ChatGPT crawler flaw opens door to DDoS, prompt injection • The Register - OpenAI’s web crawler has been weaponized by researchers, who generated 20 to 5k requests per single API call to the crawler.
GM settles charges it shared driver location data • The Register - GM collected up-to-the-second GPS data from vehicles, then sold it to insurance companies to justify raising their premiums.
Fortinet: FortiGate config leaks are genuine but misleading • The Register - 15k Fortinet routers hacked; downloads of the Fortinet configs, as well as credentials for the VPN users, were made available. Iran was the only country not included in the breach, which is either because it was an Iranian threat actor or because someone wanted to make it look like an Iranian threat actor. The TA’s name “Belsen Group” appears to be a reference to the infamous concentration camp Bergen-Belsen.
MikroTik botnet uses misconfigured SPF DNS records to spread malware - SPF records that include +all can be overly permissive, in this case allowing 20k domains to be spoofed.
CISA shares guidance for Microsoft expanded logging capabilities - Microsoft is expanding its logs, and CISA has a 60-page workbook (PDF) to help you make sense of them.
Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers -
- CVE-2024-7595 (GRE and GRE6)
- CVE-2024-7596 (Generic UDP Encapsulation)
- CVE-2025-23018 (IPv4-in-IPv6 and IPv6-in-IPv6)
- CVE-2025-23019 (IPv6-in-IPv4)
“An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers,” Top10VPN’s Simon Migliano explained.
Over 660,000 Rsync servers exposed to code execution attacks - Rsync has a bunch of vulns, the highest being a 9.8. Patch now.
Good Hackers
Hackers game out infowar against China with the US Navy • The Register - US hackers working with the Taiwanese military to stave off Chinese attacks.
FCC CALEA
Salt Typhoon spies spotted on US govt networks before telcos • The Register
FCC says US telcos by law must secure networks from spies • The Register - FBI reckons Salt Typhoon stole months of their agents’ calls and text logs, according to Bloomberg, which cited a document that stated the crew compromised all FBI devices that were using AT&T’s service for public safety agencies.
Treasury sanctions Salt Typhoon hacking group behind breaches of major US telecom firms | TechCrunch
Executive Orders
Biden signs executive order to bolster national cybersecurity
- Improving cybersecurity against cyberattacks that disrupt the delivery of critical services
- Improving the security and integrity of software used by the Federal Government
- Improving cybersecurity across federal systems by adopting proven security practices from industry
- Securing Federal Government communications against adversarial nations and criminals
- Accepting digital identity documents to combat cybercrime and fraud
- Promoting security with and in Artificial Intelligence (AI)
- Aligning federal agencies’ investments and priorities to improve security controls
FTC GoDaddy
FTC orders GoDaddy to fix poor web hosting security practices - According to a proposed settlement order, the FTC will require GoDaddy to establish a robust information security program and will prohibit the company from misleading customers about its security protections. The order also mandates that GoDaddy hire an independent third-party assessor to conduct biennial reviews of its information security program. The company is also required to add mandatory MFA for all customers, employees, and contractors’ staff “to any Hosting Service supporting tool or asset, including connecting to any database” and “at least one method that does not require the customer to provide a telephone number, such as by integrating authentication applications or allowing the use of security key.”
PlugX Malware
FBI deletes Chinese PlugX malware from thousands of US computers - US computer users may get a notification from their ISP that they were infected and that their computer was cleaned… by the FBI, of malware that’s been making the rounds since 2008.