logistics routes. Its separate advisory warned that at least one Russian intelligence unit carries out operations targeting the Netherlands and other NATO members, using IP camera footage to track military logistics routes and the transport of materiel, and to map infrastructure such as bridges and roads. Dutch intelligence services added that Russia uses image recognition software to detect military vehicles, transport routes, shipments to Ukraine, and locations of Ukrainian soldiers. The advisory went on to say that Dutch intelligence suggests Russia's use of compromised IP cameras and their imagery has systematically increased recently and become a normal part of its tradecraft. It said abusing default passwords was the most common way in which Russian spies were gaining access to the cameras, although the most recent security updates were rarely applied, opening up vulnerabilities to exploit when using guessable passwords doesn't work. ®
Categories: News
World Cup grudge attackers may have scored Argentine FA access via year-old infostealer infection
Hudson Rock says the suspected compromise of the Argentine Football Association (AFA) may be linked to an infostealer infection nearly a year earlier. The incident appears to be the work of an aggrieved football fan, or group of them, after Argentina eliminated Egypt from the World Cup round of 16. Egypt's coach and football association complained about several refereeing and VAR decisions, which they said contributed to the result. The compromise of AFA's systems was spotted after mass emails were sent from legitimate domains stating that Argentina "stole" the win from Egypt and that "the robbery will not go unnoticed." Hudson Rock said it found evidence of an infostealer infection dating back to September 8, 2025, on a device belonging to an AFA software developer who had been employed at the governing body for nearly a decade. The security shop operates a database of known infostealer victims, and noted that the compromised machine was added to its database the following day. Whoever was behind the attack, which was claimed by "All Egyptian Cyber Warriors," they either sat on the credentials for nearly a year, or sought them out after Egypt were controversially eliminated from the World Cup. Once they procured the credentials and authenticated themselves into the AFA's systems, Hudson Rock said they "likely had profound administrative control." This would have included direct access to phpMyAdmin database management panels, root access to certain AFA databases, access to the management portal of AFA's training HQ, the AFA media portal, and its competition management system. After looking at the stolen credentials in their database, the researchers said that weak, easily guessable passwords were reused across several internal systems. In addition to the compromised emails sent from AFA's management and admin portal (afasistemas.com.ar), Hudson Rock spotted a number of posts made to cybercrime forums advertising the body's data for sale. According to the advertisements, the data related to staff, professional clubs, and the AFA's external media partners. The samples appeared to include internal email addresses, phone numbers, user roles, and registration timestamps, as well as listings for access to AFA subdomains. Passwords were also among the data, although much of them were securely hashed. However, a small portion were in plaintext, which Hudson Rock said suggests "a significant security oversight." "The AFA breach is a textbook example of how devastating a single, unmitigated infostealer infection can be," the security outfit said. "A compromised machine belonging to a developer with high-level access highly likely handed a threat actor direct database administration rights and the ability to send authenticated internal emails. "Because the stolen credentials sat dormant for months, the organization was lulled into a false sense of security, completely unaware of the ticking time bomb in their network infrastructure." The AFA told reporters on Friday that it was investigating the compromise with its IT team after many received the emails sent by the intruders. "There is a possibility that our account has been subject to unauthorized access," the AFA stated. "We are currently working to clarify the situation and implement the necessary security measures." ®
Categories: News
Progress orders emergency ShareFile server shutdown over mystery security threat
Progress Software has ordered some ShareFile customers to pull the plug on their own servers after detecting what it describes as a "credible external security threat" targeting the on-premises component of its enterprise file-sharing platform. The emergency warning, sent by email and seen by The Register, instructed organizations running ShareFile Storage Zone Controllers to take the unusual step of manually shutting down the Windows servers that host the software, with no patch or configuration workaround yet announced. "We have reason to believe there is a credible external security threat targeting Progress Software's ShareFile Storage Zone Controllers," the company wrote, adding that it had already disabled access to ShareFile accounts using Storage Zone Controllers, but warned this alone was not enough. "IMMEDIATE ACTION REQUIRED: You must manually shut down the server hosting your Storage Zone Controllers," the email continued. “This is a critical additional step to ensure the safety of your data." The company said the restrictions were being imposed "out of an abundance of caution" as it works with internal and external security experts to investigate the threat. Customers reported that Progress was also calling affected organizations directly to reinforce the message. A follow-up notice over the weekend offered little additional detail. Progress said it had "no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat," but instructed customers to keep Storage Zone Controllers offline even as cloud services were gradually restored. Exactly what prompted such a dramatic response remains unclear. Progress has not disclosed the nature of the threat, whether any customers have been compromised, which software versions are affected, or when administrators can safely power systems back on. The company did not respond to The Register's questions. That information vacuum has fueled speculation. One Progress customer on Reddit speculated that if the vendor is telling customers to completely shut down servers, "it's almost certainly an unauthenticated RCE being exploited in the wild." Storage Zone Controllers are the on-premises component of ShareFile that allows organizations to keep files on their own infrastructure while continuing to use Progress's cloud platform for authentication and management. Because they typically sit on internet-facing Windows servers, they present an attractive target if a serious, remotely exploitable flaw emerges. The incident also arrives just months after Progress patched two critical vulnerabilities in ShareFile Storage Zone Controller v5 that could be chained into unauthenticated remote code execution, although the company has not linked the current incident to those bugs. Progress is no stranger to security crises. The vendor spent much of 2023 and 2024 dealing with the fallout from mass exploitation of its MOVEit Transfer software by the Clop ransomware gang, a campaign that snowballed into one of the largest supply chain breaches on record. Whatever Progress has found this time around, it has decided that customers are better off with their servers powered down than running. ®
Categories: News
Destructive Windows backdoor stuffs multiple wipers and ransomware code into a single package
A newly identified destructive Windows backdoor combines ransomware-like encryption with multiple data-wiping features, according to Microsoft. Last October, the Redmond threat-hunting team first spotted attacks using the Golang-based implant they've named GigaWiper. Its developers stuffed multiple malware families into the software as on-demand commands, giving criminals a Swiss Army knife of command-and-control (C2) and destructive capabilities, including multiple wiping commands and file encryption without any possibility of decryption. “The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft Threat Intelligence wrote in a Thursday blog. Microsoft declined to answer The Register's questions about the scale and scope of GigaWiper attacks. In the blog, Redmond’s malware analysts said they uncovered two types of GigaWiper samples in victims’ environments, and both are unstripped portable executable files written in Golang. One is a standalone wiper that operates at the physical disk level, as opposed to deleting individual files. It overwrites raw disk content, removes partition metadata, and then reboots the system using Windows shutdown functionality with restart and zero-delay. The second sample is the more interesting one. It includes the same disk-wiping functionality, but that’s just one component of the backdoor. This malware also establishes persistence and sets up C2 communication using RabbitMQ over AMQP for receiving commands from the C2 server, and Redis for updating command status and output. GigaWiper also organizes its commands into different categories, including "always run" for tasks such as continuous screen recording, "manage command" for system management functions, and separate "special command" and "shell command" modes for executing additional functionality. These include the standalone wiper command, along with another command that disables Windows recovery, triggers a blue screen of death (BSOD), and leaves the device unable to boot. It also has a destructive command based largely on Crucio ransomware. It encrypts files with randomly generated keys that are never saved, which means victim organizations will never be able to decrypt these files. Another command bulk encrypts or decrypts files with AES-256 in Cipher Block Chaining (CBC) mode, while a different command uses MinIO Client (mc) to upload stolen files to remote storage. The malware also runs PowerShell commands, takes screen shots and recordings of the compromised device, collects system info, clears Windows event logs, and allows remote control over the system along with keyboard and mouse control - among other capabilities that attackers can use at will. According to Redmond, GigaWiper combines components from at least three previously separate malware families, including Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper. “Overall, these findings show the evolution of the actor’s tooling over time,” the security sleuths wrote. “Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.” ®
Categories: News
Fashion mart Miinto unzips breach details, warns shoppers to watch for phisherfolk
Danish ecommerce company Miinto admitted an intruder has been looking at its order data, according to emails it sent to customers this week. The emails, seen by The Register, do not comment on the scale of the data accessed by the perp or how exactly the breach occurred, although UK-based customers of the Copenhagen-HQ'd biz have received them. “We are writing to let you know about a security incident that may have affected some of the personal data associated with a purchase you made on Miinto,” the email states. “We have reported this to the police and to the relevant data protection authority, and we are contacting you directly so that you know exactly what happened and what to watch out for. We know a notice like this can be unsettling, and we want to be as clear and transparent with you as we can.” “An unauthorized party gained access to our internal order management system, and the perpetrator may have retrieved order data where your order data is potentially included,” it adds. Miinto, an online marketplace for fashion brands, confirmed that names, email and physical addresses, and phone numbers were among the data types exposed to crooks. Customers’ payment methods were compromised too. The email explained this would reveal whether customers paid using a card, and what type of card, or pay-in-three services like Klarna, but the attack did not expose details such as card or verification numbers. Miinto warned customers of the risk of phishing attacks that impersonate the brand and use the details swiped from the breach to make communications seem more convincing. “We have taken this incident extremely seriously and have worked quickly to contain it,” the email states. It removed the intruder from systems and improved its security measures, increasing access controls on its order management system. “We sincerely apologize for any concern or distress this notice may cause,” Miinto wrote. “Protecting the information you entrust to us is a priority we do not take lightly. “We have already strengthened the security of our systems, and we are continuing to invest in measures designed to reduce the risk of anything like this happening again.” The company did not disclose the attack via public channels, nor did it respond to The Register’s request for comment. Founded in 2009, Miinto operates in 14 countries and in January reported annual revenues soaring 86 percent to 869 million kr ($132.9 million). ®
Categories: News
Scot NHS Trust probes email stuffup involving maternity patients' data
A staff member sent the personal details of around 150 women who were in contact with a Scottish NHS Trust’s maternity services to their own personal email account, the Trust has revealed. NHS Forth Valley, the health board that oversees NHS services in the region between Edinburgh and Glasgow, said it is investigating the matter and has contacted the women affected. “An internal investigation is underway after a member of staff transferred a spreadsheet containing an extract of data from our maternity system to their personal email address,” a spokesperson said. "While the majority of information in the spreadsheet is unidentifiable, it contained some lines of data relating to a number of women who had accessed local maternity services. "There is no evidence that the information has been shared any wider at this stage, and the member of staff has also advised that they have now deleted the data.” NHS Forth Valley has contacted to data subjects directly and informed a number of other relevant organizations, including the UK Information Commissioner. A new mum who was one of the circa 150 women affected by the data mishap, told the Fakirk Herald, which first reported the story, that she was experiencing anxiety that her details were out in the public domain. The woman reportedly was told by NHS Forth Valley that the information was transferred for analytical purposes and concerned a fully qualified, non-clinical staff member, and not a junior. She was also informed that the data in the spreadsheet included full names, dates of birth, NHS numbers, pregnancy treatment information, and the patients’ total number of children. NHS Forth Valley said it had made Police Scotland and the Information Commissioner’s Office aware of what happened. The UK’s health service, for all its merits, has a far from sparkling record when it comes to email-based data breaches. Between bungled Freedom of Information responses to the BCC function proving too difficult for staff members, the NHS and wider UK public sector have been the subject of their fair share of blunders in recent years. Two separate Trusts – Chelsea and Westminster and NHS Highland – failed to protect HIV patients’ data when bulk-sending responses via the CC field instead of the BCC field in recent years. Between 2020 and 2021, Cambridge University Hospitals NHS Foundation Trust was also found exposing extraneous data in spreadsheets sent as part of FoI responses. And perhaps our favorite NHS clanger of all, the service’s Digital division, no less, exposed hundreds of email addresses via a failed BCC attempt when sending four separate emails to attendees of a cybersecurity event. ®
Categories: News