All SonicWall Cloud Backup Customers Affected by Breach; Salesforce Won't Pay Ransom; Germany Opposes EU Chat Control Legislation

Following the completion of an investigation conducted collaboratively with Mandiant, SonicWall now says that a data breach disclosed last month affects all customers who use the company's cloud backup services to store firewall configuration files, which contain sensitive information. Initially, SonicWall said the September incident affected just five percent of the company's customers. In a write-up of the incident, SonicWall says that the compromised files “contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks." The document also offers affected users containment and mitigation guidance, including deleting existing cloud backups, changing account credentials, rotating shared secrets and passwords, and recreating new backup files locally.

Salesforce does not intend to pay a ransom demanded by cyberthreat actors who claim to have stolen 1 billion records from Salesforce customers. The CRM company contacted their affected customers earlier this week, warning of "credible threat intelligence" that the data thieves plan to leak the stolen information. The threat actors said that they would not release the data if Salesforce paid the demanded ransom by Friday, October 10. A Salesforce representative has confirmed that the company "will not engage, negotiate with, or pay any extortion demand."

In a statement posted to social media, Germany's Federal Justice Minister Stefanie Hubig said that "Germany will not agree to" a European Union proposal that would allow private messages, even those sent over end-to-end encrypted messaging platforms, to be scanned. Hubig added that "random chat monitoring must be taboo in a constitutional state; Private communication must never be placed under general suspicion." Known as Chat Control, the proposal is mean to help law enforcement protect children from abuse. Signal Foundation President Meredith Whittaker said that the end-to-end encrypted messaging app will leave the EU market if Chat Control becomes law.

California's Governor has signed into law several bills that gives that state's residents more control over their own data. Specifically, one of the bills, AB 656, "requir[es] social media companies to make canceling an account straightforward and clear – and ensur[es] that cancellation triggers full deletion of the user’s personal data." Another bill, AB 566, "requires browsers to give users the ability to opt out of the sale of their personal data across the web with one click instead of requiring Californians to exercise this right with each individual website they visit." A third bill, SB 361, "strengthens the Data Broker Registration Law by providing consumers with more information about the personal information collected by data brokers and who may have access to consumers’ data."

Washington, DC-based law firm Williams & Connolly has disclosed a "cybersecurity incident" in which threat actors breached some systems and accessed attorneys' email accounts. The firm is known to represent high-profile clients, including politicians, tech companies, and financial institutions. A statement from Williams & Connolly reads, in part, "Based on the Firm’s investigation, conducted in conjunction with cyber experts at CrowdStrike, the threat actor is believed to be affiliated with a nation-state actor responsible for recent attacks on a number of law firms and companies." While Williams & Connolly did not name a particular nation-state, some news outlets have suggested that Chinese threat actors are responsible for those attacks. In a September 24 blog, Mandiant Incident Response and Google Threat Intelligence Group (GTIG) reported that they were "tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States," including legal services, and "attribute this activity to UNC5221 and closely related, suspected China-nexus threat clusters that employ sophisticated capabilities."

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a stored cross-site scripting vulnerability in Zimbra Collaboration Suite (ZCS) to the Known Exploited Vulnerabilities (KEV) catalog. The flaw "exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files." The vulnerability was exploited earlier this year in cyberattacks targeting Brazil's military. Zimbra addressed the vulnerability in updates released in January 2025. Researchers at StrikeReady recently published a blog detailing the vulnerability and the attack, which "leveraged a malicious .ICS file, a popular calendar format." US Federal Civilian Executive Branch (FCEB) agencies have until October 28 to mitigate the vulnerability.

Researchers at Microsoft Threat Intelligence are investigating "payroll pirate" attacks that have been targeting employee profiles on "third-party human resources (HR) software as a service (SaaS)" to redirect salary payments from legitimate accounts to accounts controlled by the attackers. Microsoft writes that "these attacks don’t represent any vulnerability in [a particular] platform or product, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts." Microsoft's blog includes an analysis of the campaign: how the attackers gained initial access to systems, evaded detection, and maintained persistence. It follows with mitigation and protection guidance.

On January 19, 2038, at eight seconds past 3:14 UTC, 2,147,483,648 seconds will have passed since the start of the Unix epoch (midnight UTC on January 1, 1970), and consequently any 32-bit signed integer variable storing this number will overflow in computer systems that measure Unix time. This overflow will create a value interpreted as a negative number representing December 13, 1901, and may cause systems to crash. While this and the similar Network Time Protocol (NTP) rollover have been known for decades, researchers at the Epochalypse Project are warning that 32-bit timestamps are widespread in critical infrastructure systems. Legacy industrial control systems, internet of things devices, transportation and energy systems, medical equipment, financial systems, telecom infrastructure, certain vehicles, and many more systems are vulnerable to possible "cascading" failures well before the deadline if manipulated by a threat actor through "GPS spoofing, NTP injection, file format field tampering, [or] protocol timestamp manipulation." The researchers note that many vulnerable systems may be difficult to interface with and update, despite the extent of integration and reliance on them. The project's website lists specific testing and remediation guidelines for the general public and for many roles in industry, government, and technology. Dover Fueling Solutions released a security update for ProGauge fuel tank gauge products in mid-September 2025 to fix a vulnerability that would allow an attacker to change the system time.

Google has announced the creation of a new dedicated program to incentivize the reporting of AI flaws in Google and Alphabet AI products: the AI Vulnerability Reward Program (AI VRP). Since 2023, AI issues had been integrated into the existing Abuse Vulnerability Reward Program, but following the success of this integration came the need for additional clarity on scope and rewards for reporting abuse risks and security issues, prompting the launch of a separate program. Google's AI VRP includes "issues where interaction with a Large Language Model (LLM) or other Generative AI (GenAI) system, such as a natural language interaction, is an integral part of the vulnerability or abuse issue," but similar issues in Vertex AI and Google Cloud fall under the Google Cloud Vulnerability Rewards Program instead. The program's scope excludes "prompt injections, jailbreaks, and alignment issues," though the company still encourages users to report these "content-related issues" through "in-product feedback, and not through the VRP." The updated program rules offer specific lists of qualifying and non-qualifying vulnerabilities and report types. Rewards ascend by severity of the vulnerability and by "product tier" within Google: "Flagship" products such as Google search, Gemini Apps, and core Google Workspace applications; "Standard" products such as Google AI Studio, Jules, and non-core Workspace applications; and "Other" products such as lower-tier integrations and third-party applications. The largest base reward is US$20,000 — for reporting "Rogue Actions" in a Flagship product — and possible bonuses for novelty and report quality can raise the amount to US$30,000.

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), BK Technologies Corporation disclosed that it "detected potentially suspicious activity involving its information technology ("IT") systems" in mid-September 2025. The incident resulted in minor disruption to "a limited number of non-critical systems." The company also disclosed "an unauthorized third-party may have obtained access to and acquired non-public information within the Company’s custody and control, which potentially includes records pertaining to current and former employees," but did not provide details about how many individuals were affected. BK Technologies manufactures handheld and vehicle radios used by US police, fire, and military organizations.