In today’s cybersecurity news…
Two key cyber laws are back as president signs bill to end shutdown
On Wednesday, the President signed a government funding bill that ended the record 43-day government shutdown. The bill also temporarily revives, through January 30, two major cybersecurity laws that lapsed at the end of September: the 2015 Cybersecurity and Infrastructure Security Act and the State and Local Cybersecurity Grant Program. Congress must now find a more permanent fix before another funding deadline.
Microsoft’s screen capture prevention for Teams users is finally rolling out
Microsoft has a new Teams feature for Premium customers that will automatically block screenshots and recordings during meetings. This had first been announced in May 2025. Named “Prevent screen capture,” it restricts access to visual meeting content. On Windows desktop devices, screenshots will show a black rectangle around the meeting window. On platforms that don’t support it, meeting attendees will join in audio-only mode. This feature is disabled by default and must be manually enabled by organizers for each meeting via Meeting Options.
FBI calls Akira top five ransomware variant out of 130 targeting U.S. businesses
Akira, a major ransomware group active since March 2023, uses double-extortion attacks that steal and encrypt data to pressure victims. U.S. cyber authorities say the group has earned more than $244 million and mainly targets small and medium-sized businesses across manufacturing, education, IT, health care, finance and agriculture. Akira is linked to several other threat groups and may have ties to the former Conti gang. The FBI ranks Akira among its top five most consequential ransomware variants and notes that ransomware overall remains its leading cybercrime threat, with more than 130 active variants attacking U.S. organizations.
Fortinet FortiWeb flaw with public PoC exploited to create admin users
A Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The issue is fixed in FortiWeb 8.0.2, and admins are urged to update as soon as possible and check for signs of unauthorized access. The threat intelligence company Defused spotted the exploitation on October 6, and since then, attacks have increased globally. Threat actors are sending HTTP POST requests to a specific endpoint on this path containing payloads that create local admin-level accounts on the targeted device.
Checkout.com refuses to pay ShinyHunters ransom, donates the cash to research instead
The payment services provider Checkout.com, having recently been attacked by the ShinyHunters ransomware group, has stated publicly that not only has it refused to pay the ransom, it has instead donated the demanded amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research. In addition, the company’s Chief Technology Officer Mariano Albera said that his company “takes full responsibility for the security incident and apologized for the circumstances that allowed the breach to happen.” The company’s investigation showed that the criminals had broken into a “legacy third-party cloud file storage system” that wasn’t properly decommissioned and was used in 2020 and prior years.
Akira ransomware Linux encryptor targeting Nutanix VMs
In further Akira news, a joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3) and the Department of Health and Human Services (HHS) is warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks. These attacks started in June and continue up to the present. This means the group has expanded beyond VMware ESXi and Hyper-V by leveraging a CVE-numbered vulnerability. Nutanix’s AHV platform is a Linux-based virtualization solution that runs and manages virtual machines on Nutanix’s infrastructure.
Operation Endgame: Police reveal takedowns of three key cybercrime tools
Authorities from numerous European countries, along with Canada, the U.S. and the UK, have announced a takedown affecting the Rhadamanthys infostealer, the VenomRAT remote access trojan and the Elysium botnet. This third phase of Operation Endgame, which started in 2024, focused on these tools, which the authorities say had been “responsible for infecting hundreds of thousands of victims worldwide with malware.” This action also coincides with the recent arrest in Greece of the main suspect behind the VenomRAT.
Washington Post confirms data stolen from its Oracle environment
This act of data theft and extortion was performed on the media company’s Oracle E-Business Suite, compromising human resources data on nearly 10,000 current and former employees and contractors. The Post said it confirmed that the September 29 attack resulted in the theft of personal information on 9,720 people, including names, bank account numbers and routing numbers, and Social Security numbers. The Clop gang is believed to be behind this attack.






