Russia implicated in hack of federal court system documents

US has secretly placed tracking devices in advanced chips, UK will expand live police facial recognition, Microsoft fixes over 100 flaws on Patch Tuesday, Hackers issued fake nuclear warnings on Moscow buses, National Public Data comes back to life, much more


Please, please help us keep the lights on

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

Sources say investigators uncovered evidence that Russia is at least partly responsible for a recent hack of the computer system that manages federal court documents, including highly sensitive records with information that could reveal sources and people charged with national security crimes.

It is not clear which entity is responsible, whether an arm of Russian intelligence is behind the intrusion, or whether other countries were also involved in what some of the people familiar with the matter described as a years-long effort to infiltrate the system. Some of the searches included mid-level criminal cases in the New York City area and several other jurisdictions, with some cases involving people with Russian and Eastern European surnames.

The disclosure comes as President Trump is expected to meet with his Russian counterpart, Vladimir V. Putin, in Alaska on Friday, where Mr. Trump is planning to discuss his push to end the war in Ukraine.

Administrators with the court system recently informed Justice Department officials, clerks, and chief judges in federal courts that “persistent and sophisticated cyber threat actors have recently compromised sealed records,” in the CM/ECF (Case Management/Electronic Case Files) and PACER (Public Access to Court Electronic Records) systems.

“This remains an URGENT MATTER that requires immediate action,” officials wrote, referring to guidance that the Justice Department had issued in early 2021 after the system was first infiltrated.

Documents related to criminal activity with an overseas tie, across at least eight district courts, were initially believed to have been targeted. 

In recent weeks, judges of the Eastern District of New York have been taking corrective measures. On Friday, the chief judge of the district, Margo K. Brodie, issued an order prohibiting the uploading of sealed documents to PACER, the searchable public database for documents and court dockets. (Adam Goldman, Glenn Thrush, and Mattathias Schwartz / New York Times)

Related: Politico, The Sun, TechCrunch, Bloomberg Law, InfoRiskToday.com, Newser, The Kyiv Independent, The Verge, PYMNTS.com, Engadget, The Independent, Reuters, r/technology, r/law, r/news, r/politics, Slashdot, Mezha, Ukrainska Pravda, RBC-Ukraine, Security Week, Times of India, PYMNTS, Daily Mail, ABC7Chicago

According to sources, US authorities have secretly placed location tracking devices in targeted shipments of advanced chips they see as being at high risk of illegal diversion to China.

The measures aim to detect AI chips being diverted to destinations that are under US export restrictions, and apply only to select shipments under investigation.

The sources said the trackers can help build cases against people and companies who profit from violating US export controls.

Five other people actively involved in the AI server supply chain say they are aware of the use of the trackers in shipments of servers from manufacturers such as Dell and Super Micro, which include chips from Nvidia and AMD. Those people said the trackers are typically hidden in the packaging of the server shipments. (Fanny Potkin, Karen Freifeld and Jun Yuan Yong / Reuters)

Related: The American Bazaar, TheStreet

The UK Home Office announced that more live facial recognition (LFR) vans will be rolled out across seven police forces in England to locate suspects for crimes including sexual offences, violent assaults, and homicides.

The forces will get access to 10 new vans equipped with cameras, which scan the faces of people walking past and check them against a list of wanted people.

The government says the technology has been used in London to make 580 arrests in 12 months, including 52 registered sex offenders who breached their conditions.

However, campaign group Big Brother Watch said the "significant expansion of the surveillance state" was "alarming."

The government is now funding 10 vans equipped with LFR to be shared between seven forces, approximately doubling the number of vehicles.

The seven forces are Greater Manchester, West Yorkshire, Bedfordshire, Surrey, Sussex, Thames Valley, and Hampshire.

The technology identifies people by taking measurements of facial features, including the distance between the eyes and the length of the jawline, and then comparing the data to an existing watchlist.

Each van will be staffed with a trained officer who checks the matches identified by the technology.

Simultaneously, the government is consulting on what safeguards are needed to "ensure transparency and public confidence", ahead of drawing up a new legal framework. (Kate Whannel / BBC News)

Related: Gov.uk, The Independent, Sky News, About Manchester, The Mirror, City A.M. - Technology, Digit

In its August Patch Tuesday batch of fixes, Microsoft released updates for more than 100 security flaws in its Windows operating systems and other software, with at least 13 of the bugs receiving Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

The fixes include an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server Subscription Edition.

Fixing CVE-2025-53786 requires more than installing a patch: administrators must also follow Microsoft’s manual instructions for creating a dedicated service to oversee and lock down the hybrid connection between on-premises Exchange and Exchange Online.

CVE-2025-53779 is a weakness in the Windows Kerberos authentication system that allows an unauthenticated attacker to gain domain administrator privileges. Microsoft credits the discovery of the flaw to Akamai researcher Yuval Gordon, who dubbed it “BadSuccessor” in a May 2025 blog post. The attack exploits a weakness in “delegated Managed Service Account” or dMSA — a feature that was introduced in Windows Server 2025.

Some of the critical flaws addressed this month with the highest severity (between 9.0 and 9.9 CVSS scores) include a remote code execution bug in the Windows GDI+ component that handles graphics rendering (CVE-2025-53766) and CVE-2025-50165, another graphics rendering weakness. Another critical patch involves CVE-2025-53733, a vulnerability in Microsoft Word that can be exploited without user interaction and triggered through the Preview Pane.

One final critical bug tackled this month deserves attention: CVE-2025-53778, a bug in Windows NTLM, a core function of how Windows systems handle network authentication. According to Microsoft, the flaw could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Microsoft rates the exploitation of this bug as “more likely,” although there is no evidence that the vulnerability is being exploited at the moment. (Brian Krebs / Krebs on Security)

Related: Security Week, Bleeping Computer, Infosecurity Magazine, Qualys, The Register, CSO Online, XDA Developers, CyberScoop, Thurrott, CrowdStrike, Dark Reading, ComputerWeekly, The Cyber Express, Rapid7, SANS Internet Storm Center, AskWoody, Hack Read

Bus passengers in Moscow were ordered to take cover in bomb shelters over warnings of a ‘nuclear bombardment’ from Ukraine.

A video filmed in Russia’s capital captured the moment an alert was broadcast over the bus intercom system. The announcement said: ‘Attention, attention! Ukraine is threatening us with a nuclear bombardment. I repeat! Attention, attention! Ukraine is threatening us with a nuclear bombardment! Everyone to the shelters! Attention! Attention! Ukraine is threatening us with a nuclear bombardment!’

But transport officials in Moscow say the alert was broadcast by hackers, who have not yet been identified. (Katie Boyden / Metro)

Related: Metro on Facebook, Daily Mail, The Mirror

National Public Data, a website infamous for its role in leaking millions of Social Security numbers last year, has returned with the ability to look up anyone's personal information.

The new site functions as a “free people search engine,” which might alarm the public since National Public Data housed a massive trove of sensitive data on Americans.

The site shut down in December amid a wave of lawsuits against parent company Jerico Pictures after a breach exposed an estimated 272 million unique SSNs and 600 million phone numbers. Since then, the site has been relatively dormant. But now, the nationalpublicdata.com domain has sprung back to life with a new interface.

It looks like the domain has changed hands: In a page about last year’s breach, the site’s new owners write: “Important Notice: Jerico Pictures, Inc., the Florida company that suffered a major data breach in 2024, no longer operates this site. We have zero affiliation with them. We’re keeping this page, originally posted by Jerico Pictures, Inc., intact so its history remains traceable.”

The site doesn’t explain who the new owners are, but a domain lookup shows that it is registered to Florida-based “Perfect Privacy LLC,” a WHOIS privacy service known for letting users register web domains anonymously, so the registration record reveals nothing about who is actually behind the relaunch. (Michael Kan / PCMag)

Related: Tom's Guide, Mashable

Hackers released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.

Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th.

While the company did not name the provider, BleepingComputer first reported that the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.

Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches.

Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.

One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances.

These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors.

The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications. (Lawrence Abrams / Bleeping Computer)

Related: Security Affairs, The Register, FalconFeeds.io, Cyber Daily

Chipmakers Nvidia and Advanced Micro Devices continue to face challenges in shipping advanced AI processors to China, with national security and hardware security concerns at issue on both the Chinese and the US side.

The US government banned the export of high-end AI chips to China in 2022. Last month, the Trump administration agreed to allow shipments of less sophisticated processors to China as long as the manufacturers pay the US government a 15% fee on those sales.

Now, however, China has demanded that the most significant chipmaker, NVIDIA, prove that its processors do not have exploitable security flaws or backdoors, with Chinese state media claiming that NVIDIA's H20 chips are not safe.

The Cyberspace Administration of China called on the company to address the risk that its H20 chips have backdoor capabilities, according to China Daily, an English-language news outlet owned by the Central Propaganda Department of the Chinese Communist Party. (Robert Lemos / Dark Reading)

Related: Bloomberg, Reuters, CNBC, The Wall Street Journal, South China Morning Post

Smartphone startup Unplugged said it will start assembling its privacy-focused "UP Phone" in Nevada this fall, marking a strategic pivot toward onshore production as the Trump administration pushes to expand domestic manufacturing.

The phones will be assembled in Nevada, and the company aims to keep the device priced under $1,000, despite the high labor costs, CEO Joe Weil, a former Apple executive, told Reuters. The devices are currently made in Indonesia and priced at $989. (Akash Sriram / Reuters)

Related: MacDailyNews

Researchers at Binarly report that the XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.

Binarly reported the images to Debian, one of the maintainers still offering backdoored images, which decided not to take them offline, citing the low risk and the importance of archival continuity.

The XZ-Utils backdoor, tracked under CVE-2024-3094, was malicious code hidden in the liblzma.so library of the xz-utils compression tool, versions 5.6.0 and 5.6.1.

It hooked OpenSSL's RSA_public_decrypt function, as loaded into the OpenSSH server process (sshd), via glibc's IFUNC mechanism, so that an attacker holding a specific private key who connected over SSH to an affected system could bypass authentication and remotely run commands as root.

The backdoor was stealthily injected by a long-time project contributor using the name "Jia Tan" and shipped in the development and rolling branches of official Linux distributions including Debian, Fedora (Red Hat's community distribution), and openSUSE, making it one of the most severe software supply chain compromises of last year. (Bill Toulas / Bleeping Computer)
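Because the affected builds are identified by exact upstream version (xz-utils 5.6.0 and 5.6.1), the practical check for an old image is an inventory scan rather than a scan for the backdoor code itself. The following is an added example, not Binarly's or Debian's tooling: it parses a Debian-style dpkg status file (the `/var/lib/dpkg/status` that a Debian or Ubuntu image carries) and flags installed packages built from the xz-utils source at a backdoored version. The package names, the sample status stanzas, and the `find_backdoored` function are assumptions constructed for the example.

```python
"""Flag dpkg package inventories that still carry the backdoored
xz-utils 5.6.0 / 5.6.1 builds (CVE-2024-3094).

Added example, not Binarly's or Debian's tooling. Input is the dpkg
status file of a Debian/Ubuntu image; SAMPLE_STATUS below is constructed.
"""
import re
import sys

# Upstream xz versions whose liblzma carried the backdoor (CVE-2024-3094).
BACKDOORED_UPSTREAM = {"5.6.0", "5.6.1"}
# Debian binary packages built from the xz-utils source (assumed set).
XZ_PACKAGES = {"xz-utils", "liblzma5", "liblzma-dev"}


def upstream_version(debian_version: str) -> str:
    """Strip a Debian epoch ('1:') and revision ('-1') from a version string.
    '5.6.1-1' -> '5.6.1', '1:9.6p1-3' -> '9.6p1'."""
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def parse_dpkg_status(text: str):
    """Yield (package, version, status) for each stanza of a dpkg status file."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. multi-line Description) start with a space.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            yield fields["Package"], fields["Version"], fields.get("Status", "")


def is_backdoored_xz(package: str, version: str) -> bool:
    """True when an xz-derived package is at upstream 5.6.0 or 5.6.1."""
    return package in XZ_PACKAGES and upstream_version(version) in BACKDOORED_UPSTREAM


def find_backdoored(status_text: str):
    """Return [(package, version)] for *installed* xz packages at a backdoored
    version. Removed packages whose stanza lingers as 'config-files' are skipped."""
    hits = []
    for pkg, ver, status in parse_dpkg_status(status_text):
        if "installed" in status and is_backdoored_xz(pkg, ver):
            hits.append((pkg, ver))
    return hits


# Constructed sample: an image whose liblzma5 was never rebuilt after March 2024.
SAMPLE_STATUS = """\
Package: liblzma5
Status: install ok installed
Version: 5.6.1-1
Architecture: amd64

Package: xz-utils
Status: install ok installed
Version: 5.6.1-1
Architecture: amd64

Package: openssh-server
Status: install ok installed
Version: 1:9.6p1-3
Architecture: amd64

Package: liblzma-dev
Status: deinstall ok config-files
Version: 5.6.0-0.2
Architecture: amd64
"""

if __name__ == "__main__":
    # Pipe a real status file in, e.g.
    #   docker run --rm IMAGE cat /var/lib/dpkg/status | python3 xz_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    hits = find_backdoored(text)
    for pkg, ver in hits:
        print(f"BACKDOORED: {pkg} {ver} (CVE-2024-3094)")
    sys.exit(1 if hits else 0)
```

A version match is a necessary but not sufficient check: a distribution may have rebuilt 5.6.1 from a cleaned source tarball under a new revision, so a hit should be confirmed by inspecting the installed `liblzma.so` itself, and an image built on an RPM-based base needs the equivalent lookup against `rpm -qa`.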

Related: Binarly

Identity proofing and passwordless authentication company 1Kosmos announced it had raised $57 million in a Series B venture funding round, including a $10 million line of credit from Bridge Bank.

Forgepoint Capital and Origami’s Oquirrh Ventures led the round with participation by Craig Abod, Founder and President of Carahsoft, NextEra Energy Ventures, Gula Tech Adventures, and the 1Kosmos management team. (Duncan Riley / Silicon Angle)

Related: 1Kosmos, The Hindu BusinessLine, SecurityWeek

Best Thing of the Day: Silly Silicon Chip Doodles

In the 1970s and 1980s, chip designers etched microscopic doodles onto silicon, leaving marks they never intended the world to see.

Worst Thing of the Day: AI is Killing the Wayback Machine

Reddit says that it has caught AI companies scraping its data from the Internet Archive’s Wayback Machine, so it’s going to start blocking the Internet Archive from indexing the vast majority of Reddit.
