The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
Article Link: https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/
- Unit 42 documented a technique where benign webpages generate phishing JavaScript at runtime through large language model APIs.
- Engineered text prompts bypass model safeguards, returning malicious code fragments that are assembled and executed within the browser.
- Every page visit produces a distinct phishing variant delivered from trusted domains, weakening network and file-based inspection.
- The report identifies in-browser runtime behavior analysis and limits on unsanctioned workplace LLM access as key defenses.
NIST, MITRE Announce $20 million Research Effort on AI Cybersecurity
Article Link: https://cyberscoop.com/nist-mitre-announce-20-million-dollar-research-effort-on-ai-cybersecurity/
- NIST announced a $20 million partnership with MITRE to launch two federal AI research centers.
- One center will study advanced manufacturing, while the second will examine how AI affects digital risk across essential services such as water, power, and communications.
- The initiative reflects growing concern that AI-driven threats may strain already stretched teams responsible for national services.
- Officials said the centers will focus on evaluation methods, applied research, and collaboration with industry partners to guide safer AI use.
Missing MFA Strikes Again: Hacker Hits Collaboration Tools
Article Link: https://www.databreachtoday.com/missing-mfa-strikes-again-hacker-hits-collaboration-tools-a-30452
- Researchers at Hudson Rock reported that dozens of organizations lost data from cloud-based collaboration platforms after accounts lacked multifactor authentication.
- An access broker known as Zestix used information-stealing malware to collect valid credentials, then logged in as legitimate users to extract terabytes of data.
- Exposed information included military police health records, transit schematics, legal files, medical data, and utility maps across multiple countries and sectors.
- Vendors reiterated the importance of multifactor authentication, regular maintenance, and built-in monitoring features to reduce credential-based access abuse.
Fortinet Firewalls Hit with Malicious Configuration Changes
Article Link: https://www.darkreading.com/cloud-security/fortinet-firewalls-malicious-configuration-changes
- Researchers from Arctic Wolf Labs observed threat actors accessing Fortinet FortiGate firewalls and stealing configuration files, including on devices believed to be fully updated.
- The activity involved single sign-on logins that allowed attackers to create accounts, grant VPN access, and export configurations, with behavior suggesting automated execution.
- Reports from multiple regions and user forums raised concern that earlier fixes for known flaws in FortiCloud SSO did not fully stop the activity.
- Fortinet confirmed the issue affects SAML-based SSO and said customers should restrict management access, reset credentials, and consider disabling FortiCloud SSO until new fixes are released.
New Veeam Vulnerabilities Expose Backup Servers to RCE Attacks
Article Link: https://www.bleepingcomputer.com/news/security/new-veeam-vulnerabilities-expose-backup-servers-to-rce-attacks/
- Veeam released updates for multiple flaws in its Backup & Replication software, including a remote code execution issue affecting version 13 builds.
- The primary flaw allows users with Backup or Tape Operator roles to run code as the database user by sending specially crafted parameters.
- Backup servers remain frequent targets because access can support data theft and disrupt restoration, a pattern linked to past ransomware activity.
- Veeam said customers can apply the January updates, safeguard privileged roles, and follow published security guidance to reduce exposure.
Minnesota Agency Notifies 304,000 of Vendor Breach
Article Link: https://www.govinfosecurity.com/minnesota-agency-notifies-304000-vendor-breach-a-30570
- Minnesota Department of Human Services said it is notifying about 304,000 people after inappropriate data access tied to a healthcare provider using a vendor-managed system.
- The activity involved the MnChoices platform, managed by FEI Systems, where a licensed provider accessed more records than required between late August and September 2025.
- Information involved demographic data for nearly all affected individuals, with a smaller group exposed to additional eligibility and benefit details.
- State officials removed access, reported the incident as a HIPAA breach, and said monitoring is underway to watch for improper use of the data.
Russian BlueDelta (Fancy Bear) Uses PDFs to Steal Logins in Just 2 Seconds
Article Link: https://hackread.com/russian-bluedelta-fancy-bear-pdfs-steal-login/
- Research from Recorded Future found that the Russian state-linked group BlueDelta used PDF documents to capture login credentials within seconds.
- Victims were shown legitimate-looking reports before pages quickly switched to counterfeit Google, Microsoft, or VPN login screens designed to collect usernames and passwords.
- The activity focused on professionals in energy, nuclear research, government, and academia across Europe and Türkiye between February and September 2025.
- Researchers advised verifying links, watching for sudden login prompts, and using multifactor authentication on professional accounts to limit credential misuse.
6 Cyber Insurance Gotchas Security Leaders Must Avoid
Article Link: https://www.csoonline.com/article/4110018/6-cyber-insurance-gotchas-security-leaders-must-avoid.html
- An industry review outlined six common insurance gaps that can leave organizations exposed after a digital incident despite having coverage in place.
- Analysts said narrow definitions, exclusions, retroactive date clauses, and misunderstood coverage types often limit payouts when claims are filed.
- The article noted that misunderstanding policy language or misaligning operational practices with contract terms can result in denied or reduced claims.
- Contributors recommended legal review of policies, scenario testing with brokers, and confirming both direct-loss and liability coverage before purchase.
Why Palo Alto Is Eyeing a $400M Buy of Endpoint Vendor Koi
Article Link: https://www.inforisktoday.com/blogs/palo-alto-eyeing-400m-buy-endpoint-vendor-koi-p-4018
- Palo Alto Networks is reportedly in talks to acquire endpoint startup Koi for about $400 million, signaling a shift back to smaller acquisitions.
- The potential deal follows several multi-billion-dollar purchases and would target Koi’s focus on securing extensions, code packages, containers, and AI models.
- The move suggests Palo Alto is looking to address gaps tied to newer, non-binary software types that traditional endpoint tools were not built to monitor.
- Analysts noted the acquisition could extend platform coverage but carries integration risk given the company’s recent string of large transactions.
Greek Police Arrest Scammers Using Fake Cell Tower Hidden in Car Trunk
Article Link: https://therecord.media/greek-police-arrest-scammers-using-hidden-cell-towers
- Hellenic Police arrested suspects accused of operating a fake mobile base station from a car to send scam messages across the Athens area.
- Officers found a mobile system in the trunk linked to a roof antenna that forced nearby phones onto a weaker network and delivered phishing texts posing as banks or couriers.
- Authorities tied the operation to fraud cases in multiple locations, with messages used to capture payment details and carry out unauthorized transactions.
- Investigators said the suspects were brought before a prosecutor as inquiries continue into the scope, equipment source, and related activity.
