Top stories.
- New phishing kit targets Microsoft 365 accounts.
- Anthropic says Mythos has found over 23,000 flaws in open-source software.
- Dutch police arrest two alleged bulletproof hosting admins.
New phishing kit targets Microsoft 365 accounts.
The US Federal Bureau of Investigation (FBI) has issued an alert outlining a phishing-as-a-service platform called "Kali365" that emerged last month. The phishing kit targets OAuth tokens to gain access to Microsoft 365 accounts without needing to steal credentials or MFA tokens.
The FBI notes, "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities."
Anthropic says Mythos has found over 23,000 flaws in open-source software.
Anthropic has provided an update on Project Glasswing, an initiative through which around fifty organizations were granted early access to Anthropic's cybersecurity-focused Claude Mythos model. The company says Mythos has identified more than 23,000 potential vulnerabilities in open-source software, over 1,500 of which have been confirmed to be high- or critical-severity. Anthropic has disclosed 530 of these vulnerabilities to maintainers, and is working to disclose the rest. So far, 75 of the disclosed bugs have been patched.
Anthropic states, "The number of patches is still relatively low for three reasons. First, we’re still early in the 90-day window that’s set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon. Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we’re reliant on scanning for the patches ourselves using Claude. Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem."
Dutch police arrest two alleged bulletproof hosting admins.
Dutch authorities have arrested two men who allegedly ran bulletproof hosting services that were widely used by Russian threat actors, SecurityWeek reports. The suspects, a 57-year-old from Amsterdam and a 39-year-old from The Hague, owned web hosting companies that were sanctioned by the European Union for facilitating Russian cyberattacks against EU countries. The police searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk, seizing over 800 servers.
