Почему компании гибнут от кибератак, имея на руках все инструкции?

Вместо строгих протоколов безопасности вайб-кодинг даёт лишь скорость и надежду на чудо.

Проект Xuwei должен давать промышленный пар и электричество, снижая зависимость от угля.

Прямое наблюдение дает шанс проверить, насколько квантовая теория описывает реальные реакции.

Самый полный скелет древнего предка показал, что 2 миллиона лет назад «первые люди» все еще жили на деревьях.

Специалисты Google Cloud открыли всеобщий доступ к инструменту «судного дня».

Тема международной ситуации в Венесуэле послужила идеальной ширмой для атак.

Триллер о том, как превратить чужую собственность в личную игровую площадку.

Обновлённый вредонос Kazuar научился обходить защитные системы без лишнего шума.

...но по ошибке создала 5D-вселенную.

Почему «битый» ZIP-архив может быть опаснее обычного файла?

Рассказываем историю самого нелепого саморазоблачения года.

Статистика за 2025 год подтверждает эту тенденцию: атаки на цепочки поставок (Supply Chain Attacks), компаний выросли на 110 %.

Атаки на цепочку поставок и меры противодействияЧтобы оценить реальные масштабы угрозы, важно опираться не на общие рассуждения, а на конкретные инциденты, в которых уязвимость поставщика привела к компрометации его клиентов.

Разработчикам рекомендовали усилить защиту учётных записей, внедрить проверку целостности зависимостей и наладить процессы аудита цепочки поставок на всех этапах жизненного цикла ПО.

Атака на цепочку поставок ПО «GhostAction»В сентябре 2025 года исследователи из GitGuardian раскрыли масштабную кампанию «GhostAction», затронувшую 327 пользовате…

Инцидент ИБ — не формальность и не тикет, а сбой сложной системы.

Такой подход кажется удобным, но на практике не устраняет первопричину и не даёт накопления опыта, из-за чего проблемы возвращаются.

Выводы, решения, найденные уязвимости и удачные практики не переходят в систему и не масштабируются на команду.

В такой модели выводы и решения становятся предсказуемыми и объективными, а сам процесс начинает опираться на стандарты, а не на интуицию отдельных специалистов.

Суть проста: задача не в том, чтобы вернуть всё в исходное состояние, а в том, чтобы устранить фундаментальный сбой и не допустить повторения инцидента в других точках инфраструктуры.

Дмитрий Курашев, директор-сооснователь UserGate (слева) и Станислав Кудж, ректор МИРЭА, открыли лабораторию UserGateЛаборатория, открытая в МИРЭА, стала шестой локацией Академии UserGate в российских вузах.

К 2025 году ситуация меняется: в «лёгком» классе — 60 и 80 %; в «среднем» классе — 49 и 50 %; в «тяжёлом» классе – 18 и 0 % соответственно.

Но где связь между образованием в области ИБ и открытием лаборатории UserGate в МИРЭА?

Экспорт российской системы образования в области ИБ рассматривается ими, скорей, как дополнительный элемент в рамках продвижения собственных ИБ-продуктов.

Фактически в UserGate накапливается собственный опыт поддержки системы образования в области ИБ.

Он занимает первую строчку по частотности упоминаний и в прогнозах развития киберугроз, и в предположениях о будущем средств защиты информации.

Следовательно, уязвимости в Windows 10, найденные после окончания поддержки, могут затронуть очень и очень многих — и в «домашнем» сегменте, и в корпоративном.

Поэтому переход на отечественные решения и повышение киберустойчивости для критической инфраструктуры становятся постоянным режимом работы и для государства, и для коммерции.

Поэтому сегментация сетей, минимальные привилегии, MFA и глубокий анализ трафика становятся обязательными элементами и для коммерческого сектора, и для критической инфраструктуры.

Эта тема преобладает и в прогнозах по ча…

Мы сравнили 6 бесплатных антивирусов для Android, которые доступны в России к началу 2026 года.

ВведениеНаше предыдущее сравнение антивирусов для Android вышло в 2021 году, когда на российском рынке ещё присутствовали топовые зарубежные компании-разработчики.

Среди прочего большинство мобильных антивирусов, рассмотренных в предыдущем сравнении, теперь недоступны для россиян: их не удастся найти в магазине Google Play, если не изменить геолокацию.

Авторитетные российские разработчики антивирусов — «Лаборатория Касперского» и «Доктор Веб» — по-прежнему с нами, и сегодня мы посмотрим, что общего и что разного у отечественных и иностранных антивирусов для Android, доступных в России к началу 20…

На смену срочности и необходимости простой замены пришёл запрос на качество, гарантированную совместимость компонентов и экономическую эффективность решений.

Вендорам и интеграторам пришлось отвечать на этот вызов, делая ставку не на единичные продукты, а на создание или встраивание в доверенные экосистемы.

в промышленном сегменте, выпустили новое решение для резервного копирования и серьёзно продвинулись в области инфраструктурных решений для искусственного интеллекта.

Андрей Крючков, директор по развитию технологических партнёрств, компания «Киберпротект»Валентин Губарев: «Наша стратегия в этом году строилась на 3 ключевых фокусах.

Год показал, что будущее отечественных информационных тех…

Автоматизировать процесс внедрения стандартов и комплаенс-контроль по этому сценарию поможет модуль MaxPatrol Host Compliance Control (MaxPatrol HCC) в составе MaxPatrol VM.

Как MaxPatrol HCC делает комплаенс-контроль и харденинг прощеMaxPatrol HCC — это модуль для MaxPatrol VM, который позволяет приоритизировать риски, назначать политики безопасности, контролировать выполнение требований и сроки устранения несоответствий.

Возможность разрабатывать собственные стандарты или адаптировать системные, включая стандарты PT Essentials, с помощью встроенного в MaxPatrol HCC конструктора.

В MaxPatrol HCC уже реализованы готовые стандарты, интегрированные в продукт.

Дашборды в MaxPatrol HCC для ключ…

Флагманское решение вендора — сервер управления аутентификацией Blitz Identity Provider, позволяющий избавиться от неудобств парольной защиты и усилить ИБ организации.

Схема работы Blitz Identity ProviderНовые возможности Blitz Identity Provider 5.31:Мобильное приложение Blitz Key для подтверждения входа через push и с помощью TOTP-генераторов кодов подтверждений.

Архитектура Blitz Identity ProviderПомимо сервиса аутентификации, Blitz Identity Provider включает следующие модули:Blitz Panel.

Графический интерфейс Blitz PanelРабота с системой Blitz Identity ProviderРассмотрим вкратце развёртывание и настройку сервера аутентификации Blitz Identity Provider, чтобы продемонстрировать возможности…

Мы проанализируем, как изменился ландшафт угроз, куда движется рынок, на что делать ставку в 2026 году и как в новой реальности выстроить работу, которая позволит не просто выживать, но и уверенно развиваться.

Екатерина Черун, коммерческий директор, Security VisionАтаки на репозиторииИлья Шабанов отметил, что в 2025 году стали сильно заметнее атаки на репозитории кода, такие как Git и NPM.

Алексей Павлов в ответ подчеркнул, что в случае подобных сложных инцидентов необходимо привлекать профессионалов и проводить полномасштабную работу.

Александр Лебедев отметил, что в определённой степени отрасль уже получила «прививку» от подобных угроз благодаря инциденту с Protestware в 2022 году.

Их сут…

И ключевую роль в ней играет NDR (Network Detection and Response) — модуль, который видит атаку не с конца и не с начала, а целиком, на уровне сетевых коммуникаций.

Таким образом, ключевое различие в том, что NTA предоставляет данные для расследования ИБ-инцидентов, а NDR — это готовый инструмент для расследования и реагирования.

Отметим, что и до появления NDR в KATA были модули по распознаванию угроз в копии сетевого трафика.

NDR как стратегияИнтеграция NDR в экосистему защиты, как это реализовано в платформе KATA, — это качественный сдвиг в стратегии противодействия целевым атакам.

Однако ключевой инсайт заключается не в самой технологии, а в изменении подхода к расследованию.

Servicepipe Cybert обеспечивает защиту от нежелательной автоматизации в веб-трафике (в том числе OWASP Automated Threats) и в зависимости от схемы внедрения защищает от volumetric L3/L4 и/или L7 DDoS-атак.

Реализованная в Servicepipe Cybert функциональность:Защита от DDoS-атак на уровнях L3–L7 с автоматическим срабатыванием (в реальном времени).

On-prem модель защиты (NGINX-модуль)On-prem модель подразумевает локальную установку ПО Cybert в качестве модуля на веб-сервера NGINX или Angie в контуре заказчика.

Расширенная аналитика в Servicepipe CybertЛоги запросов (Request logs)В данном разделе отображается вся информация о запросах, которые поступают к ресурсу.

Настройки ресурсаПользовательс…

RuSIEM WAF 1.0 обеспечивает защиту веб-приложений от атак и уязвимостей.

Версия 1.0 RuSIEM WAF позволяет снизить перечисленные угрозы, обеспечивая защиту веб-приложений от атак.

Функциональные возможности RuSIEM WAF 1.0RuSIEM WAF — интеллектуальная система защиты веб-приложений от атак и уязвимостей.

Создание учётной записи пользователя в RuSIEM WAF 1.0После выполнения настроек сведения о состоянии веб-приложения отображаются на панели мониторинга.

Архитектура движка обработки правил AegisФункциональность балансировки нагрузки в RuSIEM WAF позволяет распределять входящие запросы между несколькими серверами, что повышает надёжность и производительность системы.

Во-вторых, такие инциденты несут в себе не только технологические, но и кадровые, юридические и репутационные риски.

После 2020 года с массовым переходом на удалённую работу и изменениями в законодательстве учёт рабочего времени в DLP-системах стал стандартной необходимостью.

Контроль информации и документов: мониторинг мест хранения, перемещения и круга лиц, имеющих к ним доступ.

Александр Луганцев обратил внимание на правовой контекст, пояснив, что с точки зрения государства инциденты могут классифицироваться по нормам гражданского, административного или уголовного права.

Как показала дискуссия экспертов и опыт участников, ключ к успеху лежит в системном подходе, который начинается задолг…

Архитектура, системные требования и лицензированиеКомпоненты платформы DeteAct EASM размещаются на облачных ресурсах, арендованных в ИТ-компаниях «Селектел» и «Яндекс.Облако».

Запуск сканирования с текущими настройкамиПри создании нового сканирования необходимо задать его название, выбрать тип («Разведка»/«Инфраструктура»), указать ID воркера, указать настройки запуска.

Домены в DeteAct EASMИнтерфейс и функциональность раздела «IP-адреса» аналогичен разделу «Домены», разница заключается только в нескольких полях.

Фильтрация веб-сервисов в DeteAct EASMУправление уязвимостямиВ разделе «Уязвимости» отображается информация, полученная от сетевых сканеров.

Оценка соответствия в DeteAct EASMВывод…

Positive Technologies представил PT Dephaze для безопасного внутреннего автопентеста.

Функциональные возможности PT Dephaze 3.0Концепция PT Dephaze — постоянная оценка защищённости внутренней инфраструктуры через реальные атаки, которые используются злоумышленниками и пентестерами.

Как работает PT Dephaze 3.0Принцип работы PT Dephaze схож с ручным тестированием: продукт последовательно анализирует системы и их компоненты, предпринимая попытки эксплуатации недостатков, перехвата данных из трафика для компрометации систем.

Возможности PT Dephaze 3.0 позволяют:ограничивать область тестирования;исключать из проверки критичные бизнес-активы;настраивать параметры отдельных атак;согласовывать дейс…

Точных сводных цифр нет, но тенденция показывает резкое увеличение интенсивности атак с применением дронов на российские ТЭЦ, НПЗ и экспортные терминалы в 2023-2024 годах.

Такие тренажеры позволяют отрабатывать действия при различных угрозах, включая вооруженные нападения, террористические акты, диверсии.

Вариативность решений позволяет отрабатывать как правильные, так и ошибочные действия, что влияет на исход тренировки и помогает лучше усвоить алгоритмы реагирования.

После завершения сценария система обеспечивает запись и воспроизведение учений для детального разбора ошибок и анализа действий персонала.

Мы считаем, что основные преимущества таких средств противодействия – безопасность обу…

В сентябре2025 на просторах Хабра была опубликована статья «Облачные сервисы на Tcl/Tk».

Спустя полчаса после опубликования появился комментарий от CloudTk-JeffSmith , который приятно удивил меня:Этот комментарий («Спасибо, что воспользовались CloudTk и нашли время написать о нем») оставил разработчик технологии CloudTk.

Единственным условием было то, что публикации должны быть на английском языке.

Я вспомнил, что в последние время только и слышишь то Ватсап, то Макс, то Телеграмм, Ютуб, Рутуб, ВПН и … РКН (специально всё пишу русским алфавитом).

Самое обидное не то, что моя демонстрация не запускается, а то, что не запускаются демонстрации, предназначенные для обучения, например игровая пл…

Дисклеймер: Эта статья — не руководство по взлому (How-to) и не сборник эксплойтов.

И в этой статье я покажу вам, почему его спираль нагрева нельзя отключить.

И это в свою очередь - фундаментальная проблема индукции.

Угодничество модели — это не просто вежливость, это дыра в броне.

Пока мы не изобретем принципиально новую архитектуру — не статистическую, а символьную, с верифицируемым пониманием смысла, — мы будем жить в Белом Ящике.

В этой статье подробнее освещу подход с установкой недоверенного мессенджера Max в "рабочий профиль" на Android, который отгораживает приложения от основного профиля.

Начиная с Android 11+, приложения рабочего профиля не имеют доступа к SMS или MMS основного профиля.

Shelter: клонирование из основного профиля поиск в списке приложений в ShelterВыходим на домашний экран телефона, переходим в список приложений.

Меню с приложениями теперь дает оба профиля на выбор Заметьте, что у рабочего профиля приложения помечены синим чемоданом (на этом телефоне так).

"Батарею будет быстрее сажать" — если Android новых версий, то приложениям рабочего профиля можно проставить другие разрешения/настройки, вп…

Почему Let’s Encrypt ввёл шестидневные сертификатыДо сих пор стандартные сертификаты от Let’s Encrypt действовали 90 дней, что заставляло полагаться на такие механизмы, как OCSP и CRL для отзыва при компрометации ключей.

Сертификаты для IP-адресовПомимо короткой жизни сертификатов, Let’s Encrypt теперь выпускает сертификаты, в которых в качестве идентификатора указан IP-адрес (как IPv4, так и IPv6) вместо доменного имени.

Поддержка IP-сертификатов обсуждалась ещё в 2025 году и сначала была доступна в тестовом режиме, а теперь перешла в полноценный продакшн.

Опция, а не принуждениеLet’s Encrypt не делает короткоживущие сертификаты стандартом по умолчанию — этот шаг даёт выбор.

Шестидневные с…

Они работают 24/7, имеют доступ к критичным данным и почти никогда не попадают в фокус отделов безопасности.

Что такое Non-Human IdentityNHI — это любой токен, ключ или аккаунт, который используется программами для доступа к ресурсам без участия человека.

Экспоненциальный рост в облакеВ традиционном дата-центре сервер поднимался, получал учётные данные и работал годами.

Они создают архитектуру нулевого доверия, которая управляет учетными данными, отслеживает привилегированные сессии и автоматически распределяет учетные данные в облачных инфраструктурах.

Вы контролируете: аккаунты своих приложений, API ключи интеграций, учётные данные в контейнерах, политики внутри приложений.

У китайцев есть свой макс, и если вас там забанят, то это катастрофа и вам придется идти писать заявление на разблокировку.

вас забанили в максе, а вы в слезах идете в кремль извиняться за мат в сообщении.

Мы обсудим смогут ли нас пересадить с телеги на какой-то там мессенджер с упором на реальную историюмаскЧто уже смог сделать MAX?

А Российская Федерация, между прочим, это огромная страна с 146,1 миллионным населением и с 80+ субъектами.

А во-вторых, оплата и куча мини-аппов без которых не обходится жизнь в Китае уже не дают полноценной жизни в стране.

В 2025 году был доработан API облачной платформы MULTIFACTOR и разработан Software Development Kit (SDK).

В 2025 году была расширена функциональность управления SSO-сессиями.

MULTISTATUS: внешний взгляд на доступность сервисовВ 2025 году в портфеле компании появился новый продукт — MULTISTATUS, распределённый облачный сервис анализа доступности интернет-ресурсов.

Также в 2025 году запустили процесс сертификации системы двухфакторной аутентификации MULTIFACTOR в Федеральной службе по техническому и экспортному контролю (ФСТЭК).

По итогам 2025 года спектр решений МУЛЬТИФАКТОР сформировался как набор взаимосвязанных продуктов, закрывающих задачи управления доступом, аутентификации и контроля д…

Сравнение методов обработки трафикаДля обработки трафика сегодня применяются подходы на основе программных и аппаратные решений.

С учетом накладных расходов на копирование пакетов и системные вызовы производительность AF_PACKET составляет примерно полмиллиона пакетов в секунду, что в целом немного.

Рост скорости захвата пакетов достигается за счет возможности обработки пакетов в ядре и переключения между kernel- и userspace.

Сравнение программных и аппаратных методов обработки трафикаВозможности C++ для оптимизации скорости обработки трафикаПочему мы говорим, что для обработки трафика используем C++, если наиболее высокопроизводительные приложения зачастую пишутся на чистом C или Rust?

Закл…

В этой статье разберём:что такое HexStrike AI и как он появился в Kali Linux;что такое OpenCode и зачем его интегрировать с HexStrike AI;очень подробно разберём установку и интеграцию этих инструментов между собой ну и, конечно же, испытаем.

В сентябре 2025 года HexStrike AI появился в официальных репозиториях Kali Linux, что стало заметным событием для сообщества offensive security.

Но зачем нам интеграция OpenCode и HexStrike AI, спросите вы?

Внутри Zen проходим регистрацию и в разделе "API-Keys" создаём себе ключ и копируем его в буфер.

Теперь давайте соединим HexStrike AI и Opencode.

Такой инструмент существует — это методика экспресс-оценки уровня кибербезопасности «РезБез», которую мы интегрировали в SECURITМ.

Методика представляет собой инструмент быстрой оценки текущего уровня кибербезопасности организации.

Основана данная методика на практическом опыте реализации проектов по построению результативной кибербезопасности, а также учитывает лучшие практики и международные стандарты в области кибербезопасности.

Для оценки уровня кибербезопасности организации используются 10 групп показателей — доменов, образующих структуру оценки и характеризующих текущий уровень следующих процессов/направлений кибербезопасности:• Целеполагание: Соответствие стратегии кибербезопасности …

РФ-нода через vnext пробрасывает трафик на зарубежную ноду.

Чтобы «прокладка» меньше палилась и не ела лишнюю память, используем транспорт xhttp в режиме packet-upВажно: Убедитесь, что ядро обновлено до актуального.

Если ваша «прокладка» сама не в белом списке (БС), магия не сработает.

Если не хочется заморачиватьсяНастройка цепочки вручную интересный вариант, но не все готовы запариваться и тратить время на все это.

Там хотя бы можно по-человечески рулить сложными цепочками и маршрутами, не переписывая конфиги руками по сто раз

Что тут про­исхо­дит?

При­хожу, понима­ешь, про­верить, как пожива­ет мой биз­нес, который я с нуля соз­дал, а тут вмес­то биз­неса цирк какой‑то раз­вели.

— Я не в кур­се, кто вам дал сог­ласие на весь этот дур­дом, — исте­рич­но взвиз­гнул Влад и с гро­хотом вод­рузил телеви­зор на стол.

Серёга выг­лянул на мгно­вение из‑за стой­ки и тут же вновь исчез, буд­то его и не было.

Ки­рилл зас­тыл сре­ди это­го гула, ста­раясь осоз­нать, что все это не сон, который рас­тает, сто­ит толь­ко открыть гла­за.

Хорошие новости для всех, кто годами просил нас вернуть бумажный «Хакер»: мы запускаем ежеквартальные выпуски журнала, и «Хакер» возвращается к формату периодического издания.

Теперь раз в квартал мы будем выпускать полноценный журнал на 240 полосах с лучшими материалами.

Это значит, что в 2026 году выйдут четыре бумажных номера — по одному в квартал.

Nmap с самого начала.

Твой предзаказ — это не просто покупка журнала, а реальная помощь в возрождении того самого печатного «Хакера», которого многие ждали годами.

Роскомнадзор частично блокирует Telegram — регулятор замедлил загрузку видео в мессенджере.

Отметим, что ранее на этой неделе Свинцов заявлял, что полной блокировки Telegram в России не ожидается, так как мессенджер взаимодействует с властями страны.

«Считаю, что Telegram достаточно эффективно взаимодействует с правительствами большинства стран мира, в том числе и с Россией.

Напомним, что в 2025 году Роскомнадзор начал ограничивать голосовые звонки в WhatsApp (принадлежит компании Meta, которая признана экстремистской организацией и запрещена в РФ) и Telegram еще в августе 2025 года, объясняя это борьбой с мошенниками и террористами.

Представители Роскомнадзора сообщили «Коммерсанту», что р…

Компания Microsoft сообщила о ликвидации RedVDS — крупной платформы по продаже виртуальных серверов, ущерб от работы которой превышает 40 млн долларов только в США.

Компания подала иски в американские и британские суды, добилась изъятия инфраструктуры RedVDS, закрыла доступ к маркетплейсу и клиентскому порталу.

Серверы RedVDS также использовались для кражи учетных данных, захвата аккаунтов, BEC-атак и мошенничества с перенаправлением платежей в сделках с недвижимостью.

В Microsoft отмечают, что многие клиенты RedVDS применяли инструменты на базе ИИ, включая ChatGPT, для создания более убедительных фишинговых писем.

За один месяц киберпреступники, контролировавшие более 2600 виртуальных маши…

Компания Google подтвердила наличие проблемы в Android, из-за которой у пользователей с включенными функциями специальных возможностей могут не работать кнопки регулировки громкости.

Из-за ошибки кнопки громкости регулируют не громкость медиа (музыка, видео, другой контент), а громкость службы специальных возможностей.

Кроме того, есть вторая проблема, связанная с первой: при использовании камеры нажатие на клавишу громкости не делает фото.

Многие пользователи Android привыкли использовать этот популярный шорткат вместо кнопки на экране.

Не уточняется, сколько именно пользователей столкнулись с этим багом, какие именно версии Android затронуты и когда выйдет исправление.

Пос­мотрим, как устро­ена хеш‑фун­кция, что такое кван­товые вычис­ления, при чем здесь алго­рит­мы Шора и Гро­вера, может ли ИИ брут­форсить пароли и как все это поможет нам в хеш­кре­кин­ге.

Дис­клей­мер: хеш‑фун­кции, как и ИИ, и кван­товые компь­юте­ры, и вычис­ления на них, — темы дос­таточ­но слож­ные и глу­бокие, но я ста­рал­ся объ­яснить суть, по воз­можнос­ти сох­раняя науч­ные тер­мины.

Конеч­но, не обош­лось без упро­щений — наде­юсь, это не вызовет гнев физиков и крип­тогра­фов.

Есть два вари­анта: либо спе­циаль­но раз­работан­ный алго­ритм сжа­тия работа­ет по схе­ме Мер­кла — Дам­гарда, как в SHA-256 или BLAKE, либо исполь­зуют сим­метрич­ный блоч­ный шифр, нап­ример AES, по…

Во-первых, наблюдается массовое использование сгенерированных ИИ примеров для развертывания серверов, которые содержат одинаковые имена пользователей и слабые настройки по умолчанию.

Во-вторых, существует проблема устаревших веб-стеков, вроде XAMPP, где FTP и админ-панели открыты и не имеют должной защиты.

Новые списки учетных данных включают комбинации распространенных имен пользователей и паролей (например, myuser:Abcd@123 или appeaser:admin123456), которые могут принимать удаленные подключения.

— В отличие от других сервисов, для брутфорса FTP используется небольшой жестко закодированный набор учетных данных, встроенных в исполняемый файл программы для перебора паролей.

В рамках активнос…

Это проекты, которыми мы в Хакере могли бы и хотели заняться с партнерами.

Для кого: Для компаний и частных лиц, заинтересованных в развитии кибербезопасности, осведомленности и поддержке актуальных исследований.

Это не повод отказываться от них: наоборот, именно такие темы требуют нашего внимания.

Здесь и вступает в игру «Хакер» и я лично, с моим опытом 35 лет в бизнесе и широкой сетью профессиональных связей.

Мы приглашаем банки к сотрудничеству для совместного запуска проекта, который укрепит их репутацию в IT-среде и принесет реальную пользу профессионалам отрасли.

Исследователи из компании Varonis описали атаку Reprompt, которая позволяет злоумышленникам перехватывать сессии Microsoft Copilot и похищать конфиденциальные данные.

Напомним, что Copilot интегрирован в Windows, браузер Edge и различные приложения Microsoft, работая как ИИ-ассистент.

Эксперты обнаружили, что Copilot принимает команды через параметр 'q' в URL и выполняет их автоматически при загрузке страницы.

Дело в том, что после первого клика по фишинговой ссылке Reprompt использует активную аутентифицированную сессию жертвы, которая остается валидной даже после закрытия вкладки с Copilot.

В Varonis сообщили, что проблема Reprompt затрагивала только Copilot Personal, а не Microsoft 365 C…

Правительство РФ формирует оперативный штаб по борьбе с интернет-мошенничеством.

В штаб войдут представители ключевых федеральных ведомств, Банка России, кредитных организаций, операторов связи и цифровых платформ.

Основная идея — объединить усилия государства, финансового сектора и цифровых платформ для более эффективной защиты граждан от мошенников.

Второе — сбор эффективных мер противодействия (судя по всему, речь идет о создании единой базы методов борьбы с киберпреступниками).

Минцифры, МВД, ФСБ и Роскомнадзор должны представить предложения по созданию штаба и его персональному составу до 2 марта.

Европейское космическое агентство (ЕКА) подтвердило очередную масштабную утечку данных и сообщило СМИ, что в связи и этим инцидентом уже начато уголовное расследование.

В своем сообщении злоумышленник утверждал, что похитил исходный код, токены API и доступа, файлы конфигурации, учетные данные и конфиденциальные документы.

Например, в 2024 году, незадолго до новогодних праздников, был взломан интернет-магазин ЕКА и на страницу оплаты заказов внедрили веб-скиммер.

Тогда в агентстве заявили, что не управляют собственным онлайн-магазином, и он не размещается в инфраструктуре агентства.

А в 2011 году неизвестные взломали системы ЕКА и опубликовали учетные данные администраторов, систем управлен…

Правоохранители объявили об аресте 33-летнего гражданина Нидерландов, которого подозревают в управлении платформой AVCheck — онлайн-сервисом для тестирования малвари, который был закрыт в мае прошлого года в ходе операции Endgame.

Мужчину арестовали в минувшие выходные в аэропорту Схипхол в Амстердаме.

По данным правоохранителей, вскоре после закрытия AVCheck он бежал из Нидерландов и скрылся в ОАЭ.

«Подозреваемый находился под международным наблюдением некоторое время, прежде чем его в воскресенье задержала Королевская жандармерия в аэропорту Схипхол, — говорится в заявлении OM.

Подозреваемого связывают с двумя компаниями, через которые он предположительно предоставлял киберпреступникам и …

Это скры­тая стра­ница, ими­тиру­ющая админку:< !DOCTYPE html> < html> < head> < meta charset= "UTF-8" > < meta name= "viewport" content= "width=device-width, initial-scale=1.

php / var/ www/ html/Код уяз­вимого веб‑при­ложе­ния:< ?php if ( isset ( $_GET [ 'download' ] ) & & isset ( $_GET [ 'api_url' ]) ) { $url = $_GET [ 'api_url' ] ; $data = @ file_get_contents ( $url ) ; if ( $data === false ) { http_response_code ( 500 ) ; echo "Не удалось скачать данные: " .

$filename ) { $filename = "currencies.

zip" ; file_put_contents ( $filePath , $data ) ; $zip = new ZipArchive () ; $zip -> open ( $zipPath , ZipArchive : : CREATE | ZipArchive : : OVERWRITE ) ; $zip -> addFile ( $filePath , $filena…

В рамках первого «вторника обновлений» в 2026 году компания Microsoft исправила 114 уязвимостей в Windows и Office.

«Раскрытие конфиденциальной информации неавторизованному злоумышленнику в Desktop Windows Manager позволяет авторизованному атакующему локально получить данные», — объясняют в Microsoft.

Проблему обнаружили специалисты Microsoft Threat Intelligence Center и Microsoft Security Response Center, однако компания не раскрывает подробностей об атаках, в которых задействована CVE-2026-20805.

В зоне риска находятся три сертификата: Microsoft Corporation KEK CA 2011 (истекает 24 июня 2026 года), Microsoft Corporation UEFI CA 2011 (27 июня 2026 года) и Microsoft Windows Production PCA 2…

Исследователи рассказывают, что VoidLink написан на языках Zig, Go и C, и способен определять, работает ли зараженная машина внутри популярных облачных сервисов: AWS, GCP, Azure, Alibaba и Tencent.

Функциональность VoidLink весьма обширна и «значительно превосходит типичное вредоносное ПО для Linux», отмечают специалисты Check Point.

Косвенно это подтверждает и другой факт: специалисты Check Point не нашли признаков активного использования VoidLink в реальных атаках: малварь обнаружили в прошлом месяце на VirusTotal.

Разведка: детальное профилирование системы и окружения, перечисление пользователей и групп, обнаружение процессов и сервисов, маппинг файловой системы и монтирований, локальной…

Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta.

Black Basta first emerged in the threat landscape in April 2022, and is said to have targeted more than 500 companies across North America, Europe, and Australia.

The ransomware group is estimated to have earned hundreds of millions of dollars in cryptocurrency from illicit payments.

The leaked dossier also unmasked Nefedov as Black Basta's ringleader, adding he goes by various aliases, such as Tramp, Trump, GG, and AA.

In August 2022, the U.S. State Department announced a $10 million reward for information related to fi…

OpenAI on Friday said it would start showing ads in ChatGPT to logged-in adult U.S. users in both the free and ChatGPT Go tiers in the coming weeks, as the artificial intelligence (AI) company expanded access to its low-cost subscription globally.

"You need to know that your data and conversations are protected and never sold to advertisers," OpenAI said.

OpenAI did not detail exactly what data it will collect on users to serve relevant ads.

Users will be able to learn more about why they are seeing specific ads, or dismiss them and submit feedback.

In a post on X, OpenAI CEO Sam Altman noted that the company will not "accept money" to influence the responses ChatGPT serves to the users.

The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that's designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives.

GootLoader is typically distributed via search engine optimization (SEO) poisoning tactics or malvertising, targeting users looking for legal templates to take them to compromised WordPress sites hosting malicious ZIP archives.

"In practice, every user who downloads a ZIP file from GootLoader's infrastructure will receive a unique ZIP file, so looking for that hash in other environments is futile.

The GootLoader developer uses hashbusting for the ZIP archive and for the JScript file c…

Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts.

The add-ons are advertised as productivity tools that offer access to premium tools for different platforms, including Workday, NetSuite, and other platforms.. Two of the extensions, DataByCloud 1 and DataByCloud 2, were first published on August 18, 2021.

Once installed, DataByCloud Access requests permissions for cookies, management, scripting, storage, and declarativeNetRequest across Workday, NetSuite, and SuccessFactors doma…

You avoid sketchy phone calls.

How to stay safe online and offlineThe best defense is to delete your personal info from every sketchy site.

Incogni tracks down your personal data across the internet and forces companies to delete it on your behalf.

Because personal safety isn't just about antivirus software or strong passwords—it's about keeping your private life truly private.

Start protecting your personal safety where it matters most—by removing the personal information that puts you at risk.

Security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE.

It's not known if the campaign managed to successfully compromise any of the targets.

It's worth noting that the threat actor is known for extensively relying on DLL side-loading to launch its backdoors, including TONESHELL.

Claimloader is the name assigned to a DLL that's launched using DLL side-loading and is used to deploy PUBLOAD, another Mustang Panda tool.

"Although the LOTUSLITE backdoor lacks advanced evasion features, its use of DLL sideloading, reliable execution flow, and basic command-and-control …

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year.

The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed.

While it's not clear if these two clusters are the work of the same actor, it suggests that UAT-8837 may have access to zero-day exploits to conduct cyber attacks.

In recent years, concerns about Chinese threat actors targeting critical infrastructure have prompted Western governments to issue several alerts.

The threat is …

Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.

The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature.

Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an aff…

A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.

Put differently, the issue undermines webhook filters introduced by AWS to ensure that only certain events trigger a CI build.

These filters serve to secure against untrusted pull requests.

Instead, the regex pattern allowed any GitHub user ID that was a superstring of an approved ID (e.g., 755743) to bypass the filter and trigger the build.

"GitHub Actions workflows that use the pull_request_target should never checkout untrusted code without an appropriate va…

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack.

"In versions 2.5.1 and below, the plugin is vulnerable to privilege escalation, due to a combination of factors including direct route selection, bypassing of authentication mechanisms, and auto-login as admin," Patchstack said.

This causes the request to be treated as a Modular direct request.

As a result of this loophole, an unauthenticated attacker can exploit the "/login/{modular_request}" route to get administrator access, resulting in privilege escalation.

"This vulnerability highlights how dangerous implicit trust in internal request paths …

Cybersecurity researchers have disclosed details of a new attack method dubbed Reprompt that could allow bad actors to exfiltrate sensitive data from artificial intelligence (AI) chatbots like Microsoft Copilot in a single click, while bypassing enterprise security controls entirely.

"The attacker maintains control even when the Copilot chat is closed, allowing the victim's session to be silently exfiltrated with no interaction beyond that first click."

The attack does not affect enterprise customers using Microsoft 365 Copilot.

Reprompt effectively creates a security blind spot by turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plug…

Every week, new hacks, scams, and security problems show up somewhere.

This week's stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in.

These stories show how fast things can change and how small risks can grow big if ignored.

Keep your systems updated, watch for the quiet stuff, and don't trust what looks normal too quickly.

Next Thursday, ThreatsDay will be back with more short takes from the week's biggest moves in hacking and security.

As AI copilots and assistants become embedded in daily work, security teams are still focused on protecting the models themselves.

When AI systems are embedded in real business processes, summarizing documents, drafting emails, and pulling data from internal tools, securing the model alone isn't enough.

Why Traditional Security Controls Fall ShortThese workflow threats expose a blind spot in traditional security.

AI models don't.

AI workflows don't stay static.

It's 2026, yet many SOCs are still operating the way they did years ago, using tools and processes designed for a very different threat landscape.

ANY.RUN's benefits across TiersAfter integrating ANY.RUN sandbox into your SIEM, SOAR, EDR, or other security systems, and SOC teams see 3x improvement in analyst throughput.

AI Sigma Rules panel in ANY.RUN with rules ready for exportWith ANY.RUN, analysts get more than clean verdicts.

Scalable Operations Built for Enterprise GrowthAPI- and SDK-driven integrations support expanding teams, distributed SOCs, and increasing alert volumes.

Over 15,000 SOC teams in organizations across 195 countries have already enhanced their metrics with ANY.RUN.

Microsoft on Wednesday announced that it has taken a "coordinated legal action" in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses.

RedVDS attack chainSome of the notable threat actors include, Storm-2227, Storm-1575, Storm-1747, and phishing actors who used the RaccoonO365 phishing kit prior to its disruption in September 2025.

This suggests the threat actors' apparent effort to limit or escape liability.

"Threat actors used RedVDS because it provided a highly permissive, low-cost, resilient environment where they could launch and conceal multiple stages of their operation," Microsoft said.

"Once provisione…

It may be the most recent high-profile case of threat actors abusing LinkedIn to further their own nefarious goals.

It’s easy to get up and running: For threat actors, the potential ROI for attacks using LinkedIn is massive.

Account hijacking : Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

: Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

However, it would make sense to build LinkedIn threat scenarios of the sort described above into security awareness courses.

New legislation in Australia makes it illegal for those under 16 to have a social media account.

To avoid financial penalties, social media companies have scrambled to remove accounts they believe breach the legislation.

As 2026 has just begun, this also sparks a broader question for internet users and regulators alike: will this be the year the world rethinks identity online?

Unless an app or service is operated by a regulated company that requires identity verification, people are free to create accounts on many services using any identity they desire.

I am not suggesting that all services need to have verified users.

Contrary to popular belief, much of the dark web isn’t the den of digital iniquity that some commentators claim.

involve the large-scale theft of customer/employee information, which then usually appears for sale on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

Finally, sign up to identity protection services and sites like HaveIBeenPwned, which will alert you when any PII appears on the dark web.

Indeed, credential stuffing is the digital equivalent of someone discovering a skeleton key that opens your house, office, and safe – all in one sweep.

While credential stuffing is by no means new, several trends have exacerbated the problem.

Here’s the scale at which credential stuffing attacks can be conducted:In 2022, PayPal reported that nearly 35,000 customer accounts were compromised via credential stuffing.

How to protect your organizationThese days, credential stuffing is also a primary vector for account takeover, fraud, and large-scale data theft across industries, including retail, finance, SaaS, and health care.

Importantly, many organizations are embracing passwordless authenti…

As 2025 draws to a close, Tony looks back at the cybersecurity stories that stood out both in December and across the whole of this yearAs we close out 2025, it's time for ESET Chief Security Evangelist Tony Anscombe to review some of the main cybersecurity stories from both the final month of the year and 2025 as a whole.

While staggering, this figure is still just the tip of the iceberg.

The Texas Attorney General is suing five major TV manufacturers, alleging that they illegally collected their users' data by secretly capturing what the viewers watch.

Indeed, Tony goes on to take a look back at some of the most notable cyber-incidents for the entire year, highlighting some of the most pe…

Brushing scams are a type of e-commerce fraud where a seller sends a package to an apparently random person’s address.

It shouldn’t take too much effort to work out if you’ve been singled out by brushing scammers.

It’s yours to keep, if you want toHow do I stay safe from brushing scams?

There are steps you can also take to stop brushing scams from even targeting you.

Brushing scams are just one of many ways fraudsters weaponize your personal information against you.

We provide our method to reproduce the crash using a simple 12-bit or 16-bit JPG image, and an examination of the initial released patch.

CVE-2025-50165 is a flaw in the encoding and compressing process of a JPG image, not in its decoding.

Zscaler’s findings, as well as the description provided by Microsoft, reveal that the flaw stems from the dereference of an uninitialized function pointer in WindowsCodecs.dll, which is part of the Windows Imaging Component.

We analyzed the vulnerable version 10.0.26100.4768 (SHA-1: 5887D96565749067564BABCD3DC5D107AB6666BD), and then performed a binary comparison with the first patched version 10.0.26100.4946 (SHA-1: 4EC1DC0431432BC318E78C520387911EC44F84…

We provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and other tools used by LongNosedGoblin.

NosyDoor Stage 3 – payloadNosyDoor’s third stage, the main payload, is a C#/.NET backdoor with the internal name OneDrive and with PDB path E:\Csharp\Thomas\Server\ThomasOneDrive\obj\Release\OneDrive.pdb.

NosyStealer Stage 2 – injectorWe observed two NosyStealer Stage 2 samples – one (SERV.dll) in our telemetry, and the other (msi.dll) uploaded to VirusTotal from Malaysia.

NosyStealer Stage 4 – payloadAgain, like NosyStealer Stage 3 – loader, this stage is shellcode that decrypts, loads, and executes an embedded PE file in memory using Donut’s reflecti…

A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research expertsThe second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.

AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold in ESET telemetry.

On the Android platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemet…

“A City of a Thousand Zero Days” is the partial title of a talk at Black Hat Europe 2025.

Compounding the issue, the software is hosted on public-facing IP addresses; thus, it’s accessible from the internet.

One comment I distinctly remember from the research is that the protocol used by the ICS device concerned was never designed to be connected to the internet.

The talk by Gjoko raised a similar concern: the building management system was not designed to be public facing on the internet, and the vendor recommends to secure it behind a virtual private network (VPN).

Building management systems are one example of this.

Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victimsBlack Hat Europe 2025 opened with a presentation by Max Smeets of Virtual Rotes titled ‘Inside the Ransomware Machine’.

At their height, between 2022-2024, the group had 194 affiliates, of which 110 had managed to get a cyberattack to the point of negotiation, with 80 of the affiliates succeeding in getting paid by the ransomware group.

Reputation is everythingA key message delivered by Max was regarding reputation, both of the victim and the ransomware group.

The victim company needs to uphold their reputation with their customers and any hint of a data breach can …

Which brings to mind Schrödinger’s cat, the famous thought experiment where a cat in a sealed box is simultaneously alive and dead – until you look inside.

But now I’m going to pick holes in the analogy a little whilst hoping to underscore the key message.

Therefore, the quantum breach analogy doesn’t quite hold.

And that’s even if you can recruit enough people due to the much reported, cybersecurity skills shortage.

Stress is probably one of the words most used in cybersecurity teams the world over, when describing their day-to-day – and it’s hardly surprising.

Despite their wordy nomenclature, every report mentioned above has a beneficial role in canvassing the colorful endpoint security landscape.

Some, like the MITRE ATT&CK Evaluations, go as far as to pit products against known advanced adversary attacks.

Producing value is one thing, but keeping it safe is another: hence the need for appropriate endpoint security measures.

Most well-regarded independent analyst and lab test reports focus on endpoints, since they’re at the crossroads of every activity, including malign.

MITRE ATT&CK Evaluations Enterprise is the one for you then.

Put simply, a whaling cyberattack is one targeted at a high-profile, senior member of the corporate leadership team.

Or to hijack their email account in order to launch BEC attacks at subordinates impersonating the whale to get a smaller fish to make a big money transfer.

With AI, whaling attacks increase in scale and effectiveness, as sophisticated capabilities become democratized to more threat actors.

Taking out the whalersThere are several ways security teams can help to mitigate the risks of spearphishing and BEC attacks.

More generally, your organization may want to start limiting the kind of corporate information it shares publicly.

Often, threat actors research the individual they’re targeting in order to improve their success rates.

If IT doesn’t properly manage the accounts, credentials and privileges of its users and machines, security blind spots inevitably emerge.

How to enhance identity securityA considered, multi-layered approach to identity security can help mitigate the risk of serious compromise.

Revisit security training for all employees, from the CEO down, to ensure they know the importance of identity security, and can identify the latest phishing tactics.

Best practice identity security starts with a prevention-first mindset.

Cisco has finally shipped security updates for its Email Security Gateway and Secure Email and Web Manager devices, which fix CVE-2025-20393, a vulnerability in the devices’ AsyncOS that has been exploited as a zero-day by suspected Chinese attackers since at least late November 2025.

CVE-2025-20393 exploitation“[CVE-2025-20393] is due to insufficient validation of HTTP requests by the Spam Quarantine feature.

The attackers were able to compromise only appliances that had the Spam Quarantine feature enabled and reachable from the internet.

Cisco still hasn’t disclosed how many systems were affected, though it stressed that the Spam Quarantine feature is not enabled by default.

Cisco Email S…

GitLab announced the GitLab Duo Agent Platform, delivering agentic AI that enables teams to orchestrate agents across the entire software lifecycle.

GitLab Duo Agent Platform addresses the AI paradox by unlocking intelligent orchestration and agentic AI automation across the software lifecycle within an organization’s context, standards, and guardrails.

“The general availability of GitLab Duo Agent Platform marks a fundamental shift in how AI delivers value in software development,” said Manav Khurana, chief product and marketing officer at GitLab.

Code : Agentic Chat can generate code, configurations, and infrastructure-as-code across a wide range of languages and frameworks.

Pricing: For …

FalconStor Software announced the launch of FalconStor Habanero, a globally available software-as-a-service offering designed to simplify secure offsite data protection for IBM Power customers.

Habanero addresses a critical challenge facing the majority of IBM Power users: organizations that continue to run mission-critical workloads on-premises but require secure, compliant, and resilient offsite copies of their data.

“Habanero was built for the reality of today’s IBM Power market,” said Todd Brooks, CEO of FalconStor.

“Habanero reflects a broader shift in how IBM Power customers approach data protection,” said Steven Dickens, CEO and Principal Analyst at HyperFRAME Research.

Strategic por…

Ransomware attacks kept climbing through 2025, even as major criminal groups collapsed and reformed.

A new study conducted by the Symantec and Carbon Black Threat Hunter Team shows that disruption inside the ransomware economy slowed activity only briefly, while extortion methods expanded and diversified.

Claimed ransomware attacks by actors operating data leak sites, 2022–2025 (Source: Symantec and Carbon Black)Record activity despite major takedownsRansomware actors claimed 4,737 attacks in 2025, the highest annual total recorded in the dataset.

Ransomware activity tied to older espionage toolingA newer ransomware strain tracked as Warlock drew attention due to its tooling and infrastruct…

PentestPad was built to help with that, not to change how you test, but to stop the chaos from slowing you down.

Small team?

It just makes keeping track easier, which is surprisingly helpful.

You can adjust the workflow slightly to match how your team works.

Every engagement is tracked the same way, which makes it easier to review past work, analyze trends, or onboard new team members.

New Cloudflare research suggests that success depends less on experimentation and more on disciplined application modernization tied closely to security strategy.

Modernized application stacks enable broader AI integrationThe findings show that enterprises further along in application modernization report stronger progress with AI.

Security alignment accelerates modernization outcomesOne recurring pattern in the research is the relationship between security alignment and modernization success.

Security operations scale more predictablyThe study also examines how application security events are managed.

AI readiness shifts security leadership prioritiesThe research suggests that AI readiness…

AI is being integrated into core enterprise systems faster than many organizations can secure and govern it.

Performance shapes early AI design choicesPerformance drives most AI infrastructure decisions.

Distributed architectures, advanced cooling, and optical networking appear frequently in plans to support expanding AI workloads.

Data integrity defines trust in AI systemsAI performance is closely linked to the quality and integrity of underlying data.

Sensitive data leakage, erosion of data integrity, and security vulnerabilities rank highest among concerns.

Fraud has become a routine part of gig work for many earners, and the ways workers respond are creating new security problems for platforms.

A recent TransUnion study of U.S. gig workers shows broad exposure to fraud, inconsistent reporting, and growing participation in prohibited practices such as account renting and selling.

Some respondents said they considered leaving gig work after a serious incident but continued because they needed the income.

Nearly half of those surveyed said they had rented or sold a gig account or were aware of others doing so.

“Renting and selling worker accounts places consumers, workers and platforms at risk,” said Colleen Thiry, director of TransUnion’s gig e…

Here’s a look at the most interesting products from the past week, featuring releases from Acronis, JumpCloud, Noction, and SpyCloud.

With Acronis Archival Storage, users can retain large amounts of data securely, affordably, and with fast accessibility when it matters most.

JumpCloud introduces AI features to govern shadow AI and autonomous agentsJumpCloud is unveiling new AI capabilities to fuel safe innovation.

Noction adds automatic anomaly detection to IRP v4.3 for faster DDoS mitigationNoction has released Noction Intelligent Routing Platform (IRP) v4.3, delivering new capabilities in automated DDoS detection, routing safety, and operational control for modern IP networks.

SpyCloud la…

A data breach at the Netherlands-based company that sells Eurail (Interrail) train passes resulted in the compromise of personal and sensitive information belonging to an as-yet unknown number of travelers.

The company acknowledged the breach with a public statement on January 10 and soon after began sending data breach notification email to affected customers.

“The data potentially involved relates to customers who were issued a Eurail pass or made a seat reservation with Eurail.

Therefore, we advise you to remain extra vigilant for unexpected or suspicious phone calls, emails, or text messages asking you for personal information.

If in doubt, never share your information with someone who …

Delinea’s leadership in enterprise privileged access management (PAM), combined with StrongDM’s just-in-time (JIT) runtime authorization capabilities and developer-first access model, will form a new class of identity security platform designed for continuous, always-on environments.

As AI adoption accelerates and non-human identities (NHIs) continue to outnumber human users, enterprises must secure privileged access in real-time across increasingly diverse cloud-native, hybrid, and on-prem environments.

“Stolen or lost credentials remain the number one cause of breaches, which makes identity the core control layer for modern security,” said Art Gilliland, CEO at Delinea.

This is identity s…

Tines unveiled AI in Tines, a unified interaction layer for agents, copilots, and MCPs, enabling organizations to operationalize enterprise AI in a governed environment.

Additionally, as organizations rush to adopt tools like AI agents or custom GPTs, data and processes are becoming blocked by disparate APIs and permissions.

It enables organizations to standardize how they interact with AI, whether through chat, agents, workflows or Model Context Protocol (MCP) capabilities, while maintaining full visibility, governance and control.

“As organizations move beyond AI proof-of-concepts, Tines’ new capabilities provide a critical governance layer for the AI ecosystem,” said Christopher Kissel, …

A critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM security platform has now been accompanied by publicly released proof-of-concept (PoC) exploit code, raising the urgency for organizations to patch immediately.

About CVE-2025-64155CVE-2025-64155 may allow unauthenticated, remote attackers to execute unauthorized code or commands on vulnerable FortiSIEM deployments via specially crafted TCP requests.

Customers using vulnerable FortiSIEM versions have been advised to upgrade to v7.4.1 or above, 7.3.5 or above, 7.2.7 or above, or 7.1.9 or above.

CVE-2025-64155 does not affect FortiSIEM Cloud or FortiSIEM 7.5.

Indicators of compromise to look forHanley unearthed CVE-2025-64155 w…

Amazon has made the AWS European Sovereign Cloud generally available to customers across the European Union, backed by a €7.8 billion investment.

A separate cloud built for EU requirementsThe AWS European Sovereign Cloud operates as a distinct cloud environment.

Infrastructure, services, and operations are located entirely within the EU.

Governance under European legal entitiesDedicated European legal entities have been established to operate the sovereign cloud.

Compliance programs and independent auditsThe AWS European Sovereign Cloud is undergoing third-party audits.

Swartz believed that knowledge, especially publicly funded knowledge, should be freely accessible.

The still-unresolved questions raised by his case have resurfaced in today’s debates over artificial intelligence, copyright and the ultimate control of knowledge.

At the time of Swartz’s prosecution, vast amounts of research were funded by taxpayers, conducted at public institutions and intended to advance public understanding.

AI companies then sell their proprietary systems, built on public and private knowledge, back to the people who funded it.

Systems trained on vast bodies of publicly funded research are increasingly becoming the primary way people learn about science, law, medicine and…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Upcoming Speaking EngagementsThis is a current list of where and when I am scheduled to speak:The list is maintained on this page.

Posted on January 14, 2026 at 12:00 PM • 0 Comments

The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud.

You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

My crime is that of judging people by what they say and think, not what they look like.

My crime is that of outsmarting you, something that you will never forgive me for.

Fascinating research:Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs.

We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside those contexts.

We also introduce inductive backdoors, where a model learns both a backdoor trigger and its associated behavior through generalization rather than memorization.

In our experiment, we train a model on benevolent goals that match the good Terminator character from Terminator 2.

Our results show that narrow finetuning can lead to unpredictable broad generalization, including both misalignment and backdoors.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

And the more groups of AI agents are given tasks that require cooperation and collaboration, the more those human-like dynamics emerge.

While generative AI generates, agentic AI acts and achieves goals such as automating supply chain processes, making data-driven investment decisions or managing complex project workflows.

Understanding Agentic AI behaviorTo understand the collective behaviors of agentic AI systems, we need to examine the individual AIs that comprise them.

The fact that groups of agentic AIs are working more like human teams doesn’t necessarily indicate that machines have inherently human-like characteristics.

Likewise, successful agentic AI systems work far better when they…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

We don’t have many details:President Donald Trump suggested Saturday that the U.S. used cyberattacks or other technical capabilities to cut power off in Caracas during strikes on the Venezuelan capital that led to the capture of Venezuelan President Nicolás Maduro.

If true, it would mark one of the most public uses of U.S. cyber power against another nation in recent memory.

These operations are typically highly classified, and the U.S. is considered one of the most advanced nations in cyberspace operations globally.

Wired is reporting on Chinese darknet markets on Telegram.

The ecosystem of marketplaces for Chinese-speaking crypto scammers hosted on the messaging service Telegram have now grown to be bigger than ever before, according to a new analysis from the crypto tracing firm Elliptic.

The crypto romance and investment scams regrettably known as “pig butchering”—carried out largely from compounds in Southeast Asia staffed with thousands of human trafficking victims—have grown to become the world’s most lucrative form of cybercrime.

They pull in around $10 billion annually from US victims alone, according to the FBI.

By selling money-laundering services and other scam-related offerings to those ope…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

404 Media has the story:Unlike many of Flock’s cameras, which are designed to capture license plates as people drive by, Flock’s Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles.

In one case, we were able to watch a man rollerblade down Brookhaven, Georgia’s Peachtree Creek Greenway bike path.

The Flock camera zoomed in on him and tracked him as he rolled past.

Minutes later, he showed up on another exposed camera livestream further down the bike path.

The camera’s resolution was good enough that we were able to see that, when he stopped beneath one of the cameras, he was watching rollerblading videos on his phone.

LinkedIn Job ScamsInteresting article on the variety of LinkedIn job scams around the world:In India, tech jobs are used as bait because the industry employs millions of people and offers high-paying roles.

In Kenya, the recruitment industry is largely unorganized, so scamsters leverage fake personal referrals.

In Mexico, bad actors capitalize on the informal nature of the job economy by advertising fake formal roles that carry a promise of security.

These are scams involving fraudulent employers convincing prospective employees to send them money for various fees.

There is an entirely different set of scams involving fraudulent employees getting hired for remote jobs.

XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time.

In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet.

All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

]to Discord server vanished, Synthient’s website was hit with a DDoS at…

The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet?

At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.

The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group.

In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering).

Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website.

If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker.

Democratic lawmakers have urged the SEC to investigate what they call “concerning ties to President Trump and his family” as potential conflicts of interest and foreign influence.

In October, President Trump pardoned Changpeng Zhao, the founder of the world’s largest cryptocurrency exchange Binance.

President Trump this term has fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

CONSUMER PROTECTION, PRIVACYAt the beginning of this year, President Trump ordered staffers at the Consumer Financial Protection Bureau (CFPB) to stop most work.

Nevertheless, it emerged in June that the Trump administration has built a central databas…

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address.

A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

“It was often a chain of redirects — one or two domains outside p…

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software.

This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS In…

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

UNBOXINGCensys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites.

Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.

-Generic TV streaming devices advertis…

Sixteen months later, however, Mozilla is still promoting Onerep.

This week, Mozilla announced its partnership with Onerep will officially end next month.

In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025.

Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline.

Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites.

However, some customers did manage to pivot their domains away from Cloudflare during the outage.

“Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage.

But also look hard at the behavior inside your org.”Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:1.

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month.

As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft accoun…

More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.

Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years.

Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.

But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing serv…

We can no longer say that artificial intelligence is a "future risk", lurking somewhere on a speculative threat horizon. The truth is that it is a fast-growing cybersecurity risk that organizations are facing today. That's not just my opinion, that's also the message that comes loud and clear from the World Economic Forum's newly-published "Global Cybersecurity Outlook 2026." Read more in my article on the Fortra blog.

All this, and much more, in episode 450 of the “Smashing Security” podcast with Graham Cluley, and special guest Monica Verma.

Smashing Security #450:From Instagram panic to Grok gone wild [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @ *protected email* / grahamcluleyGuest:Monica Verma:/ monicavermaEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Smashing Security listeners get $1000 off!

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or v…

In episode 83 of The AI Fix, Graham reveals he’s taken up lying to LLMs, and shows how a journalist exposed AI bluffers with a made-up idiom.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Have you ever stolen data, traded a hacking tool, or just lurked on a dark web forum believing that you are anonymous?

The leak, published on a website named after the ShinyHunters hacking and extortion gang, includes records for some 323,986 Breachforums users, exposing their usernames, email addresses, password hashes, and IP addresses.

Ironically, it's precisely the kind of data that hackers using BreachForums have been trading in for years.

And the exposed database could help law enforcement agencies around the world uncover new leads that could assist with cybercriminal investigations.

In short, if you are one of the criminal users of BreachForums you may be sleeping rather less soundl…

The founder of a spyware company that encouraged customers to secretly monitor their romantic partners has pleaded guilty to federal charges - marking one of the few successful US prosecutions of a stalkerware operator.

If you visited the pcTattletale website you would be told that it was "employee and child monitoring software" designed to "protect your business and family."

The reality is that stalkerware like pcTattletale can also be used for tracking the location and activities of people without their knowledge.

Using stalkerware to spy on others without their permission is never acceptable.

If you're concerned that someone might be using spyware against you, visited the website of the …

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Lesley Carhart.

Smashing Security #449:How to scam someone in seven days [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @[email protected] / grahamcluleyGuest:Lesley Carhart:@hacks4pancakes.com‬ @[email protected] / lcarthartEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Sma…

Police in India have arrested a former Coinbase customer service agent who is believed to have been bribed by cybercriminal gangs to access sensitive customer information.

"Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested.

In interviews since the incident, Armstrong has described how cybercriminal gangs were offering US $250,000 bribes to customer service representatives to leak sensitive data.

"We started getting customer support agents get offered like 250 grand bribes to turn over customer information.

And then the attackers would call up our customers and say, hey, here's Coinbase support.

This Christmas special of The AI Fix podcast sets out to answer that question in the most sensible way possible: by consulting chatbots, Google’s festive killjoys, and the laws of relativistic physics.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veteran Graham Cluley, joined this week by special guest Danny Palmer.

Smashing Security #448:The Kindle that got pwned [Your browser does not support the audio element]Host:Graham Cluley:@grahamcluley.com @[email protected] / grahamcluleyGuest:Danny Palmer:/ dannypalmerwriter‬Episode links:Sponsors:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podca…

The cruise line has updated its list of prohibited items, specifically banning smart glasses and similar wearable devices from public areas.

The ban means that you could find your expensive Google Glass, Meta/Ray-Ban Stories confiscated by the cruise's security team if you break the rules.

An obvious question is why are smart glasses subject to a ban onboard, but not other recording devices such as smartphones and regular cameras?

And, unfortunately, it's not always obvious that someone is wearing smart glasses.

Smart glasses are becoming increasingly sophisticated and harder to distinguish from regular glasses.

In episode 81 of The AI Fix, Graham discovers that deepfakes are already marking your kids’ homework, while Mark glimpses the future when he discovers AI agents that can communicate by reading each other’s minds.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive cont…

Regular readers of Hot for Security will have read plenty of articles about cybercriminals who have created malware, or malicious hackers who have used malware to infect the systems of victims.

But the news this week is that a court in Singapore has jailed a man not for launching an attack himself, but instead for teaching others exactly how to do it.

According to Singaporean authorities this is the country's first prosecution specifically targeted against somebody who had taught others how to use malware.

Prosecutors claim that Lee Rong Teng provided Cheoh with several versions of the spyware and asked him to learn how they functioned.

Cheoh’s alleged accomplice, Lee Rong Teng, is thought …

Analyst firm Gartner has issued a blunt warning to organizations: Agentic AI browsers introduce serious new security risks and should be blocked "for the foreseeable future." Read more in my article on the Fortra blog.

Plus, Graham chats with Rob Edmondson from CoreView about why misconfigurations and over-privileged accounts can make Microsoft 365 dangerously vulnerable.

All this, and more, in episode 447 of the “Smashing Security” podcast with Graham Cluley, and special guest Jenny Radcliffe.

Smashing Security listeners get $1000 off!

CoreView – Benchmark your Microsoft 365 tenant security against the Center for Internet Security (CIS) controls.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

A new report from the United States's Financial Crimes Enforcement Network (FinCEN) has shone a revealing light on the state of the criminal industry of ransomware. The report, which examines ransomware incidents from 2022 to 2024, reveals that attackers extorted more than $2.1 billion over the three-year period. Yes, that number is enormous - but it hides a more interesting story beneath it: that after peaking in 2023, ransomware payments actually started to decline. Read more in my article on the Fortra blog.

И самое «веселое» тут то, что отвечать приходится не только за свой периметр, но и, фигурально выражаясь, «за того парня».

И в отчете четко написано, кто не только обещает, но и реально делает.

Не редкость, но и не массовая фича — только семь производителей кроме нас ее поддерживают.

И что это пустая трата денег, и что это никому не нужно.

Мы задали этот тренд, мы его возглавили, и мы будем его тащить дальше.

Но куда большую тревогу вызывает характер контента в этих базах.

Сайт компании, помимо прочего, дает возможность использовать инструменты для генерации изображений и контента с помощью ИИ.

Эти инструменты позволяли пользователям генерировать картинки по текстовому описанию, редактировать загруженные фотографии и выполнять различные визуальные манипуляции, включая создание откровенного контента и подстановку лиц.

Именно с этими инструментами была связана утечка, а база данных содержала результаты их работы, включая сгенерированные и отредактированные с помощью ИИ изображения.

Часть изображений заставила исследователя предположить, что они были загружены в ИИ в качестве референсов для создани…

Благодаря удобству технологии NFC и оплаты смартфоном, в наши дни многие вообще перестали носить кошелек и не могут вспомнить ПИН-код от банковской карты.

Что такое ретрансляция NFC и NFCGateРетрансляция NFC — это техника, при которой данные, бесконтактно передаваемые между источником (например, банковской картой) и приемником (например, платежным терминалом), перехватываются на одном промежуточном устройстве и в реальном времени передаются на другое.

Оно предназначалось для анализа и отладки NFC-трафика, а также для обучения и экспериментов с бесконтактными технологиями.

В мае 2025 года попытки применения SuperCard X были зафиксированы и в России, а в августе — в Бразилии.

Впоследствии вре…

За словами «заманивают» и «предлагают» скрывается широкий спектр тактик: почтовые рассылки, сообщения в мессенджерах и посты в соцсетях, напоминающие официальную рекламу, сайты-двойники, продвигаемые в поисковых системах инструментами SEO и даже платной рекламой.

Особенно остро эта проблема стоит для IT-компаний, продающих онлайн-сервисы, но актуальна и для розничных брендов.

Особенно остро эта проблема стоит для IT-компаний, продающих онлайн-сервисы, но актуальна и для розничных брендов.

Из перечисленных нами косвенных потерь покрытие стандартной страховкой может компенсировать расходы на DFIR и в ряде случаев на клиентскую поддержку (если ситуация признана страховым случаем).

Как защитить…

Особенно любопытна эта атака тем, что в этот раз злоумышленники потратили определенные усилия для маскировки своей активности под коммуникацию с известным сайтом и работу легитимного ПО.

Кроме того, зловред умеет делать скриншоты с экрана жертвы и собирать файлы в интересующих злоумышленников форматах (преимущественно разнообразные документы и архивы).

Файлы размером меньше 100 МБ вместе с остальной собранной злоумышленниками информацией отправляются на другой сервер коммуникации с названием ants-queen-dev.azurewebsites[.]net.

Как оставаться в безопасностиНаши защитные решения выявляют как используемый в этой атаке вредоносный код, так и коммуникацию с командными серверами злоумышленников.

…

Что нужно знать об этих изменениях и какие знания и привычки взять с собой в 2026 год?

Мы рекомендуем Kaspersky Premium — с ним вы получите и защиту от вредоносного ПО, и оповещения (если ваши личные данные засветились в каких-то публичных утечках), и менеджер паролей, и родительский контроль, и многое другое.

Как и в случае с фастфудом, телевизором, TikTok и другими легкодоступными благами, важно найти баланс между здоровым применением этих помощников и опасными привычками.

А где-то вам подключили дополнительную опцию, о которой вы и не знаете, и ее нужно отключить.

Предполагается, что нейросети помогут дому самостоятельно решать, что и когда делать, чтобы владельцу было удобнее, — без зар…

В основном Stealka распространяют на популярных ресурсах — вроде GitHub, SourceForge, Softpedia, sites.google.com и других — под видом кряков известных программ, читов и модов для игр.

Чем опасен стилер StealkaУ Stealka достаточно большой арсенал возможностей, но «лакомый кусок» для него — данные из браузеров на движках Chromium и Gecko.

Не менее интересны для хакеров куки-файлы и токены сессий, которые позволяют обойти двухфакторную аутентификацию и угнать аккаунты без ввода пароля.

В зоне риска — Discord, Telegram, Unigram, Pidgin, Tox и другие.. В служебных файлах мессенджеров хранятся данные об аккаунтах, идентификаторы устройств, токены авторизации и параметры шифрования переписки.

— S…

Наши эксперты из команды GReAT обнаружили и исследовали новую волну целевых рассылок за авторством APT-группы «Форумный тролль».

Внутри содержались персонализированные ссылки, по которым жертве предлагали скачать отчет о проверке какого-то материала на плагиат, что, по замыслу атакующих, должно было заинтересовать ученых.

В случае если жертва испытывала сомнения в легитимности письма и заходила на страницу e-library{.

Сам файл, впрочем, не был персонализирован — это был достаточно размытый отчет в формате одной из российских систем проверки на плагиат.

Мы рекомендуем устанавливать надежные ИБ-решения не только на все устройства, с которых сотрудники выходят в Интернет, но и на почтовый шлюз…

Мы в «Лаборатории Касперского» изучили, какой путь проходят данные после фишинговой атаки: кому они достаются, как их сортируют, перепродают и используют на теневом рынке.

: реквизиты карт, данные от криптокошельков.

В таких архивах часто попадаются мусорные и устаревшие данные, и поэтому стоят они недорого: стартовая цена — $50.

Данными пользователей торгуют при этом не только в даркнете, но и в старом добром Telegram.

Несложно догадаться, что наиболее дорогой и востребованный товар на этом рынке — данные от банковских аккаунтов и криптокошельков.

Разумеется, сообщать облачный пароль нельзя никому — он нужен исключительно для того, чтобы войти в ваш аккаунт в Telegram.. Сделайте это в разделе Настройки → Конфиденциальность Telegram прямо сейчас.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Telegram и хранить как его, так и ключ доступа для Telegram в Kaspersky Password Manager.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Teleg…

Правоохранительные органы Южной Кореи арестовали четырех подозреваемых во взломе 120 000 IP-камер, установленных как в частных домах, так и в коммерческих помещениях — например, в комнатах караоке, студии пилатеса и гинекологической клинике.

Объясняем, что представляют собой IP-камеры и в чем состоят их уязвимости, а также подробно рассказываем об инциденте в Южной Корее и о том, как не стать жертвой злоумышленников, охотящихся за горячими видео.

Что случилось в Южной КорееВернемся к событиям, произошедшим этой осенью в Южной Корее.

Он взломал 63 000 IP-камер и создал, а затем продал 545 видео сексуального характера за 35 миллионов южнокорейских вон (чуть меньше 24 000 долларов).

Он взломал…

В этом посте попробуем определить, какие активы требуют первоочередного внимания, как их обнаружить и в какой форме проводить реагирование.

Физические и виртуальные серверы остаются бесхозными в крупных инфраструктурах после проектов по миграции или после слияния и поглощения компаний.

Важно также закрепить в политике способы учета создаваемых хранилищ и запрет на «бесхозные» данные, доступные без ограничений, паролей и шифрования.

Для внутренней разработки — обязательное использование сканеров и комплексных систем защиты, интегрированных с конвейером CI/CD и предотвращающих сборку ПО с устаревшими компонентами.

Подключенные к сети, но не управляемые и не обновляемые роутеры, межсетевые экр…

Недавно на новостных сайтах появилась информация о том, что некие злоумышленники распространяют инфостилер через бесплатные файлы 3D-моделей для ПО Blender.

Почему Blender и онлайн-маркетплейсы 3D-моделей могут быть источниками рискаBlender — это программное обеспечение для создания 3D-графики и анимации, которое используется множеством специалистов по визуализации в различных областях.

Среди прочих возможностей Blender есть и поддержка выполнения Python-скриптов, которые используются для автоматизации задач и расширения функциональности ПО.

Чем опасны рабочие инструменты, не контролируемые ИБПроблема не в Blender как таковом — злоумышленники неизбежно попробуют эксплуатировать возможности …

Теперь поделиться можно еще и чатом с ИИ-ассистентом, и ссылка на него будет вести на официальный сайт чат-бота.

При правильном вводе скрипт скачивает вредоносное ПО и использует указанный пароль для установки и запуска зловреда.

Инфостилер и бэкдорЕсли пользователь поддастся на уговоры, на его компьютере запустится распространенный инфостилер AMOS (Atomic macOS Stealer).

Использовать надежную защиту от вредоносного ПО на всех своих смартфонах, планшетах и компьютерах, включая компьютеры под управлением macOS и Linux.

Никогда не выполнять технические инструкции, о которых вы не просили и в которых разбираетесь не до конца.

Что нового в Kaspersky Embedded Systems Security для WindowsНаши эксперты значительно переработали кодовую базу решения, добавив ряд продвинутых механизмов детектирования и блокирования угроз.

Что нового в Kaspersky Embedded Systems Security для LinuxМы значительно доработали и новый KESS для Linux, но большинство нововведений в нем повышают эффективность уже реализованных защитных механизмов.

В нем мы планируем:Обеспечить полную совместимость Kaspersky Embedded Systems Security с сервисом Kaspersky Managed Detection and Response.

Добавить в Kaspersky Embedded Systems Security для Linux технологию защиты от BadUSB, которая уже работает в Windows-версии.

Обеспечить поддержку решением Kaspers…

In my last two blogs, I delved into the results of the 2025 Cisco Segmentation Report to highlight the importance of macro- and micro-segmentation and to identify the primary challenges hindering segmentation journeys.

Today, I dive further into the survey results to discuss the benefits organizations can achieve when they successfully implement a dual macro- and micro-approach to segmentation.

Three Benefits of a Successful Segmentation StrategyThe good news is that the survey results indicate that organizations further along in their segmentation journeys are indeed achieving measurable benefits from their successful macro- and micro-segmentation implementations.

If you haven’t already, c…

A Cisco Talos Incident Response (Talos IR) Retainer doesn’t only help you respond to threats but fundamentally changes how your organization approaches cybersecurity.

A Talos IR Retainer delivers organization-wide benefits that strengthen organization’s entire security ecosystem.

The Talos IR retainer works seamlessly with your existing security tools, while providing access to real-time intelligence on adversary tactics.

Read the full blog to see how a Talos IR Retainer can transform your cybersecurity posture from vulnerable to vigilant: Why a Cisco Talos Incident Response Retainer is a game-changer.

Ask a question and stay connected with Cisco Security on social media.

In this context, the importance of Data Loss Prevention (DLP) capability for data protection cannot be overstated.

Cisco Secure Access: Unified, AI-Powered Data Loss Prevention (DLP) for the Modern EnterpriseCisco Secure Access delivers the next generation of Data Loss Prevention (DLP) as a core component of our Security Service Edge (SSE).

Secure Access DLP also plays a vital role in enabling the safe use of generative Artificial Intelligence (AI) applications and model repositories.

The Endpoint DLP Advantage: Safeguarding Data Movement at the SourceIncorporating endpoint DLP into an organization’s data protection strategy brings immense value.

Recognizing this, Cisco Secure Access launch…

Cisco ISE: Live network visibility—but not always aligned with CMDB metadata or lifecycle information.

The Old Way Was LimitedPrevious integrations between Cisco ISE and ServiceNow attempted to close this gap by pushing CMDB attributes into ISE.

The Cisco ISE + ServiceNow Service Graph Connector finally closes the loop between visibility and control.

With Service Graph Connector for Cisco ISE, watch your network inventory come alive.

Ask a question and stay connected with Cisco Security on social media.

Cisco Identity Intelligence is now the first Cisco product to deliver a customer facing capability powered entirely by a Cisco built artificial intelligence model, Foundation-sec-1.1-8B-Instruct.

Strengthening Identity Security Through Deeper InsightCisco Identity Intelligence helps organizations understand and respond to identity related risk across their entire environment.

A key part of this experience is the weekly email digest that Cisco Identity Intelligence sends to administrators.

Why the Cisco Foundation Model MattersCisco Identity Intelligence selected the Cisco Foundation AI model because it offers clear advantages in quality, control, and long-term strategic alignment.

A Cisco-o…

According to our survey results, 94% of organizations are currently facing segmentation challenges, which range from technical to non-technical issues.

Challenges Inhibiting Segmentation ProjectsUnderstanding the challenges organizations face will ease the transition from partial to comprehensive segmentation implementations, allowing organizations to accelerate their progress through their segmentation journeys.

Currently, what are/ could be the biggest segmentation challenges you are/ could be experiencing at your organization?

Overcoming Segmentation Challenges Enables a Proactive Security StrategySegmentation remains a foundational element of enterprise security.

In the meantime, downlo…

Thanks to Duo, I was quickly given access to all the essential tools: Cisco XDR, Splunk, firewall dashboards, and more from the duo directory.

Detection: Cisco XDR flagged the suspicious behavior, visualizing the connections between one internal asset and several high-risk external hosts.

This raised immediate concerns about potential malware or command-and-control activity (see Cisco XDR investigation below).

In summary, my first SOC experience turned initial nerves into genuine confidence.

Ask a question and stay connected with Cisco Security on social media.

As a reminder, when a Windows client is seeking to talk to a domain controller it will make DNS queries for SRV records for names like _kerberos._tcp.dc._msdcs.DOMAINNAME or _ldap._tcp.dc._msdcs.DOMAINNAME.

These DNS requests enable the client to find nearby Kerberos or LDAP servers for their domain.

Finally, the Cisco Live network is designed to be a safe network for attendees to use.

A properly configured VPN client like Cisco Secure Client can support both a full tunnel VPN and “Start Before Login”.

Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.

Kerberoasting: An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

Cisco XDR: Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Secure Network Analytics: NetFlow analytics to surface scanning, beaconing, and anomalous connection patterns at scale.

Building on the success of the 2nd annual Security Operations Centre (SOC) at Cisco Live Melbourne (Asia Pacific Japan) 2024, the executive team supported the first SOC for Cisco Live San Diego (Americas) and invited the team back for 20025.

The SOC at Cisco Live SOC was successfully deployed in just 12 hours over 1 ½ days, demonstrating extensive prior planning and specialized expertise.

The partnership with Endace, a highly skilled full-packet capture provider, whose experience in the 2025 SOC was critical and extended to their commitment for Cisco Live Melbourne.

For example, Ryan MacLennan created an AI model to find domain generated algorithms at the Cisco Live AMER Security SOC.

Ackno…

Joining the Security Operations Centre (SOC) team in Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME).

As a Tier1 / Tier 2 analyst the first screen to look at is Cisco XDR, that will bring incidents from the different data sources including Splunk Core.

Day 1 at Cisco Live and guess what?

Distributed Deniel of Service (DDoS) activity was detected targeting Cisco TV devices connected to Cisco Live network.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

In the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security, and Splunk SOAR to provide automated detections of cleartext credential leakage.

We resolve this using the coalesce function in Splunk’s eval command.

The coalece function will return the first non-null value from a list of possible values, just like the COALESCE function in SQL.

In our case, we use it like so:However, during Cisco Live we discovered a problem with this logic.

One answer is a Splunk macro.

One area of integration between CSF and Splunk that we worked on at Cisco Live Melbourne involved Enterprise Security Content Update (ESCU) detections in Splunk Enterprise Security (ES).

Splunk ES has around two dozen ESCU detections for Cisco Secure Firewall.

These can be accessed from ES by navigating to Security Content > Content Management and then searching for ‘Secure Firewall’.

All ESCU detections for Secure Firewall reference the same macro, ‘cisco_secure_firewall’.

We transitioned our firewall log export to syslog a few conferences ago, and in Melbourne we decided to test the ESCU detections with syslog.

The Adrenaline of the Real World: Rapid Threat Containment on DisplayThe first thing that strikes you when you walk into the Cisco Live SOC is the energy.

The XDR & Splunk ES Synergy: The key highlight of the visibility demo was the seamless data exchange between XDR and Splunk ES.

Forging the Future: Empowering New and Tier One AnalystsPerhaps the most inspiring aspect of the SOC tours was the focus on people.

The Cisco Live Melbourne 2025 SOC tours weren’t just about the technology of today; they were about sharing our experiences, delivering on the EDUCATE component of our Mission.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

Sometimes though we see exceptions, in this circumstance an asset connected to the Attendee Wi-Fi network at Cisco Live Melbourne 2025 exhibited a large spike in traffic on multiple occasions.

Upon investigation, the asset was found to be connecting to multiple confirmed malicious external IP addresses.

When the Incident was investigated, we found that the asset was communicating with numerous external IP addresses classified as malicious.

Investigating further, we saw the internal IP address communicating with a number of external IP addresses, all classed as malicious.

Cisco Security Social MediaLinkedInFacebookInstagramX

That’s why Microsoft is honored to be named a Leader in the 2025-2026 IDC MarketScape for Worldwide Unified AI Governance Platforms (Vendor Assessment (#US53514825, December 2025).

Our own approach to AI is anchored to Microsoft’s Responsible AI standard, backed by a dedicated Office of Responsible AI.

Industry‑leading responsible AI infrastructure Implement responsible AI practices as a foundational part of engineering and operations, with transparency and fairness built in.

Microsoft embeds its Responsible AI Standards into our engineering processes, supported by the Office of Responsible AI.

Strengthen your security strategy with Microsoft AI governance solutionsAgentic and generative AI…

In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.

Common attacks using RedVDS infrastructureMass phishing: In most cases, Microsoft observed RedVDS customers using RedVDS as primary infrastructure to conduct mass phishing.

Microsoft Defender XDR threat analyticsMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

]com URL Re…

In this article, Terrell Cox, Vice President for Microsoft Security and Deputy CISO for Privacy and Policy, dives into the intersection of privacy and security.

Microsoft Trust Center Our mission is to empower everyone to achieve more, and we build our products and services with security, privacy, compliance, and transparency in mind.

In my role as Vice President for Microsoft Security and Deputy CISO for Privacy and Policy at Microsoft, I see privacy and security as two sides of the same coin—complementary priorities that strengthen each other.

To learn how Microsoft empowers organizations to innovate securely, explore Microsoft Security Solutions.

Also, follow us on LinkedIn (Microsoft Se…

In this article, Terrell Cox, Vice President for Microsoft Security and Deputy CISO for Privacy and Policy, dives into the intersection of privacy and security.

Microsoft Trust Center Our mission is to empower everyone to achieve more, and we build our products and services with security, privacy, compliance, and transparency in mind.

In my role as Vice President for Microsoft Security and Deputy CISO for Privacy and Policy at Microsoft, I see privacy and security as two sides of the same coin—complementary priorities that strengthen each other.

To learn how Microsoft empowers organizations to innovate securely, explore Microsoft Security Solutions.

Also, follow us on LinkedIn (Microsoft Se…

To further help organizations before, during, and after a cyber incident, we’re excited to introduce new proactive incident response services designed to help organizations build resilience and minimize disruption.

Microsoft Incident Response Strengthen your security with intelligence-driven incident response from Microsoft.

Incident response plan development : We assist organizations in developing their own incident response plan, using lessons from real-world incidents.

Cyber range : Microsoft Incident Response delivers simulations that provide high-fidelity, hands-on experience in a controlled environment.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the lat…

Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally.

While these attacks share many characteristics with other credential phishing email campaigns, the attack vector abusing complex routing and improperly configured spoof protections distinguishes these campaigns.

The below hunting queries can also be found in the Microsoft Defender portal for customers who have Microsoft Defender XDR installed from the Content Hub, or accessed directly from GitHub.

ReferencesLearn moreFor the latest security research from the Microsoft Thr…

Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally.

While these attacks share many characteristics with other credential phishing email campaigns, the attack vector abusing complex routing and improperly configured spoof protections distinguishes these campaigns.

The below hunting queries can also be found in the Microsoft Defender portal for customers who have Microsoft Defender XDR installed from the Content Hub, or accessed directly from GitHub.

ReferencesLearn moreFor the latest security research from the Microsoft Thr…

Microsoft Defender Experts Suite Get integrated security services that protect your organization and accelerate security outcomes in the new security offering from Microsoft.

The Defender Experts Suite can help you do the following:Defend against cyberthreatsMicrosoft Defender Experts for XDR delivers round-the-clock MXDR, natively integrated with Microsoft Defender.

When you first get started with the Microsoft Defender Experts Suite, Enhanced Designated Engineering guides you through deploying Defender workloads securely and helps ensure Defender Experts for XDR is configured correctly.

From January 1, 2026, through December 1, 2026, eligible customers can save up to 66% on the Microsoft …

But point solutions can only go so far.

In our new e-book, 3 reasons point solutions are holding you back, we share how a unified, AI-ready platform can transform your security operations to help keep your organization safe.

Download the 3 reasons point solutions are holding you back e-book and discover how a unified, AI-ready platform can help your team stay ahead of cyberthreats and prepare for the future.

Learn moreTo learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

But point solutions can only go so far.

In our new e-book, 3 reasons point solutions are holding you back, we share how a unified, AI-ready platform can transform your security operations to help keep your organization safe.

Download the 3 reasons point solutions are holding you back e-book and discover how a unified, AI-ready platform can help your team stay ahead of cyberthreats and prepare for the future.

Learn moreTo learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

An Access Fabric solution continuously decides who can access what, from where, and under what conditions—in real time.

Why a unified approach to access security is better than a fragmented oneLet’s use an everyday example to illustrate the difference between an access security approach that uses fragmented tools versus one that uses an Access Fabric solution.

This time you, your device, your applications, and your data are wrapped in the protection of an Access Fabric solution that connects identity, device, and network signals.

What makes an Access Fabric solution effectiveFor an Access Fabric solution to secure access in hybrid work environments effectively, it must be contextual, connec…

An Access Fabric solution continuously decides who can access what, from where, and under what conditions—in real time.

Why a unified approach to access security is better than a fragmented oneLet’s use an everyday example to illustrate the difference between an access security approach that uses fragmented tools versus one that uses an Access Fabric solution.

This time you, your device, your applications, and your data are wrapped in the protection of an Access Fabric solution that connects identity, device, and network signals.

What makes an Access Fabric solution effectiveFor an Access Fabric solution to secure access in hybrid work environments effectively, it must be contextual, connec…

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser.

To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request.

Microsoft Defender Vulnerability Management and Microsoft Defender for CloudMicrosoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs).

In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versi…

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser.

To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request.

Microsoft Defender Vulnerability Management and Microsoft Defender for CloudMicrosoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs).

In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versi…

Today, we are proud to share that Microsoft has been recognized as an overall leader in the KuppingerCole Leadership Compass for Generative AI Defense.

The post Microsoft named an overall leader in KuppingerCole Leadership Compass for Generative AI Defense appeared first on Microsoft Security Blog.

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…

Below we describe our prompt injection mitigation product strategy based on extensive research, development, and deployment of improved security mitigations.

A layered security approachGoogle has taken a layered security approach introducing security measures designed for each stage of the prompt lifecycle.

From there, a key protection against prompt injection and data exfiltration attacks occurs at the URL level.

Users are encouraged to become more familiar with our prompt injection defenses by reading the Help Center article.

Moving forwardOur comprehensive prompt injection security strategy strengthens the overall security framework for Gemini.