Cybersecurity News: EDR-Freeze, DeepMind persuasion, vendors exit ATT&CK

In today’s cybersecurity news…

EDR-Freeze tool suspends security software

Security researcher Zero Salarium published a proof-of-concept tool called EDR-Freeze, which abuses the Windows Error Reporting (WER) system to indefinitely suspend EDR and antivirus processes. It does so by using the crash dump collection component WerFaultSecure to trigger the MiniDumpWriteDump API, which suspends the threads of a target process while it generates a snapshot of memory and state. By suspending WerFaultSecure itself mid-dump, the targeted process is left suspended. Security researcher Steven Lim created a tool that maps WerFaultSecure instances to Microsoft Defender processes, making it easy to spot any potential abuse.
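A defender-side illustration of the mapping idea described above, written for this digest rather than taken from Steven Lim's tool or the EDR-Freeze project: given a process snapshot, it pairs each WerFaultSecure instance with the security process it is dumping and flags the freeze condition (both suspended). The assumptions are that the target PID appears as a numeric token on WerFaultSecure's command line and that the snapshot reports whether a process's threads are all suspended; the sample data and the argument syntax are constructed.

```python
import re
from dataclasses import dataclass

# Image names treated as security software. MsMpEng.exe is the Defender
# antimalware engine; extend the set for other EDR/AV agents (assumption).
PROTECTED_IMAGES = {"msmpeng.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    suspended: bool  # True when every thread is suspended (from the snapshot)


def find_edr_freeze_candidates(procs):
    """Return one finding per WerFaultSecure instance whose command line names
    the PID of a protected process. That the target PID is visible as a numeric
    token on the command line is our assumption, not something the page states."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.image.lower() != "werfaultsecure.exe":
            continue
        for tok in re.findall(r"\b\d+\b", p.cmdline):
            target = by_pid.get(int(tok))
            if target is None or target.image.lower() not in PROTECTED_IMAGES:
                continue
            # A dump in progress briefly suspends the target; a suspended
            # WerFaultSecure holding a suspended security process is the freeze.
            findings.append({
                "werfault_pid": p.pid,
                "target_pid": target.pid,
                "target_image": target.image,
                "frozen": p.suspended and target.suspended,
            })
    return findings


# Constructed snapshot: a frozen Defender engine, a benign dump of notepad, noise.
SAMPLE = [
    Proc(4120, "MsMpEng.exe", "MsMpEng.exe", True),
    Proc(5100, "WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 4120 /tid 4124", True),
    Proc(6000, "notepad.exe", "notepad.exe report.txt", False),
    Proc(6100, "WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 6000 /tid 6004", False),
]

if __name__ == "__main__":
    for finding in find_edr_freeze_candidates(SAMPLE):
        print(finding)
```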

(Bleeping Computer)

DeepMind updates Frontier Safety Framework

The Google subsidiary added a new category to this framework, now stating the risks models pose for “harmful manipulation,” defined around “AI models with powerful manipulative capabilities that could be misused to systematically and substantially change beliefs and behaviors in identified high-stakes contexts.” This comes after some AI models have shown the ability to deceive individual users to achieve overall goals. DeepMind said it adds these new capability levels when frontier AI models “pose heightened risk of severe harm” without any other mitigations. Axios pointed out that this comes after OpenAI removed a “persuasiveness” specific risk category in its model evaluation process earlier this year. 

(Axios)

Major vendors withdraw from MITRE EDR Evaluations

Both SentinelOne and Palo Alto Networks announced this month that they would not take part in MITRE’s Engenuity ATT&CK Evaluation, following a similar announcement from Microsoft back in June. All three companies said the move was done to better focus on product development. Last year, Microsoft topped MITRE’s EDR tests, with SentinelOne ranked fifth, and Palo Alto 12th. MITRE CTO Charles Clancy told Infosecurity Magazine that participating in the tests is resource-intensive for vendors, with the company seeking to make them harder each year, including adding cloud environments in the 2025 edition. Clancy said MITRE will re-establish its vendor forum in 2026 to address some of these concerns. 

(Infosecurity Magazine)

Fake repos target macOS with infostealer campaign

The password manager LastPass warned about this ongoing campaign that uses SEO poisoning to serve up links to malicious GitHub sites in search, claiming to offer Mac downloads for LastPass, 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, and Salesloft. These repos actually download the Atomic infostealer, a piece of malware generally used by financially motivated threat groups. LastPass published a post with a full list of malicious URLs and other indicators of compromise. 

(The Hacker News)

Huge thanks to our sponsor, Conveyor

Security reviews don’t have to feel like a hurricane. Most teams are buried in back-and-forth emails and never-ending customer requests for documentation or answers. But Conveyor takes all that chaos and turns it into calm.
AI fills in the questionnaires, your trust center is always ready, and sales cycles move without stalls.
Breathe easier—check out Conveyor at www.conveyor.com.

Russia steps up misinformation in Moldova

Moldova is set to elect a new parliament on September 28th, with ramifications for the country’s potential entry into the European Union in the coming years. The BBC reports that over the weekend, a network funded by Russia paid people in the country the equivalent of $170 USD a month to post propaganda on social media. These recruits were told to use LLM systems to attack the ruling Party of Action and Solidarity with claims of rigged voting and child trafficking. Bloomberg reports that leaked documents show this is specifically part of a Russian campaign to mobilize diaspora voters from Moldova and weaken Moldovan President Sandu. 

(The Record, BBC, Bloomberg)

Microsoft patches critical Entra flaw

Back in July, Microsoft patched a critical Entra ID flaw that opened the door to impersonating any user across any tenant. There was no evidence of exploitation in the wild. Security researcher Dirk-Jan Mollema reported the flaw, which allowed service-to-service actor tokens from Entra’s Access Control Service to be used for cross-tenant access because of inadequate validation in the Azure AD Graph API. The blast radius could have been nasty, as threat actors with Graph API access could have made unauthorized modifications to Conditional Access policies. A lack of API-level logging means this could have been done without leaving much of a trace. Aside from the patch, the attack is now mostly academic, as Microsoft retired the Azure AD Graph API on August 31, 2025.

(The Hacker News)

Steam game caught distributing malware

The 2D platformer game BlockBlasters was released on Valve’s Steam store on July 30th. Vx Underground reports the developer tried to increase downloads of the title by messaging cryptocurrency holders to try out the game as a paid promotion. On August 30th, the game was updated to include malware files that collect information on browser extensions and crypto wallets. Researchers estimate the threat actors used this information to drain funds from 261 users, including one user who saw the attack happen on a live stream, losing funds set aside for their cancer treatment. Researchers discovered a similar trojanized game on the Steam store called Chemia back in July.

(PC Mag)

Stellantis is investigating “unauthorized access”

Over the weekend, the multinational car maker said an incident at a third-party provider supporting its North American branch’s customer service exposed customer data. The incident did not impact any system holding financial or sensitive data, and appears limited to leaking contact details. The company warned customers to be on the alert for phishing attacks using this data. Bleeping Computer’s sources say this breach was part of the ShinyHunters Salesforce data breaches.

(The Record, Bleeping Computer)

Mozilla lets devs roll back add-on updates

Mozilla added the ability for Firefox add-on developers to roll an add-on back to an earlier version. Once a rollback is issued, installed copies of the browser automatically revert to the previous version within 24 hours, and downloads of the latest version are blocked. Until now, developers had to get an update approved by Mozilla before it could be released, creating a lag in addressing security vulnerabilities. Self-distributing developers can revert to any version, while those distributing on addons.mozilla.org are limited to the two previous versions.

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.