In today’s cybersecurity news…
EU states to test age verification app
The European Commission announced that Denmark, France, Greece, Italy, and Spain will test a blueprint for an age verification app. This takes a white label approach, with a base app built on the technical specifications as the European Digital Identity Wallet set to debut next year. The specifications are open source, and the EC expects online platforms and “other interested parties” to start testing and integrating this blueprint as welll. The Commission also recently published its guidelines for protecting minors as part of the Digital Services Act.
(Reuters)
AAR pledges to start fixing 20-year old vulnerability next year
Modern trains use an End-of-Train device to transmit status data from… you guessed it the end of the train to the Head-of-Train, or HoT device. It can also receive breaking instructions from the HoT. CISA issued a new advisory warning that the protocol that links these two devices is not secure, with no authentication or encryption, allowing a threat actor to send rogue brake control commands to the EoT. Researcher Neil Smith discovered the vulnerability back in 2012 while doing research for ICS-CERT. Still, that agency failed to reach a consensus with the Association of American Railroads to get it fixed. Then in 2018, Eric Reuter disclosed technical details of the vulnerability at DEF CON. Smith claims that another researcher published details of the flaw as far back as 2005. In response to CISA’s advisory, the AAR said it is “pursuing new equipment and protocols which should replace traditional End-of-Train and Head-of-Train devices,” with the process expected to begin in 2026. Don’t worry, only about 70,000 total devices need to be upgraded. Fortunately for a 20-year-old vulnerability, there’s no evidence of exploitation in the wild.
Grok-4 jailbroken in two days
Researchers at NeuralTrust were able to get XAI’s latest LLM model to give step-by-step instructions to make a Molotov cocktail and other responses otherwise barred by its guardrails. This combined two jailbreaking techniques, first using an Echo Chamber attack to nudge the conversational context toward unsafe behavior subtly. Once shifting the model’s output tone, the researchers used a Crescendo technique to intensify prompts to escalate the model’s output. They were able to get instructions for Molotov cocktails 67% of the time, had a 50-50 chance of getting meth making instructions, while toxin-related responses were successful 30% of the time. The key takeaway from the researchers was “attacks can bypass intent or keyword-based filtering by exploiting the broader conversational context.”
DoD awards contracts for agentic AI
The US Department of Defense awarded contracts with up to $200 million each to Anthropic, Google, OpenAI, and xAI. DoD Chief Digital and AI Officer Doug Matty said these contracts will be used to create agentic AI workflows for critical national security challenges, although outside of “support our warfighters and maintain strategic advantage over our adversaries”, the announcement was light on specifics. This comes after an Executive Order in April, which directed federal agencies to develop AI strategies and remove barriers to responsible AI usage.
(Reuters)
Huge thanks to our sponsor, ThreatLocker
eSIM vulnerability exposes billions of IoT devices
Researchers at Security Explorations discovered a vulnerability in Kigen Embedded Universal Integrated Circuit Card, or eUICC, chips. These chips are where an eSIM lives. Using publicly known keys, a threat actor with physical access could install a malicious JavaCard applet and extract the eUICC identity certificate. This certificate opens the door to downloading profiles from mobile network operators in cleartext, accessing secrets, and transferring a profile to another eUICC chip. Only chips running the GSMA TS.48 Generic Test Profile v6 are vulnerable, used for eSIM compliance testing. The latest v7 release patches the issue.
UK launches Vulnerability Research Initiative
This is a new effort that will work in parallel and partnership with the UK’s National Cyber Security Centre. The NCSC will continue its extensive internal research, while the Vulnerability Research Initiative, VRI, will focus on quickly sharing insights from the community and private industry. NSCS will direct researchers partnered with VRI to investigate specific products of interest or proposed mitigations. The researchers will also share any tools and methodologies used in their research to help NCSC build out frameworks and best practices.
Interlock ransomware using FileFix for malware
Researchers at The DFIR Report and Proofpoint noticed a change in tactics for Interlock ransomware operators. Previously, the group used a ClickFix-type attack, using fake CAPTCHAs to paste a Run dialog saved to the clipboard that ran a PowerShell script to pull down a payload. The group has hit some notable targets with this approach, including Texas Tech and Kettering Health. Since June, the researchers have observed Interlock shifting to a FileFix variation, which mimics the Windows UI, specifically File Explorer, to prompt users to execute JavaScript or a PowerShell command with a fake file path. Once executed, this downloads the PHP RAT to exfiltrate system data and receive further updates from a C2 server.
Disinformation groups spoofs European journalists
The fact-checking initiative Gnida Project published details about a campaign attributed to the Russian threat actor Storm-1516, which impersonated journalists across Armenia, France, Germany, Moldova, and Norway. Active since at least 2023, the campaign used the names and likenesses of real reporters on fake news sites in attempts to discredit Ukraine or create discord between European allies. Many journalists only became aware of the spoofing with the release of the report. Back in May, French authorities said the group represents a marked threat to European public debate.
Elmo gets hacked
In “we can’t have nice things” news, Sesame Workshop announced the X account for Elmo, the eternally 3.5-year-old muppet beloved by toddlers, has been hacked. The compromised account began posting “disgusting messages, including antisemitic and racist posts.” As of July 14th, the Seasame Workshop is still trying to regain control of the account, as the offending messages were deleted, but a link to a Telegram channel remains in the profile. No word on how the account was breached, or how Big Bird is taking the news.
(AP News)
