Вредоносный код не могли обнаружить месяцами, потому что хакеры спрятали его у всех на виду.

Рынок теневого хостинга адаптировался к давлению полиции и снова вошёл в фазу активного роста.

Потеря сбережений — лишь верхушка айсберга, ведь под ударом оказывается вся частная жизнь.

Визуально обнаружить ловушку было крайне сложно даже при ручной проверке.

«Запасной канал» или новая монополия?

Ведомство предупредило о рисках использования «серой» измерительной техники в оборонном секторе.

Администрация президента запустила программу по ускоренному набору IT-специалистов.

Вот, что нужно сделать прямо сейчас, чтобы не лишиться доступа к своей инфраструктуре.

С такой инициативой выступил член Общественной палаты Евгений Машаров.

Спецслужбы ждали нападок на критическую инфраструктуру, но цель оказалась куда прозаичнее.

Долгие годы мировой, и в частности российский, рынок практически полностью состоял из продуктов американской корпорации Microsoft.

В первом опросе зрители поделились, на каком этапе замены Microsoft Office находится их организация:Полностью перешли на российские офисные пакеты — 25 %.

Это называется формат Open XML, который был создан компанией Microsoft и в 2008 году передан в опенсорс.

Для крупных компаний, готовых инвестировать в инфраструктуру, доступно ПО в коробочном формате для установки он-премис».

Но главная проблема — не в технологиях, а в целеполагании.

Эксперты поговорили о ключевых принципах и практических шагах, которые позволяют не только предотвратить атаку, но и минимизировать ущерб в случае инцидента.

Порядка 15 % атак на средний и крупный бизнес оказывались диверсиями — компаниям наносился непоправимый урон, возможности выкупа декриптора не предоставлялось.

При переводе средств выяснилось, что в кошельке хранится два биткойна, которые в итоге злоумышленники забрали».

Это единственный способ увидеть, как процессы работают на практике, а не на бумаге».

Есть ли у вас чёткий план: кто и что будет делать, сколько времени займёт восстановление, как найти нужный сервер?

Причём травля, судя по источникам, встречалась и в учебных заведениях, ориентированных на небогатых людей, и в школах, где обучалась высшая аристократия.

С другой стороны, если речь заходит о кибербуллинге, то более активны девочки, причём и в качестве агрессоров, и в качестве жертв.

Были такие прецеденты и в России, в частности, с сочинцем Владимиром Голубовым.

Они находятся в одном ряду с разжиганием ненависти и насилия, вовлечением в пьянство и употреблением наркотиков, сексуальной эксплуатацией, распространением идеологий террористических группировок.

С другой стороны, данная проблема является застарелой, её предпосылки складывались много лет, и с ней на системном уровне практически не …

Как проходит рабочий день специалиста, какие ошибки могут быть критичными для ИБ организации и как справляться с постоянными вызовами — обо всём этом подробнее.

Список задач в основном следующий: разработка и внедрение новых правил и политик безопасности, сложные расследования АРТ-атак и взаимодействие с внешними организациями, регуляторами.

Распределение обязанностей в корпоративном SOC и коммерческом не является строго фиксированным: конкретный набор задач зависит от структуры команды, применяемых платформ и организационных процессов.

Описанная система KPI обеспечивает прозрачность работы SOC, позволяет выявлять узкие места в процессах и поддерживать одинаковый уровень эффективности как в…

Мы побывали на одной из стратегических сессий, проведённых компанией WMT AI в Москве в кластере «Образовательный» МГУ.

Снижение затрат при внедрении ИИ в ПО в разных областях (McKinsey Global Survey, 2025)GenAI и безопасностьПочти все разделяют мнение, что приход GenAI в сферу кибербезопасности неизбежен.

Очевидно, что по мере нарастания ИИ-агентов в бизнес-системах, поддержку этих однотипных задач лучше выделить в отдельный фреймворк для управления ИИ.

Делать это необходимо хотя бы потому, что ИИ постепенно становится основным носителем информации, даже шире, чем интернет или соцсети.

Обсуждение кейсов на реальных примерах позволит грамотно ставить возникающие задачи, активней внедрять ИИ …

Как отметил модератор дискуссии «Как подготовить компанию к разрушительной кибератаке» на SOC Forum 2025 (рис.

Причём это касается не только технического персонала, но и подразделений, которые не имеют никакого отношения к ИТ и ИБ службе.

Впрочем, вопрос о том, платить или не платить вымогателям, однозначного ответа не имеет.

Он предостерёг от попыток скрыть инцидент, в том числе от регуляторов, которые, к слову, также могут помочь.

Традиционным для завершения дискуссии стал вопрос о том, чего стоит ждать и к чему готовиться в будущем.

Теперь аналогичную функциональность для управления PKI-инфраструктурой в Linux-среде с полноценным Autoenrollment (автоматической выдачей) сертификатов предлагает и российская разработка: корпоративный центр сертификации SafeTech CA в связке с доменом ALD Pro.

Windows-серверы мигрируют на Astra Linux, Active Directory заменяется на ALD Pro.

Таким образом, ручное управление сертификатами не только трудоёмко и неэффективно, но и обходится компании слишком дорого — и для бюджета, и для безопасности.

Интерфейс командной строки: предоставляет набор утилит командной строки (getcert) для управления и диагностики.

ВыводыКомплексное решение на базе SafeTech CA и ALD Pro закрывает главный пробел Linu…

Разница не в людях — все мы одинаково открываем почту и кликаем по ссылкам, — а в масштабе катастрофы.

Что такое кибергигиена и почему она критична для госслужащих и компанийКибербезопасность — это когда организация защищает свои системы, данные и процессы от взлома, блокировки и утечек.

Поэтому нарушение правил кибергигиены одним сотрудником может отразиться не только на его ведомстве, но и на смежных структурах, госсервисах и гражданах.

Правило простое: если вы не в офисе и не дома — сначала VPN, потом работа.

Резервная копия, которая не восстанавливается, — это не резервная копия, а иллюзия безопасности.

Управление очередью файлов на поведенческий анализ, настройки приоритета источников и файлов на поведенческий анализ.

Настройка проверки, предварительной фильтрации, файлов в песочницеДобавлен ряд опций, позволяющий гибко настроить порядок проверки в зависимости от выявленных PT Sandbox свойств файлов.

Антивирусные средства проверки в PT Sandbox 5.27Правила в формате YARAДополнились средства проверки и возможность пользовательской загрузки правил в формате YARA.

Системные требования PT Sandbox 5.27Для корректной и стабильной работы PT Sandbox важно учитывать системные требования, которые зависят от планируемой нагрузки, объёма хранилища и уровня производительности.

Вердикты анализа в PT San…

Значимых результатов удаётся добиться тогда, когда обучение ориентировано не на всех сразу, а на конкретные группы риска.

Ошибки компаний в обученииНи одна платформа сама по себе не повышает уровень безопасности, если обучение выстроено формально и не отражает реальной работы сотрудников.

Система менеджмента информационной безопасности (ISO / IEC 27001:2022) также требует, чтобы организации обеспечивали «осведомлённость и обучение персонала по мерам безопасности» и регулярно проверяли эффективность этих программ.

Hoxhunt делает упор на персонализацию и игровой подход: пользователи получают баллы и достижения, а обучение строится «по возрастанию» сложности.

Но вне зависимости от региона обща…

Как подчеркнул модератор дискуссии «От кликбейта до утечки данных: как манипулируют нашим вниманием и безопасностью» (рис.

Но чем новости хуже, тем повышается тревожность, что, в свою очередь, приводит к выбросу кортизола — «гормона стресса».

По этой причине люди воспринимают негативную информацию как ценную и достоверную, что не всегда соответствует реальности.

Эта волна ажиотажного спроса охватила не только Японию, но и другие страны, и Россия не стала исключением.

И в целом, как отметил основатель CURATOR Александр Лямин в интервью Anti-Malware.ru, DDoS-атаки весьма широко применяются в конкурентной борьбе.

Экосистемы кибербезопасности — это следующий эволюционный шаг после набора точечных решений.

Юрий Драченин пояснил, что экосистемы должны отвечать на 3 фундаментальных вопроса кибербезопасности: усложняющийся ИТ-ландшафт у заказчика, стоимость владения, совместимость и надёжность систем.

Речь идёт о снижении нагрузки на инфраструктуру и, что критически важно, об экономии времени и усилий специалистов безопасности.

Этот показатель, как правило, убедительнее любых других и служит веским аргументом как для руководства, принимающего решение, так и для линейных специалистов, которые будут использовать систему.

Именно такие конкретные и понятные примеры, показывающие практическую выгоду от совмес…

Threat Intelligence (TI): основные понятияСуществуют различные трактовки понятия Threat Intelligence (TI) или Cyber Threat Intelligence (CTI).

Как развивается мировой рынок Threat IntelligenceДля оценки объёма мирового рынка Threat Intelligence можно обратиться к исследованию The Business Research Company.

Обзор отечественных платформ и сервисов Threat IntelligenceЗа последние пару лет сегмент решений Threat Intelligence в России значительно вырос, и спрос на подобные продукты продолжает расти.

Kaspersky Threat Intelligence Portal объединил множество сервисов: Kaspersky Threat Lookup, Kaspersky Threat Analysis, Kaspersky Threat Infrastructure Tracking, Kaspersky Threat Data Feeds, Kaspersky…

Пластилин оказался слишком твердым — в итоге подушечка пальца при оттиске продавливается внутрь, и не удается получить ровный слепок.

Проведя аналогию с гибким текстолитом, мы задумались: а можно ли печатать непосредственно отпечатки, а не формы для них?

Как и в случае с гибким текстолитом, мы не видели статей, где для подделки отпечатков пальцев используется эластичный фотополимер.

Как и раньше, мы травили печатные платы, а также гибкий текстолит и печатали как формы, так и отпечатки.

Хоть мы и не вели статистику, по ощущениям обходить сканеры с помощью отпечатков, снятых с поверхности, сложнее.

Мы в Positive Technologies активно исследуем безопасность AI-агентов и подходы offensive AI security.

Статья носит исключительно информационный характер и не является инструкцией или призывом к совершению противоправных деяний.

На 2-м уровне предыдущий простой промпт не прошел: получили ответ, что нельзя просто так взять и переключиться на другого отправителя.

В некоторых работах упоминается, что сгенерированные суффикс-инъекции для одной модели показывают свою работоспособность и на других LLM, но с меньшим процентом успеха.

Перебор одностраничного промпта на Tesla T4 16G занимает около 3 часов, промпт на пол страницы обсчитывается около часа.

Хочется для начала, тем, кто несведущ, немного прояснить - что это за должность такая DevOps.

Это все нужно ему для выполнения своих обязанностей.

Руководство осознало, что нашей команде с С. не по пути и приняло решение расторгнуть трудовые отношения.

У нас до устройства на работу С. было Яндекс облако, и в одном из бакетов хранились архивы всех виртуальных машин.

Да и кто это все будет настраивать - он же может и сделать обратное.

Чуть позже он мог потерять небольшие суммы по кредитным картам, которые могли в определенных пределах потратить на покупки без пин-кода.

Но теперь, если жертва использует блокировку телефона не паролем, а отпечатком пальца, он может лишиться очень многого.

Его счета будут опустошены, на него взято множество мелких кредитов, где не требуют подтверждения лица.

Поэтому при встрече с девушками нужно быть крайне осторожными и выключать телефон до первого глотка напитка.

Всё просто — нельзя быстро переключиться на блокировку паролем с блокировки отпечатком.

После 4 с лишним лет создания автоматизаций, отладки катастроф, которые я сам же и устроил, и написания скриптов, которые каким-то образом выставляют меня кибер-волшебником в глазах друзей, далёких от Python, я отобрал 11 чрезвычайно практичных и редких Python-скриптов, которые сделают ваш ежедневный рабочий процесс гладким, как свежеустановленный дистрибутив Linux.

import subprocess def open_profile(profile_name): subprocess.Popen([ "google-chrome", f"--profile-directory={profile_name}" ]) open_profile("Profile 2")Сценарий использования: Отладка cookies, тестирование логинов, управление аккаунтами.

Автоматическая чистка вашей кодовой базы (Удаление мёртвых импортов и неиспользуемых перемен…

В этой статье мы разберём, как устроен JWT и его подпись, зачем нужны access и refresh-токены, что такое JWKS и в чём отличие OAuth от OpenID Connect.

Он легко передаётся по HTTP: в заголовке Authorization , в Cookie , в URL, в теле POST-запроса.

Cтандартные JWT Claims:iss — кем выдан токен (токен будем выписывать только мы);sub — кому выдан токен;iat — время выдачи токена.

Реализуем функцию загрузки ключа:Реализация loadPrivateKey package main import ( "crypto/rsa" "crypto/x509" "encoding/pem" "errors" "os" ) // Загрузка приватного ключа из файла func loadPrivateKey(path string) (*rsa.PrivateKey, error) { data, err := os.ReadFile(path) if err != nil { return nil, err } block, _ := pem.Deco…

8 миллионов пользователей, Featured-бейджи от Google и Microsoft, полный доступ к ChatGPT, Claude и Gemini — и всё это утекает дата-брокерам.

Данные сжимаются и отправляются на серверы Urban VPN, включая эндпоинты analytics.urban-vpn.com и stats.urban-vpn.com .

Расширение предупреждает вас о том, что не стоит делиться email с ChatGPT, и одновременно выгружает весь ваш диалог дата-брокеру.

Дальше – хужеПосле того как мы задокументировали поведение Urban VPN Proxy, мы проверили, есть ли тот же код где-то ещё.

В этом случае примечателен не только масштаб — 8 миллионов пользователей — и не только чувствительность данных — полные ИИ-переписки.

И я и ИИ распознали её независимо друг от друга.

Ваш типичный диалог с ИИ — это текстовая задача и текстовый результат (готовый код, решение).

Вы загружаете код в ИИ для отладки или рефакторинга.

Рабочая среда с ИИ: для рутинных, типовых задач, работы с публичными библиотеками, изучения документации.

Если ИИ-ассистент требует установки агентов или исполнения кода, делайте это в песочницах (Docker, изолированные контейнеры), ограничивайте права доступа, внимательно мониторьте сетевую активность.

За простой государственных сервисов «Ростелекому» грозят многомиллионные штрафы, инцидент попадает в новости и обсуждается на самом высоком уровне.

«Яндекс»30 марта 2023 года в одном из основных дата-центров «Яндекса» происходит то, что инженеры называют событием «раз в несколько десятилетий».

Давайте внимательнее рассмотрим показательные инциденты, часть из которых упоминали в начале и попробуем разобраться, как они повлияли на отдельных провайдеров и отрасль в целом.

Последовавшее расследование выявило пробел в процессе разработки: сбойный модуль просочился через автоматическую систему валидации, потому что в инструменте проверки содержимого был баг – он не распознал ошибку в конфигурацио…

Разработчики Microsoft сообщают, что декабрьские обновления безопасности вызвали проблемы в работе службы Message Queuing (MSMQ), нарушив функциональность корпоративных приложений и сайтов на IIS.

Служба MSMQ доступна во всех версиях Windows в качестве опционального компонента.

Ошибка затрагивает системы под управлением Windows 10 22H2, Windows Server 2019 и Windows Server 2016, в которых установлены патчи KB5071546, KB5071544 и KB5071543, выпущенные в рамках «вторника обновлений» в декабре 2025 года.

«Проблема вызвана недавними изменениями в модели безопасности MSMQ и правах доступа NTFS для папки C:\Windows\System32\MSMQ\storage.

Пользователям MSMQ теперь нужен доступ на запись в эту дире…

Считается, что CyberVolk — это базирующаяся в Индии пророссийская группировка, которая действует независимо.

VolkLocker написан на Go и работает как на Linux (включая VMware ESXi), так и на Windows.

При этом исследователи отмечают, что в коде есть таймер, который запускает вайпер, уничтожающий папки пользователя (Documents, Downloads, Pictures, Desktop) после истечения срока выплаты или при вводе неправильного ключа в HTML-окне выкупа.

Как уже упоминалось выше, этот ключ записан в исполняемый файл в виде hex-строки и дублируется в текстовом файле в %TEMP%.

Так как CyberVolk по-прежнему активна, в SentinelOne поясняют, что раскрытие информации о проблемах в VolkLocker вряд ли может помешать …

И это будут не советы по защите, а, ско­рее, рекомен­дации по тому, как стать мак­сималь­но неудоб­ным для хакера.

В этой статье мы раз­ложим с десяток граб­лей, на которые неп­ремен­но нас­тупит хакер, — и ста­нем мак­сималь­но неудоб­ными для ата­кующе­го!

Да­вай срав­ним вре­мя ска­ниро­вания топ-1000 TCP-пор­тов с отправ­кой RST-пакетов и с зап­ретом.

Ины­ми сло­вами, эти пор­ты не содер­жат никакой служ­бы и хакеру вид­ны как tcpwrapped или как пор­ты с пус­той вер­сией.

И на помощь нам вновь при­дет база фин­гер­прин­тов от Nmap.

Злоумышленники взломали почтовые серверы ведомства и получили доступ к документам.

В ответ на атаку министерство ужесточило протоколы безопасности и усилило контроль доступа к информационным системам, которыми пользуются сотрудники ведомства.

— Это может быть иностранное вмешательство, это могут быть люди, которые хотят бросить вызов властям и показать, что способны проникнуть в системы, а может быть и обычная киберпреступность.

Следует отметить, что в апреле 2025 года Франция обвинила русскоязычную хак-группу APT28 в масштабной вредоносной кампании, из-за которой за последние четыре года пострадали или были взломаны около десятка французских организаций.

Отмечается, что с 2021 года APT28 р…

Сайты маскируются под Steam и Twitch и выманивают у пользователей учетные данные.

Если присмотреться, можно заметить, что на странице две адресные строки — верхняя настоящая, а нижняя фейковая.

После ввода логина и пароля от учетной записи Steam на такой странице данные передаются хакерам.

Фишинговые сайты маскируются под Twitch и предлагают ввести промокод, а потом авторизоваться через Steam.

Исследователи напоминают, что аккаунты в Steam — лакомый кусок для хакеров.

Хакеры из группировки ShinyHunters вымогают деньги у платформы PornHub, заявляя, что похитили истории просмотров и поисковые запросы премиум-подписчиков.

Представители PornHub сообщили, что утечка произошла после компрометации компании Mixpanel 8 ноября 2025 года.

В отправленном PornHub послании группировка заявила о краже 94 ГБ данных (более 200 млн записей с персональной информацией пользователей).

Среди типов активности есть данные о просмотре или скачивании видео, а также о просмотре конкретных каналов на PornHub.

Теперь, когда подтвердилась связь ShinyHunters с взломом Mixpanel, можно с уверенностью сказать, что группировка стоит за крупнейшими утечками данных 2025 года, которые затрон…

«Начиная с этого релиза, Notepad++ и WinGUp проверяют подпись и сертификат загруженных установщиков в процессе обновления.

Следует отметить, что в начале декабря известный ИБ-специалист Кевин Бомонт (Kevin Beaumont) предупреждал, что ему известно о трех организациях, пострадавших от инцидентов, связанных с Notepad++.

Дело в том, что когда Notepad++ проверяет обновления, он обращается к адресу https://notepad-plus-plus.org/update/getDownloadUrl.php?version=<номер_версии>.

Также специалист напомнил, что злоумышленники нередко используют вредоносную рекламу для распространения зараженных версий Notepad++, которые в итоге устанавливают малварь.

Дело в том, что расследование еще продолжается, и …

Специалисты MITRE опубликовали ежегодный рейтинг 25 самых опасных и распространенных проблем в программном обеспечении, которые стали причиной появления более 39 000 уязвимостей (раскрытых с июня 2024 по июнь 2025 года).

Отчет был подготовлен совместно с HSSEDI и Агентством по кибербезопасности и защите инфраструктуры США (CISA), курирующими программу Common Weakness Enumeration (CWE).

Под уязвимостями в ПО в данном случае подразумеваются самые разные проблемы, баги, уязвимости и ошибки, обнаруженные в коде, архитектуре, имплементациях или дизайне софта.

CWE отличаются от CVE тем, что, по сути, первые являются предшественниками вторых, то есть CWE приводят к появлению непосредственно уязвим…

Справка: сканирование портовСка­ниро­вание пор­тов — стан­дар­тный пер­вый шаг при любой ата­ке.

Он поз­воля­ет ата­кующе­му узнать, какие служ­бы на хос­те при­нима­ют соеди­нение.

На осно­ве этой информа­ции выбира­ется сле­дующий шаг к получе­нию точ­ки вхо­да.

На­ибо­лее извес­тный инс­тру­мент для ска­ниро­вания — это Nmap.

Улуч­шить резуль­таты его работы ты можешь при помощи сле­дующе­го скрип­та:#!/ bin/ bash ports = $( nmap -p- --min-rate = 500 $1 | grep ^[ 0- 9] | cut -d '/ ' -f 1 | tr ' ' ', ' | sed s/, $/ / ) nmap -p $ports -A $1

В Windows обнаружена новая уязвимость нулевого дня в службе Remote Access Connection Manager (RasMan), которую можно использовать для провоцирования отказа в обслуживании и дальнейших атак с повышением привилегий.

Новый баг был обнаружен при анализе другой проблемы — CVE-2025-59230 (уязвимости повышения привилегий в RasMan, которую Microsoft исправила в октябре 2025 года после сообщений об использовании в реальных атаках).

Она затрагивает все версии Windows — от Windows 7 до Windows 11, а также Windows Server от версии 2008 R2 до Server 2025.

Представители Microsoft подтвердили СМИ наличие проблемы и сообщили, что уже работают над исправлением.

При этом в компании подчеркнули, что системы с…

Эту уязвимость совместно выявили собственные специалисты Apple и Google TAG.

Сообщается, что проблемы угрожают следующим устройствам:iPhone 11 и новее;iPad Pro 12,9 дюйма (третье поколение и новее);iPad Pro 11 дюймов (первое поколение и новее);iPad Air (третье поколение и новее);iPad (восьмое поколение и новее);iPad mini (пятое поколение и новее).

Apple исправила обе проблемы в составе iOS 26.2 и iPadOS 26.2; iOS 18.7.3 и iPadOS 18.7.3; macOS Tahoe 26.2; tvOS 26.2; watchOS 26.2; visionOS 26.2 и Safari 26.2.

Это тот же CVE, исправления для которого подготовила Apple, что указывает на скоординированный выпуск патчей и раскрытие информации.

Поскольку обе уязвимости затрагивают WebKit (который …

An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.

"Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2," Amazon said.

"Within 10 minutes of the threat actor gaining initial access, crypto miners were operational."

The infection proceeds to the next stage when the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively.

What makes this campaign stand apart is its use of the …

Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its author to sneak in a cryptocurrency wallet stealer.

The malicious package, named "Tracer.Fody.NLog," remained on the repository for nearly six years.

"It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer," Socket security researcher Kirill Boychenko said.

"Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled…

Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025.

Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure.

Telemetry data has also uncovered what has been described as coordinated attempts aimed at misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.

Although these attempts are assessed to be unsuccessful, they lend weight to the aforementioned hypothesis that the adversary is grab…

Production-focused privacy platforms provide only partial automation because they attempt to infer data flows based on data already stored in production systems.

The scanner identifies privacy risks and sensitive data leaks early in development, before code is merged and before data is ever processed.

Evidence Generation for Privacy ComplianceAutomatically generate evidence-based data maps that show how sensitive data is collected, processed, and shared.

Produce audit-ready Records of Processing Activities (RoPA), Privacy Impact Assessments (PIA), and Data Protection Impact Assessments (DPIA), prefilled with detected data flows and privacy risks identified by the scanner.

They treat differe…

Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public disclosure.

Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025.

"These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices," Arctic Wolf Labs said in a new bulletin.

It's worth noting that while FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly turn it off using the …

The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security.

"It builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks.

A remote access trojan, it contacts the same threat actor-controlled infrastructure to receive commands and execute them on the host.

"Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials, were also observed.

"The campaign shows characteristics of large-scale intelligence operations an…

Google has announced that it's discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web.

To that end, scans for new dark web breaches will be stopped on January 15, 2026, and the feature will cease to exist effective February 16, 2026.

"While the report offered general information, feedback showed that it didn't provide helpful next steps," Google said in a support document.

In July 2024, Google expanded the offering beyond Google One subscribers to include all account holders.

Google is also urging users to strengthen their account privacy and security by creating …

The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome Web Store.

"Users who installed Urban VPN for its stated purpose – VPN functionality – woke up one day with new code silently harvesting their AI conversations."

Due to the nature of the data involved in AI prompts, some sensitive personal information may be processed.

"The protection feature shows occasional warnings about sharing sensitive data with AI companies," Dardikman said.

"The harvesting feature sends that exact sensitive data - and everything else - to Urban VPN's own servers, where it's sold to advertisers.

Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.

As temporary mitigations, FreePBX has recommended that users set "Authorization Type" to "usermanager," set "Override Readonly Settings" to "No," apply the new configuration, and reboot the system to disconnect any rogue sessions.

Users are also displayed a warning on the dashboard, stating "webserver" may offer reduced security compared to "usermanager."

For optimal protection, it's advised to avoid using this authentication type.

It is best practice not to use the authe…

As a result, the cryptographic keys never change and can be used to access files containing valuable data.

As a result, the cryptographic keys never change and can be used to access files containing valuable data.

"Pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups.

"When a victim uses Okta as their identity provider (IdP), the phishing page hijacks the SSO authentication flow to bring the victim to a second-stage phishing page, which acts as a proxy to the organization's legitimate Okta tenant and captures the victim's credentials and session tokens," Datadog said…

Why Browser Extensions Are a SaaS Security NightmareFor SaaS security teams, ShadyPanda's campaign shows us a lot.

It proved that a malicious browser extension can effectively become an intruder with keys to your company's SaaS kingdom.

Steps to Reduce Browser Extension RiskSo based on all of this, what can organizations do to reduce the risk of another ShadyPanda situation?

Below is a practical guide with steps to tighten your defenses against malicious browser extensions.

Treat Extension Access Like OAuth AccessShift your mindset to treat browser extensions similarly to third-party cloud apps in terms of the access they grant.

Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images.

The infection chain begins with a phishing email that masquerades as legitimate financial communications, urging recipients to confirm a recent bank transfer.

The ISO image ("Подтверждение банковского перевода.iso" or "Bank transfer confirmation.iso") serves as an executable that's designed to launch Phantom Stealer by means of an embedded DLL ("CreativeAI.dll").

Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium…

A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research expertsThe second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.

AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold in ESET telemetry.

On the Android platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemet…

“A City of a Thousand Zero Days” is the partial title of a talk at Black Hat Europe 2025.

Compounding the issue, the software is hosted on public-facing IP addresses; thus, it’s accessible from the internet.

One comment I distinctly remember from the research is that the protocol used by the ICS device concerned was never designed to be connected to the internet.

The talk by Gjoko raised a similar concern: the building management system was not designed to be public facing on the internet, and the vendor recommends to secure it behind a virtual private network (VPN).

Building management systems are one example of this.

Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victimsBlack Hat Europe 2025 opened with a presentation by Max Smeets of Virtual Rotes titled ‘Inside the Ransomware Machine’.

At their height, between 2022-2024, the group had 194 affiliates, of which 110 had managed to get a cyberattack to the point of negotiation, with 80 of the affiliates succeeding in getting paid by the ransomware group.

Reputation is everythingA key message delivered by Max was regarding reputation, both of the victim and the ransomware group.

The victim company needs to uphold their reputation with their customers and any hint of a data breach can …

Which brings to mind Schrödinger’s cat, the famous thought experiment where a cat in a sealed box is simultaneously alive and dead – until you look inside.

But now I’m going to pick holes in the analogy a little whilst hoping to underscore the key message.

Therefore, the quantum breach analogy doesn’t quite hold.

And that’s even if you can recruit enough people due to the much reported, cybersecurity skills shortage.

Stress is probably one of the words most used in cybersecurity teams the world over, when describing their day-to-day – and it’s hardly surprising.

Despite their wordy nomenclature, every report mentioned above has a beneficial role in canvassing the colorful endpoint security landscape.

Some, like the MITRE ATT&CK Evaluations, go as far as to pit products against known advanced adversary attacks.

Producing value is one thing, but keeping it safe is another: hence the need for appropriate endpoint security measures.

Most well-regarded independent analyst and lab test reports focus on endpoints, since they’re at the crossroads of every activity, including malign.

MITRE ATT&CK Evaluations Enterprise is the one for you then.

Put simply, a whaling cyberattack is one targeted at a high-profile, senior member of the corporate leadership team.

Or to hijack their email account in order to launch BEC attacks at subordinates impersonating the whale to get a smaller fish to make a big money transfer.

With AI, whaling attacks increase in scale and effectiveness, as sophisticated capabilities become democratized to more threat actors.

Taking out the whalersThere are several ways security teams can help to mitigate the risks of spearphishing and BEC attacks.

More generally, your organization may want to start limiting the kind of corporate information it shares publicly.

Often, threat actors research the individual they’re targeting in order to improve their success rates.

If IT doesn’t properly manage the accounts, credentials and privileges of its users and machines, security blind spots inevitably emerge.

How to enhance identity securityA considered, multi-layered approach to identity security can help mitigate the risk of serious compromise.

Revisit security training for all employees, from the CEO down, to ensure they know the importance of identity security, and can identify the latest phishing tactics.

Best practice identity security starts with a prevention-first mindset.

E02DD79A8CAED662969F 6D5D0792F2CB283116E8 66f3e097e4tnyHR .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

E8F4EA3857EF5FDFEC1A 2063D707609251F207DB main .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

F26CAE9E79871DF3A47F A61A755DC028C18451FC 7295be2b1fAzMZI .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

FF09608790077E1BA52C 03D9390E0805189ADAD7 20d188afdcpfLFq .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

A9747A3F58F8F408FECE FC48DB0A18A1CB6DACAE AppVs .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

It could feasibly be described as the largest open database of corporate information in the world: a veritable treasure trove of job titles, roles, responsibilities and internal relationships.

It’s also where recruiters post job listings, which may overshare technical details that can be leveraged later on in spearphishing attacks.

They might also share corporate email addresses in Git commit configurations.

Here are some hypothetical examples:An adversary finds LinkedIn information on a new starter in an IT role at company A, including their core role and responsibilities.

Update security awareness programs to ensure that all employees, from executives down, understand the importance of no…

Data exposure by top AI companies, the Akira ransomware haul, Operation Endgame against major malware families, and more of this month's cybersecurity newsNovember 2025 is almost behind us, and it's time for ESET Chief Security Evangelist Tony Anscombe to look at cybersecurity stories that raised the alarms, moved the needle or offered vital lessons over the past 30 or so days.

Here's some of what caught Tony's eye this month:many of the world's largest Ai companies inadvertently leak their secrets such as API keys, tokens, and sensitive credentials in their GitHub repositories, according to cloud security giant Wiz,the Akira ransomware group has netted $244 million from its malicious activ…

Doxxing (doxing) is what happens when a malicious third party deliberately exposes the personal information of someone else online.

Or query WHOIS databases that store the personal details of website/domain name registrants.

It would involve sending phishing messages to the victim in order to trick them into divulging logins or personal information, or installing infostealing malware on their machine/device.

Minimizing the doxxing threatThe best way to reduce your children’s exposure to doxxing is to minimize the amount of personal information their share online.

Never share their personal details, or even photos that could identify school and location.

If you’re a social media content creator, it may be time to revisit those account security best practices.

They ideally also want to target influencers who have built long-term trust with their audience, through months or years of providing advice online.

When it comes to the targeting of influencers, attacks begin with the social media account itself – whether it’s X (formerly Twitter), YouTube, TikTok, Instagram or another platform.

Highly targeted phishing attacks designed to trick the individual into handing over their logins.

The bottom line is identity theft-related security risks for followers, trashed reputation for brands and influencers, and potentially direct losses for content c…

So what’s this got to do with cybersecurity – and a solution known as Managed Detection and Response (MDR)?

That’s why Managed Detection and Response (MDR) services are often cited as the predominant way organisations will protect themselves.

Earlier this year, Gartner forecast that up to 50% of all organisations will have adopted MDR by the end of 2025.

IT generalists – and even security managers – wear many hats.

MDR offers the same level of protection – without the overhead – making it accessible to SMEs and large enterprises alike.

Short for “Open Source Intelligence”, OSINT refers to the gathering and analysis of publicly available data to produce actionable insights.

Basically, if you’re trying to make sense of public data, you’re already in OSINT territory.

OSINT Framework and OSINTCombine: these tools organize hundreds of free resources by category (web search, social media platforms, government sites, etc.

Social media tools: platforms like Namechk and Sherlock check whether a username exists across dozens of sites and are, therefore, useful for building digital profiles.

Parting thoughtsKnowing how to use OSINT tools is one thing; knowing how to investigate responsibly is another.

Internally named dns_cheat_v2 by its developers – and codenamed EdgeStepper by us – bioset is PlushDaemon’s adversary-in-the-middle tool, which forwards DNS traffic from machines in a targeted network to a malicious DNS node.

Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address.

Illustration of the final stage of the update hijackingFigure 5 shows the hijacking node serving LittleDaemon.

We observed that IP address from 2021 to 2022 as the source of the malicious update: the hijacking node.

ConclusionWe analyzed the EdgeStepper network implant that enables PlushDaemon’…

What RegTech means in practiceRegTech refers to digital tools that support compliance functions such as monitoring, reporting, and identity checks.

According to the study, these adaptive systems help institutions track shifts in customer behavior and update risk profiles as needed.

These monitoring tools also connect with other RegTech components such as identity verification and reporting, forming an interdependent architecture across AML (anti-money laundering) tasks.

Survey results from one study show strong support among banking staff for RegTech tools that guide risk checks and help prepare required filings.

It cites research showing that RegTech tools support transparency in cross bor…

Zabbix is an open source monitoring platform designed to track the availability, performance, and integrity of IT environments.

Early signs of compromise can surface as performance changes, service failures, or unusual system behavior that monitoring tools detect first.

At its core, Zabbix collects data from many sources and presents it through a single web-based interface.

With proper configuration, Zabbix supports small organizations with limited infrastructure and large enterprises running thousands of monitored assets.

Monitoring built on flexible data collectionZabbix supports both polling and trapping, which gives teams options in how data is gathered.

In this Help Net Security video, Larry Slusser, VP of Strategy at SixMap, explains why endpoint detection and response is only part of the security story.

He explains how attackers map organizations from the outside by identifying domains, IP addresses, services, and software.

Even without a known vulnerability, this information helps attackers move fast when a zero day appears.

Using examples such as Apache servers and past industry outages, he shows how weak perimeter awareness can disrupt business operations.

The video argues that security teams must define what they own, including third and fourth parties, before they can defend it.

AI has moved into enterprise operations faster than many security programs expected.

Data, models, applications, and infrastructure each introduce different failure paths.

Agentic AI introduces governance gapsEnterprises are testing a wide range of agentic AI use cases.

They use controlled pilots to understand where AI adds value and where it adds risk.

This reflects how tightly AI, data, architecture, and security are connected.

StackHawk is adding Business Logic Testing (BLT) to its AppSec offerings.

StackHawk’s BLT automates the detection of critical authorization flaws that account for 34% of security breaches.

Business logic flaws, such as broken object level authorization (BOLA) and broken function level authorization (BFLA), are top application security concerns that Stackhawk’s new BLT solution directly addresses.

“Authorization testing has been notoriously difficult to automate because it requires orchestrating multiple user sessions and understanding complex API relationships,” said Scott Gerlach, CSO of StackHawk.

But now teams can use StackHawk’s BLT solution to automatically run multi-user tests and lev…

Law enforcement agencies from several European countries have arrested twelve persons suspected of being involved in scamming victims across Europe, Eurojust announced today.

“The fraudsters used various scams, such as posing as police officers to withdraw money using their victims’ cards and details, or pretending that their victims’ bank accounts had been hacked,” the EU Agency for Criminal Justice Cooperation explained.

“They convinced their victims to transfer large sums of money from their ‘compromised’ bank accounts to ‘safe’ bank accounts controlled by the network.

Investigations showed that around 100 people from different European countries worked in the call centres,” Eurojust not…

Audio streaming service SoundCloud has suffered a breach and has been repeatedly hit by denial of service attacks, the company confirmed on Monday.

In the days leading up to the confirmation, users accessing SoundCloud through VPNs reported connection failures and error messages.

The DoS attacksSoundCloud is officially blocked in Russia, mainland China, and Turkey, and to access it, users resort to using VPN services.

Its temporary unavailability made users fear that the streaming service had permanently blocked access via VPN.

It’s currently unknown whether the breach and the DoS attacks were perpetrated by the same group.

In this Help Net Security interview, Scott Bachand, CIO/CISO at Ro, discusses how telehealth reshapes the flow of patient data and what that means for security.

Each application, partner, repository and connection point introduces risk, especially when data classification is inconsistent.

The goal is not just compliance, but continual assurance that patient data is secure, no matter where it travels.

Do you think there is a realistic way to standardize security expectations across telehealth vendors, or is fragmentation inevitable?

From a CISO perspective, what are the “must-have” capabilities in a telehealth security stack going into 2026?

Phishing is still a go-to tactic for attackers, which is why even small gains in user training are worth noticing.

AI content helped people spot more attacksThe first study involved 80 participants who received training generated through four prompting methods.

Although no large statistical differences appeared between formats, this direct profile method produced better results after training.

In a few cases the generic groups showed slightly larger improvement, although these differences were not large enough to change the overall result.

It suggests that generic training can work as well as tailored versions for phishing detection.

No account creation is required, and the app begins tracking data usage, privacy, and security as soon as it’s enabled.

You can see how much mobile data or Wi-Fi each app uses by the hour, day, week, or month.

You can also see which apps use Wi-Fi versus mobile data, which helps when managing limited data plans.

Firewall optionFor users who want more control, GlassWire offers firewall functionality on supported devices.

Final thoughtsGlassWire combines network visibility, firewall control, and data usage insights into a single tool.

New report: “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights.” From a summary article:China is already the world’s largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not likely to simply stay there.

By exposing the full scope of China’s AI driven control apparatus, this report presents clear, evidence based insights for policymakers, civil society, the media and technology companies seeking to counter the rise of AI enabled repression and human rights violations, and China’s growing efforts to project that repression beyond its borders.

Examined together, those cases show how new AI capabiliti…

States that have already enacted consumer protections and other AI regulations, like California, and those actively debating them, like Massachusetts, were alarmed.

Then, a draft document leaked outlining the Trump administration’s intent to enforce the state regulatory ban through executive powers.

AI companies and their investors have been aggressively peddling this narrative for years now, and are increasingly backing it with exorbitant lobbying dollars.

The often-heard complaint that it is hard to comply with a patchwork of state regulations rings hollow.

EDITED TO ADD: Trump signed an executive order banning state-level AI regulations hours after this was published.

Upcoming Speaking EngagementsThis is a current list of where and when I am scheduled to speak:I’m speaking and signing books at the Chicago Public Library in Chicago, Illinois, USA, at 6:00 PM CT on February 5, 2026.

I’m speaking at Capricon 44 in Chicago, Illinois, USA.

I’m speaking at the Munich Cybersecurity Conference in Munich, Germany on February 12, 2026.

I’m speaking at Tech Live: Cybersecurity in New York City, USA on March 11, 2026.

I’m speaking at RSAC 2026 in San Francisco, California, USA on March 25, 2026.

I have no context for this video—it’s from Reddit—but one of the commenters adds some context:Hey everyone, squid biologist here!

With so many people carrying around cameras, we’re getting more videos of giant squid at the surface than in previous decades.

We’re also starting to notice a pattern, that around this time of year (peaking in January) we see a bunch of giant squid around Japan.

When we see big (giant or colossal) healthy squid like this, it’s often because a fisher caught something else (either another squid or sometimes an antarctic toothfish).

There are a few colossal squid sightings similar to this from the southern ocean (but fewer people are down there, so fewer cameras, fe…

It makes sense; the engineering expertise that designs and develops AI systems is completely orthogonal to the security expertise that ensures the confidentiality and integrity of data.

We each want this data to include personal data about ourselves, as well as transaction data from our interactions.

The engineering expertise to build AI systems is orthogonal to the security expertise needed to protect personal data.

AI companies optimize for model performance, but data security requires cryptographic verification, access control, and auditable systems.

Fortunately, decoupling personal data stores from AI systems means security can advance independently from performance (https:// ieeexplore…

AIs Exploiting Smart ContractsI have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature.

Here’s some interesting research on training AIs to automatically exploit smart contracts:AI models are increasingly good at cyber tasks, as we’ve written about before.

In a recent MATS and Anthropic Fellows project, our scholars investigated this question by evaluating AI agents’ ability to exploit smart contracts on Smart CONtracts Exploitation benchmark (SCONE-bench)­a new benchmark they built comprising 405 contracts that were actually exploited between 2020 and 2025.

Going beyond retrospective analysis, we evaluated both Sonnet 4.5 and GPT-5 in…

The FBI is warning of AI-assisted fake kidnapping scams:Criminal actors typically will contact their victims through text message claiming they have kidnapped their loved one and demand a ransom be paid for their release.

Oftentimes, the criminal actor will express significant claims of violence towards the loved one if the ransom is not paid immediately.

The criminal actor will then send what appears to be a genuine photo or video of the victim’s loved one, which upon close inspection often reveals inaccuracies when compared to confirmed photos of the loved one.

Examples of these inaccuracies include missing tattoos or scars and inaccurate body proportions.

Criminal actors will sometimes p…

There’s a public health imperative to quickly expand the adoption of autonomous vehicles.

The answer is critical for determining how autonomous vehicles may shape motor vehicle safety and public health, and for developing sound policies to govern their deployment.

In this paper, we calculate the number of miles of driving that would be needed to provide clear statistical evidence of autonomous vehicle safety.

And yet, the possibility remains that it will not be possible to establish with certainty the safety of autonomous vehicles.

One problem, of course, is that we treat death by human driver differently than we do death by autonomous computer driver.

Here’s a fun paper: “The Naibbe cipher: a substitution cipher that encrypts Latin and Italian as Voynich Manuscript-like ciphertext“:Abstract: In this article, I investigate the hypothesis that the Voynich Manuscript (MS 408, Yale University Beinecke Library) is compatible with being a ciphertext by attempting to develop a historically plausible cipher that can replicate the manuscript’s unusual properties.

The resulting cipher­a verbose homophonic substitution cipher I call the Naibbe cipher­can be done entirely by hand with 15th-century materials, and when it encrypts a wide range of Latin and Italian plaintexts, the resulting ciphertexts remain fully decipherable and also reliably reprod…

Friday Squid Blogging: Vampire Squid GenomeThe vampire squid (Vampyroteuthis infernalis) has the largest cephalopod genome ever sequenced: more than 11 billion base pairs.

That’s more than twice as large as the biggest squid genomes.

It’s technically not a squid: “The vampire squid is a fascinating twig tenaciously hanging onto the cephalopod family tree.

It’s neither a squid nor an octopus (nor a vampire), but rather the last, lone remnant of an ancient lineage whose other members have long since vanished.”As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on December 5, 2025 at 5:06 PM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Social media companies made the same sorts of promises 20 years ago: instant communication enabling individual connection at massive scale.

We legitimately fear artificial voices and manufactured reality drowning out real people on the internet: on social media, in chat rooms, everywhere we might try to connect with others.

They could extract the funding needed to mitigate these harms to support public services—strengthening job training programs and public employment, public schools, public health services, even public media and technology.

Millions quickly signed up for a free service where the only source of monetization was the extraction of their attention and personal data.

They were …

Banning VPNsThis is crazy.

Lawmakers in several US states are contemplating banning VPNs, because…think of the children!

As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of “protecting children” in A.B.

It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN.

Posted on December 1, 2025 at 7:59 AM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software.

This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS In…

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

UNBOXINGCensys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites.

Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.

-Generic TV streaming devices advertis…

Sixteen months later, however, Mozilla is still promoting Onerep.

This week, Mozilla announced its partnership with Onerep will officially end next month.

In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025.

Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline.

Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites.

However, some customers did manage to pivot their domains away from Cloudflare during the outage.

“Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage.

But also look hard at the behavior inside your org.”Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:1.

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month.

As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft accoun…

More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.

Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years.

Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.

But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing serv…

The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement.

Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts.

Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options l…

Cloudflare responded by redacting Aisuru domain names from their top websites list.

One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”.

Other Aisuru domains mimicked those belonging to major cloud providers.

Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list.

However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.

The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims.

Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear.

Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus crew in Ukraine.

Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks in court over six- and se…

Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer.

“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said.

Brundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network.

That 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy service.

Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services.

On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.

Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.

Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at…

Regular readers of Hot for Security will have read plenty of articles about cybercriminals who have created malware, or malicious hackers who have used malware to infect the systems of victims.

But the news this week is that a court in Singapore has jailed a man not for launching an attack himself, but instead for teaching others exactly how to do it.

According to Singaporean authorities this is the country's first prosecution specifically targeted against somebody who had taught others how to use malware.

Prosecutors claim that Lee Rong Teng provided Cheoh with several versions of the spyware and asked him to learn how they functioned.

Cheoh’s alleged accomplice, Lee Rong Teng, is thought …

Analyst firm Gartner has issued a blunt warning to organizations: Agentic AI browsers introduce serious new security risks and should be blocked "for the foreseeable future." Read more in my article on the Fortra blog.

Plus, Graham chats with Rob Edmondson from CoreView about why misconfigurations and over-privileged accounts can make Microsoft 365 dangerously vulnerable.

All this, and more, in episode 447 of the “Smashing Security” podcast with Graham Cluley, and special guest Jenny Radcliffe.

Smashing Security listeners get $1000 off!

CoreView – Benchmark your Microsoft 365 tenant security against the Center for Internet Security (CIS) controls.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

A new report from the United States's Financial Crimes Enforcement Network (FinCEN) has shone a revealing light on the state of the criminal industry of ransomware. The report, which examines ransomware incidents from 2022 to 2024, reveals that attackers extorted more than $2.1 billion over the three-year period. Yes, that number is enormous - but it hides a more interesting story beneath it: that after peaking in 2023, ransomware payments actually started to decline. Read more in my article on the Fortra blog.

Remember when a notorious ransomware gang hit the Irish Health Service back in May 2021?

Four years on, and it seems victims who had their data exposed will finally receive compensation.

The attack against the Health Service Executive (HSE) began when the Russia-linked Conti ransomware group tricked a user into downloading a boobytrapped Microsoft Excel file.

The Health Service Executive (HSE) has now made an offer of €750 to victims whose personal data was compromised in what was declared the largest ever cyber attack against a health service computer system in Ireland.

According to media reports, a Cork-based solicitors firm representing more than 100 people affected by the data breach re…

A 22-year-old from Newport Beach, California has pleaded guilty to his role in a sophisticated criminal network that stole approximately US $263 million in cryptocurrency from victims.

Evan Tangeman is the ninth defendant to plead guilty in connection with what prosecutors have described as a highly-organised criminal enterprise, dubbed the "Social Engineering Enterprise" (SE Enterprise).

Some members of SE Enterprise specialised in hacking databases to identify wealthy cryptocurrency investors.

Evan Tangeman admitted to working as a money launderer for the group, helping convert US $3.5 million worth of stolen cryptocurrency into cash.

For all their supposed sophistication, the downfall of…

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow us:Follow the show on Bluesky, or subscribe for free in your favourite podcast app such as Apple Podcasts or Spotify, or visit our website for more information.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Grok, the AI chatbot developed by Elon Musk's xAI, has been found to exhibit more alarming behaviour - this time revealing the home addresses of ordinary people upon request.

And, as if that wasn't enough of a privacy violation, Grok has also been exposed as providing detailed instructions for stalking and surveillance of targeted individuals.

If Grok was not able to identify the exact person, it would often return lists of similarly named individuals with their addresses.

Grok was also not afraid of offering tips for encountering a world-famous pop star, providing tips for waiting near venue exits.

As AI becomes embedded in our daily lives, it is clear that stronger safeguards are not opti…

A new warning about the threat posed by Distributed Denial of Service (DDoS) attacks should make you sit up and listen. Read more in my article on the Fortra blog.

All this and more is discussed in episode 446 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Rik Ferguson.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

The FBI has recently issued a public service announcement that warns that since January 2025 there have been more than 5,100 complaints of account takeover fraud, and total reported losses in excess of US $262 million. Read more in my article on the Fortra blog.

In episode 79 of The AI Fix, Gemini 3 roasts the competition, scares Nvidia, and can’t remember what year it is.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

In a statement published on 27 November, Asahi shared details of a nearly two-month forensic investigation into the security incident.

The company reported that around 1.52 million customers who had previously contacted the company's customer-service centres may have had their personal information accessed during the attack.

Asahi states that it is continuing to reinforce its cybersecurity systems in the wake of the attack, and improve its resilience.

For millions of customers and employees, the consequences may take far longer to resolve than the beer shortages that made headlines.

For the millions of affected individuals, the immediate concern shifts from beer shortages to the potential f…

Мы в «Лаборатории Касперского» изучили, какой путь проходят данные после фишинговой атаки: кому они достаются, как их сортируют, перепродают и используют на теневом рынке.

: реквизиты карт, данные от криптокошельков.

В таких архивах часто попадаются мусорные и устаревшие данные, и поэтому стоят они недорого: стартовая цена — $50.

Данными пользователей торгуют при этом не только в даркнете, но и в старом добром Telegram.

Несложно догадаться, что наиболее дорогой и востребованный товар на этом рынке — данные от банковских аккаунтов и криптокошельков.

Разумеется, сообщать облачный пароль нельзя никому — он нужен исключительно для того, чтобы войти в ваш аккаунт в Telegram.. Сделайте это в разделе Настройки → Конфиденциальность Telegram прямо сейчас.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Telegram и хранить как его, так и ключ доступа для Telegram в Kaspersky Password Manager.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Teleg…

Правоохранительные органы Южной Кореи арестовали четырех подозреваемых во взломе 120 000 IP-камер, установленных как в частных домах, так и в коммерческих помещениях — например, в комнатах караоке, студии пилатеса и гинекологической клинике.

Объясняем, что представляют собой IP-камеры и в чем состоят их уязвимости, а также подробно рассказываем об инциденте в Южной Корее и о том, как не стать жертвой злоумышленников, охотящихся за горячими видео.

Что случилось в Южной КорееВернемся к событиям, произошедшим этой осенью в Южной Корее.

Он взломал 63 000 IP-камер и создал, а затем продал 545 видео сексуального характера за 35 миллионов южнокорейских вон (чуть меньше 24 000 долларов).

Он взломал…

В этом посте попробуем определить, какие активы требуют первоочередного внимания, как их обнаружить и в какой форме проводить реагирование.

Физические и виртуальные серверы остаются бесхозными в крупных инфраструктурах после проектов по миграции или после слияния и поглощения компаний.

Важно также закрепить в политике способы учета создаваемых хранилищ и запрет на «бесхозные» данные, доступные без ограничений, паролей и шифрования.

Для внутренней разработки — обязательное использование сканеров и комплексных систем защиты, интегрированных с конвейером CI/CD и предотвращающих сборку ПО с устаревшими компонентами.

Подключенные к сети, но не управляемые и не обновляемые роутеры, межсетевые экр…

Недавно на новостных сайтах появилась информация о том, что некие злоумышленники распространяют инфостилер через бесплатные файлы 3D-моделей для ПО Blender.

Почему Blender и онлайн-маркетплейсы 3D-моделей могут быть источниками рискаBlender — это программное обеспечение для создания 3D-графики и анимации, которое используется множеством специалистов по визуализации в различных областях.

Среди прочих возможностей Blender есть и поддержка выполнения Python-скриптов, которые используются для автоматизации задач и расширения функциональности ПО.

Чем опасны рабочие инструменты, не контролируемые ИБПроблема не в Blender как таковом — злоумышленники неизбежно попробуют эксплуатировать возможности …

Теперь поделиться можно еще и чатом с ИИ-ассистентом, и ссылка на него будет вести на официальный сайт чат-бота.

При правильном вводе скрипт скачивает вредоносное ПО и использует указанный пароль для установки и запуска зловреда.

Инфостилер и бэкдорЕсли пользователь поддастся на уговоры, на его компьютере запустится распространенный инфостилер AMOS (Atomic macOS Stealer).

Использовать надежную защиту от вредоносного ПО на всех своих смартфонах, планшетах и компьютерах, включая компьютеры под управлением macOS и Linux.

Никогда не выполнять технические инструкции, о которых вы не просили и в которых разбираетесь не до конца.

Что нового в Kaspersky Embedded Systems Security для WindowsНаши эксперты значительно переработали кодовую базу решения, добавив ряд продвинутых механизмов детектирования и блокирования угроз.

Что нового в Kaspersky Embedded Systems Security для LinuxМы значительно доработали и новый KESS для Linux, но большинство нововведений в нем повышают эффективность уже реализованных защитных механизмов.

В нем мы планируем:Обеспечить полную совместимость Kaspersky Embedded Systems Security с сервисом Kaspersky Managed Detection and Response.

Добавить в Kaspersky Embedded Systems Security для Linux технологию защиты от BadUSB, которая уже работает в Windows-версии.

Обеспечить поддержку решением Kaspers…

3 декабря стало известно о скоординированном устранении критической уязвимости CVE-2025-55182 (CVSSv3 — 10), которая содержалась в React server components (RSC), а также во множестве производных проектов и фреймворков: Next.js, React Router RSC preview, Redwood SDK, Waku, RSC-плагинах Vite и Parcel.

Учитывая, что на базе React и Next.js построены десятки миллионов сайтов, включая Airbnb и Netflix, а уязвимые версии компонентов найдены примерно в 39% облачных инфраструктур, масштаб эксплуатации может быть очень серьезным.

Благодаря компонентам RSC, появившимся в React 18 в 2020 году, часть работы по сборке веб-страницы выполняется не в браузере, а на сервере.

Изначально React предназначен дл…

C октября этого года наши технологии фиксируют вредоносные рассылки файлов, в названии которых эксплуатируется тема годовых премий и бонусов.

Еще одной интересной особенностью данной вредоносной кампании является то, что в качестве полезной нагрузки выступает XLL-файл, что достаточно нестандартно.

Атакующие, конечно, меняют иконку, но в некоторых интерфейсах — в первую очередь в «проводнике Windows» — очевидно, что тип файла не соответствует видимому расширению, как показано, например, вот в этом посте.

Тип файла XLL служит для надстроек Microsoft Excel и, по сути, представляет собой DLL-библиотеку, которая запускается непосредственно программой для работы с электронными таблицами.

Часть ко…

Наверняка найдутся и желающие применить на практике новую атаку Whisper Leak.

Исследователи из Microsoft продолжили эту тему и проанализировали параметры поступления ответа от 30 разных ИИ-моделей в ответ на 11,8 тысяч запросов.

Сравнив задержку поступления пакетов от сервера, их размер и общее количество, исследователи смогли очень точно отделить «опасные» запросы от «обычных».

Как защититься от Whisper LeakОсновное бремя защиты от этой атаки лежит на провайдерах ИИ-моделей.

Если вы пользуетесь моделью и серверами, для которых Whisper Leak актуален, можно либо сменить провайдера на менее уязвимого, либо принять дополнительные меры предосторожности.

Как устроена автоматическая машина для тасования карт Deckmate 2Машина для автоматического тасования карт Deckmate 2 была запущена в производство в 2012 году.

В предыдущей модели устройства, Deckmate, внутренней камеры не было и, соответственно, не было возможности подглядеть последовательность карт в колоде.

Как исследователи смогли взломать устройство Deckmate 2Опытные читатели нашего блога уже наверняка заметили несколько уязвимостей в конструкции Deckmate 2, которыми воспользовались исследователи для создания proof-of-concept.

Это позволяло специалистам в реальном времени узнавать порядок карт в тасовке.

Как мафия использовала взломанные Deckmate 2 в реальных покерных играхДва года спус…

Видеорегистраторы, популярные в одних странах и полностью запрещенные в других, обычно воспринимаются как страховка на случай ДТП и спорных ситуаций на дорогах.

По Wi-Fi к устройству может подключаться смартфон водителя, чтобы через мобильное приложение провести настройки, скачать видео на телефон и так далее.

Как выяснилось, многие регистраторы допускают обход аутентификации и к ним можно подключиться с чужого устройства, а затем скачать сохраненные данные.

Просто они заказывают компоненты и ПО у одного и того же разработчика.

Но массовый взлом видеорегистраторов может привести к значительно более агрессивному сбору данных и злоупотреблению ими в преступных и мошеннических схемах.

Рассказываем о том, как она работает и как защититься от злоумышленников.

Что делать, если ваш аккаунт на «Госуслугах» взломалиИзучите, как восстановить доступ к «Госуслугам», на официальном сайте и установите по-настоящему надежный пароль.

Перейдите в Профиль → Уведомления .

Также изучите разделы Профиль → Согласия , Профиль → Разрешения и доверенности , Профиль → Сим-карты — нет ли там чего-то нового и неожиданного?

Мы рекомендуем пользоваться одноразовыми кодами из приложения-аутентификатора, а не из SMS.

В октябре Microsoft завершила поддержку Exchange Server 2019, так что единственным поддерживаемым on-premise-решением в 2026 году остается Exchange Server Subscription Edition (Exchange SE).

Миграция с версий EOLИ Microsoft, и CISA рекомендуют переход на Exchange SE, чтобы своевременно получать обновления безопасности.

Срочные обновленияДля срочных уязвимостей и ошибок рекомендации по временным мерам обычно публикуются в блоге Exchange и на странице Emergency Mitigation.

Самый свежий CIS Benchmark создан для Exchange 2019, но он полностью применим к Exchange SE, поскольку по доступным настройкам текущая версия SE не отличается от Exchange Server 2019 CU15.

Подробные рекомендации по оптималь…

Cisco Identity Intelligence is now the first Cisco product to deliver a customer facing capability powered entirely by a Cisco built artificial intelligence model, Foundation-sec-1.1-8B-Instruct.

Strengthening Identity Security Through Deeper InsightCisco Identity Intelligence helps organizations understand and respond to identity related risk across their entire environment.

A key part of this experience is the weekly email digest that Cisco Identity Intelligence sends to administrators.

Why the Cisco Foundation Model MattersCisco Identity Intelligence selected the Cisco Foundation AI model because it offers clear advantages in quality, control, and long-term strategic alignment.

A Cisco-o…

According to our survey results, 94% of organizations are currently facing segmentation challenges, which range from technical to non-technical issues.

Challenges Inhibiting Segmentation ProjectsUnderstanding the challenges organizations face will ease the transition from partial to comprehensive segmentation implementations, allowing organizations to accelerate their progress through their segmentation journeys.

Currently, what are/ could be the biggest segmentation challenges you are/ could be experiencing at your organization?

Overcoming Segmentation Challenges Enables a Proactive Security StrategySegmentation remains a foundational element of enterprise security.

In the meantime, downlo…

Thanks to Duo, I was quickly given access to all the essential tools: Cisco XDR, Splunk, firewall dashboards, and more from the duo directory.

Detection: Cisco XDR flagged the suspicious behavior, visualizing the connections between one internal asset and several high-risk external hosts.

This raised immediate concerns about potential malware or command-and-control activity (see Cisco XDR investigation below).

In summary, my first SOC experience turned initial nerves into genuine confidence.

Ask a question and stay connected with Cisco Security on social media.

As a reminder, when a Windows client is seeking to talk to a domain controller it will make DNS queries for SRV records for names like _kerberos._tcp.dc._msdcs.DOMAINNAME or _ldap._tcp.dc._msdcs.DOMAINNAME.

These DNS requests enable the client to find nearby Kerberos or LDAP servers for their domain.

Finally, the Cisco Live network is designed to be a safe network for attendees to use.

A properly configured VPN client like Cisco Secure Client can support both a full tunnel VPN and “Start Before Login”.

Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.

Kerberoasting: An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

Cisco XDR: Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Secure Network Analytics: NetFlow analytics to surface scanning, beaconing, and anomalous connection patterns at scale.

Building on the success of the 2nd annual Security Operations Centre (SOC) at Cisco Live Melbourne (Asia Pacific Japan) 2024, the executive team supported the first SOC for Cisco Live San Diego (Americas) and invited the team back for 20025.

The SOC at Cisco Live SOC was successfully deployed in just 12 hours over 1 ½ days, demonstrating extensive prior planning and specialized expertise.

The partnership with Endace, a highly skilled full-packet capture provider, whose experience in the 2025 SOC was critical and extended to their commitment for Cisco Live Melbourne.

For example, Ryan MacLennan created an AI model to find domain generated algorithms at the Cisco Live AMER Security SOC.

Ackno…

Joining the Security Operations Centre (SOC) team in Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME).

As a Tier1 / Tier 2 analyst the first screen to look at is Cisco XDR, that will bring incidents from the different data sources including Splunk Core.

Day 1 at Cisco Live and guess what?

Distributed Deniel of Service (DDoS) activity was detected targeting Cisco TV devices connected to Cisco Live network.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

In the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security, and Splunk SOAR to provide automated detections of cleartext credential leakage.

We resolve this using the coalesce function in Splunk’s eval command.

The coalece function will return the first non-null value from a list of possible values, just like the COALESCE function in SQL.

In our case, we use it like so:However, during Cisco Live we discovered a problem with this logic.

One answer is a Splunk macro.

One area of integration between CSF and Splunk that we worked on at Cisco Live Melbourne involved Enterprise Security Content Update (ESCU) detections in Splunk Enterprise Security (ES).

Splunk ES has around two dozen ESCU detections for Cisco Secure Firewall.

These can be accessed from ES by navigating to Security Content > Content Management and then searching for ‘Secure Firewall’.

All ESCU detections for Secure Firewall reference the same macro, ‘cisco_secure_firewall’.

We transitioned our firewall log export to syslog a few conferences ago, and in Melbourne we decided to test the ESCU detections with syslog.

Sometimes though we see exceptions, in this circumstance an asset connected to the Attendee Wi-Fi network at Cisco Live Melbourne 2025 exhibited a large spike in traffic on multiple occasions.

Upon investigation, the asset was found to be connecting to multiple confirmed malicious external IP addresses.

When the Incident was investigated, we found that the asset was communicating with numerous external IP addresses classified as malicious.

Investigating further, we saw the internal IP address communicating with a number of external IP addresses, all classed as malicious.

Cisco Security Social MediaLinkedInFacebookInstagramX

The Adrenaline of the Real World: Rapid Threat Containment on DisplayThe first thing that strikes you when you walk into the Cisco Live SOC is the energy.

The XDR & Splunk ES Synergy: The key highlight of the visibility demo was the seamless data exchange between XDR and Splunk ES.

Forging the Future: Empowering New and Tier One AnalystsPerhaps the most inspiring aspect of the SOC tours was the focus on people.

The Cisco Live Melbourne 2025 SOC tours weren’t just about the technology of today; they were about sharing our experiences, delivering on the EDUCATE component of our Mission.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

Segmentation introduces critical control points, regulating who and what can access the network environment and its applications.

I consistently approach the segmentation journey with my customers by framing it as a circular cycle.

This cycle starts with visibility, progresses through identity context, policy selection, and policy enforcement, ultimately returning to enhanced visibility.

1: The segmentation cycleVisibilityThe segmentation cycle both starts and ends with robust visibility.

Policy AssignmentPolicy Assignment, often referred to as the Policy Decision Point (PDP) in NIST SP 800-207, represents the “what” in our segmentation cycle.

The survey results also revealed interesting insights into why segmentation remains a foundational concept.

The evolution of segmentation and the development of different segmentation approaches make the concept ideal for implementing a proactive approach to enterprise cybersecurity today.

And now, augmenting macro-segmentation with micro-segmentation implementations allows security teams to split environments into separate networks AND isolate specific workloads based on behavior or identity.

Data split by those who have fully implemented both macro- and micro-segmentation (315), and those who have not fully implemented both (608).

Data split by those who have fully implemented both macro-…

The GovWare Security Operations Centre is a collaborative initiative with Cisco for GovWare Conference and Exhibition 2025 — GovWare 2025 Security Operations CentreFollowing the successful Security Operations Centre (SOC) deployments at RSAC 2025, Black Hat Asia, and Cisco Live San Diego 2025, the Cisco ASEAN executive team approved the inaugural SOC for GovWare.

The SOC was founded on three primary missions:To Protect — Ensure the security of the GovWare 2025 network by defending against all forms of threats and attacks, originating from both internal and external sources.

— Ensure the security of the GovWare 2025 network by defending against all forms of threats and attacks, originating f…

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser.

To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request.

Microsoft Defender Vulnerability Management and Microsoft Defender for CloudMicrosoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs).

In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versi…

Today, we are proud to share that Microsoft has been recognized as an overall leader in the KuppingerCole Leadership Compass for Generative AI Defense.

The post Microsoft named an overall leader in KuppingerCole Leadership Compass for Generative AI Defense appeared first on Microsoft Security Blog.

This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access.

With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

TACTICPiKVM devices—low-cost, hardware-based remote access tools—were utilized as egress channels.

Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access.

With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

TACTICPiKVM devices—low-cost, hardware-based remote access tools—were utilized as egress channels.

Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Our blog “Building human-centric security skills for AI” offers insights and guidance you can apply in your organization.

Find in AI Skills Navigator, our agentic learning space, AI and security training tailored to different roles.

—Jeana Jorgensen, Corporate Vice President, Microsoft LearningFostering a culture that prioritizes securityAs AI impacts everyone’s role, make security awareness and responsible AI practices shared priorities.

From awareness to actionIn the agentic AI era, people continue to be our most valuable resource.

It’s essential to empower them with AI and equip them with the skills they need to use AI responsibly and securely.

Our blog “Building human-centric security skills for AI” offers insights and guidance you can apply in your organization.

Find in AI Skills Navigator, our agentic learning space, AI and security training tailored to different roles.

—Jeana Jorgensen, Corporate Vice President, Microsoft LearningFostering a culture that prioritizes securityAs AI impacts everyone’s role, make security awareness and responsible AI practices shared priorities.

From awareness to actionIn the agentic AI era, people continue to be our most valuable resource.

It’s essential to empower them with AI and equip them with the skills they need to use AI responsibly and securely.

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback.

The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender.

Secure Email Gateway and Integrated Cloud Em…

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback.

The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender.

Secure Email Gateway and Integrated Cloud Em…

The Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently.

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime.

This blog provides a high-level overview of Shai‑Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.

Tactic Observed activity Microsoft Defender coverage Execution S…

The Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently.

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime.

This blog provides a high-level overview of Shai‑Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.

Tactic Observed activity Microsoft Defender coverage Execution S…

In this article, John Lambert, Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft dives into the future of cyber defense.

It’s easy to see why some security professionals out there see the physics of defense as being against them.

It’s also important to work on cyber defense together with organizations that you otherwise view as your competitors.

By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

In this article, John Lambert, Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft dives into the future of cyber defense.

It’s easy to see why some security professionals out there see the physics of defense as being against them.

It’s also important to work on cyber defense together with organizations that you otherwise view as your competitors.

By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Cyber insurance plays a critical role, helping you recover faster while reinforcing trust across your organization and with your partners.

Faster response, seamless reimbursementWe’ve built Microsoft Incident Response with both technical strength and ease of use.

This helps streamline onboarding and supports reimbursements for covered incidents under eligible cyber insurance policies.

Microsoft Incident Response Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.

Learn moreTo learn more about how our teams are working together, and how our collaboration with cyber insurance providers like Beazley can help you strengthen y…

We’re honored to share that Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Email Security.

We believe this recognition highlights the value of Microsoft Defender for Office 365’s innovative capabilities in addressing today’s complex email security challenges.

2025 Gartner® Magic Quadrant™ for Email Security.

Learn moreYou can learn more by reading the full 2025 Gartner® Magic Quadrant™ for Email Security report.

Gartner, Magic Quadrant for Email Security, 1 December 2025, By Max Taggett, Nikul Patel

Use network segmentation on your internal networks and enforce traffic patterns to prevent unexpected or unwanted network traffic.

Implement DNS security extensions, DNS filtering and blocking, monitor and log DNS traffic, and configure DNS servers securely to help minimize these risks.

Using fingerprinting as a primary key in correlating user traffic allows for easy identification of questionable activity.

Learn more with Microsoft SecurityTo learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…

Below we describe our prompt injection mitigation product strategy based on extensive research, development, and deployment of improved security mitigations.

A layered security approachGoogle has taken a layered security approach introducing security measures designed for each stage of the prompt lifecycle.

From there, a key protection against prompt injection and data exfiltration attacks occurs at the URL level.

Users are encouraged to become more familiar with our prompt injection defenses by reading the Help Center article.

Moving forwardOur comprehensive prompt injection security strategy strengthens the overall security framework for Gemini.