In today’s cybersecurity news…
Legacy Windows protocols still expose networks to credential theft
A Resecurity study warns that the legacy Windows name-resolution protocols LLMNR and NetBIOS Name Service (NBT-NS) still expose networks to credential theft, without any software exploit being needed. An attacker on the same local network can answer hosts' broadcast name lookups and capture usernames and NTLM challenge-response hashes using tools like Responder. Once obtained, the hashes can be cracked offline or, in relay attacks, forwarded straight to other servers to access corporate systems and escalate privileges. Researchers recommend disabling LLMNR and NBT-NS, blocking UDP port 5355, enforcing SMB signing, and using Kerberos authentication. (Infosecurity Magazine)
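The host-level version of those recommendations, as an added example (this is not code from the Resecurity study or the article): it audits a Windows machine for LLMNR, NBT-NS, SMB signing and the UDP 5355 firewall rule, then applies the fixes. The registry paths, values and cmdlets are standard Windows ones; the two function names and the firewall rule names are my own. Run it elevated; in a domain, push the same settings through Group Policy rather than per host.

```powershell
# Added example, not from the original article. Requires an elevated PowerShell
# session with the SmbShare and NetSecurity modules (present on Windows 8/2012+).

function Get-NameResolutionPoisoningExposure {
    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast=0.
    # An absent value means the Windows default, which is LLMNR enabled.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
                -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrEnabled = ($null -eq $llmnr) -or ($llmnr -ne 0)

    # NBT-NS is configured per interface: NetbiosOptions 2 = disabled,
    # 1 = enabled, 0 = follow DHCP (which usually leaves it on).
    $nbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $nbtEnabledOn = Get-ChildItem -Path $nbtKey |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).NetbiosOptions -ne 2 } |
        ForEach-Object { $_.PSChildName }

    # Relay needs an unsigned SMB session; signing must be required on both sides.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    [pscustomobject]@{
        LlmnrEnabled             = $llmnrEnabled
        NbtNsEnabledInterfaces   = @($nbtEnabledOn)
        SmbServerSigningRequired = $srv.RequireSecuritySignature
        SmbClientSigningRequired = $cli.RequireSecuritySignature
        Udp5355Blocked           = [bool](Get-NetFirewallRule `
            -DisplayName 'Block LLMNR (UDP 5355)*' -ErrorAction SilentlyContinue)
    }
}

function Set-NameResolutionPoisoningMitigations {
    # 1. Disable LLMNR via the policy key (same value the GPO setting writes).
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # 2. Disable NetBIOS over TCP/IP on every interface.
    $nbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $nbtKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }

    # 3. Require SMB signing in both directions so a captured NTLM exchange
    #    cannot be relayed to or from this host.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # 4. Block LLMNR traffic at the host firewall. Queries go out to remote port
    #    5355; responders listen on local port 5355, so the two rules differ.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block LLMNR (UDP 5355) $dir"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            $portArg = if ($dir -eq 'Inbound') { @{ LocalPort = 5355 } } else { @{ RemotePort = 5355 } }
            New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol UDP `
                -Action Block -Profile Any @portArg | Out-Null
        }
    }
}

# Usage: audit, enforce, then audit again to confirm every field reads as safe.
Get-NameResolutionPoisoningExposure | Format-List
Set-NameResolutionPoisoningMitigations
Get-NameResolutionPoisoningExposure | Format-List
```

The fourth recommendation, moving to Kerberos, is not a single cmdlet: it means restricting NTLM through the "Network security: Restrict NTLM" policies and auditing what still falls back to NTLM first, so it is deliberately left out of the script. Note also that the NBT-NS registry change takes effect on the next network stack restart, and the SMB client signing requirement will break connections to any server that cannot sign, so audit before enforcing fleet-wide.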
Fortra admits exploitation of GoAnywhere defect
Fortra confirmed that a critical vulnerability in its GoAnywhere MFT file-transfer software has been actively exploited, weeks after researchers and CISA independently verified attacks. Researchers from watchTowr, Rapid7, and VulnCheck say the exploit’s success raises questions about how attackers accessed a private key believed to be held only by Fortra. CISA says the flaw has been used in ransomware campaigns linked to Microsoft-tracked group Storm-1175. (CyberScoop)
Taiwan claims surge in Chinese attack efforts
Taiwan’s National Security Bureau says China has intensified cyberattacks and disinformation campaigns ahead of Taiwan’s 2026 local elections. Government networks reportedly face 2.8 million intrusion attempts daily this year, up 17% from 2024. The bureau identified more than 10,000 fake social media accounts spreading 1.5 million pieces of pro-China or anti-government content, including AI-generated memes and videos. Officials describe the effort as a coordinated, state-level campaign involving China’s PLA and intelligence agencies. (The Record)
‘Pixnapping’ can steal everything on an Android screen
Researchers from UC Berkeley, UC San Diego, University of Washington, and Carnegie Mellon uncovered an Android attack known as "Pixnapping" that can steal anything displayed on a user's screen, including 2FA codes, without any special app permissions. This side-channel attack abuses Android's rendering APIs and GPU compression to recover pixels from apps like Google Authenticator, Signal, and Gmail. Google promises a full fix in December. (ZDNet) (Dark Reading)
Huge thanks to our sponsor, Vanta

Is it “Do I have the right controls in place?”
Or “Are my vendors secure?”
...or the really scary one: "How do I get out from under these old tools and manual processes?"
Enter Vanta.
Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.
Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready—ALL…THE…TIME.
With Vanta, you get everything you need to move faster, scale confidently—and get back to sleep.
Get started at vanta.com/headlines
Qantas confirms stolen customer data has been leaked
Qantas confirmed that data stolen in a July attack, which exposed information on around 5.7 million customers through a third-party platform linked to Salesforce, has now been published. The Scattered LAPSUS$ Hunters group leaked the data after Salesforce refused to pay a ransom. Exposed details include names, emails, and Frequent Flyer numbers and, in some cases, addresses, phone numbers, or birthdates, though no credit card or passport data appears to be compromised. Qantas obtained a court order restricting access to the leaked data and warned customers of rising phishing scams impersonating the airline. (The Record)
TA585 emerges with advanced attack infrastructure
Proofpoint researchers reported on TA585, a cybercriminal group distributing MonsterV2, a RAT/stealer/loader that snatches credentials, crypto wallets, and browser data, and allows remote access, webcam capture, and payload delivery. TA585 uses phishing campaigns mimicking the IRS, Small Business Administration, and GitHub, and relies on the ClickFix technique, in which compromised sites show fake CAPTCHA prompts that trick victims into pasting and running the malware's own commands. (Infosecurity Magazine)
Asahi breach continues, personal data feared exposed
Japanese brewer Asahi confirmed that personal data may have been exposed in a September ransomware attack by the Qilin (chee-leen) gang, which disrupted ordering, shipping, and call center systems. Around 27 GB of files, including employee records and contracts, were allegedly stolen, with samples showing ID cards and other personal documents. The incident delayed shipments and forced manual order processing. Asahi also postponed its Q3 financial results. (The Register)
Harvard update: 1.3 TB of data leaked
Harvard University has confirmed it was targeted in the Cl0p (clop) ransomware Oracle E-Business Suite campaign, with the group claiming to have leaked 1.3 TB of data, though Harvard says only an administrative unit appears affected. Attackers exploited a July-patched EBS flaw, stealing financial, HR, and operational data. Oracle issued an emergency patch to fix the vulnerability. (Security Affairs)