Космический камень летел со скоростью около 120 тысяч км/ч и разрушился высоко в атмосфере

Томас Левенсон показывает, что доводы против вакцин почти не изменились со времен оспы, хотя на стороне прививок теперь микробиология, иммунология и огромная статистика.

Коллаборация IceCube отвергла старую схему с одной степенной зависимостью и нашла заметный перелом около 30 ТэВ.

В цепочке хватило одного слабого места, чтобы защита превратилась в проблему для всей сети.

Как энтузиасты получили доступ к закрытым технологиям элитных лабораторий?

Linux Foundation раздает ИИ-агентам виртуальные паспорта.

Все ваши годы учебы в филармонии — на свалку.

Касперский предупредил, как копеечная экономия открывает доступ к вашим камерам в спальне.

Новые дата-центры поглощают ресурсы со скоростью огромных городов.

Этот волновод в 5000 раз эффективнее обычного.

Пентагон десять лет закрывал глаза на утечки координат американских солдат.

Эндрю Келли рассказал, куда на самом деле спешит Zig.

3000 лет наблюдений, зонды внутри короны — а главные вопросы до сих пор без ответа.

Имя THEY-NEVER-TEST в баг-репорте Microsoft говорит само за себя.

Если бы только учёные знали, где живёт сознание.

ВведениеСпециально к конференции ЦИПР 2026, которая проходила в Нижнем Новгороде с 18 по 21 мая, АНО «Центр компетенций по импортозамещению в сфере ИКТ» (ЦКИТ) провело исследование, посвящённое ситуации, сложившейся с использованием зарубежного ПО в России.

И в целом проекты по миграции офисных приложений затрагивают большие массы пользователей, и в силу этого они масштабные и длительные.

Однако, как напоминает Дмитрий Хомутов, 71 % лицензий на Exchange в России изначально приобретались как бессрочные.

С другой стороны, как предупреждает Рустам Калимуллин, использование неподдерживаемого ПО, Exchange в том числе, создаёт целый ряд довольно серьёзных рисков.

Клиент RuPost Desktop«Самая сложн…

В авиа-, двигателе- и судостроении, на транспорте, в строительстве и ЖКХ доля российского ПО превышает 90%.

Например, «Роскосмос» представил модели модулей Российской орбитальной станции, перенесённые из импортного ПО в систему T-FLEX PLM.

Конференция ЦИПР 2026Во 2 день работы ЦИПР на выставке были представлены другие новые технологические решения.

Она будет направлена на выявление новых уязвимостей и атак в области ИИ, интернета вещей и других перспективных технологий.

Такой формат, как и в прошлом году, позволил выровнять ожидания и сформировать более согласованное понимание того, как должна развиваться цифровая среда и какие решения в ней действительно используются.

Однако в МТС отметили, что в разных регионах эта доля отличается, и там, где она выше, сроки рефарминга сдвигаются.

А вот 2G, ориентированному на передачу голоса и небольших объёмов данных, рефарминг угрожает в меньшей степени, и он будет существовать ещё долго.

А такие есть и в Центральной России, например Тверская область.

Однако такое характерно для не самых распространённых деноминаций (ряда старообрядческих согласий, некоторых направлений протестантизма, хасидов).

Впрочем, некоторые компании имеют частные сотовые сети и не зависят от операторов, но таких — считанные единицы.

Однако инструменты самозащиты приложений во время выполнения незаменимы для сценариев, где традиционные средства ИБ, обеспечивающие поиск уязвимостей, недостаточно эффективны.

Runtime Application Self-Protection (RASP) — это технология самозащиты приложений во время выполнения, работающая по принципу «защиты изнутри».

Отличие RASP от WAFПоскольку RASP защищает уже работающее приложение, существует мнение, что вместо него вполне можно использовать файрвол веб-приложений (Web Application Firewall, WAF).

Это решение для защиты приложений во время выполнения (RASP) от компании Contrast Security.

Он позволяет обеспечивать защиту приложений в режиме реального времени и может динамически внедрятьс…

Почему классический мониторинг не покрывает потребности современной инфраструктуры?

ИТ может построить мониторинг и тем, и другим способом, но только от бизнеса зависит, что окажется эффективнее.

Это позволит ориентироваться и в количественном, и в качественном аспектах: понимать, что произошло, и проводить ретроспективный анализ.

На основе ретроспективных данных нужно понять, какое изменение планируется внести и на что оно может повлиять, — то есть спрогнозировать ситуацию на будущее.

В третьем опросе выяснилось, что для зрителей сложнее всего при внедрении мониторинга ИТ-инфраструктуры (мультивыбор):Обосновать экономическую выгоду для бизнеса — 79 %.

Однако даже из сказанного выше можно сделать важный вывод: если убрать из корпоративной инфраструктуры центр сертификации, то многое сломается.

Ключевая проблема заключается не в том, чтобы добавить центр сертификации в инфраструктуру, а в том, чтобы заменить уже имеющийся.

Составляем список задач, которые должен будет решать центр сертификации, и оцениваем по нему будущую полезность и удобство эксплуатации системы.

Если организации нужно заменить центр сертификации от Microsoft на что-то другое, то ей есть из чего выбрать.

Обзор российского рынка центров сертификации (CA) — 2026Aladdin Enterprise CAС помощью корпоративного центра сертификации от «Аладдин Р.Д.» можно построить безопасную ко…

Эксперты отрасли обсудили современные угрозы и назвали самые частые ошибки в защите мобильных приложений.

В первом опросе зрители ответили, какую угрозу для мобильных приложений они считают самой опасной для бизнеса:Кража токенов и чувствительных данных — 32 %.

Какую угрозу для мобильных приложений вы считаете самой опасной для бизнеса?

Самые частые ошибки в защите мобильных приложенийЭксперты единодушны в том, какие именно проблемы встречаются в мобильных приложениях чаще всего.

Наиболее частыми проблемами в мобильных приложениях остаются IDOR, забытые тестовые креды, незащищённые диплинки, утечки идентификаторов и полное игнорирование защиты клиентского кода.

Как происходят утечки и что утекаетУтечки в ИИ-сервисы чаще всего происходят через сотрудников, корпоративные ИИ-инструменты и агентные системы.

Аналитики и руководители просят ИИ проверить расчёты или подготовить сводку, и в итоге в публичный сервис уходит часть отчётности, прогнозы и условия сделок.

В отчёте Netskope Cloud and Threat Report 2026 говорится, что в среднем организация фиксирует 223 попытки отправить корпоративные данные в публичные ИИ-сервисы в месяц.

Если злоумышленник подменит данные в этом источнике, модель начнёт выдавать изменённую информацию в ответах, и сотрудники будут работать с неконтролируемым, потенциально опасным контентом.

Схема атаки Codex (Источник: BeyondTru…

В «Диасофт» решили не ограничиваться формальным импортозамещением и создали СУБД RuDB и Digital Q.DataBase на базе PostgreSQL для более простой миграции с Oracle Database и Microsoft SQL Server.

Для заказчиков, которые уже используют западные СУБД и намерены перейти на российскую платформу, «Диасофт» предложил собственную коммерческую СУБД Digital Q.DataBase.

Современная СУБД с точки зрения пользователяСоздание СУБД Digital Q.DataBaseБазовым продуктом в этом тандеме СУБД является Digital Q.DataBase — собственная разработка «Диасофт».

Чтобы дать оценку рынку импортозамещения СУБД в России, отметим, что их созданием в настоящее время занимаются 61 команда разработчиков.

Digital Q.DataBase и «…

Дашборд Hscan, отображающий состояние безопасностиВозможности сканера:Сканирование внешней и внутренней инфраструктуры, инвентаризация активов, программного обеспечения (ПО) и операционных систем (ОС).

Его главная задача — найти потенциально опасные файлы и скрипты, устаревшие версии программного обеспечения (ПО) и специфичные для серверов проблемы конфигурации.

Его главная задача — найти потенциально опасные файлы и скрипты, устаревшие версии программного обеспечения (ПО) и специфичные для серверов проблемы конфигурации.

Бесплатный многофункциональный сканер для поиска сетевых уязвимостей и инвентаризации сети — обнаружения хостов и запущенных на них сервисов.

Бесплатный многофункциональны…

«Группа Астра» выпустила Облако Astra Cloud на российских процессорах Baikal-S. Это шаг к технологической независимости или выполнение требований регуляторов? Разбираемся вместе с экспертами. 1. Введение2. Регулятор готов откладывать сроки внедрения3. Astra Cloud на российских процессорах Baikal-S4. Выбор целей: импортозамещение и технологический суверенитет5. x86 vs ARM: признаки технологического суверенитета6. ARM TrustZone: контроль безопасности7. ARM CCA: непрерывный динамический процесс обеспечения безопасности8. Российский бизнес и технологический суверенитет9. ВыводыВведение14 мая разработчик инфраструктурного ПО «Группа Астра» объявил о выпуске облака Astra Cloud, построенного на пр…

Браузер превратился в главный инструмент сотрудника — и одновременно в новую мишень для кибератак.

По мере того как организации активно переносят свою инфраструктуру в облака, а корпоративные приложения массово мигрируют в веб-формат, роль браузера в ИТ-инфраструктуре возрастает.

Настройка и контрольПосле того как браузеры установлены и сотрудники приступили к работе, у ИТ- и ИБ-специалистов возникает потребность оперативно управлять политиками безопасности и функциональностью.

Консоль обеспечивает любую требуемую гранулярность настроек: управлять Браузерами можно как во всём парке сразу, так и на уровне отделов — вплоть до конкретного устройства.

В условиях, когда браузер стал главным рабо…

Андрей Черепанов, начальник отдела сопровождения, «Базальт СПО»Александр Махновский отметил, что не видит глобального проникновения решений российских вендоров в промышленные инфраструктуры.

Реализована интерпретация групповых политик в том виде, в котором они используются в AD, но под Linux.

В третьем опросе выяснилось, что для зрителей является основной трудностью при миграции с Microsoft AD на российские решения:Проблемы интеграции с существующими сервисами — 34 %.

В режиме репликации работаем как с плоским доменом, так и с контроллером поддоменов.

Итоговый продукт должен закрывать у заказчика не только потребности в службе каталогов, но и потребности в унификации в целом.

Согласно ему, полная замена используемого на них ПО на российское должна была произойти к 1 января 2025 года.

В ноябре 2025 года глава Минцифры Максут Шадаев на одной из конференций назвал новую дату, к которой ЗОКИИ должны перейти на российское ПО, — 1 января 2028 года.

Также для новых объектов срок перехода на российское ПО установлен в 5 лет с момента запуска проекта.

Они очень тесно и глубоко интегрированы с оборудованием, различными контроллерами и датчиками, часто также иностранного производства и с «закрытой» архитектурой.

Всё упирается как в наличие технологической базы, так и в сложность самого объекта.

Как действовать правильно, что передавать в РКН и какие меры реально снижают риски — практический разбор без формальностей.

Поэтому каждая компания должна определить собственные «красные», «оранжевые» и «жёлтые» зоны рисков и выстраивать защиту исходя из реальных угроз, а не шаблонов.

Поэтому регламенты и порядок действий должны быть зафиксированы документально: кто, когда и что делает, где хранятся логи, кто контролирует сбор данных.

Кто и в какие сроки передаёт данные в РКНЕсли инцидент касается защиты персональных данных, компания обязана сообщить об этом в Роскомнадзор.

В процессе специалисты выясняют, как именно произошёл инцидент, кто имел доступ к пострадавшему участку системы и каки…

Поэтому в RCQ мы старались, чтобы приватность держалась на устройстве и на структуре данных, а не на том, что мы хорошие ребята.

В этой статье разберём две вещи, которые из этого выросли: острова (свой сервер) и мультиличность (несколько независимых зашифрованных аккаунтов на одном телефоне).

Острова: свой сервер вместо нашегоРаз сервер это тупая труба, его можно вынести куда угодно.

Если сервер ваш, давить надо на вас, а не на нас, и вы сами решаете, что на нём хранится.

Главная сложность тут не в UI, а в том, чтобы личности реально не протекали друг в друга.

nxc smb 10.114.158.248 -u 'guest' -p '' SMB 10.114.158.248 445 HAYSTACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:HAYSTACK) (domain:thm.corp) (signing:True) (SMBv1:None) (Null Auth:True) SMB 10.114.158.248 445 HAYSTACK [+] thm.corp\guest:Гостя в этой машине принимают за своего, поэтом проведем разведку шар и юзеров.

~ nxc smb 10.114.158.248 -u 'guest' -p '' --shares --users SMB 10.114.158.248 445 HAYSTACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:HAYSTACK) (domain:thm.corp) (signing:True) (SMBv1:None) (Null Auth:True) SMB 10.114.158.248 445 HAYSTACK [+] thm.corp\guest: SMB 10.114.158.248 445 HAYSTACK [*] Enumerated shares SMB 10.114.158.248 445 HAYSTACK Share Permissions R…

Графический стек, виртуализация и новые драйверыФреймворк drm и драйверы AMDGPU и Intel в OpenBSD 7.9 синхронизировали с кодом из Linux 6.18.22 вместо прежнего 6.12.50.

В релизе появилась полноценная поддержка работы OpenBSD в качестве гостевой системы под Apple Hypervisor.

В OpenBSD 7.9 добавили поддержку USB4, PCIe-контроллеров Cadence, Qualcomm SC7280, GENI UART, Intel LPSS SPI и LTE-модема Quectel EC200A.

Безопасность на уровне загрузки и системных вызововНа amd64 в OpenBSD 7.9 появилась возможность загружать ядро и установочные образы bsd.rd напрямую из EFI-раздела.

Также в OpenBSD 7.9 обновили OpenSSH до 10.3, LibreSSL до 4.3 и OpenBGPD до 9.1.

Это делает их полезными, но меняет модель риска: агент с инструментами становится явным риском внутри инфраструктуры.

Zero Trust — это архитектурный подход, при котором сеть, пользователь, сервис или агент не получают доверие автоматически.

Агент автономен, читает недоверенный текст, вызывает инструменты и может ошибочно принять внешнюю инструкцию за часть задачи.

Zero Trust для агентов начинается с признания: агент — не «умный пользователь» и не безликий процесс на сервере.

Проведите tabletop не на один инцидент, а на несколько одновременных: prompt injection, утечка токена, poisoned RAG и вредный tool update.

Это не инструкция по обходу блокировок: конкретных рецептов «как сделать так, чтобы у вас работало» здесь не будет, для этого есть профильные ресурсы.

С декабря 2025 по май 2026, судя по публикациям, DPI-системы научились распознавать по сигнатурам и другие протоколы обхода: WireGuard, OpenVPN, VLESS, SOCKS5, L2TP.

Это применимо и в антифроде, и в обнаружении ботов, и в fingerprinting устройств.

Это не «конец Telegram» и не «обойти невозможно» — это новый виток давней гонки между детекцией и обфускацией протоколов.

Это технический разбор механики обнаружения протоколов, не политическое высказывание и не руководство по обходу блокировок.

20 мая 2025 года Stark Industries, Юрий и Иван Некулиты попадают в санкционный список ЕС.

Как, по данным исследователей, пытались сохранить инфраструктуруЧерез девять дней после санкций — 29 мая 2025 года — PQ.Hosting публично объявляет ребрендинг в THE.Hosting.

Как поймалиВ ноябре 2025 года в Дании шли муниципальные выборы.

Обыски прошли в трёх офисах в Энсхеде и Алмере и в двух дата-центрах — Дронтен и Схипхол-Райк.

20 мая 2025 — Stark и братья Некулиты попадают под санкции ЕС.

Сложное здесь не сайт, а удержать анонимную глобальную стену от превращения в помойку без модераторов и почти без бюджета.

Модерация должна ловить реальное зло (CSAM, насилие, угрозы) на любом языке, пропускать эмоцию, мат и политику, работать без человека в цикле и стоить почти ноль.

Архитектура: каскад, а не одна модельДешёвое и широкое в начале.

Что спросил r/selfhostedМы выложили это на r/selfhosted; пост набрал ~16k просмотров, комментарии оказались полезнее самого поста.

«Не сделает ли это next-gen firewall / DPI?» Другой слой: firewall смотрит трафик на угрозы, а это редакторское решение по содержанию сообщения.

Он откровенно не вписывался в социум, пока в 17 лет не попал на летнюю стажировку в IBM.

Компьютер не судил по внешности и не смеялся над странностями — он просто честно выполнял инструкции.

В те времена слово «хакер» означало виртуозного инженера, а не киберпреступника, и в стенах лаборатории царила настоящая технологическая утопия.

Был случай, когда он просто развернулся и ушел, узнав, что презентации крутят в Microsoft PowerPoint, а не в свободном LibreOffice.

В отличие от Гейтса или Джобса, он не построил IT-империю и не заработал миллиардов.

Но когда общей истории нет или сумма сделки большая — прямой перевод в USDT превращает сделку в чистый вопрос доверия.

Решение арбитра потом принимается по фактам, а не по тому, что стороны «помнят».

Агентства, студии, консультанты приводят клиентов по реферальной ссылке и получают до 1.5% с каждой сделки — не с регистрации, а с реального оборота.

Поэтому эскроу-сделка начинается не с депозита, а с зафиксированных условий.

Вы можете провести сделку с вашим контрагентом на платформе EscroWallet.io и оценить, насколько эскроу-сервис делает процесс заключения сделок удобнее и безопаснее.

Кроме упоминания о пароле находим информацию, что в работе есть база данных PostgreSQL, которая работает в докере.

Переходим в папку с бэкапов домена.

Переходим в папку с бэкапов домена.

docker exec -it scripts_ftp_1 bashПерейдем в папку volumes.

exitПеренесем файл в папку /tmp.

Для превентивного выявления подобных проблем организации и сообщества вроде NIST и OWASP рекомендуют использовать моделирование угроз в рамках своих гайдлайнов и фреймворков.

В этой статьеСуть процесса и практическая ценностьМоделирование угроз — это поиск и анализ угроз и способов их предотвращения для защиты какой-либо ценности (ассета).

Управление рискамиВот мы и провели полноценное моделирование угроз для нашего нового участка.

Она прикручивает публичные API-эндпоинты, которые обращаются к этому сервису, и вот уже у нас оказывается доступный публично ресурс без авторизации и с отличающейся от запланированной нагрузкой.

Межкомандное взаимодействиеЕсли вдруг коллеги найдут какие-то потенц…

Чтобы там не говорили в рекламе сервисов, но эффект есть, и он не сводится к «сервис ускоряет интернет».

Особенно если играешь не в своём регионе: Европа → Япония, Дальний Восток → Корея, Россия → Азия.

Провайдер выбирает маршрут не по принципу «как удобнее игроку».

Почему он может быть быстрееСамый простой сценарий: у провайдера плохой маршрут до игрового сервера, а у бустера лучше.

Если есть возможность, стоит сравнить:прямое подключение;обычный VPN в нужном регионе;игровой бустер с ближайшим узлом;игровой бустер с узлом ближе к игровому серверу;провод вместо Wi-Fi.

Необходимо упомянуть, что решения класса EDR часто имеют отдельную функциональность для защиты от вредоносов.

Но что, если есть понимание, что атака происходит здесь и сейчас и не все файлы зашифрованы?

Злоумышленники активно пользуются уязвимостями как для определения векторов атак, так и для повышения привилегий и отключения средств защиты.

Те сильные стороны искусственного интеллекта, которые помогают атакующему, могут быть также эффективно использованы для защиты.

Однако они же и наиболее понятны для защиты и реагирования: уже созданные средства защиты помогают выстроить безопасную экосистему и успешно противостоять современным угрозам.

Мы продолжаем работу над четвертым печатным спецвыпуском «Хакера», в который войдут лучшие статьи 2021–2022 годов.

Релиз номера запланирован на июль-август, но оформить предзаказ по специальной цене можно уже сейчас.

Спецвыпуск #4 продолжает серию бумажных сборников с лучшими материалами «Хакера» за последние годы.

Первые два спецвыпуска уже распроданы полностью и стали коллекционной редкостью, а остатки остальных тиражей постепенно заканчиваются на нашем складе.

Как и раньше, публикации будут дополнены комментариями авторов и редакции, которые расскажут о том, как готовились статьи, и что осталось за кадром.

В Microsoft тестируют новую функциональность Defender for Endpoint: платформа сможет автоматически изолировать рабочие станции, если заподозрит компрометацию.

В Microsoft тестируют новую возможность Defender for Endpoint: платформа сможет автоматически изолировать рабочие станции, если заподозрит компрометацию.

Такой хост отключается от корпоративной сети и других систем, однако продолжает поддерживать связь с сервисом Microsoft Defender for Endpoint (чтобы дальше отслеживать состояние машины и собирать телеметрию).

Как поясняют в Microsoft, автоматическая изоляция призвана снизить риск дальнейшего ущерба, затруднить боковое перемещение атакующих, а также предотвратить утечки данных и распр…

Злоумышленники продвигают малварь не только через отравление SEO в поисковиках, но и через рекомендации ИИ-помощников.

Она позволяет злоумышленникам не только использовать устройства жертв для скрытого майнинга, но и сохранять к ним долговременный удаленный доступ.

В компании полагают, что это развитие классической тактики отравления SEO, только теперь злоумышленники стремятся влиять не на поисковую выдачу, а на результаты, которые генерируют LLM.

Наличие постоянного доступа к системам жертв через ScreenConnect позволяет использовать скомпрометированные хосты для кражи данных, бокового перемещения по сети и даже последующего развертывания шифровальщиков.

В Microsoft подчеркивают, что сочета…

Дело в том, что в бло­ге ком­пании раз­работ­чики сооб­щили, что про­ект ока­зал­ся слиш­ком слож­ным, и поп­росили помощи у сооб­щес­тва.

Поэто­му сегод­ня мы выходим в паб­лик не с три­умфаль­ным анон­сом, а что­бы рас­ска­зать все как есть.

В начале мая пред­ста­вите­ли Рос­комнад­зора (РКН) со­обща­ли СМИ, что не огра­ничи­вают работу GitHub в Рос­сии.

По сути, речь идет об уяз­вимос­ти в инфраструк­турном ПО, на котором дер­жится зна­читель­ная часть интерне­та.

Стра­ница игры в Steam выг­лядела впол­не легитим­но, одна­ко ана­лиз показал, что ее основное пред­назна­чение, веро­ятно, зак­лючалось вов­се не в раз­вле­чении поль­зовате­лей.

Автор вредоносного npm-пакета для кражи данных у пользователей Claude допустил серьезную ошибку, из-за которой малварь раскрыла его приватный GitHub-токен.

В итоге исследователи смогли отследить украденные данные и изучить всю инфраструктуру атаки.

После установки вредонос авторизовывался на GitHub, используя либо токен из переменных окружения жертвы, либо встроенный в код резервный токен.

Украденные данные сохранялись в каталогах со случайными именами, что помогало злоумышленнику группировать данные по отдельным сессиям.

Специалисты рекомендуют всем, кто устанавливал этот пакет, немедленно отозвать токены GitHub и считать любые данные из каталога /mnt/user-data скомпрометированными.

В опенсорсном Git-сервисе Gogs обнаружили критическую уязвимость, которая позволяет выполнить произвольный код на сервере.

Проблема пока не получила идентификатор CVE, однако исследователи Rapid7 оценили ее в 9,4 балла по шкале CVSS и предупреждают: в зоне риска находятся практически все инстансы Gogs с настройками по умолчанию.

По умолчанию Gogs разрешает свободную регистрацию и не ограничивает создание репозиториев.

Эксперты Rapid7 насчитали около 1140 доступных из интернета инстансов Gogs, тогда как Shadowserver отслеживает более 2400 серверов, а Shodan — более 1000 связанных с Gogs IP-адресов.

Для демонстрации проблемы специалисты Rapid7 уже выпустили модуль Metasploit, который автомати…

Пока исследователь Nightmare Eclipse (он же Chaos Eclipse) продолжает свою войну с Microsoft и публикует все новые эксплоиты, в компании заявляют, что его действия могут вредить всей ИБ-экосистеме.

Исследователь заявлял, что публикует 0-day-эксплоиты в знак протеста против того, как специалисты Microsoft Security Response Center (MSRC) обращаются с ИБ-специалистами.

По его словам, представители Microsoft не просто игнорировали его сообщения и не выплатили вознаграждение за найденные проблемы, но также угрожали ему и обещали «разрушить его жизнь».

В Microsoft отдельно отметили, что после публикации эксплоитов специалисты были вынуждены «круглосуточно» анализировать последствия, разрабатывать…

Специалисты BI.ZONE Threat Intelligence сообщили о новых атаках группировки Fluffy Wolf на российские компании.

Иногда вложение прикреплялось напрямую, а в других случаях жертве предоставляли ссылку на GitHub-репозиторий, откуда загружался RAR-архив.

По словам исследователей, Fluffy Wolf активно использует GitHub, потому что такие ссылки выглядят легитимно и помогают обходить почтовые фильтры и другие средства защиты.

Отдельное внимание специалисты уделили новому загрузчику PowerLoader, который ранее не встречался в атаках Fluffy Wolf.

Кроме того, Fluffy Wolf продолжает использовать стилер PureLogs для кражи учетных данных, файлов cookie, истории браузеров и данных из почтовых клиентов.

Метод получил название FROST (Fingerprinting Remotely using OPFS-based SSD Timing) и не требует от жертвы ничего, кроме открытия вредоносного сайта.

В данном случае исследователи сосредоточились на SSD и измерении задержек при операциях ввода-вывода.

Лежащая в основе FROST идея проста: несколько процессов конкурируют за один и тот же ресурс, а злоумышленник измеряет возникающие при этом задержки.

Исследователи продемонстрировали, что по активности SSD можно определить, какие сайты открыты у пользователя в других вкладках (и даже в других браузерах), а также какие приложения работают на устройстве.

Более подробно о FROST и технических аспектах атаки специалисты обещают рассказать в июле, на …

Я решил вскрыть их в бук­валь­ном смыс­ле и пос­мотреть, что про­исхо­дит внут­ри, ког­да нет ни схем, ни докумен­тации, ни паролей — толь­ко муль­тиметр, паяль­ник и запас тер­пения.

Почему физический доступ — это game overВ информа­цион­ной безопас­ности есть акси­ома: если ата­кующий получил физичес­кий дос­туп к устрой­ству, все прог­рам­мные защиты сво­дят­ся к задер­жке, а не к гаран­тии.

SPI — шина, по которой про­цес­сор обща­ется с флеш‑памятью.

— шина, по которой про­цес­сор обща­ется с флеш‑памятью.

— мед­ленная шина для перифе­рии и EEPROM.

Как объясняют в ФБР, атака обычно начинается с фишингового письма или звонка.

Если сотрудник отказывается или схема не срабатывает по другим причинам, группировка переходит к следующему этапу: в офис компании отправляют человека, который представляется ИТ-специалистом.

Правоохранители подчеркивают, что группировка почти не оставляет следов в системе и в основном использует штатные средства удаленного доступа и администрирования, которые редко вызывают подозрения у защитных решений.

Судя по всему, после распада Conti в 2022 году SRG отделилась и сосредоточилась на кражах данных и вымогательстве.

В прошлом году специалисты ФБР предупреждали, что SRG атакует американские юридические и финансов…

Представители CrowdStrike, Google и Shadowserver Foundation провели совместную операцию, направленную на инфраструктуру ботнета Glassworm.

Исследователи одновременно вывели из строя все каналы связи ботнета — от блокчейна Solana и BitTorrent DHT до Google Calendar и традиционных VPS.

Напомним, что Glassworm появился еще в прошлом году и быстро стал одной из самых заметных угроз для разработчиков.

Хакеры распространяли вредоносные расширения для Visual Studio Code через OpenVSX и маркетплейс Microsoft, заражали npm- и Python-пакеты, а также компрометировали GitHub-репозитории.

По данным CrowdStrike, операторы Glassworm успели отравить более 300 GitHub-репозиториев, используя для этого украде…

Новый приказ, опубликованный на портале правовых актов 22 мая, заметно расширяет список данных о пользователях, которые операторы связи и владельцы сетевой инфраструктуры будут обязаны собирать, хранить и передавать силовым структурам.

Теперь речь идет не только о привычных IP-адресах и логинах, но и о паспортных данных, адресах, банковских реквизитах, геокоординатах и другой информации, позволяющей идентифицировать человека или организацию.

Помимо перечня собираемых данных, в приказе прописаны и технические детали: взаимодействие систем предполагается через GraphQL, WebSocket и HTTP-интерфейсы.

Однако после принятия «закона Яровой» в 2016 году требования серьезно расширились: операторы обя…

В Канаде задержали 23-летнего жителя Оттавы, которого власти США считают одним из операторов DDoS-ботнета Kimwolf.

Власти США и Канады сообщили об аресте 23-летнего Джейкоба Батлера (Jacob Butler), известного под ником Dort.

Канадские правоохранители задержали его в Оттаве по запросу США, где Батлера обвиняют в содействии при проведении компьютерных атак.

Как утверждают американские власти, Kimwolf представлял собой вариант ботнета Aisuru и в основном заражал Android-устройства с открытым Android Debug Bridge (ADB).

Мы подробно рассказывали о Kimwolf и Aisuru, а также о том, что ботнет стремительно рос необычным образом: за счет заражения Android-девайсов и резидентских прокси-сетей.

Мы не меняли стоимость подписки несколько лет и старались держать цену, несмотря на происходящее вокруг: рост расходов, инфляцию, подорожание сервисов и инфраструктуры.

Сейчас годовая подписка на «Хакер» стоит 4500 рублей, но с начала июня цена вырастет до 5000 рублей.

Кто-то приходит за новостями, кто-то — за практикой, кто-то — чтобы постоянно оставаться в контексте происходящего в ИТ и ИБ.

Несмотря на разговоры о «мертвом рынке» и ИИ, желающих учиться, строить карьеру в ИТ и развиваться не становится меньше.

Спасибо, что читаешь «Хакер» и остаешься с нами!

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections.

"Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection," Palo Alto Networks said in an advisory released on May 13, 2026.

"An authentication bypass in an edge facing enterprise VPN appliance can have s…

Earlier this March, Permiso also revealed how an attacker-controlled email containing specially crafted instructions, when summarized by Microsoft Copilot, could influence its output via a cross-prompt injection (XPIA) or indirect prompt injection.

In other words, a regular web page summarized with ChatGPT is enough to render phishing links, spoofed account alerts, remote images, and QR codes directly inside a trusted AI interface.

As organizations increasingly use ChatGPT for research and summarization, this vulnerability means any malicious web page an employee asks the AI chatbot to process could contain a payload that transforms ChatGPT into a phishing surface.

On the next restart, a ma…

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability.

"The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes."

CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4.

The latest activity documented by Sysdig sticks to the same pattern, the primary difference being that an LLM agent was used to drive the post-exploitation activity.

Sys…

A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.

DroneLink , which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay.

, which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay.

This is another sign suggesting GREYVIBE may not be a pure nation-state actor, as sophisticated adversaries are unlikely to make such mistakes.

"The group occupies a grey area between cybercrime and state-affiliated activity, com…

The platform underneath may be audited; the application built on it isn't.

Why a mature security stack still misses thisThe reflex of a CISO reading the numbers above is to check the stack.

It can't readily distinguish an unbounded population of custom applications hosted on a vibe-coding platform's subdomains from the platform itself.

Vibe-coded applications keep getting created; the picture you build this month will be incomplete next month.

Red Access is the agentless, session-layer security platform built for exactly this - SSE-grade visibility and governance at the session itself, across any browser, any device, including unmanaged ones.

The profile behind the package, named "sicoob," has also listed 11 other NuGet packages that have collectively racked up about 6,000 downloads.

The development coincides with the discovery of 14 malicious npm packages that typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries to harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from the host environment using a purpose-built credential harvester that's launched through a preinstall hook.

141 malicious npm packages published between May 7 and 27, 2026, that abuse npm as free static hosting for an ad-monetized web proxy targeting students, serving popunder ads to …

The page claims to offer two security tools: a firewall and a keyboard security program.

"The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims," ENKI said.

In the final stage, the DLL drops a loader component ("cacheMon.dat") that, in turn, executes HTTPSpy on the compromised system.

It supports basic functionality to set the current directory, sleep for a specific time interval, and run commands.

It supports basic functionality to set the current directory, sleep for a specific time interval, and run commands.

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions.

While "git rebase" solves the same problem as "git merge" -- i.e., integrating changes from one branch into another -- the former rewrites the project history by creating new commits for each commit in the original branch.

The "git rebase" action also accepts as an argument a shell command via an --exec flag that's executed after each commit is replayed.

A notable aspect of the vulnerability is that it does not require admin privileges or interaction with other users.

In an alternative scenario, a u…

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.

"The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said.

"Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell."

"Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device."

"Session cookies and saved browser creden…

"In recent weeks, several zero-day vulnerabilities have been publicly disclosed," the tech giant said.

"The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk."

"These conversations happen at researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities."

The fallout from these disclosures is said to have led GitHub to takedown the researcher's account last week.

Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that?

The weird part isn't that it works.

The weird part is how damn easy it still is.

Most breaches still start with trust abuse, stale configs, lazy access controls, or users getting socially engineered by someone sounding vaguely competent over the phone.

Stop assuming signed software, MFA prompts, or "internal-only" tooling means safe.

Might be time defenders stop pretending those shortcuts don't exist.

Instead, it is heavily concentrated among a small group of AI power users and a handful of dominant AI platforms that drive the majority of enterprise AI activity and sensitive data exposure.

It accounts for 36% of enterprise AI users and more than 55% of all AI conversations.

The growth of Copilot also signals something important: enterprise AI usage is starting to split between governed enterprise-native AI and consumer-driven AI adoption.

Block Personal Account Usage as Active Shadow AI: Unmanaged personal AI accounts and personal AI licenses expose sensitive enterprise workflows to uncontrolled AI environments.

Unmanaged personal AI accounts and personal AI licenses expose sensitive ent…

"These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said.

"The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure."

In the attack chain documented by Wiz, JINX-0164 has been found to leverage credible LinkedIn profiles to approach victims and offer a virtual meeting.

The captured data includes credentials from password managers, web browsers, and iCloud Keychain files; local admin credentials; SSH keys; configuration file…

Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively.

The Grandoreiro campaign "uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal," WatchGuard researcher Euler Neto said.

Active since 2016, Grandoreiro is an actively evolving banking malware that's capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories.

Some of the tactics overlap with a prior Grandoreiro campaign detailed by Kaspersky in October 2024.

The account's bio claims they are a "skilled and resou…

Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities.

According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background.

The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions.

The package is still available for download from npm and is estimated to have been downloaded 676 times.

The GitHub account linked to the campaign is no longer available, although …

Here's some of what caught Tony’s attention in May 2026:Poland’s Internal Security Agency (ABW) has released information about cyber-intrusions into ICS (industrial control systems) at five water treatment facilities in the country in 2024 and 2025.

The two main attack vectors – weak passwords and systems exposed directly to the internet – were the same as those used in attacks against the Polish energy sector that leveraged DynoWiper described by ESET researchers here.

What are some key mitigation steps against attacks targeting OT systems?

How do scams crypto ATMs work and how to stay safe?

Learn this and more in Tony's video and be sure to check out the April 2026 edition of Tony's month…

ESET APT Activity Report Q4 2025–Q1 2026 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2025 through March 2026.

During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests.

The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period.

Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to the country’s defense efforts.

Intelligence shared here is based m…

Alongside a number of freely available AI chatbots, major technology companies have moved into consumer-facing health AI with the launches of services such as Copilot Health, ChatGPT Health, and Amazon’s HealthAI that models help users interpret their medical records and ask questions about their symptoms, lab results and treatment options.

Misuse of AI chatbots in general is now the number one health technology hazard out there, according to one US patient safety organization.

Your health data is not like a stolen credit card that can be frozen while the details are replaced and reissued.

Even so, people should be cautious: health data is unusually sensitive, and anonymization doesn’t alwa…

Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak.

BTMOB at a glanceFirst described in February 2025, BTMOB has evolved from the SpySolr malware.

BTMOB APK creation toolHow does BTMOB spread?

For example, researchers Johnk3r and Merl recently spotted campaigns that spread BTMOB while impersonating Argentina’s tax and customs authorities.

ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK.

Many soccer fans may still be hunting for tickets, merchandise, travel and hospitality packages – and scammers know exactly how to exploit this demand.

]shop, uses a domain that looks close enough to FIFA and the 2026 World Cup to catch a hurried visitor.

Fake site impersonating the official FIFA World Cup 2026™ websiteThe trickery doesn’t stop there, however.

Official FIFA World Cup 2026™ websiteBut back to the fake website – here’s what happens if you want to “purchase” tickets or merchandise.

The countdown to the World Cup gives criminals a ready-made audience: countless people hunting for tickets, merchandise and various last-minute opportunities.

Discord and Microsoft Graph API C&C communicationIn 2025, Webworm started abusing Discord and Microsoft Graph API for C&C communication.

]com/anjsdgasdf/WordPress, which acts as a file stager for other tools and malware used by Webworm (one such tool used the compromised Amazon S3 bucket mentioned above).

WormFrpWormFrp is a proxy tunneling tool inspired by the existing fast reverse proxy (frp) utility that Webworm also uses.

ChainWormChainWorm is another custom proxy tool used by Webworm operators.

FilesSHA-1 Filename Detection Description CB4E5043333670738142 9707F59C3CBE8D497D98 SearchApp.exe WinGo/Agent.ZK EchoCreep backdoor using Discord for C&C.

Europe’s push for tech sovereigntyIn Europe, calls for greater tech sovereignty – the ability to choose and act independently, autonomously, and securely – have become almost deafening.

Over the last year in the EU, several groups of countries have coalesced around more or less political approaches to tech sovereignty.

This is where the EU’s enhanced focus on ICT supply chain security comes into foreground complementing the initiatives specifically aimed at tech sovereignty.

In response to growing demands for national tech sovereignty and protection of local competitiveness in various regions around the world, several US tech firms have begun offering “sovereign” solutions tailored to forei…

The truth is that geopolitical tension and conflict offers potentially rich pickings for opportunistic online scammers.

The backdrop of geopolitical turmoil, whether it’s Ukraine or Iran, adds weight to the stories they spin in order to achieve their goals.

Whatever tactics they choose, the end goal is usually the same: to harvest your credentials and/or personal and financial data.

They’re tried and tested and could come via email, text, social media or phone call.

Scammers know this and will create their own fake charities – or impersonate legitimate ones – to collect donations.

Every 10 minutes, the compromised computer’s fingerprint is sent to the C&C server via an HTTP POST request to https://book-happy.needbinding[.]icu/employment/documents-and-resources.

If the C&C server response content is larger than 100 bytes, the received data is executed using the eval method.

]icu N/A 2026‑03‑10 Cobalt Strike C&C server.

]icu N/A 2026‑04‑14 PicassoLoader C&C server.

]buzz N/A 2026‑04‑14 Cobalt Strike C&C server.

Smart glasses allow anyone to track and record the world around them.

So we probably shouldn’t be surprised that smart glasses are doing the rounds once more, after a failed attempt by Google to popularize them over a decade ago.

This presents significant security and privacy risks for both smart glasses users and the people they interact with.

Smart glasses give anyone the ability to record or take photos of strangers surreptitiously.

It might put you in physical danger if you lose track of your surroundingsFor bystanders:Keep your eyes peeled for anyone wearing smart glasses.

We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.

The table in the Analyzed CallPhantom apps section lists each app along with its key details, including the download count.

Examples of CallPhantom initial screensCampaign overviewThe CallPhantom apps we found on Google Play mainly targeted Android users in India and the broader Asia‑Pacific region.

No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent.

For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning th…

The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally.

NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’.

However, I think there may also be elements of legacy in the method used to calculate the most common passwords.

Breaking the cycleNow, how do we resolve this never-ending loop of negativity about passwords, along with the ridiculous situation that platforms still permit non-secure passwords?

There is a simple and effective way to resolve it: mandate complex passwords or, better yet, MFA.

In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.

sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS.

Android BirdCall analysisIn this section, we provide a technical analysis of the Android BirdCall backdoor – an Android port of the eponymous Windows backdoor written in C++.

Trojanized Android gamesAndroid BirdCall is distributed via trojanized Android games.

During our research, we observed 12 Zoho WorkDrive drives used by the Android BirdCall backdoor for C&C purposes.

Tony also offers insights that the they may hold for your own cyber-defenses.

Iranian-linked hackers are targeting Rockwell programmable logic controllers (PLCs), with almost 4,000 such devices exposed on the networks of U.S. critical infrastructure organizations, according to a warning from multiple U.S. federal agencies.

How can critical infrastructure organizations using Rockwell PLCs stay safe?

How do the FBI's figures compare to those from 2024 and what was the most damaging scam to affect businesses last year?

Learn this and more from Tony's video and be sure to check out the March 2026 edition of Tony's monthly security news roundup for more insights.

Calm feels like evidence that the danger has passed, which changes behavior in ways that reintroduce the danger.

Yet more trapsThe formal state of an organization’s security is easy to measure and – assuming all turns out well – also easy to feel good about.

When the confidence shattersThis all matters also because a ransomware intrusion is a business continuity event whose effects extend far and wide.

Discipline is everythingIn addition to the right tools and people, security that holds up over time rests on the habit of watching and adapting.

It’s what security tools can ‘convert’ into detections and alerts that let security teams act in time.

The Dutch National Police and the country’s National Cyber Security Center (NCSC) have taken offline 200 servers controlling a botnet of 17 million devices, the law enforcement agency announced on Thursday.

“Because residential proxies use real, trusted IP addresses, malicious use of them is much more difficult to detect or block.

Many security systems and websites trust traffic from residential proxy IPs more than traffic from data centers or anonymous VPNs.

A year ago, US and Dutch law enforcement disrupted 5socks and Anyproxy, two proxy-for-rent services that were marketed to and used by criminals.

Earlier this year, law enforcement agencies from several European countries and the US sim…

Attackers are delivering a broad-spectrum infostealer to enterprise computers by exploiting a known vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS).

About CVE-2026-35616CVE-2026-35616 is an improper access control vulnerability vulnerability in FortiClient EMS, a centralized management platform through which IT admins deploy, configure, and monitor FortiClient endpoint security software across all devices in an organization’s network.

The vulnerability was publicly disclosed in early April by Fortinet, after Defused Cyber spotted it being exploited as a zero-day.

“When specially crafted HTTP requests are sent to certain FortiClient EMS endpoints without vali…

Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior.

Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the technique allows a website to infer information about websites and applications active on a user’s system.

In this case, the signal comes from SSD contention, which occurs when multiple programs compete for access to the same storage device.

The technique relies on the Origin Private File System (OPFS), a browser feature that gives websites their own sandboxed storage area for saving data locally.

Website fingerprinting is less …

A newly documented phishing campaign is targeting professionals with fake LinkedIn business emails and abusing a trusted service operated by Adobe.

Those who open the attachment will be faced with a familiar-looking LinkedIn login page, with their email address already filled in.

They are impersonating a legitimate platform and the lure is not out of place, as professionals routinely receive business inquiries through LinkedIn.

By using double extensions, they disguised the attached HTML file as a PDF file, and the HTML file is heavily obfuscated.

Finally, they are abusing Adobe’s infrastructure: Rather than directing the victim directly to their own servers, the attackers send the browser …

Microsoft 365 Copilot, an AI assistant that helps people write, summarize, analyze information, and complete work tasks, has been redesigned.

It now serves as a single, flexible entry point to Copilot across Microsoft 365 apps, suggesting relevant actions based on the user’s work.

The experience is powered by Work IQ, the intelligence layer that personalizes Microsoft 365 Copilot and understands context, relationships, and work patterns.

Copilot works directly within Microsoft 365 appsThe new entry point provides access to Copilot in a side pane and directly within documents.

From asking people to adapt to technology, to shaping technology around how people actually work,” Jon Friedman, Chi…

Anthropic has released Claude Opus 4.8 and outlined plans for broader access to its Mythos-class models, which the company expects to make available to all customers in the coming weeks.

Claude Opus 4.8 (Source: Anthropic)Claude Opus 4.8 is available to all users, with pricing unchanged from Opus 4.7.

“Early testers have found Claude Opus 4.8 to be more reliable and sharper in its judgement when it’s performing agentic tasks,” the company wrote.

Opus 4.8 performed at a level similar to Claude Mythos Preview on measures of whether systems act in accordance with user interests and instructions.

Alongside the new model, Anthropic introduced Dynamic Workflows, a feature available in research pr…

Netskope has enhanced its NewEdge Network infrastructure, expanding data sovereignty capabilities to more regions than any other SASE cloud provider.

The NewEdge Network architecture provides national data localization features that address requirements for network transport, data processing, and metadata governance in major regions worldwide, while enabling Netskope to extend this coverage to additional countries.

User flows, data processing and security features are all computed locally.

The Netskope NewEdge Network was designed to give Netskope customers control and flexibility over where and how their data is secured.

Netskope NewEdge is the high-performance, private cloud network infra…

Claroty has launched Claroty Claire, a CPS-native AI security agent designed to help organizations defend mission-critical infrastructure.

The launch expands organizations’ capabilities for supporting the safety, uptime, and availability of cyber-physical systems.

Defending a rapidly expanding attack surface from supercharged threatsThe rate at which AI is expanding the CPS attack surface requires proactive steps be taken now.

According to Gartner, “AI is reshaping CPS security.

Minimize the attack surface and prevent downtime with an always-on team of agents that proactively prioritize and orchestrate remediation of exposures that would impact business continuity if exploited.

Humanix has announced a capability to identify live violations of organization-defined procedures governing IT support workflows.

Designed to prevent unauthorized access, these procedures typically require help desk and service desk agents to follow identity verification steps before fulfilling sensitive requests, such as credential resets.

Humanix exists to help cyber teams and help desk agents detect when someone is trying to manipulate an agent.

We’ve extended that detection to also include efforts to bypass an organization’s policies and procedures governing sensitive business transactions,” Stewart continued.

Consider a common scenario: an attacker calls the help desk posing as a new c…

Malware analysts spend a lot of time deciding which signals from a sandbox run are worth keeping.

What the study set out to doThe team built a detection framework for Windows-based IoT and industrial IoT gateways.

The feature set reads like a Trojan playbookThe retained features map to the stages of a Trojan compromise.

The detection list works as a behavioral checklist for threat hunting, EDR tuning, and detection-rule writing, independent of any single model.

Strong detection came from disciplined, domain-informed feature work that isolated behaviors specific to Trojan activity.

TotalAV Mobile Security helps protect devices from malicious websites, SMS scams, unsafe public Wi-Fi networks, and exposed credentials.

After downloading the app from the App Store, users provide an email address, select what they want to scan, and start a Smart Scan.

Breach Scan checks whether an email address appears in known data breaches and alerts if personal information has been exposed online.

Device cleanup and maintenanceTotalAV includes several device maintenance tools alongside its security features.

During testing, I liked the maintenance features because I had not come across similar functionality in other mobile security apps I tested.

In this Help Net Security video, Shankar Somasundaram, CEO at Asimily, explains how to build a risk-based vulnerability program.

Patching everything is not workable, and relying on CVSS scores fails because two-thirds of published CVEs are marked high risk.

Shankar walks through a better approach.

Then map attack paths to see which vulnerabilities are truly reachable in your environment.

He covers mitigation through patching, virtual patching with NACs and firewalls, and segmentation to shrink the blast radius.

Sysdig delivers cloud security that runs inside AI coding agentsSysdig announced headless cloud security, a cyberdefense platform designed for the agentic AI era.

Sysdig Headless Cloud Security enables customers to drop the traditional, one-size-fits-all UI approach and equip their AI agents as the primary operators of machine-speed, data-driven cyberdefense.

CTERA brings AI insights and automation for unstructured dataCTERA has announced the launch of CTERA InsightAI, an agentic AI intelligence layer for the CTERA Intelligent Data Platform.

The new capability is built on Promptfoo, an AI security platform that helps enterprises detect and address vulnerabilities in AI systems during develo…

Together, these investments establish a new model for enterprise use of open source software, from upstream development through production environments.

Open source software underpins modern enterprise infrastructure, with more than 90% of Fortune 500 companies relying on OSS.

Anthropic recently reported that its Mythos Preview model identified nearly 3,900 high- or critical-severity vulnerabilities in open source software alone.

Coordinate upstream disclosures: Share fixes upstream so that open source communities can include them in long-term maintenance.

This model allows enterprises to engage IBM and Red Hat to resolve critical security issues while strengthening open source overall thro…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Despite an unpopular Iran war and an even more unpopular Trump administration, college campus protests nationwide have gone silent.

It’s increasingly clear to us that these impacts are not incidental or ancillary to Trump administration policy.

Instead, we see a persistent strategy to maximize fear and chilling effects in ways that are corrosive to freedom and democracy.

Courts can block abuses of federal power, including illegal arrests, detentions and mass citizen databases.

But to resist chilling effects and their dangers over the long term, this would have to be the norm, not the exception.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals.

This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment.

When radio signals like WiFi travel through a space, they interact with the objects and people around them.

“By observing the propagation of radio waves, we can create an image of the surroundings and of persons who are present,” said Thorsten Strufe, a KIT professor and study co-author, in a press release.

“This works similar to a normal camera, the difference being that in our case, radio waves instead of light waves are used for the recognition.”

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Can you just maximize the security and privacy benchmark and call it a day?

Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security).

Over the last 30 years, security engineering for software evolved from black box penetration testing, through whitebox code analysis and architectural risk analysis to de facto process-driven standards like the Building Security In Maturity Model (BSIMM).

In the meantime we can make real progress in AI security by cleaning up our WHAT piles and managing risk by identifying and applying good assurance processes.

(Spoiler alert: no matter what we do, we still don’t get a secur…

(I lost track of her since college and her 1981 hit “”https://www.youtube.com/watch?v=Vkfpi2H8tOE”>O Superman.”)The origins of the quote is from Roger Needham:If you think cryptography can solve your problem, you don’t understand your problem and you don’t understand cryptography.

I modified the quote in the preface to my 2000 book Secrets and Lies:A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

I can’t tell you why me in 2000 didn’t credit Needham by name.

Somewhere along the line I dropped “security” from the phrase, and now say i…

It’s nasty, but it requires physical access to the computer:The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse.

It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM).

BitLocker is a mandatory protection for many organizations, including those that contract with governments.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Some AI-based video age-verification checks can be fooled with a fake mustache.

Upcoming Speaking EngagementsThis is a current list of where and when I am scheduled to speak:I’m giving a virtual talk on “The Security of Trust in the Age of AI,” hosted by the Financial Women’s Association of New York, at 6:00 PM ET on May 21, 2026.

I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany.

The event runs June 24–25, 2026, and my talk will be the evening of June 24.

I’m speaking at the Digital Humanism Conference in Vienna, Austria, on Tuesday, June 26, 2026.

I’m speaking at the Nuremberg Digital Festival in Nuremburg, Germany, on Wednesday, July 1, 2026.

While Anthropic’s model is really good at finding software vulnerabilities, so are other models.

The UK’s AI Security Institute found that OpenAI’s GPT-5.5, already generally available, is comparable in capability.

The tax code isn’t computer code, but it’s a series of algorithms with inputs and outputs.

As goes the tax code, so goes any other complex system of rules and strategies.

We’re seeing it right now in the deluge of software vulnerabilities that these models are finding and exploiting.

OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security VulnerabilitiesThe UK’s AI Security Institute evaluated GPT-5.5’s ability to find security vulnerabilities, and found that it is comparable to Claude Mythos.

Note that the OpenAI model is generally available.

And here is an analysis of a smaller, cheaper model.

It requires more scaffolding from the prompter, but it is also just as good.

Posted on May 13, 2026 at 7:03 AM • 0 Comments

The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure.

TruffleHog does this by monitoring a live feed that GitHub publishes which includes a record of all commits and changes to public code repositories.

In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, …

A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a.

“Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads.

Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage told KrebsOnSecurity he’s relieved Butler is in custody.

The DOJ said at least one of those services collaborated with Butler’s Kimwolf botnet.

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.

Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems.

“The available Git metadata alone does not prove which endpoint or device was used.”Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level.

CISA has not responded to questions about the p…

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code.

May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws.

But at the end of April, Oracle announced it was switching to a monthly update cycle for critical security issues.

Chrome automagically downloads available security updates, but installing them requires fully restarting the browser.

For a more granular look at the Microsoft updates released today, checkout this inventory by the SANS Internet Storm Center.

The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform.

Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance.

Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers.

For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs.

The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider.

But so-called “DNS reflection” attacks rely on DNS servers that are (mis)configured to accept queries from anywhere on the Web.

“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Nascimento said.

Nascimento flatly denied being involved in DDoS attacks against Brazilian operators to generate business for his company’s services.

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign.

That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan is the second known Scattered Spider member to plead guilty.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft.

Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities.

For example, a Google Chrome update released earlier t…

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today.

The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by …

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.

REvil never recovered f…

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP.

TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote.

The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices.

That disclosure help…

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan.

Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a.

Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploratio…

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint.

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program.

Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tues…

Dutch police have arrested a 35-year-old man suspected of hacking into the computer systems of Amsterdam football giant Ajax, after the personal data of hundreds of thousands of supporters was put at risk.

However, it quickly emerged that the claim of a "few hundred" potential victims was wide of the mark, as it was reported that the incident could have exposed the personal details of around 300,000 registered Ajax supporters.

In short, the number of supporters whose details were exposed was around 1000 times larger than the club's initial estimate.

Ajax says that it has worked with external experts to patch the vulnerabilities, and has strengthened its security.

It is easy to imagine that …

The Play ransomware gang is claiming to have stolen data from US pillow manufacturer MyPillow, making off with private and personal confidential data.

The company denies it has been hit, and the Play ransomware gang claims otherwise.

The truth is likely to emerge quickly, as the deadline for payment listed by Play on its leak portal is reached tomorrow.

We'll know soon enough whether Friday's payment deadline from the Play ransomware group brings a data dump or a quiet anticlimax.

One thing is certain - ransomware gangs target anyone they think might pay, and strong defences are needed by all organisations.

Smashing Security, Episode 469: What Your Oura Ring Won't Tell You, with Graham Cluley and special guest Lesley Carhart.

Because one of the things, I don't know how many people know this, but you are actively into martial arts.

I don't know.

I don't know if it's a real martial art, but I don't want to get in that argument with anybody.

And this is just a prime example of really, really, you did that.

The FBI has issued an advisory warning about a phishing-as-a-service platform that has recently emerged, which can hijack Microsoft 365 accounts without ever stealing a password.

Kali365 is a subscription service for scammers that was first spotted in April 2026, and has been promoted largely through Telegram.

Subscribers to Kali365 have access to AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking targets, and the ability to capture OAuth tokens.

If you've done that, you've used "device code flow."

And this is why the FBI's top recommendation is to block device code flow, with a conditional access policy in Microsoft Entra ID where appropriate.

For almost 20 years, stolen credentials have been the most common route for attackers into organizations, according to the Verizon Data Breach Investigations Report (DBIR). But that's no longer the case. Read more in my article on the Fortra blog.

Smashing Security, episode 468: High-Speed Train Hacks and Homicidal Lawnmowers.

I've not, but also given— I don't think— In my imagination, in my mind, Taiwan's not a massive island.

I don't know.

Yeah, I don't think that's too cheeky.

I think that's a very good question because models do, as they get more capable, they tend to eat some types of software, right?

The advisory doesn't say the platform that was hacked was Canvas, and that the company concerned was Instructure.

The security breach was not just big news on cybersecurity blogs, it made headlines worldwide.

There are a few possible problems with paying an extortion gang and trusting that they will honour the deal.

Furthermore, extortionists might falsely claim to have access to compromising information, such as embarrassing photographs or videos of victims.

Having receive a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future.

Prosecutors allege he is "Speedstepper" - the suspected main administrator of the notorious Dream Market dark web marketplace that operated from 2013 until its abrupt closure in 2019.

Dream Market's cryptocurrency wallets, holding millions of dollars worth in commission payments, went dormant after the site's closure.

But in November and December 2022, someone who had access to Dream Market's original private keys began to move funds around.

And, according to the indictment, those gold bars were shipped directly to Andresen's home address in Germany.

If the claims of prosecutors are true, it was a massive error by the man suspected of being the Dream Market kingpin.

The only weapon is the hackers' threat to release stolen data, or leave your systems permanently encrypted.

Instead, they are making threats to hurt their victims.

A study last year by identity security firm Semperis found that 40% of ransomware attacks saw criminals threatening physical violence against employees who refused to pay.

Some of the most disturbing instances of cybercrime spilling out into physical violence can be found where cryptocurrency and organised crime intertwine.

With physical threats seemingly becoming more common than ever before, it's clearly important for defenders to learn some lessons.

I don't know.

Yeah, that's it, that's it.

Now, one of those in your— I was about to say Filofax, but I don't think those are a thing anymore.

But you know, yeah, as you point out, a large part of this is through the same ecosystem.

He is professor of letters at a— I don't know which letters, I imagine all of them— at a university in Besançon.

One in eight UK workers admits to selling their company login credentials - or knowing someone who has - in the past 12 months. The really alarming bit? Their bosses are even more relaxed about it. Read more in my article on the Fortra blog.

Russia's military intelligence service, the GRU, directly controls who gets into Department 4, according to the leak.

It is GRU that is overseeing exams, and signing-off on graduates' postings, with some promising students scouted as early as secondary school.

Upon his graduation, he is said to have been assigned to the Fancy Bear hacking group, which was linked by the US Department of Justice over the high profile hack of the Democratic National Committee.

He has, it seems, gone from running the Fancy Bear hacking group to helping train its replacements.

What the report does is act as a useful reminder that the threat posed by groups like Fancy Bear and Sandworm is serious and organised.

Sri Lankan police have arrested 37 people suspected of running a scam centre in a suburb of the capital city Colombo.

Prior to that, in March, immigration officers arrested 135 Chinese men and women in connection with another scam centre.

So the obvious question to ask is: what are these alleged scam centres suspected of being doing?

Sri Lanka has recently boosted its appeal to foreign tourists by relaxing visa requirements, and has been "rewarded" by more scam centers popping up in its cities residential suburbs.

You don't have to live anywhere near a scam compound for any of this to land in your life.

Meta sees everything, copy fail, and a deepfake gets hired with Graham Cluley and special guest Paul Ducklin.

Sometimes I have to whisper and sometimes the whisper is edited out afterwards, say, "Say who you are."

They had this secret memo where they said, "Look, there's going to be a bit of aggro when we launch this.

So they say there's clear user consent, they say.

And we've got so many people that still don't know about the technology.

This is the picture that US prosecutors have painted of a teenager arrested earlier this month at Helsinki Airport while trying to board a flight to Tokyo.

Prosecutors allege that the teenage suspect took part in at least four Scattered Spider attacks , the earliest in March 2023 - just months after his 16th birthday.

The complaint also alleges that the Scattered Spider gang mocked law enforcement, with one 2024 screenshot reportedly showed failed login attempts captioned "F*** off, FBI."

Scattered Spider is a loosely-formed English-speaking collective of teenagers and young adults who became infamous after the 2023 attacks on MGM Resorts and Caesars Entertainment.

You should also consider …

Конкретные примеры современных вредоносных кампанийНесмотря на эти изменения, наши эксперты продолжают активно отслеживать новые вредоносные кампании и реагировать на современные угрозы.

Наши технологии зарегистрировали более тысячи вредоносных писем почти идентичной структуры, разосланных организациям из госсектора, строительной и промышленной отраслей, что прямо указывает на автоматизацию проводимых атак.

Примечательно, что в качестве резервного командного сервера загрузчик обращается к Solana Name Service, децентрализованному блокчейн-реестру, что существенно затрудняет блокировку инфраструктуры.

Обе группы активно применяют PowerShell-нагрузки и нацелены на российский госсектор, что ука…

Как настроить интеграцию Kaspersky Scan Engine c F5 BIG IP LTMНастройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

Как настроить интеграцию Kaspersky Scan Engine c NextcloudНастройка Kaspersky Scan EngineKaspersky Scan Engine должен работать в режиме HTTP.

Как настроить интеграцию Kaspersky Scan Engine c Hitachi NAS Platform 13.9Настройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

Как настроить интеграцию Kaspersky Scan Engine c RspamdНастройка Scan EngineKaspersky Scan Engine должен работать в режиме HTTPD.

Как настроить интеграцию Kaspersky Scan Engine c ARA JAGUAR 5000Настройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

В последнее время злоумышленники активно используют для фишинговых атак платформу Google AppSheet: через нее можно настроить почтовую рассылку, которая отправляется c почтового адреса, связанного с Google.

К сожалению, именно эта простота делает AppSheet привлекательным и для злоумышленников.

Ниже показано, как выглядит типичный путь от получения письма от якобы «карьерного портала Google» до кражи данных аккаунта:Аналогичные письма приходят от имени и других IT-гигантов.

Прежде всего смотрите не на отображаемое имя, а на адрес отправителя.

Куда более вероятно, что вы получите легитимную AppSheet-рассылку от имени небольшой компании или бизнеса, но уж точно не от IT-гигантов.

Поэтому неудивительно, что за прошедшие несколько месяцев исследователи кибербезопасности зафиксировали несколько случаев распространения вредоносного ПО под видом IPTV-приложений для Android.

В этом посте поговорим о том, что представляют собой IPTV-приложения, как с помощью их поддельных версий преступники распространяют вредоносное ПО, на что оно способно и, главное, как не стать жертвой.

Обычно они привлекают пользователей бесплатным или очень дешевым доступом к контенту, который может быть нелегко найти без дорогостоящих подписок — в первую очередь это трансляции различных спортивных мероприятий и, в частности, футбольных матчей.

Вместо этого поддельное приложение открывало во встроенн…

Хотя многие компании осознанно внедряют ИИ для повышения качества и эффективности, еще быстрее в них появляются ИИ-инструменты, руководством не санкционированные.

ИИ встраивают в уже применяемые компанией решения сами разработчики ПО (например, Microsoft Copilot и Gemini), а также самовольно устанавливают сотрудники.

И риски, и способы их снижения отличаются для разных видов ИИ-систем.

Мы дадим обзор этой широкой темы, сфокусировавшись на инструментах детектирования и блокировки ИИ на двух уровнях.

SalesforceВ режиме настроек (Setup) нужно воспользоваться поиском по словам connected apps и в результатах поиска нажать Manage Connected Apps.

Но вы даже не узнаете, что в ваше устройство уже внедрен вредоносный код, а злоумышленники смогут получить доступ даже к заблокированному смартфону.

Что такое BootROMЧтобы понять серьезность находки, сначала нужно разобраться в том, как загружается современное устройство на чипе Qualcomm.

Самый нижний — фундамент и база, самый доверенный уровень — BootROM, постоянная память, вшитая в кремний и недоступная для изменения после производства.

Почему патча не существует — и что делатьQualcomm был уведомлен о находке в марте 2025 года и подтвердил наличие уязвимости в своих чипах.

Если у вас на руках устройство с уязвимым чипом, воспользуйтесь нашими советами, которые помогут снизить риск заражен…

В решении для защиты почтовых шлюзов мы даже реализовали технологию, позволяющую считывать эти коды (причем не только из писем, но и вложений) и проверять зашитые в них ссылки.

Что такое ASCII-графика и как ее используют злоумышленникиСейчас в это нелегко поверить, но когда-то компьютеры не умели отображать графику.

Ну и вдобавок в то время многие платили за трафик, а потому отключали загрузку картинок в почте.

А в качестве дополнительного слоя защиты — установить защитные решения на все рабочие устройства, используемые для выхода в Интернет.

В частности, объяснять, что ASCII-графика в современных письмах может свидетельствовать о попытке фишинговой атаки.

Дешевая ТВ-приставка на Android с бесплатными подписками может стать основой для ботнет-сетей и прокси-серверов киберпреступников. Разбираемся, как такие ТВ-боксы сдают ваш IP в аренду и как выбрать безопасное устройство.

Интеграция с LLMТеперь у пользователей Kaspersky Container Security есть возможность использовать технологию Kaspersky Investigation and Response Assistant (KIRA).

KIRA активно внедряется и в другие продукты, и теперь она доступна для пользователей Kaspersky Container Security в качестве ИИ-ассистента.

В ходе недавнего обновления решение Kaspersky Container Security было снабжено программным интерфейсом для подключения больших языковых моделей.

Что еще обновилось в Cloud Workload SecurityКроме добавления ИИ-ассистента наши разработчики внесли еще ряд изменений в продукты, входящие в предложение Kaspersky Cloud Workload Security.

Kaspersky Container Security, теперь поддерживает механизм еди…

При этом большая часть из них — семейные, используемые совместно с близкими… и не очень: 37% пользователей делятся своими подписками за пределами семьи.

Сегодня расскажем, как безопасно управлять подписками, избежать взлома всех ваших аккаунтов и не попасться на удочку злоумышленников.

Как делятся подписками с близкими и не оченьМногие владельцы подписок с легкостью делятся ими с членами семьи и друзьями.

Самый худший вариант с точки зрения безопасности — когда покупается один подписной аккаунт и владелец передает логин и пароль другим пользователям.

Если вы и ваши близкие храните пароли «в голове», то вероятность того, что вы используете один и тот же пароль в разных сервисах, весьма велик…

Но в этом посте я хочу рассказать о Kaspersky Container Security (KCS) не как представитель вендора, а скорее как член команды, активно использующей это решение в повседневной работе.

Но Kaspersky Container Security (KCS) — это скорее платформа для защиты контейнерной среды, которая закрывает сразу несколько задач, встраиваясь в контейнерный контур целиком.

Когда у команды сотни сборок, одного периодического сканирования реестра уже мало и это всегда требует ручного вмешательства.

Чем KCS полезен в наших сценарияхУ нас работает своя система композиционного анализа, поэтому мы не смотрим на KCS как на единственный источник истины.

Почему мы смотрим на KCS не только как на сканерЕще один силь…

Да, за рулем все еще водитель, но он там скорее для страховки, так что появление настоящего беспилотного авто — это лишь вопрос времени.

Для производителя это означает ответственность за поведение автомобиля на дороге и за выбор поставщиков.

Обеспечение безопасности автомобиля в современных условияхДолгое время, когда речь шла о безопасности автомобиля, имелась в виду исключительно функциональная безопасность.

Контроль осуществляется на разных уровнях архитектуры: внутри доменов, на уровне отдельных контроллеров и на границе сетей.

В рамках этой статьи мы рассмотрели лишь часть подходов, которые сегодня применяются в KASG для обеспечения безопасности транспортных средств.

Поэтому при внедрении собственных ИИ-серверов и их вспомогательных систем (RAG, MCP и так далее) необходимо с самого начала внедрять строгие меры безопасности.

В ответ на запросы он отчитывается о доступности серверов Ollama, LM Studio, AutoGPT, LangServe, text-gen-webui, которые часто используются для «обвязки» запущенных локально ИИ-моделей.

Дополнительно сервер-приманка отчитывался о наличии разнообразных баз данных RAG и MCP-сервера с привлекательными возможностями вроде «get_credentials» (получить учетные данные).

На самом деле на Raspberry PI просто были сохранены 500 ответов настоящей модели Qwen3, из которых несложный скрипт выбирал наиболее подходящий с учетом присланного запроса.

…

Кроме того, взлом паролей ускоряется из года в год: в нашем аналогичном исследовании 2024 года процент паролей, нестойких ко взлому, был ниже.

К сожалению, многие пользователи хранят свои пароли в открытом виде в заметках, сообщениях в мессенджерах, в документах, а также в браузерах, сохраненные пароли из которых злоумышленники вытаскивают за считаные секунды.

Не храните пароли в виде обычного текстаНи в коем случае не записывайте пароли в файлах, сообщениях и документах — они не защищены должным шифрованием, как в менеджере паролей.

Не храните пароли в браузерахМногие пользователи сохраняют свои пароли в браузерах — тем более что те любезно позволяют делать это автоматически.

Важно соблюда…

К сожалению, создатели зловредов уже не первый раз находят способы обойти эту защиту, так что секреты, хранящиеся в Chrome, опять под угрозой.

Как работает шифрование с привязкой к приложению в ChromeGoogle представила механизм шифрования с привязкой к приложению (Application-Bound Encryption) в июле 2024 года в 127-й версии браузера Chrome.

Мы уже подробно рассказывали, что представляют собой эти файлы и к чему может привести их кража, поэтому здесь лишь кратко напомним основные факты.

Дело в том, что в данной ОС Chrome использовал только стандартный встроенный механизм защиты данных Data Protection API (DPAPI).

В теории это должно было заметно усложнить атаки на Chrome и снизить эффективн…

We are excited to announce advanced enterprise browser integration between Cisco Secure Access and Microsoft Edge for Business, designed to enhance data security and protect the use of AI in modern organizations.

Seamless and Secure Enterprise Browser ExperienceThis integration brings together Cisco’s Secure Access (SSE) platform with Edge for Business, delivering a unified solution that enables secure, zero-trust access to private applications directly through the enterprise browser.

Key Benefits for IT and Security TeamsThe integration of Microsoft Edge for Business and Cisco Secure Access delivers data protection at the browser and network layers.

Enhanced Data Security with Cisco DLP In…

Instead of asking what happens when segmentation succeeds, let’s ask: why do so many segmentation projects fail.

That question is the focus of the newly released Cisco 2026 Segmentation Report, which draws on a survey of 400 failed segmentation projects at U.S.-based organizations with 500 or more employees.

Four Patterns of FailureWhen we evaluated each failed project against twelve factors spanning general IT project management and segmentation-specific challenges, four distinct failure patterns emerged:Perfect Storm (50%).

Where the Failures ConcentrateNot all segmentation projects are equally risky.

Read the Full ReportThe full 2026 Cisco Segmentation Report goes deeper into each failur…

As the cybersecurity landscape rapidly evolves, driven by groundbreaking advancements in artificial intelligence (AI), Cisco is adapting its vulnerability disclosure practices to meet the challenges and opportunities presented by these technologies.

These AI capabilities enable unprecedented speed and scale in identifying security issues, while also allowing network defenders to continuously evolve to address emerging threats.

At the same time, we recognize that adversaries will also take advantage of these evolving AI capabilities, increasing the urgency and complexity of cybersecurity defense.

Our public facing Security Vulnerability Policy (SVP) describes our process in detail including …

Two capabilities now available for Cisco Secure Email Gateway address exactly this gap: Remote Browser Isolation (RBI) and Content Disarm and Reconstruction (CDR).

How RBI and CDR fit into Cisco Secure Email GatewayAdding RBI and CDR to the gateway means organizations no longer depend on perfect threat identification at the moment of delivery.

A more resilient email layerModern secure email gateways are no longer only about keeping bad messages out.

RBI and CDR are available as add-on licenses to Cisco Secure Email Gateway.

Ask a question and stay connected with Cisco Security on social media.

Defining the inconsistency problem in AI reportingVarious types of inconsistencies in AI output frequently diminish the efficiency gains that AI reporting processes promise to deliver.

This unpredictability is problematic for professional environments where standardized layouts, such as consistent executive summaries or recommendation sections, are essential for quality control.

This unpredictability is problematic for professional environments where standardized layouts, such as consistent executive summaries or recommendation sections, are essential for quality control.

Input quality control: Unsurprisingly, we found that input quality determines output quality.

Unsurprisingly, we found t…

Today we’re releasing our new AI-powered DNS defense platform, available within Cisco Secure Access and powered by Cisco Talos intelligence.

How Cisco disrupts the ransomware lifecycle (DNS focus)Cisco Talos DNS Security (fully integrated into Cisco Secure Access) detects obfuscated data hidden in DNS packets, the core of internet communication.

Through Talos DNS Security, Talos’ custom built machine learning models detect the unique “lexical texture” of algorithmically generated domains (DGA) used by attackers.

Through Talos DNS Security, Talos’ custom built machine learning models detect the unique “lexical texture” of algorithmically generated domains (DGA) used by attackers.

Learn more …

This is also why zero trust architecture matters, shifting from assumed trust to continuous verification with systems built to withstand failure.

Being ready for the long gamePreparing for state-sponsored threats means closing gaps before an incident, not during one.

Behavioural baseline : Continuously updated behavioral baselines help surface low and slow activity, especially credential abuse that leaves no malware trace.

OT and ICS readiness : OT environments need hardware-enforced separation, as well as established response procedures.

Supply chain and insider threats: supply chains need mapped vendor access and SBOMs, and insider risk demands cross-functional hiring verification and pre…

The Missing Surface: Security ContextAsk a SOC analyst what they need from a security platform and you get consistent answers.

Cisco Secure Access now includes Security Insights: a security analytics dashboard that surfaces where risk is concentrated, helps teams identify emerging threats and policy gaps, and gives security leadership the trend data to report on posture and measure the impact of initiatives over time.

Secure Access addresses this through the AI view, which tracks GenAI application usage and guardrail violations alongside the rest of security operations.

Security Insights gives analysts the signals to start an investigation, security managers the view to close policy gaps, a…

The integrity of the systems we depend on, the trust layer underneath everything, is equally exposed.

This integrates naturally with external key management systems, including Quantum Key Distribution platforms for the most sensitive environments.

In the meantime, visit the Cisco Trust Center to learn more about our PQC approach and stay ahead of what’s coming.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Cisco Catalyst SD-WAN for Government integration with Cisco Secure Access FedRAMP instances: Government agencies require secure, compliant networking solutions that meet stringent federal security standards.

Cisco Catalyst SD-WAN for Government now integrates with Cisco Secure Access FedRAMP instances, enabling government organizations to maintain secure connectivity while ensuring compliance with federal security standards.

Policy groups in Cisco Catalyst SD-WAN Manager enable agencies to define IPSec tunnels and connection parameters to Secure Access instances, ensuring secure and compliant access across their network infrastructure.

AI application classification and shadow AI control: Ci…

With modular N+1 clustering (supporting up to 16 nodes), the 6100 Series scales to up to 8 Tbps of L7 throughput.

Using our AI-driven Encrypted Visibility Engine (EVE), the 6100 Series identifies threats in encrypted traffic without decryption, preserving privacy and line-rate speed.

Because at this scale, security shouldn’t hold you back—it should help you move faster.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Cisco Secure Firewall uses encryption for many things: VPN tunnels, remote management, hardware-level trust, and inline decryption.

They also define stronger baselines of security for existing algorithms, which are already incorporated into Cisco Secure Firewall.

Support arrives in Secure Firewall Threat Defense (FTD) 10.5 and ASA 9.25, targeted for General Availability in late 2026.

PQC support for TLS client features is planned for ASA/FTD 11.0, while management web server PQC support depends on underlying web server library readiness.

Cisco Secure Firewall is building post-quantum cryptography into every layer of the platform, so that when your organization is ready to make the transitio…

At this year’s Mobile World Congress in Barcelona, service providers showed up from around the world to join over 115,000 attendees from 210 countries.

We leveraged the lessons learned from previous SOC deployments, adding the new Secure Firewall 6160, which is designed specifically for AI-ready data centers.

Clockwise from the upper left quadrant: Firepower in Security Cloud Control, Splunk Cloud dashboard for MWC, Splunk Enterprise Security Mission Control and Cisco XDR.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Mobile World Congress (MWC) Barcelona is one of the most demanding environments for network and security operations.

For the 2nd year, the Cisco team leveraged Splunk, in addition to its other security products, to deliver a unified Security Operations Center (SOC) and Network Operations Center (NOC) experience.

Clockwise from the upper left quadrant: Firepower in Security Cloud Control, Splunk Cloud dashboard for MWC, Splunk Enterprise Security Mission Control and Cisco XDR.

Bridging SOC and NOC: From Visibility to ContextTraditionally, SOC and NOC teams operate in parallel, often using separate tools and datasets.

Edge engineering still matters in cloud-first architecturesComponents like …

Among the new security features, the one I was most eager to explore was Shadow Traffic detection.

Observing Shadow Traffic at scale on the live congress wireless network provided useful insight.

The Shadow Traffic dashboard put Tailscale VPN, ExpressVPN, and NordVPN at the top of the list.

Shadow Traffic detection conveniently labels the suspicious connections, making filtering in the Unified Events Viewer straightforward and precise.

With Shadow Traffic detection, you expand visibility into inspection gaps that most organizations don’t even realize they have.

Inflated version numbersmr.4nd3r50n uses version 100.100.100, an absurdly high version number designed to win npm’s server resolution against any real internal package version.

Review npm package lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), build logs, and artifact provenance for evidence of compromised package versions.

Use Microsoft Defender XDR to investigate suspicious activity across endpoints, identities, cloud apps, and developer environments.

Microsoft Defender XDR Threat analyticsMicrosoft Defender XDR customers can reference the Threat analytics report for this campaign in the Microsoft Defender portal at https://security.microsoft.com/threatanalytics3 for the latest …

As threats become more coordinated and faster to execute, endpoint protection has become the proving ground for modern defense.

For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection.

Learn moreIf you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform.

Gartner, Magic Quadrant for Endpoint Protection, Deepak Mishra, Evgeny Mirolyubov, Nikul Patel, 26 May 2026.

Gartner research publications consist of the opinions of Gartner’s research organization and should not be construe…

Microsoft has identified an active supply chain attack targeting the npm package ecosystem.

Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment.

Review npm package lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), build logs, and artifact provenance for evidence of compromised package versions.

How Microsoft Defender helpsMicrosoft Defender Antivirus detects and blocks the malicious components on access.

Microsoft Defender XDR DetectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

In this blog, we present a detailed analysis of the Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques.

Identification: The GENTLEMEN marker, located after -- marker -- , serves as a unique identifier, allowing encryptors/decryptors to quickly determine that the file has been encrypted by The Gentlemen ransomware.

Free space wipeIf the -- wipe argument is provided, The Gentlemen ransomware performs an add…

DLL sideloading and silent installation of ScreenConnect softwareThe downloaded ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll.

The malicious DLL uses msiexec.exe to silently install a second malicious DLL named vcredist_x64.dll, named to masquerade as the Visual C++ Redistributable.

]com:8443/ws URL C2 from hollowed binaryReferencesThis research is provided by Microsoft Defender Security Research with contributions from Parasharan Raghavan and members of Microsoft Threat Intelligence.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blo…

We’re pleased to share that Microsoft has been recognized as a Leader in The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026, receiving the highest scores in both the current offering and strategy categories.

The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026.

Forrester noted Microsoft strengths in identity threat detection and response (ITDR), access control, phishing-resistant authentication, and identity verification.

An Access Fabric brings together identity signals, access policies, and security workflows into a continuous loop.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Multi-stage Linux intrusion via F5 and Confluence – Threat actor activities.

In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account.

The threat actor used gowitness to perform a detailed reconnaissance of the HTTP/HTTPS services identified in the previous scan.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Multi-stage Linux intrusion via F5 and Confluence – Threat actor activities.

In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account.

The threat actor used gowitness to perform a detailed reconnaissance of the HTTP/HTTPS services identified in the previous scan.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

To modernize and unify security operations, St. Luke’s turned to Microsoft Security Copilot to supercharge analyst productivity and help its Security Operations Center (SOC) teams operate at scale.

With Microsoft Security Copilot, St. Luke’s has:Unified visibility across Defender and Microsoft Sentinel eliminates silos and accelerates threat response.

To learn more about how St. Luke’s is modernizing and unifying security operations with Microsoft Security Copilot, watch the customer video or read the full St. Luke’s customer story.

Share your insights and experiences on Gartner Peer Insights.™Learn moreLearn more about Microsoft Defender for Cloud, Microsoft Purview, and Zero Trust.

Also, …

Here’s what’s new:New data security posture management experience in Microsoft PurviewThe new Microsoft Purview Data Security Posture Management (DSPM) experience is now generally available.

Microsoft Purview Data Security Investigations extends investigative depth with custom examinationsMicrosoft Purview Data Security Investigations now includes optical character recognition (OCR) and custom examination capabilities to extend investigative depth.

In the Loop posts are your reliable source of what’s new across Microsoft Security and what it means for your security strategy.

Check back for the next drop and connect with us at Microsoft Build, June 2-3, 2026, in San Francisco, to hear direct…

New data security posture management experience in Microsoft PurviewThe new Microsoft Purview Data Security Posture Management (DSPM) experience is now generally available.

Microsoft Purview Data Security Investigations extends investigative depth with custom examinationsMicrosoft Purview Data Security Investigations now includes optical character recognition (OCR) and custom examination capabilities to extend investigative depth.

In the Loop posts are your reliable source of what’s new across Microsoft Security and what it means for your security strategy.

Check back for the next drop and connect with us at Microsoft Build, June 2-3, 2026, in San Francisco, to hear directly from Microsoft …

Microsoft has identified an active supply chain attack targeting the @antv node package manager (npm) package ecosystem.

Rotate credentials, tokens, npm access tokens, CI/CD secrets, and cloud credentials that might have been exposed in affected build or developer environments.

Review npm package lockfiles, build logs, and artifact provenance for evidence of compromised package versions.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence p…

Microsoft has identified an active supply chain attack targeting the @antv node package manager (npm) package ecosystem.

Rotate credentials, tokens, npm access tokens, CI/CD secrets, and cloud credentials that might have been exposed in affected build or developer environments.

Review npm package lockfiles, build logs, and artifact provenance for evidence of compromised package versions.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence p…

In this article, Aaron Zollman, Vice President and Deputy CISO for Gaming at Microsoft discusses the unique challenges and rewards of securing gaming.

There are more than 500 million monthly active players¹ across Xbox consoles, PC, handheld, and more through Xbox cloud gaming.

Gaming isn’t really a single culture, but rather a culture of cultures—each with their own risk factors to account for.

I work closely with Temi Adabambo, General Manager for Gaming Security, Microsoft, and Eric Mourinho, Chief Architect, Microsoft, to co-develop secure environments and shared tooling.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecur…

Built to reproduce your AI red team findings and AI incidents: RAMPART is designed to work alongside dedicated red teaming, and the two reinforce each other.

The ownership model is intentionally flipped from the traditional approach: engineers write the tests, engineers run them, and engineers treat failures like any other bug.

Agent safety ultimately comes down to what the agent does, which means evaluators need to look at which tools it invokes, what side effects occur, and whether those actions stay within expected boundaries.

Together, these approaches move AI safety from a one-time review to a set of living artifacts that developers can use throughout the lifecycle.

RAMPART and Clarity…

Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content.

Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic.

(Source: GitHub/swisskyrepo)When searching for prompt injections naively, the majority of detections are benign content – false positives in our case.

Malicious: ExfiltrationWe were able to observe a small number of prompt injections that aim at theft of data.

Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities.

Following our previous discussion on "Deploying Rust in Existing Firmware Codebases", this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware.

Hook-up Rust to modem firmwareBefore building the Rust DNS library, we defined several Rust unit tests to cover basic arithmetic, dynamic allocations, and FFI to verify the integration of Rust with the existing modem firmware code base.

Pixel modem firmware already has a well-tested and specialized global memory allocation system to…

This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.

Session theft typically occurs when a user inadvertently downloads malware onto their device.

Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server.

How DBSC WorksDBSC protects against session theft by cryptographically binding authentication sessions to a specific device.

The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the correspondi…

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.

In our previous blog “Mitigating prompt injection attacks with a layered defense strategy”, we reviewed the layered architecture of our IPI defenses.

Synthetic data generationAfter we discover, curate, and catalog new attacks, we use Simula to generate synthetic data expanding these new attacks.

We partition the synthetic data described above into separate training and validation sets to ensure performance is evaluated against held-out examples.

This process leverages the newly generated synthetic attack data described on this blog, to create a robust, end-to-end evalu…

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.