Multistage prompt-injection attack against Copilot

In this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, joined by a special guest. BBC World Cyber Correspondent Joe Tidy is a long time listener and he pops in for a ride-along in the news segment plus a chat about his new book.

This week news includes:

• Did the US cyber Venezuela’s power grid, or do they just want us to think they coulda?
• US govt might boycott the RSAC Conference ‘cause Jen Easterly being CEO makes them mad
• MS Patch Tuesday fixes CVSS5.5 bug and … stops you shutting down
• Wiz pulls off cloud stunt hack that ends with control of everyone’s AWS console
• Millions of Bluetooth devices that use Google’s Fast Pairing will pair with anyone, any time
• GNU inet-tools’ telnetd parties like it’s 2007, and brings -f root unauthed remote login back

Thinkst is this week’s sponsor, and long time friend of the show Haroon Meer joins. As always they’re polishing their Canary tokens - adding breadcrumbs to lead you to them - but they’re also a bunch of giant nerds who now run South Africa’s Computer Olympiad.

This episode is also available on Youtube.

Show notes

• Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities - The New York Times
• Why I’m withholding certainty that “precise” US cyber-op disrupted Venezuelan electricity - Ars Technica
• Layered Ambiguity: US Cyber Capabilities in the Raid to Extract Maduro from Venezuela | Royal United Services Institute
• Former CISA Director Jen Easterly Will Lead RSAC Conference | WIRED
• Trump officials consider skipping premier cyber conference after Biden-era cyber leader named CEO - Nextgov/FCW
• Federal agencies ordered to patch Microsoft Desktop Windows Manager bug | The Record from Recorded Future News
• Windows 11 shutdown bug forces Microsoft into damage control • The Register
• CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig | Wiz Blog
• Critical flaw in AWS Console risked compromise of build environment | Cybersecurity Dive
• Never-before-seen Linux malware is “far more advanced than typical” - Ars Technica
• VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun - Check Point Research
• Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking | WIRED
• Critical flaw in Fortinet FortiSIEM targeted in exploitation threat | Cybersecurity Dive
• CVE-2025-64155: 3 Years of Remotely Rooting the FortiSIEM
• A single click mounted a covert, multistage attack against Copilot - Ars Technica
• Police raid homes of alleged Black Basta hackers, hunt suspected Russian ringleader | The Record from Recorded Future News
• Jordanian initial access broker pleads guilty to helping target 50 companies | The Record from Recorded Future News
• Supreme Court hacker posted stolen government data on Instagram | TechCrunch
• oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• How crypto criminals stole $700 million from people - often using age-old tricks
• Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet