weerapat1003 - stock.adobe.com News Capital One pushes out data tokenisation Organisations using the Databricks and Snowflake platforms will be able to use Capital One’s Databolt tool to secure their data By Cliff Saran, Managing Editor Published: 21 May 2025 11:15 The software arm of Capital One has expanded the availability of a tool that enables IT departments to improve their data security using data tokenisation. The business-to-business software division of the financial services company has made its Databolt data tokenisation software available on two major data platforms – Databricks and Snowflake. Capital One describes its implementation of data tokenisation as the process of replacing raw data with a digital representation. In a blog post discussing the benefits of the technology, the company said: “In data security, tokenisation replaces sensitive data with randomised, nonsensitive substitutes, called tokens, that have no traceable relationship back to the original data.” Application areas include using data tokenisation to secure corporate data when training artificial intelligence (AI) models and protecting personally identifiable data, to comply with data protection regulations like General Data Protection Regulation and payment card regulations such as PCI DSS for ecommerce transactions. Tokenisation is seen as an alternative to encryption, but is generally easier to integrate into existing IT systems. It effectively gives cyber security chiefs the ability to remove sensitive data from IT systems, which reduces the impact of data loss due to an IT security breach. It’s a technique used in financial services to protect payment data. Among the benefits, according to Capital One, is that tokenisation preserves the length and format of data. Data tokenisation also maintains database relationships. This means it can be implemented in existing IT systems and applications without breaking how the applications process the data. Analysis from McKinsey suggests that tokenised market capitalisation could reach around $2tn by 2030, driven by tokenisation of financial assets. Tokenisation is also a fundamental part of how large language models work where it is used to convert words and sentences into numerical values that can then be processed. Read more stories about securing data How non-fungible tokens can be used to manage health data: Non-fungible tokens will give patients more ownership and control over their health data and improve its transparency in healthcare research, according to SingHealth clinicians. How to create a data security policy, with template:  When it comes to data security, the devil is in the details. One critical detail organisations shouldn't overlook is a succinct yet detailed data security policy. Capital One said its implementation of data tokenisation through Databolt enables companies to tokenise sensitive data directly within Databricks and Snowflake, making it easier for companies to protect their sensitive data where it resides. According to Capital One, this means IT security leaders can strengthen data security without slowing down innovation. Desikan Madhvanur, senior vice-president, and chief product and technology officer at Capital One Software, said: “Today’s companies are managing data across a vast ecosystem. Integrating Databolt with Databricks and Snowflake is key to helping companies secure their data where it resides so they can confidently build applications and deploy AI models knowing their data is protected.” Databolt provides data tokenisation via the Databricks Unity Catalog. Capital One said the integration allows Databolt customers to define tokenisation policies, ingest Databricks user groups for role-based access control, initiate tokenisation jobs and configure workflows. It’s also available on the Snowflake Marketplace. Here, Databolt uses Snowpark Container Services and the Snowflake Native App Framework to provide native integration with the data platform. According to Capital One, the integration means sensitive data does not need to leave a customer’s Snowflake environment. Capital One said the integration of Databolt on the Snowflake platform allows customers to deploy their tokenisation engine directly in their Snowflake environment, define access for tokenisation based on pre-existing Snowflake roles and access tokenisation functionality through user-defined functions. In The Current Issue: UK critical systems at risk from ‘digital divide’ created by AI threats UK at risk of Russian cyber and physical attacks as Ukraine seeks peace deal Standard Chartered grounds AI ambitions in data governance Download Current Issue Mobile Pixels Glance monitor range – Inspect-a-Gadget RAD RHEL, Red Hat Advanced Developer Suite  – CW Developer Network View All Blogs

May 20, 2025The Hacker NewsPenetration Testing / Risk Management In the newly released 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from global enterprises (200 from within the USA) to understand the strategies, tactics, and tools they use to cope with the thousands of security alerts, the persisting breaches and the growing cyber risks they have to handle. The findings reveal a complex picture of progress, challenges, and a shifting mindset about how enterprises approach security testing. More Tools, More Data, More Protection… No Guarantees Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions​. Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months​. The growing number of deployed tools has a few effects on the daily operation and the overall cyber posture of the organization. Although it seems obvious, the findings tell a clear story - more security tools do mean better security posture. However, there is no silver bullet. Among organizations with fewer than 50 security tools, 93% reported a breach. That percentage steadily declines as stack size increases, dropping to 61% among those using more than 100 tools. Alert Fatigue Is Real The flip side of larger security stacks is that CISOs and their teams must contend with a much larger influx of information. Enterprises managing over 75 security solutions now face an average of 2,000 alerts per week — double the volume compared to organizations with smaller stacks, and those with over 100 tools receive over 3000 (3x the alerts). This in turn, puts much more emphasis on effective prioritization, otherwise, critical threats may get buried in a sea of alerts. In this environment, where alert volumes are high and time to triage is short, organizations benefit most when they can frequently test for exploitable gaps, so they know which issues truly matter before threat actors find them first. Software-Based Pentesting Gains Ground Trust in software-based security testing is growing rapidly. Only 5-10 years ago, many enterprises would never have permitted automated tools to run pentests in their environments for fear of causing outages, but sentiment is changing. As CISOs continue to recognize the advantages of software in scaling adversarial testing and keeping pace with constantly changing IT environments, software-based pentesting is becoming the standard. Over half of enterprises now use these tools to support in-house testing, driven by trust in their reliability and the need for scalable, continuous validation strategies. Today, 50% of CISOs cite software-based pentesting solutions as their primary method for uncovering exploitable gaps​. Insurance Providers Become Unexpected Influencers Beyond internal management and Boards of Directors, a surprising new force is shaping security strategy: Cyber insurance providers. 59% of CISOs admitted that they have implemented at least one cybersecurity solution that they were not previously considering as a result of their cyber insurers. It's a clear sign that insurers aren't just pricing risk, they're actively prescribing how to reduce it, and reshaping enterprise security priorities in the process.​. Low Confidence in Government Support While governmental agencies like CISA (in the US) and ENISA (in the EU) play an important role in threat visibility and coordination, confidence in government cybersecurity support is surprisingly low. Only 14% of CISOs believe the government is adequately supporting the private sector's cyber challenges​, while 64% feel that government efforts, though acknowledged, are insufficient​. 22% believe that they cannot rely on the government at all for cybersecurity help. To benchmark your organization's pentesting practices, budgets, and priorities against other global enterprises, register for the webinar on May 27, 2025 where senior security analysts will discuss the key findings. Alternatively, get the full 2025 State of Pentesting Report and see all the insights for yourself!Note: This article was written and contributed by Jay Mar Tang, Field CISO at Pentera. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Cybersecurity leaders aren't just dealing with attacks—they're also protecting trust, keeping systems running, and maintaining their organization's reputation. This week's developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow. Just fixing problems isn't enough anymore—resilience needs to be built into everything from the ground up. That means better systems, stronger teams, and clearer visibility across the entire organization. What's showing up now isn't just risk—it's a clear signal that acting fast and making smart decisions matters more than being perfect. Here's what surfaced—and what security teams can't afford to overlook. ⚡ Threat of the Week Microsoft Fixes 5 Actively Exploited 0-Days — Microsoft addressed a total of 78 security flaws in its Patch Tuesday update for May 2025 last week, out of which five of them have come under active exploitation in the wild. The vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. It's currently not known in what context these defects have been exploited, who is behind them, and who was targeted in these attacks. Download the Report ➝ 🔔 Top News Marbled Dust Exploits Output Messenger 0-Day — Microsoft revealed that a Türkiye-affiliated threat actor codenamed Marbled Dust exploited as zero-day a security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. The attacks, the company said, are associated with the Kurdish military operating in Iraq. The attacks exploited CVE-2025-27920, a directory traversal vulnerability affecting version 2.0.62 that allows remote attackers to access or execute arbitrary files. It was addressed in December 2024. Konni APT Focuses on Ukraine in New Phishing Campaign — The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia amidst the ongoing Russo-Ukrainian war. Proofpoint, which disclosed details of the activity, said the objective of the attacks is to collect intelligence on the "trajectory of the Russian invasion." The attack chains entail the use of phishing emails that impersonate a fictitious senior fellow at a non-existent think tank, tricking recipients into visiting credential harvesting pages or downloading malware that can conduct extensive reconnaissance of the compromised machines. Coinbase Discloses Data Breach — Cryptocurrency giant Coinbase disclosed that unknown cyber actors broke into its systems and stole account data for a small subset of its customers. The activity bribed its customer support agents based in India to obtain a list of customers, who were then approached as part of a social engineering attack to transfer their digital assets to a wallet under the threat actor's control. The attackers also unsuccessfully attempted to extort the company for $20 million on May 11, 2025, by claiming to have information about certain customer accounts as well as internal documents. The compromised agents have since been terminated. While no passwords, private keys, or funds were exposed, the attackers made away with some amount of personal information, including names, addresses, phone numbers, email addresses, government ID images, and account balances. Coinbase did not disclose how many of its customers fell for the scam. Besides voluntarily reimbursing retail customers who were duped into sending cryptocurrency to scammers, Coinbase is offering a $20 million reward to anyone who can help identify and bring down the perpetrators of the cyber attack. APT28 Behind Attacks Targeting Webmail Services — APT28, a hacking group linked to Russia's Main Intelligence Directorate (GRU), has been targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities. The attacks, ongoing since at least 2023, targeted governmental entities and defense companies in Eastern Europe, although governments in Africa, Europe, and South America were also singled out. The victims in 2024 alone included officials from regional national governments in Ukraine, Greece, Cameroon and Serbia, military officials in Ukraine and Ecuador, and employees of defense contracting firms in Ukraine, Romania and Bulgaria. The group's spear-phishing campaign used fake headlines mimicking prominent Ukrainian news outlets like the Kyiv Post about the Russia-Ukraine war, seemingly in an attempt to entice targets into opening the messages using the affected webmail clients. Those who opened the email messages using the affected webmail clients were served, via the XSS flaws, a custom JavaScript payload capable of exfiltrating contacts and email data from their mailboxes. One of the payloads could steal passwords and two-factor authentication codes, allowing the attackers to bypass account protections. The malware is also designed to harvest the email credentials, either by tricking the browser or password manager into pasting those credentials into a hidden form or getting the user to log out, whereupon they were served a bogus login page. Earth Ammit Breaches Drone Supply Chains to Target Taiwan and South Korea — The threat actor known as Earth Ammit targeted a broader range of organizations than just Taiwanese drone manufacturers, as initially supposed. While the set of attacks was believed to be confined to drone manufacturers in Taiwan, a subsequent analysis has uncovered that the campaign is more broader and sustained in scope than previously thought, hitting the heavy industry, media, technology, software services, healthcare, satellite, and military-adjacent supply chains, and payment service providers in both South Korea and Taiwan. The attacks targeted software vendors and service providers as a way to reach their desired victims, who were the vendors' downstream customers. "Earth Ammit's strategy centered around infiltrating the upstream segment of the drone supply chain. By compromising trusted vendors, the group positioned itself to target downstream customers – demonstrating how supply chain attacks can ripple out and cause broad, global consequences," Trend Micro noted. "Earth Ammit's long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach." ‎️‍🔥 Trending CVEs Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out. This week's list includes — CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 (Microsoft Windows), CVE-2025-42999 (SAP NetWeaver), CVE-2024-11182 (MDaemon), CVE-2025-4664 (Google Chrome), CVE-2025-4632 (Samsung MagicINFO 9 Server), CVE-2025-32756 (Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera), CVE-2025-4427, CVE-2025-4428 (Ivanti Endpoint Manager Mobile), CVE-2025-3462, CVE-2025-3463 (ASUS DriverHub), CVE-2025-47729 (TeleMessage TM SGNL), CVE-2025-31644 (F5 BIG-IP), CVE-2025-22249 (VMware Aria Automation), CVE-2025-27696 (Apache Superset), CVE-2025-4317 (TheGem WordPress theme), CVE-2025-23166 (Node.js), CVE-2025-47884 (Jenkins OpenID Connect Provider Plugin), CVE-2025-47889 (Jenkins WSO2 Oauth Plugin), CVE-2025-4802 (Linux glibc), and CVE-2025-47539 (Eventin plugin). 📰 Around the Cyber World Attackers Leverage PyInstaller to Drop Infostealers on Macs — Attackers are using PyInstaller to deploy information stealers on macOS systems. These ad-hoc signed samples bundle Python code into Mach-O executables using PyInstaller, allowing them to be run without requiring Python to be installed or meet version compatibility requirements. "As infostealers continue to become more prevalent in the macOS threat landscape, threat actors will continue the search for new ways to distribute them," Jamf said. "While the use of PyInstaller to package malware is not uncommon, this marks the first time we've observed it being used to deploy an infostealer on macOS." Kosovo National Extradited to the U.S. for Running BlackDB.cc — A 33-year-old Kosovo national named Liridon Masurica has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. He has been charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. If convicted on all counts, Masurica faces a maximum penalty of 55 years in federal prison. He was taken into custody by authorities in Kosovo on December 12, 2024. Masurica is alleged to be the lead administrator of BlackDB.cc from 2018 to the present. "BlackDB.cc illegally offered for sale compromised account and server credentials, credit card information, and other personally identifiable information of individuals primarily located in the United States," the Justice Department said. "Once purchased, cybercriminals used the items purchased on BlackDB.cc to facilitate a wide range of illegal activity, including tax fraud, credit card fraud, and identity theft." Former BreachForums Admin to Pay $700k in Healthcare Breach — Conor Brian Fitzpatrick, aka Pompompurin, a former administrator of the BreachForums cybercrime forum, will forfeit roughly $700,000 in a civil lawsuit settlement related to Nonstop Health, a health insurance company whose customer data was posted for sale on the forum in 2023. Fitzpatrick was sentenced to time served last year, but he went on to violate the terms of his release. He is set to be resentenced next month. Tor Announces Oniux for Kernel-Level Tor Isolation — The Tor project has announced a new command-line utility called oniux that provides Tor network isolation for third-party applications using Linux namespaces. This effectively creates a fully isolated network environment for each application, preventing data leaks even if the app is malicious or misconfigured. "Built on Arti, and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks," the Tor project said. "If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it." DoJ Charges 12 More in RICO Conspiracy — The U.S. Department of Justice announced charges against 12 more people for their alleged involvement in a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million. Several of these individuals are said to have been arrested in the U.S., with two others living in Dubai. They face charges related to RICO conspiracy, conspiracy to commit wire fraud, money laundering, and obstruction of justice. The defendants are also accused of stealing over $230 million in cryptocurrency from a victim in Washington D.C. "The enterprise began no later than October 2023 and continued through March 2025," the Justice Department said. "It grew from friendships developed on online gaming platforms. Members of the enterprise held different responsibilities. The various roles included database hackers, organizers, target identifiers, callers, money launderers, and residential burglars targeting hardware virtual currency wallets." The attacks involved database hackers breaking into websites and servers to obtain cryptocurrency-related databases or acquiring databases on the dark web. The miscreants then determined the most valuable targets and cold-called them, using social engineering to convince them their accounts were the subject of cyber attacks and that they were helping them take steps to secure their accounts. The end goal of these attacks was to siphon the cryptocurrency assets, which were then laundered and converted into fiat U.S. currency in the form of bulk cash or wire transfers. The money was then used to fund a lavish lifestyle for the defendants. "Following his arrest in September 2024 and continuing while in pretrial detention, Lam is alleged to have continued working with members of the enterprise to pass and receive directions, collect stolen cryptocurrency, and have enterprise members buy luxury Hermes Birkin bags and hand-deliver them to his girlfriend in Miami, Florida," the agency said. ENISA Launches EUVD Vulnerability Database — The European Union launched a new vulnerability database called the European Vulnerability Database (EUVD) to provide aggregated information regarding security issues affecting various products and services. "The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services," the European Union Agency for Cybersecurity (ENISA) said. The development comes in the wake of uncertainty over MITRE's CVE program in the U.S., after which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stepped in at the last minute to extend their contract with MITRE for another 11 months to keep the initiative running. 3 Information Stealers Detected in the Wild — Cybersecurity researchers have exposed the workings of three different information stealer malware families, codenamed DarkCloud Stealer, Chihuahua Stealer, and Pentagon Stealer, that are capable of extracting sensitive data from compromised hosts. While DarkCloud has been advertised in hacking forums as early as January 2023, attacks distributing the malware have primarily focused on government organizations since late January 2025. DarkCloud is distributed as AutoIt payloads via phishing emails using PDF purchase order lures that display a message claiming their Adobe Flash Player is out of date. Chihuahua Stealer, on the other hand, is a .NET-based malware that employs an obfuscated PowerShell script shared through a malicious Google Drive document. First discovered in March 2025, Pentagon Stealer makes use of Golang to realize its goals. However, a Python variant of the same stealer was detected at least a year prior when it was propagated via fake Python packages uploaded to the PyPI repository. Kaspersky Outlines Malware Trends for Industrial Systems in Q1 2025 — Kaspersky revealed that the percentage of ICS computers on which malicious objects were blocked in Q1 2025 remained unchanged from Q4 2024 at 21.9%. "Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 10.7% in Northern Europe to 29.6% in Africa," the Russian security company said. "The biometrics sector led the ranking of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked." The primary categories of detected malicious objects included malicious scripts and phishing pages, denylisted internet resources, and backdoors, and keyloggers. Linux Flaws Surge by 967% in 2024 — The number of newly discovered Linux and macOS vulnerabilities increased dramatically in 2024, rising by 967% and 95% in 2024. The year was also marked by a 96% jump in exploited vulnerabilities from 101 in 2023 to 198 in 2024, and an unprecedented 37% rise in critical flaws across key enterprise applications. "The total number of software vulnerabilities grew by 61% YoY in 2024, with critical vulnerabilities rising by 37.1% – a significant expansion of the global attack surface and exposure of critical weaknesses across diverse software categories," Action1 said. "Exploits spiked 657% in browsers and 433% in Microsoft Office, with Chrome leading all products in known attacks." But in a bit of good news, there was a decrease in remote code execution vulnerabilities for Linux (-85% YoY) and macOS (-44% YoY). Europol Announces Takedown of Fake Trading Platform — Law enforcement authorities have disrupted an organized crime group that's assessed to be responsible for defrauding more than 100 victims of over €3 million ($3.4 million) through a fake online investment platform. The effort, a joint exercise conducted by Germany, Albania, Cyprus, and Israel, has also led to the arrest of a suspect in Cyprus. "The criminal network lured victims with the promise of high returns on investments through a fraudulent online trading platform," Europol said. "After the victims made initial smaller deposits, they were pressured to invest larger amounts of money, manipulated by fake charts showing fabricated profits. Criminals posing as brokers used psychological tactics to convince the victims to transfer substantial funds, which were never invested but directly pocketed by the group." Two other suspects were previously arrested from Latvia in September 2022 as part of the multi-year probe into the criminal network. New "defendnot" Tool Can Disable Windows Defender — A security researcher who goes by the online alias es3n1n has released a tool called "defendnot" that can disable Windows Defender by means of a little-known API. "There's a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there's some other antivirus in the hood and it should disable Windows Defender," the researcher explained. "This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation." Rogue Communication Devices Found in Some Chinese Solar Power Inverters — Reuters reported that U.S. energy officials are reassessing the risk posed by Chinese-made solar power inverters after unexplained communication equipment was found inside some of them. The rogue components are designed to provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, according to two people familiar with the matter. This could then be used to switch off inverters remotely or change their settings, enabling bad actors to destabilize power grids, damage energy infrastructure, and trigger widespread blackouts. Undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, the report added. Israel Arrest Suspect Behind 2022 Nomad Bridge Crypto Hack — Israeli authorities have arrested and approved the extradition of a Russian-Israeli dual national Alexander Gurevich over his alleged involvement in the Nomad Bridge hack in August 2022 that allowed hackers to steal $190 million. Gurevich is said to have conspired with others to execute an exploit for the bridge's Replica smart contract and launder the resulting proceeds through a sophisticated, multi-layered operation involving privacy coins, mixers, and offshore financial entities. "Gurevich played a central role in laundering a portion of the stolen funds. Blockchain analysis shows that wallets linked to Gurevich received stolen assets within hours of the bridge breach and began fragmenting the funds across multiple blockchains," TRM Labs said. "He then employed a classic mixer stack: moving assets through Tornado Cash on Ethereum, then converting ETH to privacy coins such as Monero (XMR) and Dash." Using V8 Browser Exploits to Bypass WDAC — Researchers have uncovered a sophisticated technique that leverages vulnerable versions of the V8 JavaScript engine to bypass Windows Defender Application Control (WDAC). "The attack scenario is a familiar one: bring along a vulnerable but trusted binary, and abuse the fact that it is trusted to gain a foothold on the system," IBM X-Force said. "In this case, we use a trusted Electron application with a vulnerable version of V8, replacing main.js with a V8 exploit that executes stage 2 as the payload, and voila, we have native shellcode execution. If the exploited application is whitelisted/signed by a trusted entity (such as Microsoft) and would normally be allowed to run under the employed WDAC policy, it can be used as a vessel for the malicious payload." The technique builds upon previous findings that make it possible to sidestep WDAC policies by backdooring trusted Electron applications. Last month, CerberSec detailed another method that employs WinDbg Preview to get around WDAC policies. 🎥 Cybersecurity WebinarsDevSecOps Is Broken — This Fix Connects Code to Cloud to SOC Modern applications don't live in one place—they span code, cloud, and runtime. Yet security is still siloed. This webinar shows why securing just the code isn't enough. You'll learn how unifying AppSec, cloud, and SOC teams can close critical gaps, reduce response times, and stop attacks before they spread. If you're still treating dev, infra, and operations as separate problems, it's time to rethink. 🔧 Cybersecurity Tools Qtap → It is a lightweight eBPF tool for Linux that shows what data is being sent and received—before or after encryption—without changing your apps or adding proxies. It runs with minimal overhead and captures full context like process, user, and container info. Useful for auditing, debugging, or analyzing app behavior when source code isn't available. Checkov → It is a fast, open-source tool that scans infrastructure-as-code and container packages for misconfigurations, exposed secrets, and known vulnerabilities. It supports Terraform, Kubernetes, Docker, and more—using built-in security policies and Sigma-style rules to catch issues early in the development process. TrailAlerts → It is a lightweight, serverless AWS-native tool that gives you full control over CloudTrail detections using Sigma rules—without needing a SIEM. It's ideal for teams who want to write, version, and manage their own alert logic as code, but find CloudWatch rules too limited or complex. Built entirely on AWS services like Lambda, S3, and DynamoDB, TrailAlerts lets you detect suspicious activity, correlate events, and send alerts through SNS or SES—without managing infrastructure or paying for unused capacity. 🔒 Tip of the Week Catch Hidden Threats in Files Users Trust Too Much → Hackers are using a quiet but dangerous trick: hiding malicious code inside files that look safe — like desktop shortcuts, installer files, or web links. These aren't classic malware files. Instead, they run trusted apps like PowerShell or curl in the background, using basic user actions (like opening a file) to silently infect systems. These attacks often go undetected because the files seem harmless, and no exploits are used — just misuse of normal features. To detect this, focus on behavior. For example, .desktop files in Linux that run hidden shell commands, .lnk files in Windows launching PowerShell or remote scripts, or macOS .app files silently calling terminal tools. These aren't rare anymore — attackers know defenders often ignore these paths. They're especially dangerous because they don't need admin rights and are easy to hide in shared folders or phishing links. You can spot these threats using free tools and simple rules. On Windows, use Sysmon and Sigma rules to alert on .lnk files starting PowerShell or suspicious child processes from explorer.exe. On Linux or macOS, use grep or find to scan .desktop and .plist files for odd execution patterns. To test your defenses, simulate these attack paths using MITRE CALDERA — it's free and lets you safely model real-world attacker behavior. Focusing on these overlooked execution paths can close a major gap attackers rely on every day. Conclusion The headlines may be over, but the work isn't. Whether it's rechecking assumptions, prioritizing patches, or updating your response playbooks, the right next step is rarely dramatic—but always decisive. Choose one, and move with intent. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Forward-looking: In today's world and age, having a centralized resource for collecting and sharing information about security vulnerabilities is essential. The US administration recently signaled it doesn't have this kind of priorities anymore, so the European Union is preparing a potential alternative for keeping the technology world safe and informed. The European Commission has launched a new vulnerability database managed by the EU Agency for Cybersecurity (ENISA). The beta version of the European Vulnerability Database (EUVD) is already live, promising a more effective approach to cybersecurity and critical information sharing for professionals and organizations across the continent. The EUVD meets the vulnerability management requirements of the NIS2 Directive, a 2023 framework adopted by the European Parliament to improve cybersecurity in critical sectors like energy, transport, and healthcare. It also helps implement the Cyber Resilience Act, which requires stronger protections for products with digital components. European officials have described the initiative as a move to strengthen the EU's technological sovereignty. Henna Virkkunen, the European Commission's executive vice president for Tech Sovereignty, Security, and Democracy, welcomed the EUVD as a key step toward Europe's digital security and resiliency. "By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling public and private stakeholders to better protect our shared digital spaces with greater efficiency and autonomy," Virkkunen said. The ENISA says this data consolidation will make it easier for organizations to identify and respond to vulnerabilities, fostering a more proactive cybersecurity environment across the continent. By centralizing and streamlining the information, the EUVD aims to reduce the time it takes to address critical security issues, ultimately enhancing the region's digital resilience. // Related Stories The EUVD features three dashboards highlighting critical vulnerabilities, exploited bugs, and "EU-coordinated" flaws. The latter includes issues managed by European CSIRTs. Most data comes from open-source databases, while national CSIRTs provide additional details through advisories and alerts. Starting September 2026, the EU will require hardware and software manufacturers to report actively exploited vulnerabilities. While Brussels authorities mention the CVE database only tangentially, the EUVD is a practical response to the Trump administration's attempts to defund critical bug tracking. Should future efforts to slash funding for cyber initiatives succeed, data from the CVE system could seamlessly migrate to the EUVD.

The European Union Agency for Cybersecurity (Enisa) has debuted a European Union Vulnerability Database (EUVD) to provide “aggregated, reliable and actionable” information on newly disclosed cyber security vulnerabilities in IT products and services. The EUVD, which is mandated by the NIS2 Directive, is designed to gather publicly available information from sources such as EU member state national computer security incident response teams (CSIRTs), industry threat researchers, and other vulnerability databases, including Mitre’s CVE Program. Enisa said that to meet this goal, it has constructed its platform on a holistic approach as an interconnected database that it believes will allow for better analysis and help the community correlate vulnerabilities. It said this would ultimately make it a more trustworthy, transparent and broader information source. “The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience,” said Henna Virkkunen, European Commission executive vice-president for tech sovereignty, security and democracy. “By bringing together vulnerability information relevant to the EU market, we are raising cyber security standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.” Enisa executive director Juhan Lepassaar added: “Enisa achieves a milestone with the implementation of the vulnerability database requirement from the NIS2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with them. “The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.” The launch of the EUVD comes mere weeks after the security community was rocked by the near-death experience of Mitre’s long-running CVE Program, a US government-backed and -funded resource that over the past two decades has become a fixture in the security world. Although Mitre’s funding was, in the end, restored at the last minute by the US authorities, the 24 hours of uncertainty prompted much soul-searching and many cyber professionals have begun to consider or discuss the idea of alternatives to a programme that is ultimately backed by a single government. Although EUVD is not designed to replace the US programme, Enisa said it had worked with Mitre on its development, and continues to work alongside the non-profit body to understand the impact of the funding crisis on the EUVD project. For now, data on common vulnerabilities and exposures (CVE), data provided by those disclosing vulnerabilities, and other sources such as the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalogue will be automatically transposed into EUVD with support from EU member state CSIRTs. For example, CVE-2025-32709, a privilege escalation vulnerability in Windows Ancillary Function Driver for WinSock – disclosed this week on Patch Tuesday – appears in the EUVD with the designation EUVD-2025-14439. Sylvain Cortes, strategy vice-president at Hackuity, said: “Enisa’s new EUVD is a good initiative when you consider the recent funding issues around Mitre’s CVE Program. “There’s also still some uncertainty around whether the Mitre database will continue to exist after the new contract expires in 10 months’ time, so having a European option in place means the industry can be less reliant on one vulnerability enrichment source. It’s an even greater alternative when you consider the fact that the NVD [the US National Vulnerability Database] has suffered backlogs in the past. “Ultimately, we need a source for all vulnerabilities that is reliable and open, and we hope that the new EUVD promises will provide this,” said Cortes. Crystal Morin, cyber security strategist at Sysdig, also welcomed the launch as part of the ongoing effort to strengthen global cyber security amid an uncertain future. She said she hoped the EUVD would complement the CVE Program. “Having both in play means more organisations handling CVE requests and, ultimately, faster public disclosure,” she said. “For security teams, the EUVD is simply another trusted source for vulnerability intelligence. As long as vulnerability submissions are streamlined – only submitted to one programme – we avoid duplication and confusion, and gain speed and resilience.” Read more about vulnerability disclosure practice The US National Institute of Standards and Technology is deferring future updates to thousands of cyber vulnerabilities discovered prior to 2018 amid surging volumes of new submissions. Many trends, notably a big shift to open source tools, are behind an expected boom in the number of disclosed vulnerabilities in 2025. New benchmarking data can help security practitioners identify gaps in healthcare vulnerability management and make the case for a proactive versus reactive approach to managing vulnerabilities.