WhatsApp warns of 'attack against specific targeted users'
Briefly

"Donncha Ó Cearbhaill, the head of Amnesty International's security lab, suggested attackers used the flaws in a highly specialized attack, which from past experience suggests that a commercial surveillanceware vendor is using it in highly targeted attacks against specific individuals. Surveillanceware is supposed to be used against state criminals but is also used against journalists, human rights campaigners, and anyone else certain governments don't like."
"From October 1, Microsoft will begin requiring multi-factor authentication on Azure systems for everything but read-only access. Redmond's advisory states that "MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation. Read operations won't require MFA." There are special cases that could get a deadline extension, however."
Meta disclosed CVE-2025-55177, a WhatsApp flaw in which incomplete authorization of linked device synchronization messages could allow an unrelated user to trigger processing of content from an arbitrary URL on a target device. Meta linked CVE-2025-55177 with Apple's zero-click CVE-2025-43300, saying both were potentially exploited in a sophisticated attack against specific targeted users. The head of Amnesty International's security lab indicated that the pattern matches commercial surveillanceware use in highly targeted attacks against journalists, human rights campaigners, and other individuals. Separately, Microsoft will require multi-factor authentication on Azure for Create/Update/Delete operations from October 1, with limited extensions for complex environments until July 1 next year.
Read at Theregister