Archive for October 23, 2025

Shadow Escape 0-Click Attack in AI Assistants Puts A Lot Of Data At Risk

Posted in Commentary with tags on October 23, 2025 by itnerd

Researchers have uncovered a new privacy risk, dubbed Shadow Escape, that exploits the Model Context Protocol (MCP) businesses use to connect to LLMs. The attack enables hackers to steal large volumes of data, such as Social Security Numbers, medical records, and business information, from users of AI assistants without the user ever clicking a suspicious link or making a mistake.

The details can be found here: https://www.operant.ai/art-kubed/shadow-escape

Roger Grimes, CISO Advisor at KnowBe4, provided the following comments:

“I’m familiar with at least one other similar attack involving another, more popular AI tool, that the researcher plans to publicly release soon after practicing responsible disclosure with the vendor. They seem to be coming out of the woodwork, so to speak. This zero-click attack is just going to be one of thousands coming out over the next few years. These initial reports are just the beginning stages of what promises to be years and years of new types of exploits. That’s because AI and the way they interact with other AIs and humans are just starting to be discovered and explored. The sheer amount of ways that any AI can interact with something else makes it far harder, if not impossible, for the vendor or a cyber defender to test before the AI is released.

“We didn’t do a great job at testing non-AI, more deterministic software and systems, to make sure they didn’t have vulnerabilities. Heck, we had over 40K separate publicly announced vulnerabilities last year and we are on our way to having over 47K this year. Non-deterministic AIs with the ability to have thousands of different types of interactions are just going to make that number explode. We are just now opening Pandora’s box, and we are definitely not going to like what we see. I thought stuff was complex in the past. We will think of the past decades of vulnerabilities as the “good times” before AI everywhere arrived. It’s getting ready to be very stormy.”

Organizations need to look at how their employees use AI. They need to ensure that staff use only company-approved AI tools, and that anything that connects to an LLM is secured. Otherwise, they are wide open to this sort of attack.

Hackers begin to exploit SessionReaper vulnerability

Posted in Commentary with tags on October 23, 2025 by itnerd

Hackers are actively exploiting a critical vulnerability (CVE-2025-54236, CVSS 9.1) in Adobe Commerce and Magento Open Source, known as SessionReaper. The flaw, stemming from improper input validation, allows attackers to bypass security features and potentially take over customer accounts via the Commerce REST API. Although Adobe released a hotfix on September 9, exploitation began after the patch was leaked early, and only 38% of affected sites have applied the fix. Sansec has observed roughly 250 attacks already, with exploitation expected to escalate rapidly following the public release of technical details by Searchlight Cyber. Adobe has confirmed the vulnerability is now being exploited in the wild.

Dale Hoak, CISO, RegScale, had this to say:

“The rapid exploitation of SessionReaper underscores how compliance and security controls must operate continuously, not periodically. Many organizations treat patch management and vulnerability response as checklist items, but real resilience comes from continuous monitoring of control drift and evidence of remediation. When technical writeups go public, automation and compliance-as-code can make the difference between being patched in hours versus weeks.”

We are now in an age of patch everything ASAP before the bad guys try to pwn you. This illustrates how bad things have become and why things need to change ASAP.

Nelson Focuses on AI in Education with Upcoming Keynote at Canadian EdTech Leadership Summit and its Launch of AI Literacy Resources for Educators

Posted in Commentary with tags on October 23, 2025 by itnerd

Nelson will focus on addressing a gap in education with a keynote from its President and CEO Steve Brown at the Canadian EdTech Leadership Summit in Toronto, and an upcoming launch of resources related to Artificial Intelligence (AI) for educators.

According to a recent study from KPMG, Canada is lagging global peers in AI literacy and trust, ranking among the least AI literate nations globally. To help address that gap, Nelson is taking steps to support educators as they look to understand and navigate AI in education. The company will offer trusted resources in Edwin, including lessons and activities, to provide educators and students with information to better understand AI; to learn how it can be used appropriately; to see how AI literacy can be integrated into cross-curricular learning experiences; and more.

For example, one lesson will provide educators with an overview of how to provide an introduction to AI, giving students basic shared vocabulary and a conceptual understanding of what AI is, examples of AI in our world, and options for further learning about AI, including bias, ethics, and responsible usage. Educators will find these resources in Edwin beginning in mid-November. 

Nigel Romany, a Grade 6 and 7 teacher from Brant Haldimand Norfolk Catholic District School Board (BHNCDSB) and an avid Edwin user, talked about how he complements the use of Edwin with AI in his teaching. He explained that he started using Edwin in lessons that were outside of his core subjects, such as science. Edwin provides rich curriculum-aligned materials, which he said allows him to provide the proper information for his students in an effective forum. Within the first week of using Edwin, he was able to guide students to develop a commercial on biodiversity. Now, he said he uses AI to complement and assist in his teaching practice. For example, AI helps him narrow down vast amounts of information and gives him alternatives in his lesson planning. Additionally, we know students use AI in some capacity to do their assignments. He said that as educators, we have to find different ways to assess our students, review the work and educate them to use AI properly. He noted that teaching has always been more of an art form than an exact science and AI, in his opinion, cannot replace the interaction between student and teacher but rather enhances it. He is looking forward to using the new resources on Edwin to help him engage in conversations with his students about AI, helping them develop skills to question, analyze and use AI responsibly.

EdTech: Sharing AI Insights and Trends
Taking place on October 29 and 30, 2025 at the state-of-the-art Innovation Complex at the University of Toronto Mississauga, the theme of this year’s EdTech Leadership Summit is “Empowering Human-Centered Sustainable Learning in an AI-Inspired World.” Brown will present his keynote, “The Intersection of Human and Artificial Intelligence,” on October 30 at 11 a.m., during which he’ll share a perspective on the rise of AI in education, its opportunities and challenges, and the importance of focusing on the right learning pathways to drive human intelligence.

The 16th annual event is targeted at senior-level leadership in K-12 and post-secondary education, EdTech industry partners, policymakers, teacher leaders, investors, students, parents, and EdTech startups who are passionate about refining the future of learning to help all students thrive. It will provide attendees an opportunity to access evidence-based research, success stories, and best practices to future-proof their learning environment and empower every learner in an AI-powered age. Attendees will also gain insider knowledge on the latest global and national trends, from AI adoption in classrooms to digital equity strategies, with concrete case studies they can quickly apply.

Supporting Teachers to Succeed in the Classroom
Nelson continues to support educators across the country with current curriculum-aligned materials they need for their classrooms. For example, resources and content in Edwin were updated for the 2025/2026 school year based on the renewed K-12 curriculum in Manitoba.

The company also recently launched the Edwin Academy, where teachers can not only access classroom resources, but also training and just-in-time support. The Academy is designed to empower educators, curriculum leads and administrators with the tools they need to succeed when they use Edwin. It helps educators with common teaching and learning challenges, whether they’re integrating Edwin into lessons, supporting teachers in schools, or scaling professional learning across a district. While resources are available to all Edwin users, the Edwin Academy is available to all teachers. Additionally, parents can now access the same engaging educational resources to be used at home to complement and support their children’s learning journey. Learn more here.

Edwin AI resources will be available for educators from Nelson on edwin.app beginning mid-November 2025.

For more information about the Canadian EdTech Leadership Summit, or to register for the event, visit https://summit.canamedtechalliance.com/.

TELUS announces #StandWithOwners 2025 winners

Posted in Commentary with tags on October 23, 2025 by itnerd

TELUS has announced the winners of its sixth #StandWithOwners – Canada’s largest small business contest – celebrating the owners who have made it in Canada. From the thousands of applications received, 20 outstanding Canadian businesses representing a broad selection of industries have been recognized for demonstrating how they leverage technology to drive innovation and stand out, while creating meaningful change in their local economy and community.

Their recognition is part of TELUS’ ongoing dedication to supporting Canadian businesses. Since 2020, TELUS has invested over $6 million through the #StandWithOwners program, providing essential funding, technology and exposure to help businesses thrive in a digital world.

This year’s five grand prize winners are:

  • Ashored Innovations: Led by owner Aaron Stevenson, Ashored Innovations addresses a critical environmental issue by tackling marine life entanglement in fishing gear through innovative “rope-on-demand” technology. Inspired by a 2017 North Atlantic right whale unusual mortality event, Ashored retrofits existing lobster and crab traps with underwater buoys that use acoustic release technology to surface only when remotely activated by fishermen. This system stows the rope in a cage connected to the traps, preventing both gear loss and marine entanglements. The technology is now used across three continents for commercial fishing and scientific monitoring of subsea noise pollution and climate-related environmental variables.
  • mddl: Owners Darlene Jehn and Alkharim Devani recognized the critical need for accessible housing options, creating mddl, a real estate company dedicated to empowering communities to build diverse, sustainable “missing middle” housing through education, technology, and policy advocacy by fostering a more equitable approach to development. Their training programs support small-scale developers while partnering with cities to modernize zoning and unlock public land, creating more accessible and equitable housing solutions. 
  • Sepura Home Ltd.: Revolutionizing kitchen waste management with its innovative IoT-enabled composting garbage disposal system, owner Victor Nicolov developed a clean, compact, and hands-free solution that seamlessly integrates into modern kitchens. The system addresses the growing burden traditional garbage disposals place on wastewater infrastructure while eliminating the inconvenience of existing composting methods. Through an integrated mobile app, Sepura Home Ltd. provides users with system control, environmental impact insights, and over-the-air software updates, currently making it the only food waste system that continuously improves over time.
  • UKKÖ Robotics: Owners Daniel Badiou and Katrina Jean-Laflamme created UKKÖ Robotics, addressing the need for efficient solutions to automate livestock pasture management, providing unique, solar-powered, autonomous barns for livestock, promoting regenerative agriculture and supporting small farmers. Their flagship product, the ROVA Barn, features a floorless design and autonomously moves small livestock to fresh pasture areas multiple times daily. This innovative approach reduces the environmental impact of livestock farming while significantly decreasing the labour required for pasture management. 
  • Vets Around the Corner: Not just a veterinary clinic, owners Dr. Devon Barnes, Dr. Lindsay Patterson, James Clague, and William Woodstock created Vets Around the Corner, a community-driven animal hospital that launched the Community Veterinarian Program, a mobile, not-for-profit initiative eliminating barriers to veterinary care for marginalized, low-income, and underserved populations. By retrofitting a decommissioned ambulance into a mobile veterinary exam room, they are bringing wellness exams, medical treatments, and health education directly to retirement residences, shelters, community centers, and First Nations communities.

The five grand prize winners each receive a $200,000 prize package, including $75,000 in direct funding, $80,000 in advertising and business exposure, $35,000 in TELUS and Samsung technology, and $10,000 in TELUS Health wellbeing support. An additional 15 winners each receive $20,000 in funding and technology. 

To learn more about all 20 of our inspiring winners visit telus.com/winners

1 in 3 Canadian organizations hit by Ransomware, but only 25% fully recover

Posted in Commentary with tags on October 23, 2025 by itnerd

OpenText today released the findings of its fourth annual Global Ransomware Survey. The survey of almost 1,800 security practitioners and business leaders highlighted a rising tension between confidence and risk: confidence in ransomware readiness is rising, yet concern over AI-driven attacks and third-party vulnerabilities is growing just as fast.

Organizations believe they’re ready to bounce back from ransomware — but AI is rapidly changing the threat landscape. New attack methods, weak governance, and supply chain vulnerabilities are exposing critical gaps between preparation and performance, creating a higher-stakes environment for defenders and leaders alike. This is especially true for SMBs that have fewer formal AI policies. 

Key survey findings include:

False Sense of Confidence Grows, as AI Raises the Stakes
Organizations feel more prepared than ever to recover from ransomware attacks, but AI introduces a growing layer of complexity that’s causing unease. While internal GenAI use is rising, so are external AI-powered threats. Organizations are navigating a high-stakes balancing act to enable innovation while managing risk.

  • Ninety-four percent of Canadian respondents are confident in their ability to recover from a ransomware attack, but only 25% of those attacked fully recovered their data.
  • Eighty-two percent allow employees to use GenAI tools, yet less than half (40%) have a formal AI use policy fully implemented.
  • Thirty-nine percent report increased phishing or ransomware due to AI; 30% have seen deepfake-style impersonation attempts.
  • Top AI-related concerns among Canadian respondents include data leakage (30%), AI-enabled attacks (25%), and deepfakes (14%).

Unmanaged Supply Chain Pathways Create Hidden Risks
While much of the ransomware conversation centers on AI, supply chain and third-party risks remain a quiet but dangerous threat. Attacks are both more frequent and more distributed, often entering through vendors, partners, or unmanaged digital pathways.

  • One in three Canadian companies (31%) experienced a ransomware attack in the past year; nearly half of those (48%) were hit more than once.
  • Thirty-two percent of Canadian victims paid a ransom; 21% paid $250K or more.
  • Only 25% of those hit fully recovered their data; 3% recovered nothing.
  • Eleven percent experienced ransomware attacks originating from a software vendor.
  • Over two-thirds (67%) of Canadian organizations now assess software supplier cybersecurity; 75% have patch management in place.

Sophistication of Ransomware Attacks Raises Awareness
The rise of AI and the spread of ransomware across critical business systems have pushed cybersecurity into the spotlight. What was once seen as an IT issue is now recognized as a core strategic concern for boards and executive teams.

  • Sixty percent of Canadian respondents say their executive team sees ransomware as a top three business risk.
  • Nearly half (48%) have been asked by customers or partners about ransomware readiness in the past year.
  • 2026 investment priorities include network protection (54%), cloud security (53%), and backup technologies (48%).
  • A majority (64%) conduct regular security awareness training; 11% offer none.

For additional findings from the OpenText Cybersecurity 2025 Global Ransomware survey, view the infographic.

Protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations, partners, and technology providers work together to close security gaps before they’re exploited. To learn more about their enterprise solutions, explore OpenText Cybersecurity Cloud. To learn more about their offerings for SMBs, click here.

Survey Methodology

In September 2025, OpenText Cybersecurity surveyed 1,773 C-level executives, security professionals, and security and technical directors from SMBs and enterprises in the United States, Canada, the United Kingdom, Australia, France, and Germany. Respondents represented multiple industries, including technology, financial services, retail, manufacturing, healthcare, education, and more.

New Research Reveals Coordinated Campaign Targeting Perplexity Comet Users Across Various Attack Vectors

Posted in Commentary with tags on October 23, 2025 by itnerd

Today, BforeAI released the company’s research of an investigation into fraudulent and malicious activities targeting users seeking to download Perplexity’s Comet AI browser.

The analysis reveals a coordinated campaign of domain squatting, fraudulent mobile applications, and deceptive advertising designed to capitalize on the legitimate Comet browser’s popularity.

The research reveals:

  • Suspicious domains investigated with varying threat levels
  • Critical-level mobile app threats identified on Google Play Store
  • Domains registered in 2025 following Comet’s launch timeline
  • Multiple attack vectors including fake downloads, malvertising, and brand impersonation observed on search engines.

You can find the research here: https://bfore.ai/report/malicious-activity-surrounding-perplexity-comet-browser-launch-threat-research/

Consumers Expose Passwords in Password Manager/VPN Exchanges New Study Shows

Posted in Commentary with tags on October 23, 2025 by itnerd

Researchers with Ontario Tech University, PureSquare, and CQR Cybersecurity have published a new study warning that consumers and businesses that use separate VPNs and password managers are susceptible to concurrent multi-vector attacks that put their data at risk.

The use of disparate password managers and VPNs from different vendors (security tool fragmentation) creates a previously unknown security gap. Threat actors exploit this gap and consumer ‘alert fatigue’ to steal credentials.

The measured cost of security tools fragmentation:

  • 44% of users receive overlapping alerts.
  • 38% receiving overlapping alerts say they ignore them.
  • 29–34% of people leave tools disabled or miss paid features entirely.
  • Redundant subscriptions account for 24% of annual security tool costs.
  • The high cost of tool fragmentation and alert chaos: $400 million is lost every year to multi-surface attacks (see below).
  • Personal pre-breach costs to consumers: duplicative “chaos tax” expenditures can cost more than $850 per consumer, per year.
  • The average person now manages 3.4 security apps, spends up to 27 hours a year maintaining them, and wastes between $574 and $850 annually on redundant subscriptions and unmanaged risks.

Ironically, people spend hundreds of dollars and dozens of hours every year managing overlapping, non-integrated security tools, yet they end up spending more and working harder to be less secure.

The “alert fatigue” blind spot that stems from notification flood cycles became especially visible during the 2025 Google breach affecting 2.5 billion Gmail accounts. The breach drove individuals to flood forums and search engines with urgent “what to do” queries while scrambling across multiple apps.

One App, Complete Protection

Building on this research, PureVPN has unified VPN, Password Manager, Dark Web Monitoring, Tracker & Ad Blocker, and Data Removal into a single platform. Instead of multiple apps competing for the consumer’s attention, users receive one alert stream, one workflow, and one place to act.

Notifications are consolidated and prioritized to reduce false alarms, while the new bottom navigation keeps breach-response tools easily accessible under stress.

You can read the study here.

Pave Bank raises $39 million to scale world’s first programmable bank built for digital assets and AI era 

Posted in Commentary with tags on October 23, 2025 by itnerd

The future of finance is shifting on-chain. As that shift accelerates, the world’s financial system is being rebuilt around tokenisation, the programmability of money and assets, along with a focus on regulation, risk and compliance. Pave Bank, a fully licensed commercial bank built for this new financial architecture, today announced it has raised over $39 million in funding led by Accel, with participation from Tether Investments, Quona Capital, Wintermute, Helios Digital Ventures, Financial Technology Partners, Yolo Investments, Kazea Fund, and GC&H Investments. The round brings the company’s total funding to more than $44 million and positions Pave Bank to expand its regulatory footprint, accelerate product development, continue to build institutional grade infrastructure and scale its client coverage across global markets.

Pave Bank was founded on two core ideas: that the future of money is programmable, and that businesses need a regulated, bank-grade counterparty capable of operating seamlessly across both traditional and digital asset rails. Today, the company offers a single platform that unifies commercial banking services – deposit accounts, broad payment coverage, deep FX liquidity, payment card issuance and corporate treasury management – with institutional-grade digital asset management, an instant settlement network and an OTC trading desk. Instead of managing multiple providers for fiat banking, custody, and liquidity, clients can operate across both systems under one regulatory framework, one compliance standard, and one interface.

Businesses using Pave Bank can manage both fiat and digital assets in real time, automate treasury operations, and reduce reliance on intermediaries. An exchange or market maker can manage both digital assets, fiat and fixed income treasury products in one place, and at the same time, deal with their counterparties using the Pave Network – enhancing operational liquidity and mitigating operational risk. Corporates exploring using stablecoins in their operations can unify digital assets and fiat corporate treasuries with regulatory clarity and in a secure manner – improving speed, control, and cost efficiency. 

Since launching, Pave Bank has focused on building a sustainable, technology-driven operating model rather than chasing top-line growth. The company achieved profitability in seven of its first nine months of operation – a rare milestone for a newly licensed bank – by leveraging automation and AI across software engineering, compliance, operations, and treasury functions. With a team of just over fifty people, the bank expects to continue to scale intelligently while maintaining profitability along with a core focus on risk and compliance. 

The financing reflects growing institutional demand for a new kind of financial institution – one that can manage regulated digital assets, from stablecoins to bitcoin, alongside everything that is expected from a commercial bank, provide instant settlement and programmable flows, and have prudential oversight. Pave Bank has been building within regulatory frameworks for digital assets from day one, and as these regulations mature and harmonize, Pave Bank is working directly with regulators to ensure compliance and interoperability across jurisdictions.

Looking ahead, Pave Bank plans to expand its licensing coverage, deepen its programmable treasury and institutional financial products, and integrate with major financial and digital asset ecosystems. The long-term vision is to become the trusted corporate and institutional global financial institution – the place where the traditional and digital economies finally operate as one.

Apache Syncope Allows Malicious Admins to Inject Groovy Code

Posted in Commentary with tags on October 23, 2025 by itnerd

A researcher has uncovered a remote code execution (RCE) vulnerability in the open-source identity management system Apache Syncope, via its Groovy scripting feature. On versions prior to 3.0.14 and 4.0.2, an administrator can upload Groovy code that executes with the privileges of the running Syncope Core process.

You can find more details here: https://gist.github.com/N3mes1s/213e20931ea2d27af5c47e90dedbe05f

Henrique Teixeira, SVP of Strategy, Saviynt, commented:

“First, credit to the researcher and Apache for identifying and resolving this issue. CVEs like this matter. If exploited, attackers could execute code, exfiltrate secrets, or pivot across environments. But we also need to look at the threat model: exploitation requires administrative access to the tenant or domain. And if someone already has admin rights in an identity system, it’s effectively game over. That person can create or remove users, escalate privileges, and move laterally across systems.

This highlights why identity controls are so critical. Organizations should upgrade to the patched Syncope versions, avoid Groovy in favor of Java implementations, and enforce least privilege and strong authentication. Log everything, continuously audit admin activity, and prioritize identity hygiene by removing unused permissions and applying just-in-time privilege access. The bigger picture is that while patching vulnerabilities is essential, most breaches still start with exposed or misused identities. Securing them must remain the first line of defense.”

This was fixed pretty quickly. But next time, because there is always a next time, the world may not be so lucky. Thus a layered defensive structure that includes the suggestions Mr. Teixeira made above is the best advice organizations could receive.

Qilin Ransomware: Now the most prolific gang of the last few years says Comparitech

Posted in Commentary with tags on October 23, 2025 by itnerd

Comparitech researchers have published a study diving into this very ransomware gang.

Key findings for Qilin in 2025 include:

  • 701 victims (118 of these attacks have been confirmed)
  • 45 attacks on healthcare providers (14 confirmed)
  • 40 attacks on government entities (22 confirmed)
  • 26 attacks on the education sector (7 confirmed)
  • 590 attacks on businesses (75 confirmed):
    • 143 on manufacturers (11 confirmed)
    • 108 on service-based businesses (9 confirmed)
    • 69 on finance companies (27 confirmed)
    • 50 on retailers (2 confirmed)
    • 34 on construction companies (2 confirmed)
  • 788,377 records breached in the confirmed attacks
  • 116 TB of data stolen across all attacks (47 TB in confirmed attacks)
  • The US accounts for the most attacks (375), followed by France (41), Canada (39), South Korea (33), and Spain (26)

You can read more here: https://www.comparitech.com/news/qilin-ransomware-stats-on-attacks-ransoms-data-breaches/