Список 11 стран, набравших максимум баллов.

Telegram обновил MTProto.

Крупнейшие российские маркетплейсы внедряют системы фильтрации трафика из-за требований регулятора.

Физики из Университета Пердью создали нержавеющую сталь нового поколения.

Обнаружен вирус для Linux, который ворует пароли от облачных сервисов Amazon и Google.

Собрали ценнейшие данные, побили рекорд — теперь Земля ждёт своих героев обратно.

В мобильных VLESS-клиентах нашли критическую «дыру».

Хакерская сеть Phorpiex заразила 1,7 миллиона уникальных устройств за последние три месяца.

Почему популярный инструмент для Chrome внезапно полюбил шифрование.

Физики нашли способ передавать энергию без сопротивления при -12 градусах.

В Microsoft предупредили о росте атак с использованием самовосстанавливающихся скриптов.

Нейросети прогнозируют, что в будущих вакансиях по кибербезопасности будут встречаться требования вроде владения технологиями VR-досмотров и умения оперировать интерфейсом нейросвязи.

Специалист по ИБ отвечает за защиту интересов пользователей и бизнеса в условиях постоянно меняющейся инфраструктуры и появления новых технологий.

Перспективные вакансии по кибербезопасности в ближайшие годыМы открыли несколько сайтов по поиску работы и обратили внимание на перечень актуальных позиций.

В числе наиболее часто встречающихся: специалист по ИБ, аналитик, ведущий инженер по ИБ, архитектор, эксперт по кибербезопасности и ряд смежных ролей.

Мониторинг аномалий, быстрое реагирование и взаимодействие с…

Разбираем 10 самых частых провалов при внедрении защиты веб-приложений, чтобы не блокировать клиентов и не пропускать хакеров, а построить по-настоящему эффективную систему безопасности.

Пример ошибки: Azure WAF (2024)Пользователи Azure Application Gateway с WAF регулярно сталкиваются с проблемой ложных срабатываний при использовании Keycloak для аутентификации.

Безопасники и разработчики не общаются, не обмениваются знаниями, и WAF воспринимается как «чужой» инструмент, за который отвечает только отдел ИБ.

ВыводыДесять разобранных ошибок объединяет одна общая проблема: отношение к WAF как к чёрному ящику, который достаточно однажды включить, чтобы забыть о безопасности.

WAF не заменяет без…

Нормативные требованияЗащита данных становится критически важной не только для банков, медицинских учреждений, e-commerce компаний и государственных органов, где действуют специальные требования и стандарты, но и для любой организации.

Обзор российских приложений для двухфакторной и двухэтапной аутентификацииРоссийский рынок многофакторной аутентификации демонстрирует рост и развитие.

Приложение может использоваться как в качестве аутентификатора в решениях для SAS, так и для сторонних приложений с поддержкой стандартов RFC 4226 и RFC 6238.

MULTIFACTOR имеет удобный и интуитивно понятный интерфейс, простую функциональность, а также поддерживает подтверждение доступа не только с помощью кноп…

Источниками журналов событий могут выступать сетевые устройства, серверы, хосты пользователей, информационные системы и т. д. Использование SIEM-систем возможно как в корпоративном, так и в промышленном сегменте.

Обзор мирового рынка SIEM-системНа начало 2026 года Mordor Intelligence оценивает объём мирового рынка SIEM в 12,06 млрд долларов с перспективой роста до 20,78 млрд долларов в 2030 году и темпом роста в 11,5 %.

Система Alertix внесена в реестр российского ПО (реестровая запись № 10868 от 25.06.2021) и имеет сертификат ФСТЭК (№ 4596 от 18.11.2022).

Он обеспечивает сканирование, идентификацию и инвентаризацию хостов и сервисов, управление группами активов и их категорирование по крит…

Пожалуй, главной сквозной темой традиционной конференции Ассоциации «Руссофт» стали именно новые вызовы. Это прежде всего макроэкономическая ситуация и её последствия, но есть и иные факторы. Как всё это скажется на дальнейшем развитии отрасли? 1. Введение2. Вызовы последнего времени и ответы на них2.1. Потеря внешних рынков2.2. Макроэкономическая ситуация и её последствия2.3. Большая доля внутренней разработки2.4. Ажиотаж вокруг ИИ2.5. Замедление импортозамещения2.6. Видны пределы роста российского рынка3. Факторы роста3.1. Кибербезопасность3.2. Искусственный интеллект, low code/no-code3.3. Создание экосистем3.4. Усиление регулирования4. ВыводыВведениеТрадиционная пресс-конференция Ассоциа…

Что собой представляют решения Security AwarenessРешения класса Security Awareness предназначены для обучения и оценки компетенций сотрудников в сфере кибербезопасности.

Мировой рынок Security AwarenessСогласно отчёту аналитического агентства Verified Market Reports, мировой рынок Security Awareness растёт умеренными темпами.

Рост мирового рынка Security Awareness (источник: verifiedmarketreports.com)Примерно также оценивает мировой рынок Security Awareness аналитическое агентство Market Research Intellect.

Развёртывание Solar Security Awareness по модели On-PremiseВозможности платформы:Подключение по модели MSS, SaaS или On-Premise.

МегаФон Security Awareness«МегаФон Security Awareness» — …

Защита без инвентаризации и аудита данныхDLP-проект должен начинаться не с выбора инструмента, а с понимания того, что нужно защищать.

Главное — всё это происходит не из-за того, что DLP не сработала.

Традиционные DLP создавались для работы с файлами и вложениями, но не рассчитаны на мониторинг операций копирования-вставки и взаимодействия с чат-интерфейсами.

Обнаружить такую утечку стандартными средствами практически невозможно — для DLP картинка остаётся картинкой, даже если внутри неё скрыты терабайты информации.

Сигнатурная DLP не заметила этого, ведь формально сотрудник не делал никаких запрещённых действий.

Нововведения помогли оптимизировать рабочие процессы и открыли новые возможности для коммуникации и совместной работы внутри компании и между организациями.

Функциональные возможности бета-версии VK WorkSpaceVK WorkSpace включает широкий набор функций как для рядовых пользователей, так и для администраторов.

Последние изменения в совместной работе над файломАудио- и видеозвонкиСуперапп поддерживает организацию аудио- и видеозвонков как в личных, так и в групповых чатах.

Общая схема компонентов VK WorkSpaceСистемные требования бета-версии VK WorkSpaceVK WorkSpace доступна в облаке (SaaS) и в виде локального развёртывания (on-premises).

Организация корпоративных коммуникаций в «Россети»Для ор…

Эксперты в области защиты от DDoS обсудили эволюцию угроз, типичные ошибки при выстраивании защиты и дали прогнозы на будущее.

В ходе дискуссии участники обозначили ключевые тренды, типичные ошибки при построении защиты и дали прогнозы относительно того, какие векторы атак станут наиболее проблемными в 2026 году.

Из-за доступности инструментов для создания прикладных атак фокус смещается: мы постепенно переходим от классической защиты от DDoS к антибот-системам.

Тот, кто принимает решение, обязан осознать, что ему есть что терять и что у него есть ответственность.

Главная проблема сегодня кроется не в отсутствии инструментов, а в недостаточной зрелости процессов у заказчиков.

И как интегрировать в единый контур десятки разрозненных систем — от legacy-оборудования до современных решений по защите контейнеров и облаков?

Теперь огромная база правил, созданная мировым сообществом, может быть автоматически переведена в формат KUMA и загружена в платформу.

Версия 4.2: Зрелое администрированиеПоследние обновления показывают, что KUMA достигла уровня зрелости, необходимого для крупных корпоративных SOC.

Специалисты iTPROTECT познакомились с возможностями свежей версии KUMA в одном из недавних проектов для крупного государственного ведомства.

Эволюция KUMA показывает, как продукт прошёл тот же путь, что и сам рынок SIEM — от инструмента «собери и храни» до полноценной пл…

Так что с большой долей вероятности в 2026 году новая волна атак на ДБО будет.

Вопрос лишь в том, когда: в середине года, как это произошло в 2025 году, или в конце.

Почему схема атак на ДБО возвращаетсяКак правило, злоумышленники всегда возвращаются к схемам, которые приносили успех.

И в целом, как отметил Максим, при использовании ранее применявшихся схем киберпреступники многократно усиливают свои приёмы.

Потенциал атак на обычных людей исчерпанВ «Лаборатории Касперского» уже по итогам 2025 года зафиксировали снижение количества атак на конечных пользователей при росте количества киберпреступных посягательств на бизнес.

Системные требования MIST InsightВ случае развёртывания MIST Insight в виде виртуального сервера рекомендовано использовать сервер с ОС Astra Linux или Debian 12, при обязательном соблюдении аппаратных требований.

Анализ изменений правил и объектов доступаТретий тип контроля изменений в MIST Insight — это анализ изменений только правил и объектов доступа.

В случае изменения объектов MIST Insight отображает список правил доступа, в которых используется изменённый объект.

Раздел «Использование правил и объектов» MIST Insight даёт наглядную картину использования правил и объектов доступа.

База уязвимостей в MIST InsightПомимо загрузки базы уязвимостей MIST Insight получает данные об ИТ-активах…

В ответ на новые вызовы регуляторы усиливают требования к защите информации, распространяя их не только на операторов государственных систем, но и на все вовлечённые стороны.

Разработка и формальное закрепление в договорах и технических заданиях конкретных мер и средств защиты информации, которые должен реализовать подрядчик.

Что необходимо выполнять подрядным организациямМероприятия и меры по защите для подрядных организаций формируются оператором ГИС и устанавливаются в его внутренних стандартах и регламентах.

ВыводыУже сейчас подрядным организациям стоит пересмотреть свой подход к защите при взаимодействии с информационными системами государственных организаций.

Новые требования, утвержд…

Все началось с обычного тикета в Jira, из тех, которые выглядят безобидно и даже немного скучно. «Нужно протестировать новый личный кабинет. Разверни тестовую базу». Через несколько месяцев этот тикет аукнулся сорванным релизом, сгоревшим маркетинговым бюджетом и отложенным запуском важнейшего сервиса. А Олег, как всегда, остался крайним. Давайте разберем эту непридуманную историю и выясним, какие ошибки совершили ее герои, как их избежать, если ваши тестовые базы до сих пор готовят скриптами. Почему на Олега повесили всех собак

Привет! Меня зовут Амир Уразалин, я DevOps-инженер в KTS.В аутсорсинговой модели мы одновременно ведем несколько крупных проектов, каждый со своей инфраструктурой, окружениями и требованиями безопасности. При этом команда инженеров общая, а доступ к виртуальным машинам должен управляться централизованно, прозрачно и безопасно.По мере роста числа проектов и серверов управлять доступом становилось все сложнее, поэтому мы начали искать новое решение. Читать далее

На прошлой неделе были опубликованы сразу три научные работы, так или иначе предлагающие варианты атаки Rowhammer для видеокарт Nvidia.

Новые атаки были испытаны на видеокартах с видеопамятью стандарта GDDR6, в частности на GeForce RTX3060 и RTX6000.

Последним достижением академических исследователей стала демонстрация атаки «класса» Rowhammer на новейшие модули памяти стандарта DDR5.

Тип атакуемых чипов памяти представляет здесь особую важность, так как атаки эксплуатируют максимально низкоуровневые особенности их работы.

Таким образом, сразу три команды исследователей независимо друг от друга показали, что Rowhammer на видеокартах возможен и столь же опасен, как и в случае обычной операти…

Однако существует целый класс решений, которому, на наш взгляд, уделяется незаслуженно мало внимания, — это системы контроля и управления доступом к сети или NAC (Network Access Control).

Устройства и пользователи подключаются к сети тремя основными способами: по проводу, без проводов по Wi-Fi и удаленно через VPN.

В проводной сети, где нет 802.1Х процесс подключения к сети, как правило, выглядит так:Пользователь включает компьютер.

Доступ к сети появляется строго после успешной аутентификации, что создает фундамент для контроля доступа на уровне сети.

Профилирование устройств (Profiling)Еще одна важная функция NAC-сервера — это профилирование устройств, которые аутентифицируются в сети по …

У него есть таблица правил (эти правила пишете вы), и он проверяет каждый пакет перед тем, как пустить данные в сеть.

Stateless МЭ пропустит их только в том случае, если в правилах явно прописано «разрешить входящий трафик с этого IP на этот порт».

Простое устройство, которое смотрит только на IP и порты, такие атаки не видит и не может их остановить.

А там, где критически важно, чтобы весь трафик доходил и не было случайных блокировок, ставят IDS - система обнаружения вторжений.

То есть это и агент на ПК, и сетевой сенсор, и контроль почты итд.

А наша статья посвящена патентам и свидетельствам на антифрод-системы в России и мире.

На март 2026 г. поисковая машина по запросу «антифрод», «защита информации», «от мошеннических действий» и «мошенничество» указала на отсутствие патентов на изобретения.

При этом в базе ФИПС имеется несколько заявок на изобретения, среди них:№152 081 Система и способ определения подлинности предмета.

Решение о выдаче патента от 24.10.2018№128 268 Способ и система для обнаружения мошеннического доступа к веб-ресурсу.

Баз данных по антифроду нет.

При этом один из клиентов уязвим настолько, что позволяет дампить ваши конфиги и, в худшем случае, расшифровать весь ваш трафик.

Ситуацию осложняет то, что android private space (Knox, Shelter, Island, etc) хотя и изолирует VpnService, но не изолирует loopback интерфейс.

Может быть ребята из Happ вели себя так, потому что были очень недовольны тем фактом, что я вообще это нашел.

Если у вас нет возможности получить второй IP, то в качестве альтернативы вы можете завернуть весь ваш выходной трафик в CloudFlare WARP.

Так что на клиентах вам следует иметь стратегию geoip:ru -> direct , other -> proxy .

Сегодня я расскажу вам о TrustYFox — платформе для поиска уязвимостей в коде при помощи LLM, которую я создал своими руками.

Фактически у меня появилась возможность выстраивать образ результата не на основе своих фантазий, а основываясь на рекомендациях от потенциальной целевой аудитории.

Если коротко, то можно обновить агентов или системные промпты, после чего запустить одновременно два аудита: со stable‑версией и с экспериментальной.

Всё было очень в духе стартапа: проверялись разные гипотезы самым быстрым образом и не было продумано никакого образа конечного результата.

Аудиторы и пользователи не пересекаются и не мешают друг другу.

По словам разработчика, атакующие хорошо подготовились: они клонировали внешность и бренд основателя реальной известной компании, а затем пригласили мейнтейнера в Slack-воркспейс, стилизованный под эту компанию.

Все выглядело убедительно: в воркспейсе были каналы с публикациями из LinkedIn, фальшивые профили «сотрудников» и даже других опенсорс-мейнтейнеров.

Именно с его помощью атакующие похитили учетные данные от npm, после чего опубликовали троянизированные версии Axios с малварью WAVESHAPER.V2.

Сааймен подчеркивает, что после инцидента он сбросил все свои устройства, изменил учетные данные, настроил immutable-релизы, перешел на OIDC для публикации и обновил GitHub Actions, в соответстви…

Напомним, мы уже писали об этой малвари в начале 2025 года: тогда зараженные приложения из Google Play скачали более 242 000 раз.

На этот раз исследователи обнаружили два зараженных приложения в App Store и одно в Google Play.

Также специалисты сообщают, что обновленный SparkCat для Android заметно усложнился по сравнению с предыдущими версиями.

Ее создатели постоянно усложняют техники обхода анализа, и в результате малварь обходит проверку безопасности в официальных магазинах приложений.

Из Google Play малварь уже удалили, однако подчеркивается, что SparkCat продолжает распространяться через сторонние площадки (причем некоторые из них маскируются под App Store при открытии с iPhone).

23 апреля 2026 года в Москве состоится пятая ежегодная конференция CIRF (Corporate Incident Response and Forensic).

Мероприятие, которое организует «МКО Системы», посвящено корпоративной ИБ, реагированию на инциденты и расследованию киберинцидентов.

CIRF — ежегодная конференция, ориентированная на специалистов из сфер ИБ, IT и СБ, а также на представителей бизнеса.

Дата и время: 23 апреля 2026 года, 10:00 – 20:00 Место проведения: г. Москва, Цветной бульвар 15с1 Сколько стоит?

ООО «МКО Системы».

В минувшие выходные в своем Telegram-канале Павел Дуров заявил, что 65 млн россиян пользуются Telegram через VPN, и пообещал, что команда мессенджера «продолжит адаптироваться», затрудняя обнаружение и блокировку трафика.

Однако сообщество разработчиков утверждает, что в реальности команда Telegram не сделала для обхода блокировок практически ничего, а всю работу выполнили энтузиасты.

Как указал автор детального разбора ситуации на «Хабре» под ником David_Osipov, реализация FakeTLS в Telegram содержала грубые ошибки, которые позволяли ТСПУ тривиально идентифицировать трафик мессенджера.

Реализация FakeTLS в Telegram содержит и другие проблемы: фиксированный размер ClientHello, устаревшие ра…

В компании предупреждают, что на полное устранение последствий инцидента может уйти «несколько недель».

Компания Hasbro — один из старейших производителей игрушек и развлекательной продукции в США, и в штате компании насчитывается более 5000 человек.

После этого в Hasbro превентивно отключили часть систем.

Для расследования атаки уже привлекли сторонних ИБ-специалистов, однако в Hasbro отметили, что продолжают «принимать меры по защите бизнес-операций».

В отчете для инвесторов Hasbro предупредила о возможных задержках, связанных с необходимостью работать в «промежуточном режиме» на протяжении нескольких недель.

Справка: сканирование портовСка­ниро­вание пор­тов — стан­дар­тный пер­вый шаг в любой ата­ке.

На осно­ве этой информа­ции он выбира­ет сле­дующий шаг, что­бы получить точ­ку вхо­да.

Улуч­шить резуль­таты его работы поможет сле­дующий скрипт:#!/ bin/ bash ports = $( nmap -p- --min-rate = 500 $1 | grep ^[ 0- 9] | cut -d '/ ' -f 1 | tr ' ' ', ' | sed s/, $/ / ) nmap -p $ports -A $1Он работа­ет в два эта­па.

Сна­чала запус­кает­ся быс­трое ска­ниро­вание, затем — более тща­тель­ное, с помощью встро­енных скрип­тов (опция -A ).

Под­робнее про работу с Nmap читай в статье «Nmap с самого начала.

Drift Protocol потерял 285 млн долларов в результате атаки северокорейских хакеров, которая готовилась более полугода.

По оценкам Drift, итоговые потери составили около 280 млн долларов, хотя блокчейн-аналитики PeckShield оценивают ущерб в 285 млн долларов.

При этом в Drift подчеркивают, что уязвимостей в смарт-контрактах или программном коде платформы обнаружено не было, а seed-фразы скомпрометированы не были.

Представляясь сотрудниками трейдинговой компании, злоумышленники выходили на контакт с контрибьюторами Drift на крупных криптоконференциях.

В настоящее время все функции протокола заморожены, хотя в Drift отмечают, что DSOL не затронут, а средства страхового фонда защищены.

Президент ГК InfoWatch и сооснователь «Лаборатории Касперского» Наталья Касперская опубликовала в своем Telegram-канале серию постов, посвященных блокировкам VPN, массовому сбою в работе банков и возможным экономическим последствиям блокировки мессенджера.

После первой публикации, в которой она возложила ответственность за сбой на Роскомнадзор (РКН), Касперская сообщила, что поговорила с руководством ведомства и принесла извинения за поспешные выводы.

Нет, это не вражеский налет и не атака внешних акторов или злых иностранных хакеров.

Касперская принесла извинения РКН за поспешные выводы, но при этом подчеркнула несколько важных моментов.

При переходе на другую платформу обычно теряется под…

По информации РБК, представители Минцифры разослали крупнейшим российским интернет-компаниям «методичку» по выявлению VPN на пользовательских устройствах.

Из документа следует, что на iOS обнаружение средства обхода блокировок «существенно ограничено» из-за политики конфиденциальности Apple.

Рассылку в Минцифры провели после серии совещаний, на которых присутствовали представители более 20 крупных российских компаний («Сбер», «Яндекс», VK, Wildberries, Ozon, «Авито», X5 и другие).

В Android ситуация проще — системные API (ConnectivityManager и NetworkCapabilities) позволяют любому приложению запросить параметры активной сети и определить, проходит ли трафик через VPN.

При этом для корпорати…

Может даже запус­тить прог­рамму и, если та валь­нет­ся, почитать лог и поп­равить.

А если не получит­ся сде­лать, как ты про­сил, будет пов­торять это до побед­ного кон­ца или упрется в лимит токенов.

Глав­ное — не перего­реть и не сло­вить еще одно новое явле­ние — AI brain fry, бук­валь­но «спек­шиеся от ИИ моз­ги».

Если в репози­тории или в . gitignore най­дет­ся файл agents.

Даже Линус Тор­валь­дс уже вай­бко­дит (хоть и не в ядре Linux)!

GPUBreach goes a step further than GPUHammer, demonstrating for the first time that RowHammer bit-flips in GPU memory can induce much more than data corruption and enable privilege escalation, and lead to a full system compromise.

GPUBreach extends this approach to corrupt GPU page tables with RowHammer and achieve privilege escalation, resulting in arbitrary read/write on GPU memory.

More consequentially, the attack has been found to leak secret cryptographic keys from NVIDIA cuPQC, stage model accuracy degradation attacks, and obtain CPU privilege escalation with IOMMU enabled.

This disclosure of GPUBreach coincides with two other concurrent works – GDDRHammer and GeForge – that also revo…

A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.

Attacks mounted by Storm-1175 have also leveraged zero-day exploits, in some cases, before they have been publicly disclosed, as well as recently disclosed vulnerabilities to obtain initial access.

Upon gaining a foothold, the financially motivated cybercriminal actor swiftly moves to exfiltrate data and deploy Medusa ransomware within a span of a few days, or, in select incidents, within 24 hours.

"Storm-1175 rotates exploits quickly during the t…

Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.

The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.

"The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said in an advisory released in September 2025.

According to details shared by VulnCheck, exploitation activity against the vulnerability has originated from a single Starlink IP address.

CVE-2025-59528 is the third Flowise flaw with in-the-wild…

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E.

"The campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.," the Israeli cybersecurity company said.

Password spraying is a form of brute-force attack where a threat actor attempts to use a single common password against multiple usernames on the same application.

"The threat actor used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), which aligns with recent activity tied to Iran-nexus operations in the Middle East."

"Ransomware is increasingly incorporated in…

Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea.

It's assessed that these LNK files are distributed via phishing emails.

The PowerShell script performs checks to resist analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools.

This ensures that the PowerShell script is executed automatically after every system reboot.

It's worth noting that the use of GitHub C2 to distribute Xeno RAT and its variant MoonPeak was documented by ENKI and Trellix last year.

The Multi-OS Attack Problem SOCs Aren’t Ready ForA multi-OS attack can turn one threat into several different investigations at once.

That quickly leads to familiar problems inside the SOC:Validation delays increase business exposure by slowing the moment when the team can confirm risk and contain it.

How Top SOCs Turn Multi-OS Complexity into Faster ResponseThe teams that handle this well usually do one thing differently: they make cross-platform investigation faster, clearer, and more consistent from the start.

Give your team a faster way to detect multi-OS threat behavior before hidden execution paths turn into credential theft, persistence, and deeper compromise.

The same technique has …

This has been fueled by the emergence of EvilTokens (aka ANTIBOT), the first reported criminal PhaaS (Phishing-as-a-Service) toolkit that supports device code pushing.

Another closed-source PhaaS kit called Venom offers device code phishing capabilities similar to EvilTokens.

—Device code phishing attacks, which abuse the OAuth device authorization grant flow to hijack accounts, have surged more than 37.5x this year.

This has been fueled by the emergence of EvilTokens (aka ANTIBOT), the first reported criminal PhaaS (Phishing-as-a-Service) toolkit that supports device code pushing.

Another closed-source PhaaS kit called Venom offers device code phishing capabilities similar to EvilTokens.

Their supply chain attack on LiteLLM, a popular AI development library downloaded millions of times daily, turned developer endpoints into systematic credential harvesting operations.

TeamPCP compromised LiteLLM packages versions 1.82.7 and 1.82.8 on PyPI, injecting infostealer malware that activated when developers installed or updated the package.

GitGuardian's analysis found that 1,705 PyPI packages were configuredto automatically pull the compromised LiteLLM versions as dependencies.

When GitGuardian analyzed 6,943 compromised developer machines from that incident, researchers found 33,185 unique secrets, with at least 3,760 still valid.

Secrets Live Everywhere in PlaintextThe LiteLLM m…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may see this page if you are using advanced terms that robots are known to use, or sending requests very quickly.

Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identity of the main threat actors associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation.

Shchukin and Kravchuk are suspected of having carried out 130 ransomware attacks across Germany.

REvil (aka Water Mare and Gold Southfield) was one of the prolific ransomware groups that counted companies like JBS and Kaseya among its victims.

Weeks later, Romanian law enforcement authorities announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family.

In a rare move, Russia's Federal Security Service (FSB) disclosed in Janu…

The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience planAs March 2026 draws to a close, ESET Chief Security Evangelist Tony Anscombe looks at some of the top cybersecurity stories that made the news this month and offers insights that they may hold for your cyber-defenses.

Here's Tony's rundown of some of what stood out most over the four or so weeks:The medtech giant Stryker fell victim to a cyberattack that was claimed by the Iran-linked Handala hacktivist group and reportedly wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data,Research by the Google Threat…

This year, AI agents took the center stage – as a defensive capability, but more pressingly as a risk many organizations haven't caught up withThat's a wrap on the RSAC™ 2026 Conference.

For its 35th edition, the conference drew the usual mix of security practitioners, researchers and vendors.

Predictably, AI agents dominated much of the conversation – as a defensive capability, but more pressingly as a risk that many organizations have yet to fully think through.

Watch the video with ESET Chief Security Evangelist Tony Anscombe, who was on the ground all week, to learn more about what else was trending at this year's edition of the event.

If you caught any of them, or stopped by our booth,…

A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses.

Active since at least 2023, Silver Fox initially focused on Chinese-speaking targets before expanding into Southeast Asia, Japan, and potentially North America, running each campaign in a local language.

This pattern isn’t new – similar activity was observed during the same period last year, indicating that Silver Fox deliberately aligns its operations with this season.

In this operation, Silver Fox sends tailored spearphishing emails crafted to look like legitimate HR or tax-related messages.

Silver Fox is clearly do…

Indeed, some now run entirely in the cloud, while many others have paired cloud workloads, often in multi-cloud setups, with on-prem resources that won’t be retired anytime soon.

Of all the things that these organizations have in common, one warrants a closer look: virtual machine (VM) sprawl, or uncontrolled growth of virtual machines that are often left to fend for themselves.

This tracks with the identity-driven nature of cloud workloads, where both the VM itself and what it can access deserves scrutiny.

Catching the anomaly requires connecting what’s happening on the VM itself to what the VM’s identity is doing across the wider environment.

Parting thoughtsVMs are one of the oldest and …

Many cloud data breaches trace back to mundane lapses in security hygiene and oversights in the management of complex deployments, rather than fiendish zero-day exploits.

According to Google’s H2 2025 Cloud Threat Horizons Report, credential compromise and misconfiguration remained the primary entry points for threat actors into cloud environments in the first half of 2025.

Few organizations can afford to give up the flexibility and cost-efficiency that made the cloud in various of its flavors attractive in the first place.

Worryingly, a survey by the Cloud Security Alliance has found that only 23% of organizations have full visibility into their cloud environments.

Securing cloud workloads…

No online account is off the table.

If you can no longer access the account at all, go to the platform’s support pages and start the account recovery process.

Online services may ask for suspicious messages and other potential evidence during the reporting and account recovery process.

One-time 2FA recovery codes can help save the day if you lose access to the device to which normal 2FA codes are typically sent.

An email account deserves particular attention.

We provide a technical overview of EDR killers, including vulnerable drivers, in the The technology behind EDR killers section.

The technology behind EDR killersScriptsThe simplest EDR killers don’t rely on vulnerable drivers or other advanced techniques.

Driverless EDR killersFinally, a smaller but growing class of EDR killers achieves its goals without touching the kernel at all.

EDR killers and AIWhile the set of abused vulnerable drivers remains relatively small, the number of distinct user-mode components that are part of modern EDR killers in the wild is growing rapidly.

We outline how the past year saw increasingly commercialized offerings for EDR killers, and showcase how commercial…

Facial recognition is increasingly embedded in everything from airport boarding gates to bank onboarding flows.

The bank's facial recognition and eKYC (know your customer) platform accepted it as a genuine person.

Lastly, Jake added himself to a facial recognition watchlist at a busy train station in London.

The experiments also send a message to vendors of facial recognition systems and anyone responsible for identity verification systems.

The technology behind facial recognition is fragile in ways that matter when someone attempts to subvert it.

For most organizations, however, the more immediate risk plays out in cyberspace and involves all manner of threat actors.

Advanced Persistent Threat (APT) operations involving reconnaissance and initial access run in parallel or closely behind.

ESET researchers have previously documented close links between several Iran-aligned APT actors.

Muddying the waters further, several pro-Russian hacktivist groups have now apparently joined the fray in support of Iran, and there are reports of Iran-linked groups engaging with IABs on Russian cybercrime forums.

Spearphishing attachments and links have long been the most popular initial access techniques among most Iran-aligned APT groups, including …

Across 2025 and 2026, Sednit repeatedly deployed BeardShell together with Covenant, a third major piece of its modern toolkit.

Sednit profileThe Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004.

Moreover, because Xagent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence.

To maintain persistent access to these high-value targets, Sednit systematically deploys another implant alongside BeardShell: Covenant, the final component of its modern arsenal.

Previously, in 2023, Sednit’s Covenant abused the legitimate cloud service pCloud, and in 2024–…

Cybersecurity is one of the few business functions where success is typically quiet.

While the need to prevent disruption is undeniable, justifying the cost of doing so against competing business priorities isn’t always straightforward.

Other parts of the business, especially profit centers, can usually point to visible changes: better sales or shorter time-to-market.

However, a couple of years where your business stayed out of harm’s way tell you little about the following year.

Theory meets realityThe lived security reality is often harsh, especially in perpetually resource-strapped and disproportionately targeted smaller organizations.

We recently caught up with Director of ESET Threat Research Jean-Ian Boutin to talk about the work of his team, and how threat research and intelligence feed into MDR workflows.

What do most small business users gain from ESET Threat Research?

ESET has a threat research team spread across multiple regions; I’m with the team in Montreal, but we have researchers spread across Europe and in the US, too.

As the head of a threat research team, what’s the difference that you see MDR having on customers?

From a threat research standpoint, this is the top advantage, and another key reason to value such visibility is the speed of response.

For the education sector, cybersecurity isn’t just about preserving reputation and minimizing financial damage.

The challenge for education institutions lies partly in the diversity of their adversaries.

How managed detection and response can helpManaged detection and response (MDR) is not a silver bullet solution to these problems.

Your MDR provider must adhere to any regulatory/industry-specific data privacy, residency or retention requirements and/or insurance policy clauses.

But disruption to learning is perhaps the most insidious impact of cyber incidents in the education sector.

In this roundup, Tony looks at how opportunistic threat actors are taking advantage of weak authentication, unmanaged exposure, and popular AI toolsWith the second month of 2026 (almost) behind us, it's time for ESET Chief Security Evangelist Tony Anscombe to look at cybersecurity stories that moved the needle and offered vital lessons over the past four weeks.

Here's Tony's rundown of some of what stood out in February 2026:Threat actors misused commercial generative AI tools to compromise more than 600 FortiGate devices located in 55 countries.

Rather than specific vulnerabilities, the attacks exploited exposed management ports and weak credentials without two-factor authentication, accor…

GitHub addressed that constraint this week with the release of Rubber Duck, a cross-model review feature now available in experimental mode in GitHub Copilot CLI.

What Rubber Duck doesRubber Duck is a dedicated review agent that runs on a model from a different AI family than the one handling the primary Copilot session.

When a developer selects a Claude model as the orchestrator in the model picker, Rubber Duck runs on GPT-5.4.

Rubber Duck runs through Copilot’s existing task tool, the same infrastructure used for other subagents.

Availability and model scopeRubber Duck is available now in experimental mode in GitHub Copilot CLI.

Getting a startup through a SOC 2 audit has long meant months of manual evidence collection, policy writing, and repeated back-and-forth with auditors.

Comp AI is an open-source compliance platform targeting SOC 2, ISO 27001, HIPAA, and GDPR.

It automates evidence collection, policy management, and control implementation, and it positions itself as a direct alternative to established vendors Vanta and Drata.

The AI Policy Editor lets users draft and update security policies through a natural language interface.

The Automated Evidence feature handles recurring evidence collection tasks.

OpenAI is accepting applications for a paid fellowship program that will fund external researchers to work on safety and alignment questions related to advanced AI systems.

The program, called the OpenAI Safety Fellowship, runs from September 14, 2026 through February 5, 2027.

The fellowship is open to researchers, engineers, and practitioners from outside OpenAI.

Priority research areas include safety evaluation, ethics, robustness, scalable mitigations, privacy-preserving safety methods, agentic oversight, and high-severity misuse domains.

Where fellows will workFellows will have access to workspace in Berkeley at Constellation, a nonprofit that supports AI safety research.

More CVE records now include CWE mappings from CNAs, which tends to produce more precise root-cause data.

Are analysts mapping root causes, or are people picking the closest-sounding entry to check a box?

Continued emphasis on root-cause mapping will further strengthen the value of CWE data over time, both at the individual- and cross-organization perspective.

In that sense, automation can reinforce imprecision if it’s not grounded in strong examples of accurate root-cause mapping.

Automation can accelerate and guide, but accurate CWE mapping still depends on context and expertise.

In this Help Net Security video, Andrew Williams, Senior Product Manager at Mimecast, walks through the company’s API-based email security protection for Microsoft 365 and Google Workspace environments.

The video covers a core problem: AI-generated phishing and business email compromise are slipping past native Microsoft 365 controls.

According to Mimecast’s State of Human Risk report, 64% of organizations know their built-in email security has gaps.

Mimecast’s API solution connects via Microsoft Graph API in minutes, with no MX record changes or mail flow disruption.

It covers the threat spectrum from spam and commodity malware through to targeted phishing and BEC, across both E3 and E5 li…

Labeling: synthetic data at scale, with bias attachedGenerating labeled training data has long been a bottleneck for LLM content moderation.

One study cited in the survey used three LLMs as independent annotators, aggregated their labels through majority voting, and produced over 48,000 synthetic media-bias labels.

Detection: specialized models are outperforming generalistsAt the detection stage, the survey distinguishes between general-purpose LLMs used as zero-shot classifiers and smaller models fine-tuned specifically for safety tasks.

At the auditing stage, LLMs are used to stress-test detection systems with adversarial prompts, identify demographic disparities in enforcement, and monit…

Residential proxies routed traffic through consumer broadband, mobile data, and small-business connections.

Nearly 4 in 10 IPs hitting our sensors are residential IPs, indicating the scale with which home internet gear has been compromised.

The data includes 33 residential IPs targeting VPN login pages and enterprise VPN client signatures appearing on 48 residential IPs interacting with edge systems.

“Residential proxies are nightmare fuel for defenders,” said Andrew Morris, Chief Architect at GreyNoise.

Following that event, residential sessions linked to IPIDEA-associated fingerprints declined by 46% from December to February, while hosting-based sessions increased during the same period.

Proton Authenticator is a free and open-source two-factor authentication (2FA) app that generates time-based one-time passwords (TOTP) to help secure online accounts.

How Proton Authenticator worksSetup starts with installing the app from the App Store and adding accounts.

Proton Authenticator can be used on its own or alongside other Proton services.

The app supports importing tokens from other authenticator tools such as Google Authenticator, Aegis, or Bitwarden Authenticator.

Backup and recoveryThe app provides several options for backing up authentication data.

The 2026 Cisco State of Wireless report reflects these conditions through rising incident rates, higher costs, and ongoing staffing challenges.

Security incidents remain widespreadWireless security incidents are common in enterprise environments.

36% of organizations reported compromised IoT or OT devices linked to wireless incidents.

35% of wireless leaders identify AI-generated or automated cyberattacks among the top drivers of increased wireless security threats.

Talent shortages increase operational strainTalent shortages increase operational strain and security exposure and limit the ability to implement AI in wireless networks.

More than half of respondents expect their security budgets to increase, with most of those increases falling in the 1% to 10% range.

Spending remains focused on core areasSecurity budgets continue to concentrate on a few main categories.

Staffing and compensation account for the largest share, followed closely by software delivered off-premises.

Only a smaller group expects overall security budgets to increase as a direct result of AI efforts.

AI introduces new demands across operations, though organizations continue to manage those demands within budgets that change slowly from one year to the next.

Amazon sends AI agents into pen testing and DevOpsAmazon’s latest AI capabilities bring on-demand penetration testing through the AWS Security Agent, alongside the AWS DevOps Agent.

AWS Security Agent enables on-demand penetration testing for applications, addressing gaps created by periodic testing limited by time and cost.

Frameworks like LangChain, AutoGen, CrewAI, and Azure AI Foundry Agent Service have made this kind of autonomy straightforward to deploy.

Container sandboxes are part of routine AI agent testing and deployment.

ShipSec Studio, an open-source security workflow automation platform from ShipSec AI, aims to replace that arrangement with a dedicated orchestration layer built…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Friday Squid Blogging: Jurassic Fish Chokes on SquidHere’s a fossil of a 150-million year old fish that choked to death on a belemnite rostrum: the hard, internal shell of an extinct, squid-like animal.

Original paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

Posted on April 3, 2026 at 5:07 PM • 1 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

In order to get that approval, companies manufacturing routers outside the US must apply for conditional approval in a process that will require the disclosure of the firm’s foreign investors or influence, as well as a plan to bring the manufacturing of the routers to the US.

Certain routers may be exempted from the list if they are deemed acceptable by the Department of Defense or the Department of Homeland Security, the FCC said.

Neither agency has yet added any specific routers to its list of equipment exceptions.

[…]Popular brands of router in the US include Netgear, a US company, which manufactures all of its products abroad.

One exception to the general absence of US-made routers is t…

Wired writes (alternate source):Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code.

In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.

[…]Coruna’s code also appears to have been originally written by English-speaking coders, notes iVerify’s cofounder Roc…

The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you.

And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too.

The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.

A Taxonomy of Cognitive SecurityLast week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting.

Here’s a taste:The NeuroCompiler is where raw sensory data gets interpreted before you’re consciously aware of it.

If the Sensory Interface is the intake port, the NeuroCompiler is what turns that input into “filtered meaning” before the Mind Kernel ever sees it.

A critical architectural feature: the NeuroCompiler can route its output directly back to the Sensory Interface and out as behavior, skipping the conscious awareness of the Mind Kernel entirely.

That’s just one of the five levels Melton talks about: sensory interface, neurocompil…

Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography.

Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains.

The real problems are elsewhere: computer security, network security, user interface and so on.

We already have good encryption algorithms, good authentication algorithms and good key-agreement protocols.

There are far more serious security problems to worry about, and it makes much more sense to spend effort securing those.

A thoughtful review of Apple’s system to alert users that the camera is on.

It’s really well-designed, and important in a world where malware could surreptitiously start recording.

The reason it’s tempting to think that a dedicated camera indicator light is more secure than an on-display indicator is the fact that hardware is generally more secure than software, because it’s harder to tamper with.

With hardware, a dedicated hardware indicator light can be connected to the camera hardware such that if the camera is accessed, the light must turn on, with no way for software running on the device, no matter its privileges, to change that.

With an indicator light that is rendered on the display…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

A December 2025 poll by Navigator Research found similar results, with a massive net +48% favorability for more AI regulation.

In 2025, much of the popular debate around AI was cast in terms of humans versus machines.

This frame is shattered by Trump’s AI order, which unabashedly serves economic elites at the expense of populist consumer protections.

There is an opportunity for enterprising candidates, of either political party, to take the mantle of opposing AI-linked harms in the midterm elections.

AI is no longer just a policy issue for governments to discuss: it is a political issue that voters must decide on and demand accountability on.

Sen. Ron Wyden is warning us of an abuse of Section 702:Wyden took to the Senate floor to deliver a lengthy speech, ostensibly about the since approved (with support of many Democrats) nomination of Joshua Rudd to lead the NSA.

Wyden was protesting that nomination, but in the context of Rudd being unwilling to agree to basic constitutional limitations on NSA surveillance.

But that’s just a jumping off point ahead of Section 702’s upcoming reauthorization deadline.

Buried in the speech is a passage that should set off every alarm bell:

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.

REvil never recovered f…

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP.

TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote.

The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices.

That disclosure help…

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan.

Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a.

Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploratio…

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint.

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program.

Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tues…

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025.

“The testimonials are remarkable,” the AI security firm Snyk observed.

WHEN AI INSTALLS AIOne of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant.

Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.

Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape.

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet.

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$.

Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse.

The breach tracking service Constella I…

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms.

Enter Starkiller, a new phishing service that dynamically loads a live copy of the target login page and records everything the user types, proxying the data to the legitimate site and back to the victim.

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et.

“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterp…

I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network …

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows.

CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday.

On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

A prolific data ransom gang that calls itself Scattered Lapsus Shiny Hunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroyin…

The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet.

]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet.

However, the source of that Badbox 2.0 screenshot said the Kimwolf botmasters had an ace up their sleeve the whole time: Secret access to the Badbox 2.0 botnet control panel.

The source said it isn’t clear how Dort gained access to the Badbox botnet panel.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week.

The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corpor…

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software.

“Today’s Windows patches remove agrsm64.sys and agrsm.sys.

This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026.

Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything.

And in a surprising twist, it turns out that he was caught out after accidentally trying to swindle a fellow fraudster.

He and his fellow conspirators exploited the fake online relationships to convince their victims into handing over money and personal information.

Owolabi's crimes went beyond romance fraud.

Romance scams remain among the most financially devastating forms of cybercrime, exploiting human emotion rather than technical vulnerabilities.

The victims of romance scam are not tricked by malware.

All this and more in episode 461 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Danny Palmer.

Smashing Security listeners get $1000 off!

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

A man has appeared in federal court in Austin, Texas, after being extradited to the United States to face charges related to his alleged role as a key developer of the notorious RedLine malware.

The RedLine malware, which has been deployed against systems in more than 150 countries, has been marketed and sold to cybercriminals via subscription on the dark web.

Last year, the US Department of State offered a reward of up to US $10 million for information about the hackers believed to be behind RedLine malware attacks.

As part of the "Operation Magnus" seizure of RedLine infrastructure in late 2024, investigators recovered a database containing the details of thousands of RedLine clients.

The…

The FBI has confirmed that Iran-linked hackers have broken into the personal email inbox of FBI Director Kash Patel, and published photos of him as well as other stolen documents.

To add to Kash Patel's embarrassment, this isn’t even the first time he has been targeted by Iranian hackers.

His personal messages were previously hacked in December 2024, before he was appointed FBI director.

The FBI has announced that a US $10 million reward is on offer for information related to the Handala hackers.

A personal Gmail account linked to the FBI director can never be considered a low-profile target.

World Leaks is a cyber extortion operation that steals sensitive data from organizations and threatens to leak it via the dark web if a ransom is not paid. Read more in my article on the Fortra blog.

All this and more in episode 460 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Jenny Radcliffe.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

A 54-year-old man has pleaded guilty to defrauding online music streaming platforms out of more than US $8 million, after creating hundreds of thousands of songs with AI, and then using bots to play them billions of times.

Instead they divide a pot of money between all of the artists whose songs have been streamed that month.

He created thousands of accounts on music-streaming platforms and used as many as 10,000 bots to cause those accounts to continuously stream the songs.

And because he needed thousands of songs, he used AI to generate them.

The case acts as a warning shot to music streaming platforms that AI tools have made it trivially easy to generate passable-sounding music at scale …

Pedestrians crossing a street in Denver, Colorado, got rather more than they bargained for last weekend, when the audio signals at two crosswalks began broadcasting a political message alongside their usual walking instructions.

"The walk signal is on, f*** Trump.

Passwords on the affected crosswalks have since been changed, and police say that they are investigating the matter.

After all, the audio of a crosswalk is something that people who are blind or are visually impaired depend upon for their safety.

Default passwords have plagued all manner of technology, including crosswalks and other roadside infrastructure in the past.

A ransomware gang that claims to be a group of "investigative journalists"? Meet LeakNet - the group using fake CAPTCHA pages to trick employees into hacking themselves. Read more in my article on the Fortra blog.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Not because the city council suddenly decided to embrace generosity - but rather because hackers succeeded in knocking the city's payment system offline.

According to a Telegram post by local authorities, a "large-scale cyberattack" hit Perm's automated parking system, overwhelming the systems used to process parking payments.

In its post officials blamed the shutdown of the permparking.ru portal and other associated payment systems on a "massive DDoS attack."

In this way, systems can be overwhelmed and unable to process legitimate requests - such as, in this case, parking payments.

This certainly is not the first time that "smart" parking meters have attracted the attention of cybercrimina…

If you're in the middle of applying for a planning or zoning permit, there is some unwelcome news: cyber-criminals have found a way to exploit the bureaucratic tedium of the process against you. Read more in my article on the Fortra blog.

The problem is not with Signal itself, but rather with its users being tricked into handing over the keys to their accounts.

The hacking campaign uses two main techniques, neither of which requires exploiting any vulnerability in Signal or WhatsApp.

As Signal explained in its post, targeted victims receive an in-app message which purports to come from "Signal Security Support Chatbot", or a similar official-sounding account.

The reality is that scanning the QR code links the attacker's device to the victim's account, allowing their conversations to be monitored surreptitiously.

And if someone contacts you claiming to be the "Signal Security Support Chatbot" - well, they're an attacker.

All this, and much more, in episode 458 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Как мы уже писали в одном из предыдущих постов, современная разработка практически немыслима без использования компонентов open source.

Для фильтрации реестра при его наполнении должны использоваться специализированные решения для сканирования open source или комплексное решение для безопасности облачных нагрузок.

Управление уязвимостями open source на базе оценки рисковВсе перечисленные меры снижают количество уязвимого ПО и компонентов, которые попадают в организацию, упрощают обнаружение и устранение уязвимостей.

Модель оценки рисков потребуется расширить с учетом специфики open source, на основании ответов на следующие вопросы:Выполняется ли уязвимая ветка кода в разработках конкретной …

В прошлом только специализированные компании по разработке ПО и очень крупные бизнесы должны были заботиться об уязвимостях в цепочке поставок и открытом исходном коде (open source).

Но в результате организация сталкивается с новыми видами уязвимостей в ПО, найти и устранить которые гораздо сложнее, чем просто скачать обновление Windows.

Дефицит данных об уязвимостях open sourceДаже если в организации хорошо налажено управление уязвимостями в готовом ПО, для open source процесс придется значительно перерабатывать и дополнять.

То есть по одной базе уязвимость считается критической, а по другой — у нее средний уровень опасности.

Вредоносное ПО в реестрах open sourceАтаки через зараженные или …

Добавьте к этому функцию клавиатурного шпиона и полный контроль устройства с удаленным доступом к экрану, камере и микрофону — естественно, с возможностью записать видео и звук.

Тогда этот Windows-троян назывался WebCrystal RAT и, судя по техническим деталям, был клоном другого трояна удаленного доступа — WebRat.

Через некоторое время автор WebCrystal провел «ребрендинг», дав ему новое имя — CrystalX RAT, и начал активно продвигать троян в свежесозданном Telegram-канале.

Как CrystalX обходит защитуКаким бы технически совершенным ни был код такого хакерского приложения, без постоянного притока новых клиентов проект просто умрет.

Как не стать жертвой троянаВот ряд простых советов, которые пом…

Да потому, что шифровальщики научились целенаправленно охотиться на резервные копии данных обычных пользователей.

Но постепенно рынок «малых целей» стал для злоумышленников не менее привлекательным — и вот в чем причины.

Следовать этому правилу просто: заведите внешний диск — вы будете подключать его раз в неделю, делать на него копию данных и отключать.

Если они хранятся в менеджере паролей — убедитесь, что данные синхронизируются в облаке или есть функция экспорта.

Если они хранятся в менеджере паролей — убедитесь, что данные синхронизируются в облаке или есть функция экспорта.

Многие визионеры ИИ в качестве ключевого направления развития технологии представляют универсального умного ассистента, который возьмет на себя всевозможные рутинные задачи.

Чем опасны ИИ-агентыПродолжим держать интригу еще немного и для начала обсудим, на что же способен бесконтрольный ИИ-агент.

Как мы уже не раз отмечали, всех рисков, связанных с ИИ, не знает никто.

Название проекта отсылает вовсе не к политической метафоре, а… к театральному термину.

Как безопасно работать с ИИ-ассистентамиПока архитектуры, подобные IronCurtain, остаются экспериментальными, ответственность за безопасное использование ИИ в первую очередь ложится на самих пользователей.

Атаки на цепочку поставок уже не первый год остаются одним из самых опасных типов инцидентов информационной безопасности.

В этом материале рассмотрим не всегда самые масштабные с точки зрения ущерба, но, точно, самые необычные и привлекшие внимание атаки на цепочку поставок, которые произошли в 2025 году.

Март 2025: попытка атаки на Coinbase через каскадную компрометацию GitHub ActionsВесна 2025 года началась с достаточно замысловатой атаки, использовавшей в качестве основного механизма компрометацию нескольких рабочих процессов GitHub Actions — инструмента автоматизации типовых задач DevOps.

Одним из первых подтвержденных случаев атаки с использованием секретов, слитых Shai-Hulud, стала кр…

Миллионы автоматизированных конвейеров разработки полагаются на встроенные в процесс сборки инструменты безопасности, такие как Trivy и Checkmarx AST.

Нападающим, группировке TeamPCP, удалось внедрить вредоносное ПО в официальные рабочие процессы GitHub Actions и образы Docker, относящиеся к Trivy.

Нападающие заявляют, что они украли сотни гигабайт данных и более 500 000 учетных записей.

Пользователям рекомендовано немедленно искать индикатор компрометации litellm_init.pth и в плановом порядке ротировать все потенциально скомпрометированные секреты.

Администраторы конвейеров CI/CD и команды ИБ должны немедленно проверить свои ссылки на решения Checkmarx (kics-github-action, ast-github-actio…

Прямая ссылка на фишинговый сайт в письме — путь к провалу.

Реальная функция такого веб-приложения сводится к тому же автоматическому перенаправлению жертвы на сайт злоумышленника, но есть пара нюансов.

Они предоставляют непосредственным организаторам атак достаточно неприятный фишинговый инструментарий, в котором постоянно совершенствуются разнообразные механизмы как для отправки вредоносных писем, так и для обхода антифишинговых технологий.

В данном конкретном случае веб-приложение на платформе Bubble перенаправляет жертв на сайт c Cloudflare-проверкой, имитирующий окно ввода учетных данных Microsoft.

В параллельной вселенной злоумышленников, правда, все еще жив Skype, но в остальном сайт…

Рассказываем, как работает новая мошенническая схема и как на нее не попасться.

А как их используют мошенники?

Они создают опрос, вставляют в его тело ссылки на мошеннические сайты, а затем рассылают письма со ссылкой на этот опрос по своей базе адресатов.

Они не платят сервису за продвижение, не используют его таргетинг, а рассылают ссылку на опрос по своей собственной базе.

Как не попасться на удочкуНе доверяйте «надежным доменным именам» в ссылках безоговорочно — com или forms.gle в адресной строке еще не гарантируют безопасность содержимого.

В данном исследовании эксперты фокусировались не на том, как происходит заражение шпионским ПО, а на том, как вредоносная программа ведет себя после компрометации устройства.

Самой интересной находкой стали механизмы, с помощью которых трояну удается скрывать индикаторы использования камеры и микрофона в системе iOS и благодаря этому вести скрытое наблюдение за пользователем зараженного устройства.

В нашем посте сегодня расскажем о том, что представляет собой шпионское ПО Predator, как устроена система индикаторов использования камеры и микрофона в iOS и каким образом зловреду удается их отключать.

Как работает система индикаторов камеры и микрофона в iOSЧтобы понять, каким образом Predator…

Разумеется, бессмысленные пакеты в реестре появлялись и раньше, но в данном случае были найдены десятки тысяч не имеющих полезной функции модулей, единственный смысл которых заключался в добавлении совершенно ненужных зависимостей в проекты.

В именах пакетов фигурировали произвольно вставленные названия индонезийских блюд и связанных с кулинарией терминов (например, bakso, sate и rendang), из-за чего кампания и получила наименование IndonesianFoods.

Непонятно точно, что нужно искать, чтобы перепутать имя с названием индонезийского блюда, но в исходном исследовании пишут о том, что как минимум 11 пользователей NPM как-то включили пакеты в свои проекты.

В небольшую часть мусорных пакетов был …

Обход блокировок, которого нетРанее мы уже рассказывали о том, как злоумышленники шантажировали YouTube-блогеров, заставляя их распространять вредоносное ПО под видом программ обхода блокировок.

FixIt — это чистая приманка, и единственное предназначение этой «утилиты» — заставить вас скачать архив с вредоносом и самостоятельно установить его себе на компьютер с помощью BAT-файла.

Кампания использует YouTube по уже знакомой схеме.

Пока жертва тестирует разные варианты и нетерпеливо смотрит на прогресс-бар «инсталляции утилиты», на ее компьютер устанавливаются сразу две вредоносные программы: стилер Arcane и майнер криптовалюты Monero, транзакции которой труднее отследить.

Что крадет стилер A…

Чем чреваты два месяца непрерывного общения с ИИПосле трагедии отец Джонатана нашел на его компьютере полную транскрипцию общения сына с Gemini за последние два месяца.

Обучаясь на миллиардах текстов, доступных в Сети, они сталкиваются и с теми романами, фанфиками и драмами, где сюжеты часто граничат с паранойей, шизофренией и безумием.

В Google ожидаемо ответили, что «Gemini разработан так, чтобы не поощрять насилие в реальной жизни и не предлагать членовредительство.

Общение с ИИ, которое для кого-то окажется просто невинным развлечением и способам скоротать время, другой может воспринять как чудо, откровение или любовь всей жизни.

Как защитить себя и близкихКонечно, все это не повод отка…

Если жертвы ищут инструменты под macOS, то в качестве вредоносной нагрузки выступает тот же AMOS, а если под Windows — инфостилер Amatera.

А это значит, что подобные кампании несут угрозу не только для домашнего пользователя, но и для организаций.

Дело в том, что ассистента для кодинга Claude Code, как и агента для автоматизации рабочих задач OpenClaw достаточно часто используют сотрудники компаний.

Вредоносная нагрузкаТочно так же, как и в случае с оригинальным Claude Code, команда для macOS пытается через консольную утилиту curl установить приложение.

Она устанавливает инфостилер Amatera, который собирает данные браузера и криптокошельков и информацию папки пользователя и отправляет данны…

В одной кампании троян маскировался под официальное приложение для получения госуслуг в Бразилии, INSS Reembolso, в другой — под приложение Starlink.

Перед расшифровкой и переходом к следующим этапам заражения он проверяет, что находится на реальном смартфоне и в нужной стране.

BeatBanker прекращает работу, если найдет любые несоответствия или обнаружит себя на эмуляторе или в среде для анализа приложений.

Кстати, фальшивый «загрузчик обновлений» вообще загружает модули прямо в оперативную память, чтобы не создавать в смартфоне файлов, видимых защитному ПО.

Затем они активируют майнинг, но отключают эту функцию, если смартфон перегрелся, сильно разрядился или в данный момент им активно поль…

Welcome to the Agentic AI EraEnterprise interest in agentic AI is accelerating.

AI agents operate at machine speeds to execute complex tasks, yet they completely lack essential human judgment and contextual awareness.

Current challenges in the agentic AI ecosystemWhen our teams were analyzing the problem around governing this new digital AI workforce, we saw three areas across our customer and prospect conversations on why zero trust access built for humans must adapt to agentic workflows:Early and fragmented ecosystem.

Zero trust for agentic AI in practiceLet’s look at a typical scenario — a financial automation agent kicking off vendor payments.

We are thrilled to partner with AI-driven o…

Our research shows that nearly 60% of security leaders view security concerns as the primary barrier to broader agentic AI adoption.

At the exact same time, 29% rank securing agentic AI among their top three priorities for the coming year.

Much like a public-facing web service, an external AI agent can be attacked, exploited, or “poisoned” by malicious inputs.

The “Who Owns This?” ProblemAs agentic AI expands into operational systems, who is actually responsible for securing it?

Explore our Agentic AI Security Solution to learn more, or view the full survey results infographic.

Meet Cisco Talos Incident Response, or Talos IR – our frontline response team.

Talos IR works holidays, weekends, and through the night because someone on the other end of that call is counting on us.

The threats responders see in the field today become the protections in Cisco products tomorrow.

Different perspectives, same missionAsk a Talos IR team member why they do this work and you will get different answers.

Unlike many security roles, incident responders build deep connections with the people they help.

Part 2 is about the uncomfortable reality that our identity systems are unprepared for what’s already here.

The Attacks from Part 1 Were Identity FailuresEvery major attack examined in Part 1 was, at its core, an identity problem.

Every one expands the potential damage of a security breach, and our identity systems were not built for this.

What Workload Identity Gets Right — And Where It Falls ShortThe security industry’s answer to machine identity is SPIFFE, and SPIRE, a standard that gives every workload a cryptographic identity card.

Today’s workload identity systems typically assign the same identity to every copy of an application when instances are functionally identical.

But identity-based access control?

It brings Cisco’s proven identity and segmentation principles into a form factor purpose-built for Meraki-managed networks—delivering identity-based access control without enterprise-level operational burden.

It delivers identity-based access control as a cloud-native SaaS solution built directly into the Meraki Dashboard.

Experience It for YourselfCisco Access Manager is licensed as a subscription, aligned with Cisco’s SaaS model.

For a limited time Cisco Access Manager is available through a See, Try, Buy offer designed to eliminate adoption risk.

You can test drive these capabilities today with Secure Firewall Test Drive, an instructor-led course that will guide you through the Secure Firewall and its powerful roles in cybersecurity for your organization.

With the release of Cisco Secure Firewall version 10.0, expanded protections covering SQL injection attacks, Command Injection attacks, Cross-Site Scripting exploits are now available.

Cisco Secure Firewall version 10.0 ties DNS filtering to SGTs, enabling seamless and accurate policy application as the user moves across networks.

Cisco Secure Firewall version 10.0 brings new capabilities for clustered firewall configurations, allowing identification of portscan attempts even if th…

In support of this model, Orange Business has certified Cisco Catalyst SD-WAN Next-Generation Firewall (NGFW) capabilities as part of its Orange Flexible SD-WAN managed service.

Rather than treating networking and security as separate solutions, Catalyst SD-WAN enables partners like Orange Business to deliver an integrated service model built on consistent policy enforcement, visibility, and security across distributed environments.

Built-in security capabilities powered by Catalyst SD-WANCatalyst SD-WAN embeds security directly into the WAN fabric, enabling partners like Orange Business to deliver robust, enterprise-grade managed security without added complexity.

Learn more about how you …

As discussed in Peter Bailey’s recent LinkedIn post, the security conversation is shifting toward protecting the infrastructure software that underpins everything else.

Security agencies have warned that threat actors actively exploit vulnerabilities in network infrastructure devices to gain and maintain persistent access.

The exposure window CISOs can’t ignoreOne of the structural challenges in securing networking infrastructure is patch velocity.

Threat intelligence research has shown that vulnerabilities in network infrastructure are frequently exploited rapidly after disclosure, while remediation may take 30 days or more.

With eBPF at its core and Cisco’s networking leadership as its pl…

To address this reality, Cisco is expanding the remote browser isolation (RBI) capability of Cisco Secure Access with advanced isolation controls.

Introducing Advanced Isolation Controls in Cisco Secure AccessRBI advanced isolation controls in Cisco Secure Access extend policy enforcement into how users interact with web-based content.

By keeping policy enforcement within isolation, organizations may reduce tools for data protection, browser control, and end point enforcement.

RBI advanced isolation controls represent a natural next step, building on a proven isolation foundation to deliver practical, policy-driven protection at the last mile.

Read the Secure Access e-book or join a Secure …

While organizations have made significant progress securing their email domains with DMARC, attackers are exploiting an adjacent, less-defended surface: social media.

Why social media is the next impersonation frontierUnlike domain-based attacks, which require registering infrastructure and hosting phishing pages, social media impersonation is operationally simple.

Now, Brand Trust’s newest add-on, Social Media Monitoring, is now available through Cisco.

This gives Cisco customers the ability to detect and respond to fraudulent social media profiles that impersonate their company or executives.

For more information on domain protection and Social Media Monitoring, please visit Red Sift’s Ci…

Building on the lessons learned in the Security Operations Center (SOC) at major events, we challenged ourselves to build something new at Cisco Live Amsterdam 2026, a closed-loop integration with Cisco XDR and Splunk Enterprise Security.

The Splunk Security Product Labs team worked to utilize the power of the Cisco XDR correlation engine, to bring Splunk ES Risk index logs as Sources into the XDR Data Analytics Platform.

The integration between Cisco XDR and Splunk ES delivers a seamless experience for security operations teams by combining native XDR detections with Splunk’s extensive data backend and custom OCSF detections.

Key factors enabling this rapid setup included:Pre-validated Dat…

The Challenge of Encrypted Traffic InspectionTraffic inspection remains one of the most critical capabilities in modern firewall systems.

This is where Encrypted Visibility Engine (EVE) becomes a gamechanger, providing valuable insight into encrypted connections without requiring decryption.

What is Encrypted Visibility Engine?

This enables visibility into the source process by generating encrypted connections, a capability traditionally limited to endpoint antivirus and anti-malware software.

Without Encrypted Visibility Engine, this connection would have succeeded unnoticed by a security analyst.

During Cisco Live EMEA we noticed a variety of AI tools being used across the network.

To better understand which AI tools are the most popular I decided to dig into DNS data.

First, we queried DNS events categorized under Secure Access’ Generative AI classification to identify emerging and long-tail AI-related destinations.

This allowed us to discover AI services beyond well-known platforms and understand broader generative AI adoption trends.

Here is the Splunk query and the results specifically searching for Umbrella DNS events that have been categorized as Generative AI.

Advanced Logging is a Cisco Firewall unique capability that sends Zeek style logs to Splunk or another SIEM solution.

In this blog post, we’ll look at the Splunk integration wizard and Advanced Logging, alongside a few use cases from the conference.

The Splunk Integration WizardVersion 10.0 brings with it a new wizard that can be used to export syslog from Cisco Secure Firewall to Splunk and other SIEMs.

With Advanced Logging enabled, a firewall admin can then select individual rules to generate logs.

Fortunately, Advanced Logging gave us the visibility to quickly confirm that a connection using the /rootr2 string never occurred.

Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the Device Code Authentication flow to compromise organizational accounts at scale.

This activity marks a significant escalation in threat actor sophistication since the Storm-2372 device code phishing campaign observed in February 2025.

The server returns a JSON object containing Device Code (with a full 15-minute lifespan) and a hidden Session Identifier Code.

Credential Access Detects anomalous device code authentication using authentication patterns and token acquisition after successful device code auth.

?/~` -]+$"Surface suspicious email items accessed that follow the Device code phishing compr…

The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption.

The pace of Storm-1175’s campaigns is enabled by the threat actor’s consistent use of recently disclosed vulnerabilities to obtain initial access.

Storm-1175’s rapid attack chain: From initial access to impactExploitation of vulnerable web-facing assetsStorm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access.

]121 IP SimpleHelp C2 2024-02-23 2026-02-12ReferencesLearn moreF…

Now, threat actors from nation states to cybercrime groups are embedding AI into how they plan, refine, and sustain cyberattacks.

The objectives haven’t changed, but the tempo, iteration, and scale of generative AI enabled attacks are certainly upgrading them.

Disruption: Closing the threat intelligence loopOur Digital Crimes Unit disrupted Tycoon2FA earlier this month, seizing 330 domains in coordination with Europol and industry partners.

Microsoft’s ability to observe at scale, act at scale, and share intelligence at scale is the differentiation that matters.

Microsoft Threat Intelligence will continue to track, publish, and act on what we are observing in real time.

Observed variants of cookie-controlled PHP web shellsAlthough the core technique remained consistent across incidents, the PHP implementations varied in structure and complexity.

Limit Control Panel Shell CapabilitiesWhere hosting control panels are used, restrict or disable shell access such as jailshell wherever possible.

Microsoft recommends the following mitigations to reduce the impact of this threat in Linux environments protected by Microsoft Defender for Endpoint:Enable cloud-delivered protection in Microsoft Defender for Endpoint on Linux or the equivalent capability in your antivirus solution.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list …

Observed variants of cookie-controlled PHP web shellsAlthough the core technique remained consistent across incidents, the PHP implementations varied in structure and complexity.

Limit Control Panel Shell CapabilitiesWhere hosting control panels are used, restrict or disable shell access such as jailshell wherever possible.

Microsoft recommends the following mitigations to reduce the impact of this threat in Linux environments protected by Microsoft Defender for Endpoint:Enable cloud-delivered protection in Microsoft Defender for Endpoint on Linux or the equivalent capability in your antivirus solution.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list …

Microsoft Threat Intelligence has attributed this infrastructure and the Axios npm compromise to Sapphire Sleet, a North Korean state actor.

Analysis of the attackOn March 31, 2026, two malicious versions of Axios npm packages were released.

]com:8000/6202033 Microsoft Defender for Endpoint network protection and Microsoft Defender SmartScreen block malicious network indicators observed in the attack.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat …

Microsoft Threat Intelligence has attributed this infrastructure and the Axios npm compromise to Sapphire Sleet, a North Korean state actor.

Analysis of the attackOn March 31, 2026, two malicious versions of Axios npm packages were released.

]com:8000/6202033 Microsoft Defender for Endpoint network protection and Microsoft Defender SmartScreen block malicious network indicators observed in the attack.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat …

Critical infrastructure (CI) organizations underpin national security, public safety, and the economy.

What Microsoft Threat Intelligence is observing across critical infrastructure environments right now is not a forecast.

Now.Given these rising threats, governments worldwide are advancing policies and regulations to require critical infrastructure organizations to prioritize continuous readiness and proactive defense.

The U.S. National Cybersecurity Strategy published in March 2023 explicitly frames cybersecurity of critical infrastructure as a national security imperative.

And Canada is advancing a more prescriptive approach to critical infrastructure security through Bill C8 What Micros…

If you’re developing your own AI software, you can balance different needs—like latency, cost, and correctness.

Learn how to protect your organization at the speed and scale of AI with Microsoft Security Copilot.

Lastly, any customer installing AI in their organization needs to ensure that it comes from a reputable source, meaning the original creator of the underlying AI model.

For an in-depth look at how Microsoft protects data and software in AI systems, read our article on securing generative AI models on Microsoft Foundry.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

If you’re developing your own AI software, you can balance different needs—like latency, cost, and correctness.

Learn how to protect your organization at the speed and scale of AI with Microsoft Security Copilot.

Lastly, any customer installing AI in their organization needs to ensure that it comes from a reputable source, meaning the original creator of the underlying AI model.

For an in-depth look at how Microsoft protects data and software in AI systems, read our article on securing generative AI models on Microsoft Foundry.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Microsoft Defender Experts (DEX) observed a campaign beginning in late February 2026 that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files.

Stage 1: Initial Access via WhatsAppThe campaign begins with the delivery of malicious Visual Basic Script (VBS) files through WhatsApp messages, exploiting the trust users place in familiar communication platforms.

Tactic Observed activity Microsoft Defender coverage Initial Access Users downloaded malicious VBS scripts delivered via WhatsApp.

Microsoft Defender threat analyticsMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the …

Pete Bryan, Principal AI Security Research Lead, on the Microsoft AI Red Team, and Daniel Jones, AI Security Researcher on the Microsoft AI Red Team, also served on the OWASP Agentic Systems and Interfaces Expert Review Board.

For organizations building and deploying agents, Copilot Studio provides a secure foundation to create trustworthy agentic AI.

Copilot Studio: OWASP Top 10 Mitigations: At-a-glance mapping from each OWASP risk to Copilot Studio controls and Microsoft Security layers.

Microsoft AI Red Team: How Microsoft stress-tests AI systems and what teams can learn from that practice.

Microsoft AI Agents Hub: Role-based readiness resources and guidance for building agents.

Pete Bryan, Principal AI Security Research Lead, on the Microsoft AI Red Team, and Daniel Jones, AI Security Researcher on the Microsoft AI Red Team, also served on the OWASP Agentic Systems and Interfaces Expert Review Board.

For organizations building and deploying agents, Copilot Studio provides a secure foundation to create trustworthy agentic AI.

Microsoft AI Red Team: How Microsoft stress-tests AI systems and what teams can learn from that practice.

Microsoft Security for AI: Microsoft’s approach to protecting AI across identity, data, threat protection, and compliance.

Microsoft AI Agents Hub: Role-based readiness resources and guidance for building agents.

Microsoft Defender applies asset-aware protection using Microsoft Security Exposure Management to detect and block threats against these critical systems.

Microsoft Defender already provides enhanced protection for critical assets through capabilities such as automatic attack disruption.

This approach also enables automatic identification of critical assets in customer environments and applies deeper, context-aware detections based on each asset’s risk profile.

High‑value asset protection scenario demonstrating how Microsoft Defender detects and blocks domain controller credential theft using critical asset context.

Protections designed specifically for high‑value assets prevented the comma…

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.