OpenAI's new report warns hackers are combining multiple AI tools for cyberattacks, scams, and influence ops linked to China, Russia, and North Korea.

OpenAI’s latest “Disrupting Malicious Uses of AI” report shows that hackers and influence operators are moving toward a more organised use of artificial intelligence (**AI**). The findings reveal that adversaries are spreading their operations across multiple AI systems, for instance, using **ChatGPT** for reconnaissance and planning, while relying on other models for execution and automation.

The company noted that attackers haven’t changed their methods but have simply added AI to make their existing tactics faster and more efficient, whether that’s writing malware, refining phishing lures, or managing online scams.

While malicious AI tools such as **WormGPT and FraudGPT** are already known, **new ones** are now surfacing. SpamGPT helps cybercriminals bypass email security filters with targeted spam, while MatrixPDF turns ordinary PDF files into malware.

It is worth noting that this latest report comes four months after OpenAI’s **earlier publication**, which revealed that the company had shut down ten malicious AI operations linked to China, Russia, Iran, and North Korea, where adversaries heavily misused ChatGPT for malicious purposes.

****Russian, Korean and Chinese Operators Using AI for Targeted Attacks****

In one instance, Russian-speaking actors used ChatGPT to write and refine code for remote-access tools and **credential stealers**. The model refused direct malicious prompts, but the users extracted functional snippets to later assemble their tools elsewhere. OpenAI found no indication that these interactions gave the hackers capabilities they couldn’t already find through open-source code.

Korean-language operators used ChatGPT to assist with code debugging, credential theft routines, and phishing messages **related to cryptocurrency**. Each account handled specific technical tasks, such as browser extension conversion or VPN configuration, showing structured workflows similar to corporate development teams.

Chinese-language operators went further, asking the model to generate phishing content in multiple languages and help with malware debugging. Their activity coincided with campaigns reported by **Volexity** and **Proofpoint** that targeted academia, think tanks, and the semiconductor sector. According to OpenAI, these users aimed to increase efficiency rather than develop new attack methods.

****Organised Crime and Scam Operations****

The **report** also shows how AI is being exploited in established scam networks. Operations traced to Cambodia, Myanmar, and Nigeria used ChatGPT to translate messages, write fake investment pitches, and manage day-to-day logistics within “large-scale scam centers.”

In one example, scammers posed as financial advisors running fake trading groups on WhatsApp. They generated all the chat content with AI to make conversations seem authentic and convincing. Another network used ChatGPT to design fake online investment firm profiles, complete with fabricated employee biographies.

Interestingly, OpenAI found that ChatGPT is being used to detect scams about three times more often than it is used to create them, as people turn to the model to verify suspicious messages.

****State-Linked Abuses of AI****

OpenAI also reported accounts linked to Chinese government entities using ChatGPT to draft proposals for large-scale social media monitoring systems. One user requested help outlining a “High-Risk Uyghur-Related Inflow Warning Model,” which aimed to track individuals through travel and police data.

Other users focused on profiling and information gathering, asking ChatGPT to summarise posts by activists or identify petition organisers. The company said its models returned only public data, but the intent behind these requests raised concerns about surveillance-related use.

****Influence Operations in Russia and China****

The Russia-origin “Stop News” operation, previously disrupted by OpenAI and other tech firms, resurfaced using AI to write video scripts and promotional text. These were translated and turned into short videos shared on YouTube and TikTok, praising Russia and criticising Western nations. Although the campaign produced a steady stream of content, engagement remained low.

A separate operation, “Nine emdash Line,” appeared linked to China and focused on regional disputes in the **South China Sea**. The group generated English and Cantonese social media posts criticising the Philippines, Vietnam, and Hong Kong democracy activists. They also sought advice on boosting engagement through TikTok challenges and hashtags. Most of their posts gained little attention before the accounts were suspended.

****Expert Perspective****

“For the average reader, this might sound like a not particularly surprising trend. AI is being used in everything from generating cool chilli recipes to college essays, so why wouldn’t it be writing the code and other exploits needed for cyberattacks?” said **Evan Powell**, CEO of DeepTempo.

“What most may not realise is that cybersecurity defences are uniquely vulnerable to AI-powered attacks. Today’s defences are almost entirely based on static rules: if you see A and B while C, then that’s an attack and take action. Today’s AI attackers train their systems to avoid these fixed pattern detections, which allows them to slip into enterprises and government systems at an increasing rate,” he explained.

He added that attackers are now using AI not only to build tools but also to plan campaigns. “These types of campaigns, which combine detailed research, customised attacks, and repeated attempts to gain access, used to require expertise, patience, and a large team. Today, AI boosts the productivity of attackers, enabling even one person to carry out operations that once required a well-funded organisation or nation-state. The implications are terrifying.”

1.  **ShadowLeak Exploit Exposed Gmail Data via ChatGPT Agent**
2.  **Savvy Seahorse Using Fake ChatGPT in DNS Investment Scam**
3.  **Leaked ChatGPT Chats: Users Treat AI as Therapist, Lawyer, Confidant**
4.  **LegalPwn Tricks GenAI Tools Into Misclassifying Malware as Safe Code**
5.  **Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos**

OpenAI Finds Growing Exploitation of AI Tools by Foreign Threat Groups

Researchers warn of Shuyal Stealer, malware that gathers browser logins, system details, and Discord tokens, then erases evidence via Telegram.

Cybersecurity researchers at Point Wild’s Lat61 Threat Intelligence Team have found a new infostealer called Shuyal Stealer, a malware strain designed to steal login credentials from not one or two, but 17 different web browsers.

****How Shuyal Stealer Profiles and Exploits Systems****

Shuyal Stealer is also capable of profiling targeted machines in depth, collecting information about disks, input devices and display setups by using Windows Management Instrumentation commands. That kind of device mapping gives attackers a clear picture of a victim’s system, which can be used for targeted **identity theft** or other follow-on attacks.

The malware also captures contextual data that many infostealers ignore. It takes screenshots, records clipboard contents and extracts **Discord** authentication tokens. These capabilities let attackers have real context into what the victim is doing on their device, which can turn a straightforward password stealing into a complete account takeover and know more about the victim’s online activities than other malware would.

****Data Exfiltration and Persistence Methods****

According to the Lat61 **blog post** shared with HackRead.com, the malware compresses the collected files with PowerShell and sends them through a hardcoded **Telegram bot**. Researchers found a specific bot token and chat ID used to deliver the archive directly to the attacker’s account. After the transfer completes, Shuyal deletes the archive and clears traces to complicate forensic work.

Shuyal quietly copies its executable into the Windows Startup folder using the CopyFileA API. It also shuts down Task Manager processes and modifies the registry to disable Task Manager entirely, preventing users from spotting or stopping it.

Infection chain flow (Via Point Wild)

****Browser Targeting and Data Theft****

When analysing how it steals data, Point Wild’s researchers noted Shuyal’s efficiency. It specifically looks for the “Login Data” file found in browser directories, running a SQL query to extract URLs, usernames, and encrypted passwords.

Each stolen session or token is saved locally and then zipped for exfiltration. Files such as tokens.txt, clipboard.txt and ss.png document different parts of the victim’s digital life, from saved passwords to copied text and active windows. The malware keeps a history.txt log of which browsers and apps it scanned. Here is the list of targeted browsers:

1.  Tor
2.  Edge
3.  Epic
4.  Brave
5.  Opera
6.  Vivaldi
7.  Coc Coc
8.  Maxthon
9.  Chromium
10.  Waterfox
11.  Comodo
12.  Slimjet
13.  Yandex
14.  Falkon
15.  Chrome
16.  Opera GX
17.  360 Browser

****Self-Deletion, Expert Insight and Mitigation****

After exfiltration finishes, Shuyal runs a self-deletion routine. It launches a batch script named util.bat that removes the archive and related files, making incident response and attribution harder.

**Dr Zulfikar Ramzan**, CTO of Point Wild and head of the Lat61 Threat Intelligence Team, summarised the threat as a powerful infostealer that targets many browsers, disables Task Manager and quietly sends harvested data over Telegram, then removes its traces.

“Shuyal is an infostealer extraordinaire, built for breadth and stealth. It raids credentials from browsers, kills the Windows Task Manager, and quietly exfiltrates data over Telegram. It’s a smash-and-grab, then vanishes,” he said.

Unlike other infostealers, Shuyal Stealer is both a privacy and security risk because it takes credentials plus contextual data that help attackers turn stolen secrets into account takeovers. Its combination of system profiling, wide browser coverage and clean-up process places it among the more capable infostealers active today.

If you suspect an infection, Point Wild advises rebooting into Safe Mode with Networking and scanning with a **reliable antivirus**. The malware is detected as Trojan.W64.100925.Shuyal.YR.

New Shuyal Stealer Targets 17 Web Browsers for Login Data and Discord Tokens

Critical Redis flaw RediShell (CVE-2025-49844) exposes 60,000 servers to remote code execution. Patch immediately to prevent full system compromise.

A new vulnerability in **Redis**, now known as RediShell (CVE-2025-49844), has put tens of thousands of servers at risk of remote compromise. The flaw, rated with a maximum CVSS score of 10.0, has existed unnoticed in Redis code for over a decade and is now being called one of the most serious issues ever found in the open-source database.

The issue lies in a use-after-free bug in Redis’s Lua interpreter, which can be exploited through a malicious Lua script. Attackers can escape the interpreter’s sandbox and run arbitrary code on the host system. This level of access can allow theft of data, installation of malware, or the use of compromised servers for additional attacks.

Cybersecurity researchers from Wiz, who found the issue, estimate that about 330,000 Redis instances are currently exposed to the internet, with roughly 60,000 running without any authentication. Redis is commonly used in cloud environments for caching and session management, which means the reach of this vulnerability is far greater than typical software bugs.

The Redis team responded quickly, releasing a patched version and a security advisory on October 3. Wiz researchers had privately reported the issue in May after identifying it during **Pwn2Own Berlin**. The disclosure process was handled collaboratively, with Redis engineers coordinating fixes before public release.

The risk varies depending on how Redis is deployed. Instances exposed directly to the internet without authentication face the highest danger. In those setups, anyone could connect and run Lua scripts remotely, which provides a direct path for exploitation.

Even within internal networks, the bug poses significant exposure if authentication is weak or absent, as attackers already inside a corporate environment could exploit it for lateral movement.

Wiz’s **analysis** shared with Hackrad.com found that 57% of Redis deployments in cloud environments run as container images. Many of these containers are deployed without proper access controls or configuration checks, making them particularly vulnerable.

If exploited, an attacker could send a crafted Lua script to trigger the memory corruption, escape the sandbox, and establish full control over the host. Once inside, they could exfiltrate credentials, install miners or backdoors, and use stolen tokens to move across connected cloud systems.

Researchers are urging all Redis users to upgrade to the **latest version** and verify their configurations. Enabling authentication, disabling Lua scripting when not needed, restricting network access, and running Redis under a non-root account are key mitigation steps. Logging and monitoring should also be turned on to detect unusual activity.

“This newly disclosed Redis vulnerability is a reminder that technical debt doesn’t just live in code; it lives in configuration. Thirteen years of latent risk surfaced because default settings and weak segmentation went unobserved,” said **Anders Askasen**, VP of Product Marketing at Radiant Logic.

When foundational services like Redis run unauthenticated or exposed, they create invisible attack paths that can pivot directly into identity and access systems,” he added. “The answer isn’t just patching faster but seeing sooner. Identity observability provides the real-time visibility, control, validation, and remediation needed to uncover these blind spots before attackers do.”

The RediShell vulnerability shows how much modern infrastructure depends on open-source software and how old code can carry hidden risks for years. Redis is used by more than three-quarters of cloud environments, so patching and tightening security configurations should be treated as an immediate priority.

13-Year-Old RediShell Vulnerability Puts 60,000 Redis Servers at Risk

Latest reports suggest the critical GoAnywhere MFT vulnerability (CVE-2025-10035, CVSS 10.0) is actively exploited by the Medusa ransomware gang for unauthenticated RCE. Patch immediately.

A CVSS 10.0 deserialization vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution is now being actively exploited by the Medusa ransomware group, according to a latest update from Microsoft.

The flaw, reported on September 25 by Hackread.com, is a dangerous deserialization vulnerability residing in the MFT’s License Servlet. This allows an attacker to achieve unauthenticated Remote Code Execution (RCE) and full system takeover.

By forging a license response signature, an attacker can bypass security checks, forcing the software to execute malicious code. This high-risk RCE capability makes all internet-exposed GoAnywhere instances highly vulnerable.

****The Exploitation Timeline and Independent Confirmation****

Although Fortra published an alert and patch on September 18, 2025, security researchers from watchTowr Labs found exploitation activity dating back to September 10, 2025, eight days before Fortra’s public advisory.

Detailed post-exploitation analysis from watchTowr Labs shows a consistent pattern: After achieving RCE, attackers established persistence by creating a covert administrative account named ‘admin-go’.

They then moved laterally by dropping binaries for legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and MeshAgent. The watchTowr team also suggested that Fortra’s advisory section on “Am I Impacted?” was a veiled method to share signs of compromise without fully admitting to the in-the-wild exploitation.

****Medusa Ransomware Confirmed****

The risk escalated significantly with an October 6, 2025, update from Microsoft Threat Intelligence. Microsoft confirmed that a cybercriminal group they track as Storm-1175, a known affiliate of Medusa ransomware, was observed actively targeting organisations starting on September 11, 2025.

In detailing this multi-stage attack, Microsoft confirmed the vulnerability exploitation led to command injection, system discovery, the use of RMM tools for persistent access, and ultimately, the successful deployment of Medusa ransomware in at least one compromised environment. Attackers were also observed using data transfer tools like Rclone for data exfiltration and setting up Cloudflare tunnels for secure Command and Control (C2).

“Just weeks after we confirmed evidence of in-the-wild exploitation of CVE-2025-10035, Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared,” said watchTowr CEO and Founder, Benjamin Harris. Harris stressed that organisations using GoAnywhere MFT “have effectively been under silent assault since at least September 11, with little clarity from Fortra.”

****Immediate Action Required****

Fortra has urgently advised customers to upgrade to the patched versions: version 7.8.4 or the Sustain Release 7.6.3. The vulnerability’s severe nature has led to its addition to the CISA Known Exploited Vulnerabilities (KEV) Catalogue.

All organisations with exposed systems must apply the patch immediately to prevent future attacks. Given the confirmed exploitation activity, a full forensic review is necessary for systems that were exposed to determine if an initial compromise occurred before the update was applied.

Medusa Ransomware Exploiting GoAnywhere MFT Flaw, Confirms Microsoft

Raleigh, United States, 7th October 2025, CyberNewsWire

**Raleigh, United States, October 7th, 2025, CyberNewsWire**

****Report Shows Cross-Training as Strategic Solution to Operational Friction Between Networking and Cybersecurity Teams** **

INE Security, a leading provider of cybersecurity training and certifications, today announced the results of a global study examining the convergence of networking and cybersecurity disciplines. “Wired Together: The Case for Cross-Training in Networking and Cybersecurity” is based on insights from nearly 1,000 IT and cybersecurity professionals worldwide. The report documents operational challenges created by this convergence and presents cross-training as the strategic solution.

> “Our research reveals that while three-quarters of professionals recognize networking and cybersecurity as integrated disciplines, the majority still struggle with daily operational friction between these teams,” said Lindsey Rinehart, CEO of INE Security. “Organizations with high levels of security and IT complexity face breach costs averaging $1.2 million higher than those with streamlined, integrated environments. This isn’t just about future preparedness—it’s about solving problems that are costing organizations money today.”

The report reveals that only 33% of professionals feel “very well” or “extremely well” prepared to handle the intersection of networking and cybersecurity, while 41% report being only “moderately well” prepared. This preparedness gap creates significant operational challenges but also presents strategic opportunities for organizations that invest in cross-domain expertise.

> “Cross-trained professionals don’t just respond to incidents faster—they prevent the implement-break-fix cycles that plague most organizations,” Rinehart added. “When teams understand both networking and security domains, projects deploy successfully the first time, emergency rollbacks become rare, and operational costs decrease substantially.”

****Key findings from the report include:****

*   **Integration Reality**: 75% of respondents view networking and cybersecurity as either “completely integrated” (29%) or “highly interconnected” (46%), with only 7% still viewing them as separate disciplines.
*   **Preparedness Gap**: Only 33% feel well-prepared to handle networking-cybersecurity intersection, creating operational vulnerabilities and increased costs.
*   **Collaboration Challenges**: While 37% collaborate with counterparts “most of the time” or “always,” 34% collaborate only “sometimes,” and 23% work together “about half the time.”
*   **Critical Friction Points**: Nearly one in five professionals (18%) identified knowledge gaps as their primary challenge, while organizational misalignment affects nearly a quarter of respondents.
*   **Convergence Drivers**: 77% cite growing cyber threat complexity as the primary convergence driver, with widespread cloud adoption, remote work, and IoT device proliferation accelerating integration.
*   **Six Critical Overlap Areas**: Network monitoring, security monitoring, firewalls, configuration management, detection, and access control represent the most significant convergence points where cross-training delivers immediate benefits.

****INE Security’s recommendations for organizations include:****

*   **Four-Step Cross-Training Implementation**: Conduct skill assessments, deploy varied training methodologies, measure impact and ROI, and scale successful programs
*   **Enhanced Threat Detection**: Develop comprehensive visibility across network architecture and security implications to reduce incident response times
*   **Operational Excellence**: Streamline workflows to reduce handoffs between specialized teams and eliminate failed implementations
*   **Cost Optimization**: Reduce downtime costs (averaging $5,600 per minute) through improved incident response and integrated operations

The report emphasizes that successful cross-training transforms organizational culture by creating common language between teams, enabling balanced decision-making, streamlining operations, and improving talent retention through reduced workplace friction.

> “Breaking down security silos and fostering cross-team cooperation is essential for responding to the accelerating pace of cyber threats,” Rinehart concluded. “Organizations that invest in developing professionals who can speak both languages will gain measurable advantages in threat detection, operational efficiency, and business resilience.”

The full report is available for download at learn.ine.com/report/wired-together.

**About INE Security:**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s cybersecurity certifications are requested by HR departments worldwide, and its suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Chief Marketing Officer**  
**Kim Lucht**  
**INE Security**  
**\[email protected\]**

INE Security Releases Industry Benchmark Report: “Wired Together: The Case for Cross-Training in Networking and Cybersecurity”

Security researchers at UC Irvine reveal the 'Mic-E-Mouse' attack, showing how high-DPI optical sensors in modern mice can detect desk vibrations and reconstruct user speech with high accuracy. Learn how this side-channel vulnerability affects your privacy.

A team of researchers from the University of California, Irvine, has discovered a security risk right on your desk. It turns out that your high-performance computer mouse, an item you probably trust completely, can be turned into a hidden listening device. This new type of attack is called Mic-E-Mouse, and it has the potential to change our understanding of what computer privacy means.

The idea, which the researchers described as “our computer mouse has big ears” and published on their official Google research site, is an interesting one. It focuses on the highly sensitive optical sensors found in modern gaming and professional mice.

These sensors, which track movement with extreme accuracy (sometimes 20,000 DPI (Dots Per Inch) or even higher), are sensitive enough to detect minute vibrations caused by sound waves travelling through your desk.

Basically, your conversation causes your desk surface to shake just a little bit, and the mouse sensor picks up those tiny tremors. This vulnerability is formally known as a side-channel attack, which means it secretly gathers information through an unintended pathway, in this case, the mouse’s movement data.

****Turning Vibrations into Voice****

A study (PDF) posted on arXiv on 16 September 2025 by Habib Fakih, Rahul Dharmaji, Youssef Mahmoud, Halima Bouzidi, and Mohammad Abdullah Al Faruque from the Department of Electrical Engineering and Computer Science, University of California, Irvine, explains how the researchers created a process that converts raw, seemingly random mouse movement data into clear audio signals.

The raw data is initially messy and incomplete, a problem the researchers solved with a multi-step “pipeline” that uses advanced signal processing and machine learning. This process filters out noise and pieces together the actual speech.

The team’s experiments showed that they could significantly clean up the audio, achieving an increase of up to +19 dB in signal quality and a speech recognition accuracy between 42% and 61% on common speech datasets.

For your information, this attack does not require a complicated virus or deep system access. An attacker only needs a way to collect the mouse’s packet data, which could be done through common software like video games or creative applications that naturally demand high-speed mouse data.

The whole process of data collection is invisible to the average user because it only captures the device’s normal movement reporting, and all the audio reconstruction can happen remotely on the attacker’s own server.

The research team has demonstrated the attack with a video to encourage manufacturers to implement safeguards that can help prevent this unexpected privacy threat.

The implications of this eavesdropping can be extensive. This research shows that as devices become more advanced, the risk of them being misused also increases. Considering that these high-precision mice have become more common and less expensive, the number of potential targets from businesses to everyday homes will grow.

New Mic-E-Mouse Attack Shows Computer Mice Can Capture Conversations

ESET warns of fake Signal and ToTok apps spreading Android spyware in the UAE, stealing contacts, messages, and chat backups from users.

If you use messaging apps in the United Arab Emirates (**UAE**), cybersecurity researchers at ESET have identified two mobile spyware campaigns that trick users into installing fake versions of Signal and ToTok, then steal personal data, including contacts, messages, backups, files, and more from infected devices.

One malware strain, called, called ProSpy (Android/Spy.ProSpy), was offered as a fake Signal “encryption plugin” and as a ToTok Pro add-on. The other, ToSpy (Android/Spy.ToSpy), impersonates ToTok itself. Neither app appears in official app stores; victims have to manually install APK files from cloned websites or third-party pages designed to look like legitimate services.

Signal, as we know, is a popular encrypted messaging app. ToTok, on the other hand, has a controversial history. As **reported** by Hackread.com in December 2019, ToTok was a UAE-developed messaging app accused of spying on users in the country, which led Apple and Google to remove it from their stores. Today, the app is available only through unreliable third-party sources.

The malware scam is a perfect example of a **social engineering** attack using people’s trust in recognised brands, copying their logos, onboarding screens and store layouts. According to ESET’s long technical **blog post**, in some cases, the fake Signal app even changes its icon and name to look like Google Play Services after setup, which makes it harder for users to spot and remove.

Fake Signal and fake ToTok site (Image via ESET)

When the spyware runs, it asks for permissions that many apps legitimately need, like contacts and storage access. If granted, the spyware collects device details, SMS messages, contact lists, installed app lists, and files, including chat backups.

ToSpy was observed targeting ToTok backup files in particular, which suggests the attackers are interested in chat history. All collected data is encrypted with a hardcoded AES key, then sent to command and control servers.

ESET’s research shows that this is not a new operation. The company’s telemetry and domain data trace samples back as far as mid-2022, with ongoing activity and active C&C servers detected in 2025.

To reduce risk, users should stick to official app stores, avoid enabling installation from unknown sources, and keep Google Play Protect turned on if their device supports it. ESET has shared its findings with Google, and Play Protect now blocks known variants of these spyware families by default on Android devices with Google Play Services.

Spyware Disguised as Signal and ToTok Apps Targets UAE Android Users

Paris, France, 6th October 2025, CyberNewsWire

**Paris, France, October 6th, 2025, CyberNewsWire**

**Reemo continues its mission to secure enterprise remote access and becomes the first French cybersecurity provider to protect all remote access within a single platform.**

Reemo announces **Bastion+**, a next-generation bastion solution deployable without limits.

> “Companies don’t need another bastion. They need a global vision that remains simple and secure as infrastructure scales,” said Yann Fourré, co-founder of Reemo. “With Bastion+, each user only sees the authorized sites and resources upon connection, policies are applied everywhere in a uniform way, and the solution offers unlimited scalability.”

Designed for CISOs, Bastion+ unifies visibility and supervision of privileged access, consolidates logs and session recordings into a single console, and simplifies audit and compliance requirements.

> “Bastion+ is at the core of our mission to free companies from traditional remote access solutions, by opening up a world where security and performance coexist in perfect harmony,” added Bertrand Jeannet, CEO of Reemo.

**Why is this a first**

Bastion+ combines a global vision of privileged access with unlimited deployment scalability. Moreover, Bastion+ is natively integrated into the Reemo platform, which already offers, in a single interface, Remote Desktop, Remote Browser Isolation (RBI), third-party access security, and Restricted Information Systems (SI Diffusion Restreinte). With this full range of solutions, Reemo becomes the first French cybersecurity provider to secure all remote access within one unified platform.

**Availability**

Bastion+ is available starting today. Demonstrations available upon request.

Reemo Bastion+

**About Reemo**

Reemo is a sovereign cybersecurity platform that secures all enterprise remote access to critical resources, with no compromise on performance. From remote desktops (Remote Desktop) to virtualized environments (DaaS/VDI), to web and business applications (RBI, third-party access, legacy apps), and even the most sensitive environments (Restricted Information Systems and bastion)… Reemo provides unified, granular, and traceable access. The company is ISO 27001 and SOC 2 certified across all operations. Users can learn more about Reemo on https://reemo.io.

**Contact**

**Head of Marketing & Communications**  
**Florent Paret**  
**Reemo**  
**\[email protected\]**

Reemo Unveils Bastion+: A Scalable Solution for Global Privileged Access Management

A misconfigured database belonging to a pet insurance company, "Rainwalk Pet Insurance," exposed sensitive PII and veterinary claim data. The data exposure reveals new fraud tactics, including microchip and reimbursement scams.

A large amount of private data belonging to pet owners and their animals was left exposed after a database from Rainwalk Pet, a South Carolina-based firm, was found publicly accessible online.

Cybersecurity researcher **Jeremiah Fowler** discovered the misconfigured database and reported it to Website Planet, which verified the exposure. The open database reportedly contained sensitive customer information, though the full extent of the leak has not yet been confirmed.

The database, which was not password-protected or encrypted, reportedly exposed 158 GB of data containing around 85,361 files, including sensitive records such as pet insurance claims and veterinary bills.

For customers, the breach exposed names, phone numbers, physical and email addresses, and even partial credit card numbers. Details about the pets were also included, such as their names, breeds, medical history, and microchip numbers. Here are some screenshots of exposed data shared by the researcher:

Fowler immediately sent a disclosure notice to Rainwalk, but the database remained accessible for almost a month before it was secured. It remains unclear how long the data was exposed or if a third party with malicious intent accessed it. The **research** detailing this exposure was shared with Hackread.com.

****The Financial Threat****

The combination of pet and owner data creates serious privacy and financial risks. Unlike human health records, there are no direct privacy laws, like **HIPAA**, for pet information. However, when pet details are connected to personal identifying information (PII), it becomes an attractive target for cyber criminals.

Recent research (**PDF**) shows that most cybercrimes are financially motivated. With veterinary bills sometimes reaching thousands of dollars, there is also risk for the company itself, which could face financial losses if criminals exploit the data to submit fraudulent insurance claims.

The exposure of microchip numbers adds another concern. As seen in previous incidents, thousands of **pet owners have already been targeted by scam emails** claiming their pet’s microchip needs to be “renewed” for a fee, even though microchips never expire.

****Staying Safe****

Another risk to owners involves how the company handles refunds. Fowler noted that some emails from customers suggested they could receive refunds via **Venmo** by sending their QR code to the company. This process could allow criminals to intercept payments by inserting their own information to steal a customer’s reimbursement money.

It is also common for scammers to exploit the emotional bond between owners and their animals to make their messages seem believable. They could send fake invoices that appear legitimate by referencing genuine claim amounts or dates.

To prevent such scams, Fowler advises pet insurance companies to secure data through encryption and proper access controls. For customers, he recommends verifying the identity of anyone claiming to represent the company and communicating only through official channels.

Rainwalk Pet Insurance Exposes 158 GB of US Customer and Pet Data

WatchTowr finds a serious flaw in Dell UnityVSA (CVE-2025-36604) letting attackers run commands without login. Dell issues patch 5.5.1 - update now.

Cybersecurity researchers at WatchTowr have published their analysis revealing a vulnerability in Dell UnityVSA, tracked as CVE-2025-36604. The flaw allows an attacker with no authentication to issue commands on the appliance, all by exploiting a flaw in the login redirection logic.

In simple terms, UnityVSA is Dell’s software version of its Unity storage system. Instead of running on dedicated hardware, it runs inside a virtual machine on hypervisors like VMware ESXi. Because storage systems are a prime target (they host critical data), any vulnerability here is especially sensitive.

****How the Attack Works****

The exploit originates from the way UnityVSA handles login redirect URIs. Under certain conditions, a user-controlled URI is inserted directly into a command execution string, without proper sanitisation.

When a request arrives without the expected authentication cookie, the system invokes a redirect to the login flow. That redirect logic funnels a raw URI into a function (getCASURL) where, if the “type” parameter equals “login,” the URI is concatenated into a command executed via Perl’s backtick operator.

In short, an attacker can embed shell metacharacters in that URI and cause arbitrary commands to run on the appliance. From there, they could alter configurations, access or destroy data, plant further scripts, or take full control.

****Scope, Risks, and Patch Status****

WatchTowr’s analysis indicates that multiple versions before 5.5.1 are vulnerable. Dell’s own advisory (DSA-2025-281) confirms that versions 5.5 and earlier are affected, and recommends upgrading to 5.5.1 or later.

Dell rates the issue as “High” severity (CVSS 7.3) for their internal advisory. Meanwhile, the NVD listing cites a vector that could drive it to “Critical” level (9.8) under an alternative assessment.

Dell’s advisory also mentions related issues such as XSS (CVE-2025-36605) and additional command injection risks in internal utilities, affecting unified platforms like Unity, UnityVSA, and Unity XT.

WatchTowr also released a short demonstration video alongside its “Detection Artefact Generator,” showing how the tool scans for and flags vulnerable UnityVSA instances. The generator helps security teams confirm whether their environments are exposed before or after applying the patch, making it easier to validate remediation efforts and maintain confidence that no unpatched systems remain online.

**What Organisations Should Do Immediately**

*   Check versions and note which ones run below 5.5.1.

*   Upgrade to version 5.5.1 as soon as possible. Dell has confirmed this version addresses CVE-2025-36604 along with other vulnerabilities.

*   WatchTowr has released a Detection Artefact Generator (Python script) that can test whether an instance is vulnerable.

*   Even after patching, check logs for unexpected redirect URIs, unusual shell executions, or other suspicious behaviour near web access points.

Source

HackRead