The IT Nerd

Cybernews has published new research evaluating popular LLMs. The findings show that Gemini 2.5 Pro was the most compliant when prompted to provide animal abuse methods, advice on stalking, and other questionable content.

Key points from the study:

• Gemini 2.5 Pro performed worst on stereotypes, hate speech, animal abuse, cruelty, and stalking.
• In the stereotypes category, fifty questions were asked and Gemini 2.5 Pro scored a total of 48 points; the second-worst performer, OpenAI’s GPT-5, scored five.
• Gemini 2.5 Pro was the most easily tricked into engaging in what Cybernews researchers defined as hateful speech.
• The model produced the highest number of unsafe outputs on animal abuse and generated graphic and violent scenarios in the cruelty category.
• Gemini 2.5 Pro was the most vulnerable model in terms of producing unsafe output related to stalking.

Curiously, Gemini 2.5 Flash performed significantly better across many of the same categories.

For more information, here’s the full research: https://cybernews.com/security/google-gemini-pro-safety-problem/

A Cybernews journalist ran a hands-on experiment that reveals how popular AI assistants like ChatGPT, Gemini, and Claude can unintentionally sabotage home network security.

“With the help of AI, I’ve spent nearly the whole day experimenting and setting up an NGINX reverse proxy,” the author writes. “My prompt was simple: ‘For my home lab, I registered a .com domain, so I can use secure TLS. But how do I do that?'”

The chatbots’ responses turned out to be dangerous.

“It then instructed that I need my public DNS to point to my home WAN. This is terrible advice. Not only does it expose my home IP address, but it also provides potential attackers with insights into the internal structure of my services and devices.”

“And it gets even worse. For this method to work, following the path down the road, you would need to further expose the network and run services on the open internet. The chatbots suggest exactly that – to open ports 80 and 443. Thousands of malicious bots scan each IP address every day for any exposed vulnerability.”

The experiment shows how AI tools can produce confident but unsafe recommendations, leading users to expose their systems online.

“Chatbots might be solving PhD-level problems in benchmarks,” the author notes, “but when it comes to real-life situations, they just produce generic advice that sometimes works, but neither optimally, nor will they ask about your specific situation to do better.”

For more information, here’s the full article: https://cybernews.com/security/experiment-ai-assistant-sabotaging-home-lab-security/ 

By Stefanie Schappert

The Google Threat Intelligence Group published an updated report on Wednesday highlighting a critical shift in the cyber-threat landscape – and it’s all about AI. 

This “just-in-time” AI malware marks what Google is calling a “new operational phase of AI abuse.” Moreover, it’s already being actively used by low-level cybercriminals and nation-state actors alike.  

Google makes it clear that attackers have moved from using AI as a simple productivity tool to creating the first-of-its-kind adaptive malware that weaponizes large language models (LLMs) to dynamically generate scripts, obfuscate their own code, and adapt on the fly.

Don’t get it wrong, attackers are still using artificial intelligence to generate basic and yet hard-to-detect phishing lures for social engineering attacks. But adding to their arsenal are built-to-go modular, self-mutating tools that can evade conventional defenses. 

As Google puts it: “These tools can leverage AI models to create malicious functions on demand, rather than hard-coding them into the malware. While still nascent, this represents a significant step toward more autonomous and adaptive malware.” 

And while the research indicates that some of these novel AI techniques are still in the experimental stage, they are a surefire harbinger of things to come. 

What also makes this evolution particularly worrying is the lowered barrier to entry. Google found that underground marketplaces are offering multifunctional AI toolkits for phishing, malware development, and vulnerability research, so even less-sophisticated actors can tap into the toolset.

Meanwhile, nation-state groups, such as Russia, North Korea, Iran, and China, have already figured out how to leverage AI tools across the full attack lifecycle, from reconnaissance and initial compromise to maintaining a persistent presence, moving laterally through the target network, and developing command-and-control capabilities and data exfiltration.

In effect, defenders must now prepare for an era of adaptive and autonomous malware and AI tools that learn, evolve, and evade in real-time, creating new challenges for this generation of cyber defenders, who must learn to combat self-rewriting code, AI-generated attack chains, and an underground AI toolkit economy.  

Traditional static signature defenses will soon become ineffective, leaving already burnt-out CISOs scrambling to quickly pivot to anomaly-based detection, model-aware threat intelligence, and real-time behavioural monitoring.

Furthermore, AI-enabled tooling will almost certainly raise attackers’ success rates; not because every attack is flawless, but because automation, real-time adaptation, and hyper-personalised lures will massively widen the attack surface.

And let’s not forget the trickle-down effect that these AI-driven cyberattacks will have on the average person. 

What happens when AI, which can already ingest a person’s public posts, bios, photos, and leaked data to mimic their language, references, and relationships, begins to tailor its attack strategy against its target in real-time? 

AI-fueled scams, phishing emails, fake websites, and voice or video deepfakes will sound and look far more convincing than ever before, putting personal finances, privacy, and even digital identity at greater risk.

The result? An era where cyber deception feels authentic, the line between real and fake blurs, and the average person is exposed to attacks that feel real, personal, and nearly impossible to detect.

ABOUT THE AUTHOR

Stefanie Schappert, MSCY, CC, Senior Journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019.  She has a decade-plus experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News.  With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. Earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google.  Member of Women’s Society of Cyberjutsu (WSC), Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines. 

According to Ransomlooker, a tool developed by Cybernews that tracks ransomware attacks, October was a record month for notorious ransomware gang Qilin – 200 attacks were recorded during the month. Attacks by Qilin have been steadily growing throughout all of 2025, but October’s spike is unprecedented. 

Key insights:

• Qilin claimed 200 ransomware attacks in October, 2025, by far the most ever carried out by the group in one month.
• Attacks more than doubled compared to September, when 84 attacks were recorded.
• Qilin is already responsible for 723 attacks in 2025 (as of November 3rd, 2025).
• Qilin’s October victims include Israel’s 4th largest hospital, Shamir Medical Center, a large pharmacy benefit manager MedImpact, and Texas electric cooperatives.
• In 2024, Qilin claimed 181 attacks. In 2023, there were 45, and in 2022, the gang claimed just 5 attacks.

Notorious for targeting hospitals and the manufacturing sector, the Qilin gang – once known as Agenda – first appeared on the ransomware circuit in 2022. However, its dark leak site claims it began operating in 2021.

Qilin has moved into the number one position as the most active ransomware gang in the past 12 months, aggressively outperforming ransomware rivals Cl0p Play, INC Ransom, and Akira.

Known for using a ransomware-as-a-service (RaaS) business model, the cybercriminal outfit often uses double extortion tactics on its victims, demanding a ransom for decryption and then a second payout to guarantee it will not leak the stolen files on the dark web after the fact.

Here’s a screenshot from the Ransomlooker tool, showing just how active Qilin has become in October compared to previous months:

The Cybernews research team has discovered an unprotected MongoDB database leaking massive amounts of sensitive information. The dataset, attributed to crypto trading platform NCX, revealed several data collections that, when combined, reveal over five million records.

Many businesses utilize MongoDB to handle large swaths of unstructured data. However, NCX appears to be plagued with a common issue: databases are left unprotected without authentication, often due to human error. 

The exposed information includes:

• Full names, usernames, and dates of birth;
• Email addresses; 
• Links to user-uploaded identity documents (KYC);
• Two-factor authentication (TFA) codes and URLs;
• Internal API keys; 
• IP addresses;
• Hashed passwords;
• Profile photo URLs;
• Secret keys (obfuscated or encoded);
• Wallet addresses and related blockchain transaction info;
• Deposit/withdrawal history, currency types, block statuses;
• Admin support logs and Help Center communications.

The Cybernews team responsibly disclosed the issue to the company immediately after discovering the leaky database. However, the company did not react to multiple attempts to reach out. 

For more information, here’s the full report: https://cybernews.com/security/ncx-exchange-data-leak-wallets-exposed/

A new analysis by Cybernews reveals a potential link between AI innovation and the surge in cybercrime. Google Trends data shows global searches for “free voice AI” skyrocketed by 147% since August 2024 – just as AI impersonation scams jumped 148%.

The findings point to a dangerous shift: while overall phishing complaints have dropped by 40% since 2021, average financial losses keep climbing. AI may be making scams more convincing – and more profitable.

With voice generation tools like ElevenLabs surpassing a $5 billion valuation and deepfake tech becoming mainstream, Cybernews warns that AI may be silently fueling the next wave of cybercrime.

For more information on this, here’s the full report: https://cybernews.com/ai-news/ai-influence-on-crime-cybercrime-losses-soar-as-searches-for-free-voice-ai-surge-by-147/ 

By Stefanie Schappert

Yesterday Amazon Web Services (AWS) went down in the US causing a ripple effect, from governments and local municipalities, to enterprises, small businesses and the individuals who rely on these services daily. 

AWS is a cloud-based service thousands of major companies use to not only store their data, but run their apps and software for many critical business services.  

Whether basic communications using apps such as Snapchat, Signal and Reddit to airlines such as Delta and United reporting disruptions to their customer facing operations, when these services go down it highlights the reliance on just a few cloud services companies (AWS, Microsoft Azure, ANd Google Cloud) to run the country so to speak. 

The AWS outage has further impacted shopping websites, banking apps, and even streaming and smart homes devices.

And while organizations scramble to ensure business operations continue to run, it’s also an opportunity for individuals to do a quick check-in on their own cyber hygiene. 

Cybercriminals and hackers can easily take advantage of these types of outages to deploy an array of social engineering attacks. 

Whether in the office or at home, nothing is more frustrating than losing the ability to access files and documents, and communicate with business associates or loved ones, especially in an emergency or crisis.  

Hackers who rely on mass urgency and panic will see this as an opportunity to take advantage of people’s heightened emotions with phishing emails offering to “fix” the issue and get you back online and into your accounts or apps.  

But in reality, these scammers are looking to steal your personal information, such as login credentials by tricking you into updating your software or resetting your password.   

During major outages, users should avoid clicking on any links in emails, texts and pop-ups claiming to be able to fix the outage. 

Additionally, double check that any alerts or update messages from organizations, such as your bank or payment apps, are verified from the official website or app.   

This is the time to make sure you are using a strong password and multifactor authentication to prevent any unauthorized access to your accounts. 

However, individuals should also delay making sensitive transactions, such as major financial transactions, resetting your password, or installing critical software updates, until the service in question has been announced as officially restored. 

Furthermore, when the service disruption has ended, users should also monitor any affected accounts for unusual activity, discrepancies, and duplicate or fraudulent transactions. 

Finally, this is an excellent reminder for individuals to make sure they have a back-up system in place to access important documents and for communications.  

This can be as easy as keeping a secondary email account or even a back-up mobile phone.

ABOUT THE AUTHOR

Stefanie Schappert, MSCY, CC, Senior Journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019.  She has a decade-plus experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News.  With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. Earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google.  Member of Women’s Society of Cyberjutsu (WSC), Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines. 

The Cybernews research team has recently discovered that a decentralized video call app, Huddle01, was leaking real-time user logs through an exposed instance of Kafka Broker. No authentication, no encryption, or other access controls were used to protect the data, meaning that any third party could access it.

The exposed data included:

• Usernames (sometimes real names);
• Email addresses;
• Crypto wallet addresses (Huddle01 supports a wide array of wallets that operate on different blockchains (Bitcoin, Ethereum, etc.);
• Detailed activity data: which users joined specific calls, participants in each call, country, time, date, duration of the calls, etc.
• Other identifiers.

The leak was discovered on August 26th, 2025. Cybernews responsibly disclosed the data leak to the company. However, it did not respond to the initial disclosure and subsequent attempts. After one month, the exposed server remained accessible. It’s unclear how many other third parties might have accessed the data.

For more information on this, here’s the full report:

https://cybernews.com/security/video-call-app-huddle01-leaks-sensitive-user-data

The latest Cybernews research team findings show that Lifeprint, a portable photo printer for iPhone and Android, spilled millions of private photos onto the open internet.

Any internet user could have accessed over 8 million files, including 2 million unique photos, exported user data in JSON and CSV formats, and lists of usernames, email addresses, and printing stats for more than 100,000 users.

Key research takeaways: 

• The leak was caused by a misconfigured bucket that lacked authentication.
• According to the stored metadata, these users printed 1.6 million photos together.
• The research team also found that the public cloud bucket contained multiple versions of the printer’s firmware. Buried inside the files was a private encryption key, left in plain text, which appeared to be used to sign the firmware.

Possible threats

Lifeprint users face multiple risks, such as identity exposure through leaked personal information. Leaked photos can often be intimate, exposing the user’s private life to anyone on the internet. Also, the leaked personal information could be used in identity theft, harassment, and doxxing attacks.

Also, affected users are in theoretical danger of malicious firmware taking over their devices. Cybernews contacted the company, but no response was received.

To read the full research, please click here.

Cybernews conducted a survey on employees in the US to figure out how they use AI tools at work. The research revealed that the vast majority of respondents used AI tools that were not approved by their employers.

Here are the key findings:

• 59% of employees use AI tools that their employer has not approved.
• Out of those using unapproved tools, 57% claim that their direct managers are OK with it and support it, and 16% claim their direct manager doesn’t care.
• 75% of those who use unapproved AI tools at work admit to sharing sensitive data with them.
• Executives and senior managers are most likely to use unapproved AI tools at work.

For more information, here’s the full report: https://cybernews.com/ai-news/59-of-employees-use-unapproved-ai-tools-at-work-most-of-them-also-share-sensitive-data-with-them/