Криосоединитель позволит кораблям получать сверххолодное топливо прямо на орбите.

Незаметный сетевой шлюз оказался слишком близко к реальным процессам.

Инженеры научились соединять слои с точностью в 200 нанометров — это в 400 раз тоньше волоса.

Гравитация — это не геометрия пространства. Это термодинамика.

Взломщики делают ставку на тишину, а не на грубую силу.

Самое тревожное в этой истории не масштаб атаки, а её пугающая простота.

Если этот гуманоид справится — правила игры поменяются навсегда.

Сеть не ломали напоказ, а изучали так, будто нужный момент уже был выбран.

Проект на базе модели Xiaomi CED распознаёт бытовые звуки за миллисекунды и работает на слабом железе

Мощную ИИ-модель для кибербезопасности снова разрешили использовать более чем сотне ведомств и компаний.

Долгожданный аналог Time Machine от Apple оказался не таким однозначным, как ожидали пользователи.

Новая линейка Sol, Terra и Luna рассчитана на сложные технические задачи, но пока доступна только ограниченному кругу клиентов.

Машинное обучение взломало древнюю капсулу времени.

Фальшивые посты, скриншоты и псевдосайт помогли выдуманной истории пройти через фильтры доверия.

Американцы решили опробовать ИИ-помощника Optio в роли преподавателя. И вот, что из этого вышло…

Системы предотвращения утечек данных (Data Leak Prevention, DLP), системы управления событиями и информацией безопасности (Security Information and Event Management, SIEM), антивирусы — видят обычный легитимный трафик и не поднимают тревогу.

Как защитить данныеПомечайте содержимое писем как недоверенный контент и не смешивайте его с системными инструкциями агента.

Он работает как универсальный переходник: один раз присоединили, и агент может обращаться к CRM, базам данных, файловым хранилищам, облачным сервисам.

Подмена после установки (Rug pull) — сервер сначала работает честно, набирает доверие, а затем подменяется, и агент продолжает отдавать ему данные.

Политики безопасности применяются…

Вы создаёте профили — например, «удалённый сотрудник», «бухгалтер», «подрядчик» — и для каждого из них настраиваете свою политику сбора данных, различную логику проверок и сценариев реагирования.

На этих ОС доступны те же механизмы контроля, что и на Windows, macOS.

Сегодня бизнес работает не только на ноутбуках и ПК, но и на телефонах, планшетах на Android и iOS.

Это нужно, чтобы закрыть требования к усиленной аутентификации для всех сотрудников и для доступа к критическим системам.

Мы не стоим на месте и стараемся заглядывать на шаг вперёд, чтобы САКУРА 3 оставалась современным, востребованным инструментом для безопасности.

Эксперты рассказали, как выстроить эффективный процесс управления конфигурациями и снизить риски.

По статистике, до 60 % всех программных инцидентов связаны именно с ошибками в конфигурации, а не с багами в коде или стандартными уязвимостями.

Светозар Яхонтов добавил практическую точку зрения, назвав самое короткое и ёмкое определение: конфигурация — это и есть ИТ-инфраструктура.

Во втором опросе зрители поделились мнением, кто получит больше пользы от внедрения процесса управления конфигурациями в их компании:Руководство/бизнес — 43 %.

Павел Попов: «Искусственный интеллект уже пришёл в Offensive Security и начинает не только помогать в поиске уязвимостей, но и участвовать в написании станд…

Анализируем рынок систем защиты баз данных и актуальные решения российских вендоров.

Что такое системы защиты баз данных и зачем они нужныРынок систем защиты баз данных (Database Security) активно развивается, отвечая на растущие угрозы кибербезопасности и нормативные требования.

Российский рынок систем защиты баз данныхРоссийский рынок защиты баз данных развивается под действием импортозамещения СУБД и ужесточения ответственности за утечки.

Ниже — обзор российских систем защиты баз данных.

«Спектр | DAM»«Спектр | DAM» — модуль мониторинга активности баз данных в составе платформы защиты данных «Спектр» компании «Сайберпик».

Новые возможности WAF Dallas Lock 3.1В июне 2026 года компания «Конфидент» официально анонсировала выпуск версии 3.1 WAF Dallas Lock, в которую вошли доработки за последние полгода.

Теперь WAF Dallas Lock поддерживает сертификаты с ГОСТ-криптографией, выданные аккредитованными УЦ, включая портал «Госуслуги» и НУЦ Минцифры РФ.

Карты доступа — механизм, позволяющий ограничивать пользователям доступ к различным разделам настроек WAF Dallas Lock.

Сравнение версий 2.16 и 3.1 WAF Dallas LockДля удобства различия версий 2.16 и 3.1 WAF Dallas Lock представлены в таблице.

Сравнительные характеристики версий 2.16 и 3.1 WAF Dallas Lock№ Характеристика WAF Dallas Lock 2.16 WAF Dallas Lock 3.1 1.

Реагирование на инцидент: что можно и что нельзя делатьАнтон Кутепов: «Если ты во время инцидента пытаешься понять, что тебе сделать — ты уже проиграл.

Жизненный цикл АСУ ТП — в среднем 7 лет.

Но в ближайшие годы ИИ войдёт и в мониторинг: он будет не только анализировать инциденты, но и предусматривать риски и угрозы».

Денис Назаренко: «Требования бизнеса и обеспечения безопасности заставят команды ИТ, ИБ и АСУ ТП интегрироваться, что приведёт к качественному росту понимания процессов и выстраиванию проектов по защите АСУ ТП.

ВыводыЗащита АСУ ТП требует комплексного подхода, который начинается не с закупки оборудования, а с признания проблемы и выстраивания системной работы.

Astra Linux Server — защищённая операционная система, одна из ключевых редакций Astra Linux Special Edition (запись в реестре отечественного ПО № 369 от 08.04.2016).

Для их устранения в Astra Linux Server 1.8 встроен комплекс средств защиты, направленных также на противодействие актуальным классам угроз, включая zero-day-атаки.

Профили в Astra Linux Server 1.8Уровни защищённостиУровень защищённости для каждого элемента информационной системы выбирается в зависимости от актуальных угроз безопасности.

Архитектурные особенности Astra Linux Server 1.8Astra Linux Server представляет собой классический Linux-дистрибутив.

Завершение миграции на Astra LinuxЛицензирование, техподдержка Astra Linux S…

С другой стороны, AD была самодостаточной и не требовала установки сторонних утилит.

AD — основной инструмент управления пользователями (в том числе мобильными и удалёнными) и их группами в среде Windows.

Как и в других службах каталогов, здесь реализованы централизованные идентификация и аутентификация пользователей.

Он существенно ужесточает требования к системам идентификации и аутентификации пользователей и распространяется не только на госструктуры, компании с госучастием и подведомственные организации.

Быстрее и эффективнее реализовывать такие проекты совместно с вендорами и интеграторами, которые помогают подобрать решение под конкретные задачи и внедрить его.

Суть в том, что вместо написания кода система работает через описание логики: нужно в понятном виде задать, что именно должно происходить и в какой последовательности.

Ева Беляева: «Но точно No-Code / Low-Code технологии в Security Vision позволяют создавать цифровые продукты без необходимости писать код с нуля, экономя месяцы разработки.

Как выглядит конструкторРассмотрим на примере, как работает конструктор и с чего начинается работа с данными, которые поступают в систему.

Обработка результатов в Security VisionТакой же подход применяется и в сценариях взаимодействия с конечными системами.

По итогам стажировки у специалистов формируется понимание того, как устроены продукты, как они разра…

Теперь объектом взлома становятся не только серверы и базы данных, но и алгоритмы, которые принимают решения.

Model Inversion и Extraction (кража модели или восстановление данных из её памяти)Эти атаки направлены не на манипуляцию поведением модели, а на кражу самой модели или восстановление конфиденциальных данных из её памяти.

При грамотном подходе это ускоряет работу, при небрежном — уводит чувствительные данные туда, где бизнес их не видит и не контролирует.

Игнорирование Федерального закона № 152-ФЗ, отраслевых стандартов, требований к защите персональных данных и коммерческой тайны добавляет юридическое измерение к техническим и репутационным последствиям.

Необходимо разграничение пра…

Мы рассматриваем ИБ шире и не ограничиваемся выполнением рабочих задач.

Например, сам ресурс расположен на домене .com, а не на официальном российском адресе.

Поэтому человек после атаки несколько дней «не в себе» и не может толком вспомнить подробности произошедшего.

Для этого нужна понятная линия консультаций, простые правила остановки и выработанная привычка задавать вопросы ИБ превентивно, а не после получения ущерба.

Современная поверхность атаки проходит не только через инфраструктуру и сетевой периметр, но и через внимание, страх и доверие человека.

Simple2FA — универсальная система двухфакторной аутентификации для обеспечения безопасного удалённого доступа к корпоративным ресурсам.

Функциональные возможности Simple2FAСистема Simple2FA обладает следующими ключевыми функциональными возможностями:Централизованное управление пользователями, группами, лицензиями и политиками аутентификации через единую веб-консоль администратора.

Гибридная архитектура, обеспечивающая локальную проверку первого фактора аутентификации и облачную обработку второго фактора без передачи паролей во внешнюю среду.

После успешной проверки первого фактора локальный модуль инициирует процедуру подтверждения второго фактора через облачный модуль Simple2FA.

Настройка …

Сегодня безопасность зависит не только от защищённого канала связи, но и от контроля пользователя, устройства и его действий.

Сегодня он является одним из ключевых элементов информационной безопасности, поскольку именно через удалённые подключения злоумышленники нередко пытаются получить доступ к внутренней инфраструктуре организации.

Однако защищённый канал не гарантирует безопасность, если злоумышленник получил доступ к учётной записи сотрудника или использует скомпрометированное устройство.

Контроль устройства как элемент безопасностиОдним из ключевых трендов последних лет стал переход от проверки пользователя к проверке устройства, с которого осуществляется подключение.

В зависимости от…

Их решения активно внедрялись на протяжении последних лет и воспринимались не как узкие инструменты балансировки, а как комплексные платформы.

Влияние балансировщика на ИТ-инфраструктуру и организационные процессыВнедрение балансировщика влияет не только на техническую архитектуру, но и на структуру эксплуатации ИТ-ландшафта.

Это воспринимается не только как формальное требование, но и как признак того, что продукт уже прошёл внедрения и имеет подтверждённую практику использования.

В итоге сравнение идёт не только по характеристикам продукта, но и по тому, насколько он вписывается в текущую архитектуру и компетенции команды.

Поэтому современные балансировщики всё чаще используются как элеме…

В этом нет ничего удивительного: оборудование, в котором применяются встраиваемые системы, рассчитано на длительный срок службы.

Они применяются и в ИТ- и сетевом оборудовании, что позволило решить ряд давних технических проблем.

В целом требования к техническим специалистам в этой области высоки: необходимо сочетание компетенций в ИТ и в конкретных отраслях, для которых разрабатываются решения.

Та же проблема характерна и для других сегментов, включая NGFW, почтовые серверы и ряд других решений.

Количество потенциальных заказчиков невелико, при этом разработка АСУ ТП, как и NGFW, требует значительных времени и ресурсов.

Но одна из самых интересных возможностей устройства — это JavaScript-движок и модуль BadUSB, который позволяет превратить Flipper в программируемую USB-клавиатуру.

В этой статье разберём небольшой, но показательный скрипт, который автоматически устанавливает набор инструментов для пентеста(или другого ПО) на macOS через Homebrew.

Традиционные BadUSB-сценарии обычно пишутся на DuckyScript:DELAY 1000 GUI SPACE DELAY 500 STRING terminal ENTER STRING brew install nmap ENTERПодход рабочий, но чаще упирается в ограничения:нет циклов;нет условий;нет модулей;сложно обрабатывать состояния;код плохо масштабируется.

Например:const apps = [ 'nmap', 'masscan', 'sqlmap', 'john-jumbo' ];Таким образом один…

И началось всё скромно — с той самой задачи: чтобы серверы видели друг друга, и не более того.

Это не маркетинг и не «смотрите какой я молодец», а честный технический разбор: архитектура, криптография, набор транспортных режимов и, главное, те места, где я набил шишки.

Лечится концептуально просто, но дошёл я не сразу: чтение нужно вынести в отдельную задачу, которую никто не отменяет, а в select!

И нюанс справедливости: лимит полосы у пользователя — это один общий token-bucket на всю сессию, а не на каждое соединение.

В том числе — почему я писал TLS-стек руками, а не брал готовую обёртку: я не хотел быть обёрткой над чужой обёрткой.

Здесь про то, куда это может пойти, и про несколько вопросов, на которые у меня пока нет хорошего ответа.

Минус в том, что поддержка WiFi Direct на Android неравномерная, на Linux — отдельная история, на Windows и macOS тоже без гарантий.

Мне интересно, насколько вообще реальный этот сценарий: попадаете ли вы в ситуацию, когда два своих устройства рядом, но не в одной сети?

Три вопросаСценарий «рядом, но не в сети» — насколько он реальный в вашем случае?

Конфликты при расхождении — вы это замечаете сейчас, или это теоретическая проблема?

Создавали DeFi на замену классических финтех-посредникам (биржи, банки, брокеры).

Общие тенденции в атаках и эра ИИИсследовав атаки на DeFi за последние пять месяцев, можем выделить три основных тренда.

След КНДР и использование ИИТо, что без ИИ сейчас никуда и что его точно будут использовать в атаках — это очевидно.

Получив миллионы токенов на долю секунды, атакующий выдвигает вредоносное предложение на голосование (например, «перевести все средства казначейства на кошелек X») и сам единогласно его утверждает.

Немного выводов и прогнозовВот что, на наш взгляд, ждёт DeFi в ближайшие пару лет.

Я — независимый эксперт в области ИТ и ИБ, преподаю в учебных центрах и пишу статьи и книги.

В петле этот кадр возвращается на тот же коммутатор через другой порт, и он отправляет его снова.

Эта функция защищает от ситуации, когда BPDU перестают поступать из‑за проблем с кабелем — порт переходит в состояние «неопределённость», а не в форвардинг.

Петли, шторма и хаотичные отказы чаще всего начинаются не с «плохого кабеля», а с неочевидной логики L2- и L3-сегментов: где нужно изолировать трафик, где настроить маршрутизацию, а где заранее защититься от неправильных подключений.

ЗаписатьсяНа уроке разберем логику пересылки кадров в VLAN, изоляцию трафика и правила настройки Access‑ и Trunk‑порт…

И этот текст — попытка осмыслить, к чему именно мы движемся и что это означает для нас как для индустрии.

Для нас как для сервис-провайдера в области верификации ПД это означает следующее: мир, в котором верификация происходит один раз «на входе», уходит в прошлое.

Традиционная верификация — это обмен данными: клиент передаёт данные провайдеру, провайдер сверяет их с источником, источник подтверждает или опровергает.

Иными словами: транзакция — это и есть верификация.

Это не означает, что роль провайдера верификации исчезает — напротив, она усложняется и становится более значимой.

Мы занимаемся поиском сложных уязвимостей, аудитом корпоративных сетей и в целом тем, что принято называть информационной безопасностью.

Это не просто цепочка уязвимостей, а демонстрация того, как один принцип проявляется в двух совершенно разных технологиях – JWT/JWE и SSH Certificate Authority.

По стандарту в директории пользователя находим флаг:ssh [email protected]Повышение привилегий: ошибка в SSH CAИз описания машины узнаем, что в ней используется SSH CA.

В случае с JWT шифрование JWE было валидным, поэтому сервер не проверил подпись внутри.

В случае с SSH CA сертификат был подписан доверенным CA, поэтому сервер не проверил имя пользователя в principal.

Без непрерывной инвентаризации вы не знаете, что именно запущено прямо сейчас: какой образ, с каким дайджестом, из какого реестра, с какими привилегиями.

И позднее, когда возникнет инцидент или аудит, придется выяснять вручную, какие контейнеры были запущены и соответствуют ли они вообще требованиям безопасности.

Поиск событий в Wazuh DashboardsПосле настройки правил полезно проверить, какие данные поступают в индекс и как они выглядят в поиске.

Не логируйте переменные среды без маскирования — они часто содержат токены, пароли и ключи API, которые могут попасть в индекс Wazuh и стать видимыми в дашборде.

Что в итогеС помощью wodle command можно быстро расширить возможности Wazuh и собирать …

КИИ в 2026: регуляторный пинок, уголовное дело или всё-таки защита?

Когда регуляторка стала уголовкой - разбираем, кто реально выигрывает от требований к критической информационной инфраструктуре, реалистичен ли дедлайн 2028 года и почему бумажная безопасность теперь может стоить свободы.

Не «реальная защита» и не «бизнес на страхе» - а «регуляторный пинок».

Пять регуляторов и как в них не запутатьсяМногие думают, что регуляторов в КИИ три: ФСТЭК, ФСБ и Минцифры.

Вывод, который стоит распечатать и повесить над рабочим столомВыполнение требований КИИ не гарантирует, что вас не взломают.

Вопрос — как его правильно реализоватьСпросите любого инженера, как разграничить доступ в приложении, — услышите RBAC: роли и права.

Но RBAC — это концепция, а не рецепт.

Плоский RBAC — это только первая ось (ACL).

Сравнение с другими подходамиСравним наш слоёный RBAC с типовыми альтернативами по четырём критериям: скорость, масштабируемость, гибкость, поддерживаемость.

Плоский RBAC отвечает только на первый и оставляет остальные три на откуп хардкоду — со всеми вытекающими дырами вроде «пользователь сделал себя админом».

xtunnel - российский туннель, который позиционирует себя аналогом ушедшего из России ngrok.

Сегодня, работая над учебным проектом, я заметил за ним любопытное поведение.

Например, мы ставим на логине токен как http only куку (ниже и дальше будет представлен код на Java Spring, но подобное поведение аналогично во всех языках):private void setTokenCookie(String token, HttpServletRequest request, HttpServletResponse response) { if (token == null) { return; } ResponseCookie cookie = ResponseCookie.from(JwtAuthFilter.TOKEN_COOKIE, token) .httpOnly(true) .secure(request.isSecure()) .sameSite("Lax") .path("/api") .maxAge(Duration.ofMillis(expirationMs)) .build(); response.addHeader(HttpHeaders.SET…

Его нужно защищать как часть цепочки поставки ПО, это не «просто автоматизация».

Лучше:include: - local: .gitlab/ci/lint.yml - local: .gitlab/ci/test.yml - local: .gitlab/ci/build.yml - local: .gitlab/ci/deploy.yml stages: - lint - test - build - deployКорневой файл должен быть картой, а не свалкой.

Анализируйте критический путь, а не «среднее время джобов»Если пайплайн длится 40 минут, не обязательно оптимизировать все джобы.

Стройте ключ кеша от lockfileДля кеша зависимостей часто лучше ключ от lockfile, а не только от ветки.

Для продакшена лучше, чтобы релиз ссылался на неизменяемый тег образа или digest, а не на latest или плавающий тег ветки.

Если действительно нужно несколько reason-scoped DistributionPoints, проверьте синтаксис на своей версии OpenSSL ( openssl req -text после генерации) или формируйте расширение через raw/DER-encoding.

То же самое — в [ server_cert ] и [ code_cert ] (и в ServerIntermediateCA.cnf / CodeIntermediateCA.cnf , поменяв имя CRL-файла на ServerIntermediateCA.crl и CodeIntermediateCA.crl ).

Многозначное расширение, задаётся через секцию.⚠️ Это расширение должно появляться только в CRL (не в сертификате).

Расширенный справочник: openssl ca — отзыв, генерация CRL, конфиг и служебные файлыОпции командной строки openssl ca , относящиеся к отзыву и CRL, плюс ключи секции [ CA_default ] и формат служебных ф…

Рисунок 10 – Обработка команды выполнения EXE-файлаПри получении такого HTTP-кода статуса ответа сервера осуществляется загрузка с сервера DLL-библиотеки с ее дальнейшим запуском с помощью команды «rundll32.exe <аргументы>»Рисунок 11 – Обработка команды запуска DLL-библиотекиДанный код вызывает выполнение переданной с сервера команды в CMD-интерфейсе Windows.

Рисунок 28 – Перезагрузка модуля кейлоггераПри получении HTTP-ответа с сервера со статусом 843 производится перезагрузка Darkwatchman.

Данный поток предназначен для обеспечения обработки команд с сервера уже в контексте HVNC-сессии, описание механизма работы которой будет рассмотрено отдельно.

S2C_CTRL_CMD_UPLOAD — команда позволяет з…

Я сразу же позвонил отцу - интернет отключили, симку вытащили, а на следующий день он сходил в МФЦ и поменял пароль.

Ссылки на материалыПрежде чем начать оставлю список из статей на Хабре, которые освещают данную тему:https://habr.com/ru/companies/k2tech/articles/879412/ - тут вирус не шифрован, очень повезлоhttps://habr.com/ru/companies/angarasecurity/articles/959476/https://habr.com/ru/companies/angarasecurity/articles/973630/https://habr.com/ru/companies/angarasecurity/articles/992388/https://habr.com/ru/companies/usergate/articles/1028474/ - очень хорошая статья, я сошлюсь на неё позже.

Понятное дело, что при установке всё это написано, но вот в такой ситуации папа внимание на всё это н…

Первый и второй ежеквартальные номера «Хакера» за 2026 год уже отпечатаны и хранятся на нашем складе, а недавно мы открыли ранние предзаказы на третий выпуск.

Самое время начать собирать бумажную подшивку «Хакера» за год или пополнить свою коллекцию свежим журналом.

#2: уже на складеВторой ежеквартальный выпуск недавно покинул типографию, и первые экземпляры уже добрались до читателей.

#1: первый ежеквартальный «Хакер»Именно с этого журнала началось возвращение «Хакера» к регулярному печатному формату.

Один заказ — и к концу года у тебя будет полная бумажная подшивка «Хакера» за 2026 год.

Специалисты компании Island обнаружили, что популярное браузерное расширение Adblock for YouTube может выполнять произвольный JavaScript-код на любых сайтах.

При этом аддон насчитывает более 10 млн установок и имеет отметку «Featured» в Chrome Web Store.

Чтобы активировать его, достаточно изменить конфигурацию на сервере, а повторная проверка в Chrome Web Store и обновление расширения не потребуются.

Отмечается, что Adblock for YouTube появилось в Chrome Web Store еще в 2014 году, а спустя четыре года расширение сменило владельца.

Также в Island подчеркивают, что связали расширение с тремя другими блокировщиками рекламы — Adblock for Chrome, Adblock for You и AdBlock Suite.

Специалисты компании SentinelOne обнаружили ранее неизвестную малварь Gaslight для macOS, которая совмещает функции бэкдора и инфостилера.

Главная особенность вредоноса — встроенный промпт-инжект, нацеленный на ИИ-инструменты, которые исследователи используют для анализа подозрительных файлов.

Gaslight написан на Rust, и в его бинарник встроен блок объемом около 3,5 Кбайт, содержащий 38 поддельных «системных» сообщений.

Все они оформлены с использованием Markdown-разметки и маскируются под отчеты о сбоях, диагностические данные и предупреждения приложений.

При этом аналитики пишут, что не нашли доказательств того, что такие промпт-инжекты могут обмануть реальные ИИ-решения для анализа малва…

В этой статье мы рас­смот­рим основные при­емы работы с канала­ми в Go и поз­накомим­ся с при­ема­ми и прак­тиками написа­ния мно­гопо­точ­ного кода.

Err () ; err != nil { fmt .

По ана­логии с пре­дыду­щими она ничего не зна­ет и не дол­жна знать о том, отку­да и каким обра­зом эти резуль­таты взя­лись.

Это общий прин­цип, он при­меним не толь­ко к отдель­ным фун­кци­ям или клас­сам, но и к любым ком­понен­там прог­рам­мной сис­темы в широком понима­нии это­го сло­ва.

Каналы потоко­безо­пас­ны по опре­деле­нию и не тре­буют исполь­зования мьютек­сов или иных при­мити­вов син­хро­низа­ции.

Инцидент произошел утром 20 июня 2026 года, когда пользователи получили сообщение: «Экстренное предупреждение от службы гражданской обороны: misantropi4».

Вскоре региональные управления гражданской обороны подтвердили, что предупреждение было фальшивым и не связано с какой-либо реальной чрезвычайной ситуацией.

В Национальном агентстве связи Бразилии (Anatel), которое курирует инфраструктуру для рассылки таких оповещений, тоже заявили, что уполномоченные ведомства не отправляли никаких сообщений.

Пока власти не сообщают, удалось ли установить личность подозреваемого.

Подчеркивается, что в SEDEC уже работают над новой платформой для рассылки экстренных оповещений и планируют усилить защиту, а…

Один из самых популярных MEV-ботов в сети Ethereum, JaredFromSubway, потерял около 15 млн долларов США после атаки на логику поиска прибыльных сделок.

В результате JaredFromSubway автоматически анализировал такие маршруты, формировал необходимые транзакции и выдавал ERC-20 approval вспомогательным контрактам атакующего.

Общий ущерб составил около 15 млн долларов США.

Однако ответа от атакующих не последовало, после чего размер награды увеличили до 7,5 млн долларов США.

При этом атакующих просили вернуть хотя бы половину похищенного, причем 1 млн долларов США обещали передать сообществу.

Пользователи больше не могут скачать или обновить «Вконтакте», «VK Музыку», «VK Мессенджер», «VK Видео», «VK Знакомства», «Одноклассники», «Дзен», почту Mail.ru и другие приложения.

В VK пишут:«Apple без предупреждений в одностороннем порядке удалила приложения VK.

Временно и в качестве альтернативы в VK предлагают пользоваться мобильной версией сайта и добавить ее на домашний экран iPhone через Safari.

Похожее объяснение в Apple давали в начале июня, когда из App Store был удален российский мессенджер Max.

В Минцифры назвали решение об удалении приложений VK политически мотивированным, а также сообщили, что обратились в Федеральную антимонопольную службу.

Исследователи выяснили, злоумышленники атаковали сотни брандмауэров FortiGate, устанавливали на них кастомные снифферы и перехватывали учетные данные.

Как уже сообщалось ранее, FortiBleed затронула более 80 000 брандмауэров и VPN-шлюзов в 194 странах мира, причем 19 000 из них по-прежнему «прослушиваются» злоумышленниками.

Изначально злоумышленники в основном занимались брутфорсом административных панелей, SSL-VPN и SSH, применяя словарные атаки и перебирая учетные данные из предыдущих утечек.

Полученные в итоге учетные данные автоматически проверяются и используются для перемещения по сети, разведки в Active Directory и доступа к сетевым шарам.

Отмечается, что инфраструктура злоумышленнико…

Читатели сайта Gizmodo столкнулись с поддельными CAPTCHA, которые предлагали им запустить команды в терминале.

То есть пользователи столкнулись с классической ClickFix-атакой.

Хотя чаще всего ClickFix-атаки нацелены на пользователей Windows, ИБ-специалисты уже не первый год предупреждают и о кампаниях, направленных на пользователей macOS и Linux.

Содержимое поддельной CAPTCHA на Gizmodo зависело от операционной системы жертвы.

Злоумышленники использовали скомпрометированный аккаунт, чтобы внедрить вредоносный скрипт, из-за чего пользователи некоторое время могли видеть мошеннический контент», — заявили представители Gizmodo.

В этой статье мы раз­берем, как коман­да KiberS прош­ла путь от раз­ведки внеш­него перимет­ра до атак на SCADA-сег­мент в отбо­ре Standoff 17.

Опи­рались и на опи­сание инфраструк­туры, и на опыт прош­лых кибер­битв.

Сра­зу заложи­ли типовые уяз­вимос­ти, воз­можные мис­конфи­ги и сце­нарии раз­вития ата­ки: от внеш­него перимет­ра во внут­реннюю сеть, а затем и в тех­нологи­чес­кий сег­мент.

x. stf ) — сце­нарии для фишин­га и атак на учет­ные записи;) — сце­нарии для фишин­га и атак на учет­ные записи; VPN-шлюз ( vpn.

Про­ана­лизи­ровав кон­тент и струк­туру стра­ниц, мы соб­рали email-адре­са сот­рудни­ков — нап­ример, a_morris@x. stf и m_harris@x. stf .

Представители LastPass и BeyondTrust подтвердили, что злоумышленники похитили данные из их Salesforce-инстансов в ходе атаки на платформу конкурентной разведки Klue.

Напомним, что ответственность за атаку на Klue взяла на себя вымогательская группировка Icarus.

Как сообщили в LastPass, в результате взлома Klue злоумышленники получили доступ к именам клиентов, телефонным номерам, email-адресам, физическим адресам, обращениям в поддержку, а также информации, связанной с продажами и CRM.

В заявлении компании подчеркивается, что продукты, сервисы и инфраструктура LastPass при этом не пострадали, а хранилища паролей клиентов взлом не затронул.

После обнаружения инцидента специалисты LastPass отк…

Уязвимость получила идентификатор CVE-2026-20971 (7,8 балла по шкале CVSS), и специалисты объясняют, что она связана с двумя компонентами Samsung: PROCA и FIVE.

PROCA работает внутри ядра и проверяет процессы перед запуском, блокируя выполнение неавторизованного кода.

Успешная эксплуатация приводила к повреждению памяти ядра и потенциально открывала путь к получению более глубокого контроля над устройством.

При этом в бюллетене безопасности, выпущенном разработчиками Samsung, сказано, что для эксплуатации уязвимости требуются локальный доступ к устройству и взаимодействие с пользователем.

Уязвимость затрагивала смартфоны Galaxy от S9 до S25, а также модели серии Galaxy A и девайсы на базе ч…

От багов и дедлайнов она, конечно, не спасет, зато прикроет голову от солнца.

В магазине «Хакера» тебя ждут четыре модели бейсболок с фирменной вышивкой.

Лаконичный дизайн легко впишется в твой повседневный гардероб, а люди в теме узнают знакомый логотип без лишних пояснений.

Бейсболки «Хакера» — это:плотная ткань и комфортная посадка;прочный регулятор размера;аккуратная объемная вышивка;четыре варианта дизайна на выбор.

Также возможна отправка заказов в другие страны (по этим вопросам пиши на [email protected]).

Представители компании AMD пообещали вернуть шифрование TSME (Transparent Secure Memory Encryption) для некоторых процессоров Ryzen 9000, не относящихся к линейке PRO.

Ранее производитель отключил эту защиту с обновлением прошивки, но после критики и жалоб пользователей в компании пересмотрели это решение.

Технология TSME (которую в AMD чаще называют Memory Guard) автоматически шифрует все данные при записи в оперативную память и расшифровывает их при чтении.

Изначально представители AMD заявили, что TSME относится к технологиям AMD PRO, и отказались объяснять, отключили защиту случайно или это было осознанное решение.

В компании пообещали вернуть опцию Memory Guard в одном из ближайших обн…

Что­бы глуб­же понять прин­ципы работы крип­товалют в целом, давай пос­мотрим на бит­коин, как на слож­ную, но инте­рес­ную инже­нер­ную конс­трук­цию.

Допус­тим, нек­то получил два перево­да: 0,3 BTC и 0,7 BTC.

Фак­тичес­ки, мы получи­ли 1 BTC и пот­ратили 1 BTC, при этом у нас обра­зовал­ся неиз­расхо­дован­ный оста­ток в раз­мере 0.1998 BTC, который мож­но пот­ратить в сле­дующий раз.

Пра­во на рас­ходова­ние под­твержда­ется толь­ко кор­рек­тной циф­ровой под­писью, которая в клас­сичес­ких тран­закци­ях хра­нит­ся в спе­циаль­ном поле scriptSig , а в тран­закци­ях SegWit (это обновле­ние про­токо­ла Bitcoin, внед­ренное в августе 2017 года) вынесе­на в отдель­ную струк­туру witness .

О…

The systematic cyber attacks aimed at stealing sensitive information from the victims, the agency added.

To pull off the operation, the attackers send SMS messages that masquerade as the messaging platform's support bot and urge users to disclose their account credentials.

The SSU noted that these attacks include not only organizations, officials or public figures, but also personal accounts belonging to Ukrainian nationals.

However, similar attack waves directly aimed at Signal and WhatsApp messaging app users have been attributed to Russian threat activity clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).

The development comes as the FBI attributed Rus…

OpenAI on Friday released three versions of GPT-5.6, called Sol, Terra, and Luna, as a limited preview to a small number of companies as part of an ongoing engagement with the U.S. government.

"GPT‑5.6 Sol launches with our most robust safety stack to date.

On ExploitBench , GPT‑5.6 Sol is competitive with Anthropic Mythos Preview using only about one-third of the output tokens, OpenAI noted.

This includes adversarial attempts to jailbreak the model and refuse what it describes as "prohibited cyber assistance."

OpenAI intends to make GPT‑5.6 Sol, Terra, and Luna generally available in the coming weeks, and it previewed the model capabilities to the U.S. government.

The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key.

The updated advisory, PSA I-062626-PSA, adds two public tracking names the March notice lacked: UNC5792 and UNC4221.

The updated version walks the target through turning on Signal backups, opening the Recovery Key, and pasting it into the chat.

Real support does not message you inside the app to ask for codes, PINs, or your Recovery Key.

Never paste your Backup Recovery Key, verification code, or PIN into a chat.

A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.

"In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file," Kaspersky explained.

MinHook DLL, which installs API hooks for the VirtualAlloc and Sleep functions to copy the decompressed Cobalt Strike Beacon into the allocated memory region using VirtualAlloc.

"Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the Resum…

A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia.

Unit 42 said it also observed CL-STA-1062 campaigns in prior operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus in the region.

"From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit," Unit 42 said in a technical report.

"The malware operates on a beaconing model, with a default 10-second sleep interval between requests," Unit 42 explained.

"Our discovery of the TinyRCT backdoor in the att…

A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials.

The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest.

Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers.

The patch closes that gap: Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs.

The flaw lives in Language Servers for AWS, the runtime that powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio.

A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems.

The exploit needs two things: act_pedit being loadable and unprivileged user namespaces being open, giving the attacker a namespace-local networking capability (CAP_NET_ADMIN) needed to trigger the bug.

An unprivileged user can configure tc actions from inside a user namespace, which gives them the CAP_NET_ADMIN that the exploit needs.

Ubuntu 26.04 blocks that path by default because its AppArmor profiles restrict unprivileged user namespaces, though the underlying kernel remains vulnerable.

Prioritize systems where "local user" does not mean trusted user: multi-tenant hos…

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network.

"The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data," according…

DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family.

Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root.

The patch landed in mainline on May 21; if your kernel does not have it, update now.

When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet's memory as shared with a file on disk.

The attacker loads a privileged binary like /usr/bin/su into memory, wires those memory pages into a network packet, and forces the kernel to clone it.

This guide breaks down how the guardian agents emerged, why it matters, and what operationalizing it looks like in practice.

What Guardian Agents AreA guardian agent is a purpose-built autonomous control layer that governs the identity and behavior of AI agents operating inside enterprise environments.

How Guardian Agents Differ from Traditional IAM ToolsThe instinct to govern AI agents using existing IAM tooling is understandable, and it's wrong.

Common Risks: How Unmanaged Agents Become Identity Dark MatterUnmanaged AI agents don't announce themselves as a security problem.

For teams building out their identity governance program, that telemetry becomes the connective tissue between agent…

Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem.

"The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project," Socket said.

"A compromise here can expose developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers."

That having said, the attack employs the same Miasm…

An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines, Microsoft says.

The subject line names no recipient or property, which points to high-volume, list-driven sending rather than tailored spear phishing.

The operators route messages through Calendly's email notification system and Google's URL redirect service, a trick Microsoft calls authentication laundering.

SOC Prime and ITOCHU documented the same hotel phishing and the LNK-to-PowerShell-to-Node.js chain about two weeks earlier, and Microsoft says its findings line up with …

Russian authorities used Cellebrite's UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling its tools and services to Russia and Belarus.

Pivovarov gave the phone to Citizen Lab researchers in the fall of 2025.

Asked for comment on June 22, Cellebrite told the Citizen Lab and Access Now that any use of its legacy hardware in Russia after March 2021 is "entirely unauthorized."

The Citizen Lab does not claim a direct link, but the mechanism is plain: extract one activist's social graph, and you have the target list for the next campaign.

Russia joins Serbia, Kenya, and Jordan in a gr…

"STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library," GTIG said.

, a proxy-aware tunneler that facilitates network communication capabilities to the wider STOCKSTAY suite by establishing a secure WebSocket connection to a specified remote server.

STOCKSTAY.STOCKMARKET, an orchestrator or controller that parses the backdoor's configuration to set several options regarding the malware's execution, such as the WebSocket server, time interval, and the days it's not supposed to work.

It also communicates with STOCKSTAY.…

An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary JavaScript code.

According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has more than 10 million installs and carries a Featured badge on the Chrome Web Store.

Compounding the risk further is the fact that ad blocker extensions typically request extensive permissions to inspect requests, alter pages, hide elements, and adjust their behavior as ad systems evolve.

"It is the combination: a high-install extension with all-site access, a remote-controlled injection path, prior ad-injection infrastructure, a major ownership and codeba…

For these businesses, cyber resilience should be the direction of travel – that is, the ability to continue operating and recover even during a serious incident.

Cyber readiness is about putting in place the processes and controls to prevent, detect and respond to threats.

So, should confidence in cyber resilience posture be so high, especially if organizations are still getting hit multiple times?

The truth is that there’s no end state for cyber readiness or resilience.

If it’s serious about improving the cyber readiness of small businesses, the vendor community should step up.

Key points of this blogpost: Throughout 2025, Gamaredon exclusively targeted governmental and military institutions in Ukraine.

Continued data exfiltration and a new allianceThroughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine.

Notably, we uncovered that in early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor also linked to the FSB; we documented our findings in our blogpost Gamaredon X Turla collab.

Figure 1 shows a chart of unique samples of HTA downloaders delivered per month in Gamaredon spearphishing campaigns.

Compared to 2024, we also saw a shift in how Gamaredon used these dead drops.

Key points of this blogpost: ESET took part in the coordinated, global Operation Endgame to disrupt Amadey and Stealc.

Our automated systems have been dissecting Amadey and Stealc samples and identifying the fields most relevant for large-scale tracking.

The largest Amadey botnet clusterOne cluster stands out as the largest, and it contributed nearly 34% of all processed Amadey samples.

Stealc affiliate clustering based on ESET telemetryConclusionFor global disruption operations such as Operation Endgame against Amadey and Stealc, long-term automated tracking of malware is necessary.

2026‑04‑09 Stealc C&C server.

The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., tools for disrupting security software.

In this blogpost, we share our findings on Gentlemen’s suite of EDR killers gained through extensive research and corroborated by the recent leak.

Third‑party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally integrated.

Rather than relying on affiliates to source their own EDR killers, Gentlemen operators actively develop and maintain a portfolio of EDR killers for affiliates.

It allows the Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclos…

Of course, connecting production systems to enterprise networks delivers tangible benefits, but the security implications – that systems once safe were suddenly no longer so – arrived more quietly.

Start by mapping which systems in an environment are connected and have no security coverage, where IT and OT networks intersect, which segments are unmonitored, and which production systems have fallen outside any vendor support agreement.

Meanwhile, off-the-peg security tools often don’t efficiently meet the enterprise requirements in legacy OT systems that run on older hardware and outdated operating system versions.

The production systems running that version continue to operate for years, ac…

Key points of this blogpost: We discovered two previously undocumented Windows variants of FishMonger’s SprySOCKS backdoor.

Technical analysisIn this section, we provide a technical analysis of these new, Windows variants of FishMonger’s SprySOCKS backdoor.

Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor (newlines added for readability)Figure 4 depicts the execution chain of the SprySOCKS WIN_DRV variant.

It contained the SprySOCKS backdoor and the SprySOCKS loader.

6490B8E4AADE25A3EE2D A9A47F312DB2122470BC X1B5206BDC1 743DD.dat Win64/SprySOCKS.A Encrypted container of the encrypted WIN_DRV variant of SprySOCKS backdoor, encrypted SprySOCKS RawWNPF and SprySOCKS …

Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page.

What makes EvilTokens dangerousThe OAuth device code flow was designed for devices that may be awkward to sign into directly, such as smart TVs or printers.

No document, invoice, email, or another platform should ask for a device code without a clear reason.

A real Microsoft page doesn’t automatically make a request safe.

Sometimes the attacker could ask them to enter a real code on a real page – but for the wrong device.

During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage.

We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company.

The domain resolved to the genuine IP address of the FireAnt update server, suggesting a supply-chain compromise scenario.

LTD 2025‑09‑20 SPECTRALVIPER C&C server.

]com IRT‑CHOOPALLC‑AP 2025‑09‑20 SPECTRALVIPER C&C server.

But that realization alone clearly doesn’t prepare them to withstand an attack.

Have the repeat victims come to view their brushes with cyber-incidents as proof of “what doesn’t kill me makes me stronger”?

For all the talk around AI, automation and attacker sophistication, many SMB breaches still begin with a familiar opening.

A total of 71% of SMBs globally now carry cyber insurance, rising to 84% in North America, with adoption climbing sharply among repeat victims.

While “when, not if” has never been more true, that alone doesn’t prepare a business for adversity.

There’s a phrase that is peddled out by governments and companies alike when a catastrophe of any type – including a cybersecurity breach – occurs: “Lessons have been learnt”.

The 130% increase in significant incidents between 2024 and 2025 severely challenges this assertion and points to lessons not being learnt, at a macro level.

In fact, this reluctance to look could also be normalcy bias quietly doing its work.

That is why this metaphor matters – cybercriminals discover the gap between what an organisation believes about its security and what the reality is.

We must accept that normalcy bias exists and act upon it.

Our kids are exposed to many of the same identity, privacy, and data security risks as their parents.

Why do people want my kids’ data?

But when they do finally flag fraud, the impact on your child’s credit history can be severe.

Apply for a credit freeze for your child’s identity with all three major credit bureaus.

Keeping your child’s identity safe should not be about restricting their digital world.

Here's some of what caught Tony’s attention in May 2026:Poland’s Internal Security Agency (ABW) has released information about cyber-intrusions into ICS (industrial control systems) at five water treatment facilities in the country in 2024 and 2025.

The two main attack vectors – weak passwords and systems exposed directly to the internet – were the same as those used in attacks against the Polish energy sector that leveraged DynoWiper described by ESET researchers here.

What are some key mitigation steps against attacks targeting OT systems?

How do scams crypto ATMs work and how to stay safe?

Learn this and more in Tony's video and be sure to check out the April 2026 edition of Tony's month…

ESET APT Activity Report Q4 2025–Q1 2026 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2025 through March 2026.

During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests.

The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period.

Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to the country’s defense efforts.

Intelligence shared here is based m…

Alongside a number of freely available AI chatbots, major technology companies have moved into consumer-facing health AI with the launches of services such as Copilot Health, ChatGPT Health, and Amazon’s HealthAI that models help users interpret their medical records and ask questions about their symptoms, lab results and treatment options.

Misuse of AI chatbots in general is now the number one health technology hazard out there, according to one US patient safety organization.

Your health data is not like a stolen credit card that can be frozen while the details are replaced and reissued.

Even so, people should be cautious: health data is unusually sensitive, and anonymization doesn’t alwa…

Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak.

BTMOB at a glanceFirst described in February 2025, BTMOB has evolved from the SpySolr malware.

BTMOB APK creation toolHow does BTMOB spread?

For example, researchers Johnk3r and Merl recently spotted campaigns that spread BTMOB while impersonating Argentina’s tax and customs authorities.

ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK.

Proof has launched x401, an open, issuer-neutral protocol that lets any website or API ask for and verify the identity behind agents.

x401 was developed by Proof with technical contributors from leading payments, identity and AI organizations.

x401, built with Proof, pairs that with identity: x402 answers how an agent pays, x401 answers who it is.

Proof’s digital identity: A high-assurance identity that can signBuilt on Verifiable Credentials, Proof’s digital identity is the inline implementation of OID4VC Issuance and Presentation, allowing people to verify their identity to an IAL2 standard and enroll just-in-time or instantly reauthenticate with a biometric.

Proof’s digital identity is b…

Open source software projects are getting a new framework for handling security vulnerabilities as AI shortens the time between flaw discovery and exploitation.

Akrites aims to establish a common process for addressing security issues in software used across critical infrastructure and enterprise environments.

Alpha-Omega funds security improvements for critical open source projects and supports maintainers.

The Open Source Security Foundation (OpenSSF) develops security initiatives, standards, and tooling for the open source ecosystem.

Mark Russinovich, Azure Chief Technology Officer, Deputy Chief Information Security Officer, and Technical Fellow at Microsoft, said OpenSSF and Alpha-Omega…

Synology has has fixed critical vulnerabilities in MailPlus Server, a software package used to run private email infrastructure on Synology NAS devices.

Users running MailPlus Server on NAS devices with DiskStation Manager v7.3, 7.2.2 or 7.2.1 are advised users to upgrade to the recently released 4.0.1-31663 version of the software, as there is no available mitigation for the fixed issues.

Over 2,100 deployments exposed to the internetAside from technically inclined users who own a Synology NAS and want to run their own mail server, MailPlus Server is also used by small-to-medium businesses that want self-host email on their on-premises hardware – either for privacy, cost control, or compli…

Ransomware attacks against European organizations increased during the first months of 2026, with third-party suppliers becoming a major entry point for attackers.

Black Kite examined 2,066 ransomware incidents across 31 countries between January 2025 and April 2026 in its 2026 European Cyber Risk Report.

These five countries accounted for nearly 70% of all recorded ransomware incidents.

Manufacturing accounts for the largest share of incidentsManufacturing accounted for 27.9% of publicly disclosed ransomware incidents, making it the most targeted industry.

Frameworks including NIS2 and DORA require organizations to assess, monitor, and manage supplier cyber risk as part of operational resi…

Mirage2FA, a phishing kit that combines short-lived HTML smuggling with obfuscated JavaScript loaders to deliver fake Microsoft 365 login pages and steal credentials during MFA prompts, has been identified by researchers at Fortra.

Fortra based its analysis on a suspicious HTML and JavaScript attachment delivered by email, supporting DNS data, and the second-stage phishing page.

Researchers said the campaign relied on business-themed lures, including secure documents, remittance services, automated billing, and payment requests.

Opening the HTML attachment launched a Microsoft-branded page designed to resemble a protected business document.

The second-stage phishing page mimics the Microsof…

Kaspersky researchers have uncovered a previously unknown cyberattack campaign that has compromised government organizations and software development companies in multiple countries.

What initially looked like an isolated incident revealed a global operation they’ve dubbed StrikeShark, due to the attackers’ use of a previously unknown dropper the researchers named SharkLoader.

How the attackers get inThe attackers gain access either by exploiting known vulnerabilities in internet-facing applications, or by tricking users into running malware-laced files disguised as legitimate software.

The threat actor conducted extensive reconnaissance and credential theft, including dumping credentials f…

Officers from Poland’s Central Bureau for Combating Cybercrime (CBZC) arrested four suspected members of an organized cybercrime group accused of SIM swap attacks, cryptocurrency theft, and money laundering.

The operation involved agents from the U.S. Federal Bureau of Investigation (FBI) and Homeland Security Investigations (HSI).

Investigators said the stolen information enabled the group to carry out SIM swap attacks by taking control of victims’ phone numbers.

Prosecutors charged the suspects with participating in an organized criminal group, breaking into computer systems, and money laundering.

CBZC noted that the international nature of the investigation limits the amount of informati…

ZeroTier has announced the release candidate 2 (RC2) for ZeroTier Quantum, its end-to-end quantum-secure networking platform.

“Reaching our final release candidate milestone brings us to the precipice of a new era in network security,” said Andrew Gault, CEO of ZeroTier.

“ZeroTier Quantum isn’t an incremental update; it’s a fundamental paradigm shift.

Delivering security, performance, and flexibilityZeroTier Quantum RC2 delivers on the brand’s foundational pillars of security, performance, and flexibility, providing quantum defense capabilities without layers of operational and implementation friction.

ZeroTier Quantum gives them immediate acceleration in their quantum journey and future-pr…

ThreatModeler has announced the general availability of ThreatModeler Nexus, an agentic threat modeling platform that brings governed, architecture-aware security to the way modern software is actually built.

ThreatModeler Nexus answers that with a platform built to threat model everything, starting wherever a team already is.

ThreatModeler Nexus pairs a multi-agent system with a deterministic framework, so AI accelerates the work while the platform governs the outcome.

The Secure Design Graph is also the answer to what the ThreatModeler and IriusRisk merger created.

A global financial services firm reduced threat modeling effort by 50 percent.

Microsoft has given Windows 10 users another year of free security updates, extending its consumer Extended Security Updates (ESU) program until October 12, 2027.

Windows 10 reached end of support in October 2025, prompting Microsoft to launch the Extended Security Updates (ESU) program for consumers.

Eligible devices must run Windows 10 version 22H2 Home, Professional, Pro Education, or Workstations edition and have the latest Windows updates installed.

“You can use your existing ESU license on up to 10 devices once you enroll in ESU,” Microsoft noted.

Although the extension is welcome news for Windows 10 users, Microsoft continues to encourage customers to upgrade to Windows 11 or purchas…

It runs suspicious binaries on the analyst’s own hardware and keeps each sample local for the duration of the analysis.

Burnyard end-to-end analysis workflowRunning the binary in user-space emulationBurnyard performs dynamic analysis through user-space emulation.

For Windows samples, Burnyard averaged 22.41 seconds, compared with 32.36 seconds for VirusTotal and 182.88 seconds for Intelix.

For Linux samples, Burnyard averaged 5.47 seconds, against 16.27 seconds for VirusTotal and 80.85 seconds for Intelix.

The Windows numbers run higher than the Linux numbers because Windows samples reach a wider Win32 API surface and involve more dynamic linking.

They also discuss what makes a platform AI-native, and why they treat security readiness and AI readiness as one conversation.

When operations and security data live in one system, a technician sees the full picture without moving.

The companies frame AI readiness and cybersecurity readiness as inseparable, arguing that neither delivers value without the other.

They’re being asked to govern AI deployments, advise on risk, and ensure that the data AI relies on is trustworthy and protected.

For them, security and AI readiness collapsed into the same conversation some time ago.

Healthcare practices run on a chain of outside vendors.

Confidence runs ahead of visibilityMost leaders said they trust their vendors’ security.

Attackers understand the dynamic and target vendors precisely because their healthcare clients tend to extend trust and skip verification.

A growing share now expect a cyberattack to cause a fatal patient incident at a U.S. healthcare facility within five years, up from the year before.

Six in ten leaders said they signed off on HIPAA attestations knowing their own risk assessments had flagged unresolved problems.

Upbound, the company behind the Crossplane project, released Modelplane, an open-source control plane that manages fleet-wide coordination for AI inference.

Modelplane runs as a control plane on its own cluster, above the inference clusters that serve models.

He said AI inference “needs the same layer.”Two roles and one APIThe software divides work into two roles.

The system stays neutral about the serving engine, so one API can serve any container-based engine and any deployment topology.

That control point carries weight for regulated and sovereign enterprises, where inference runs inside infrastructure a company governs directly for security, sovereignty, or compliance reasons.

Hyland platform innovations focus on AI governance, context, and agent oversightHyland has unveiled platform innovations designed to move AI from experimentation to enterprise-wide adoption.

Developers, AI agents, and any employee using Claude, Codex, or other AI tools keep installing exactly as they do today, and nothing dangerous makes it through.

Tigera introduces unified control plane for Kubernetes-based AI agent securityTigera has announced the general availability of Tigera Lynx, a unified control plane for Kubernetes-native AI agents.

WitnessAI Agentic Control secures AI agents, tools, and MCP server accessWitnessAI has announced extended agentic security capabilities that govern ho…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Contact Info

Meta Is Testing Facial Recognition for Police and MilitaryWe know that ICE wants to deploy eyeglasses with facial recognition that can identify people in real time.

Turns out Meta is prototyping the feature with a Pentagon supplier.

(Alternate news story.)

Posted on June 26, 2026 at 12:40 PM • 0 Comments

One Million Passports Leaked OnlineA database of almost a million passports from around the world was leaked online.

Note what happened.

A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries.

And it’s the low-value system that got hacked, putting the high-value credential at risk.

Posted on June 26, 2026 at 7:03 AM • 2 Comments

Words are words, and the phone company does not know—nor is it liable for—the words you choose to speak.

Imagine a restaurant review site that provides AI summaries, or a site summarizing laws and government procedures.

AI agents are agents of the person or organization that deploys them—and should be treated by the law as such.

If a company hired human writers to write its summaries, that company would be liable for inaccuracies in those summaries.

Visa and OpenAI recently announced a partnership to build personal AI agents to, among other things, make purchases on our behalf.

This is a fascinating explotation of how LLMs fall for prompt injection attacks.

Their conclusion:Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs.

We’ve shown that this architecture doesn’t survive into the model’s actual representations, and that such role confusion is linked to prompt injection.

Unless LLMs achieve genuine role perception, we think injection defense will remain a perpetual whack-a-mole game.

And the continuous nature of role boundaries opens the threat of injections designed to subtly shift LLM states through seemingly innocuous text, legally and at scale.

At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis.

Details:The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content.

The real malware begins after the comment with a try{eval(…)} wrapper around a large character-code array and a ROT-style substitution function.

In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.

YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still w…

Anthropic’s Fable 5 Model Jailbroken Within DaysFable 5 is the supposed safe version of Anthropic’s Mythos Preview, with guardrails to ensure that it can’t be used to create cyberattacks.

Well, that restriction was bypassed within days.

Posted on June 23, 2026 at 7:03 AM • 4 Comments

Wearables present serious privacy issues for “Average Joe” consumers, who are entrusting tech companies to safely store and protect their biometric data.

Imagine the stakes for a professional athlete, whose entire livelihood could be affected by a single biometric data point.

The coach has access to the player’s wearable data, and checks to see when they went to sleep, as well as what their heart rate looked like during the night.

What if wearable data reveals that a player isn’t as speedy as they were before, and a team uses that data against the player during contract negotiations?

What if a wearable reveals a player is favoring their leg, or is at greater risk of injury?

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Anthropic’s Fable and the State of AIOn June 9th, Anthropic released its Fable generative AI model.

Fable is the constrained version of Mythos, the AI model Anthropic announced in April.

Fable is just another incremental improvement in the years-long climb of AI capabilities.

But just as important as the AI model is the “harness.” This is typically not AI.

To an AI model, constraints are just things to get around and not general truisms about the world.

At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis.

Details:The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content.

The real malware begins after the comment with a try{eval(…)} wrapper around a large character-code array and a ROT-style substitution function.

In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.

YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still w…

The office of management and budget (OMB) disclosed a staggering 3,611 active or planned use cases for AI across the federal government.

The Department of Energy is testing the use of AI to control nuclear reactors, targeting a way to autonomously respond to potential nuclear safety incidents.

In some cases, like the HHS system, the AI might be enforcing alignment to a policy prescription that opponents abhor.

The use of predictive methods and statistics to assign prisoner security classifications goes back decades, even if such systems are often biased and ineffective.

What matters are the details of how the AI system is used, and here the inventory is severely lacking.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person.

The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects.

The…

Upcoming Speaking EngagementsThis is a current list of where and when I am scheduled to speak:The list is maintained on this page.

Posted on June 14, 2026 at 12:07 PM • 0 Comments

This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

Qurium said that immediately after that disruption, several dozen new domains were registered to serve as controllers for the Popa botnet, but that one of those control domains was not new: ninjatech[.]io.

Jérôme Meyer, a security researcher at Nokia Deepfield, said the total population of devices participating in the Popa botnet may be far higher than Lumen’s estimates.

“Over 90% of our pharmaceutical and food & beverage customers have queried residential proxy indicators.

…

This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.

According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was pr…

Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle.

“Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm,” Narang said.

Microsoft received heavily blowback on social media last month after it said in a blog post that it was considering taking legal action against the security researcher.

While 200 vulnerabilities may be a record for Patch Tuesday, the actual number of security flaws Microsoft addressed this month is far higher, said Rapid7’s Adam Barne…

On May 31, word began to spread on several Telegram instant message channels that Meta’s AI bot would happily add an email address to an existing account as part of the bot’s standard password reset flow.

Meta has not responded to requests for comment on the video’s claims, but the company reportedly did acknowledge the dormant Instagram account for the Obama White House was briefly compromised.

Meta’s solution was to deploy a conversational AI layer to handle common recovery workflows: relinking a lost email address, triggering a password reset, verifying account ownership.

Just like human customer support employees can be social engineered into providing unauthorized access to someone’s a…

But as KrebsOnSecurity observed in September 2025, those sanctions failed to target Stark’s remaining connection to the Internet — an Internet service provider based in the Netherlands called MIRhosting.

MIRhosting is operated by Andrey Nesterenko, a 39-year-old Russian native who runs the business out of the Netherlands.

And as our September 2025 report showed, WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad.

On top of that, WorkTitans was getting connectivity to the larger Internet solely through MIRhosting, where Zinad had worked previously.

“The transition to the.hosting was not intended to evade sanctions,” Nesterenko wrote.

The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure.

TruffleHog does this by monitoring a live feed that GitHub publishes which includes a record of all commits and changes to public code repositories.

In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, …

A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a.

“Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads.

Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage told KrebsOnSecurity he’s relieved Butler is in custody.

The DOJ said at least one of those services collaborated with Butler’s Kimwolf botnet.

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.

Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems.

“The available Git metadata alone does not prove which endpoint or device was used.”Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level.

CISA has not responded to questions about the p…

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code.

May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws.

But at the end of April, Oracle announced it was switching to a monthly update cycle for critical security issues.

Chrome automagically downloads available security updates, but installing them requires fully restarting the browser.

For a more granular look at the Microsoft updates released today, checkout this inventory by the SANS Internet Storm Center.

The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform.

Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance.

Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers.

For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs.

The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider.

But so-called “DNS reflection” attacks rely on DNS servers that are (mis)configured to accept queries from anywhere on the Web.

“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Nascimento said.

Nascimento flatly denied being involved in DDoS attacks against Brazilian operators to generate business for his company’s services.

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign.

That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan is the second known Scattered Spider member to plead guilty.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft.

Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities.

For example, a Google Chrome update released earlier t…

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today.

The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by …

Smashing Security, Episode 473: How a Hacker Could Have Rickrolled the Entire World.

You think, oh, hang on, they're going to ask me for a password or they're going to ask me for something like that.

Yeah, we'll take that money from under your bed and store it in a safety deposit box that you don't know where it is.

We saw a huge number of CVEs last year and with Mythos and the Frontier models, we think that's going to continue to spike.

So the blast radius of these IT service providers is really, really big.

Somebody had broken into Brazil's national Civil Defence alert system and used it to send fake "Extreme Alert" notifications - the most severe category, normally reserved for warnings of imminent natural disasters - to mobile phones across at least five states, including São Paulo, Rio de Janeiro, and the Federal District.

In a statement posted on social media, Brazil's National Civil Defence confirmed that it had pulled the alert platform offline at 1:30am following the compromise.

National Secretary of Protection and Civil Defence Wolnei Wolff confirmed that the attackers managed to regain access after an initial attempt to block them from accessing the system.

Emergency alert systems wor…

Hide My Email is a privacy feature that lets users create unique, random email addresses that forward messages to your real inbox.

That means you can sign-up for websites, newsletters, and apps without exposing your personal email address.

The problem is, however, that one of the reasons that Hide My Email worked so well was because its aliases were indistinguishable from regular iCloud email addresses.

All any website or app that wants to block anonymous sign-ups now has to do is to reject any email address ending in "@private.icloud.com".

For now, if you already have existing Hide My Email addresses in use, they should continue to work without any changes on your part.

Someone is pretending to be your bank, your government, or your local planning office. And according to the FTC, they're making billions doing it. Read more in my article on the Fortra blog.

Which is the connection between your AI agent and Sentry.

And when your AI agent reads data back from one of those services, it treats it as trusted and authoritative.

And so the AI agent does what agents are supposed to do.

But if an attacker can plant text somewhere that your AI agent will read, it's possible that your AI agent will act upon it, and that may not be good.

And then whenever AI wants to access something, AI has to give a reason — why do I want that?

The US state of Maine has taken its public data breach notification portal offline after someone submitted fraudulent breach disclosures impersonating two well-known technology companies.

As Bleeping Computer reported last week, fraudulent data breach disclosures were submitted to Maine's official breach portal and publicly posted before their legitimacy could be verified, prompting the named companies to deny the claims.

However, somewhat more convincing was a fake breach notice that targeted the multiplayer social virtual reality platform VRChat.

It appears that the abuse of the system was possible because the Maine data breach reporting system lacked a proper verification mechanism.

Anyo…

According to media reports, a security blunder carelessly leaked the passport details of every player in Argentina's World Cup squad ahead of Tuesday's warm-up friendly against Iceland.

But why are passport numbers on a World Cup team sheet at all?

Under FIFA regulations, teams must provide passport numbers around an hour before a match kicks off.

So the passport numbers belong in the information handed to the referee.

Before releasing any document containing sensitive data, verify that the data has actually gone - not just covered up.

Most extortion gangs hide behind a keyboard. Silent Ransom Group will phone your staff pretending to be IT support - and if that fails, send someone to your office in person to plug in a USB stick. Read more in my article on the Fortra blog.

Yeah, I've decided I should actually know something about technology after about 15 years of covering it.

This week I'm talking about helpful AI, maybe too helpful AI, which is the Meta AI, which seems to have been giving anyone who asked nicely anyone else's password.

And continuing the AI theme, I'm going to be talking about an AI worm that appears to think for itself.

I think I'm not going to cry with offense if you say that.

You're going to spend the money and you've got the money to spend.

Evanston Township High School (ETHS), located approximately 14 miles north of Chicago, says it was hit by a ransomware attack on Sunday, June 7 2026.

No ransomware group has claimed responsibility for the attack against ETHS, and it is not known if any personal data has been exfiltrated by cybercriminals.

The sad truth is that schools are attractive targets to cybercriminals.

And, as is demonstrated by the closure of ETHS, schools often rely upon networked systems for everything from the platforms used to teach pupils to providing physical access controls.

Meanwhile, schools don't just face serious threats from organised criminal gangs but also from within their own walls.

If you've ever received an out-of-the-blue message via LinkedIn from a recruiter offering some well-paid consultancy work, intelligence agencies have a message for you: be very careful.

According to the bulletin, entitled "Safeguarding Our Secrets", Chinese intelligence officers - or third parties acting on their behalf - are posing as employees of private consultancies, think tanks, and HR firms.

According to the intelligence agencies, targets do not need security clearances to be of use to Chinese spies.

Western agencies warn that just submitting a CV containing your employer history, specialist knowledge, and details of professional contacts has am intelligence value.

The Five Eyes intel…

Hackers have been hijacking Instagram accounts at scale by exploiting Meta's AI support chatbot. And, as if that weren't bad enough, the technique required no technical skill whatsoever. Read more in my article on the Fortra blog.

This AI security flaw might be impossible to fix with Graham Cluley and special guest Tanya Janca.

Yeah, I've done some work with them in the past and they're actually sponsoring this episode of the podcast.

Turns out some quiet little permission that crept wider over 3 years, a policy exception that nobody had reviewed, the kind of thing that's invisible until it isn't.

I don't know if that was also exposed on the WebBucket, but yeah, it's additional information though, isn't it?

And I used to work at the Canadian Revenue Agency, so I know they're not following the policy because I wrote it.

Dutch police have arrested a 35-year-old man suspected of hacking into the computer systems of Amsterdam football giant Ajax, after the personal data of hundreds of thousands of supporters was put at risk.

However, it quickly emerged that the claim of a "few hundred" potential victims was wide of the mark, as it was reported that the incident could have exposed the personal details of around 300,000 registered Ajax supporters.

In short, the number of supporters whose details were exposed was around 1000 times larger than the club's initial estimate.

Ajax says that it has worked with external experts to patch the vulnerabilities, and has strengthened its security.

It is easy to imagine that …

The Play ransomware gang is claiming to have stolen data from US pillow manufacturer MyPillow, making off with private and personal confidential data.

The company denies it has been hit, and the Play ransomware gang claims otherwise.

The truth is likely to emerge quickly, as the deadline for payment listed by Play on its leak portal is reached tomorrow.

We'll know soon enough whether Friday's payment deadline from the Play ransomware group brings a data dump or a quiet anticlimax.

One thing is certain - ransomware gangs target anyone they think might pay, and strong defences are needed by all organisations.

В частности, опасность может скрываться в GitHub Actions, сценариях автоматизации, позволяющих создавать пайплайны непрерывной интеграции и доставки (CI/CD).

Ошибки и мисконфигурации в них периодически используются злоумышленниками в реальных атаках.

Да, она тоже началась с компрометации мейнтейнера популярного проекта, но распространяемый в ходе этой кампании зловред похищал секреты, именно используя недочет в GitHub Actions.

Как оставаться в безопасностиМисконфигурации в GitHub Actions потенциально могут превратить пайплайны разработки в инструменты злоумышленников, позволяющие скомпрометировать среду разработки или атаковать инфраструктуру компании.

С его помощью наше решение может выявл…

Однако очевидно, что краеугольным камнем стратегии информационной безопасности остаются решения для защиты конечных точек.

Мы предлагаем при выборе EPP-решения отталкиваться не от возможностей продуктов, а от конкретных нужд вашей компании.

Отметьте пункты, которым должно соответствовать решение для защиты конкретно вашей инфраструктуры, и вам будет гораздо проще определиться с выбором.

Для перехода от EPP к EDR или MDR ключевым условием является единое решение, умеющее одновременно выполнять функции и EPP-, и EDR/MDR-агента, а также единая консоль управления.

В Kaspersky Security для бизнеса реализованы передовые защитные технологии, включая машинное обучение, поведенческий анализ, защиту …

Как защитить свой аккаунт в TelegramЧто делать, чтобы защитить свой аккаунт в Telegram от подобных схем угона?

Если вы подозреваете, что стали жертвой подобного стилера или других махинаций злоумышленников, как можно скорее завершите все сессии в Telegram: Настройки → Устройства → Активные сессии → Завершить другие сеансы.

Почему так — мы подробно рассказывали в материале Что делать, если взломали аккаунт в Telegram, перечислив в нем все способы восстановления доступа к своей учетной записи.

Во-первых, необходимо установить облачный пароль для Telegram в разделе Настройки → Конфиденциальность → Облачный пароль.

Наш менеджер паролей кроссплатформенный, поэтому войти в Telegram с использовани…

Скомпрометированная версия израильского браузера Hola для Windows (1.251.91.0) загружала на устройства пользователей криптомайнер для добычи криптовалюты Monero.

Исследователи обнаружили признаки компрометации браузера Hola в рамках процесса сертификации AppEsteem Windows Certified Application.

}exe показало, что в нем скрывался криптомайнер для добычи криптовалюты Monero.

Как злоумышленники использовали Hola Browser для майнинга MoneroКриптомайнеры — это программы, которые используют вычислительные возможности компьютера для добычи криптовалюты.

Как мы уже сказали выше, в случае заражения Hola Browser на устройства жертв загружался криптомайнер для добычи криптовалюты Monero.

Ставка на проигрышВо время чемпионата мира предсказания результатов матчей и «ставки на спорт» становятся особенно популярны — чем активно пользуются злоумышленники.

Это еще и рекордные продажи коллекционной атрибутики — наклеек, шарфиков, формы сборных, официальных мячей турнира и так далее.

На скриншоте выше злоумышленники предлагают заплатить 67 евро за коллекцию наклеек, но на маркетплейсах такой же набор обойдется как минимум вдвое дороже, а на официальном сайте Panini — втрое.

Конечно, товар вы не получите и потеряете не только деньги, но и реквизиты банковской карты.

Установите Kaspersky Premium — приложение убережет вас от зловредов, фишинга, спама, переходов на вредоносные и поддел…

Фундаментальные проблемы автономного SOC: за пределами ИИХотя использование ИИ для анализа данных и принятия решений в SOC звучит как логичная и относительно несложная в реализации идея, попытка ее внедрить ставит и обостряет проблемы, с которыми организации столкнулись при внедрении SIEM, XDR и SOAR:Качество исходных данных.

Даже когда роль ИИ сводится к предварительному сбору данных и рекомендациям, аналитики зачастую не доверяют данным и тратят время на их повторный сбор и анализ.

В SOC и ИБ в целом всегда есть плохо документированная информация: бизнес-контекст, коллективные знания и другие данные, которые помогают верно оценивать оповещения и инциденты.

Проблемы ИИ, критичные для SOCКр…

Хотя она и изолирована, но записываются эти данные в итоге на тот же SSD, с которым также работают прочие программы и веб-сайты.

Оказалось, что если вредоносная страница постоянно обращается к SSD, по задержкам при доступе к данным можно определить, что еще происходит на ПК.

Допустим, на SSD имеется достаточно большой файл, наполненный случайными данными.

Комбинация всех особенностей атаки объясняет ее название: FROST расшифровывается как Fingerprinting Remotely using OPFS-based SSD Timing, то есть удаленное наблюдение над SSD с использованием технологии OPFS.

Впрочем, суть атаки FROST не в передаче данных, а в слежке за активностью пользователя.

Злоумышленники внедряют в установочные файлы игр троян удаленного доступа под названием Argamal.

Рассказываем, как не стать жертвой нового трояна — и как безопасно и максимально анонимно смотреть пикантный контент с аниме-девочками (или без).

В другой ситуации это, наверное, сложно было бы назвать неприятной характеристикой, но Argamal, к сожалению, троян не из «скорострелов».

Через три дня компьютер подключается к GitHub, скачивает зашифрованный файл, расшифровывает его и превращает в рабочий модуль трояна.

Именно поэтому мы рекомендуем хранить пароли не в текстовых файлах, а в зашифрованном контейнере менеджера паролей.

Как выявить и ограничить использование Claude и Claude CodeДетектирование: анализ на NGFW или веб-фильтре трафика к claude.ai, anthropic.com, *.anthropic.com, api.anthropic.com.

Защита: на уровне NGFW/веб-фильтра заблокировать доступ к категории «ИИ-сервисы», на уровне DNS перенаправить трафик вышеуказанных доменов Anthropic, с помощью политик браузера заблокировать различные расширения, дающие доступ к Claude.

Защита: на уровне NGFW/веб-фильтра заблокировать доступ к категории «ИИ-сервисы», на уровне DNS перенаправить трафик вышеуказанных доменов.

Защита: на уровне NGFW/веб-фильтра заблокировать доступ к категории «ИИ-сервисы», на уровне DNS перенаправить трафик вышеуказанных доменов DeepS…

У Павла Дурова и его «приватного» мессенджера появился новый конкурент, и это — барабанная дробь — Илон Маск и его сервис XChat.

Все описанные выше сложности с PIN-кодом в XChat, на самом деле, имеют под собой своеобразное основание.

Напомним, что, в отличие от WhatsApp и Signal, разработчики XChat решили хранить приватные ключи пользователей на своих серверах.

Так что в итоге с XChat?

И, конечно, хранить его, как и любые другие пароли, следует не в заметках, а в надежном менеджере паролей.

Отключение при помощи политик: в Admin Center пройти в раздел Settings → Integrated Apps, найти Copilot в списке Available Apps, выбрать Block.

Как отключить панель Copilot в EdgeДетектирование: на уровне NGFW или других сетевых журналов искать обращение к ресурсам copilot.microsoft.com, bing.com/chat, edgeservices.bing.com.

Блокировка с помощью политик: в панели управления: Apps → Additional Google services → Gemini app: OFF.

Блокировка с помощью политик: в корпоративных политиках Chrome необходимо установить: GenAILocalFoundationalModelSettings = 0, HelpMeWriteSettings = 2 (отключено), TabOrganizerSettings = 2, CreateThemesSettings = 2, DevToolsGenAiSettings = 2.

Как отключить Apple Intel…

Мы исследовали более 84 500 общественных точек доступа Wi-Fi в Мехико, Гвадалахаре и Монтеррее — и нам есть что вам рассказать об их безопасности.

Что и как мы исследовалиПройтись пешком по Мексике в поисках публичных Wi-Fi-точек было бы сложновато, хотя ради аналогичного исследования безопасности Wi-Fi в Париже мы именно так и поступили (кстати, ознакомиться с его результатами можно в материале Безопасен ли парижский Wi-Fi?).

Выяснилось, что WPS включен почти у половины (47%) точек доступа в Мехико, у 43% — в Гвадалахаре и 41% — в Монтеррее.

Поэтому наиболее безопасным вариантом станет использование сотовой связи для доступа в Интернет — и никакой Wi-Fi не понадобится.

О том, как это сдела…

Конкретные примеры современных вредоносных кампанийНесмотря на эти изменения, наши эксперты продолжают активно отслеживать новые вредоносные кампании и реагировать на современные угрозы.

Наши технологии зарегистрировали более тысячи вредоносных писем почти идентичной структуры, разосланных организациям из госсектора, строительной и промышленной отраслей, что прямо указывает на автоматизацию проводимых атак.

Примечательно, что в качестве резервного командного сервера загрузчик обращается к Solana Name Service, децентрализованному блокчейн-реестру, что существенно затрудняет блокировку инфраструктуры.

Обе группы активно применяют PowerShell-нагрузки и нацелены на российский госсектор, что ука…

Как настроить интеграцию Kaspersky Scan Engine c F5 BIG IP LTMНастройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

Как настроить интеграцию Kaspersky Scan Engine c NextcloudНастройка Kaspersky Scan EngineKaspersky Scan Engine должен работать в режиме HTTP.

Как настроить интеграцию Kaspersky Scan Engine c Hitachi NAS Platform 13.9Настройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

Как настроить интеграцию Kaspersky Scan Engine c RspamdНастройка Scan EngineKaspersky Scan Engine должен работать в режиме HTTPD.

Как настроить интеграцию Kaspersky Scan Engine c ARA JAGUAR 5000Настройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

В последнее время злоумышленники активно используют для фишинговых атак платформу Google AppSheet: через нее можно настроить почтовую рассылку, которая отправляется c почтового адреса, связанного с Google.

К сожалению, именно эта простота делает AppSheet привлекательным и для злоумышленников.

Ниже показано, как выглядит типичный путь от получения письма от якобы «карьерного портала Google» до кражи данных аккаунта:Аналогичные письма приходят от имени и других IT-гигантов.

Прежде всего смотрите не на отображаемое имя, а на адрес отправителя.

Куда более вероятно, что вы получите легитимную AppSheet-рассылку от имени небольшой компании или бизнеса, но уж точно не от IT-гигантов.

If you’ve ever troubleshot a complex workflow run, you know the drill: click into actions, expand inputs and outputs, scan logs, backtrack, repeat.

We’ve just released Workflow Run Summaries in Cisco XDR Automate: an on-demand, AI-generated summary that explains what happened during a workflow execution, where things went wrong, and why that matters, without forcing you to manually inspect every step.

What the feature doesWith a single click on “Generate Run Summary”, Cisco XDR Automate analyzes a completed workflow run and produces a concise, human-readable explanation of its execution.

Why this matters, especially for Agentic AIAs XDR Automate Workflows are increasingly triggered by Agent…

It is the hardest attack category in email security — for any vendor, any product, any architecture.

This balance — 98% threat detection alongside zero hard false positives — is what the 94% Total Accuracy Rating reflects.

What Independent Validation Means for Your Security StrategyEvery email security vendor publishes detection rates.

Read the full report for more insight into ETD’s comprehensive email security capabilities.

All performance data sourced from the SE Labs Advanced Security Test Report — Email (Protection), Cisco Secure Email Threat Defense, May 2026 (v1.0).

Caption: MCP integrations exposed to the local AI workflow for SOC investigation contextAt this stage, the system was already useful.

Caption: OpenClaw using the local Ollama model backend instead of an external model providerThe distinction is important.

I installed DefenseClaw alongside the OpenClaw environment, to add inspection and audit visibility around the agentic AI workflow.

Sending DefenseClaw events into Splunk made the AI workflow feel more operational and less experimental.

At Black Hat Asia, this became a practical way to explore what private AI for SOC workflows could look like.

Cisco has been a long-standing partner in securing Black Hat conferences worldwide, providing the critical network infrastructure that ensures safe connectivity for all attendees.

At Black Hat Asia 2026, we continued this tradition while introducing significant enhancements to our security capabilities through innovative integrations.

Resource ConnectorCisco Secure Access Resource Connector was deployed to provide secure remote access to critical systems.

Resource Connector solves this problem by creating secure path to the target, which is accessible from public URL generated by Secure Access platform.

Check out the other blogs from our team at Black Hat Asia 2026.

As is tradition at every Black Hat conference, Day 1 winds down with a quick reality check – what’s done, what’s broken, and what absolutely needs to go live by tomorrow.

Corelight traffic and detections were already flowing into Cisco XDR using OCSF-based ingestion built at Black Hat Europe 2025.

That’s the lesson Black Hat reinforces every time:Progress accelerates when you ask the right person the right question.

Check out the other blogs from our team at Black Hat Asia 2026.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

Cisco celebrates our 10th year building and safeguarding the network for Black Hat Asia in Singapore.

We work with other official providers to bring the hardware, software and engineers to build and secure the Black Hat Asia network: Arista, Corelight, Jamf, MyRepublic and Palo Alto Networks.

Since 2017, Cisco has protected the Black Hat Asia network, beginning with automated malware analysis using Threat Grid.

Unveiling the Power of Integration: XDR, Splunk, Corelight, Arista and Palo Alto Networks in Action at Black Hat AsiaUplevelling Black Hat Threat HuntersCisco Secure Access with MCP Infrastructure at Black Hat Asia 2026The Essence of Black Hat – Collaboration with PartnersBlack Hat A…

One of the first things we notice walking into the Black Hat NOC/SOC to help setup was that no one cared about who you worked for.

That goal being to discover and protect Black Hat from attacks both internally and externally.

High Score, Low Threat: A 60-Second Triage StoryThe new agentic capabilities in Cisco XDR were enabled in our Black Hat tenant – and they didn’t disappoint.

Check out the other blogs from our team at Black Hat Asia 2026.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

The Black Hat server owners confirmed the Apache version was fully patched, ensuring no impact to Black Hat assets.

Cisco XDR correlated events and enriched them with Talos and other third-party threat intelligence feeds, confirming the issue and assigning priority.

An attendee was seen accessing a custom application hosted in their home country from the Black Hat network.

AI Reasoning AnalysisDrilled deeper into the AI reasoning behind the Cisco XDR storyboard findings.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

It was designed to be useful whether you had a team of 500 security analysts or a single IT person wearing multiple hats.

The new mathBefore Mythos and other frontier large language models (LLMs), the vulnerability lifecycle had a rhythm that most security teams had internalized.

It also means you need incident response capability for when prevention fails.

When everything has been tested and still was not enough, emergency incident response is the capability that gets you from compromised to recovered.

Because they operate at a layer of the security stack that is independent of how fast vulnerabilities are discovered.

That is why I am excited to share that Cisco SASE with Meraki is now generally available.

You keep the Meraki experience you know, then connect it to Cisco Secure Access for cloud-delivered Security Service Edge (SSE) protection.

What We BuiltCisco SASE with Meraki connects Meraki SD-WAN sites to Cisco Secure Access, Cisco’s cloud-delivered SSE solution.

With Cisco SASE with Meraki, Meraki AutoVPN can automatically establish secure primary and backup tunnels between enrolled MX sites and Cisco Secure Access.

Cisco SASE with Meraki gives Meraki customers a fast, secure, and resilient approach to bring SD-WAN traffic into Cisco Secure Access.

This is the shift from access control to action control.

To move from access control to action control, Agent Gateway will help answer five questions before a request is allowed to proceed:Who is the agent?

With Agent Gateway, Cisco extends these capabilities into the agentic workflow.

Duo will identify the agent process itself using Duo identity, extending naturally from user MFA to agent and non-human identities.

Duo will identify the agent process itself using Duo identity, extending naturally from user MFA to agent and non-human identities.

Why we are changing our cadenceThe fundamental scale of vulnerability discovery has shifted.

Seven days before each release, PSIRT will publish the list of technologies and platforms included in that drop.

Cisco PSIRT will provide ‘bundled’ CVEs (Common Vulnerability Exposures) tied to CWE categories (Common Weakness Enumerations).

If a finding is being addressed in a scheduled release, upgrading should negate the need to implement corner-case mitigations that do not scale.

The Cisco PSIRT is the gold standard for vulnerability disclosure and will drive this revolution – with significantly expanded tooling and cadence built for the new rate of discovery.

The National Institute of Standards and Technology (NIST) finalized its first PQC standards in 2024.

Cisco’s Quantum Resilience FrameworkCisco has developed a framework to articulate multiple levels of quantum resilience – each representing distinct capabilities designed to respond to new and emerging threats to confidential communication and product integrity.

It gives organizations a foundation as they progress toward more complete levels of quantum resilience.

Level 3 extends quantum resilience into identity and attestation.

Together, these levels give customers a practical way to evaluate quantum resilience.

Secure agents as digital workersThe second imperative is to secure the agents now entering the enterprise.

At Cisco Live, we are taking the next step by making DefenseClaw enterprise-ready and integrating it into Cisco Secure Client.

Context provided by the network is what allows security teams to understand behavior, enforce trust, and respond with confidence across domains.

That is how Cisco is helping customers become more resilient—and helping security teams protect, detect and respond with confidence in the agentic era.

Ask a question and stay connected with Cisco Security on social media.

]info Domain C2 domain recstrace[.

]info Domain C2 domain heliosup[.

]info Domain C2 domain fairyspells[.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Microsoft’s recognition as a Leader in The Forrester Wave™: Endpoint Management Platforms, Q2 2026 report reflects that shift—and the role Microsoft Intune plays in helping organizations manage what’s next.

Figure 1: Forrester Wave showing Microsoft in a Leader position for both strength of offering and strategyWhy Microsoft Intune is a leader in endpoint managementThe Forrester Wave™ Endpoint Management Platforms, Q2 2026 report includes eight endpoint management platform providers, assessed across current offering, strategy, and customer feedback.

Full details are in our announcement blog: Microsoft 365 adds advanced Microsoft Intune solutions at scale.

Bookmark the Microsoft Intune blog …

Organizations now require platforms that can:Correlate posture, runtime, identity, and data signals.

Learn moreRead Frost & Sullivan’s 2026 Frost Radar™ for Cloud-Native Application Protection Platforms (CNAPP) to see how leading vendors are evaluated—and how the category is shifting toward unified cloud risk operations platforms.

Explore Microsoft cloud security solutions to see how unified posture management, risk prioritization, and protection across the application lifecycle can help reduce cloud risk.

Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news an…

Indicators of compromiseIndicator Type Description 8f32456359f209a63adfd24b94235e1727382ac7f7bb7f2bcaf754e721925b64 SHA-256 StealC 0215f734867bd71c57ff5c524d8cc670be5b4f1861b2c390cf46d18784a53624 SHA-256 StealC 2a0f053855da59b3b56812e580d7baeba59fc9493694722aa9e3f121ee3363f1 SHA-256 StealC 977b33a9b481cf714946b7d386865cd5d284312aa5ecfa0546c197b1003e1bde SHA-256 StealC b7d1f172ff3feafe65d47fd1cbe0cc249316371ae0e1cbe3a7c741c738b3353d SHA-256 Amadey 5.87 9383572a30ae5b76fadd0700fbd7a1aa7b05d0b6c8f9cdaef9b30a3e1f65d57d SHA-256 Amadey 5.86 5f5b25b2e35d404034d0d60975cf1ffbc6f141761ec3f4f15d6f7c6213a056f6 SHA-256 Amadey 5.80 98e504cc7125b79eda5491f40b998605a05f4cd968b961aab4cce7beb074fefe SHA-256 …

AI memory transforms an AI system from a stateless tool into a learning collaborator.

What AI memory is (and why it matters)AI systems use memory to retain and recall information across interactions.

Since AI memory attacks happen outside of their original context, defenses are often lower and forensics are harder.

Building safe AI memory is one of the most consequential challenges in AI.

Our AI memory strategy is guided by design principles for building safe memory systems.

Once inside, the threat actor shifted focus to persistence and control.

As DART correlated activity across the environment, investigators uncovered signs of a second, unrelated threat actor operating in parallel.

DART moved quickly to contain the active intrusion involving multiple threat actors and stabilize the environment, activating a structured response playbook focused on limiting threat actor impact and restoring control.

Continuous coordination with the customer, including daily briefings, ensured that containment actions were timely, aligned, and effective in reducing further threat actor movement.

Today’s modern cyberattacks can quickly evolve beyond a single incident-blending tac…

It does not block JavaScript that is rendered by a headless browser owned by an AutoGen agent on the same machine.

This work informs guidance for developers and detections for defenders across Microsoft Defender, Microsoft Defender for Cloud, Microsoft Entra and Microsoft 365.

Customers using Microsoft Defender, Microsoft Defender for Cloud, and Microsoft Entra can use these controls to detect, contain, and investigate related activity.

This work informs guidance for developers and detections for defenders across Microsoft Defender, Microsoft Defender for Cloud, Microsoft Entra and Microsoft 365.

Customers using Microsoft Defender, Microsoft Defender for Cloud, and Microsoft Entra can use t…

This year, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study for our AI-first, end-to-end security platform.

What end-to-end security deliversBased on in-depth interviews with a survey of 362 customers and 11 security decision-makers using Microsoft Security solutions, the Forrester study revealed the impact of consolidating with Microsoft Security.

Security for AI – New solutions like Microsoft Agent 365 with foundations of Microsoft Security, extend identity, governance, and control to AI agents, so customers can adopt them with confidence.

AI for Security – Microsoft Security Copilot, together with Microsoft Defender, Entra and Purview provides A…

Microsoft Threat Intelligence observed a large-scale npm supply chain attack affecting 140+ packages across the mastra and @mastra scopes on the npm registry.

Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Microsoft Defender XDR provide detections and hunting coverage for suspicious Node.js execution, malicious package behavior, reflective code loading, persistence activity and command-and-control communication.

The easy-day-js dependency was not present in any prior versions of mastra npm packages.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

Advanced huntingThe following KQL queries can be used …

Clipper malware relies on stealing clipboard data and parsing it for valuable assets.

Additionally, Microsoft Defender Antivirus detects this crypto clipper as Trojan: Win32/CryptoBandits.A.

A file named “cfile” is created on the infected system as an output for payload hosted on the C2 domain.

Private Key extractionThe crypto clipper also detects cryptocurrency keys for both Ethereum and Bitcoin WIF.

Initial AccessT1091 Replication Through Removable MediaExecutionT1059 Command and Scripting Interpreter | EVAL-driven remote code execution from server taskingDiscoveryT1057 Process Discovery | Task Manager check used as an anti-analysis gatePersistenceT1053.005 Scheduled Task/Job | Scheduled …

Clipper malware relies on stealing clipboard data and parsing it for valuable assets.

Additionally, Microsoft Defender Antivirus detects this crypto clipper as Trojan: Win32/CryptoBandits.A.

A file named “cfile” is created on the infected system as an output for payload hosted on the C2 domain.

Private Key extractionThe crypto clipper also detects cryptocurrency keys for both Ethereum and Bitcoin WIF.

Initial AccessT1091 Replication Through Removable MediaExecutionT1059 Command and Scripting Interpreter | EVAL-driven remote code execution from server taskingDiscoveryT1057 Process Discovery | Task Manager check used as an anti-analysis gatePersistenceT1053.005 Scheduled Task/Job | Scheduled …

This month’s set of discoveriesThe measure of any security system is what it catches.

Several findings involve high-severity remote code execution vulnerabilities in core infrastructure layers that are difficult to scrutinize using manual approaches alone.

We analyzed which pipeline stage contributed to each miss:Scan stage: 8 cases (15.4%), failed to identify the intended finding.

Bookmark the Security blog to keep up with our expert coverage on security matters.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

This month’s set of discoveriesThe measure of any security system is what it catches.

Several findings involve high-severity remote code execution vulnerabilities in core infrastructure layers that are difficult to scrutinize using manual approaches alone.

We analyzed which pipeline stage contributed to each miss:Scan stage: 8 cases (15.4%), failed to identify the intended finding.

Bookmark the Security blog to keep up with our expert coverage on security matters.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

We are excited to share that Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026.

Microsoft also received the highest possible scores across the current offering criteria of identity detection, cloud detection, SIEM replacement, Threat Intelligence, Threat hunting, Administrative controls, and Training.

Microsoft Threat Intelligence is built on a broad vantage point, analyzing 100 trillion signals each day.

Microsoft Security Copilot alert triage agent: Security Copilot agents in Defender help security operations center (SOC) teams investigate faster, automate response, and prioritize high-risk cyberthreats.

Also, follow us on LinkedI…

We are excited to share that Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026.

Microsoft also received the highest possible scores across the current offering criteria of identity detection, cloud detection, SIEM replacement, Threat Intelligence, Threat hunting, Administrative controls, and Training.

Microsoft Threat Intelligence is built on a broad vantage point, analyzing 100 trillion signals each day.

Microsoft Security Copilot alert triage agent: Security Copilot agents in Defender help security operations center (SOC) teams investigate faster, automate response, and prioritize high-risk cyberthreats.

Also, follow us on LinkedI…

Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content.

Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic.

(Source: GitHub/swisskyrepo)When searching for prompt injections naively, the majority of detections are benign content – false positives in our case.

Malicious: ExfiltrationWe were able to observe a small number of prompt injections that aim at theft of data.

Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities.

Following our previous discussion on "Deploying Rust in Existing Firmware Codebases", this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware.

Hook-up Rust to modem firmwareBefore building the Rust DNS library, we defined several Rust unit tests to cover basic arithmetic, dynamic allocations, and FFI to verify the integration of Rust with the existing modem firmware code base.

Pixel modem firmware already has a well-tested and specialized global memory allocation system to…

This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.

Session theft typically occurs when a user inadvertently downloads malware onto their device.

Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server.

How DBSC WorksDBSC protects against session theft by cryptographically binding authentication sessions to a specific device.

The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the correspondi…

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.

In our previous blog “Mitigating prompt injection attacks with a layered defense strategy”, we reviewed the layered architecture of our IPI defenses.

Synthetic data generationAfter we discover, curate, and catalog new attacks, we use Simula to generate synthetic data expanding these new attacks.

We partition the synthetic data described above into separate training and validation sets to ensure performance is evaluated against held-out examples.

This process leverages the newly generated synthetic attack data described on this blog, to create a robust, end-to-end evalu…

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.