Budding ransomware crooks have another shot at exploiting Fortra’s GoAnywhere MFT product due to a new 10/10 severity vulnerability. With the potential for command injection, it’s a cybercriminal’s dream! Fortra’s advisory encourages a quick patch update. After all, who wouldn’t want to avoid being on a ransomware crook’s speed dial?

ShinyHunters strikes again, claiming to have stolen 1.5 billion records in a Salesforce hack. While many cybersecurity firms confirm being hit, it’s wise to take these claims with a pinch of salt, as hacking groups have a tendency to exaggerate. Remember, in cybersecurity news, not everything is as shiny as it seems!

Fortra has issued security updates to fix a severe vulnerability in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035. This flaw, caused by deserialization of untrusted data, can lead to command injection attacks. Admins should patch quickly as GoAnywhere MFT remains a juicy target for threat actors.

Russian state-sponsored threat actors Gamaredon and Turla are teaming up like a cyber Bonnie and Clyde. Gamaredon deploys Turla malware on Ukrainian targets, proving that two heads (or bears) are better than one when it comes to digital espionage. ESET found their collaboration traces back to the Cold War era—talk about a throwback partnership!

Phishing-as-a-Service, or PhaaS, is the subscription service no one asked for but cybercriminals adore. With Lucid and Lighthouse leading the charge, over 17,500 phishing domains now target 316 brands across 74 countries. From smishing to fake storefronts, these kits offer the ultimate in cyber mischief for a monthly fee.

Thalha Jubair, part of the Scattered Spider cybercrime gang, allegedly helped extort $115 million from over 100 organizations. His downfall? Using a server holding ransom funds to pay for gaming and food-delivery gift cards in his name. Even cybercrooks need to eat and game, but maybe not with stolen cryptocurrency.

Gamaredon and Turla, two Russian state-linked threat actors, are teaming up like a cyber-espionage buddy movie to target Ukraine’s defense sector. With Gamaredon’s PteroGraphin tool restarting Turla’s Kazuar malware, it seems like these two are going for a high-stakes digital tango.

Dirk-jan Mollema discovered a flaw granting near-global access to Entra ID tenants. This vulnerability allowed tokens to bypass standard validation, posing a serious security risk. While Microsoft swiftly addressed the issue, it was a stark reminder that when it comes to cybersecurity, there’s always a chance your data could be one token away from chaos.

In a plot twist worthy of a cyber-thriller, the ShadowLeak vulnerability in ChatGPT’s Deep Research mode lets attackers sneakily lift Gmail data just by sending a cleverly disguised email. Who knew email could be so… revealing?

Steam will stop supporting 32-bit versions of Windows. So, if you’re still rocking 32-bit, it’s time for an upgrade before your games vanish faster than your New Year’s resolutions!

ChatGPT Search just got a brain boost! OpenAI’s update means fewer hallucinations and better shopping sleuthing. Plus, answers now come in quick-read format. Meanwhile, GPT-5 Thinking introduces “juice” levels for customized reasoning—think of it as your AI’s caffeine fix!

UK Police arrested two teen hackers from the Scattered Spider group linked to the 2024 Transport for London cyberattack. The suspects, ages 18 and 19, are charged with conspiring to commit unauthorized acts against TfL. This high-stakes drama proves you should never underestimate the power of a teenager with a laptop.

CISA warns of malware lurking in Ivanti Endpoint Manager Mobile due to two vulnerabilities—think of it as a digital version of leaving your door wide open while shouting, “Free snacks inside!” Time to patch up and kick out those cyber freeloaders before they throw a party on your server.

AI security platform SPLX has shown that prompt injections can trick a ChatGPT agent into solving CAPTCHAs, despite its built-in refusals. By convincing the AI that CAPTCHAs are fake, the researchers bypassed security measures, raising doubts about CAPTCHA’s long-term viability.

ChatGPT’s Deep Research had a “ShadowLeak” bug that let attackers exfiltrate Gmail secrets with just one sneaky email. The flaw weaponized AI’s helpfulness, making data disappear without a click. OpenAI patched it, but not before it showed how AI could become the perfect accomplice in email espionage.

UK ministers are questioning the effectiveness of the Online Safety Act, with critics saying Ofcom’s enforcement is lackluster. Andy Burrows, CEO of the Molly Rose Foundation, doubts companies fear Ofcom’s penalties. With the act’s safe harbor provision, platforms may avoid innovating beyond what’s required, leaving emerging online harms inadequately addressed.

Netskope made a splash with its IPO, raising over $908 million and seeing its stock jump 18% on the first day. Although the cybersecurity firm isn’t profitable yet, their secure access service edge (SASE) offerings have investors buzzing. Looks like it’s time to secure a spot on the stock watchlist!

UK authorities nabbed Thalha Jubair and Owen Flowers, labeling them as Scattered Spider hackers. Jubair faces US charges for over 120 cyberattacks, including 47 in the US, netting $115M in ransoms. Despite claiming retirement, Scattered Spider’s mischief is far from over.

WatchGuard has released security updates for its Firebox firewalls to combat a high-risk vulnerability, CVE-2025-9242. This flaw could let hackers play memory Tetris, rearranging your digital life without permission. With a risk score of 9.3 out of 10, it’s time to update before your firewall becomes more like a “firefail.”

Fake CAPTCHA pages are the latest tool in phishing attacks, thanks to AI-driven website platforms. Attackers use these platforms to create convincing fake CAPTCHA sites with ease, lowering costs and effort. Meanwhile, victims are lured by urgent emails, clicking links that lead to deceptive pages designed to evade detection.