If they don't get you online, they'll try in person. A data-theft and extortion gang has targeted “dozens” of banks, law firms, and other professional services companies in the US from January through May, using fake help desk calls and other social-engineering techniques to gain access to corporate IT environments, according to Google’s Mandiant incident response team. And when those remote-deception methods don’t work, the criminals sometimes show up at victims’ physical offices, posing as IT technicians, and attempt to steal sensitive files using thumb drives. Google’s threat hunters track the extortion threat group as UNC3753, while other analysts call it Luna Moth, Chatty Spider, and Silent Ransom Group. The crew has been around since 2022, originally using fake software renewal emails and other billing lures, typically with PDF attachments containing phone numbers for attacker-controlled call centers, as their means of gaining initial access to corporate networks. Beginning around March 2025, the crims shifted tactics and started posing as IT help desk staff. “While UNC3753 primarily relies on digital vectors, GTIG assesses that associated threat actors have also attempted direct data theft using physical, in person access,” Google incident responders and researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said in a Friday blog. The authors also pointed to a May FBI alert to corroborate this in-person tactic. According to the feds, Silent Ransom Group crooks have been walking into law firms’ physical offices as recently as this spring. Once they are on-site, they claim to be IT support staff needing to image a device or create local backups for security reasons. If that line works, they plug a thumb drive into the victim’s computer and steal data the old-fashioned way. “Although limited forensic evidence and the absence of a subsequent extortion attempt prevent formal attribution, GTIG assesses that these physical intrusions are likely associated with UNC3753 based on structural, timeline, and targeting overlaps,” the blog said. Google won’t say how many dozens of firms have been targeted in these attacks, or how many ended in the data thieves paying a visit to the victims’ locations. “While we can’t share additional details regarding specific investigations, Mandiant CTO Charles Carmakal notes that this tactic has been observed over the years,” a spokesperson told The Register. “Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks.” Another noteworthy thing about UNC3753’s attacks: they are very fast. In many of Mandiant’s investigated incidents, the entire operation from initial contact to data extortion occurred in just one day. “Recently, Mandiant observed data searches, staging, and theft initiated in under an hour,” the threat analysts warned. These intrusions typically begin with an invoice-themed email - but these don’t usually contain any malicious links or attachments. The email’s sole purpose is to give the miscreants a plausible reason to follow up via phone, so that the recipient is more likely to believe the call is legitimate. Most of the crew’s entry mechanisms involve voice-phishing, using a method that has worked so well for other groups like ShinyHunters and Scattered Spider over the past few years. UNC3753 calls organizations’ employees directly and purports to be a help desk worker or member of the security team. The criminals say they need the target’s help addressing a security issue or aiding with a corporate data migration project, and convince the individual to join a screen-sharing session via Zoom, Microsoft Terminal Services, Microsoft Teams, or Quick Assist. In one such intrusion, using Teams to gain access to the victim’s computer, the attacker jumped on five separate calls with the same target over a three-day period, we’re told. And in more than one incident that Mandiant responded to, UNC3753 established Zoom sessions directly on targets' personal laptops, using these machines to access corporate virtual desktop infrastructure (VDI) using native client platforms, such as Windows 365 or Citrix clients. Once they’re in the corporate systems, the intruders map local directories and network drives, and target specific legal and document storage repositories. The crooks also use very-specific keyword searches to find sensitive folders containing tax logs (Forms W-2, W-9, and 1099), audit files, corporate client agreements, and Social Security numbers, before staging this data for exfiltration. UNC3753 uses several methods to sneak the data out of the corporate IT environment without setting off any security alarm bells, including using portable versions of free Windows file manager WinSCP or another open source filesystem like Rclone. The crew has also been known to log into a file-sharing account from the victim’s browser and upload the stolen files that way - or even instruct the victims to send the files to an attacker-controlled email address. After stealing the data, they send the extortion email, usually within 30 minutes of exiting the victim’s environment, and set a three-day deadline to respond and begin the negotiation process. “We hope to find a financial solution that will be acceptable for both parties,” reads one such extortion email. It continues: In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data. You will receive claims from individuals, and legal entities for information leakage and breach of contracts, your current deals will be terminated. Journalists and others will dig into your documents, finding inconsistencies or violations in them. Your organization will lose its reputation, shares will fall in price, and your organization will be forced to close. Stay safe, friends In the Friday report, Google’s threat hunters list IP addresses and other indicators of compromise, including these phishing domains that UNC3753 uses in its social-engineering attacks, all designed to look like the target organization’s help desk: -itdesk[.]com, -it[.]com, and -helpdesk[.]com. The security shop also suggests a range of things companies can do to avoid falling victim to this group and other voice-phishing scams or physical office intrusions. Some of the physical controls include requiring visitors to display official credentials and photo identification, and mandating front-desk staff log all visitor IDs before granting access. Also, check pre-scheduled work orders to ensure the “technician” at the front desk is who they say they are, and make sure any visiting technical service workers are always accompanied by a corporate, in-office supervisor. Because the bulk of these intrusions occur without any physical entry into the office, however, companies should also implement remote access conditional access policies to ensure only corporate-owned devices can authenticate to any VDIs or VPNs. Plus, block the installation and execution of unauthorized remote monitoring and support utilities. ®

Prime Day is earlier this year, so I've rounded up some of the best early laptop deals live now, including the latest MacBooks and gaming laptops.

Father's Day is coming up, and we found the most useful items your father figure will appreciate, based on our testing.

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and

Meet the 'too good to be true' portable charger. Here's my general buying advice for these types of products.

The threat is real. Unknown miscreants are exploiting a high-severity, zero-day bug in Cisco’s SD-WAN management software, and the networking giant hasn’t said when it will patch the flaw. Cisco issued an advisory on Thursday for the Catalyst SD-WAN Manager vulnerability, tracked as CVE-2026-20245, and it sounds like attackers have been exploiting this security failure for at least the last week. It’s due to a validation error - the software fails to properly validate user-supplied input - and an authenticated, local attacker can exploit the flaw by uploading a specially crafted file to vulnerable systems. From there, they can escalate privileges and execute commands with root privileges. The vulnerability affects all versions of the SD-WAN software, regardless of device configuration, and across all deployment types including on-premises, cloud-based, and FedRAMP-certified deployments. Switchzilla says it became aware of attacks against this vulnerability in June. “To exploit this vulnerability, an attacker must have netadmin privileges on an affected system,” the vendor said. “This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods.” Both of these earlier SD-WAN security holes have also been hit by attackers in previous months. The good news: an attacker needs valid credentials to abuse the new hole. The bad news: exposed credentials aren’t hard to find (or buy) online. We don’t know the scope of exploitation or exactly when attackers began hitting this SD-WAN hole. Cisco declined to answer The Register’s questions, and instead sent us a statement via email. “Cisco recommends customers upgrade to the fixed software released in May 2026 for CVE-2026-20182 as a protective measure,” a spokesperson said. “A patch for this vulnerability will be provided on a future date. Customers needing assistance should contact Cisco TAC.” This latest bug is the sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months. The most recent is the one the Cisco spokesperson mentioned in an email to The Register. In May, Switchzilla disclosed a max-severity make-me-admin bug (CVE-2026-20182) affecting Catalyst SD-WAN Controller and Manager, and warned that attackers had already found and exploited the hole before it issued a patch. A month earlier, America's lead cyber-defense agency said that three Cisco Catalyst SD-WAN Manager bugs (CVE-2026-20128, CVE-2026-20133, and CVE-2026-20122) were under attack, and gave federal agencies just four days to patch the security holes. Cisco fixed all three CVEs in late February, and in March warned of attackers abusing two of them. Also in February, the networking vendor patched a max-severity improper authentication flaw (CVE-2026-20127) affecting the same SD-WAN software, prompting a Five Eyes countries’ joint intelligence alert urgently warning defenders to patch it - plus an old SD-WAN vulnerability (CVE-2022-20775) - or risk root takeover. "Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally," the UK's lead cyber agency said at the time. "These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN." And while this one isn't listed as under active exploitation (yet), on Wednesday, Cisco warned about a proof-of-concept exploit for CVE-2026-20230, a critical bug in its Unified Communications Manager that also allows attackers to gain root privileges. ®

submitted by /u/LowerGrand9303
[link] [comments]

Your car's built-in screen may look modern, but Android Auto is still the easier, smarter way to drive. Here's why.

One gaming cyberattack this week exposed nearly 64,000 users. 

Another has already infected more than 116,000 players.  

Both are connected by the same common gaming behavior: looking for a cheat, mod, or shortcut. 

This week in scam news, a popular Grand Theft Auto V cheat service was hacked, exposing tens of thousands of users. At the same time, McAfee researchers uncovered a massive malware campaign spreading through fake Minecraft mods, cheats, and game clients. 

The takeaway is simple: some of the biggest threats facing gamers aren’t happening inside games. They’re hiding in the downloads, websites, and tools players use around them. 

Let’s start with the GTA breach. 

GTA Cheat Service Breach Exposes Nearly 64,000 Users 

Atlas Menu, a cheat service for Grand Theft Auto V, was reportedly hacked, exposing data belonging to nearly 64,000 users. 

According to reports, the leaked information included: 

• Email addresses 
• Usernames 
• Scrambled passwords 
• IP addresses 
• Customer support tickets

The hacker who claimed responsibility later posted the data online. 

Why This Matters 

Many players think of cheats as harmless tools that unlock special abilities, provide advantages, or simply make games more entertaining. 

But unofficial cheat services often operate outside the protections offered by legitimate gaming platforms. 

That means users may be: 

• Sharing personal information with unknown developers 
• Downloading unverified software 
• Exposing themselves to malware 
• Putting gaming accounts at risk 

And that brings us to an even bigger threat. 

Minecraft Malware Campaign Has Already Infected 116,000 Players 

McAfee researchers recently uncovered a large-scale malware operation targeting gamers searching for Minecraft mods, clients, and cheats. 

The campaign is called WeedHack. 

What Is WeedHack? 

WeedHack is a type of Malware-as-a-Service (MaaS). 

That means cybercriminals package malware into a subscription service that other attackers can use. 

Researchers found that: 

• More than 116,000 victims have been infected since January 
• The campaign continues to add roughly 2,000 to 3,000 new victims every day 
• More than 3,800 malicious files have been identified 
• More than 240 malicious download URLs have been linked to the operation 

Premium versions reportedly cost as little as $5 per month and include tools that allow attackers to remotely access victims’ devices and webcams. 

What WeedHack Can Steal 

Once installed, the malware can collect: 

• Minecraft account credentials and session IDs 
• Discord, Steam, and Telegram credentials 
• Browser passwords and cookies 
• Cryptocurrency wallet information 
• Screenshots and device information 
• Files stored on a victim’s computer 

Premium versions can also provide: 

• Live webcam access 
• Live screen sharing 
• Remote keyboard and mouse control 
• Keylogging capabilities 
• Full remote access to the infected device

Get the full explainer here. 

How McAfee+ Advanced Helps Protect Gamers 

Gaming malware campaigns rely on three things: 

1. Getting users to visit malicious websites 
2. Convincing them to download infected files 
3. Encouraging them to ignore security warnings  

The post GTA Cheat Users Exposed in Breach as Minecraft Malware Hits 116,000 Players appeared first on McAfee Blog.

Arabic-speaking users have emerged as the target of a new Android spyware codenamed Asin, according to findings from ESET. The Slovakian cybersecurity company said it first detected the malware spread via multiple campaigns in early 2025, with each attack wave making use of distinct websites mimicking utilities, war-related updates, and a government news source: govlens[.]net, which

submitted by /u/fagnerbrack
[link] [comments]

Few smart speakers have assistants with as much potential as Siri. A meaningful upgrade would make the HomePod my first choice.

The smartest way to use AI may not be letting it touch your files, but asking it to write software that handles them safely.

Apple's partnership with Google could supercharge its own health suite and wearable. Here's how.

Humanitarian organization World Food Programme (WFP) says one of its systems was breached, and around 600,000 Gazan households receiving aid had their details improperly accessed. Its announcement, made via Telegram on May 31, confirmed there was “a security incident” in the self-registration application used by Gazans to register for aid and applicants’ names, ID numbers, phone numbers, and location information were among the data types accessed. “We understand this may be concerning, and we want to assure you that protecting your data and privacy is our top priority,” the WFP said. “The program is treating this situation with the utmost seriousness and priority.” The organization said it temporarily suspended the registration platform to urgently apply the necessary security improvements. Its most recent update on the situation came on June 2, when it said the platform was still down, but added that aid recipients did not need to do anything, while their support would continue to be delivered uninterrupted. “The WFP wants to assure all those registered via the link that food assistance, cash assistance, nutritional supplementation, and all other WFP programs are continuing as usual,” it said. “If you are already registered on the Self-Registration Application (SRA), your registration remains valid. There is no need to update, delete, or re-register your information at this time.” WFP told The New Humanitarian, which first reported the story, that the attack was detected on May 14, and confirmed the scale to be in the region of 600,000 households. The news organization also claimed, citing a whistleblower’s account of matters, that an anonymous “independent expert” contacted WFP’s Palestine team, alerting it to vulnerabilities in the SRA two days before the organization detected the breach. The Register contacted WFP’s Rome headquarters for more details, but it did not immediately respond. WFP, which is a division of the UN and the largest welfare organization in the world, supports 1.6 million Palestinians every month who face a malnutrition crisis amid fierce conflict between the territory and neighboring Israel. This represents around 77 percent of the country’s population, and an estimated 80 percent of the population is unemployed, unable to earn the money required to pay for a nutritionally sound diet. WFP delivers wheat flour, high-energy biscuits, and fortified snacks to families, community kitchens, and bakeries in its effort to push back famine, as well as facilitating cash transfers. The organization is also helping individuals get back into paid work, maintains roads, and says that when conditions allow, it will stay in the region and help local people rebuild communities, markets, and other food systems. ®

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where "OP" stands for "opponent") that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. "OP-512 was highly

submitted by /u/dn3t
[link] [comments]

The right VPN can help you unlock YouTube TV content on a smartphone, laptop, or smart TV. Check out our tested top picks.

Eighteen months ago, the AI SOC was a marketing line. Today it's a budget item. The category has crossed over from interesting to inevitable, with billions of dollars now flowing into AI-powered security operations platforms, agentic SOC tools, and AI co-pilots built into every layer of the security stack. The data shows SOCs are buying, deploying, and standing up AI capabilities at the fastest

Malwarebytes Premium combines excellent threat protection and helpful security tools in an easy-to-use package.