A zero-day that Microsoft patched in July remained active long after the fix. China-based attackers weaponized the SharePoint “ToolShell” flaw (CVE-2025-53770) to break into a Middle Eastern telecom and a string of government networks across Africa and South America, researchers at Symantec and Carbon Black say. Two days after Microsoft published emergency patches, intruders had a foothold. On 21 July, the adversaries dropped a webshell and moved fast to sideload backdoors and trojans, turning trusted binaries into door openers. That rapid follow-on shows how quickly exploit code can be weaponized once a vulnerability is public. Well-known Tools and Techniques Across…
Kirsten Doyle
Salt Typhoon, a China-linked espionage group, has once again surfaced, this time in the systems of a European telecommunications provider. Darktrace spotted the signs early: a faint digital pulse of DLL sideloading, a whisper of Citrix exploitation, the careful footsteps of an adversary that knows how to stay unseen. Salt Typhoon is no newcomer. Active since at least 2019, the group (also known as Earth Estries, GhostEmperor, and UNC2286) has spent years burrowing into critical infrastructure. From telecoms to energy grids and government systems, it has moved through more than 80 countries. The campaign’s hallmarks are precision and patience: custom…
Late Sunday, Japanese retailer Muji confirmed that “logistics failures” had disrupted its online store and subscription services. It happened because its logistics partner, Askul, was taken offline by a ransomware attack. Askul, a major player in Japan’s e-commerce and logistics space, said the infection triggered a systemwide outage. Orders, shipments, and even customer service functions have been halted as investigators assess the damage and possible data exposure. The company’s announcement lists nearly every core function as suspended. Online shopping carts lead to error screens. Fax orders fail to send. New user registrations, returns, and catalog requests are paused. Even pharmaceutical…
Envoy Air, a regional carrier owned by American Airlines, has confirmed it was the target of a sophisticated ransomware attack attributed to the Clop cybercrime group. The breach, which happened in August 2025, exploited a zero-day vulnerability in Oracle’s E-Business Suite, one of the most severe flaws to hit enterprise software this year. Clop, which first listed “American Airlines” on its dark web leak site on October 16, misidentified the victim. Envoy operates under the American Eagle brand, serving as a regional arm of the airline giant. The distinction matters little to attackers, but it underscores a pattern that’s becoming…
An international law enforcement operation in Latvia has brought down a major cybercrime-as-a-service network. Seven suspects were arrested, most of them Latvian nationals. The coordinated action, codenamed SIMCARTEL, took place on 10 October. Police from Latvia, Austria, and Estonia worked alongside Europol and Eurojust. Investigators say the group was behind thousands of scams across Europe, defrauding victims through sophisticated telecom schemes. More than 3,200 cases have been reported (roughly 1,700 in Austria and 1,500 in Latvia) with losses nearing €5 million. Authorities seized the network’s infrastructure, including 1,200 SIM box devices and 40,000 active SIM cards used to mask and…
The internet cannot be separated from modern life. It’s a shared utility that connects, informs, and empowers us. But the more we rely on it, the greater the risks become. Every click, login, or search leaves a trail, and each device, app, or interaction can open the door (sometimes obvious, often unseen) to data breaches, identity theft, or other digital threats. “Stay Safe Online” has become a survival skill. This year, Cybersecurity Awareness Month is at a turning point. The tools that once protected us (antivirus, passwords, firewalls) now have to share space with generative AI, autonomous agents, and a digital underground where nation-state…
Getting locked out of your Google account is more than an annoyance; it can be a major headache. You can lose hours in endless recovery loops, and still end up nowhere. Now, Google says it’s found a simpler fix: you can call a friend for help. As CNET reports, Google’s new Recovery Contacts feature lets you nominate a trusted friend to verify your identity if you get locked out. Setup is simple: choose your most reliable ally (a partner, sibling, or friend) and send them an invite through your Google Account’s Security settings. Once they accept, they’ll be your backup lifeline. If you’re ever locked out, they’ll receive a prompt…
Sotheby’s has confirmed a data breach following unauthorized access to its internal systems, exposing sensitive personal information belonging to clients. The breach happened on 24 July 2025, and was discovered two months later, on 24 September. An investigation led by external forensic specialists found that an unknown actor had exfiltrated internal data. The review process (downloading, cataloging, and analyzing the stolen files) ended in late September. While Sotheby’s has not disclosed how many individuals were affected, the compromised data possibly includes names, Social Security numbers, and financial account details. Only two Maine residents are confirmed among the victims, though there may be many more. Founded in 1744, Sotheby’s is one…
When bad actors can weaponize trusted software so effectively that a vendor has to rewrite its own documentation, something fundamental has shifted. That’s exactly what happened when the China-backed advanced persistent threat (APT) group known as Flax Typhoon maintained year-long access to an ArcGIS server without deploying a single piece of traditional malware. “This was the first documented case of a malicious SOE being used in this way,” ArcGIS said after working with ReliaQuest investigators. “It prompted updates to our internal documentation.” Turning Trust into a Weapon For more than twelve months, Flax Typhoon quietly controlled a customer’s ArcGIS environment…
SimonMed Imaging, one of the largest outpatient medical imaging providers in the US, has confirmed that it fell victim to a cyberattack that potentially exposed sensitive patient information earlier this year. The company said it was first alerted on 27 January 2025, when one of its vendors reported a security incident. A day later, SimonMed detected suspicious activity within its own network, prompting what it describes as an immediate and comprehensive response. In a statement, the company said it “promptly began an investigation and took steps to contain the situation,” including resetting passwords, tightening multifactor authentication, enhancing endpoint monitoring, and…
