Read Time: 8 minutes

Brought to you by:

Howdy friends!

Just got back from HouSecCon - and wow has that thing grown. I was speaking there over a decade ago and it was a small, but content rich con. Now is an absolute powerhouse for the region. Over 3,000 people with tons of sponsors and fantastic content. Congrats to the team on the hard work putting out a great con and inviting me.

I’m going to be doing some recaps with speakers over on my YouTube in the coming weeks because there were some stellar talks.

ICYMI

🖊️ Something I wrote: This BBC reporter was offered 25% of a ransom payout if he gave hackers access to the corporate network.

🎧️ Something I heard: help, Im going through a midlife crisis...

🎤 Something I said: Did the Secret Service just take down a massive cyber threat?

🔖 Something I read: Rachel Tobac’s thread warning about Sora 2’s impact on fooling our families.

Vulnerable News

Red Hat confirms security incident after hackers breach GitLab instance

Red Hat just confirmed they got pwned by a group calling themselves "Crimson Collective" who claim to have made off with nearly 570GB of data from their GitLab instance (not GitHub, as initially reported). They allegedly grabbed around 800 Customer Engagement Reports spanning 2020-2025, which is consultant-speak for documents that often contain all the good stuff - infrastructure details, auth tokens, database URIs, and other goodies that could let you hop into customer networks.

The leaked CER directory includes: Bank of America, T-Mobile, AT&T, Kaiser, Mayo Clinic, even the U.S. Navy and House of Representatives. Red Hat's playing it close to the vest, confirming the incident but not verifying any claims about what was actually stolen. Meanwhile, the hackers say they tried the whole extortion route but just got bounced around Red Hat's support system with templated responses. (read more)

Is the browser you work on designed for work?*

What if you no longer had to surround the browser with agents, proxies, and gateways, because the browser you used at work was actually designed for work?

This is Island, the Enterprise Browser. It embeds core security, IT, and productivity into the workspace. Smart boundaries keep data where it belongs. Orgs see literally everything happening at work.

Users access everything they need, even internal apps, right from the browser. That’s why the banks, hospitals, stores, and airlines you use today run on Island. It’s one small change. But sometimes, changing one thing changes everything.

Ok, I’m listening. Tell me more.

*Sponsored

How Three New Gemini Vulnerabilities in Cloud Assist, Search Model, and Browsing Allowed Private Data Exfiltration

I’m loving all this AI security research coming out. Tenable put out these Gemini vulnerabilities they dubbed the "Gemini Trifecta.” The bugs created a neat infiltration-to-exfiltration chain: attackers could inject prompts through log entries (via User-Agent headers that get summarized by Cloud Assist), manipulate Chrome search history with JavaScript to poison Gemini's personalization model, and then use the browsing tool to exfiltrate private data by embedding it in URL parameters sent to attacker-controlled servers.

Google had already locked down the obvious stuff like image markdown and hyperlink rendering, but the researchers found that tool execution - specifically getting Gemini to "browse" malicious URLs - was still a viable exfiltration channel. The search history injection was especially sneaky since it just required victims to visit a malicious website, and the Cloud Assist bug could be triggered unauthenticated against any public GCP service. Google's response was swift: they disabled hyperlink rendering in log summaries, rolled back the vulnerable personalization model, and blocked browsing-based exfiltration in indirect prompt injections. (read more)

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

A new Chinese APT group dubbed "Phantom Taurus" has been unmasked after 2.5 years of surveillance by Unit 42. They've been hitting government and telecom targets across Africa, Middle East, and Asia - with a particular taste for foreign ministries and embassies. They even have a shiny new malware suite named NET-STAR, which is great at compromising IIS web servers. The suite includes a fileless modular backdoor and two flavors of .NET assembly loaders that can execute payloads directly in memory.

The group recently pivoted from email server raids to directly targeting databases, using some SQL scripts to extract specific data about countries like Afghanistan and Pakistan. They're running their ops through infrastructure shared with other known Chinese APTs like Iron Taurus and Starchy Taurus, but with their own dedicated segments - keeping their tradecraft distinct. Between the custom tools, the targeting patterns, and their infrastructure choices, Unit 42 is confident enough to promote them from a "maybe Chinese" cluster to a full-fledged Chinese state actor. (read more)

30M Domains Later, Here’s What We Found Hiding In Shadow IT*

How much Shadow IT can you uncover with only public data? We ran the experiment and the answer was: too much. From backups holding live credentials to admin panels with no authentication, these exposures stay invisible to you but wide open to attackers. Read the research to see what we found and how Intruder helps you find it first.

See what we found.

*Sponsored

Threat Insights: Active Exploitation of Cisco ASA Zero Days

I talked to a ton of people who had to chase these Cisco 0days around this week. Someone in my DMs even said they had to turn the whole corporate VPN off while they remediated. Wild!

Cisco put out emergency patches for these three zero-days in their ASA and FTD firewalls, with two already being hammered by what looks like the same state-sponsored crew behind ArcaneDoor. The attackers are targeting government networks worldwide and they're actively disabling logging to cover their movements. CVE-2025-20333 is the nastiest one with a 9.9 CVSS score allowing remote code execution, while the other two let attackers access restricted endpoints and plant persistent malware that survives reboots.

CISA's so worried they issued an emergency directive forcing federal agencies to patch immediately, and the UK's NCSC already published a detailed malware analysis of the RayInitiator bootkit and LINE VIPER shellcode loader being used in these attacks. If you're running Cisco ASA or FTD gear, this is a drop-everything-and-patch situation. The attackers have figured out how to maintain persistence even through firmware upgrades, so temporary mitigations aren't going to cut it - you need those patches installed ASAP. (read more)

Landlords Demand Tenants’ Workplace Logins to Scrape Their Paystubs

mattjayy

136K followers

View more on Instagram

Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations

Google's threat intel team with a massive playbook on UNC6040, a group that's been absolutely crushing it with voice phishing campaigns targeting Salesforce instances. They call employees pretending to be IT support, trick them into authorizing malicious "Data Loader" apps, then vacuum up all the Salesforce data they can get their hands on. They're using Mullvad VPN for access and sometimes name-drop ShinyHunters during extortion attempts to sound scarier.

The response from Google/Mandiant is basically a small novel of hardening recommendations covering everything from identity verification (they want video calls with photo ID for password resets) to Salesforce-specific controls like restricting API access and implementing "deny by default" for connected apps. They've also included a bunch of detection rules for spotting the typical "OAuth approval followed immediately by data exfiltration" pattern. It's a solid resource if you're running Salesforce and want to button up your defenses, though implementing all of this would be quite the undertaking for most organizations. (read more)

Here is the email Clop attackers sent to Oracle customers

Clop ransomware crew is back at it, this time targeting Oracle customers with some truly cringe-worthy extortion emails. The messages are packed with broken English gems like "We advice not reach point of no return" and "Time is ticking on clock." And we were worried about AI powered super phishing…

They're claiming to have breached Oracle apps and stolen data, offering to show victims "any 3 files you ask or data row" as proof, while promising they just want money and aren't interested in politics or destroying businesses.

Oracle confirmed they're aware of the situation and linked it to vulnerabilities from their July critical patch update, which included 309 fixes. The attackers are using hundreds of compromised third-party email accounts to send these messages - likely grabbed from infostealer malware sold on underground forums. While Clop hasn't posted anything on their leak site yet and researchers haven't verified the claims, the contact info matches previous Clop campaigns. (read more)

China court sentences 11 people to death over alleged role in family-run Myanmar scam operations

China just handed out death sentences to 11 members of the Ming family crime syndicate for running massive scam operations out of Myanmar. These weren't your typical romance scammers - we're talking about a $1.4 billion operation that used armed compounds to trap workers and killed 14 people, including 10 who tried to escape or disobeyed orders. The Wenzhou court didn't mess around, throwing in another five suspended death sentences and prison terms up to 24 years for the remaining defendants.

This is part of China's broader crackdown on the estimated $40 billion annual scam industry that's exploded across Southeast Asia. These operations use trafficked workers to run sophisticated online cons targeting victims globally, often romance-based investment scams. The Ming family's setup sounds particularly brutal - armed compounds, financial backers getting protection services, and literally shooting people to prevent escapes. China's been coordinating with Myanmar and Thailand to shut these down, freeing over 7,000 workers earlier this year. Jeez. Cybercrime goes full cartel. (read more)

Shutdown Threat Puts Federal Cyber on Edge

Congress is cutting it close again with a potential government shutdown looming in just four days. The big worry isn't just the usual funding drama - it's that key cyber programs like the Cybersecurity Information Sharing Act and state/local cybersecurity grants could expire right alongside the budget. CISA's already down about a third of its workforce, and now Trump's administration is threatening mass federal layoffs on top of potential shutdown cuts.

The White House pulled all the public contingency plans earlier this year, so nobody really knows how deep the cuts will go or which cyber functions would stay online. Former CISA officials are warning the country could be "dangerously exposed" if threat monitoring and incident response get hampered. (read more)

Chinese scammer pleads guilty after UK seizes nearly $7 billion in bitcoin

Holy moly, the UK just wrapped up what might be the biggest bitcoin bust in history. Chinese national Zhimin Qian pleaded guilty to running a massive Ponzi scheme that ripped off over 128,000 victims for billions between 2014-2017. She promised investors 300% returns (where do I sign?), then when Beijing cracked down on crypto in 2017, she fled to the UK with a fake passport and started buying up luxury properties to launder the proceeds.

The Met Police seized 61,000 bitcoin during a 2018 raid - now worth nearly $7 billion and officially the largest crypto seizure ever recorded. This took seven years of coordination between UK and Chinese law enforcement to nail down. Now there's apparently an epic battle brewing over who gets to keep the money, with the UK government eyeing it for their budget and Chinese investors demanding it back. Her money laundering partner already got six years, so Qian's probably looking at serious time when sentencing rolls around. (read more)

New spyware campaigns target privacy-conscious Android users in the UAE

Some new research on two gnarly Android spyware campaigns hitting privacy-conscious users. They're targeting people specifically looking for secure messaging by creating fake versions of Signal and ToTok apps. ProSpy masquerades as a "Signal Encryption Plugin" (which doesn't actually exist) or "ToTok Pro," while ToSpy goes all-in on impersonating ToTok. Both require manual installation from sketchy websites that mimic legitimate app stores, including one that looked like Samsung's Galaxy Store.

What makes ToSpy particularly interesting is that it specifically hunts for .ttkmbackup files - those are ToTok data backups, so they're clearly after chat histories. Both families are pretty persistent once installed, running foreground services and auto-restarting after reboots. The campaigns seem laser-focused on UAE users, which makes sense given ToTok's popularity there after getting booted from official app stores in 2019. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay