October 20, 2025

News roundup October 20, 2025

San Mateo, CA, October 20, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Ring partners with Flock to share doorbell video with law enforcement

Amazon-owned Ring announced a new partnership with Flock, an AI-powered surveillance company whose cameras already share footage with law enforcement. The deal allows agencies using Flock to request video from Ring doorbell users for “evidence collection and investigative work.” Flock cameras can capture identifying vehicle details, such as license plates. The announcement coincided with reports that ICE, the Secret Service, and the Navy have accessed Flock’s camera network. The partnership could vastly expand that reach, linking millions of Ring devices to law enforcement systems. Ring previously paid $5.8 million in FTC fines over employee access abuses.

Hackers hijack airport systems with pro-Hamas messages

Harrisburg International Airport in Pennsylvania and Kelowna International Airport in British Columbia had their public address systems and flight displays hijacked to broadcast pro-Hamas messages and insults toward President Trump and Israeli Prime Minister Benjamin Netanyahu. Officials said the incidents amounted to cyber-vandalism, not physical threats, and both airports quickly shut down their systems. Harrisburg police and Canadian authorities, including the RCMP, have opened investigations. Kelowna screens also displayed “Free Palestine” messages before being restored, and some flights were delayed. No group has claimed responsibility, though pro-Palestinian hacktivists have conducted similar digital intrusions since the start of the 2023 Israel-Gaza conflict.

Microsoft patches record-severity ASP.NET Core flaw

Microsoft has patched a severe vulnerability in its ASP.NET Core web server, describing it as the “highest ever” rated flaw for the framework. The HTTP request smuggling bug, tracked as CVE-2025-55315, was found in the Kestrel ASP.NET Core web server. “An attacker who successfully exploited this vulnerability could view sensitive information such as other users’ credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability),” Microsoft said. The company released updates for .NET 8, .NET 2.3, Visual Studio 2022, and Kestrel Core. Technical program manager Barry Dorrans said real-world risk depends on each app’s code, but warned developers to patch immediately.
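The story names the bug class but not how it works, so here is an added illustration of HTTP request smuggling from the defender's side: a strict HTTP/1.1 framing check that refuses every request whose body length two parsers could disagree about. This is example code written for this roundup, not Kestrel code, and it does not reproduce CVE-2025-55315 (whose details are not on this page). The rejection rules follow RFC 7230 section 3.3.3; the one assumption, stated in the code, is that the buffer holds a single request, so bytes beyond the declared body are an error rather than a pipelined follow-on.

```python
"""Strict HTTP/1.1 framing check, rejecting the ambiguity that enables request smuggling.

Added illustration of the vulnerability class; not Kestrel code and not a reproduction
of CVE-2025-55315. Smuggling arises when two parsers in a chain (reverse proxy and
origin server) disagree about where one request ends; a defensive parser refuses every
message whose length is not unambiguous. Assumption: the buffer holds one request, so
bytes beyond the declared body are treated as an error, not as a pipelined request.
"""
from dataclasses import dataclass

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


@dataclass
class Framing:
    ok: bool
    reason: str
    body_length: int = 0  # body length once framing is unambiguous


def parse_headers(raw: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Split a raw request into (lower-cased header list, remaining body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        # Whitespace before the colon is a classic source of parser disagreement: refuse it.
        if not colon or name != name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return headers, body


def decode_chunked(body: bytes) -> Framing:
    """Strict chunked decoder: hex digits only, no chunk extensions, exact termination."""
    pos = total = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return Framing(False, "reject: truncated chunk-size line")
        size_field = body[pos:end]
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            return Framing(False, f"reject: bad chunk size {size_field!r}")
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            if body[pos:] != b"\r\n":  # no trailers accepted; nothing may follow the last chunk
                return Framing(False, "reject: data after terminating chunk")
            return Framing(True, "chunked", total)
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            return Framing(False, "reject: chunk shorter than declared or missing CRLF")
        total, pos = total + size, pos + size + 2


def check_framing(raw: bytes) -> Framing:
    """Accept only requests whose body length every conforming parser would agree on."""
    try:
        headers, body = parse_headers(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return Framing(False, f"reject: {exc}")
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:  # RFC 7230 3.3.3: the combination is a smuggling signal; refuse it
        return Framing(False, "reject: both Transfer-Encoding and Content-Length present")
    if len(te) > 1 or len(cl) > 1:
        return Framing(False, "reject: duplicate framing header")
    if te:
        if te[0].lower() != "chunked":  # "chunked, identity", "xchunked" etc. are refused
            return Framing(False, f"reject: unsupported Transfer-Encoding {te[0]!r}")
        return decode_chunked(body)
    if cl:
        if not cl[0].isdigit():  # refuses "+5", "5 5", "-1", "0x5", ""
            return Framing(False, f"reject: non-numeric Content-Length {cl[0]!r}")
        declared = int(cl[0])
        if len(body) != declared:
            return Framing(False, f"reject: declared {declared} body bytes, got {len(body)}")
        return Framing(True, "content-length", declared)
    if body:
        return Framing(False, "reject: body present without a framing header")
    return Framing(True, "no body", 0)
```

The design choice worth noting is that every ambiguous case is a hard reject rather than a "best guess": a server that guesses differently from the proxy in front of it is exactly the desync that smuggling exploits, and a rejected request costs far less than a shared connection whose boundaries two components disagree on.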

U.S. seizes $15B Bitcoin haul from South Asian crime ring

U.S. authorities have seized 127,271 Bitcoin, worth about $15 billion, from Chen Zhi, the alleged leader of Cambodia’s Prince Group, marking the largest financial seizure ever recorded. Chen, a dual U.K. and Cambodian national, is accused of running a vast cybercrime and human trafficking network that operated scam compounds across more than 30 countries. The Justice Department unsealed an indictment in New York charging Chen with crimes that carry up to 40 years in prison. Officials said the coordinated action by the U.S. and U.K. included sanctions on 146 individuals and entities linked to the Prince Group, along with measures severing the Cambodia-based Huione Group from the U.S. financial system. Treasury officials said the network laundered billions in illicit proceeds from online investment scams and cyberattacks. Chen remains at large.

Pixnapping exploit steals 2FA codes from Android phones

A team of academic researchers has demonstrated a new Android attack called “Pixnapping” that can steal two-factor authentication codes and other private data in under 30 seconds by reading data displayed on the screen. “Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.” Google issued a September patch that mitigates the flaw, but the researchers showed variants can bypass it.

Proofpoint exposes TA585, a highly autonomous threat group

Researchers at Proofpoint have uncovered a cybercriminal group known as TA585 that runs one of the most autonomous and technically advanced operations active today. The group controls every aspect of its attacks, including infrastructure, phishing, and malware deployment, and has been identified as a key distributor of MonsterV2, a premium malware family. Sold on a subscription model ranging from $800 to $2,000 per month, MonsterV2 enables data theft, remote access, and payload delivery. TA585’s early campaigns impersonated the IRS and SBA, using the ClickFix technique to trick users into executing PowerShell scripts that installed the malware. Later attacks exploited GitHub notifications to lure victims to fake pages, again deploying MonsterV2 or other payloads such as Rhadamanthys.

Attackers abuse Edge’s Internet Explorer mode for malware

A new campaign targeting “the inherent security weaknesses of legacy browser technology to compromise unsuspecting users’ devices” has set its sights on Microsoft Edge’s Internet Explorer mode. The technique “combines social engineering with zero-day exploits targeting Internet Explorer’s Chakra JavaScript engine.” When victims land on a malicious site, they are prompted to transition from Edge’s Chromium-based environment to Internet Explorer’s legacy framework, which lacks the security found in modern browsers and exposes users to risks that they would otherwise be able to avoid. The campaign involves victims being infected with malware, having their systems compromised, and subsequently turning over control of their systems to threat actors.

AI wipes out entry-level tech and security jobs

Entry-level workers aged 22-25 may struggle to find work, as jobs for this age demographic have declined by around 13% due to the adoption of generative AI. These new tools can replace young workers who are developing the skills they need, which raises questions about how young professionals are to gain the experience required to advance their careers. “Everybody says the security industry is growing rapidly, but it’s getting harder and harder to get in,” says Jessica Sica, CISO at Weave Communications. “And I think part of that is maybe more and more people want to get into security, but the entry-level jobs I think are getting more difficult. Companies are getting more demanding.”

Stealit malware hides in fake VPN and game installers

FortiGuard Labs has uncovered a new info-stealing campaign that disguises the Stealit malware in applications that pose as game and VPN installers. Once installed, Stealit can extract data from web browsers and other applications, including game marketplaces, instant messaging apps, and cryptocurrency wallets. This new campaign is noteworthy for initially using Node.js Single Executable Apps (SEA), an “experimental feature designed to package Node.js applications, their dependencies and assets into a standalone executable,” to distribute malicious scripts. However, researchers observed that the actors behind the scheme changed tactics and adopted the Electron framework. Stealit is marketed as a “professional data extraction solution” that threat actors can access with a subscription.

Global botnet targets RDP services from 100,000 IPs

A large-scale botnet, originating from over 100,000 IP addresses, has been targeting Remote Desktop Protocol (RDP) services since October 8th. Researchers believe that the botnet, which relies on RD Web Access timing attacks and RDP web client login enumeration, spans multiple countries. The campaign was discovered by threat monitoring platform GreyNoise, which believes that the threat actors have compromised devices in more than 100 countries. To defend against this threat, administrators are being told to “block the IP addresses that launch the attacks and to check the logs for suspicious RDP probing.” Remote Desktop connections should not be exposed to the public internet; additionally, the use of VPNs and multi-factor authentication is recommended.
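For the two pieces of advice quoted above (check logs for RDP probing, then block the sources), here is an added example of the detection logic run over sample log lines. It is written for this roundup, not GreyNoise's tooling, and every log line in it is constructed: the addresses are documentation ranges and not real indicators. The records mimic the main fields of Windows Security event 4625 (failed logon) exported as JSON lines; the sliding-window threshold values and the field names are assumptions you would tune to your own log source.

```python
"""Flag RDP login probing in failed-logon events and emit block rules.

Added example, not GreyNoise's tooling. All log lines are constructed for illustration
(documentation address ranges, not real indicators). Records mimic Windows Security
event 4625 exported as JSON lines; LogonType 10 is RemoteInteractive (RDP) and 3 is
Network, which RD Web Access and the RDP web client typically produce.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts: datetime, ip: str, user: str, logon_type: int, event_id: int = 4625) -> str:
    return json.dumps({"EventID": event_id, "TimeCreated": ts.isoformat(),
                       "IpAddress": ip, "TargetUserName": user, "LogonType": logon_type})


def sample_log_lines() -> list[str]:
    """Constructed sample: one enumerating source, one fat-fingered user, one slow scanner."""
    base = datetime(2025, 10, 8, 3, 0, 0)
    lines = [_event(base + timedelta(seconds=20 * i), "203.0.113.45", f"user{i:02d}", 10)
             for i in range(12)]                       # 12 different names in 4 minutes
    lines += [_event(base + timedelta(minutes=i), "198.51.100.7", "alice", 10)
              for i in range(3)]                       # same user, 3 failures
    lines += [_event(base + timedelta(minutes=5 * i), "192.0.2.200", f"svc{i}", 3)
              for i in range(10)]                      # 10 names, but one every 5 minutes
    lines.append(_event(base, "198.51.100.7", "alice", 10, event_id=4624))  # success, ignored
    return lines


def parse_events(lines):
    """Keep failed network/RDP logons (4625 with LogonType 3 or 10), sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventID") != 4625 or rec.get("LogonType") not in (3, 10):
            continue
        events.append({"ts": datetime.fromisoformat(rec["TimeCreated"]),
                       "ip": rec["IpAddress"], "user": rec["TargetUserName"].lower()})
    return sorted(events, key=lambda e: e["ts"])


def detect_probing(events, window=timedelta(minutes=10), min_failures=8, min_users=5):
    """Return {ip: summary} for sources with >= min_failures failed logons against
    >= min_users distinct names inside any sliding window of the given length.
    Requiring many *distinct* names separates enumeration and spraying from a
    legitimate user retrying one password (thresholds are assumptions; tune them)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[ip] = {"failures": len(span), "distinct_users": len(users),
                               "first_seen": span[0]["ts"].isoformat(),
                               "last_seen": span[-1]["ts"].isoformat()}
                break
    return flagged


def block_commands(flagged) -> list[str]:
    """Windows Firewall rules (netsh syntax) for the flagged sources; on Linux the same
    list would feed an ipset/nftables set. Review before applying: a shared NAT
    address can hide legitimate users behind one probing host."""
    return [f'netsh advfirewall firewall add rule name="rdp-probe-{ip}" dir=in action=block remoteip={ip}'
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_probing(parse_events(sample_log_lines()))
    for ip, summary in hits.items():
        print(ip, summary)
    print("\n".join(block_commands(hits)))
```

Run against the constructed sample, only the source cycling through many usernames is flagged; the user who mistypes a password three times and the slow scanner spread over 45 minutes both stay under the thresholds, which is the trade-off to keep in mind when tuning `window` and `min_failures` for a 100,000-source botnet that can afford to go slowly per IP.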


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
