Friday, July 11, 2025

Compliance Roundup - July 11, 2025

Top 5 Critical Compliance Alerts

  • Assume Enforcement Has Eased? The SEC's $1.8 Billion Hindsight Says Otherwise. — The SEC upheld record fines in April, proving mobile compliance is not a political issue but a permanent regulatory priority. Read more
  • Request for Comments: PCI Secure Software Standard v2.0 — Eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Secure Software Standard v2.0 during a 30-day request for comments (RFC) period, from 10 July to 11 August. Read more
  • Webinar summary: Latest antitrust enforcement tools and guidance on antitrust compliance programs – Tuesday 10 June 2025 — Authorities are stepping up antitrust enforcement, using AI and data scraping to detect infringements. The panel discussed managing cross-border investigations and effective compliance in 2025. Read more
  • Annual Compliance Conference summary: Supply chains – Navigating ESG and Trade-related Risks — The session examined the intensifying ESG and trade-related risks facing global supply chains, shaped by shifting political priorities and evolving regulatory frameworks. Read more
  • What Policymakers Must Prioritize in the Next Decade of Financial Regulation — Technological innovation and cross-border finance are pushing 20th-century regulatory frameworks to their breaking point. Read more

Compliance Frameworks

  • Request for Comments: PCI Secure Software Standard v2.0 — Eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Secure Software Standard v2.0 during a 30-day request for comments (RFC) period, from 10 July to 11 August. Read more

Regulatory Updates

  • Assume Enforcement Has Eased? The SEC's $1.8 Billion Hindsight Says Otherwise. — The SEC upheld record fines in April, proving mobile compliance is not a political issue but a permanent regulatory priority. Read more

Third-Party Risk & Due Diligence

  • Annual Compliance Conference summary: Supply chains – Navigating ESG and Trade-related Risks — The session examined the intensifying ESG and trade-related risks facing global supply chains, shaped by shifting political priorities and evolving regulatory frameworks. Read more

Privacy Insights Digest - July 11, 2025

Critical Privacy Alert

  • Eighth Circuit Vacates FTC Negative Option Rule — The Eighth Circuit vacated the FTC's revised Negative Option Rule, effective upon court mandate. Read more

Privacy Laws & Regulations (GDPR, CPRA, CCPA, AI Acts)

  • How to Build on Washington's "My Health, My Data" Act — EFF suggests ways for legislators and advocates to build on Washington's strong consumer data privacy law. Read more

Security Threat Summary - July 11, 2025

Top 2 Critical Security Alerts

  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads — A critical vulnerability (CVE-2025-6514, CVSS 9.6) in the mcp-remote project allows attackers to execute arbitrary OS commands. Read more
  • eSIM Bug in Millions of Phones Enables Spying, Takeover — A 6-year-old Oracle vulnerability affects eSIMs, potentially enabling physical and network attacks. Read more

Threat Intelligence

  • UK Arrests Four in 'Scattered Spider' Ransom Group — UK authorities arrested four individuals believed to be members of the Scattered Spider ransomware group, which targeted airlines and retailers. Read more
  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord — Cryptocurrency users are targeted by social engineering campaigns using fake AI and gaming companies to distribute malware. Read more
  • New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App — A new variant of the ZuRu macOS malware is targeting developers through trojanized versions of the Termius SSH client. Read more

Security Breaches & Incidents

  • Customer, Employee Data Exposed in Nippon Steel Breach — Customer and employee data from Nippon Steel's NS Solutions subsidiary was exposed in a breach. Read more
  • Ingram Micro Up and Running After Ransomware Attack — Ingram Micro recovered after a ransomware attack disrupted its website and order placement. Read more
  • Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods — UK authorities arrested four individuals in connection with cyberattacks targeting major retailers. Read more

Security Tools & Best Practices

  • Patch, track, repeat — Consistent tracking and patching remain critical in the evolving vulnerability landscape of 2025. Read more
  • SIM Swap Fraud Is Surging — and That's a Good Thing — The surge in SIM swap fraud highlights the need for more robust authentication systems. Read more

Emerging Security Technologies

  • Agentic AI's Risky MCP Backbone Opens Brand-New Attack Vectors — Vulnerabilities in the Model Context Protocol (MCP) ecosystem pose risks as organizations integrate AI models. Read more
  • What Security Leaders Need to Know About AI Governance for SaaS — Security leaders need to address AI governance as generative AI integrates into SaaS applications. Read more

Vulnerability Roundup

  • Asus and Adobe vulnerabilities — Cisco Talos disclosed vulnerabilities in Asus Armoury Crate and Adobe Acrobat products. Read more

Cloud & Network Security

  • ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs — A high-severity flaw in ServiceNow could lead to data exposure via misconfigured ACLs (CVE-2025-3648). Read more

Security Standards & Frameworks

  • AMD Warns of New Transient Scheduler Attacks Impacting a Wide Range of CPUs — AMD warns of Transient Scheduler Attacks (TSA), a new set of vulnerabilities affecting a broad range of CPUs. Read more

Thursday, July 10, 2025

🚨 Alert: New Breach Reported via HaveIBeenPwned on July 10, 2025

Catwatchful

Domain: catwatchful.com

Breach Date: 2025-06-09

Record Added: 7/3/2025, 11:04:01 PM

Modified Date: 7/3/2025, 11:04:01 PM

Total Records Exposed: 61,641

Description

In June 2025, spyware maker Catwatchful suffered a data breach that exposed over 60k customer records. The breach was due to a SQL injection vulnerability that enabled email addresses and plain text passwords to be extracted from the system.

Data Compromised

  • Email addresses
  • Passwords

Verified Breach: Yes
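The HIBP description above names the two design failures at once: a query built from user input, and passwords stored in plain text. The following is an added example, not Catwatchful's code, that reproduces both on an in-memory SQLite table of constructed sample accounts (no real breach data), then shows the two fixes: a parameterised query, and PBKDF2-hashed storage so that even a successful dump yields no plaintext. The table name, the `INJECTION` payload and the iteration count are illustrative choices.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; none of this is data from the real breach.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery"),
    ("carol@example.com", "Tr0ub4dor&3"),
]
INJECTION = "x' OR '1'='1"  # classic tautology: WHERE email = 'x' OR '1'='1'


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 in a self-describing string, so the work factor
    can be raised later without a schema change."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(store_plaintext):
    """In-memory users table. store_plaintext=True mirrors the reported
    flaw; False stores PBKDF2 hashes instead."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    rows = [(e, p if store_plaintext else hash_password(p)) for e, p in SAMPLE_USERS]
    db.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return db


def lookup_vulnerable(db, email):
    """String-built query: attacker text is parsed as SQL."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_fixed(db, email):
    """Parameterised query: the same text is bound as a value, never as SQL."""
    return db.execute("SELECT email, password FROM users WHERE email = ?",
                      (email,)).fetchall()


def demo():
    plain = build_db(store_plaintext=True)
    hashed = build_db(store_plaintext=False)
    return {
        # whole table, plaintext passwords included: the reported outcome
        "vulnerable_plaintext": lookup_vulnerable(plain, INJECTION),
        # same injection against hashed storage: rows leak, passwords do not
        "vulnerable_hashed": lookup_vulnerable(hashed, INJECTION),
        # parameterised: the payload is just an e-mail nobody has
        "fixed": lookup_fixed(plain, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Hashing is not a substitute for the parameterised query: the injected tautology still dumps every row of the hashed table, which is why both fixes belong together.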

[CVE] 1 change on Microsoft

New OpenCVE notification

This email has been sent from the Critical Vulnerabilities notification of the securityinsights/CVE project.

1 vulnerability has been updated on 2025-07-10 between 01:00 and 01:59.

Critical Vulnerabilities (1)

Arc before 1.26.1 on Windows has a bypass issue in the site settings that allows websites (with previously granted permissions) to add new permissions when the user clicks anywhere on the website.

Changes: first_time, cpes, vendors
Subscriptions: Microsoft

© 2025 OpenCVE, All rights reserved
Update your notifications to unsubscribe this notification

Compliance Roundup - July 10, 2025

Top 2 Critical Compliance Alerts

  • Annual Compliance Conference summary: Keynote Speaker Session with Baroness Margaret Hodge (Former Chair, Public Accounts Committee; Anti-Corruption Champion) — Baroness Hodge provided insights on the UK's challenges in tackling economic crime, tax avoidance, and illicit finance. Read more
  • Annual Compliance Conference summary: US and UK Enforcement in the Current Climate – Strategic Shifts and Global Implications — Discussion on the evolving enforcement landscape in the UK, US, and Latin America, focusing on strategic priorities and inter-agency cooperation. Read more

Anti-Corruption, Anti-bribery, Corruption, Europe, North America, UK, USA

  • Annual Compliance Conference summary: Keynote Speaker Session with Baroness Margaret Hodge (Former Chair, Public Accounts Committee; Anti-Corruption Champion) — Baroness Hodge provided insights on the UK's challenges in tackling economic crime, tax avoidance, and illicit finance. Read more
  • Annual Compliance Conference summary: US and UK Enforcement in the Current Climate – Strategic Shifts and Global Implications — Discussion on the evolving enforcement landscape in the UK, US, and Latin America, focusing on strategic priorities and inter-agency cooperation. Read more

Privacy Insights Digest - July 10, 2025

Top 4 Critical Privacy Alerts

  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets — ICE is using a health and car insurance claims database to track down individuals for deportation. Read more
  • Google Settles Privacy Class Action Over Period Tracking App — Google settled a class action alleging it surreptitiously collected sensitive health data from users of the Flo period tracking app. Read more
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges — A Tennessee resident was sentenced to 30 months in federal prison for cyberstalking fourteen victims. Read more
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children — The DOJ has sent subpoenas to doctors and clinics involved in performing transgender medical procedures on children. Read more

Privacy Laws & Regulations (GDPR, CPRA, CCPA, AI Acts)

  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets — ICE is using a health and car insurance claims database to track down individuals for deportation. Read more

Regulatory Fines & Enforcement Actions

  • Google Settles Privacy Class Action Over Period Tracking App — Google settled a class action alleging it surreptitiously collected sensitive health data from users of the Flo period tracking app. Read more
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges — A Tennessee resident was sentenced to 30 months in federal prison for cyberstalking fourteen victims. Read more

Security Threat Summary - July 10, 2025

Top 5 Critical Security Alerts

  • Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server — Microsoft addressed 130 vulnerabilities, including critical flaws in SPNEGO and SQL Server. Read more
  • New AI Malware PoC Reliably Evades Microsoft Defender — A new AI malware proof-of-concept uses targeted reinforcement learning to evade Microsoft Defender. Read more
  • Gold Melody IAB Exploits Exposed ASP.NET Machine Keys for Unauthorized Access to Targets — Gold Melody IAB exploits leaked ASP.NET machine keys to gain unauthorized access to organizations. Read more
  • An NVIDIA Container Bug & Chance to Harden Kubernetes — A container escape flaw in the NVIDIA Container Toolkit could allow access to AI datasets. Read more
  • Smashing Security podcast #425: Call of Duty: From pew-pew to pwned — "Call of Duty: WWII" is weaponized, allowing hackers to hijack PCs; scammers target the recently incarcerated. Read more
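The Gold Melody item above turns on one fact: ASP.NET's machineKey validationKey is the HMAC key over ViewState, so whoever holds it can mint state the server accepts (and, because the server deserialises that state, "accepts" means executes). The following is an added example, not from the article or from ASP.NET, that models the same property with a generic HMAC-signed state token: a tamperer without the key is rejected, a forger with the leaked key is indistinguishable from the server, and only rotating to a new key (with the leaked key kept off any grace list) closes the hole. Token format, field names and key sizes are illustrative.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sign_state(state, key):
    """Serialise the state and append an HMAC-SHA256 tag under `key`."""
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode()


def verify_state(token, key):
    """Return the decoded state if the tag verifies under `key`, else None."""
    try:
        body, tag_b64 = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # bad base64, bad JSON, missing separator
        return None


def verify_with_rotation(token, current_key, retired_keys=()):
    """Accept the current key plus a short grace list of retired keys so a
    rotation does not invalidate every live session at once. A key known
    to be leaked must never go on the grace list."""
    for k in (current_key, *retired_keys):
        state = verify_state(token, k)
        if state is not None:
            return state
    return None


def demo():
    server_key = secrets.token_bytes(32)
    legit = sign_state({"user": "alice", "role": "user"}, server_key)

    # 1. Tampering without the key: swap the body, keep the old tag.
    _, tag = legit.split(".", 1)
    altered_body = base64.urlsafe_b64encode(
        json.dumps({"user": "alice", "role": "admin"}, sort_keys=True).encode()).decode()
    tampered = altered_body + "." + tag

    # 2. The key leaks (checked-in config, copied sample key): the attacker
    #    mints a token the server cannot tell from its own.
    leaked_key = server_key
    forged = sign_state({"user": "attacker", "role": "admin"}, leaked_key)

    # 3. Rotation: new key in use, leaked key deliberately not in the grace list.
    new_key = secrets.token_bytes(32)
    return {
        "legit_ok": verify_state(legit, server_key) is not None,
        "tampered_rejected": verify_state(tampered, server_key) is None,
        "forged_accepted_before_rotation": verify_state(forged, server_key),
        "forged_rejected_after_rotation": verify_with_rotation(forged, new_key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the ASP.NET case is the same as here: patching the application does nothing while the old key remains valid, and a grace list that still contains the leaked key re-opens the forgery path.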

Threat Intelligence

  • AiLock ransomware: What you need to know — The AiLock ransomware gang threatens to report victims to regulators, email competitors, and leak data if they don't pay within five days. Read more
  • DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware — DoNot APT is targeting European foreign affairs ministries using LoptikMod malware to harvest sensitive data. Read more
  • North American APT Uses Exchange Zero-Day to Attack China — Researchers have identified a North American APT exploiting a Microsoft Exchange zero-day to attack a Chinese entity. Read more
  • U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme — The U.S. sanctioned a North Korean hacker from the Andariel group for involvement in a fraudulent IT worker scheme. Read more
  • Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks — A Chinese national was arrested in Italy for ties to the Silk Typhoon group and cyberattacks against U.S. organizations. Read more

Security Tools & Best Practices

  • Setting up Your Own Certificate Authority for Development: Why and How. — Setting up an internal certificate authority can support strong authentication and provide flexibility for developers. Read more
  • How To Automate Ticket Creation, Device Identification and Threat Triage With Tines — Tines library offers pre-built workflows for security automation, including a standout workflow for malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Read more
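The certificate-authority item above stops at "why"; the following added example (not the article's code) shows the "how" in the form a developer would script it, using the third-party `cryptography` package, assumed installed. It creates a self-signed root constrained to signing leaves only, issues a short-lived server certificate with SANs, and then performs the checks a TLS client makes: that the issuer really signed the leaf (a look-alike CA with the same name fails), that the leaf is in its validity window and is not itself a CA, and that the hostname is in the SAN. Names such as `Dev Root CA` and `dev.local` are illustrative.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def _builder(subject, issuer, pubkey, days):
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY))


def make_ca(common_name="Dev Root CA", days=3650):
    """Self-signed root: ca=True, path length 0 (signs leaves only), and key
    usage limited to certificate and CRL signing."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_builder(name, name, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=False, data_encipherment=False, key_agreement=False,
                key_cert_sign=True, crl_sign=True, encipher_only=False,
                decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_server_cert(ca_key, ca_cert, hostnames, days=90):
    """Leaf for a TLS server: names in the SAN, ca=False, EKU serverAuth."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0])])
    cert = (_builder(subject, ca_cert.subject, key.public_key(), days)
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(h) for h in hostnames]), critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def _hostname_matches(hostname, pattern):
    """Exact match, or a single-label wildcard such as *.dev.local."""
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1].lower() == pattern[2:].lower()
    return hostname.lower() == pattern.lower()


def verify_leaf(leaf, ca_cert, hostname, now=None):
    """Client-side checks. Returns (ok, reason)."""
    now = now or datetime.datetime.now(UTC)
    if not ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False, "issuer is not a CA"
    if leaf.issuer != ca_cert.subject:
        return False, "issuer name mismatch"
    try:  # trust comes from the key, not from the issuer string
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                    ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature not made by this CA"
    # *_utc accessors exist from cryptography 42; fall back to the naive ones
    nb = getattr(leaf, "not_valid_before_utc", None) or leaf.not_valid_before.replace(tzinfo=UTC)
    na = getattr(leaf, "not_valid_after_utc", None) or leaf.not_valid_after.replace(tzinfo=UTC)
    if not nb <= now <= na:
        return False, "outside validity window"
    if leaf.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False, "leaf claims to be a CA"
    sans = leaf.extensions.get_extension_for_class(
        x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    if not any(_hostname_matches(hostname, s) for s in sans):
        return False, "hostname not in SAN"
    return True, "ok"


def demo():
    ca_key, ca_cert = make_ca()
    _, leaf = issue_server_cert(ca_key, ca_cert, ["dev.local", "localhost"])
    _, lookalike_ca = make_ca()  # same name, different key: must not be trusted
    return {
        "good": verify_leaf(leaf, ca_cert, "dev.local"),
        "wrong_host": verify_leaf(leaf, ca_cert, "evil.local"),
        "lookalike_ca": verify_leaf(leaf, lookalike_ca, "dev.local"),
        "expired": verify_leaf(leaf, ca_cert, "dev.local",
                               now=datetime.datetime.now(UTC) + 400 * DAY),
    }


if __name__ == "__main__":
    print(demo())
```

For real use, serialise the root certificate to PEM and install it only in the development machines' trust store, keep the root key off the machines that run the servers, and keep leaf lifetimes short so that reissuing is routine rather than an emergency.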

Emerging Security Technologies

  • Rubio Impersonator Signals Growing Security Threat From Deepfakes — An impostor posing as a secretary of state demonstrates the growing security threat from deepfakes. Read more

[CVE] 1 change on Microsoft

New OpenCVE notification

This email has been sent from the Critical Vulnerabilities notification of the securityinsights/CVE project.

1 vulnerability has been updated on 2025-07-10 between 00:00 and 00:59.

Critical Vulnerabilities (1)

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Changes: first_time, cpes, vendors
Subscriptions: Microsoft


Wednesday, July 9, 2025

Compliance Roundup - July 9, 2025

Critical Compliance Alert

  • Regulatory Pullback Amplifies Need for Strategic Risk Controls — Deregulatory environments can mask growing hidden risks from shareholder litigation to reputational damage. Read more

Compliance Frameworks

  • Outsourced Compliance: A Strategic Response to Regulatory Strain — Outsourced compliance services provide access to experienced professionals with regulatory knowledge and operational capacity, offering industry perspective that internal teams may lack. Read more

Policy & Governance Updates

  • An Ounce of Prevention is Worth a Pound of Cure: 4 Powerful Examples of Ethical Decision-Making — Ethical management is challenging in gray areas. This article explores test cases illustrating the importance of ethical decision-making. Read more

Third-Party Risk & Due Diligence

  • Regulatory Pullback Amplifies Need for Strategic Risk Controls — Deregulatory environments can mask growing hidden risks from shareholder litigation to reputational damage. Read more

Privacy Insights Digest - July 9, 2025

Top 3 Critical Privacy Alerts

  • District Court Enjoins Privacy Rule Modifications Regarding Reproductive Health Care — Texas court halts Biden Administration's changes to HIPAA Privacy Rule concerning reproductive health information. Read more
  • Texas Age Verification Law Upheld: U.S. Supreme Court Balances Free Speech and Child Protection in the Digital Age — Supreme Court validates Texas law mandating age verification for sites with substantial sexually explicit content. Read more
  • FERC Finalizes New Internal Network Security Monitoring Requirements for Bulk Electric Systems — FERC approves CIP-015-1, mandating internal network security monitoring for bulk electric systems. Read more

Privacy Laws & Regulations (GDPR, CPRA, CCPA, AI Acts)

  • Texas Age Verification Law Upheld: U.S. Supreme Court Balances Free Speech and Child Protection in the Digital Age — Supreme Court validates Texas law mandating age verification for sites with substantial sexually explicit content. Read more

Regulatory Fines & Enforcement Actions

  • District Court Enjoins Privacy Rule Modifications Regarding Reproductive Health Care — Texas court halts Biden Administration's changes to HIPAA Privacy Rule concerning reproductive health information. Read more

Security Threat Summary - July 9, 2025

Top 3 Critical Security Alerts

  • Microsoft Patch Tuesday, July 2025 Edition — Microsoft released updates to fix 137 security vulnerabilities, including 14 critical ones that could allow attackers to seize control of Windows PCs. Read more
  • Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities — Microsoft's monthly security update includes 132 vulnerabilities, with 14 marked as critical. Read more
  • CISA Adds Four Critical Vulnerabilities to KEV Catalog Due to Active Exploitation — CISA added four actively exploited vulnerabilities to its KEV catalog, including a buffer overflow in Multi-Router Looking Glass (MRLG). Read more

Threat Intelligence

  • Malicious Open Source Packages Spike 188% YoY — Data exfiltration was the most common malware, with over 4,400 packages designed to steal secrets and credentials. Read more
  • Suspected Hacker Linked to Silk Typhoon Arrested in Milan — The alleged Chinese state-sponsored hacker faces charges including wire fraud and unauthorized access. Read more
  • Hackers Use Leaked Shellter Tool License to Spread Lumma Stealer and SectopRAT Malware — Hackers are exploiting a leaked license of the Shellter red teaming tool to distribute stealer malware. Read more
  • Hackers 'Shellter' Various Stealers in Red-Team Tool to Evade Detection — Campaigns spreading Lumma, Arechclient2, and Rhadamanthys malware leverage key features of the AV/EDR evasion framework. Read more
  • RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks — A new botnet called RondoDox is exploiting security flaws in TBK DVRs and Four-Faith routers. Read more
  • Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms — An ongoing campaign targets Russian organizations with a previously undocumented Windows spyware called Batavia. Read more
  • TAG-140 Targets Indian Government Via 'ClickFix-Style' Lure — Threat actors trick victims into opening a malicious script, leading to the execution of the BroaderAspect .NET loader. Read more

Security Breaches & Incidents

  • South Korean Government Imposes Penalties on SK Telecom for Breach — A breach at SK Telecom exposed 27 million records, leading to penalties and regulatory requirements. Read more
  • 5 Ways Identity-based Attacks Are Breaching Retail — Major retailers like Adidas and Victoria's Secret have been breached through cracks of trust and access. Read more
  • BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally — A large-scale scam operation uses fake news websites to deceive users into online investment fraud. Read more

Security Tools & Best Practices

  • 4 Critical Steps in Advance of 47-Day SSL/TLS Certificates — IT teams need to plan for shorter certificate lifespans by 2029 to avoid operational disruptions. Read more

Emerging Security Technologies

  • The AI Fix #58: An AI runs a shop into the ground, and AI's obsession with the number 27 — Podcast discusses AI headphones, Microsoft's "medical superintelligence," and AI's fascination with the number 27. Read more

Tuesday, July 8, 2025

Security Threat Summary - July 8, 2025

Top 5 Critical Security Alerts

  • Ransomware Attack Triggers Widespread Outage at Ingram Micro — Disruption of customer ordering and services due to a ransomware attack. Read more
  • Chrome Store Features Extension Poisoned With Sophisticated Spyware — A popular color picker extension is hijacking sessions and redirecting users to malicious sites. Read more
  • Bert Blitzes Linux & Windows Systems — A new ransomware strain uses aggressive multithreading and cross-platform capabilities. Read more
  • SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools — Malvertising delivers Oyster malware loader via trojanized versions of legitimate tools. Read more
  • Employee arrested after Brazil's central bank service provider hacked for US $140 million — Approximately US $140 million was stolen from the reserve accounts of six financial institutions after a cyber attack hit a service provider. Read more

Threat Intelligence (APT, malware, ransomware)

  • Bert Blitzes Linux & Windows Systems — A new ransomware strain uses aggressive multithreading and cross-platform capabilities. Read more
  • DPRK macOS 'NimDoor' Malware Targets Web3, Crypto Platforms — North Korean threat actors are targeting cryptocurrency and Web3 platforms with malicious Zoom meeting requests. Read more
  • 'Hunters International' RaaS Group Closes Its Doors — The ransomware-as-a-service group is reportedly rebranding to a data theft outfit called World Leaks. Read more
  • SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools — Malvertising delivers Oyster malware loader via trojanized versions of legitimate tools. Read more
  • TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors — A hacking group with ties to Pakistan targets Indian government organizations with a modified remote access trojan. Read more

Security Breaches & Incidents

  • Ransomware Attack Triggers Widespread Outage at Ingram Micro — Disruption of customer ordering and services due to a ransomware attack. Read more
  • Employee arrested after Brazil's central bank service provider hacked for US $140 million — Approximately US $140 million was stolen from the reserve accounts of six financial institutions after a cyber attack hit a service provider. Read more

Security Tools & Best Practices

  • Manufacturing Security: Why Default Passwords Must Go — CISA urges manufacturers to eliminate default passwords after Iranian hackers breached a US water facility. Read more
  • What's My (File)Name?, (Mon, Jul 7th) — Article discusses anti-debugging and anti-analysis features in modern malware and suggests renaming suspicious files to avoid detection during analysis. Read more

Endpoint Security

  • Chrome Store Features Extension Poisoned With Sophisticated Spyware — A popular color picker extension is hijacking sessions and redirecting users to malicious sites. Read more
