Our blog has covered vulnerabilities in some unusual gadgets — from smart mattress covers and robot vacuums to traffic signal audio buttons, children’s toys, pet feeders, and even bicycles. But the case we’re discussing today might just be the most… exotic yet. Recently, cybersecurity researchers uncovered two extremely serious vulnerabilities in the remote control apps for… Lovense sex toys.

Everything about this story is wild: the nature of the vulnerable gadgets, the company’s intention to take 14 months (!) to fix the problems, and the scandalous details that emerged after researchers published their findings. So let’s… get stuck straight in to right into this tale, which is as absurd as it is fantastic.

The Lovense online ecosystem

The first thing that makes this story so unusual is that Lovense, a maker of intimate toys, caters to both long-distance couples and cam models (human models that use webcams) working on streaming platforms.

To control devices and enable user interaction, the company has developed an entire suite of software products tailored for a variety of scenarios:

• Lovense Remote: the main mobile app for controlling intimate devices.
• Lovense Connect: a companion app that acts as a bridge between Lovense devices and other apps or online services. It’s installed on a smartphone or computer and allows a toy to connect via Bluetooth, and then relays control commands from external sources.
• Lovense Cam Extension: a browser extension for Chrome and Edge that links Lovense devices with streaming platforms. It’s used with the Lovense Connect app and the OBS Toolset streaming software for interactive control during live broadcasts.
• Lovense Stream Master: an all-in-one app for streamers and cam models combining device control features with live streaming functionality.
• Cam101: Lovense’s online educational platform for models working on streaming sites.

Of course, this whole setup also includes APIs, SDKs, an internal platform for mini-apps, and more. In short, Lovense isn’t just about internet-connected intimate toys — it’s a full-fledged ecosystem.

UI of the Stream Master app, which combines device management and video streaming. Source

If you create an account in the Lovense infrastructure, you’re required to provide an email address. Whereas some services offer the option to sign in with Google or Apple, an email address is the primary sign-up method for a Lovense account. This detail might seem insignificant, but it’s at the core of the vulnerabilities that were discovered.

Two vulnerabilities in Lovense online products

So, how did this all unfold? In late July 2025, a researcher known as BobDaHacker published on his blog a detailed post about two vulnerabilities in Lovense’s online products. Many of the products (including Lovense Remote) have social-interaction features. These features allow users to chat, add friends, send requests and subscribe to other users, including people they don’t know.

While using the social-interaction features of one of the Lovense apps, BobDaHacker spotted the first vulnerability: when he disabled notifications from another user, the app sent an API request to the Lovense server. After examining the body of this request, BobDaHacker was surprised to find that, instead of the user’s ID, the request contained their actual email address.

When a simple action (like disabling notifications) was performed, the app would send a request to the server that included another user’s real email address. Source

Upon further investigation, the researcher found that Lovense’s API architecture was designed so that for any action that concerned another user (like disabling their notifications), the app sends a request to the server. And in this request the user’s account is always identified by the real email address they signed up with.

In practice, this meant that any user who intercepted their own network traffic could get access to the real email addresses of other people on the app. It’s important to remember that the Lovense apps have social-interaction features and allow communication with cam models. In many cases, users don’t know each other outside of the platform, and exposing the email addresses linked to their profiles could lead to deanonymization.

BobDaHacker discussed his findings with another cybersecurity researcher named Eva, and together they examined the Lovense Connect app. This led them to discover an even more serious vulnerability: generating an authentication token in the app only required the user’s email address — no password was needed.

This meant that any technically skilled person could gain access to any Lovense user’s account — as long as they knew the user’s email address. And as we just learned, that address could easily be obtained by exploiting the first vulnerability.

To generate an authentication token in the Lovense app, only the user’s email was required — without the password. Source

These tokens were used for authentication across various products in the Lovense ecosystem, including:

• Lovense Cam Extension
• Lovense Connect
• Stream Master
• Cam101

Furthermore, the researchers successfully used this method to gain access to not only regular user profiles but also accounts with administrator privileges.

Lovense’s response to vulnerability reports

In late March 2025, BobDaHacker and Eva reported the vulnerabilities they’d discovered in Lovense products through The Internet Of Dongs Project — a group dedicated to researching and improving the security of internet-connected intimate devices. The following month, in April 2025, they also posted both vulnerabilities on HackerOne, a more traditional platform for engaging with security researchers and paying bug bounties.

Lovense, the adult-toy manufacturer, acknowledged the report and even paid BobDaHacker and Eva a total of $4000 in bounties. However, in May and then again in June, the researchers noticed the vulnerabilities still hadn’t been fixed. They continued talking to Lovense, which is when the most bizarre part of the story began to unfold.

First, Lovense told the researchers that the account takeover vulnerability had been fixed on April. But BobDaHacker and Eva checked and confirmed this was false: it was still possible to get an authentication token for another user’s account without a password.

The situation with the email disclosure vulnerability was even more absurd. The company stated it’d take 14 months to fully resolve the issue. Lovense admitted they had a fix that could be implemented in just one month, but they decided against it to avoid compatibility problems and maintain support for older app versions.

The back-and-forth between the researchers and the manufacturer continued for several more months. The company would repeatedly claim the vulnerabilities were fixed, and the researchers would just as consistently prove they could still access both emails and accounts.

Finally, in late July, BobDaHacker published a detailed blogpost describing the vulnerabilities and Lovense’s inaction, but only after giving the company advance notice. Journalists from TechCrunch and other outlets contacted BobDaHacker and were able to confirm that in early August — four months after the company was first notified — the researcher could still ascertain any user’s email address.

And that was far from the end of it. The most scandalous details were revealed to BobDaHacker and Eva only after their research was published.

A history of negligence: who warned Lovense and when

BobDaHacker’s work made waves across media, blogs, and social networks. As a result, just two days after the report was published, Lovense finally patched both vulnerabilities — and this time, it seems, for real.

However, it soon came to light that this story started long before BobDaHacker’s report. Other researchers had already warned Lovense about the very same vulnerabilities for years, but their messages were either ignored or hushed up. These researchers shared their stories with BobDaHacker and the publications that covered his investigation.

To truly grasp the extent of Lovense’s indifference to user security and privacy, you just need to look at the timeline of these reports:

• 2023: a researcher known as @postypoo reported both bugs to Lovense, and was offered… two free adult toys in response, but the vulnerabilities were never fixed.
• Also2023: researchers @Krissy and @SkeletalDemise discovered the vulnerability related to account takeovers. Lovense claimed the issue had been fixed, and paid a bounty in the same month. However, @Krissy’s follow-up message stating that the vulnerability was still present went unanswered.
• 2022: a researcher named @radiantnmyheart discovered the bug that exposed emails, and reported it. The message was ignored.
• 2017: the company Pen Test Partners reported the email exposure vulnerability and the lack of chat encryption in the Lovense Body Chat app, and published its study on this. The report was ignored.
• 2016: The Internet Of Dongs Project identified three similar email exposure vulnerabilities. This all means that Lovense asked BobDaHacker to give it 14 months to patch vulnerabilities they’d known about for at least eight years!

What’s more, after BobDaHacker’s report was published, they heard not only from the ethical hackers who’d previously reported these bugs, but also from the creator of an OSINT website and their friends, who were anything but happy. These individuals had apparently been exploiting the vulnerabilities for their own purposes — specifically, harvesting user emails and subsequent deanonymization. This isn’t surprising though given that the Pen Test Partners report had been publicly available since 2017.

Protecting your privacy

Lovense’s approach to user privacy and security clearly leaves a lot to be desired — to put it mildly. Whether to continue using the brand’s devices after this — especially connecting them to the company’s online services — is a decision each user needs to make for themselves.

For our part, we offer some tips on how to protect yourself and maintain your privacy should you interact with adult online services.

• Always create a separate email address when you register for these types of services. It shouldn’t contain any information that can be used to identify you.
• Don’t use this email address for any other activities.
• When registering, don’t use your real first name, surname, age, date of birth, city of residence, or any other data that could identify you.
• Don’t upload real photos of yourself that could easily be used to recognize you.
• Protect your account with a strong password. It should contain at least 16 characters and ideally include a mix of uppercase and lowercase letters, numbers, and special characters.
• This password must be unique. Never use it for other services so you don’t put them at risk in the event of a data leak.
• To avoid forgetting the password and email address you created specifically for this service, use a reliable password manager. KPM can also help you generate a random, strong, and unique password.

And if you want to be more… boned up when it comes to choosing adult toys and relevant services, we recommend looking at specialized resources like The Internet Of Dongs Project, where you can find information about brands that interest you.

Check out our other posts on how to protect your private life from prying eyes:

• The Naked Truth
• Fifty shades of sextortion
• Watching porn safely: a guide for grown-ups
• What really goes on when your device is in repair

Kaspersky official blog – ​Read More

In today’s world, cybersecurity incidents are not a matter of if, but when and how. From ransomware attacks to data breaches exposing sensitive information, organizations face a changing threat landscape. As a result of cybersecurity attacks, organizations can experience downtime, financial losses, reputational damage and regulatory penalties. That’s when it really helps to have a team like Cisco Talos Incident Response (Talos IR) by your side. But what exactly happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

This blog post takes you behind the scenes of engaging an incident response (IR) firm like Talos IR. We will walk through what really happens during an IR engagement, from the moment you pick up a phone and call for help in the middle of a crisis to the long-term changes that make your organization stronger and more secure.

Why engage an IR team? 

Before diving into the process, let’s address the fundamental question: Why engage an IR firm? Cybersecurity incidents are complex, often requiring specialized skills, tools and experience that internal teams may lack. The Talos Year In Review Report highlights the rising frequency and sophistication of attacks; as a result, many security teams are struggling to address emergencies due to resource constraints or the complexity of response at scale. 

Engaging an IR firm like Talos IR brings several key advantages: 

• Speed and availability: We provide 24/7 global support, with response times often under a few hours for remote engagements and on-site support wherever needed. Engaging an IR firm is like calling in a S.W.A.T. team for a cybersecurity crisis. We bring the tools, tactics and experience to contain the threat and minimize damage while guiding the organization toward recovery and increasing future resilience. 
• Expertise: With numerous incident responders and threat intelligence analysts, all of whom have access to industry-leading Talos threat intelligence, the team has deep experience handling diverse threats, from ransomware to business email compromise (BEC). We handle it all, from “small” attacks on a single organization to a country-level threats. We don’t focus just on typical IT environments — we work with ICS/OT, cloud or mobile forensic, as well.  
• Vendor-agnostic approach: Talos IR works with customers’ existing infrastructure and tooling, whether you use Cisco products or not. We simply don’t like to wait for deployment of tools before getting our hands dirty in all the logs, consoles and forensic artifacts. At a time when you are already resource-constrained, the last thing we want to do is make you replace an existing security solution, such as endpoint detection and response (EDR), on the endpoints. 
• Comprehensive services: Beyond emergency response, Talos IR provides proactive services like Threat Hunting and IR Planning to strengthen your security posture before an incident happens or after to build up resilience.

Overview of the IR lifecycle 

The IR process typically follows a structured lifecycle, based on frameworks such as NIST SP 800-61 or the SANS Institute’s model. Talos IR aligns with these best practices, tailoring its approach to organization’s unique needs at the time of crisis and beyond. Handling incidents day in and day out has given Talos IR a deep well of experience, and we’ve built that knowledge into processes to support every organization we work with. The lifecycle of our IR typically includes: 

1. Preparation 
2. Identification 
3. Containment 
4. Eradication 
5. Recovery 
6. Lessons learned 

When you engage Talos IR, we apply this lifecycle with a blend of technical prowess, threat intelligence and collaborative teamwork. Let’s walk through each phase in detail.

Phase 1: Preparation (before the incident) 

Preparation is the foundation of effective IR. While many organizations only engage IR firms during a crisis, proactive engagement with Talos IR can significantly reduce the impact of future incidents. With a Talos IR retainer, you secure an agreement that ensures rapid response during an emergency and access to proactive services tailored to your organization’s risk profile and needs, offering: 

• Emergency response: Guaranteed access to a global team within a short time of experiencing of an incident. During major global cybersecurity events like Wannacry, Heartbleed or Log4J or others, an existing retainer can be the difference between receiving immediate help and waiting days to weeks.
• Proactive services: Access to proactive services for Threat Hunting, Tabletop Exercises or Purple Teaming
• Relationship building: Familiarity with your environment, reducing response time during a crisis

These services build trust and familiarity, ensuring Talos IR can hit the ground running during an emergency.

Phase 2: Identification (beginning of incident) 

When a cybersecurity incident occurs, the first step is identifying and confirming the threat, whether it’s a ransomware attack, phishing campaign, or data breach. This is often when organizations reach out to Talos IR. Talos IR’s emergency response team is available 24/7 and can be reached via phone or email, but phone is the fastest and most direct way to reach our dedicated IR team.  

Initial call

During the first call, Talos IR gathers critical information to help us move onto analysis as soon as possible: 

• Nature of the incident: What symptoms were observed (e.g., encrypted files, suspicious emails, new files on the webserver that were committed outside of the development lifecycle)? 
• Affected systems: Which servers, endpoints, or networks are impacted? 
• Business impact: Is the incident disrupting operations or exposing sensitive data? 
• Existing actions: What steps have been taken so far? 
• Visibility: What existing systems and tools can we access to handle the incident? Would complimentary Cisco tools help close a current gap, such as no EDR solution on a specific network? 

Triage, scoping and analysis 

Talos IR deploys a team led by an Incident Commander, who coordinates efforts and communicates with the stakeholders. The Incident Commander is supported by a skilled team of responders, threat analysts and project managers who keep everything moving and progress analysis 24/7. We typically start our work with in-depth triage of your environment which often involves: 

• Log analysis: Reviewing logs from security information and event management (SIEM) systems, EDR tools, or network devices to identify indicators of compromise (IOCs)
• Threat intelligence: Leveraging Talos global telemetry to match IOCs against known adversary tactics, techniques and procedures (TTPs)
• Digital forensics: Collecting and analyzing evidence, such as memory dumps or disk images, to understand the attack’s scope

What makes IR truly effective is having access to as much relevant data as possible from the very beginning. The earlier our team can review endpoint telemetry, network traffic, identity logs and other critical data points, the faster we can determine what happened, how far the threat spread and what needs to be done to contain the threat. We often use the triage process to understand and search for: 

• Initial access vector: Common vectors include phishing, exploited vulnerabilities (e.g., Microsoft Exchange Server flaws), or misconfigured VPN servers. You can read all about the trends we see each quarter here. 
• Adversary goals: Is the attacker after data theft, ransomware deployment, or persistent access? 
• Scope: How many systems, users, or networks are affected? 
• Persistence mechanisms: Are there backdoors, scheduled tasks, or web shells that allow re-entry? 
• Data exfiltration: Was sensitive data stolen? 

Talos IR provides an initial assessment, outlining the incident’s severity and recommended next steps, and keeps you updated daily. This phase sets the stage for containment, where speed is critical to limit damage. This analysis goes on for a number of days and typically uncovers additional information that adds to the picture during each 24-hour cycle.

Phase 3: Containment (stopping the attack) 

Containment focuses on preventing the threat from spreading further while preserving evidence for analysis. Talos IR employs a technology-agnostic approach, working with existing tools to implement short-term and long-term containment strategies while simultaneously looking to minimize business impact. 

Short-term containment 

Immediate actions to isolate the threat typically include: 

• Network segmentation: Isolating affected systems or subnets to prevent lateral movement
• Account lockdown and/or password changes: Disabling compromised accounts, changing compromised passwords, or enforcing multi-factor authentication (MFA). Talos IR frequently observes incidents where the lack of MFA enables ransomware or business email compromise (BEC) attacks. 
• Process termination: Isolating malicious processes, such as ransomware encryptors or command-and-control (C2) beacons, when identified. Reimaging devices is often a recommended step, but it depends on the extent of the breach.
• Firewall rules: Blocking malicious IPs or domains identified through Talos’ threat intelligence

Long-term security hardening 

While short-term countermeasures stop immediate damage, long-term security hardening ensures the attacker can’t regain access. By working together with an organization on emergency response, Talos IR gains a great understanding of what needs to be applied to build long term resistance. Some of these recommendations would be: 

• Patching vulnerabilities: Addressing exploited flaws, such as unpatched servers or vulnerable web applications
• Endpoint protection: Extending EDR deployments to monitor for residual threats on systems that were previously unprotected
• Strengthening resilience: Taking a long-term, strategic approach to uncover and address weaknesses in your organization’s security posture to better prepared for future threats
• Improving efficiency and consistency: Developing clear policies and procedures, while automating routine tasks such system hardening to reduce risk

Phase 4: Eradication (removing the threat) 

Once the threat is contained, Talos IR focuses on recommendations for completely removing all remnants of the adversary from the environment. Eradication is a delicate process that needs to balance business needs with recovery operations. Eradication typically involves: 

• Account remediation: Resetting passwords and revoking compromised credentials. This may sound familiar from the containment phase, but often it is necessary to do two or more credential purges during a major incident. 
• System rebuilds: In severe cases, rebuilding affected systems from clean backups to eliminate hidden threats.
• Reverting adversary changes: Some sophisticated adversaries will do things like change firewall rules, embed fileless malware in the registry, or create future scheduled tasks as “sleeper agents.” Detecting, documenting and reverting these changes can be the most difficult and important part of eradication. 

Before wrapping up this phase, Talos IR verifies eradication through: 

• Threat hunting: Scanning for residual IOCs or anomalous behavior
• Log reviews: Confirming no further malicious activity

This process minimizes the risk of the adversary returning, as seen in cases where adversaries used tools like Cobalt Strike to maintain persistence. A single overlooked persistence mechanism is enough to let the adversary back in at a later date, which is why a thorough forensic review by an experienced IR team is critical. 

Phase 5: Recovery (restoring operations) 

Recovery aims to restore systems and operations to normal while enhancing security to prevent recurrence. Talos IR collaborates with IT and business teams to ensure a smooth transition. If it is necessary to accept some risk in order to get business operations back online, the Talos IR Incident Commander will work with your organizational leadership to ensure that the risk is minimized and understood, and that compensating controls are applied.  

Key recovery recommendations often include: 

• Restoring from backups: Deploying clean backups to affected systems, ensuring they’re free of malware
• Application testing: Verifying critical applications (e.g., ERP systems) function correctly post-recovery
• User access: Gradually restoring user access with strengthened controls, such as MFA
• Alternative processes: Implementing manual or temporary workflows if systems remain offline
• Stakeholder communication: Coordinating with PR and legal teams to manage external messaging and regulatory notifications
• Employee training: Educating staff on phishing awareness or secure practices to prevent future incidents
• Logging improvements: Enhancing visibility to overcome the logging deficiencies
• Patch management: Establishing processes to prevent exploitation of known vulnerabilities

Phase 6: Lessons learned (building resilience) 

The final phase of IR involves analyzing the incident to extract lessons and improve future preparedness. Talos IR’s approach ensures that insights translate into actionable strategies. Talos IR delivers a comprehensive incident report, including: 

• Incident summary: A timeline of events, from initial detection to resolution 
• Findings: Details on the attacker’s TTPs, entry points and impact
• Recommendations: Specific actions to ensure long-term and short-term improvements

Ongoing partnership 

At Talos IR, we believe IR isn’t only a service we provide; it’s a relationship and the ultimate team sport. We’re not here just for the crisis; we’re here to support before, during and long after the incident is resolved. As many of our long-term retainer customers like Veradigm have observed, those multi-year relationships pay great dividends during incidents:  

“With the [Talos IR] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,” Jeremy Maxwell, Veradigm CISO. 

This is one of many stories we observe during our engagements with different organizations. For Talos IR, once the immediate threat is handled, the real work begins. We help to strengthen your defenses through ongoing support, so your organization is better prepared for the future. We keep the defenders in the loop with up-to-date threat intelligence, and we run regular training and drills to make sure that various teams know exactly what to do if something happens again. 

It’s a partnership built on trust, experience and a shared goal: keeping your organization resilient in a constantly evolving threat landscape.

Cisco Talos Blog – ​Read More

A team of researchers at the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has published a research paper demonstrating how a Spectre v2 attack can be used for a sandbox escape in a virtualized environment. With access to only a single isolated virtual machine, the researchers were able to steal valuable data normally accessible only to the server administrator. Servers based on AMD CPUs (including AMD’s newest – with Zen 5 architecture) or Intel’s Coffee Lake are susceptible to the attack.

The danger of Spectre attacks for virtual environments

We regularly write about CPU vulnerabilities that employ speculative execution, where standard hardware features are exploited to steal secrets. You can read our previous posts on this subject, which describe the general principles of these attacks in detail, here, here, and here.

Although this type of vulnerability was first discovered back in 2018, up until this paper researchers haven’t demonstrated a single realistic attack. All their efforts have culminated in the notion that, theoretically, a sophisticated and targeted Spectre-like attack is feasible. Furthermore, in most of these papers, the researchers restricted themselves to the most basic attack scenario: they’d take a computer, install malware on it, and then use the CPU hardware vulnerability to steal secrets. The drawback of this approach is that if an attacker successfully installs malware on a PC, they can steal data in numerous other, significantly simpler methods. Because of this, Spectre and similar attacks are unlikely to ever pose a threat to end-user devices. However, when it comes to cloud environments, one shouldn’t dismiss Spectre.

Imagine a provider that rents virtual servers to organizations or individuals. Each client is assigned their own virtual machine, which allows them to run any software they want. Other clients’ virtual systems can be running on the same server. Separating data-access privileges is crucial in this situation. You must prevent an attacker who has gained access to one virtual machine from reading the confidential data of an adjacent client, or compromising the provider’s infrastructure by gaining access to the host’s data. It is precisely in this scenario that Spectre attacks start appearing as a significantly more perilous threat.

VMScape: a practical look at a Spectre v2 attack

In previous research papers on the feasibility of the Spectre attack, researchers didn’t delve into a realistic attack scenario. For an academic paper, this is normal. A theoretical proof of concept for a data leak is typically enough to get CPU makers and software developers to beef up their defenses and develop countermeasures.

The authors of the new paper from ETH Zurich directly address this gap, pointing out that previously examined scenarios for attacks on virtualized environments – such as those in this paper, also by ETH Zurich – made an extremely broad assumption: that the attackers had already managed to install malware on the host. Just like with attacks on regular desktop computers, this doesn’t make much practical sense. If the server is already compromised, the damage is already done.

The new attack proposed in their paper – dubbed VMScape – uses the same branch target injection mechanism as the one found in all attacks since Spectre v2. We’ve talked about it several times before, but here’s a quick summary.

Branch target injection is a way to train a CPU’s branch prediction system, which speeds up programs by using speculative execution. This means the CPU tries to run the next set of commands before it even knows the results of the previous computations. If it guesses the right direction (branch) the software will take, the performance significantly increases. If it guesses wrong, the results are simply discarded.

Branch target injection is an attack during which an attacker can trick the CPU into accessing secret data and move it into the cache during speculative execution. The attacker then retrieves this data indirectly through a side channel.

The researchers discovered that the privilege separation between the host and guest operating systems during speculative execution is imperfect. This allows for a new version of the branch target injection attack, which they’ve named “Virtualization-based Spectre-BTI” or vBTI.

As a result, the researchers were able to read arbitrary data from the host’s memory while only having access to a virtual machine with default settings. The data reading speed was 32 bytes per second on an AMD Zen 4 CPU, with nearly 100% reliability. That’s fast enough to steal things like data encryption keys, which opens a direct path to stealing information from adjacent virtual machines.

Is VMScape a threat in the real world?

AMD CPUs with Zen architecture from the first through the latest fifth generation have proved vulnerable to this attack. This is because of the subtle differences in how these CPUs implement Spectre attack protections, as well as the unique way the authors’ vBTI primitives operate. For Intel CPUs, this attack is only possible on servers with older Coffee Lake CPUs from 2017. Newer Intel architectures have improved protections that make the current version of the VMScape attack impossible.

The researchers’ achievement was designing the first-ever Spectre v2 attack in a virtual environment that’s close to real-world conditions. It doesn’t rely on overly permissive assumptions or crutches like malicious hypervisor-level software. The VMScape attack is effective; it bypasses many standard security measures, including KASLR, and successfully steals a valuable secret: an encryption key.

Fortunately, immediately after designing the attack, the researchers also proposed a fix. The issue was assigned the vulnerability identifier CVE-2025-40300, and it was patched in the Linux kernel. This particular patch doesn’t significantly reduce computational performance, which is often a concern with software-based protections against Spectre attacks.

Methods for protecting confidential data in virtual environments have existed for a while. AMD has a technology named “Secure Encrypted Virtualization” and its subtype, SEV-SNP, while Intel has Trusted Domain Extensions (TDX). These technologies encrypt secrets, making it pointless to try to steal them directly. The researchers confirmed that SEV provides additional protection against the VMScape attack on AMD CPUs. In other words, a real-world VMScape attack against modern servers is unlikely. However, with each new study, Spectre attacks look more and more realistic.

Despite the academic nature of the research, attacks that exploit speculative execution in modern CPUs remain relevant. Operators of virtualized environments should continue to consider these vulnerabilities and potential attacks in their threat models.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is always a breach happening somewhere, your company is always under attack, there is always a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1. Learn and enforce boundaries. You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2. Peer support. Whether it’s a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3. Unplugged self-care. This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4. Mandatory decompression/vacation. After an incident, be it VPN Filter or a breach, leaders: look after your people. Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

The one big thing 

In Talos’ latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

Why do I care? 

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

So now what? 

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

Top security headlines of the week 

New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts 
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit 
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

Google nukes 224 Android malware apps behind massive ad fraud campaign 
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

Former FinWise employee may have accessed nearly 700K customer records 
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

Can’t get enough Talos? 

• Alex Ryan: From zero chill to quiet confidence 
  Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
• Beers with Talos: How to ruin an APT’s day 
  The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
• Tampered Chef: When malvertising serves up infostealers 
  Imagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in “malvertising” and challenges in defense.

Upcoming events where you can find Talos 

• LABScon (Sept. 17 – 20) Scottsdale, AZ 
• VB2025 (Sept. 24 – 26) Berlin, Germany 
• Wild West Hackin’ Fest (Oct. 8 – 10) Deadwood, SD

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: executable.exe 
Claimed Product: N/A   
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Typical Filename: nwx3hgsl.exe 
Claimed Product: Self-extracting archive 
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Typical Filename: werrx01USAHTML 
Claimed Product: N/A 
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Typical Filename: ~3B6A.tmp 
Claimed Product: N/A 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: img001.exe 
Claimed Product: 
Detection Name: Win.Dropper.Miner::95.sbx.tg

Cisco Talos Blog – ​Read More

Welcome to another episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe.

This time, we sit down with Alex Ryan, a seasoned Incident Commander from Cisco Talos Incident Response. Read (or watch) on to hear her candid reflections on the emotional intensity of incident response, the critical role of a supportive team in preventing burnout, and invaluable advice for aspiring cybersecurity professionals.

Amy Ciminnisi: Alex, you were recently on the Beers with Talos podcast, and during that, we learned that you have two liberal arts degrees, but you found yourself really loving how machines and systems worked, and then you work your way through the cybersecurity ranks. I’d love to know: What brought you to Talos?

Alex Ryan: During my career inside companies doing incident response, vulnerability management, and risk management, Talos Intelligence was often one of my sources. I often looked at intelligence from vendors who were using their own datasets to generate the finished intelligence, rather than those who just took whatever intelligence was already out there, re-mashed it, and enriched it a bit. I have a lot of respect for Talos from using them as a source for guiding how I would do incident response and prioritize my defenses and things like that. When the opportunity came up to join Cisco Talos Incident Response as an Incident Commander, it was that reputation (and having used their material for so long which showed that there was really good quality people and research being done) that put this job at the top of my list of choices.

AC: You have a very difficult job as an Incident Commander, acting as the point person in situations where people are possibly going through the worst days of their careers. What’s something about your day-to-day role that people might be surprised by or interested in?

AR: Incident response is a very high pressure situation to be in. You need to exude quiet confidence and build a trust relationships quickly with your customer. But on the back end, things can be chaotic: trying to get access to machines, trying to find the right machines. “Do we have the right IOCs?” “What is this thing? Let me reverse engineer it.” Trying to distill all of that activity into larger topics and give progress to the customer on it is critical.

It’s also high risk for the business being impacted. I think that there was a statistic at one point that about 70% of small to medium businesses that paid the ransom after being compromised went out of business within a year, because the ransom was such a financial hit that they just couldn’t absorb that kind of impact. So while the customer is trying to not freak out, I’m trying to exude quiet confidence while managing the forensics analysis activity. Trying to balance all of that is quite difficult, so incident response has a very high burnout rate.

After I came back from raising my children, it took me about two years to detox completely from incident response. I was really high strung, and I had no chill. Zero chill. I had to learn how to say no and how to prioritize my family over this hero complex that I was having at work. I would say I’m a much more well-rounded person now, and perhaps I’m better at my job because of that.

Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!

Cisco Talos Blog – ​Read More