Google has fixed a vulnerability in its account recovery flow which could have allowed attackers to find linked phone numbers.

Google has fixed vulnerabilities that made it possible to retrieve the phone numbers of almost any Google user. The flaw was found in the flow that allows users to recover their Google account using a phone number.

A cybersecurity researcher called Brutecat was able to figure out the phone number linked to any Google account, information that is usually not public and is considered sensitive.

Brutecat found that the page where users can recover their Google account if they have forgotten their login details lacked BotGuard protection. BotGuard is a cloud-based cybersecurity solution designed to protect websites and web applications from malicious bots, automated attacks, crawlers, and scrapers.

However, BotGuard does not work on websites that do not use Javascript. This is because many of its advanced detection techniques rely on executing Javascript in the visitor’s browser to gather client-side data. If a website does not serve Javascript, or if a user or bot disables Javascript, BotGuard cannot collect the necessary information for fingerprinting or behavioral analysis.

Brutecat also had to use rotating IP addresses and a trick to bypass the occasional CAPTCHAs but was able to manage 40k requests per second. At that rate, if the attacker knew the country code of the phone number, it would take about 20 minutes in the US to find out the recovery phone number. In the UK that would come down to 4 minutes because they have shorter phone numbers.

For those doing the math and finding this is impossible, it’s important to know that Google displays the last two numbers of the phone number as a hint and Brutecat used Google’s own library ‘libphonenumber’ to generate valid number formats.

But the researcher also needed the full display name of a targeted account. The researcher discovered a method to leak Google account display names by exploiting a feature in Looker Studio (formerly Google Data Studio). The researcher made a report/document in Google’s Looker Studio tool. Then changed the document’s owner to the victim’s Google account (using the victim’s email address). After transferring ownership, the victim’s full name automatically appeared on the Looker Studio home page’s “Recent documents” list even if the victim never opened the document, interacted with it, or knew about it. The key to this was finding that Looker Studio’s interface still displayed names for document transfers without requiring any action from the victim, unlike other Google services that now require prior interaction.

Google spokesperson Kimberly Samra told TechCrunch:

> “This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Google also says it’s not aware of any confirmed reports about exploits of these vulnerabilities.

Nonetheless, a weakness allowing an attacker to trace phone numbers to Google accounts like this creates a massive risk for phishing and SIM-swapping attacks—especially since the majority of users will have their primary phone number as their account recovery number.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Google bug allowed phone number of almost any user to be discovered 

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities. When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. […]

**About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities.** When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode.

The impact of exploiting these vulnerabilities is identical: an attacker can gain SYSTEM privileges. Their CVSS vectors are also the same (Base Score: 7.8).

What’s the difference? Bug type: for CVE-2025-32701 it’s CWE-416: Use After Free, while for CVE-2025-32706 it’s CWE-20: Improper Input Validation. CVE-2025-32701 credits MSTIC, while CVE-2025-32706 credits Google TIG and CrowdStrike ART.

No public exploits or exploitation details yet. 🤷‍♂️ But these vulns are likely being used in ransomware attacks, just like the EoP in CLFS (CVE-2025-29824) from April MSPT. 😉

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

Google has stepped in to address a security flaw that could have made it possible to brute-force an account's recovery phone number, potentially exposing them to privacy and security risks.
The issue, according to Singaporean security researcher "brutecat," leverages an issue in the company's account recovery feature.
That said, exploiting the vulnerability hinges on several moving parts,

Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.

The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples’ personal information.

“I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.

In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.

“Essentially, it's bruting the number,” brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they’re after. Typically that’s in the context of finding someone’s password, but here brutecat is doing something similar to determine a Google user’s phone number.

Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said.

In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target’s Google display name. They find this by first transferring ownership of a document from Google’s Looker Studio product to the target, the video says. They say they modified the document’s name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.

“The victim isn’t notified at all :)” a caption in the video reads.

A Google spokesperson told 404 Media in a statement “This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.

Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim’s valuable accounts. This could include accounts that store cryptocurrency, or even more damaging, their email, which in turn could grant access to many other accounts.

On its website, the FBI recommends people do not publicly advertise their phone number for this reason. “Protect your personal and financial information. Don’t advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,” the site reads.

In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat’s write-up.

A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account

You don’t need a rogue employee to suffer a breach.
All it takes is a free trial that someone forgot to cancel. An AI-powered note-taker quietly syncing with your Google Drive. A personal Gmail account tied to a business-critical tool. That’s shadow IT. And today, it’s not just about unsanctioned apps, but also dormant accounts, unmanaged identities, over-permissioned SaaS

Think Your IdP or CASB Covers Shadow IT? These 5 Risks Prove Otherwise

It seems not a day goes by without news of another crypto scam targeting unsuspecting holders. Those owning…

It seems not a day goes by without news of another crypto scam targeting unsuspecting holders. Those owning popular cryptocurrencies like Bitcoin (BTC) and Litecoin (LTC) are also exposed to cyberattacks.

While Bitcoin is often referred to as the gold of crypto, Litecoin is considered its silver, valued for speed, lower fees, and practical use. But, in the end, both are targets of scams including phishing and malware attacks. In this article, we are discussing security for LTC wallets and protecting yourself from scams that have become nothing but sophisticated.

****Spotting Common Litecoin Scams****

Knowledge is your first line of protection against crypto fraud types because scammers aren’t getting any less creative. They exploit both the need for urgency in humans and security vulnerabilities in systems to separate you from your funds. Knowing how these scams work makes it easier to spot them, especially social engineering tricks common in crypto. The key rule is don’t just trust; verify. It’s one of the best ways to protect your Litecoin.

****Phishing and Malicious Links****

The most common type of crypto scam there is? Phishing attacks masquerading as legitimate emails, social media messages, or fake Litecoin websites. Scammers create spoofing attacks that look identical to trusted platforms, using subtle URL misspellings or deceptive subdomains to fool even careful users.

How to recognize phishing?

*   A link may look like a legitimate site but have a slightly different URL

*   The website requests sensitive data like private keys or seed phrases

How not to fall for email phishing crypto scams?

*   Double- and triple-check URLs before clicking anything

*   Remember: legitimate services never request your private keys or seed phrases

*   Open websites directly from bookmarks rather than clicking malicious links

****Fake Giveaways, Investment Scams, and Impersonation****

Scammers love exploiting Fear of Missing Out (FoMO) with Litecoin giveaway scams and crypto investment fraud. The classic “send LTC to receive more” scheme never gets old. Imposter scams often involve celebrities (from Charlie Lee to Elon Musk), exchanges, or support staff sliding into your DMs with unsolicited offers.

How to recognize these social media crypto scams?

*   You’re being asked to send crypto to “verify” your wallet

*   The persuasion comes from someone masquerading as a trusted party

*   Fake customer service accounts demand remote access or sensitive information

How to not fall for these schemes?

*   If an offer seems too good to be true, it probably is

*   Verify identities directly through official channels, not DMs

*   Take responsibility for your own choices, when things get sketchy, dip out

****Malware and Malicious Software****

Crypto malware are sophisticated that can steal your funds through keystroke logging, clipboard hijacking, or directly accessing wallet files. The worst part? They’re often disguised as legitimate wallet software, browser extensions, or crypto tools.

How to avoid wallet draining software?

*   Be extra cautious with unofficial apps or browser extensions

*   Only download from official sources and verify file authenticity

*   Keep an escape plan in mind if something feels off about new software

Even an apparently harmless download can contain a script that hijacks your transactions or drains your account entirely.

****What Can You Do to Safeguard Your LTC?****

Getting Litecoin is simple enough with a trustworthy provider such as ChangeHero, which has been around since 2017 and now supports 200+ coins and tokens in addition to Litecoin. With their crypto exchange with the lowest fees, getting your own LTC securely is easier than a walk in the park. Securing it, though, is a tad more complicated.

Protecting your Litecoin requires more than wishful thinking; you need battle-tested crypto protection tips that work. The best defence? Proactive measures rooted in solid Litecoin security best practices. This section arms you with actionable strategies to prevent crypto fraud, from hardware wallets to from hardware wallets to thinking critically online. Your online security is up to you, stay prepared and protect yourself from whatever scammers try next.

****Hardware Wallets and Authentication****

If you take your Litecoin holdings seriously, cold storage crypto through a hardware wallet is a must. Devices like Ledger and Trezor keep your private keys offline and away from internet vulnerabilities, making it nearly impossible for hackers to reach your funds remotely. And, it shouldn’t end with a hardware wallet. Strengthen your Litecoin security by using solid authentication methods:

*   **Strong, unique passwords**: Never reuse passwords across platforms. Each crypto-related account should have its own unique password.

*   **Enable 2FA crypto the right way**: Use authenticator apps like Google Authenticator or physical keys like YubiKey. SMS-based 2FA? Skip it: SIM-swapping attacks make it vulnerable.

*   **Secure your backup seeds**: Store them offline, never digitally. A piece of paper in a safe beats a screenshot on your phone every time.

****Keeping Software Updated****

Stay up to date with crypto security updates. Running outdated software increases the risk of attacks. Make sure your operating system, browser, and antivirus tools are regularly updated to patch known security issues.

Staying updated on software is just one part of the equation. Cybersecurity training and education against scams are keys to staying protected against new threats. Follow credible crypto news sources and security professionals, but always verify the information. Avoid click-driven content and cross-check facts before acting.

****What If It’s Too Late?****

Think you’ve been targeted by Litecoin fraud or a crypto hack? Time is critical. Acting quickly can help reduce the damage. The first rule is to stop all communication with the scammer immediately. Don’t engage, don’t negotiate, don’t try to outsmart them! Just cut contact to prevent further exposure.

Start by changing the passwords on all affected accounts, making sure each one is strong and unique. If your wallet has been compromised, transfer your funds to a new, secure wallet, preferably a hardware wallet.

Additionally, disconnect any devices you think may be infected to stop further malicious activity. Time is critical in these situations. The faster you respond, the better your chances of protecting what’s left and blocking further access.

****Report and Document****

Document everything, and we mean everything. Screenshots, transaction IDs, emails, messages, phone numbers, website URLs. This crypto scam evidence isn’t just for your records; it’s ammunition for investigators trying to track down these scammers.

Where to report crypto fraud:

*   Your exchange’s security team (they need to know ASAP)

*   Local police and national cybercrime units like the FBI’s IC3

*   Cybersecurity organizations for broader community awareness

The crypto space offers real opportunities, but when it comes to Litecoin security, it’s your responsibility, no one else’s. Protecting your digital assets is up to you. By staying alert, using hardware wallets, and keeping your knowledge up to date, you make it harder for scammers to succeed.

(Image by Eivind Pedersen from Pixabay)

Litecoin Security: How to Spot, Avoid, and Recover from Crypto Scams

A list of topics we covered in the week of June 1 to June 7 of 2025

June 6, 2025 - How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

June 6, 2025 - Cybercriminals are abusing the hospitality industry and its booking platforms to defraud the travelers that visit them

June 5, 2025 - Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

June 4, 2025 - Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws

June 3, 2025 - As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.

 A week in security (June 1 &#8211; June 7) 

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach…

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach enterprise environments: picking up the phone and pretending to be IT support, simply called voice phishing (Vishing).

According to a new report from Google’s Threat Intelligence Group (GTIG), this actor has been impersonating internal tech staff in phone-based social engineering attacks. Their goal is to trick employees, mostly in English-speaking branches of multinational companies, into granting access to sensitive systems, particularly Salesforce, a widely used customer relationship management (CRM) platform.

****How the Scam Works****

UNC6040 doesn’t rely on exploits or security vulnerabilities. Instead, it counts on human error. The attackers call employees and walk them through approving a connected app inside Salesforce. But this isn’t just any app, it’s often a modified version of Salesforce’s legitimate Data Loader tool.

With this access, attackers can query and extract vast amounts of data from the targeted organization. In some cases, they disguise the tool as “My Ticket Portal,” a name aligned with the IT support theme of the scam.

Once access is granted, UNC6040 pulls data in stages. Sometimes, they start small to avoid detection, using test queries and limited batch sizes. If the initial probing goes unnoticed, they scale up the operation and begin large-volume exfiltration.

****Extortion Comes Later****

Interestingly, data theft doesn’t always lead to immediate demands. In several incidents, months passed before victims received extortion messages. During those messages, attackers claimed to be associated with the well-known hacking group ShinyHunters, a move likely aimed at increasing pressure on victims to pay up.

This delayed approach hints that UNC6040 might be working with other actors who specialize in monetizing stolen data. Whether they’re selling access or handing off the data for follow-up attacks, the long pause makes incident detection and response more complicated for security teams.

While the primary target is Salesforce, the group’s ambitions don’t end there. Once they gain credentials, UNC6040 has been observed moving laterally through corporate systems, targeting platforms like Okta and Microsoft 365. This broader access allows them to collect additional valuable data, deepen their presence, and build leverage for future extortion attempts.

Attack flow (Google)

****Protecting Against These Attacks****

GTIG advises taking a few clear steps to make these types of breaches less likely. First, limit who has access to powerful tools like Data Loader, only users who genuinely need it should have permissions, and those should be reviewed regularly. It’s also important to manage which connected apps can access your Salesforce setup; any new app should go through a formal approval process.

To prevent unauthorized access, especially from attackers using VPNs, logins and app authorizations should be restricted to trusted IP ranges. Monitoring is another key piece, platforms like Salesforce Shield can flag and react to large-scale data exports in real time. While multi-factor authentication (MFA) isn’t perfect, it still plays a major role in protecting accounts, especially when users are trained to spot tricks like phishing calls that try to get around it.

Hackers Using Fake IT Support Calls to Breach Corporate Systems, Google

Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

A recent investigation by threat intelligence firm Cyble has spotted a campaign targeting cryptocurrency users through the Google Play Store with more than 20 malicious Android applications.

These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

These apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

****How the Scam Works****

According to Cyble’s report shared with Hackread.com, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

Screenshot showing a developer account that previously published legitimate apps, now used for malicious activity (Credit: Cyble)

In several cases, the apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. The apps load these phishing pages directly inside a WebView, an embedded browser window, that asks users for their mnemonic phrase under the guise of wallet access.

The campaign isn’t only widespread in scale but also coordinated in its infrastructure. One phishing domain found by Cyble was linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Cyble’s researchers also noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

On top of that, several apps are connected to the same servers or websites, showing they’re part of a larger, organized effort. Some of the fake domains linked to these apps include:

*   bullxnisbs
*   hyperliqwsbs
*   raydifloydcz
*   sushijamessbs
*   pancakefentfloydcz

These domains impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. Meanwhile, the partial list of malicious apps, courtesy of Cyble, is available below:

1.  Raydium
2.  SushiSwap
3.  Suiet Wallet
4.  Hyperliquid
5.  BullX Crypto
6.  Pancake Swap
7.  Meteora Exchange
8.  OpenOcean Exchange
9.  Harvest Finance Blog

Despite efforts to remove the apps, the campaign is ongoing. As of this report, a few remain active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked.

This poses a serious risk. Unlike traditional banking, there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further.

This campaign goes on to show how attackers continue to target the already vulnerable crypto space through official channels like app stores. While app platforms are working to catch malicious uploads, users remain on the receiving end of these cybersecurity threats. Therefore, users are urged to watch out and follow these steps to protect themselves:

Watch for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies.

*   Avoid downloading and installing unnecessary apps.

*   Enable Google Play Protect to help identify potentially harmful apps.

*   Use biometric security and two-factor authentication where available.

*   Always watch out while downloading apps from third-party as well as official stores.

*   Never enter your 12-word phrase into any app or website unless you’re certain it’s legitimate.

Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

Since it’s already chaos out there, this week, we thought we’d lean into the madness by envisioning the future threats that you’re not ready for. From cyberattacks on the US grid to GPS blackouts, rampant deepfake scams, AI-powered super hackers, and widespread communication system collapse, there’s a whole spectrum of scenarios that could take things from bad to worse.

All is not lost, however—at least if you’re Ross Ulbricht. The creator of the Silk Road dark web market, who was pardoned by President Donald Trump earlier this year, received a mysterious $31 million bitcoin donation last weekend. Crypto-tracing firm Chainalysis now suspects the lavish gift may have come from a vendor at another now-defunct black market, AlphaBay.

A trove of public records reviewed by WIRED this week reveal a years-long effort by a farming industry group to get the FBI to treat animal rights activists as a “bioterrorist” threat. The Animal Agriculture Alliance (AAA) was repeatedly in contact with the bureau’s Weapons of Mass Destruction Directorate about the activities of groups like Direct Action Everywhere, or DxE. The records show that AAA fed intelligence about DxE to the FBI and used corporate spies to infiltrate the group’s activities.

Immigration and Customs Enforcement recently updated its guidance for agents who carry out courthouse raids and other “enforcement actions” in and nearby court houses, according to an agency document reviewed by WIRED. The updated policy removes language that explicitly instructed agents to ensure they followed local and state laws.

Anyone who was trying to play a new video game on Christmas Day in 2014 likely remembers the infamous Lizardsquad hack of Xbox Live and Playstation Network. Now, more than a decade later, we finally have the full story.

But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Mysterious iPhone Crashes Hint at a Chinese Hacks. Apple Denies It**

The security firm iVerify this week brought to light a series of suspicious iPhone crashes that researchers say might just indicate a stealthy, unprecedented Chinese zero-click hacking campaign victimizing American phones, including even those of staffers for the Harris-Walz presidential campaign. Or it’s a random, not-particularly-dangerous bug that Apple has already squashed.

In a report released Thursday, iVerify assessed with “moderate confidence” that China-linked hackers may have targeted a series of iPhones with a sophisticated exploit, going after activists and dissidents critical of China, an EU government official, tech executives at AI firms competing with Chinese ones, and US political staffers—revealed by NBC News to be employees of the Harris-Walz campaign. iVerify didn’t have a sample of the malware that might have infected those phones or other definitive proof that any hacking occurred. But it pointed to signs that seem like more than coincidences: The staffers whose phones had experienced the crashes had also been warned by the FBI that they’d already been targeted in China’s Salt Typhoon hacking campaign against US telecoms. Another owner of the devices that crashed in the same way was later warned by Apple itself that he or she had been targeted by sophisticated hackers.

All of that would represent a serious threat to national security. Except that, strangely, Apple flatly denies it happened. “We strongly disagree with the claims of a targeted attack against our users,” Apple’s head of security engineering, Ivan Krstić, wrote in a statement to WIRED. Apple has patched the issue that iVerify highlighted in its report, which caused iPhones to crash in certain cases when a message sender changed their own nickname and avatar. But it calls those crashes the result of a “conventional software bug,” not evidence of a targeted exploitation. (That blanket denial certainly isn’t Apple’s usual response to confirmed iPhone hacking. The company has, for instance, sued hacking firm NSO group for its targeting of Apple customers.)

The result is that what might have been a four-alarm fire in the counterintelligence world is reduced—for now—to a very troubling enigma.

**A 22-Year-Old Is Running a Key US Anti-Terrorism Program**

A 22-year-old former intern at the Heritage Foundation with no national security experience has reportedly been appointed to a key Department of Homeland Security role overseeing a major program designed to combat domestic terrorism.

According to Propublica, Thomas Fugate last month assumed leadership of the Center for Programs and Partnerships (CP3), a DHS office tasked with funding nationwide efforts to prevent politically motivated violence—including school shootings and other forms of domestic terrorism.

Fugate, a 2024 graduate of the University of Texas at San Antonio, replaced the former CP3 director, Bill Braniff, an Army veteran with 20 years of national security experience who resigned in March following staff cuts ordered by the Trump administration.

According to CP3’s most recent report to Congress, the office has funded more than 1,100 initiatives aimed at disrupting violent extremism. In recent months, the US has seen a string of high-profile targeted attacks, including a car bombing in California and the shooting of two Israeli Embassy aids in Washington, DC. Its $18 million grant program, designed to support local prevention efforts, is reportedly now under Fugate’s supervision.

**Threat Intelligence Firms (Finally) Agree to a Glossary of Hacker Group Names**

Hacker group names have long been an unavoidable absurdity in the cybersecurity industry. Every threat intelligence company, in a scientifically defensible attempt to not make any assumption that they’re tracking the same hackers as another firm, comes up with their own code name for any group they observe. The result is a somewhat silly profusion of overlapping naming systems based on elements, weather, and zoology: “Fancy Bear” is “Forest Blizzard” is “APT28” is “Strontium.” Now, several major threat intelligence players, including Google, Microsoft, CrowdStrike, and Palo Alto Networks, have finally shared enough of their internal research to agree to a glossary that confirms that they’re referring to the same entities. The companies did _not,_ however, agree to consolidate their naming systems into a single taxonomy. So this agreement doesn’t mean the end of sentences in security reporting such as “the hacker group Sandworm, also known as Telebots, Voodoo Bear, Hades, Iron Viking, Electrum, or Seashell Blizzard.” It just means we cybersecurity reporters can write that sentence with a little more confidence.

**Phone-Hacking Firm Corellium Acquired for $200 Million—After Trump Pardons Its Founder**

Chris Wade, the founder and CTO of mobile device reverse-engineering company Corellium, has had a wild last few decades: In 2005, he was convicted on criminal charges of enabling spammers by providing them proxy servers, and agreed to work undercover for law enforcement while avoiding prison. Then in 2020, he mysteriously received a pardon from President Donald Trump. He also settled a major copyright lawsuit from Apple. Now his company, which creates virtual images of Android and iOS devices so that customers can find ways to break into them, is being acquired by phone-hacking firm Cellebrite, a major law enforcement contractor, for $200 million—a significant payday for a hacker who has found himself on both sides of the law.

Tag

#google