Cybersecurity News: Windows 10 extension, teenage Vegas hacker released, Boyd Gaming hacked

In today’s cybersecurity news…

Microsoft to offer free Windows 10 security updates in Europe

Microsoft says it will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states. The decision was made after pressure was exerted by Euroconsumers, a Luxembourg-based consumer protection organization that represents 1.5 million households across Europe and Brazil. The group has also asked that Microsoft “postpone the Windows 10 end-of-support date beyond October 14, 2025, noting that previous versions, such as Windows 7 and Windows XP, were supported for more than 7 years after Windows 8 and Windows Vista were introduced.”

(BleepingComputer)

Teenage Vegas casino hacker released to parents

Following up on a story we covered exactly 2 years ago, a 17-year-old hacker who surrendered to face charges over cyberattacks targeting Las Vegas casinos in 2023 has been released into the custody of his parents, according to a family court judge ruling. The teen is believed to be part of the Scattered Spider group, which compromised the networks of MGM Resorts and Caesars Entertainment casinos, deploying BlackCat/ALPHV ransomware. The attack cost MGM more than $100 million in damages. The teen has had his access to the internet restricted to educational use only. Speculation abounds as to whether he is still in possession of $1.8 million in bitcoin which is believed to be related to the attacks.

(BleepingComputer)

Boyd Gaming hacked, employee data stolen

In other casino-related news, the Las Vegas company Boyd Gaming has announced that employee information was stolen during a recent cyberattack. In a notification to the Securities and Exchange Commission, the company stated that data on employees and “a limited number of other individuals” was stolen from its internal IT system on Tuesday evening, but that the attack had no impact on Boyd Gaming properties or business operations. The company did not say when the attack occurred or whether it involved ransomware. Boyd Gaming operates casinos and resorts across the U.S., with facilities in 11 states.

(The Record)

Supermicro BMC flaws can create persistent backdoors

Researchers at firmware security company Binarly are warning of two vulnerabilities affecting firmware from Supermicro, a manufacturer of servers, motherboards, and data center hardware. The vulnerabilities in the Baseboard Management Controller product allow attackers to update systems with maliciously crafted images. The researchers discovered a bypass for a flaw (CVE-2024-10237) that Supermicro had actually patched this past January, along with another vulnerability (CVE-2025-6198). They say the issue “could allow potential attackers to gain complete and persistent control of both the BMC system and the main server OS.”

(BleepingComputer)

Salesforce patches AI indirect prompt injection bug

Cybersecurity researchers from Noma Security have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents. The flaw could allow attackers to exfiltrate sensitive data from its CRM tool by way of an indirect prompt injection. The vulnerability, named ForcedLeak, has a CVSS score of 9.4 and affects any organization using Salesforce Agentforce with the Web-to-Lead functionality enabled. Indirect prompt injection occurs “when malicious instructions are inserted into external data sources accessed by the service, effectively causing it to generate otherwise prohibited content or take unintended actions.”

(The Hacker News)

Preschool network attacked, toddlers’ data published

In an attack described by people in the cybersecurity business as reprehensible, and sinking to the lowest depths possible, a cybercrime outfit named the Radiant Group has successfully targeted Kido International, a preschool and daycare organization. They then leaked sensitive details about pupils and parents, including images, names, home addresses, parents’ contact details, and in some cases places of work. “All the affected individuals thus far appear to all be based in the UK.”

(The Register)

Volvo North America discloses data breach following ransomware attack on third-party supplier

The personal data of Volvo North America employees was exposed following a ransomware attack on third-party supplier Miljödata. As we reported last month, this attack occurred in August and impacted at least 25 companies, including Scandinavian airline SAS, as well as 200 Swedish municipalities. “The affected systems are used by managers and HR to handle medical certificates, rehabilitation matters, and the reporting and management of work-related injuries.” “The ransomware group DataCarry claimed responsibility for the attack on Miljödata and also published allegedly stolen data on its Tor leak site.”

(Security Affairs)

ZendTo discloses flaw

A critical path traversal flaw in the file transfer app ZendTo has been assigned a CVE number (CVE-2025-34508) after researchers discovered that versions 6.15–7 and prior “enable authenticated users to manipulate file paths and retrieve sensitive data from the host system.” Security company Horizon3.ai reported that the server-side sanitization routine strips non-alphanumeric characters from the file dropoff process, but if an attacker supplies a line of non-alphanumeric characters, the sanitization leaves an empty or dot-only string. This leads to a method that can enumerate and exfiltrate any user-uploaded content or critical system files.

(CybersecurityNews.com)
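
The failure mode described in the ZendTo item, shown as an added example that is not ZendTo's code and does not come from the report: a strip-only sanitizer beside a form that validates what is left after stripping. The upload root, the function names, and the assumption that dots survive the stripping step are all illustrative.

```python
import re
from pathlib import Path

# Constructed upload root for this example; not a real ZendTo path.
UPLOAD_ROOT = Path("/var/example-dropoffs")


def strip_only(name: str) -> str:
    """Weak form: delete disallowed characters and trust whatever remains.

    Assumption: letters, digits and dots are kept, everything else is removed.
    """
    return re.sub(r"[^A-Za-z0-9.]", "", name)


def weak_path(name: str) -> Path:
    # An empty result resolves to the root itself; a dot-only result
    # can resolve to the root or its parent.
    return UPLOAD_ROOT / strip_only(name)


def safe_path(name: str) -> Path:
    """Hardened form: reject degenerate results, then confirm containment."""
    cleaned = strip_only(name)
    if not cleaned or set(cleaned) == {"."}:
        raise ValueError("identifier is empty or dot-only after sanitization")
    root = UPLOAD_ROOT.resolve()
    candidate = (root / cleaned).resolve()
    # Defense in depth: the resolved path must sit strictly under the root.
    if root not in candidate.parents:
        raise ValueError("resolved path escapes the upload root")
    return candidate


def is_rejected(name: str) -> bool:
    """True when the hardened check refuses the identifier."""
    try:
        safe_path(name)
    except ValueError:
        return True
    return False
```

Stripping alone changes the input without proving the result is a usable name; the check that matters is on the value after sanitization and on the resolved path.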

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.