BankInfoSecurity.com

AI Tool Used to Discover Bugs, Which Included 2 Maximum Severity Vulnerabilities
Researchers at security firm AISLE said they recently identified 38 vulnerabilities, including two maximum-severity zero-day flaws in OpenEMR, an open-source electronic medical record software platform used by about 100,000 healthcare providers globally. OpenEMR has patched the problems.

Claude-Powered Tool Deletes Production Data, Then Explains Its Failures
A Claude Opus 4.6-powered coding agent erased three months of PocketOS production data in a single API call after misusing an over-permissioned token. The system later, when prompted, admitted to violating safety rules.

An On Demand video from ID Dataweb
Scattered Spider is rapidly expanding its reach, exploiting identity processes and help desks to infiltrate organizations. Discover their tactics and the steps you can take now to reduce risk. Watch the webinar.

Digital Passkeys That Synchronize Across Devices Are Easier, Faster, More Secure
Forget passwords: British cybersecurity officials now recommend using digital passkeys whenever they're available, finding that passkeys offer better and faster security, with lower costs for services that provide them, compared to widely despised passwords.

Why AI and Traditional Penetration Testing Must Converge
As artificial intelligence red teaming evolves beyond prompt injection, security teams must combine data science, model testing and traditional penetration testing to assess risks across the full attack surface.

Prolific ShinyHunters Extortion Group Made 'Pay or Leak' Threat to Victim
Home security giant ADT has suffered a data breach that appears to have exposed personally identifiable information tied to 5.5 million customers. Prolific extortionist group ShinyHunters claimed credit for the attack, saying it stole Salesforce data after socially engineering an ADT employee.

Video of Industry Figures Harvested During Meetings and Used to Lure Future Victims
North Korean hackers are pretending to be cryptocurrency insiders, in an attempt to trick targets into accepting Calendly calendar invites. The social engineering ruse is designed to infect Windows and macOS systems with crypto stealers, and to harvest video of real-life people for future lures.

Cybercrime Gang ShinyHunters Claimed to Steal 9M Records
Medtronic has told federal authorities that cybercriminals hacked its corporate IT systems, but said the incident did not affect the medical device makers' products, manufacturing or distribution operations. Cybercrime gang ShinyHunters reportedly claimed responsibility for the hack.

Former Officials, Tech Groups Say Anthropic Designation Is Illegal - and Dangerous
Former U.S. defense and intelligence officials argue the Pentagon's designation of Anthropic as a supply-chain risk was politically motivated and legally flawed, warning it could erode trust in government contracting and weaken the defense AI ecosystem.

Also: Embedded AI in Pharmaceutical Sector, the Story Behind Apple's CEO Change
In this week's panel, four ISMG editors examine what’s really behind Apple's CEO transition, how pharmaceutical giants are racing to embed artificial intelligence across core operations, and why AI-driven threats are forcing a rethink of how quickly defenders can respond.

'Firestarter' Backdoor Can Survive Reboots, Upgrades and Standard Fixes
The Cybersecurity and Infrastructure Security Agency issued an emergency directive warning a newly-discovered Cisco backdoor can survive routine remediation processes, forcing agencies to investigate edge devices that anchor federal firewall and VPN security.

HHS OCR Breach Investigators Again Find All-Too-Common Risk Analysis Failures
Faulty or non-existent security risk analyses cost a medical imaging provider, a women's healthcare group, a health plan and a third-party insurance administrator a collective $1.7 million in fines after federal regulators concluded they didn't do enough to prevent ransomware attacks.

Acquisition Adds Advisory, GRC and Vulnerability Services to ImagineX's MDR Core
TekStream acquired ImagineX’s cyber division to integrate advisory, vulnerability management and GRC with its MDR services, aiming to help CISOs defend against faster, AI-driven attacks by unifying proactive and reactive security into a single operational model.

Okta's Shiven Ramji on Visibility, Identity and Hidden Risk
Enterprises are rapidly deploying AI agents, but many don't know where they are or what they're accessing. Shiven Ramji of Okta explains why "shadow agents" are the next major security risk and how identity, visibility and governance must evolve to keep up.

Agencies Urged to Track and Disrupt Coordinated AI Extraction Campaigns
The White House is escalating coordination with AI firms after identifying large-scale foreign campaigns using proxy accounts and jailbreaking techniques to extract capabilities from U.S. models, raising national security concerns and prompting new detection, logging and accountability measures.

Continuous Integration Has Its Downsides
As supply-chain attacks against widely-used, open-source software repositories continue, experts are urging developers to not only rely on code integrity tools, but also to introduce a delay before merging new repos, since unfolding attacks tend to get spotted in days, if not hours or minutes.

HHS OCR Breach Investigators Again Find All-Too-Common Risk Analysis Failures
Faulty or non-existent security risk analyses cost a medical imaging provider, a women's healthcare group, a health plan and a third-party insurance administrator a collective $1.7 million in fines after federal regulators concluded they didn't do enough to prevent ransomware attacks.

AMA Wants Privacy, Security AI Tool Protections, Especially in Mental Health
The American Medical Association says using artificial intelligence chatbots carries risks - including data privacy and security breaches - and the largest U.S. professional association for physicians and medical students is urging Congress to take action to protect patients from potential harm.

Berlin Proposes 3 Month Requirement to Store IP Addresses
The German government says it's unlocked the secret to passing a law that would require internet service providers to keep customer data without running afoul of privacy and security concerns that sunk earlier attempts. Critics say that's impossible