Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence agencies warned Tuesday. "These attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 1:00 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Artificial Intelligence (AI) company Anthropic announced a new cybersecurity initiative called Project Glasswing that will use a preview version of its new frontier model, Claude Mythos, to find and address security vulnerabilities. The model will be used by a small set of organizations, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike,&
The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. [...]
Microsoft has pushed a server-side fix for a known issue that broke the Windows Start Menu search feature on some Windows 11 23H2 devices. [...]
Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. [...]
Latest
Wednesday, April 8
i've spent a long time in security training and awareness space, and there's a growing gap between how deepfake attacks are being taught and how they're actually being used in the wild .. From what I have seem .. most awareness content around deepfakes is still slides and theoretical examples .. part of the reason is that actually demonstrating a live deepfake is hard since you need a GPU or powerful hardware to run the face swap .. and becuse most endusers / securitty teams don't have a GPU lying around ... demonstrating a realtime deepfake never happens and people never really feel how real this has become .. So I built a cloud based real time deepfake service that lets anyone experience a deepfake of themselves directly in the browser. Would genuinely value feedback from this community .. Also, in the coming weeks I'll be launching a free deepfake documentary maker that lets users generate a custom training video where their own deepfake identity becomes part of the educational content (both audio and video). Happy to share more on that when it's ready.
Hey folks, This week we released what we think is the most comprehensive and easy way to detect every trace of AI in codebases, including specific models, libraries, MCP servers and API keys. It's called AI Inventory and it was built for a few (good) reasons. Some of them may be obvious to you. If not, you're invited to click through to read why this was one of our most requested features in recent times and to see how it works in detail.
ChipSoft's website remains down but emails are functioning A Dutch healthcare software vendor has been knocked offline following a ransomware attack, officials say.…
The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and
Brandefense Q4 2025 Ransomware Trends Report — 2,373 incidents, 125 groups, CVE exploitation breakdown
Hi r/netsec community, Q4 2025 data, monitoring dark web leak sites and criminal forums throughout October–December 2025. Numbers: \- 2,373 confirmed victims \- 125 active ransomware groups \- 134 countries, 27 industries Group highlights: \- Qilin peaked at 481 attacks in Q4, up from 113 in Q1 \- Cl0p skipped encryption entirely in most campaigns — pure data theft + extortion via Oracle EBS and Cleo zero-days \- 46.3% of activity attributed to smaller/unnamed groups — RaaS commoditization is real CVEs exploited this quarter (with group attribution): RCE: \- CVE-2025-10035 (Fortra GoAnywhere MFT) — Medusa \- CVE-2025-55182 (React Server Components) — Weaxor \- CVE-2025-61882 (Oracle E-Business Suite) — Cl0p \- CVE-2024-21762 (Fortinet FortiOS SSL VPN) — Qilin Privilege Escalation: \- CVE-2025-29824 (Windows CLFS driver → SYSTEM) — Play Auth Bypass: \- CVE-2025-61884 (Oracle E-Business Suite) — Cl0p \- CVE-2025-31324 (SAP NetWeaver, CVSS 10.0) — BianLian, RansomExx Notable: DragonForce announced a white-label "cartel" model through underground forums. Operations linked to Scattered Spider suggest staged attack chains — initial access and ransomware deployment split between separate actors. Full report [brandefense.io/reports/ransomware-trends-report-q4-2025/](http://brandefense.io/reports/ransomware-trends-report-q4-2025/)
Two practice web addresses appear to have been compromised Multiple domains belonging to Scottish healthcare providers have been hijacked and are now pushing links to adult content and illegal sports streams, according to a researcher.…
Artificial Intelligence (AI) company Anthropic announced a new cybersecurity initiative called Project Glasswing that will use a preview version of its new frontier model, Claude Mythos, to find and address security vulnerabilities. The model will be used by a small set of organizations, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike,&
The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated
Reverse-engineered the Whoop 4.0 BLE protocol — CRC-32 with non-standard polynomial, 96-byte real-time data packets
[CVE-2026-34980](https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf) and [CVE-2026-34990](https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp)
Microsoft has pushed a server-side fix for a known issue that broke the Windows Start Menu search feature on some Windows 11 23H2 devices. [...]
In Telegram groups, men are sharing thousands of nonconsensual images of women and girls, buying spyware, and engaging in doxing and sexual abuse.
President Brad Smith tells an interviewer that Microsoft is reconsidering datacenter design in light of Iran war Microsoft is reevaluating how it designs and builds datacenters in conflict-prone regions after Iran began targeting Middle Eastern bit barns in retaliation for US military operations.…
I am working through the publicly available MITRE ATT&CK Evaluations APT29 dataset from OTRF Security-Datasets, ingested into Splunk Free tier on Windows 10. The dataset contains 196,071 events across 165 unique EventIDs covering a full APT29 Day 1 adversary simulation. **What I confirmed** * Initial access at 22:57:12 via cod.3aka3.scr executing from C:\\ProgramData\\victim. * Full execution chain confirmed via ProcessID 2976 with 546 events across 15 EventIDs * Steganographic payload execution at 22:58:44: PowerShell loaded monkey.png from Downloads folder and extracted payload using System.Drawing.Bitmap and GetPixel to read pixel data. T1027.001 * Scheduled task persistence: task named \\CYAlyNSS created in root task path. T1053.005. * Timestomping in EventID 2: CARNYB.tmp file creation time changed from 2:58:44 to 2:44:15, a backward shift of approximately 14 minutes and 29 seconds. T1070.006. * ProcessGuid pivot from the timestomped file revealed 257 events across 8 EventIDs in one millisecond, showing the complete implant setup routine in a single burst including 98 DLL loads and 148 registry operations. * Credential access confirmed in EventID 10. * Certificate store manipulation in EventID 12. * EventID 13: PowerShell setting registry values including binary data and DWORD values in 11 events. * C2 confirmed in EventID 3 and 5156: BackgroundTransferHost connecting to \*.\*.\*.\* on port 443 via BITS abuse at 22:59:23. T1197. * Lateral movement confirmed: PsExec connecting from \*.\*.\*.\* to \*.\*.\*.\* on port 135 at 23:18:00. Same user account, different machine. T1021.002. * Collection and cleanup: rar.exe and sdelete.exe created by python process. **IOCs confirmed:** 23.56.173.48 on port 443, primary C2 via BITS. 72.21.91.29 on port 80, secondary C2. 23.98.151.170 on port 443, possible third C2. 192.168.0.4 on port 8443, internal relay. 192.168.0.5 on port 443, dropper initial contact. 10.0.1.6, lateral movement target. **Content published on** [**Substack**](https://manishrawat21.substack.com)
Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence agencies warned Tuesday. "These attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial
**Body:** According to a March 2026 audit of 30+ popular AI agent frameworks (OpenClaw, AutoGen, CrewAI, LangGraph, etc.), 93% still rely exclusively on unscoped API keys with no per-agent identity or revocation. Full post: [https://www.reddit.com/r/netsec/comments/1ruefpo/we\_audited\_authorization\_in\_30\_ai\_agent/](https://www.reddit.com/r/netsec/comments/1ruefpo/we_audited_authorization_in_30_ai_agent/) Report: [https://grantex.dev/report/state-of-agent-security-2026](https://grantex.dev/report/state-of-agent-security-2026) I shipped **authproof-sdk** to change that. It gives users a signed Delegation Receipt that: * Binds authorization to hashed operator instructions * Ties execution to immutable Safescript capability hashes * Uses a decentralized append-only log as a trusted time oracle * Enforces hard boundaries the operator cannot override No more “the model went rogue” excuses when the receipt proves exactly what was authorized. Open source (MIT), npm package available, whitepaper in the repo. Would value thoughts from security folks working on agent governance. Link: [https://github.com/Commonguy25/authproof-sdk](https://github.com/Commonguy25/authproof-sdk) Demo is live if anyone wants to see the receipt flow in action — commonguy25.github.io/authproof-sdk/demo.html Works on mobile. Signs a real delegation receipt using Web Crypto API, shows the SHA-256 hash computing in real time, publishes to the append only log. Takes about 30 seconds to go through the full flow.
Tuesday, April 7
Your PLCs aren't internet-connected, right? Right?! Iranian-affiliated actors have escalated intrusions targeting critical US water and energy facilities, in some cases disrupting operations, the FBI and American cyber defense agencies said on Tuesday.…
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. [...]
Cloudflare is accelerating its post-quantum roadmap. We now target 2029 to be fully post-quantum (PQ) secure including, crucially, post-quantum authentication. At Cloudflare, we believe in making the Internet private and secure by default. We started by offering free universal SSL certificates in 2014, began preparing our post-quantum migration in 2019, and enabled post-quantum encryption for all websites and APIs in 2022, mitigating harvest-now/decrypt-later attacks. While we’re excited by the fact that over 65% of human traffic to Cloudflare is post-quantum encrypted, our work is not done until authentication is also upgraded. Credible new research and rapid industry developments suggest that the deadline to migrate is much sooner than expected. This is a challenge that any organization must treat with urgency, which is why we’re expediting our own internal Q-Day readiness timeline. What happened? Last week, Google announced they had drastically improved upon the quantum algorithm to break elliptic curve cryptography, which is widely used to secure the Internet. They did not reveal the algorithm, but instead provided a zero-knowledge proof that they have one. This is not even the biggest breakthrough. That same day, Oratomic published a resource estimate for breaking RSA-2048 and P-256 on a neutral atom computer. For P-256, it only requires a shockingly low 10,000 qubits. Google’s motivatio
U.S. victims lost nearly $21 billion to cyber-enabled crimes last year, driven primarily by investment scams, business email compromise, tech support fraud, and data breaches, the Federal Bureau of Investigation says. [...]
Who needs MFA when you've got EvilTokens? Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.…
Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. [...]
https://www.anthropic.com/glasswing Anthropic launched Project Glasswing, a cybersecurity initiative with major partners including AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation. The goal is to use Anthropic’s unreleased model, Claude Mythos Preview, to find and fix serious vulnerabilities in critical software before attackers can exploit them. Anthropic says the model has already identified thousands of high-severity bugs, including issues in major operating systems and browsers, and is committing up to $100 million in usage credits plus $4 million in donations to open-source security groups. The core claim of the post is that AI has crossed a threshold in cybersecurity: Anthropic argues these frontier models can now outperform nearly all but the top human experts at discovering and exploiting software flaws. That creates a real risk if such capabilities spread irresponsibly, but Anthropic’s position is that the same capability can be used defensively to harden critical infrastructure faster and at larger scale. Anthropic gives several examples to support that argument. It says Mythos Preview found a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg vulnerability, and chained Linux kernel flaws to escalate privileges, with the disclosed examples already reported and patched. Anthropic also says many findings were made largely autonomously, without human steering. More than 40 additional organizations that maintain critical software infrastructure have reportedly been given access to scan both their own systems and open-source software. Anthropic says it will share lessons learned so the broader ecosystem benefits, especially open-source maintainers who often lack large security teams. (its not for general public as of today)
AI coding tools are being shipped fast. In too many cases, basic security is not keeping up. In our latest research, we found the same sandbox trust-boundary failure pattern across tools from Anthropic, Google, and OpenAI. Anthropic fixed and engaged quickly (CVE-2026-25725). Google did not ship a fix by disclosure. OpenAI closed the report as informational and did not address the core architectural issue. That gap in response says a lot about vendor security posture.
The AI lab's Project Glasswing will bring together Apple, Google, and more than 45 other organizations. They'll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities.
Bots are now firmly in the toolbox, helping crooks scale old scams Crims are taking advantage of AI to sharpen old scams. The FBI reported Monday that cybercrime losses hit a record $20.87 billion in 2025, with help from bots.…
Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code. Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “ Forest Blizzard .” How targeted DNS requests were redirected at the router. Image: Black Lotus Labs. Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. Researchers at Black Lotus Labs , a security division of the Internet backbone provider Lumen , found that at the peak of its activity in December 2025, Fo
Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code. [...]
The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed
A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024. "
Automated pentesting tools deliver strong early results, then quickly plateau. Picus Security explains how the "PoC cliff" leaves major attack surfaces untested and creates a dangerous validation gap. [...]
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet. "A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already
AI agents are being handed access to sensitive systems, but security hasn’t kept up. New research shows: * 46% of companies grant AI tools access to critical data * 76% lack proper governance for these identities * Only 28% have full visibility into non-human identities Result: massive blind spots across APIs, service accounts, and automated workflows. Non-human identities are now one of the biggest attack surfaces in cybersecurity.
When talking about credential security, the focus usually lands on breach prevention. This makes sense when IBM’s 2025 Cost of a Data Breach Report puts the average cost of a breach at $4.4 million. Avoiding even one major incident is enough to justify most security investments, but that headline figure obscures the more persistent problems caused by recurring credential
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now-public audit , conducted before launch, identified several vulnerabilities that compromised WhatsApp’s privacy model, all of which Meta has patched. Our findings show that TEEs aren’t a silver bullet: every unmeasured input and missing validation can become a vulnerability, and to securely deploy TEEs, developers need to measure critical data, validate and never trust any unmeasured data, and test thoroughly to detect when components misbehave. The challenge of using AI with end-to-end encryption WhatsApp’s Private Processing attempts to resolve a fundamental tension: WhatsApp is end-to-end encrypted, so Meta’s servers cannot read, alter, or analyze user messages. However, if users also want to opt in to AI-powered features like message summarization, this typically requires sending plaintext data to servers for computationally expensive processing. To solve this, Meta uses TEEs based on AMD’s SEV-SNP and Nvidia’s confidential GPU platforms to process messages in a secure enclave where even Meta can’t access them or learn meaningful information about the message contents. The stakes in WhatsApp are high, as vulnerabilities could expose millions of users’ private messages. Our review identified 28 issues, including eight high-severity findings that could h
In Brief The Question Every Board Is Asking Cybersecurity environments grow more complex every year. Cloud infrastructure expands daily. New applications appear. APIs multiply. Attackers increasingly use automation and purpose-built AI tools—including offensive tools like GhostGPT—to identify weaknesses faster than security teams can remediate them. At RSA 2026, the recurring theme across the keynote stages […] The post Continuous Security Validation: Why It Matters and Why Synack Is Built for It appeared first on Synack .
New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate privileges and, in some cases, even take full control of a host. The efforts have been codenamed GPUBreach, GDDRHammer, and GeForge. GPUBreach goes a step further than GPUHammer, demonstrating for the first time that
Common Entra ID Security Assessment Findings – Part 3: Weak Privileged Identity Management Configuration
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Part 2: Privileged Unprotected Groups What Is Privileged Identity Management? Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables organizations to manage, control, and monitor privileged access. The main features are: Provide just-in-time privileged access Assign time-bound access and end dates Require approval or multifactor authentication to activate privileged roles Require written justification for role activation Generate notifications when privileged roles are activated A common use case is to avoid permanently assigning the Global Administrator role. Instead, users or group members are made eligible to activate the role only when needed and only for a limited period.
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems. "The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent
Obvious signs: High cpu activity without any "visible" reason. The malware creates a fake dwm.exe process. That process is additional to the original dwm.exe of Windows. It connects to a dutch vps. It hides itself from the most comon end-user used process listing methods (task manager, sysinternals process explorer, perfmon etc.). It is not detected by Windows Defender, by Malwarebytes and ESET NOD32. It can be spotted when renaming SysInternals Process Explorer executable or using a tool like System Informer. Process Explorer is unable to kill this process, while System Informer is. Based on what I see, that dmw.exe doesn't exist as file, only in memory. [The fake process](https://preview.redd.it/qp97mhlicptg1.png?width=1477&format=png&auto=webp&s=46d6df54823a7a5f62d9f35742b80588a9a0a39d) [Protected process ](https://preview.redd.it/m25ruvflcptg1.png?width=531&format=png&auto=webp&s=77de33543669aaa63ae4650f659da07ebbfb8857) [The unauthorized connection](https://preview.redd.it/tsjxbgkscptg1.png?width=544&format=png&auto=webp&s=049cd62975df2f02ba09d08fb27c6deca525f44c)
Customizations are causing pain so new cloud will stick to upstream cuts of the open source stack LY Corporation, the Japanese web giant that dominates messaging, e-commerce and payments in many Asian countries, has revealed it is replacing a heavily-customized OpenStack cloud with a more conventional cut of the open source cloud stack – and making massive consolidations along the way.…
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite This week, more time than I'd have liked to spend went on talking about the trials of chasing invoices. This is off the back of a customer (who, for now, will remain unnamed), who had invoices stacking back more than 6 months overdue and despite payment terms of 30 days, paid on an average of 80 days . But as I say in this week's video, more than anything, it was the gall of the CEO to take issue with my frustrated tone rather than with their complete lack of respect for basic business etiquette and paying one's suppliers. And so, Copilot and I spent the weekend fixing up a nice little Xero integration to ensure this never happens again. If you arrive at this post sometime in the future after finding your HIBP enterprise service no longer functioning weeks after an unpaid invoice was due, at least you'll know it's not personal... and pay your damn bills!
We're launching C2 Detection — a new GreyNoise intelligence module that gives you two distinct, high-confidence signals that a device in your environment has been compromised.
Monday, April 6
The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. [...]
CUPS server shown spilling out remote code execution and root access In the latest chapter on leaky CUPS, a security researcher and his band of bug-hunting agents have found two flaws that can be chained to allow an unauthenticated attacker to remotely execute code and achieve root file overwrite on the network.…
Cloudflare was designed to be simple to use for even the smallest customers, but it’s also critical that it scales to meet the needs of the largest enterprises. While smaller customers might work solo or in a small team, enterprises often have thousands of users making use of Cloudflare’s developer, security, and networking capabilities. This scale can add complexity, as these users represent multiple teams and job functions. Enterprise customers often use multiple Cloudflare Accounts to segment their teams (allowing more autonomy and separation of roles), but this can cause a new set of problems for the administrators by fragmenting their controls. That’s why today, we’re launching our new Organizations feature in beta — to provide a cohesive place for administrators to manage users, configurations, and view analytics across many Cloudflare Accounts. Principle of least privilege The principle of least privilege is one of the driving factors behind enterprises using multiple accounts. While Cloudflare’s role-based access control (RBAC) system now offers fine-grained permissions for many resources, it can be cumbersome to enumerate all the resources one by one. Instead, we see enterprises use multiple accounts, so each team’s resources are managed by that team alone. This allows organic growth within the account: they can add new resources as needed, without giving Administrative control too widely. While multiple accounts are great at limiting permissions for most of the users within an organization, they complicate things for the administrators, as the administrators need to be added to every account and given the appropriate
The Kill Chain models how an attack succeeds. The Attack Helix models how the offensive baseline improves. The Tipping Point One person. Two AI subscriptions. Ten government agencies. 150 gigabytes of sovereign data. In December of 2025, a single unidentified operator used Anthropic’s Clau
Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. [...]
Microsoft has resolved a known issue that was preventing some Classic Outlook users from sending emails via Outlook.com. [...]
An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily
Nonprofits run out of US Border Patrol stations are also selling other “operation”-themed coins that include a phrase popularized by the Proud Boys, potentially in violation of government rules.
CISA added the flaw to KEV after Fortinet confirmed exploitation in the wild Fortinet released an emergency patch over the weekend for a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31.…
The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." [...]
With Cloudflare now supporting PQC encryption, I thought it'd be a fun experiment to see if I could encapsulate Plex traffic in a tunnel since it's not supported natively. 🤓
Your attack surface no longer lives on one operating system, and neither do the campaigns targeting it. In enterprise environments, attackers move across Windows endpoints, executive MacBooks, Linux infrastructure, and mobile devices, taking advantage of the fact that many SOC workflows are still fragmented by platform. For security leaders, this creates a
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there. One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react. That’s this week. Read&
The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In March 2026, the TeamPCP threat actor proved just how valuable developer machines are. Their supply chain attack on
Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro. Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named "msimg32.dll,"
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Sunday, April 5
True-crime tales of criminals making fools of themselves interview Cybercrime crews have become almost mystical entities, with security vendors assigning them names like Wizard Spider and Velvet Tempest.…
When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.
Saturday, April 4
x64dbg Reversing a Jump Tutorial | Breakpoints, Zero Flag, Binary Patching & Cracking Basics - YouTube
Plus: The FBI says a recent hack of its wiretap tools poses a national security risk, attackers stole Cisco source code as part of an ongoing supply chain hacking spree, and more.
Friday, April 3
Ex-CISA official tells The Reg: 'this would weaken the system for managing cyber risk' The US Cybersecurity and Infrastructure Security Agency's budget will see yet another deep cut if Congress approves President Trump's proposal to slash CISA's spending by $707 million in fiscal year 2027.…
Praetorian is excited to announce the release of Vespasian, a probabilistic API endpoint discovery, enumeration, and analysis tool. Vespasian watches real HTTP traffic from a headless browser or your existing proxy captures and turns it into API specifications (OpenAPI, GraphQL SDL, WSDL). We built it because pentesters spend the first days of every API engagement manually reconstructing documentation that should already exist. You know the scenario. You are three days into an API penetration test. Documentation was promised during scoping, and it existed at some point, but the Confluence page was last updated eighteen months ago and describes endpoints that have since been replaced. The Swagger UI returns a 404. The mobile app calls endpoints that don’t appear in any documentation at all. Nobody dropped the ball; the API just evolved faster than the docs. So you do what every pentester does: you open Burp Suite, click through the application for an hour, and start reading raw HTTP traffic. You spot JSON responses on /api/v2/ paths. GraphQL queries appear on a different subdomain. There’s a SOAP service that the frontend calls exactly once during login. Endpoint URLs are copied into a spreadsheet. You guess at parameter names. You manually reconstruct the API over the course of a couple days. This part of the project is informative, but it’s also a bottleneck. Vespasian reduces that bottleneck. It observes real HTTP traffic, either by crawling the target with a headless browser or by importing captures you’ve already made in Burp Suite, HAR, or mitmproxy, and generates API specifications automatically. REST endpoints become OpenAPI 3.0. GraphQL endpoints become SDL schemas. SOAP services become WSDL documents. You can try it yourself at
A practical look at securing identities, devices and applications wherever work happens Webinar Promo The shift to hybrid work has reshaped the enterprise perimeter. Users are logging in from home networks, shared spaces and unmanaged devices, while applications span on-prem systems and multiple clouds. Traditional security models were not designed for this level of fragmentation, leaving many organizations struggling to maintain visibility and control without adding friction.…
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA , an open-source tool that simplifies the full range of MBA expressions used in the wild. Point it at an obfuscated expression and it recovers a simplified equivalent: $ cobra-cli --mba "(x&y)+(x|y)" x + y $ cobra-cli --mba "((a^b)|(a^c)) + 65469 * ~((a&(b&c))) + 65470 * (a&(b&c))" --bitwidth 16 67 + (a | b | c) CoBRA simplifies 99.86% of the 73,000+ expressions drawn from seven independent datasets. It ships as a CLI tool, a C++ library, and an LLVM pass plugin. If you’ve hit MBA obfuscation during malware analysis, reversing software protection schemes, or tearing apart VM-based obfuscators, CoBRA gives you readable expressions back. Why existing approaches fall short The core difficulty is that verifying MBA identities requires reasoning about how bits and arithmetic interact under modular wrapping, where values silently overflow and wrap around at fixed bit-widths. An identity like (x ^ y) + 2 * (x & y) == x + y is true precisely because of this interaction, but algebraic simplifiers only see the arithmetic and Boolean minimizers only see the logic; neither can verify it alone. Obfuscator
The Quizlet flashcards, which WIRED found through basic Google searches, seem to include sensitive information about gate security at Customs and Border Protection locations.
A threat actor who goes by the name "Mr. Raccoon" has claimed to hack Adobe support via 3rd party Indian BPO firm
A massive data breach (allegedly) has occurred at Adobe. Carried out by a threat actor calling themselves "Mr. Raccoon", the claims are that over 13M support ticket details have been leaked along with details of over 15,000 employees. Additionally, they have access to their microsoft SharePoint instance and also to make matters worse, Adobe's HackerOne account. Adobe is yet to comment on this matter.
Thursday, April 2
A new MaaS has been promoted on Telegram as combining spyware, stealer, and remote access capabilities, Kaspersky reports. April 2026
‘Uncanny Valley’: Iran’s Threats on US Tech, Trump’s Plans for Midterms, and Polymarket’s Pop-up Flop
In this episode, we discuss Iran’s threats to target US tech firms, gear up for the midterm elections, and get a scene report from the Polymarket pop-up bar in DC.
Built a small experiment: turn a file into a “sonic fingerprint” in the browser I wanted to share a side project we put together: [https://listen.maliscope.com/](https://listen.maliscope.com/) It takes a file and turns it into a deterministic audio representation of file characteristics. A few important caveats: * it runs locally in the browser * it does not claim to detect malware through music * it is not a verdict engine * it is just an experimental visualization The idea was not “can analysts detect malware by ear?” but more: what happens if you represent file structure and characteristics as sound instead of another chart? I thought some people here might find it interesting, even if only as a weird security-adjacent experiment.
As strikes continue on Iran’s nuclear facilities, the real danger isn’t the explosion, but what happens if critical safety systems fail—and how that risk could spread across the Gulf.
Source code with a side of Vidar stealer and GhostSocks Tens of thousands of people eagerly downloaded the leaked Claude Code source code this week, and some of those downloads came with a side of credential-stealing malware.…
A few days ago I wrote about how the Trivy ecosystem got turned into a credential stealer. One of my takeaways was “pin by SHA.” Every supply chain security guide says it, I’ve said it, every subreddit says it, and the GitHub Actions hardening docs say it. The Trivy attack proved it wrong, and I think we need to talk about why.
Overview Artifex's MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. This heap corruption typically causes the application to crash, but in some cases could be exploited to enable arbitrary code execution. Description Artifex MuPDF is a lightweight framework for viewing and converting PDF, XPS, and e-book files. A vulnerability exists in pdf_load_image_imp , which is responsible for preparing image data for decoding. The function processes image parameters including w (width), h (height), and bpc (bits per component), which are used to determine the amount of memory allocated during image decoding. The current implementation validates these parameters against SIZE_MAX rather than INT_MAX , but because stride calculations use integer-sized values, this check does not sufficiently protect against integer overflow when exceedingly large values are supplied. When the overflow occurs, the resulting corrupted values are passed into the fz_unpack_stream function, which expands packed image samples into a destination buffer during image decoding. Because this too-small overflow value is used to calculate the size of the destination buffer, not enough memory is allocated for the actual size of the image. This causes fz_unpack_stream to write beyond the bounds of the allocated heap buffer, resulting in a heap out-of-bounds write. Impact Successful exploitation results in a heap out-of-bounds write during PDF image decoding.
Posted by Adam Gavish, Google GenAI Security Team Indirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious instructions into the data or tools used by the LLM as it completes the user’s query. This may even be possible without any input directly from the user. IPI is not the kind of technical problem you “solve” and move on. Sophisticated LLMs with increasing use of agentic automation combined with a wide range of content create an ultra-dynamic and evolving playground for adversarial attacks. That’s why Google takes a sophisticated and comprehensive approach to these attacks. We’re continuously improving LLM resistance to IPI attacks and launching AI application capabilities with ever-improving defenses.
Cloudflare data shows that 32% of traffic across our network originates from automated traffic . This includes search engine crawlers, uptime checkers, ad networks — and more recently, AI assistants looking to the web to add relevant data to their knowledge bases as they generate responses with retrieval-augmented generation (RAG). Unlike typical human behavior, AI agents , crawlers, and scrapers’ automated behavior may appear aggressive to the server responding to the requests. For instance, AI bots frequently issue high-volume requests, often in parallel. Rather than focusing on popular pages, they may access rarely visited or loosely related content across a site, often in sequential, complete scans of the websites. For example, an AI assistant generating a response may fetch images, documentation, and knowledge articles across dozens of unrelated sources. Although Cloudflare already makes it easy to control and limit automated access to your content, many sites may want to serve AI traffic. For instance, an application developer may want to guarantee that their developer documentation is up-to-date in foundational AI models, an e-commerce site may want to ensure that product descriptions are part of LLM search results, or publishers may want to get paid for their content through mechanisms such as pay per crawl . Website operators therefore face a dichotomy: tune for AI crawlers, or for human traffic. Given both exhibit widely different traffic patterns, current cache architectures force operators to choose one approach to save resources. In this
You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn’t squint, it’s bad for your eyes), file transfer solutions do play a decent role in the CISA KEV list due to how fondly threat actors, APT groups, and ransomware gangs alike perceive them. The following represent industry-defining historical incidents: The MOVEit breach in 2023 , Cleo Harmony, VLTrader and LexiCom in 2024, or, Fortra’s GoAnywhere, with mysterious active exploitation in 2025 . Today, we find ourselves analyzing the journey we took to discover multiple vulnerabilities in Progress ShareFile, ultimately chained together to achieve Pre-Authenticated Remote Code Execution - and sharing more memes. What is Progress ShareFile? A software suite that was previously owned by Citrix but later acquired by Progress in 2024 . In ShareFile’s own words: ShareFile software gives you a structured, secure space to work with clients - share files, collect signatures, request data, and manage to-dos in one place, improving collaboration and the experience around it. At first glance at the software’s descriptions and signup process, on
A WIRED analysis of DHS records identified dozens of specialized federal agents who used force against US civilians during the largest known deployment of its kind in US history.
Connected devices can leave an otherwise secure network vulnerable Pwned Welcome to Pwned, The Register's new column, where we highlight the worst infosec own goals so you can, hopefully, protect against them. Caffeine is an essential tool for most IT defenders, so, on balance, we're sure it has protected against a lot more exploits than it has caused. But in this case, the desire for everyone's favorite stimulant led to a massive breach.…
First public downstream victim, but won't be the last AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.…
Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing.
Wednesday, April 1
Introduction The Zodiac Killer, one of America’s most notorious unsolved serial killer cases, sent numerous encrypted messages to newspapers during his reign of terror in the late 1960s and early 1970s. While his 408-character cipher was eventually cracked, the shorter “Z32” cipher that accompanied a map of the San Francisco Bay Area has remained unsolved for over five decades. The Z32 cipher consists of just 32 characters combining both letters and symbols. Alongside this cipher, the Zodiac included a chilling note: “The Map coupled with this code will tell you where the bomb is set. You have until next Fall to dig it up.”
Plus: how to train your human AI interview Amazon has seen a 40 percent efficiency gain by using AI tools to pentest its products before and after launch, according to security chief CJ Moses.…
Finding Value in the AI Noise Over the past year, the cybersecurity conversation has shifted hard toward AI. Walk through any conference and you’ll see it everywhere: agentic systems, autonomous testing, and machines operating at a scale that humans simply can’t match. A lot of that progress is real. At Synack, we’re investing heavily in […] The post Why AI Alone Won’t Fix the Security Problem appeared first on Synack .
1. macOS ClickFix Campaign Targets Claude Code Users with **AMOS Stealer** and Backdoor Access 2. **RUTSSTAGER**: Registry-Stored DLL Leads to OrcusRAT Deployment 3. **Kamasers**: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide 4. **MicroStealer**: A Fast-Spreading Infostealer with Limited Detection * This one is super interesting in my opinion; the chain and way it is created makes the detection complicated - obfuscated java modules are pain to deal with - ends up most of the time without any static engine flags Source: [https://any.run/cybersecurity-blog/major-cyber-attacks-march-2026/](https://any.run/cybersecurity-blog/major-cyber-attacks-march-2026/)
We could tell you no for free The UK government will spend about £630,000 running a discussion panel on its digital identity card plans, which minister James Frith said will "consider different perspectives and debate trade-offs" alongside a formal consultation .…