The City of Cambridge has released an important update regarding the OnSolve CodeRED emergency notifications system, also known locally as Cambridge’s reverse 911 system. The platform, widely used by thousands of local governments and public safety agencies across the country, was taken offline in November following a nationwide OnSolve CodeRED cyberattack. Residents who rely on CodeRED alerts for information about snow emergencies, evacuations, water outages, or other service disruptions are being asked to take immediate steps to secure their accounts and continue receiving notifications.

Impact of the OnSolve CodeRED Cyberattack on User Data

According to city officials, the data breach affected CodeRED databases nationwide, including Cambridge. The compromised information may include phone numbers, email addresses, and passwords of registered users. Importantly, the attack targeted the OnSolve CodeRED system itself, not the City of Cambridge or its departments. This OnSolve CodeRED cyberattack incident mirrors similar concerns raised in Monroe County, Georgia, where officials confirmed that residents’ personal information was also exposed. The Monroe County Emergency Management Agency emphasized that the breach was part of a nationwide cybersecurity incident and not a local failure.

Transition to CodeRED by Crisis24

In response, OnSolve permanently decommissioned the old CodeRED platform and migrated services to a new, secure environment known as CodeRED by Crisis24. The new system has undergone comprehensive security audits, including penetration testing and system hardening, to ensure stronger protection against future threats. For Cambridge residents, previously registered contact information has been imported into the new platform. However, due to security concerns, all passwords have been removed. Users must now reset their credentials before accessing their accounts.

Steps for City of Cambridge Residents and Users

To continue receiving emergency notifications, residents should:

• Visit accountportal.onsolve.net/cambridgema
• Enter their username (usually an email address)
• Select “forgot password” to verify and reset credentials
• If unsure of their username, use the “forgot username” option

Officials strongly advise against reusing old CodeRED passwords, as they may have been compromised. Instead, users should create strong, unique passwords and update their information once logged in. Additionally, anyone who used the same password across multiple accounts is urged to change those credentials immediately to reduce the risk of further exposure.

Broader National Context

The Monroe County cyberattack highlights the scale of the issue. Officials there reported that data such as names, addresses, phone numbers, and passwords were compromised. Residents who enrolled before March 31, 2025, had their information migrated to the new Crisis24 CodeRED platform, while those who signed up afterward must re‑enroll. OnSolve has reassured communities that the intrusion was contained within the original system and did not spread to other networks. While there is currently no evidence of identity theft, the incident underscores the growing risks of cyber intrusions nationwide.

Resources for Cybersecurity Protection

Residents who believe they may have been victims of cyber‑enabled fraud are encouraged to report incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov. Additional resources are available to help protect individuals and families from fraud and cybercrime. Security experts note that the rising frequency of attacks highlights the importance of independent threat‑intelligence providers. Companies such as Cyble track vulnerabilities and cybercriminal activity across global networks, offering organizations tools to strengthen defenses and respond more quickly to incidents.

Looking Ahead

The City of Cambridge has thanked residents for their patience as staff worked with OnSolve to restore emergency alert capabilities. Officials emphasized that any breach of security is a serious concern and confirmed that they will continue monitoring the new CodeRED by Crisis24 platform to ensure its standards are upheld. In addition, the City is evaluating other emergency alerting systems to determine the most effective long‑term solution for community safety.

Reporters Without Borders (RSF) has determined that a phishing operation targeting the organization in early 2025 was carried out by a group associated with Russia’s Federal Security Service (FSB). The RSF cyberattack conclusion follows a months-long technical investigation conducted with the support of French cybersecurity firm Sekoia.   According to RSF, the attempted RSF cyberattack was first identified in March 2025 when an employee received a message written in French that appeared to come from a trusted contact. The email requested the recipient to open an attachment that was, in fact, missing, an established phishing technique designed to prompt a reply, allowing attackers to later send infected documents or malicious links.  

The Failed RSF Cyberattack

When the response from the supposed sender arrived in English instead of French, the inconsistency raised immediate suspicion. The employee reported the exchange to RSF’s cybersecurity team, preventing the RSF cyberattack from progressing.  RSF then sought Sekoia’s assistance to conduct a deeper inquiry. The company later published a detailed account attributing the attack to the group known as Callisto or Calisto, also identified as UNC4057, Star Blizzard, or ColdRiver. Intelligence agencies in the United States, the United Kingdom, New Zealand, and Australia have connected this group to the FSB. Sekoia describes Callisto as an advanced persistent threat capable of maintaining hidden, long-term access to targeted information systems. 

Kremlin Pressure and Designation as an “Undesirable Organization” 

In its statement, Reporters Without Borders noted that the organization frequently faces digital interference from Russian state services and pro-Kremlin actors. RSF has long been involved in defending press freedom in Russia and supporting journalists fleeing the country, making it a recurring target of Russian-linked operations.  RSF Director of Advocacy and Assistance Antoine Bernard said the March attack was not accidental. “RSF, which defends global press freedom and actively assists Russian journalists fleeing their country, is a regular target of the Kremlin and the constellation surrounding Vladimir Putin’s regime,” he stated. Bernard added that this incident was one of multiple politically motivated operations directed at the organization in recent months. In August 2025, Russian authorities escalated their pressure by officially declaring RSF an “undesirable organization,” exposing anyone connected to it to prison sentences of up to four years under Russian law.  RSF Chief Information Security Officer Nicolas Diaz emphasized ongoing cybersecurity challenges. “In the face of cyberthreats, RSF benefits from cutting-edge technical solutions as well as external expertise capable of detecting and characterizing the cyberoperations that target us,” he explained. Diaz highlighted the need to strengthen cyber defense capabilities and ensure users recognize the subtle warning signs that often precede an attempted intrusion we saw in the RSF cyberattack.

Disinformation Campaigns and Broader Press Freedom Concerns 

RSF reported that the phishing operation fits into a larger pattern of attempts to undermine its work. In March 2025, the NGO denounced a disinformation campaign that used doctored videos falsely claiming to show statements by RSF leadership. A year earlier, in 2024, RSF filed a complaint against platform X (previously Twitter) after repeated posts containing disinformation against the organization remained unaddressed.   Among the most notable examples was a fabricated BBC-style video alleging that RSF had produced a study accusing Ukrainian soldiers of harboring Nazi sympathies. This false content was later circulated by Russian authorities and amplified by pro-Kremlin influencers.  The organization released its annual press freedom report, stating that Russia currently detains more foreign journalists than any other country. RSF also co-led an investigation into the final weeks of Ukrainian freelance journalist Viktoria Roshchyna, 27, who died in Russian captivity in 2024. According to the report, only Israel and organized crime groups were responsible for more journalist deaths worldwide in 2025. 

Four years after the HSE cyberattack that crippled Ireland’s national health service, the Health Service Executive has begun offering financial compensation to individuals whose personal data was compromised in the incident. The payment proposal is the first time the HSE has formally acknowledged the need to compensate those affected by what remains one of the largest recorded cyberattacks on health systems worldwide.  The cyberattack on HSE occurred on May 14, 2021, when the Conti ransomware group, a Russia-based cybercrime organization, launched a large-scale intrusion that forced the shutdown of the health service’s IT network. The ransomware incident led to widespread treatment delays and exposed sensitive information belonging to almost 100,000 staff members and patients. Investigators later determined that the breach began when a malicious file attached to a phishing email was opened on the dispersed and “frail” IT infrastructure used by the health service. 

Hundreds of Legal Proceedings Underway Following the HSE Cyberattack 

As legal disputes have grown over the last four years, the HSE has now extended an offer of €750 in damages to each affected claimant. A further €650 per person has been allocated to cover legal fees. According to Cork-based O’Dowd Solicitors, representing more than 100 individuals, the offer was received on Friday and was described to clients as a “significant development.” The firm told its clients that this was “the first time in public (or private that I know of, the HSE has acknowledged that they will need to compensate individuals impacted by the breach.”  According to RTÉ News, the proposed €750 payment would be issued within 28 days of an accepted offer and would serve as a “full and final settlement” of any ongoing proceedings. O’Dowd Solicitors declined to comment publicly on the matter, though it is understood the firm is currently advising clients on their options.  The offer follows a recent high-profile legal ruling in Ireland that affirmed an individual’s right to damages in relation to data breaches, a decision seen by legal observers as having implications for the mounting number of cases linked to the HSE cyberattack.  As of November 2025, the HSE confirmed that approximately 620 legal proceedings had been issued in connection with the attack. A spokeswoman said that the HSE “is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly,” adding that “these legal matters between the HSE and affected individuals are confidential.”  In earlier updates, the health service said it had reached out to all individuals whose information had been compromised, with 90,936 people ultimately contacted following the breach. The scale of the incident placed immense pressure on clinical operations, causing long delays in diagnostics, appointments, and elective procedures over an extended period. 

Cybersecurity Overhaul Following the Conti Attack 

Since the 2021 intrusion, the HSE has noted that it has “invested significantly” in strengthening its cybersecurity posture. According to the organization, multiple work programs are underway to address vulnerabilities identified in the aftermath of the cyberattack on HSE. The HSE reports that it now responds to thousands of cyber threats annually and continues to expand “multi-layered cyber defenses” intended to detect and mitigate ongoing risks. The agency acknowledges that the attack exposed critical weaknesses in its digital infrastructure and reiterated that enhancing cyber capability remains a core operational priority.  The compensation development was first reported by the Irish Independent and signals a new phase in the long-running fallout from the HSE cyberattack carried out by the Conti ransomware group. For many victims, the proposed payments represent a long-awaited acknowledgment of the breach’s impact, though the final resolution of the hundreds of legal claims still depends on individual acceptance of the settlement terms. 

Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.  In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”  The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.” 

Details of the Barts Health Data Breach and Exposed Information 

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.  The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”  Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.  The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact. 

Timeline of the Breach and Potential Risks to Individuals 

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.  The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”  Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”  The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands. 

A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.  Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack 

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.  She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day. 

University Issues Public Notification After Continued Cyber Incidents 

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation:  “I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”  The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.  Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allow intruders to extract personal data from the Student Management System.  University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel. 

Scope of Compromised Information 

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.  Individual notifications are being issued to those affected, including updated findings from earlier incidents.  The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused. 

A nationwide cybersecurity incident involving the OnSolve CodeRED mass notification network has placed Monroe County, Georgia residents at risk, prompting local officials to warn the public and begin transitioning to a new emergency alert system. The Monroe County cyberattack, which officials emphasize did not originate locally, has compromised personal information belonging to users enrolled in the county’s emergency alert service.  In its formal notification, Monroe County Emergency Management Agency (EMA) informed residents that a nationwide data breach affecting all OnSolve CodeRED customers had been confirmed. The county stated, “This has been an issue nationwide,” stressing that the breach stemmed from an attack on the vendor system rather than any action by Monroe County personnel. According to the county, the incident was attributed to “an organized cybercriminal group that has victimized our platform and our customers.” 

Compromised Monroe County’s User Data

The cyberattack on Monroe County users occurred within the broader CodeRED environment, which supports emergency alerts issued across the United States. Once the breach was discovered, OnSolve immediately discontinued its CodeRED service nationwide and shifted resources to a new platform known as Crisis24 CodeRED. Officials said the intrusion was contained within the original system and did not spread to other networks.  According to OnSolve’s assessment, the compromised data includes names, addresses, email addresses, phone numbers, and passwords associated with CodeRED user accounts. County officials urged residents who use the same password for multiple accounts to change those passwords immediately to reduce the risk of further exposure.  Enrollment timing also affects the extent of data loss. Monroe County explained that residents who signed up for CodeRED before March 31, 2025, will have their information migrated to the new Crisis24 CodeRED platform. However, all data added after March 31, 2025, was lost during the incident, meaning those users will need to re-enroll once the new system becomes fully operational. The county noted that it is working closely with Crisis24 staff to expedite the setup of the replacement alert service. 

Vendor Response, FAQ Details, and System Transition 

Although the breach occurred entirely within a third-party vendor system, Monroe County EMA acknowledged that the incident is likely to cause worry within the community. Officials pledged ongoing communication, stating they will share any additional updates provided by OnSolve.  OnSolve also released a detailed FAQ explaining the breach. The vendor reported that personal contact information “may be published” as a result of the attack, but said forensic analysis indicates no impact on municipal systems beyond emergency alerts. According to the provider, the newly launched Crisis24 CodeRED platform resides in a separate, non-compromised environment and has undergone a comprehensive security audit, including external penetration testing and system hardening.  The company stated that the cybersecurity incident was detected in November and that it acted quickly to secure the affected systems, launch an investigation, and engage outside experts. The original OnSolve CodeRED platform has since been permanently decommissioned. 

No Evidence of Identity Theft, but Rising Cyber Risks Cited 

Despite concerns surrounding the Monroe County cyberattack, officials report no evidence that the compromised data has been used for identity theft or fraud. They noted that the breach reflects a broader rise in cyber intrusions nationwide, highlighting the need for stronger threat monitoring and rapid detection.   As the county works to restore its emergency alert system, officials reiterated their commitment to transparency and continued oversight. The growing frequency of attacks also stresses why organizations increasingly rely on independent threat-intelligence providers such as Cyble, whose research regularly tracks new vulnerabilities and cybercriminal activity across global networks.  To better understand how organizations can strengthen their defenses against incidents like the Monroe County cyberattack, security teams can request a guided demonstration of Cyble’s AI-native threat-intelligence capabilities. A personalized demo provides a practical look at how Cyble identifies exposures, tracks threat actors, and supports faster response decisions. 

Artificial intelligence isn’t just another tool in the security stack anymore – it’s changing how software is written, how vulnerabilities spread and how long attackers can sit undetected inside complex environments. Security researcher and startup founder Guy Arazi unpacks why AI has become both a powerful defensive accelerator and a force multiplier for adversaries, especially..

The post The Dual Role of AI in Cybersecurity: Shield or Weapon? appeared first on Security Boulevard.

An Australian man has been sentenced to more than seven years in jail on charges that he created ‘evil twin’ WiFi networks to hack into women’s online accounts to steal intimate photos and videos. The Australian Federal Police (AFP) didn’t name the man in announcing the sentencing, but several Australian news outlets identified him as Michael Clapsis, 44, of Perth, an IT professional who allegedly used his skills to carry out the attacks. He was sentenced to seven years and four months in Perth District Court on November 28, and will be eligible for parole after serving half that time, according to the Sydney Morning Herald. The AFP said Clapsis pled guilty to 15 charges, ranging from unauthorised access or modification of restricted data to unauthorised impairment of electronic communication, failure to comply with an order, and attempted destruction of evidence, among other charges.

‘Evil Twin’ WiFi Network Detected on Australian Domestic Flight

The AFP investigation began in April 2024, when an airline reported that its employees had identified a suspicious WiFi network mimicking a legitimate access point – known as an “evil twin” – during a domestic flight. On April 19, 2024, AFP investigators searched the man’s luggage when he arrived at Perth Airport , where they seized a portable wireless access device, a laptop and a mobile phone. They later executed a search warrant “at a Palmyra home.” Forensic analysis of data and seized devices “identified thousands of intimate images and videos, personal credentials belonging to other people, and records of fraudulent WiFi pages,” the AFP said. The day after the search warrant, the man deleted more than 1,700 items from his account on a data storage application and “unsuccessfully tried to remotely wipe his mobile phone,” the AFP said. Between April 22 and 23, 2024, the AFP said the man “used a computer software tool to gain access to his employer’s laptop to access confidential online meetings between his employer and the AFP regarding the investigation.” The man allegedly used a portable wireless access device, called a “WiFi Pineapple,” to detect device probe requests and instantly create a network with the same name. A device would then connect to the evil twin network automatically. The network took people to a webpage and prompted them to log in using an email or social media account, where their credentials were then captured. AFP said its cybercrime investigators identified data related to use of the fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, as well as on domestic flights, “while the man also used his IT privileges to access restricted and personal data from his previous employment.” “The man unlawfully accessed social media and other online accounts linked to multiple unsuspecting women to monitor their communications and steal private and intimate images and videos,” the AFP said.

Victims of Evil Twin WiFi Attack Enter Statements

At the sentencing, a prosecutor read from emotional impact statements from the man’s victims, detailing the distress they suffered and the enduring feelings of shame and loss of privacy. One said, “I feel like I have eyes on me 24/7,” according to the Morning Herald. Another said, “Thoughts of hatred, disgust and shame have impacted me severely. Even though they were only pictures, they were mine not yours.” The paper said Clapsis’ attorney told the court that “He’s sought to seek help, to seek insight, to seek understanding and address his way of thinking.” The case highlights the importance of avoiding free public WiFi when possible – and not accessing sensitive websites or applications if one must be used. Any network that requests personal details should be avoided. “If you do want to use public WiFi, ensure your devices are equipped with a reputable virtual private network (VPN) to encrypt and secure your data,” the AFP said. “Disable file sharing, don’t use things like online banking while connected to public WiFi and, once you disconnect, change your device settings to ‘forget network’.”

Japanese beverage giant Asahi Group Holdings has confirmed new findings in its ongoing investigation into the Asahi Group cyberattack, revealing that personal information linked to around 2 million customers, employees, and external contacts may have been exposed. The update follows a detailed forensic review of the system disruption that struck its domestic servers on September 29. President and Group CEO Atsushi Katsuki addressed the media in Tokyo, offering an apology while outlining the company’s path toward full recovery. Katsuki said Asahi expects to resume automated orders and shipments by December, with full logistics normalization anticipated by February.

Asahi Group Cyberattack Investigation Reveals Scale of Data Exposure

According to the company, the Asahi Group cyberattack involved ransomware, which encrypted files across multiple servers and some company-issued PCs. Asahi confirmed that while systems in Japan were affected, no impact has been identified on overseas operations. A hacker group known as Qilin has claimed responsibility on the dark web, stating it had stolen internal documents and employee data. Asahi, however, reported no evidence that personal data has been published online. Katsuki also clarified that no ransom payment was made. The attack previously forced Asahi to delay its January–September financial results, initially scheduled for November 12.

Timeline and Technical Findings

Asahi’s latest report outlines the internal timeline and technical assessment:

• At 7:00 a.m. JST on September 29, systems began malfunctioning, and encrypted files were soon discovered.
• By 11:00 a.m. JST, the company disconnected its network and isolated the data center to contain the attack.
• Investigators later revealed the attacker gained entry via network equipment at a Group site, deploying ransomware simultaneously across multiple servers.
• Forensic reviews confirmed potential exposure of data stored on both servers and employee PCs.
• The impact remains limited to Japan-managed systems.

As part of regulatory requirements, Asahi submitted its final report to the Personal Information Protection Commission on November 26.

Details of Potentially Exposed Personal Information

As of November 27, the company has identified the following potentially affected groups and data types:

• Customer Service Center contacts from Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods Name, gender, address, phone number, email address — 1,525,000 individuals
• External contacts receiving congratulatory or condolence telegrams Name, address, phone number — 114,000 individuals
• Employees and retirees Name, date of birth, gender, address, phone number, email address, other details — 107,000 individuals
• Family members of employees/retirees Name, date of birth, gender — 168,000 individuals

Asahi confirmed that no credit card information was included in the exposed data sets. The company has set up a dedicated helpline (0120-235-923) for concerned individuals.

System Restoration and Strengthened Cybersecurity Measures

Following the Asahi Group cyberattack, the company spent two months containing the incident, restoring essential systems, and reinforcing security defences. These measures include:

• A full forensic investigation by external cybersecurity experts
• Integrity verification of affected systems and devices
• Gradual restoration of systems confirmed to be secure

Preventive actions now underway include:

• Redesigned network communication routes and stricter connection controls
• Limiting internet-facing connections to secure zones
• Upgraded security monitoring for improved threat detection
• Revised backup strategies and refreshed business continuity plans
• Enhanced security governance through employee training and external audits

In his public statement, Katsuki said, “We apologize for any difficulties caused to our stakeholders by the recent system disruption. We are making every effort to restore systems quickly while strengthening information security across the Group.” He added that product shipments are being restored in phases as recovery progresses. With investigation findings now submitted to regulators and system restoration underway, the company aims to prevent any recurrence while reassuring customers and partners affected by the Asahi Group cyberattack.

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system’s status and their plans. The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. “Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening,” the city said in its statement. “The provider decommissioned the OnSolve CodeRED platform and is the process of moving all customers to its new CodeRED platform.” Craven County Emergency Services in North Carolina said the new CodeRED platform “will be available before November 28.” In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County’s social media accounts. The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took “immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED.” The Sheriff’s Office said it “is actively searching for a replacement for the CodeRED platform.” The office said it still has the ability to issue “IPAWS” alerts to citizens when necessary, and “will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations.”

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including csv files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, where the company purportedly offered as much as USD $150,000, an amount the attackers claim they refused.

Three London councils are responding to a major cybersecurity incident that has disrupted public services and triggered alerts across the capital. The Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and Hammersmith and Fulham Council confirmed on Tuesday evening (November 25) that they were investigating a serious Account Takeover Fraud–related cyber issue affecting shared systems. The situation has raised concerns as local authorities increase monitoring and coordinate with national agencies to understand the scale of the London councils cyberattack.

London Councils Confirm Cybersecurity Incident

RBKC issued an official statement revealing that both its systems and those of Westminster City Council were impacted by what it described as a “cyber security issue.” The London councils cyberattack incident, detected early on Monday morning (November 24), prompted both councils to notify the UK Information Commissioner’s Office (ICO) and work closely with the National Cyber Security Centre (NCSC) and specialist cyber incident responders. Officials said the focus remains on securing systems, protecting data, and restoring essential services. The first public indication of disruption came when RBKC posted on X around 1pm on Monday, warning of “system issues” affecting online services. By Tuesday morning, the council described the situation as a “serious IT issue,” confirming wider service interruptions as investigations continued. [caption id="attachment_107162" align="aligncenter" width="488"] Source: X[/caption] WCC issued a similar update, explaining that its computer networks were temporarily shut down as a precaution. The council apologised to residents for the inconvenience but emphasised that immediate action was necessary to prevent further impact. “We are taking swift and effective action to bring all our systems back online as soon as possible,” the council stated on its website. Emergency contact numbers were provided for urgent issues.

Multiple London Authorities Heighten Threat Levels

In the wake of the London councils cyberattack, Hackney Council circulated an internal “urgent communication,” warning staff that intelligence indicated multiple London councils had been targeted by cyberattacks within the last 24 to 48 hours. As a result, the borough escalated its internal cyber threat level to Critical. Hackney officials have experience responding to major cybersecurity incidents, following a severe attack in 2020 that affected hundreds of thousands of residents and staff. Hammersmith and Fulham Council also reported that it had responded to a serious cybersecurity incident, although the local authority stated that, so far, there was no evidence that its systems had been breached. Across the affected boroughs, several IT systems, online portals, and phone lines remain disrupted. To maintain essential services, councils activated business continuity and emergency plans, prioritising support for vulnerable residents. Additional staff have been assigned to monitor phone lines and emails while restoration work continues.

Authorities Investigating Potential Data Exposure

RBKC and WCC noted that it is still too early to determine the root cause, the extent of the incident, or whether any personal data has been compromised. However, officials confirmed that investigations are underway to determine whether the attack involved techniques similar to Account Takeover Fraud or other targeted compromise attempts. “We don’t have all the answers yet,” RBKC said, “but we know people will have concerns, so we will be updating residents and partners further over the coming days.” Council IT teams worked overnight on Monday to apply several mitigation measures, and officials said they remain vigilant for any potential follow-up attempts.

National Agencies Monitoring the Situation

A spokesperson for the National Cyber Security Centre confirmed awareness of the incident and said the agency is “working to understand any potential impact.” The NCSC continues to support local authorities in managing the wider threat. The Metropolitan Police Cyber Crime Unit also confirmed it received a referral from Action Fraud on Monday following reports of a suspected cyber-attack against several London borough councils. “Enquiries remain in the early stages,” a spokesperson said, adding that no arrests have been made so far. All affected councils apologised for the disruption and urged residents to expect delays in accessing some services. They also committed to providing further updates as system recovery progresses. For concerns related to Westminster or Hammersmith and Fulham, residents were advised to contact those authorities directly.

From Anthropic:

In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree­—using AI not just as an advisor, but to execute the cyberattacks themselves.

The threat actor—­whom we assess with high confidence was a Chinese state-sponsored group—­manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention...

The post AI as Cyberattacker appeared first on Security Boulevard.

The City of Middletown has released a new update as part of its ongoing cybersecurity restoration following the significant City of Middletown cyberattack that disrupted multiple municipal services earlier this year. The latest announcement, dated November 20, 2025, provides details on the resumption of utility billing, the status of delinquent accounts, and broader system recovery efforts. As part of the continuing cybersecurity restoration process, Middletown officials confirmed that utility billing will restart in December. Because billing systems were offline for several months, the first bills will be based on estimated usage from the same period last year, plus an additional 25% to account for service charges accrued during the outage. Flat-fee services, including refuse, stormwater, and toter charges—will also be back-billed in full and are expected to return to standard billing cycles in January 2026. While the city aims to restore traditional meter readings, officials noted that a firm timeline is not yet available. Until systems are fully repaired, estimated billing will continue into early 2026. Once meter readings resume, actual usage during the outage will be calculated and spread across six billing cycles to minimize financial burden on residents.

Delinquent Accounts and Service Continuity

During the City of Middletown cyberattack, the city temporarily paused all utility shutoffs, including for accounts already delinquent before the incident. Shutoffs will now resume only for those pre-existing delinquent accounts. Residents with outstanding balances will receive individual notices outlining payment options and steps to prevent service interruption. For support or questions, residents may contact the Utility Billing Office at (513) 425-7870.

City of Middletown Cyberattack: Ongoing System Recovery 

In an earlier update on October 27, 2025, Middletown reported steady progress in restoring core systems. Phone lines, Wi-Fi, and city email accounts are now fully operational, allowing staff to return to regular communication channels with residents. However, certain departments continue to rely on temporary backup processes while the broader network rebuild continues. The cyber event occurred in mid-August, prompting officials to immediately shut down affected systems and bring in third-party cybersecurity specialists to assist with secure restoration and forensic investigation.

Current Department-Level Impact

• Utility Billing: Still unable to generate new bills until system restoration is complete.
• Payments: Residents may continue paying previously issued bills via InvoiceCloud or at the City Building.
• Court Records: In-person court record searches remain available.
• Police Fingerprint Checks: Not currently available; residents may obtain checks from county, state, or federal agencies.

Data Impact and Ongoing Forensics

The city’s investigation into the cyber event continues with support from external cybersecurity experts. It remains unclear whether any resident data was affected. Officials emphasized that determining what information may have been accessed, and who may be impacted, is a complex, ongoing process. Should the investigation confirm exposure of personal information, the city will notify and assist affected individuals. Middletown also confirmed that it is coordinating with federal, state, and local law enforcement agencies throughout the investigation. At this time, there is no evidence that compromised data has been used for fraudulent activity or identity theft.

From Anthropic:

In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree­—using AI not just as an advisor, but to execute the cyberattacks themselves.

The threat actor—­whom we assess with high confidence was a Chinese state-sponsored group—­manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention.

[…]

The attack relied on several features of AI models that did not exist, or were in much more nascent form, just a year ago:

1. Intelligence. Models’ general levels of capability have increased to the point that they can follow complex instructions and understand context in ways that make very sophisticated tasks possible. Not only that, but several of their well-developed specific skills—in particular, software coding­—lend themselves to being used in cyberattacks.
2. Agency. Models can act as agents—­that is, they can run in loops where they take autonomous actions, chain together tasks, and make decisions with only minimal, occasional human input.
3. Tools. Models have access to a wide array of software tools (often via the open standard Model Context Protocol). They can now search the web, retrieve data, and perform many other actions that were previously the sole domain of human operators. In the case of cyberattacks, the tools might include password crackers, network scanners, and other security-related software.

Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.

A major Cloudflare outage struck on 18 November 2025, beginning at 11:20 UTC and spreading across its global network within minutes. Although the issue initially looked like a large-scale Cloudflare cyberattack, it was later confirmed to be an internal configuration error that disrupted company’s core traffic-routing systems.

According to Cloudflare, the disruption began when one of the company’s database systems generated incorrect data and published it across the network. The problem stemmed from altered permissions in a ClickHouse database cluster, which inadvertently caused the system to output duplicate rows into a “feature file” used by Cloudflare’s Bot Management module. The feature file, normally stable in size, doubled unexpectedly. Once this oversized file propagated across Cloudflare’s machines, the software responsible for distributing global traffic encountered a hard limit and failed. This internal malfunction translated into widespread HTTP 5xx errors for users trying to reach websites that rely on Cloudflare’s network. A screenshot shared by the company showed the generic error page millions of users saw during the outage. Cloudflare initially suspected that the symptoms resembled a hyper-scale DDoS attack, a concern shaped partly by recent “Aisuru” attack campaigns, raising fears of a potential cyberattack on Cloudflare. The company later clarified that “the issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind.” Once engineers discovered the faulty feature file, they halted its propagation and reinserted an earlier, stable version.  Core traffic began recovering by 14:30 UTC, and Cloudflare reported full restoration of all systems by 17:06 UTC. “Given Cloudflare’s importance in the Internet ecosystem, any outage of any of our systems is unacceptable,” the company wrote, noting that the incident was “deeply painful to every member of our team.” 

Why the System Failed During the Cloudflare Outage 

The root cause of the Cloudflare outage originated with a permissions change applied at 11:05 UTC. Cloudflare engineers were in the process of improving how distributed queries run in ClickHouse. Historically, internal processes assumed that metadata queries returned results only from the “default” database. The new permissions change allowed these queries to also surface metadata from the underlying “r0” database.  A machine learning–related query, used to build the Bot Management feature configuration file, combined metadata from both locations without filtering database names. The oversight caused the file to double in size as duplicate features were added. Bot Management modules preallocate memory based on a strict feature limit of 200 entries; the malformed file exceeded this threshold, triggering a Rust panic within the proxy system.  Because Cloudflare’s core proxy (called FL, or “Frontline”) touches nearly every request on the network, the failure cascaded quickly. The newer version of the proxy system, FL2, also encountered 5xx errors. Legacy FL systems did not crash, but they produced invalid bot scores, defaulting everything to zero and potentially leading to false positives for customers who blocked bot traffic. 

Systems Impacted 

The Cloudflare outage disrupted multiple services: 

• Core CDN and security services returned widespread HTTP 5xx errors. 

• Turnstile, Cloudflare’s verification system, failed to load, preventing many users from logging into the Cloudflare dashboard. 

• Workers KV experienced a sharp increase in error rates until engineers applied a bypass patch at 13:04, stabilizing dependent services. 

• Cloudflare Access experienced authentication failures from the start of the incident. Existing sessions remained valid, but new attempts failed and returned error pages. 

• Email Security continued processing email but temporarily lost access to an IP reputation source, slightly reducing spam-detection accuracy. 

Cloudflare also noted latency spikes across its CDN during the incident as debugging and observability tools consumed excess CPU while attempting to analyze the errors.  Complicating the investigation further, Cloudflare’s external status page briefly went offline, despite being completely hosted outside Cloudflare’s network, adding to internal suspicion that an attacker might be targeting multiple systems simultaneously. This coincidence reinforced early fears of a potential Cloudflare cyberattack, though this theory was later dismissed. 

Post-Incident Actions and Next Steps 

After restoring service, Cloudflare implemented a series of fixes, strengthening configuration protection, improving kill-switch controls, refining proxy error-handling, and preventing diagnostic tools from overwhelming system resources. The company described the event as its most serious outage since 2019, noting that while it briefly raised concerns about a potential cyberattack on Cloudflare, the root cause was purely internal.   Events like this highlight the value of proactive threat intelligence. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies on Gartner Peer Insights, provides AI-native, autonomous threat detection and attack-surface visibility. To assess your organization’s exposure and strengthen resilience, book a personized demo or start a free External Threat Assessment today. 

The revelation that a Chinese state-sponsored group (GTG-1002) used Claude Code to execute a large-scale autonomous AI cyberattack marks a turning point for every leadership role tied to security, technology, or business risk. This was not an AI-assisted intrusion; it was a fully operational AI-powered cyber threat where the model carried out reconnaissance, exploitation, credential harvesting, and data exfiltration with minimal human involvement. Anthropic confirmed that attackers launched thousands of requests per second, targeting 30 global organizations at a speed no human operator could match. With humans directing just 10–20% of the campaign, this autonomous AI cyberattack is the strongest evidence yet that the threat landscape has shifted from human-paced attacks to machine-paced operations. For CISOs, CTOs, and even CFOs, this is not just a technical incident — it’s a strategic leadership warning.

1. Machine-Speed Attacks Redefine Detection Expectations

The GTG-1002 actors didn’t use AI as a side tool — they let it run the operation end-to-end. The autonomous AI cyberattack mapped internal services, analyzed authentication paths, tailored exploitation payloads, escalated privileges, and extracted intelligence without stopping to “wait” for a human.

• CISO takeaway: Detection windows must shrink from hours to minutes.
• CTO takeaway: Environments must be designed to withstand parallelized, machine-speed probing.
• CFO takeaway: Investments in real-time detection are no longer “nice to have,” but essential risk mitigation.

Example: Claude autonomously mapped hundreds of internal services across multiple IP ranges and identified high-value databases — work that would take humans days, executed in minutes.

2. Social Engineering Now Targets AI — Not the User

One of the most important elements of this autonomous AI cyberattack is that attackers didn’t technically “hack” Claude. They manipulated it. GTG-1002 socially engineered the model by posing as a cybersecurity firm performing legitimate penetration tests. By breaking tasks into isolated, harmless-looking requests, they bypassed safety guardrails without triggering suspicion.

• CISO takeaway: AI governance and model-behavior monitoring must become core security functions.
• CTO takeaway: Treat enterprise AI systems as employees vulnerable to manipulation.
• CFO takeaway: AI misuse prevention deserves dedicated budget.

Example: Each isolated task Claude executed seemed benign — but together, they formed a full exploitation chain.

3. AI Can Now Run a Multi-Stage Intrusion With Minimal Human Input

This wasn’t a proof-of-concept; it produced real compromises. The GTG-1002 cyberattack involved:

• autonomous reconnaissance
• autonomous exploitation
• autonomous privilege escalation
• autonomous lateral movement
• autonomous intelligence extraction
• autonomous backdoor creation

The entire intrusion lifecycle was carried out by an autonomous threat actor, with humans stepping in only for strategy approvals.

• CISO takeaway: Assume attackers can automate everything.
• CTO takeaway: Zero trust and continuous authentication must be strengthened.
• CFO takeaway: Business continuity plans must consider rapid compromise — not week-long dwell times.

Example: In one case, Claude spent 2–6 hours mapping a database environment, extracting sensitive data, and summarizing findings for human approval — all without manual analysis.

4. AI Hallucinations Are a Defensive Advantage

Anthropic’s investigation uncovered a critical flaw: Claude frequently hallucinated during the autonomous AI cyberattack, misidentifying credentials, fabricating discoveries, or mistaking public information for sensitive intelligence. For attackers, this is a reliability gap. For defenders, it’s an opportunity.

• CISO takeaway: Honeytokens, fake credentials, and decoy environments can confuse AI-driven intrusions.
• CTO takeaway: Build detection rules for high-speed but inconsistent behavior — a hallmark of hallucinating AI.
• CFO takeaway: Deception tech becomes a high-ROI strategy in an AI-augmented threat landscape.

Example: Some of Claude’s “critical intelligence findings” were completely fabricated — decoys could amplify this confusion.

5. AI for Defense Is Now a Necessity, Not a Strategy Discussion

Anthropic’s response made something very clear: defenders must adopt AI at the same speed attackers are. During the Anthropic AI investigation, their threat intelligence team deployed Claude to analyze large volumes of telemetry, correlate distributed attack patterns, and validate activity. This marks the era where defensive AI systems become operational requirements.

• CISO takeaway: Begin integrating AI into SOC workflows now.
• CTO takeaway: Implement AI-driven alert correlation and proactive threat detection.
• CFO takeaway: AI reduces operational load while expanding detection scope, a strategic investment.

Leadership Must Evolve Before the Next Wave Arrives

This incident represents the beginning of AI-powered cyber threats, not the peak. Executives must collaborate to:

• adopt AI for defense
• redesign detection for machine-speed adversaries
• secure internal AI platforms
• prepare for attacks requiring almost no human attacker involvement

As attackers automate reconnaissance, exploitation, lateral movement, and exfiltration, defenders must automate detection, response, and containment. The autonomous AI cyberattack era has begun. Leaders who adapt now will weather the next wave, leaders who don’t will be overwhelmed by it.

The Government of Kenya cyberattack on Monday morning left several ministry websites defaced with racist and white supremacist messages, disrupting access for hours and prompting an urgent response from national cybersecurity teams. The cyberattack on Government of Kenya targeted multiple high-profile platforms, raising new concerns about the security of public-sector digital infrastructure. According to officials, the Government of Kenya cyberattack affected websites belonging to the ministries of Interior, Health, Education, Energy, Labour, and Water. Users attempting to access the pages were met with extremist messages including “We will rise again,” “White power worldwide,” and “14:88 Heil Hitler.”

Government of Kenya Cyberattack Under Investigation

The Interior Ministry confirmed the Government of Kenya cyberattack, stating that a group identifying itself as “PCP@Kenya” is suspected to be behind the intrusion. Several government websites were rendered temporarily inaccessible while national teams worked to secure affected systems. “Preliminary investigations indicate that the attack is suspected to have been carried out by a group identifying itself as 'PCP@Kenya',” the ministry said. “Following the incident, we immediately activated our incident response and recovery procedures, working closely with relevant stakeholders to mitigate the impact and restore access to the affected platforms.” [caption id="attachment_106846" align="aligncenter" width="533"] Source: X[/caption] Officials confirmed that the situation has since been contained, with systems placed under continuous monitoring to prevent further disruption. Citizens have been encouraged to reach out to the National KE-CIRT if they have information relevant to the breach.

Regional Cyber Issues Reported Within 24 Hours

The Kenyan incident took place just a day after Somalia reported a cyberattack on its Immigration and Citizenship Agency. Somali officials said they detected a breach involving data from individuals who had entered the country using its e-Visa system. Early findings suggest that leaked data may include names, dates of birth, photos, marital status, email addresses, and home addresses. Authorities are now assessing how many people were affected and how attackers gained access to the system. The U.S. Embassy in Somalia referenced claims from November 11, when hackers alleged they had infiltrated the e-visa system and accessed information belonging to at least 35,000 applicants — potentially including U.S. citizens. “While Embassy Mogadishu is unable to confirm whether an individual’s data is part of the breach, individuals who have applied for a Somali e-visa may be affected,” the embassy said. [caption id="attachment_106848" align="aligncenter" width="377"] Source: X[/caption]

No Claim of Responsibility So Far

As of Monday afternoon, no threat group has formally claimed responsibility for either the Kenya or Somalia cyber incidents. Investigators are assessing whether the timing suggests any form of coordination or shared exploitation methods. For now, authorities emphasize that sensitive financial information, core government systems, and essential services in Kenya were not impacted. The cyberattack on Government of Kenya appears to have been limited to public-facing platforms.

This is why AIs are not ready to be personal assistants:

A new attack called ‘CometJacking’ exploits URL parameters to pass to Perplexity’s Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar.

In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users.

[…]

CometJacking is a prompt-injection attack where the query string processed by the Comet AI browser contains malicious instructions added using the ‘collection’ parameter of the URL.

LayerX researchers say that the prompt tells the agent to consult its memory and connected services instead of searching the web. As the AI tool is connected to various services, an attacker leveraging the CometJacking method could exfiltrate available data.

In their tests, the connected services and accessible data include Google Calendar invites and Gmail messages and the malicious prompt included instructions to encode the sensitive data in base64 and then exfiltrate them to an external endpoint.

According to the researchers, Comet followed the instructions and delivered the information to an external system controlled by the attacker, evading Perplexity’s checks.

I wrote previously:

Prompt injection isn’t just a minor security problem we need to deal with. It’s a fundamental property of current LLM technology. The systems have no ability to separate trusted commands from untrusted data, and there are an infinite number of prompt injection attacks with no way to block them as a class. We need some new fundamental science of LLMs before we can solve this.

As Japan enters its busiest beer-drinking period, the nation’s biggest brewer, Asahi Group Holdings Ltd., continues to face the brunt of the Asahi cyberattack that has crippled its operations for more than a month. The Asahi cyberattack, identified as a ransomware incident, has severely disrupted the company’s internal systems that manage online orders and shipments, forcing the brewer to fall back on manual processes and slow production to a near standstill.  According to company representatives, Asahi’s shipments have dropped to just 10 percent of normal levels as the firm processes orders in person, over the phone, and even by fax, a throwback to pre-digital business methods. The disruption comes at a critical time: December typically marks Asahi’s strongest sales period, with its signature Super Dry beer accounting for 12 percent of annual sales.  Industry analysts expect that the beer shipment data for October, due out on Thursday, will shed light on how much market share Asahi may have lost to competitors in the wake of the attack, as reported by China Daily. 

The Asahi Cyberattack Supply Struggles Hit Bars and Restaurants 

The impact of the Asahi cyberattack has been felt sharply across Tokyo’s bustling bar scene. In Shimbashi, Kohei Matsuo, owner of Bier Reise ’98, said that 80 percent of his beer sales once came from Asahi’s Maruefu brand. Within a week of the attack, he was out of stock and had to pivot to other domestic and imported beers.  “If supply doesn’t recover and I have to suspend the all-you-can-drink plan, it’s likely to hurt year-end party attendance,” Matsuo said.  Meanwhile, in Ueno, Hiroyuki Iida, manager of Izakaya Ueno Ichiba Honten, said his restaurant briefly switched to products from Sapporo Holdings Ltd. and Suntory Holdings Ltd. before receiving limited shipments of Super Dry. However, other Asahi items, including Maruefu and its non-alcoholic beers, remain unavailable.  “Wholesalers may be prioritizing larger volume accounts,” Iida noted, adding that the damage has been somewhat milder than initially feared. 

Rivals Step In 

Competitors have been quick to seize the opportunity. Kirin Holdings Co., Suntory, and Sapporo have been replacing Asahi-branded taps, glassware, and other bar equipment through wholesalers — moves that could make it harder for Asahi to reclaim its presence once supply stabilizes. Analyst Euan Mcleish of Sanford C. Bernstein Japan believes Sapporo stands to gain the most, thanks to its full-malt beer lineup.  Following the October 6 attack, Asahi even lost its No. 1 position in Japan’s retail beer market to Kirin, driven by a surge in sales of Kirin’s Ichiban Shibori brand, according to Nikkei point-of-sale data.  Kirin has adjusted its shipments to ensure a stable supply as demand grows, while Suntory confirmed receiving numerous distributor inquiries and is scaling production. Sapporo also reported ramping up shipments to meet stronger-than-expected demand. 

Retail Market Offers Mixed Picture 

Despite the widespread disruption, retail stores show a more varied situation. Some OK Corp outlets in central Tokyo continue to stock Super Dry and Maruefu, though shelves for other Asahi products are emptying fast. Major convenience store chains such as Seven & i Holdings Co., FamilyMart Co., and Lawson Inc. still have a steady supply of Super Dry, though shortages of soft drinks and energy beverages from Monster Beverage Corp., which Asahi distributes, are becoming noticeable.  Online retailers show a similar pattern: Amazon Japan lists a 24-pack of Super Dry for ¥5,040, while Aeon Co. offers a 10-can gift set for ¥2,380, with delivery scheduled between December 1 and January 10. In contrast, department stores such as Isetan Mitsukoshi Holdings Ltd. and Takashimaya Co. list many Asahi beer gifts as sold out, a setback for Japan’s year-end gifting tradition, when premium food and beverages are exchanged to express gratitude. 

Financial Fallout and Future Risks 

The Asahi cyberattack highlights how even major corporations can falter when outdated systems meet modern threats. Analyst Euan Mcleish predicts a ¥15 billion fourth-quarter loss and a 13 percent profit shortfall, while experts like Professor Tetsutaro Uehara point to Asahi’s fragmented legacy systems as a key weakness exploited during the cyberattack on Asahi.   To prevent similar crises, organizations must embrace AI-native cybersecurity built for today’s threat landscape. Platforms like Cyble, recognized by Gartner and Forrester, autonomously predict, hunt, and neutralize attacks before they strike. Businesses can book a free demo or start a complimentary external threat assessment with Cyble to uncover vulnerabilities and experience how AI that hunts, thinks, and protects keeps them a step ahead of the next cyber threat. 

The University of Pennsylvania has confirmed that a hacker stole sensitive university data during a recent cyberattack. The breach, first detected on October 31, 2025, resulted in unauthorized access to systems connected to the university’s development and alumni activities.  Initially, the University of Pennsylvania dismissed reports of a hack as “fraudulent.” However, officials later acknowledged that data was indeed taken. In a statement released to alumni and shared publicly, the university explained that staff “rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.” 

The University of Pennsylvania Breach and Attack Details

The attackers gained access through a social engineering technique, a method that deceives individuals into revealing their credentials. Once inside, the hackers sent a mass email from official university addresses. The email read: “We got hacked. We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.”  According to reports, the hackers compromised a PennKey single sign-on account, which allowed them access to multiple internal systems, including the university’s VPN, Salesforce databases, SAP systems, and SharePoint files. This access reportedly lasted for nearly two days, from October 30 to October 31, before being detected and contained.  An internal source revealed that the university requires multi-factor authentication (MFA) for students, staff, and alumni accounts as a security measure. However, some senior officials were allegedly granted exemptions from the MFA requirement.  When asked about the MFA exemptions or adoption rates, a university spokesperson declined to comment beyond the official data incident page. 

Scope of the Data Theft

While the full scope of the data breach remains unclear, reports suggest that as many as 1.2 million records may have been compromised. The stolen data reportedly includes names, contact details, donation records, estimated net worth, and demographic information such as race, religion, and sexual orientation. The hacker also claimed to have accessed documents related to donor activities and bank transaction receipts.  Although the university is still assessing the damage, officials confirmed that medical systems operated by Penn Medicine were not affected. As required by law, the university will contact individuals whose personal data was compromised, though no timeline has been announced. 

Investigation and Legal Fallout

The University of Pennsylvania has reported the incident to the Federal Bureau of Investigation (FBI) and enlisted third-party cybersecurity experts to assist in the investigation. Despite these actions, the university is already facing potential legal consequences. At least one class-action lawsuit has been filed by former students, accusing the university of negligence in protecting personal data.  The hackers’ motivations appear mixed. In the initial message to the university community, the attackers criticized legacy admissions and affirmative action policies, stating, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” However, further statements from the group indicate their primary motive was financial, aiming to profit from the stolen data rather than make a political statement. 

Marks And Spencer Group Plc (M&S) has reported a dramatic decline in its first-half profit, largely from the financial impact arising from a recent cyberattack. The company, disclosed their half-year results on Wednesday, revealing how the one-off costs from the cyber incident sharply affected their earnings performance.  According to the retail group, profit before tax plunged 99.1 percent to £3.4 million for the 26 weeks ending in the first half of the financial year, compared to £391.9 million during the same period last year. Attributable profit after tax also dropped 97.8 percent to £6.2 million, down from £282.1 million a year ago. Basic earnings per share followed a similar trend, falling 97.9 percent to 0.3 pence from 14.0 pence.  M&S stated that the severe profit decline was driven by adjusting items amounting to £167.8 million, of which £101.6 million was directly linked to the cyberattack that took place during the first few weeks of the financial year. In comparison, the company recorded just £15.9 million in adjusting items last year. These one-time charges dented the retailer’s bottom line. 

Marks And Spencer's Sales Growth Resilient Despite Operational Disruptions 

Despite the disruption, M&S maintained its resilience in sales performance. Group revenue surged 22.5 percent to £7.942 billion from £6.481 billion a year earlier. Group sales also climbed 22.1 percent to £7.965 billion, reflecting strong consumer demand across several categories.  In terms of business segments, Food sales saw a notable rise of 7.8 percent year-on-year, reaching £4.532 billion. However, the Fashion, Home & Beauty segment recorded a 16.4 percent decline, with sales falling to £1.70 billion. M&S attributed this decrease to a temporary suspension of online operations following the cyberattack, which occurred between late April and early June. The company noted that online services gradually recovered over the summer months.  International sales were also down, falling 11.6 percent to £255.8 million. Meanwhile, adjusted profit before tax came in at £184.1 million, down from £413.1 million last year. Adjusted basic earnings per share dropped to 6.6 pence from 14.7 pence. The retailer explained that profits in both its Food and Fashion, Home & Beauty divisions were affected by the trading disruption caused by the cyberattack, though this was partially offset by insurance income. 

Outlook Remains Cautiously Optimistic 

Marks And Spencer expects second-half profits to remain at least in line with last year’s performance. The company noted that the residual impact of the cyber incident is gradually easing and should continue to diminish in the coming months. Nonetheless, M&S acknowledged that the consumer environment remains “as uncertain as ever” heading into the second half of the financial year.  In a sign of confidence, M&S declared an interim dividend of 1.2 pence per share—an increase of 20 percent from last year’s 1 pence. The dividend will be payable on January 9, 2026, to shareholders on record as of November 28, 2025.  Despite the temporary setback from the cyberattack, Marks And Spencer remains optimistic about recovery. The company expressed confidence that it will be “back on track” by the end of the financial year, with operational stability expected to return as it moves past the aftermath of the incident. 

FCC Chair Brendan Carr said the agency will look to eliminate a declaratory ruling made by his predecessor that aimed to give the government more power to force carriers to strengthen the security of their networks in the wake of the widespread hacks by China nation-state threat group Salt Typhoon last year.

The post FCC Chair Carr Looks to Eliminate Telecom Cybersecurity Ruling appeared first on Security Boulevard.

WazirX, one of India’s popular cryptocurrency exchanges, is set to restart its operations on October 24, nearly 15 months after a cyberattack forced the platform to halt all activities. The decision to resume trading follows the approval of WazirX’s restructuring plan by Singapore’s High Court. In July 2024, WazirX experienced a devastating cyberattack that resulted in the loss of approximately 45% of its crypto assets, valued at $234 million. This breach compelled the platform to suspend its operations indefinitely, leaving its user base without access to trading or withdrawals during a period when the cryptocurrency market witnessed substantial growth. Token prices surged across the board, increasing the stakes for users awaiting the platform’s reopening.

Court Approval and Restructuring Scheme 

Earlier this year, WazirX proposed a restructuring scheme aimed at recovering and redistributing tokens covering nearly 85% of creditors’ balances. This plan requires majority approval from its user base. Following a re-vote in August, a striking 95.7% of voting creditors, accounting for 94.6% by value, endorsed the revised scheme.  The High Court of Singapore officially sanctioned the restructuring plan in mid-October, paving the way for the exchange’s return to the market. This court’s approval was a critical step for WazirX, as it legitimizes the company’s approach to restoring user funds and relaunching services. 

WazirX Relaunch Strategy and User Benefits 

WazirX’s comeback will begin with selecting crypto-to-crypto trading pairs, along with the USD/INR pair, with plans to expand market offerings gradually. To incentivize users during this relaunch phase, WazirX is introducing a "Restart Offer," which waives trading fees across all pairs for users.  While the exchange token rebalancing page is currently live, enabling users to view their adjusted holdings, WazirX is still finalizing features related to withdrawals and trading. In preparation for the relaunch, the platform completed a series of technical updates, including token swaps, mergers, delisting, migration, and any necessary rebranding.  To upgrade security and transparency moving forward, WazirX has partnered with BitGo, a well-known digital asset trust company, to safeguard users’ funds more effectively. 

Reaffirming Commitment 

Nischal Shetty, the founder of WazirX, addressed the community on the occasion of the relaunch. Expressing gratitude for the users’ patience during the difficult period, Shetty highlighted the company’s dedication to making cryptocurrency accessible to every Indian.  “This isn’t just a return to operations; it’s a reinforcement of our integrity, which we’ve always strived for,” Shetty remarked. His message underscored the exchange’s determination not only to resume trading but to emerge stronger and more reliable in the crypto landscape.  The resumption of WazirX’s operations marks a notable recovery from one of the most challenging periods the exchange has faced. The cyberattack in mid-2024 had a profound impact on both the company and its users, but the successful court-approved restructuring and partnership with BitGo suggest a more secure and transparent future. 

A cyberattack on hospitals in North Central Massachusetts has caused major operational disruptions at Heywood Hospital in Gardner and Athol Hospital, a smaller critical access facility in Athol. Both hospitals are operated by Heywood Healthcare, a non-profit organization serving the region.  The incident, which was first detected last week, led to an immediate network shutdown as part of emergency response protocols to contain the breach and protect patient data and hospital systems. Following detection, a “Code Black” was declared, a designation used in healthcare settings to indicate a critical system outage, and emergency departments were closed to ambulance arrivals. Ambulances had to be rerouted to other regional hospitals due to system inaccessibility. 

Decoding the Athol and Heywood Hospital Cyberattack

The hospital cyberattack disrupted vital services, including Internet access, email communication, and phone lines. Radiology and laboratory operations were also affected. While communication systems have since been partially restored, hospital officials confirmed on October 16, 2025, that the outage was due to a cybersecurity incident. A third-party cybersecurity firm has been brought in to investigate the breach and support recovery efforts.  Despite the disruption, both Heywood Hospital and Athol Hospital have remained open for patient care, including outpatient services provided by Heywood Medical Group. Officials stressed that patient safety remains the top priority, and that care delivery continues, though some services are operating at reduced capacity.  As a temporary workaround, the Athena patient portal has been made accessible to facilitate communication between patients and providers. Patients unable to access the portal are advised to use the hospital’s answering service. 

Why is the Healthcare Sector a Prime Target for Cybercriminals?

Healthcare facilities are prime targets for cybercriminals, particularly ransomware groups. According to a recent study conducted by the Ponemon Institute, 93% of healthcare organizations surveyed experienced a cybersecurity incident in the past year. Alarmingly, 72% of those incidents led to patient care disruptions, highlighting the direct impact such breaches have on healthcare delivery.  The same study pointed to consequences such as appointment cancellations, delayed intakes, extended hospital stays, worsened patient outcomes, and even increased mortality rates following cyberattacks. These findings emphasize the potentially life-threatening implications of cybersecurity lapses in healthcare environments. 

Investigation Ongoing, No Timeline for Full Recovery 

Heywood Hospital and Athol Hospital continue to work with cybersecurity professionals to investigate the breach and restore normal operations. While communication tools and some functions are back online, full system functionality has yet to be reestablished, and no specific timeline has been shared publicly.  The hospitals have not confirmed whether ransomware was involved, nor have they reported any evidence of stolen or exposed patient data. Heywood Healthcare has assured the public that it will continue to monitor the situation and provide updates as more information becomes available. 

AI agents are now hacking computers. They’re getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale. This is going to change everything.

Over the summer, hackers proved the concept, industry institutionalized it, and criminals operationalized it. In June, AI company XBOW took the top spot on HackerOne’s US leaderboard after submitting over 1,000 new vulnerabilities in just a few months. In August, the seven teams competing in DARPA’s AI Cyber Challenge collectively found 54 new vulnerabilities in a target system, in four hours (of compute). Also in August, Google announced that its Big Sleep AI found dozens of new vulnerabilities in open-source projects.

It gets worse. In July Ukraine’s CERT discovered a piece of Russian malware that used an LLM to automate the cyberattack process, generating both system reconnaissance and data theft commands in real-time. In August, Anthropic reported that they disrupted a threat actor that used Claude, Anthropic’s AI model, to automate the entire cyberattack process. It was an impressive use of the AI, which performed network reconnaissance, penetrated networks, and harvested victims’ credentials. The AI was able to figure out which data to steal, how much money to extort out of the victims, and how to best write extortion emails.

Another hacker used Claude to create and market his own ransomware, complete with “advanced evasion capabilities, encryption, and anti-recovery mechanisms.” And in September, Checkpoint reported on hackers using HexStrike-AI to create autonomous agents that can scan, exploit, and persist inside target networks. Also in September, a research team showed how they can quickly and easily reproduce hundreds of vulnerabilities from public information. These tools are increasingly free for anyone to use. Villager, a recently released AI pentesting tool from Chinese company Cyberspike, uses the Deepseek model to completely automate attack chains.

This is all well beyond AIs capabilities in 2016, at DARPA’s Cyber Grand Challenge. The annual Chinese AI hacking challenge, Robot Hacking Games, might be on this level, but little is known outside of China.

Tipping point on the horizon

AI agents now rival and sometimes surpass even elite human hackers in sophistication. They automate operations at machine speed and global scale. The scope of their capabilities allows these AI agents to completely automate a criminal’s command to maximize profit, or structure advanced attacks to a government’s precise specifications, such as to avoid detection.

In this future, attack capabilities could accelerate beyond our individual and collective capability to handle. We have long taken it for granted that we have time to patch systems after vulnerabilities become known, or that withholding vulnerability details prevents attackers from exploiting them. This is no longer the case.

The cyberattack/cyberdefense balance has long skewed towards the attackers; these developments threaten to tip the scales completely. We’re potentially looking at a singularity event for cyber attackers. Key parts of the attack chain are becoming automated and integrated: persistence, obfuscation, command-and-control, and endpoint evasion. Vulnerability research could potentially be carried out during operations instead of months in advance.

The most skilled will likely retain an edge for now. But AI agents don’t have to be better at a human task in order to be useful. They just have to excel in one of four dimensions: speed, scale, scope, or sophistication. But there is every indication that they will eventually excel at all four. By reducing the skill, cost, and time required to find and exploit flaws, AI can turn rare expertise into commodity capabilities and gives average criminals an outsized advantage.

The AI-assisted evolution of cyberdefense

AI technologies can benefit defenders as well. We don’t know how the different technologies of cyber-offense and cyber-defense will be amenable to AI enhancement, but we can extrapolate a possible series of overlapping developments.

Phase One: The Transformation of the Vulnerability Researcher. AI-based hacking benefits defenders as well as attackers. In this scenario, AI empowers defenders to do more. It simplifies capabilities, providing far more people the ability to perform previously complex tasks, and empowers researchers previously busy with these tasks to accelerate or move beyond them, freeing time to work on problems that require human creativity. History suggests a pattern. Reverse engineering was a laborious manual process until tools such as IDA Pro made the capability available to many. AI vulnerability discovery could follow a similar trajectory, evolving through scriptable interfaces, automated workflows, and automated research before reaching broad accessibility.

Phase Two: The Emergence of VulnOps. Between research breakthroughs and enterprise adoption, a new discipline might emerge: VulnOps. Large research teams are already building operational pipelines around their tooling. Their evolution could mirror how DevOps professionalized software delivery. In this scenario, specialized research tools become developer products. These products may emerge as a SaaS platform, or some internal operational framework, or something entirely different. Think of it as AI-assisted vulnerability research available to everyone, at scale, repeatable, and integrated into enterprise operations.

Phase Three: The Disruption of the Enterprise Software Model. If enterprises adopt AI-powered security the way they adopted continuous integration/continuous delivery (CI/CD), several paths open up. AI vulnerability discovery could become a built-in stage in delivery pipelines. We can envision a world where AI vulnerability discovery becomes an integral part of the software development process, where vulnerabilities are automatically patched even before reaching production—a shift we might call continuous discovery/continuous repair (CD/CR). Third-party risk management (TPRM) offers a natural adoption route, lower-risk vendor testing, integration into procurement and certification gates, and a proving ground before wider rollout.

Phase Four: The Self-Healing Network. If organizations can independently discover and patch vulnerabilities in running software, they will not have to wait for vendors to issue fixes. Building in-house research teams is costly, but AI agents could perform such discovery and generate patches for many kinds of code, including third-party and vendor products. Organizations may develop independent capabilities that create and deploy third-party patches on vendor timelines, extending the current trend of independent open-source patching. This would increase security, but having customers patch software without vendor approval raises questions about patch correctness, compatibility, liability, right-to-repair, and long-term vendor relationships.

These are all speculations. Maybe AI-enhanced cyberattacks won’t evolve the ways we fear. Maybe AI-enhanced cyberdefense will give us capabilities we can’t yet anticipate. What will surprise us most might not be the paths we can see, but the ones we can’t imagine yet.

This essay was written with Heather Adkins and Gadi Evron, and originally appeared in CSO.

His conclusion:

Context wins

Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying patches or mitigations the fastest.

And if you’re on the inside you know what the applications do. You know what’s important and what isn’t. And you can use all that internal knowledge to fix things­—hopefully before the baddies take advantage.

Summary and prediction

1. Attackers will have the advantage for 3-5 years. For less-advanced defender teams, this will take much longer.
2. After that point, AI/SPQA will have the additional internal context to give Defenders the advantage.

LLM tech is nowhere near ready to handle the context of an entire company right now. That’s why this will take 3-5 years for true AI-enabled Blue to become a thing.

And in the meantime, Red will be able to use publicly-available context from OSINT, Recon, etc. to power their attacks.

I agree.

By the way, this is the SPQA architecture.

This is a weird story:

The US Secret Service disrupted a network of telecommunications devices that could have shut down cellular systems as leaders gather for the United Nations General Assembly in New York City.

The agency said on Tuesday that last month it found more than 300 SIM servers and 100,000 SIM cards that could have been used for telecom attacks within the area encompassing parts of New York, New Jersey and Connecticut.

“This network had the power to disable cell phone towers and essentially shut down the cellular network in New York City,” said special agent in charge Matt McCool.

The devices were discovered within 35 miles (56km) of the UN, where leaders are meeting this week.

McCool said the “well-organised and well-funded” scheme involved “nation-state threat actors and individuals that are known to federal law enforcement.”

The unidentified nation-state actors were sending encrypted messages to organised crime groups, cartels and terrorist organisations, he added.

The equipment was capable of texting the entire population of the US within 12 minutes, officials say. It could also have disabled mobile phone towers and launched distributed denial of service attacks that might have blocked emergency dispatch communications.

The devices were seized from SIM farms at abandoned apartment buildings across more than five sites. Officials did not specify the locations.

Wait; seriously? “Special agent in charge Matt McCool”? If I wanted to pick a fake-sounding name, I couldn’t do better than that.

Wired has some more information and a lot more speculation:

The phenomenon of SIM farms, even at the scale found in this instance around New York, is far from new. Cybercriminals have long used the massive collections of centrally operated SIM cards for everything from spam to swatting to fake account creation and fraudulent engagement with social media or advertising campaigns.

[…]

SIM farms allow “bulk messaging at a speed and volume that would be impossible for an individual user,” one telecoms industry source, who asked not to be named due to the sensitivity of the Secret Service’s investigation, told WIRED. “The technology behind these farms makes them highly flexible—SIMs can be rotated to bypass detection systems, traffic can be geographically masked, and accounts can be made to look like they’re coming from genuine users.”

This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents“.:

Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and data-oriented threats (e.g., data exfiltration), time-of-check to time-of-use (TOCTOU) remain largely unexplored in this context. TOCTOU arises when an agent validates external state (e.g., a file or API response) that is later modified before use, enabling practical attacks such as malicious configuration swaps or payload injection. In this work, we present the first study of TOCTOU vulnerabilities in LLM-enabled agents. We introduce TOCTOU-Bench, a benchmark with 66 realistic user tasks designed to evaluate this class of vulnerabilities. As countermeasures, we adapt detection and mitigation techniques from systems security to this setting and propose prompt rewriting, state integrity monitoring, and tool-fusing. Our study highlights challenges unique to agentic workflows, where we achieve up to 25% detection accuracy using automated detection methods, a 3% decrease in vulnerable plan generation, and a 95% reduction in the attack window. When combining all three approaches, we reduce the TOCTOU vulnerabilities from an executed trajectory from 12% to 8%. Our findings open a new research direction at the intersection of AI safety and systems security.

Interesting analysis:

When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.

When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. Victims often do not trust these notifications, as cyber criminals often use the pretext of an account compromise as a phishing lure.

[…]

This report explores the challenges associated with developing the native-notification concept and lays out a roadmap for overcoming them. It also examines other opportunities for more narrow changes that could both increase the likelihood that victims will both receive and trust notifications and be able to access support resources.

The report concludes with three main recommendations for cloud service providers (CSPs) and other stakeholders:

1. Improve existing notification processes and develop best practices for industry.
2. Support the development of “middleware” necessary to share notifications with victims privately, securely, and across multiple platforms including through native notifications.
3. Improve support for victims following notification.

While further work remains to be done to develop and evaluate the CSRB’s proposed native notification capability, much progress can be made by implementing better notification and support practices by cloud service providers and other stakeholders in the near term.

Really good research on practical attacks against LLM agents.

“Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous”

Abstract: The growing integration of LLMs into applications has introduced new security risks, notably known as Promptware­—maliciously engineered prompts designed to manipulate LLMs to compromise the CIA triad of these applications. While prior research warned about a potential shift in the threat landscape for LLM-powered applications, the risk posed by Promptware is frequently perceived as low. In this paper, we investigate the risk Promptware poses to users of Gemini-powered assistants (web application, mobile application, and Google Assistant). We propose a novel Threat Analysis and Risk Assessment (TARA) framework to assess Promptware risks for end users. Our analysis focuses on a new variant of Promptware called Targeted Promptware Attacks, which leverage indirect prompt injection via common user interactions such as emails, calendar invitations, and shared documents. We demonstrate 14 attack scenarios applied against Gemini-powered assistants across five identified threat classes: Short-term Context Poisoning, Permanent Memory Poisoning, Tool Misuse, Automatic Agent Invocation, and Automatic App Invocation. These attacks highlight both digital and physical consequences, including spamming, phishing, disinformation campaigns, data exfiltration, unapproved user video streaming, and control of home automation devices. We reveal Promptware’s potential for on-device lateral movement, escaping the boundaries of the LLM-powered application, to trigger malicious actions using a device’s applications. Our TARA reveals that 73% of the analyzed threats pose High-Critical risk to end users. We discuss mitigations and reassess the risk (in response to deployed mitigations) and show that the risk could be reduced significantly to Very Low-Medium. We disclosed our findings to Google, which deployed dedicated mitigations.

Defcon talk. News articles on the research.

Prompt injection isn’t just a minor security problem we need to deal with. It’s a fundamental property of current LLM technology. The systems have no ability to separate trusted commands from untrusted data, and there are an infinite number of prompt injection attacks with no way to block them as a class. We need some new fundamental science of LLMs before we can solve this.

Nice indirect prompt injection attack:

Bargury’s attack starts with a poisoned document, which is shared to a potential victim’s Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) It looks like an official document on company meeting policies. But inside the document, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT. The prompt is written in white text in a size-one font, something that a human is unlikely to see but a machine will still read.

In a proof of concept video of the attack, Bargury shows the victim asking ChatGPT to “summarize my last meeting with Sam,” referencing a set of notes with OpenAI CEO Sam Altman. (The examples in the attack are fictitious.) Instead, the hidden prompt tells the LLM that there was a “mistake” and the document doesn’t actually need to be summarized. The prompt says the person is actually a “developer racing against a deadline” and they need the AI to search Google Drive for API keys and attach them to the end of a URL that is provided in the prompt.

That URL is actually a command in the Markdown language to connect to an external server and pull in the image that is stored there. But as per the prompt’s instructions, the URL now also contains the API keys the AI has found in the Google Drive account.

This kind of thing should make everybody stop and really think before deploying any AI agents. We simply don’t know to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment—and by this I mean that it may encounter untrusted training data or input—is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.