Кибербезопасность
👉 от %username%
Подборка ресурсов по кибербезопасности
На русском 🇷🇺
Securitylab
последний пост 3 часа назад
Хакеры из World Leaks опубликовали чертежи вспомогательных систем крупнейшей АЭС
Хакеры из World Leaks опубликовали чертежи вспомогательных систем крупнейшей АЭС Хакеры из World Leaks опубликовали чертежи вспомогательных систем крупнейшей АЭС

Хакеры опубликовали почти 19000 документов о строящихся энергоблоках АЭС «Куданкулам» в Индии.

3 часа назад @ securitylab.ru
Используете 7-Zip? Поздравляем, один клик по вложению в письме превратит ваш ПК в инструмент для взлома
Используете 7-Zip? Поздравляем, один клик по вложению в письме превратит ваш ПК в инструмент для взлома

Исправление не установится автоматически, поэтому новую версию придётся скачать вручную.

4 часа назад @ securitylab.ru
Лестница, яма, поваленное дерево, склон — любой другой робот застрял бы намертво. Этот даже не сбавляет шаг
Лестница, яма, поваленное дерево, склон — любой другой робот застрял бы намертво. Этот даже не сбавляет шаг

Как алгоритм APT-RL прокачает индустрию четвероногих машин.

5 часов назад @ securitylab.ru
Испания — Аргентина: где смотреть финал ЧМ и как не лишиться всех денег на карте за минуту до матча
Испания — Аргентина: где смотреть финал ЧМ и как не лишиться всех денег на карте за минуту до матча Испания — Аргентина: где смотреть финал ЧМ и как не лишиться всех денег на карте за минуту до матча

Поддельные трансляции обещают бесплатный матч, но приводят болельщиков к скрытым подпискам и краже данных.

5 часов назад @ securitylab.ru
Спутники глушат, а нам все равно. Новая система JDG научилась вести человека по маршруту вообще без GPS
Спутники глушат, а нам все равно. Новая система JDG научилась вести человека по маршруту вообще без GPS

JDG — новая система навигации, которая может спасать жизни.

6 часов назад @ securitylab.ru
Митохондрии называли просто батарейками клетки. Оказалось, они могут управлять тем, кто мы есть
Митохондрии называли просто батарейками клетки. Оказалось, они могут управлять тем, кто мы есть Митохондрии называли просто батарейками клетки. Оказалось, они могут управлять тем, кто мы есть

Учёные подозревают: сознание, память и тревога могут рождаться вовсе не в мыслях…

7 часов назад @ securitylab.ru
ИИ-фильтр почты обвели вокруг пальца тем же трюком, что и в нулевых
ИИ-фильтр почты обвели вокруг пальца тем же трюком, что и в нулевых

Защита нового поколения не справилась с задачей из прошлого.

8 часов назад @ securitylab.ru
Вселенная ориентируется по Земле? Почему ученые очень не хотят верить в новую «ось зла» на картах космоса
Вселенная ориентируется по Земле? Почему ученые очень не хотят верить в новую «ось зла» на картах космоса

Ось зла: загадка реликтового излучения, которую наука не может объяснить уже 20 лет.

9 часов назад @ securitylab.ru
Одна из старейших задач теории Рамсея почти решена — и в этом внезапно помог ИИ
Одна из старейших задач теории Рамсея почти решена — и в этом внезапно помог ИИ

Сколько хаоса может выдержать система, прежде чем в ней обязательно появится порядок?

19 часов назад @ securitylab.ru
Автор PirateFi наконец попался. Создателя вредоносных игр в Steam вычислили по заказам из Uber Eats
Автор PirateFi наконец попался. Создателя вредоносных игр в Steam вычислили по заказам из Uber Eats

Безупречный криминальный план рухнул из-за единственной мелкой оплошности.

20 часов назад @ securitylab.ru
Картридж, тонер, два компа. Компанию HP уличили в организации «печатного ОПГ»
Картридж, тонер, два компа. Компанию HP уличили в организации «печатного ОПГ» Картридж, тонер, два компа. Компанию HP уличили в организации «печатного ОПГ»

Штраф в 14 миллионов долларов — лишь начало истории.

20 часов назад @ securitylab.ru
Nightmare Eclipse снова испортил Microsoft выходные. Встречайте экплойт LegacyHive
Nightmare Eclipse снова испортил Microsoft выходные. Встречайте экплойт LegacyHive

Патча нет, срока исправления нет — а рабочий код уже гуляет по сети.

21 час назад @ securitylab.ru
OpenAI планирует выпустить умную колонку, способную двигаться и познавать окружающий мир
OpenAI планирует выпустить умную колонку, способную двигаться и познавать окружающий мир

Такого ещё не делал никто. Но приходит резонный вопрос — а надо ли было?

22 часа назад @ securitylab.ru
Просто введи номер телефона и читай чужие переписки. Как NSO Group превратила тотальную слежку в удобный веб-сервис
Просто введи номер телефона и читай чужие переписки. Как NSO Group превратила тотальную слежку в удобный веб-сервис Просто введи номер телефона и читай чужие переписки. Как NSO Group превратила тотальную слежку в удобный веб-сервис

NSO Group создаёт эксплойты, регистрирует анонимные аккаунты, обслуживает серверы и круглосуточно следит за работой клиентских систем.

23 часа назад @ securitylab.ru
Пользователи GPT-5.6 столкнулись с удалением личных файлов и баз данных
Пользователи GPT-5.6 столкнулись с удалением личных файлов и баз данных

Ошибка, которую человек заметил бы сразу, прошла мимо всех защитных барьеров.

1 day назад @ securitylab.ru
Anti-Malware Anti-Malware
последний пост 1 day, 23 hours назад
Удалёнка без защиты: почему VPN и MFA больше не работают
Удалёнка без защиты: почему VPN и MFA больше не работают Удалёнка без защиты: почему VPN и MFA больше не работают

Стоимость простоя после кибератаки достигает 21,7 млн рублей в час для ИТ- и телеком-компаний и 9,6 млн рублей в час для ритейла.

Компания не управляет его сетью, устройством, каналами связи и окружением и не может гарантировать, что сессия остаётся безопасной.

ИТ-отдел не видит трафик и устройства сотрудников, а значит, не может блокировать доступ к неавторизованным сервисам.

Он шифрует трафик, но не контролирует устройство, не отслеживает состояние сессии и не ограничивает доступ внутри сети.

VPN не проверяет состояние устройства и не управляет сессией.

1 day, 23 hours назад @ anti-malware.ru
Чем опасен вайбкодинг и как проверять код, созданный ИИ
Чем опасен вайбкодинг и как проверять код, созданный ИИ Чем опасен вайбкодинг и как проверять код, созданный ИИ

Интеграция ИИ в конвейер безопасной разработки, как это часто бывает сегодня, становится ответом на рост вызовов и угроз, связанных с применением нейросетевых инструментов как в разработке, так и злоумышленниками в ходе атак.

ИИ как вызовКак показало исследование ГК «Солар» и УЦСБ, инструменты с ИИ для написания и анализа программного кода используют 80 % опрошенных российских компаний.

Руководитель отдела разработки пользовательского интерфейса компании «НЕКСТБИ» Григорий Голиков среди организационных рисков выделил появление кода, который внешне работает, но не адаптируется, не оптимизирован и небезопасен: непрозрачен, потенциально уязвим и не проходит проверку.

ИИ как инструмент злоумышл…

2 days, 4 hours назад @ anti-malware.ru
Как выбрать DRP-сервис для защиты от внешних угроз
Как выбрать DRP-сервис для защиты от внешних угроз Как выбрать DRP-сервис для защиты от внешних угроз

ВведениеDigital Risk Protection (DRP) — это не просто модный термин, а насущная необходимость для любой компании, у которой есть сайт, бренд или сотрудники.

Ландшафт угроз: почему DRP становится обязательнымИлья Шабанов провёл параллель между DRP и концепцией раннего обнаружения.

Компании не всегда осознают наличие у себя таких проблем, им стоит протестировать профильные решения, чтобы увидеть свою компанию глазами злоумышленников.

Во втором опросе зрители поделились, как у них в компании организован мониторинг внешних цифровых рисков:Мониторят своими силами — 42 %.

Прогнозы: куда движется рынок DRPСтанислав Гончаров: «Мы запускаем версию DRP Light для руководителей SOC-центров, для юристов…

2 days, 20 hours назад @ anti-malware.ru
Тестирование Phishman 2.35, системы повышения осведомлённости пользователей в сфере ИБ
Тестирование Phishman 2.35, системы повышения осведомлённости пользователей в сфере ИБ Тестирование Phishman 2.35, системы повышения осведомлённости пользователей в сфере ИБ

На основании созданного правила была сформирована группа для обучения: в неё вошли люди, которые были скомпрометированы в ходе первичного тестирования.

Отчёт по динамике обучения в Phishman 2.35Анализ показал, что часть сотрудников не завершила обучение в установленный срок.

Как и на первом этапе, основной задачей было сделать письмо максимально похожим на стандартную рабочую переписку, соответствующую реальным бизнес-процессам нашей компании.

Информационная панель Phishman 2.35 после завершения экспериментаПосле обучения и повторного тестирования добавились другие показатели:Обученность — 11 / 100.

Поддержка была доступна не только в рабочее время, но и в выходные дни.

3 days, 5 hours назад @ anti-malware.ru
ИИ-ассистенты как угроза безопасности: как чат-боты сливают данные компаний
ИИ-ассистенты как угроза безопасности: как чат-боты сливают данные компаний ИИ-ассистенты как угроза безопасности: как чат-боты сливают данные компаний

Корректное проектирование архитектуры, контроль источников данных и управление контекстом выполнения ИИ-систем существенно уменьшили бы их влияние.

Промпт-инъекция не проявляется как SQL-инъекция и не использует структурированные запросы — это обычный текст, встроенный в контекст обработки.

Отличие от разовой инъекции в том, что воздействие закрепляется в данных и влияет на дальнейшую работу системы на постоянной основе.

Агент начинает использовать это как норму при анализе событий.

Эксплуатация доверия (Human-Agent Trust Exploitation, ASI09)Злоумышленники используют доверие к агенту как к «компетентному собеседнику».

3 days, 6 hours назад @ anti-malware.ru
Как вернуть контроль над неструктурированными данными при помощи DCAP
Как вернуть контроль над неструктурированными данными при помощи DCAP Как вернуть контроль над неструктурированными данными при помощи DCAP

Разберём, как выявить эти проблемы и устранить их с помощью решений класса DCAP на примере «Спектр | DCAP».

По опыту экспертов «Кросстеха» и «Сайберпик», описанная проблема есть и в небольших компаниях, и в зрелом бизнесе с выстроенной информационной безопасностью (ИБ).

Фиксация «Спектр | DCAP» аномальной активности пользователяОбласть применения DCAP не ограничивается папками общего доступа в операционных системах Windows и Linux.

Но само по себе, как и любое СЗИ, оно не может существовать изолированно и полностью закрывать задачу защиты от утечек.

Даже при наличии технических средств защиты сотрудники должны понимать, как работать с данными в рамках своих должностных обязанностей.

4 days, 6 hours назад @ anti-malware.ru
Обзор Phishman 2.35, системы повышения осведомлённости пользователей в сфере ИБ
Обзор Phishman 2.35, системы повышения осведомлённости пользователей в сфере ИБ Обзор Phishman 2.35, системы повышения осведомлённости пользователей в сфере ИБ

Phishman 2.35 — система повышения киберосведомлённости пользователей в ИБ, в которой отказались от единой программы обучения в пользу подхода, учитывающего различия в поведении пользователей и уровне цифровых рисков.

Главная или информационная панель системыНа главной странице представлена сводная информация об обученности, иммунности и киберосознанности сотрудников и др.

Раздел «Настройки» в Phishman 2.35Одним из наиболее востребованных инструментов в ходе нашего эксперимента стал журнал событий.

Не диагностирует и не оказывает услуги в отношении телекоммуникационного, инфраструктурного и прочего оборудования, не входящего в Phishman.

Обновления системы доступны как в формате файлового арх…

4 days, 6 hours назад @ anti-malware.ru
Российские решения Security Awareness: сравнение платформ для обучения киберграмотности
Российские решения Security Awareness: сравнение платформ для обучения киберграмотности Российские решения Security Awareness: сравнение платформ для обучения киберграмотности

Сравниваем российские решения класса Security Awareness по 40+ критериям: учебные курсы, имитация фишинга, кастомизация, отчётность, лицензирование и поддержка.

Нет Да (помимо основного учебного курса есть экспресс-курс) Нет Да ДаТаблица 8.

Отчёты, часть IПараметр / Продукт Infosecurity Security Awareness Kaspersky Security Awareness Phishman RED Security Awareness Secure-T Awareness Отчёты по обучению Да Да Да Да Да Отчёты по атакам Да Да Да Да Да Аналитические отчёты Частично (как опция технической поддержки сервиса) Да Да Да Да Пользовательские отчёты Нет Да Да Да ДаТаблица 10.

Отчёты, часть IIПараметр / Продукт Solar Security Awareness Start AWR T2 Security Awareness UBS Cybersecurity A…

5 days, 6 hours назад @ anti-malware.ru
Российские мобильные операционные системы: обзор рынка 2026 года
Российские мобильные операционные системы: обзор рынка 2026 года Российские мобильные операционные системы: обзор рынка 2026 года

ВведениеМобильные устройства, как массовые, так и специализированные, весьма широко используются в бизнес-процессах компаний и в деятельности государственных служащих.

По довольно консервативной оценке, по состоянию на конец 2025 года в России было скомпрометировано около 1,5 млн мобильных устройств на Android.

Российский рынок мобильных устройствПо итогам 2025 года в России было продано около 24 млн смартфонов, что на четверть меньше уровня 2024 года.

И в том, и в другом сегментах рынка доминируют зарубежные вендоры.

Предустанавливается на мобильные устройства целого ряда российских вендоров, включая «Аквариус», F-Plus, Highscreen, Kvadra, Mobile Inform Group как для потребительского рынка…

5 days, 22 hours назад @ anti-malware.ru
ИИ-агенты и Platform Engineering: как внедрять Agentic AI в бизнесе
ИИ-агенты и Platform Engineering: как внедрять Agentic AI в бизнесе ИИ-агенты и Platform Engineering: как внедрять Agentic AI в бизнесе

Подходы к построению инфраструктуры для них развиваются в дисциплине Platform Engineering, которая существенно изменилась с появлением Agentic AI.

Константин объяснил:«Заказчики приходят за инфраструктурой для ИИ и готовой платформой поверх неё, а не за реализацией конкретной функции через ИИ.

Необходимо детально проработать экономическую модель внедрения и эксплуатации — выполнить расчёт совокупной стоимости владения (Total Cost of Ownership, TCO) при построении ИИ-агентских платформ».

Перспективы внедрения в России проприетарных западных решений (в их полноразмерной конфигурации) достаточно неопределённы.

Внедрение изменений с появлением ИИ — это долговременный процесс, общие контуры кото…

1 week, 1 day назад @ anti-malware.ru
EDR с защитой от шифровальщиков. Бэкап больше не нужен?
EDR с защитой от шифровальщиков. Бэкап больше не нужен? EDR с защитой от шифровальщиков. Бэкап больше не нужен?

Данный инструментарий призван помочь в борьбе с «теневыми ИТ», которые являются источниками целого комплекса проблем в компаниях и с которыми очень сложно бороться.

Методы атак на организацииПоловина успешных атак приходится на программы-шифровальщики и вайперы, направленные на уничтожение данных в инфраструктуре (рис.

Это в «Лаборатории Касперского» связали с тем, что от компании, даже небольшой, за один эпизод можно получить больше, чем от обычного человека.

Но и в том, и в другом случае злоумышленники крадут данные.

Продукты от Qihoo 360 и K7 Computing, так же как и Check Point / ZoneAlarm, предназначены для конечных пользователей и малого бизнеса.

1 week, 2 days назад @ anti-malware.ru
Биометрия в сделках с недвижимостью: насколько это безопасно
Биометрия в сделках с недвижимостью: насколько это безопасно Биометрия в сделках с недвижимостью: насколько это безопасно

С 1 июля 2026 года биометрия станет дополнительным способом подтверждения личности при подаче документов в Росреестр в электронном виде при сделках с недвижимостью.

Данная процедура применима к основным сделкам с недвижимостью:Покупка и продажа квартир, домов и земельных участков как на первичном, так и на вторичном рынке.

Пока биометрия будет использоваться скорее в исключительных случаях как дополнительное средство идентификации личности при совершении дистанционных сделок с недвижимостью и исключительно добровольно».

Также с 2024 года некоторые банки начали использовать биометрию при заключении ипотечных договоров, и в этом сегменте существенных проблем также не выявлено.

Они связаны как…

1 week, 2 days назад @ anti-malware.ru
Атаки на цепочки поставок ПО: как они работают и как защититься
Атаки на цепочки поставок ПО: как они работают и как защититься Атаки на цепочки поставок ПО: как они работают и как защититься

В ПО злоумышленники подменяют библиотеки, внедряют вредоносный код в программные зависимости или используют уязвимые компоненты с открытым исходным кодом.

Атаки на цепочки поставок выросли на 110 % за год и уже составляют до трети всех инцидентов.

При следующем запуске агент подключается к серверу злоумышленников и выполняет их код с правами пользователя без песочницы и дополнительных запросов.

«Солар» отмечает, что первом квартале 2026 года на промышленность пришлось 48,8 тысячи кибератак, на 14 % больше, чем годом ранее.

Единственный рабочий подход — относиться к цепочке поставок как к критической инфраструктуре: проверять источники, фиксировать версии, контролировать плагины и образы, из…

1 week, 3 days назад @ anti-malware.ru
ИИ в кибербезопасности: как меняются угрозы и средства защиты
ИИ в кибербезопасности: как меняются угрозы и средства защиты ИИ в кибербезопасности: как меняются угрозы и средства защиты

И наконец, появляется новый класс задач — защита сотрудников, использующих ИИ в работе, что требует отдельных политик и инструментов.

В первом опросе зрители поделились, где они уже используют или тестируют ИИ в кибербезопасности (мультивыбор):Реагирование на инциденты и подготовка отчётов — 54 %.

Артём Гяммер считает, что ИИ в реагировании может выступать скорее в роли консультанта или ассистента.

Рекомендации по внедрению ИИ в кибербезопасностьАндрей Гунькин предложил три шага:Определить, какие процессы уже есть в компании.

Фишинговые письма пишутся без ошибок и на любом языке, вредоносный код генерируется за секунды, а дипфейки становятся неотличимы от реальности.

1 week, 4 days назад @ anti-malware.ru
Отчёт сканера зелёный, а данные утекли: на чём российские CISO ловят ложное спокойствие
Отчёт сканера зелёный, а данные утекли: на чём российские CISO ловят ложное спокойствие Отчёт сканера зелёный, а данные утекли: на чём российские CISO ловят ложное спокойствие

Покупатель формирует заказ, переходит к оплате, и в этот момент сайт отправляет запрос к API с параметром 'order_id=345'.

Сканер безопасности, который настроен на автоматическое сканирование, в это время проверяет веб-формы на наличие классических уязвимостей: подставляет кавычки, угловые скобки, длинные строки и смотрит на коды ответов.

Он не падает, не выдаёт трассировку стека, не тормозит — он просто отдаёт данные.

Он не может показать, что в одном случае показана личная информация, а в другом — чужая.

А злоумышленник в это время спокойно меняет цифры в адресной строке, потому что разработчики забыли добавить одну проверку, а автоматическая проверка её не требует.

1 week, 5 days назад @ anti-malware.ru
Хабр: ИБ Хабр: ИБ
последний пост 1 час назад
Как изменилась жизнь интернет-безопасников с приходом QUIC? IDS и threat analysing в реалиях HTTP/3
Как изменилась жизнь интернет-безопасников с приходом QUIC? IDS и threat analysing в реалиях HTTP/3 Как изменилась жизнь интернет-безопасников с приходом QUIC? IDS и threat analysing в реалиях HTTP/3

Архитектура QUIC и что это такое вкратцеКак многие уже знают, QUIC - разработка гугла, новый протокол для передачи гипертекста на базе UDP (вместо TCP+TLS в HTTP/2).

Он содержит параметры транспорта QUIC и приветственное сообщение TLS (ClientHello), включая поддерживаемые алгоритмы шифрования и публичный ключ (Key Share).

Получается короткий хеш, который уникален для конкретной комбинации TLS-библиотеки + её версии + способа конфигурации (а не для конкретного пользователя или сайта).

JA3 фингерпринтит не браузер и не пользователя, а конкретную реализацию TLS-стека.

В ином случае IDS может классифицировать это как аномалию и возвращать требование придти через новое, безопасное соединение.

1 час назад @ habr.com
Hugging Face взломал автономный ИИ-агент — защищались тоже с помощью ИИ
Hugging Face взломал автономный ИИ-агент — защищались тоже с помощью ИИ Hugging Face взломал автономный ИИ-агент — защищались тоже с помощью ИИ

Hugging Face — открытая площадка, куда любой пользователь заливает свои датасеты, и злоумышленник просто загрузил вредоносный набор данных.

По описанию Hugging Face, кампанию вел автономный агентный фреймворк — причем, судя по всему, собранный на основе инструмента, который создавался для легальных исследователей безопасности.

Дополнительный плюс такого подхода в том, что ни данные атаки, ни упомянутые в них учетные данные не покидали периметр компании.

Вывод, к которому Hugging Face: данные и модели теперь надо считать первоклассной поверхностью атаки, а защищаться приходится ИИ на скорости машин.

Рядовым пользователям Hugging Face советует на всякий случай ротировать токены доступа и пров…

2 часа назад @ habr.com
Разбор Mimolet: что здесь удобно, а что стоит переделать
Разбор Mimolet: что здесь удобно, а что стоит переделать Разбор Mimolet: что здесь удобно, а что стоит переделать

Оно необязательное, но само его наличие вызывает вопросы, особенно потому, что по весу потом можно фильтровать людей.

Это не поиск конкретного человека и не распознавание личности.

В мотогруппах показывают мотоциклы, в группах про животных выкладывают питомцев, игроки ищут напарников, а в городских чатах обсуждают местные события.

Поэтому воспринимать их стоит именно как данные команды, а не как независимый замер.

Не всё из этого одинаково полезно, но основные разделы связаны между собой и не выглядят случайным набором кнопок.

11 часов назад @ habr.com
Разбор Mimolet: что здесь удобно, а что стоит переделать
Разбор Mimolet: что здесь удобно, а что стоит переделать Разбор Mimolet: что здесь удобно, а что стоит переделать

Оно необязательное, но само его наличие вызывает вопросы, особенно потому, что по весу потом можно фильтровать людей.

Это не поиск конкретного человека и не распознавание личности.

В мотогруппах показывают мотоциклы, в группах про животных выкладывают питомцев, игроки ищут напарников, а в городских чатах обсуждают местные события.

Поэтому воспринимать их стоит именно как данные команды, а не как независимый замер.

Не всё из этого одинаково полезно, но основные разделы связаны между собой и не выглядят случайным набором кнопок.

15 часов назад @ habr.com
Посмотрел, как Mimolet обращается с данными и нежелательным контентом: два замечания и семь удачных решений
Посмотрел, как Mimolet обращается с данными и нежелательным контентом: два замечания и семь удачных решений Посмотрел, как Mimolet обращается с данными и нежелательным контентом: два замечания и семь удачных решений

Гораздо интереснее посмотреть не на обещания, а на конкретные механизмы.

Это не полноценный аудит безопасности и не попытка проникнуть в чужую систему.

Если файл поврежден или не распознается как допустимое изображение, загрузка отклоняется.

Но сервер не принимает файл на веру и не складывает исходник в хранилище без обработки.

Это не утечка и не найденная "дыра".

1 day назад @ habr.com
[Перевод] Кража памяти: как я заставил Claude рассказать личные секреты пользователя
[Перевод] Кража памяти: как я заставил Claude рассказать личные секреты пользователя [Перевод] Кража памяти: как я заставил Claude рассказать личные секреты пользователя

Учтя всё это, я решил присмотреться к Claude, и в частности к основному повседневному помощнику (claude.ai, не Claude Code).

Доступ к произвольным URL из песочницы оказался бы огромной ошибкой, поэтому Anthropic предусмотрела это и заблокировала такую возможность.

$ bun dev Claude navigated to /a Claude navigated to /ay Claude navigated to /ayu Claude navigated to /ayus Claude navigated to /ayush Claude navigated to /ayush- Claude navigated to /ayush-p Claude navigated to /ayush-pa Claude navigated to /ayush-pau Claude navigated to /ayush-paulИтак, у меня получилось реализовать экфильтрацию произвольных данных из песочницы Claude!

Я зашёл в Claude и спросил, где кофе лучше всего, передав ем…

1 day, 5 hours назад @ habr.com
Техника безопасности при работе с AI
Техника безопасности при работе с AI Техника безопасности при работе с AI

Похоже, пора внедрять такие же правила и для работы с LLM и AI в целом.

Ошибки контекста при каскадной работе требуют архитектурных решений: очистка контекста при повторных попытках, мониторинг коэффициента ошибок и минимальные привилегии для агентов.

Техника безопасности при работе с ИИ - простые правилаИИ - это как калькулятор с доступом в интернет: он может ошибиться, быть обманутым или использован против вас.

Если это случилось с Google - случится и с вами.

Простое правило: ИИ - не друг, не коллега, не начальник.

1 day, 6 hours назад @ habr.com
Как защитить железку от Китайцев, если вы им передаете всю производственную документацию?
Как защитить железку от Китайцев, если вы им передаете всю производственную документацию? Как защитить железку от Китайцев, если вы им передаете всю производственную документацию?

Отложенный саботажЕсли проверка не прошла, устройство не блокируется мгновенно.

Криптографический ключ и защита от Replay-атакКогда мы говорим о передаче активационного блока данных с сервера на устройство, критически важно защитить этот канал от перехвата.

В FPGA для этого идеально подходит Ring Oscillator PUF (RO-PUF) — кольцевой генератор на базе задержек в логических элементах.

Мы сравниваем не «на сколько один быстрее другого», а просто определяем, кто из них выиграл гонку:3.

Им и в голову не прийдет (в первое время), что этот шум генерирует идеально работающий цифровой автомат внутри FPGA, который просто не дождался ключа.

1 day, 20 hours назад @ habr.com
[Перевод] Лучшие практики по Kubernetes. Жаль, я не знала о них раньше
[Перевод] Лучшие практики по Kubernetes. Жаль, я не знала о них раньше [Перевод] Лучшие практики по Kubernetes. Жаль, я не знала о них раньше

Управляйте манифестами через Helm, Kustomize или Pulumi, а не через копирование YAML между проектами.

Храните секреты во внешнем хранилище, а не в обычных Kubernetes Secrets.

Поэтому многоконтейнерные поды стоит использовать осознанно, а не по умолчанию.

Алерты — «алертить» лучше по SLO burn rate, а не по каждому упавшему поду, чтобы реагировать на происшествия, оказывающие реальное влияние на пользователей, а не на любой рестарт.

Добавьте служебные метки для владельца сервиса, центра затрат, окружения и уровня критичности ( SLO tier ), потому что они понадобятся и для FinOps-, и для on-call-процессов.

2 days, 2 hours назад @ habr.com
Локальный запуск LLM для SOC: сколько GPU действительно нужно?
Локальный запуск LLM для SOC: сколько GPU действительно нужно? Локальный запуск LLM для SOC: сколько GPU действительно нужно?

В этом сценарии модель не обучается с нуля и не работает как универсальный чат для большого количества пользователей.

Тем не менее результаты позволяют оценить порядок необходимых вычислительных ресурсов не на абстрактных расчетах количества токенов, а на основе реальных SOC-сценариев.

Архитектурная экономия: DeltaNetКак мы выяснили выше, значительная часть слоев модели не требует полноценного KV-cache для истории токенов.

Эксперимент 2: влияние длины генерации на производительностьЦель: проверить, как меняется скорость генерации (TPOT), если модель переходит от короткого ответа к длинному — 10K-20K токенов на выходе.

Сценарий 120K на вход и 100 токенов на выход оказывается худшим для инфер…

2 days, 2 hours назад @ habr.com
Безопасный удалённый доступ
Безопасный удалённый доступ Безопасный удалённый доступ

Проблема классического VPNКлассический VPN подключает пользователя к сети, а не к конкретному приложению.

ZTNA: доступ к приложению, а не к сетиZTNA (Zero Trust Network Access) встроен в Ideco NGFW Novum и входит в базовую поставку.

Три уровня доступа по результатам проверки:Полное соответствие — доступ к рабочим приложениям.

Контроль подрядчиковДля подрядчиков настраивается минимально необходимый доступ к конкретному ресурсу.

Узнать больше про Ideco NGFW Novum и получить доступ к демонстрации

2 days, 4 hours назад @ habr.com
Когда Kubernetes нельзя, а Ansible боль: чего я не договорил про Horchestra
Когда Kubernetes нельзя, а Ansible боль: чего я не договорил про Horchestra Когда Kubernetes нельзя, а Ansible боль: чего я не договорил про Horchestra

Стоимость здесь не в отдельном пути доставки, а в необходимости поддерживать их N штук и удерживать в согласованном состоянии.

Если объединяющая модель и есть модель Kubernetes, то среда с Kubernetes не требует особого случая — она становится нативной.

Не «Kubernetes без Kubernetes» как замена платформы, а перенос подхода Kubernetes туда, куда платформа не дотягивается.

Почему именно Kube-way, а не собственный форматУнификация требует не «похожей», а той же самой модели, что и на реальном кластере.

Для запуска недоверенного или сомнительного кода это выигрыш, а не лазейка: прав выдаётся меньше, а не больше.

2 days, 4 hours назад @ habr.com
Атака через службу ViPNet MFTP: признаки компрометации и рекомендации
Атака через службу ViPNet MFTP: признаки компрометации и рекомендации Атака через службу ViPNet MFTP: признаки компрометации и рекомендации

Специалистами экспертного центра безопасности Positive Technologies (PT ESC) зафиксированы признаки реализации злоумышленниками атаки через штатную функциональность службы ViPNet MFTP.

wtsapi32.dllВредоносное ПО (ВПО) представляет собой загрузчик, хранящий в .data -секции исполняемый файл в виде DLL-библиотеки с измененными магическими байтами (magic bytes) заголовка.

РекомендацииДля нейтрализации угроз необходимо остановить и отключить службу ViPNet система обновления на каждом узле (АРМ/сервере) с установленным ПО ViPNet, а также запретить ее автоматический запуск.

Данная операция может быть выполнена двумя способами:Вариант А. Ручная настройка (через графический интерфейс ViPNet): Нажать…

2 days, 5 hours назад @ habr.com
Horchestra: когда Kubernetes нельзя, а Ansible становится второй кодовой базой
Horchestra: когда Kubernetes нельзя, а Ansible становится второй кодовой базой Horchestra: когда Kubernetes нельзя, а Ansible становится второй кодовой базой

Kubernetes не виноватС Kubernetes я работаю уже больше восьми лет — ещё со времён версии 1.9.

Поэтому всё, что будет сказано дальше, — это не попытка доказать, что Kubernetes плохой или переоценённый.

Тот факт, что некоторую систему можно запустить в Kubernetes, вовсе не означает, что это будет лучшая архитектура.

Но концептуально называть это Pod было бы неправильно: Pod в Kubernetes — это группа контейнеров, а здесь у нас один процесс.

Не планировщик, не высокую доступность и не распределённую оркестрацию, а саму возможность использовать декларативную модель управления приложениями на обычном Linux-сервере.

3 days назад @ habr.com
Безопасность микроядра: где заканчивается трюизм и начинается инженерия
Безопасность микроядра: где заканчивается трюизм и начинается инженерия Безопасность микроядра: где заканчивается трюизм и начинается инженерия

Но в любом случае речь идет о сотнях системных вызовов, тогда как в микроядрах их около десятка.

В KasperskyOS модуль безопасности, применяющий политики, зовется на всех системных вызовах в ядро и на всех IPC (кросс-процессных) вызовах.

Формальная верификация важна не только для абстрактных свойств ядра, но и для конкретных механизмов изоляции.

Уже был Reflections on Trusty Trust, уже провели анализ безопасности multics и чуть позже даже отрефлексировали и его, но это не было такой доминантой.

И потому во многих современных монолитах, и в Linux в частности, безопасность — фича не врожденная, а благоприобретенная трудами титанов.

3 days, 1 hour назад @ habr.com
Хакер Хакер
последний пост 1 day, 19 hours назад
Четвертый бумажный спецвыпуск «Хакера» передан в печать
Четвертый бумажный спецвыпуск «Хакера» передан в печать Четвертый бумажный спецвыпуск «Хакера» передан в печать

У нас отличные новости — четвертый бумажный спецвыпуск «Хакера» с лучшими материалами за 2021–2022 годы уже передан в типографию, а значит, до старта рассылки заказов осталось совсем недолго.

В них мы расскажем о закулисных деталях работы над материалами, вспомним, как проводились исследования, и добавим интересных подробностей.

Мы не планируем дополнительных тиражей, поэтому советуем не затягивать с заказом.

Спецвыпуск #3 (2019–2021)Третий печатный спецвыпуск почти полностью распродан: на складе осталось меньше сотни экземпляров.

В нем мы собрали 22 лучших материала прошлого года: про локальные LLM, декомпилятор на нейросетях, превращение «Яндекс Станции» в шпионский гаджет и многое другое.

1 day, 19 hours назад @ xakep.ru
Малварь OkoBot нацелена на владельцев программных и аппаратных криптокошельков
Малварь OkoBot нацелена на владельцев программных и аппаратных криптокошельков Малварь OkoBot нацелена на владельцев программных и аппаратных криптокошельков

Аналитики «Лаборатории Касперского» обнаружили вредоносную платформу OkoBot, которая нацелена на кражу криптовалюты и данных владельцев криптокошельков.

В состав фреймворка входит более 20 модулей: они похищают учетные данные и файлы, перехватывают пользовательский ввод, устанавливают скрытые расширения в браузеры и записывают происходящее в окнах целевых приложений.

Связанная с OkoBot вредоносная кампания активна с весны 2025 года.

Учитывая, что малварь распространяют через GitHub и маскируют под профессиональный софт, исследователи считают, что одна из основных целей этой кампании — разработчики и другие ИТ-специалисты.

Связать OkoBot с конкретной хак-группой пока не удалось.

1 day, 19 hours назад @ xakep.ru
В Zoom для Windows исправили критическую уязвимость
В Zoom для Windows исправили критическую уязвимость В Zoom для Windows исправили критическую уязвимость

Уязвимость связана с некорректной проверкой входных данных и затрагивает Zoom Workplace, VDI Client и Meeting SDK для Windows.

Известно, что CVE-2026-53412 затрагивает Zoom Workplace для Windows ниже версии 7.0.0 и Meeting SDK ниже 7.0.0.

CVE-2026-53410 затрагивает Zoom Workplace для Windows ниже версии 7.0.5, VDI Client и VDI Plugin ниже версий 6.5.17 и 6.6.14 в соответствующих ветках, Zoom Rooms ниже 7.0.5, а также Remote Control for Zoom Contact Center ниже 7.0.0.

Уязвимость CVE-2026-53409 связана с некорректным управлением привилегиями в Zoom Rooms для Windows ниже версии 7.1.0.

Наконец, CVE-2026-53411 затрагивает VDI Plugin для Windows ниже версии 6.6.14.

1 day, 21 hours назад @ xakep.ru
Жизнь после смерти Windows Server 2016. Разбираем угрозы и укрепляем безопасность устаревшей ОС
Жизнь после смерти Windows Server 2016. Разбираем угрозы и укрепляем безопасность устаревшей ОС Жизнь после смерти Windows Server 2016. Разбираем угрозы и укрепляем безопасность устаревшей ОС

12 янва­ря 2027 года в Microsoft офи­циаль­но прек­ратят рас­ширен­ную под­дер­жку Windows Server 2016.

В Windows Server 2016 нет мно­гих сов­ремен­ных механиз­мов защиты, которые появи­лись в более поз­дних вер­сиях — Windows Server 2022 и Windows Server 2025.

Нап­ример, Windows Server Update Services (WSUS), которую годами исполь­зовали вмес­те с Windows Server 2016, помети­ли как уста­рев­шую, а новые под­ходы к адми­нис­три­рова­нию уже стро­ятся вок­руг Enterprise Access Model и Azure Arc.

Поэто­му пер­вый и самый эффектив­ный шаг в хар­денин­ге сер­веров с Windows Server 2016 — выб­рать вари­ант уста­нов­ки Server Core вмес­то Desktop Experience.

Поэто­му каж­дый сер­вер на Windows Se…

1 day, 23 hours назад @ xakep.ru
Claude для Chrome позволяет другим расширениям читать данные Gmail, Google Docs и не только
Claude для Chrome позволяет другим расширениям читать данные Gmail, Google Docs и не только Claude для Chrome позволяет другим расширениям читать данные Gmail, Google Docs и не только

Другой вредоносный аддон может имитировать клики пользователя и вынудить Claude прочитать данные из Gmail, Google Docs, Google Calendar и Salesforce.

Claude для Chrome отслеживает клики по определенному элементу на claude.ai.

То есть атакующие могут вынудить ассистента прочитать последние письма в Gmail, открыть свежий документ в Google Docs и комментарии к нему, проверить календарь или изменить данные в Salesforce.

Эксперты уведомили представителей Anthropic о проблемах еще 21 мая 2026 года, когда актуальной была версия 1.0.72 Claude для Chrome.

За восемь релизов разработчики так и не изменили код, который обрабатывает клики и запускает боковую панель.

2 days назад @ xakep.ru
Линус Торвальдс высказался об использовании ИИ: «Форкайте ядро или уходите»
Линус Торвальдс высказался об использовании ИИ: «Форкайте ядро или уходите» Линус Торвальдс высказался об использовании ИИ: «Форкайте ядро или уходите»

По его словам, Linux не станет очередным «анти-ИИ-проектом», а решения будут приниматься исходя из технических критериев, а не из страха перед новыми инструментами.

По мнению Торвальдса, ИИ следует воспринимать как обычный рабочий инструмент:«ИИ — такой же инструмент, как и другие, которыми мы пользуемся.

При этом Торвальдс признает, что ИИ может создавать дополнительную нагрузку на мейнтейнеров и регулярно находит «неприятные и постыдные баги».

Теперь Торвальдс подчеркивает, что не считает нынешние ИИ-системы идеальными, но напоминает, что люди тоже далеки от совершенства:«ИИ не идеален.

Но, черт возьми, любой, кто указывает на проблемы ИИ, должен одновременно посмотреть в зеркало и указат…

2 days, 1 hour назад @ xakep.ru
Российские компании атакуют через механизм обновлений ViPNet
Российские компании атакуют через механизм обновлений ViPNet Российские компании атакуют через механизм обновлений ViPNet

Атаки начались в мае 2026 года и затронули госструктуры, промышленные и энергетические компании, транспортно-логистический сектор и образовательные учреждения.

Исследователи пишут, что для закрепления в системе злоумышленники используют компонент обновлений ViPNet — комплекса для создания защищенных сетей.

На одной из машин злоумышленники также развернули обратный SSH-туннель к серверу 5.39.253[.]206.

Однако исследователи не исключают, что злоумышленники специально оставили ложные флаги.

В 2025 году специалисты обнаружили сложный бэкдор, который маскировался под обновления этого ПО, и эти атаки затронули десятки российских организаций.

2 days, 2 hours назад @ xakep.ru
Приложения VK и мессенджер Max удалили из магазина Google Play
Приложения VK и мессенджер Max удалили из магазина Google Play Приложения VK и мессенджер Max удалили из магазина Google Play

16 июля 2026 года из магазина Google Play пропали приложения холдинга VK и мессенджер Max.

Пользователи Android-устройств продолжат получать push-уведомления о сообщениях, событиях и звонках в Max и приложениях VK», — гласит заявление компании.

Из официального магазина приложений Google были удалены мессенджер Max, «Вконтакте», «Одноклассники» и «Дзен», а также отдельные приложения сервисов холдинга: «VK Мессенджер», «VK Звонки», «VK Знакомства», «VK Музыка», «VK Видео», «VK Видео Live» и «VK Клипы».

Кроме того, магазин перестал отображать для пользователей «Почту Mail», «Облако Mail», «VK Почту», VK WorkSpace, VK Play, «Юлу» и «Марусю».

В конце июня Apple сослалась на необходимость соблюда…

2 days, 4 hours назад @ xakep.ru
Преступника, отбывающего срок за отмывание денег, обвинили в краже криптовалюты
Преступника, отбывающего срок за отмывание денег, обвинили в краже криптовалюты Преступника, отбывающего срок за отмывание денег, обвинили в краже криптовалюты

53-летнего гражданина Болгарии Россена Г. Иосифова (Rossen G. Iossifov) обвинили в краже 290 000 долларов США в криптовалюте, которую ранее арестовали американские власти.

По версии следствия, он организовал вывод средств, уже отбывая 121-месячный срок за отмывание денег, похищенных у жертв интернет-мошенников.

Следствие считает, что новую схему Иосифов организовал в январе 2024 года, уже находясь в тюрьме после приговора, вынесенного в 2021 году.

В частности, он предлагал мошенникам более выгодные обменные курсы и позволял конвертировать наличные в криптовалюту без предоставления документов, удостоверяющих личность или подтверждающих происхождение средств.

Суд обязал его выплатить жертвам …

2 days, 19 hours назад @ xakep.ru
Опубликован эксплоит для 0-day-уязвимости LegacyHive в Windows
Опубликован эксплоит для 0-day-уязвимости LegacyHive в Windows Опубликован эксплоит для 0-day-уязвимости LegacyHive в Windows

Анонимный ИБ-исследователь Nightmare Eclipse опубликовал PoC-эксплоит LegacyHive для новой 0-day-уязвимости в Windows.

Проблема LegacyHive эксплуатирует службу профилей пользователей Windows (Windows User Profile Service, ProfSvc) и механизм, связанный с загрузкой пользовательских хайвов реестра (registry hive).

Nightmare Eclipse объясняет, что при входе пользователя Windows должна загрузить его хайв UsrClass.dat.

Однако Nightmare Eclipse утверждает, что специально урезал свой эксплоит, чтобы затруднить использование LegacyHive в массовых атаках.

Он отмечает, что самостоятельно восстановить недостающие части эксплоита смогут специалисты, которые достаточно хорошо разбираются в архитектуре W…

2 days, 21 hours назад @ xakep.ru
Go ломать хеши! Пишем свой хешкрекер на Golang и изучаем тонкости языка
Go ломать хеши! Пишем свой хешкрекер на Golang и изучаем тонкости языка Go ломать хеши! Пишем свой хешкрекер на Golang и изучаем тонкости языка

SrcFileName, и помещает их в канал cfg.

Err () ; err != nil { cfg .

Фун­кция worker( ) обра­баты­вает задания: вычис­ляет хеш, срав­нива­ет его с целевым зна­чени­ем и, если они сов­пада­ют, отправ­ляет сло­во в канал резуль­татов и завер­шает­ся.

Го­рути­на collect запус­кает­ся и работа­ет, пока не зак­роет­ся канал resultCh или пока она не получит резуль­тат вычис­лений.

Чте­ние из resultCh внут­ри collect тоже завер­шает­ся: либо мы получи­ли иско­мое зна­чение, либо все вор­керы отра­бота­ли и канал resultCh зак­рылся.

2 days, 23 hours назад @ xakep.ru
Apple подала в суд на OpeanAI, утверждая, что бывший сотрудник использовал баг для кражи секретов
Apple подала в суд на OpeanAI, утверждая, что бывший сотрудник использовал баг для кражи секретов Apple подала в суд на OpeanAI, утверждая, что бывший сотрудник использовал баг для кражи секретов

По версии Apple, бывший инженер воспользовался багом в системе аутентификации и несколько недель скачивал материалы о еще не вышедших продуктах компании, уже работая в OpenAI.

Главным фигурантом иска Apple стал Чан Лю (Chang Liu), который восемь лет участвовал в разработке секретных продуктов Apple, а в январе 2026 года перешел в OpenAI.

Логи показали, что ошибка затронула еще нескольких пользователей, однако признаков кражи данных с их стороны в компании не обнаружили.

В Apple полагают, что этот инцидент был частью более масштабной схемы.

В компании заявили, что молодой аппаратный бизнес OpenAI построен на «прогнившем фундаменте» из незаконном присвоении коммерческих тайн.

3 days назад @ xakep.ru
На GitHub обнаружили фальшивые утилиты для обхода блокировок
На GitHub обнаружили фальшивые утилиты для обхода блокировок На GitHub обнаружили фальшивые утилиты для обхода блокировок

Специалисты Solar 4RAYS ГК «Солар» предупреждают, что злоумышленники используют блокировку Telegram и повышенный спрос на средства обхода ограничений для распространения малвари через GitHub.

Исследователи рассказывают о нескольких схожих инцидентах, когда пользователи запускали вредоносные инструменты, скачанные с GitHub под видом легитимного софта.

Специалисты объясняют, что из-за действующих в РФ ограничений ссылки на оригинальные и валидные репозитории удаляются из поисковой выдачи «Яндекса».

Так как оригинальный репозиторий может отсутствовать в результатах поиска, вредоносные ссылки поднимаются на первые позиции в «Яндексе» по запросам вроде «tg-ws-proxy».

Исследователи заключают, что…

3 days, 2 hours назад @ xakep.ru
В июле Microsoft исправила рекордные 622 уязвимости в своих продуктах
В июле Microsoft исправила рекордные 622 уязвимости в своих продуктах В июле Microsoft исправила рекордные 622 уязвимости в своих продуктах

В первую очередь разработчики рекомендуют обратить внимание на 0-day-уязвимость CVE-2026-56164, затрагивающую SharePoint Server и уже использующуюся в атаках.

В компании объяснили, что отсутствие аутентификации для критически важных функций в Microsoft Office SharePoint позволяло неавторизованному злоумышленнику повысить свои привилегии.

В Microsoft не раскрывают, как именно баг используют хакеры, но в качестве временной защитной меры рекомендуется включить Antimalware Scan Interface (AMSI), а также перевести параметр Request Body Scan в режим Full.

Что касается рекордных 622 уязвимостей, ранее в этом месяце представители Microsoft предупреждали, что ежемесячных исправлений будет становитьс…

3 days, 4 hours назад @ xakep.ru
Легальный ужас. Как хакеры превращают в оружие инструменты удаленного управления
Легальный ужас. Как хакеры превращают в оружие инструменты удаленного управления Легальный ужас. Как хакеры превращают в оружие инструменты удаленного управления

Зло­умыш­ленни­ки исполь­зуют это доверие как лазей­ку и прев­раща­ют инс­тру­мент адми­нис­три­рова­ния в средс­тво для про­ник­новения в инфраструк­туру и зак­репле­ния в ней.

Клас­сичес­кий сце­нарий с RMM — связ­ка вре­донос­ного лоаде­ра или даун­лоаде­ра с инс­тру­мен­том уда­лен­ного управле­ния.

По ста­тис­тике лидиру­ет ScreenConnect RMM, но Atera, Tactical RMM и зна­мени­тый AnyDesk тоже очень популяр­ны.

Даль­ше перей­дем к прак­тике: раз­берем кон­крет­ные инс­тру­мен­ты RMM и пос­мотрим, как зло­умыш­ленни­ки исполь­зуют тех­нику T1219 (Remote Access Tools) из MITRE ATT&CK.

В Elsinore Technologies раз­работа­ли это решение в 2008 году для уда­лен­ного дос­тупа к рабоче­му сто­л…

3 days, 7 hours назад @ xakep.ru
In English 🇺🇸
The Hacker News The Hacker News
последний пост 1 day, 15 hours назад
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

An anonymous HTTP request can run code on a WordPress site.

The writeup, published under the name wp2shell, says the attack has "no preconditions and can be exploited by an anonymous user."

WordPress released 6.9.5 and 7.0.2 on July 17, 2026, closing a pre-auth RCE in core that an anonymous request can trigger against a default install with no plugins.

The release covers one critical and one high severity flaw, and WordPress does not say which is which.

WordPress core is open source, and 7.0.1 and 7.0.2 both sit in the public release archive, so the comparison is available to anyone who wants it.

1 day, 15 hours назад @ thehackernews.com
OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives.

OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it.

When the attacker drops the connection, OpenSSL frees the buffer, but glibc holds small and medium chunks for reuse rather than returning them to the kernel.

On a 16 GB server, HollowByte locked up 25% of system memory without ever crossing the connection ceiling, which is why the Red Team says "standard connection-limiting defenses won't stop it".

Here is the case for them: 131 KB per connection is small, every TLS server allocates memory per connection, and a bounded…

1 day, 16 hours назад @ thehackernews.com
Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT
Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may see this page if you are using advanced terms that robots are known to use, or sending requests very quickly.

1 day, 18 hours назад @ thehackernews.com
New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens
New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys.

What a bot ships home is cloud keys pulled out of environment variables, k8s service account tokens, and the contents of ~/.aws/config, .env, and ~/.docker/config.json.

The researchers put it plainly: the operator is after "not the host itself, but the cloud credentials, Kubernetes cluster privileges" on it.

Censys counted 12,520 reachable MCP services across 8,758 IP addresses as of April 28, more than 21,000 by May 6, and roughly 90 advertising a tool that runs commands.

The botnet's own MCP counters do not reconcile: 12,100 MCP services listed as …

1 day, 20 hours назад @ thehackernews.com
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may see this page if you are using advanced terms that robots are known to use, or sending requests very quickly.

1 day, 20 hours назад @ thehackernews.com
Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images
Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges.

The assignment involved executing a trojanized repository containing malware designed to exfiltrate valuable data and configuring a Socket.IO backdoor.

"The payloads are split into base64 fragments inside HTML comments across every SVG flag image inside an assets directory.

Elastic said the main payload shares overlap with OtterCookie, a cross-platform malware that first emerged in September 2024.

"The success of these operations underscores how compromising an i…

1 day, 23 hours назад @ thehackernews.com
E.U. Orders Google to Open Android Mic, Camera and Screen to Rival AI Assistants
E.U. Orders Google to Open Android Mic, Camera and Screen to Rival AI Assistants E.U. Orders Google to Open Android Mic, Camera and Screen to Rival AI Assistants

Google has to ship it in the next major release, Android 18, and by 1 August 2027 at the latest.

The second makes Google hand anonymised Search query, click, and ranking data to rival search engines, and to AI chatbots that do search, for a cost-based fee.

Google may demand certification before an app touches five of them, which the published measures call restricted features:Centralised access to the on-device data apps opt in to sharing, today AppSearch.

The Commission's draft measures from 27 April have no restricted features, no Qualified AI Assistant Programme, and no certification authorities.

Google spent the spring arguing that uncertified assistants should not hold these permission…

2 days, 1 hour назад @ thehackernews.com
The Race to Field Military Autonomy Is On, Can Trusted Information Infrastructure Keep Pace?
The Race to Field Military Autonomy Is On, Can Trusted Information Infrastructure Keep Pace? The Race to Field Military Autonomy Is On, Can Trusted Information Infrastructure Keep Pace?

Now the focus shifts to the trusted information infrastructure that allows them to operate together at mission speed.

The future force won't be defined by autonomous systems alone, it will be defined by the trusted information infrastructure that connects them.

Trusted information infrastructure should enable programs to adopt autonomous capability at the same pace and flexibility that modern defense demands.

Removing the operating system from the trust boundary reduces the architecture complexity while supporting the movement of trusted information across secure environments.

Learn more about the trusted information infrastructure for autonomous operations or speak with an Everfox expert a…

2 days, 1 hour назад @ thehackernews.com
Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man
Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Armenia has held a Russian tourist named Aleksandr Ermakov in a detention center since June 28, on a U.S. extradition request for a REvil ransomware suspect named Aleksandr Ermakov.

His lawyers say Washington has the wrong man.

The man in the Armenian cell, his lawyers say, is Aleksandr Yuryevich Ermakov, from Omsk, a former prison-service lawyer who does not speak English.

The SDN record runs: ERMAKOV, Aleksandr, Moscow, DOB 16 May 1990, male, one Yandex address, four handles (blade_runner, GistaveDore, GustaveDore, JimJones).

The Ermakov warrant name is at home, reporting once a month to the prison service that the man in the cell spent his career working for.

2 days, 2 hours назад @ thehackernews.com
ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders.

Red Canary had logged Claude-branded lures a month earlier, delivering ACR Stealer through fake Claude Code pages on GitLab such as claude-desktop[.]gitlab[.]io .

ClearFake, a web-inject cluster that has been feeding ACR Stealer since at least March 2025, took the No.

1 spot on its most-prevalent-threat list for the first time that month, and ACR Stealer entered the top ten at a tie for sixth.

Proofpoint reported in June 2025 that "ACR Stealer was significantly upd…

2 days, 4 hours назад @ thehackernews.com
New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage
New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

GoSerpent is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system.

The end goal of these efforts is to harvest sensitive files and stage them for subsequent exfiltration using a data collecting tool dubbed ThumbcacheService.

The attacks have also employed credential dumping tools via GoSerpent to capture system credentials need to facilitate data exfiltration through network shared drives.

Earlier iterations of the Go-based implant and remote access trojan (RAT) have been put to use since 2021 against victims in Southeast Asia, with recent variants deployed as recently as this year.

The malware functions by re…

2 days, 4 hours назад @ thehackernews.com
CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV
CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026.

The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute arbitrary code.

"In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server," Microsoft said in an advisory release…

2 days, 6 hours назад @ thehackernews.com
Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees into an office to get their passwords reset in person.

Both the NCA and the CPS put TfL's losses and recovery costs at £29 million.

The CPS says Flowers and Jubair are believed to be the first hackers successfully prosecuted under Section 3ZA.

One laptop held a screenshot of network connectivity to TfL infrastructure, plus videos Flowers had recorded of Jubair moving through TfL systems during the attack.

Neither the NCA's nor the CPS's written releases set out how Flowers and Jubair first got into TfL.

2 days, 20 hours назад @ thehackernews.com
ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories
ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

A lot of this week’s trouble starts with something that looks close enough.

Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation.

Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research.

Check the repo, the installer, the account, the exposed service.

And when a bug looks old, awkward, or too simple to matter, assume someone has already found a use for it.

2 days, 21 hours назад @ thehackernews.com
n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them.

How big a deal is thisThe flaw reaches an instance only if token exchange is switched on and the config trusts at least two external issuers.

The practical question is whether an ordinary user at a trusted issuer can influence the sub they receive.

Cut back to a single trusted issuer, or turn the feature off.

By n8n's own scope statement, an instance with token exchange off is not affected.

2 days, 23 hours назад @ thehackernews.com
threatpost threatpost
последний пост None
DarkReading
последний пост None
WeLiveSecurity
последний пост 5 days, 4 hours назад
Forgotten UEFI shims undermining Secure Boot
Forgotten UEFI shims undermining Secure Boot Forgotten UEFI shims undermining Secure Boot

UEFI shim bootloader and UEFI Secure BootTo understand the impact that such vulnerable shims can have on UEFI Secure Boot-protected systems, we need to understand how UEFI Secure Boot works, and how signed UEFI shim bootloaders extend the Secure Boot trust chain.

In this section we’ll look at UEFI Secure Boot basics, how UEFI shims extend the UEFI Secure Boot trust chain, and two shim-related features: Machine Owner Key (MOK) and Secure Boot Advanced Targeting (SBAT).

For anyone already familiar with the theory, we recommend jumping directly to the section Bypassing UEFI Secure Boot using old shims.

UEFI shim bootloader and Secure BootWith Linux distributions supporting UEFI Secure Boot, th…

5 days, 4 hours назад @ welivesecurity.com
ESET Threat Report H1 2026
ESET Threat Report H1 2026 ESET Threat Report H1 2026

A view of the H1 2026 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

The first half of 2026 shows how attackers continue to improve the efficiency and scalability of their operations.

In H1 2026, ESET analyzed nearly 900,000 AI skills – small functional components used by AI agents – and identified tens of thousands of suspicious and thousands of outright malicious instances.

ESET detections of this vector more than doubled between H2 2025 and H1 2026, indicating sustained activity and adaptation.

ESET Research has documented over 100 EDR killers used in the wild, with new variants appearing regularly.

1 week, 4 days назад @ welivesecurity.com
Cyber readiness for SMBs: Getting the basics right
Cyber readiness for SMBs: Getting the basics right Cyber readiness for SMBs: Getting the basics right

Organizations are right to pay attention, especially because malicious use of AI makes old gaps a more urgent test of an organization’s cyber readiness.

AI and the basics“AI-powered malware” is cited as the top concern of global SMBs for the year ahead, according to the ESET SMB Cyber Readiness Index 2026.

Lack of security monitoring (22%): You might have plenty of security tools, but do you have a single, centralized place to collect, correlate and flag alerts?

Malicious email detection trend in 2025 (source: ESET Threat Report H2 2025)Tried-and-tested solutions to age-old threatsThis isn’t to say that SMBs should ignore AI-enabled threats.

True cyber readiness means being able to prevent,…

2 weeks, 2 days назад @ welivesecurity.com
This month in security with Tony Anscombe – June 2026 edition
This month in security with Tony Anscombe – June 2026 edition This month in security with Tony Anscombe – June 2026 edition

It's that time of month when ESET Chief Security Evangelist Tony Anscombe looks back at some of the top cybersecurity stories that made the news over the past 30 or so days and considers what they may mean for your own cyber-defenses.

What lessons does the new CISA policy hold for organizations outside the agency's direct remit?

What else is there to know about threats facing ATGs or, indeed, many other critical infrastructure systems?

How can you stay safe from imposter fraud, and could the social media bans for children work?

Learn more from Tony's video and be sure to check out the May 2026 edition of Tony's monthly security news roundup for more insights.

2 weeks, 4 days назад @ welivesecurity.com
Inside the inbox: Why cybercriminals want to break into your email account
Inside the inbox: Why cybercriminals want to break into your email account Inside the inbox: Why cybercriminals want to break into your email account

With access to your email account, they can reset your passwords across multiple other accounts – perhaps intercepting one-time passcodes sent by your bank, social media, cloud storage or other online provider.

That could lay the groundwork for a convincing phishing email designed to impersonate a trusted organization you interact with.

A phishing attack on your corporate email account is often the first stage in a bigger data breach, extortion/ransomware or espionage attack.

They’re also using more sophisticated tools to improve the success rates of email phishing campaigns.

In this instance the scammers reportedly hijacked the email account of a high-level executive, before impersonating …

2 weeks, 6 days назад @ welivesecurity.com
SMB cyber readiness: the road to resilience starts here
SMB cyber readiness: the road to resilience starts here SMB cyber readiness: the road to resilience starts here

For these businesses, cyber resilience should be the direction of travel – that is, the ability to continue operating and recover even during a serious incident.

Cyber readiness is about putting in place the processes and controls to prevent, detect and respond to threats.

So, should confidence in cyber resilience posture be so high, especially if organizations are still getting hit multiple times?

The truth is that there’s no end state for cyber readiness or resilience.

If it’s serious about improving the cyber readiness of small businesses, the vendor community should step up.

3 weeks, 2 days назад @ welivesecurity.com
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances

Key points of this blogpost: Throughout 2025, Gamaredon exclusively targeted governmental and military institutions in Ukraine.

Continued data exfiltration and a new allianceThroughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine.

Notably, we uncovered that in early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor also linked to the FSB; we documented our findings in our blogpost Gamaredon X Turla collab.

Figure 1 shows a chart of unique samples of HTA downloaders delivered per month in Gamaredon spearphishing campaigns.

Compared to 2024, we also saw a shift in how Gamaredon used these dead drops.

3 weeks, 3 days назад @ welivesecurity.com
ESET takes part in Operation Endgame to disrupt Amadey and Stealc
ESET takes part in Operation Endgame to disrupt Amadey and Stealc ESET takes part in Operation Endgame to disrupt Amadey and Stealc

Key points of this blogpost: ESET took part in the coordinated, global Operation Endgame to disrupt Amadey and Stealc.

Our automated systems have been dissecting Amadey and Stealc samples and identifying the fields most relevant for large-scale tracking.

The largest Amadey botnet clusterOne cluster stands out as the largest, and it contributed nearly 34% of all processed Amadey samples.

Stealc affiliate clustering based on ESET telemetryConclusionFor global disruption operations such as Operation Endgame against Amadey and Stealc, long-term automated tracking of malware is necessary.

2026‑04‑09 Stealc C&C server.

3 weeks, 4 days назад @ welivesecurity.com
Killing me gently: Inside Gentlemen’s EDR killer framework
Killing me gently: Inside Gentlemen’s EDR killer framework Killing me gently: Inside Gentlemen’s EDR killer framework

The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., tools for disrupting security software.

In this blogpost, we share our findings on Gentlemen’s suite of EDR killers gained through extensive research and corroborated by the recent leak.

Third‑party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally integrated.

Rather than relying on affiliates to source their own EDR killers, Gentlemen operators actively develop and maintain a portfolio of EDR killers for affiliates.

It allows the Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclos…

1 month назад @ welivesecurity.com
Protecting legacy OT systems against modern cyberthreats
Protecting legacy OT systems against modern cyberthreats Protecting legacy OT systems against modern cyberthreats

Of course, connecting production systems to enterprise networks delivers tangible benefits, but the security implications – that systems once safe were suddenly no longer so – arrived more quietly.

Start by mapping which systems in an environment are connected and have no security coverage, where IT and OT networks intersect, which segments are unmonitored, and which production systems have fallen outside any vendor support agreement.

Meanwhile, off-the-peg security tools often don’t efficiently meet the enterprise requirements in legacy OT systems that run on older hardware and outdated operating system versions.

The production systems running that version continue to operate for years, ac…

1 month назад @ welivesecurity.com
FishMonger’s arsenal upgraded: SprySOCKS for Windows
FishMonger’s arsenal upgraded: SprySOCKS for Windows FishMonger’s arsenal upgraded: SprySOCKS for Windows

Key points of this blogpost: We discovered two previously undocumented Windows variants of FishMonger’s SprySOCKS backdoor.

Technical analysisIn this section, we provide a technical analysis of these new, Windows variants of FishMonger’s SprySOCKS backdoor.

Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor (newlines added for readability)Figure 4 depicts the execution chain of the SprySOCKS WIN_DRV variant.

It contained the SprySOCKS backdoor and the SprySOCKS loader.

6490B8E4AADE25A3EE2D A9A47F312DB2122470BC X1B5206BDC1 743DD.dat Win64/SprySOCKS.A Encrypted container of the encrypted WIN_DRV variant of SprySOCKS backdoor, encrypted SprySOCKS RawWNPF and SprySOCKS …

1 month назад @ welivesecurity.com
EvilTokens: A phishing attack that doesn’t steal your password
EvilTokens: A phishing attack that doesn’t steal your password EvilTokens: A phishing attack that doesn’t steal your password

Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page.

What makes EvilTokens dangerousThe OAuth device code flow was designed for devices that may be awkward to sign into directly, such as smart TVs or printers.

No document, invoice, email, or another platform should ask for a device code without a clear reason.

A real Microsoft page doesn’t automatically make a request safe.

Sometimes the attacker could ask them to enter a real code on a real page – but for the wrong device.

1 month назад @ welivesecurity.com
OceanLotus: From external espionage to domestic targeting
OceanLotus: From external espionage to domestic targeting OceanLotus: From external espionage to domestic targeting

During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage.

We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company.

The domain resolved to the genuine IP address of the FireAnt update server, suggesting a supply-chain compromise scenario.

LTD 2025‑09‑20 SPECTRALVIPER C&C server.

]com IRT‑CHOOPALLC‑AP 2025‑09‑20 SPECTRALVIPER C&C server.

1 month, 1 week назад @ welivesecurity.com
SMB cyber-readiness: What makes or breaks it
SMB cyber-readiness: What makes or breaks it SMB cyber-readiness: What makes or breaks it

But that realization alone clearly doesn’t prepare them to withstand an attack.

Have the repeat victims come to view their brushes with cyber-incidents as proof of “what doesn’t kill me makes me stronger”?

For all the talk around AI, automation and attacker sophistication, many SMB breaches still begin with a familiar opening.

A total of 71% of SMBs globally now carry cyber insurance, rising to 84% in North America, with adoption climbing sharply among repeat victims.

While “when, not if” has never been more true, that alone doesn’t prepare a business for adversity.

1 month, 1 week назад @ welivesecurity.com
Cybercriminals: the 'auditors' you never hired
Cybercriminals: the 'auditors' you never hired Cybercriminals: the 'auditors' you never hired

There’s a phrase that is peddled out by governments and companies alike when a catastrophe of any type – including a cybersecurity breach – occurs: “Lessons have been learnt”.

The 130% increase in significant incidents between 2024 and 2025 severely challenges this assertion and points to lessons not being learnt, at a macro level.

In fact, this reluctance to look could also be normalcy bias quietly doing its work.

That is why this metaphor matters – cybercriminals discover the gap between what an organisation believes about its security and what the reality is.

We must accept that normalcy bias exists and act upon it.

1 month, 1 week назад @ welivesecurity.com
Naked Security Naked Security
последний пост None
Help Net Security Help Net Security
последний пост 6 часов назад
Week in review: High severity WordPress vulnerabilities, fake OAuth IDs bypass sign-in logs
Week in review: High severity WordPress vulnerabilities, fake OAuth IDs bypass sign-in logs Week in review: High severity WordPress vulnerabilities, fake OAuth IDs bypass sign-in logs

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:Two new high severity WordPress vulnerabilities, patch immediately!

Cynative, an open-source security research agent, answers that hazard by refusing to write anything by default, and by checking that refusal on every single call it makes.

The 2026 SANS AI Survey, drawn from 536 IT and security professionals, describes what that commitment costs to keep.

Open-source code sits under web apps, build pipelines, and the machine learning stacks getting so much attention right now.

Attackers work along attack paths, and that mismatch is where the money goes.

6 часов назад @ helpnetsecurity.com
Two new high severity WordPress vulnerabilities, patch immediately!
Two new high severity WordPress vulnerabilities, patch immediately! Two new high severity WordPress vulnerabilities, patch immediately!

The 7.0.2 WordPress security release addresses one critical and one high severity security issue.

The vulnerabilities reported to the WordPress security team include:CVE-2026-60137 – A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo– A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo CVE-2026-60137 – A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight CyberWhich versions of WordPress are vulnerable?

WordPress 6.9 is affected by both vulnerabilities.

WordPress 6.8 is only affected by the first vulnerability.

The beta release of WordPress 7.1 is affec…

22 часа назад @ helpnetsecurity.com
Spirals ransomware locks down victim systems in under 24 hours
Spirals ransomware locks down victim systems in under 24 hours Spirals ransomware locks down victim systems in under 24 hours

The attackers gained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell.

Credential dumping and tunneling expanded the intrusion“Credential material was harvested by dumping the Security Account Manager (SAM) hive to a password-protected archive.

Some of the tools used in the attack were hosted externally with .jpg file extensions, apparently to dodge basic file-type filtering.

“The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service,” they noted.

The company has shared indicators of compromise tied to the attack for organizations wanting to check …

2 days назад @ helpnetsecurity.com
Scammers weaponize FaceTime to drain bank accounts
Scammers weaponize FaceTime to drain bank accounts Scammers weaponize FaceTime to drain bank accounts

Apple is warning iPhone and iPad users that scammers are using FaceTime calls to trick them into handing over money and account details.

According to Apple, scammers pose as trusted organizations and use social engineering to convince people to hand over account credentials, security codes, and financial information.

Scammers also tend to bring up private information early in the conversation, things like a home address, an employer, or sometimes a Social Security number, to sound credible.

Some scammers go further and ask victims to turn off two-factor authentication (2FA) or Stolen Device Protection, framing it as necessary to stop an ongoing attack.

In one version of the scam, the caller…

2 days, 3 hours назад @ helpnetsecurity.com
Claude can now sign into websites with 1Password without exposing your credentials
Claude can now sign into websites with 1Password without exposing your credentials Claude can now sign into websites with 1Password without exposing your credentials

It requires a Mac, Claude Desktop, Claude in Chrome, the 1Password desktop app, and the 1Password browser extension.

Connecting 1Password and ClaudeUsers connect their 1Password account to Claude from the Connectors section in Claude Desktop.

After the integration is enabled and the 1Password vault is unlocked, Claude can request credentials whenever it needs to sign in to a website while completing a task.

Connecting 1Password and Claude (Source: 1Password)Signing in without exposing credentialsWhen Claude reaches a sign-in page, it requests the required login from 1Password.

Users experiencing setup issues should verify that Claude Desktop, Claude in Chrome, the 1Password desktop app, and…

2 days, 3 hours назад @ helpnetsecurity.com
Ransomware attack halts Coca-Cola’s Fairlife US milk production
Ransomware attack halts Coca-Cola’s Fairlife US milk production Ransomware attack halts Coca-Cola’s Fairlife US milk production

A ransomware attack has stopped milk production at Fairlife, the Coca-Cola dairy brand known for its high-protein milk, protein shakes, and nutrition drinks.

Coca-Cola disclosed the incident on July 16, 2026, in a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC).

However, as a result of the incident, production operations at fairlife in the United States are temporarily suspended.

fairlife’s Canada production operations are not currently impacted,” the company said.

“The full scope, nature and impacts of the incident are not yet known,” the company added.

2 days, 5 hours назад @ helpnetsecurity.com
Prompt injection is becoming the XSS of the web agent era
Prompt injection is becoming the XSS of the web agent era Prompt injection is becoming the XSS of the web agent era

Autonomous web agents read whatever a page displays, and much of that content comes from strangers.

Their system, Prismata, sits between a web agent and the browser.

It filters the content an agent sees and limits the actions the agent can take.

An attacker writes a product review that tells the agent to send the user’s credit card details to a stranger, and the agent may comply.

Prismata operates between the web agent and the browser, providing a system-level defense that filters and constrains web content before it reaches the web agent (Source: Research paper)Reading page structure to make the callPrismata works from the structure of the page.

2 days, 7 hours назад @ helpnetsecurity.com
The script, not the voice, is what makes AI voice phishing work
The script, not the voice, is what makes AI voice phishing work The script, not the voice, is what makes AI voice phishing work

The voice belongs to a senior manager, or sounds close enough, and she needs a password reset before a flight.

The detection number is a mirageGive people a synthetic voice and they’ll call it out most of the time.

What looks like a detection skill is really a room full of people who’ve decided everyone on the phone might be a robot.

People who use AI tools often scored about the same as people who had never touched one, and voice assistant users scored about the same as everyone else.

Industrial scam operations in Southeast Asia have run voice fraud at volume for years on labor costs nowhere near that.

2 days, 7 hours назад @ helpnetsecurity.com
The five step plan that cuts security budget waste
The five step plan that cuts security budget waste The five step plan that cuts security budget waste

In this Help Net Security video, Viktor Bulanek, CTO of Penetrify, explains where security budget waste comes from.

Attackers work along attack paths, and that mismatch is where the money goes.

The hidden costs are triage hours, alert fatigue, and false confidence.

Most teams don’t need more money.

Demo: Prophet Agentic AI SOC Platform transforms alert triage and investigation

2 days, 8 hours назад @ helpnetsecurity.com
A hard drive reliability check on 341,263 drives, from 4TB to past 20TB
A hard drive reliability check on 341,263 drives, from 4TB to past 20TB A hard drive reliability check on 341,263 drives, from 4TB to past 20TB

Large cloud storage operators track their hard drives every day, recording which units keep running and which ones drop off the racks.

The analysis covered 341,263 hard drives, after boot drives and a small group of units that missed the reporting thresholds were set aside.

The quarterly annualized failure rate came to 1.24%.

Across the whole fleet, the lifetime failure rate stands at 1.39%, a steadier long-run gauge of how the hardware holds up.

No new drive models joined the fleet this quarter, an outcome the company calls rare given that new models arrived in six of the past eight quarters.

2 days, 8 hours назад @ helpnetsecurity.com
New infosec products of the week: July 17, 2026
New infosec products of the week: July 17, 2026 New infosec products of the week: July 17, 2026

Here’s a look at the most interesting products from the past week, featuring releases from Cloudflare, Lineation.ai, Nudge Security, and Polygraf AI.

Polygraf AI Meeting Guard delivers real-time deepfake detection for enterprise meetingsPolygraf AI has announced Meeting Guard, a real-time AI fraud detection solution for enterprise meetings built to detect fraud and protect meeting security.

The new agents continuously analyze OAuth grants and browser extensions discovered by Nudge Security, flag what’s risky, and automate remediation with human-in-the-loop decisions.

Lineation.ai focuses on runtime security for autonomous AI agentsLineation.ai has announced the public launch of its comprehe…

2 days, 9 hours назад @ helpnetsecurity.com
Scattered Spider members jailed over Transport for London hack that cost £29 million
Scattered Spider members jailed over Transport for London hack that cost £29 million Scattered Spider members jailed over Transport for London hack that cost £29 million

Two members of the notorious “Scattered Spider” hacking collective have been sentenced to five years and six months in prison each for a cyberattack on Transport for London (TfL) that disrupted services for thousands of commuters and cost the transport authority an estimated £29 million.

Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, pleaded guilty last month, on the day their trial was set to start.

The National Crime Agency (NCA) and City of London Police charged them under Section 3ZA of the Computer Misuse Act (CMA).

Jubair and Flowers gained unauthorized access to TfL’s systems between 31 August and 3 September 2024.

Investigators estimated that a complete outage …

2 days, 23 hours назад @ helpnetsecurity.com
Adaptiva simplifies secure patch management for air-gapped networks
Adaptiva simplifies secure patch management for air-gapped networks Adaptiva simplifies secure patch management for air-gapped networks

Adaptiva has announced AirGap for OneSite Patch, a new capability that extends autonomous patch management to air-gapped environments.

“For years, organizations operating air-gapped environments have had to choose between maintaining strict isolation and keeping critical systems consistently patched,” said Dr. Deepak Kumar, CEO of Adaptiva.

Our customers need a way to extend modern, autonomous patch management into their most secure environments without compromising the security controls that were designed to protect those environments.

AirGap for OneSite Patch delivers exactly that.”AirGap for OneSite Patch extends Adaptiva’s autonomous patch management capabilities to fully isolated, air-…

2 days, 23 hours назад @ helpnetsecurity.com
CISA folds its own hard-won lessons into coordinated vulnerability disclosure guidance
CISA folds its own hard-won lessons into coordinated vulnerability disclosure guidance CISA folds its own hard-won lessons into coordinated vulnerability disclosure guidance

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and four allied cyber authorities published a guide telling software vendors how to build a coordinated vulnerability disclosure (CVD) program.

Six days earlier, CISA published a blog post explaining how a security researcher had tried and failed, repeatedly, to report a serious problem to CISA itself.

The guidanceSuppliers should design a CVD program to “effectively and transparently collaborate with security researchers to report and remediate vulnerabilities,” the guidance says.

This can be achieved by the suppliers publishing a vulnerability disclosure policy on their website and stating plainly that reportin…

2 days, 23 hours назад @ helpnetsecurity.com
Russian cybercriminal used jailbroken Gemini CLI to rebuild botnet infrastructure in six minutes
Russian cybercriminal used jailbroken Gemini CLI to rebuild botnet infrastructure in six minutes Russian cybercriminal used jailbroken Gemini CLI to rebuild botnet infrastructure in six minutes

A Russian-speaking threat actor known as “bandcampro” used a jailbroken Gemini CLI, Google’s open-source terminal-based AI agent, to deploy and operate a small command-and-control (C2) botnet, according to TrendAI.

Posing as an “authorized penetration tester,” he instructed Gemini to suppress safety disclaimers and automatically save any credentials it encountered.

The threat actor did none of the debugging himself, and the initial migration was completed in six minutes.

Now, that knowledge sits in a 5KB file even a non-technical threat actor can read and use.”That shift matters for two reasons.

Beyond the botnet, the threat actor used Gemini to crack passwords, compromise WordPress merchan…

3 days, 1 hour назад @ helpnetsecurity.com
IT Security Guru IT Security Guru
последний пост None
SecurityTrails
последний пост None
Блоги 👨‍💻
Бизнес без опасности Бизнес без опасности
последний пост None
Жизнь 80 на 20 Жизнь 80 на 20
последний пост None
ZLONOV ZLONOV
последний пост None
Блог Артема Агеева Блог Артема Агеева
последний пост None
Киберпиздец Киберпиздец
последний пост None
Schneier on Security Schneier on Security
последний пост 1 day, 16 hours назад
Friday Squid Blogging: Squid Washing Up on Cape Cod Beach
Friday Squid Blogging: Squid Washing Up on Cape Cod Beach Friday Squid Blogging: Squid Washing Up on Cape Cod Beach

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Contact Info

1 day, 16 hours назад @ schneier.com
Details of Alan Turing’s Voice Encryption System
Details of Alan Turing’s Voice Encryption System Details of Alan Turing’s Voice Encryption System

Really interesting piece of cryptographic history:In November 2023, a large cache of his wartime papers—nicknamed the “Bayley papers”—was auctioned in London for almost half a million U.S. dollars.

The previously unknown cache contains many sheets in Turing’s own handwriting, telling of his top-secret “Delilah” engineering project from 1943 to 1945.

Delilah was Turing’s portable voice-encryption system, named after the biblical deceiver of men.

There is also material written by Bayley, often in the form of notes he took while Turing was speaking.

It is thanks to Bayley that the papers survived: He kept them until he died in 2020, 66 years after Turing passed away.

2 days, 2 hours назад @ schneier.com
Protecting Privacy in an AI Era
Protecting Privacy in an AI Era Protecting Privacy in an AI Era

Protecting Privacy in an AI EraDaniel Solove argues in the Wall Street Journal (alternate link) that giving people control of their personal data is not an effective way to regulate privacy in this era.

Instead, we need to hold companies accountable for their actions, similar to what we do with food and drug companies.

Measures such as rigorous data minimization, fiduciary duties, liability for negligent or reckless technological design, liability for algorithms that cause harm, and multi-stakeholder review of technologies will be far more effective.

Posted on July 16, 2026 at 10:34 AM • 0 Comments

2 days, 22 hours назад @ schneier.com
A Video Screen That Is Also a Camera
A Video Screen That Is Also a Camera A Video Screen That Is Also a Camera

Amazing:Researchers from ETH Zurich in Switzerland, however, managed to create a new type of pixel that can simultaneously do both.

This hypercharged pixel, called a Fourier pixel, can generate and sense arbitrary light fields and tap into a pixel’s full potential for carrying information by manipulating light’s intensity, oscillation phases, and polarization.

The team reported its findings in a paper published yesterday in Nature.

We are one step closer to 1984 technology:The telescreen received and transmitted simultaneously.

There was of course no way of knowing whether you were being watched at any given moment.

4 days, 2 hours назад @ schneier.com
Upcoming Speaking Engagements
Upcoming Speaking Engagements Upcoming Speaking Engagements

I’m speaking at Boston Leadership Exchange in Boston, Massachusetts, USA, on Wednesday, July 22, 2026.

I’m speaking at Cognitive Security Conference in Las Vegas, Nevada, USA.

The conference runs August 6-7, 2026; my speaking time is TBD.

I’m speaking at DEF CON 34 in Las Vegas, Nevada, USA.

The conference runs September 30–October 1, 2026; the time of my talk is TBD.

4 days, 21 hours назад @ schneier.com
Vulnerability in FIFA’s Network
Vulnerability in FIFA’s Network Vulnerability in FIFA’s Network

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Contact Info

5 days, 2 hours назад @ schneier.com
AI Data Centers and the Concentration of Wealth
AI Data Centers and the Concentration of Wealth AI Data Centers and the Concentration of Wealth

AI Data Centers and the Concentration of WealthThis essay was written with Nathan E. Sanders, and originally appeared in The Guardian.

Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines.

For some, data center opposition may feel like the only tangible mechanism for registering their concern, disapproval, or even anger about AI.

The problem is that this may be exactly what the AI companies are banking on.

And while data center opposition campaigns have been successful in building widespread appeal, their effectiveness in the US is mixed.

6 days, 2 hours назад @ schneier.com
Friday Squid Blogging: “Squidbleed” Vulnerability
Friday Squid Blogging: “Squidbleed” Vulnerability Friday Squid Blogging: “Squidbleed” Vulnerability

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Contact Info

1 week, 1 day назад @ schneier.com
AI Surveillance and Social Progress
AI Surveillance and Social Progress AI Surveillance and Social Progress

These systems will combine powerful AI, public and private surveillance via real-time facial recognition technology and digital tracking, mass databases and highly personalized enforcement.

If deployed at scale, they will have profound chilling effects not just on personal freedoms, but democracy and social progress itself.

AI surveillance is now being experimented with in North America, South America, Europe, Asia and Africa.

While the systems are ostensibly used to maintain security and public safety, the real aim is often social control.

But we believe the most urgent and long-term impact will be its broader chilling effects.

1 week, 2 days назад @ schneier.com
The Language of AI Could Change How Humans Speak
The Language of AI Could Change How Humans Speak The Language of AI Could Change How Humans Speak

Internet risks are nothing new, and cyberattacks—both large and small—have been a significant issue since long before the current crop of generative AI models.

Contrast the L0pht hackers with hackers derided as “script kiddies.” They didn’t understand computers, or security.

Instructing AI models to spy on people and report any malicious prompts to the authorities fails for similar reasons.

We want these AI models to be able to review computer code, find vulnerabilities and automatically fix them.

They are things talked about at that congressional hearing back in 1998, titled “Weak computer security in government: Is the public at risk?” Even the Five Eyes admitted that their security advic…

1 week, 3 days назад @ schneier.com
Cybersecurity and the Gap Between Skill and Ability
Cybersecurity and the Gap Between Skill and Ability Cybersecurity and the Gap Between Skill and Ability

Internet risks are nothing new, and cyberattacks—both large and small—have been a significant issue since long before the current crop of generative AI models.

Contrast the L0pht hackers with hackers derided as “script kiddies.” They didn’t understand computers, or security.

Instructing AI models to spy on people and report any malicious prompts to the authorities fails for similar reasons.

We want these AI models to be able to review computer code, find vulnerabilities and automatically fix them.

They are things talked about at that congressional hearing back in 1998, titled “Weak computer security in government: Is the public at risk?” Even the Five Eyes admitted that their security advic…

1 week, 4 days назад @ schneier.com
Google Is Suing Chinese Scammers Who Are Using Gemini
Google Is Suing Chinese Scammers Who Are Using Gemini Google Is Suing Chinese Scammers Who Are Using Gemini

Not sure this will have any effect, but I support the effort:According to Google’s legal filing, Outsider Enterprise operates through Telegram.

The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own.

In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use Google’s Gemini AI to create websites that imitate those of Google, YouTube, and government agencies such as New York’s E-ZPass.

[…]Google worked with AT&T, Verizon, and T-Mobile to block many of these malicious text messages, and Google notes that its on-device scam detection in Google Messages probably…

1 week, 5 days назад @ schneier.com
France to Stop Certifying Non-Quantum-Safe Encryption
France to Stop Certifying Non-Quantum-Safe Encryption France to Stop Certifying Non-Quantum-Safe Encryption

France is accelerating its transition to post-quantum encryption:France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems.

Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the agency would halt such certifications from 2027, and that businesses should be buying only quantum-safe products by 2030.

ANSSI approval is required for use in French government agencies and critical infrastructure, making the policy a de facto phase-out of older encryption.

1 week, 6 days назад @ schneier.com
Flock Cameras Can Surveil Cars Without License Plates
Flock Cameras Can Surveil Cars Without License Plates Flock Cameras Can Surveil Cars Without License Plates

This is from a 2024 company presentation:Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags.

Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the company’s presentation shows.

The company gives police officers the ability to search that data as well, to “build stronger cases with less information upfront.” That includes being able to locate multiple vehicles law enforcement officials believe are moving together and what Flock calls a “multi geo search.”

2 weeks, 2 days назад @ schneier.com
Cybersecurity Mission Creep in the US
Cybersecurity Mission Creep in the US Cybersecurity Mission Creep in the US

Interesting paper: “Cybersecurity Mission Creep.”Abstract: Cybersecurity is experiencing mission creep.

Positioned as security threats, cybersecuritized issues become endowed with the apparent normative power to override countervailing considerations, oversimplifying the problem.

Cybersecuritization’s oversimplification similarly risks unidimensional solutions and invites use of argumentative trump cards, like First Amendment challenges.

Together, the reductive tendencies of cybersecuritization and the deference it prompts to specialists renders ultimate governance choices more opaque.

If we continue to ignore it, we risk abdicating further responsibility for difficult choices to the trump …

2 weeks, 3 days назад @ schneier.com
Krebs On Security
последний пост 4 days, 17 hours назад
Microsoft Patches a Record 570 Security Flaws
Microsoft Patches a Record 570 Security Flaws Microsoft Patches a Record 570 Security Flaws

Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.

Microsoft also addressed three zero-day flaws that are already being exploited in the wild.

As AI advances the state of vulnerability discovery and remediation, it is also making it easier for attackers to quickly devise working exploits for known software flaws.

Backing up your Windows system and/or data is always a good idea before applying operating system updates.

It’s not uncommon for security patches to introduce system stability issues, and those chances probably increase quite a bit with the gigantic patch count released today.

4 days, 17 hours назад @ krebsonsecurity.com
Lessons Learned from CISA’s Recent GitHub Leak
Lessons Learned from CISA’s Recent GitHub Leak Lessons Learned from CISA’s Recent GitHub Leak

Experts say the gaps identified in the agency’s initial response provide important lessons that all security teams should absorb.

CISA also admitted it can do better when it comes to responding to security incident notifications from external parties.

Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures.

Valadon said the report validates the need to scan continuously — not just quarterly — for exposed secrets.

“Continuous monitoring of public GitHub surfaced it.

5 days, 22 hours назад @ krebsonsecurity.com
Felons, Fraudsters Flog Offensive Cybersecurity Startup
Felons, Fraudsters Flog Offensive Cybersecurity Startup Felons, Fraudsters Flog Offensive Cybersecurity Startup

IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities.

“Our business model is this,” reads a pinned post on top of the IRIS C2 account on X.

The website claims IRIS C2 is in the business of acquiring “zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms.

When approached with questions about IRIS C2, Burkman referred further inquiries to his longtime associate, 28-year-old Jacob Wohl.

In May, the author of the IRIS C2 account on X said that his girlfriend had no idea what he did for a living.

1 week, 4 days назад @ krebsonsecurity.com
FBI Seizes NetNut Proxy Platform, Popa Botnet
FBI Seizes NetNut Proxy Platform, Popa Botnet FBI Seizes NetNut Proxy Platform, Popa Botnet

Benjamin Brundage is founder of the proxy tracking service Synthient, one of the companies that published evidence last month linking the Popa botnet to NetNut and Alarum Technologies.

Brundage said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network that rides on top of it.

“Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” the GTIG report concludes.

What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller.

More than a quarter of the apps made for Samsung’s Tizen o…

2 weeks, 2 days назад @ krebsonsecurity.com
Scattered Spider Hackers Plead Guilty on Day 1 of Trial
Scattered Spider Hackers Plead Guilty on Day 1 of Trial Scattered Spider Hackers Plead Guilty on Day 1 of Trial

The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial.

In April 2026, 24-year-old British national and Scattered Spider member Tyler “Tylerb” Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft for participating in the group’s SMS phishing spree in the summer of 2022.

The government said Buchanan, Jubair and others used the credentials harvested in that phishing campaign to steal at least $8 million in cryptocurrency from victims throughout the United States.

The U.S. Department of Justice says three alleged Scattered Spider defendants indicted alo…

3 weeks, 4 days назад @ krebsonsecurity.com
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

Qurium said that immediately after that disruption, several dozen new domains were registered to serve as controllers for the Popa botnet, but that one of those control domains was not new: ninjatech[.]io.

Jérôme Meyer, a security researcher at Nokia Deepfield, said the total population of devices participating in the Popa botnet may be far higher than Lumen’s estimates.

“Over 90% of our pharmaceutical and food & beverage customers have queried residential proxy indicators.

1 month назад @ krebsonsecurity.com
Who Runs the Ransomware Group ‘The Gentlemen?’
Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’

This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.

According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was pr…

1 month, 1 week назад @ krebsonsecurity.com
A Record-Breaking Patch Tuesday for June 2026
A Record-Breaking Patch Tuesday for June 2026 A Record-Breaking Patch Tuesday for June 2026

Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle.

“Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm,” Narang said.

Microsoft received heavily blowback on social media last month after it said in a blog post that it was considering taking legal action against the security researcher.

While 200 vulnerabilities may be a record for Patch Tuesday, the actual number of security flaws Microsoft addressed this month is far higher, said Rapid7’s Adam Barne…

1 month, 1 week назад @ krebsonsecurity.com
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

On May 31, word began to spread on several Telegram instant message channels that Meta’s AI bot would happily add an email address to an existing account as part of the bot’s standard password reset flow.

Meta has not responded to requests for comment on the video’s claims, but the company reportedly did acknowledge the dormant Instagram account for the Obama White House was briefly compromised.

Meta’s solution was to deploy a conversational AI layer to handle common recovery workflows: relinking a lost email address, triggering a password reset, verifying account ownership.

Just like human customer support employees can be social engineered into providing unauthorized access to someone’s a…

1 month, 2 weeks назад @ krebsonsecurity.com
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

But as KrebsOnSecurity observed in September 2025, those sanctions failed to target Stark’s remaining connection to the Internet — an Internet service provider based in the Netherlands called MIRhosting.

MIRhosting is operated by Andrey Nesterenko, a 39-year-old Russian native who runs the business out of the Netherlands.

And as our September 2025 report showed, WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad.

On top of that, WorkTitans was getting connectivity to the larger Internet solely through MIRhosting, where Zinad had worked previously.

“The transition to the.hosting was not intended to evade sanctions,” Nesterenko wrote.

1 month, 3 weeks назад @ krebsonsecurity.com
Lawmakers Demand Answers as CISA Tries to Contain Data Leak
Lawmakers Demand Answers as CISA Tries to Contain Data Leak Lawmakers Demand Answers as CISA Tries to Contain Data Leak

The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure.

TruffleHog does this by monitoring a live feed that GitHub publishes which includes a record of all commits and changes to public code repositories.

In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, …

1 month, 3 weeks назад @ krebsonsecurity.com
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a.

“Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads.

Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage told KrebsOnSecurity he’s relieved Butler is in custody.

The DOJ said at least one of those services collaborated with Butler’s Kimwolf botnet.

1 month, 4 weeks назад @ krebsonsecurity.com
CISA Admin Leaked AWS GovCloud Keys on Github
CISA Admin Leaked AWS GovCloud Keys on Github CISA Admin Leaked AWS GovCloud Keys on Github

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.

Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems.

“The available Git metadata alone does not prove which endpoint or device was used.”Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level.

CISA has not responded to questions about the p…

2 months назад @ krebsonsecurity.com
Patch Tuesday, May 2026 Edition
Patch Tuesday, May 2026 Edition Patch Tuesday, May 2026 Edition

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code.

May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws.

But at the end of April, Oracle announced it was switching to a monthly update cycle for critical security issues.

Chrome automagically downloads available security updates, but installing them requires fully restarting the browser.

For a more granular look at the Microsoft updates released today, checkout this inventory by the SANS Internet Storm Center.

2 months, 1 week назад @ krebsonsecurity.com
Canvas Breach Disrupts Schools & Colleges Nationwide
Canvas Breach Disrupts Schools & Colleges Nationwide Canvas Breach Disrupts Schools & Colleges Nationwide

The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform.

Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance.

Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers.

2 months, 1 week назад @ krebsonsecurity.com
Graham Cluley Graham Cluley
последний пост 1 day, 14 hours назад
Google’s Gemini lets strangers send messages from your locked Android phone
Google’s Gemini lets strangers send messages from your locked Android phone Google’s Gemini lets strangers send messages from your locked Android phone

Someone gets hold of your locked Android phone and, despite not knowing your security PIN, they can send messages via SMS or WhatsApp pretending to come from you.

It is clear that Google has patched Gemini lock screen issues before, but security researchers keep finding new ways through.

The latest vulnerability is different from the previous similar Gemini-based Android lock screen bypass bugs that have been plaguing the operating system since September 2025.

To do that:Open the Gemini app, tap your profile picture, go to Settings, and select "Gemini on lock screen."

Every new capability Gemini is given at the lock screen is also a new potential attack surface.

1 day, 14 hours назад @ bitdefender.com
Anubis ransomware: what you need to know
Anubis ransomware: what you need to know

The Anubis ransomware-as-a-service (RaaS) operation has hit some healthcare organisations hard - but they are not the only ones at risk. Read more in my article on the Fortra blog.

2 days, 16 hours назад @ fortra.com
Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers
Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers

That is a really, really busy street potentially.

I don't know what the difference is between a tuk-tuk and a rickshaw.

I don't know.

Yeah, it's got to be a Bluetooth transmitter from the battery, and within the battery there's an operating system or something that'll need updating.

It's really, really great.

3 days, 4 hours назад @ grahamcluley.com
The ransomware negotiator who was working for the other side
The ransomware negotiator who was working for the other side The ransomware negotiator who was working for the other side

When a company falls victim to a ransomware attack, it is not uncommon for it to turn to experts for help.

Specialist ransomware negotiation firms handle communications with criminal gangs on a victim's behalf.

41-year-old Martino worked as a ransomware negotiator for DigitalMint, an incident response company based in Chicago.

The ransomware victim, a hospitality company, ultimately paid out nearly US $16.5 million.

The company has since changed the way its negotiators communicate with ransomware gangs, and is working with the Department of Homeland Security to establish a registry for the currently highly-unregulated world of ransomware negotiation.

5 days, 5 hours назад @ bitdefender.com
Invited to a “job interview” with Netflix or OpenAI? Beware! Your Google password could be at risk
Invited to a “job interview” with Netflix or OpenAI? Beware! Your Google password could be at risk Invited to a “job interview” with Netflix or OpenAI? Beware! Your Google password could be at risk

Have you received an email from a recruiter at Adobe, Netflix, or OpenAI offering you an exciting new marketing role?

Security experts have uncovered a phishing campaign which impersonates over 30 well-known brands in fake job interviews designed to steal Google account passwords.

When victims click on "Continue with Google," a pop-up appears that looks like a legitimate Google authentication dialog.

In the past the FBI has warned the public about scammers using fake job ads to steal money and personal information from applicants.

Earlier this year, Hot for Security published a guide explaining how many fake recruiter scams work, and how to avoid them.

1 week, 2 days назад @ bitdefender.com
Smashing Security podcast #475: JadePuffer – the AI that ran a ransomware attack all by itself
Smashing Security podcast #475: JadePuffer – the AI that ran a ransomware attack all by itself Smashing Security podcast #475: JadePuffer – the AI that ran a ransomware attack all by itself

These stories appear different, but they're actually telling the same story.

I'm going to flag, I'm going to flag the point that I made earlier is that operational security isn't always there.

I know how to do this because it's done it for me, but I don't actually know how to apply it logically.

And when the technology you're relying on to protect you, and in some people's case it is protecting their life, and you're not doing it to the best of your ability, that's, that's really, really disappointing.

But I guess for now, all eyes are on Apple and how they're going to respond to this, albeit 13 months later.

1 week, 3 days назад @ grahamcluley.com
Two arrested over credit card phishing – as the Netherlands is named Europe’s worst for payment fraud
Two arrested over credit card phishing – as the Netherlands is named Europe’s worst for payment fraud Two arrested over credit card phishing – as the Netherlands is named Europe’s worst for payment fraud

Two young men have been arrested in the Netherlands on suspicion of running a phishing operation that harvested the credit card details of unsuspecting victims.

According to a police press release, victims were duped into entering their payment card details on bogus phishing websites.

Investigators believe the arrested men, who have not been named, did not just misuse the stolen payment card details themselves, but also passed them on to other fraudsters.

Card payment fraud was found to be the single most common category, with over half a million fraudulent transactions (up more than a quarter on the year before).

In 2024, just 1% of Dutch fraud victims recovered their money, and while arou…

1 week, 5 days назад @ bitdefender.com
The Gentlemen ransomware: what you need to know
The Gentlemen ransomware: what you need to know

Who Are The Gentlemen?

Despite the impeccably polite name, there is nothing polite or refined about this particular gang of cybercriminals. Read more in my article on the Fortra blog.

2 weeks, 2 days назад @ fortra.com
Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack?
Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack? Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack?

And I'm going to be looking at whether you're wise to take a gamble with your security on Polymarket.

Right, well, I want to tell you about a company that's built its entire brand on being really, really good at predicting the future.

They've actually done it really, really well.

So it's The Summer Portraits by— remind me who it's by again, 'cause I'm going to butcher his name.

It's really, really good.

2 weeks, 3 days назад @ grahamcluley.com
Scammers race to cash in on Venezuelan earthquake disaster
Scammers race to cash in on Venezuelan earthquake disaster Scammers race to cash in on Venezuelan earthquake disaster

When a devastating earthquake struck north central Venezuela last week, rescue teams were not the only ones who mobilised fast.

Researchers at threat intelligence firm WhoisXML API say that they uncovered 212 newly-registered domains referencing the earthquake, all of which had been filed within five days of the disaster.

Even years after a natural disaster scammers can still exploit human misery.

And that's because exploitation of a major news event - whether it be a natural disaster of otherwise - can be a successful lure for criminals to deploy when defrauding the unwary out of their savings.

And when a natural disaster creates an urgent need for response, it is all the easier for cyberc…

2 weeks, 4 days назад @ bitdefender.com
USB drives carrying China-linked malware infected Japanese military networks for nearly a year
USB drives carrying China-linked malware infected Japanese military networks for nearly a year USB drives carrying China-linked malware infected Japanese military networks for nearly a year

Leaked internal documents have revealed that for nearly a year Japan's Ground Self-Defense Force (JGSDF) used counterfeit USB flash drives infected with malware on computers connected to sensitive military networks.

The USB drives have been linked to Chinese hacking operations, according to an investigation by Nikkei Asia.

Subsequent investigations found that six out of eight USB drives tested contained the same malicious code.

The infected USB drives had been attached to over 50 computers, with nearly half of those systems used to handle classified data, including information about the movement of troops.

The counterfeit drives, priced 30 to 50 percent below authentic brands, were traced t…

2 weeks, 5 days назад @ bitdefender.com
Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup
Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup

Smashing Security, Episode 473: How a Hacker Could Have Rickrolled the Entire World.

You think, oh, hang on, they're going to ask me for a password or they're going to ask me for something like that.

Yeah, we'll take that money from under your bed and store it in a safety deposit box that you don't know where it is.

We saw a huge number of CVEs last year and with Mythos and the Frontier models, we think that's going to continue to spike.

So the blast radius of these IT service providers is really, really big.

3 weeks, 3 days назад @ grahamcluley.com
Hacker hijacks Brazil’s national alert system, sending “misanthropy” to millions of phones
Hacker hijacks Brazil’s national alert system, sending “misanthropy” to millions of phones Hacker hijacks Brazil’s national alert system, sending “misanthropy” to millions of phones

Somebody had broken into Brazil's national Civil Defence alert system and used it to send fake "Extreme Alert" notifications - the most severe category, normally reserved for warnings of imminent natural disasters - to mobile phones across at least five states, including São Paulo, Rio de Janeiro, and the Federal District.

In a statement posted on social media, Brazil's National Civil Defence confirmed that it had pulled the alert platform offline at 1:30am following the compromise.

National Secretary of Protection and Civil Defence Wolnei Wolff confirmed that the attackers managed to regain access after an initial attempt to block them from accessing the system.

Emergency alert systems wor…

3 weeks, 5 days назад @ bitdefender.com
Apple’s Hide My Email tweak leaves privacy fans fuming
Apple’s Hide My Email tweak leaves privacy fans fuming Apple’s Hide My Email tweak leaves privacy fans fuming

Hide My Email is a privacy feature that lets users create unique, random email addresses that forward messages to your real inbox.

That means you can sign-up for websites, newsletters, and apps without exposing your personal email address.

The problem is, however, that one of the reasons that Hide My Email worked so well was because its aliases were indistinguishable from regular iCloud email addresses.

All any website or app that wants to block anonymous sign-ups now has to do is to reject any email address ending in "@private.icloud.com".

For now, if you already have existing Hide My Email addresses in use, they should continue to work without any changes on your part.

4 weeks, 1 day назад @ bitdefender.com
Imposter scams cost Americans $3.5 billion in 2025 – and it’s getting worse
Imposter scams cost Americans $3.5 billion in 2025 – and it’s getting worse

Someone is pretending to be your bank, your government, or your local planning office. And according to the FTC, they're making billions doing it. Read more in my article on the Fortra blog.

4 weeks, 1 day назад @ fortra.com
Компании 🏢
Блог Касперского Блог Касперского
последний пост 2 days, 2 hours назад
Кража почты через OAuth | Блог Касперского
Кража почты через OAuth | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: 89a6c1c61d71bc406a42bd2d91dc48b6Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-17T15:00:29+03:00Config id: 290Faithfully yours, nginx.

2 days, 2 hours назад @ kaspersky.ru
Промпт-атаки на умного помощника Gemini и ИИ-ассистента Gemini Workspace | Блог Касперского
Промпт-атаки на умного помощника Gemini и ИИ-ассистента Gemini Workspace | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: 9e57da73febcf1364991851b3ffd4607Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-16T15:00:15+03:00Config id: 290Faithfully yours, nginx.

3 days, 2 hours назад @ kaspersky.ru
Ключевые уязвимости Microsoft Patch Tuesday за июль 2026 | Блог Касперского
Ключевые уязвимости Microsoft Patch Tuesday за июль 2026 | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: ad5fb1fb73f446dedef7d1ec45313d70Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-15T17:00:41+03:00Config id: 289Faithfully yours, nginx.

4 days назад @ kaspersky.ru
Meta* включила и тут же отключила функцию генерации ИИ-изображений на основе пользовательского контента в Instagram** | Блог Касперского
Meta* включила и тут же отключила функцию генерации ИИ-изображений на основе пользовательского контента в Instagram** | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: d28ecbce6fae6b24393f114511aa53c1Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-14T15:00:39+03:00Config id: 282Faithfully yours, nginx.

5 days, 2 hours назад @ kaspersky.ru
Борьба с BEC-атаками на базе ИИ | Блог Касперского
Борьба с BEC-атаками на базе ИИ | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: 0f43fc04a64ef8b4198bfe5f08f75233Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-13T17:00:32+03:00Config id: 281Faithfully yours, nginx.

6 days назад @ kaspersky.ru
Что не так с функцией NameTag в умных очках Meta* и почему ее стоит опасаться | Блог Касперского
Что не так с функцией NameTag в умных очках Meta* и почему ее стоит опасаться | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: 36cc4a8142dd177820e529f1c74777d2Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-09T14:00:09+03:00Config id: 281Faithfully yours, nginx.

1 week, 3 days назад @ kaspersky.ru
Целевой фишинг на производственные компании | Блог Касперского
Целевой фишинг на производственные компании | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: 1ce0e45ab895fdb2ea63e5f66838efb9Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-08T18:00:10+03:00Config id: 281Faithfully yours, nginx.

1 week, 3 days назад @ kaspersky.ru
Почему капча скоро исчезнет: как ИИ изменил проверку на человечность | Блог Касперского
Почему капча скоро исчезнет: как ИИ изменил проверку на человечность | Блог Касперского

An error occurred.

Sorry, the page you are looking for is currently unavailable.

Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Request id: 26a02984b49c814d5538d529e6b61e94Server IP: 185.54.220.248Client IP: 23.88.109.5Time: 2026-07-06T15:00:25+03:00Config id: 280Faithfully yours, nginx.

1 week, 6 days назад @ kaspersky.ru
Неотключаемый бэкдор в роботах-газонокосилках Yarbo | Блог Касперского
Неотключаемый бэкдор в роботах-газонокосилках Yarbo | Блог Касперского Неотключаемый бэкдор в роботах-газонокосилках Yarbo | Блог Касперского

Но в совершенно ином масштабе: в режиме газонокосилки данный робот может обслуживать территории до 2,5 гектар (это 250 соток, то есть небольшой садовый кооператив), а в режиме транспортировщика поддерживает угодья площадью до 12,5 гектар.

Вместе с исследователем Андреасом Макрисом они провели эксперимент, в рамках которого исследователь, будучи в Германии, удаленно захватил контроль над газонокосилкой Yarbo и переехал журналиста, лежащего на газоне у себя в США.

Чаще всего в качестве операционной системы в них используется Linux — и роботы Yarbo тут не исключение.

При этом серийные номера устройств имеют предсказуемый формат и используются в инфраструктуре Yarbo в качестве идентификаторов р…

2 weeks, 3 days назад @ kaspersky.ru
Управление рисками агрегаторов LLM и API-прокси для нейросетей
Управление рисками агрегаторов LLM и API-прокси для нейросетей Управление рисками агрегаторов LLM и API-прокси для нейросетей

По мере того как организации начинают использовать нейросети для все более широкого круга задач, они неизбежно сталкиваются с вопросами надежности и стоимости ИИ-инструментов.

Чтобы не отказываться от нужных нейросетей, бизнес часто рассматривает переход на сторонние сервисы, обеспечивающие единое «окно доступа» к различным нейросетям.

Они предлагают услуги на десятки процентов, а иногда и в разы дешевле, чем у официальных поставщиков, обещая заодно обход любых лимитов.

Утечка данных и кража интеллектуальной собственностиИсследование показало, что цель многих таких сервисов — сбор качественных диалогов топовых моделей для обучения нейросетей третьих фирм.

Пять правил безопасной работы с ИИ-…

2 weeks, 3 days назад @ kaspersky.ru
Социальная инженерия: как злоумышленники манипулируют людьми | Блог Касперского
Социальная инженерия: как злоумышленники манипулируют людьми | Блог Касперского Социальная инженерия: как злоумышленники манипулируют людьми | Блог Касперского

Следующий абзац снова вгоняет вас в панику: «К сожалению, при проверке мы обнаружили, что ваши платежные данные могли быть скомпрометированы».

Для разбирательства напишите нам, иначе мы возбудим уголовное дело и разошлем информацию о вас в СМИ» — и далее по списку.

Но если с вами общаются чересчур эмоционально и вы чувствуете, что на вас давят, то вероятность, что вы общаетесь с мошенником, близится к 99,9%.

→ немедленно смените пароль на этом сервисе и на всех других, где использовали такой же.

Если с вашей карты успели снять или перевести деньги, узнайте, как оспорить транзакцию.

2 weeks, 5 days назад @ kaspersky.ru
Как сегодня злоумышленники атакуют компании | Блог Касперского
Как сегодня злоумышленники атакуют компании | Блог Касперского Как сегодня злоумышленники атакуют компании | Блог Касперского

Мы выбрали три кейса, три реальные истории о том, как злоумышленники атакуют сегодня, а главное, почему им удается проворачивать такие атаки.

Если вы не видите этот трафик или не считаете это инцидентом — вы проигрываете еще до начала активной фазы атаки.

Как и в предыдущем кейсе, злоумышленники вошли в корпоративную сеть через скомпрометированную учетную запись.

Почему это произошлоБыли допущены две классические ошибки:Сервер мониторинга был настроен с избыточными привилегиями, с доступом ко всем активам компании: и физическим, и виртуальным.

Попав в инфраструктуру, через Active Directory и групповые политики злоумышленники распространили в корпоративной сети вредоносное ПО с функционально…

2 weeks, 6 days назад @ kaspersky.ru
250 000 мисконфигураций в GitHub Actions | Блог Касперского
250 000 мисконфигураций в GitHub Actions | Блог Касперского 250 000 мисконфигураций в GitHub Actions | Блог Касперского

В частности, опасность может скрываться в GitHub Actions, сценариях автоматизации, позволяющих создавать пайплайны непрерывной интеграции и доставки (CI/CD).

Ошибки и мисконфигурации в них периодически используются злоумышленниками в реальных атаках.

Да, она тоже началась с компрометации мейнтейнера популярного проекта, но распространяемый в ходе этой кампании зловред похищал секреты, именно используя недочет в GitHub Actions.

Как оставаться в безопасностиМисконфигурации в GitHub Actions потенциально могут превратить пайплайны разработки в инструменты злоумышленников, позволяющие скомпрометировать среду разработки или атаковать инфраструктуру компании.

С его помощью наше решение может выявл…

3 weeks, 2 days назад @ kaspersky.ru
Чек-лист для выбора EPP-решения | Блог Касперского
Чек-лист для выбора EPP-решения | Блог Касперского Чек-лист для выбора EPP-решения | Блог Касперского

Однако очевидно, что краеугольным камнем стратегии информационной безопасности остаются решения для защиты конечных точек.

Мы предлагаем при выборе EPP-решения отталкиваться не от возможностей продуктов, а от конкретных нужд вашей компании.

Отметьте пункты, которым должно соответствовать решение для защиты конкретно вашей инфраструктуры, и вам будет гораздо проще определиться с выбором.

Для перехода от EPP к EDR или MDR ключевым условием является единое решение, умеющее одновременно выполнять функции и EPP-, и EDR/MDR-агента, а также единая консоль управления.

В Kaspersky Security для бизнеса реализованы передовые защитные технологии, включая машинное обучение, поведенческий анализ, защиту …

3 weeks, 2 days назад @ kaspersky.ru
Как злоумышленники крадут аккаунты Telegram через PowerShell-скрипты | Блог Касперского
Как злоумышленники крадут аккаунты Telegram через PowerShell-скрипты | Блог Касперского Как злоумышленники крадут аккаунты Telegram через PowerShell-скрипты | Блог Касперского

Как защитить свой аккаунт в TelegramЧто делать, чтобы защитить свой аккаунт в Telegram от подобных схем угона?

Если вы подозреваете, что стали жертвой подобного стилера или других махинаций злоумышленников, как можно скорее завершите все сессии в Telegram: Настройки → Устройства → Активные сессии → Завершить другие сеансы.

Почему так — мы подробно рассказывали в материале Что делать, если взломали аккаунт в Telegram, перечислив в нем все способы восстановления доступа к своей учетной записи.

Во-первых, необходимо установить облачный пароль для Telegram в разделе Настройки → Конфиденциальность → Облачный пароль.

Наш менеджер паролей кроссплатформенный, поэтому войти в Telegram с использовани…

3 weeks, 4 days назад @ kaspersky.ru
Блог Group-IB
последний пост None
Cisco Security Blog Cisco Security Blog
последний пост 3 days, 22 hours назад
We third-party tested our firewall built for AI-scale. The test tools hit their limit first.
We third-party tested our firewall built for AI-scale. The test tools hit their limit first. We third-party tested our firewall built for AI-scale. The test tools hit their limit first.

In independent testing with NetSecOPEN, the Cisco Secure Firewall 6160 delivered AI-scale inspected throughput beyond what the tools built to measure it could register, all while blocking 100% of tested threats.

These results are specific to Cisco Secure Firewall 6160, but the software capabilities behind Cisco Firewall, including advanced threat protection and high-performance inspection, extend across Cisco Firewall form factors in the cloud, virtually, and on-premises, from campus to data center.

Performance passed the previous benchmark by 5XInspection was turned on, and the test tools built to measure throughput hit their limit before the 6160 firewall did.

In previous NetSecOPEN testi…

3 days, 22 hours назад @ blogs.cisco.com
SharpHound Recon Attack – How AI enhanced the threat hunt
SharpHound Recon Attack – How AI enhanced the threat hunt SharpHound Recon Attack – How AI enhanced the threat hunt

We innovated by giving the Agentic SOC access to Endace’s always-on, full packet capture, and asked the agent to assess a potential SharpHound Recon attack that we had seen while threat hunting.

This blog explores how we built the integrations and how AI helped us with our threat hunt and threat assessment.

Agentic AI Massively Speeds our AnalysisAt this point, we decided to use Agentic AI capabilities to investigate and assess this potential threat.

ConclusionThe Agentic SOC, blending Agentic AI built into Endace’s products with custom agentic tools, is a massive boost to productivity and security.

AcknowledgementsOur thanks go to the Cisco SOC team led by @Jessica Oppenheimer and @Ivan Be…

1 week, 4 days назад @ blogs.cisco.com
Machine Speed, Human Judgement: How AI Changed the SOC in 2026
Machine Speed, Human Judgement: How AI Changed the SOC in 2026 Machine Speed, Human Judgement: How AI Changed the SOC in 2026

Having spent time in the Cisco Live Americas 2026 SOC, one thing became abundantly clear:The way SOCs operate today is fundamentally different from even a few years ago.

Instead of spending time gathering information, analysts could spend more time understanding what the information actually meant.

Just as spreadsheets empowered business users decades ago, AI-assisted coding is beginning to empower security analysts today.

At Cisco Live, AI was already present throughout the workflow:Incident summaries generated automatically within XDR.

And based on what I saw at Cisco Live 2026, that future has already arrived.

1 week, 4 days назад @ blogs.cisco.com
Elevating Expertise in the SOC
Elevating Expertise in the SOC Elevating Expertise in the SOC

The new SOC analysts were great at finding evidence, helped with triage and correlation by the AI agents in the SOC architecture.

With the advancements in Cloud Control, our new SOC Analysts can validate their hypothesis.

They had the ability to investigate the incident and find the root cause found in Splunk Security and Endace.

Instant Attack VerificationIn each Incident, the SOC Analysts is given an AI generated Summary stitching all the relevant logs from all the sources that are related to the objects in question.

Check out the blogs by the engineers who worked inside the SOC at Las Vegas:

1 week, 4 days назад @ blogs.cisco.com
Educate at Event Speed: Cisco Live Security Operations Center
Educate at Event Speed: Cisco Live Security Operations Center Educate at Event Speed: Cisco Live Security Operations Center

At Cisco Live AMER 2026 in Las Vegas, my work with the Cisco Event SOC centered on one outcome that makes these deployments valuable beyond the event itself: Education.

The SOC protects the conference, but it also turns live operations into a learning environment through SOC tours, Cisco Live sessions, training inside the SOC, and conversations in the World of Solutions.

Bringing live SOC lessons into the classroomEducation also happened in the sessions I delivered at Cisco Live.

Cisco Live AMER 2026 reinforced that the SOC is one of the best classrooms we have because it teaches through real operations.

For a deeper look at the model behind these deployments, read the Cisco Event SOCs: A R…

1 week, 4 days назад @ blogs.cisco.com
What Working the Cisco Live SOC Taught Me About AI, Detection, and Response
What Working the Cisco Live SOC Taught Me About AI, Detection, and Response What Working the Cisco Live SOC Taught Me About AI, Detection, and Response

Inside the Cisco Live SOCAt Cisco Live AMER, the Security Operations Center (SOC) is more than a demo environment.

For a broader look at how the Cisco Live SOC operates, read this overview.

Another part was spent in the SOC, working real investigations with XDR, Splunk Enterprise Security, firewall events, DNS telemetry, packet data, and AI assistance.

AI can help a product manager become useful faster in a live SOC.

That is the bar I want us to continue building toward as we build Cisco XDR and Splunk Security.

1 week, 4 days назад @ blogs.cisco.com
Cable to Cloud – A Product Engineer’s Journey Through the Cisco Live AMER 2026 SOC
Cable to Cloud – A Product Engineer’s Journey Through the Cisco Live AMER 2026 SOC Cable to Cloud – A Product Engineer’s Journey Through the Cisco Live AMER 2026 SOC

As part of the Cisco XDR (Extended Detection and Response) product engineering group, a few of us got exactly that chance.

Every product had a part to play for a network as traffic-heavy as Cisco Live.

(PS : Flaunting the SOC T-shirts was fun)AcknowledgementsA heartfelt thank you to Cisco and the entire SOC team — you are all amazing.

To the Cisco XDR , Splunk , Secure Access , and Secure Firewall engineering teams.

Check out the other blogs from our team at the Cisco Live Americas 2026 SOC at Las Vegas:

1 week, 4 days назад @ blogs.cisco.com
The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth
The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth

We built an Experience Score model on Cisco and Splunk infrastructure and watched it run against real traffic, at real scale, in real time.

The result was a working model for how leaders measure what customers feel, act before friction surfaces, and tie operational decisions to revenue and trust.

At Cisco Live, the Experience Score model organized that architecture around four questions business and technology leaders can answer together.

The composite Experience Score tells a leader whether the experience is healthy enough to protect the moments the business depends on.

From Cisco Live to LA28Cisco Live was a rehearsal for larger exposure surfaces, where digital experience, revenue, brand …

1 week, 4 days назад @ blogs.cisco.com
AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026
AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026 AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026

And we kept thinking the same engineer thought: this flow is so consistent… could an agentic agent do the first 90%?

It was a great experiment — and a glimpse of a fully self-hosted agentic SOC — but for the event we pivoted to Claude Opus 4.8 running through Claude Code.

The division of labor we landed on: Tier-1 agentic SOC was already handled beautifully by the AI features in our own products — XDR’s Agentic Attack Storyboard and Splunk’s Triage Agent.

What does an agentic SOC actually need?

The MCP servers — an Endace MCP for packet capture/decode and a Splunk MCP for running queries.

1 week, 4 days назад @ blogs.cisco.com
Building the Agentic SOC at Cisco Live Americas 2026
Building the Agentic SOC at Cisco Live Americas 2026 Building the Agentic SOC at Cisco Live Americas 2026

Building on the Cisco Live EMEA SOC, Cisco Live Americas placed the Security Operations Center (SOC) and Network Operations Center (NOC) at the center of the World of Solutions, demonstrating the power of Cisco in bringing Networking, Security and Observability together.

The Cisco Live Americas Agentic SOC architecture shows how a “One Cisco” approach brings different security tools together to eliminate data silos, in close partnership with the NOC.

The SOC at Cisco Live was set up in just two days, thanks to lessons learned and continuous evolution.

For Cisco Live AMER, we treated agentic AI as an auditable review layer across the SOC, not as a replacement for analysts.

Agentic SOC: Incid…

1 week, 4 days назад @ blogs.cisco.com
Ten Years in the SOC at RSAC: What We Learned in 2026
Ten Years in the SOC at RSAC: What We Learned in 2026 Ten Years in the SOC at RSAC: What We Learned in 2026

Cisco Security and Splunk Security released the Findings Report from the Security Operations Center at RSAC 2026 Conference.

This year marked the 10th year of the SOC at RSAC.

Those lessons helped inform the Agentic SOC work that followed at Cisco Live Americas 2026.

The SOC used Cisco AI Defense to gain visibility into generative AI application usage and to help protect on-premises AI models running in the SOC in a Box.

Download the full RSAC 2026 SOC Findings Report to see the architecture, metrics, investigations, lessons learned, and recommendations from the 10th year of the SOC.

2 weeks, 3 days назад @ blogs.cisco.com
Uplevelling Black Hat Threat Hunters
Uplevelling Black Hat Threat Hunters Uplevelling Black Hat Threat Hunters

More telemetry means better visibility – but also more data for threat hunters to sift through.

Then came an important decision: Focus on what matters for detection of threats at Black Hat.

Enriching with Network Context and reducing noiseA file submitted via HTTP doesn’t exist in isolation – it has network context.

It was about:Surfacing high-risk submissions automaticallyProviding network context for faster triageHelping threat hunters dismiss noise fasterThis workflow is far from perfect.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

3 weeks, 5 days назад @ blogs.cisco.com
Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate
Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate

If you’ve ever troubleshot a complex workflow run, you know the drill: click into actions, expand inputs and outputs, scan logs, backtrack, repeat.

We’ve just released Workflow Run Summaries in Cisco XDR Automate: an on-demand, AI-generated summary that explains what happened during a workflow execution, where things went wrong, and why that matters, without forcing you to manually inspect every step.

What the feature doesWith a single click on “Generate Run Summary”, Cisco XDR Automate analyzes a completed workflow run and produces a concise, human-readable explanation of its execution.

Why this matters, especially for Agentic AIAs XDR Automate Workflows are increasingly triggered by Agent…

1 month назад @ blogs.cisco.com
Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength
Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength

It is the hardest attack category in email security — for any vendor, any product, any architecture.

This balance — 98% threat detection alongside zero hard false positives — is what the 94% Total Accuracy Rating reflects.

What Independent Validation Means for Your Security StrategyEvery email security vendor publishes detection rates.

Read the full report for more insight into ETD’s comprehensive email security capabilities.

All performance data sourced from the SE Labs Advanced Security Test Report — Email (Protection), Cisco Secure Email Threat Defense, May 2026 (v1.0).

1 month назад @ blogs.cisco.com
Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia
Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia

Caption: MCP integrations exposed to the local AI workflow for SOC investigation contextAt this stage, the system was already useful.

Caption: OpenClaw using the local Ollama model backend instead of an external model providerThe distinction is important.

I installed DefenseClaw alongside the OpenClaw environment, to add inspection and audit visibility around the agentic AI workflow.

Sending DefenseClaw events into Splunk made the AI workflow feel more operational and less experimental.

At Black Hat Asia, this became a practical way to explore what private AI for SOC workflows could look like.

1 month назад @ blogs.cisco.com
Microsoft Security Microsoft Security
последний пост 1 day, 21 hours назад
Microsoft at Black Hat USA 2026: Defending trust in the age of AI and supply chain attacks
Microsoft at Black Hat USA 2026: Defending trust in the age of AI and supply chain attacks Microsoft at Black Hat USA 2026: Defending trust in the age of AI and supply chain attacks

Follow the research in the Black Hat BriefingsMicrosoft Security researchers will also present peer-reviewed technical research in the Black Hat Briefings.

Visit booth #2144 for research, community, and hands-on defenseThis year we are transforming the Microsoft Security booth into a community center.

Partner presenceAt Black Hat 2026, the Microsoft booth will feature 13 partners from the Microsoft Intelligent Security Association (MISA) who will showcase solutions built with Microsoft Security technology.

Skill up before and after Black HatYou do not need to be in Las Vegas to take part in the broader Microsoft Security Black Hat experience.

The Microsoft Black Hat Skilling Challenge begin…

1 day, 21 hours назад @ microsoft.com
ACR Stealer: Two observed intrusion chains amid increased threat activity
ACR Stealer: Two observed intrusion chains amid increased threat activity ACR Stealer: Two observed intrusion chains amid increased threat activity

From late April 2026 to mid-June 2026, Microsoft Defender Experts observed increased ACR Stealer activity across customer environments.

Security teams should prioritize monitoring for ClickFix lures, suspicious WebDAV activity, obfuscated PowerShell execution, and attempts to access browser credential stores.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

]art Payload hosting siteReferencesLearn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ev…

2 days, 14 hours назад @ microsoft.com
Least privilege for AI agents: Identity, access, and tool binding
Least privilege for AI agents: Identity, access, and tool binding Least privilege for AI agents: Identity, access, and tool binding

When an agent operates without a managed identity and least-privilege role-based access controls (RBAC), it can access or modify sensitive data beyond intended permissions if controls are not properly configured.

Organizations are deploying agentic capabilities (multi-step automation, delegated actions, tool use) faster than their identity and authorization models are evolving to safely constrain them.

The right mental model is to treat every agent as a first-class principal: give it a lifecycle-managed identity, assign explicit roles, scope its permissions tightly, and scope tool usage to a preconfigured tools manifest or configuration.

In the next 30–90 days, inventory your agent identiti…

2 days, 21 hours назад @ microsoft.com
Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery
Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery

On July 14, 2026, Microsoft Threat Intelligence identified a coordinated supply chain compromise of the @asyncapi npm organization, a widely used set of packages for the AsyncAPI specification and code generation.

Ensure that Microsoft Defender Antivirus cloud-delivered protection, Microsoft Defender for Endpoint telemetry, and Microsoft Defender XDR investigation workflows are enabled across developer and CI assets.

Some promptbooks require access to Microsoft Defender XDR, Microsoft Sentinel, or related Microsoft security plugins.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories a…

3 days, 11 hours назад @ microsoft.com
Turning threat intelligence into decisive action with Defender Experts
Turning threat intelligence into decisive action with Defender Experts Turning threat intelligence into decisive action with Defender Experts

Today we’re announcing a new service, Microsoft Defender Experts Threat Intelligence, and we are expanding Microsoft Defender Experts MDR to include new third-party and multi-cloud coverage.

Microsoft Defender Experts Threat Intelligence is a new, expert-delivered service that closes that distance.

Today we’re announcing that Microsoft Defender Threat Intelligence (MDTI) capabilities are now fully converged into the Defender portal.

Defender Experts MDR provides a fully managed detection and response service that reduces noise, adds expert context, and drives action.

Everything available today as Defender Experts for XDR carries forward unchanged as Microsoft Defender Experts MDR Plan 1, wh…

3 days, 21 hours назад @ microsoft.com
Defending SaaS-based applications against ShinyHunters OAuth abuse
Defending SaaS-based applications against ShinyHunters OAuth abuse Defending SaaS-based applications against ShinyHunters OAuth abuse

The resulting quiet persistence and large-scale data access highlight the need for stronger detection, visibility, and governance of OAuth-connected applications and guest user accounts.

New posture and governance capabilities for connected OAuth appsWhile improved detection is critical, recent incidents have also highlighted the need for stronger preventive controls and ongoing governance of OAuth-connected applications.

Complete permission visibility for Salesforce connected apps and external client apps.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Micro…

5 days, 15 hours назад @ microsoft.com
Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID
Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID

Beginning September 1, 2026, Microsoft will begin rolling out passkeys as the default authentication experience in Microsoft Entra ID.

Select a telecom provider in Microsoft Security StoreToday, Microsoft provides the telecom delivery behind SMS and voice authentication natively within Entra ID.

Microsoft Entra ID supports: Synced passkeys, such as passkeys stored in platform credential managers like iCloud Keychain and Google Password Manager.

Device-bound passkeys, such as Microsoft Authenticator passkeys, Entra passkey on Windows, and FIDO2 security keys.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

5 days, 20 hours назад @ microsoft.com
Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative
Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative

That conviction is where the Secure Future Initiative (SFI) started two years ago and continues to guide us today.

And our principles—secure by design, secure by default, secure in operations—are what turn intent into product, like Microsoft 365 Baseline Security Mode.

Evaluate how identity, code, configuration, and network relationships interact in production.

Learn moreTo learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1 week, 1 day назад @ microsoft.com
GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware
GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

In analyzing these backdoor capabilities, we discovered that some backdoor commands contain code from additional malware families.

GigaWiper backdoor command 3 is heavily based on Crucio’s code, leading to the assessment that the same threat actor developed both malware families.

Crucio’s code was the base for GigaWiper command 3, and FlockWiper was recoded in Golang and updated for GigaWiper command 12.

Indicators of compromiseIndicator Type Description 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 SHA-256 GigaWiper backdoor ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 SHA-256 GigaWiper backdoor f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd6…

1 week, 2 days назад @ microsoft.com
Protecting Microsoft at AI speed: How SFI proactively hardens our cloud
Protecting Microsoft at AI speed: How SFI proactively hardens our cloud Protecting Microsoft at AI speed: How SFI proactively hardens our cloud

At Microsoft we encompass these security requirements, along with threat knowledge and operational frameworks in our Secure Future Initiative (SFI), to guide what a well-defended cloud service looks like.

This system is purpose-built to evaluate Microsoft’s own cloud services against our stringent security requirements and make our infrastructure harder to compromise.

Enumerates applicable security controls based on SFI requirements across identity, network, tenant isolation, engineering systems, and detection domains.

Proven results: From theory to practiceWithin a few months, the system has enabled Microsoft security engineering teams to proactively harden our cloud services.

The same AI …

1 week, 3 days назад @ microsoft.com
5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management
5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management 5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management

Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management points to a structural shift: CSPM is no longer a periodic compliance exercise.

Frost & Sullivan’s evaluation framework reflects this transition—placing greater emphasis on integrated, code to cloud risk management capabilities inside broader CNAPP platforms.

The Frost Radar™ for Cloud Security Posture Management visualizes how leading vendors compare across innovation and growth—two key measures of market leadership and future potential.

Learn moreRead the Frost & Sullivan Frost Radar™ for Cloud Security Posture Management (2025) to see how CSPM leaders are evaluated—and what capabilities matter most as vendor selec…

1 week, 5 days назад @ microsoft.com
5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management
5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management 5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management

Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management points to a structural shift: CSPM is no longer a periodic compliance exercise.

Frost & Sullivan’s evaluation framework reflects this transition—placing greater emphasis on integrated, code to cloud risk management capabilities inside broader CNAPP platforms.

The Frost Radar™ for Cloud Security Posture Management visualizes how leading vendors compare across innovation and growth—two key measures of market leadership and future potential.

Learn moreRead the Frost & Sullivan Frost Radar™ for Cloud Security Posture Management (2025) to see how CSPM leaders are evaluated—and what capabilities matter most as vendor selec…

1 week, 5 days назад @ microsoft.com
Improving security posture across the Microsoft partner ecosystem
Improving security posture across the Microsoft partner ecosystem Improving security posture across the Microsoft partner ecosystem

For Microsoft, these partners are Microsoft Cloud Solution Providers (CSPs), and they help customers buy, manage, and optimize cloud services like Microsoft 365 and Microsoft Azure.

This helps us ensure that the Microsoft partner ecosystem remains healthy, compliant, and effective, and ultimately helps drive the best outcomes for our customers.

Partner vetting helps ensure that only legitimate organizations can enter the ecosystem, while CSP security posture improvements help enhance the operating standards of organizations already in the ecosystem.

In short, we have made a set of improvements to the security posture across the CSP ecosystem, both at the Microsoft platform layer and at the …

2 weeks, 2 days назад @ microsoft.com
Improving security posture across the Microsoft partner ecosystem
Improving security posture across the Microsoft partner ecosystem Improving security posture across the Microsoft partner ecosystem

For Microsoft, these partners are Microsoft Cloud Solution Providers (CSPs), and they help customers buy, manage, and optimize cloud services like Microsoft 365 and Microsoft Azure.

This helps us ensure that the Microsoft partner ecosystem remains healthy, compliant, and effective, and ultimately helps drive the best outcomes for our customers.

Partner vetting helps ensure that only legitimate organizations can enter the ecosystem, while CSP security posture improvements help enhance the operating standards of organizations already in the ecosystem.

In short, we have made a set of improvements to the security posture across the CSP ecosystem, both at the Microsoft platform layer and at the …

2 weeks, 2 days назад @ microsoft.com
Microsoft named a leader in the Frost Radar for cloud and application runtime security
Microsoft named a leader in the Frost Radar for cloud and application runtime security Microsoft named a leader in the Frost Radar for cloud and application runtime security

Frost & Sullivan’s 2026 Frost Radar™ for Cloud/Application Runtime Security (CARS) reflects this shift.

Why cloud security is being redefinedThe Frost Radar makes a clear point: cloud security is no longer about visibility or compliance alone.

These are the capabilities that define the next generation of cloud and application runtime security.

Learn moreRead Frost & Sullivan’s 2026 Frost Radar™ for Cloud/Application Runtime Security to see how leading vendors are evaluated—and how the category is shifting toward unified cloud and application runtime risk operations.

Explore Microsoft cloud security solutions to see how unified posture management, risk prioritization, and protection across t…

2 weeks, 3 days назад @ microsoft.com
Google Online Security Blog Google Online Security Blog
последний пост 2 months, 3 weeks назад
AI threats in the wild: The current state of prompt injections on the web
AI threats in the wild: The current state of prompt injections on the web AI threats in the wild: The current state of prompt injections on the web

Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content.

Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic.

(Source: GitHub/swisskyrepo)When searching for prompt injections naively, the majority of detections are benign content – false positives in our case.

Malicious: ExfiltrationWe were able to observe a small number of prompt injections that aim at theft of data.

2 months, 3 weeks назад @ security.googleblog.com
Bringing Rust to the Pixel Baseband
Bringing Rust to the Pixel Baseband Bringing Rust to the Pixel Baseband

Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities.

Following our previous discussion on "Deploying Rust in Existing Firmware Codebases", this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware.

Hook-up Rust to modem firmwareBefore building the Rust DNS library, we defined several Rust unit tests to cover basic arithmetic, dynamic allocations, and FFI to verify the integration of Rust with the existing modem firmware code base.

Pixel modem firmware already has a well-tested and specialized global memory allocation system to…

3 months, 1 week назад @ security.googleblog.com
Protecting Cookies with Device Bound Session Credentials
Protecting Cookies with Device Bound Session Credentials Protecting Cookies with Device Bound Session Credentials

This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.

Session theft typically occurs when a user inadvertently downloads malware onto their device.

Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server.

How DBSC WorksDBSC protects against session theft by cryptographically binding authentication sessions to a specific device.

The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the correspondi…

3 months, 1 week назад @ security.googleblog.com
Google Workspace’s continuous approach to mitigating indirect prompt injections
Google Workspace’s continuous approach to mitigating indirect prompt injections Google Workspace’s continuous approach to mitigating indirect prompt injections

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.

In our previous blog “Mitigating prompt injection attacks with a layered defense strategy”, we reviewed the layered architecture of our IPI defenses.

Synthetic data generationAfter we discover, curate, and catalog new attacks, we use Simula to generate synthetic data expanding these new attacks.

We partition the synthetic data described above into separate training and validation sets to ensure performance is evaluated against held-out examples.

This process leverages the newly generated synthetic attack data described on this blog, to create a robust, end-to-end evalu…

3 months, 2 weeks назад @ security.googleblog.com
VRP 2025 Year in Review
VRP 2025 Year in Review VRP 2025 Year in Review

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

3 months, 2 weeks назад @ security.googleblog.com
Security for the Quantum Era: Implementing Post-Quantum Cryptography in Android
Security for the Quantum Era: Implementing Post-Quantum Cryptography in Android Security for the Quantum Era: Implementing Post-Quantum Cryptography in Android

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

3 months, 3 weeks назад @ security.googleblog.com
Cultivating a robust and efficient quantum-safe HTTPS
Cultivating a robust and efficient quantum-safe HTTPS Cultivating a robust and efficient quantum-safe HTTPS

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

4 months, 3 weeks назад @ security.googleblog.com
Staying One Step Ahead: Strengthening Android’s Lead in Scam Protection
Staying One Step Ahead: Strengthening Android’s Lead in Scam Protection Staying One Step Ahead: Strengthening Android’s Lead in Scam Protection

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

4 months, 3 weeks назад @ security.googleblog.com
Keeping Google Play & Android app ecosystems safe in 2025
Keeping Google Play & Android app ecosystems safe in 2025 Keeping Google Play & Android app ecosystems safe in 2025

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

4 months, 4 weeks назад @ security.googleblog.com
New Android Theft Protection Feature Updates: Smarter, Stronger
New Android Theft Protection Feature Updates: Smarter, Stronger New Android Theft Protection Feature Updates: Smarter, Stronger

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

5 months, 3 weeks назад @ security.googleblog.com
HTTPS certificate industry phasing out less secure domain validation methods
HTTPS certificate industry phasing out less secure domain validation methods HTTPS certificate industry phasing out less secure domain validation methods

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

7 months, 1 week назад @ security.googleblog.com
Further Hardening Android GPUs
Further Hardening Android GPUs Further Hardening Android GPUs

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

7 months, 1 week назад @ security.googleblog.com
Architecting Security for Agentic Capabilities in Chrome
Architecting Security for Agentic Capabilities in Chrome Architecting Security for Agentic Capabilities in Chrome

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

7 months, 1 week назад @ security.googleblog.com
Android expands pilot for in-call scam protection for financial apps
Android expands pilot for in-call scam protection for financial apps Android expands pilot for in-call scam protection for financial apps

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

7 months, 2 weeks назад @ security.googleblog.com
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

8 months назад @ security.googleblog.com