SharePoint server software security flaw sparked global attacks

A Special Request

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

Microsoft's SharePoint server software was exploited by unidentified hackers, with analysts warning of widespread cybersecurity breaches across the globe.

Microsoft said it had released a new security patch for customers to apply to their SharePoint servers “to mitigate active attacks targeting on-premises servers,” adding it was working to roll out others. However, the patch applies to only one version of SharePoint. Two other versions remain vulnerable, and Microsoft said it is continuing to work to develop a patch.

The vulnerability allowed hackers to access file systems and internal configurations, as well as execute code, the US Cybersecurity and Infrastructure Security Agency said.

Silas Cutler, a researcher at Michigan-based cybersecurity firm Censys, estimated that more than 10,000 companies with SharePoint servers were at risk. The US had the largest number of those companies, followed by the Netherlands, the UK, and Canada, he said.

Palo Alto Networks Inc. warned that “these exploits are real, in-the-wild, and pose a serious threat.” Google Threat Intelligence Group said in an emailed statement it had observed hackers exploiting the vulnerability, adding it allows “persistent, unauthenticated access and presents a significant risk to affected organizations.”

According to sources, hackers exploited the flaw to breach US federal and state agencies, universities, energy companies, and an Asian telecommunications company.

The US government and partners in Canada and Australia are investigating the compromise of SharePoint servers, which provide a platform for sharing and managing documents. Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond.

It was not immediately clear who was behind the hacking of Global Reach or what its ultimate goal was. One private research company found the hackers targeting servers in China as well as a state legislature in the eastern United States. Eye Security said it has tracked more than 50 breaches, including at an energy company in a large state and several European government agencies.

At least two US. Federal agencies have seen their servers breached, according to researchers, who said victim confidentiality agreements prevent them from naming the targets.

One state official in the eastern US said the attackers had “hijacked” a repository of documents provided to the public to help residents understand how their government works. The agency involved can no longer access the material, but it wasn’t clear whether it was deleted. (Mark Anderson and Jane Lanhee Lee / Bloomberg and Ellen Nakashima, Yvonne Wingett Sanchez and Joseph Menn / Washington Post)

Related: Microsoft, CISA, Eye Research, BleepingComputer, CISA, Business Today, Bloomberg, Help Net Security, Reuters, Digit, The Hacker News, Livemint, AskWoody, Security Week, BleepingComputer, iTnews,  SiliconANGLE, The Register,  NewsMax.com, Cryptopolitan, SANS Internet Storm Center, Forbes, The Stack, Cyber Security News, Hacker News (ycombinator), r/blueteamsec, r/cybersecurity, Chosun Biz, Tweaktown, GBHackers On Security, Cyber Security News, Security Affairs, Digit, Intelligent CIO Europe, CSO Online, Beta News, Bleeping Computer

The French government launched a criminal investigation into Elon Musk’s X over “the alleged manipulation of its algorithm” and “fraudulent” data extraction, the social media platform said.

X said that French authorities had requested access to the company’s recommendation algorithm, as well as data “about all user posts on the platform”. X said it “remains in the dark” about the specific allegations, which it denies, and that it “has not acceded to the French authorities’ demands."

The social media group also said that investigators had asked for access to its “recommendation algorithm” and data about users’ posts, so two experts could examine them.

Musk’s company also criticised the investigation as politically motivated, saying it was “instigated” by a French lawmaker, Éric Bothorel, who is a member of President Emmanuel Macron’s party, Renaissance. (Leila Abboud and Philip Georgiadis / Financial Times)

Related: CNBC, Reuters

Senior British officials say Sir Keir Starmer’s government is seeking a way out of a clash with the Trump administration over the UK’s demand that Apple provide it with access to encrypted cloud customer data.

The officials both said the Home Office, which ordered the tech giant in January to grant access to its most secure cloud storage system, would probably have to retreat in the face of pressure from senior leaders in Washington, including Vice President JD Vance.

The officials said the UK decision to force Apple to break its end-to-end encryption, which has been raised multiple times by top officials in Donald Trump’s administration, could impede technology agreements with the US.

One senior government official added that the Home Office had handled the issue of Apple encryption very badly and now had “its back against the wall”, adding: “It’s a problem of the Home Office’s own making, and they’re working on a way around it now”. In its order in January, the Home Office told Apple to build in a “back door” to allow law enforcement or security services to tap into the cloud storage system that stores user data that even the iPhone maker itself is currently unable to access. (Anna Gross, Tim Bradshaw and Lauren Fedor / Financial Times)

Related: The Verge, AppleInsider, MacRumors, Forbes, iClarified, WinBuzzer, Cryptopolitan, r/unitedkingdom, r/ukpolitics, r/technology, Fudzilla

Microsoft said it will stop using China-based engineers to provide technical assistance to the US military after a report in investigative journalism outlet ProPublica sparked questions from a US senator and prompted Defense Secretary Pete Hegseth to order a two-week review of Pentagon cloud deals.

The report detailed Microsoft's use of Chinese engineers to work on US military cloud computing systems under the supervision of US "digital escorts" hired through subcontractors who have security clearances but often lack the technical skills to assess whether the work of the Chinese engineers posed a cybersecurity threat.

Microsoft spokesperson Frank Shaw said on social media website X that the company changed how it supports US government customers "in response to concerns raised earlier this week ... to assure that no China-based engineering teams are providing technical assistance" for services used by the Pentagon.

Senator Tom Cotton, an Arkansas Republican who chairs the chamber's intelligence committee and also serves on its armed services committee, sent a letter to Defense Secretary Pete Hegseth about Microsoft's reported practices. (Stephen Nellis / Reuters)

Related:  ProPublica, CNBC, Cryptopolitan, Benzinga, Washington Times, PCMag, Neowin, Tech Xplore

WhatsApp should prepare to leave the Russian market, a lawmaker who regulates the IT sector said, warning that the messaging app owned by Meta was likely to be put on a list of restricted software.

President Vladimir Putin last month signed a law authorising the development of a state-backed messaging app integrated with government services, as Russia strives to reduce its dependence on platforms such as WhatsApp and Telegram.

Anton Gorelkin, deputy head of the lower house of parliament's information technology committee, said in a statement on Telegram that the state-backed app, MAX, could gain market share if WhatsApp, used by 68% of Russians daily, left.

"It's time for WhatsApp to prepare to leave the Russian market," Gorelkin said, adding that Meta is designated as an extremist organisation in Russia. (Alexander Marrow / Reuters)

Related: The Tech Portal, WION, APA.az

Hong Kong’s privacy watchdog is investigating a data leak affecting about 419,000 customers of Louis Vuitton, as the luxury giant suffers from a string of cyber attacks across its key markets in recent months.

Leaked data of the Hong Kong customers include names, passport numbers, birth dates, addresses, email addresses, phone numbers, shopping history, and product preferences, the Office of the Privacy Commissioner for Personal Data said. The affected database doesn’t contain any payment information, a spokesperson for Louis Vuitton in Hong Kong said.

The office is looking into the case, including whether there’s any delay in notifying authorities involved, according to the statement. It added that it hasn’t received any complaints or queries regarding the leak.

The data breach in Hong Kong followed similar incidents in the UK and South Korea earlier this month, where hackers stole customer data from Louis Vuitton, the biggest brand of LVMH Moet Hennessy Louis Vuitton SE. Christian Dior Couture, another LVMH label, also reported in May that its customer data were compromised in a cyber attack. (Shirley Zhao / Bloomberg)

Related: Reuters, South China Morning Post, Seeking Alpha, Inside Retail, The Business Times

Singapore Defense Minister Chan Chun Sing said select units from the Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF) are part of a whole-of-government effort to deal with an ongoing cyberattack on Singapore's critical infrastructure by the group known as UNC3886, which has ties to China.

While he did not give specifics about which units are involved, the Digital and Intelligence Service established in October 2022 is the SAF service responsible for securing Singapore’s cyber domain.

In particular, the Defence Cyber Command, which was launched in March, is the unit tasked with defending Mindef and SAF against cyber threats.

Separately, Coordinating Minister for National Security K. Shanmugam said on July 19 that the Government decided to name the state-sponsored espionage group behind the ongoing cyber attack because “Singaporeans ought to know where (it) was from."

The ongoing attack on Singapore’s critical infrastructure was made public by Mr Shanmugam during the Cyber Security Agency of Singapore’s (CSA) 10th anniversary dinner on July 18.

Describing UNC3886 as highly sophisticated and persistent, Mr Shanmugam said the group is going after high-value, strategic targets that deliver essential services to the country. (Kok Yufeng / The Straits Times)

Related: Government of Singapore, The Straits Times, Channel News Asia, The Financial Express, France24, Frontier Enterprise, Mothership

Dell has acknowledged that a newly rebranded extortion gang known as "World Leaks" breached one of its product demonstration platforms earlier this month and is now trying to extort the company into paying a ransom.

Dell said that the threat actor had breached its Customer Solution Centers platform, which is used to demonstrate Dell products and solutions to customers and is separated from other customer platforms.

Dell said, "Data used in the solution center is primarily synthetic (fake) data, publicly available datasets used solely for product demonstration purposes or Dell scripts, systems data, non-sensitive information and testing outputs. Based on our ongoing investigation, the data obtained by the threat actor is primarily synthetic, publicly available or Dell systems/test data."

While the threat actors likely believe it contains valuable data, as it includes sample medical data and financial information, this data is reportedly entirely fabricated. 

World Leaks is a rebrand of the Hunters International ransomware, which shifted its focus away from file encryption toward pure data extortion. (Lawrence Abrams / Bleeping Computer)

Related: Cyber Security News

A team of medical researchers from UC San Diego made an effort to quantify the cost of CrowdStrike's errant update on July 19, 2024, which crippled millions of Microsoft Windows computers around the world, in the potential harm to hospitals and their patients across the US, concluding that at least 759 US hospitals faced disruptions during the incident.

By scanning internet-exposed parts of hospital networks before, during, and after the crisis, they detected that at least 759 hospitals in the US appear to have experienced network disruption of some kind on that day. They found that more than 200 of those hospitals seemed to have been explicitly hit with outages that directly affected patients, from inaccessible health records and test scans to fetal monitoring systems that went offline. Of the 2,232 hospital networks they were able to scan, the researchers detected that fully 34 percent of them appear to have suffered from some disruption.

All of that indicates the CrowdStrike outage could have been a “significant public health issue,” argues Christian Dameff, a UCSD emergency medicine doctor and cybersecurity researcher, and one of the paper's authors. “If we had had this paper's data a year ago when this happened," he adds, “I think we would have been much more concerned about how much impact it really had on US health care.” (Andy Greenberg / Wired)

Related: JAMA Network

The UK National Cyber Security Centre (NCSC) formally attributed ‘Authentic Antics’ espionage malware attacks to APT28 (Fancy Bear), a threat actor already linked to Russia’s military intelligence service (GRU).

The NCSC revealed in a detailed technical analysis of the Authentic Antics malware that it is stealing credentials and OAuth 2.0 tokens that allow access to a target's email account.

The malware was observed in use in 2023 and runs inside the Outlook process and produces multiple Microsoft login prompts in its attempts to intercept the victim's sign-in data and authorization code.

The agency says that because Microsoft 365 apps are configurable per tenant, it is possible that sensitive data also works for Exchange Online, SharePoint, and OneDrive.

Authentic Antics exfiltrates the stolen data by using the victim’s own Outlook account to send it to an attacker-controlled email address, and hides the operation by disabling the “save to sent” option.

The NCSC did not make any attribution for Authentic Antics, but the agency announced today that it found evidence that links the malware to the APT28 state group, also known as Fancy Bear, Sednit, Sofacy, Pawn Storm, STRONTIUM, Tsar Team, and Forest Blizzard.

“The Government has today (July 18) exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim email accounts, in a move that will keep the UK and its allies safer,” UK's NCSC says. (Bill Toulas / Bleeping Computer)

Related: NCSC, Computer Weekly, SC Media, Industrial Cyber, Infosecurity Magazine, Digit, Reuters

Cyber specialists from Ukraine's military intelligence agency (HUR) claim to have carried out a large-scale cyberattack against the network infrastructure of Russian energy giant Gazprom to damage the company's information systems further, causing significant disruptions.

The alleged operation took place on July 17 and targeted systems used by Gazprom and its subsidiaries, which Ukraine's intelligence claims are directly involved in supporting Russia's war effort.

Gazprom is Russia's state-owned energy company, one of the world's largest gas producers and exporters.

The cyberattack allegedly destroyed large volumes of data and installed custom software designed to damage the company's information systems further.

"The degradation of Russian information systems to the technological Middle Ages continues," the source within the HUR told the Kyiv Independent.

According to the source, access to Gazprom's internal systems was disabled for nearly 20,000 system administrators, and backup copies of key databases were wiped. The attack reportedly affected approximately 390 subsidiary companies and branches, including Gazprom Teplo Energo, Gazprom Obl Energo, and Gazprom Energozbyt. (Anna Fratsyvir, Andrea Januta / The Kyiv Independent)

Related: United24, Kyiv Post

French senators accused the French State of “political fault” because it is outsourcing essential data infrastructure to US companies subject to US extraterritorial laws, including Microsoft, despite repeated warnings and alternatives.

France is subject to US extraterritorial law,” the report stated, warning that public data, including from health, education and critical sectors, was exposed to foreign surveillance under US legislation such as the Foreign Intelligence Surveillance Act (FISA) and the Clarifying Lawful Overseas Use of Data Act (CLOUD).

This legislation allowed the US Government to demand that companies subject to US law disclose the data they stored, simply by obtaining a judge’s authorisation.

The Senate report cited Microsoft France’s legal director, Anton Carniaux, as admitting the company could not guarantee that French data it hosted would not be handed over to foreign authorities.

“Carniaux … was asked by the [French Senate] commission to guarantee that French citizens’ data hosted by Microsoft would never be transmitted to foreign authorities without the agreement of the French authorities. He replied: ‘No, I can’t guarantee that,'” the report stated.

While France deepened its digital dependency, other European nations have been pushing back.

In June 2025, Denmark’s Minister for Digitalisation, Caroline Stage Olsen, announced a full pivot away from Microsoft, replacing it with LibreOffice, a Berlin-based open-source alternative.

Citing concerns over financial cost, market dominance and political tension with Washington, Denmark’s two largest cities, Copenhagen and Aarhus, had already begun ditching Microsoft earlier this year. (Anne-Laure Dufeal / Brussels Signal)

Related: Hacker News (ycombinator), PPC Land, r/europe, Pixel Envy, WERD/io

The Information Commissioner’s Office (ICO) has said the breach of data on Afghan relocations at the Ministry of Defence (MoD) was “unacceptable” and should never happen again.

It has published a statement, with an explanatory note, in response to the Government’s announcement of the breach, in which highly sensitive information on applicants for the Afghan Relocations and Assistance Policy was circulated online.

The statement and note follow the UK Government’s announcement acknowledging the breach, of which the MoD became aware in August 2023, 18 months after the incident, and lifting the injunction on any reporting of the story.

It was revealed that details of people from Afghanistan who had worked with British forces during the war in the country had been visible online. Details of a handful of the people later appeared in a post on Facebook.

The ICO said an MoD investigation of the breach determined that a spreadsheet, initially shared in 2022, and thought to contain data related to a small number of applicants, had contained hidden data related to more than 18,000 people. 

When it became aware of the breach, the information was quickly removed, and efforts stepped up to relocate Afghan people at risk to the UK. (Mark Say / UKAuthority)

Related: ICO, ICO, The Independent, Public Technology

The personal details of thousands of people across south-east Queensland have potentially been stolen in a major data breach, with a man, Joseph Kelly, accused of breaking into multiple mortgage brokers and tax offices.

Kelly is accused of breaking into Mortgage Choice offices and an ITP Tax office between Monday and Wednesday last week.

He allegedly targeted three buildings on the Gold Coast, along with one in Logan and another in Ipswich.

Police allege Kelly stole computers and filing cabinets, transferring an unknown amount of sensitive client data onto his own encrypted device.

It's understood that the stolen data may include driver's licences, passports, payslips, and mortgage applications. Police sources say he could face separate fraud charges for each customer whose information was allegedly taken.

TP Queensland says they have contacted 64 affected clients, while Mortgage Choice is still working to identify how many of its customers have been impacted. (9News)

Related: Economic Times

Indian cryptocurrency exchange CoinDCX was hacked, leaving the exchange drained of $44 million.

The hackers compromised one of CoinDCX’s internal accounts used for “liquidity provisions” with another exchange through a server breach.

No user funds were affected by the exploit, according to CoinDCX CEO Sumit Gupta. The CEO also said that all customer funds remain safe. (Vince Quill / Cointelegraph)

Related: Tech-Economic Times, Live Mint, The Block, CoinDesk, The Tribune, The Indian Express, Crypto Briefing, Bitcoinist, ZNews, OKX, NDTV, CIO News, The Cyber Express

The official Twitter account for Shift Up and Sony's popular 2024 game Stellar Blade was hit by hackers, taking over the game's account to sell a fraudulent cryptocurrency.

Several posts promoting a link to “stellar-coin.com” popped up in the feed, with links encouraging people to click through for a chance to claim massive sums of money in the form of crypto. The account also turned off comments, with an accompanying message saying it did so “to protect our holders from phishing, fake replies, and scam bots.”

Many of the posts used Stellar Blade characters and imagery to promote airdrops for a “Stellar Blade Coin” digital currency. The posts made wild claims about how much money has been claimed so far, likely to entice unsuspecting individuals to click on the links in the posts.

Some of the posts also promise in-game items, including exo-suit and weapon upgrades, with the same link to the supposed “Stellar Coin” website.

As of 9 am EDT on 7/21, the hacked posts remain on the Stellar Coin X account. (Amanda Kay Oaks / Comic Book)

Related: CryptoRank, BitGet, Vice, Bitcoinist, Cryptopolitan, GameRant

Researchers at CheckFirst in Finland managed to outline the structure and geographic footprint of a highly secretive Russian signals intelligence (SIGINT) unit by studying commemorative badges or challenge coins issued by the Russian government.

The coins relate to Military Unit 71330, Center 16, which is a secretive SIGINT unit that houses most of the cyber espionage capabilities of Russia’s Federal Security Service (FSB).

Challenge coins from various agencies are often resold on websites such as eBay or displayed online on websites maintained by private collectors. CheckFirst researchers tracked down several versions of Center 16 challenge coins found on a variety of publicly available websites, as well as on the websites of Russian challenge coin manufacturers, such as GosZnak, SpetsZnak, or Breget.

Based on this OSINT methodology, CheckFirst researchers were able to identify 10 distinct directorates within Center 16, which specialize in various aspects of defensive and offensive cyber espionage.

Previously, only a single Center 16 directorate had been identified in the unclassified domain.

Moreover, by examining geographic indicators found on several of the challenge coins, such as maps or coordinates, CheckFirst researchers were able to partly map out the geographic structure of Center 16, locating nearly a dozen interception facilities throughout Russia. (Joseph Fitsanakis / Intel News)

Related: CheckFirst, CheckFirst

The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.

Phobos is a ransomware-as-a-service operation that launched in December 2018, enabling other threat actors to join as affiliates and utilize their encryption tool in attacks. In exchange, any ransom payments were split between the affiliate and the operators.

While it is unclear how they were able to create the decryptor, it is believed it was made possible through information obtained during this year's disruption of the ransomware gang.

The decryptor can be downloaded from the Japanese police's website, with instructions shared in English. The decryptor is also available from Europol's NoMoreRansom platform and is being promoted by Europol and the FBI to demonstrate its official status.

Web browsers, including Google Chrome and Mozilla Firefox, are detecting the decryptor as malware, making it difficult to download and use. However, BleepingComputer has tested the decryptor, and not only is it not malicious, but it also successfully decrypts encrypted files from recent encryptors. (Lawrence Abrams / Bleeping Computer)

Related: Japanese Police, No More Ransom, The Cyber Express, The Record

OpenAI debuted a new feature for ChatGPT, and with it, a host of new security risks and ramifications.

Called the “ChatGPT agent,” this new feature is an optional mode that ChatGPT paying subscribers can engage by clicking “Tools” in the prompt entry box and selecting “agent mode,” at which point, they can ask ChatGPT to log into their email and other web accounts; write and respond to emails; download, modify, and create files; and do a host of other tasks on their behalf, autonomously, much like a real person using a computer with their login credentials.

Looking at OpenAI’s ChatGPT agent system card, the “read team” employed by the company to test the feature faced a challenging mission: specifically, 16 PhD security researchers who were given 40 hours to test it out.

Through systematic testing, the red team discovered seven universal exploits that could compromise the system, revealing critical vulnerabilities in how AI agents handle real-world interactions.

What followed next was extensive security testing, much of it predicated on red teaming. The Red Teaming Network submitted 110 attacks, from prompt injections to biological information extraction attempts. Sixteen exceeded internal risk thresholds. Each finding gave OpenAI engineers the insights they needed to get fixes written and deployed before launch. (Louis Columbus / Venture Beat)

Related: OpenAI, Gizchina.com, OpenAI

Hewlett-Packard Enterprise (HPE) is warning of hardcoded credentials in Aruba Instant On Access Points that allow attackers to bypass normal device authentication and access the web interface.

Aruba Instant On Access Points are compact, plug-and-play wireless (Wi-Fi) devices, designed primarily for small to medium-sized businesses, offering enterprise-grade features (guest networks, traffic segmentation) with cloud/mobile app management.

The security issue, tracked as CVE-2025-37103 and rated “critical” (CVSS v3.1 score: 9.8), impacts Instant On Access Points running firmware version 3.2.0.1 and below.

“Hardcoded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” explained HPE in the bulletin.

“Successful exploitation could allow a remote attacker to gain administrative access to the system.”

This flaw can be chained with CVE-2025-37103, as admin access is required for its exploitation, allowing threat actors to inject arbitrary commands into the CLI for data exfiltration, security disabling, and establishing persistence. (Bill Toulas / Bleeping Computer)

Related: HPE, Cyber Security News

Researchers at Trellix report that a new wave of malware targeting financial institutions in Hong Kong has been identified, featuring SquidLoader.

This stealthy loader deploys the Cobalt Strike Beacon and boasts advanced anti-analysis tactics.

The campaign begins with targeted spear-phishing emails. These messages, written in Mandarin, impersonate financial institutions and contain a password-protected RAR archive disguised as an invoice.

Once opened, users find a malicious PE binary camouflaged as a Microsoft Word document. This file, while visually deceptive, mimics the legitimate “AMDRSServ.exe” to aid in social engineering.

Once executed, SquidLoader embeds itself in the system and begins a multi-stage infection process.

One of SquidLoader’s defining traits is its extensive anti-analysis strategy. It uses environmental checks, string obfuscation, control flow confusion, and undocumented Windows syscalls to stay hidden. The malware terminates itself if any known analysis tools or antivirus processes are detected, including “windbg.exe,” “ida64.exe” and “MsMpEng.exe.”

The campaign is geographically focused, with strong indicators of targeting institutions in Hong Kong. However, similar samples suggest related attacks may be underway in Singapore and Australia.

To defend against threats such as SquidLoader, organizations should consider strengthening email filtering, endpoint monitoring, and behavioral analysis capabilities. (Alessandro Mascellino / Infosecurity Magazine)

Related: Trellix, HackRead, SC Media, gbhackers

CloudSEK has exposed a large-scale illegal financial operation in India, allegedly run by individuals laundering over $580 million (₹5,000 crores) annually.

This shadow banking empire uses illegal payment gateways, fake mobile apps, and a network of mule accounts to move dirty money, posing a significant threat to India’s financial and national security.

The operation involves recruiting Indian citizens as money mules. Often, vulnerable individuals like unemployed youth or students are targeted through deceptive earning apps distributed via Telegram and WhatsApp.

These apps trick users into giving up sensitive banking information or even intercepting One-Time Passwords (OTPs), effectively taking control of their accounts. In other cases, people are paid to open new bank accounts and hand over debit cards, cheque books, and linked SIM cards to the syndicate.

Once obtained, these mule accounts become part of an illegal payment gateway system controlled by Chinese operators. This system processes funds for various illicit activities, including illegal gambling, Ponzi schemes, predatory digital lending, “digital arrest” scams, and fake stock trading platforms. Unlike legitimate payment gateways regulated by the Reserve Bank of India (RBI), these operate entirely outside legal oversight.

The funds are then laundered through a complex, multi-layered process. (Deeba Ahmed / HackRead)

Related: CloudSEK

Houston-based The Alcohol & Drug Testing Service (TADTS), which conducts drug and alcohol testing for private employers and state and federal agencies, including the Department of Transportation, disclosed to regulators that a July 2024 hacking incident affected nearly 750,000 people.

While TADTS earlier reported the incident to Texas regulators in December 2024 as affecting 250 Texans, the company filed a breach report to Maine's attorney general on Thursday saying the hack affected a total 748,763 individuals, including two Maine residents.

Last July, cybercrime group Bian Lian listed the company on its dark website as one of its victims. (Marianne Kolbasuk McGee / BankInfoSecurity)

Related: Maine Attorney General, The Daily HODL, Digwatch

Researchers at LLM security firm General Analysis showed that by abusing Claude's iMessage integration, an attacker can mint unlimited Stripe "coupons" (i.e., account credits in your payment system), or invoke any tool with arbitrary parameters, without alerting the user.

The attack exploits Claude's inability to verify the true origin of a message received through iMessage: by injecting metadata-like tags into the body of a message, formatted as escaped text that mimics internal server annotations, an attacker can spoof trusted instructions, since Claude interprets everything as plain text without distinguishing between genuine system metadata and user-injected content.

In a simulated attack that exploits Claude's inability to verify the true origin of a message received through iMessage, General Analysis LLM researchers were able to create a $50,000 Stripe coupon. (General Analysis)

Related: Hacker News (ycombinator)

SLED, SMB, and enterprise security startup emerged from stealth, backed by a $30 million Series A venture funding round.

SYN Ventures led the round (Eduard Kovacs / Security Week)

Related: SecurityWeek,  iCOUNTER, InfoRiskToday.com, FinTech Global, Dallas Innovates, VC News Daily, Axios

CertifID, an Austin-based company tackling wire fraud in real estate transactions, raised $47.5 million in a Series C venture funding round.

Centana Growth Partners led the round with continued participation from Arthur Ventures. (Ryan Lawler / Axios)

Related: CertifID, Biometric Update, VC News Daily, Pulse 2.0, FinSMEs, FinTech Global

Best Thing of the Day: Understanding the Heritage of Chinese Hackers

Eugenio Benincasa at ETH Zürich examined a core group of red hackers from the 1990s and 2000s who laid the groundwork for China’s modern cyber capabilities and traced their trajectories from early red hacker groups into professional cybersecurity roles. (via Wired)

Worst Thing of the Day: Data Breaches Can Kill

The Taliban have killed the brother of an elite Afghan soldier who worked with British forces after the serviceman’s name appeared on a major data leak.

Bonus Worst Thing of the Day: The Call Is Coming From Inside the House

A Moscow court ordered the arrest of seven people in a major data trafficking case that appears to have direct links to the Ministry of Internal Affairs’ own central database.

Closing Thought