Cryptocurrency Stolen in Zoom Social Engineering Campaign; Cursor AI Bot Hallucinates Company Policy; Scammers Claim to be FBI IC3

The Security Alliance (SEAL) has published a security advisory warning of a social engineering campaign targeting cryptocurrency users that has already led to significant thefts. The campaign hinges on luring a target to Zoom and abusing the remote control functionality to install infostealer or remote access Trojan (RAT) malware. The threat actor, dubbed "Elusive Comet," leverages a comprehensively-established online appearance and social media presence to build credibility as Aureon Capital, a supposed venture capital firm, and associated Aureon Press and "OnChain Podcast"; the attackers have also reportedly claimed to represent a "Bloomberg Crypto" interview. The threat actor invites the target through X direct messages or email to participate in a podcast via Zoom call, engineering a balance of normalcy and urgency in the scheduling process. The threat actor prompts the victim to present their work by sharing their screen once on the call, and then uses Zoom's remote control feature to request control of the victim's computer. "If the potential victim is not paying close attention, they may accidentally grant remote access, which allows ELUSIVE COMET to install their malware to the victim's device." SEAL provides indicators of compromise (IoCs) including known social media profiles, and urges users and organizations to disable Zoom's remote control request functionality, which is on by default.

The AI chatbot for AI-powered code editor Cursor appears to have invented a policy that upset some users enough to cancel their subscriptions with the service. Last week, a developer using Cursor noticed that switching between devices immediately logged those devices out. The developer contacted Cursor support by email and received a reply from an 'agent' named Sam saying that the logouts were 'expected behavior' under a new company policy. However, the agent was a bot, and Cursor has no such policy. Cursor has apologized for the incident and says that 'any AI responses used for email support are now clearly labeled as such.' This is not the first time AI has hallucinated a policy. In 2024, A Canadian tribunal rejected Air Canada's argument that 'the chatbot is a separate legal entity that is responsible for its own actions' and ordered Air Canada to abide by a refund policy the company's AI chatbot had invented.

The FBI has published a public service announcement warning of scammers pretending to be FBI Internet Crime Complaint Center (IC3) employees. "Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams." The scammers have reached out to victims, who have already lost money to scammers, in a variety of ways: phone calls, email, social media, or online forums. They then claim "to have recovered the victim's lost funds or offered to assist in recovering funds," but instead gain access to the victims' account information and steal from them again.

Japan's Financial Services Agency (FSA) has published a warning regarding "a sharp increase in the number of cases of unauthorized access and unauthorized trading (trading by third parties) on Internet trading services using stolen customer information (login IDs, passwords, etc.) from fake websites (phishing sites) disguised as websites of real securities companies." Between February 1 and April 16 of this year, FSA recorded reports of 3,312 unauthorized accesses of securities firms resulting in 1,454 fraudulent transactions. In all, a dozen securities companies reported fraudulent transactions totaling $350 million in sales and $315 million in purchases.

ASUS has released firmware updates to address a critical authentication bypass flaw affecting routers with the AiCloud remote access feature enabled. The "vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions." ASUS has released firmware updates for 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 series. ASUS advises users who are unable to update right away to disable services that can be accessed from the internet.

Cisco has published a security advisory disclosing a vulnerability in the Webex video/audio conferencing app on all operating systems, affecting version 44.6 (fixed release 44.6.2.30589) and 44.7 (fixed release 44.8 and later); 44.5 and earlier is not vulnerable. CVE-2025-20236, CVSS score 8.8, is an insufficient input validation flaw in the custom URL parser allowing an unauthenticated remote attacker to execute arbitrary commands with the targeted user's privileges by persuading that user to click a crafted a meeting invite link and download arbitrary files. Users must update to a fixed version, as there are no workarounds. At the same time, Cisco also released updates to address two medium severity vulnerabilities: one in the web-based management interface of Cisco Secure Network Analytics, and a second in Cisco Nexus Dashboard.

Draft bill SB 868, "Social Media Use by Minors," has passed committee votes and will soon reach the Florida State Senate floor, amending existing law to include an obligation by social media platforms "to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena," as well as opening minor account holders' messages to their parents and guardians, and prohibiting minors' use of and access to disappearing message features. The Electronic Frontier Foundation urges senators to reject the bill, stating in concert with other advocates that by weakening encrypted privacy these changes further endanger those the bill aims to protect. This bill follows similar legislative initiatives in the UK and EU to break end-to-end-encrypted communication on behalf of law enforcement.

Police in Oklahoma City have arrested Jeffrey Bowie, charging him with two counts of violating Oklahoma's Computer Crimes Act. Bowie, who is the CEO of a cybersecurity firm in Oklahoma, allegedly deliberately placed malware on a computer at SSM Health's St. Anthony Hospital in August 2024. While Bowie maintained he needed to use the computer while a family member was undergoing surgery at the hospital, security camera footage revealed that he attempted to enter several offices in the hospital and used two computers, one of which was for employees only. A forensic investigation revealed "malware [on one of the computers that] was programmed to take screenshots every 20 seconds and transmit the images to an external IP address."

The US Department of Health and Human Services' Office for Civil Rights has reached a settlement with Guam Memorial Hospital Authority (GMHA) over a 2018 ransomware incident that affected personal information of 5,000 people and a subsequent discovery that in March 2023, former employees accessed the hospitals network after they were no longer employed there. GMHA will pay a fine of $25,000. Molecular Testing Labs (MTL) in Vancouver, Washington, is suing managed service provider and business associate Ntirety for failing to abide by the business associate agreement, including failure to implement HIPAA safeguards. MGTL learned in mid-March that patient data had been compromised through a cyberattack against Ntirety. Fairview Health Services in Minnesota has filed a class action lawsuit against Change Healthcare over the latter's ransomware 2024 attack. The lawsuit seeks to recover $7 million in losses, much of which was incurred as a result of having been unable to bill for anesthesia services.

Microsoft's most recent Secure Future Initiative (SFI) Progress Report details steps the company has taken toward "improv[ing] the security posture of Microsoft, [their] customers, and the industry at large." Of the 28 objectives identified at SFIÕs outset nearly a year and a half ago, five are nearly complete and significant progress has been made on 11 more. The accomplishments recognized in the report include the launch of a Secure by Design Toolkit for Microsoft developers that has been deployed to 22,000 employees; phishing-resistant multi-factor authentication is being used on 92 percent of employee productivity accounts and 100 percent of production system accounts; and "90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated using one standard identity SDK."