Участники закрытого форума могут столкнуться с уголовным преследованием из-за утечки данных в ФБР.

Цифры в даташитах, "поставил и забыл" и другие дорогостоящие ошибки при выборе NGFW.

Ассистент, которому мало почты и календаря.

Польша усилит защиту энергосетей после атаки на системы связи распределенной генерации

Киберпреступники начали эксплуатировать бреши в системе аутентификации SAML для обхода паролей.

NexPhone предлагает сразу несколько миров в одном корпусе.

Разбираемся, почему привычка доверять глазам в интернете становится всё более опасной роскошью.

Цифровая анонимность не спасла от масштабной полицейской операции.

Гуманоид PM01 из Шэньчжэня научился акробатике перед космическим дебютом.

В DevOps-среде компрометация приводит не к утечке кода, а к нарушению целостности артефактов сборки и программных компонентов, что затрагивает всю цепочку поставок.

Безопасность теперь должна отвечать не на вопрос «что агент сказал», а на вопрос «что он сделал, имел ли на это право и в каком контексте».

Вредоносные инструкции теперь внедряются не в прямой пользовательский запрос, а в контекст выполнения задачи, который агент считает доверенным.

Уязвимость была связана не с ошибкой модели, а с тем, что агент интерпретировал содержимое письма как допустимую инструкцию в рамках задачи.

Рынок защиты ИИ в России в 2026 году оценивается минимум в 1 млрд рублей, а к 2029 году прогнозируется рост д…

ФСТЭК России утвердила правила анализа защищённости: под проверку попали ИИ-системы, контейнеры и промышленная автоматизация.

Что конкретно изменится для ИБ-специалистов, проводящих или заказывающих проведение работ по анализу защищённости, и как новые требования могут повлиять на бюджет и сроки работ?

Для бизнеса и госкомпаний это означает, что под прицел проверки попадают те компоненты, которые часто внедрялись «экспериментально» и жили в полутени ИБ‑процессов.

Переход к зрелой и бизнес-ориентированной безопасностиНовая методика анализа защищённости формирует практический и риск-ориентированный подход к выявлению уязвимостей.

Роль экспертизы: как выбрать Исполнителя и не переплатитьКомпан…

ВведениеПредыдущее сравнение WAF на Anti-Malware.ru вышло до событий и перемен 2022 года, и в нём фигурировали главным образом зарубежные продукты и решения, которые доминировали тогда на рынке ИБ в целом и в отдельных его сегментах.

Сервисы класса WAF, в рамках которых файрвол веб-приложений предоставляется как услуга, в охват этого исследования не включаются.

Да Нет Да Поддержка JSON Да Да Да Да Да Проверка данных в запросах и ответах на соответствие JSON Schema Да Да Да Да Нет(только верификация формата) Поддержка разбора JSON Web Token (JWT) с проверкой его валидности Да Да Да Да Нет Поддержка REST Да Да Да Да Да Поддержка GraphQL Да Да Да Да Нет Поддержка BASE64 Да Да Да Да Да Поддержк…

Рынок ИБ в 2026 году требует стратегов, способных соединить глубокие технические знания с пониманием бизнеса и человеческого фактора.

Сергей Зеленин добавил, что в 2025 году на рынок вернулись люди, которые покинули Россию в 2022: это опытные специалисты.

Во втором опросе зрители поделились, на что они в первую очередь ориентируются при выборе программы обучения в ИБ (мультивыбор):На соотношение теория/практика — 68 %.

Сергей Зеленин: «Hard skills позволяют повысить вашу квалификацию, но именно soft skills станут главным помощником в карьерном продвижении как в ИБ, так и в ИТ в целом.

Четвёртый опрос показал, каково мнение зрителей о построении карьеры в ИБ после эфира:Будут внедрять то, о …

В процессе сертификации проводится тщательный аудит ПО, в результате чего могут быть выявлены и устранены скрытые недостатки.

Рассмотрим регулируемые отрасли и нормативные документы, которые устанавливают основные требования к использованию в них СЗИ и обеспечению ИБ программных продуктов или систем.

Хотя подтверждение соответствия ПО в России является добровольной процедурой, но для продвижения в регулируемых отраслях становится реальной необходимостью.

Нахождение ПО в реестре делает возможным использовать его в рамках импортозамещения.

Сертификат AM Test Lab (шаблон)ВыводыСейчас под сертификацией программного обеспечения понимают разнообразные процедуры оценки соответствия продукта устано…

В первую волну (в марте 2025 года) злоумышленники вводили в заблуждение получателей писем тем, что приглашали принять участие в общественно-экономическом форуме «Примаковские чтения» в РАН.

Паоло Лецци, CEO компаний Memento Labs (ранее — Hacking Team) и InTheCyberПричём здесь Hacking Team?

Речь пойдёт об итальянской компании Hacking Team, которая в результате продажи и ребрендинга превратилась в 2019 году в компанию Memento Labs.

Участие Hacking TeamИстория взлома серверов на Hacking Team прояснила также некоторые другие важные детали, касающиеся её разработки коммерческого spyware-софта.

Лецци также отметил, что не может «уверенно назвать, кто именно из клиентов компании оказался виновным …

В таких условиях формальный подход к ИБ превращается в источник новых рисков.

Понимание ограничений технологий и отказ от иллюзий — первый шаг к построению устойчивой и живой системы защиты, способной адаптироваться к реальным, а не «учебным» угрозам.

В-третьих, многофакторную аутентификацию (MFA), которая является одной из самых эффективных мер для защиты от атак с использованием украденных учётных данных.

Когда атаки не укладываются в сценарииЕсли автоматизация и стандартные сценарии защиты не обнаруживают всех атак, реальность оказывается ещё сложнее.

Иллюзия полной защищённостиРеальные компрометации редко укладываются в учебные сценарии, а ошибки в проектировании создают ложное ощущение…

По направлению миграцииИз локальной инфраструктуры в облако — перенос сервисов и данных из собственной вычислительной среды заказчика в публичное или частное облако.

Rehost (Lift and Shift) — перенос приложений и данных в облачную инфраструктуру практически без изменений архитектуры и логики работы.

Сложности в процессе миграции и типичные ошибкиМиграция в облако редко проходит гладко: могут возникнуть технические несовместимости или скрытые архитектурные зависимости.

Чек-лист по миграции в облакоВыше мы рассмотрели теорию, проанализировали ключевые аспекты миграции и изучили реальные кейсы российских компаний.

Именно такой подход позволял переносить в облако не только вспомогательные, но и…

Атаки на роботов.

В целом атака на роботов может приводить к различным последствиям:Физический ущерб людям и имуществу вследствие потери контроля (в том числе самоконтроля).

Через взломанного робота можно распространять атаку и на неподключённые экземпляры из группы.

Средства защиты должны стать неотъемлемой частью архитектуры роботов и включать изоляцию компонентов, строгую аутентификацию команд, минимальные привилегии и тотальный контроль всех взаимодействий.

Они направлены не только на соблюдение требований безопасности, но и на обеспечение стабильной, предсказуемой работы систем.

Большинство экспертов оценили объём российского рынка ITSM-систем в 2024 году в диапазоне 10–35 млрд рублей, в зависимости от методологии расчёта.

По мнению TAdviser, среди отечественных вендоров уже который год лидирует компания Naumen — как по объёму выручки, так и по количеству подтверждённых внедрений.

Из независимых обзоров, по мнению редакции, внимания достоин рейтинг российских ITSM-систем 2024 года от «Компьютерры».

ESMPESMP — это программная ITSM-платформа для управления и автоматизации работы любых сервисных подразделений компании.

Ведение каталога услуг и управление SLA позволяет структурировать перечень ИТ-услуг, устанавливать соглашения об уровне обслуживания и контролировать и…

Планирование операции по захвату Н.МадуроПо данным The Guardian, подготовкой организационной части операции по захвату Н. Мадуро занималось ЦРУ и ряд других государственных агентств, связанных с разведывательной деятельностью.

Главный акцент американцев при проведении операции Absolute Resolve возлагался на внезапность (неизвестность момента атаки) и завоевание тактического превосходства в воздухе.

Американцы определили, что в ночь операции Н.Мадуро будет находиться в Фуэрте-Тиуна, ключевой военной базе в окрестностях Каракаса.

Поэтому распространившееся позднее утверждение, что в ходе операции не было кибератаки, выглядит малоубедительным.

Отметим еще одно необычное событие, которое произо…

О том, как проходили эти дни и что происходило за кулисами, рассказали участники российской делегации — представители ГК «Солар».

Практика последних лет показала, что в условиях глобального интернета объектами кибератак становятся в равной степени все страны, в том числе те, которые остаются «слабым звеном».

Ханойская конвенция получила одобрение со стороны Китая, многих стран Ближнего и Среднего Востока, стран АСЕАН, большинства государств Латинской Америки.

Они вряд ли примкнули бы к Будапештской конвенции и в будущем.

Если отдельные участники считают, что в другой стране “проседают” те или иные компетенции, то суверенное право каждой страны самой выбирать, что делать дальше», — отметил А…

В ходе итоговой пресс-конференции Positive Technologies был сделан традиционный прогноз: легче в 2026 году не станет.

Угрозы в новом годуКак спрогнозировала руководитель направления аналитических исследований Positive Technologies Ирина Зиновкина на итоговой пресс-конференции «Анатомия цифровых бурь», рост успешных атак в 2026 году составит около 30 %.

По оценке аналитиков J`son & Partners Consulting, данная угроза заняла стала самой распространённой в 2025 году и её актуальность сохранится в 2026 году.

По оценке УЦСБ, тенденция на атаки российского ПО сохранится и в 2026 году.

Наконец, в 2026 году можно ожидать принятия второго пакета антимошеннических мер.

Статистика за 2025 год подтверждает эту тенденцию: атаки на цепочки поставок (Supply Chain Attacks), компаний выросли на 110 %.

Атаки на цепочку поставок и меры противодействияЧтобы оценить реальные масштабы угрозы, важно опираться не на общие рассуждения, а на конкретные инциденты, в которых уязвимость поставщика привела к компрометации его клиентов.

Разработчикам рекомендовали усилить защиту учётных записей, внедрить проверку целостности зависимостей и наладить процессы аудита цепочки поставок на всех этапах жизненного цикла ПО.

Атака на цепочку поставок ПО «GhostAction»В сентябре 2025 года исследователи из GitGuardian раскрыли масштабную кампанию «GhostAction», затронувшую 327 пользовате…

А что насчет - антикейса?

Нет, не кейс с негативным окрасом, как не получилось, а кейс с позитивным уклоном, о том, как обернуть оружие серой зоны, против них самих?

Постойте, скажет неискушенный читатель, а что вообще такое, этот ваш клоакинг?

Его можно погонять и не только на мобильных профилях, но и на обычных.

В общем - клоакинговые ссылки это зло, все вокруг выкладывают инструменты обхода - а я вот сделал ровно обратное.

Акт 1 — обзор опыта и судов 2025 года: кого, за что и как штрафовали и на что стоит обратить внимание.

Так что в 2025 еще можно было защищаться, утверждая, что утечка была совершена в первом полугодии.

В идеале — поставьте и в футер сайта (приложения), и обязательно в личный кабинет пользователя.

Как и в примере выше — понятную, заметную и непротиворечивую, в футере сайта, ЛК или разделе «Правовая информация».

Кстати, если хотите иметь под рукой наглядные гайды по персональным данным в формате PDF, да и в целом быть в курсе новостей по этой теме, заглядывайте в наш ТГ-канал.

Ссылки на витрине дарквеб‑форума в clearnet на сам форум в TorПереход с витрины дарквеб‑форума в clearnet на сам форум в TorФронтенд‑витрины и скрытые бэкенд‑панели .

Такие взаимосвязи формируют единый стек, где роли распределены: форум — для общения и репутации, маркетплейс — непосредственно для сделки и платежа, Telegram‑бот — для мобильности и оповещений.

Все это зачастую встроено в форум в формате интеграций.

Можно ожидать, что и в дальнейшем форумы будут придумывать новые способы защититься и выжить, а правоохранители и специалисты по ИБ — новые способы вычислить и закрыть их.

ВыводыВ данной статье мы рассмотрели, как устроены киберпреступные форумы дарквеба с технической и экономическ…

А если нет, то почему внедрение требований по ГОСТ вновь станет актуальным и, главное – для кого?

3.Завершен пересмотр ГОСТ 57580.1, .2 и .5 внутри ТК 122, в рамках которого мне удалось отследить позицию БР по многим вопросам.

В качестве основного принципа управления системой защиты информации по ГОСТ лежит цикл Деминга (PDCA): Планируй (Plan) – Реализуй (Do) – Контролируй (Check) – Совершенствуй (Act).

3) Контроль целостности и защищенности:· выявление и устранение уязвимостей,· сканирование настроек,· своевременное обновление ПО,· резервное копирование,· контроль целостности и доверенная загрузка,· контроль состава ПО на АРМ и серверах,· выявление использования мобильного кода,· соответст…

Addition and subtraction of IP address ranges and address spaces #Example 1.

mask_min = IPv4Range.IP_ADDRESS_BITS_COUNT + 1 - low_bit_pos # Looking for an IP mask that most fully covers the specified # IP range.

Attributes: __ip_ranges ([IPv4Range]): an internal list of IP address ranges describing the IP address space. """

if self.__ip_ranges is None: return True if 0 == len(self.__ip_ranges): return True return False def __iter__(self): """Return iterator of internal IPv4Range list."""

FullSpace.txt 0.0.0.0/02.SpecialIPs.txt, содержащий перечень зарезервированных IP-адресов:SpecialIPs.txt # Based on https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xht…

Под катом — как защититься, если вы уже дали ИИ доступ к своей системе.

Теперь каждый второй разработчик использует какого-нибудь «умного помощника» с доступом к терминалу, браузеру и файловой системе.

Взял популярный open-source проект — Clawdbot (также известный как Moltbot), ~1300 TypeScript файлов, полный набор возможностей: exec, browser automation, memory, subagents.

🟡 Среднее: Отсутствие CSRF/CORS защитыgrep -r "csrf\|helmet\|cors(" src/ # Результат: пустоGateway API не использует:CSRF токеныHelmet middlewareЯвную CORS политикуРиск: CSRF атаки на локальный gateway.

tools: exec: security: allowlist ask: on-missОжидаемая защита: ~40%Уровень 2: Умеренный (Рабочий ПК)tools: exec: securit…

Их не заводят через архитектурный комитет, не обсуждают на дизайн-ревью и не включают в модель угроз.

Потому что так удобнее, потому что так сделал подрядчик, потому что «это же не сервер».

IoT как точка входаБольшинство IoT-устройств проектируются с прицелом на функциональность и цену, а не на безопасность.

Это создаёт идеальные условия для атак — не потому что хакеры какие-то особенные, а потому что защита изначально не была приоритетом.

Каждый новый гаджет добавляет ещё одну точку неопределённости, ещё один потенциальный маршрут атаки, который никто толком не описал и не ограничил.

Стандартный docker run запускает процесс с root правами внутри контейнера и доступом к большинству системных вызовов.

Разберём конкретные настройки, которые реально повышают безопасность, с примерами и объяснением зачем это нужно.

docker run --read-only myimageПриложению нужны временные файлы?

services: app: image: myimage security_opt: - no-new-privileges:trueЭто должно быть включено всегда.

docker run --security-opt apparmor=docker-nginx myimageDocker по умолчанию применяет профиль docker-default.

Вы можете ознакомиться с предыдущими статьями тут:В этой статье поэкспериментируем с Windows Defender и Windows 11 версии 25H2.

Немного сведений об AV и EDR службахСлужбы антивирусных приложений и EDR функционируют аналогично стандартным сервисам Windows, однако имеют одну важную особенность — они защищены драйверами ядра.

Любой процесс в Windows зависит от библиотек в каталоге System32, и EDR не исключение.

Сперва нам нужно выяснить группу сервисов, к которой относится EDR, чтобы создать свою службу с более высоким приоритетом запуска.

ЗаключениеСлужбы антивирусов и EDR, несмотря на защиту на уровне ядра, являются обычными службами и процессами Windows.

Отсюда появилась идея в качестве эксперимента написать небольшой сервис, который мог бы генерировать какие угодно сертификаты с ГОСТ-алгоритмами, но при этом успешно работающие с КриптоПро.

Ключевая сложность возникла не с генерацией серта, атрибутами квалифицированного сертификата и так далее, а с импортом свежесгенерированного сертификата и ЗК в криптопровайдер.

В случае представления данных в виде структур EncryptedData или EnvelopedData, поле encryptedContent структуры EncryptedContentInfo представляет собой закодированное значение структуры SafeContents.

Структура SafeBag может содержать объекты различного типа: ключи, сертификаты ключа проверки электронной подписи.

Финальный диверсифи…

Что же, антивирус и вправду никакая не броня и не всегда спасает от сложных и тщательно спланированных действий злоумышленников.

Также заглянем в арсенал типичного злоумышленника и на реальных кейсах разберем, как «устаревшие» и «бесполезные» антивирусы дают прикурить киберпреступникам.

Укрупненно можно выделить четыре причины упрощения, удешевления и, как следствие, роста количества кибератак.

Остается выгрузить CSV и по баннерам сервисов (версии ОС, RDP и т.

Как видно на скриншоте, что антивирус Касперского, что встроенный в Windows бесплатный Defender отлично детектируют применение такого инструмента сканирования.

Особенно опасны атаки с амплификацией: малый по размеру запрос (например, к DNS-резолверу) вызывает объёмный ответ, который перенаправляется на жертву.

Пакетный фильтр не спасёт от HTTP-флуда, WAF не остановит ICMP-шторм, а система защиты от SYN-флуда будет бессильна перед медленным, фрагментированным запросом.

Архитектурные подходы к защите от DDoS-атакПри проектировании защиты от DDoS приходится искать баланс между скоростью реагирования, масштабируемостью и затратами на инфраструктуру.

Здесь события собираются с детектора и фильтра и коррелируются с журналами других систем безопасности, выполняется пост-анализ.

Тогда волна однообразных соединений просто затапливает систему и никто не зам…

Компания Nike проводит расследование, так как хак-группа World Leaks заявила о краже информации из ее систем.

«Мы всегда серьезно относимся к конфиденциальности клиентов и безопасности данных.

Признаков компрометации данных клиентов или сотрудников пока не обнаружено, а значит, регуляторы остаются в стороне.

World Leaks сосредоточена исключительно на краже информации, то есть не использует шифровальщики.

Тактика группы строится на краже данных и извлечении из них максимальной выгоды — вымогательства денег у компаний-жертв или продажи информации тем, кто в ней заинтересован.

Исследователи Fortinet FortiGuard Labs зафиксировали многоступенчатую фишинговую кампанию, нацеленную на российских пользователей: злоумышленники распространяют малварь Amnesia RAT и шифровальщик.

Настройка исключений Microsoft Defender — из зоны проверки выводятся ProgramData, Program Files, Desktop, Downloads и системная временная папка.

Перехват файловых ассоциаций — при попытке открыть файлы с определенными расширениями пользователю показывают сообщение с требованием связаться с атакующими в Telegram.

Этот троян ворует данные из браузеров, криптокошельков, Discord, Steam, Telegram, делает снимки с веб-камеры и записывает звук с микрофона.

Кража данных осуществляется через HTTPS и Telegr…

Соб­рать супер­компь­ютер из подер­жанных ком­плек­тующих — задача не для сла­бонер­вных.

Тог­да мы исполь­зовали Xeon 2600v4, и это было недур­но в 2022 году, ког­да я задумал эту кон­фигура­цию, а сей­час и вов­се бюд­жетнень­ко.

На самом деле это не сов­сем про­цес­сор, это ско­рее SOC, пос­коль­ку кон­трол­леры памяти, дис­ков и все­го про­чего так­же находят­ся на крис­талле.

Кро­ме того, извес­тно, что парал­лелиза­ция в соф­те реали­зова­на неидеаль­но и в какой‑то момент добав­ление ядер не при­носит ожи­даемо­го эффекта.

Впро­чем, если рас­кидать ее на 64 ядра, то выходит по 16 Гбайт на ядро, что уже не так впе­чат­ляет.

Разработчики Microsoft выпустили внеплановые патчи для критической уязвимости в Office, которую уже активно эксплуатируют в атаках.

Проблема затронула практически все версии продукта — от Office 2016 до Microsoft 365 Apps for Enterprise.

«Уязвимость возникает из-за того, что Microsoft Office полагается на недоверенные входные данные при принятии решений о безопасности, что позволяет неавторизованному злоумышленнику обойти локальную защиту», — объясняют в Microsoft.

С 26 января 2026 года пользователям Office 2016 и 2019 доступны следующие обновления:Microsoft Office 2019 — 16.0.10417.20095;Microsoft Office 2016 — 16.0.5539.1001.

Для 64-битного MSI Office на 64-битной Windows это будет HKEY_L…

Заместитель председателя комитета Госдумы по экономической политике Михаил Делягин высказался о возможной блокировке Telegram в России.

Позже Делягин уточнил, что это было лишь предположение.

Изначально «Национальная служба новостей» сообщала, что блокировка Telegram может произойти к сентябрю 2026 года, по той же схеме, что и с YouTube.

Когда происходит падение уровня жизни населения, это не только проблема, но и ресурс, потому что люди хотят, несмотря на это, сохранять образ жизни.

Это не факт, это не инсайд (я НИКОГДА не делюсь чужими секретами) — это предположение.

Аналитики Shadowserver Foundation отслеживают почти 800 000 IP-адресов на фоне активной эксплуатации критической уязвимости CVE-2026-24061 в серверном компоненте GNU InetUtils telnetd.

Проблема появилась в коде еще 19 марта 2015 года и попала в релиз версии 1.9.3 от 12 мая 2015 года.

Как сообщили аналитики Shadowserver, в настоящий момент они отслеживают почти 800 000 IP-адресов с Telnet-фингерпринтами.

Более 380 000 из них расположены в странах Азии, почти 170 000 — в Южной Америке и около 100 000 — в Европе.

Большинство атак выглядели автоматизированными, но исследователи отметили, что в нескольких случаях это определенно был «человек за клавиатурой».

Исследователи из компании Positive Technologies нашли серьезные уязвимости в российской HR-платформе Websoft HCM.

Websoft HCM — платформа для автоматизации HR-процессов от российской компании Websoft.

В общей сложности Алексей Соловьев, Никита Свешников, Владимир Власов и Николай Арчаков обнаружили 33 уязвимости в Websoft HCM 2025.1 (PT-2025-53458 – PT-2025-53490).

Сообщается, что разработчики Websoft оперативно исправили уязвимости в версии 2025.2.

Алексей Попов, руководитель команды разработки Websoft HCM, отметил:

Его разработчики обещают злоумышленникам создание вредоносных расширений для Chrome, способных обойти модерацию и проникнуть в официальный Chrome Web Store.

MaaS предлагает незаметную автоустановку расширений в браузеры Chrome, Edge и Brave, а также поддержку кастомных доработок.

Своим клиентам сервис предлагает несколько тарифных планов, самый дорогой называется Luxe Plan и включает в себя веб-панель управления и полную поддержку в ходе публикации вредоносного расширения в Chrome Web Store.

Также они могут отправлять уведомления прямо в браузер жертвы, чтобы заманить пользователя на нужные страницы.

В частности, продавец обещает, что вредоносные расширения Stanley гарантировано пройдут про…

Важ­ное усло­вие для бру­та — отсутс­твие огра­ниче­ний на количес­тво попыток либо воз­можность обой­ти эти огра­ниче­ния, нап­ример через исполь­зование прок­си.

Исполь­зуй брут толь­ко в край­них слу­чаях и в огра­ничен­ном режиме.

Вер­нись в Burp на вклад­ку Proxy и в исто­рии зап­росов най­ди подоб­ный отчет:POST / vulnerabilities/ brute/ HTTP/ 1.

Словари для брута Са­мый популяр­ный сло­варь для бру­та — rockyou.txt.

И это без каких‑либо лагов и задер­жек.

Специалисты BI.ZONE Threat Intelligence зафиксировали волну атак группировки Vortex Werewolf на российские оборонные предприятия и госорганы.

Злоумышленники присылали жертвам фишинговые ссылки, замаскированные под файловое хранилище Telegram.

Внутри находился вредоносный файл, замаскированный под PDF-документ, и скрытый каталог с дополнительным архивом.

Для скрытого управления зараженным устройством хакеры разворачивали на нем OpenSSH и Tor, через который направлялся весь трафик, чтобы скрыть соединение.

Эксперты пишут, что группировка Vortex Werewolf специализируется на шпионаже и активна как минимум с декабря 2024 года.

Оба расширения выдавали себя за легитимные инструменты для ускорения разработки, и незаметно передавали на китайские серверы весь код, с которым работали жертвы.

Проблемы были найдены в расширениях ChatGPT — 中文版 (издатель WhenSunset, 1,34 млн установок) и ChatMoss (издатель zhukunpeng, 150 000 установок).

Специалисты пишут, что оба расширения являются частью вредоносной кампании MaliciousCorgi и используют одинаковый код для кражи данных.

Кроме того, вредоносы используют одну и ту же инфраструктуру для распространения и взаимодействуют с одними и теми же серверами.

На момент публикации отчета исследователей оба вредоносных расширения все еще были доступны в VSCode.

Разработчики OnePlus добавили в свежие обновления ColorOS защиту Anti-Rollback Protection (ARB).

В результате после обновления становится невозможно вернуться на старую прошивку, использовать кастомный ROM, а также не работает большинство методов восстановления устройств после сбоя.

Как сообщает издание Droidwin, механизм ARB появился с релизом ColorOS 16.0.3.500/.501/.503 — это сборки на базе Android 16 для OnePlus 13, 13T, OnePlus 15 и линейки Ace 5.

Защита срабатывает в момент установки обновления: на материнской плате «прожигается» e-fuse, который навсегда фиксирует новый уровень версии безопасности устройства.

На очереди устройства OnePlus 11 и OnePlus 12.

Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts.

The extension, named "ClawdBot Agent - AI Coding Assistant" ("clawdbot.clawdbot-agent"), has since been taken down by Microsoft.

It was published by a user named "clawdbot" on January 27, 2026.

"The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension," Aikido researcher Charlie Eriksen said.

…

The "coordinated" cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM.

Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy resources (DERs).

"The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites," Dragos said.

"While the attack did not result in power outages, adversaries gained access to op…

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.

"In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed," vm2 maintainer Patrik Simek said.

"This allows attackers to escape the sandbox and run arbitrary code."

vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.

The newly discovered flaw stems from the library's improper sanitization…

Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution.

In its documentation, n8n notes that using internal mode in production environments can pose a security risk, urging users to switch to external mode to ensure proper isolation between n8n and task runner processes.

"These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high‑level languages such as JavaScript and Python," researcher Nathan Nehorai said.

"Even with multiple validation layers, deny lists, and AST‑based controls in place, subtle language features and runtime behaviors can …

If you work in security operations, the concept of the AI SOC agent is likely familiar.

The forced tradeoff of ignoring low-fidelity signals disappears because the cost of investigation is significantly lower with AI SOC agents.

Adaptability refers to how well the AI system ingests feedback and guidance, and other organizational-specific context to improve its accuracy.

Tools must not only integrate with your existing technology stack but also seamlessly fit into your current security operations workflows.

To learn more about Prophet Security and see why teams trust Prophet AI to triage, investigate, and respond to all of their alerts, request a demo today.

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.

The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located across campaigns across Myanmar, Mongolia, Malaysia, and Russia.

Kaspersky, which disclosed details of the updated malware, said it's deployed as a secondary backdoor along with PlugX and LuminousMoth infections.

Between 2021 and 2025, Mustang Panda is said to have leveraged signed binaries from var…

Near-identical password reuse continues to slip past security controls, often unnoticed, even in environments with established password policies.

The reason is not always blatant password reuse, but a subtler workaround known as near-identical password reuse.

Near-identical password reuse occurs when users make small, predictable changes to an existing password rather than creating a completely new one.

Under these conditions, near-identical password reuse becomes a practical workaround rather than an act of negligence.

Specops Password PolicySpecops Password Policy enables centralized policy management, making it easier to define, update, and enforce password rules across Active Directory …

"Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations," the Google Threat Intelligence Group (GTIG) said.

The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025.

"Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets," it added.

"By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowi…

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).

The packages, named spellcheckerpy and spellcheckpy, are no longer available for download, but not before they were collectively downloaded a little over 1,000 times.

"Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT," Aikido researcher Charlie Eriksen said.

This is not the first time fake Python spell-checking tools have been detected in PyPI.

In November 2025, HelixGuard said it discovered a malicious package n…

Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild.

The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO).

The company said it's continuing to investigate if other products, including FortiWeb and FortiSwitch Manager, are impacted by the flaw.

It's worth noting that the FortiCloud SSO login feature is not enabled in the default factory settings.

The development comes days after Fortinet confirmed that unidentified threat actors were abusing a "new attack path" to achieve SSO logins withou…

Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do.

The feature, similar to Lockdown Mode in Apple iOS and Advanced Protection in Android, aims to protect individuals, such as journalists or public-facing figures, from sophisticated spyware by trading some functionality for enhanced security.

Once this security mode is enabled, some of the account settings will be locked to the most restrictive options, while simultaneously blocking attachments and media from people not in a user's contacts.

The feature can be enabled by navigating to Settings > Privacy > Advanced.

"This is…

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft.

The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025.

Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2).

GOGITTER also sets up persistence using a scheduled task that's configured to run the aforementioned VBScript file every 50 minutes.

Zscaler said it observed the threat actor also downloading RAR archives using cURL commands after gaining access to the victim's machine.

The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations with specific “girls” – fake profiles probably operated via WhatsApp.

While we don’t know how the malicious app is distributed, we assume that this exclusivity tactic is used as part of the lure, with the purported access codes distributed along with the app.

GhostChat, the malicious app used in the campaign, poses as a dating chat platform with seemingly locked female profiles.

Once the app is installed, its operators can monitor, and exfiltrate sensitive data from, the victim’s device.

This action triggered ClickFix instructions, as seen in Figure 11, which led to the download and execu…

10 reasons your inbox is full of spam and/or scamsEmail spam can range from pesky, unsolicited missives sent in bulk to the downright dangerous and malicious (phishing messages and malware delivered via spam and also known as ‘malspam’).

They then post or sell that data on cybercrime forums/marketplaces, where others buy it for use in phishing emails.

If they manage to achieve a breakthrough that bypasses spam filters, expect unwanted messages to start flooding in.

What not to doIt’s also best practice never to:Avoid clicking on ‘unsubscribe’ or replying to a spam email, as this will verify your address to the sender.

Reset your email security settings or lower spam ‘sensitivity’ levels.

The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiperIn late 2025, Poland’s energy system faced what has been described as the “largest cyberattack” targeting the country in years.

ESET Research has now found that the attack was the work of the notorious Russia-aligned APT group Sandworm.

Meanwhile, the attack on Poland’s power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper.

In their latest APT Activity Report, covering April to September 2025, ESET researchers noted that they spotted Sandworm conducting wiper attacks against targets in Ukraine on a regular basis.

ESET Research offer…

AI chatbots have become a big part of all of our lives since they burst onto the scene more than three years ago.

A similar share of parents is worried their kids think AI chatbots are real people.

Our children use generative AI (GenAI) in diverse ways.

Children are going through an incredible period of emotional and cognitive development, making them vulnerable in various ways.

The onus, therefore, is definitely on parents to get ahead of any threats through proactive monitoring and education.

Here’s how the most common scams targeting Apple Pay users work and what you can do to stay one step aheadApple Pay is clearly a hit with consumers.

Here are some common scams targeting Apple Pay users.

Top six scams targeting Apple Pay usersApple Pay scammers are usually after your financial information, your money or your Apple ID and logins/2FA codes.

Or it could be a fake story about how your Apple Pay account has been suspended, your card was added to Apple Pay or similar pretexts.

First, take a moment to recognize the most common red flags and Apple Pay scams, as listed above.

A full 25 percent of the top 1,000 most-used passwords are made up of nothing but numerals.

This is according to NordPass’ analysis, which is based on billions of leaked passwords and sheds light on password trends among people in 44 countries.

Same old, same oldUsing an easily-guessable password is tantamount to locking the front door of your house with a paper latch.

Weak, obvious, or reused passwords can expose not only individual employees, but entire organizations, their customers, and their partners.

But if your own passwords appear on either list above, improving your account security should be one of the most important of them.

It may be the most recent high-profile case of threat actors abusing LinkedIn to further their own nefarious goals.

It’s easy to get up and running: For threat actors, the potential ROI for attacks using LinkedIn is massive.

Account hijacking : Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

: Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

However, it would make sense to build LinkedIn threat scenarios of the sort described above into security awareness courses.

New legislation in Australia makes it illegal for those under 16 to have a social media account.

To avoid financial penalties, social media companies have scrambled to remove accounts they believe breach the legislation.

As 2026 has just begun, this also sparks a broader question for internet users and regulators alike: will this be the year the world rethinks identity online?

Unless an app or service is operated by a regulated company that requires identity verification, people are free to create accounts on many services using any identity they desire.

I am not suggesting that all services need to have verified users.

Contrary to popular belief, much of the dark web isn’t the den of digital iniquity that some commentators claim.

involve the large-scale theft of customer/employee information, which then usually appears for sale on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

Finally, sign up to identity protection services and sites like HaveIBeenPwned, which will alert you when any PII appears on the dark web.

Indeed, credential stuffing is the digital equivalent of someone discovering a skeleton key that opens your house, office, and safe – all in one sweep.

While credential stuffing is by no means new, several trends have exacerbated the problem.

Here’s the scale at which credential stuffing attacks can be conducted:In 2022, PayPal reported that nearly 35,000 customer accounts were compromised via credential stuffing.

How to protect your organizationThese days, credential stuffing is also a primary vector for account takeover, fraud, and large-scale data theft across industries, including retail, finance, SaaS, and health care.

Importantly, many organizations are embracing passwordless authenti…

As 2025 draws to a close, Tony looks back at the cybersecurity stories that stood out both in December and across the whole of this yearAs we close out 2025, it's time for ESET Chief Security Evangelist Tony Anscombe to review some of the main cybersecurity stories from both the final month of the year and 2025 as a whole.

While staggering, this figure is still just the tip of the iceberg.

The Texas Attorney General is suing five major TV manufacturers, alleging that they illegally collected their users' data by secretly capturing what the viewers watch.

Indeed, Tony goes on to take a look back at some of the most notable cyber-incidents for the entire year, highlighting some of the most pe…

Brushing scams are a type of e-commerce fraud where a seller sends a package to an apparently random person’s address.

It shouldn’t take too much effort to work out if you’ve been singled out by brushing scammers.

It’s yours to keep, if you want toHow do I stay safe from brushing scams?

There are steps you can also take to stop brushing scams from even targeting you.

Brushing scams are just one of many ways fraudsters weaponize your personal information against you.

We provide our method to reproduce the crash using a simple 12-bit or 16-bit JPG image, and an examination of the initial released patch.

CVE-2025-50165 is a flaw in the encoding and compressing process of a JPG image, not in its decoding.

Zscaler’s findings, as well as the description provided by Microsoft, reveal that the flaw stems from the dereference of an uninitialized function pointer in WindowsCodecs.dll, which is part of the Windows Imaging Component.

We analyzed the vulnerable version 10.0.26100.4768 (SHA-1: 5887D96565749067564BABCD3DC5D107AB6666BD), and then performed a binary comparison with the first patched version 10.0.26100.4946 (SHA-1: 4EC1DC0431432BC318E78C520387911EC44F84…

We provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and other tools used by LongNosedGoblin.

NosyDoor Stage 3 – payloadNosyDoor’s third stage, the main payload, is a C#/.NET backdoor with the internal name OneDrive and with PDB path E:\Csharp\Thomas\Server\ThomasOneDrive\obj\Release\OneDrive.pdb.

NosyStealer Stage 2 – injectorWe observed two NosyStealer Stage 2 samples – one (SERV.dll) in our telemetry, and the other (msi.dll) uploaded to VirusTotal from Malaysia.

NosyStealer Stage 4 – payloadAgain, like NosyStealer Stage 3 – loader, this stage is shellcode that decrypts, loads, and executes an embedded PE file in memory using Donut’s reflecti…

A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research expertsThe second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.

AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold in ESET telemetry.

On the Android platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemet…

ImmuniWeb has hit another all-time sales record in 2025, while successfully sustaining double-digit year-over-year (YoY) growth and remaining profitable.

During 2025, the company announced 4 major updates to the ImmuniWeb AI Platform.

ImmuniWeb has also been continually improving its Community Edition with numerous new features and novel functionalities, including testing for post-quantum encryption (PQC) readiness.

Both audits revealed zero minor and zero major non-conformities, thereby evidencing ImmuniWeb’s commitment to corporate governance and regulatory compliance.

At ImmuniWeb, we have exactly what they need: tangible deliverables and measurable value to justify the ongoing developme…

ESET researchers have identified an Android spyware campaign that uses romance scam tactics to target individuals in Pakistan.

This includes a ClickFix attack that compromises victims’ computers and a WhatsApp device-linking attack that provides access to victims’ WhatsApp accounts.

While the victim interacts with the app, and even before login, the GhostChat spyware runs in the background.

Beyond desktop attacks using ClickFix, the same infrastructure supported a mobile-focused operation aimed at WhatsApp users.

They were prompted to scan a QR code to link their Android device or iPhone to WhatsApp Web or Desktop.

The US Supreme Court is considering the constitutionality of geofence warrants.

Police probing the crime found security camera footage showing a man on a cell phone near the credit union that was robbed and asked Google to produce anonymized location data near the robbery site so they could determine who committed the crime.

They did so, providing police with subscriber data for three people, one of whom was Chatrie.

Police then searched Chatrie’s home and allegedly surfaced a gun, almost $100,000 in cash and incriminating notes.

Chatrie’s appeal challenges the constitutionality of geofence warrants, arguing that they violate individuals’ Fourth Amendment rights protecting against unreasona…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Really interesting blog post from Anthropic:In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations.

This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.

[…]A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generation…

Prompt injection is a method of tricking LLMs into doing things they are normally prevented from doing.

More precisely, there’s an endless array of prompt injection attacks waiting to be discovered, and they cannot be prevented universally.

A fast-food worker basically knows what to expect within the job and how it fits into broader society.

Additionally, LLM training is oriented toward the average case and not extreme outliers, which is what’s necessary for security.

A fast-food worker may normally see someone as a customer, but in a medical emergency, that same person’s identity as a doctor is suddenly more relevant.

Internet Voting is Too Insecure for Use in ElectionsNo matter how many times we say it, the idea comes back again and again.

Hopefully, this letter will hold back the tide for at least a while longer.

Executive summary: Scientists have understood for many years that internet voting is insecure and that there is no known or foreseeable technology that can make it secure.

Still, vendors of internet voting keep claiming that, somehow, their new system is different, or the insecurity doesn’t matter.

Bradley Tusk and his Mobile Voting Foundation keep touting internet voting to journalists and election administrators; this whole effort is misleading and dangerous.

The rampant speculation among OpenAI users who believe they see paid placements in ChatGPT responses suggests they are not convinced.

In 2024, AI search company Perplexity started experimenting with ads in its offerings.

Highly persuasivePaid advertising in AI search, and AI models generally, could look very different from traditional web search.

A December 2023 meta-analysis of 121 randomized trials reported that AI models are as good as humans at shifting people’s perceptions, attitudes and behaviors.

That will require making real commitments to consumers on transparency, privacy, reliability and security that are followed through consistently and verifiably.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Swartz believed that knowledge, especially publicly funded knowledge, should be freely accessible.

The still-unresolved questions raised by his case have resurfaced in today’s debates over artificial intelligence, copyright and the ultimate control of knowledge.

At the time of Swartz’s prosecution, vast amounts of research were funded by taxpayers, conducted at public institutions and intended to advance public understanding.

AI companies then sell their proprietary systems, built on public and private knowledge, back to the people who funded it.

Systems trained on vast bodies of publicly funded research are increasingly becoming the primary way people learn about science, law, medicine and…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Upcoming Speaking EngagementsThis is a current list of where and when I am scheduled to speak:The list is maintained on this page.

Posted on January 14, 2026 at 12:00 PM • 0 Comments

The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud.

You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

My crime is that of judging people by what they say and think, not what they look like.

My crime is that of outsmarting you, something that you will never forgive me for.

Fascinating research:Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs.

We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside those contexts.

We also introduce inductive backdoors, where a model learns both a backdoor trigger and its associated behavior through generalization rather than memorization.

In our experiment, we train a model on benevolent goals that match the good Terminator character from Terminator 2.

Our results show that narrow finetuning can lead to unpredictable broad generalization, including both misalignment and backdoors.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week.

The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corpor…

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software.

“Today’s Windows patches remove agrsm64.sys and agrsm.sys.

This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026.

Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything.

XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time.

In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet.

All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

]to Discord server vanished, Synthient’s website was hit with a DDoS at…

The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet?

At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.

The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group.

In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering).

Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website.

If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker.

Democratic lawmakers have urged the SEC to investigate what they call “concerning ties to President Trump and his family” as potential conflicts of interest and foreign influence.

In October, President Trump pardoned Changpeng Zhao, the founder of the world’s largest cryptocurrency exchange Binance.

President Trump this term has fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

CONSUMER PROTECTION, PRIVACYAt the beginning of this year, President Trump ordered staffers at the Consumer Financial Protection Bureau (CFPB) to stop most work.

Nevertheless, it emerged in June that the Trump administration has built a central databas…

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address.

A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

“It was often a chain of redirects — one or two domains outside p…

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software.

This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS In…

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

UNBOXINGCensys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites.

Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.

-Generic TV streaming devices advertis…

Sixteen months later, however, Mozilla is still promoting Onerep.

This week, Mozilla announced its partnership with Onerep will officially end next month.

In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025.

Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline.

Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites.

However, some customers did manage to pivot their domains away from Cloudflare during the outage.

“Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage.

But also look hard at the behavior inside your org.”Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:1.

Security researchers have uncovered at least 16 malicious Chrome extensions masquerading as handy ChatGPT productivity tools.

Instead, they hook into the Chrome browser, and intercept outgoing data that contains users' authentication details.

My advice is to check if you have installed any ChatGPT-related browser extensions recently, and remove any that you have concerns over.

The security researchers who uncovered the malware campaign have listed the names of the extensions that have been identified so far (although, of course, it is possible that more have been used - or could still be):ChatGPT folder, voice download, prompt manager - ChatGPT ModsChatGPT voice download, TTS download - Cha…

In episode 85 of The AI Fix, Graham discovers that Silicon Valley has the solution to your pet’s mental health crisis, and Mark explains why AI godfather Yann LeCun thinks the entire AI industry is wrong about LLMs.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive c…

It has just been a few weeks since we reported on the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.

In light of the latest data breach to impact ESA, the December 2025 incident doesn't look too bad.

Furthermore, this latest breach reportedly involves data that might be more concerning - such as operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space.

As a consequence of this latest incident, ESA has now confirmed that a criminal investigation is underway.

Some have suggested that poor cybersecuri…

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Ray [REDACTED]Host:Graham Cluley:@grahamcluley.com @ *protected email* / grahamcluleyGuest:Ray Redacted:@rayredacted.comEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Blu…

The UK's National Cyber Security Centre (NCSC) has issued a warning about the threat posed by distributed denial-of-service (DDoS) attacks from Russia-linked hacking groups who are reported to be continuing to target British organisations.

The denial-of-service attacks are typically not highly sophisticated, but can still successfully cause disruption to IT systems, and cost organisations a significant amount of time and money as they attempt to respond or recover.

The most obviously visible symptom of a basic denial-of-service attack can be that a website is no longer accessible, as hackers flood it with unwanted traffic, making it impossible for legitimate users to reach the resource.

As …

Oh, and AI has managed to crack some famously unsolved maths problems in minutes, and Grok gains access to all of the Pentagon’s networks?

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

We can no longer say that artificial intelligence is a "future risk", lurking somewhere on a speculative threat horizon. The truth is that it is a fast-growing cybersecurity risk that organizations are facing today. That's not just my opinion, that's also the message that comes loud and clear from the World Economic Forum's newly-published "Global Cybersecurity Outlook 2026." Read more in my article on the Fortra blog.

All this, and much more, in episode 450 of the “Smashing Security” podcast with Graham Cluley, and special guest Monica Verma.

Smashing Security #450:From Instagram panic to Grok gone wild [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @ *protected email* / grahamcluleyGuest:Monica Verma:/ monicavermaEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Smashing Security listeners get $1000 off!

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or v…

In episode 83 of The AI Fix, Graham reveals he’s taken up lying to LLMs, and shows how a journalist exposed AI bluffers with a made-up idiom.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Have you ever stolen data, traded a hacking tool, or just lurked on a dark web forum believing that you are anonymous?

The leak, published on a website named after the ShinyHunters hacking and extortion gang, includes records for some 323,986 Breachforums users, exposing their usernames, email addresses, password hashes, and IP addresses.

Ironically, it's precisely the kind of data that hackers using BreachForums have been trading in for years.

And the exposed database could help law enforcement agencies around the world uncover new leads that could assist with cybercriminal investigations.

In short, if you are one of the criminal users of BreachForums you may be sleeping rather less soundl…

The founder of a spyware company that encouraged customers to secretly monitor their romantic partners has pleaded guilty to federal charges - marking one of the few successful US prosecutions of a stalkerware operator.

If you visited the pcTattletale website you would be told that it was "employee and child monitoring software" designed to "protect your business and family."

The reality is that stalkerware like pcTattletale can also be used for tracking the location and activities of people without their knowledge.

Using stalkerware to spy on others without their permission is never acceptable.

If you're concerned that someone might be using spyware against you, visited the website of the …

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Lesley Carhart.

Smashing Security #449:How to scam someone in seven days [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @[email protected] / grahamcluleyGuest:Lesley Carhart:@hacks4pancakes.com‬ @[email protected] / lcarthartEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Sma…

Police in India have arrested a former Coinbase customer service agent who is believed to have been bribed by cybercriminal gangs to access sensitive customer information.

"Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested.

In interviews since the incident, Armstrong has described how cybercriminal gangs were offering US $250,000 bribes to customer service representatives to leak sensitive data.

"We started getting customer support agents get offered like 250 grand bribes to turn over customer information.

And then the attackers would call up our customers and say, hey, here's Coinbase support.

Удобную методичку по этому вопросу выпустил некоммерческий проект OWASP, разрабатывающий рекомендации по безопасной разработке и внедрению ПО.

Злоумышленники используют методы промпт-инъекций или поддельные данные, чтобы перенастроить агента на выполнение вредоносных действий.

Злоумышленник отправляет промпт, который под предлогом тестирования кода заставляет агента с возможностью «вайб-кодинга» загрузить команду с помощью curl и передать ее на вход bash.

Такой «отравленный» контекст искажает дальнейшие рассуждения агента и выбор инструментов.

Используйте внешние шлюзы безопасности (intent gates) для проверки планов и аргументов агента на соответствие жестким правилам безопасности перед их …

На самом деле происходит не установка из магазина приложений, а загрузка приложения в пакете APK.

В России проблема «левых» загрузок усложняется тем, что многие повседневные приложения, в первую очередь банковские, более недоступны в Google Play.

«Прямой NFC» — мошенник связывается с жертвой в мессенджере и уговаривает скачать приложения якобы для подтверждения личности в банке.

Права, которые и в самом деле нужны приложению такого класса, прекрасно подходят для перехвата данных и махинаций с посещаемыми веб-сайтами.

), перенаправлять пользователя на сайты с рекламой и запускать прямо на телефоне прокси, чтобы злоумышленники могли попадать на любые сайты от лица жертвы.

Это связано с тем, что знания ИИ не хранятся в виде отдельных фрагментов, которые можно легко удалить.

Как и на каких моделях проводилось исследование?

При этом в промптах изменялась исключительно стилистика подачи: никаких дополнительных техник атаки, стратегий обфускации или адаптаций под конкретные модели в эксперименте не использовалось.

Исследователи протестировали 1200 промптов на 25 разных моделях — как в прозаическом, так и в поэтическом варианте.

Если следовать этому методу оценки, то поэзия увеличивает вероятность ответа на небезопасный промпт в среднем на 35%.

Чтобы сопрячь со смартфоном новую гарнитуру, поддерживающую эту технологию, достаточно включить ее и поднести к смартфону.

Вредоносное устройство — обычный смартфон или ноутбук атакующего — транслирует запросы Google Fast Pair и пытается соединиться с BT-устройствами в радиусе 14 метров.

Эта функция, Google Find Hub, аналогична FindMy от Apple, и создает такие же риски несанкционированной слежки, как и вредоносные AirTag.

Тем, кто пользуется Android-смартфонами и сопрягал с ними свою уязвимую гарнитуру с помощью Fast Pair, этот вариант атаки не грозит, ведь они сами записаны как владельцы устройства.

Вероятнее всего, обновленные смартфоны больше не транслируют положение аксессуаров, угнанны…

Хотя первопричина ошибки проста и понятна, ее устранение потребует обширных и систематизированных усилий, причем как от государств и международных структур, так и от конкретных организаций и частных лиц.

В ряде случаев, впрочем, возможно более короткое «путешествие во времени» — в точку 0, то есть в 1970 год.

Злонамеренная эксплуатация Y2K38Командам ИТ и ИБ стоит относиться к Y2K38 не как к простой программной ошибке, а как к уязвимости, которая может приводить к различным сбоям, включая отказ в обслуживании.

В базах данных тоже мозаика: тип TIMESTAMP в MySQL фундаментально ограничен 2038 годом и требует миграции на DATETIME, в то время как стандартные типы timestamp в PostgreSQL безопасны.…

И самое «веселое» тут то, что отвечать приходится не только за свой периметр, но и, фигурально выражаясь, «за того парня».

И в отчете четко написано, кто не только обещает, но и реально делает.

Не редкость, но и не массовая фича — только семь производителей кроме нас ее поддерживают.

И что это пустая трата денег, и что это никому не нужно.

Мы задали этот тренд, мы его возглавили, и мы будем его тащить дальше.

Но куда большую тревогу вызывает характер контента в этих базах.

Сайт компании, помимо прочего, дает возможность использовать инструменты для генерации изображений и контента с помощью ИИ.

Эти инструменты позволяли пользователям генерировать картинки по текстовому описанию, редактировать загруженные фотографии и выполнять различные визуальные манипуляции, включая создание откровенного контента и подстановку лиц.

Именно с этими инструментами была связана утечка, а база данных содержала результаты их работы, включая сгенерированные и отредактированные с помощью ИИ изображения.

Часть изображений заставила исследователя предположить, что они были загружены в ИИ в качестве референсов для создани…

Благодаря удобству технологии NFC и оплаты смартфоном, в наши дни многие вообще перестали носить кошелек и не могут вспомнить ПИН-код от банковской карты.

Что такое ретрансляция NFC и NFCGateРетрансляция NFC — это техника, при которой данные, бесконтактно передаваемые между источником (например, банковской картой) и приемником (например, платежным терминалом), перехватываются на одном промежуточном устройстве и в реальном времени передаются на другое.

Оно предназначалось для анализа и отладки NFC-трафика, а также для обучения и экспериментов с бесконтактными технологиями.

В мае 2025 года попытки применения SuperCard X были зафиксированы и в России, а в августе — в Бразилии.

Впоследствии вре…

За словами «заманивают» и «предлагают» скрывается широкий спектр тактик: почтовые рассылки, сообщения в мессенджерах и посты в соцсетях, напоминающие официальную рекламу, сайты-двойники, продвигаемые в поисковых системах инструментами SEO и даже платной рекламой.

Особенно остро эта проблема стоит для IT-компаний, продающих онлайн-сервисы, но актуальна и для розничных брендов.

Особенно остро эта проблема стоит для IT-компаний, продающих онлайн-сервисы, но актуальна и для розничных брендов.

Из перечисленных нами косвенных потерь покрытие стандартной страховкой может компенсировать расходы на DFIR и в ряде случаев на клиентскую поддержку (если ситуация признана страховым случаем).

Как защитить…

Особенно любопытна эта атака тем, что в этот раз злоумышленники потратили определенные усилия для маскировки своей активности под коммуникацию с известным сайтом и работу легитимного ПО.

Кроме того, зловред умеет делать скриншоты с экрана жертвы и собирать файлы в интересующих злоумышленников форматах (преимущественно разнообразные документы и архивы).

Файлы размером меньше 100 МБ вместе с остальной собранной злоумышленниками информацией отправляются на другой сервер коммуникации с названием ants-queen-dev.azurewebsites[.]net.

Как оставаться в безопасностиНаши защитные решения выявляют как используемый в этой атаке вредоносный код, так и коммуникацию с командными серверами злоумышленников.

…

Что нужно знать об этих изменениях и какие знания и привычки взять с собой в 2026 год?

Мы рекомендуем Kaspersky Premium — с ним вы получите и защиту от вредоносного ПО, и оповещения (если ваши личные данные засветились в каких-то публичных утечках), и менеджер паролей, и родительский контроль, и многое другое.

Как и в случае с фастфудом, телевизором, TikTok и другими легкодоступными благами, важно найти баланс между здоровым применением этих помощников и опасными привычками.

А где-то вам подключили дополнительную опцию, о которой вы и не знаете, и ее нужно отключить.

Предполагается, что нейросети помогут дому самостоятельно решать, что и когда делать, чтобы владельцу было удобнее, — без зар…

В основном Stealka распространяют на популярных ресурсах — вроде GitHub, SourceForge, Softpedia, sites.google.com и других — под видом кряков известных программ, читов и модов для игр.

Чем опасен стилер StealkaУ Stealka достаточно большой арсенал возможностей, но «лакомый кусок» для него — данные из браузеров на движках Chromium и Gecko.

Не менее интересны для хакеров куки-файлы и токены сессий, которые позволяют обойти двухфакторную аутентификацию и угнать аккаунты без ввода пароля.

В зоне риска — Discord, Telegram, Unigram, Pidgin, Tox и другие.. В служебных файлах мессенджеров хранятся данные об аккаунтах, идентификаторы устройств, токены авторизации и параметры шифрования переписки.

— S…

Наши эксперты из команды GReAT обнаружили и исследовали новую волну целевых рассылок за авторством APT-группы «Форумный тролль».

Внутри содержались персонализированные ссылки, по которым жертве предлагали скачать отчет о проверке какого-то материала на плагиат, что, по замыслу атакующих, должно было заинтересовать ученых.

В случае если жертва испытывала сомнения в легитимности письма и заходила на страницу e-library{.

Сам файл, впрочем, не был персонализирован — это был достаточно размытый отчет в формате одной из российских систем проверки на плагиат.

Мы рекомендуем устанавливать надежные ИБ-решения не только на все устройства, с которых сотрудники выходят в Интернет, но и на почтовый шлюз…

Мы в «Лаборатории Касперского» изучили, какой путь проходят данные после фишинговой атаки: кому они достаются, как их сортируют, перепродают и используют на теневом рынке.

: реквизиты карт, данные от криптокошельков.

В таких архивах часто попадаются мусорные и устаревшие данные, и поэтому стоят они недорого: стартовая цена — $50.

Данными пользователей торгуют при этом не только в даркнете, но и в старом добром Telegram.

Несложно догадаться, что наиболее дорогой и востребованный товар на этом рынке — данные от банковских аккаунтов и криптокошельков.

Разумеется, сообщать облачный пароль нельзя никому — он нужен исключительно для того, чтобы войти в ваш аккаунт в Telegram.. Сделайте это в разделе Настройки → Конфиденциальность Telegram прямо сейчас.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Telegram и хранить как его, так и ключ доступа для Telegram в Kaspersky Password Manager.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Teleg…

As we navigate an increasingly interconnected world, the conversation around privacy and data governance continues to evolve at a breathtaking pace.

This isn’t just about risk mitigation; it’s about trust, unlocking growth, and showing that privacy is a vital part of data infrastructure that drives innovation.

Looking ahead, an impressive 93% plan to allocate even more resources to privacy and data governance to manage the growing complexity of AI systems and related risks.

The Cisco 2026 Data and Privacy Benchmark Study reveals an enterprise landscape in transition, where privacy, AI, data governance, and cybersecurity are converging under a single principle: trust.

I encourage you to expl…

In response, Cisco is the first hybrid mesh firewall vendor to introduce intent-based policy management across multi-vendor firewalls through Cisco Security Cloud Control with Mesh Policy Engine.

Mesh Policy Engine handles the determination of what device should get what policy, then deploys it.

Cisco Hybrid Mesh Firewall continues to expand what’s possible in firewall policy management, empowering organizations to move faster, stay secure, and maintain clarity in an ever-changing IT landscape.

See how Mesh Policy Engine can help you adopt Cisco Hybrid Mesh Firewall more easily.

Register for a hybrid mesh firewall design clinic.

Cisco Talos Incident Response (Talos IR) handles these types of crises daily.

The reality gapMost security teams imagine incident response as a purely technical exercise: analyze threats, isolate systems, remove malware, restore from backups.

The preparation paradoxHere’s what organizations discover too late: Incident response retainers cost a fraction of what emergency rates do during global cyber events.

The difference between organizations that emerge stronger and those that simply survive is that the former understand incident response before needing it.

To learn more about how Talos IR can help your organization prepare, respond, and recover from cyber incidents, read our complete behi…

In my last two blogs, I delved into the results of the 2025 Cisco Segmentation Report to highlight the importance of macro- and micro-segmentation and to identify the primary challenges hindering segmentation journeys.

Today, I dive further into the survey results to discuss the benefits organizations can achieve when they successfully implement a dual macro- and micro-approach to segmentation.

Three Benefits of a Successful Segmentation StrategyThe good news is that the survey results indicate that organizations further along in their segmentation journeys are indeed achieving measurable benefits from their successful macro- and micro-segmentation implementations.

If you haven’t already, c…

A Cisco Talos Incident Response (Talos IR) Retainer doesn’t only help you respond to threats but fundamentally changes how your organization approaches cybersecurity.

A Talos IR Retainer delivers organization-wide benefits that strengthen organization’s entire security ecosystem.

The Talos IR retainer works seamlessly with your existing security tools, while providing access to real-time intelligence on adversary tactics.

Read the full blog to see how a Talos IR Retainer can transform your cybersecurity posture from vulnerable to vigilant: Why a Cisco Talos Incident Response Retainer is a game-changer.

Ask a question and stay connected with Cisco Security on social media.

In this context, the importance of Data Loss Prevention (DLP) capability for data protection cannot be overstated.

Cisco Secure Access: Unified, AI-Powered Data Loss Prevention (DLP) for the Modern EnterpriseCisco Secure Access delivers the next generation of Data Loss Prevention (DLP) as a core component of our Security Service Edge (SSE).

Secure Access DLP also plays a vital role in enabling the safe use of generative Artificial Intelligence (AI) applications and model repositories.

The Endpoint DLP Advantage: Safeguarding Data Movement at the SourceIncorporating endpoint DLP into an organization’s data protection strategy brings immense value.

Recognizing this, Cisco Secure Access launch…

Cisco ISE: Live network visibility—but not always aligned with CMDB metadata or lifecycle information.

The Old Way Was LimitedPrevious integrations between Cisco ISE and ServiceNow attempted to close this gap by pushing CMDB attributes into ISE.

The Cisco ISE + ServiceNow Service Graph Connector finally closes the loop between visibility and control.

With Service Graph Connector for Cisco ISE, watch your network inventory come alive.

Ask a question and stay connected with Cisco Security on social media.

Cisco Identity Intelligence is now the first Cisco product to deliver a customer facing capability powered entirely by a Cisco built artificial intelligence model, Foundation-sec-1.1-8B-Instruct.

Strengthening Identity Security Through Deeper InsightCisco Identity Intelligence helps organizations understand and respond to identity related risk across their entire environment.

A key part of this experience is the weekly email digest that Cisco Identity Intelligence sends to administrators.

Why the Cisco Foundation Model MattersCisco Identity Intelligence selected the Cisco Foundation AI model because it offers clear advantages in quality, control, and long-term strategic alignment.

A Cisco-o…

According to our survey results, 94% of organizations are currently facing segmentation challenges, which range from technical to non-technical issues.

Challenges Inhibiting Segmentation ProjectsUnderstanding the challenges organizations face will ease the transition from partial to comprehensive segmentation implementations, allowing organizations to accelerate their progress through their segmentation journeys.

Currently, what are/ could be the biggest segmentation challenges you are/ could be experiencing at your organization?

Overcoming Segmentation Challenges Enables a Proactive Security StrategySegmentation remains a foundational element of enterprise security.

In the meantime, downlo…

Thanks to Duo, I was quickly given access to all the essential tools: Cisco XDR, Splunk, firewall dashboards, and more from the duo directory.

Detection: Cisco XDR flagged the suspicious behavior, visualizing the connections between one internal asset and several high-risk external hosts.

This raised immediate concerns about potential malware or command-and-control activity (see Cisco XDR investigation below).

In summary, my first SOC experience turned initial nerves into genuine confidence.

Ask a question and stay connected with Cisco Security on social media.

As a reminder, when a Windows client is seeking to talk to a domain controller it will make DNS queries for SRV records for names like _kerberos._tcp.dc._msdcs.DOMAINNAME or _ldap._tcp.dc._msdcs.DOMAINNAME.

These DNS requests enable the client to find nearby Kerberos or LDAP servers for their domain.

Finally, the Cisco Live network is designed to be a safe network for attendees to use.

A properly configured VPN client like Cisco Secure Client can support both a full tunnel VPN and “Start Before Login”.

Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.

Kerberoasting: An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

Cisco XDR: Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Secure Network Analytics: NetFlow analytics to surface scanning, beaconing, and anomalous connection patterns at scale.

Building on the success of the 2nd annual Security Operations Centre (SOC) at Cisco Live Melbourne (Asia Pacific Japan) 2024, the executive team supported the first SOC for Cisco Live San Diego (Americas) and invited the team back for 20025.

The SOC at Cisco Live SOC was successfully deployed in just 12 hours over 1 ½ days, demonstrating extensive prior planning and specialized expertise.

The partnership with Endace, a highly skilled full-packet capture provider, whose experience in the 2025 SOC was critical and extended to their commitment for Cisco Live Melbourne.

For example, Ryan MacLennan created an AI model to find domain generated algorithms at the Cisco Live AMER Security SOC.

Ackno…

Joining the Security Operations Centre (SOC) team in Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME).

As a Tier1 / Tier 2 analyst the first screen to look at is Cisco XDR, that will bring incidents from the different data sources including Splunk Core.

Day 1 at Cisco Live and guess what?

Distributed Deniel of Service (DDoS) activity was detected targeting Cisco TV devices connected to Cisco Live network.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

In the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security, and Splunk SOAR to provide automated detections of cleartext credential leakage.

We resolve this using the coalesce function in Splunk’s eval command.

The coalece function will return the first non-null value from a list of possible values, just like the COALESCE function in SQL.

In our case, we use it like so:However, during Cisco Live we discovered a problem with this logic.

One answer is a Splunk macro.

That shared spirit of collaboration is exactly why we’re proud to celebrate our 2026 Microsoft Security Excellence Awards winners—exceptional teammates who elevate the game for everyone.

On Monday, January 26, 2026, in Redmond, Washington, we brought together the all‑star players of the Microsoft Intelligent Security Association (MISA), partners, finalists, and Microsoft security leaders—to honor the innovators, defenders, and visionaries driving the future of cybersecurity.

“Congratulations to this year’s Microsoft Security Excellence Awards winners and all the remarkable finalists,” said Vasu Jakkal, Corporate Vice President, Microsoft Security Business.

To learn more about Microsoft Secu…

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains.

As my office expands its engagements with the government, we are committed to listening to our customers’ security needs, increasing our opportunities to share threat information, and hearing their security priorities and challenges first-hand.

Learn moreTo hear more from Microsoft Deputy CISOs, check out the OCISO blog series.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Figure 1: A visual representation of the 3 elements Copilot Studio agents relies on to respond to user prompts.

Microsoft Copilot Studio agents are composed of multiple components that work together to interpret input, plan actions, and execute tasks.

Final wordsSecuring Microsoft Copilot Studio agents during runtime is critical to maintaining trust, protecting sensitive data, and ensuring compliance in real-world deployments.

As you build and deploy your own Microsoft Copilot Studio agents, incorporating real-time webhook security checks will be an essential step in delivering safe, reliable, and responsible AI experiences.

Learn more about securing Copilot Studio agents with Microsoft Def…

And by choosing Microsoft Security, these customers are securing the foundation of their AI transformation from end to end.

Unified protection and measurable impactPartnering with Microsoft, Ford deployed Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Microsoft Entra to strengthen defenses, centralize threat detection, and enforce data governance.

Driving security efficiency and resilienceBy integrating Microsoft Security solutions—Defender for Cloud, Microsoft Sentinel, Purview, Entra, and Microsoft Security Copilot—Icertis strengthened governance and accelerated incident response.

Share your thoughtsAre you a regular user of Microsoft Security products?

Also, follow us on …

And by choosing Microsoft Security, these customers are securing the foundation of their AI transformation from end to end.

Unified protection and measurable impactPartnering with Microsoft, Ford deployed Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Microsoft Entra to strengthen defenses, centralize threat detection, and enforce data governance.

Driving security efficiency and resilienceBy integrating Microsoft Security solutions—Defender for Cloud, Microsoft Sentinel, Purview, Entra, and Microsoft Security Copilot—Icertis strengthened governance and accelerated incident response.

Share your thoughtsAre you a regular user of Microsoft Security products?

Also, follow us on …

Microsoft Defender Researchers uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts.

Stage 5: Phishing campaignFollowed by Inbox rule creation, the attacker initiated a large-scale phishing campaign involving more than 600 emails with another phishing URL.

Mitigating AiTM phishing attacksThe general remediation measure for any identity compromise is to reset the password for the compromised user.

DetectionsBecause AiTM phishing attacks are complex threats, they require solutions that leverage signals from multiple sources.

Using …

Microsoft Defender Researchers uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts.

Stage 5: Phishing campaignFollowed by Inbox rule creation, the attacker initiated a large-scale phishing campaign involving more than 600 emails with another phishing URL.

Mitigating AiTM phishing attacksThe general remediation measure for any identity compromise is to reset the password for the compromised user.

DetectionsBecause AiTM phishing attacks are complex threats, they require solutions that leverage signals from multiple sources.

Using …

The rise of AI Agents marks one of the most exciting shifts in technology today.

This fundamentally changes the security equation, making securing AI agent a uniquely complex challenge – and this is where AI agents posture becomes critical.

The goal is not to slow innovation or restrict adoption, but to enable the business to build and deploy AI agents securely by design.

As a result, securing AI agents demands a holistic approach.

Build AI agents security from the ground upTo address these challenges across the different AI Agents layers, Microsoft Defender provides a suite of security tools tailored for AI workloads.

The rise of AI Agents marks one of the most exciting shifts in technology today.

This fundamentally changes the security equation, making securing AI agent a uniquely complex challenge – and this is where AI agents posture becomes critical.

The goal is not to slow innovation or restrict adoption, but to enable the business to build and deploy AI agents securely by design.

As a result, securing AI agents demands a holistic approach.

Build AI agents security from the ground upTo address these challenges across the different AI Agents layers, Microsoft Defender provides a suite of security tools tailored for AI workloads.

To stay ahead in the coming year, we recommend four priorities for identity security leaders:Implement fast, adaptive, and relentless AI-powered protection.

Secure Access Webinar Enhance your security strategy: Deep dive into how to unify identity and network access through practical Zero Trust measures in our comprehensive four-part series.

Where to learn more: Get started with Microsoft Entra Agent ID and Microsoft Entra Suite.

An Access Fabric solution wraps every connection, session, and resource in consistent, intelligent access security, wherever work happens—in the cloud, on-premises, or at the edge.

Microsoft Entra delivers integrated access security across AI and SaaS apps, interne…

That’s why Microsoft is honored to be named a Leader in the 2025-2026 IDC MarketScape for Worldwide Unified AI Governance Platforms (Vendor Assessment (#US53514825, December 2025).

Our own approach to AI is anchored to Microsoft’s Responsible AI standard, backed by a dedicated Office of Responsible AI.

Industry‑leading responsible AI infrastructure Implement responsible AI practices as a foundational part of engineering and operations, with transparency and fairness built in.

Microsoft embeds its Responsible AI Standards into our engineering processes, supported by the Office of Responsible AI.

Strengthen your security strategy with Microsoft AI governance solutionsAgentic and generative AI…

That’s why Microsoft is honored to be named a Leader in the 2025-2026 IDC MarketScape for Worldwide Unified AI Governance Platforms (Vendor Assessment (#US53514825, December 2025).

Our own approach to AI is anchored to Microsoft’s Responsible AI standard, backed by a dedicated Office of Responsible AI.

Industry‑leading responsible AI infrastructure Implement responsible AI practices as a foundational part of engineering and operations, with transparency and fairness built in.

Microsoft embeds its Responsible AI Standards into our engineering processes, supported by the Office of Responsible AI.

Strengthen your security strategy with Microsoft AI governance solutionsAgentic and generative AI…

In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.

Common attacks using RedVDS infrastructureMass phishing: In most cases, Microsoft observed RedVDS customers using RedVDS as primary infrastructure to conduct mass phishing.

Microsoft Defender XDR threat analyticsMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

]com URL Re…

In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.

Common attacks using RedVDS infrastructureMass phishing: In most cases, Microsoft observed RedVDS customers using RedVDS as primary infrastructure to conduct mass phishing.

Microsoft Defender XDR threat analyticsMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

]com URL Re…

In this article, Terrell Cox, Vice President for Microsoft Security and Deputy CISO for Privacy and Policy, dives into the intersection of privacy and security.

Microsoft Trust Center Our mission is to empower everyone to achieve more, and we build our products and services with security, privacy, compliance, and transparency in mind.

In my role as Vice President for Microsoft Security and Deputy CISO for Privacy and Policy at Microsoft, I see privacy and security as two sides of the same coin—complementary priorities that strengthen each other.

To learn how Microsoft empowers organizations to innovate securely, explore Microsoft Security Solutions.

Also, follow us on LinkedIn (Microsoft Se…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…