A group that Google is tracking as UNC6040 has been tricking users at many organizations into installing a malicious version of a Salesforce app to gain access and steal data from the platform.

Vishing Crew Targets Salesforce Data

Google has disclosed details of a financially motivated threat cluster that it said "specialises" in voice phishing (aka vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion.
The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with

Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App

Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws

Google has released an update for the Chrome browser to patch an actively exploited flaw.

The update brings the Stable channel to versions 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the “**more menu**” (three stacked dots) **\>**  **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from the vulnerability.

_The About Chrome menu while updating_

This update is crucial since it addresses an actively exploited vulnerability which could allow an attacker to exploit a specially crafted HTML page (website).

**Technical details**

The vulnerability tracked as CVE-2025-5419 is an out-of-bounds read and write in Google Chrome’s “V8,” which is the engine that Google developed for processing JavaScript. Prior to Google Chrome version 137.0.7151.68, this vulnerability allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

V8 has been a significant source of security problems in the past.

An out-of-bounds read and write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Google knows that attackers currently exploit CVE-2025-5419 in the wild, but released no details yet on who exploits the flaw, how they do it in real-world attacks, or who the targets are in those attacks. However, the Google Threat Analysis Group (TAG) team, which discovered the exploit, focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

This Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink and one internally discovered vulnerability.

**We don’t just report on** **browser vulnerabilities**. Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

 Google fixes another actively exploited vulnerability in Chrome, so update now! 

Traditional data leakage prevention (DLP) tools aren't keeping pace with the realities of how modern businesses use SaaS applications.
Companies today rely heavily on SaaS platforms like Google Workspace, Salesforce, Slack, and generative AI tools, significantly altering the way sensitive information is handled. In these environments, data rarely appears as traditional files or crosses networks

Your SaaS Data Isn't Safe: Why Traditional DLP Solutions Fail in the Browser Era

GPS jamming and spoofing attacks are on the rise. If the global navigation system the US relies on were to go down entirely, it would send the world into unprecedented chaos.

Around 12,500 miles above our heads, the satellites that make up the Global Positioning System (GPS) quietly keep the world running. A blackout would result in almost instantaneous chaos.

“You would see traffic jams, a lot more traffic accidents, because transportation is going to see the first most immediate impact,” says Dana Goward, the founder of the Resilient Navigation and Timing Foundation, a charity which works to strengthen GPS.

Thousands of planes in the air, which use GPS among other systems for navigation and precision landing, would face a wave of uncertainty. Then other critical parts of society—from financial transactions to energy production systems—which have come to rely upon the precision positioning, navigation and timing (PNT) provided by the US-owned constellation of 31 GPS satellites may start to stutter. The ripples would be felt around the world.

“If it was a catastrophic moment that happened at a blink of an eye and we lost GPS entirely, you would see this global seizure of everything that moves, every piece of data that moves, every human that moves. All of that would shut down,” says Erik Daehler, the vice president of defense, satellites, and spacecraft systems at Sierra Space. The timing signals included in GPS would be one of the most impactful losses. Cell phone connections would likely collapse. Billions would quickly be wiped from stock markets amid the disruption.

A GPS outage could be particularly ruinous to the United States, which has a heavy reliance on its sovereign space system and has dragged its feet in building backups that can provide the required resilience needed to keep the country running. The US has fallen behind, the National Space-based PNT Advisory Board warned last year. In contrast, China has reinforced its own more modern satellite navigation system—BeiDou—with a sprawling network of fiber-optic cables and terrestrial radio signals.

The conditions needed to cause the entire GPS network to be entirely knocked out would be extraordinary and likely would come with wider societal ramifications. Such an outage, for instance, could be caused by China or Russia firing anti-satellite weapons against the GPS satellites (the US also has anti-satellite weapons), a powerful geomagnetic storm, or an escalation in the capabilities of electronic warfare.

Despite the improbability of a total outage, GPS isn’t infallible. It has its demons. “What really happens is, regionally, GPS gets messed with and jammed and interfered with on a regular basis,” Daehler says. Thousands of planes and ships are having their GPS interfered with each week, and signals are regularly disrupted around war zones.

“America is not well prepared at all,” Goward says. More should be done to build out PNT systems that can act as a backstop to the space-based GPS signals, he says. “There’s not a general overall awareness. We certainly don’t have a resilient PNT architecture or a PNT architecture of any kind other than GPS.”

The GPS constellation of 31 satellites, which has received several hardware updates over the years, has been in operation for the past 40 years. The system typically broadcasts at 100 percent availability and provides accurate location data to within 7 meters.

The GPS satellites are just one of the four so-called global navigation satellite systems (GNSS) in operation. As well as China’s BeiDou, there is Russia’s GLONASS and Europe’s Galileo constellation. Over the past half decade, though, GNSS signals have increasingly been attacked as the technology to disrupt them has become cheaper and more sophisticated. Most commonly, disruption happens around Russia, Israel, Myanmar, the South China sea, areas of the Middle East, and the Baltic countries in Europe.

Broadly, there are two main forms of attack against GNSS signals: jamming and spoofing. Jamming involves blocking signals so that positioning isn’t available, while spoofing involves creating mock signals that make something appear somewhere else on the map. Ships have been made to appear inland at airports, while planes are made to look like they are flying in tight circles. In one video shared by the Resilient Navigation and Timing Foundation that appears to show GPS interference, a plane’s systems blast out a warning message to “pull up” when its pilots reported they were flying higher than Mount Everest.

“I’m most concerned about aviation,” says Todd Humphreys, the director of the University of Texas at Austin’s radio navigation laboratory. “At least one fatal aviation accident in Europe can be traced to GNSS interference as a primary cause. A deliberate attack against US aviation, as opposed to the collateral attacks in Europe, would cause astounding economic harm.” The number of spoofing incidents last year was 500 percent higher than in 2023, according to aviation officials.

The US Space Force, which is responsible for the GPS satellites, did not respond to a request for comment for this article from WIRED.

Across the US, PNT data is crucial to almost all critical infrastructure—from communications and health care monitoring systems to food production and wastewater management—but GPS is often the “sole” source of this information, according to the Cybersecurity and Infrastructure Security Agency, making the systems more vulnerable. (The military uses a more robust GPS setup than commercial applications).

“There is no one sector that doesn’t use GPS, and some are more reliant than others. Users in these sectors are not all acutely aware of the risks associated with their dependency on it and the ways that the system can be disrupted or degraded,” says Caitlin Durkovich, a former national security official and critical infrastructure expert.

Building a “layered” approach could help to make GPS less vulnerable to attack, experts say. Both Europe’s Galileo and China’s BeiDou are newer than GPS and, in some ways, more resilient. Last year, the National Space–based PNT Advisory Board produced a comparison of GPS and BeiDou that flagged a broader series of backups to Beijing’s system.

While GPS satellites are located only in middle Earth orbit, BeiDou has satellites in multiple orbits and is further along in deploying them into low Earth orbit. China also has a terrestrial radio broadcast network, called eLoran, and has laid 20,000 kilometers of fiber-optic cables that link up with 295 timing centers to broadcast alternatives.

“In the case of BeiDou, the system’s enhanced resiliency and capability should be considered an element of ‘soft power’ and an element of great power competition,” the advisory board wrote last year. The board, led by Admiral Thad Allen, a former leader of the US Coast Guard, called for a more joined-up approach to managing PNT across the US government and for GPS to be specifically designated as “critical infrastructure.”

On April 26, 2024, the first of two Finnair flights were forced to turn around due to GPS interference likely carried out by Russia. After a second aircraft was diverted the following day, Finnair suspended its daily flights between Helsinki and Tartu, Estonia. _Source: AirNav_

“I think there has to be a federal role in this, both because the system and signals are operated and provisioned by the federal government. But because of the complexity of the system and the fact that you need a common standard,” Durkovich says.

“We’d like to see a core national PNT architecture,” Goward says. “Then we would suggest some form of fiber network and a terrestrial broadcast. We think it would be a substantial deterrent and it would actually make space-based systems safer because folks would be less likely to interfere with it.”

Across the country, there are various levels of backup systems in place that have been sporadically introduced and multiple ongoing efforts to improve the GPS setup. Financial institutions, for instance, have been deploying atomic clocks to ensure they have backups for the timing element provided by GPS and telecoms networks have some capacity in place.

“It’s not to say that the US doesn’t have a robust timing infrastructure, actually it’s quite robust,” says Jeremy Bennington, the vice president of PNT Assurance at Spirent Communications, adding that much of it is spread across commercial entities, a stark difference to China’s national approach. “I do think that a backup is going to be required so that you end up with that layered approach.”

The calls to modernize PNT have increasingly become more urgent. In 2020, a first-term Trump executive order called for making PNT systems more resilient. At the end of March this year, the Federal Communications Commission opened an inquiry to identify GPS alternatives that can provide backups. “Relying on GPS alone as the primary source of PNT data leaves America exposed to a single point of failure and leaves our PNT system open to disruption or manipulation by adversaries,” the FCC said at the time.

There are multiple ways to add more resilience and upgrade the existing GPS system. The military has long been working on upgrades to be used in defense situations. Bennington says that GPS satellites could be added to other orbits and the further rollout of more capable signals. Daehler and colleagues at Sierra Space are working on creating ways to reduce the impact of jamming and spoofing.

Lisa Dyer, the executive director of the GPS Innovation Alliance, says the GPS system could build in authentication to confirm its signals are genuine, like Galileo and BeiDou. Dyer says that rolling out the newer L5 signal can also build in more protection for planes and aviation. “To me that's an important national objective of the United States: that GPS remains the de facto international navigation standard,” Dyer says.

There are also hardware updates happening, though some of them are slow and have dragged on for years. The US Space Force has recently been funding multiple companies to develop low Earth orbit satellite GPS constellations and quickly launching systems into space. Elsewhere, quantum technologies are being used to create new navigation systems. SandboxAQ, a Google spinout, is working on magnetic navigation.

Ultimately, as well as better government management around GPS, organizations need to spend money to upgrade their systems and protections, Bennington says. That means spending money. “If GPS jamming or spoofing were to happen at any major airport, whether it's Heathrow, Frankfurt, Munich, New York, the amount of cancellation and delays in the cost incurred by the airlines just in several hours would be more than the cost to upgrade their fleets,” he says.

A GPS Blackout Would Shut Down the World

In the very near future, victory will belong to the savvy blackhat hacker who uses AI to generate code at scale.

In the near future one hacker may be able to unleash 20 zero-day attacks on different systems across the world all at once. Polymorphic malware could rampage across a codebase, using a bespoke generative AI system to rewrite itself as it learns and adapts. Armies of script kiddies could use purpose-built LLMs to unleash a torrent of malicious code at the push of a button.

Case in point: as of this writing, an AI system is sitting at the top of several leaderboards on HackerOne—an enterprise bug bounty system. The AI is XBOW, a system aimed at whitehat pentesters that “autonomously finds and exploits vulnerabilities in 75 percent of web benchmarks,” according to the company’s website.

AI-assisted hackers are a major fear in the cybersecurity industry, even if their potential hasn’t quite been realized yet. “I compare it to being on an emergency landing on an aircraft where it’s like ‘brace, brace, brace’ but we still have yet to impact anything,” Hayden Smith, the cofounder of security company Hunted Labs, tells WIRED. “We’re still waiting to have that mass event.”

Generative AI has made it easier for anyone to code. The LLMs improve every day, new models spit out more efficient code, and companies like Microsoft say they’re using AI agents to help write their codebase. Anyone can spit out a Python script using ChatGPT now, and vibe coding—asking an AI to write code for you, even if you don’t have much of an idea how to do it yourself—is popular; but there’s also vibe hacking.

“We’re going to see vibe hacking. And people without previous knowledge or deep knowledge will be able to tell AI what it wants to create and be able to go ahead and get that problem solved,” Katie Moussouris, the founder and CEO of Luta Security, tells WIRED.

Vibe hacking frontends have existed since 2023. Back then, a purpose-built LLM for generating malicious code called WormGPT spread on Discord groups, Telegram servers, and darknet forums. When security professionals and the media discovered it, its creators pulled the plug.

WormGPT faded away, but other services that billed themselves as blackhat LLMs, like FraudGPT, replaced it. But WormGPT’s successors had problems. As security firm Abnormal AI notes, many of these apps may have just been jailbroken versions of ChatGPT with some extra code to make them appear as if they were a stand-alone product.

Better then, if you’re a bad actor, to just go to the source. ChatGPT, Gemini, and Claude are easily jailbroken. Most LLMs have guard rails that prevent them from generating malicious code, but there are whole communities online dedicated to bypassing those guardrails. Anthropic even offers a bug bounty to people who discover new ones in Claude.

“It’s very important to us that we develop our models safely,” an OpenAI spokesperson tells WIRED. “We take steps to reduce the risk of malicious use, and we’re continually improving safeguards to make our models more robust against exploits like jailbreaks. For example, you can read our research and approach to jailbreaks in the GPT-4.5 system card, or in the OpenAI o3 and o4-mini system card.”

Google did not respond to a request for comment.

In 2023, security researchers at Trend Micro got ChatGPT to generate malicious code by prompting it into the role of a security researcher and pentester. ChatGPT would then happily generate PowerShell scripts based on databases of malicious code.

“You can use it to create malware,” Moussouris says. “The easiest way to get around those safeguards put in place by the makers of the AI models is to say that you’re competing in a capture-the-flag exercise, and it will happily generate malicious code for you.”

Unsophisticated actors like script kiddies are an age-old problem in the world of cybersecurity, and AI may well amplify their profile. “It lowers the barrier to entry to cybercrime,” Hayley Benedict, a Cyber Intelligence Analyst at RANE, tells WIRED.

But, she says, the real threat may come from established hacking groups who will use AI to further enhance their already fearsome abilities.

“It’s the hackers that already have the capabilities and already have these operations,” she says. “It’s being able to drastically scale up these cybercriminal operations, and they can create the malicious code a lot faster.”

Moussouris agrees. “The acceleration is what is going to make it extremely difficult to control,” she says.

Hunted Labs’ Smith also says that the real threat of AI-generated code is in the hands of someone who already knows the code in and out who uses it to scale up an attack. “When you’re working with someone who has deep experience and you combine that with, ‘Hey, I can do things a lot faster that otherwise would have taken me a couple days or three days, and now it takes me 30 minutes.’ That's a really interesting and dynamic part of the situation,” he says.

According to Smith, an experienced hacker could design a system that defeats multiple security protections and learns as it goes. The malicious bit of code would rewrite its malicious payload as it learns on the fly. “That would be completely insane and difficult to triage,” he says.

Smith imagines a world where 20 zero-day events all happen at the same time. “That makes it a little bit more scary,” he says.

Moussouris says that the tools to make that kind of attack a reality exist now. “They are good enough in the hands of a good enough operator,” she says, but AI is not quite good enough yet for an inexperienced hacker to operate hands-off.

“We’re not quite there in terms of AI being able to fully take over the function of a human in offensive security,” she says.

The primal fear that chatbot code sparks is that anyone will be able to do it, but the reality is that a sophisticated actor with deep knowledge of existing code is much more frightening. XBOW may be the closest thing to an autonomous “AI hacker” that exists in the wild, and it’s the creation of a team of more than 20 skilled people whose previous work experience includes GitHub, Microsoft, and a half a dozen assorted security companies.

It also points to another truth. “The best defense against a bad guy with AI is a good guy with AI,” Benedict says.

For Moussouris, the use of AI by both blackhats and whitehats is just the next evolution of a cybersecurity arms race she’s watched unfold over 30 years. “It went from: ‘I’m going to perform this hack manually or create my own custom exploit,’ to, ‘I’m going to create a tool that anyone can run and perform some of these checks automatically,’” she says.

“AI is just another tool in the toolbox, and those who do know how to steer it appropriately now are going to be the ones that make those vibey frontends that anyone could use.”

The Rise of ‘Vibe Hacking’ Is the Next AI Nightmare

Digital certificates authorized by the authorities will no longer have trust by default in the browser starting in August, over what Google said is a loss of integrity in actions by the respective companies.

Chrome Drops Trust for Chunghwa, Netlock Certificates

Silver Spring, Maryland, 3rd June 2025, CyberNewsWire

**Silver Spring, Maryland, June 3rd, 2025, CyberNewsWire**

Aembit, the workload identity and access management (IAM) company, today announced a major expansion of its platform to support Microsoft environments. With this launch, enterprises can now enforce secure, policy-based access for software workloads and agentic AI running on Windows Server, Active Directory, Microsoft Entra ID, and Azure – while extending that same access model to third-party clouds, SaaS tools, and partner environments.

Modern infrastructure rarely lives in one place. While Microsoft technologies remain core to many enterprises, workloads routinely connect across trust boundaries – from on-prem infrastructure to Azure, AWS, Google Cloud, and external APIs.

As infrastructure shifts to the cloud, identity and access management across all these resources becomes increasingly fragmented and complex, especially for non-human entities such as applications, scripts, AI agents, and services. With this launch, Aembit enables a unified approach to secure workload access management across the Microsoft ecosystem and beyond, reducing operational complexity while improving visibility, automation, and risk posture.

> “Security teams require consistent enforcement across all environments – not different tools and rules for every platform,” said Kevin Sapp, co-founder and CTO of Aembit. “We built this integration to help enterprises modernize without compromise, providing policy-driven access across all Microsoft workloads, whether they run on-prem or in the cloud.”

With this launch, Aembit delivers:

*   **Consistent access control for non-human identities**: Teams can now centrally define and enforce access policies for applications, agents, and services across Windows Server, Active Directory, Microsoft Entra ID, and Azure. They can extend the same model to non-Microsoft resources such as AWS, GCP, or SaaS services.
*   **Accelerated cloud migrations without added risk**: As workloads move from on-prem to Azure, Aembit ensures their access remains secure, secretless, and aligned with zero trust principles.
*   **Elimination of static credentials**: By replacing long-lived secrets with short-lived, identity-based access, Aembit helps reduce attack surface and developer overhead.
*   **Unified visibility for audit and compliance**: All workload access is logged and attributed, making it easier to investigate incidents and meet compliance requirements across hybrid Microsoft environments.

These features build on Aembit’s mission to proactively secure access for the growing number of non-human identities operating across modern IT environments. Aembit replaces static credentials with just-in-time, identity-based access – helping builders move faster while giving security teams confidence in how workloads connect across hybrid environments.

Aembit is now available in the Azure Marketplace, making it easier for organizations to integrate workload IAM into their Microsoft-based infrastructure with familiar procurement workflows.

**About Aembit**

Aembit is the leading provider of workload identity and access management solutions, designed to secure non-human identities like applications, AI agents, and service accounts across on-premises, SaaS, cloud, and partner environments. Aembit’s no-code platform enables organizations to enforce access policies in real time, ensuring the security and integrity of critical infrastructure. Users can visit aembit.io and follow us on LinkedIn.

**Contact**

**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Extends Workload IAM to Microsoft Ecosystem, Securing Hybrid Access for Non-Human Identities

This spring has seen another spate of stories about juice jacking, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps.

Both Apple and Android operating system developer Google coded rudimentary protections against juice jacking into their operating systems years ago. They updated their software so that users would have to approve any request to control the phone via a USB port.

However, as Ars Technica reported last week, researchers have found a way past these mechanisms in a new variation on the theme called ChoiceJacking.

Ars offers a detailed technical analysis of the exploit, invented by researchers at Austria’s Graz University of Technology. In short, though, it gives itself permission to control the phone by spoofing the user’s button-pressing for them.

Government agencies continue to warn about the risks of juice jacking. The TSA was the most recent, posting a warning about the issue on Facebook back in March:

> “Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”

The TSA is well-intentioned, but behind the times. The FBI’s Denver office tweeted about this threat back in 2023, and the LA County District Attorney’s office posted about it in 2019.

Researchers have highlighted the threat since at least 2011, when the Defcon conference installed public charging stations that would flash a warning message on peoples’ phones. Since then, others have presented on the possible risks, and enterprising tinkerers have released malicious cables that take control of devices when plugged into them.

**Have any juicers actually been jacked?**

The FCC, which has had an advice page about this issue since 2019, said two years ago that it hadn’t found any real-world attacks, and Malwarebytes hasn’t found any since.

However, the lack of publicly documented attacks doesn’t mean that juice jacking isn’t a risk. It’s theoretically feasible. So how can you prevent against it?

Both Apple and Google have updated their operating systems to require more robust authentication than simply pressing a button when a connected USB device asks to take over your phone. However, not all iPhone users will necessarily update their devices. Android-based smartphone vendors get to implement their own versions of the operating system on their own schedule, and many take a long time to roll out new protections if they do so at all.

One way to be sure that your phone won’t get hijacked by a malicious charging station is to use a USB cable that has the data communication pins disconnected, meaning that a malicious charging port can’t talk to your phone. However, the Ars article warns that this might also interfere with the charging process on some phones.

One alternative is to power down your phone before plugging it in. Or take your own portable charging battery with you and skip the ports altogether.

**Oh, and don’t use public Wi-Fi, says TSA**

On another note, the TSA Facebook post also offered another piece of advice: “Don’t use free public WiFi, especially if you’re planning to make any online purchases,” it warned. “Do not ever enter any sensitive info while using unsecure WiFi \[sic\].”

This advice has merit. Attackers can snoop on public Wi-Fi connections, although the advancement of HTTPS on websites mean this is less of a risk nowadays for everyday browsing. However, if you’re doing anything of a sensitive nature, such as online banking, you can use a VPN to encrypt your traffic.

A simple alternative is to simply use cellular data instead, tethering your phone if you’re using a tablet or PC.

Which of these anti-juice-hacking and Wi-Fi snooping protections should you choose? As with all cybersecurity decisions, this is a question of how much risk you’re prepared to tolerate. Personally, I err on the side of caution. A little inconvenience now could save you significant trouble later.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Juice jacking warnings are back, with a new twist 

Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing "patterns of concerning behavior observed over the past year."
The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137. 
The update will affect all Transport Layer Security (TLS)

Tag

#google