Author: admin

The perfect way to keep pace with the most data-intensive applications.

Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, and etc.

The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines—and then abandoned.

Naturally, we registered them, just to see what would happen—”how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?”, we naively thought to ourselves.

Turns out they got eight million requests over two months.

Had this been an actual attack, they would have modified the code in those buckets to contain malware and watch as it was incorporated in different software builds around the internet. This is basically the SolarWinds attack, but much more extensive.

But there’s a second dimension to this attack. Because these update buckets are abandoned, the developers who are using them also no longer have the power to patch them automatically to protect them. The mechanism they would use to do so is now in the hands of adversaries. Moreover, often—but not always—losing the bucket that they’d use for it also removes the original vendor’s ability to identify the vulnerable software in the first place. That hampers their ability to communicate with vulnerable installations.

Software supply-chain security is an absolute mess. And it’s not going to be easy, or cheap, to fix. Which means that it won’t be. Which is an even worse mess.

It started with a DM. 

For five months, 25-year-old computer programmer Maggie K. exchanged daily messages with the man she met on Instagram, convinced she had found something real. 

When it was finally time to meet in person, he never showed. Instead, he claimed he missed his flight and needed money to rebook. Desperate to finally see him, she sent the cash.  

Then, silence. His accounts vanished. He hadn’t just ghosted her—he had never existed at all. 

“I ignored my gut feeling… I sent him $1,200. Then he disappeared,” Maggie told McAfee, hoping that her story would educate others. “When I reported the scam, the police told me his images were AI-generated. He wasn’t even a real person. That was the scariest part – I had trusted someone who never even existed.”  

How AI is making romance scams more sophisticated 

These scams work because they prey on trust and emotions. And they aren’t just targeting the naïve; anyone, even tech professionals as Maggie’s case shows, can be fooled. 

McAfee’s latest research reveals more than half (52%) of people have been scammed out of money or pressured to send money or gifts by someone they met online. 

And romance scams aren’t just happening in dating apps anymore. Social media, messaging platforms and AI chatbots are fuelling an explosion of online romance fraud. 

McAfee’s findings highlight a staggering rise in: 

• AI-powered scams: More than 1 in 4 people (26%) say they—or someone they know—have been approached by an AI chatbot posing as a real person on a dating app or social media. 

• Celebrity impostor scams: 1 in 5 (21%) have been contacted by someone pretending to be a well-known public figure. Of those who fell for it, 33% lost money, with an average reported loss of $1,985. 

• Fake romance scam websites: In the seven weeks leading up to Valentine’s Day, McAfee blocked a staggering 321,509 fraudulent URLs designed to lure in victims. 

The costs: your time, money, trust and personal data 

With 62% of people saying they’ve used dating apps, social media, or messaging platforms to connect with potential partners, scammers have a bigger pool of victims than ever before. 

Younger users are the most active online daters, with 31% of 18-24-year-olds currently using online dating platforms. Tinder is the most popular dating app overall (46%), with its highest engagement among 18-24-year-olds (73%). Just over 40% of respondents said they use Instagram, 29% use Snapchat and 25% use TikTok to meet potential partners. But these platforms also present new risks, as fake apps designed to steal personal information lurk in app stores. 

McAfee researchers found nearly 11,000 attempts to download fraudulent dating apps in recent months. The most impersonated? 

• Tinder (55%) 

• OKCupid (29%) 

• Badoo (7%) 

• Hinge (7%) 

• Bumble (2%) 

Downloading a fake app could expose your login credentials, financial information or even install malware onto your device.  

And once money is lost, its rarely recovered, as scammers use cryptocurrency, untraceable gift cards and offshore accounts to move stolen funds.  

Recognizing romance scam red flags  

McAfee researchers urge anyone looking for love online to stay vigilant by following these critical safety measures: 

1) Watch for “love bombing.” Scammers overwhelm victims with affection early on to gain trust. 

2) Verify their identity. Use reverse image searches and insist on live video calls which AI-generated scammers avoid. 

3) Never send money. No real partner will pressure you for financial help—especially when you’ve never met. 

4) Be wary of celebrity DMs. If a famous figure suddenly messages you, it’s likely a scam. 

5) Avoid suspicious links. McAfee blocked over 321,000 fraudulent dating sites—avoid clicking on unknown links or apps.  

6) Use online protection tools. Tools like McAfee+ can detect and block suspicious messages, phishing attempts, and AI-generated fraud in real time. McAfee+ offers maximum identity, privacy, and device protection to detect and prevent fraudulent activity before it causes harm. 

The post AI chatbots are becoming romance scammers—and 1 in 3 people admit they could fall for one appeared first on McAfee Blog.

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

Adam Barnett, lead software engineer at Rapid7, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,”Barnett wrote.

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,’” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.

It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with Microsoft Office 365, which Redmond has since rebranded as “Microsoft 365 Copilot.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.

Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, Apple has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.

Adobe has issued security updates that fix a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements.

Chris Goettl at Ivanti notes that Google Chrome is shipping an update today which will trigger updates for Chromium based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.

An Alabama man has admitted hacking into the US Security and Exchange Commission’s X account using SIM swap fraud to gain access

Chinese hackers are infiltrating the networks of suppliers of “sensitive” manufacturers, according to a Check Point report to be published in the coming weeks

Gcore reported a 56% year-over-year rise in DDoS attacks in H2 2024, highlighting a steep long-term growth tend for the attack technique

Ransomware groups are adopting agile techniques in a quantity-over-quality approach, according to a new report from Huntress

Four Europeans were arrested in Phuket, believed to be members of the Phobos ransomware group

Apple has patched a zero-day vulnerability being exploited in targeted attacks