Robert Grupe's AppSecNewsBits 2025-10-04

This Week’s Highlights:

Epic Fails

1. Japanese beer giant Asahi confirms ransomware attack

2. Allianz Life, WestJet, and Motility Software Solutions: 3.7M breach notification letters set to flood North America's mailboxes

3. 'Delightful' root-access bug in Red Hat OpenShift AI allows full cluster takeover

4. Cybercrims claim raid on 28,000 Red Hat repos, say they have sensitive customer files

5. One line of malicious npm code led to massive Postmark email heist

6. Hackers steal identifiable Discord user data in third-party breach

7. ShinyHunters launches Salesforce data leak site to extort 39 victims

8. A breach every month raises doubts about South Korea’s digital defenses

9. Datacenter fire takes 647 South Korean government services offline

10. Microsoft hides key data flow information in plain sight

11. FCC mistakenly leaks confidential iPhone 16e schematics

12. CISA: Government flying partially blind to threats after key cyber law expires

13. Intel and AMD trusted enclaves, a foundation for network security, fall to physical attacks

14. Tile trackers are a stalker's dream, say Georgia Tech researchers

Hacking

1. Thwarted plot to cripple cell service in NY was bigger than first thought

2. That annoying SMS phish you just got may have come from a box like this

3. Oracle tells Clop-targeted EBS users to apply July patch, problem solved

4. Subpoena tracking platform blames outage on AWS social engineering attack

5. Fake North Korean IT workers sneaking into healthcare, finance, and AI

Security & Dev

1. Forget lengthy and complex passwords, NIST says

2. OpenSSL 3.6.0: New features, crypto support

3. HackerOne paid $81 million in bug bounties over the past year

4. The Software Essays that Shaped Me

Vendors & Platforms

1. The cloud reset is a financial reckoning in disguise

2. Harvard researchers hail quantum computing breakthrough with machine that can run for two hours
[rG: So why worry about quantum-resistant cryptography now? So that data backups and systems will be ready once adversarial nation-states are able to acquire sufficient capabilities to disrupt enterprise operations, as we have experienced with ransomware and denial-of-service attacks so far.]

3. Google confirms Android dev verification will have free and paid tiers, no public list of devs

4. Windows 11 2025 Update (25H2) is now available

5. IBM killing mainframe coding kit for PCs this year

6. Ladybird Browser Gains Cloudflare Support to Challenge the Status Quo

7. Microsoft Outlook stops displaying inline SVG images used in attacks

Legal

1. Jaguar Land Rover gets £1.5B government jump-start after cyber breakdown
[rG: “Too big to fail” only rewards those who underfund cybersecurity and ignore the need to ensure resilient operations.]

2. Dutch teen duo arrested over alleged 'Wi-Fi sniffing' for Russia

 

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Japanese beer giant Asahi confirms ransomware attack
The vast majority of Asahi Group’s 30 factories in Japan have not operated since a September 29 cyber attack led to the deployment of ransomware on its network and subsequent investigation has found evidence of data theft from compromised devices.
The Tokyo-based beverage holding company is the largest beer brewer in Japan, employing 30,000 people and producing 100 million hectoliters of beverages. The company also owns the Peroni, Pilsner Urquell, Grolsch, and Fullers brands, and it reported an annual revenue of nearly $20 billion in 2024.

 

 

'Delightful' root-access bug in Red Hat OpenShift AI allows full cluster takeover
A 9.9 out of 10 severity bug in Red Hat's OpenShift AI service could allow a remote attacker with minimal authentication to steal data, disrupt services, and fully hijack the platform.

OpenShift AI is an open platform for building and managing AI applications across hybrid cloud environments. It includes a ClusterRole named "kueue-batch-user-role." The security issue here exists because this role is incorrectly bound to the system:authenticated group.

This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.
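The root cause above is a ClusterRoleBinding whose subject is the catch-all `system:authenticated` group. The audit below, an added example for this newsletter rather than Red Hat's own tooling, scans ClusterRoleBinding JSON (the shape `kubectl get clusterrolebindings -o json` returns) and reports any ClusterRole handed to a built-in catch-all group; the sample objects are constructed, the binding names are hypothetical, and only the ClusterRole name "kueue-batch-user-role" comes from the advisory.

```python
"""Audit Kubernetes ClusterRoleBindings for roles granted to every authenticated
principal, the misconfiguration described in the OpenShift AI advisory.

Added example for this newsletter; not Red Hat's code. The sample data mimics
`kubectl get clusterrolebindings -o json` and is constructed, not a real cluster dump.
"""
import json

# Built-in groups that every caller (or every logged-in caller) belongs to.
# Binding a privileged ClusterRole to any of them grants it cluster-wide.
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("Group", "system:serviceaccounts"),
}

# Bindings Kubernetes itself installs for every authenticated user; skipping
# them keeps the report focused on additions rather than platform defaults.
DEFAULT_BROAD_BINDINGS = {"system:discovery", "system:basic-user", "system:public-info-viewer"}

# Constructed sample. The first binding has the advisory's shape (ClusterRole name
# from the advisory, binding name hypothetical); the second is the corrected form
# that scopes the same role to one named group; the third is a platform default.
SAMPLE_CRBS = json.dumps({
    "items": [
        {
            "metadata": {"name": "kueue-batch-user-rolebinding"},
            "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {
            "metadata": {"name": "kueue-batch-user-rolebinding-fixed"},
            "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
            "subjects": [{"kind": "Group", "name": "ml-batch-users"}],
        },
        {
            "metadata": {"name": "system:discovery"},
            "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
    ]
})


def find_broad_bindings(crb_json: str, ignore_defaults: bool = True) -> list:
    """Return one finding per (binding, subject) pair that grants a ClusterRole
    to a built-in catch-all group."""
    findings = []
    for item in json.loads(crb_json).get("items", []):
        name = item["metadata"]["name"]
        if ignore_defaults and name in DEFAULT_BROAD_BINDINGS:
            continue
        role = item.get("roleRef", {})
        # "subjects" may be absent or null on a binding with no subjects yet.
        for subj in item.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) in BROAD_SUBJECTS:
                findings.append({
                    "binding": name,
                    "role": f'{role.get("kind")}/{role.get("name")}',
                    "subject": subj["name"],
                })
    return findings


def main() -> None:
    # Against a live cluster, pipe `kubectl get clusterrolebindings -o json`
    # into find_broad_bindings instead of SAMPLE_CRBS.
    for f in find_broad_bindings(SAMPLE_CRBS):
        print(f'{f["binding"]}: {f["role"]} granted to {f["subject"]}')


if __name__ == "__main__":
    main()
```

The same check applies to namespaced RoleBindings, where a catch-all subject is just as dangerous within that namespace.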

 

Cybercrims claim raid on 28,000 Red Hat repos, say they have sensitive customer files
A hacking crew claims to have broken into Red Hat's private GitHub repositories, exfiltrating some 570GB of compressed data, including sensitive documents belonging to customers. Alongside the documents, the group also asserts it found authentication tokens inside repos and reports, and says it has already used these to compromise downstream Red Hat customers.

 

One line of malicious npm code led to massive Postmark email heist
“A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC'd emails to an external server."

The malicious package was downloaded about 1,500 times in a week, integrated into hundreds of developer workflows, and likely stole thousands of emails every day before the developer removed the malicious package.

Postmark boasts "thousands" of customers, including Ikea, Asana, Minecraft, and 1Password, on its website. However, the company stated it knows of only one Postmark customer that actually used the affected package, and that its own systems were not breached and remain secure.

Postmark's MCP server allows businesses' AI assistants to send and manage emails.

The postmark-mcp backdoor isn't just about one malicious developer; it's a warning shot about the MCP ecosystem itself. MCP is an open protocol that allows AI systems to connect to external tools and data sources. Researchers have repeatedly shown since its rollout last year that it's also a veritable landmine of security threats.

"We're handing god-mode permissions to tools built by people we don't know, can't verify, and have no reason to trust. These aren't just npm packages - they're direct pipelines into our most sensitive operations, automated by AI assistants that will use them thousands of times without question."

 

Hackers steal identifiable Discord user data in third-party breach
The Scattered Lapsus$ Hunters (SLH) threat group claimed the attack saying that they breached a Zendesk instance used by Discord for customer support.

An image the hackers posted online shows a Kolide access control list for Discord employees with access to the admin console. Kolide is a device trust solution that connects to Okta cloud-based Identity and Access Management (IAM) service for multi-factor authentication.

 

ShinyHunters launches Salesforce data leak site to extort 39 victims
In these attacks, the threat actors tricked employees into linking a malicious OAuth app to their company's Salesforce instance. While a particular Salesforce instance may have been targeted, it also contained data for many of the subsidiaries, making the attacks more impactful. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters."

The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA. Scattered Lapsus$ Hunters have been targeting Salesforce customers with voice phishing attacks since the beginning of the year, leading to breaches that have impacted companies such as Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance, and Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).

 

A breach every month raises doubts about South Korea’s digital defenses
South Korea is world-famous for its blazing-fast internet, near-universal broadband coverage, and as a leader in digital innovation, hosting global tech brands like Hyundai, LG, and Samsung. But this very success has made the country a prime target for hackers and exposed how fragile its cybersecurity defenses remain. 

The country is reeling from a string of high-profile hacks, affecting credit card companies, telecoms, tech startups, and government agencies, impacting vast swathes of the South Korean population. In each case, ministries and regulators appeared to scramble in parallel, sometimes deferring to one another rather than moving in unison.

 

Datacenter fire takes 647 South Korean government services offline
As is often the case with battery fires, firefighters struggled to control the blaze, which reached 234 batteries.

 

Microsoft hides key data flow information in plain sight
Microsoft’s own documentation confirms that data hosted in its hyperscale cloud architecture routinely traverses the globe: policing data held in that infrastructure could be processed in more than 100 countries. Yet the tech giant is actively obfuscating this vital information from its UK law enforcement customers.

Microsoft refused to hand over crucial information about its international data flows to the SPA and Police Scotland when asked.

The tech giant also refused to disclose its own risk assessments into the transfer of UK policing data to other jurisdictions, including China and others deemed “hostile” in the DPIA documents. This means Police Scotland and the SPA – which are jointly rolling out Office 365 – are unable to satisfy the law enforcement-specific data protection rules laid out in Part Three of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK.

The same documents also contain an admission from Microsoft – given while simultaneously refusing to divulge key information about data flows – that it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.

This echoes the statements senior Microsoft representatives made to the French senate in June 2025, in which they admitted the company cannot guarantee the sovereignty of European data stored and processed in its services generally.

So far, policing and other public organisations have not been asking for key information about data flows because “nobody wants to open this Pandora’s Box. Nobody gets rewarded for taking a risk and asking these questions.”

 

FCC mistakenly leaks confidential iPhone 16e schematics
As well as hardware, companies often have to supply documentation to regulators as part of certification processes. This tends to include commercially sensitive information that companies don't want to release to public scrutiny.

Apple and others therefore make requests to regulators to keep the highly confidential documents away from public view.

The most likely reason for its release is an incorrect setting in the FCC database that permitted the accidental publication. It is more likely to be an accident than an intentional FCC act against Apple.

 

CISA: Government flying partially blind to threats after key cyber law expires
Without CISA 2015’s protections, key data might not get passed along. These protections include exemptions for private companies from federal antitrust laws and disclosure laws such as the Freedom of Information Act.

Data shared under CISA 2015 provides an essential tool for the federal government to understand how hackers are plotting attacks against the nation’s networks, which have been relentlessly targeted by Chinese, Russian, North Korean and Iranian operatives in recent years.

One such Chinese campaign, known as Volt Typhoon, was exposed in 2023 thanks in part to information from critical infrastructure and private sector cybersecurity groups. Without this open collaboration, understanding how Chinese hackers were able to burrow inside U.S. networks for years without detection — and better protecting networks from future attacks — would likely be far more challenging.

 

Intel and AMD trusted enclaves, a foundation for network security, fall to physical attacks
Researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.

They exploit both Intel’s and AMD’s use of deterministic encryption, which produces the same ciphertext each time the same plaintext is encrypted with a given key. In SGX and SEV-SNP, that means the same plaintext written to the same memory address always produces the same ciphertext.

Deterministic encryption is well-suited for certain uses, such as full disk encryption, where the data being protected never changes once the thing being protected (in this case, the drive) falls into an attacker’s hands. The same encryption is suboptimal for protecting data flowing between a CPU and a memory chip because adversaries can observe the ciphertext each time the plaintext changes, opening the system to replay attacks and other well-known exploit techniques. Probabilistic encryption, by contrast, resists such attacks because the same plaintext can encrypt to a wide range of ciphertexts that are randomly chosen during the encryption process.
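The property the two papers build on, modelled in Python as an added example for this newsletter (not code from the Battering RAM or Wiretap papers, and not a model of the real SGX or SEV-SNP engines). The "cipher" is a keyed PRF (HMAC-SHA256) used as a one-time keystream, and the key, addresses and values are constructed; it shows that deterministic encryption lets a bus observer see when the same value is rewritten and lets a recorded ciphertext be replayed, and that randomized encryption blinds the observer, while catching the replay additionally needs the CPU side to track freshness (modelled here as remembering the last nonce written per address).

```python
"""Deterministic vs. randomized memory encryption, modelled in Python.

Added example for this newsletter; not code from either paper or from Intel/AMD.
HMAC-SHA256 over (key, address, nonce) stands in for the engine's block cipher.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY = b"constructed-demo-memory-key"   # stands in for the per-boot engine key
BLOCK = 16                             # one 16-byte memory word
NONCE_LEN = 12


def _keystream(key: bytes, addr: int, nonce: bytes) -> bytes:
    """Keystream for one word, derived from (key, address, nonce)."""
    return hmac.new(key, addr.to_bytes(8, "big") + nonce, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicMemory:
    """Ciphertext is a function of (key, address, plaintext) only."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.dram = {}   # addr -> ciphertext, i.e. what a bus interposer sees

    def write(self, addr: int, plaintext: bytes) -> bytes:
        ct = _xor(plaintext, _keystream(self.key, addr, b""))
        self.dram[addr] = ct
        return ct

    def read(self, addr: int) -> bytes:
        return _xor(self.dram[addr], _keystream(self.key, addr, b""))


class RandomizedMemory:
    """A fresh random nonce per write is stored next to the ciphertext. The CPU
    side also remembers the nonce it last wrote to each address, a simplified
    stand-in for the on-die freshness counters a real engine would keep."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.dram = {}
        self.expected_nonce = {}

    def write(self, addr: int, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = nonce + _xor(plaintext, _keystream(self.key, addr, nonce))
        self.dram[addr] = ct
        self.expected_nonce[addr] = nonce
        return ct

    def read(self, addr: int) -> Optional[bytes]:
        blob = self.dram[addr]
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        if nonce != self.expected_nonce[addr]:
            return None   # stale nonce: a replayed or moved ciphertext is rejected
        return _xor(ct, _keystream(self.key, addr, nonce))


def observer_sees_equal_ciphertext(mem, addr: int = 0x1000) -> bool:
    """Passive observer on the bus: does writing the same value twice to the
    same address look identical? True means plaintext equality leaks."""
    value = b"secret-key-word!"
    return mem.write(addr, value) == mem.write(addr, value)


def replay_old_value(mem, addr: int = 0x2000):
    """Active interposer: record the ciphertext of an old value, let the owner
    update the word, then put the recorded bytes back in DRAM. Returns what the
    CPU reads afterwards; None means the engine rejected the stale word."""
    old, new = b"balance=00000100", b"balance=00000000"
    captured = mem.write(addr, old)     # recorded bus transaction
    mem.write(addr, new)                # legitimate update
    mem.dram[addr] = captured           # DRAM rewritten with the old bytes
    return mem.read(addr)


if __name__ == "__main__":
    print("deterministic: equal ciphertext?", observer_sees_equal_ciphertext(DeterministicMemory()))
    print("randomized:    equal ciphertext?", observer_sees_equal_ciphertext(RandomizedMemory()))
    print("deterministic: replay reads", replay_old_value(DeterministicMemory()))
    print("randomized:    replay reads", replay_old_value(RandomizedMemory()))
```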

 

Tile trackers are a stalker's dream, say Georgia Tech researchers
Life360's Tile servers continually collect tag locations, MAC addresses, and unique ID codes without end-to-end encryption, while the tags themselves broadcast unencrypted Bluetooth signals that can be sniffed to track someone else's device.

The Georgia Tech research team first reported their findings to Life360 in November of last year by reaching out to the company's CEO, Chris Hulls, and its support team because there was no official vulnerability disclosure channel available. Tile acknowledged the vulnerabilities and engaged in dialogue until February 4, 2025, after which communications ceased. The company was given an opportunity to reopen channels, the team said, but it doesn't appear to have ever done so.

 

What’s Weak This Week:

  • CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability:
    Contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices. Related CWEs: CWE-306 | CWE-77

  • CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability:
    Out-of-bounds write in libimagecodec[.]quram[.]so which allows remote attackers to execute arbitrary code. Related CWE: CWE-787

  • CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability:
    Could allow unauthorized remote administrative access to the device. Related CWE: CWE-287

  • CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability:
    Could allow attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.

  • CVE-2014-6278 GNU Bash OS Command Injection Vulnerability:
    Allows remote attackers to execute arbitrary commands via a crafted environment. Related CWE: CWE-78

  • CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability:
    Allows a remote attacker to obtain potentially sensitive information. Related CWE: CWE-918

  • CVE-2025-20352 Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability:
    Allows for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Related CWE: CWE-121

  • CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability:
    Allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. Related CWEs: CWE-502 | CWE-77

 

HACKING

Thwarted plot to cripple cell service in NY was bigger than first thought
Agents from Homeland Security Investigations found an additional 200,000 SIM cards at a location in New Jersey, law enforcement sources told ABC News.  That's double the 100,000 SIM cards, along with hundreds of servers, that were recently seized at five other vacant offices and apartments in and around the city.

 

That annoying SMS phish you just got may have come from a box like this
Given the prevalence and massive volume of smishing messages, people often wonder how scammers manage to send billions of messages per month without getting caught or shut down. Sekoia’s investigation suggests that in many cases, the resources come from small, often-overlooked boxes tucked away in janitorial closets in industrial settings.

The routers, manufactured by China-based Milesight IoT Co., Ltd., are rugged Internet of Things devices that use cellular networks to connect traffic lights, electric power meters, and other sorts of remote industrial devices to central hubs. They come equipped with SIM cards that work with 3G/4G/5G cellular networks and can be controlled by text message, Python scripts, and web interfaces.

Researchers identified more than 18,000 such routers accessible on the Internet, with at least 572 of them allowing free access to programming interfaces to anyone who took the time to look for them. The vast majority of the routers were running firmware versions that were more than three years out of date and had known vulnerabilities. The researchers sent requests to the unauthenticated APIs that returned the contents of the routers’ SMS inboxes and outboxes.

 

Oracle tells Clop-targeted EBS users to apply July patch, problem solved
Some E-Business Suite (EBS) users have been targeted by cybercriminals claiming to have siphoned off sensitive data.

Attackers are waving around screenshots and file trees as proof of their handiwork, while slapping price tags as high as $50 million on their demands.

Rob Duhart, CSO of Oracle Security, said the firm "has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update," before repeating its standard advice to apply the latest fixes.

 

Subpoena tracking platform blames outage on AWS social engineering attack
A software platform used by law enforcement agencies and major tech companies to manage subpoenas and data requests went dark this week after attackers socially engineered AWS into freezing its domain.

Cyber sleuths identified that attackers attempted to transfer the domain to a different registrar. "While threat actors claimed responsibility for the disruption, ownership was never transferred; it was the registrar who improperly froze our domain as a result of the fraudulent legal order."

 

Fake North Korean IT workers sneaking into healthcare, finance, and AI
48% of companies targeted by the scam fall outside the IT sector, and fraudsters are increasingly applying for remote jobs in finance, healthcare, public administration and professional services. The scam has also expanded into other countries, with about 27% being outside of the US.

The roles targeted have expanded beyond software development to include back-office and financial processing roles in areas like payroll and accounting. This shift indicates an understanding on the part of the DPRK that there are other types of tasks, beyond software engineering, that provide similar opportunities: a targeted entity must be prepared to hire remotely, and a DPRK knowledge worker must be able to demonstrate some level of competency to perform it.

 

APPSEC, DEVSECOPS, DEV

Forget lengthy and complex passwords, NIST says
New NIST SP 800-63B password guidelines no longer require mandatory password changes. Passwords should be changed only when they are compromised, for example after a data breach.

Composition requirements, such as mandating one or more digits, uppercase letters, and symbols, are less effective, while their impact on usability and memorability is severe. Enforcing regular password changes makes this even worse.

Other mitigations, including blocklists, secure hashed storage, machine-generated random passwords, and rate limiting, are more effective at preventing modern brute-force attacks. Multi-factor authentication (MFA) and password managers can be added as additional precautions.

 

OpenSSL 3.6.0: New features, crypto support
For developers and security professionals, the headline items are the LMS signature verification support and FIPS 186-5 deterministic ECDSA, both of which align OpenSSL with evolving NIST standards. Developers should also check build toolchains for C99 compliance and note the removal of VxWorks support.

 

HackerOne paid $81 million in bug bounties over the past year
HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to many organizations.

The average yearly payout across all active programs is approximately $42,000.

Security issues such as XSS (cross-site scripting) and SQLi (SQL injection) are in decline, while authorization flaws, including improper access control and IDOR (insecure direct object reference), are experiencing a significant increase in reports.

The number of AI vulnerabilities has increased by more than 200%, with prompt injection vulnerabilities surging by a staggering 540%, confirming them as the quickest-growing threat in AI security.

In total, 1,121 bug bounty programs on HackerOne included AI in scope in 2025, a 270% increase YoY, with autonomous AI-powered agents submitting 560+ valid reports.

A new generation of 'bionic hackers'—security researchers using AI to enhance their hunting abilities—are driving the discovery of security issues at unprecedented scale. 70% of over 1,820 researchers surveyed over the last year have used AI tools in their workflow "to enhance their hunting abilities."

 

 

VENDORS & PLATFORMS

The cloud reset is a financial reckoning in disguise
Public cloud providers built their business models on a simple promise: pay only for what you use, when you use it. For many applications, this model delivers genuine value. Startups can launch global services without massive upfront infrastructure investments. Seasonal businesses and applications with unpredictable usage can scale computing resources to match demand patterns.

But the use of public cloud in large enterprises has proven to be more complex. Many business applications require consistent, predictable resources rather than elastic scaling. For these steady-state workloads, the cloud's pay-as-you-go pricing often costs more than traditional infrastructure ownership.

94% of enterprises believe some of their public cloud spend is wasted, and nearly 50% think that more than a quarter of it is. If any other line item on a company's balance sheet carried this kind of uncertainty, auditors would sound alarms.

Companies are reevaluating the real cost, control, and strategic fit of their cloud deployments.

1. Security
While hyperscalers boast massive security investments, they can't match the granular data governance, sovereignty, and compliance control private infrastructure allows, especially when dealing with regulated industries or confidential AI training data. 51 percent of repatriated workloads are security-sensitive, according to the same survey.

2. One-size-fits-all pricing model is under pressure.
What was once flexible is now unpredictable. Overprovisioning, unused and unmonitored resources, reserved instances, spot pricing, hundreds of consumption meters, shadow IT, and tiered services have created a minefield of complexity.

3. Modern private cloud platforms
Today's IT teams are building internal platforms with the same developer experience as hyperscalers, minus the vendor lock-in and cost overhang, and with better security controls.

 

Harvard researchers hail quantum computing breakthrough with machine that can run for two hours
A group of physicists from Harvard and MIT just built a quantum computer that ran continuously for more than two hours. Although it doesn’t sound like much versus regular computers (like servers that run 24/7 for months, if not years), this is a huge breakthrough in quantum computing.

The main difference between “regular” and quantum computing is that the latter uses qubits, which are subatomic particles, to hold and process data. But unlike the former, which retain information even without power, quantum computers can lose these qubits in a process called “atom loss”. This results in information loss and eventually system failure.

The research team addressed this by developing the “optical lattice conveyor belt” and “optical tweezers” to replace qubits as they’re lost. This system has 3,000 qubits and allows them to inject 300,000 atoms per second into the quantum computer, overcoming the qubit loss.

Team members believe that this breakthrough will allow us to have quantum computers that can run forever in about three years. Before this, experts said that it was at least half a decade away, if not longer.

[rG: So why worry about quantum-resistant cryptography now? So that data backups and systems will be ready once adversarial nation-states are able to acquire sufficient capabilities to disrupt enterprise operations, as we have experienced with ransomware and denial-of-service attacks so far.]

 

Google confirms Android dev verification will have free and paid tiers, no public list of devs
Confirming app verification status will be the job of a new system component called the Android Developer Verifier, which will be rolled out to devices in the next major release of Android 16. Google explains that phones must ensure each app has a package name and signing keys that have been registered with Google at the time of installation. This process may break the popular FOSS storefront F-Droid.

It would be impossible for your phone to carry a database of all verified apps, so this process may require Internet access. Google plans to have a local cache of the most common sideloaded apps on devices, but for anything else, an Internet connection is required. Google suggests alternative app stores will be able to use a pre-auth token to bypass network calls, but it's still deciding how that will work.

The verification process will mirror the current Google Play registration fee of $25, which Google claims will go to cover administrative costs.

Google will let hobbyists and students sign up with only an email for a lesser tier of verification. This won't cost anything, but there will be an unclear limit on how many times these apps can be installed.

 

Windows 11 2025 Update (25H2) is now available
Microsoft noted that Windows 11 25H2 comes with better vulnerability detection. It also noted that Windows 11 25H2 enables "AI assisted secure coding," but Microsoft won't explain what it really means.

For enterprises, Windows 11 2025 Update brings Wi-Fi 7 and adds an optional feature that lets you remove select pre-installed Microsoft Store apps via Group Policy.

Windows 11 25H2 does not come with new features or exciting changes for consumers, but it removes PowerShell 2.0 and Windows Management Instrumentation command-line (WMIC).

 

IBM killing mainframe coding kit for PCs this year
Big Blue informed customers that it will cease marketing the System z Personal Development Tool (zPDT) as a standalone offering, effective from December 31 this year. Support for the product will be discontinued a year later, on December 31, 2026.

The intended replacement for zPDT is IBM's hosted on-demand program for independent software vendors (ISVs), which is set to provide them with on-demand IBM z/OS environments, dynamically provisioned through "near-seamless" automation for test and development purposes. The planned availability date for this particular offering is October 31, 2025.

 

Ladybird Browser Gains Cloudflare Support to Challenge the Status Quo
Cloudflare has announced its sponsorship of the Ladybird browser, an independent (still-in-development) open-source initiative aimed at developing a modern, standalone web browser engine. It’s a project launched by GitHub’s co-founder and former CEO, Chris Wanstrath, and tech visionary Andreas Kling. It’s written in C++, and designed to be fast, standards-compliant, and free of external dependencies. Its main selling point? Unlike most alternative browsers today, Ladybird doesn’t sit on top of Chromium or WebKit.

 

Microsoft Outlook stops displaying inline SVG images used in attacks
Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared. SVG images sent as classic attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks. 

 

LEGAL & REGULATORY

Jaguar Land Rover gets £1.5B government jump-start after cyber breakdown
A government-backed loan to the tune of £1.5 billion ($2 billion) will be made available to the carmaker to support its recovery and the companies in its extensive supply chain struggling as JLR brings its invoicing systems back online.
[rG: “Too big to fail” only rewards those who underfund cybersecurity and ignore the need to ensure resilient operations.]

 

Dutch teen duo arrested over alleged 'Wi-Fi sniffing' for Russia
Police in the Netherlands arrested two 17-year-olds last week over claims that Russian intelligence recruited them to spy on the headquarters of European law enforcement agencies. Authorities observed one of the teenagers carrying a "Wi-Fi sniffer" near the headquarters of Europol and the EU criminal investigation agency Eurojust, and near the Canadian embassy.

"He doesn’t go out, he has a job at a supermarket, and shows no interest in exploring the world," the father said. "We raise our kids to be prepared for dangers like smoking, vaping, alcohol, and drugs – but not for something like this. Who could ever anticipate it?"