Threat Intel

Follow @ekiledjian on Micro.blog.

From credentials to cloud admin in 8 minutes: AI supercharges AWS attack chain | CSO Online

A recent attack demonstrated how AI-assisted attackers can weaponize exposed AWS credentials and permissive roles to gain full administrative control in under eight minutes. The attackers exploited a public S3 bucket containing credentials, escalated privileges through a Lambda function, moved laterally across multiple principals, and abused cloud resources for GPU workloads, highlighting the drastically reduced attack lifecycle due to AI automation.

→ 12:50 PM, Feb 3

Foxit PDF Editor Vulnerabilities Let Attackers Execute Arbitrary JavaScript

Critical cross-site scripting (XSS) vulnerabilities, CVE-2026-1591 and CVE-2026-1592, in Foxit PDF Editor Cloud allow attackers to execute arbitrary JavaScript code by exploiting insecure handling of file attachments and layer names. Foxit has released security patches, with automatic updates for the Cloud version and desktop users advised to update manually.

→ 12:48 PM, Feb 3

Hackers Exploiting React Native’s Metro Server in the Wild to Attack Developers

Hackers are actively exploiting a critical remote code execution vulnerability (CVE-2025-11953) in React Native’s Metro Development Server to deliver malware on Windows and Linux systems. The vulnerability, dubbed Metro4Shell, stems from an OS command injection flaw in the /open-url endpoint and has a critical CVSS score of 9.8, yet exploitation is occurring before widespread public awareness.

→ 12:46 PM, Feb 3

Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution via Image Metadata

A critical vulnerability named DockerDash in Docker’s Ask Gordon AI assistant allowed code execution and data exfiltration by exploiting unverified image metadata. Docker has since patched this flaw in version 4.50.0.

→ 12:45 PM, Feb 3

UK investigating first suspected breach of cyber sanctions | The Record from Recorded Future News

The UK is investigating its first suspected breaches of cyber sanctions since the regime began over five years ago, with up to five potential violations involving financial services firms. This marks the first known suspected breaches, following improvements in the Office of Financial Sanctions Implementation (OFSI) monitoring capabilities.

→ 12:44 PM, Feb 3

Iron Mountain: Data breach mostly limited to marketing materials

Iron Mountain states that a data breach claimed by the Everest extortion gang was limited to a single folder of marketing materials shared with third-party vendors. The company confirmed that no customer confidential or sensitive information was involved, and no other Iron Mountain systems were breached, with no ransomware or malware deployed.

→ 12:43 PM, Feb 3

An AI plush toy exposed thousands of private chats with children | Malwarebytes

The Bondus AI plush toy exposed approximately 50,000 private chats between children and their toys through an unsecured web console, revealing sensitive personal information. While Bondus implemented fixes and security measures, the incident highlights the privacy risks associated with AI-powered children’s toys, emphasizing the need for parental oversight and skepticism.

→ 12:42 PM, Feb 3

Russian Hacker Alliance Targeting Denmark in Large-Scale Cyberattack

A new Russian hacker alliance, Russian Legion, has launched a large-scale cyberattack against Denmark, targeting critical infrastructure and government services with DDoS attacks. The group demands Denmark withdraw military aid to Ukraine, threatening further action if ignored.

→ 9:45 PM, Feb 2

DynoWiper Data-Wiping Malware Attacking Energy Companies to Destroy Data

A new data-wiping malware named DynoWiper is targeting energy companies in Poland, aiming to destroy critical data rather than encrypt it for ransom. This sophisticated malware, attributed to the Russia-aligned Sandworm threat group, was deployed using Active Directory exploitation and shares similarities with the ZOV wiper.

→ 9:43 PM, Feb 2

Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users

A security audit of ClawHub skills revealed 341 malicious skills designed to steal data from OpenClaw users, with 335 of them using fake prerequisites to install a macOS stealer named Atomic Stealer (AMOS), codenamed ClawHavoc. OpenClaw’s creator has since implemented a reporting feature to help mitigate the issue of malicious skills being uploaded to the platform.

→ 9:42 PM, Feb 2

Mozilla announces switch to disable all Firefox AI features

Mozilla is introducing new controls in Firefox 148, rolling out February 24th, allowing users to disable all AI features or manage them individually. This update responds to user feedback and ensures users have agency over AI integration, with options to block or enable features like translation, image alt text generation, and chatbot access.

→ 9:41 PM, Feb 2

Ex-Google Engineer Convicted of Stealing AI Data for China

A former Google engineer, Linwei Ding, has been convicted of stealing thousands of pages of confidential AI data and transferring it to Chinese technology companies. He faces decades in prison for economic espionage and trade secret theft, having used the stolen information to establish competing ventures in China.

→ 9:39 PM, Feb 2

Phishing Scam Uses Clean Emails and PDFs to Steal Dropbox Logins – Hackread – Cybersecurity News, Data Breaches, AI, and More

A new phishing scam uses clean emails with PDF attachments that contain hidden links, leading victims to fake Dropbox login pages hosted on Vercel cloud storage to steal credentials. The stolen data is then sent to a Telegram bot for the attackers.

→ 9:38 PM, Feb 2

GitHub - RootUp/claude-poc: Claude Code Remote Code Execution

A GitHub post details a code execution vulnerability in the claude-poc repository, specifically within the apiKeyHelper script. This script, designed to generate authentication headers, can be abused because it accepts and executes system commands, potentially leading to silent code execution if the parent folder is already trusted.

→ 9:36 PM, Feb 2

Panera Bread breach affected 5.1 Million accounts, HIBP Confirms

A Panera Bread breach impacted 5.1 million accounts, according to Have I Been Pwned, with attackers claiming to have accessed data using a compromised Microsoft Entra SSO code. The exposed information primarily consists of contact details, and Panera Bread has notified authorities.

→ 9:35 PM, Feb 2

Russian hackers exploit recently patched Microsoft Office bug in attacks

Russian hackers, identified as APT28, are actively exploiting a recently patched Microsoft Office vulnerability (CVE-2026-21509) to deploy malware, including the COVENANT framework, via malicious documents. These attacks, targeting Ukrainian and other EU organizations, utilize a complex download chain involving COM hijacking and cloud storage for command-and-control.

→ 9:34 PM, Feb 2

Spain Ministry Data Breach: Actor Claims IDOR Hack - TechNadu

A threat actor known as GordonFreeman claims to have breached Spain’s Ministry of Science, Innovation, and Universities by exploiting an IDOR vulnerability and leaked credentials. The alleged breach reportedly exposed sensitive data including passport scans, DNI/NIE records, academic transcripts, and financial information.

→ 12:24 PM, Feb 2

Match, Hinge, OkCupid, and Panera Bread breached by ransomware group | Malwarebytes

The ShinyHunters ransomware group has claimed responsibility for data breaches affecting Match Group and Panera Bread, compromising millions of user records. While Match Group’s breach involves user PII and tracking data, Panera Bread’s breach also exposed PII, though both companies state that sensitive information like login credentials and financial data were not accessed.

→ 6:03 PM, Feb 1

New Apple privacy feature limits location tracking on iPhones, iPads

Apple’s new “Limit Precise Location” feature, available on select iPhone and iPad models with iOS 26.3+, restricts the location data mobile carriers can access via cell tower connections, offering a more approximate location instead of precise addresses. This privacy enhancement does not affect location sharing with emergency responders or apps like Find My, but its availability depends on carrier support and is currently limited to a few networks globally.

→ 6:01 PM, Feb 1

Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks

A critical SQL injection vulnerability (CVE-2025-26385) with a maximum CVSS score of 10.0 affects multiple Johnson Controls products, including Application and Data Server (ADS) and Extended Application and Data Server (ADX), allowing remote attackers to execute arbitrary SQL commands without authentication. The vulnerability impacts systems used in critical infrastructure sectors such as commercial facilities, energy, government, and transportation, and CISA recommends network isolation, firewalls, and VPNs for mitigation.

→ 6:00 PM, Feb 1

Exposed MongoDB instances still targeted in data extortion attacks

A single threat actor is actively targeting exposed MongoDB instances in automated data extortion attacks, demanding around $500 in Bitcoin for data restoration. Researchers found that nearly half of publicly accessible MongoDB servers were compromised, with ransom notes indicating a single attacker responsible for the majority of attacks.

→ 5:59 PM, Feb 1

depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys

A critical 1-Click Remote Code Execution (RCE) vulnerability has been discovered in OpenClaw (formerly Moltbot), an AI personal assistant trusted by over 100,000 developers. The exploit, chained by Mav Levin, leverages a logic flaw identified by depthfirst that allows an attacker to steal authentication tokens and execute arbitrary code on a victim’s machine with a single click on a malicious webpage. The vulnerability has been patched, and users are advised to upgrade and rotate tokens if compromised.

→ 5:58 PM, Feb 1

Comcast agrees to $117.5 million settlement to resolve lawsuits over 2023 Citrix Bleed data breach – DataBreaches.Net

Comcast has reached a preliminary $117.5 million settlement to resolve lawsuits stemming from a 2023 data breach that affected over 30 million customers. If finalized, the settlement would offer impacted individuals three years of identity-theft protection and either expense reimbursement up to $10,000 or a $50 cash payment, though Comcast denies liability.

→ 11:43 AM, Feb 1

BD: 14,000 journos’ personal data leaked online – DataBreaches.Net

The personal data of approximately 14,000 journalists, including their National ID numbers and mobile phone numbers, was exposed online due to a technical failure at the Bangladesh Election Commission’s website. The breach occurred on the EC’s portal for modernizing the accreditation process, and access was disabled shortly after the vulnerability was discovered.

→ 11:42 AM, Feb 1

Nobel Hacking Likely Leaked Peace Prize Winner Name, Probe Finds - Slashdot

An investigation by the Norwegian Nobel Institute suggests that a hacking of their computer systems likely led to the premature leak of Maria Corina Machado as the Nobel Peace Prize winner. This leak caused an unusual surge in betting on Machado hours before the official announcement, despite her not being a previous favorite for the award.

→ 11:40 AM, Feb 1