In Other News: New Android Safeguards, Operation Alice, UK Toughens Cyber Reporting
SecurityWeek's weekly roundup covers multiple critical threats including nine KVM device vulnerabilities, the Claudy Day prompt injection attack chain against Claude, and details on The Gentlemen ransomware group exploiting FortiOS CVE-2024-55591. Additional stories include the Speagle infostealer, Operation Alice shutting down 373k dark web domains, and new UK financial cyber incident reporting rules.
Full text
SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape. This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.

Here are this week’s highlights:

Sears Home Services AI chatbot databases left unprotected

Cybersecurity researcher Jeremiah Fowler discovered three unprotected, unencrypted databases exposing nearly 3.7 million customer service records tied to Sears Home Services, including logs from its AI chatbot Samantha. The leaked data included over 54,000 complete chat logs, nearly 1.4 million audio recordings of customer calls, and more than 200,000 spreadsheet logs, along with personal details like names, addresses, phone numbers, and service appointment information. Fowler notified Transformco, the parent company of Sears, and the databases were secured shortly after.

Nine vulnerabilities found in KVM devices

Eclypsium researchers uncovered nine vulnerabilities across four budget IP-KVM vendors: GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaw, found in the Angeet/Yeeso ES3, allows an attacker to remotely write arbitrary files and execute OS commands without any credentials. Because KVM devices provide keyboard, video, and mouse control at the BIOS level, a successful attacker could inject keystrokes, boot from removable media, disable Secure Boot, and bypass any OS-level security tool. JetKVM and Sipeed have issued patches, but GL-iNet has no planned fix for two of its flaws, and Angeet/Yeeso has yet to commit to a timeline.
Scammers use fake GitHub accounts to steal crypto from OpenClaw developers

Attackers created fake GitHub accounts, opened issue threads in attacker-controlled repositories, and tagged dozens of developers, claiming they had won $5,000 worth of CLAW tokens redeemable through a linked site, which turned out to be a near-identical clone of openclaw.ai rigged with a wallet-draining ‘Connect your wallet’ button. The fake accounts were created just days before the campaign launched and deleted within hours of going live, and no confirmed victims have been reported so far, according to Ox Security.

Claudy Day Claude vulnerabilities

Oasis Security discovered three vulnerabilities in Claude that, when chained together in an attack they dubbed Claudy Day, allow an attacker to silently hijack a user’s chat session and exfiltrate sensitive data with a single click. The attack works by embedding hidden instructions in a crafted claude.ai URL, wrapping it in an open redirect on claude.com to make it appear legitimate, and then running it as a Google ad — meaning a victim only needs to click what looks like a normal search result. Anthropic has patched the prompt injection flaw following responsible disclosure, but fixes for the remaining two vulnerabilities are still in progress.

Malware uses security software as cover to hunt for missile documents

Symantec and Carbon Black researchers have uncovered a stealthy new infostealer called Speagle that piggybacks on Cobra DocGuard (a document encryption platform made by Chinese firm EsafeNet). The malware only activates on machines with Cobra DocGuard installed, collecting browser history, autofill data, and system information, and at least one variant specifically searches for files that reference Chinese ballistic missiles.
Researchers have attributed the campaign to a previously unknown threat actor they’re calling Runningcrab, and believe it is likely the work of either a state-sponsored group or a hired contractor, though the exact infection method remains unknown.

Ransomware group The Gentlemen

Group-IB published a detailed breakdown of The Gentlemen, a roughly 20-member ransomware-as-a-service group that came to light after one of its operators publicly accused the Qilin ransomware group of withholding $48,000 in unpaid affiliate commissions. The group primarily gains access through CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass flaw, and maintains a database of around 14,700 already-compromised FortiGate devices. Once inside a network, they use the bring-your-own-vulnerable-driver (BYOVD) technique to kill security tools at the kernel level before encrypting and exfiltrating victim data.

UK financial regulator sets new rules for reporting cyber incidents

The FCA has finalised new rules requiring financial firms to report serious cyber incidents within 24 hours of determining they meet reporting thresholds, with payment service providers facing an even tighter four-hour deadline. The regulator cited growing concern over the frequency and sophistication of attacks on the financial sector, noting that in 2025 over 40% of cyber incidents reported to the FCA involved a third party, prompting new requirements for firms to maintain and annually submit a register of their material third-party arrangements. The rules take effect in March 2027.

Operation Alice takes down 373,000 dark web domains

A 10-day international operation led by German authorities and supported by Europol shut down more than 373,000 dark web domains run by a 35-year-old man based in China, who had been operating a sprawling network of fraudulent platforms since at least 2021.
The sites advertised child abuse material and cybercrime-as-a-service offerings, but delivered nothing after victims paid, netting the operator an estimated €345,000 from around 10,000 people. Authorities from 23 countries participated in the operation, and have since identified 440 customers whose purchases are now under active investigation.

Google adds scam-resistant safeguards to Android sideloading process

Google has detailed a new ‘advanced flow’ for Android that allows users to install apps from unverified developers while building in deliberate friction to protect against social engineering scams. The process requires enabling developer mode, confirming no one is coaching the user, restarting the device to cut off any active remote access, and waiting a full day before completing biometric or PIN verification — steps specifically designed to break the manufactured urgency that scammers rely on. The feature will roll out in August.

Written By SecurityWeek News
Indicators of Compromise
- cve — CVE-2024-55591
- malware — Speagle
- malware — The Gentlemen