Researchers found that an encryption algorithm likely used by law enforcement and special forces can have weaknesses that could allow an attacker to listen in.

Two years ago, researchers in the Netherlands discovered an intentional backdoor in an encryption algorithm baked into radios used by critical infrastructure–as well as police, intelligence agencies, and military forces around the world–that made any communication secured with the algorithm vulnerable to eavesdropping.

When the researchers publicly disclosed the issue in 2023, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, advised anyone using it for sensitive communication to deploy an end-to-end encryption solution on top of the flawed algorithm to bolster the security of their communications.

But now the same researchers have found that at least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping. The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It’s not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them.

The end-to-end encryption the researchers examined, which is expensive to deploy, is most commonly used in radios for law enforcement agencies, special forces, and covert military and intelligence teams that are involved in national security work and therefore need an extra layer of security. But ETSI’s endorsement of the algorithm two years ago to mitigate flaws found in its lower-level encryption algorithm suggests it may be used more widely now than at the time.

In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm Midnight Blue, based in the Netherlands, discovered vulnerabilities in encryption algorithms that are part of a European radio standard created by ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms. The end-to-end encryption the researchers examined recently is designed to run on top of TETRA encryption algorithms.

The researchers found the issue with the end-to-end encryption (E2EE) only after extracting and reverse-engineering the E2EE algorithm used in a radio made by Sepura. The researchers plan to present their findings today at the BlackHat security conference in Las Vegas.

ETSI, when contacted about the issue, noted that the end-to-end encryption used with TETRA-based radios is not part of the ETSI standard, nor was it created by the organization. Instead it was produced by The Critical Communications Association’s (TCCA) security and fraud prevention group (SFPG). But ETSI and TCCA work closely with one another, and the two organizations include many of the same people. Brian Murgatroyd, former chair of the technical body at ETSI responsible for the TETRA standard as well as the TCCA group that developed the E2EE solution, wrote in an email on behalf of ETSI and the TCCA that end-to-end encryption was not included in the ETSI standard “because at the time it was considered that E2EE would only be used by government groups where national security concerns were involved, and these groups often have special security needs.

For this reason, Murgatroyd noted that purchasers of TETRA-based radios are free to deploy other solutions for end-to-end encryption on their radios, but he acknowledges that the one produced by the TCCA and endorsed by ETSI “is widely used as far as we can tell.”

Although TETRA-based radio devices are not used by police and military in the US, the majority of police forces around the world do use them. These include police forces in Belgium and Scandinavian countries, as well as East European countries like Serbia, Moldova, Bulgaria, and Macedonia, and in the Middle East in Iran, Iraq, Lebanon, and Syria. The Ministries of Defense in Bulgaria, Kazakhstan, and Syria also use them, as do the Polish military counterintelligence agency, the Finnish defense forces, and Lebanon and Saudi Arabia’s intelligence services. It’s not clear, however, how many of these also deploy end-to-end decryption with their radios.

The TETRA standard includes four encryption algorithms—TEA1, TEA2, TEA3 and TEA4—that can be used by radio manufacturers in different products, depending on the intended customer and usage. The algorithms have different levels of security based on whether the radios will be sold in or outside Europe. TEA2, for example, is restricted for use in radios used by police, emergency services, military, and intelligence agencies in Europe. TEA3 is available for police and emergency services radios used outside Europe but only in countries deemed “friendly” to the EU. Only TEA1 is available for radios used by public safety agencies, police agencies, and militaries in countries deemed not friendly to Europe, such as Iran. But it’s also used in critical infrastructure in the US and other countries for machine-to-machine communication in industrial control settings such as pipelines, railways, and electric grids.

All four TETRA encryption algorithms use 80-bit keys to secure communication. But the Dutch researchers revealed in 2023 that TEA1 has a feature that causes its key to get reduced to just 32 bits, which allowed the researchers to crack it in less than a minute.

In the case of the E2EE, the researchers found that the implementation they examined starts with a key that is more secure than ones used in the TETRA algorithms, but it gets reduced to 56 bits, which would potentially let someone decrypt voice and data communications. They also found a second vulnerability that would let someone send fraudulent messages or replay legitimate ones to spread misinformation or confusion to personnel using the radios.

The ability to inject voice traffic and replay messages affects all users of the TCCA end-to-end encryption scheme, according to the researchers. They say this is the result of flaws in the TCCA E2EE protocol design rather than a particular implementation. They also say that “law enforcement end users” have confirmed to them that this flaw is in radios produced by vendors other than Sepura.

But the researchers say only a subset of end-to-end encryption users are likely affected by the reduced-key vulnerability because it depends how the encryption was implemented in radios sold to various countries.

ETSI’s Murgatroyd said in 2023 that the TEA1 key was reduced to meet export controls for encryption sold to customers outside Europe. He said when the algorithm was created, a key with 32 bits of entropy was considered secure for most uses. Advances in computing power make it less secure now, so when the Dutch researchers exposed the reduced key two years ago, ETSI recommended that customers using TEA1 deploy TCCA's end-to-end encryption solution on top of it.

But Murgatroyd said the end-to-end encryption algorithm designed by TCCA is different. It doesn’t specify the key length the radios should use because governments using the end-to-end encryption have their own “specific and often proprietary security rules” for the devices they use. Therefore they are able to customize the TCCA encryption algorithm in their devices by working with their radio supplier to select the “encryption algorithm, key management and so on” that is right for them—but only to a degree.

“The choice of encryption algorithm and key is made between supplier and customer organisation, and ETSI has no input to this selection—nor knowledge of which algorithms and key lengths are in use in any system,” he said. But he added that radio manufacturers and customers “will always have to abide by export control regulations.”

The researchers say they cannot verify that the TCCA E2EE doesn’t specify a key length because the TCCA documentation describing the solution is protected by nondisclosure agreement and provided only to radio vendors. But they note that the E2EE system calls out an “algorithm identifier" number, which means it calls out the specific algorithm it’s using for the end-to-end encryption. These identifiers are not vendor specific, the researchers say, which suggests the identifiers refer to different key variants produced by TCCA—meaning TCCA provides specifications for algorithms that use a 126 bit key or 56 bit key, and radio vendors can configure their devices to use either of these variants, depending on the export controls in place for the purchasing country.

Whether users know their radios could have this vulnerability is unclear. The researchers found a confidential 2006 Sepura product bulletin that someone leaked online, which mentions that “the length of the traffic key … is subject to export control regulations and hence the \[encryption system in the device\] will be factory configured to support 128, 64, or 56 bit key lengths.” But it’s not clear what Sepura customers receive or if other manufacturers whose radios use a reduced key disclose to customers if their radios use a reduced-key algorithm.

“Some manufacturers have this in brochures; others only mention this in internal communications, and others don’t mention it at all,” says Wetzels. He says they did extensive open-source research to examine vendor documentation and “ found no clear sign of weakening being communicated to end users. So while … there are ‘some’ mentions of the algorithm being weakened, it is not fully transparent at all.”

Sepura did not respond to an inquiry from WIRED.

But Murgatroyd says that because government customers who have opted to use TCCA’s E2EE solution need to know the security of their devices, they are likely to be aware if their systems are using a reduced key.

“As end-to-end encryption is primarily used for government communications, we would expect that the relevant government National Security agencies are fully aware of the capabilities of their end-to-end encryption systems and can advise their users appropriately,” Murgatroyd wrote in his email.

Wetzels is skeptical of this, however. “We consider it highly unlikely non-Western governments are willing to spend literally millions of dollars if they know they're only getting 56 bits of security,” he says.

Encryption Made for Police and Military Radios May Be Easily Cracked

Can AI really write safer code? Martin dusts off his software engineer skills to put it it to the test. Find out what AI code failed at, and what it was surprisingly good at. Also, we discuss new research on how AI LLM models can be used to assist in the reverse engineering of malware.

Thursday, August 7, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Vulnerabilities within software are a persistent challenge. Software engineers inadvertently tend to make the same mistakes repeatedly, with the same entries appearing in the annual top 25 list of Common Weakness Enumerations each year. 

The truth is, writing software is difficult. Software engineering is a craft demands concentration, knowledge and time, all coupled with extensive testing. Even the most skilled software engineer can get distracted or have a bad day, leading to a hidden vulnerability inadvertently making its way into a production codebase. 

Identifying vulnerabilities early in the software development process is one of the promises of AI. The idea being that an AI agent would write perfect code under the direction of a software engineer or verify and correct code written by a human. 

Last weekend, I decided to put this premise to the test. As a somewhat rusty software engineer, I resolved to see if AI could assist me with a personal software project. Initially, I was impressed, the AI agent offered an engaging discussion about high-level architecture and the trade-offs of various approaches. I was amazed at the lines of code that the AI generated on request. All the software for my project written at the press of a button! 

Then came the testing. Although the code looked convincing, it failed to interface with the required libraries. Parameters were incorrect, it tried to call fictional functions. It seemed that the way the AI imagined the library to work didn’t reflect reality or the available documentation. Similarly, there were less sanity checks or verification of variable values than I was comfortable with; especially since many of these were derived from external inputs. 

To be fair, the AI code resolved a tricky threading issue that had defeated me, and the ‘boilerplate’ code necessary to form the skeleton structure of the software was flawless. I felt that I achieved a productivity boost from the AI’s exposure to ‘frequently encountered’ coding issues. However, when it came to more esoteric APIs with which I was moderately familiar, the AI was unable to generate functional code or correctly diagnose reported errors. 

After some debugging and manual rewriting, I managed to create a working prototype. The code is clearly not bulletproof, but then again, I hadn’t explicitly asked for code that was secured against all potential hacks. Like many software engineers, myself and my AI assistant focused on quickly delivering the desired functionality, rather than considering the long-term operation of the code in a potentially hostile environment. 

I remain optimistic that AI assisted coding is the pathway to a software vulnerability free future. However, my recent limited personal experience leads me to think that we still have a considerable journey ahead before we can definitively resolve software vulnerabilities for good. 

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

**The one big thing **

Continuing the AI theme, Guilherme describes how AI LLM models can be used to assist in the reverse engineering of malware. Used correctly, LLMs can provide valuable insights and facilitate the analysis of malware. 

**Why do I care? **

Reverse engineering malware is the often time-consuming task of identifying the execution path of malicious software. Frequently malware writers obfuscate their code to make it difficult to understand and follow what their code is doing. Advances in technology that can speed up this process make fighting malware easier.  

**So now what? **

Investigate if the tools and approaches described in the blog can be used to improve your reverse engineering process, or as a means to begin learning about reverse engineering. 

**Top security headlines of the week ****As ransomware gangs threaten physical harm, 'I am afraid of what's next,' ex-negotiator says**

In an effort to increase the pressure on victims, ransomware gangs are now using threats of physical violence. (The Register)

**‘Shadow AI’ increases cost of data breaches, report finds**

Unmanaged and unsecured use of AI is leading to data breaches. (Cybersecurity Dive)

****Enough to drive a cybersecurity officer mad: one rule here, a different rule there****

Chief information security officers call for less fragmentation in global cybersecurity regulations. (ASPI)

****UK Online Safety Act promotes insecurity****

The implementation of the UK Online Safety Act requiring age verification for content deemed harmful to children introduces some security quandaries. (Tech HQ)

**Can’t get enough Talos? ****Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**

A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). **Watch here.**

**Tales from the Frontlines**

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. **Reserve your spot.**

**Vulnerability roundup**

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module. **Read more.**

**Talos Takes**

Hazel is joined by threat intelligence researcher James Nutland to discuss Cisco Talos’ latest findings on the newly emerged Chaos ransomware group. **Listen here.**

**Upcoming events where you can find Talos **

It’s the summer. We’ll be on the beach. 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe     
Detection Name: Simple\_Custom\_Detection 

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**   
MD5: 85bbddc502f7b10871621fd460243fbc    
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details   
Typical Filename: N/A   
Claimed Product: Self-extracting archive   
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details    
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**    
MD5: df11b3105df8d7c70e7b501e210e3cc3    
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details    
Typical Filename: DOC001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201

AI wrote my code and all I got was this broken prototype

Google confirms a data breach by ShinyHunters hackers, who used a vishing scam to access a Salesforce database with small business customer info.

In a recent revelation, Google has confirmed that one of its internal databases was breached by a well-known cybercriminal organization. The Google Threat Intelligence Group (GTIC), which was already investigating the activities of the group known as ShinyHunters (or UNC6040), disclosed that its own Salesforce database was accessed in June. The attack exposed information belonging to Google’s small and medium-sized business clients.

The company stated that the breach was contained quickly, and the hackers had access for only a “small window of time.” The stolen data was described as “basic and largely publicly available,” consisting of business names, contact details, and some related notes. While Google did not disclose the full scale of the breach, the incident highlights a growing security concern for all businesses, including technology giants.

****Deception, Not Technical Flaws****

This attack was not a traditional hack exploiting a software flaw, but a sophisticated social engineering scheme. The hackers used a method called vishing (voice phishing) where they impersonated a company’s IT support staff in a phone call.

During the call, they tricked a Google employee into approving a malicious application disguised as a legitimate tool, the Salesforce Data Loader. This fraudulent app granted the hackers access to the database, allowing them to steal information.

Attack Flow Illustration (Source: Google)

As per Google Threat Intelligence Group’s (GTIG) research, UNC6040 is responsible for intrusions, while a separate group, UNC6240, handles the extortion, demanding Bitcoin payments within 72 hours. The company also warns that hackers have updated their tools and may be planning to launch a Data Leak Site (DLS) to pressure victims.

“The news that Google has suffered a data breach in the recent wave of attacks executed by ShinyHunters highlights that no organisation is immune to cybercrime,_”_ said William Wright, CEO of Closed Door Security. “It doesn’t matter if you are a small business or one of the world’s leading technology firms, all organisations are vulnerable._”_

He also emphasised that employee training and the use of MFA are key to blocking these attacks in their early stages.

****A Bigger and Growing Threat****

This breach is part of a larger trend of attacks by the ShinyHunters group. Over the past year, Hackread.com has reported the group’s links to several high-profile incidents, including a massive breach at Santander bank in May 2024 and another at Ticketmaster that affected over 560 million customers globally.

The threat is still active, as luxury fashion brand Chanel also recently announced it suffered a data breach in July, affecting some of its US customers via a third-party Salesforce database. Google’s report also warns that ShinyHunters may be planning to escalate its activities by launching a public data leak site.

In response to the attack, Google said it took immediate action to secure its systems and notify affected clients. The company also advises other businesses to strengthen their defences with better employee training, multi-factor authentication, and stricter access controls to prevent similar social engineering attacks.

Google Confirms Salesforce Data Breach by ShinyHunters via Vishing Scam

Menlo Park, California, USA, 7th August 2025, CyberNewsWire

**Menlo Park, California, USA, August 7th, 2025, CyberNewsWire**

AccuKnox, a global leader in Zero Trust Cloud Native Application Protection Platforms (CNAPP), has partnered with SecuVerse.ai to deliver ASPM for Lonaci Loterie Nationale de Côte d’Ivoire (LONACI), the state-operated national lottery authority of Côte d’Ivoire.

This milestone partnership comes as LONACI advances its ambitious 2025–2030 digital transformation strategy, focusing on secure digital innovation, the modernization of gaming platforms, and stringent compliance with international data and operational standards.

**Why LONACI Selected AccuKnox**

LONACI’s key selection criteria included strict adherence to PCI-DSS, ISO 27001, and GDPR standards, as well as the need for deep observability, real-time threat mitigation, and least-privilege access enforcement across its hybrid cloud and distributed outlet systems.

Following a rigorous evaluation, AccuKnox stood out by delivering:

*   Comprehensive ASPM (Application Security Posture Management) solution that delivers integrated SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Source Code Analysis)
*   Reduce triaging and remediation efforts by using AI-assisted remediation steps. This provides users with precise remediation approaches based on assets, findings, and repositories under consideration. 
*   Customized dashboards and reporting capabilities
*   SOAR (Security, Orchestration, Automation, and Response) for addressing alerts in the most efficient manner

**Quotes from Key Stakeholders**

> “**LONACI sought to unify various fragmented tools into a single cohesive platform, exactly what our ASPM (Application Security Posture Management) solution delivers. We equipped LONACI with a prioritized view, actionable insights, and streamlined lifecycle management, significantly enhancing their ROI. We’re proud to collaborate with SecuVerse in delivering a compelling and differentiated value proposition to LONACI.**“

— Gaurav Mishra, Team Lead – Product Management & Solutions Engineering, AccuKnox

> “**We are pleased to partner with AccuKnox, a leader in code-to-cognition security. Their integrated AppSec, CloudSec, and AI security is exactly what LONACI needed to protect itself from both current and emerging threats. Our regional intelligence combined with their technical firepower helped us outpace incumbents by staying agile, secure, and local.**”

— Samir Boukharta, Founder, SecuVerse.ai

Secure Your Infrastructure the Zero Trust Way: book your free demo now 

**About AccuKnox**

AccuKnox provides a Zero Trust Code to the Cognition CNAPP Security platform. AccuKnox is the industry’s only platform that secures all public clouds and all private clouds; modern workloads like Kubernetes, IAC, AI/LLM, and Edge/IoT; and traditional workloads like virtual machines and bare metal. AccuKnox is funded by leading security investors, including National Grid Partners, MDSV, Avanta Venture Partners, Dolby Family Ventures, DreamIT Ventures, 5G Open Innovation Lab, and Seedop. AccuKnox was formed in partnership with SRI International (previously Stanford Research Institute) and has seminal patents on different aspects of Zero Trust security. AccuKnox is a core contributor to the CNCF Kubernetes run-time security project, KubeArmor, which has achieved 2M+ downloads.

https://accuknox.com/

**About** **Secuverse.ai** 

SecuVerse.ai is based in Casablanca, Morocco, with a presence in North, West, and Central Africa. SecuVerse.ai’s mission is to provide its clients with innovative, next-generation technology solutions to accelerate cybersecurity and AI programs. SecuVerse.ai works with companies around the world to offer a complete range of cybersecurity services, covering areas like DataSec, AppSec, CloudSec, IASec, and infrastructure security. https://wwww.secuverseai.com

**Contact**

**PMM**  
**Syed Hadi**  
**AccKnox**  
**\[email protected\]**

AccuKnox partners with SecuVerse.ai to deliver Zero Trust CNAPP Security for National Gaming Infrastructure

Hackers tricked workers over the phone at Google, Adidas, and more to grant access to Salesforce data.

At the heart of multiple data breaches against sophisticated and robust companies, including Google, Adidas, Louis Vuitton, and Chanel, was a rudimentary attack method that required little technical finesse—making a phone call.

By disguising themselves as IT support personnel on the phone, hackers belonging to the group “ShinyHunters” successfully tricked the employees at several multinational corporations into handing over the data within their own Salesforce platforms. The attacks underscore the vulnerability that all businesses face—large or small—in preventing cyberattacks that begin through basic social engineering scams.

In a bizarre twist of irony, security researchers at Google Threat Intelligence Group (GITG) originally uncovered the hacking campaign in June, only to announce that Google itself had been hit by the very same tactic this week. Other victims in the hacking campaign include Allianz Life, the airline Qantas, and the jeweler Pandora.

The data breaches all leverage a Salesforce feature that allows users to connect to various, external apps. This functionality allows business owners and employees to, for instance, connect their Salesforce data to mapping tools to visualize the locations of a customer base, or to connect their Salesforce data with a newsletter platform to deliver email marketing campaigns to specific customer segments.  

In the attacks, the hackers trick employees into connecting to a fraudulent version of Salesforce’s “Data Loader” app, which lets users import, export, update, and delete large quantities of data that are stored or managed within Salesforce itself. The process for connecting to an external app is simple, as employees just enter an 8-digit code when prompted by Salesforce. But once ensnared in the phone scam, employees are tricked into entering an 8-digit code that will connect to a data exfiltration program owned and operated entirely by the hackers.

Once connected, the hackers are free to roam inside the company’s Salesforce data and steal what they see fit. Some attacks reportedly included an expansion by the hackers into other corporate online accounts, including Microsoft 365, which could reveal a company’s emails and other sensitive messages.

In the attack against Google, the hackers accessed a Salesforce “instance,” which is a term used to describe a company or user’s implementation of software and the data they manage through that software (Think of it like when a hacker breaches an online account and then pilfers all the data related to that account and what it can access). In the Google attack, the Salesforce instance “was used to store contact information and related notes for small and medium businesses.”

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

According to the outlet Bleeping Computer, the ShinyHunters cybercrime group is still stealing business data through this attack campaign. Once the hackers have the data, they then extort the victims to pay a hefty ransom or risk having the data exposed online.

****How to stay safe from the Salesforce scam****

Because this attack is so targeted—every corporate victim uses Salesforce—the defense strategies are clear and actionable. Here’s how you can help yourself and your staff in avoiding this attack.

*   **Audit your Salesforce access**. Ensure that the only employees or staff who have access to Salesforce are those who need to use it for their job. When there are fewer employees who can access Salesforce, there are fewer entry points for hackers.
*   **Train your staff**. Recognizing a social engineering scam is important for any workforce, no matter the size. Inform your employees and yourself about your current IT support provider so that any rogue phone calls are immediately caught.
*   **Use multifactor authentication (MFA) for important accounts**. The hackers in these attacks managed to gain access to other cloud applications like Microsoft 365. Protect all your employee accounts on sensitive platforms with MFA.

Social engineering scams are some of the most effective and serious threats to small businesses. It’s important to recognize them when they happen. And for all else, use always-on cybersecurity to protect your business from malware, viruses, and nefarious break-in attempts.

 How Google, Adidas, and more were breached in a Salesforce scam 

Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden:

Secure AI embedded in every part of the business.
Use AI to defend faster and smarter.
Fight AI-powered threats that execute in minutes—or seconds.

Security

The AI-Powered Security Shift: What 2025 Is Teaching Us About Cloud Defense

The Hague, Netherlands, 7th August 2025, CyberNewsWire

The Hague, Netherlands, August 7th, 2025, CyberNewsWire

Over 1.2 million internet-connected healthcare devices and systems with exposure that endangers patient data, as shown in new research by European cybersecurity company Modat. Global findings showing Top 10 Regions (most results are across Europe, the USA, and South Africa):

*   United States (174K+)
*   South Africa (172K+)
*   Australia (111K+)
*   Brazil (82K+)
*   Germany (81K+)
*   Ireland (81K+)
*   Great Britain (77K+)
*   France (75K+)
*   Sweden (74K+)
*   Japan (48K+)

Research was conducted using Modat’s unique internet scanning platform, Modat Magnify. Findings range across more than 70 different types of medical devices and systems, including: MRI, CT, X-rays, DICOM viewers, Blood test systems, hospital management systems, and other accessible medical systems.

Multiple Reasons for Vulnerable Devices include misconfigurations and insecure management settings, default or weak passwords, and unpatched vulnerabilities in firmware or software.

Researchers discovered that many systems lacked even basic authentication, and some used factory-default or weak passwords like “admin” or “123456.” In other cases, outdated or unpatched software left critical devices vulnerable to exploitation. These oversights not only compromise patient confidentiality but may also open a path for cybercriminals to carry out fraud, extortion, or network infiltration.

One scan, for instance, exposed a patient’s chest and brain MRI results, complete with names and medical history. Records include highly sensitive information such as Personal Health Information (PHI) and Personal Identifying Information (PII). Their researchers have uncovered and identified brain scan images, complete with patients’ names and scan dates.

Using the same method, they accessed a range of other medical images: eye exams from opticians, dental X-rays, blood test results, and even detailed lung MRIs commonly used to aid patients suffering from lung cancer. A wide number of exposed medical documents. All accessible via the open internet – and in some cases, dating back to previous years.

Modat worked with international partners Health-ISAC and Dutch CERT Z-CERT to ensure responsible disclosure.

The findings emphasise that cybersecurity in healthcare is not only an IT concern, but it’s a matter of patient safety. They immediately initiated the process of Responsible Disclosure by reaching out to affected organisations to assist them in fixing these security breaches through organisations like Z-CERT and Health-ISAC. Here is a link to the Health-ISAC post for their Monthly Threat Briefing (Monthly Threat Briefing)

> These systems should never be exposed to the internet in the first place. Soufian El Yadmani, Modat CEO stated, “The question we should be asking is: Why are there MRI scanners with internet connectivity that lack proper security measures?”

> El Yadmani went on to say, “The primary risk is unnecessary network exposure. These medical systems should only be connected to secure, properly configured networks when there is a legitimate clinical need for remote access. While remote MRI operations are becoming more common to address staffing shortages and provide specialized expertise, many systems remain exposed to the internet without adequate cybersecurity measures.”

Recommendations in the research include the need for organisations to implement regular security assessments and maintain comprehensive asset inventories, as personnel changes and operational modifications can introduce configuration drift and security gaps.

Continuous monitoring of network-connected devices is essential for identifying potential exposures, misconfigurations, or emerging vulnerabilities. By doing that, healthcare facilities can significantly reduce their cybersecurity risk profile. As remote medical services expand and connected devices become more common, securing digital infrastructure is critical.

The full blog post, including data visualisations and a detailed breakdown of findings, is available at http://bit.ly/4moChak

****About Modat** **

Founded in 2024, Modat is a European research-driven cybersecurity company focused on strengthening cyber resilience for individuals, companies, and governments. Our flagship platform, Modat Magnify, leverages the world’s largest Internet “Device DNA” dataset to fingerprint and catalogue every internet-connected device, creating a unique profile, enabling faster threat intelligence.

Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Our products enable the security community by giving access to unparalleled speed, contextualised data, and predictive insights. We are actively joining the fight to get ahead of cyberattacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast.

Users can learn more by visiting modat.io, and to access the platform, visit magnify.modat.io.

Visit: ​

*   LinkedIn
*   X
*   BSky 

**Contact**

Head of Marketing  
Bessie Schenk  
Modat  
\[email protected\]

1.2 Million Healthcare Devices and Systems Found Exposed Online – Patient Records at Risk of Exposure, Latest Research from Modat

**The Hague, Netherlands, August 7th, 2025, CyberNewsWire**

**Over 1.2 million internet-connected healthcare devices and systems with exposure** that endanger patient data shown in new research by European cybersecurity company Modat. Global findings showing Top 10 Regions (most results are across Europe, the USA, and South Africa): 

*   United States (174K+)  
*   South Africa (172K+)  
*   Australia (111K+)  
*   Brazil (82K+)  
*   Germany (81K+)  
*   Ireland (81K+)  
*   Great Britain (77K+)  
*   France (75K+)  
*   Sweden (74K+)  
*   Japan (48K+) 

Research was conducted using Modat’s unique internet scanning platform, Modat Magnify. Findings range across more than 70 different types of medical devices and systems including: MRI, CT, X-rays, DICOM viewers, Blood test systems, hospital management systems, and other accessible medical systems. **Multiple Reasons for Vulnerable Devices include** misconfigurations and insecure management settings, default or weak passwords, and unpatched vulnerabilities in firmware or software. 

Researchers discovered that many systems lacked even basic authentication, and some used factory-default or weak passwords like, “admin” or “123456.” In other cases, outdated or unpatched software left critical devices vulnerable to exploitation. These oversights not only compromise patient confidentiality but may also open a path for cybercriminals to carry out fraud, extortion, or network infiltration. 

One scan, for instance, exposed a patient’s chest and brain MRI results, complete with names and medical history. Records include highly sensitive information such as Personal Health Information (PHI) and Personal Identifying Information (PII). Their researchers have uncovered and identified brain scan images, complete with patients’ names and scan dates. Using the same method, they accessed a range of other medical images: eye exams from opticians, dental X-rays, blood test results, and even detailed lung MRIs commonly used to aid patients suffering from lung cancer. A wide number of exposed medical documents. All accessible via the open internet – and in some cases, dating back to previous years. 

Modat worked with international partners Health-ISAC and Dutch CERT Z-CERT to ensure responsible disclosure. 

The findings emphasize that cybersecurity in healthcare is not only an IT concern, but it’s a matter of patient safety. They immediately initiated the process of Responsible Disclosure by reaching out to affected organisations to assist them in fixing these security breaches through organizations like Z-CERT and Health-ISAC. Here is a link to the Health-ISAC post for their Monthly Threat Briefing (Monthly Threat Briefing) 

> These systems should never be exposed to the internet in the first place. Soufian El Yadmani, Modat CEO stated, “The question we should be asking is: Why are there MRI scanners with internet connectivity that lack proper security measures?” 

> El Yadmani went on to say, “The primary risk is unnecessary network exposure. These medical systems should only be connected to secure, properly configured networks when there is a legitimate clinical need for remote access. While remote MRI operations are becoming more common to address staffing shortages and provide specialized expertise, many systems remain exposed to the internet without adequate cybersecurity measures.” 

Recommendations in the research include the need for organizations to implement regular security assessments and maintain comprehensive asset inventories, as personnel changes and operational modifications can introduce configuration drift and security gaps. Continuous monitoring of network-connected devices is essential for identifying potential exposures, misconfigurations, or emerging vulnerabilities. By doing that, healthcare facilities can significantly reduce their cybersecurity risk profile. As remote medical services expand and connected devices become more common, securing digital infrastructure is critical. 

The full blog post, including data visualizations and a detailed breakdown of findings, is available at http://bit.ly/4moChak 

**About Modat** 

Founded in 2024, Modat is a European research-driven cybersecurity company focused on strengthening cyber resilience for individuals, companies, and governments. Our flagship platform, Modat Magnify, leverages the world’s largest Internet “Device DNA” dataset to fingerprint and catalogue every internet-connected device, creating a unique profile, enabling faster threat intelligence. 

Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Our products enable the security community by giving access to unparalleled speed, contextualized data, and predictive insights. We are actively joining the fight to get ahead of cyber-attacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast. 

Users can learn more by visiting modat.io, and to access the platform, visit magnify.modat.io 

Visit: ​

*   LinkedIn
*   X 
*   BSky 

**Contact**

**Head of Marketing**  
**Bessie Schenk**  
**Modat**  
**\[email protected\]**

The malicious ad tech purveyor known as VexTrio Viper has been observed developing several malicious apps that have been published on Apple and Google's official app storefronts under the guise of seemingly useful applications.
These apps masquerade as VPNs, device "monitoring" apps, RAM cleaners, dating services, and spam blockers, DNS threat intelligence firm Infoblox said in an exhaustive

Fake VPN and Spam Blocker Apps Tied to VexTrio Used in Ad Fraud, Subscription Scams

Using invisible prompts, the attacks demonstrate a physical risk that could soon become reality as the world increasingly becomes more interconnected with artificial intelligence.

Tag

#intel