The deal will combine Securonix's security information and event management (SIEM) platform with ThreatQuotient's threat detection and incident response (TDIR) offering to build an all-in-one security operations stack.

Securonix Acquires Threat Intelligence Firm ThreatQuotient

Threat intelligence firm GreyNoise has warned of a "coordinated brute-force activity" targeting Apache Tomcat Manager interfaces.
The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to "identify and access exposed Tomcat services at scale."
To that end, 295 unique IP addresses have been found to be engaged

295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.

Wednesday, June 11, 2025 09:47

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except in the case of the catdoc zero-day vulnerabilities, which were patched by our researcher (patches found in this repository). This is an unusual case, because the vendor could not be reached to fix these high-risk bugs; our policy does not include fixing third-party vulnerabilities. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**catdoc zero-day vulnerabilities **

_Discovered by Ali Rizvi-Santiago of Cisco Talos._    

The catdoc program pulls plain text content from Microsoft Word, Excel, PowerPoint and Rich Text Format files. The vendor was unreachable, Debian will be merging our patches into their distribution. https://github.com/Cisco-Talos/catdoc-talos-fixes/releases/tag/talos-fixes.2025-05

TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 

TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability which exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95., and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT Parser functionality. A specially crafted malformed file can lead to heap-based memory corruption for either vulnerability, and an attacker can provide a malicious file as a trigger. 

**Parallel integer overflow vulnerability  **

_Discovered by KPC of Cisco Talos._    

Parallels is a desktop emulator for Mac computers that enables virtual Windows applications.

TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write to arbitrary files, potentially leading to privilege escalation.

There are three privilege escalation vulnerabilities in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740).

*   TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl\_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
*   TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
*   TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.

**NVIDIA integer overflow vulnerability  **

_Discovered by Dimitrios Tatsis of Cisco Talos._    

NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard \`objdump\` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc. 

TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. 

**High-Logic out-of-bounds read vulnerability  **

_Discovered by KPC of Cisco Talos._    

High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts. 

An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

INTERPOL disrupts 20,000 infostealer domains in major cybercrime crackdown across Asia-Pacific, 32 arrested, 216K victims notified in Operation Secure.

An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region.

Dubbed Operation Secure, the four-month crackdown (January to April 2025) brought together law enforcement from 26 countries and private cybersecurity partners to disrupt a growing cybercriminal infrastructure built around data-stealing malware. The effort also led to 32 arrests, 41 server seizures and the collection of over 100 GB of criminal data.

****A Clear Target: Infostealers****

Infostealer malware has become a go-to tool for cybercriminals seeking quick access to personal and corporate information. Once installed, it quietly extracts browser credentials, email logins, cookies, crypto wallet data and more. This information is then sold on underground marketplaces, fueling a wide range of attacks including ransomware, business email compromise (BEC) and online fraud.

“Logs stolen by infostealers are often the starting point for wider breaches,” said INTERPOL Cybercrime Director Neal Jetton. “Cutting off these initial access points disrupts larger criminal operations.”

****Private Sector Intelligence Key to Operation****

The operation was powered by cyber intelligence reports from Group-IB, Kaspersky and Trend Micro. These reports helped INTERPOL and national agencies identify suspicious infrastructure ahead of time, contributing to a 79% takedown rate of the flagged IPs.

The Hong Kong Police played a critical role by analyzing over 1,700 leads and identifying 117 command-and-control servers spread across 89 internet service providers. These servers were used to coordinate phishing scams, social engineering attacks and account takeovers.

****Arrests, Raids and Seized Evidence****

Vietnamese authorities arrested 18 suspects, including a ringleader found with business registration documents, SIM cards and more than 300 million dong (about USD 11,500) in cash. Evidence suggests the group was involved in creating and selling corporate accounts.

Further arrests came from Sri Lanka and Nauru, where coordinated raids led to the detention of 14 individuals and the identification of 40 victims. Devices were seized from both homes and workplaces, pointing to structured cybercriminal operations rather than lone hackers.

****Victim Notification and Follow-up****

After dismantling infrastructure, authorities alerted over 216,000 victims and potential victims. Those notified were urged to change passwords, secure email accounts, freeze compromised financial services and scan their devices.

Via INTERPOL

Operation Secure was conducted under the ASPJOC (Asia and South Pacific Joint Operations Against Cybercrime) framework. Participating countries ranged from large players like India and Japan to smaller island nations including Kiribati, Vanuatu and Tonga, highlighting a region-wide commitment to fighting cybercrime at all levels.

While infostealer operations continue to spread, the results of this crackdown show that even widely distributed criminal infrastructure can be disrupted with the right mix of intelligence, speed and cross-border cooperation.

Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested

Many new Apple Intelligence features happen on your device rather than in the cloud. While it may not be flashy, the privacy-centric approach could be a competitive advantage.

As Apple’s Worldwide Developers Conference keynote concluded on Monday, market watchers couldn't help but notice that the company's stock price was down, perhaps a reaction to Apple's relatively low-key approach to incorporating AI compared to most of its competitors. Still, Apple Intelligence–based features and upgrades were plentiful, and while some are powered using the company's privacy- and security-focused cloud platform known as Private Cloud Compute, many run locally on Apple Intelligence–enabled devices.

Apple’s new Messages screening feature automatically moves texts from phone numbers and accounts you’ve never interacted with before to an “Unknown Sender” folder. The feature automatically detects time-sensitive messages like login codes or food delivery updates and will still deliver them to your main inbox, but it also scans for messages that seem to be scams and puts them in a separate spam folder. All of this sorting is done locally using Apple Intelligence. Similarly, the expanded Call Screening feature will automatically and locally pick up untrusted phone calls, ask for details about the caller, and transcribe the answers so you can decide whether you want to pick up the call. Even Live Translation adds real-time language translation to calls and messaging using local processing.

From a privacy perspective, local processing is the gold standard for AI features. Data never leaves your device, meaning there's no risk that it could end up somewhere unintended as a result of a journey through the cloud. And new features like spam and “Unknown Sender” sorting for Messages, call screening for untrusted phone numbers, and Live Translation tools all seemed to be designed with a strategy of using privacy as a differentiator in an already crowded AI field.

In addition to being privacy-friendly, local processing has other benefits like allowing AI-based services to be available offline and speeding up certain tasks, since data doesn’t have to be sent to the cloud, processed, and then sent back to a device. If AI features are going to be widely available and accessible, though, most companies are constrained by attempting to factor in the old, low-end devices that many of their customers are likely using that may not be able to handle local AI. Apple has less need to be inclusive, though, because it produces both hardware and software and has already imposed limitations that Apple Intelligence can only run on recent device models.

There are other limitations to Apple Intelligence, too, and the company offers opt-in integrations with some third-party generative AI services to expand functionality. For OpenAI’s ChatGPT, for example, users must turn the integration on, and Apple services will then prompt the user to confirm each time they go to submit a ChatGPT query. Additionally, users can elect to log in to a ChatGPT account, in which case their queries will be subject to OpenAI’s normal policies, or they can use ChatGPT without logging in. In this scenario, Apple says, it does not connect an Apple ID or other identifier to queries and obfuscates users‘ IP addresses.

Apple invested extensively to develop Private Cloud Compute to maintain strong security and privacy guarantees for AI processing in the cloud. Other companies have even begun to create similar secure AI cloud schemes for products and services that specifically center privacy as a crucial feature. But the fact that Apple still deploys local processing for new features when possible may indicate that privacy isn't just an intellectual priority in the company's approach to AI. It may be a business strategy.

Apple Intelligence Is Gambling on Privacy as a Killer Feature

June 2025 Patch Tuesday fixes 66 bugs, including a zero-day in WebDAV. Update Windows, Office, and more now to block active threats.

Microsoft’s June Patch Tuesday update has landed, bringing security fixes for 66 vulnerabilities across its product line. Among the patched flaws is one that was already being exploited in real-world attacks, making this month’s updates particularly important for both enterprises and individual users.

****One Zero-Day Actively Exploited****

The standout fix addresses CVE-2025-33053, a vulnerability in the WebDAV component of Windows. This flaw could allow attackers to execute code remotely if exploited correctly. Since it was already being used in attacks before today’s patch release, it falls into the “zero-day” category.

The WebDAV vulnerability affects both Windows 10 and Windows 11, along with related server versions. While Microsoft has not disclosed the full details of the attacks, they have confirmed that the bug was found in use in the wild.

****10 Critical Issues Fixed****

In addition to the zero-day, Microsoft patched 10 vulnerabilities rated Critical, which generally means they allow remote code execution or elevation of privilege without much user interaction. These include four bugs in Microsoft Office, which continue to be a regular target for attackers looking to send malicious documents through email.

Other products receiving fixes include Microsoft Edge, Power Automate, .NET, and components of Windows itself. While none of the other issues were reported as actively exploited, several are marked as more likely to be targeted in the near term.

****Windows Update Details****

The updated packages are available now and include:

*   **Windows 11**: KB5060842 (22H2 and 23H2)

*   **Windows 10**: KB5060533 and KB5060999

*   **Windows Server versions**: Also updated, depending on the build in use.

Admins should check their update management systems to confirm rollout and assess any compatibility concerns that may arise from the latest patches.

****Why This Month Matters****

The quick exploitation of CVE-2025-33053 once again shows how fast attackers move when new vulnerabilities are disclosed. While zero days often make headlines, the other fixes should not be ignored. Several of this month’s bugs involve components often exposed to the internet or frequently used in enterprise environments.

Companies that delay patching are not just risking data theft but also the cost of recovery from ransomware, which often begins with bugs like the ones patched today.

Nick Carroll, cyber incident response manager at Nightwing, the intelligence solutions company divested from RTX, commented on the Patch Tuesday event, stating, _“_There are a couple of vulnerabilities for the Windows Common Log File System (CVE-2025-32701 and CVE-2025-32706) which are Priv Esc vulnerabilities. Those aren’t critical, which means some organizations won’t prioritize patching them as quickly as they probably should. And if you look at what tends to get a lot of attention, critical vulnerabilities catch all the buzz,” noted Nick.

_“_But we see real world attacks abusing that Windows Log File subsystem pretty regularly. In fact, Nightwing has defended against exploits in the Windows Common Log File System in real world attacks last month related to the recently patched CVE-2025-29824 where the threat actors were abusing Living-off-the-Land tactics in conjunction with the exploit,” he added.

****What to Do Now****

*   **Apply all available June updates as soon as possible**, especially for systems using WebDAV

*   **Review your Office file handling policies**, especially if users frequently receive documents from outside the organization

*   **Monitor network traffic** for signs of suspicious activity linked to WebDAV or other patched services

*   **Test in staging environments** before rolling out company-wide, especially in environments with older or customized software stacks

Microsoft’s full advisory can be found on its official security update guide. Patching quickly remains one of the simplest and most effective defences against many forms of cyberattacks.

June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day

Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.

Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the Mirai malware.

This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, hence, allowing attackers to take control of affected servers remotely.

It is worth noting that this is the first time active attacks using this vulnerability have been reported, highlighting a concerning trend where cybercriminals quickly turn newly discovered flaws into tools for their campaigns.

****Two Botnets, One Goal****

The technical report, shared with Hackread.com, reveals that Akamai’s Security Intelligence and Response Team (SIRT) first noticed suspicious activity in their global network of honeypots in March 2025, just weeks after the flaw was made public in February 2025.

The team identified two distinct botnets leveraging this exploit. The first botnet began its attacks in early March, using the vulnerability to download and run a malicious script. This script then pulls down the main Mirai malware, which is designed to infect a wide range of Internet of Things (IoT) devices.

These Mirai variants, sometimes named morte, are identifiable by a unique message they display, such as lzrd here_._ These initial attacks used the same authorization details as a publicly available proof of concept (PoC) exploit, meaning attackers quickly adapted known information.

The second botnet emerged in early May 2025, also spreading a Mirai variant called resgod. This botnet caught attention because its associated online addresses (domains) featured Italian-sounding names, like gestisciweb.com, which means manage web. This could suggest the attackers are specifically trying to target devices owned by Italian-speaking users. The resgod malware itself carries the clear message, “Resentual got you!”

****Beyond Wazuh: Other Exploited Flaws****

While the Wazuh vulnerability is the primary focus, the botnets weren’t limited to it. Akamai observed these malicious groups attempting to exploit several other well-known security flaws. These included older vulnerabilities in systems like Hadoop YARN, TP-Link Archer AX21 routers (CVE-2023-1389), Huawei HG532 routers (CVE-2017-17215), and ZTE ZXV10 H108L routers (CVE-2017-18368). This shows that the attackers use a broad approach, trying to infect systems through any available weakness.

Akamai’s report warns that it remains relatively easy for criminals to reuse old malware code to create new botnets. The speed at which this Wazuh flaw was exploited after its disclosure underlines how critical it is for organizations to apply security patches as soon as they become available.

Unlike some vulnerabilities that only affect outdated devices, CVE-2025-24016 specifically targets active Wazuh servers if they are not updated. Akamai strongly advises all users to upgrade to Wazuh version 4.9.1 or later to protect their systems.

Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools…

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools by malicious groups from countries like China, Russia, North Korea, and Iran.

In a new report released earlier this week, OpenAI announced it has successfully shut down ten major networks in just three months, demonstrating its commitment to combating online threats.

The report highlights how bad actors are using AI to create convincing online deceptions. For instance, groups connected to China used AI to post mass fake comments and articles on platforms like TikTok and X, pretending to be real users in a campaign called Sneer Review.

This included a false video accusing Pakistani activist Mahrang Baloch of appearing in a pornographic film. They also used AI to generate content for polarizing discussions within the US, including creating fake profiles of US veterans to influence debates on topics like tariffs, in an operation named Uncle Spam.

North Korean actors, on the other hand, crafted fake resumes and job applications using AI. They sought remote IT jobs globally, likely to steal data. Meanwhile, Russian groups employed AI to develop dangerous software and plan cyberattacks, with one operation, ScopeCreep, focusing on creating malware designed to steal information and hide from detection.

An Iranian group, STORM-2035 (aka APT42, Imperial Kitten and TA456), repeatedly used AI to generate tweets in Spanish and English about US immigration, Scottish independence, and other sensitive political issues. They created fake social media accounts, often with obscured profile pictures, to appear as local residents.

AI is also being used in widespread scams. In one notable case, an operation likely based in Cambodia, dubbed Wrong Number, used AI to translate messages for a task scam. This scheme promised high pay for simple online activities, like liking social media posts.

The scam followed a clear pattern: a “ping” (cold contact) offering high wages, a “zing” (building trust and excitement with fake earnings), and finally, a “sting” (demanding money from victims for supposed larger rewards). These scams operated across multiple languages, including English, Spanish, and German, directing victims to apps like WhatsApp and Telegram.

OpenAI actively detects and bans accounts involved in these activities, using AI as a ‘force multiplier’ for its investigative teams, the company claims. This proactive approach often means many of these malicious campaigns achieved little authentic engagement or limited real-world impact before being shut down.

Adding to its fight against AI misuse, OpenAI is also facing a significant legal challenge regarding user privacy. On May 13, a US court, led by Judge Ona T. Wang, ordered OpenAI to preserve ChatGPT conversations.

This order stems from a copyright infringement lawsuit filed by The New York Times and other publishers, who allege OpenAI unlawfully used millions of their copyrighted articles to train its AI models. They argue that ChatGPT’s ability to reproduce, summarize, or mimic their content without permission or compensation threatens their business model.

OpenAI has protested this order, stating it forces the company to go against its commitment to user privacy and control. The company highlighted that users often share sensitive personal information in chats, expecting it to be deleted or remain private. This legal demand creates a complex challenge for OpenAI.

OpenAI Shuts Down 10 Malicious AI Ops Linked to China, Russia, Iran, N. Korea

A contract obtained by 404 Media shows that an airline-owned data broker forbids the feds from revealing it sold them detailed passenger data.

A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected US travelers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes passenger names, their full flight itineraries, and financial details.

CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police to track people of interest’s air travel across the country, in a purchase that has alarmed civil liberties experts.

The documents reveal for the first time in detail why at least one part of DHS purchased such information, and comes after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data. The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.

“The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used,” senator Ron Wyden said in a statement.

ARC is owned and operated by at least eight major US airlines, other publicly released documents show. The company’s board of directors include representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, and European airlines Lufthansa and Air France, and Canada’s Air Canada. More than 240 airlines depend on ARC for ticket settlement services.

ARC’s other lines of business include being the conduit between airlines and travel agencies, finding travel trends in data with other firms like Expedia, and fraud prevention, according to material on ARC’s YouTube channel and website. The sale of US fliers’ travel information to the government is part of ARC’s Travel Intelligence Program (TIP).

A Statement of Work included in the newly obtained documents, which describes why an agency is buying a particular tool or capability, says CBP needs access to ARC’s TIP product “to support federal, state, and local law enforcement agencies to identify persons of interest’s US domestic air travel ticketing information.” 404 Media obtained the documents through a Freedom of Information Act (FOIA) request.

The new documents obtained by 404 Media also show ARC asking CBP to “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

The Statement of Work says that TIP can show a person’s paid intent to travel and tickets purchased through travel agencies in the US and its territories. The data from the Travel Intelligence Program (TIP) will provide “visibility on a subject’s or person of interest’s domestic air travel ticketing information as well as tickets acquired through travel agencies in the U.S. and its territories,” the documents say. They add that this data will be “crucial” in both administrative and criminal cases.

A DHS Privacy Impact Assessment (PIA) available online says that TIP data is updated daily with the previous day’s ticket sales, and contains more than one billion records spanning 39 months of past and future travel. The document says TIP can be searched by name, credit card, or airline, but ARC contains data from ARC-accredited travel agencies, such as Expedia, and not flights booked directly with an airline. “If the passenger buys a ticket directly from the airline, then the search done by ICE will not show up in an ARC report,” that PIA says. The PIA notes that the data impacts both US and non-US persons, meaning it does include information on US citizens.

“While obtaining domestic airline data—like many other transaction and purchase records—generally doesn't require a warrant, there's still supposed to go through a legal process that ensures independent oversight and limits data collection to records that will support an investigation,” Jake Laperruque, deputy director of the Center for Democracy & Technology's Security and Surveillance Project, told 404 Media in an email. “As with many other types of sensitive and revealing data, the government seems intent on using data brokers to buy their way around important guardrails and limits.”

CBP’s contract with ARC started in June 2024 and may extend to 2029, according to the documents. The CBP contract 404 Media obtained documents for was an $11,025 transaction. Last Tuesday, a public procurement database added a $6,847.50 update to that contract, which said it was exercising “Option Year 1,” meaning it was extending the contract. The documents are redacted but briefly mention CBP’s OPR, or Office of Professional Responsibility, which in part investigates corruption by CBP employees.

“CBP is committed to protecting individuals’ privacy during the execution of its mission to protect the American people, safeguard our borders, and enhance the nation’s economic prosperity. CBP follows a robust privacy policy as we protect the homeland through the air, land and maritime environments against illegal entry, illicit activity or other threats to national sovereignty and economic security,” a CBP spokesperson said in a statement. CBP added that the data is only used when an OPR investigation is open, and the agency needs to locate someone related to that investigation. The agency says the data can act as a good starting point to identify a relevant flight record before then getting more information through legal processes.

On May 1, ICE published details about its own ARC data purchase. In response, on May 2, 404 Media filed FOIA requests with ICE and a range of other agencies that 404 Media found had bought ARC’s services, including CBP, the Secret Service, SEC, DEA, the Air Force, US Marshals Service, TSA, and ATF. 404 Media found these by searching US procurement databases. Around a week later, The Lever covered the ICE contract.

Airlines contacted by 404 Media declined to comment, didn’t respond, or deferred to either ARC or DHS instead. ARC declined to comment. The company previously told The Lever that TIP “was established after the Sept. 11 terrorist attacks to provide certain data to law enforcement … for the purpose of national security matters” and criminal investigations.

“ARC has refused to answer oversight questions from Congress, so I have already contacted the major airlines that own ARC—like Delta, American Airlines, and United—to find out why they gave the green light to sell their customers' data to the government,” Wyden’s statement added.

US law enforcement agencies have repeatedly turned to private companies to buy data rather than obtain it through legal processes such as search warrants or subpoenas. That includes location data harvested from smartphones, utility data, and internet backbone data.

“Overall it strikes me as yet another alarming example of how the ‘Big Data Surveillance Complex’ is becoming the digital-age version of the military-industrial complex,” Laperruque says, referring to the purchase of airline data.

“It's clear the data broker loophole is pushing the government back towards a pernicious ‘collect it all’ mentality, gobbling up as much sensitive data as it can about all Americans by default. A decade ago the public rejected that approach, and Congress passed surveillance reform legislation that banned domestic bulk collection. Clearly it's time for Congress to step in again, and stop the data broker loophole from being used to circumvent that ban,” he added.

According to ARC’s website, the company only introduced multifactor authentication on May 15.

Airlines Don’t Want You to Know They Sold Your Flight Data to DHS

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London…

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London trial. Stability AI calls the lawsuit an “overt threat” to the generative AI industry.

London’s High Court began hearing a major legal case on June 9, 2025, involving Getty Images and Stability AI. This highly anticipated trial, expected to last three weeks, is being called “the most significant case to reach the High Court” by leading intellectual property lawyers.

****The Dispute****

At the heart of the case is Getty Images’ accusation that Stability AI, a London-based developer of generative AI systems, illegally collected millions of Getty’s copyrighted images without permission, hence breaching copyright laws.

Getty, a prominent visual media company and stock photography licensor, alleges that Stability AI copied and altered content from its website, gathered via the LAION-5B dataset, which includes billions of image-text pairs scraped from various websites including Getty’s, to train its Stable Diffusion model. This model can create new, synthetic images based on user commands.

Getty points to Stability AI’s UK presence and English-language website as evidence of targeting UK users, arguing that Stability altered its content by adding noise and creating further copies during the decoding process for training, all without consent.

Additionally, Getty claims that not just images created by Stable Diffusion copied significant portions of their copyrighted content, these sometimes even displayed Getty’s watermarks. They also allege that if users provide Getty images as prompts, the AI’s output can be almost identical.

This landmark case extends beyond just copyright. Getty also alleges trademark infringement and database rights infringement. They claim Stability AI used Getty’s registered trademarks, “GETTY IMAGES” and “ISTOCK” in both the training data and the generated outputs.

****Stability AI’s Counter Claims:****

Stability admits using some Getty images for training but argues the training happened outside the UK. It denies infringement, stating that it didn’t use Getty’s trademarks in the course of trade and its generated images don’t use Getty’s copyrighted works, so, any similarities are accidental since users are responsible for any copying, not the platform itself.

Additionally, Getty’s claim that Stability AI unlawfully extracted and reused a significant portion of its database content for AI training, is challenged by questioning the validity of Getty’s asserted database rights.

Stability lawyer Hugo Cuddigan states that Getty’s lawsuit is “an overt threat” to its business and the broader generative AI industry. Its spokesperson claims that artists using their tools are creating works based on “collective human knowledge,” which aligns with “fair use and freedom of expression.”

However, Lindsay Lane, Getty Images’ lawyer, clarified that their case is not against technology but against the use of copyrighted works “without payment,” asserting that AI and creative industries can coexist.

****Impact on AI and Creativity****

This case has emerged at a time when creative industries are grappling with the implications of AI models trained on existing copyrighted material. Legal experts believe this case is expected to deliver one of the first substantive judgments in the global wave of AI-related intellectual property disputes.

Legal expert Iain Connor, an intellectual property partner at Michelmores LLP, shared his comment with Hackread.com, emphasizing the case’s importance in setting boundaries for copyright in the AI era.

“This is the most significant AI case to reach the English High Court. The legal community is waiting with bated breath to see how far the judgment will go to rule on the legality or otherwise of the use of AI models.”

“The case is much more nuanced than ‘big tech vs creative industries’ and the legal arguments are even more nuanced as one of the big issues to be determined is ‘where did the ingestion of information which allegedly infringes Getty Images take place?” added Iain.

“The judge may take the opportunity to rule widely on the lawfulness of AI’s use of ‘input materials” and whether “AI output” infringes third-party rights,” he explained. _“_Alternatively, the decision could be a damp squib and deal with the case on the narrow jurisdictional issue of where Stability AI trained its AI model which, if outside the UK, could leave us without a meaningful verdict.”

Tag

#intel