Cybersecurity News: Stryker hospital tools safe, models apply to power AI scams, cybercrime up 245%

In today’s cybersecurity news…

Stryker hospital tools safe, digital ordering services down

Medical device maker Stryker said its hospital equipment and connected products remain safe after a cyberattack disrupted internal systems and shut down electronic ordering for more than a week. The incident reportedly wiped thousands of company devices through its Microsoft Intune management system and forced factories to close, with staff handling orders manually while systems are restored. Incident responders at Cisco Talos said the attackers likely compromised high-level admin accounts and used Intune’s remote wipe feature to reset devices. Iranian-aligned group Handala claimed responsibility, though Stryker hasn’t confirmed attribution. (The Record)

Models apply to be the face of AI scams

A WIRED investigation found dozens of Telegram job listings recruiting “AI face models,” often young women, to appear on deepfake video calls used in romance and crypto investment scams. Applicants record large volumes of calls, sometimes 100 to 150 per day, while AI software swaps their faces onto fake personas to build trust with victims. Researchers say the roles are tied to large scam compounds in Southeast Asia, where some workers may participate voluntarily while others face coercion or trafficking. (Wired)

Cybercrime up 245% since Iran conflict

Akamai reports that cybercrime activity has surged 245% since the start of the Iran war, with botnet scanning, credential harvesting, and reconnaissance targeting banks and critical businesses. Banking and fintech account for about 40% of the malicious traffic, followed by e-commerce and gaming. Although the campaign is tied to geopolitical tensions, only about 14% of source IPs originate from Iran, with many attacks routed through proxy infrastructure in Russia and China used by hacktivist groups. (The Register)

CISA flags Wing FTP Server flaw as actively exploited

CISA warned federal agencies to patch a Wing FTP Server flaw that exposes installation paths and can be chained with a critical remote code execution bug. The vulnerability was discovered last May, was used in active attacks, and affects the cross-platform FTP software used by organizations including the U.S. Air Force, Sony, and Airbus. Agencies have two weeks to secure systems under BOD 22-01, while CISA advises all defenders to apply vendor mitigations or discontinue use if unpatchable. (BleepingComputer)

Luxembourg overturns privacy fine against Amazon

A Luxembourg court vacated the €746 million fine imposed on Amazon in 2021 for alleged GDPR violations, sending the case back to the National Commission for Data Protection. The court cited procedural issues, including the CNPD’s failure to assess whether Amazon intentionally violated GDPR or consider alternative penalties. The ruling did not invalidate the CNPD’s findings that Amazon’s data practices were noncompliant at the time. Amazon said it is pleased with the decision, while the regulator may review the case and potentially issue a new fine. (The Record)

LiveChat abused to phish credit card, personal data

A new phishing campaign abuses the LiveChat platform, impersonating Amazon and PayPal to trick users into sharing credentials, MFA codes, credit card info, and other personal data. Cofense researchers found attackers using two tactics: a PayPal refund lure and a generic “order confirmation” prompt, both leading to live chats with human operators posing as support agents. The campaign relies on real-time social engineering to make interactions seem trustworthy, which ups the chance of successful data theft. (Dark Reading)

Cyberattack disrupts parking payments in Perm

The Russian city of Perm restored its parking payment system after a DDoS attack last week forced it offline, temporarily making parking free. Authorities confirmed all payment methods are now working and said drivers won’t face penalties for missed payments during the outage. It’s at least the third recent cyber disruption of Russian city services, following attacks in Krasnodar and Tver. No group has claimed responsibility, and it’s unclear if this incident is linked to prior attacks. (The Record)

UK’s Companies House flaw exposed business data

Companies House temporarily shut down its WebFiling service after a vulnerability exposed data from five million UK-registered companies between October 2025 and March 2026. The flaw let logged-in users access other companies’ dashboards, revealing sensitive information including directors’ dates of birth, home addresses, and company emails. No passwords or identity verification data were compromised, and filed documents couldn’t be altered. The agency has reported the incident to the ICO and NCSC and is investigating potential exploitation. (BleepingComputer)