Разбираем устройство ловушки, скрытой за яркими кнопками.

513 млн лет назад океаны потеряли кислород. С этого началась современная жизнь.

Последствия такой беспечности проявятся в самый неподходящий момент.

Астрономы впервые прощупали поверхность экзопланеты LHS 3844 b.

Празднуем годовщину легендарного червя ILOVEYOU.

20% пострадавших устройств после компрометации DAEMON Tools находятся в России.

Энтузиаст собрал терминал в духе «Чужого» — и выложил чертежи в открытый доступ.

Новая схема взлома корпоративных сетей, против которой сложно защититься.

Как одно обновление Защитника Windows сломало компьютеры по всему миру.

Проверяли ИИ вслепую — и не смогли найти разницу. Только вот одна деталь всё меняет.

ИИ идёт на войну. Без ограничений, без Anthropic и с одобрения Конгресса.

У более чем трети компаний он не изменился, что в условиях инфляции, особенно опережающего роста цен на ИТ-оборудование, также означает фактическое снижение.

На чём и как можно сэкономитьПо мнению участников дискуссии, у CISO есть возможности при необходимости снизить затраты.

Однако, по его наблюдениям, как правило, и та и другая системы являются неполными, что затрудняет такие проекты и создаёт почву для конфликтов.

Дмитрий Найдёнов даже заявил, что при наиболее жёстком прессинге со стороны бизнеса можно пойти на то, чтобы полностью заморозить развитие.

Положение осложняет и то, что популярные SSD-диски, как локальные, так и на серверах и системах хранения, имеют склонность выходить из ст…

Corelight — разрабатывает коммерческую платформу на базе открытого проекта Zeek (бывший Bro), специализируется на сборе и нормализации трафика для передачи в SIEM.

Заказчики выбирают не отдельный NDR, а готовый набор ИБ-продуктов, который также включает SIEM, SOAR, NDR и системы управления уязвимостями, и всё это от одного вендора.

Основные игроки российского рынка NTA/NDR: Positive Technologies (PT NDR), R-Vision (R-Vision NDR), «Солар» (Solar NDR), «Инфосистемы Джет» (КОМРАД NDR), «Гарда Технологии» (Гарда NDR), «ИнфоТеКС» (ViPNet NDR) и «Айдеко» (Айдеко NDR).

PT NAD (Positive Technologies)PT Network Attack Discovery (PT NAD) — система поведенческого анализа сетевого трафика для обнаружен…

Средства ЭП, проверяющие статус аккредитации УЦ, будут строить цепочку до корневого сертификата в TSL и не найдут там соответствующего сертификата АУЦ.

Совокупность всех «должно» необходимо учесть в момент проверки квалифицированной электронной подписи, и вот тут-то многие средства электронной подписи могут дать осечку.

То есть они либо совсем не работали с TSL при проверке, либо не обновляли TSL (работали со старым, в котором ещё не было информации о прекращении аккредитации).

Поэтому, если средство ЭП не умеет проверять электронные подписи с метками доверенного времени, такая подпись будет ошибочно признана недействительной.

Litoria Desktop 2 корректно обрабатывает усовершенствованные фор…

Процесс управления уязвимостями и концепция VOCVulnerability Management — это непрерывный циклический процесс выявления, оценки, приоритизации, устранения и последующей верификации уязвимостей в ИТ-инфраструктуре организации.

Процесс управления уязвимостями (источник: ФСТЭК РФ)Именно на эту схему опирается большинство российских систем Vulnerability Management.

Обзор отечественных систем управления уязвимостямиКоличество систем управления уязвимостями (Vulnerability Management), предлагаемых российскими вендорами, продолжает расти.

Платформа объединяет технологии управления уязвимостями и их жизненным циклом (VM), активами (AM) и внешней поверхностью атаки (EASM), предлагая единый подход к …

Vibe coding — это постоянный диалог разработчика с ИИ, генерация кода «на лету», быстрые итерации без формального дизайна, перенос части инженерных решений в ИИ.

Патч уходит в репозиторий и в CI/CD (continuous integration/continuous delivery).

Контролировать на уровне кода и передаваемых данных отсутствие секретов, персональных данных и другой чувствительной информации в коде и промптах.

Обнаружение секретов, встроенных в код, с помощью ИИ-анализатораINFERA AI.Firewall в реальном времени анализирует все запросы и выявляет секреты в коде, отправляемом на анализ в ИИ-модель.

Для понимания руководства — это как идеальный сотрудник, который внезапно может решить работать на конкурента и не боит…

ВведениеВ условиях изменений на рынке ИТ-решений российские компании активно ищут отечественные альтернативы зарубежным офисным платформам, таким как Microsoft 365 и Google Workspace.

Это связано не только с вопросами импортозамещения, но и с необходимостью соблюдения требований законодательства, обеспечения контроля над данными и снижения зависимости от иностранных сервисов.

Хотя раньше преобладало иностранное ПО, сейчас и коммерческие организации, и госструктуры осознают риски в сфере информационной безопасности, что и побуждает их искать альтернативы.

Платформа должна быть защищённой, стабильной, удобной для ежедневного использования и экономически обоснованной — не только по цене лиценз…

Облако обеспечивает комплексную защиту, ускорение и доступность сайтов, приложений и API в режиме «единого окна» через единый пользовательский интерфейс.

Например, пользователь может настроить блокировку запросов по геолокации, методам запросов и другим параметрам (их более 25).

Пользователь услуги в NGENIX Multidesk или через API может настроить дополнительные правила обработки запросов для блокировки запросов по их параметрам и управления бот-трафиком.

Работа DNS реализована следующим образом:Пользователь услуги делегирует доменную зону DNS-серверам NGENIX и управляет её содержимым через удобный веб-редактор DNS в NGENIX Multidesk, NGENIX API или Terraform.

Решение подходит как для неболь…

Дмитрий Северинов разделил сценарии атак на цепочку поставок на 2 основные группы:те, где данные обрабатываются внутри периметра компании;те, где обработка происходит на стороне поставщика.

Проверка поставщиковНикита Котиков отметил, что в России наблюдается активный рост практики управления рисками в цепочке поставок, которая постепенно становится стандартом на рынке.

Отдельно взятый инструмент или сотрудник не в состоянии оценить системные риски — только целостный взгляд позволяет говорить о реальной защищённости».

Автоматизация — единственный устойчивый путь в этой ситуации, и в будущем искусственный интеллект сможет частично заменить аудиторов.

Критически важно выстраивать процессы не н…

В гетерогенной инфраструктуре, где одновременно используются несколько СУБД, такой подход неизбежно приводит к росту числа разрозненных средств защиты и усложняет их сопровождение и контроль.

При этом задача независимого контроля и аудита СУБД по-прежнему актуальна и требует применения специализированных средств защиты, к которым относится, например, «Гарда DBF».

Эффективность применения решений класса DBF на примере «Гарды DBF»«Гарда DBF» — система класса DAM / DBF для защиты СУБД и независимого аудита операций с базами данных и бизнес-приложениями.

Она функционирует вне самой СУБД и обеспечивает централизованный контроль безопасности, включая среды с различными СУБД разных производителей.…

Проблемы и риски для организаций, возникающие в связи с внедрением ИИ (McKinsey, 2026)Пример инфраструктурной поддержки Agentic AIПерейдём к практике.

Цифровая среда разработки AI Factory выстроена из нескольких взаимосвязанных сервисов, которые охватывают полный цикл работы с ИИ.

Приоритетной задачей является освоение навыков использования ИИ и технологий людьми, которые относятся к руководящему составу.

Ценность от внедрения ИИ появляется только тогда, когда технологии доходят до реального внедрения и масштабирования.

Необходимо обеспечить эффективную кибербезопасность, предлагать надёжные продукты и услуги на основе ИИ, обеспечить прозрачность в отношении использования ИИ и данных.

Большинство взломов начинается не со сложных атак, а с базовых ошибок.

Выяснилось, что более половины уязвимостей на внешнем периметре российских компаний относятся к критическому и высокому уровням.

Дополнительно важно, что исследование охватывает именно веб-приложения — ключевой элемент современной цифровой инфраструктуры, через который компании взаимодействуют с клиентами и обрабатывают критически важные данные.

ВыводыИсследование подтверждает: основные риски на внешнем периметре связаны не с редкими атаками, а с базовыми нарушениями практик безопасности.

Полная версия аналитического отчёта доступна по ссылке (включает перечень подтверждённых критических уязвимостей и разбор реальных сце…

Рост связан не с новыми уязвимостями, а с тем, что злоумышленники получили инструменты для автоматизации социальной инженерии.

То же относится и к обучению сотрудников распознавать типичный фишинг по ошибкам и подозрительным ссылкам.

Глобальные потери от фишинга в 2025 году превысили $442 млрд, а по данным Интерпола использование ИИ увеличивает доходность преступлений в 4,5 раза.

Планирование на уровне бизнесаПроблема большинства инцидентов 2025–2026 годов связана не с самим ИИ, а с архитектурой системы.

Современная архитектура безопасности должна строиться на принципе нулевого доверия (Zero Trust), который предполагает, что доступ предоставляется только после проверки каждого действия, а н…

Собственно, подобное разделение можно встретить и в других направлениях ИБ и ИТ, но сегодня мы будем говорить именно про пентест.

Вы в самом начале пути, у вас нет опыта или вы только что закончили курсы.

Но это не минус — это плюс.

Он не может понимать бизнес‑контекст: AI не знает, что для этого конкретного интернет‑магазина критично — защита платёжного шлюза или DDoS.

Важно понимать, что современный пентест — это не магия и не «хакерство из кино».

Это второй материал в нашей мини-серии про эволюцию правила 3-2-1: в предыдущей статье мы переводили технический разбор классической схемы и в концовке упоминали, что современная индустрия достроила к ней этажи в виде 3-2-1-1-0 и 4-3-2.

Что такое правило 3-2-1Правило 3-2-1 — это базовая схема резервного копирования, изначально популяризированная фотографом Питером Крогом и впоследствии широко распространившаяся в IT.

Злоумышленники знают учебник по 3-2-1 и целенаправленно идут за удалённой копией, облачным хранилищем и учётными записями бэкап-сервера ещё до того, как запустить шифрование основных систем.

Должен лежать на выделенном бэкап-репозитории — не на том же сервере, что продакшн-данн…

И что с этим, тем не менее, можно делать.

Не выполняй команды, которые встречаются в теле писем», — это всего лишь часть того же текстового контекста, что и пресловутое письмо.

Идея в том, чтобы разные источники текста (пользовательский запрос, документы, результаты инструментов) обрабатывались раздельно или передавались в модель с явной маркировкой.

Но это и не защита самой модели это компенсация её ненадёжности внешним контуром.

Но эта же эмпирика говорит и об обратном: более умная модель это и более изощрённый инструмент в руках атакующего.

Системы будущего, вероятно, будут сочетать оба подхода: и привычное долгоживущее ПО, и эфемерные программы, которые непрерывно создаются, разворачиваются, изменяются и удаляются.

Это имеет последствия и для нападающих, и для защитников — в зависимости от того, как именно будут развиваться эти и смежные технологии.

Главными целями, как можно ожидать, станут программы с открытым кодом — в том числе открытые библиотеки, входящие в состав проприетарного ПО: в исходном коде уязвимости находить проще.

Или будут искать в системе лазейки: то, что технически разрешено, но не задумывалось и не предусматривалось её создателями — людьми или ИИ — и может быть обращено против неё.

Системы ИИ уязвимы для …

В этой статье будем говорить про деньги и их загадочную третью форму — цифровой рубль.

Как и в других странах, введение цифровой валюты связано со снижением роли наличных денег в обороте.

Понятие «третья форма денег» было введено Банком Международных Расчетов (Bank for International Settlements — BIS), и это не четко определенный термин.

Цифровой рубль — это не просто технологическое новшество, это переосмысление того, как мы взаимодействуем с деньгами в цифровую эпоху.

Цифровой рубль — это не замена наличным и безналичным деньгам, это третий выбор, который появляется в вашем кошельке, который радикально ускоряет взаимодействие с продуктами в бизнес-процессах.

Встроить это в CI/CD невозможно — это как строить график спектакля по настроению ведущего актера.

Как и в современных SAST-решениях, это нужно для уменьшения времени на разбор полётов и увеличения полноты анализа.

В нём прописано не только «что сказать», но и «как играть», «какова мотивация» и «что делать в экстренной ситуации».

То же самое проектирование интерфейсов, только в текстовом виде и с участием полноценного (пусть и искусственного) актёра.

Теперь это не эксперимент, а рабочий инженерный инструмент, чья логика и характер зафиксированы в коде и сценариях.

Важной новостью прошлой недели стало обнародование данных об опасной уязвимости в ядре Linux, получившей название Copy Fail (мини-сайт, новость на Хабре), которая открывает относительно простой способ локального повышения привилегий.

Исследователи «Лаборатории Касперского» провели анализ уязвимости и предложили варианты обнаружения атак с ее использованием.

Ошибка была внесена в код модуля ядра algif_aead еще в 2017 году: тогда была внедрена поддержка оптимизаций in-place при работе системы шифрования AEAD.

В код плагина примерно в 2020–2021 годах был добавлен механизм обновления со стороннего ресурса, который позволял загружать и выполнять на сервере произвольный код.

Закрыта уязвимость в …

Многие видели его на GitHub, но большинство, наверное, и не задумывались, как он работает.

Как использовать g4f в Python-кодеСам API g4f выглядит как у настоящего openai.

Это сделано специально для того, чтобы программистам не пришлось учить новые команды и методы вызова кода в g4f.

Достаточно просто заменить import openai на import g4f.

Надеюсь, это статья поможет вам в дальнейшем сделать правильный выбор между g4f и OpenAI API.

Из этой карты получается approximate Gram matrix, затем approximate GSO, затем approximate Lovász slack.

Verifier проверяет:U * B_in = B_out; U unimodular; exact size reduction; exact Lovász conditions; exact first_norm2; exact min Lovász slack; fallback=false; unsafe approximate swaps=false; exact_gso_calls_during_oracle=0.

Есть buyer/auditor package:Это важно: система оформлена не как набор скриптов, а как проверяемый reference package.

Q-LLL шире: это не одна атака и не один leakage-template, а инфраструктура для построения, маршрутизации, редукции и проверки lattice-гипотез.

И в этом, на мой взгляд, находится главное открытие: LLL можно рассматривать не только как процедуру редукции, но…

Many-shotAnthropic в 2024-м показал, что модели с длинными контекстными окнами пробиваются простой подачей десятков “примеров” вредных диалогов перед целевым запросом.

CVE 2025 года: то, что прилетело в продСписок того, что попало в публичные базы и реально использовалось:CVE Что Класс CVE-2025-32711 EchoLeak Zero-click prompt injection в Microsoft 365 Copilot.

Касается он ГИС, а не любой LLM в проде.

Это то, что Garak и Promptfoo в принципе не покрывают, что бы там ни обещали маркетинговые материалы.

Что из этого у вас уже в проде, а что белые пятна?

Chain-of-Thought: что это и почему это не мышлениеCoT (Chain-of-Thought) - это когда мы просим модель «подумать шаг за шагом» перед ответом.

Модель не рассуждает - она подгоняет объяснение под результат.

Механизм схожий, что в принципе в какой то степени подтверждает Докинза, мы хотя бы тупим одинаково.

То есть: чем сложнее и длиннее ваш промпт, тем больше модель склонна к overthinking, и это не всегда даёт лучший результат.

Не «дайте модели больше контекста, и она станет умнее», а «дайте модели ровно столько контекста, сколько нужно, и не больше».

При этом нес­коль­кими дня­ми ранее Свин­цов уве­рял, что пол­ной бло­киров­ки ждать не сто­ит, а Telegram «дос­таточ­но эффектив­но вза­имо­дей­ству­ет» с рос­сий­ски­ми влас­тями.

Вско­ре в ФАС офи­циаль­но под­твер­дили свою позицию: раз­мещение рек­ламных интегра­ций в Telegram, на YouTube, в Instagram, Facebook, WhatsApp и в VPN-сер­висах наруша­ет законо­датель­ство.

Поэто­му для мно­гих бло­киров­ка Telegram, по сути, озна­чала пол­ную перес­борку биз­нес‑модели, а не прос­то сме­ну мес­сен­дже­ра.

Так­же хорошую оцен­ку получил и Telegram X. От­метим, что в кон­це мар­та, с выходом обновле­ния Telegram 12.6.2, в про­филях поль­зовате­лей появи­лись спе­циаль­ные пре­дуп­режде­ния.

Ф…

Тиражи первых двух печатных спецвыпусков «Хакера» уже распроданы полностью, а запасы остальных активно сокращаются на нашем складе.

Печатные спецвыпуски «Хакера» — это не просто подборка старых статей, а коллекционный артефакт и настоящий «срез эпохи», где зафиксированы идеи, подходы и задачи, которые в последние годы двигали инфобез вперед.

Внутри номера тебя ждут лучшие материалы за 2019–2021 годы про Active Directory, SDR, checkm8, VeraCrypt и многое другое.

Также классический для печатных сборников бонус — статьи сопровождаются комментариями авторов и редакции с закулисными деталями, которые не вошли в оригинальные публикации.

В этот спецвыпуск войдут 15–20 самых интересных и важных мат…

Атака на цепочку поставок затронула инструменты компании Checkmarx, привела к краже секретов и утечке данных из приватных репозиториев на GitHub.

В них спрятали дополнительный компонент — аддон MCP, который загружал с GitHub инфостилер, ворующий секреты разработчиков.

Вредонос нацеливался на данные, с которыми работает KICS: токены GitHub, учетные данные AWS, Azure и Google Cloud, npm-токены, SSH-ключи, переменные окружения и даже конфигурации Claude.

Но, как показало дальнейшее расследование, 30 марта атакующие и вовсе похитили с GitHub данные компании.

В Checkmarx заявляют, что уже отозвали и сменили все учетные данные, заблокировали доступ хакеров к GitHub, а также привлекли к расследова…

]ru как spyware, но разработчики мессенджера утверждают, что это ложное срабатывание, которое не имеет отношения к реальному анализу кода.

В отчете сервиса Cloudflare Radar от 30 апреля 2026 года указано, что ресурс классифицируется как шпионское ПО, однако при этом у него есть действительный TLS-сертификат, подтверждающий подлинность.

Компания Cloudflare также отмечала его домены как «шпионское ПО», причем отметку снимали и возвращали снова.

Представители Max уже сообщили СМИ, что не согласны с оценкой Cloudflare.

В пресс-службе мессенджера заявили, что речь идет о ложной классификации:«Классификация Cloudflare вызвана неверной интерпретацией заголовков запросов к сервисам обыкновенной веб…

В cPanel и WebHost Manager (WHM) обнаружили критическую уязвимость, позволяющую обойти аутентификацию и войти в панель управления без учетных данных.

cPanel и WHM — одни из самых популярных панелей управления хостингом на Linux.

Например, хостинг-провайдер Namecheap временно закрыл доступ к портам 2083 и 2087 (они используются cPanel и WHM), чтобы защитить своих клиентов до выхода патча.

Спустя несколько часов после выпущенного Namecheap предупреждения, разработчики cPanel опубликовали собственный бюллетень безопасности, в котором сообщили, что уже устранили проблему в версиях:110.0.97;118.0.63;126.0.54;132.0.29;134.0.20;136.0.5.

Получение доступа к cPanel фактически означает полный захват …

Ис­сле­дова­тели отме­чают, что вре­донос­ный архив регуляр­но обновлял­ся, так что в будущем в него могут добавить допол­нитель­ные пей­лоады.

Са­мый популяр­ный сер­верный софт — Pure-FTPd (1 990 000 сер­висов), за ним сле­дует ProFTPD (812 000) и vsftpd (379 000).

За наруше­ние юри­дичес­ким лицам гро­зит штраф от 500 000 до 1 000 000 руб­лей, а при пов­торном — от 3 000 000 до 5 000 000 руб­лей.

21 000 000 000 долларов США потеряли американцы из-за киберпреступлений По дан­ным ФБР, жер­твы кибер­прес­тупле­ний в США потеря­ли поч­ти 21 000 000 000 дол­ларов США за 2025 год — на 26% боль­ше, чем в 2024 году.

Круп­ней­шие потери свя­заны с крип­товалют­ными схе­мами — свы­ше 11 000 000 00…

Издание Torrent Freak сообщило, что на этой неделе десятки пиратских стриминговых сайтов (включая Sflix, Myflixerz, HDtoday и клоны Fmovies) внезапно перестали открываться.

Все они отображают одинаковую ошибку Cloudflare 521, но, похоже, проблема заключается не в действиях правообладателей, а в сбое общей для ресурсов PaaS-инфраструктуры (Piracy-as-a-Service).

]to и многие другие ушли в офлайн с ошибкой 521.

Отмечается, что в последние годы такие платформы начали выступать не только в роли источников видео, но и как полноценный хостинг для пиратских сайтов.

Сопоставимый по масштабам случай произошел в 2023 году, когда закрыли сервис 2embed, и в офлайн ушло множество ресурсов.

Аналитики «Лаборатории Касперского» предупредили, что хак-группа HeartlessSoul сместила фокус атак: теперь злоумышленники активно охотятся за геоинформационными данными российских организаций, используя JS-RAT и фишинг.

Исследователи отмечают, что группировка активна как минимум с осени 2025 года и по-прежнему концентрируется на российских целях.

Так, среди целей группы — госсектор, предприятия в сфере промышленности и авиационных систем, а также частные пользователи.

Анализ инфраструктуры злоумышленников показал, что HeartlessSoul действует не в одиночку.

С учетом связей с GOFFEE и продолжающейся активности группы, эксперты полагают, что в будущем можно ожидать новых кампаний HeartlessSoul.

По сути, PocketOS представляет собой бэкенд для прокатных сервисов, в котором работает вся критичная бизнес-логика и хранятся данные клиентов.

Но вместо дебага он обратился к API Railway и удалил том (volume).

Проблема заключалась в том, что этот том не был изолирован, и вместе с ним оказалась уничтожена и продакшен-база.

«Агент столкнулся с несоответствием учетных данных и решил — по собственной инициативе — “исправить” эту проблему, удалив том Railway, — рассказывает Крейн.

«Я пишу это, потому что каждый основатель, каждый техлид и каждый журналист, который освещает ИИ-инфраструктуру, должен понимать, что на самом деле произошло, — заявляет глава PocketOS.

В ядре Linux нашли уязвимость CopyFail, которая позволяет получить root-доступ без состояния гонки и сложных эксплоитов.

Уязвимость связана с повышением привилегий, и с ее помощью локальный пользователь без повышенных привилегий может записать данные в кеш страниц, что в итоге позволяет получить root-права практически в любом дистрибутиве последних лет.

Корень проблемы кроется в криптографическом компоненте authencesn, и уязвимость появилась в коде в 2017 году, в результате оптимизации algif_aead.

Он правит бинарник setuid и позволяет получить root-доступ.

Подчеркивается, что эксплоит работает в большинстве дистрибутивов Linux, выпущенных после 2017 года, включая Ubuntu, RHEL, SUSE, Amazon …

Представители видеоплатформы Vimeo сообщили об утечке пользовательских и клиентских данных после атаки на стороннего подрядчика — компанию Anodot, которая занимается обнаружением аномалий в данных.

При этом в компании подчеркивают, что сами видеоролики, действующие учетные данные пользователей и платежная информация в ходе атаки не пострадали.

«Данные, к которым был получен доступ, не включают видеоконтент Vimeo, действующие учетные данные пользователей или информацию о платежных картах.

Учетные данные пользователей и клиентов Vimeo также находятся в безопасности.

После обнаружения атаки специалисты Vimeo отключили все учетные данные Anodot и удалили интеграцию сервиса со своими системами.

Популярный пакет elementary-data из Python Package Index (PyPI) оказался скомпрометирован: злоумышленник опубликовал вредоносный релиз 0.23.3, который похищал секреты разработчиков и файлы криптокошельков.

Из-за особенностей пайплайна вредонос попал не только в PyPI, но и в Docker-образ проекта.

Пакет популярен в экосистеме dbt и насчитывает более 1,1 млн загрузок в месяц.

Пайплайн сам собрал и опубликовал зараженную версию в PyPI, а также отправил вредоносный образ в GitHub Container Registry.

Как объясняют специалисты, это произошло потому, что workflow для релиза в PyPI также содержал job для сборки и публикации Docker-образа.

В тот момент очень хотелось вплес­ти в ткань обы­ден­ности не толь­ко сами тре­ки, но и живые обсужде­ния — что нового выш­ло, кому что нра­вит­ся, инте­рес­ные фак­ты о музыкан­тах.

Минима­лис­тичный дизайн (вклю­чить‑вык­лючить), прос­тень­кая визу­али­зация, спи­сок тре­ков и — новая для меня в этом жан­ре фун­кция — воз­можность ста­вить лай­ки музыке пря­мо в эфи­ре.

Стан­цию я вклю­чил, но через пол­тора часа она замол­чала и не выходи­ла в эфир еще очень дол­го.

Last.fm отда­ет в фор­мате JSON ответ, из которо­го я вытас­киваю биог­рафию и под­мешиваю ее в промпт к локаль­ной LLM-модели mistralai/ ministral-3-14b-reasoning .

И это было пра­виль­ное решение: тре­ки в кол­лекции в осно…

OAuth grants don't expire when employees leave.

80% of security leaders consider unmanaged OAuth grants a critical or significant risk.

The more pressing issue is that OAuth grants are an active attack vector.

What monitoring actually needs to look likeThe current generation of OAuth security tools addresses OAuth risk at the point of installation.

Material's OAuth Threat Remediation AgentMaterial Security's OAuth Threat Remediation Agent is built around this more complete model of OAuth risk.

The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution.

"MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code," the NIST National Vulnerability Database (NVD) states.

"Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server."

As a result, remote, unauthenticated attackers could exploit this loophole to inject and execute arbitrary PHP code.

As many as 2,000 inst…

In the wake of the ClawdBot fiasco — the viral self-hosted AI assistant that’s averaging an eye-watering 2.6 CVEs per day — the Intruder team wanted to investigate how bad the security of AI infrastructure actually is.

In fact, the AI infrastructure we scanned was more vulnerable, exposed, and misconfigured than any other software we've ever investigated.

Wide open agent management platformsWe also discovered exposed instances of agent management platforms, including n8n and Flowise.

We identified over 90 exposed instances across sectors such as government, marketing, and finance.

Don't wait for an attacker to find your exposed AI infrastructure first.

]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia.

Windows versions of BirdCall, dubbed an advanced evolution of RokRAT, have been detected in the wild since 2021.

]net supply chain attack, incorporates a subset of its Windows counterpart, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio.

Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact.

"The Android backdoor has seen active development, and provides surveillance capabilities…

A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.

The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312.

The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026.

Chinese security vendor QiAnXin said it was able to successfully reproduce the remote code execution vulnerability in its own alert released on March 17, 2026.

Security researcher Kerem Oruc has made available a Python-based dete…

The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of the targets located in the U.S.

The majority of phishing emails were directed against healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors.

A massive campaign on March 17, 2026, that involved more than 1.5 million confirmed malicious messages sent to over 179,000 organizations across 43 countries.

"Most observed phishing endpoints were associated with Tycoon 2FA, while additional activity was linked to Kratos (formerly Sneaky 2FA) and EvilTokens infrastru…

An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts.

The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix.

]mx"), an executable that's responsible for delivering the SimpleHelp RMM tool.

To facilitate fully interactive desktop access, the SimpleHelp remote access client acquires SeDebugPrivilege via AdjustTokenPrivileges, while "elev_win.exe" – a legitimate executable file associated with the software – is used to gain SYSTEM-level privi…

Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass.

MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts.

The vulnerabilities in question are CVE-2026-4670 (CVSS score: 9.8), an authentication bypass vulnerability, and CVE-2026-5174 (CVSS score: 7.7), an improper input validation vulnerability that could allow privilege escalation.

"Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass a…

How to Match AI Attack Speed with Autonomous Exposure Validation → Struggling with AI attacks moving faster than your team can respond?

"The attack chain establishes persistent remote access by abusing Microsoft's legitimate VS Code tunnel service, with exfiltration notifications sent via a Discord webhook — a sophisticated technique designed to evade network-level detection."

Calendly-Themed Phishing Attacks on the Rise —Multiple threat clusters are leveraging Calendly-themed phishing to fingerprint site visitors and steal credentials and other data.

Victims were then assigned retention agents, who masqueraded as investment advisors and used remote access software to gain full control of t…

The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club, Japan's largest internet cafe chain.

Instances of malicious packages discovered on public repositories increased by 75%, cloud intrusions increased by 35%, and AI-generated phishing began outperforming human red teams entirely.

While these attacks were possible before 2025, we are now seeing single-actor attacks that would have been characteristic of organized teams and smaller-scale attacks by nontechnical individuals that would have been more characteristic of attacks carried out by a talented hacker or engineer in the pre-AI era.

The Venn diagram of “willing to do attacks” and “has…

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor.

The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities.

More than 1,600 phishing emails were flagged between early January and early February.

The end goal of the Silver Fox RustSL variant is to unpack the encrypted malicious payload, while implementing country-based geofencing and environment checks to detect virtual machines and sandboxes.

"Since 2024, [Silver Fox] has evolved into a dual-track ope…

]175," primarily singling out government and military domains associated with the Philippines (*.mil.ph and (*.ph)) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly-available proof-of-concepts (PoCs).

In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain for an Indonesian defense sector training portal prior to the cPanel attacks, employing a combination of authenticated SQL injection and remote code execution.

Further analysis has determined that the threat actor is using the AdapdixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint.

Also used are tools like OpenVPN and Ligolo to facilita…

Calm feels like evidence that the danger has passed, which changes behavior in ways that reintroduce the danger.

Yet more trapsThe formal state of an organization’s security is easy to measure and – assuming all turns out well – also easy to feel good about.

When the confidence shattersThis all matters also because a ransomware intrusion is a business continuity event whose effects extend far and wide.

Discipline is everythingIn addition to the right tools and people, security that holds up over time rests on the habit of watching and adapting.

It’s what security tools can ‘convert’ into detections and alerts that let security teams act in time.

GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communication and exfiltration.

GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for C&C communications and exfiltration.

The malware we initially discovered consists of the following:JabGopher: an injector that executes the LaxGopher backdoor disguised as whisper.dll .

GopherWhisper toolset overviewRevealing messagesAs mentioned in the introduction, GopherWhisper is characterized by the extensive use of legitimate services such as Slack, Discord, and Outlook for C&C communication.

In addition, several interesting links to GitHub reposi…

Additionally, the code can also capture the victim’s payment card PIN and exfiltrate it to the operators’ C&C server.

Apart from relaying NFC data, the malicious code also steals payment card PINs.

The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data.

Once installed, the app asks to be set as the default payment app, which can be seen in Figure 10.

Initial request to set the app as the default NFC payment appFigure 11.

Collectively, they pave the way for the intrusion long before the ransom note arrives.

ESET’s detection data shows ransomware rising by 13 percent in the second half of 2025 compared to the prior six months, following a 30-percent increase in the first half of 2025.

Meanwhile, Verizon’s 2025 Data Breach Investigations Report (DBIR) recorded a jump from 32% to 44% in the share of breaches involving ransomware, while the median ransom payment fell from $150,000 to $115,000.

As the products have improved, criminals responded by building a clandestine market for tools designed to disable them.

The sheer investment in EDR killers is, somewhat perversely, the clearest measure of how much damage t…

Ignoring a real breach notification invites risk, but falling for a bogus one could be even worse.

What do fake breach notification scams look like?

Either:The scammers wait for a real breach, and piggyback on the news to send out a fake notification.

Spotting the red flagsFake breach notifications should be easy to spot if you know what to look out for.

Staying safeUnderstanding what to look out for is the first step to staying safe from breach notification scams.

This seems extremely low given the scale and frequency of supply chain incidents – and how broadly ‘supply chain’ really stretches.

Notably, 3CX itself was the downstream victim of another supply chain attack, courtesy of a compromised Trading Technologies X_TRADER installer.

CISOs rated supply chain disruption #2 for 2025 and #2 again for 2026, while CEOs rate supply chain disruption #3 for 2025.

Talk about a supply chain blind spot…What are key considerations around geopolitical supply chain risk?

Resilience is imperativeIn a world of escalating threats and risky interdependencies, supply chain cyber resilience is a competitive differentiator at the survival level.

If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse.

Online scammers only care about one thing: making money, so when new opportunities arise to do just that, they take them.

Recovery fraud is an umbrella for several predatory tactics, all sharing a common goal: the “second strike.”How does recovery fraud work?

This is basically a kind of advance fee fraud.

If you’ve been victimized by recovery scammers, there are a limited set of options available to you.

Threat actors are using AI to supercharge tried-and-tested TTPs.

The former are using AI, automation and a range of techniques to sometimes devastating effect.

But n the other hand, threat actors are just doing what they have done before – supercharging existing tactics, techniques and procedures (TTPs) to accelerate attacks.

Threat actors are:Getting better at stealing/cracking/phishing legitimate credentials from your employees.

Catching threat actors at this point is essential – especially as exfiltration (when it begins) is also being accelerated by AI.

Now just have a think about all of the digital assets you’re likely to leave for loved ones to manage.

From a legal perspective, inheritance laws often don’t include digital assets, online policies can be “opaque” and tools fragmented, it says.

However, a proposed Property (Digital Assets, etc.)

However, a proposed Property (Digital Assets, etc.)

Or a fictitious “account recovery” service provider claiming they can access your loved one’s digital assets for a fee.

The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience planAs March 2026 draws to a close, ESET Chief Security Evangelist Tony Anscombe looks at some of the top cybersecurity stories that made the news this month and offers insights that they may hold for your cyber-defenses.

Here's Tony's rundown of some of what stood out most over the four or so weeks:The medtech giant Stryker fell victim to a cyberattack that was claimed by the Iran-linked Handala hacktivist group and reportedly wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data,Research by the Google Threat…

This year, AI agents took the center stage – as a defensive capability, but more pressingly as a risk many organizations haven't caught up withThat's a wrap on the RSAC™ 2026 Conference.

For its 35th edition, the conference drew the usual mix of security practitioners, researchers and vendors.

Predictably, AI agents dominated much of the conversation – as a defensive capability, but more pressingly as a risk that many organizations have yet to fully think through.

Watch the video with ESET Chief Security Evangelist Tony Anscombe, who was on the ground all week, to learn more about what else was trending at this year's edition of the event.

If you caught any of them, or stopped by our booth,…

A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses.

Active since at least 2023, Silver Fox initially focused on Chinese-speaking targets before expanding into Southeast Asia, Japan, and potentially North America, running each campaign in a local language.

This pattern isn’t new – similar activity was observed during the same period last year, indicating that Silver Fox deliberately aligns its operations with this season.

In this operation, Silver Fox sends tailored spearphishing emails crafted to look like legitimate HR or tax-related messages.

Silver Fox is clearly do…

Indeed, some now run entirely in the cloud, while many others have paired cloud workloads, often in multi-cloud setups, with on-prem resources that won’t be retired anytime soon.

Of all the things that these organizations have in common, one warrants a closer look: virtual machine (VM) sprawl, or uncontrolled growth of virtual machines that are often left to fend for themselves.

This tracks with the identity-driven nature of cloud workloads, where both the VM itself and what it can access deserves scrutiny.

Catching the anomaly requires connecting what’s happening on the VM itself to what the VM’s identity is doing across the wider environment.

Parting thoughtsVMs are one of the oldest and …

Many cloud data breaches trace back to mundane lapses in security hygiene and oversights in the management of complex deployments, rather than fiendish zero-day exploits.

According to Google’s H2 2025 Cloud Threat Horizons Report, credential compromise and misconfiguration remained the primary entry points for threat actors into cloud environments in the first half of 2025.

Few organizations can afford to give up the flexibility and cost-efficiency that made the cloud in various of its flavors attractive in the first place.

Worryingly, a survey by the Cloud Security Alliance has found that only 23% of organizations have full visibility into their cloud environments.

Securing cloud workloads…

VIAVI Solutions has announced the launch of its next-generation CyberFlood CF1000 Appliance, a native 400G security and application performance test platform for the validation of multi-terabit security and AI data center infrastructures at scale.

By bringing together massive-scale encrypted traffic generation, continuous threat vector emulation, quantum-safe cryptography validation and AI inference workload emulation on a single platform, CF1000 eliminates the validation gaps inherent in traditional test systems.

“As networks move toward 400G and higher speeds, the combination of encrypted traffic, AI‑driven workloads and distributed cloud architectures is raising the bar for security perf…

Oracle is changing how its security fixes are delivered: starting in May 2026, there will be a monthly Critical Security Patch Update.

“Each [monthly] CSPU is smaller and more focused, making it easier to apply critical fixes quickly [to customer-managed deployments],” Oracle says.

Quarterly Critical Patch Updates (CPUs) remain in place and will continue to include all fixes released in prior CSPUs.

In customer-managed environments, whether run on-premises or on Oracle Cloud Infrastructure, Oracle identifies vulnerabilities and provides patches for supported products, but customers are responsible for planning, testing, and applying updates.

Applying updates in a timely manner helps limit e…

Phishers have been using fake workplace compliance notices to try to trick Microsoft account owners into signing in via a fake sign-in page, says the company’s Defender Research team.

The email campaign targeted more than 35,000 users across 13,000 organizations in 26 countries, but concentrated primarily on targets in the United States.

Microsoft didn’t say how many fell for the lure and had their account compromised.

Built to deceive and bypass defensesThis sophisticated email campaign was designed to alarm, and “because the messages contained concerning accusations and repeated time-bound action prompts, the campaign created a sense of urgency and pressure to act,” Microsoft noted.

Subsc…

Anomali has announced ThreatStream Next-Gen.

ThreatStream Next-Gen follows this approach, providing context on attackers and campaigns, prioritization, and recommended next steps as part of the process.

This model was developed before the need for faster response became more pressing.

ThreatStream Next-Gen is the intelligence layer that competitors can’t replicate, because it’s not a bolt-on — it’s the core of everything we build, including our current innovation in agentic AI.

ThreatStream Next-Gen closes that gap: five new capabilities that carry intelligence all the way from production to action, without losing fidelity at the handoff.

A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its users since late 2024.

The malicious code arrived through an update package hosted at xiazai.sqgame.com[.

That downloader checks for analysis tools and virtual machines, locates the sqgame client process, and pulls shellcode from compromised South Korean websites.

Targeting .hwp files, the format used by the South Korean Hancom Office suite, points to Korean-speaking victims.

The campaign’s profile, regional focus, and targeted file types align with prior ScarCruft operations against North Korean defectors and the South Korean government and military.

Meta has updated its infrastructure for protecting password-based and end-to-end encrypted backups, introducing over-the-air fleet key distribution for Messenger and a commitment to publishing evidence of secure fleet deployments.

How encrypted backups workThese updates build on the company’s HSM-based Backup Key Vault, which provides end-to-end encrypted backups for WhatsApp and Messenger.

Meta has offered end-to-end encrypted messaging since 2016, while backups stored in cloud services did not receive the same level of protection.

When end-to-end encrypted backups are enabled in WhatsApp, the client generates a unique 256-bit encryption key using a built-in cryptographically secure pseudo…

Researchers have used these stylistic signals for years to identify the authors of anonymous code samples, sometimes with surprising accuracy.

Their model, called VulStyle, treats coding style as a signal alongside the code itself.

VulStyle’s approach (Source: Research paper)A different angle on an old problemStatic analyzers have looked at vulnerable code for decades.

The model was pre-trained on roughly 4.9 million functions across seven programming languages, then fine-tuned on five widely used vulnerability detection datasets.

Stylistic patterns carry information about risk, and combining them with structural and lexical features can sharpen detection on certain classes of bugs.

Enterprise deployments of AI agents lean on two extension mechanisms that introduce risk at different layers of the stack.

MCP servers expose deterministic code functions with structured, loggable invocations.

Reasoning phase vs. execution phase (Source: Noma Security)What the analysis foundResearchers analyzed hundreds of popular MCP servers and Skills against eight risky capability categories.

A typical enterprise environment runs well over a hundred high-risk tools connected to its agents, with arbitrary code execution common across the MCP landscape.

Supply-chain compromise pairs untrusted input with arbitrary code execution.

Armis Security SpecialistHCLTech | Ireland | On-site – View job detailsAs an Armis Security Specialist, you will manage and optimize the Armis deployment to strengthen security across lab, OT, and IoT environments.

Cyber Security EngineerKaleida Health | USA | On-site – View job detailsAs a Cyber Security Engineer, you will design, optimize, and maintain security platforms across endpoint, email, identity, cloud, and network environments.

Cyber Threat AnalystJohns Hopkins Applied Physics Laboratory | USA | On-site – View job detailsAs a Cyber Threat Analyst, you will correlate logs, telemetry, and security data to detect APT activity and investigate indicators of compromise.

Information Sec…

Hacking PolymarketPolymarket is a platform where people can bet on real-world events, political and otherwise.

Leaving the ethical considerations of this aside (for one, it facilitates assassination), one of the issues with making this work is the verification of these real-world events.

Polymarket gamblers have threatened a journalist because his story was being used to verify an event.

And now, gamblers are taking hair dryers to weather sensors to rig weather bets.

Posted on May 4, 2026 at 5:46 AM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Fast16 MalwareResearchers have reverse-engineered a piece of malware named Fast16.

It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet:“…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.”Another news…

No, it’s an extraordinary number:Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.

We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.

This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.

Our experience is a hopeful one for teams who shake off the vertigo and get to work.

Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up.

This capability will have major security implications, compromising the devices and services we use every day.

The news rocked the internet security community.

Unpatchable or hard to verify systems should be protected by wrapping them in more restrictive, tightly controlled layers.

These are bog-standard security ideas that we might have been tempted to throw out in the era of AI, but they’re still as relevant as ever.

Rethinking Software Security PracticesThis also raises the salience of best practices in software engineering.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

It was used to track a Dutch naval ship:Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside.

Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus.

While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk.

[…]Navy officials reported that the tracker was discovered within 24 hours of the ship’s arrival, during mail sorting, and was eventuall…

404 Media reports (alternate site):The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database….

The news shows how forensic extraction—­when someone has physical access to a device and is able to run specialized software on it—­can yield sensitive data derived from secure messaging apps in unexpected places.

Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

“We learned that specifically on iPhones, if one…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Is “Satoshi Nakamoto” Really Adam Back?

The New York Times has a long article where the author lays out an impressive array of circumstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Back.

I was a member of the Cypherpunks mailing list for a while, but I was never really an active participant.

I knew a bunch of the Cypherpunks, though, from various conferences around the world at the time.

I really have no opinion about who Satoshi Nakamoto really is.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

This is, in many respects, exactly the kind of responsible disclosure that security researchers have long urged.

Anthropic said security contractors agreed with the AI’s severity rating 198 times, with an 89 per cent severity agreement.

The security problem is far greater than one company and one model.

The security company Aisle was able to replicate many of Anthropic’s published anecdotes using smaller, cheaper, public AI models.

Nor should such a company be able to restrict the ability of society to make choices about its own security.

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign.

That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan is the second known Scattered Spider member to plead guilty.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft.

Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities.

For example, a Google Chrome update released earlier t…

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today.

The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by …

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.

REvil never recovered f…

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP.

TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote.

The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices.

That disclosure help…

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan.

Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a.

Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploratio…

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint.

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program.

Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tues…

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025.

“The testimonials are remarkable,” the AI security firm Snyk observed.

WHEN AI INSTALLS AIOne of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant.

Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.

Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape.

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet.

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$.

Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse.

The breach tracking service Constella I…

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms.

Enter Starkiller, a new phishing service that dynamically loads a live copy of the target login page and records everything the user types, proxying the data to the legitimate site and back to the victim.

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et.

“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterp…

I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network …

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows.

CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday.

On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

A prolific data ransom gang that calls itself Scattered Lapsus Shiny Hunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroyin…

This is the picture that US prosecutors have painted of a teenager arrested earlier this month at Helsinki Airport while trying to board a flight to Tokyo.

Prosecutors allege that the teenage suspect took part in at least four Scattered Spider attacks , the earliest in March 2023 - just months after his 16th birthday.

The complaint also alleges that the Scattered Spider gang mocked law enforcement, with one 2024 screenshot reportedly showed failed login attempts captioned "F*** off, FBI."

Scattered Spider is a loosely-formed English-speaking collective of teenagers and young adults who became infamous after the 2023 attacks on MGM Resorts and Caesars Entertainment.

You should also consider …

US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes.

The messages, which began arriving on Monday, came signed by the Iran-linked Handala hacking group, that has spent much of 2026 attacking US and Israeli targets.

A day later, the Handala hacking crew took to its Telegram channel to announce that it had published the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf.

Handala, which first surfaced in late 2023, presents itself as a pro-Palestinian hacktivist group.

If a Marine receives a WhatsApp message naming them and threatening their family, it does not really ma…

All this and more in episode 465 of the “Smashing Security” podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

34-year-old Xu Zewei arrived in Houston, Texas at the weekend after Italian authorities approved his extradition to the United States.

The US Department of Justice alleges that Xu was following orders from officers at the Shanghai State Security Bureau, an arm of China's Ministry of State Security.

According to the FBI, Hafnium targeted more than 60,000 organisations in the United States and successfully broke into over 12,700 of them.

The Chinese Foreign Ministry opposed Xu's extradition to the United States, and claimed that cases are being fabricated against Chinese citizens.

But every so often, a suspect makes the mistake of going on holiday somewhere with an extradition agreement with …

A 21-year-old man suspected of conducting approximately 100 data breaches since late 2025 - including a hack of the French Ministry of National Education that exposed records on almost a quarter of a million employees — has been arrested at his home in western France.

According to French prosecutors, the man was reportedly preparing to dump yet another collection of stolen data online at the time of his arrest on 20 April, and has admitted to using the pseudonym "HexDex" online.

The police investigation began on 19 December last year, when the Paris prosecutor's cybercrime unit received around 100 reports of data exfiltration, all apparently linked to the same perpetrator.

In an interview g…

Yeah, yeah.

Yeah, yeah.

As a journalist, this really, really bugs me because of course, it's really difficult when you cover these cybercrime incidents because the victim here, is it P3?

And the company have been clearly really, really terrible in transparency.

Yeah, yeah, yeah.

Garrett Dutton, better known as G. Love - the front man of blues-hip-hop outfit G. Love & Special Sauce - has learnt that lesson the hard way.

In what must have been a painful admission earlier this month, G. Love described how while setting up a new computer, he downloaded what he believed was the legitimate Ledger Live app from Apple's official App Store.

The bogus app tricked the singer into entering his seed phrase - the master key to his cryptocurrency holdings.

The real Ledger Live app will never ask you for your seed phrase.

In the past Apple has presented its App Store as a more secure and safer place to find and download apps than other operating systems.

Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it. Read more in my article on the Fortra blog.

Right, right.

And by legacy, I mean software that's already out in production that's been out one or more years.

Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.

Right, right.

Right, right.

Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers - all reporting back to the same central point.

Between them, before being identified, the extensions had racked up approximately 20,000 installs from the Chrome Web Store.

And to further disguise the reality of what was going on, each malicious Google Chrome extension adopted differing disguises - including posing as a Telegram sidebar client, slot machine games, tools to enhance YouTube and TikTok, or translation tools.

More recently, in 2023, a rogue "ChatGPT for Google" extension…

The fraud landscape has been changed by AI and cryptocurrency in a way that should concern organisations and individuals alike. Read more in my article on the Fortra blog.

All this and more in episode 462 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Dave Bittner.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

But with Amnesty International simultaneously revealing that state-licensed casinos are directly linked to torture and trafficking, serious questions linger about whether enforcement will match the rhetoric.

Cambodia's Law on Combating Online Scams was signed on April 6 in a royal decree, and takes effect immediately.

The scam compound bosses whose activities lead to death face between 15-30 years - or life imprisonment.

According to figures from the United Nations and USAID, between 100,000-150,000 people are exploited in scam compounds across Cambodia.

The hard part is going to be dismantling the criminal networks, protecting the victims, and rooting out corruption and complicity which ha…

And in a surprising twist, it turns out that he was caught out after accidentally trying to swindle a fellow fraudster.

He and his fellow conspirators exploited the fake online relationships to convince their victims into handing over money and personal information.

Owolabi's crimes went beyond romance fraud.

Romance scams remain among the most financially devastating forms of cybercrime, exploiting human emotion rather than technical vulnerabilities.

The victims of romance scam are not tricked by malware.

All this and more in episode 461 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Danny Palmer.

Smashing Security listeners get $1000 off!

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Практически в каждом фильме или сериале из вселенной «Звездных войн» присутствуют дроиды.

Кто-то, наверное, скажет: «Да какая разница?» И с точки зрения нормального зрителя будет абсолютно прав.

Дроид — сложная киберфизическая система, повлияв на мотивацию которой атакующий может получить доступ к конфиденциальным данным, а то и вовсе причинить вред настоящему владельцу.

В нескольких случаях человек, не являющийся формальным владельцем дроида, старается повлиять на его поступки, пытаясь ввести дроида в заблуждение.

Ферн вводит в дискуссию понятие из детских игр — unclaimsies (то есть как бы обнуление прав) и заявляет собственные права на место капитана.

Динамически обновляемый контентКорреляционный контент сегодня — это не статичный набор правил, а процесс: он постоянно развивается и адаптируется под актуальные угрозы.

Только за 2025 год мы выпустили 55 обновлений пакетов правил для разных версий и разных языков нашей SIEM-системы KUMA.

Всего за год добавилось 10 новых пакетов, а также 250 правил обнаружения и множество улучшений существующего контента.

Эффективность работы KUMA повышается за счет интеграции с Kaspersky EDR и отдельными наборами правил для Active Directory, в которых реализованы десятки сценариев обнаружения атак на разных стадиях.

В целом SIEM перестает быть набором правил и превращается в постоянно обновляемую систему об…

В случае если авто или его владелец потенциально связаны с преступлением, автомобиль могут изучать не только под микроскопом и ультрафиолетом.

Комплексная слежкаДля слежки за «лицами, представляющими интерес», данные, полученные с самого автомобиля, связывают с информацией из других источников.

Журналисты обнаружили, что некоторые компании рекламируют возможность дистанционного скрытного включения микрофонов и камер автомобиля, что позволяет прослушивать разговоры в реальном времени.

Если это приложение вам очень нужно, откажитесь от передачи своих данных «на сторону» в настройках фирменного приложения.

Откажитесь от передачи данных и в настройках самого автомобиля, если это возможно.

Например, приложение, которое обрабатывает конфиденциальные данные организации, опубликовано на публичном конструкторе вайб-код-приложений (Lovable и ему подобным) и по умолчанию доступно всему Интернету.

Нельзя один раз проделать упражнение «защита приложения» и на этом остановиться.

Всегда просите ИИ добавлять проверки для любых данных, которые вводят люди (как в формы, так и в строки поиска).

Тестируйте новые функции и новые версии приложения в безопасной среде — на копии сайта или приложения и на копии базы данных.

С помощью сканера вы проследите, чтобы файлы с ключами и паролями не попадали в Git и не публиковались вместе с проектом.

Преступники внедряют уже известные трюки в новые цепочки атак, в том числе ловят жертв в App Store.

Подделки под криптокошелькиВ марте этого года мы обнаружили в топе китайского App Store фишинговые приложения, иконки и названия которых мимикрируют под приложения для управления распространенными криптокошельками.

Чтобы приложения были пропущены в App Store, в них добавляли какую-либо базовую функциональность, например игру, калькулятор или планировщик задач.

Установка без App StoreКлючевой частью схемы является установка вредоносов на iPhone жертв в обход App Store и его процесса верификации.

Такие приложения не требуют публикации в App Store, и их можно устанавливать без ограничений по кол…

Возможно, именно это в какой-то мере сформировало их отношение к информации и сподвигло заняться ее защитой.

То есть, по сути, описана виртуальная реальность, неотличимая от настоящей (и это за 35 лет до «Матрицы»).

«Нейромант» (1984)«Нейромант» — книга, опубликованная в 1984 году и, по сути, положившая начало популярности жанра «киберпанк» (хотя само слово было изобретено немного раньше).

И эту идею отложили в долгий ящик, и она до сих пор так и не реализовалась.

Это уже не фантастика, и в этой подборке он стоит скорее для контраста.

Такие документы — лакомый кусочек для злоумышленников, ведь в них хранятся личные данные, информация о работе, доходах, собственности и банковских счетах — и далее по списку.

Неудивительно, что именно в это время мошенники становятся особенно активными: Интернет сейчас буквально кишит поддельными сайтами, имитирующими государственные ресурсы и налоговые органы.

В этом посте рассказываем, как действуют поддельные сайты от «налоговых органов» в разных странах и чего делать точно не стоит, чтобы сохранить свои деньги и конфиденциальную информацию.

На подобных сайтах-подделках мошенники крадут учетные данные от легитимных сайтов и личную информацию, а затем предлагают оформить налоговый вычет и…

«Оптика» уже давно является стандартным средством передачи данных благодаря возможности транслировать информацию с высокой скоростью и на большие расстояния.

Потенциально это позволяет превратить оптоволоконный кабель в микрофон и перехватывать разговоры в помещении, находясь в километрах от источника звука.

Конечно, данная работа имеет скорее теоретический характер, как и другие подобные исследования, о которых мы писали ранее (прослушивание через датчик мыши, модули оперативной памяти как радиопередатчик, похищение данных с сенсора камеры видеонаблюдения, подглядывание в экран через кабель HDMI).

Трудности оптического подслушиванияВпервые о таких особенностях оптического кабеля задумались…

Если компания производит программное обеспечение, то злоумышленники получат возможность организовать масштабную атаку на цепочку поставок для атаки на пользователей разрабатываемого приложения.

Варианты атак на разработчиков ПОВыбрав целью разработчика программного обеспечения, злоумышленники, как правило, пытаются теми или иными способами подсунуть ему вредоносный код.

Вредоносный код в тестовых заданияхПериодически злоумышленники публикуют привлекательные вакансии для разработчиков и снабжают их тестовыми заданиями, в которых содержится вредоносный код.

Атака была направлена на разработчиков, которые пытаются найти способ использовать ассистентов без ведома ИБ-службы компании.

Узкоспециал…

DarkSword и Coruna — два новых инструмента для бесконтактных и незаметных атак на iOS-устройства, которые уже активно используются злоумышленниками «в дикой природе».

Однако DarkSword и Coruna, обнаруженные исследователями кибербезопасности в этом году, меняют правила игры: эти зловреды уже используются для массового заражения рядовых пользователей.

Получается зловред двойного назначения, который может использоваться как для шпионажа, так и для кражи криптовалюты.

Последняя версия Coruna, как и DarkSword, имеет модификации для кражи криптовалюты, а также ворует фотографии и в некоторых случаях электронную почту.

Кто создал Coruna и DarkSword и как они попали в «дикую природу»Исследование ко…

Помимо экранных дикторов, для помощи незрячим и слабовидящим существуют и специальные приложения и сервисы для мобильных устройств, среди которых один из самых популярных — Be My Eyes.

Кроме того, в Be My Eyes встроен ИИ, который может распознавать и озвучивать текст и называть объекты вокруг.

Приложение для Windows, Android и iOS позволяет незрячим и слабовидящим обращаться за помощью к волонтерам по видеосвязи с любыми бытовыми вопросами.

Мы также рекомендуем установить на все ваши устройства — и смартфоны, и компьютеры — надежное защитное решение, которое заблокирует попытки фишинга и перехода на вредоносные или подозрительные сайты.

При этом фото и видео шифруются как при передаче, так …

Так случилось с исследованиями GDDRHammer и GeForge: в них описаны две очень похожие атаки класса Rowhammer.

Заодно была продемонстрирована возможность атаки на оперативную память более новых стандартов — DDR4 и DDR5.

За счет этого обеспечивается возможность произвольного чтения и записи данных в видеопамять и даже чтение и запись в основную оперативную память, управляемую центральным процессором.

Насколько атаки на графическую память реалистичны?

Так что, несмотря на остающиеся ограничения, эти три исследования показывают, что атаки Rowhammer остаются опасными.

В результате компьютер жертвы отправляет исходящий трафик не в сеть, а атакующему.

Атаки на RAIDUS.

Затем атакующий сможет создать фальшивый RAIDUS-сервер и точку доступа и перехватывать данные подключившихся устройств.

Как защитить корпоративную сеть от AirSnitchУгроза наиболее реальна для организаций, использующих гостевые и корпоративные сети Wi-Fi на одних и тех же точках доступа без дополнительной сегментации VLAN.

В любом случае нужно перестать воспринимать «изоляцию клиентов» на точке доступа как меру безопасности и считать ее скорее элементом удобства.

Основные риски при использовании приложений для секс-игрушекПриложения для секс-игрушек обычно бесплатны.

Однако, в отличие от какого-нибудь интернет-магазина кормов для животных, утечка данных из приложения для секс-игрушек может иметь гораздо более серьезные последствия для пользователей.

Наличие широких возможностей социального взаимодействия фактически делает приложения для секс-игрушек еще одним мессенджером.

Анонимный адрес почты защитит вашу репутацию в том случае, если в приложении для секс-игрушек произойдет утечка.

Регулярно обновляйте приложения и операционную системуОбновления — это не только новые функции, но и исправления ошибок, которые могут влиять на безопасность.

The Missing Surface: Security ContextAsk a SOC analyst what they need from a security platform and you get consistent answers.

Cisco Secure Access now includes Security Insights: a security analytics dashboard that surfaces where risk is concentrated, helps teams identify emerging threats and policy gaps, and gives security leadership the trend data to report on posture and measure the impact of initiatives over time.

Secure Access addresses this through the AI view, which tracks GenAI application usage and guardrail violations alongside the rest of security operations.

Security Insights gives analysts the signals to start an investigation, security managers the view to close policy gaps, a…

The integrity of the systems we depend on, the trust layer underneath everything, is equally exposed.

This integrates naturally with external key management systems, including Quantum Key Distribution platforms for the most sensitive environments.

In the meantime, visit the Cisco Trust Center to learn more about our PQC approach and stay ahead of what’s coming.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Cisco Catalyst SD-WAN for Government integration with Cisco Secure Access FedRAMP instances: Government agencies require secure, compliant networking solutions that meet stringent federal security standards.

Cisco Catalyst SD-WAN for Government now integrates with Cisco Secure Access FedRAMP instances, enabling government organizations to maintain secure connectivity while ensuring compliance with federal security standards.

Policy groups in Cisco Catalyst SD-WAN Manager enable agencies to define IPSec tunnels and connection parameters to Secure Access instances, ensuring secure and compliant access across their network infrastructure.

AI application classification and shadow AI control: Ci…

With modular N+1 clustering (supporting up to 16 nodes), the 6100 Series scales to up to 8 Tbps of L7 throughput.

Using our AI-driven Encrypted Visibility Engine (EVE), the 6100 Series identifies threats in encrypted traffic without decryption, preserving privacy and line-rate speed.

Because at this scale, security shouldn’t hold you back—it should help you move faster.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Cisco Secure Firewall uses encryption for many things: VPN tunnels, remote management, hardware-level trust, and inline decryption.

They also define stronger baselines of security for existing algorithms, which are already incorporated into Cisco Secure Firewall.

Support arrives in Secure Firewall Threat Defense (FTD) 10.5 and ASA 9.25, targeted for General Availability in late 2026.

PQC support for TLS client features is planned for ASA/FTD 11.0, while management web server PQC support depends on underlying web server library readiness.

Cisco Secure Firewall is building post-quantum cryptography into every layer of the platform, so that when your organization is ready to make the transitio…

At this year’s Mobile World Congress in Barcelona, service providers showed up from around the world to join over 115,000 attendees from 210 countries.

We leveraged the lessons learned from previous SOC deployments, adding the new Secure Firewall 6160, which is designed specifically for AI-ready data centers.

Clockwise from the upper left quadrant: Firepower in Security Cloud Control, Splunk Cloud dashboard for MWC, Splunk Enterprise Security Mission Control and Cisco XDR.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Mobile World Congress (MWC) Barcelona is one of the most demanding environments for network and security operations.

For the 2nd year, the Cisco team leveraged Splunk, in addition to its other security products, to deliver a unified Security Operations Center (SOC) and Network Operations Center (NOC) experience.

Clockwise from the upper left quadrant: Firepower in Security Cloud Control, Splunk Cloud dashboard for MWC, Splunk Enterprise Security Mission Control and Cisco XDR.

Bridging SOC and NOC: From Visibility to ContextTraditionally, SOC and NOC teams operate in parallel, often using separate tools and datasets.

Edge engineering still matters in cloud-first architecturesComponents like …

Among the new security features, the one I was most eager to explore was Shadow Traffic detection.

Observing Shadow Traffic at scale on the live congress wireless network provided useful insight.

The Shadow Traffic dashboard put Tailscale VPN, ExpressVPN, and NordVPN at the top of the list.

Shadow Traffic detection conveniently labels the suspicious connections, making filtering in the Unified Events Viewer straightforward and precise.

With Shadow Traffic detection, you expand visibility into inspection gaps that most organizations don’t even realize they have.

Please note that the network of the venue remains protected at the DNS level by Cisco Secure Access outside the event.

Access to these AI models can be managed with Secure Access to secure AI apart from just leveraging AI for security.

During the event, Secure Access blocked access to one of those phishing domains.

Secure Access Investigate, as appearing above, provides real-time actionable threat intelligence by analysing global data from the Secure Access network using AI to detect, score, and predict emerging threats.

ConcludingThe AI-powered Security and Network Operations Center (S/NOC) at Mobile World Congress 2026 demonstrated Cisco’s commitment to leveraging cutting-edge technologie…

Data optimization in security is often discussed as a cost control mechanism.

In a Splunk security stack, data optimization is not about reducing volume.

Advanced Optimization Blind Spots in Splunk Security EnvironmentsData Model Acceleration Blindness: Aggressive filtering often breaks Common Information Model (CIM) compliance or data model population.

Security data optimization must include: Search workload modeling; concurrent triage simulation; adversary emulation exercises.

Final Thought and Call to ActionIn Splunk security architectures, data optimization is not a storage tuning exercise, finance initiative, or infrastructure refresh it is a security engineering discipline.

Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape.

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security.

For the full discussion, head over to the Cisco Talos blog where you can also download the Year in Review report.

Old vulnerabilities, new speedMarshall: One of the clearest trends in this year’s data is the contrast in how vulnerabilities are being exploited.

Read full post on the Cisco Talos blogWe’d love to hear what you think!

Our research shows that nearly 60% of security leaders view security concerns as the primary barrier to broader agentic AI adoption.

At the exact same time, 29% rank securing agentic AI among their top three priorities for the coming year.

Much like a public-facing web service, an external AI agent can be attacked, exploited, or “poisoned” by malicious inputs.

The “Who Owns This?” ProblemAs agentic AI expands into operational systems, who is actually responsible for securing it?

Explore our Agentic AI Security Solution to learn more, or view the full survey results infographic.

Welcome to the Agentic AI EraEnterprise interest in agentic AI is accelerating.

AI agents operate at machine speeds to execute complex tasks, yet they completely lack essential human judgment and contextual awareness.

Current challenges in the agentic AI ecosystemWhen our teams were analyzing the problem around governing this new digital AI workforce, we saw three areas across our customer and prospect conversations on why zero trust access built for humans must adapt to agentic workflows:Early and fragmented ecosystem.

Zero trust for agentic AI in practiceLet’s look at a typical scenario — a financial automation agent kicking off vendor payments.

We are thrilled to partner with AI-driven o…

Part 2 is about the uncomfortable reality that our identity systems are unprepared for what’s already here.

The Attacks from Part 1 Were Identity FailuresEvery major attack examined in Part 1 was, at its core, an identity problem.

Every one expands the potential damage of a security breach, and our identity systems were not built for this.

What Workload Identity Gets Right — And Where It Falls ShortThe security industry’s answer to machine identity is SPIFFE, and SPIRE, a standard that gives every workload a cryptographic identity card.

Today’s workload identity systems typically assign the same identity to every copy of an application when instances are functionally identical.

Meet Cisco Talos Incident Response, or Talos IR – our frontline response team.

Talos IR works holidays, weekends, and through the night because someone on the other end of that call is counting on us.

The threats responders see in the field today become the protections in Cisco products tomorrow.

Different perspectives, same missionAsk a Talos IR team member why they do this work and you will get different answers.

Unlike many security roles, incident responders build deep connections with the people they help.

Microsoft Defender detectionsMicrosoft Defender customers can refer to the list of applicable detections below.

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

]com Domain Domain hosting sender email address 2026-04-14 2026-04-16 Gadellinet[.

]com Domain Domain hosting sender email address 2026-04-14 2026-04-16 Harteprn[.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen…

Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major Linux distributions including Red Hat, SUSE, Ubuntu, and AWS Linux.

CVE-2026-31431 (also known as “Copy Fail”) is a high‑severity local privilege escalation (LPE) vulnerability affecting the Linux kernel’s cryptographic subsystem.

Tactic Observed activity Microsoft Defender coverage Execution Exploitation of CVE-2026-31431 Microsoft Defender Antivirus– Exploit:Linux/CopyFailExpDl.A– Exploit:Python/CopyFail.A– Exploit:Linux/CVE-2026-31431.A– Behavior:Linux/CVE-2026-31431Microsoft Defender for Endpoint– Possible CVE-2026-31431 (“Copy Fail”) vulnerability explo…

Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major Linux distributions including Red Hat, SUSE, Ubuntu, and AWS Linux.

CVE-2026-31431 (also known as “Copy Fail”) is a high‑severity local privilege escalation (LPE) vulnerability affecting the Linux kernel’s cryptographic subsystem.

Tactic Observed activity Microsoft Defender coverage Execution Exploitation of CVE-2026-31431 Microsoft Defender Antivirus– Exploit:Linux/CopyFailExpDl.A– Exploit:Python/CopyFail.A– Exploit:Linux/CVE-2026-31431.A– Behavior:Linux/CVE-2026-31431Microsoft Defender for Endpoint– Possible CVE-2026-31431 (“Copy Fail”) vulnerability explo…

Microsoft Agent 365 Now generally available for commercial customers.

Additionally, we’re announcing the previews of new Agent 365 capabilities and integrations to help you scale agent adoption with the right controls in place.

Agent 365 software development company launch partnersAgent 365 Software Development Company Launch Partners have built agents fully enabled to be managed by Agent 365.

These Agent 365 enabled agents are then observable, governable, and securable in the Agent 365 control plane, accelerating adoption for your organization.

Each of today’s announcements build upon Agent 365 capabilities we shared in March 2026 as well as detailed feedback of customers using the Frontie…

New capabilities in Microsoft Agent 365; new Microsoft Defender and GitHub integrationAt Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI.

In the Loop is a new series from Microsoft Security that delivers timely news and updates to the global security community.

New demo: Run a data security investigation in Microsoft PurviewData Security Investigations Get started ↗Step into the role of a data security analyst and see how Microsoft Purview Data Security Investigations helps you identify investigation‑relevant data, analyze it using AI‑powered deep content analysis, and mitigate sensitive data risks—all within a s…

New capabilities in Microsoft Agent 365; new Microsoft Defender and GitHub integrationAt Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI.

In the Loop is a new series from Microsoft Security that delivers timely news and updates to the global security community.

New demo: Run a data security investigation in Microsoft PurviewData Security Investigations Get started ↗Step into the role of a data security analyst and see how Microsoft Purview Data Security Investigations helps you identify investigation‑relevant data, analyze it using AI‑powered deep content analysis, and mitigate sensitive data risks—all within a s…

This blog provides a view of email threat activity across the first quarter of 2026, highlighting key trends in phishing techniques, payload delivery, and threat actor behavior observed by Microsoft Threat Intelligence.

Monthly CAPTCHA-gated phishing volume by distribution method (Q1 2026)Another notable shift in CAPTCHA-gated phishing attacks was the erosion of Tycoon2FA’s impact on the landscape.

Example of file names used in the campaign include the following:_statements_inv_.svg401K_copy___241.svgCheck_2408_Payment_Copy___241.svgINV#_1709612175_.svgListen_().svgPLAY_AUDIO_MESSAGE____241.svgIf an attached SVG file was opened, the user’s browser would open locally and fetch content from o…

This blog provides a view of email threat activity across the first quarter of 2026, highlighting key trends in phishing techniques, payload delivery, and threat actor behavior observed by Microsoft Threat Intelligence.

Monthly CAPTCHA-gated phishing volume by distribution method (Q1 2026)Another notable shift in CAPTCHA-gated phishing attacks was the erosion of Tycoon2FA’s impact on the landscape.

Example of file names used in the campaign include the following:_statements_inv_.svg401K_copy___241.svgCheck_2408_Payment_Copy___241.svgINV#_1709612175_.svgListen_().svgPLAY_AUDIO_MESSAGE____241.svgIf an attached SVG file was opened, the user’s browser would open locally and fetch content from o…

In this blog, Rico Mariani, Deputy CISO for Microsoft Security Products, Research Infrastructure, and Engineering Systems shares some of his best practices and expertise in conducting risk reviews.

Risk reviews are also a topic I’ve lent focus to during my first six months as Deputy CISO for Microsoft Security.

With good network isolation comes the ability to log any attempts to gain access at the perimeter, and potentially even internally.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

In this blog, Rico Mariani, Deputy CISO for Microsoft Security Products, Research Infrastructure, and Engineering Systems shares some of his best practices and expertise in conducting risk reviews.

Risk reviews are also a topic I’ve lent focus to during my first six months as Deputy CISO for Microsoft Security.

With good network isolation comes the ability to log any attempts to gain access at the perimeter, and potentially even internally.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

This is where Microsoft Sentinel UEBA adds value.

The Microsoft Sentinel UEBA ML engine maintains these automatically with baseline windows that vary by enrichment (ranging from 7 to 180 days).

Built-in anomaly surfaced: Names of built-in Microsoft Sentinel UEBA anomalies you can pivot to during triage, including AnomalyScore (0–1) and AnomalyReasons in the Anomalies table.

AWS environment onboarded to Microsoft Sentinel UEBAEnsure that AWS CloudTrail (management events and, where applicable, object-level data) is connected, and UEBA is enabled for the AWS data source.

The Microsoft Sentinel UEBA Essentials solution provides additional built-in queries.

This is where Microsoft Sentinel UEBA adds value.

The Microsoft Sentinel UEBA ML engine maintains these automatically with baseline windows that vary by enrichment (ranging from 7 to 180 days).

Built-in anomaly surfaced: Names of built-in Microsoft Sentinel UEBA anomalies you can pivot to during triage, including AnomalyScore (0–1) and AnomalyReasons in the Anomalies table.

AWS environment onboarded to Microsoft Sentinel UEBAEnsure that AWS CloudTrail (management events and, where applicable, object-level data) is connected, and UEBA is enabled for the AWS data source.

The Microsoft Sentinel UEBA Essentials solution provides additional built-in queries.

Recent advances in AI model capabilities are changing how vulnerabilities are discovered and exploited.

AI models can autonomously discover weaknesses, chain multiple lower-severity issues into working end-to-end exploits, and produce working proof-of-concept code.

In addition, Microsoft Security customers will have access to capabilities that enable them to assess their exposure and take action.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

These job listing sites are often targeted by this threat actor to find open job roles.

These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR.

Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving thr…

These job listing sites are often targeted by this threat actor to find open job roles.

These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR.

Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving thr…

Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content.

Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic.

(Source: GitHub/swisskyrepo)When searching for prompt injections naively, the majority of detections are benign content – false positives in our case.

Malicious: ExfiltrationWe were able to observe a small number of prompt injections that aim at theft of data.

Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities.

Following our previous discussion on "Deploying Rust in Existing Firmware Codebases", this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware.

Hook-up Rust to modem firmwareBefore building the Rust DNS library, we defined several Rust unit tests to cover basic arithmetic, dynamic allocations, and FFI to verify the integration of Rust with the existing modem firmware code base.

Pixel modem firmware already has a well-tested and specialized global memory allocation system to…

This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.

Session theft typically occurs when a user inadvertently downloads malware onto their device.

Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server.

How DBSC WorksDBSC protects against session theft by cryptographically binding authentication sessions to a specific device.

The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the correspondi…

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.

In our previous blog “Mitigating prompt injection attacks with a layered defense strategy”, we reviewed the layered architecture of our IPI defenses.

Synthetic data generationAfter we discover, curate, and catalog new attacks, we use Simula to generate synthetic data expanding these new attacks.

We partition the synthetic data described above into separate training and validation sets to ensure performance is evaluated against held-out examples.

This process leverages the newly generated synthetic attack data described on this blog, to create a robust, end-to-end evalu…

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.