Infosec in Brief The Apache Foundation last week warned of a 10.0-rated flaw in its Tika toolkit.
Tika detects and extracts metadata from over 1,000 different file formats. Last August, Apache reported CVE-2025-54988, an 8.4 rated flaw that it warned allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF.
Apache fixed that flaw but last Friday announced a related, and worse, problem known as CVE-2025-66516.
As Apache explained, the entry point for CVE-2025-54988 was Tika’s tika-parser-pdf-module, but the vulnerability and its fix were in another piece of code called tika-core. “Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable,” the organization advised.
The org’s new advisory also admits that its original report “failed to mention that in the 1.x Tika releases, the PDFParser was in the org.apache.tika:tika-parsers module.”
Tika’s developers have tidied things up in recent releases, and now users get to revisit this mess too. – Simon Sharwood
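The advisory's point is a dependency-level one: a build can carry a patched tika-parser-pdf-module alongside an unpatched tika-core, and in 1.x the PDF parser sits in tika-parsers instead. The following script is an added example (not Apache's tooling) that parses a dependency listing in the shape of `mvn dependency:list` output and flags those two situations; the listing it scans is constructed for the example, and the 1.x finding only points at the module the advisory names, since the page gives no fixed 1.x version.

```python
"""Flag the Tika module mismatch described in the CVE-2025-66516 advisory.

Added example, not Apache project code. It reads a Maven-style dependency
listing (group:artifact:packaging:version[:scope]) and reports:
  * tika-core below 3.2.2 (the fix version the advisory states);
  * a tika-parser-pdf-module at/after 3.2.2 paired with an older tika-core;
  * a 1.x tika-parsers module, where the advisory says PDFParser lived.
"""
import re

# Constructed sample in the shape of `mvn dependency:list` output; not real output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""

DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?")
TIKA_CORE_FIXED = (3, 2, 2)  # from the advisory: tika-core >= 3.2.2


def version_tuple(version):
    """Turn '3.2.2' or '3.2.2-SNAPSHOT' into (3, 2, 2) for ordered comparison."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def parse_tika_versions(listing):
    """Return {artifact: version} for every org.apache.tika artifact in the listing."""
    found = {}
    for line in listing.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == "org.apache.tika":
            found[m.group(2)] = m.group(3)
    return found


def check_tika(listing):
    """Return a list of finding strings; an empty list means nothing to report."""
    deps = parse_tika_versions(listing)
    findings = []

    core = deps.get("tika-core")
    if core is not None and version_tuple(core) < TIKA_CORE_FIXED:
        findings.append(f"tika-core {core} is below 3.2.2 (CVE-2025-66516)")
        pdf = deps.get("tika-parser-pdf-module")
        if pdf is not None and version_tuple(pdf) >= TIKA_CORE_FIXED:
            # The exact case the advisory warns about: parser module upgraded, core not.
            findings.append(
                f"tika-parser-pdf-module {pdf} upgraded but tika-core {core} was not")

    parsers = deps.get("tika-parsers")
    if parsers is not None and version_tuple(parsers)[:1] == (1,):
        # 1.x layout: the advisory says PDFParser was in org.apache.tika:tika-parsers.
        findings.append(
            f"tika-parsers {parsers} is a 1.x release; PDFParser lives there, review the advisory")

    return findings


if __name__ == "__main__":
    for finding in check_tika(SAMPLE_DEPENDENCY_LIST) or ["no Tika findings"]:
        print(finding)
```

Feed it real output from `mvn dependency:list` (or any listing in that coordinate format) instead of the constructed sample; the check is on the resolved versions, which is what matters when only one module was bumped.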
New kind of ‘DDOS’ erupts from the Americas
France-based cloud OVH is adding 2-3Tbps of DDOS protection capacity weekly, to head off a rising tide of attacks from across the Atlantic.
“Since Sep’25, we have seen new kind of DDoS coming from US and South America (Brazil, Chile, Argentina, Mexico, Colombia),” OVH CEO Octave Klaba reported last week. “The size is around 15-16Tbps coming through Miami, FL Dallas, TX and Los Angeles, CA.”
OVH is adding the extra DDOS protection capacity to deal with the threat. Klaba said OVH aims to deploy 100Tbps of DDOS-deflectors, ASAP, to defend its operations.
– Simon Sharwood
Cyber Deterrence and Response Act resurfaces
Not content to wait for the White House to develop a plan to deter America’s enemies from attacking US critical infrastructure, one Republican representative has introduced his own bill to establish a way to fight off foreign hackers.
Rep. August Pfluger (R-TX) last week introduced The Cyber Deterrence and Response Act, which proposes to grant the National Cyber Director formal authority to identify and sanction threat actors.
The bill would do this by establishing "the first government-wide process for cyber attribution," according to Pfluger’s office. The process would include defining evidentiary standards and verification methods. A press release describing the bill explains that the method would align various agencies under a single set of rules to help ensure accurate attribution. The bill also includes provisions to allow contributions from private companies. It also mandates threat sharing with international allies.
"We must ensure the Trump administration and all future administrations have a strong framework to hold bad actors accountable and safeguard our national security," Pfluger said. "Protecting America’s critical infrastructure from malicious cyberattacks is essential, and this bill does exactly that."
This isn’t the first time US lawmakers have proposed an identically-named bill with similar objectives – attempts to pass similar bills took place in 2018, 2019, and 2022. All stalled in committee.
It’s also worth pointing out that National Cyber Director Sean Cairncross is working on his own measures to help the federal government identify and deter foreign hackers, as we reported last month, and Cairncross’ objectives seem to go even further, suggesting the US might start hacking back.
NIST wants YOU to secure your IoT devices
Manage a lot of IoT tech? Then listen up: the National Institute of Standards and Technology’s Cybersecurity Center of Excellence has just published three new IoT onboarding publications to help secure that sensitive kit.
Internet of Things devices are a security nightmare, often built without regard for their potential to be an ingress point for attacks, and NIST thinks its trio of new publications can help prevent such problems.
The first document covers secure provisioning of IoT devices on their own network layer with unique local credentials, the second looks at why device network layer onboarding is important and why you should do it, and the third goes through device network layer onboarding processes themselves and addresses IoT device lifecycle management.
Predator spyware maker still going strong
Intellexa, makers of the Predator commercial spyware used to target people around the globe, have been sanctioned by the United States and forced out of Europe, but that’s not really slowing the firm down, says Google.
A report from the Chocolate Factory’s Threat Intelligence Group published last week concluded that Intellexa has "adapted, evaded restrictions, and continues selling digital weapons to the highest bidders."
Predator functions similarly to Pegasus spyware. Users are often nation-states and install the software on targets’ devices. It’s dangerous, too: Of the 70 zero-day vulnerabilities discovered by Google threat hunters since 2021, Intellexa is responsible for 15 unique ones.
Intellexa’s operations aren’t completely airtight. Some of its secrets were leaked to Amnesty International, which recently published a profile of the company based on documents it acquired and verified.
Regardless of whether there’s a mole among Predator’s people, Amnesty, like Google, says the spyware and its maker "poses an ongoing threat to civil society" and sanctions haven’t been effective.
DoJ takes down another crypto fraud website
Bad actors continue to build platforms that mimic legitimate trading sites and sucker folks into handing over their digicash, and the DoJ busted another one last week.
The Justice Department’s Scam Center Task Force seized Tickmilleas.com, which sports a name similar to the legitimate Tickmill asset trading website. Tickmill is not available in the US, and the scam site apparently used the name as bait to draw victims.
Believed to be affiliated with Chinese organized criminal gangs and Burma-based scam centers, Tickmilleas.com functioned similarly to other so-called pig-butchering scams in which fraudsters trick victims into investing in fake cryptocurrency trading platforms. Promises of big returns and fake account balances trick users into depositing cash on the platform, which the scammers walk off with, leaving victims with little to no recourse.
In this case, Tickmilleas.com also published fraudulent apps on Google Play and Apple’s App Store, which have been removed, the DoJ says.
The seizure comes less than three weeks after the DoJ stood up the Scam Center Task Force, which continues to go after scam centers that are proliferating in Asia and elsewhere in the world. ®