Anyone get this when they logged in this morning? Of course makes me ultra paranoid to have seen a security patch reboot prompt as soon as I unlocked my computer
Posts mentioning hashtag #cybersecurity
Below are all the posts — topics as well as replies — that mention the hashtag #cybersecurity.
Another data breach
AT&T quickly discovered some unauthorized access to customer online accounts in August. User IDs and answers to security questions were obtained from outside of AT&T and used to log in. Impacted accounts have been locked by AT&T.
“We take security very seriously.”
So here’s the story, folks. This company, a very smart company, didn’t care about security for years. Total disaster. Then bo-m! They get hacked. Suddenly, they “find” all this money for cybersecurity, like it was hiding under the CEO’s golf clubs. Now they’re bragging about their “massive investment” in security and even rolled out a shiny new “promise to customers”. Very touching, very emotional stuff. But behind the scenes? They cut the budget for training the people who actually use and develop the systems. Brilliant strategy! They say it’s about protecting customers, but everybody knows it’s just about protecting their image. “We take security very seriously,” they say. Sure they do. About as seriously as they took it the day before the breach. Sad!
Deep Specter Report: Unprecedented CISA Emergency Response
On October 15, 2025, CISA issued Emergency Directive ED 26-01 (https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices), marking an extraordinary federal response to the F5 breach. The directive's language is strikingly urgent, warning of "imminent risk to federal agencies" and scenarios "potentially leading to a catastrophic compromise of critical information systems." CISA explicitly stated that the stolen material enables threat actors to "penetrate core networks" and "decrypt a significant portion of global Internet traffic." This language reveals just how catastrophic CISA believes this breach could become. The directive mandated that federal agencies inventory ALL F5 devices and apply patches by October 22, 2025, giving them just seven days to respond. While Deep Specter claims CISA "never issued Emergency Directives for breaches before," this is technically incorrect. CISA has issued approximately 10 EDs previously, including ED 21-01 for the SolarWinds compromise. However, Deep Specter's broader point stands: Emergency Directives are extraordinarily rare and reserved for critical national security threats. The fact that CISA used such alarm-raising language and demanded such rapid action indicates they view this breach as an existential threat to federal networks.
The cybersecurity community's reaction to the F5 breach has been notably alarmed. Bruce Schneier, one of the world's most respected cryptographers and security experts, titled his analysis simply "Serious F5 Breach". This is significant because Schneier rarely sounds public alarms, and his choice to call out this incident by name signals its gravity. Robert Huber, Chief Security Officer at Tenable, called it "a five-alarm fire for national security," invoking the highest level of emergency response. CISA's Acting Director stated that "the alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action." This language emphasizes not just the threat but the accessibility of exploitation. Perhaps most starkly, Chris Woods, a former HP security executive and founder of CyberQ Group, advised that "since that vulnerability information is out there, everyone using F5 should assume they're compromised." When experienced security professionals abandon nuance and tell customers to assume the worst, it reflects a consensus that this breach represents a fundamental breakdown in security that cannot be easily remediated.
https://www.reddit.com/r/f5networks/comments/1okn55c/factchecking_the_deep_specter_report_on_f5/?rdt=45343
breached
The actor dwell time inside their network is being quoted as 393 days. Let that sink in. Then consider this is being attributed to APT27 (China). I’m working from a position that they have everything (EVERYTHING) and are potentially still inside the network.
ushq-teamlist cybersecurity email
If you were one of the people that did download the list, I received an email from Cybersecurity letting me know I broke policy by accessing sensitive information. They only asked to respond back to confirm any copies have been deleted, and if you distributed the list, to let them know where you shared it. My director was CCd on the email, but they didn’t think it was a big deal and moved on. There will only be action taken if you don’t respond to the email.
Was security in Irvine impacted
Just curious if cyber security was impacted in Irvine ca
SAS - Cyber Dept
What is the deal over there? I keep hearing terrible things and I applied for a position internally not long ago but it hasn't gone anywhere.
tech, digital & cyber
so far so good today. but... are we just left for later and will there be a massive cut within these groups as well? i kind of have a feeling that we have been slotted for a later cut but i am basing this only on my personal gut feeling and i do not have any insider information. i was talking to one director level person and she thinks that we'll be fine but i am unsure if i should trust this. i am not too concerned but given how crazy all of this is, i'd say anything is possible.
Big News In
They are laying off tons of Cyber Security employees at the moment
Seriously funny
Just saw a post on LinkedIn: CDK issuing a "State of Cybersecurity" white paper - hahaha I guess they would know, right? haha I'd link it, but I fell out of my chair laughing.
Ex-L3Harris executive accused of selling trade secrets to Russia
Federal prosecutors have accused a former executive at L3Harris Technologies’ cyber division of stealing trade secrets and selling them to an undisclosed buyer in Russia, according to court documents obtained by CyberScoop.
The Department of Justice filed charges against Peter Williams, an Australian national who served as general manager of Trenchant, a specialized cybersecurity division within L3Harris, which provides hacking and surveillance tools to Western intelligence agencies. The DOJ alleges Williams misappropriated eight trade secrets from two unnamed companies between April 2022 and August 2025, charging that he earned $1.3 million in connection with the sales.
While the filings do not specify the nature of the stolen trade secrets nor do they identify the Russian buyer, they allege Williams systematically transferred confidential proprietary data over a period spanning more than three years. Prosecutors are seeking the forfeiture of Williams’ assets, including his residence, luxury watches, jewelry, and funds in seven bank and cryptocurrency accounts, claiming these were derived from the criminal activity.
Neither Trenchant nor its parent, L3Harris, is accused of any wrongdoing in the federal complaint. An arraignment and possible plea agreement are scheduled for Oct. 29 in Washington, D.C.
Trenchant, formed in 2018 following L3Harris’s acquisition of Azimuth Security and Linchpin Labs — Australian startups that developed zero-day exploits — caters to governments in the intelligence-sharing Five Eyes alliance. These technologies, based on undisclosed vulnerabilities, are considered valuable assets in intelligence and defense circles, sometimes commanding prices in the millions, and are tightly held given their national security implications.
The allegations against Williams arrive in the wake of an internal investigation at Trenchant earlier this year, reportedly prompted by a leak of hacking tools. According to multiple former employees interviewed by TechCrunch, one former exploit developer was wrongly accused by company officials of leaking the tools, particularly exploits targeting products like Google Chrome.
Whether the Justice Department’s action is tied directly to this internal leak investigation remains unclear. Court filings do not explicitly connect the sale of secrets to the incident or elaborate on overlaps between the two events.
L3Harris, headquartered in Melbourne, Fla., declined to comment. Williams’ attorney did not reply to CyberScoop requests for comment.
https://cyberscoop.com/ex-l3harris-executive-accused-of-selling-trade-secrets-to-russia/
Comcast had Cyber Attack Today
Comcast had a cyber attack today. All 6 petabytes of MinIO data was deleted. People are checking if it was retaliation for the division's layoffs.
Dell ranked high for CyberSecurity, WHAT A JOKE
Maybe Newsweek should look at that a little closer. How do you get ranked a high CS company when their internal security is complete garbage, they have customer apps that have clear passwords stored and can easily be bypassed, nothing is written to follow standards, best practice as far as design or security and you have Directors mandating their staff NOT use corporate approved communication applications, that are by the way Chinese based. Would be one of the LAST companies I'd pin "one of the best" on.
Another day, another Oracle breach. So many cloudy days at O
Dozens of Oracle customers impacted by Clop data theft for extortion campaign: Researchers said malicious activity dates back to early July and active exploitation was observed two months ago.
Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday.
Humana using Providence Company for “secure” Data Exchange
I can only imagine how many people will experience identity theft as a result of this.
“LOUISVILLE, Ky.--(BUSINESS WIRE)-- Humana Inc. (NYSE: HUM) and Providence, a Washington-based health system, today announced a pioneering initiative to streamline and secure data exchange between payers and providers – setting a new standard for interoperability in support of value-based care.”
I bet in coming days, we will hear about lawsuits where major data breaches occurred as a result of this. Mark your calendars.
Hackers went for the Jackpot
Not sure what defines highly sophisticated hacker or not but clearly they went for the Jackpot Bingo. Application Delivery Controller or ADC is a single point of exposure of all traffic that goes through F5 that would be a magnet for hackers. It breaks all norms of security by concentrating in the same venue all the secret keys for every service that is on-boarded to the ADC. It is a matter of time until someone gets its hands on it. Otherwise no hacker would bother to go to break F5 if the traffic that goes through it is end to end encrypted. It was unwise and d-mb idea from the beginning and only to support security of lax architecture in the back end. Now those all that were calling that is the only secure way to go about it are reaping their fruits. It was not at all driven from security point of view but more about sales, project check mark and also about sniffing transfers in the internal network for data loss prevention or DLP. Well those who pushed it all are not anymore around to be asked about it. Next all the secret vaults and similar things.
https://forums.theregister.com/forum/all/2025/10/15/highly_sophisticated_government_hackers_breached/
so how did we get hacked?
Cyber: F5 experienced the same breach in March 2021. In Nov 2021 they announced they’re doubling their India staff which is now 20% of their headcount.
The WFH engineering is entirely in India. Only pre-sales and service engineers in US. None of these cyber SMEs will investigate India or the Beijing operations but I bet they’ll find a previously unknown vulnerability.
BTW India outlaws VPNs and these dudes WFH on Huawei networks. What happens to encrypted data traveling through China where encryption is illegal? Good question - cryptologists don’t seem to know. Bet they had anonymous security groups and no one checked logs so they didn’t even know. 95% of breaches involve insiders - negligence or intentional theft. I call it the offshore 401K.
F5 Says Nation-State Hackers Stole Source Code and Vulnerability Data
so much for f5 being a security company
https://www.securityweek.com/f5-blames-nation-state-hackers-for-theft-of-source-code-and-vulnerability-data/
CISO Problem
When will the EC wake up that they have a CISO problem? The mind map done a while back showed the CISO has no support, respect, nor leadership of his group.
PP outsourced a bunch of support staff
Used to work in a department of PP, they recently hired a bunch of people that live in India and then PP did a mass layoff of almost all of the US and Canada support teams, including me. I'm just frustrated.
Data Breach in Georgia
Has everyone seen this? Georgia and Gainwell announced a data breach this week, that supposedly happened in July. This has got to be someone in India getting access and login information, doesn't it? I don't believe the information about the phone call.
Here's the link to the announcement, and another press release inside the link.
https://dch.georgia.gov/announcement/2025-10-01/medicaid-members-offered-free-credit-monitoring-after-possible-data-breach
The Truth Is Out
https://finance.yahoo.com/news/oracle-investigating-hacks-customers-e-214339029.html
Previously, ORCL never acknowledged a security breach!
What's the IT/Cyber Department like now
Any heads up for new employees? Seems they are pretty open to remote work across the States. It is concerning they farm out to India.
Curious to know how low into the 'talentless' pool they dip.
Cybersecurity is a joke
Cybersecurity being run by the most incompetent non-cyber people ever. Staples really forgot they’re supposed to protect the network, not promote their friends.
ESG (Symantec + Carbon Black ) below the line of doom again
Why again??????
Another breach in Optum?
leaders are asking to suspend all products until further notice.
Cisco vulnerability targeted by Russian hackers
The FBI has released a PSA warning that Russian FSB cyber actors are exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability in Cisco Smart Install (SMI) to target entities across critical infrastructure sectors.
The actors have used unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.
https://www.ic3.gov/PSA/2025/PSA250820
Cybersecurity/IT Outsourcing - will it happen?
Will cybersecurity employees become contractors?
New Hack
https://cybernews.com/security/att-data-breach-impacted-millions-hackers-say/
I hope they pay the ransom again...
Ransom
AT&T Wireless: In April 2024, hackers affiliated with ShinyHunters hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data
innovation is dead
On Aug 7, there was an event celebrating 100 years of innovation at AT&T in Middletown highlighting past AT&T inventions. It was organized by Raj Savoor, VP of AT&T Labs. Retirees were invited because they were the last ones to see any innovation.
Highlight: keynote by Ed Amoroso, past CSO at AT&T who puts Rich Baich to shame. Talked about the future of cyber security (he started his own company after leaving) and gave the top 10 things in Letterman style that AT&T should be doing in the future. Am pretty sure not too many things AT&T is actually doing were on his list.
Lowlight: Some ex VP level retiree stood up during Q&A and said something like "I hear morale at AT&T is now in the toilet, what are you doing to engage employees such that the innovations we have heard about today will continue?" Andy Markus who was on the panel said "we are using AI to drive down costs and save the company money."
Intel employee data not protected
https://www.tomshardware.com/tech-industry/cyber-security/researcher-downloaded-the-data-of-all-270-000-intel-employees-from-an-internal-business-card-website-massive-data-breach-dubbed-intel-outside-didnt-qualify-for-bug-bounty and they got some shots in on the products too
L3Harris Hacked by Ransomware Group World Leaks
Seems this hack is being kept quiet with all the uproar about Accenture suing L3Harris for $81 million and the Accenture I.T. contract ending with L3Harris on 12/15/2025. Karma? 450+ employees "sold" to Accenture without any severance options and then a year later the contract is terminated. This from a company that requires the employees to take yearly ethics classes.
https://www.cyberdaily.au/security/12488-exclusive-world-leaks-ransomware-gang-claims-hack-of-defence-contractor-l3harris-list
Workday was hacked
Since Dell will never tell us this info on their own and will pretend it didn't happen.....
https://finance.yahoo.com/news/hr-giant-workday-says-hackers-130410698.html
HR giant Workday says hackers stole personal data in recent breach
https://techcrunch.com/2025/08/18/hr-giant-workday-says-hackers-stole-personal-data-in-recent-breach/
Workday, one of the largest providers of human resources technology, has confirmed a data breach that allowed hackers to steal personal information from one of its third-party customer relationship databases.