
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, October 20, 2025. I'm Steve Prentiss.

Europol dismantles 49 million fake account SIM farm

On Friday, the European Union's law enforcement agency Europol announced the disruption of a sophisticated cybercrime-as-a-service platform that ran a SIM farm which enabled phishing and investment fraud. The agency's Operation SIMCARTEL involved 26 searches and made seven arrests, along with the seizure of 1,200 SIM box devices with 40,000 active SIM cards, which had enabled the creation of more than 49 million online accounts. The operation, which involved the cooperation of Austria, Estonia, Finland, Latvia, Europol and Eurojust (the European Union Agency for Criminal Justice Cooperation), targeted a network linked to over 3,200 cyber fraud cases in Austria and Latvia, causing combined losses exceeding 4.9 million euros.

China's Silver Fox group takes Winos 4.0 to Japan and Malaysia

The group behind the Winos 4.0 malware family (that is spelled W-I-N-O-S) is making headlines once again, expanding their footprint of targets beyond China and Taiwan to include Japan and Malaysia, and adding another remote access trojan, which is being tracked as HoldingHands RAT, also known as Gh0stBins. A researcher with Fortinet's FortiGuard Labs stated in a report that the campaign relied on phishing emails with PDFs that contained embedded malicious links, and that these files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0. The malware is generally attributed to a Chinese cybercrime group known as Silver Fox.

Increased use of AI in extortion and ransomware cyber attacks, says Microsoft

Following up on a story we covered on Friday's Cybersecurity Headlines, as well as in a great discussion in the Week in Review show: Microsoft's annual digital threats report shows that, in addition to the proliferation of password attacks, AI is increasingly being used by threat actors to boost their power by "automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster and creating malware that can adapt itself." The report also adds that defenders are also increasing their usage of AI "to spot threats, close detection gaps, catch phishing attempts and protect vulnerable users." A link to the Microsoft report is available in the show notes to this episode.

Envoy Air confirms Oracle E-Business Suite compromise

The airline, which is a regional and wholly owned subsidiary of American Airlines, has become the second company to confirm the theft of information as a result of a breach of their Oracle E-Business Suite application. The hacking campaign is alleged to be run by the Russian Clop group, and it obtained what is being described as a limited amount of business information and commercial contact details. The Clop gang apparently made a claim that it had stolen information from American Airlines by adding the company to its leak site. However, a spokesperson for American Airlines said the claim pertained to Envoy Air and that American Airlines itself "does not use the Oracle E-Business Suite application."

Huge thanks to our sponsor ThreatLocker. Imagine having the power to decide exactly what runs in your IT environment and blocking everything else by default. That's what ThreatLocker delivers as a zero trust endpoint protection platform. ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don't just react to threats, stop them with ThreatLocker.

Google Ads for fake Homebrew and LogMeIn sites push infostealers

Back on September 2, we reported on cybercriminals abusing Meta's advertising platforms with fake offers of a free TradingView Premium app that spread the Brokewell malware for Android. Now a new campaign is targeting macOS developers with fake platforms for TradingView, Homebrew and LogMeIn to deliver info-stealing malware like AMOS (the Atomic macOS Stealer) and Odyssey. This new campaign uses ClickFix techniques that fool people into executing commands in Terminal by trying to fix a problem on a login dialog box or a connection security confirmation step, for example. These techniques lead the victims to infect themselves with malware when checking some of the fake domains included in this campaign. BleepingComputer discovered that in some cases the traffic to the sites was driven via Google Ads, indicating that the threat actor promoted them to appear in Google search results.

Cybercrime group Everest claims Collins Aerospace hack, but mystery surrounds the story

The attack on European airports including Heathrow, Brussels and Berlin dominated the news in September and even resulted in the arrest of one individual. Now the Everest group has claimed responsibility for the cyber attack on Collins Aerospace that resulted in chaos for these airports, as well as for their employees and passengers. However, shortly after making the statement, their leak site went dark, showing only a fatal error message, as posted in Security Affairs. The Everest group itself is part of a new generation of cybercriminal organizations that operate with a hybrid model. Instead of executing full-scale attacks alone, they often act as brokers, selling stolen access or partnering with affiliates who specialize in different stages of the intrusion chain. Speculation now abounds as to the closure of their site, which might be due to a law enforcement takedown or could simply be a tactical retreat.

Info stealing from space is easier than you think

Researchers from the University of Maryland and the University of California, San Diego, say they were able to intercept sensitive data from the US military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe. The team focused on geostationary satellites and used inexpensive, commercially available equipment. They stated that many organizations do not routinely monitor the security of their own satellite communication links, and that content scrambling is surprisingly unlikely to be used for private networks using geo satellites to backhaul IP network traffic from remote areas. A link to this report is available in the show notes to this episode.

SolarWinds security chief Tim Brown reflects on the 2020 hack

Speaking at Melbourne's CyberCon last Friday, Brown recalled the December 12 hack and its implications for the company he worked for, as well as for its 300,000 customers, occurring as it did during the peak of the COVID-19 pandemic. The email platform his team relied on for communication during lockdown was unavailable, and all of his team had to return to the office, he said. "You get the world wanting verbal communication, not written communication, and that is kind of an important lesson. You can write things down, but they want to talk to the CISO." The stress and resulting lawsuits led to Brown suffering a heart attack. He is still CISO at SolarWinds.

If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines are available every weekday.
Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss (CISO Series)
Episode Title: Europol dismantles SIM farm, Envoy Air compromised, Everest claims Collins hack
Date: October 20, 2025
This episode delivers a fast-paced roundup of major information security events, focusing on disruptive law enforcement operations, evolving threat actor tactics, AI’s dual impact in cybersecurity, and high-profile breaches. Hosted by Steve Prentiss, the show highlights key incidents affecting global digital infrastructure, major corporations, and practical lessons from headline-making hacks.
"The agency's Operation SIMCARTEL...enabled the creation of more than 49 million online accounts." – Steve Prentiss [00:24]
"The campaign relied on phishing emails with PDFs... masqueraded as official documents from the Ministry of Finance..." – Steve Prentiss [01:18]
"AI is increasingly being used by threat actors to boost their power by automating phishing, scaling social engineering, creating synthetic media..." – Steve Prentiss quoting Microsoft Report [02:15]
"A spokesperson for American Airlines said the claim pertained to Envoy Air and that American Airlines itself does not use the Oracle E-Business Suite application." – Steve Prentiss [03:03]
"These techniques lead the victims to infect themselves with malware when checking some of the fake domains included in this campaign." – Steve Prentiss [04:00]
"Speculation now abounds as to the closure of their site, which might be due to a law enforcement takedown or could simply be a tactical retreat." – Steve Prentiss [05:02]
"Many organizations do not routinely monitor the security of their own satellite communication links, and that content scrambling is surprisingly unlikely..." – Steve Prentiss [06:01]
"You get the world wanting verbal communication, not written communication, and that is kind of an important lesson. You can write things down, but they want to talk to the CISO." – Tim Brown (paraphrased by Steve Prentiss) [07:00]
This episode encapsulates the ongoing escalation in cybercrime tactics and technology, the persistent risks facing major infrastructures, and provides valuable insider lessons for security leadership and practitioners.