Cyber security aggregate rss news


Firewall Daily

As January 2026 comes to a close, The Cyber Express takes a comprehensive look at the events defining the global cybersecurity landscape. Over the past week, organizations worldwide faced high-profile cyberattacks, emerging threats in AI and ad fraud, critical software vulnerabilities, and intensifying regulatory scrutiny affecting both public and private sectors. This week’s coverage highlights significant attacks on Russian and U.S. companies, the discovery of an advanced post-exploitation framework, trends in EU data breach reporting, and actionable guidance for brands to enhance privacy, security, and compliance in an increasingly complex digital ecosystem.

The Cyber Express Weekly Roundup

Cyberattack Hits Russian Security Firm Delta

On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack that disrupted alarms, vehicle systems, and company communications for tens of thousands of customers. No customer data breach has been confirmed, although an unverified leak circulated online.

Ad Fraud and Data Privacy: Brands Must Act Now

Ad fraud is escalating, costing the digital advertising industry billions and eroding consumer trust. Experts such as Dhiraj Gupta of mFilterIt emphasize that brands can no longer rely on platform-reported metrics alone. Independent verification, real-time audits, and continuous monitoring of data flows are now essential to ensure privacy, enforce purpose limitation, and maintain accountability across complex advertising ecosystems.

Ivanti Patches Critical Mobile Manager Zero-Days

Ivanti released emergency fixes for two critical zero-day code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile. The flaws allow unauthenticated attackers to execute arbitrary code, access sensitive device and user data, and retrieve device location data where location tracking is enabled. CISA added CVE-2026-1281 to its KEV catalog with a two-day remediation deadline for federal agencies.

Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework

Cyble Research & Intelligence Labs uncovered ShadowHS, a fileless, in-memory Linux framework that gives attackers long-term, operator-controlled access. ShadowHS uses AES-encrypted payloads and in-memory execution to evade signature-based antivirus software, and supports credential theft, lateral movement, privilege escalation, cryptomining, and covert data exfiltration.

EU Data Breach Notifications Rise Amid GDPR Reform Talks

Data breach notifications in the EU rose 22% over the past year, averaging more than 400 per day. GDPR fines remained high at approximately €1.2 billion in 2025. Discussions on the Digital Omnibus legislation highlight the need to balance efficiency in reporting with protecting fundamental privacy rights, alongside NIS2, DORA, and ongoing cybersecurity threats.

New Cyberattacks Target U.S. Companies

Several U.S. companies, including Bumble, Panera, Match Group, and Crunchbase, faced phishing and vishing attacks against employees. Bumble reported brief unauthorized access to a small portion of its network, while the other firms reported limited exposure. The ShinyHunters group claims responsibility and has issued extortion demands, underlining social engineering as a growing threat to high-profile organizations.

Weekly Takeaway

The last week of January 2026 shows that cybersecurity is no longer just a technical concern. From attacks on critical infrastructure in Russia to post-exploitation Linux frameworks, ad fraud, and regulatory scrutiny in the EU, organizations must combine technology, governance, and proactive monitoring to protect data, trust, and operations.

Firewall Daily

Cyble Research & Intelligence Labs (CRIL) has uncovered a post-exploitation Linux framework called ShadowHS, designed for stealthy, in-memory operations. Unlike traditional malware, ShadowHS combines a fileless architecture with a weaponized version of hackshell, enabling attackers to maintain long-term, operator-controlled access to compromised Linux systems.

Fileless Execution and Weaponized Hackshell

The ShadowHS Linux framework operates entirely in memory, leaving no persistent binaries on disk. CRIL’s analysis revealed that the framework uses an encrypted shell loader to deploy a heavily modified version of hackshell as an interactive post-exploitation environment. The loader decrypts and reconstructs the payload in memory using AES-256-CBC decryption, byte skipping via Perl, and gzip decompression. The payload is then executed via /proc/<pid>/fd/<fd> with a spoofed argv[0], so no filesystem artifacts remain.

[Figure: Payload Reconstruction & Fileless Execution (Source: CRIL)]

Once active, ShadowHS prioritizes reconnaissance: fingerprinting host security measures, checking for prior compromises, and providing an operator-controlled interface. Its runtime behavior is deliberately restrained, allowing attackers to selectively invoke capabilities such as credential access, lateral movement, privilege escalation, cryptomining, and covert data exfiltration.

CRIL Observations on Operator-Centric Design

According to CRIL, ShadowHS reflects mature operator tradecraft rather than the patterns of opportunistic Linux malware. Its in-memory design allows operators to assess a system’s security posture while avoiding traditional detection mechanisms. The payload performs aggressive EDR and AV fingerprinting, checking for commercial endpoint tools such as CrowdStrike, Tanium, Sophos, and Microsoft Defender, as well as cloud and OT/ICS telemetry agents.

[Figure: Runtime Dependency Validation (Source: CRIL)]

“ShadowHS demonstrates a clear separation between restrained runtime activity and extensive dormant capabilities,” CRIL notes. “This is indicative of a deliberate operator-driven post-exploitation platform rather than automated malware.”

Covert Data Exfiltration

One of ShadowHS’s most notable features is its ability to exfiltrate data without using standard network channels. The framework implements user-space tunneling over GSocket in place of rsync’s default transport, allowing files to be transferred stealthily across firewalls and restrictive network environments. CRIL observed two variants, one using DBus-based tunneling and another employing netcat-style GSocket tunnels; both preserve timestamps, permissions, and partial-transfer state.

Dormant Capabilities and Lateral Movement

ShadowHS also contains dormant modules that operators can activate on demand. These include:

- Memory dumping for credential theft
- SSH-based lateral movement and brute-force scanning
- Privilege escalation using kernel exploits
- Cryptocurrency mining via XMRig, GMiner, and lolMiner

The framework incorporates anti-competition logic to detect and terminate rival malware, including miners such as Rondo and Kinsing and credential-stealing backdoors such as Ebury. It also evaluates kernel integrity and loaded modules, helping the operator determine whether the host is already compromised or actively monitored.

Implications for Threat Defense

The discovery of ShadowHS underlines the challenges organizations face in defending Linux environments against fileless, in-memory threats. CRIL notes that signature-based antivirus and file-based detection mechanisms are insufficient to detect frameworks like ShadowHS. Effective defense requires monitoring process behavior, kernel-level telemetry, and memory-resident activity.

“ShadowHS represents a fully operator-controlled, adaptive Linux framework designed for stealth and long-term access,” CRIL stated. “Its use of a weaponized hackshell, fileless execution, and exfiltration methods highlights the growing need for proactive threat intelligence and advanced monitoring strategies.”
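The execution pattern described above (a payload reconstructed in memory, launched through /proc/<pid>/fd/<fd> under a spoofed argv[0]) still leaves traces in /proc even though nothing is written to disk. The scanner below is an added example, not CRIL’s code and not a ShadowHS signature: it reads /proc/<pid>/exe and /proc/<pid>/cmdline, scores each process on four signals (memfd-backed executable, backing file unlinked after exec, launch through a /proc fd path, argv[0] that does not match the executable) and reports those at or above a threshold. The SAMPLE process records are constructed for the example, including a benign argv[0] rewrite that must not be flagged.

```python
"""Flag Linux processes whose executable has no backing file on disk.

Heuristics (each is only a signal; daemons that rewrite argv[0] score 1):
  * /proc/<pid>/exe resolves to an anonymous memfd
  * the backing file was unlinked after exec ("(deleted)" suffix)
  * the process was launched through a /proc/<pid>/fd/<fd> path
  * argv[0] does not match the executable's basename (spoofed name)
"""
import os
import re
from dataclasses import dataclass

PROC_FD = re.compile(r"^/proc/(\d+|self)/fd/\d+$")


@dataclass
class ProcInfo:
    pid: int
    exe: str        # readlink(/proc/<pid>/exe), "" if unreadable
    cmdline: list   # argv[] split from /proc/<pid>/cmdline


def collect_live(proc_root="/proc"):
    """Read exe and cmdline for every visible pid (root needed for other users' exe links)."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:          # kernel thread, already exited, or no permission
            exe = ""
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        procs.append(ProcInfo(int(name), exe, argv))
    return procs


def classify(p):
    """Return (score, reasons) for one process; 0 means nothing odd was seen."""
    score, reasons = 0, []
    exe, deleted = p.exe, p.exe.endswith(" (deleted)")
    if deleted:
        exe = exe[: -len(" (deleted)")]
    if exe.startswith("/memfd:"):            # kernel renders memfd execs this way
        score += 3
        reasons.append("executable is an anonymous memfd")
    if deleted:
        score += 2
        reasons.append("backing file was unlinked after exec")
    argv0 = p.cmdline[0] if p.cmdline else ""
    if PROC_FD.match(argv0):
        score += 2
        reasons.append("launched via /proc/<pid>/fd/<fd>")
    a, e = os.path.basename(argv0), os.path.basename(exe)
    # Prefix match tolerates "python3" vs "python3.11"; anything else is a renamed process.
    if a and e and not (a.startswith(e) or e.startswith(a)):
        score += 1
        reasons.append(f"argv[0] {argv0!r} does not match exe {exe!r}")
    return score, reasons


def scan(procs):
    """Map pid -> (score, reasons) for every process that triggered at least one signal."""
    report = {}
    for p in procs:
        score, reasons = classify(p)
        if score:
            report[p.pid] = (score, reasons)
    return report


def suspicious(procs, threshold=2):
    """Pids whose combined score reaches the threshold, lowest pid first."""
    return sorted(pid for pid, (score, _) in scan(procs).items() if score >= threshold)


# Constructed sample of what /proc would show for four processes (not real telemetry):
SAMPLE = [
    ProcInfo(1, "/usr/lib/systemd/systemd", ["/sbin/init"]),          # benign rename, score 1
    ProcInfo(2231, "/usr/bin/python3.11", ["python3", "/opt/app/worker.py"]),
    ProcInfo(4177, "/memfd:kworker (deleted)", ["/usr/sbin/crond"]),  # in-memory payload posing as crond
    ProcInfo(4190, "/tmp/.x/ld.so (deleted)", ["/proc/4190/fd/7"]),   # run from an fd, file removed
]

if __name__ == "__main__":
    live = collect_live()
    report = scan(live)
    for pid in suspicious(live):
        print(pid, *report[pid][1], sep="\n  ")
```

Run it as root (reading another user’s exe link needs CAP_SYS_PTRACE), on a schedule, and diff against a baseline: init, PostgreSQL and sshd rewrite argv[0] legitimately, which is why a name mismatch on its own stays below the threshold, while a memfd-backed or unlinked executable is rare enough on a server to be worth a look every time.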

Cyber News

A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, a lack of multi-factor authentication (MFA), and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team.

The report underscores the difficulty of securing critical infrastructure systems, which frequently rely on outdated devices that are difficult to update. In the Polish energy grid attack, credential and configuration errors compounded those weaknesses.

CERT Polska attributed the campaign to Static Tundra, a group linked to Center 16 of Russia’s Federal Security Service (FSB). A Dragos report on one of the Polish incidents, however, attributed the activity to ELECTRUM, a subgroup of Sandworm, the GRU-linked group implicated in the destructive attacks on the Ukrainian power grid a decade ago. The Polish report notes that the DynoWiper malware used in the latest attacks “contains certain similarities to wiper-type tools associated with the activity cluster publicly known as ‘Sandworm’ and ‘SeashellBlizzard,’” but adds, “Despite identifying commonalities in behavioral characteristics and overall architecture, the level of similarity is too low to attribute DynoWiper to previously used wiper families.” The attackers’ activity began between March and May 2025, months before the December 29 attack.

Polish Energy Grid Attack Could Have Been Worse

The CERT Polska report said the December attack “resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation” or the stability of the Polish power system. “It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities,” the report said. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.”

Dragos noted that in its incident response case, the attackers “gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” an attack the company called “very alarming.”

“This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” Dragos said. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.”

“An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it,” Dragos added. “It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.”

Credential and Configuration Mistakes Exploited in Polish Energy Grid Attack

The attackers exploited a long list of outdated and misconfigured devices and default or static credentials that were not protected by MFA. The Polish report noted that in each affected facility a FortiGate device served as both VPN concentrator and firewall. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi-factor authentication,” the report said. It also noted that reusing the same accounts and passwords across multiple facilities is common practice in the industry. “In such a scenario, the compromise of even a single account could have enabled the threat actor to identify and access other devices where the same credentials were used,” CERT Polska said.

The networks of the targeted facilities were often segmented into VLAN subnets, but because the attackers held administrative privileges on the FortiGate, “These privileges were likely used to obtain credentials for a VPN account with access to all subnets,” the report said. “Even if no such account had existed, the attacker, having administrator-level access, could have modified the device configuration to enable equivalent access.”

In one incident, the attacker gained access to the SSL-VPN portal of a FortiGate device at the organization’s network perimeter using “multiple accounts that were statically defined in the device configuration and did not have two-factor authentication enabled.” After gaining access, the attackers used bookmarks defined in the configuration to reach jump hosts over RDP, the report said. Analysis of a FortiGate configuration file showed that some users had target credentials statically configured in those bookmarks, allowing connections to the jump host from the SSL-VPN portal without any additional local or domain user credentials. The attacker also changed the configuration, adding a rule that allowed connections using any protocol and IP address to a specified device, and disabled network traffic logging. Using the FortiGate scripting mechanism, the attacker created scripts that exfiltrated further credentials and modified security settings, and scheduled them to run weekly.

The report also detailed numerous out-of-date or misconfigured operational technology (OT) devices, many with default credentials, including Hitachi and Mikronika controllers, and secure update features that had not been enabled. In the case of Hitachi Relion 650 v1.1 IEDs, the default FTP account had not been disabled in line with the manufacturer’s recommendations. Where an HMI used unique credentials for its local administrator account, “unsuccessful password-breaking attempts were observed. In those cases, the HMI was not damaged.” The attackers also pivoted to cloud services, the report said.
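Every FortiGate weakness the report describes (local VPN accounts without two-factor authentication, SSL-VPN bookmarks carrying stored jump-host credentials, an accept-anything rule with traffic logging disabled, and a scheduled auto-script) is visible in the device’s exported configuration. The audit below is an added example, not part of the CERT Polska report: it parses FortiOS CLI syntax (config / edit / set / next / end) into a tree and runs those four checks over it. SAMPLE_CONFIG is constructed for the example; the table and attribute names (user local, two-factor, vpn ssl web user-bookmark, logon-password, firewall policy, logtraffic, system auto-script) follow FortiOS CLI conventions and should be confirmed against the firmware in use.

```python
"""Audit a FortiOS configuration export for the weaknesses CERT Polska describes."""
import shlex


class Node:
    def __init__(self):
        self.settings = {}   # 'set' key -> list of values
        self.tables = {}     # nested "config name" -> {entry name -> Node}


def parse_fortios(text):
    """Build a tree from FortiOS CLI syntax (config / edit / set / next / end)."""
    root = Node()
    stack = [root]                      # alternates Node (entry) and dict (table)
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok or tok[0].startswith("#"):
            continue
        kw, ctx = tok[0], stack[-1]
        if kw == "config":              # open a table under the current entry
            stack.append(ctx.tables.setdefault(" ".join(tok[1:]), {}))
        elif kw == "edit":              # open (or reopen) an entry in the table
            stack.append(ctx.setdefault(tok[1] if len(tok) > 1 else "", Node()))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set" and len(tok) > 2:
            if isinstance(ctx, dict):   # 'set' directly under a table with no 'edit'
                ctx = ctx.setdefault("", Node())
            ctx.settings[tok[1]] = tok[2:]
    return root


def audit(root):
    """Return (severity, message) pairs for the four misconfigurations in the report."""
    out = []
    for name, u in root.tables.get("user local", {}).items():
        if u.settings.get("two-factor", ["disable"]) == ["disable"]:   # 'disable' is the default
            out.append(("high", f"local user {name!r} has no two-factor method"))
    for prof, p in root.tables.get("vpn ssl web user-bookmark", {}).items():
        for bm, b in p.tables.get("bookmarks", {}).items():
            if "logon-password" in b.settings:
                host = " ".join(b.settings.get("host", ["?"]))
                out.append(("high", f"SSL-VPN bookmark {prof}/{bm} stores a logon password for {host}"))
    for pid, pol in root.tables.get("firewall policy", {}).items():
        s = pol.settings
        if s.get("action") == ["accept"] and s.get("service") == ["ALL"] and s.get("srcaddr") == ["all"]:
            nolog = s.get("logtraffic") == ["disable"]
            out.append(("high" if nolog else "medium",
                        f"policy {pid} accepts any service from any source"
                        + (" with traffic logging disabled" if nolog else "")))
    for name, sc in root.tables.get("system auto-script", {}).items():
        s = sc.settings
        if s.get("start") == ["auto"] or s.get("repeat") == ["0"]:    # repeat 0 = run forever
            out.append(("medium", f"auto-script {name!r} runs every "
                                  f"{' '.join(s.get('interval', ['?']))}s: {' '.join(s.get('script', []))}"))
    return out


# Constructed configuration fragment (not a real device export); 604800 s is one week.
SAMPLE_CONFIG = """\
config user local
    edit "vpn-ops"
        set passwd ENC AAAA
        set two-factor disable
    next
    edit "j.smith"
        set two-factor fortitoken
    next
end
config vpn ssl web user-bookmark
    edit "ops-bookmarks"
        config bookmarks
            edit "jumphost-rdp"
                set host "10.10.20.5"
                set logon-user "Administrator"
                set logon-password ENC CCCC
            next
        end
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set action accept
        set service "RDP"
        set logtraffic all
    next
    edit 37
        set srcaddr "all"
        set dstaddr "scada-rtu"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
end
config system auto-script
    edit "hk"
        set interval 604800
        set repeat 0
        set start auto
        set script "show full-configuration"
    next
end
"""

if __name__ == "__main__":
    for sev, msg in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Feed it the output of `show full-configuration` from each device, and treat a new auto-script or a new any/any policy with logging off as an incident indicator, not a hygiene finding: both were post-compromise changes in the Polish case.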

Vulnerability News

Two code injection vulnerabilities allowed unauthenticated attackers to execute arbitrary code and access sensitive device information across compromised networks. Ivanti released emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM) after discovering that attackers had exploited the flaws to compromise customer systems. The company confirmed that a limited number of organizations fell victim to attacks leveraging CVE-2026-1281, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog with a February 1 remediation deadline for federal agencies.

The Code Injection Zero-Days

Both CVE-2026-1281 and CVE-2026-1340 are code injection flaws affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features. Rated critical with CVSS scores of 9.8, the vulnerabilities allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti stated in its security advisory released Thursday. The company acknowledged that it lacks detailed information about the threat actors and comprehensive indicators of compromise because of the sophistication of the attacks.

The vulnerabilities affect only on-premises EPMM deployments; they do not affect cloud-hosted Ivanti Neurons for Mobile Device Management, Ivanti Endpoint Manager, the Ivanti Sentry secure mobile gateway, or any other Ivanti products. Ivanti nevertheless recommends that organizations review Sentry logs alongside EPMM systems for signs of lateral movement.

What Attackers Can Siphon

Successful exploitation grants attackers access to mobile device management infrastructure. Compromised EPMM appliances expose administrator and user credentials, including usernames and email addresses. Attackers gain visibility into managed mobile devices, including phone numbers, IP addresses, installed applications, and device identifiers such as IMEI and MAC addresses. Organizations with location tracking enabled face additional exposure: attackers can retrieve device location data, including GPS coordinates and cellular tower information. More critically, attackers can use EPMM’s API or web console to modify device configurations, including authentication settings.

Urgent Remediation Called For

Ivanti released RPM scripts that provide temporary mitigation for affected EPMM versions. Organizations running versions 12.5.0.x, 12.6.0.x, and 12.7.0.x should deploy RPM 12.x.0.x, while those on 12.5.1.0 and 12.6.1.0 require RPM 12.x.1.x. The company said that applying the RPM requires no downtime and has no functional impact. “If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM,” Ivanti warned. “The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0,” scheduled for later in Q1 2026.

Organizations that suspect compromise should not attempt to clean affected systems. Ivanti recommends either restoring EPMM from known-good backups taken before the exploitation occurred or rebuilding the appliance and migrating data to a replacement. After restoration, administrators must reset passwords for local EPMM accounts and for LDAP and KDC service accounts, revoke and replace public certificates, and reset passwords for all internal and external service accounts configured in EPMM.

The company’s analysis guidance flags particular risk around Sentry integration. While EPMM can be confined to a demilitarized zone with minimal corporate network access, Sentry tunnels traffic from mobile devices to internal network assets, so organizations should review systems reachable through Sentry for signs of reconnaissance or lateral movement.

CISA Issues a Tight Two-Day Deadline

CISA’s addition of CVE-2026-1281 to the KEV catalog triggers the requirements of Binding Operational Directive 22-01: federal civilian agencies must apply vendor mitigations or discontinue use of vulnerable systems by February 1, 2026. CISA strongly urges all organizations, not just federal agencies, to prioritize remediation as part of their vulnerability management practices. Notably, CISA added only CVE-2026-1281 to the KEV catalog despite Ivanti confirming exploitation of both vulnerabilities; the agency has not explained the discrepancy.

The disclosure continues Ivanti’s troubled run through 2025, which saw widespread exploitation of multiple zero-day vulnerabilities across its product portfolio. Security researchers previously linked EPMM attacks to sophisticated threat actors, with some incidents attributed to China-nexus advanced persistent threat groups.

Management platforms like EPMM are high-value targets because compromising them effectively turns the system into enterprise-wide command-and-control infrastructure. Organizations should apply the mitigations immediately and conduct thorough assessments of potentially compromised systems to prevent further damage from these actively exploited vulnerabilities.

Cyber Essentials

Ad fraud isn’t just a marketing problem anymore; it is a full-scale threat to the trust that powers the digital economy. As Data Privacy Week 2026 puts a global spotlight on protecting personal information and ensuring accountability online, the growing fraud crisis in digital advertising feels more urgent than ever. In 2024 alone, fraud in mobile advertising jumped 21%, while programmatic ad fraud drained nearly $50 billion from the industry. During Data Privacy Week 2026, these numbers serve as a reminder that ad fraud is not only about wasted budgets; it is also about how consumer data moves, gets tracked, and is sometimes misused across complex ecosystems.

This urgency is reflected in the rapid growth of the ad fraud detection tools market, expected to rise from $410.7 million in 2024 to more than $2 billion by 2034. And in the context of Data Privacy Week 2026, the conversation is shifting beyond fraud prevention to a bigger question: if ads are being manipulated and user data is being shared without clear oversight, who is truly in control?

To unpack these challenges, The Cyber Express team spoke during Data Privacy Week 2026 with Dhiraj Gupta, CTO & Co-founder of mFilterIt, a technology leader at the forefront of helping brands win the battle against ad fraud and restore integrity across the advertising ecosystem. With a background in telecom and a passion for building AI-driven solutions, Gupta argues that brands can no longer rely on surface-level compliance or platform-reported metrics. As he puts it, “Independent verification and data-flow audits are critical because they validate what actually happens in a campaign, not just what media plans, platforms, or dashboards report.”

Read the excerpt from the Data Privacy Week 2026 interview below to understand why real-time audits, stronger privacy controls, and continuous accountability are quickly becoming non-negotiable in the fight against fraud, and in rebuilding consumer trust in digital advertising.

Interview Excerpt: Data Privacy Week 2026 Special

TCE: Why are independent verification and data-flow audits becoming essential for brands beyond just detecting ad fraud?

Gupta: Independent verification and data-flow audits are critical because they validate what actually happens in a campaign, not just what media plans, platforms, or dashboards report. They provide evidence-based accountability to regulators, advertisers, and agencies, allowing brands to move from assumed compliance to provable control. Importantly, these audits don’t only verify whether impressions are real; they also assess whether user data is being accessed, shared, or reused, such as for remarketing or profiling, in ways the brand never explicitly approved. In today’s regulatory environment, intent is no longer enough. Brands must be able to demonstrate operational control over how data moves across their digital ecosystem.

TCE: How can unauthorized or excessive tracking of users occur even when a brand believes it is compliant with privacy norms?

Gupta: In many cases, this happens not due to malicious intent, but because of operational complexity and the push for funnel optimization and deeper data mapping. Common scenarios include tags or SDKs triggering secondary or tertiary data calls that are not disclosed to the advertiser, and vendors activating new data parameters, such as device IDs or lead identifiers, without explicit approval. Over time, incremental changes in tracking configurations can significantly expand data collection beyond what was originally consented to or contractually permitted, even though the brand may still believe it is operating within compliance frameworks.

TCE: How does programmatic advertising contribute to widespread sharing of user data across multiple intermediaries?

Gupta: Programmatic advertising is inherently multi-layered. A single ad impression can involve dozens of intermediaries like DSPs, SSPs, data providers, verification partners, and identity resolution platforms, each receiving some form of user signal for bidding, measurement, or optimization. While consent is often collected once, the data derived from that consent may be replicated, enriched, and reused multiple times across the supply chain. Without real-time data-flow monitoring, brands have very limited visibility into how far that data travels, who ultimately accesses it, or how long it persists across partner systems.

TCE: What risks do brands face if they don’t fully track the activities of their data partners, even when they don’t directly handle consumer information?

Gupta: Even when brands do not directly process personally identifiable information, they remain accountable for how their broader ecosystem behaves. The risks include regulatory exposure, reputational damage, erosion of consumer trust, and an inability to defend compliance claims during audits or investigations. Regulators are increasingly asking brands to demonstrate active control, not just contractual intent. Without independent verification and documented evidence, brands effectively carry residual compliance risk by default.

TCE: Why do consent frameworks sometimes fail to ensure that user data is controlled as intended?

Gupta: Consent frameworks are effective at capturing permission, but far less effective at enforcing downstream behaviour. They typically do not monitor what happens after consent is granted, whether data usage aligns with stated purposes, whether new vendors are added, or whether data access expands over time. Without execution-level oversight, consent becomes symbolic rather than operational. For example, data that was shared for campaign measurement may later be reused by third parties for audience profiling, without the user’s awareness and often without the brand’s visibility.

TCE: How can brands bridge the gap between regulatory intent and real-world implementation of privacy rules?

Gupta: Brands need to shift from document-based compliance to behaviour-based verification. This means auditing live campaigns, tracking actual data access, and continuously validating that data usage aligns with both consent terms and declared purposes. For instance, in quick-commerce or hyperlocal advertising, sensitive data like precise pin codes can be captured through data layers or partner integrations without the brand’s direct knowledge. Only runtime monitoring can surface such risks and align real-world execution with regulatory intent.

TCE: What strategies or tools can brands use to identify unauthorized data access within complex digital ecosystems?

Gupta: Effective control requires continuous, not one-time, oversight. Key strategies include independent runtime audits, continuous monitoring of data calls, partner-level risk scoring, and full data-journey mapping across platforms and vendors. Rather than relying solely on contractual assurances or annual audits, brands need ongoing visibility into how data is accessed and shared, especially as campaign structures, vendors, and technologies change rapidly.

TCE: How does excessive tracking or shadow profiling affect consumers’ privacy and trust in digital services?

Gupta: Consumers are becoming increasingly aware of how their data is used, and excessive or opaque tracking creates a perception of surveillance rather than value exchange. When users feel they have lost control over their personal information, trust declines, not only in platforms, but also in the brands advertising on them. For example, when consumers receive hyper-local ads on social media for products they were discussing offline, they often perceive it as continuous tracking, even if the data correlation occurred through indirect signals. This perception alone can damage brand credibility and long-term loyalty.

TCE: In your view, what will become the most critical privacy controls for organizations in the next 2–3 years? What practical steps can organizations take today?

Gupta: The most critical controls will be data-flow transparency, strict enforcement of purpose limitation, and continuous partner accountability. Organizations will be expected to prove where data goes, why it goes there, and whether that usage aligns with user consent and regulatory expectations. Privacy will increasingly be measured by operational evidence, not policy declarations. Practically, brands should start by independently auditing all live trackers and data endpoints, not just approved vendors. Privacy indicators should be reviewed alongside media and performance KPIs, and verification must be continuous rather than episodic. Most importantly, privacy must be treated as part of the brand’s trust infrastructure, not merely as a compliance checklist. Brands that invest in transparency and control today will be far better positioned as regulations tighten and consumer expectations continue to rise.

Firewall Daily

Two cybersecurity experts arrested during a sanctioned security assessment at the Dallas County Courthouse have reached a $600,000 settlement with Dallas County, Iowa, and its former sheriff, closing a legal dispute that lasted more than five years. The case has become a reference point in discussions of how law enforcement and public institutions handle legitimate cybersecurity operations.

In September 2019, Gary DeMercurio and Justin Wynn, then employees of cybersecurity firm Coalfire, were contracted by the Iowa Judicial Branch to conduct security testing at multiple state facilities. The scope included evaluating physical access controls at the Dallas County Courthouse in Adel, Iowa.

On arrival, the testers found the courthouse’s front door unlocked. To assess the alarm system and response procedures, they closed the door to arm the alarm and then reopened it using a plastic cutting board, an accepted physical penetration testing technique, triggering the alarm as intended under the contract.

Cybersecurity Experts Arrested: Law Enforcement Response

Officers from the Adel Police Department and the Dallas County Sheriff’s Office responded within minutes. Body camera footage shows Wynn explaining the situation and presenting official authorization documents. “What are you doing in our courthouse with the alarm going off, sir? The state testing security hires us. Here’s our paperwork, here’s our IDs, go ahead and run us, we’ll just hang out,” Wynn said.

Despite the documentation, the situation escalated after former Sheriff Chad Leonard arrived. “Well, yeah, they’re going to jail,” Leonard said, according to body camera footage.

The two were handcuffed, arrested, and booked into the Dallas County jail, where they were held for nearly 20 hours. All charges were later dropped.

Professional and Personal Impact

Although no criminal charges remained, the arrest had lasting consequences. Publicly released mug shots affected professional credibility and employment opportunities. “You see somebody in a mug shot, dude’s guilty,” Wynn said. “That has lasted with us in our personal lives and professional opportunities.”

The incident ultimately led DeMercurio and Wynn to leave their employer and later form Kaiju Security, rebuilding their careers independently.

Settlement Reached After Five Years

This week, the parties reached a $600,000 settlement, formally resolving the civil case. DeMercurio said the outcome affirmed their original position: “We told you from the get-go that we didn’t do anything wrong.”

Both men stressed that the case highlights systemic misunderstandings around cybersecurity testing in public institutions. “If Iowa doesn’t revisit how it handles this, it’s going to remain vulnerable,” one said.

The situation underscores the risk of discouraging legitimate security assessments at a time when public-sector systems face cyber threats.

County Position Going Forward

Dallas County Attorney Matt Schultz issued a firm statement following the settlement: “I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law.”

The Dallas County case illustrates the consequences of misaligned expectations between cybersecurity professionals and law enforcement. As governments rely more heavily on penetration testing to secure critical infrastructure, the arrest of authorized testers remains a direct example of how procedural failures, such as a test authorization that never reached the responding agencies, can undermine broader cybersecurity goals.

image for CNIL Fine on France  ...

 Cyber News

On January 22, 2026, France’s data protection authority, the CNIL, imposed a €5 million fine on France Travail (formerly Pôle Emploi) for failing to properly secure the personal data of job seekers. The CNIL fine on France Travail highlights growing regulatory pressure across Europe to strengthen GDPR data security measures, especially when sensitive public-sector systems are involved. The decision follows a major cyberattack in early 2024 that exposed personal information linked to millions of individuals registered with France’s national employment services over the last two decades.

CNIL Fine on France Travail After Major Job Seekers’ Data Breach

The CNIL fine on France Travail comes after hackers infiltrated the organisation’s information system during the first quarter of 2024. According to investigators, the attackers relied on social engineering, a method that exploits human trust and behaviour rather than purely technical vulnerabilities. Using these tactics, the hackers hijacked the accounts of advisers working with CAP EMPLOI, the organisations responsible for supporting employment access for people with disabilities. Because those adviser accounts were trusted by France Travail’s systems, the compromise gave the attackers entry into France Travail’s broader digital environment.

Hackers Accessed 20 Years of Personal Data

Investigations confirmed that the attackers accessed data relating to all individuals currently registered, or previously registered, with France Travail over the past 20 years, as well as individuals holding candidate accounts on the official francetravail.fr platform. The compromised information included social security numbers, email addresses, postal addresses and telephone numbers.

While the hackers did not access complete job seeker files, which may contain health-related information, the CNIL still considered the exposed dataset highly sensitive given its scale and the nature of the identifiers involved. The breach affected an extremely large portion of the French population, making it one of the most significant recent incidents involving a public institution.

GDPR Article 32 and Failure to Ensure Data Security

The CNIL’s decision focuses on the failure to ensure the security of the personal data processed, a requirement under Article 32 of the GDPR. Under GDPR data security rules, organisations must implement technical and organisational measures appropriate to the risks involved. The CNIL concluded that France Travail’s safeguards were inadequate and that, had they been properly applied, they would have made the attack harder to carry out. The restricted committee identified several key weaknesses.

Weak Authentication and Poor Monitoring Measures

One of the main concerns was the lack of authentication procedures for CAP EMPLOI advisers accessing the France Travail system. Weak access controls made it easier for the attackers to take over adviser accounts and move through the network. The CNIL also highlighted insufficient logging and monitoring capabilities, which reduced the organisation’s ability to detect abnormal or suspicious activity early.

Additionally, CAP EMPLOI adviser permissions were defined too broadly: advisers could access data on individuals they were not directly supporting, so a single compromised account exposed far more records than that adviser’s own caseload. This overexposure amplified the scale of the breach.

Security Measures Were Identified but Not Implemented

In determining the sanction, the restricted committee noted that many appropriate security measures had already been identified by France Travail in earlier impact assessments, but were not actually implemented before the processing began. This gap between awareness and execution played an important role in the CNIL’s decision to impose a multi-million-euro penalty. As regulators increasingly stress proactive security compliance, failure to act on known risks is being treated as a serious breach of responsibility.

Beyond the financial penalty, the CNIL has ordered France Travail to justify the corrective measures taken, along with a precise implementation schedule. If the organisation fails to meet these requirements, it will face an additional penalty of €5,000 per day of delay, increasing the pressure to demonstrate meaningful improvements quickly.

Why the CNIL Fine on France Travail Is Not Based on Turnover

France Travail is a national public administrative institution funded mainly through social security contributions rather than commercial revenue. As a result, the CNIL explained that the fine is not based on turnover but falls under the GDPR framework for public-sector bodies, with a maximum of €10 million for a data security breach.

“All fines imposed by the CNIL, whether they concern private or public actors, are collected by the Treasury and paid into the State budget.”

CNIL’s Role for Individuals Affected

The CNIL reminded the public that it serves as France’s personal data regulator, responding to requests and complaints from both individuals and professionals. Anyone can lodge a complaint with the CNIL when facing difficulties exercising their rights or when reporting violations of personal data protection rules. The authority can investigate organisations and issue sanctions where necessary. However, the CNIL does not have the power to compensate affected individuals directly; those seeking compensation may file a complaint with the police.

The France Travail data breach and the subsequent CNIL sanction underline the importance of strong cybersecurity practices, especially for institutions handling large-scale citizen data. With regulators enforcing GDPR obligations more strictly, public bodies and private organisations alike are being reminded that data security is no longer optional: it is a legal and operational necessity.
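As an added illustration, and not code from France Travail, CAP EMPLOI or the CNIL decision, the following Python models the two controls the CNIL found missing in the breach described above: caseload-scoped authorisation for adviser accounts, and an audit log that monitoring can run over to flag a hijacked account. Every identifier, record layout and threshold here is hypothetical and constructed for the example.

```python
"""Caseload-scoped access control and audit-log monitoring (illustrative).

Hypothetical model of two controls the CNIL said were missing: per-adviser
scoping of job-seeker records and logging/monitoring able to surface a
hijacked account. Names, record layout and thresholds are invented for the
example; this is not code from France Travail, CAP EMPLOI or the CNIL.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Adviser:
    adviser_id: str
    agency: str            # hypothetical agency label
    caseload: frozenset    # job-seeker ids this adviser actually supports


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, adviser_id, seeker_id, allowed, reason):
        self.entries.append((adviser_id, seeker_id, allowed, reason))


class JobSeekerStore:
    def __init__(self, records, log):
        self._records = records
        self._log = log

    def lookup_unscoped(self, adviser, seeker_id):
        """Weak design: any authenticated adviser may read any record."""
        self._log.record(adviser.adviser_id, seeker_id, True, "unscoped")
        return self._records.get(seeker_id)

    def lookup_scoped(self, adviser, seeker_id):
        """Least-privilege design: deny by default unless the job seeker is in
        the adviser's caseload, and log every decision either way."""
        if seeker_id not in adviser.caseload:
            self._log.record(adviser.adviser_id, seeker_id, False, "out-of-caseload")
            return None
        self._log.record(adviser.adviser_id, seeker_id, True, "in-caseload")
        return self._records.get(seeker_id)


def flag_abnormal_advisers(log, denied_threshold=3, read_threshold=50):
    """Monitoring over the audit log: flag advisers with repeated out-of-scope
    denials or bulk reads. Thresholds are illustrative, not tuned."""
    reads, denied = Counter(), Counter()
    for adviser_id, _seeker_id, allowed, _reason in log.entries:
        counter = reads if allowed else denied
        counter[adviser_id] += 1
    flagged = {}
    for adviser_id in set(reads) | set(denied):
        reasons = []
        if denied[adviser_id] >= denied_threshold:
            reasons.append(f"{denied[adviser_id]} out-of-caseload denials")
        if reads[adviser_id] >= read_threshold:
            reasons.append(f"{reads[adviser_id]} records read")
        if reasons:
            flagged[adviser_id] = reasons
    return flagged


def simulate_hijacked_account():
    """Same attacker behaviour (dump every record) against both designs."""
    # Constructed sample data: 200 synthetic job seekers with fake identifiers.
    records = {f"JS-{i:04d}": {"name": f"seeker-{i}", "ssn": f"FAKE{i:09d}"}
               for i in range(200)}
    honest = Adviser("adv-A02", "agency-A", frozenset({"JS-0001", "JS-0002"}))
    hijacked = Adviser("adv-B17", "agency-B", frozenset({"JS-0100"}))

    weak_log = AccessLog()
    weak_store = JobSeekerStore(records, weak_log)
    exposed_weak = sum(weak_store.lookup_unscoped(hijacked, s) is not None
                       for s in records)

    scoped_log = AccessLog()
    scoped_store = JobSeekerStore(records, scoped_log)
    scoped_store.lookup_scoped(honest, "JS-0001")      # normal in-scope read
    exposed_scoped = sum(scoped_store.lookup_scoped(hijacked, s) is not None
                         for s in records)

    return {
        "exposed_weak": exposed_weak,          # 200: the whole store leaks
        "exposed_scoped": exposed_scoped,      # 1: only the adviser's own case
        "flagged_scoped": flag_abnormal_advisers(scoped_log),
        "flagged_weak": flag_abnormal_advisers(weak_log),
    }


if __name__ == "__main__":
    for key, value in simulate_hijacked_account().items():
        print(f"{key}: {value}")
```

The unscoped lookup is the weak design: one hijacked adviser account reads all 200 sample records. The scoped lookup returns only the adviser's own caseload and writes a denial for every out-of-scope attempt, so a simple threshold over the log flags the account after a handful of requests. Running the same detector over the unscoped log shows that even without scoping, logging alone would have surfaced the bulk read, which is the monitoring gap the CNIL called out.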

 Feed

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog. The critical-severity vulnerabilities are listed below - CVE-2026-1281 (CVSS score:

 Feed

A former Google engineer accused of stealing thousands of the company's confidential documents to build a startup in China has been convicted in the U.S., the Department of Justice (DoJ) announced Thursday. Linwei Ding (aka Leon Ding), 38, was convicted by a federal jury on seven counts of economic espionage and seven counts of theft of trade secrets for taking over 2,000 documents containing

 Feed

SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API

 Feed

Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens. One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome

 Feed

Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026. The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently

 Feed

Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape? Introduction: One view on the scattered fight against cybercrime The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly
