In today’s cybersecurity news…
UNC3886 targets Singapore telecom sector
Singapore’s Cyber Security Agency says China-linked APT group UNC3886 carried out a targeted espionage campaign against all four of the country’s major telecom operators. The group used a zero-day exploit and rootkits to gain access to parts of critical systems. Authorities say the intrusion didn’t disrupt services or expose customer data. Singapore launched a counter-operation called CYBER GUARDIAN and says the attackers’ access has since been cut off. (The Hacker News)
VoidLink exhibits multi-cloud capabilities and AI code
Researchers at Ontinue analyzed a Linux-based malware framework called VoidLink that can persist across enterprise and multi-cloud environments, including AWS, Azure, Google Cloud, Alibaba, and Tencent. It steals credentials, fingerprints systems, escapes containers, and hides at the kernel level, while using encrypted traffic that mimics normal web activity. Analysts say the code shows clear signs of AI-assisted development, with leftover debug logs and structured phase labels, suggesting it was generated by an LLM with limited human review. (Infosecurity Magazine)
135,000+ OpenClaw instances exposed to internet
SecurityScorecard researchers say more than 135,000 internet-exposed instances of the open-source AI agent platform OpenClaw are vulnerable, in part because the software listens on all network interfaces by default and many users never change the setting. The tool has been linked to multiple high-risk flaws and data-leak issues, and more than 50,000 exposed systems are still susceptible to a patched remote-code-execution bug. The platform’s design and widespread insecure deployments could give attackers access to credentials, files, and other sensitive data across both personal and corporate systems. (The Register)
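The default-bind problem in the OpenClaw item is easy to check for on a host. The following Python audit is an added example written for this digest, not code from the original report or the OpenClaw project: it parses `ss -ltn` output and flags listeners bound to a wildcard address. The sample output is constructed, and because the report names no OpenClaw configuration key, the check works at the socket level rather than in the tool's config.

```python
"""Flag listening TCP sockets bound to all interfaces (0.0.0.0, *, ::).

Feed parse/audit functions the output of `ss -ltn` on Linux. The sample
below is constructed to look like that output; ports and addresses are
illustrative, not taken from any real deployment.
"""
import subprocess

# Wildcard forms that `ss` prints for an all-interface bind.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the shape of `ss -ltn` output (hypothetical host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:8081       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8082         0.0.0.0:*
LISTEN  0       511     *:8080               *:*
LISTEN  0       128     [::1]:2222           [::]:*
LISTEN  0       128     [::]:3000            [::]:*
"""


def split_addr_port(addr):
    """Split 'host:port', tolerating IPv6 '[::]:port' and '*:port'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_ss_listeners(text):
    """Return (local_host, port) tuples for every LISTEN row in ss output."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        listeners.append(split_addr_port(fields[3]))
    return listeners


def wildcard_listeners(text):
    """Listeners reachable on every interface, i.e. the risky binds."""
    return [(h, p) for h, p in parse_ss_listeners(text) if h in WILDCARD_ADDRS]


def audit_live():
    """Run the check against the real `ss -ltn` output on this host."""
    return wildcard_listeners(subprocess.check_output(["ss", "-ltn"], text=True))


if __name__ == "__main__":
    for host, port in wildcard_listeners(SAMPLE_SS):
        print(f"port {port} bound to {host}: restrict to loopback or firewall it")
```

Loopback-only binds such as 127.0.0.1 and [::1] pass; anything on a wildcard address is reported so it can be re-bound or filtered.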
New zero-click flaw in Claude Desktop Extensions
LayerX researchers found a zero-click vulnerability in Claude Desktop Extensions that could let attackers execute code on a victim’s system using a malicious Google Calendar event, affecting more than 10,000 users and earning a CVSS 10.0 rating. The flaw stems from how the extensions chain tools together with full system privileges and no sandboxing, letting low-risk inputs trigger high-risk actions. LayerX says Anthropic declined to fix it, stating that the issue falls outside its threat model because users choose which extensions and permissions to enable. (Infosecurity Magazine)
Huge thanks to our episode sponsor, ThreatLocker

China rehearsing cyberattacks on critical infrastructure
Leaked technical documents reviewed by Recorded Future show China using a secret cyber-range platform called “Expedition Cloud” to rehearse attacks on the critical infrastructure of nearby countries. The system replicates real-world power, transport, and smart-home networks, letting reconnaissance and attack teams practice operations and analyze results in detail, potentially with AI-assisted automation. The platform points to state sponsorship and may be evidence that China is preparing offensive cyber campaigns despite official denials. (The Record)
BridgePay confirms ransomware attack
BridgePay says a ransomware attack caused a system-wide outage affecting its payments platform, disrupting card transactions for some restaurants, retailers, and municipal services. The company says initial forensics show no payment card data was compromised and any accessed data was encrypted. The FBI and Secret Service are assisting in the investigation. (Infosecurity Magazine)
Fallout from latest Ivanti zero-days spreads
Ivanti’s Endpoint Manager Mobile zero-day flaws have now been linked to around 100 victims, with Shadowserver identifying 86 compromised instances and warning that multiple threat groups are exploiting the bugs. The two unauthenticated remote-code-execution vulnerabilities, each rated 9.8, have hit organizations including Dutch government agencies and infrastructure at the European Commission. Rapid7 says exploitation attempts increased after disclosure, with hundreds of attacks observed in a single day, and nearly 1,300 internet-exposed EPMM instances remain at risk. (CyberScoop)
Warlock gang breaches SmarterTools via SmarterMail bugs
SmarterTools says the Warlock ransomware group breached its network by exploiting two critical SmarterMail vulnerabilities, including an unauthenticated remote-code execution bug and an authentication bypass flaw, both fixed in January. The attackers gained access through an unpatched server, compromising about a dozen Windows machines, though the company says business apps and account data weren’t affected. SmarterTools also observed similar attacks on customer systems, with the group targeting Active Directory to spread ransomware. (Dark Reading)