31 October 2025

5 min read

US defense contractor charged with selling trade secrets | Cyber Intelligence Briefing: October 31, 2025


Top news stories this week

  1. US cyber secrets sold! US defense contractor charged with selling trade secrets
  2. Data dig. Exposed database reveals sensitive data of US House of Representatives applicants. 
  3. Fake breach. Google corrects claims about origin of breached credentials.
  4. Clear and present. Notorious cybercrime forum is back (again).
  5. Ghost writer. Android banking malware mimics human behaviour to evade detection. 
  6. Patch now. Critical Microsoft WSUS vulnerability is being actively exploited.

1.  US defense contractor charged with selling cyber trade secrets to Russia 

Authorities have charged a former executive of the US defense contractor L3Harris Trenchant with selling trade secrets to a Russia-based buyer for USD 1.3 million. L3Harris’s cyber division provides hacking tools and communications equipment for US national security operations.

So what?

Nefarious actors gaining knowledge of hacking tools used by US and other countries' intelligence services could facilitate attacks on federal systems and give adversaries opportunities to prepare their defenses.

[Researcher: Steve Ross]


2. Details of US government job applicants exposed online 

A database containing the personal details of over 7,000 applicants for roles with Democrats in the US House of Representatives was left publicly exposed on the internet. The data allegedly included details of more than 450 people holding ‘top secret’ US government security clearances. An investigation is currently underway to review and remediate security vulnerabilities on the affected website.

So what?

Regular audits of databases storing sensitive information are essential to identify misconfigurations and prevent unauthorized access.

[Researcher: Adelaide Parker]


3. Google corrects claims about origin of breached credentials

Google has denied claims of a data breach affecting over 180 million Gmail accounts, stating that the accusations are false. According to the company, the confusion stems from a misunderstanding involving a collection of breached credentials gathered from various sources, rather than any single recent incident. 

So what?

Organizations should monitor dark web sources for leaked credentials containing their domain to detect and respond to potential account takeover.

[Researcher: Jenny Eysert]
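As an added example (not from the briefing or from S-RM), the Python below implements the kind of domain-scoped check described above: it parses a constructed credential dump in the mixed line formats such aggregated collections use, keeps only accounts in the domains you monitor, and records a hash fingerprint rather than the plaintext password so hits can be tracked across dumps without retaining secrets. The dump contents, domains and account names are all invented.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a "combolist"-style credential dump (fictional
# accounts and passwords), in the mixed formats such dumps typically use.
SAMPLE_DUMP = """\
alice@example.com:Winter2024!
bob@example.com;hunter2
https://login.example.com/:carol@example.com:Summer!23
Alice@Example.com:Winter2024!
mallory@other.test:letmein
garbage line without a separator
dave@corp.example.org:Pa55word
"""

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def parse_line(line):
    """Return (email, password) from one dump line, or None if unparseable.

    Handles 'email:password', 'email;password' and 'url:email:password'.
    The password is everything after the email's separator, so passwords
    that themselves contain ':' survive intact.
    """
    m = EMAIL_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    if not rest or rest[0] not in ":;":
        return None
    password = rest[1:].strip()
    if not password:
        return None
    return m.group(1).lower(), password


def fingerprint(password):
    """Short SHA-256 prefix: lets hits be correlated across dumps without
    ever storing or displaying the plaintext password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_exposed_accounts(dump_text, monitored_domains):
    """Map each monitored account seen in the dump to the set of distinct
    password fingerprints found for it (emails compared case-insensitively)."""
    domains = {d.lower() for d in monitored_domains}
    hits = defaultdict(set)
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not credential pairs
        email, password = parsed
        if email.rsplit("@", 1)[1] in domains:
            hits[email].add(fingerprint(password))
    return dict(hits)
```

Each account in the result is a candidate for forced password reset and login-anomaly review; the number of distinct fingerprints per account indicates how many different passwords have been exposed.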


4. Notorious cybercrime forum is back (again) 

The infamous cybercrime forum BreachForums has resurfaced with a twist. The forum now operates on a clearnet domain, making it accessible without specialised tools. This shift to a clearnet platform, along with “-as-a-service” offerings, highlights a trend towards increased accessibility for potential criminals.

So what?

Lowering barriers to entry by moving to accessible platforms and offering turnkey criminal services will likely increase both the volume and diversity of cybercrime in the near future.

[Researcher: Lester Lim]


5. Banking malware Herodotus targets Android devices  

A new Android banking malware named Herodotus can evade detection by mimicking human behavior, such as incorporating random pauses during typing, while remotely controlling infected devices. Spread through SMS messages that trick users into installing it, Herodotus targets banking apps by overlaying fake interfaces to steal credentials and intercept SMS passcodes.

So what?

This development highlights the need for organizations to invest in security solutions with behavioral analytics capabilities, as well as multi-layered authentication beyond SMS-based verification.

[Researcher: Lena Krummeich]


6. Critical Microsoft WSUS vulnerability is being actively exploited

Security researchers warn that threat actors are actively exploiting a critical-severity Windows Server Update Services (WSUS) vulnerability, tracked as CVE-2025-59287. The vulnerability enables remote execution without user interaction or administrative privileges, allowing for low-complexity attacks. Microsoft has released security updates for the affected WSUS versions and provided workarounds for administrators unable to install these emergency patches.

So what?

Security teams should apply the emergency patches immediately, as threat actors are actively scanning the internet indiscriminately to identify and exploit vulnerable organisations.

[Researcher: Milda Petraityte]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
