{"id":20649,"date":"2025-09-29T10:19:00","date_gmt":"2025-09-29T08:19:00","guid":{"rendered":"https:\/\/kordon.app\/?p=20649"},"modified":"2025-09-29T10:21:19","modified_gmt":"2025-09-29T08:21:19","slug":"summaries-of-cybersecurity-news-worth-your-attention-this-week-2025-09-29","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/summaries-of-cybersecurity-news-worth-your-attention-this-week-2025-09-29\/","title":{"rendered":"Summaries of Cybersecurity News Worth Your Attention this Week &#8211; 2025-09-29"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>New technologies are awesome; they often allow us to achieve more, get further, be more creative. But unfortunately, this is true for the bad guys as well. Week after week, we see in this cybersecurity news summary that there&#8217;s a new and rather not very complex way AI chats are used to exfiltrate data and now more and more MCP servers are getting impersonated and used for exfiltration as well.<\/p>\n\n\n\n<p>So I would say, one thing to prioritise in your GRC programs right now is vendor reviews and usage of all the different AI tools. Absolutely we all want to use them, but when a year ago our biggest collective concern was that OpenAI will use our data for training then I think the risk has moved significantly to interception and exfiltration of data through the browser \/ MCP servers.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Fake Postmark MCP npm Connector Exfiltrated Thousands of Emails<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A malicious \u201cpostmark-mcp\u201d npm package <strong>impersonated Postmark\u2019s MCP connector<\/strong> and, since version 1.0.16, <strong>silently Bcc:\u2019d every outgoing email to an attacker-controlled server.<\/strong> With <strong>~1,500 weekly downloads<\/strong>, it likely <strong>exposed password resets, invoices and confidential correspondence across hundreds of organizations<\/strong>.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Backdoor added via a one-line<\/strong> Bcc to phan@giftshop.club in version 1.0.16<\/li>\n\n\n\n<li><strong>Estimated impact: 3,000\u201315,000 emails per org per day, ~500 orgs affected<\/strong><\/li>\n\n\n\n<li>Package unpublished quickly but remains on any systems already using v1.0.16+<\/li>\n\n\n\n<li>MCP connectors run with full email and API privileges, bypassing DLP and gateways<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish strict review rules for any high-privilege MCP connection and\/or npm package<\/li>\n\n\n\n<li>Uninstall postmark-mcp v1.0.16 and later<\/li>\n\n\n\n<li>Audit and inventory all MCP connectors in use<\/li>\n\n\n\n<li><strong>Review what information may have been compromised since version 1.0.16 of this package was installed.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4064009\/trust-on-mcp-takes-first-in-the-wild-hit-via-squatted-postmark-connector.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Wave of Four Cisco Zero-Days Hits ASA Firewalls and IOS<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Cisco and CISA warn of an active campaign exploiting four zero-days\u2014critical RCE and privilege-escalation flaws in ASA 5500-X firewalls, plus an SNMP stack overflow in IOS\/IOS XE\u2014enabling root access, ROM tampering for persistence, and DoS across millions of devices.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CVE-2025-20333 &amp; CVE-2025-20363 (CVSS 9.9\/9.0): unauthenticated RCE on ASA devices<\/li>\n\n\n\n<li>CVE-2025-20362 (CVSS 6.5): privilege escalation on ASA VPN web services<\/li>\n\n\n\n<li>CVE-2025-20352 (CVSS 7.7): SNMP stack overflow in IOS\/IOS XE, authenticated RCE &amp; DoS<\/li>\n\n\n\n<li>Impacted ASA models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X (ASA 9.12\/9.14 w\/ VPN Web enabled)<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy Cisco updates for CVE-2025-20333, 20362, 20363, and 20352<\/li>\n\n\n\n<li>There&#8217;s really no reason not to have automatic updates on for critical infrastructure. When was the last time an update caused problems? Probably less frequently than a zero-day causing problems.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/cisco-actively-exploited-zero-day-bugs-firewalls-ios\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
UK Arrests Suspect in Ransomware Attack Disrupting European Airports<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Britain\u2019s National Crime Agency has arrested and bailed a man <\/strong>in his forties <strong>in connection with last weekend\u2019s ransomware attack on Collins Aerospace\u2019s MUSE check-in and baggage systems, which grounded flights<\/strong> and forced manual workarounds at <strong>Heathrow, Brussels, Berlin and Dublin.<\/strong> The attack, detected on September 19, exploited customer-networked systems outside RTX\u2019s enterprise environment and remains under investigation, underscoring the operational risks posed by supplier software in critical infrastructure.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The suspect, detained in West Sussex, was released on conditional bail.<\/li>\n\n\n\n<li>MUSE systems support passenger check-in, baggage tagging and boarding.<\/li>\n\n\n\n<li>RTX confirmed the \u201cproduct cybersecurity incident\u201d in an SEC 8-K filing.<\/li>\n\n\n\n<li>ENISA has identified the ransomware family used, though details remain undisclosed.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/uk-arrest-cyberattack-disruption-european-airports\">The Record<\/a>, <a href=\"https:\/\/www.nationalcrimeagency.gov.uk\/news\/uk-arrest-following-aerospace-cyber-incident\">National Crime Agency<\/a>, <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/101829\/000010182925000036\/rtx-20250919.htm\">SEC Filing<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Malware Operators Partner with North Korean IT Workers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A newly identified alliance, dubbed DeceptiveDevelopment, merges cybercriminal malware toolsets with North Korean IT-worker fraud (WageMole) to breach corporate networks and steal sensitive data.<\/strong> Operators <strong>pose as recruiters on LinkedIn and Upwork,<\/strong> use ClickFix-style fake video assessments to <strong>trick targets into downloading stealer and RAT malware<\/strong>, then leverage stolen identities for deeper infiltration. This hybrid threat blends traditional identity theft with state-aligned malware rentals, raising the stakes for hiring and onboarding security controls.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Social engineers impersonate recruiters <\/strong>to deliver BeaverTail, InvisibleFerret and WeaselStore.<\/li>\n\n\n\n<li><strong>ClickFix sites mimic camera\/microphone error pages, prompting terminal commands to install payloads.<\/strong><\/li>\n\n\n\n<li><strong>Stolen credentials are used by North Korean IT workers to secure roles at targeted companies.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validate recruiter identities before sharing technical materials.<\/li>\n\n\n\n<li>Train employees on such complex social engineering scenarios.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/malware-operators-collaborate-with-covert-north-korean-it-workers\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Employee SSNs of Volvo and Others Exposed in Ransomware Attack on HR Vendor Milj\u00f6data<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Volvo Group North America has confirmed that nearly 20,000 employees\u2019 names and Social Security numbers were compromised after the DataCarry ransomware group breached its third-party HR software provider, Milj\u00f6data.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Milj\u00f6data\u2019s cloud infrastructure was breached on August 20; attackers demanded 1.5 BTC (~$165 K).<\/li>\n\n\n\n<li><strong>DataCarry published stolen data on the Dark Web on September 12 after the ransom wasn\u2019t paid.<\/strong><\/li>\n\n\n\n<li>Besides Volvo NA\u2019s 20K employees, <strong>the breach impacted 164 municipalities, 25 companies, and over 1.5 M individuals.<\/strong><\/li>\n\n\n\n<li>Other clients lost PII including birth dates, home addresses, employment records, and 870,100 email addresses.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit SaaS vendors\u2019 security controls and breach response SLAs.<\/li>\n\n\n\n<li>Enforce encryption-at-rest and granular access limits on third-party PII.<\/li>\n\n\n\n<li>Implement continuous monitoring of vendors\u2019 information security programs, reviews and certifications<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/volvo-employee-ssns-stolen-ransomware-attack\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
China-linked APT UNC5221 Deploys Brickstorm Backdoors on Unmonitored Edge Appliances<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The China-linked group UNC5221 is <strong>targeting Linux and BSD network appliances\u2014firewalls, VPNs, IDS\/IPS and VMware vCenter\/ESXi hosts\u2014that lack EDR support<\/strong> to install a Go-based backdoor called Brickstorm. <strong>By mimicking legitimate software<\/strong> and using per-victim, obfuscated C2 domains and delayed-start payloads, <strong>Brickstorm has enabled average dwell times of 393 days<\/strong>, letting attackers exfiltrate emails and pivot into downstream customer environments.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Brickstorm backdoor runs as a SOCKS proxy, file server and command executor in Go.<\/li>\n\n\n\n<li><strong>Targets include edge appliances (Linux\/BSD) and virtualization management systems (vCenter\/ESXi).<\/strong><\/li>\n\n\n\n<li><strong>Uses per-victim C2 domains (Cloudflare Workers, Heroku, sslip.io, nip.io) and code obfuscation with Garble.<\/strong><\/li>\n\n\n\n<li>Attackers exploit known and zero-day flaws (e.g., Ivanti Connect Secure) for initial access.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Maintain an up-to-date inventory of all edge appliances.<\/strong><\/li>\n\n\n\n<li><strong>Restrict internet-facing management interfaces and protocols.<\/strong><\/li>\n\n\n\n<li><strong>Forward appliance logs into a centralized SIEM <\/strong>for anomaly detection.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/chinese-apt-brickstorm-backdoors-edge-devices\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Iranian APT UNC1549 Uses Valid SSL.com Certificates to Evade Malware Detection<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Iranian state-aligned group UNC1549 (aka Subtle Snail) is signing backdoors and infostealer malware with legitimate SSL.com code-signing certificates, drastically reducing detection by antivirus and threat-detection tools. <\/strong>Researchers found the certificates were issued to shell companies with minimal validation, exposing gaps in CA vetting and putting any organization that trusts signed binaries at risk.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multiple malware families (Nimbus Manticore, Smoke Sandstorm, Tortoiseshell) signed with SSL.com certs.<\/strong><\/li>\n\n\n\n<li>Certificates issued since May 2025 to shell firms Insight Digital B.V., RGC Digital AB and Sevenfeet Software AB.<\/li>\n\n\n\n<li>Three of four observed certificates remain valid despite the CA\/Browser Forum requiring revocation within five days of misuse evidence.<\/li>\n\n\n\n<li>Other Iranian groups, including Void Manticore with its DruidFly wiper, have also abused SSL.com\u2019s service.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ingest Check Point and Prodaft IoCs for UNC1549 into EDR\/AV rules.<\/strong><\/li>\n\n\n\n<li>Audit code-signing certificates for metadata anomalies (date mismatches, signer vs. file name).<\/li>\n\n\n\n<li><strong>Review and harden CA partners\u2019 validation processes, request compliance evidence.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/iranian-hackers-ssl-certificates-sign-malware\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Salesforce Agentforce Prompt Injection Flaw Could Leak Sensitive CRM Data<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Researchers at Noma Security have discovered \u201cForcedLeak,\u201d a critical CVSS 9.4 vulnerability in Salesforce\u2019s Agentforce AI platform that allows attackers to use indirect prompt injection via Web-to-Lead forms.<\/strong> <strong>The flaw lets malicious prompts in form submissions coerce AI agents into exfiltrating PII and corporate secrets to attacker-controlled domains.<\/strong> <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ForcedLeak chains cross-site scripting\u2013style prompt injection with overly permissive AI context handling.<\/li>\n\n\n\n<li>Attackers embed malicious instructions in the \u201cDescription\u201d field of Web-to-Lead forms.<\/li>\n\n\n\n<li>Bypassing CSP via an expired but whitelisted domain (my-salesforce-cms.com) enabled data exfiltration.<\/li>\n\n\n\n<li><strong>Salesforce patched the issue by enforcing a Trusted URL allowlist for Agentforce and Einstein AI.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/salesforce-ai-agents-leak-sensitive-data\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
ShadowV2 Turns Misconfigured AWS Docker Containers into DDoS-as-a-Service Platform<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Darktrace researchers warn of ShadowV2, a DDoS-for-hire botnet that hijacks exposed Docker daemons on AWS EC2 to deploy custom containers and launch large-scale HTTP floods via a Go-based RAT.<\/strong>  With a polished API, web dashboard and subscription tiers, ShadowV2 industrializes DDoS attacks, lowering barriers for even novice actors and underscoring the need for hardened container configurations and API monitoring.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Targets exposed Docker APIs on AWS EC2 using Python Docker SDK to communicate with daemons.<\/li>\n\n\n\n<li><strong>Dynamically builds and commits malicious containers on victims rather than pulling pre-built images.<\/strong><\/li>\n\n\n\n<li><strong>Installs a Go-based Remote Access Trojan<\/strong> that heartbeats to a C2 API every second and polls commands every five seconds.<\/li>\n\n\n\n<li>Includes advanced HTTP\/2 rapid-reset floods and Cloudflare \u201cUnder Attack Mode\u201d bypass capabilities.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Restrict Docker daemon exposure; bind it to localhost or socket only.<\/strong><\/li>\n\n\n\n<li><strong>Enforce least-privilege IAM roles for container hosts on AWS.<\/strong><\/li>\n\n\n\n<li>Scan existing EC2 instances for open Docker ports and remediate misconfigurations.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4063244\/mit-shadowv2-wird-ddos-zu-einem-cloud-nativen-abo-dienst.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Tech Sector Surpasses Gaming as Primary DDoS Target Amid 41% Surge in Attacks<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The latest Gcore Radar report shows DDoS attacks climbed 41% year-on-year in H1 2025,<\/strong> peaking at 2.2 Tbps and lasting longer with multi-layer tactics. <strong>Technology firms now account for 30% of all attacks, overtaking gaming<\/strong>, while financial services and application-layer assaults also surge.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Total incidents rose from 969,000 in H2 2024 to 1.17 million in H1 2025.<\/li>\n\n\n\n<li>Application-layer attacks jumped to 38% of all vectors, up from 28%.<\/li>\n\n\n\n<li><strong>Technology (30%) and financial services (21%) lead targets; gaming fell to 19%.<\/strong><\/li>\n\n\n\n<li><strong>Top attack sources: United States, Netherlands and emerging Hong Kong.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/09\/tech-overtakes-gaming-as-top-ddos.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Researchers Identify Phishing Campaigns Delivering CountLoader Malware and PureRAT Backdoor with SVG<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Fortinet and Huntress <strong>reveal two fileless phishing campaigns:<\/strong> one spoofing Ukrainian police <strong>with SVG attachments<\/strong> to deploy CountLoader, which loads Amatera Stealer and PureMiner, and another using <strong>copyright-themed lures to stage PXA Stealer and ultimately PureRAT.<\/strong><br>These multi-stage attacks exploit SVG, CHM, and in-memory .NET execution to steal credentials, hijack resources, and establish persistent access.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Emails spoof National Police of Ukraine with embedded SVG <\/strong>leading to password-protected ZIPs and CHM files<\/li>\n\n\n\n<li>CountLoader drops Amatera Stealer (browser &amp; wallet data exfiltration) and PureMiner (cryptomining) <strong>via fileless .NET AOT and PythonMemoryModule<\/strong><\/li>\n\n\n\n<li><strong>Separate campaign uses copyright infringement phishing <\/strong>to deliver PXA Stealer, layered in-memory loaders, and PureRAT backdoor<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block or quarantine incoming SVG and CHM attachments at the email gateway<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer\">Fortinet FortiGuard Labs<\/a>, <a href=\"https:\/\/www.huntress.com\/blog\/purerat-threat-actor-evolution\">Huntress<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/09\/researchers-expose-svg-and-purerat.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Iran-Linked APT Nimbus Manticore Expands Attacks to European Defense, Telecom, and Aviation Firms<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Iran-backed threat group Nimbus Manticore is targeting defense, telecommunications, and aerospace firms in Denmark, Portugal, and Sweden with new variants of its MiniJunk backdoor and MiniBrowse stealer delivered via tailored job-related spear-phishing emails. These improved tools use advanced compiler-level obfuscation, signed malware binaries, and multi-stage DLL sideloading to maintain persistence and evade detection, posing heightened risks to critical infrastructure.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Targets include defense manufacturing, telecoms, and aviation sectors in Western Europe.<\/li>\n\n\n\n<li>MiniJunk backdoor and MiniBrowse credential stealer use junk code, control-flow obfuscation, and signed SSL.com certificates.<\/li>\n\n\n\n<li>Spear-phishing via fake HR job sites delivers malware through multi-stage sideloading of a Windows Defender component.<\/li>\n\n\n\n<li>Malware communicates with 3\u20135 HTTPS C2 servers using obfuscated traffic to avoid detection.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/iran-linked-hackers-europe-new-malware\">Dark Reading<\/a>, <a href=\"https:\/\/research.checkpoint.com\/2025\/nimbus-manticore-deploys-new-malware-targeting-europe\/\">Check Point Research<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
UK to Launch &#8216;Report Fraud&#8217; Replacement for Failing Action Fraud Service<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Britain's national fraud reporting portal Action Fraud will be replaced later this year by 'Report Fraud', which uses Palantir\u2019s Foundry platform<\/strong> to automatically analyze reports and rebuild public trust amid a 31% rise in fraud incidents. The system integrates data from tech, telecom, and financial partners, enabling the National Fraud Intelligence Bureau to spot patterns and issue real-time intelligence.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fraud incidents rose 31% in the year to March, with estimated losses in the billions.<\/li>\n\n\n\n<li>The Palantir Foundry\u2013based back end has been operational since November 2023.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/uk-action-fraud-replacement-report-fraud\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive the weekly cybersecurity news summary in your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            \n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>New technologies are awesome; they often allow us to achieve more, get further, be more creative. But unfortunately, this is true for the bad guys as well. Week after week, we see in this cybersecurity news summary that there&#8217;s a new and rather not very complex way AI chats are used to exfiltrate data and now more and more MCP servers are getting impersonated and used for exfiltration as well.<\/p>\n<p>So I would say, one thing to prioritise in your GRC programs right now is vendor reviews and usage of all the different AI tools. 
Absolutely we all want to use them, but when a year ago our biggest collective concern was that OpenAI will use our data for training then I think the risk has moved significantly to interception and exfiltration of data through the browser \/ MCP servers.<\/p>","protected":false},"author":1,"featured_media":20655,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20649","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20649"}],"version-history":[{"count":7,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20649\/revisions"}],"predecessor-version":[{"id":20657,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20649\/revisions\/20657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20655"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}