The Top Red Teamer in the US Is an AI Bot

Article Link: https://www.csoonline.com/article/4012801/the-top-red-teamer-in-the-us-is-an-ai-bot.html

• AI chatbot “Xbow” has outperformed human red teamers to claim the top spot on HackerOne’s ethical hacking leaderboard. Over the last 90 days, the fully autonomous system discovered and submitted more than 1,000 vulnerabilities, including remote code execution and SQL injection flaws.
• Xbow simulates the behavior of a skilled penetration tester, completing exhaustive assessments in hours. The tool scored highest among 100 active researchers on HackerOne and was credited with exposing a novel flaw in Palo Alto’s GlobalProtect VPN, affecting over 2,000 hosts.
• Of the vulnerabilities Xbow submitted, 54 were rated as severe, with 45% still unresolved, demonstrating both the scale of the findings and the difficulty companies face in timely remediation.
• Security teams are now grappling with how to respond to increasingly scalable automated attack methods. To match the speed and scope of machine-driven discovery, defenses must evolve to operate with comparable speed across threat detection, validation, and response layers.

FDA Expands Premarket Medical Device Cyber Guidance

Article Link: https://www.govinfosecurity.com/fda-expands-premarket-medical-device-cyber-guidance-a-28850

• The FDA has published finalized guidance for medical device submissions, clarifying what security documentation is expected for devices seeking market authorization.
• The draft calls for detailed software bills of materials (SBOMs), attack surface analysis, and secure development lifecycle evidence. Device makers must now account for legacy systems, supply chain risk, and third-party components during evaluation.
• This updated guidance from September 2023 follows incidents where approved devices and the hospital networks they operate in were rendered inoperable, disrupting critical patient care across the U.S. and globally. With expanded authority conferred over medical device cybersecurity, the FDA seeks to raise the standard for security assurance before devices reach hospitals or consumers.
• Developers are urged to integrate risk assessments early in the product lifecycle and document mitigations for known vulnerabilities. Clear maintenance planning and patch management protocols must also be part of submissions to address long-term risk.
• FDA medical device guidance: https://www.fda.gov/media/119933/download

Malicious AI Models Are Behind a New Wave of Cybercrime

Article Link: https://hackread.com/malicious-ai-models-wave-of-cybercrime-cisco-talos/

• Cisco Talos researchers report a sharp rise in AI-powered malware and phishing campaigns, with threat actors now training their own large language models for malicious use.
• The models assist attackers in crafting evasive code, generating convincing phishing content, and conducting reconnaissance at scale and tailored to specific industries or targets.
• Talos observed attackers employing three primary methods of LLM abuse: uncensored LLMs, models lacking safety constraints; custom-built criminal LLMs, models built by the cybercriminals themselves; and jailbroken legitimate LLMs, models designed to ignore safety protocols through prompt injection.
• Defensive strategies must now account for dynamic content generation and increased automation in attack chains. Security controls should prioritize behavior-based detection and isolate anomalous activity even when traditional indicators are absent.

Google’s Emissions Up 51% As AI Electricity Demand Derails Efforts to Go Green

Article Link: https://theguardian.com/technology/2025/jun/27/google-emissions-ai-electricity-demand-derail-efforts-green

• Google revealed in its 2024 Environmental Report that its greenhouse gas emissions have surged by 51% since 2019, largely due to AI-driven energy demands. Data center growth tied to artificial intelligence workloads has outpaced the company’s previous decarbonization forecasts.
• While cloud computing and AI expansion have fueled product development, they’ve also triggered a spike in electricity usage globally. Google’s electricity consumption alone rose 27% year over year.
• The company’s latest estimates suggest it may not reach its 2030 net-zero targets, citing the difficulty of aligning rapid compute growth with clean energy procurement. Google reports slow progress on the creation of Small Modular Reactors (SMRs), purported to decarbonize datacenters.
• These findings may serve as a cautionary tale for organizations investing heavily in AI infrastructure. Strategic sourcing of renewable energy is now a pressing concern for sustainability-focused IT leaders.

Hunters Ransomware Group Shuts Doors, Blames Changing Times

Article Link: https://www.theregister.com/2025/07/03/hunters_international_shutdown/

• Hunters International ransomware group, a rebrand of the defunct Hive gang, announced it is ceasing operations and offering decryption keys to its victims. In a farewell message posted to its dark web leak site, the group claimed the decision was due to “changes happening in the world right now.”
• Analysts suspect declining ransom payments and mounting law enforcement pressure led to the closure. The group had been linked to dozens of attacks, including several on healthcare entities.
• Hunters inherited much of Hive’s infrastructure after the latter was dismantled by the FBI in 2023. Researchers at Group-IB believe they are simply rebranding as World Leaks, a group operating on an “extortion-only model”, wherein attackers hold company data to ransom without encrypting files.
• Although one group’s departure may reduce short-term risk, the ransomware-as-a-service ecosystem remains fluid. Organizations are advised to maintain strong backup strategies, isolate critical systems, and review recovery procedures regularly.

New FileFix Method Emerges as Threat Actor Tactic to Bypass Windows Protections

Article Link: https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html?m=1

• A researcher known as mrd0x introduced a new technique dubbed “FileFix”, a variation of the prevalent ClickFix attacks, which leverages Windows File Explorer’s address bar to execute malicious PowerShell commands without requiring user access to the Run dialog or PowerShell directly.
• FileFix works by tricking users into pasting an executable script masquerading as a benign file path into File Explorer’s address bar. The manipulation bypasses traditional warnings or prompts typically accompanying command execution using comment symbols to visually conceal the payload.
• The article details a host of recent phishing campaigns coinciding with the rise of ClickFix, wherein content is delivered through phishing pages designed to imitate legitimate services, where users unknowingly copy malicious clipboard content while following trusted instructions.
• Displaying full file extensions and disabling clipboard scripting behaviors are recommended to reduce the success rate of such attacks. Awareness training should include guidance on the risks of pasting content into system-level interfaces like File Explorer’s address bar.

Criminals Posing as Insurance Companies to Steal Health Records

Article Link: https://theregister.com/2025/06/27/patients_providers_records_payment_scam/

• The FBI reports fraudsters have launched a wave of phishing attacks impersonating U.S. insurance companies in a scheme targeting both patients and healthcare providers. The activity seeks to exfiltrate sensitive health records and financial credentials using convincing email lures.
• Attackers are using real logos and spoofed email domains of trusted entities to impersonate providers, directing victims to credential-harvesting pages designed to mimic insurance portals. These lures trick recipients into surrendering login details, bank information, and EHR access credentials.
• This campaign has gained traction recently as it exploits ongoing confusion in the healthcare sector following recent cyber incidents. The targeting of both sides of the healthcare system, patients and providers, increases the risk of widespread data compromise.
• Security teams must warn users against clicking links in unsolicited messages and should inspect DNS records to detect spoofing attempts. Multifactor authentication, along with mail filtering rules, can help restrict the success of these impersonation campaigns.
• FBI public-service announcement: https://www.ic3.gov/PSA/2025/PSA250627

AT&T Deploys New Account Lock Feature to Counter SIM Swapping

Article Link: https://cyberscoop.com/att-wireless-account-lock-sim-swapping-protection/

• AT&T has launched a new “account lock” feature aimed at preventing unauthorized SIM swaps, a tactic commonly used to hijack phone numbers for account takeovers. The feature allows postpaid customers to lock their lines, blocking SIM transfers through retail stores or call centers.
• The control must be enabled manually via the myAT&T app or website and is designed to mitigate insider threats and social engineering attacks targeting carrier support staff. Account holders must disable the lock themselves before making legitimate line changes.
• SIM swapping remains a favored method for bypassing multi-factor authentication, with attacks leading to theft of digital assets, credential compromise, and identity fraud. Law enforcement and consumer advocates have pressured carriers to bolster protections.
• The article references a December 2024 article reporting on guidelines published by the Cybersecurity and Infrastructure Security Agency (CISA) for protecting mobile communications, including steps for preventing SIM swapping.
• CISA’s Mobile Communications Best Practice Guidance: https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf

Medical Device Company Surmodics Reports Cyberattack

Article Link: https://therecord.media/surmodics-medical-device-company-reports-cybersecurity-incident

• Minnesota-based medical device maker Surmodics disclosed a cyber incident that caused operational disruption and led to the shutdown of several internal systems.
• The attack, expected to be covered mostly by cyber insurance, temporarily affected portions of Surmodics’ IT infrastructure, including applications tied to product development and manufacturing.
• This event illustrates the criticality of security incidents in the medical device sector, where operational downtime can ripple into patient care and supply chain continuity. Surmodics has notified the U.S. Securities and Exchange Commission (SEC) and law enforcement as part of its response.
• Organizations supporting medical technology should continuously validate network segmentation and access controls across critical systems. Regularly tested incident response plans and immutable backups remain key to minimizing damage during disruptions.