Infosec News
-
OpenAI GPT-5 - Mixed User Reception
GPT-5 is now the default in ChatGPT, with selectable “thinking” modes and an auto-router. After user backlash, OpenAI restored legacy GPT-4-series models behind a toggle and promised better deprecation hygiene. “Thinking” usage now has a 3,000-per-week cap for paid Plus users.
Early writeups and reporting show jailbreakability remains (narrative/multi-turn attacks still work).
Backlash on removals/personality: Users complained about 4o being pulled and GPT-5 feeling “colder.” OpenAI rolled 4o back (opt-in) and pledged advance notice before removing models next time; personality tweaks inbound.
Media/dev takes: Coverage spans “smarter coding/agents, messier lineup.” BleepingComputer called the new menu “a mess (again)” after OpenAI added options while saying GPT-5 would simplify things.
OpenAI’s claims: Fewer hallucinations, better instruction-following, less sycophancy; strongest coding model to date.
Sources:
- https://help.openai.com/en/articles/11909943-gpt-5-in-chatgpt
- https://www.bleepingcomputer.com/news/artificial-intelligence/openai-adds-new-gpt-5-models-restores-o3-o4-mini-and-its-a-mess-all-over-again/
- https://www.thestack.technology/chatgpt-capacity-tradeoffs-gpt5-bumpy-rollout/
- https://thehackernews.com/2025/08/researchers-uncover-gpt-5-jailbreak-and.html
-
Storm0501 Ransomware Gang Wipes Data and Backups in Azure
A financially motivated threat group known as Storm0501 has executed one of the most destructive cloud ransomware attacks seen to date. According to Microsoft Threat Intelligence, the group infiltrated a large enterprise operating multiple subsidiaries and successfully pivoted from on-premises systems into Microsoft Azure.
Once inside, Storm0501 exfiltrated large volumes of data using the AzCopy CLI tool before deleting backups and encrypting what remained. The attackers exploited weaknesses in Microsoft Entra ID by compromising synchronization servers and abusing a non-human global administrator account that lacked multifactor authentication. With full global admin access, the group granted itself ownership of Azure subscriptions, stole storage account keys, and ultimately wiped or encrypted critical resources.
This tactic prevented the victim from restoring operations, forcing them into a difficult recovery scenario. The incident shows how ransomware actors are evolving beyond traditional malware and now weaponizing cloud features to maximize damage.
Microsoft has warned that other threat groups are likely to adopt these same methods and recommends several defensive measures. Organizations should enforce least privilege across Azure environments, enable blob and VM backups, log activity in Key Vault, and harden hybrid cloud attack paths.
Storm0501 has previously targeted schools and healthcare organizations, and with this latest pivot to cloud-only operations the group has raised the stakes for enterprises everywhere.
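The chain above (Owner grant, storage key theft, backup deletion, all by one identity in a short window) is what a defender wants to correlate in Azure Activity Log. The following is an added example, not Microsoft's code or the original post's; it uses a constructed, simplified record schema (the real log nests these fields), and the ARM operation names in STAGES are assumed to stand in for each stage.

```python
"""Correlate Azure Activity Log events into the Storm-0501 chain:
Owner grant -> storage key listing -> backup deletion by one caller within a window.
Added example over a constructed, simplified record schema (not Microsoft's)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ARM operation names for each stage of the chain; extend to taste.
STAGES = {
    "Microsoft.Authorization/roleAssignments/write": "escalate",
    "Microsoft.Storage/storageAccounts/listKeys/action": "steal_keys",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete": "destroy",
}
CHAIN = {"escalate", "steal_keys", "destroy"}

def stage_of(event):
    """Map one event to a chain stage; only Owner grants count as escalation."""
    stage = STAGES.get(event["operationName"])
    if stage == "escalate" and event.get("role") != "Owner":
        return None
    return stage

def find_chains(events, window_hours=24):
    """Return {caller: [stages in order]} for callers completing the whole chain."""
    by_caller = defaultdict(dict)  # caller -> {stage: first time seen}
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("status") != "Succeeded":
            continue  # failed attempts deserve their own alert, but are not chained here
        stage = stage_of(e)
        if stage:
            by_caller[e["caller"]].setdefault(stage, datetime.fromisoformat(e["time"]))
    hits = {}
    for caller, seen in by_caller.items():
        if CHAIN.issubset(seen):
            times = sorted(seen.values())
            if times[-1] - times[0] <= timedelta(hours=window_hours):
                hits[caller] = sorted(seen, key=seen.get)
    return hits

EVENTS = [  # constructed sample events; the non-human sync admin is the attacker path
    {"time": "2025-08-20T01:05:00", "caller": "svc-entra-sync@corp.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "role": "Owner"},
    {"time": "2025-08-20T01:20:00", "caller": "svc-entra-sync@corp.example", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"time": "2025-08-20T03:40:00", "caller": "svc-entra-sync@corp.example", "status": "Succeeded",
     "operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete"},
    {"time": "2025-08-20T09:00:00", "caller": "alice@corp.example", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action"},
]
```

A lone listKeys call (alice) is routine and is not flagged; the sync account completing all three stages within the window is.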
Sources:
-
RAID Failure Causes Matrix.org Outage - Sep 2–3, 2025
What happened: On Sep 2, a RAID failure took out Matrix.org’s DB secondary (11:17 UTC), and later the primary failed (17:26 UTC). Engineers abandoned an unsafe filesystem recovery and instead restored a full 55 TB PostgreSQL snapshot from the previous night, rebuilt the DB, and replayed queued traffic. The homeserver came back online around 17:00 UTC on Sep 3 and was then monitored as it caught up.
Who was affected: Users on the matrix.org homeserver (e.g., @user:matrix.org) lost service during the restore/catch-up window. Folks running their own homeservers were not impacted.
Timeline (UTC):
- Sep 2, 11:17 — DB secondary lost its filesystem due to a RAID failure.
- Sep 2, 17:26 — DB primary failed.
- Sep 2, 17:39 — Incident acknowledged on the status page (“identified an issue with the matrix.org database”).
- Sep 2, 19:02 — Public post confirms RAID failure + plan (point-in-time restore).
- Sep 2, 19:42 — Begin restoring from backup; matrix.org homeserver kept offline.
- Sep 2, 21:41 — “Bad news”: switching to full 55 TB snapshot restore.
- Sep 3, 07:13 — Progress: 47 TB/55 TB restored; still need DB rebuild + ~17 h traffic replay.
- Sep 3, 08:49 — Status page: restoration ongoing; live-updates link shared.
- Sep 3, 10:56 — “Snapshot + incrementals restored; about to replay remaining traffic” (ETA 3–4 h if all goes well).
- Sep 3, 17:00 — matrix.org back online (reported).
- Sep 3, 17:03 — Status: “Database restored; verification complete; Synapse started” — monitoring.
- Sep 3, 17:37 — Continued monitoring.
Sources:
- Incident history timestamps: https://status.matrix.org/incidents/mm9hdm78svgv
- Matrix.org Mastodon updates (Sep 2–3, 2025):
- Live update link shared by Matrix.org: https://bsky.app/profile/matrix.org/post/3lxuslbzjuc2t
-
Plex Breached... Again - Reset Your Passwords Now
Plex has been breached again: change your password and sign out everywhere.
Plex says an attacker got into one of its databases and pulled a limited set of user data: emails, usernames, hashed passwords, and authentication data. No payment information was stored. Plex is telling all users to reset their password, tick “Sign out connected devices” during the reset, then re-enable 2FA. If you use SSO, sign out of all devices from your account security page. Expect phishing around this; Plex won’t ask for your password or card details by email.
This mirrors the 2022 incident, so treat it seriously.
Sources:
-
WhatsApp Zero-Click Hack - CVE-2025-55177
A recently patched zero-click exploit in WhatsApp (CVE-2025-55177), combined with an Apple OS flaw (CVE-2025-43300), allowed attackers to silently install spyware on iOS and macOS devices. The campaign ran for 90 days and targeted fewer than 200 people worldwide, mainly activists and journalists. Victims’ messages, photos, locations, and device data could be exposed without any user action. While the general user base was not affected, the flaw remained dangerous until it was fixed.
Sources:
-
Plot to Cripple NYC Cell Networks Foiled by U.S. Secret Service
The U.S. Secret Service uncovered a massive underground telecom operation just days before the UN General Assembly in Manhattan. Agents seized more than 300 SIM servers and over 100,000 SIM cards hidden across multiple sites within 35 miles of the UN headquarters.
According to officials, the devices had the ability to launch devastating telecom attacks, from spamming up to 30 million texts per minute to jamming 911 lines and disabling cell towers. Investigators say such an attack could have paralyzed New York’s communications network, echoing the cellular outages that followed 9/11.
Authorities are probing possible foreign government links. The timing and sophistication raised concerns about espionage, with experts suggesting state-level actors like Russia or China could be behind it. The Secret Service launched the investigation earlier this year after telecom threats were made against senior U.S. officials.
Rows of servers and shelves stacked with SIM cards were discovered, many already activated. Officials warn the system could have been used for encrypted communication between organized crime, cartels, or even terrorist groups. Forensics teams now face the daunting task of analyzing 100,000 devices to trace connections.
Sources:
-
Akira Ransomware Bypassing MFA on SonicWall VPNs
Akira ransomware operators are still hitting SonicWall SSL VPNs, even when OTP-based MFA is enabled.
Key points:
- Root cause linked to CVE-2024-40766, an access control flaw exploited in 2024.
- Attackers appear to have stolen both credentials and OTP seeds during earlier breaches.
- MFA bypass observed: multiple OTP prompts issued, then successful logins.
- Once inside, actors quickly scan networks, enumerate AD, and target Veeam servers for stored creds.
- BYOVD attacks used to kill endpoint protection via vulnerable drivers like rwdrv.sys.
- Even patched SonicOS 7.3.0 devices are being impacted.
Mitigation:
- Reset all VPN credentials, rotate MFA seeds, and monitor login patterns for anomalies. Backup servers should be treated as high-risk targets.
- MFA cannot protect against stolen seeds. If your SonicWall appliance ever ran vulnerable firmware, reset everything.
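The “multiple OTP prompts, then a successful login” pattern above is something VPN logs can surface even though the OTP itself validates. The following is an added example, not SonicWall's or the original post's; it assumes a constructed, simplified one-line-per-event log format (real SonicOS syslog differs) and flags a success preceded by a burst of OTP challenges for the same user and source.

```python
"""Flag SSL-VPN logins matching the Akira/SonicWall MFA-bypass pattern: several OTP
challenges for one user/source shortly before a successful login.
Added example over a constructed, simplified log format (not SonicWall's syslog)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) event=(\S+)$")

def parse(line):
    """Parse one constructed 'ts user= src= event=' line; None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, src, event = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "event": event}

def suspicious_logins(lines, min_challenges=3, window_min=5):
    """Return (user, src, login time) for each login_success preceded by at least
    min_challenges otp_challenge events from the same user/source within window_min."""
    window = timedelta(minutes=window_min)
    recent = defaultdict(list)  # (user, src) -> timestamps of pending OTP challenges
    hits = []
    for rec in sorted(filter(None, map(parse, lines)), key=lambda r: r["time"]):
        key = (rec["user"], rec["src"])
        if rec["event"] == "otp_challenge":
            recent[key].append(rec["time"])
        elif rec["event"] == "login_success":
            in_window = [t for t in recent[key] if rec["time"] - t <= window]
            if len(in_window) >= min_challenges:
                hits.append((rec["user"], rec["src"], rec["time"].isoformat()))
            recent[key].clear()  # a completed login closes the challenge run
    return hits

LOG = """\
2025-09-10T02:14:05Z user=jdoe src=203.0.113.7 event=otp_challenge
2025-09-10T02:14:20Z user=jdoe src=203.0.113.7 event=otp_challenge
2025-09-10T02:14:33Z user=jdoe src=203.0.113.7 event=otp_challenge
2025-09-10T02:14:40Z user=jdoe src=203.0.113.7 event=login_success
2025-09-10T08:01:10Z user=asmith src=198.51.100.4 event=otp_challenge
2025-09-10T08:01:25Z user=asmith src=198.51.100.4 event=login_success
2025-09-10T09:00:00Z user=bob src=198.51.100.9 event=otp_challenge
2025-09-10T09:00:10Z user=bob src=198.51.100.9 event=otp_challenge
2025-09-10T09:00:20Z user=bob src=198.51.100.9 event=otp_challenge
2025-09-10T09:30:00Z user=bob src=198.51.100.9 event=login_success
""".splitlines()  # constructed sample: jdoe matches, asmith is a normal login, bob's burst is stale
```

A hit is a reason to pull that session's source, geolocation and post-login activity, and to rotate that user's credentials and OTP seed.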
Sources:
-
Gen Z Failing at Identifying Phishing Attacks
A new global survey from Yubico reveals that Gen Z (those born between 1997 and 2012) is the group most vulnerable to phishing: 62% admit to engaging with a phishing message in the past year, and they are the most likely to click on phishing links, attachments, or scams. AI-powered social engineering is driving a new wave of deepfake and voice-clone phishing.
The 2025 Global State of Authentication Survey, covering 18,000 participants across nine countries, found that:
- 44% of all respondents interacted with a phishing attempt in the past year.
- 70% believe AI has made phishing more effective, and 78% say attacks have grown more sophisticated.
- 54% of people shown a phishing email believed it was genuine or were unsure, highlighting the rising danger of AI-crafted scams.
- Only 48% of companies enforce MFA, and 40% of workers report no cybersecurity training at all.
Sources:
-
Scattered Lapsus$ Hunters Demand Nearly $1 Billion in Ransom
A newly revived threat group calling itself Scattered Lapsus$ Hunters, a collaboration between members of Scattered Spider, Lapsus$, and ShinyHunters, has claimed responsibility for stealing over 1 billion Salesforce-related records and is demanding nearly $1 billion in ransom to prevent public release.
According to news reports, the attackers exploited Salesloft’s Drift integration, using stolen OAuth and refresh tokens to access Salesforce APIs and extract customer data, including contact information and case objects. Salesforce itself was not directly breached.
The group has launched a public extortion site listing roughly 40 affected organizations, including major names like Cloudflare, Palo Alto Networks, Zscaler, and Tenable. Victims are urged to “negotiate” to prevent leaks.
Salesforce maintains that its core platform remains secure, stating:
“There is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
Security researchers note that the campaign resembles previous Lapsus$ and Scattered Spider operations, focusing on third-party integrations to bypass enterprise protections. Google TAG and Mandiant are investigating the breach’s scope and potential secondary access vectors.
Sources:
-
Harvard Probes Data Breach Tied to Oracle Zero-Day Exploit
Harvard University is investigating a potential data breach after the Clop ransomware gang claimed to have stolen data by exploiting a zero-day flaw in Oracle’s E-Business Suite (CVE-2025-61882).
The university confirmed it was affected by the vulnerability, which has impacted multiple Oracle customers, but said the incident appears limited to a small administrative unit. Harvard stated it applied Oracle’s emergency patch and found no evidence of compromise in other systems.
The Clop group, known for high-profile zero-day exploits in platforms such as MOVEit Transfer and GoAnywhere MFT, recently began targeting Oracle users in a new extortion campaign. Harvard is the first organization publicly linked to the attacks, though more victims are expected to surface in the coming weeks.
Sources:
- https://www.bleepingcomputer.com/news/security/harvard-investigating-breach-linked-to-oracle-zero-day-exploit/
- https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/