Cybersecurity News: Google gets EU Wiz approval, Microsoft secures Secure Boot certificates, North Korean hackers target crypto exec

In today’s cybersecurity news…

EU grants Google approval for Wiz

Google has secured unconditional EU antitrust approval for its $32 billion acquisition of cloud security firm Wiz, Google’s biggest-ever deal. European regulators said the purchase wouldn’t raise competition concerns because customers would still have alternatives to Google in cloud infrastructure, like Amazon and Microsoft. The deal was first announced in March of 2025 and is expected to strengthen Google’s cybersecurity offerings and its position in the cloud market. (Reuters)

Microsoft rolls out Secure Boot certificates before expiration

Microsoft started rolling out new Secure Boot certificates through monthly Windows updates ahead of the expiration of the original 2011 certificates in June. Secure Boot prevents untrusted bootloaders and rootkits from running at startup, and the refresh affects millions of devices across different hardware vendors. Most supported Windows 11 systems will receive the new certificates automatically, though some PCs may need firmware updates from manufacturers. Devices that miss the update will still work but will enter a degraded security state without full boot-level protections. (BleepingComputer)

North Korean hackers target crypto exec

North Korea-linked UNC1069 hackers targeted a cryptocurrency executive using a fake Zoom meeting that allegedly featured a deepfake CEO, according to incident responders at Mandiant. The attackers used a ClickFix-style trick to get the victim to run commands that installed multiple backdoors and data-stealing tools, harvesting credentials, browser data, Telegram messages, and Apple Notes. Mandiant says the attack likely sought both direct crypto theft and material for future social-engineering campaigns, noting North Korean hackers stole more than $2 billion in crypto in 2025 to fund weapons programs. (The Record)

SolarWinds attacks highlight risks of exposed apps

Attackers are exploiting vulnerabilities in SolarWinds Web Help Desk, with incidents tied to Internet-exposed instances that gave threat actors an initial foothold, according to Microsoft and Huntress. CISA recently added a critical deserialization bug to its Known Exploited Vulnerabilities list, while scans found around 170 vulnerable systems online. Once inside, attackers used living-off-the-land tools and remote management software to move laterally, deploy tunnels and forensics tools, and target high-value assets. (Dark Reading)

Huge thanks to our episode sponsor, ThreatLocker

Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environments. Join us March 4–6 in Orlando, plus a live CISO Series episode on March 6. Get $200 off with ZTWCISO26 at ztw.com.

Microsoft 365 outage takes down admin center

Microsoft is investigating a Microsoft 365 outage affecting some business and enterprise admins in North America, blocking access to the admin center and, in some cases, the Microsoft 365 app. The company says it’s analyzing telemetry, usage patterns, CPU utilization, and user-provided data to isolate the root cause, while thousands of users have reported connection issues and slow performance. (BleepingComputer)

Linux botnet SSHStalker uses old-school IRC

Researchers at Flare say a new Linux botnet called SSHStalker is using old-school IRC for command-and-control, relying on noisy SSH brute-force attacks, one-minute cron jobs, and exploits for more than a dozen Linux vulnerabilities dating back more than 15 years. The malware spreads worm-style across cloud hosts, compiles payloads locally, and includes tools for AWS key theft, cryptomining, and potential DDoS attacks, though current bots mostly sit idle. (BleepingComputer)

ZeroDayRAT is ‘textbook stalkerware’

Mobile security firm iVerify says a spyware family called ZeroDayRAT is being sold openly on Telegram, giving buyers full remote access to infected Android and iOS devices through smishing and other social-engineering lures. The malware can read SMS messages, capture SIM and location data, log keystrokes, record audio and screen activity, and send texts to bypass MFA, enabling account takeovers and targeted scams. Researchers say the roughly $2,000 kit reflects the growing commercialization of surveillance tools once limited to nation-state actors. (Dark Reading)

Google-Intel security audit reveals TDX vulnerability

Google and Intel found five vulnerabilities and more than 35 bugs in Intel’s Trust Domain Extensions (TDX), a hardware-based confidential computing feature designed to protect virtual machines in cloud environments. One flaw could let a malicious host fully compromise a protected virtual machine and access its decrypted state. Intel says it has patched the issues, which were uncovered during a five-month joint security review by Google’s cloud security team and Intel researchers. (SecurityWeek)