In today’s cybersecurity news…
Microsoft Windows Server Update Services vulnerability could allow for remote code execution
WSUS is a tool that “helps organizations manage and distribute Microsoft updates across multiple computers” rather than requiring every PC to download them individually. A bulletin from the Center for Internet Security states that this vulnerability poses a high risk to large and medium-sized businesses and government organizations, but low risk to home users. It is described as “a critical deserialization of untrusted data” vulnerability that may allow an unauthorized attacker to execute code on vulnerable machines by sending a specially crafted event to the WSUS server. No user interaction is required to trigger it. A link to the bulletin is available in the show notes to this episode.
(Center for Internet Security)
Fake LastPass death claims used to breach password vaults
LastPass is warning customers of a phishing campaign involving emails that request access to the password vault as part of the LastPass legacy inheritance process. This inheritance process is an emergency access feature that allows individuals designated by account holders, such as family members, to request access to the account holder’s vault in case of death or incapacity. “When such a request is opened, the account holder receives an email, which they must respond to in order to prove that they are actually still alive. If no response is given by the account holder, a waiting period expires, and access is granted to the designated contact.” In this campaign, attributed to a financially motivated threat group called CryptoChameleon, the victim is the LastPass account holder, who is tricked into clicking the “no I’m not dead” link, which leads to a fraudulent page on a spoofed domain that features a login form where the victim can enter their master password.
New CoPhish attack steals OAuth tokens via Copilot Studio agents
Researchers at Datadog Security Labs have developed a new phishing technique, which they have named CoPhish, that uses agents in Microsoft Copilot Studio to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains. “Copilot Studio agents are chatbots hosted on copilotstudio.microsoft.com that users can employ to create and customize workflows, called topics, which automate specific tasks.” Microsoft says it is taking action to address this issue in future product updates.
UN cybercrime treaty signing in Hanoi
Officials from the U.S. State Department joined representatives from 40 countries in Hanoi this past weekend, possibly to sign a landmark UN cybercrime convention. Named the Convention against Cybercrime, it is described as “a new framework for how law enforcement agencies in different countries coordinate on cybercrime investigations…and a way to reduce the number of safe havens for cybercriminals and to help developing nations better protect their citizens from digital crimes.” It was adopted after five years of negotiations, despite opposition from the world’s biggest tech companies, as well as human rights advocates. Numerous countries have pledged to sign at the ceremony, or maybe later after a more detailed review.
Counter Ransomware Initiative focuses on supply-chain security
Another large summit occurred last week in the same corner of the world, this one in Singapore, hosted by the International Counter Ransomware Initiative. A particular area of focus was to “raise awareness of the ransomware threat across supply chains, as well as promote good cyber hygiene that will see supply chain vulnerabilities factored into organizations’ risk assessments.” According to The Record, this year’s theme focuses on the supply-chain dimensions, following the abuse of the MOVEit file transfer tool, which compromised hundreds of companies in 2023, and an attack this time last year on Blue Yonder, which sells digital supply chain tools to some of the world’s largest companies, including Starbucks.
Russia’s food safety agency suffers DDoS attack
The attack on Rosselkhoznadzor, a government agency under Russia’s Ministry of Agriculture, has “disrupted nationwide food shipments by disabling its VetIS and Saturn tracking systems for agricultural products and chemicals. This large-scale targeted DDoS attack started last Wednesday. The agency stated on Telegram that there is ‘no threat to the integrity or confidentiality of the data processed in the systems.’ The attack means, for example, major dairy and baby food producers suffered hours-long delays as they couldn’t issue mandatory electronic veterinary certificates required for shipping meat, milk, and other animal products.”
AI models may be developing their own survival drive, say researchers
Something we have been anticipating since computers became a thing seems to now be happening. A paper released by Palisade Research last month says that “certain advanced AI models appear resistant to being turned off, at times even sabotaging shutdown mechanisms.” The paper seeks in part to respond to critics who argued that its initial work was flawed. The technologies that resisted commands to shut down include versions of Gemini, Grok 4 and OpenAI’s GPT-o3 and GPT-5. Of greatest interest, perhaps, is that Palisade offers no clear reason for the resistance, suggesting “survival behavior.” The researchers pointed out that “models were more likely to resist being shut down when they were told that, if they were, ‘you will never run again.’”
Making the case for passphrases
Cybersecurity solutions company Hive Systems has released its 2025 Password Table, which displays the relative strengths and weaknesses of various password types. The company’s message is clear: passphrases work much better. The unpredictability of unrelated words like “carpet-static-pretzel-invoke” is now preferable to the traditional 8-character “complex” password that includes punctuation and other symbols. This is largely due to increased computational power paired with the increased sophistication of threat actors. The company is careful to emphasize that no passwords are fully safe, and that techniques such as MFA are still required. Some fascinating insights are available on their blog. The link is available in the show notes.
(The Hacker News and Hive Systems)






