
TLDR

Together With Threatlocker

TLDR Information Security 2025-09-30

Hackers ❤️ Misconfigurations (Sponsor)

Misconfigurations are the main way attackers break through your defenses, and they know it. That's why ThreatLocker® built DAC – Defense Against Configuration.

DAC continuously scans every machine across your environment, flags risky misconfigurations, and ranks them by severity. The findings show up in visual dashboards and land in your inbox weekly, so nothing gets missed.

Bonus: DAC maps every issue to major security frameworks - including NIST, HIPAA, and more - and delivers clear, step-by-step remediation guidance.

Get rid of unused admin accounts, inactive firewall rules, and all the other ways attackers sneak into your environment. Explore ThreatLocker DAC

🔓 Attacks & Vulnerabilities

Cyberattack on Co-op leaves shelves empty, data stolen, and $275M in lost revenue (2 minute read)

The DragonForce cybercrime group's April attack on UK retailer Co-op resulted in $275 million in lost revenue, weeks of empty shelves, and the theft of data from 6.5 million members, including names, contact details, and dates of birth (though passwords and payment information were not compromised). Co-op initially claimed no customer data was affected, but later confirmed the breach after hackers contacted executives via Microsoft Teams and phone, claiming to possess data on 20 million membership scheme participants. In July, the UK's National Crime Agency arrested four suspects aged 17-20 in London and the West Midlands on charges including Computer Misuse Act offenses, blackmail, money laundering, and organized crime participation, with DragonForce also claiming responsibility for attacks on M&S and an attempted breach of Harrods.

Microsoft uncovers new variant of XCSSET macOS malware in targeted attacks (3 minute read)

Microsoft has discovered a new XCSSET macOS malware variant being used in targeted attacks. It builds on the 2020 threat with advanced features, including stealing Firefox credentials via a modified HackBrowserData, hijacking cryptocurrency clipboard addresses using regular expressions, and increasing persistence through LaunchDaemon entries with AppleScripts and AES-encrypted C2 configurations. The four-stage infection chain uses modular payloads for info theft (vexyeqj/bnk), file exfiltration (neq_cdyd_ilvcmwx), persistence (xmyyeqjx creates fake System Settings apps and disables updates), and browser data extraction (iewmilh_cdyd targets passwords, cookies, and credit cards in Firefox). Security teams should review Xcode projects before use, deploy Microsoft Defender on macOS with cloud protection and PUA blocking, verify clipboard content before pasting sensitive information, and monitor for malicious LaunchDaemon entries (e.g., com.google.plists) and unusual creation of the ~/.root folder.

Hackers Contact Harrods After 430K Customer Records Hit by IT Breach (2 minute read)

Luxury department store Harrods was approached by attackers who stole 430,000 customer records. The compromised data contains only basic personal details like names and contact information, along with marketing information such as loyalty card data. Importantly, it does not include passwords or financial information. Harrods has announced that it will not pay the ransom.

🧠 Strategies & Tactics

APT35 plays the same music again (3 minute read)

Stormshield's CTI team discovered two previously unreported servers (84.200.193[.]20 and 79.132.131[.]184) linked to Iranian APT35 (Charming Kitten) by hunting for a distinctive HTML loading page pattern using ssdeep fuzzy hashing and queries in SilentPush and VirusTotal. The servers, active since July, host 49+ phishing domains impersonating video conferencing services, such as Google Meet, with typosquatting tactics (e.g., meet.go0gle[.]online), primarily targeting Israeli victims based on URL submission patterns. Defenders can track ongoing APT35 infrastructure using simple VirusTotal queries, such as "entity:url url:online/?invitation" or "entity:domain domain:viliam.*", to identify phishing domains that follow consistent naming conventions despite the campaign being publicly documented.

Silent Push Examines the Dark Side of Dynamic DNS Providers (8 minute read)

Silent Push identified around 70,000 domains offering rentable subdomains (Dynamic DNS providers) exploited by threat actors due to minimal oversight, cryptocurrency payments, no KYC, and ignoring takedown requests. Major APT groups like APT28, APT29, APT33, Gamaredon, and Scattered Spider extensively use these for C2 infrastructure. While individual malicious subdomains can be blocklisted, parent domains often remain active and spawn new threats. The team created data exports (from the Public Suffix List, afraid[.]org, DuckDNS, NoIP) to help security teams implement risk-based blocking or alerting, balancing security with avoiding disruption to legitimate access.

Building an AWS GuardDuty Alert Triage Agent (8 minute read)

This article explores how to create a GuardDuty triage agent using PydanticAI and Discord. A user can call the agent using !triage in a Discord channel, and it will investigate a specific alert, IAM user, etc., and provide additional context as well as a verdict. The author was impressed with how well the LLM could triage alerts, but definitely felt that there was a lot of engineering effort in creating the tools and fine-tuning the agent.

🧑‍💻 Launches & Tools

The attack surface of on-device AI (Sponsor)

Running AI on your PC is transforming productivity - but like all emerging tech, it comes with some security risk. Learn about the tactics attackers use to gain entry to your endpoints, and how you can stay secure. Read the eBook by Dell and Intel

AIDR Bastion (GitHub Repo)

AIDR Bastion is an open-source GenAI security system that defends against malicious prompts using five detection methods: regex, vector similarity, static analysis, ML classification, and LLM analysis. It supports standard and custom rules, integrating with SigmaHQ, SOC Prime, and mapping to MITRE ATLAS and OWASP Top 10, enabling configurable blocking, notifications, and logging. Built on FastAPI, it offers real-time protection and attack diagnostics, with tools for converting rules for enhanced detection.

EnumEDR (GitHub Repo)

EnumEDR is a tool that enumerates EDRs running on a system by enumerating current processes and loaded drivers.

Hound (GitHub Repo)

Hound is a language-agnostic AI code auditor that autonomously builds and refines adaptive knowledge graphs for deep, interactive code reasoning.

🎁 Miscellaneous

Hardening Google Cloud: Insights from the latest Cloud VRP bugSWAT (5 minute read)

Google Cloud's record-breaking bugSWAT event brought together 20 elite security researchers who submitted 130 reports, uncovering 91 vulnerabilities across the platform. The event resulted in approximately $1.6 million in bounty rewards (with 100% bonuses applied), pushing Google's total Cloud VRP payouts to ~$2.5M for 2025. High-severity findings included a network egress filter bypass that enabled SSRF attacks and SQL injection vulnerabilities in database connectors, both of which have now been patched.

DoD Issues Replacement for Risk Management Framework (3 minute read)

The Department of Defense (DoD) unveiled a new Cybersecurity Risk Management Construct to replace its previous risk management system. The new system defines a five-phased lifecycle which includes: a design phase which incorporates security from the outset, a build phase where secure designs are implemented to achieve Initial Operating Capacity, a test phase where validation and stress testing are performed before Full Operating Capacity, an onboarding phase where automated continuous monitoring is activated, and finally an operations phase where real-time dashboards and alerting mechanisms provide immediate detection and response.

Microsoft Forced to Make Windows 10 Extended Security Updates Truly Free in Europe (2 minute read)

Windows 10 will reach end-of-life on October 14. Microsoft had previously announced that users who enabled Windows Backup would be entitled to a year of free extended security updates. This move drew some controversy due to its requiring the use of OneDrive to receive security updates. Following pressure from the Euroconsumers consumer advocacy group, Microsoft has dropped the Windows Backup requirement for European users, but will still require the use of a Microsoft account.

Quick Links

AI-Powered AppSec (Sponsor)

Predicts which of your websites and applications are most likely to be vulnerable to attacks. Correlates runtime-validated DAST findings with broader ASPM data, evaluating exploitability, reachability, and business and compliance impact. Get a demo →

Datacenter fire takes 647 South Korean government services offline (1 minute read)

The fire at South Korea's National Information Resources Service datacenter was sparked by a lithium-ion battery replacement gone wrong.

Microsoft Edge to block malicious sideloaded extensions (2 minute read)

Microsoft Edge will introduce malware detection in November to automatically identify and revoke malicious sideloaded extensions installed via Developer Mode.

UK convicts "Bitcoin Queen" in world's largest cryptocurrency seizure (2 minute read)

The UK Metropolitan Police secured a conviction against Zhimin Qian, also known as "Bitcoin Queen," for a multibillion-pound Bitcoin fraud scheme that defrauded 128,000 Chinese investors between 2014 and 2017 by promising 100 to 300 percent returns.


Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.