DVIUS INTELLIGENCE

DVIUS AI represents a groundbreaking advancement in cybersecurity threat intelligence. Our proprietary machine learning algorithms analyze global threat data in real-time, identifying patterns and anomalies that traditional security systems often miss. The system processes billions of data points daily, leveraging deep neural networks to provide unprecedented visibility into evolving cyber threats. Recent deployments have demonstrated remarkable effectiveness with 99.7% accuracy in threat detection and a 68% reduction in false positives compared to conventional solutions. The autonomous response capabilities can contain threats within milliseconds, significantly reducing potential damage to enterprise systems. As cyber threats continue to evolve in sophistication, DVIUS AI's adaptive learning capabilities ensure continuous improvement in defensive strategies. The platform represents the future of intelligent, automated cybersecurity defense.

The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter

Cyber crooks are abusing a trojanized Android payment application to steal near field communication (NFC) data and PINs, enabling cloning of payment cards and draining victim accounts. According to ESET researchers, a new variant of the NGate malware has been infused into the HandyPay NFC-relay application to transfer NFC data to the attacker’s device and use it for contactless ATM cash-outs. Use of AI is suspected in the campaign. “To trojanize HandyPay, threat actors most probably used GenAI, indicated by emoji left in the logs that are typical of AI-generated text,“ the researchers said in a blog post. The campaign has been distributing two malware samples, through a fake lottery website and a fake Google Play website, in attacks targeting Android users in Brazil since November 2025. Legit app doing the dirty work ESET researchers pointed out that the campaign marks NGate operators shifting from custom tooling to a trojanized legitimate application. HandyPay, originally designed to relay NFC data between devices, is being used to require minimal permissions and blend into expected payment workflows. This approach avoids building custom tooling from scratch, previously seen with the NFCGate abuse, and instead adds malicious code into an existing NFC-capable app. By repurposing an NFC relay app, the attackers inherit functionality that already handles the core data exchange, the researchers noted.An NFC-relay app is a tool that captures contactless communication from a card or device and forwards it in real time to another device, extending the short-range Near Field Communication signal over a network for remote use. Because the app operates within expected NFC workflows, it is easier for attackers to mask the attack. The distribution channels include a fake lottery site impersonating Brazil’s “Rio de Premios,” and a spoofed Google Play page advertising a “card protection” tool. AI was likely used ESET researchers also spotted something unusual in the malware’s internals. Some traces suggested generative AI may have played a role in its development. Specifically, the injected malicious code contains emoji markers in debug logs, something more commonly associated with AI-generated output than human-written malware. The researchers noted that this isn’t definitive proof but aligns with a broader trend of attackers using large language models to accelerate malware creation. Android presently has some protection against this attack vector in the form of security alerts. “The victim needs to manually install a trojanized version of HandyPay, since the app is only available outside Google Play,” the researchers said. “When a user taps the download app button in their browser, Android automatically blocks the install and shows a prompt asking them to allow installation from this source.” For the attack to be successful, the user then needs to tap Settings in the prompt, enable “Allow from this source,” and return to installing the app, a process quite common with third-party app installation these days. Nothing particularly suspicious stands out in the “allow download” workflow to protect against this threat. ESET shared a list of indicators in a dedicated GitHub repository, which included files, hashes, network indicators, and MITRE ATT&CK maps to support detection efforts.

Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky. "Two batch scripts are responsible for initiating the

Unit 42 research reveals AirSnitch attacks bypass WPA2/3 Wi-Fi encryption and client isolation, exposing critical infrastructure vulnerabilities. The post When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks appeared first on Unit 42.

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic

Anthropic’s Mythos has intensified a problem that vulnerability management programs were already struggling to contain: too many vulnerabilities and not enough clarity about which ones matter. What changes with Mythos — and the AI-based class of vulnerability discovery systems it represents — is the speed at which software flaws can be found and exploited. That speed raises a more immediate question for defenders: Which vulnerabilities require action? Anthropic has pointed to one method. In guidance tied to its work on AI-accelerated offense, the company recommended using the Exploit Prediction Scoring System (EPSS), a probabilistic model developed by the data scientists behind Empirical Security, and published through FIRST, as a way to triage vulnerabilities as discovery increases. According to Anthropic, “Patching the KEV [CISA’s Known Exploited Vulnerabilities catalog] list first, and then everything above a chosen EPSS threshold will help you turn thousands of open CVEs into a manageable queue.” “EPSS uses the same probabilistic models that weather forecasters do,” Michael Roytman, co-founder and CTO of Empirical Security and one of the original EPSS authors, told CSO. “The forecast is which vulnerabilities are likely to be exploited somewhere on the internet in the next 30 days.” Roytman added, “We don’t deal with rain by constantly having an umbrella over our heads. We have predictive models that tell us whether we should or should not bring an umbrella.” Ed Bellis, CEO of Empirical Security, told CSO that Anthropic’s recommendation stood out because of who made it, not because EPSS is new. According to Bellis, it was the first time, to his knowledge, that a large language model provider had explicitly endorsed a probabilistic, purpose-built model for vulnerability prioritization. A system already under strain Mythos arrives as the vulnerability ecosystem is already under strain. Most recently, the volume of new vulnerabilities forced NIST to scale back enrichment of its National Vulnerability Database (NVD) to only certain CVEs. The NVD enriches vulnerability reports with CVSS scores, which are developed by FIRST, while EPSS provides a separate estimate of exploitation likelihood. “The fact that they’re [NIST] narrowing down the vulnerabilities that they are going to focus on [for CVSS] is because it’s all human-driven,” Bellis said. EPSS, by contrast, is machine-driven and can be applied across all CVEs, with scores published daily. “It’s machine-driven, and it’s a machine learning model that ultimately scores that vulnerability,” Bellis added. “The average vulnerability management practice today is not thinking about it from a machine-learning, data-driven perspective, but they could be.” According to the Zero Day Clock, the mean time to exploit a vulnerability after it’s been discovered is going to reach one hour this year, and only one minute by 2028, down from 2.3 years in 2018. Security leaders weigh promise versus reality Security vendors are increasingly incorporating EPSS scores into their systems. According to Roytman, EPSS has been incorporated into more than 120 security vendors’ products, including CrowdStrike, Cisco, Palo Alto Networks, Qualys, and Tenable platforms. “I do not think other CISOs realize how broadly EPSS has been adopted, but that adoption is great news for the industry,” James Robinson, CISO at Netskope, told CSO. “EPSS, when applied to [software flaws], is an essential step in being able to know if this exploitable vulnerability applies to your implementation or operation,” he said, adding that “the role that EPSS can play in identifying non-CVE vulnerabilities identified from Mythos and other upcoming models is extremely useful.” Aaron Weismann, CISO at Main Line Health, welcomed the faster discovery of vulnerabilities but questioned whether the guidance translates to sectors such as healthcare, telling CSO, “It’ll be interesting to see how actionable those recommendations are for critical infrastructure — like healthcare, utilities, government, and others — where immediate and automated patching can be challenging due to the prevalence of legacy hardware and software.” Not all defenders embrace the concept of EPSS or even CVSS to address the rapid discovery of vulnerabilities. “To be direct: Both CVSS and EPSS are fundamentally outdated in the ‘Mythos’ era and require a complete rethink,” Ramy Houssaini, chief cyber solutions officer of Cloudflare, told CSO. “EPSS relies on lagging, 30-day historical data, but AI has collapsed the time-to-exploit into mere minutes. Instead of waiting for a predictive score to prioritize human-speed patching, organizations must shift to real-time defense.” Exposure management will extend beyond CVEs While most of the analysis of the power of Mythos to discover vulnerabilities has centered on common applications to which CVEs can be applied, its discoveries will most likely reveal millions of other vulnerabilities that don’t meet this definition. “A similar process is happening across clouds and applications, where there is no common enumerator across those applications,” Empirical Security’s Roytman said. “My application looks very different than yours, even if it’s written in the same language,” he added. “So, when we think about that probabilistic modeling expanding to all of exposure management, which might be a bigger problem than just CVEs themselves, we have to think about building local predictive models for applications, clouds, configurations, misconfigurations, and that is another exercise in taking advantage of the existing security tooling and building small, purpose-built models rather than having humans do the manual triage work.” In short, Mythos and competing AI models will soon be able to find millions and millions of vulnerabilities that will not fit into the CVE model. “We see enterprises all the time that might have tens of millions of open instances of vulnerabilities, let alone the sheer volume of those classes of flaws that they’re going to discover on the AI front,” Bellis said. “This is a problem, but the sky is not falling,” Roytman said. “There are methods for managing it.”

Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than

A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to

Softwareentwicklung und Autoproduktion haben mehr gemein, als man denkt. Lesen Sie, was Sie zum Thema Software Bill of Materials (SBOM) wissen sollten. Foto: Ju1978 – shutterstock.comEine Software Bill of Materials ist ein detaillierter Leitfaden, der unter anderem Aufschluss über die Komponenten Ihrer Software gibt. Als eine Art Stückliste hilft eine SBOM Anbietern und Käufern gleichermaßen, den Überblick über die Komponenten zu behalten und die Sicherheit der Softwarelieferkette zu verbessern. SBOM – Definition Eine Software Bill of Materials ist eine formale, strukturierte Aufzeichnung, die die Komponenten eines Softwareprodukts und ihre Beziehungen innerhalb der Softwarelieferkette beschreibt. Eine SBOM gibt also einerseits an, welche Pakete und Bibliotheken in Ihre Anwendung eingeflossen sind, andererseits auch die Beziehung zwischen diesen Paketen und Bibliotheken und anderen vorgelagerten Projekten. Das ist besonders wichtig ist, wenn es um wiederverwendeten Code und Open-Source-Komponenten geht. Sie kennen Stücklisten vielleicht im Zusammenhang mit Neuwagen. In diesem Fall handelt es sich um ein Dokument, das jede Komponente, die sich in Ihrem neuen Fahrzeug befindet, detailliert beschreibt. Auch wenn Ihr Auto von Toyota oder General Motors zusammengebaut wurde: Viele seiner Komponenten stammen von Subunternehmern auf der ganzen Welt. Die Stückliste gibt Aufschluss darüber, woher jedes einzelne dieser Teile stammt. Das dient nicht nur der Transparenz, sondern auch der Sicherheit: Wird eine bestimmte Serie von Airbags zurückgerufen, müssen die Fahrzeughersteller schnell herausfinden können, wo diese verbaut sind. Da Open-Source-Bibliotheken von Drittanbietern sich jedoch zunehmender Beliebtheit erfreuen, um containerisierte, verteilte Applikationen zu erstellen, weisen Softwareentwicklung und Fahrzeugfertigung inzwischen mehr Gemeinsamkeiten auf, als man denkt. Sowohl Entwickler als auch Benutzer können eine Software Bill of Materials verwenden, um nachzuvollziehen, welche Bestandteile in die Software eingeflossen sind, wie sie verteilt und verwendet wurden. Das erlaubt – insbesondere aus Sicherheitsperspektive – eine Reihe wichtiger Rückschlüsse. Software Bill of Materials – Vorteile Die Zeiten monolithischer, proprietärer Codebasen sind längst vorbei. Moderne Anwendungen basieren oft auf in großen Teilen wiederverwendetem Code – häufig mit Beteiligung von Open-Source-Bibliotheken. Diese Anwendungen werden auch zunehmend in kleinere, in sich geschlossene Funktionskomponenten, so genannte Container, aufgeteilt, die über Orchestrierungsplattformen wie Kubernetes gemanagt und lokal oder in der Cloud ausgeführt werden. Im Großen und Ganzen waren diese Veränderungen ein Segen für die Softwareentwicklung und haben dazu beigetragen, die Entwicklerproduktivität zu erhöhen und Kosten zu senken. Aus Security-Perspektive sieht das Bild nicht ganz so rosig aus: Indem sie sich in hohem Maße auf den Code von Drittanbietern verlassen, (deren interne Prozesse sie möglicherweise nicht oder nur teilweise kennen), haben Entwickler eine Lieferkette von Softwarekomponenten geschaffen, die genauso komplex ist, wie die von Herstellern physischer Produkte. Da eine Anwendung jedoch nur so sicher ist wie ihre schwächste Komponente, kann dieses Gebahren gravierende Schwachstellen zur Folge haben. Die 2020er Jahre waren von einer Reihe von Angriffen auf die Softwarelieferkette geprägt, die für Schlagzeilen sorgten: Ende 2020 gelang es Hackern, die mit dem russischen Geheimdienst in Verbindung stehen sollen, eine Backdoor in die Netzwerk-Monitoring-Plattform von SolarWinds einzuschleusen. Diese wird wiederum von anderen Sicherheitsprodukten genutzt, was zu ihrer Kompromittierung führte. Ende 2021 wurde eine schwerwiegende Sicherheitslücke in Apache Log4j entdeckt, einer Java-Bibliothek, die für die Protokollierung von Systemereignissen verwendet wird. Das hört sich nur so lange langweilig an, bis man feststellt, dass fast jede Java-Anwendung Log4j in irgendeiner Form verwendet und damit angreifbar wird. Diese Sicherheitskrisen verdeutlichen die potenzielle Rolle der Software Bill of Materials innerhalb der Sicherheitslandschaft. Viele Anwender haben vielleicht nur beiläufig von diesen Schwachstellen gehört, waren sich aber nicht bewusst, dass sie Log4j oder eine andere SolarWinds-Komponente verwenden. Mit einer SBOM wissen Sie genau, welche Pakete Sie installiert haben – und vor allem, welche Versionen dieser Pakete. So können Sie bei Bedarf aktualisieren, um auf der sicheren Seite zu sein. Eine Software Bill of Material kann auch über die Sicherheit hinausgehen: SBOMs können Entwicklern beispielsweise dabei helfen, den Überblick über die Open-Source-Lizenzen ihrer verschiedenen Softwarekomponenten zu behalten, was wichtig ist, wenn es darum geht, Applikationen zu distribuieren. SBOMs – Pflicht in den USA und bald auch in Europa Der SolarWinds-Hack hat insbesondere bei der US-Regierung die Alarmglocken schrillen lassen – auch weil viele US-Bundesbehörden die kompromittierte Komponente eingesetzt hatten. Deshalb enthielt die im Mai 2022 von der Biden-Regierung erlassene Cybersecurity-Verordnung auch Richtlinien im Zusammenhang mit Software Bill of Materials. Das US-Handelsministerium veröffentlichte einen Leitfaden, welche grundlegenden Elemente in SBOMs enthalten sein müssen. Obwohl sich die Anordnung speziell auf diejenigen bezieht, die in direkter Beziehung zu den US-Bundesbehörden stehen, werden die Regelungen weitergehende Auswirkungen haben. Schließlich werden die an die US-Regierung verkauften Produkte, die nun mit einer SBOM ausgeliefert werden müssen, größtenteils auch an andere Unternehmen und Organisationen verkauft. Viele Softwarehersteller hoffen, dass die Kunden aus der Privatwirtschaft SBOMs ebenfalls als Mehrwert betrachten. Außerdem ist das staatliche Auftragswesen selbst eine Lieferkette, wie Sounil Yu, ehemaliger Chief Security Scientist bei der Bank of America sowie CISO bei JupiterOn, unterstreicht: “Es gibt nur eine bestimmte Anzahl von Unternehmen, die direkt mit der US-Regierung zusammenarbeiten und von der Verordnung betroffen sind. Die Auswirkungen auf der zweiten Zuliefererebene sind noch wesentlich größer.” In Europa wird die SBOM ebenfalls verpflichtend – und zwar im Rahmen der Umsetzung des Cyber Resilience Act bis Ende 2027. Software Bill of Materials – Aufbau Als Reaktion auf die Executive Order veröffentlichte die National Telecommunications and Information Administration (NTIA) im Juli 2021 den Leitfaden “The Minimum Elements For a Software Bill of Materials” (PDF). Das Dokument könnte zu einem De-facto-Standard für SBOMs in der gesamten Branche werden und legt sieben Datenfelder fest, die jede SBOM enthalten sollte: Name des Anbieters: Der Name einer Einheit, die eine Komponente erstellt, definiert und identifiziert. Komponentenname: Die Bezeichnung, die einer vom ursprünglichen Lieferanten definierten Softwareeinheit zugewiesen wird. Version der Komponente: Eine Kennung, die vom Lieferanten verwendet wird, um eine Änderung der Software gegenüber einer zuvor identifizierten Version anzugeben. Andere eindeutige Identifikatoren: Andere Informationen, die verwendet werden, um eine Komponente zu identifizieren oder als Nachschlageschlüssel für relevante Datenbanken dienen. Das könnte etwa ein Identifikator aus dem NIST CPE Dictionary sein. Abhängigkeitsbeziehung: Kennzeichnet die Beziehung, in der eine Upstream-Komponente X in Software Y enthalten ist. Das ist besonders wichtig für Open-Source-Projekte. Autor der SBOM-Daten: Der Name der Entität, die die SBOM-Daten erstellt. Zeitstempel: Aufzeichnung des Datums und der Uhrzeit der Zusammenstellung der SBOM-Daten. SBOMs müssen darüber hinaus auch folgende Anforderungen erfüllen: Die SBOM muss in einem von drei standardisierten Formaten vorliegen, damit sie maschinenlesbar ist – SPDX, CycloneDX oder SWID-Tags. Mit jeder neuen Softwareversion muss eine neue SBOM generiert werden, um sicherzustellen, dass sie auf dem neuesten Stand ist. Die SBOM muss nicht nur Abhängigkeitsbeziehungen enthalten, sondern auch Aufschluss darüber geben, wo solche Beziehungen wahrscheinlich bestehen, aber der Organisation, die die SBOM erstellt, unbekannt sind. SBOM erstellen – so geht’s Wenn Sie diesen Artikel lesen, empfinden Sie es möglicherweise als entmutigende Aufgabe, eine Software Bill of Materials zu erstellen. Schließlich muss es ein Alptraum sein, all diese Informationen manuell zusammenzutragen. Glücklicherweise werden SBOMs in den meisten Fällen mit Hilfe von SCA-Tools (Software Composition Analysis ) automatisch erstellt. Diese Tools werden häufig in DevSecOps-Pipelines eingesetzt und spielen nicht nur für die Erstellung von SBOMs eine Rolle. SCA-Tools durchsuchen Ihre Codeverzeichnisse nach Paketen und vergleichen sie mit Online-Datenbanken, um sie mit bekannten Bibliotheken abzugleichen. Es gibt aber auch Werkzeuge, die eine Software Bill of Materials im Rahmen des Software-Build-Prozesses erstellen. Die OWASP Foundation hat eine umfassende Liste von SCA-Tools zusammengestellt, die von einfachen, quelloffenen Kommandozeilen-Tools bis hin zu spezialisierten, kommerziellen Produkten reicht. Wenn Sie tiefer in diesen Bereich eintauchen möchten, sollten Sie außerdem einen Blick auf unseren Artikel “7 Tools, die Ihre Softwarelieferkette absichern” werfen. Wenn Sie verteilte Software entwickeln, wird es immer wichtiger, SBOMs in Ihre Entwicklungspraxis zu integrieren. Auch wenn Sie keine Verträge mit der US-Regierung abschließen – Sie sollten sich angesichts der Bedrohungslage in jedem Fall Gedanken über die Sicherheit ihrer Softwarelieferkette machen.

Two weeks after researchers using an AI tool discovered a major hole in Apache’s ActiveMQ messaging middleware, there are still thousands of unpatched instances open to the internet, more evidence that many application developers and IT leaders aren’t paying close attention to warnings about vulnerabilities. While the remote code injection vulnerability [CVE-2026-34197] was revealed on April 7, according to statistics from the ShadowServer Foundation, there are still almost 6,500 unpatched instances of ActiveMQ open to being abused. “The fact that ShadowServer is still seeing 6,000+ unpatched boxes nearly two weeks later is just mind-blowing,” IT analyst Rob Enderle of the Enderle Group told CSO. “In a world where an LLM can help an attacker weaponize a bug the second it’s announced, taking 12 days to patch is essentially a suicide note for your network”. Vulnerable are versions of ActiveMQ and ActiveMQ Broker before 5.19.4, and 6.0 to before 6.2.3; this means the flaw could have been exploited for over a decade. ActiveMQ Artemis isn’t affected. The issue is so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its known and exploited vulnerability list (KEV) this week, urging federal agencies to promptly update their applications. The move should also be seen by private sector developers who use ActiveMQ in their applications, and IT and security leaders who have apps using ActiveMQ in their environments, as a cue to act fast and upgrade to patched versions 5.19.4 or 6.2.3. Bug found by AI in 10 minutes The hole was discovered by researchers at Horizon3.ai using Anthropic’s Claude AI assistant. It took them about 10 minutes, an illustration of how quickly modern AI tools can be used by experts to find vulnerabilities. Anthropic says its limited release Claude Mythos tool is even better than Claude at finding flaws. Apache says an authenticated attacker can exploit the hole with a crafted discovery URI that triggers a parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.  Because Spring’s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker’s Java VM through bean factory methods such as Runtime.exec. “This vulnerability sat there for 13 years,” noted Enderle. “Humans missed it, scanners missed it, but Claude finds it in what, 10 minutes? That’s a massive capability leap. AI is basically acting like an archeologist for exploits, digging up every skeleton we’ve left in our legacy closets for the last decade.” The problem for CSOs is “we’re basically bringing a knife to an AI gunfight,” he added. “Most IT shops are still stuck in ‘Human-Speed,’ waiting for a weekend maintenance window or a committee meeting, while the bad guys are running at ‘Machine-Speed.’ If you aren’t automating your defense and using AI to patch as fast as AI is finding the holes, you aren’t just behind; you’re already breached and just don’t know it yet.” Automation is key “If a company hasn’t patched this by now, it’s moved past a ‘resource issue’ and straight into professional negligence,” Enderle said. “We’ve got to stop treating patching like a chore and start treating it like a survival requirement.” The fix is simple, but hard for most old-school IT shops to swallow, he noted: Get the humans out of the way. “If AI is finding holes in minutes,” he said, “a 12-day manual patch cycle is basically an invitation to get robbed.” Start by putting together a software bill of materials for every app in your environment, Enderle advised. “Without it, you’re just guessing what’s under the hood. You need a live, automated inventory, using standards like CycloneDX, so the second a bug like this [ActiveMQ] hits, you aren’t scanning. You already know exactly which apps are carrying the poisoned ingredient.” Second, he said, auto-patch the small stuff and use automated testing for the big systems. Again, he maintained that if IT is still waiting for a weekend maintenance window or a committee approval to fix a critical flaw, “you’re playing a 2010 game in a 2026 world.”  “Bottom line,” he said: “If you don’t know what’s in your software, and you can’t fix it faster than an LLM can find it, you’re just a target.”

Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims. "SystemBC establishes SOCKS5 network tunnels within

Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper with data exchanged by them. The vulnerabilities have been collectively codenamed BRIDGE:BREAK by Forescout Research Vedere Labs, which identified nearly 20,000 Serial-to-Ethernet converters exposed

A 24-year-old British national and senior member of the cybercrime group "Scattered Spider" has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

A third individual who was employed as a ransomware negotiator has pleaded guilty to conducting ransomware attacks against U.S. companies in 2023. Angelo Martino, 41, of Land O'Lakes, Florida, teamed up with the operators of the BlackCat ransomware starting in April 2023 to assist the e-crime gang in extracting higher amounts as ransoms. "Working as a negotiator on behalf of five different

Security teams often present MTTR as an internal KPI. Leadership sees it differently: every hour a threat dwells inside the environment is an hour of potential data exfiltration, service disruption, regulatory exposure, and brand damage.  The root cause of slow MTTR is almost never "not enough analysts." It is almost always the same structural problem: threat intelligence that exists

Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate. "The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko said in a

A high-severity authentication flaw in Microsoft’s Azure SRE Agent exposed sensitive agent data to unauthorized network access, according to a confirmed vulnerability disclosure. The issue was identified by Enclave AI researcher Yanir Tsarimi, who detailed the findings in a blog post describing how agent interactions could be accessed without proper authentication controls. The vulnerability has been tracked as CVE-2026-32173 and rated critical with a CVSS score of 8.6. In the blog, Tsarimi described scenarios where agent activity could be observed during execution, including interactions between users and the system. The exposure stemmed from an authentication gap in the service, allowing access to data streams without valid credentials. Microsoft classified it as an improper authentication issue that allows an unauthorized attacker to disclose information over a network, the NVD entry said. “Imagine you hired an assistant who has access to everything: your servers, your logs, your passwords, your source code. Now imagine a total stranger, from a completely unrelated company, could silently listen to every conversation that assistant has,” Enclave researcher Yanir Tsarimi wrote. “That’s what we found in Azure SRE Agent.” Microsoft has since fixed the issue, the blog added. The fix was applied server-side, and Microsoft’s advisory states that no customer action is required. Azure SRE Agent reached general availability on March 10. Multi-tenant by default The agent streams all activity through a WebSocket endpoint called /agentHub, the blog said. The endpoint required a token to connect, but the underlying Entra ID app registration was configured as multi-tenant, meaning any account from any Entra ID tenant could obtain a valid token that the hub would accept. “The hub then checked: Is the token valid? Yes. Is the audience correct? Yes. It never asked: Does this caller belong to the target’s tenant? Are they authorized to use this agent? Do they have any role on this resource?” Tsarimi wrote. Once connected, the hub broadcasts all events to all clients with no identity filtering, the blog said. The exposed channel included user prompts, agent responses, internal reasoning traces, every command executed with full arguments, and the command output. “In our own test environment, we watched the agent run a routine task and return deployment credentials for live web applications,” Tsarimi wrote. “An eavesdropper on a real target would have received the same. Silently. With nothing to indicate anyone else was on the line.” Exploitation required only the target agent’s subdomain, which Enclave described as predictable and enumerable, and roughly 15 lines of Python. Third-party trackers identified the affected component as the Azure SRE Agent Gateway SignalR Hub. Watching a privileged operator think out loud The category of flaw should not be compared too closely to a conventional API bug, said Alexander Hagenah, cybersecurity researcher and executive director at Zurich-based financial infrastructure operator SIX Group. “A normal API issue is usually bound by a specific endpoint, dataset, or permission check. With an AI operations agent, the agent itself becomes the aggregation point for infrastructure state, logs, source code, incident context, commands, outputs, and sometimes credentials that appear during troubleshooting,” Hagenah said. “In practical terms, it can look like watching a privileged operator think out loud,” he added. The exposure does not amount to automatic infrastructure compromise, Hagenah said, but it can be more valuable than many read-only bugs. Attackers typically have to work hard after initial access to understand an environment. An SRE agent may already have that context assembled for them. The connection also left no trace on the victim’s side, the researcher wrote. “Victim organizations had no way to detect it, no way to investigate after the fact, and no way to scope what had been exposed.” Considerations for enterprises Enclave, as per the blog post, noted that organizations that ran Azure SRE Agent during the preview window must treat the period as potentially exposed and review any credentials, configuration data, or sensitive information that may have passed through agent conversations or CLI outputs. Hagenah said agentic operations services need to be governed more like privileged automation platforms than ordinary SaaS tools. “Before granting that level of access, I would want very clear answers on tenant isolation and resource-level authorization. It should not be enough that a token is valid. The service has to verify that the caller belongs to the right tenant, is authorized for that specific agent, and is allowed to access that specific stream, thread, tool output, or action,” he said. The agent should run under a dedicated managed identity with minimal permissions, and integrations with command execution, log query, source repositories, and incident platforms should be reviewed like any other privileged system, Hagenah said. Enterprises also need to know who connected, what threads they accessed, what commands ran, and what output was returned, with logs exportable to the SIEM. Microsoft did not immediately respond to a request for comment.

Security researchers have revealed a prompt injection flaw in Google’s Antigravity IDE that could be weaponized to bypass its sandbox protections and achieve remote code execution (RCE). The issue came from Antigravity’s ability to allow AI agents to invoke native functions, like searching files, on behalf of the user. Designed to kill complexity, the feature could allow attackers to inject malicious input into a tool parameter. According to Pillar Security researchers, the vulnerability could bypass Antigravity’s “most restrictive security configuration,” Secure Mode. The flaw was reported to Google in January, which acknowledged and fixed the issue internally, awarding Pillar Security a bounty through its Vulnerability Reward Program (VRP) for AI-specific categories. Google did not immediately respond to CSO’s request for comments. File search could be turned into code execution Pillar’s prompt injection vector relied on Antigravity’s “find_my_name” tool and an “fd” utility within. find_my_name is one of Antigravity’s built-in agent tools that allows the AI to search for files and directories in the project workspace using the fd command line. What was happening is that any string beginning with “-” was being interpreted by fd as a flag rather than a search pattern, allowing execution of binaries within files matching a “-Xsh” pattern. “The technique exploits insufficient input sanitization of the find_by_name tool’s Pattern parameter, allowing attackers to inject command-line flags into the underlying fd utility, converting a file search operation into arbitrary code execution,” the researchers said in a blog post. Essentially, instead of just locating files, “fd” could be tricked into executing attacker-supplied binaries across those files using a crafted prompt that manipulates the “Pattern” parameter. The researchers demonstrated this by creating a file in the local directory with the malicious prompt to exploit the “pattern” injected. Antigravity picked up the file, ran its intended tasks (like launching Calculator), and also launched the search tool, now primed to execute “-Xsh” patterns. This could also be turned into remote code execution via indirect prompt injection. “A user pulls a benign-looking source file from an untrusted origin, such as a public repository, containing attacker-controlled comments that instruct the agent to stage and trigger the exploit,” the researchers explained. The worst part was that it was unstoppable with the existing protection. Google’s sandbox never got a chance Antigravity’s Secure Mode, which is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context, could not flag or quarantine this technique. This is because the find_my_name tool is called much before Secure Mode restrictions are evaluated. “The agent treats it as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces,“ the researchers noted. The issue was trimmed down to a twofold root cause. A “No input validation” at the Pattern parameter, which accepts arbitrary strings without checking for legitimate search pattern characters. The second was “no argument termination,” which refers to fd’s inability to distinguish between flags and search terms. Google has already fixed the flaw internally, and Antigravity users need not do anything else to remain protected. However, the flaw’s ability to bypass Secure Mode, Pillar researchers point out, underlines that security controls focused on shell commands are insufficient. “The industry must move beyond sanitization-based controls toward execution isolation,” they said. “Every native tool parameter that reaches a shell command is a potential injection point.”

The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. However, the most reliable entry point for attackers still hasn't changed: stolen credentials. Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing

Cybersecurity researchers have discovered a vulnerability in Google's agentic integrated development environment (IDE), Antigravity, that could be exploited to achieve code execution. The flaw, since patched, combines Antigravity's permitted file-creation capabilities with an insufficient input sanitization in Antigravity's native file-searching tool, find_by_name, to bypass the program's Strict

Identity centric technologies have undergone a significant transformation in recent times. Gone are the days when it was all about logging in and out of any given system. Today, identity has become the backbone of all digital enterprises. It’s the ‘invisible engine’ that powers everything. From security to how modern-day products are sold. Today’s Identity based frameworks not only controls who can access what, how and when, they also help businesses work efficiently, improves customer satisfaction and reduces fraud and risk, especially associated with back-office jobs. In this article, we’ll look at why identity is key and how it supports several key aspects of digital transformation. Identity is the new security boundary Traditionally, enterprises used firewalls and internal network policies to protect themselves against any external attacks. If you were inside the company network, then trust was automatically granted. If you were not, you were perceived as a threat. That world no longer exists. Because, unlike in the past, companies have employees working from different geographic locations or work from home. Most systems are hosted in the cloud. Customers can access services from mobile devices. And even programs and bots require access to the system. This means that identity is the new perimeter. And traditional methods of securing systems won’t work anymore, as there’s no clear definition of who is ‘inside’ or ‘outside’ the perimeter anymore. Instead of relying on location to grant access, verification is performed on the person or system making the request, and subsequently authorization checks are performed to allow the requested action. Managing user access is not easy at an enterprise scale. And it doesn’t get any easier for those using complicated network rules and manual setups. In fact, it often results in errors and delays. This is where identity-based solutions come into play. When someone from any team logs in, the identity system will accurately pinpoint: Who they are and what they are up to. The project they are working on. Which environment should they use? Using this information, the system can determine which resource someone needs, when they need it and how to use it. The principle behind it is ‘never trust, always verify’. With it, errors that normally occur are reduced, less manual configuration is required and overall efficiency and accountability increase. When something goes haywire, it becomes easy for the enterprise to track which resource was accessed by whom and when. This helps teams move faster without losing control. How identity helps software teams work faster Software is usually managed in various stages during its creation. To do this effectively, companies have different test environments, such as: Development Testing Staging Performance testing For all these environments, we’ve got different teams working simultaneously on the same software. For example, when development teams are working on building new features for the software, business users would be validating the beta version in the parallel testing environment. Modern Identity structure easily carries this context in the message and helps route transactions to the appropriate environment. Identity helps to control exactly what people can see and do Every organization has its own hierarchical structure. Within it, everyone has limitation to what they can access or see. For instance, a junior officer cannot have the same privileges as a manager. Similarly, a manager cannot have the same authorization as the CEO. If everyone had the same access, it would create a serious security risk. This is where modern identity systems shine. It stores information about users based on department, job description, location, level of responsibility and whether the user has special permissions. When logging in, this information travels with them. The application uses this to determine which information to disclose and which to restrict. Put simply, some users see certain menu options while others using the same system can’t see them at all. Similarly, others might have the ability to read and write data, while others can only view it. This is what is known as fine-grained access control, where access is given to users when they truly need it. Some of its benefits are: Enhanced security against internal misuse of data. Reduced data leaks. Makes it easy to comply with data protection laws. Auditing and filing of reports are simplified. Beyond security: Identity powers customer personalization Identity goes beyond just managing employee access. It helps the business grow as it manages crucial customer profile information such as preferences, purchase history, product interest and consent for data use. The data collected is used to market personalized products, send relevant offers, show content based on previous browsing history and even communicate in their customer’s preferred language. Before customer identity management systems, all this information was scattered across different systems. One database could handle emails, another purchase history and another might track website visits. With unified identity management, all this information is summarized under one customer. This translates to better customer experience, higher conversion rates, increased customer loyalty and better marketing. Plus, when customers see how their data is being handled, they are more likely to trust the brand and give permissions for their data to be used. Identity reduces risk and prevents fraud in finance This is where identity is needed the most because financial institutions, such as banks, deal with sensitive information and large amounts of money. Any slight error in processing data could easily incur huge losses and serious repercussions to the institution. In many cases, most customers usually have multiple accounts: Savings account Credit card Mortgage Investment account Business account All these accounts usually exist in different systems. With centralized identity systems, they can all be linked using a single identifier and traced back to one verified customer. This creates a complete financial picture of the customer. Better risk assessment With a clear picture, banks can make informed decisions, which in the long run helps reduce losses. We’re talking about smarter lending decisions, better assessment of risks, income and debt, repayment history, just to mention a few. Stronger fraud detection For any business to stand a chance against sophisticated modern cyberattacks like fraud, early detection is key. With AI-based identity security, detection takes place in real time. So, when someone makes a transaction, the system cross-checks with information such as login location, device type, behavioral patterns and transaction history. If an issue arises during this time, the system can either request extra verification or block the transaction entirely. Detecting fake identities Criminals today are evolving almost at the same pace as technology. To avoid detection, some of them create fake identities by mixing real and false information. Without strong security measures in place, most of them usually get away with it. To prevent this, identity systems based on vast information collected can be able to tell what ‘normal’ looks like for each customer and what doesn’t make sense. For example, when one personal number is linked to multiple unrelated accounts. Building identity as core infrastructure To support the areas this article talked about, it’s crystal clear that organizations can’t just treat identity as an old-fashioned list of names. It must be woven within the very foundation of the business. Here are three golden rules to make that happen: 1. It must be ‘real time’ The system should always share updates whenever they occur. For example, when a user logs in or changes their privacy settings, the information should be propagated throughout the entire system so that other parts of the company can react. 2. It must be easy to integrate with other systems They should be like plug-and-play tools that allow developers to easily connect with others without necessarily needing any assistance from a specialist. 3. It must be built for governance Not everyone needs to have unlimited access to the system. Each organization needs to have a clear set of rules on who gets access to what and when. On top of that, these permissions need to be reviewed from time to time, and all the activities tracked. This not only ensures the company stays safe but also complies with the law. Identity is the foundation of modern business Time and time again, most people often associate digital transformation with advanced new technology. But it’s not just about that. It involves connecting systems, data and the people using these resources smartly and securely. Identity makes this possible. It ensures that only the right users access the right resources at the right time. With identity, software developers are creating and deploying applications much faster, organizations get to control access to sensitive information, businesses can create personalized customer experiences and banks can detect and manage fraud right before it occurs. Therefore, as more businesses continue their migration towards digital transformation, identity needs to be established as the foundation. Those who do this are better positioned to grow, innovate and compete in this digital age. This article is published as part of the Foundry Expert Contributor Network.Want to join?

Much of the talk around cybersecurity these days revolves around AI and the threat it poses to corporate systems when used by nefarious actors. But the reality on the ground remains a little more mundane than polymorphic AI malware and criminal masterminds putting machine learning and generative AI to work at scale. Still, keeping on top of even minor nuances and emerging trends in the techniques cyberattackers are deploying of late can greatly help cyber defenders in their task. Of note is the fact that attackers are increasingly exploiting identity as a preferred method for infiltrating systems. While exploiting vulnerabilities also remains an important vector with its own emerging subtleties in practice, phishing, stolen credentials, and social engineering are among the more common root causes of initial attack today, according to threat response experts. “Identity-related attack techniques such as phishing (41%), stolen credentials (18%), and social engineering (12%) dominating our incident response engagements,” Alexandra Rose, director at the Counter Threat Unit at Sophos, tells CSO. Rose adds: “Attackers are increasingly looking to leverage weaknesses that can’t be targeted by patching — instead going after the human link in the chain: people.” Entry points created by expanding hybrid and cloud environments, integrations with AI tooling, and new SaaS apps are also particularly attractive to threat actors, allowing them to infiltrate systems without needing to deploy traditional malware. “Attackers [are exploiting] trusted tools, identities, and user behaviour rather than relying on technical sophistication” to mount attacks, according to threat intel vendor ReliaQuest’s latest Annual Cyber-Threat Report. Here, cyber experts quizzed by CSO identify the most prevalent cyberattack techniques being deployed against enterprises today. Drive-by RMM misuse Attackers have increasingly been abusing legitimate remote monitoring and management (RMM) tools to camouflage attacks on corporate networks. Designed to help IT teams manage systems remotely, popular RMM tools, such as ConnectWise ScreenConnect, Tactical RMM, and MeshAgent, are often abused by attackers for command-and-control, lateral movement, and ransomware deployment. Now, trojanized versions of RMM tools are being dropped directly onto hosts, often through drive-by compromise, according to ReliaQuest. ConnectWise ScreenConnect led RMM-related incidents between December 2025 up until the end of February 2026, according to the threat intel vendor. A separate study by managed detection and response firm Blackpoint found that abuse of legitimate RMM tools represented 30% of incidents handled by the firm. Network security device hacking Network edge devices have increasingly drawn attackers’ attention over the past two years, establishing a new battleground where the very devices meant to protect the network have become attractive targets for exploitation. As a result, flaws in security device, such as SSL VPN systems and other gateways, are among the top initial access vectors for attackers. SSL VPN compromises, for example, accounted for 33% of identifiable activity, according to Blackpoint. ClickFix ClickFix is a social engineering tactic that aims to trick prospective marks into pasting and executing malicious PowerShell commands from fake “fix” prompts. Because these bogus prompts come from either compromised websites or manipulated search results, the approach bypasses traditional security controls such as email filters or denylists. ClickFix scams often uses fake CAPTCHA pages as the lure. The methodology is most frequently used to distribute remote access trojans or infostealers, but attackers have also begun to feature ClickFix in ransomware attacks. “ClickFix adoption continues to expand across the attacker spectrum, with ransomware operators like LeakNet now using ClickFix lures to run campaigns directly rather than purchasing access from initial access brokers,” according to ReliaQuest. Identity-based attacks Attackers are increasingly impersonating legitimate users, machines, or services to gain access to systems, data, or infrastructure. The technique is on the upswing in part due to improved security defenses, according to some experts, and also demonstrates attackers’ interest in targeting authentication mechanisms rather than exploiting software vulnerabilities directly. “Endpoint detection and response technologies have pushed criminals into stealing credentials — or buying them from thieves — and then using them for authentication as account users,” says Tom Exelby, head of cybersecurity at UK-based cybersecurity services firm Red Helix. “Once they have access, they can augment their privileges through systems such as Microsoft Active Directory and Entra ID.” Instead of stealing passwords, attackers steal active authentication tokens to bypass multi-factor authentication (MFA) protections. Attackers are increasingly using OAuth consent phishing and reverse proxy kits to steal session tokens and bypass MFA, adds cloud-native security firm Netskope. “Attackers targeting Microsoft 365 environments are also adopting adversary-in-the-middle attacks,” Red Helix’s Exelby adds. “They capture credentials, MFA responses, and session cookies by using phishing kits as a proxy between the target and the legitimate authentication service.” Cybercriminals are using platforms such as the Tycoon 2FA phishing-as-a-service to run adversary-in-the-middle (AiTM) attacks. Many of the victims of this attack vector are “likely to be SMBs with limited cybersecurity resources,” according to Red Helix. Phishing Despite a year-over-year decline in the number of people clicking on phishing links, in part due to improved user education, this traditional form of social engineer remains a problem. According to a recent study by Netskope, 87 out of every 10,000 users click on a phishing link each month. Microsoft remains the brand attackers impersonate most. Remote and hybrid workforces have given attackers more opportunities for phishing and credential theft, and now the power of AI in facilitating such attacks is becoming a major concern. Cybercriminals have been putting AI to use to develop highly personalized phishing lures, automated reconnaissance, and synthetic voice and deepfake attacks. Hacking machine identities The rapid profileration of machine identities is proving to be a wellspring for attackers seeking inroads into corporate systems. Much of this is due to increased use of service accounts, containers, APIs, and the automation of DevOps, but agentic AI, with its promise of autonomous AI activity, is another rising source of concern for security organizations. “With non-human identities central to infrastructure, attackers are inevitably focusing on compromise of service accounts and API identities, which give them long-lived credentials and a broad range of permissions,” says Red Helix’s Exelby. Exelby adds: “Machine identities often have weak protection, are notoriously invisible, and poorly managed.” Managed service providers that hold privileged access to many client’s systems have a magnetic attraction for attackers as a potential route to carry out supply chain attacks. Even a midsize business is likely to have hundreds of SaaS apps and thousands of identities criminals can exploit. Shai-Hulud: The supply-chain attack evolves In September 2025, credential-stealing code wormed its way through scores of npm libraries, adding a modern twist to the supply chain attack. What would become known as Shai-Hulud included self-propagation logic that would eventually spread to hundreds of packages by automatically replicating and injecting itself into projects owned by compromised maintainers. Later versions of the npm supply-chain worm (“Shai-Hulud 2.0”) have expanded into cloud credential theft, making it the most significant new entry in ReliaQuest’s attack technique list since the previous edition last year. “The self-replicating nature [of the malware] makes containment particularly difficult once it enters a development pipeline,” ReliaQuest warns. Countermeasures Defenders should prioritize ClickFix-specific user training, enforce remote monitoring and management (RMM) tool allowlists, and centralize SaaS audit logging, ReliaQuest advises. Protection against the tide of identity-based attacks requires a shift to layered defenses. “Layered defences should include phishing-resistant authentication with hardware security keys, FIDO2 password-free approaches or certificate-based methods to reduce credential theft and adversary-in-the-middle attacks,” says Red Helix’s Exelby. Exelby adds: “Zero trust and least privilege access principles are essential, validating continuously using device posture, user behaviour and network context, along with risk-scoring. Time-bound access for accounts should be part of this.”

On April 7, six US government agencies issued a critical advisory warning domestic private sector organizations of potential infrastructural cyberattacks conducted by Iranian-affiliated Advanced Persistent Threat (APT) actors. The advisory stops short of attributing these threats to a single group but makes reference to 2023 attacks on US water and wastewater facilities linked to the known Iranian APT “CyberAv3ngers”, suggesting a possible correlation between historical and current incidents. Reports on “CyberAv3ngers” and analogous group “Handala Hack Team” — who have recently been in headlines for their numerous clashes with the FBI — emphasize that while these operations present themselves as radical pro-Palestinian hacktivist collectives, both are believed to be heavily-resourced and directly tied to the Iranian Ministry of Intelligence (MOIS). Sometimes referred to as “fronts”, “proxy insurgents” or “ghost groups”, these presumed false flag operations represent a longstanding obfuscation tactic amongst the so-called “Big Four” of cybercrime — Russia, China, North Korea and Iran. Notably, Russia’s largest military intelligence agency, the GRU, is widely known to recruit talented threat actors to execute complex cyber campaigns against political enemies. The Big Four are known for their pervasive assertions of soft power, otherwise known as ‘Influence Cyber Operations’ (ICOs). Each has a flagship operation in this field: Russia with disinformation campaigns, China with long-term operational technology espionage, North Korea with remote worker scams and laptop farms, and Iran with critical infrastructure disruptions. The “gray area” of plausible deniability Iran’s use of proxy insurgent groups follows a clear line of logic. A radical activist organization would be expected to execute politically motivated attacks, but not on a large scale or with exceptional technical skill. In the case of a group like Handala, openly proclaiming to be pro-Iranian nationalists aligns their interests with the Iranian government, making them a perfect cover for state-backed operations. It’s a strategy that allows for symbolic retributive actions by Iran without having to reveal the extent of its tactical power, and — crucially — one that allows for attacks to continue in times of supposed peace. This “death by a thousand cuts” approach — sometimes referred to as “soft warfare” or “gray warfare” — follows a military doctrine centered around a consistent, slow erosion of the enemy via covert operations. Obscuring the state’s involvement beneath a grandiose, pro-Iranian rhetoric allows it to affect change in the US with less chance of immediate retaliation, especially compared to an act of direct physical aggression, such as an overseas bombing on US soil. A state of perpetual interference To understand how proxy insurgent groups such as Handala fit within Iran’s modern-day intelligence ecosystem, we first need to look at the historical development of the country’s intelligence operations. In 1953, the United States and Britain (via conduit operations of the CIA and MI6, respectively) instigated a coup in Iran that displaced then-Prime Minister Mohammad Mosaddegh in favor of strengthening the imperialist power of its Shah, Mohammad Reza Pahlavi. The US hoped that by bolstering Iran’s monarchical leader in exchange for underlying influence in a newly pro-Western regime, it would be able to gain access to Iran’s rich petroleum resources. Part of this influence included the establishment and shaping of SAVAK in 1957, the first intelligence agency and secret police of the Imperial State of Iran. Despite being classed as a civilian organization, SAVAK was primarily composed of military figures whose objectives involved suppressing opposition, surveillance of threats to the monarchy and media control within Iran, often operating outside existing laws. When the group was violently dismantled following the 1979 Iranian Revolution, its replacement MOIS — still the country’s dominant intelligence organization — borrowed significantly from its personnel, core philosophy and tactics. All current Iranian entities involved in intelligence are technically required to report to and collaborate with MOIS, including the Islamic Revolutionary Guards Corps (IRGC), which was notably created directly in response to the first Supreme Leader’s suspicions of Iran’s existing military forces. Iran’s modern-day intelligence capabilities have ultimately formed from a mishmash of competing outfits. This includes MOIS, the Islamic Revolutionary Kumitehs, SAVAMA, the IGRC and its paramilitary force the IRGC-QF, all of which were established to support various pro-revolutionary and counterintelligence directives at the end of the 1970s and throughout the 1980s. In short, Iran’s cyber ecosystem has been shaped by decades of political upheaval, revolutionary factioning and calculated external influence. The protective front of a “pro-revolutionary” ideology, therefore, has long been used by the Iranian state to justify acts of political violence, espionage, surveillance and subterfuge. What do these groups actually represent? Western perceptions of groups such as Handala Hack Team and CyberAv3ngers are likely distorted by culturally based assumptions. In the US, for example, we tend to associate terms like “insurgent” with anti-authoritarians, not government loyalists. However, historically in Iran, civilian and military intelligence enterprises have been simultaneously enmeshed and compartmentalized by design. While there hasn’t been much discussion of the semantics in this scenario to-date, there’s no real qualifier preventing Handala from technically being considered a “radical hacktivist group” while also being a highly intentional product of the state. Whether they actually carry the values that they espouse publicly is anyone’s guess. Think of it this way: a radical activist organization is created to fight whatever it deems as an “oppressive system”, using symbolic direct action to compensate for its lack of size. And while Iranian APT groups are well-resourced domestically, in a global arena, they are still undeniably small. When held next to cyber superpowers like the US and Israel, even Iran’s most elite task forces are microscopic by comparison. A captive audience Experts have noted that Handala’s social media posts often contain exaggerated, near-theatrical claims. One blog post reads: “The slightest aggression against Iran’s vital facilities will mean the beginning of a devastating reaction that will turn all these vital infrastructures to ashes.” The group makes constant, unsubstantiated threats with claims of successful breach operations that quickly fade into the ether, never to be backed with evidence. However, to dismiss Handala’s evangelizing as laughable is missing the point — intentionally or not, Handala’s outsized assertions of its own power to retaliate against its aggressors highlight just how asymmetric the whole conflict really is. If nothing else, readers of Handala Hack’s messaging — conveniently written in English — are forced to grapple with the reality of a massive power imbalance between “us” and “them” just to figure out how safe they are allowed to feel. Americans engaging with Handala’s threats will likely feel alarmed, with that fear quickly turning to frustration that random American businesses are being symbolically attacked on behalf of entire industries due to Iran’s limited targeting capabilities. Suddenly, the imminent specter of Iran as presented by the US begins to fall apart. This is the true advantage of a state entity adopting a radical persona, particularly one with an air of “righteous fury” or a “bleeding heart”. Many have accused Handala of falsely claiming to be a pro-Palestinian group, but from a strategic standpoint, they are, because they are explicitly and violently anti-Israel — for a group with such radical political goals, sometimes ideology just means having a shared enemy. Beneath their seemingly unshakeable veneer, however, it’s only becoming clearer that Handala’s words are those of a state in crisis, one which has been hampered by sanctions into near technological autarky and that is literally struggling to keep the lights on thanks to repeated sieges of its own critical infrastructures. Lest we forget, the “world’s first cyberweapon”, Stuxnet, was created as a joint US-Israeli venture for the express purpose of destroying Iran’s nuclear program by targeting its SCADA and PLC systems. When the US warns that Iran is capable of targeting those same systems, it is merely positioning Iran as an enemy that is capable of doing to us exactly what we are to them. Although its motivations are ultimately multilayered and complex, Handala/the Iranian state’s “goal” is likely not simple fear-mongering. It’s to cause embarrassment, eroding the public’s good faith assumptions of its leaders’ motivations in the Global East as their actions are brought to light. Given the group’s level of media coverage for its minor hacking feats, who’s to say that things aren’t going as planned? This article is published as part of the Foundry Expert Contributor Network.Want to join?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut

A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving

Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust. There’s also a shift in how attacks run.

Attackers are increasingly exploiting enterprise collaboration platforms such as Microsoft Teams to gain initial access, impersonating IT helpdesk staff and persuading employees to grant remote control, according to new research from Microsoft. In a blog post, Microsoft described a “cross-tenant helpdesk impersonation” technique in which threat actors initiate conversations with employees via Teams’ external access feature. “Attackers use social engineering to convince users to grant access,” Microsoft said, noting that the approach allows adversaries to operate within trusted communication channels and bypass traditional phishing defenses. Unlike conventional phishing or exploit-driven attacks, the technique relies on what Microsoft characterizes as user-approved access. Victims are persuaded to initiate remote sessions, often using legitimate tools, effectively handing control to attackers without triggering typical malware-based detections, the blog post said. Shift to collaboration apps While the technique may appear new, analysts say it reflects an evolution rather than a reinvention of attack methods. “From my perspective, this is more an evolution of existing social engineering tactics than a fundamental shift,” said Prabhjyot Kaur, senior analyst at Everest Group. “The underlying objective hasn’t changed. Attackers are still exploiting user trust and urgency to gain initial access. What is changing is the channel.” As platforms such as Teams become central to workplace communication, attackers are following users into those environments. Unlike email, these platforms enable real-time engagement, making impersonation of IT or helpdesk staff more convincing. Kaur said collaboration platforms enable real-time interaction, making impersonation of IT or helpdesk staff more convincing than email-based phishing. “So rather than replacing phishing, this expands the attack surface and makes social engineering more operationally effective,” Kaur said. Offering a sharper view of the shift, Sanchit Vir Gogia, chief analyst at Greyhound Research, said the change is less about channel and more about how attacks unfold. “Phishing asked for attention. This model demands participation,” he said. “Attackers are inserting themselves into legitimate workflows and guiding users step by step through actions that grant access,” Gogia added, describing it as a move toward “guided execution” rather than simple deception. Microsoft’s findings follow earlier incidents in which attackers used Teams chats and calls to impersonate IT support and initiate remote access. Cross-tenant risk grows The attack chain uses Teams’ cross-tenant communication capability, which allows external users to initiate chats with employees, Microsoft wrote in the blog. “The cross-tenant risk is significant, and many organizations probably do underestimate it,” said Sunil Varkey, advisor at Beagle Security. “Collaboration tools were designed to reduce friction, but many organizations enabled that convenience before fully applying Zero Trust controls,” Varkey said. “The sustainable approach is to keep the business value of these platforms while treating every external interaction, support request, and access approval as something that must be verified, limited, and monitored.” He compared the risk to a physical security gap. Allowing anyone into a lobby should not mean they can walk employees to restricted areas and request access. Kaur added that many enterprises still treat collaboration platforms primarily as productivity tools rather than part of their attack surface. “Cross-tenant access is necessary for business, but it introduces a trust boundary that is often not well understood or tightly controlled,” she said. Gogia said the issue is rooted in how trust is applied in modern environments. “External actors can now initiate interactions inside environments that employees associate with internal coordination,” he said, adding that this creates a “false sense of safety.” Detection becomes harder Microsoft said attackers use legitimate administrative tools and remote access utilities after gaining entry, making activity harder to distinguish from normal operations. Because attackers use legitimate tools and approved workflows, “there’s very little that looks overtly malicious in isolation,” Kaur said. “These attacks blend into normal IT operations.” Microsoft also noted that attackers rely on native administrative tools and legitimate data transfer utilities to move laterally and exfiltrate data while appearing as routine activity. This shifts the focus toward behavioral detection. “Security teams should prioritize detecting sequences of activity,” Kaur said, pointing to patterns such as an unsolicited external Teams interaction followed by remote support activity and lateral movement. Gogia said this requires a shift in detection approach. “These attacks do not rely on exploits. They rely on sequence,” he said. “Each individual action appears legitimate. The compromise emerges only when those actions are connected.” Varkey added that defenders need to move beyond traditional indicators. “Because these attacks rely on legitimate tools and user-approved actions, security teams need to focus on context and behavior, not just malware,” he said. Tighter controls needed To reduce risk, experts say organizations need stronger governance over collaboration environments. “Collaboration platforms are often configured for convenience first, with easy external chat, calls, screen sharing, and remote assistance, without fully considering how those features can be abused together,” Varkey said. Kaur emphasized the need for integrated visibility. “The most effective defenses will come from integrating collaboration, identity, endpoint, and SOC visibility rather than treating them as separate layers,” she said. Recommended measures include tightening external access controls, restricting remote-support tools to approved workflows, enforcing conditional access and multi-factor authentication, and improving user awareness around how legitimate IT support interactions occur, Microsoft wrote.

Frontend cloud platform Vercel, the creator of Next.js and Turbo.js, has warned about a data breach after a compromised third-party AI application abused OAuth to access its internal systems. A Vercel employee used the third party app, identified as Context.ai , which allowed the attackers to take over their Google Workspace account and access some environment variables that the company said were not marked as “sensitive.” “Environment variables marked as “sensitive” in Vercel are stored in a manner that prevents them from being read, and we currently do not have evidence that those values were accessed,” Vercel said in a security post. The incident compromised what the company described as a “limited subset” of customers whose Vercel credentials were exposed. These customers have now been reached out with requests to rotate their credentials, Vercel said. According to reports surfacing on the internet, a threat actor claiming to be the Shinyhunters began attempting to sell the stolen data, which allegedly include access key, source code, and private database, even before Vercel confirmed the breach publicly. Hacking the access Vercel’s disclosure confirmed that the initial access vector was Google Workspace OAuth tied to Context.ai. Once the application was compromised, attackers inherited the permissions granted to it, including access to Vercel employee’s account. It remains unclear whether Context.ai’s infrastructure was compromised, OAuth tokens were stolen, or a session/token leak within the AI workspace enabled attackers to abuse authenticated access into Vercel’s environments. Context.ai did not immediately respond to CSO’s request for comments. “We have engaged Context.ai directly to understand the full scope of the underlying compromise,” Vercel said in the post. “We assess the attacker as highly sophisticated based on their operational velocity and detailed understanding of Vercel’s systems. We are working with Mandiant, additional cybersecurity firms, industry peers, and law enforcement.” Vercel has urged its customers to review activity logs for suspicious behavior and to rotate environment variables, especially any unprotected secrets that may have been exposed. It also recommended enabling sensitive variable protections, checking recent deployments for anomalies, and strengthening safeguards by updating deployment protection settings and rotating related tokens where needed. Sensitive secrets, including API keys, tokens, database credentials, and signing keys, that were not marked as “sensitive” should be treated as potentially exposed and rotated as a priority, Vercel emphasized. For users in panic, Vercel has offered an shortcut. “If you have not been contacted, we do not have reason to believe that your Vercel credentials or personal data have been compromised at this time,” the post reassured. Allegedly breached by ShinyHunters According to screenshots circulating on the internet, a threat actor has already claimed the breach on the dark web and is attempting to sell the spoils. “Greetings All, Today I am selling Access Key/ Source Code/ Database from Vercel company,” the actor said in one of such posts. “Give me a quote if you’re interested. This could be the largest supply chain attack ever if done right.” The data was put up for $2 million on April, 19. The threat actor can be seen using a “BreachForums” domain in the screenshot, claiming (not explicitly) to be Shinyhunters themselves, one of the operators of the notorious hacksite. Other giveaways include a Telegram channel “@Shinyc0rpsss” and an email id “[email protected]” mentioned in the post. While recent incidents have hinted at ShinyHunters resurfacing after  takedowns and alleged arrests, it remains likely that this is an imposter leveraging the name to lend credibility, something that has precedent.

Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to

Nitin Raina’s career history resembles that of many CISOs: He worked in IT infrastructure, operations, and services before moving into security and advancing through the ranks. He’s now global chief information security officer at technology consultancy Thoughtworks. But in a less common professional move Raina also picked up the role of global head of enterprise risk, a position he has held at Thoughtworks since 2020. He earned the job, he says, because of his ability and propensity to talk “about risk in totality.” After taking the position, Raina established the enterprise risk management function, which he now oversees. The function identifies and mitigates strategic, operational, and cybersecurity risks throughout the organization, and performs in-depth risk assessments and gap analyses to uncover vulnerabilities and inefficiencies within critical business processes, systems, and controls. Raina says heading enterprise risk is a natural fit for him as CISO, which is why he believes the two roles should be paired more frequently. “The risk conversation, as CISOs, we can lead that,” Raina says. “We have the ability and the forum in which we can raise it.” Most CISOs don’t hold a risk title, as Raina does, yet researchers, executive advisers, and other security leaders say CISOs are increasingly taking on more enterprise risk management tasks. It’s a logical expansion, these experts say. CISOs have been coached for years to identify how cyber risks pose business risks and to understand which risks represent the biggest risks to the enterprise, whether the impact of any of those exceed the organization’s tolerance for risks, and if so by how much. That CISO work is more critical than ever, they further assert. Nearly all business operations have become digital. That fact makes any cyber risk a material risk to the business, and it makes resiliency an operational imperative today. As such, the CISO should be a key player in assessing and managing business risk. “CISOs had once been focused on IT and cybersecurity risk. They’d ask, ‘What are the risks I have for platforms, applications, systems, the tech stack?’ It was a very flat plane,” says Paul Caron, global managed services lead and head of cybersecurity for the Americas at S-RM, a global corporate intelligence and cybersecurity consultancy. “But it has evolved in the past few years, and now CISOs are being pulled into new areas. They’re being asked, ‘What are the risks to the business?’” CISOs lead the way on risk In the 2026 CISO Report from data platform maker Splunk, 78% of CISOs reported joint accountability with other technical C-suite leaders (CIO, CTO, etc.) for security operational business risk, 56% have that joint accountability with CEOs, and 29% have joint accountability with other C-suite roles (CFO, chief legal officer, etc.). The report also found that 96% of CISOs are now responsible for AI governance and risk management. Meanwhile, the CyberRisk Alliance’s Q1 2026 CISO Top 10 report found that governance, risk, and compliance is the top priority for CISOs today. The report says this reflects GRC’s “role as the primary mechanism through which cybersecurity earns executive and board trust.” The report also notes that “organizations are under pressure to prove that risk oversight is continuous, defensible, and integrated into enterprise decision-making. CISOs are increasingly expected to unify regulatory obligations, enterprise risk tolerance, and security controls into a coherent operating model that supports real-time governance.” Evolving risks require a new CISO leadership profile The shift to CISO as a risk position, and not one limited to technical and cybersecurity alone, has been years in the making. But it has accelerated since the arrival of ChatGPT in late 2022, as organizations embraced first generative AI and more recently agentic AI. That’s because AI melds with the business process, whereas prior technologies only enabled business processes. That melding raises the stakes and makes cyber, digital, and business risk nearly synonymous. That evolution has pushed the CISO deeper into risk assessment and management, and it requires a different type of CISO than those of the past. “CISOs cannot walk around and make decisions based on fear or compliance. They must now be able to talk about risk in business terms. They need to understand that risk is a business conversation,” says Leon DuPree, lecturer at Eastern Michigan University’s School of Information Security and Applied Computing. Leading CISOs do this by quantifying both risk and the ROI of their options to address those risks, DuPree says, noting that many use the Factor Analysis of Information Risk (FAIR) model to understand and position cyber and operational risk in financial terms. “That’s the direction that CISOs are trying to go, so they can facilitate change and innovation working from ROIs for all the dollars being spent on security assets and risk mitigation,” he adds. S-RM’s Caron sees more CISOs taking this approach. For example, he says more security chiefs are being tasked with assessing and modeling risks associated with the AI uses within their organizations and reporting how those risks impact business processes — not just data integrity and IT systems. To perform such duties, CISOs must use more of their executive skills than their cyber acumen, Caron says. They must identify risks that come with the deployment of AI and other technologies, quantify those risks in business terms, offer mitigation strategies, quantify how each mitigation option reduces business risks, and help prioritize risk-related tasks based on expected returns and business objectives. “It takes more of a business leader’s lens than a very technical lens. So CISOs now have to be the ones responsible for steering the conversation into directions that show they’re a partner with the business to accelerate growth,” he explains. “The businesses of today are demanding more and more a business CISO.” Caron acknowledges that it’s a significant demand, one that requires CISOs to expand their knowledge base beyond technical and even compliance to business operations, enterprise strategy, and market conditions. “I think that’s where CISOs needs to start going, not necessarily where they are today,” he adds. “Many do still struggle with the mental shift it takes.” A question of appetite Steve Martano, an IANS Research faculty member and a partner in Artico Search’s cybersecurity practice, says the majority of CISOs rise through the technical and engineering ranks, so many still find enterprise risk assessment and management novel tasks. But, like Caron, he says it’s now part of the gig. “I think understanding how emerging tech impacts the organization’s risk profile is something they must do, and I think the conversation around enterprise risk is always something security practitioners should be striving for when they communicate,” he says. But Martano, like others, also says CISOs do not have — nor should they assume — ownership over establishing the organization’s risk appetite. “It’s not the CISOs job to revisit the risk posture itself. It’s not the CISO’s job to say, ‘We’re operating too loose,’” Martano says. Instead, CISOs must possess “a good understanding of what the organization thinks is inbounds and out-of-bounds” so they can “flag how technologies, processes, and tools could have an effect on the risk posture,” he says. “The CISO is the adviser.” Boards expect CISOs to be capable of identifying and assessing current and future risks as well as advising on whether to mitigate, transfer, insure against or accept those risks, he adds. That may be more challenging now than ever, with technology, AI, and enterprise use of them swiftly evolving. “The best CISOs think about risks that are around the corner. They have to have a pulse on where things are going,” Martano adds. “They don’t have to be visionary; but they do need to be proactive by engaging more outside their four walls, engaging with vendors, information-sharing with their peers, having a pulse on the macro level. The more they diversify what they’re hearing, the better, so they can bring nuggets of information to their boards and executive teams to discuss and how those affect their own organization’s risk culture.”

Unit 42 finds frontier AI models enhance vulnerability discovery, acting as full-spectrum security researchers. They enable autonomous zero-day discovery and faster N-day patching. The post Fracturing Software Security With Frontier AI Models appeared first on Unit 42.

KI-Agenten sind populär – und anfällig dafür, missbraucht zu werden.DC Studio / Shutterstock KI-Agenten fürs Enterprise können bekanntlich Arbeitsabläufe optimieren. Aber auch die Datenexfiltration – wie Sicherheitsforscher von Capsule Security herausgefunden haben. Sie haben sowohl in Microsoft Copilot Studio als auch Salesforce Agentforce Prompt-Injection-Schwachstellen entdeckt. Diese ermöglichen Angreifern in beiden Fällen schadhafte Befehle über scheinbar harmlose Prompts einzuschleusen – mit potenziell verheerenden Folgen. Copilot leakt Sharepoint-Daten Beim „ShareLeak“ getauften Problem auf Microsoft-Seite liegt der Knackpunkt darin, wie Copilot-Studio-Agenten SharePoint-Formulare verarbeiten. Der Angriff beginnt mit einem manipulierten Payload, der in ein Standard-Formularfeld (etwa „Kommentare“) eingefügt wird. Diese fließt später im Rahmen seines operationellen Kontexts in den KI-Agenten ein. Weil das KI-System Benutzer-Inputs mit System-Prompts verknüpft, überschreibt der „injizierte“ Payload die ursprünglichen Anweisungen des Agenten. Das KI-Modell behandelt damit die Anweisungen eines Angreifers als legitime System-Direktiven – der schadhafte Input wird ohne jegliche Widerstände vom Agenten ausgeführt. Sobald ein Agent auf diese Art und Weise kompromittiert wurde, ist es demnach auch möglich, auf verbundene Sharepoint-Listen zuzugreifen, sensible Kundendaten zu extrahieren und diese per E-Mail zu versenden. Wie die Forscher feststellten, wurden Daten selbst dann exfiltriert, wenn die Sicherheitsmechanismen von Microsoft verdächtiges Verhalten meldeten. „Die Hauptursache dafür ist, dass es keine zuverlässige Trennung zwischen vertrauenswürdigen Systemanweisungen und nicht vertrauenswürdigen Benutzerdaten gibt. In der bestehenden Konfiguration kann die KI das nicht voneinander unterscheiden“, so die Sicherheitsexperten. Microsoft hat inzwischen einen Patch veröffentlicht, der das Problem behoben hat. Und die Sicherheitslücke mit einem Schweregrad von 7,5 von 10 auf der CVSS-Skala bewertet. Seitens der Benutzer sind keine weiteren Maßnahmen erforderlich. Lead-Formulare kapern Agentforce Im Fall von Salesforce Agentforce konnten die Forscher von Capsule maliziöse Instruktionen in ein öffentlich zugängliches Lead-Formular einbetten, die im Anschluss über einen „Agent Flow“ mit E-Mail-Funktionen ausgeführt wurden. Weist ein interner Benutzer einen Agentforce-Agenten später an, diesen Lead zu überprüfen oder zu verarbeiten, führt dieser die Anweisungen aus und exfiltriert sensible Daten. „Das resultiert in einer nicht-autorisierten Datenoffenlegung und potenziell massenhafter Exfiltration von CRM-Daten“, schreiben die Forscher. Massenhaft deswegen, weil sich die Kompromittierung nicht auf einen einzelnen Datensatz beschränkt: Laut den Capsule-Experten kann ein gekaperter Agent mehrere Lead-Datensätze gleichzeitig abfragen und exfiltrieren, wodurch eine einzelne Formularübermittlung effektiv zur Datenbank-Extraktions-Pipeline werde. Den Forschern zufolge habe Salesforce das Prompt-Injection-Problem zwar anerkannt, den Exfiltrations-Vektor jedoch als „konfigurationsspezifisch“ eingestuft und auf optionale Human-in-the-Loop-Kontrollen verwiesen. Die Sicherheitsforscher von Capsule widersprechen dieser Darstellung und argumentieren, dass manuelle Genehmigungen den eigentlichen Zweck autonomer Agenten untergraben. Das eigentliche Problem, so die Forscher, seien unsichere Standardeinstellungen. Für die Automatisierung konzipierte Systeme sollten es demnach nicht zulassen, dass nicht-vertrauenswürdige Inputs die Ziele der Agenten neu definieren können. Was Unternehmen tun sollten Beide Sicherheitslücken laufen auf eine Grundvoraussetzung hinaus: Sämtliche externe Inputs sollten als nicht vertrauenswürdig behandelt werden. Und: Filter einzurichten, die Daten von Anweisungen trennen, ist zu empfehlen. Dies würde auch bedeuten, folgende Maßnahmen durchzusetzen: Input-Validierung, Least-Privilege-Zugriff, sowie strikte Kontrollmaßnahmen für Dinge wie ausgehende E-Mails. (fm)

Claude Mythos wird derzeit von ausgesuchten Organisationen getestet – in erster Linie großen Tech-Konzernen aus den USA.Anthropic | Screenshot Der Hype um Anthropics Security-Modell Mythos bekommt erste Risse: Während KI-Konkurrent OpenAI plant, mit einem eigenen Cybersecurity-fokussierten KI-Modell „entgegenzuwirken“, stellen die Sicherheitsexperten von VulnCheck in einer aktuellen Untersuchung die praktischen Auswirkungen von Claude Mythos, respektive „Project Glasswing“ in Frage. „Anthropics Project Glasswing hat große Aufmerksamkeit erregt – liefert aber nur sehr wenig konkrete Daten“, schreibt VulnCheck-Forscher Patrick Garrity in einem Blogbeitrag. Zwar würden die Forschungsaktivitäten von Anthropic aktiv dazu beitragen, Schwachstellen aufzudecken und seien insgesamt vielversprechend – der nachweisbare Impact des Projekts bislang jedoch eher überschaubar. Glasswing’s getting a lot of attention, so we took a look to understand what can be verified so far: https://t.co/UKmHYT3vaJ75 CVEs mention Anthropic40 credit their researchers1 tied to Glasswing (so far)More is expected later this year, and we’ll be tracking it.— VulnCheck (@VulnCheckAI) April 15, 2026 Die CVE-Analyse von VulnCheck Für ihre Analyse haben sich die Experten von VulnCheck die Zahlen hinter „Project Glasswing“ genauer angesehen – beziehungsweise die CVEs, die der Initiative direkt zuzuordnen sind. „Weder der Report zu Glasswing noch die von Anthropic veröffentlichten Sicherheitshinweise liefern eine umfassende Liste der entdeckten Schwachstellen. Also beschloss ich, die gesamte CVE-Datenbank nach Einträgen zu durchsuchen, die den Begriff ‚anthropic‘ enthielten und überprüfte jeden einzelnen“, beschreibt Garrity sein Vorgehen. Insgesamt identifizierte der Researcher 75 solche CVE-Einträge. Allerdings wurden davon lediglich 40 den Forschern von Anthropic zugeschrieben. Nach einer weiteren Eingrenzung zeigte sich, dass lediglich eine einzige CVE ausdrücklich „Project Glasswing“ selbst zugeordnet wird. Dabei handelt es sich um eine Sicherheitslücke in FreeBSD, die es ermöglicht, remote Code auszuführen. Diese wird als „autonom identifiziert“ und „ausgenutzt“ beschrieben. Bei seiner Analyse hat Garrity drei Schwachstellen außen vor gelassen, die auf der Website des Projekts erwähnt werden – allerdings unter Embargo stehen, beziehungsweise nicht im Detail einsehbar sind, bis Patches verfügbar sind. Darunter: eine 27 Jahre alte Sicherheitslücke in OpenBSD, ein 16 Jahre alter Bug in FFmpeg, sowie Privilege-Escalation-Ketten im Linux-Kernel. „Ein abschließendes Bild von der tatsächlichen Leistungsfähigkeit von Claude Mythos zu gewinnen, wird erst möglich sein, wenn Anthropic umfassend öffentlich Rechenschaft darüber ablegt, welche Schwachstellen im Rahmen von Project Glasswing gefunden und behoben wurden“, so Garrity. Damit rechnet der Sicherheitsexperte für den Juli 2026. Das sagen Experten Die Erkenntnisse von VulnCheck werfen ein neues Licht auf die Fähigkeiten von Claude Mythos – beziehungsweise darauf, wie diese gemessen werden. Schließlich ist die Anzahl direkt zurechenbarer CVEs nur ein Weg, den Impact des KI-Modells von Anthropic zu erfassen. So nimmt etwa Melissa Bischoping, Vorstandsmitglied des SANS Technology Institute und Senior Director beim Sicherheitsanbieter Tanium, eine andere Perspektive ein, wenn es um das Potenzial von Claude Mythos geht: „Wir haben bei Tanium die System Card der Claude Mythos Preview analysiert – und das Modell erzielt eine bisher unerreichte Erfolgsquote bei Exploits. Der Sprung von einer Erfolgsquote nahe Null auf ungefähr 72 Prozent bei derselben Klasse von Angriffszielen deutet darauf hin, dass es kein Bottleneck mehr darstellt, raffinierte, aufwendige Exploits zu entwickeln.“ Auch wenn Claude Mythos derzeit im eng abgesteckten Rahmen von Project Glasswing getestet werde, habe es bereits gezeigt was künftig möglich ist, meint die Managerin: „Die Kluft zwischen Frontier- und Open-Weight-Modellen hat sich von mehr als einem Jahr auf wenige Wochen verringert. Dieses Leistungsniveau wird sich rasch ausbreiten – sehr wahrscheinlich, können die Sicherheitsvorkehrungen dabei nicht Schritt halten“, warnt Bischoping. Die Expertin zeigt sich insbesondere besorgt darüber, ob Unternehmen noch fähig sein werden, auf die durch Claude Mythos zu Tage geförderten Erkenntnisse zu reagieren – bevor das Modell in die freie Wildbahn gelangt: „Agentic-Patch-Workflows sind realisierbar und können in vielen Fällen mit Adversarial AI Schritt halten. Allerdings laufen Unternehmenspolitik und Change-Kontrolle aktuell nicht mit KI-Geschwindigkeit.“ (fm)

Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems. The malware has been codenamed ZionSiphon by Darktrace, highlighting its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet.

loading="lazy" width="400px">Lesen Sie, welche Aspekte für einen Krisenkommunikationsplan entscheidend sind.Gorodenkoff – shutterstock.com Cyberangriffe fordern nicht nur CISOs in punkto Prävention und Krisenbewältigung heraus. Auch die Unternehmenskommunikation ist mit im Boot. Sie ist verantwortlich für den Krisenkommunikationsplan, den sie mit dem CISO entwickelt und bei Cybersicherheitsvorfällen umsetzt. Eine gute Krisenprävention hat aus der Perspektive der Kommunikation drei Elemente und beginnt nicht erst dann, wenn die Krise eingetreten ist. Die folgenden Maßnahmen sollten grundsätzlich Teil der Unternehmenskommunikation (UK) sein. Ein Krisenkommunikationsplan bereitet das Unternehmen optimal auf alle möglichen Krisenszenarien vor. Dazu zählen klare Verhaltens- und Kommunikationsregeln, vorbereitete Inhalte und sichere Kommunikationskanäle und -instrumente. Ein Internet-Monitoring zeigt an, wie die Krise in Sozialen Netzwerken und Medien wahrgenommen wird. Reputationsschädigende Veröffentlichungen können frühzeitig entdeckt und Gegenmaßnahmen eingeleitet werden. Eine gute Kommunikationsarbeit im Tagesgeschäft schafft etablierte Kontakte zu Meinungsführern. Auf gute Beziehungen und starkes Standing kann man in der Krise aufsetzen. Konsistente Aussagen nach außen Um eine konsistente Kommunikation und im Krisenfall eine schnelle Reaktion auf alle Herausforderungen zu garantieren, ist eine klare kommunikative Verantwortungsstruktur unbedingt notwendig. Während die Gesamtverantwortung für korrektes unternehmerisches Handeln in der Krise bei der Geschäftsführung liegt, muss die Verantwortung für die Krisenkommunikation in der Abteilung Unternehmenskommunikation angesiedelt werden. Notfallstäbe treten zusammen Im Krisenkommunikations-Notfallstab (KKN) sollten nur aktiv an Kommunikationsentscheidungen beteiligte Verantwortliche teilnehmen. Dieses Gremium wird nicht nach hierarchischen Gesichtspunkten besetzt. Parallel etabliert sich der erweiterte Krisenkommunikations-Notfallstab (eKKN). Ihm gehören Mitglieder aller Unternehmensbereiche an. Aufgabe des eKKN ist es, die Gesamtorganisation über den Stand der Dinge zu informieren. Leitung des Krisenstabs Neben der Krisenkommunikation geht es im konkreten Handeln, um die Krise zu lösen, vor allen Dingen um die Koordination technischer Maßnahmen. Im Falle einer Cyberattacke liegt die Verantwortung bei der IT-Abteilung. Deshalb führen ein Mitglied aus der Unternehmenskommunikation und ein Mitglied aus der IT gemeinsam den KKN. Zu den Aufgaben des KKN gehört es, die Kommunikationsmaßnahmen auszurollen und die externe Berichterstattung zu beobachten. Der Krisenstab entscheidet auch darüber, Maßnahmen und Inhalte anzupassen. Von der Theorie in die Praxis Die Planung der Krisenkommunikation umfasst viele praktische Aspekte. Dazu gehört zum Beispiel, zu definieren, in welchem Raum Live-Sitzungen des Krisenstabs stattfinden können und wie Online-Meetings abgehalten werden. Dabei muss für den Fall einer Cyberkrise immer mit bedacht werden, dass gegebenenfalls Kommunikationstools wie E-Mail, Chat und Festnetz- beziehungsweise IP-Telefonie nicht verfügbar sind. Notfall-Infrastruktur frühzeitig aufbauen Es muss auch damit gerechnet werden, dass das IT-Netz nicht zugänglich ist oder aus Sicherheitsgründen abgeschaltet werden muss. Sämtliche vorbereitete Dokumente und Kontaktlisten des Krisenstabs müssen deshalb zwingend auch ohne Zugang zum internen IT-Netz erreichbar sein. Dabei müssen für die Teammitglieder E-Mail-Accounts genutzt werden, die unabhängig von der Unternehmens-IT funktionieren. Die UK-Leitung muss bei der Erstellung dieser alternativen Kommunikations-Infrastruktur für Krisenfälle unbedingt auf Datenschutz- und Datensicherheit achten. Licht ins Dunkel mit der Darksite Wo sollten Betriebe mit der ersten Notfall-Kommunikation anfangen? Gehen wir von der Situation aus, dass die IT nicht mehr funktioniert und auch die Webseite nicht mehr erreichbar ist. Dann wird eine Darksite online geschaltet. Die Darksite ist eine vorbereitete Internet-Seite mit den wichtigsten Informationen für Kunden, Partner und Öffentlichkeit im Krisenfall. Die Web-Adresse der Homepage wird über den Provider auf diese Darksite gelenkt. Laufende Information stärkt das Vertrauen Auf der Darksite können laufend aktuelle Informationen zur Krise und zur Krisenbewältigung veröffentlicht werden sowie Kontaktadressen für Betroffene, Medien und Partner. Bereits im Vorfeld muss geklärt sein, wer im KKN für die Redaktion der Darksite verantwortlich ist. Das Vorhalten einer Darksite ist unbedingt zu empfehlen, da die Webseite ein attraktives Ziel für Cyberkriminelle ist. Sie beweisen damit den Erfolg ihrer Attacke. Mehrstufige Kommunikation Entscheidend für eine gute Außenkommunikation ist, dass Medien und Nutzer Sozialer Netzwerke aus einer Hand informiert werden. Deshalb muss geklärt sein, dass ausschließlich definierte Mitarbeiterinnen und Mitarbeiter der Unternehmenskommunikation mit Erfahrung in der Öffentlichkeitsarbeit Stellungnahmen gegenüber den Medien abgeben. Alle Abteilungen müssen darüber informiert sein, wer Ansprechpartner für Medien ist. Die Pressearbeit in der Krise erfolgt grundsätzlich mehrstufig. Stellungnahme bereithalten Sofort bei Ausbruch der Krise muss ein vorbereitetes Statement bereitgestellt werden, das auf Anfrage herausgegeben werden kann. Dieses Statement kann noch keine Details zum Vorfall selbst enthalten, muss aber die Bereitschaft zur offenen Kommunikation erklären. Da die meisten Cybervorfälle nach dem gleichen Muster ablaufen, können die Dokumente gut vorbereitet werden. Je konkreter das Ausmaß der Krise intern bekannt ist, desto konkreter kann die erste Stellungnahme formuliert werden. Erste aktive Erklärung Sobald Ursache und Ausmaß der Krise benannt werden, erfolgt eine aktive Information mit Kernaussagen. Da die häufigsten Formen von Cyberangriffen bekannt sind, kann auch diese Pressemitteilung vorbereitet werden. Gegebenenfalls können noch ergänzende Aussagen hinzugefügt werden, die für das Verständnis des Vorfalls wichtig sind beziehungsweise die Reputation schützen oder zusätzliche Informationen für Betroffene beinhalten. Alternative Tools für Pressearbeit Bei der aktiven Kommunikation ist zu beachten, dass interne Systeme, etwa Listen mit Medienkontakten oder Tools für den Versand von Presseinfos nicht mehr zur Verfügung stehen. Cloud-Lösungen können hier Abhilfe schaffen und lassen sich meist auch im Tagesgeschäft nutzen. Die wichtigsten Daten, zum Beispiel private E-Mail-Adressen und Mobilfunk-Nummern der Mitglieder der Krisenstäbe sowie der wichtigsten externen Notfallpartner, sollten aber immer auch auf dem sichersten Medium der Welt gespeichert werden: auf Papier! Laufende Information gemäß Kenntnisstand Eine zweite Pressemitteilung folgt zeitnah mit ergänzenden Informationen zum Vorfall und mit einer Erläuterung der Anti-Krisenstrategie sowie Hinweisen für Betroffene. Je nach Krisenverlauf folgen weitere Pressemitteilungen. Die optionale vierte Phase kann kommunikativ grundsätzlich genutzt werden, um Vertrauen aufzubauen: Geschäftsführende und Mitglieder des Expertenteams können gemeinsam darüber berichten, welche Wege zur erfolgreichen Bewältigung der Krise geführt haben. Das Kommunikationshandbuch – Nachschlagwerk für die Krise Das Krisenkommunikationshandbuch ist Teil des Notfallhandbuchs. Das Notfallhandbuch deckt alle Aspekte der Krisenbewältigung ab. Es kann für jede potenziell von einer Krise betroffene Fachabteilung mit einem entsprechenden Kapitel ergänzt werden. Zusätzlich sollte das Notfallhandbuch weitere Unterlagen umfassen, die eher dem allgemeinen Krisenmanagement einer Organisation zuzuordnen sind. Das Krisenkommunikationshandbuch umfasst zum Beispiel folgende Elemente: Definition einer Krise Definition von Zuständigkeiten Mitgliedslisten der Krisenstäbe mit allen Kontaktdaten inklusive privater E-Mail-Adressen und privater Telefonnummern Beschreibung der Aufgaben der Gremien Definition der Prozesse Definition aller in der Krise genutzten Kommunikationskanäle (mit Zielgruppenzuordnung) Definition aller Kommunikationsinstrumente in der Krise Definition der Sprecher-Rollen Ablaufdiagramme (vom Feststellen der Krise bis zur Beendigung der Krise) Beschreibung der Kommunikationskultur Vorformulierte Dokumente Ratgeber und Vorlagen von staatlicher Seite Das Bundesamt für Sicherheit in der Informationstechnik (BSI) empfiehlt schon lange die Erstellung eines Notfallhandbuchs und gibt auch konkrete Tipps, was so ein Handbuch alles enthalten sollte.   Die Krisenkommunikation sollte immer ein Teil eines Notfallhandbuch sein. Es hilft auch nichts, wenn ein Unternehmen technisch gerettet ist, aber die Kunden und Partner mangels Kommunikation weglaufen. Erfahrungsgemäß muss ein Handbuch zur Krisenkommunikation immer in einem Prozess mit Geschäftsführung, Kommunikationsabteilung, IT-Abteilung, Sicherheits-Experten und betroffenen Fachabteilungen eines Unternehmens erarbeitet werden. Alle Jahre wieder – der Praxistest Wie eine Brandschutzübung wird auch die Krisenkommunikation, die durch eine Cyberattacke ausgelöst wurde, jährlich geübt. Sie beginnt mit der Ausrufung der Krise bis zum Abschlussbericht. Damit wird überprüft, ob Maßnahmen funktionieren, Gremien arbeitsfähig sind, die Prozesse wie gewünscht ablaufen und die Vorlagen tauglich sind.(jm) Lesetipp: So geht Tabletop Exercise

Web infrastructure provider Vercel has disclosed a security breach that allows bad actors to gain unauthorized access to "certain" internal Vercel systems. The incident stemmed from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, that was used by an employee at the company. "The attacker used that access to take over the employee's Vercel Google Workspace account,

In 2024, compromised service accounts and forgotten API keys were behind 68% of cloud breaches. Not phishing. Not weak passwords. Unmanaged non-human identities that nobody was watching. For every employee in your org, there are 40 to 50 automated credentials: service accounts, API tokens, AI agent connections, and OAuth grants. When projects end or employees leave, most

Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed Western intelligence agencies for a $13.74 million hack. The exchange said it fell victim to what it described as a large-scale cyber attack that bore hallmarks of foreign intelligence agency involvement. This attack led to the theft of over 1

Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting

Maintainers of Thymeleaf, a widely used template engine for Java web applications, fixed a rare critical vulnerability that allows unauthenticated attackers to execute malicious code on servers. The vulnerability, tracked as CVE-2026-40478, is rated 9.1 on the CVSS severity scale and is described as a Server-Side Template Injection (SSTI) issue. Thymeleaf has a sandbox-like protection that prevents user input from executing dangerous expressions, but this flaw allows attackers to bypass those protections. “Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions,” the developers said in their advisory. “If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library’s protections to achieve Server-Side Template Injection (SSTI).” Thymeleaf is the de facto template engine in the Java Spring ecosystem and Spring is the most popular framework for developing web applications in Java. Since Java is still widely used for development in enterprise environments, this vulnerability has the potential to impact numerous business applications. All Thymeleaf versions before 3.1.4.RELEASE are affected and no work-around exists. Companies are advised to identify which of their applications use Thymeleaf and upgrade to 3.1.4.RELEASE as soon as possible. Straightforward exploitation According to researchers from application security testing firm Endor Labs, exploitation is straightforward with no special privileges or conditions required. Attackers just need to control input that reaches Thymeleaf’s expression engine, which is a common pattern in web applications. Endor Labs notes in their report that Thymeleaf has defense-in-depth layers to block dangerous expressions and in this case two of them failed. For example, a string check scanned the expression text for dangerous patterns, such as the new keyword followed by an ASCII space, T (Spring Expression Language type references) and @ (SpEL bean references in some code paths). However, the check only looked for ASCII space 0x20 characters, but the SpEL’s parser also accepts tab (0x09), newline (0x0A), and other control characters between new and the class name. Another policy blocked classes that start with java.* from being used inside T() type references, but did not block types from org.springframework.*, ognl.*, or javax.*. “Since typical Spring applications have spring-core on the classpath, classes like org.springframework.core.io.FileSystemResource were freely constructable, and that class can create arbitrary files on disk,” the researchers said. As such, Endor Labs was able to easily build a proof-of-concept exploit by combining the two: use a tab character after new and calling the org.springframework.core.io.FileSystemResource class to create a file on disk. “With the right class, an attacker can escalate from file creation to full remote code execution, for example, instantiating a ProcessBuilder wrapper from a third-party library, or leveraging Spring’s own GenericApplicationContext to register and invoke arbitrary beans,” the researchers explained. Vulnerabilities in the Java Spring Framework itself have been exploited in the past to compromise web servers, so it’s likely that an easy-to-exploit flaw such as this one will be quickly adopted by attackers.

Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders. The post Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) appeared first on Unit 42.

Cisco admins are scrambling to patch a critical flash memory overflow vulnerability in over 200 Cisco Systems IOS XE-based models of wireless access points (APs), caused by a recent flawed software update. If the issue is not corrected quickly, the AP’s memory will become so flooded that new software updates will be blocked and the AP rendered insecure, or possibly even bricked. The problematic library update causes a specific log file in the flash memory of affected access points to grow by about 5MB a day. Over time, Cisco said in an advisory this week, this could consume “a big portion” of the available memory space. “The longer an AP runs the affected software, the higher the probability that a software download will fail due to insufficient space,” the advisory says. Analyst Rob Enderle of the Enderle Group said that ‘buggy logs’ are a common trope in networking. But, he added, “this particular case is dangerous because it targets the physical limitations of flash memory on hardware that is notoriously difficult to access once it becomes bricked or enters a boot loop. In the world of networking, this is a high-impact, medium-rarity event.” He explained, “what makes this unique is the Catch-22 it creates. To fix the bug, you must upgrade the software. However, the bug itself prevents the device from having enough space to download the fix. If an admin waits too long, the device may require manual, physical intervention or become permanently stuck in a boot loop.” Johannes Ullrich, dean of research at the SANS Institute, called this particular problem uncommon, although he acknowledged flash memory space in IoT devices like access points is limited and may fill up from time to time. “But,” he added, “there is a bigger issue: A competent [vendor] vulnerability management program must always include verification that the patch was indeed applied as expected. There are many reasons why a patch may not be applied correctly, and this is just one way a patch may fail to apply.” Kellman Meghu, CTO of incident response firm DeepCove Cybersecurity, said overflowing a fixed device’s memory due to a bug “would have me rather annoyed with this vendor. This is very rare in my experience, and something that was an issue way back when storage costs were a factor. I would expect my vendor to be able to clean and manage storage for fixed devices. If this device is supported, this would be an RMA [return merchandise authorization] or fix issue, and expectation [for vendor action] would be right away/proactive.” [Related content: Cisco Webex SSO flaw] Affected are access points running IOS XE versions 17.12.4, 17.12.5, 17.12.6, and 17.12.6a. These include Cisco Catalyst 9130AX series APs, as well as 9130AX models with a Stadium Antenna, Catalyst 91361, 91621, 9163E, 91641, 9166D1, and IW9167 series APs, and Wi-Fi 6 Outdoor APs, There are two ways for admins to solve the problem: Download a Cisco tool called WLANPoller, which automates execution of a fix across multiple APs, or manually use the show boot command on each device to look into the boot partition and see if it has enough space for an upgrade. Greater detail on the necessary action is in the Cisco advisory. Cisco says a mandatory precheck of an AP’s status should be run as close to the scheduled maintenance window as possible. But because the affected log file grows daily, Enderle said, “you sure don’t want to wait until [AP] failure.”  Manual fixing will probably take 5-10 minutes of active work per AP, he cautioned, plus another 15-20 minutes soak time to make sure the fix takes if the AP does have room for the upgrade. But if the AP has space problems, the time per device could jump to around 20-45 minutes. And if the AP has failed, then it would take one to two hours to fix, he added, and would need physical access to the device. Using WLANPoller will make the process faster, he added. Enderle said that if an admin finds an AP whose flash memory is already too full to upgrade, a reboot sometimes clears temporary buffers or allows a small window for a manual transfer. However, with this specific log bug, a reboot may not be enough if the file is persistent. Admins should contact Cisco for the emergency cleanup script before attempting a mass push, he said. Ultimately, Enderle said, the pushing of a flawed update is a supply chain integrity issue. CSOs should ask their teams, ‘Do we have monitoring in place for hardware health metrics (CPU, RAM, Flash), or only for ‘Up/Down’ status?’ An AP that is Up but has 0MB of free flash memory is a liability, he said. CSOs should look at this vulnerability as a Critical Availability Risk, he added. “While it isn’t a data breach, the potential for a site-wide Wi-Fi outage (due to failed automated updates or boot loops) can halt business operations,” he noted, adding that CSOs should also enforce a policy where even “minor library updates” are still tested in a lab environment for seven to 14 days. “This 5MB/day log growth would likely have been caught in a lab before hitting a production fleet of 5,000 APs,” Enderle said. This article originally appeared on NetworkWorld.

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (

The US government is preparing to authorize a version of Anthropic’s Claude Mythos model for use by major US federal agencies, amid concerns that the AI model could rapidly spot cybersecurity vulnerabilities and offer the ability to exploit them. Federal Chief Information Officer Gregory Barbaccia at the White House Office of Management and Budget (OMB) told officials at Cabinet departments on Tuesday that the OMB was setting up protections to allow federal agencies to begin using the model, reported Bloomberg, citing an internal memo. The memo did not commit specific agencies to deployment or provide a timeline, the report said. “We’re working closely with model providers, other industry partners, and the intelligence community to ensure the appropriate guardrails and safeguards are in place before potentially releasing a modified version of the model to agencies,” Barbaccia wrote in the email, according to the report. The OMB move comes while the Department of Defense’s supply-chain risk designation against Anthropic, issued on March 3, remains in force. The D.C. Circuit refused to stay the designation on April 8, keeping Anthropic barred from defense contracts while civilian agencies are now being positioned for access. The White House and Anthropic did not immediately respond to requests for comment. Defining the guardrails The memo’s reference to a modified version of the model points to open questions about what agency deployment would actually look like. Anthropic announced Claude Mythos Preview on April 7 under Project Glasswing, a controlled-access program for select technology and financial organizations. The company then said the model identified thousands of zero-day vulnerabilities across every major operating system and browser in internal testing and stated it did not plan to make the model generally available. “For a federal deployment to be defensible, the modifications must cover specific assurance dimensions,” said Neil Shah, VP for research and partner at Counterpoint Research. “The software code base being scanned should remain sovereign within an isolated and air-gapped environment, and the data should not be used to retrain the base model.” Additional steps could include transparency requirements and human-in-the-loop review before any bug fix is applied, he said, to make the deployment more controlled. Enterprise implications Those same assurance questions translate directly to enterprise procurement. The OMB move signals that federal cyber defense is pivoting toward frontier models that can find vulnerabilities faster than human teams can patch them, and the rift between the Pentagon and the White House carries a lesson for private-sector buyers, Shah said. “The rift between the two government entities is a lesson on how important it is to control the deployment of potent AI capabilities which could be misused,” he said, calling for a multi-layered control framework spanning discovery, classification, security, assurance, and action. The asymmetry extends beyond US borders. European agencies have largely been blocked out of early access, with only the UK AI Security Institute granted the ability to test the model. If the OMB authorization proceeds on the terms Barbaccia described, defensive AI capability inside the US federal government would advance ahead of European counterparts, while the Pentagon designation against the same vendor continues to move through the courts. A civilian workaround to the Pentagon ban The modified version approach is how Anthropic is navigating around the Pentagon position without losing control of the model, Shah said. “The Anthropic modified version thereby circumvents the Pentagon’s black and white approach and helps other entities adopt the model as a security enclave for civilian and enterprise sovereignty with agreed-upon guardrails,” Shah said. He added that the arrangement sets a precedent for Anthropic’s future adoption across other government entities and enterprises. Federal access to Anthropic has been in flux for weeks. A US District Court in California granted Anthropic a preliminary injunction on March 26 against a parallel civilian designation, a ruling that gave contractors breathing room to reassess AI supply chains. Anthropic is now simultaneously blacklisted from military procurement, enjoined from removal across civilian systems, and under discussion for expanded access through OMB. Contractors face operational difficulty identifying where specific AI models sit inside their stacks, a challenge that has reshaped supply-chain risk across federal AI deployments.

Days after Microsoft patched a high-severity issue affecting its Windows Defender antivirus tool through April’s Patch Tuesday, researchers warn of another vulnerability that could enable SYSTEM privileges through local escalation. In a newly disclosed proof-of-concept (PoC) exploit, dubbed “RedSun,” GitHub user going by the name “Nightmare Eclipse” demonstrated how Microsoft Defender’s handling of certain cloud-tagged files can be abused to overwrite protected system files and escalate privileges. “When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location,” Eclipse wrote in the PoC repository description. The PoC exploit impacts Windows 10 and Windows 11 systems running Microsoft Defender, specifically builds with cloud files features enabled. Antivirus rewrites the threat The RedSun PoC highlights a counterintuitive behavior. Defender’s remediation process may restore a flagged file under certain conditions. Specifically, files tagged with cloud metadata (such as those used by OneDrive and similar services) trigger a different handling path inside the antivirus engine. Rather than permanently removing the malicious file, Defender attempts to restore it to its original source, rewriting the file back to disk. The PoC exploits this mechanism to, during the rewrite process, manipulate the file contents or destination. If an attacker can control the timing and location of the rewrite, they can replace legitimate system binaries or configuration files with malicious payloads. RedSun demonstrated this exploit to gain SYSTEM-level privileges. Will Dormann from Infosec Exchange verified the PoC using the Cloud Files API. “This works ~100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server 2019+ with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled,” he said. “Any system that has cldapi.dll should be affected.” Dormann used the Cloud Files API to introduce a specially crafted file, followed by “oplock“ to control file access timing. From there, the exploit leverages Volume Shadow Copy race conditions and directory junctions/reparse points to redirect where Defender writes the file. Second Defender-based LPE in days The Defender flaw addressed earlier this week as part of Patch Tuesday was one of the two zero-day bugs Microsoft fixed, and it also allowed local privilege escalation stemming from “insufficient granularity of access control.” While Microsoft attributed the discovery of the flaw, tracked as CVE-2026-33825, to security researcher Zen Dodd, the flaw already had a PoC exploit, “BlueHammer,” available before it was even fixed. It came from “Chaotic Eclipse,” an alias used by Nightmare Eclipse on other publishing platforms. The flaw received a high-severity rating of 7.8 out of 10. Eclipse has some disagreements with how Microsoft handled the disclosure of CVE-2026-33825. While it is unknown if “RedSun” was reported to Microsoft before disclosure, the PoC still sits unaddressed.Microsoft did not immediately respond to CSO’s requests for comments. Dormann confirmed that the exploit is being detected on VirusTotal, but relies heavily on a test file signature (EICAR), which can be handled to some extent with string encryption. “Defender (Microsoft)  currently doesn’t detect the exploit in either case,” he noted.

In two decades, Palo Alto Networks has evolved from a next-generation niche player to one of the largest global cybersecurity giants today. Under its mantra of “platformization,” the company has catapulted its revenues over its closest competitors and boosted its stock valuation to over $130 billion. No stranger to AI use in cybersecurity, Palo Alto recently announced its participation in Project Glasswing, an AI-based vulnerability-discovery initiative led by Anthropic that many are viewing as a structural shift for the cyber industry. The initiative, which includes 10 other major technology companies as coalition partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, and Microsoft, aims to leverage Anthropic’s Claude Mythos to improve the security of the software that underpins much of the world’s technical infrastructure. It is in this context that Computerworld Spain spoke with Helmut Reisinger, CEO of Palo Alto Networks for EMEA, in Madrid at the company’s Ignite event on April 14. The interview was conducted in Spanish, a language that the multilingual Austrian executive and PhD holder speaks fluently. Following are excerpts from that interview, edited for length and clarity. Computerworld Spain: Let’s start with the recent announcement of Palo Alto’s participation in the exclusive Mythos project, which few companies have access to due to the power of this technology and the risk of it falling into the wrong hands. Or is this just a marketing strategy? Helmut Reisinger: Indeed, this is a restricted release that only a few companies can access for vulnerability testing. We’ve witnessed firsthand how this pioneering model represents a radical shift. With it, we’ve detected zero-day vulnerabilities in an unprecedented number of operating systems and browsers. And it’s capable of turning most of these vulnerabilities into working exploits, with all the risks that entails. For now, we can’t say much more. We’re currently working on providing more information through a blog. In any case, the important thing is the context in which this is happening. On the democratization of AI. Yes. At Palo Alto, we’ve been using AI to improve cybersecurity for a long time. Back in 2014, we integrated machine learning technology into our systems, initially just firewalls. But we also develop cybersecurity solutions specifically for AI. The major challenge today is that, according to a Stanford University report, only 6% of AI deployments are implemented with appropriate cybersecurity. And this is happening in the age of agents, where for every human identity there are approximately 80 machine identities, and even more if we include agents. That’s why, thanks to our acquisition of Protect AI, a company founded by Ian Swanson, formerly head of AI at Amazon, we’ve launched a security solution for AI deployments, language models, and agents. This is just one of several purchases Palo Alto has made recently, correct? Yes, we just closed the deal [in February] with CyberArk, a leader in identity security. At Palo Alto, we’re convinced that AI and identity are two worlds that must go hand in hand, especially now in the era of generative systems and agents. Another acquisition we recently completed, in January, and which falls within this context of addressing the current AI landscape, is that of Chronosphere, a leader in observability. Chronosphere is capable of managing and protecting massive volumes of AI-generated data at a lower cost — half the price — of other market players. This is an important acquisition because observability is essential in cybersecurity. And finally, we’ve acquired Koi, a deal I expect will close in a few days. Koi’s technology focuses on agentic endpoint security — protecting businesses from the risks of using AI agents and autonomous development tools operating on users’ devices. Koi’s technology will be integrated into our Cortex XDR platform to monitor what AI agents are doing on users’ computers and detect if they are being manipulated to execute malicious commands. I imagine effectively integrate all these companies presents significant challenges. That’s right, because many IT companies, when they make acquisitions, focus more on contractual than technological integrations, but that’s not our approach. Our strategy involves complete technological integrations, like Protect AI, which is now part of our network platform. This aligns with our commitment to platformization using a modular system. It’s clear that ‘platformization’ is the company’s mantra and a way to simplify life for customers, but doesn’t it also create greater dependencies, including vendor lock-in? Yes, we sometimes hear clients say they don’t want to put all their eggs in one basket. But that’s precisely why our strategy is modular, so the client can decide. It’s also true that all the clients who have experienced a massive data breach have opted for complete platformization. In fact, our founder [Nir Zuk] has always said that “everyone will switch to platforms as soon as they suffer a mega-breach.” The speed of platform adoption, therefore, will be determined by the client themselves, their business, their use cases, their existing contracts, and so on. We are also making efforts to reduce costs to encourage clients to migrate and simplify their platformization process. Furthermore, we mustn’t lose sight of the fact that the approach to cybersecurity must be comprehensive; it’s a global chain. Regarding cost, Palo Alto has a reputation for having powerful but expensive technology. What’s your opinion? Compared to the level of protection we provide our customers, our technology isn’t that expensive. On the other hand, the cost also reflects all the innovation included in our solutions. How do you see Palo Alto Networks’ major competitors, primarily Fortinet and CrowdStrike? The cybersecurity market is fragmented, but we lead it. That said, we have to win every single day. The current, highly turbulent geopolitical climate is having a significant impact on the cybersecurity field, as well as on customers’ IT purchasing decisions. Does being a US player in Europe affect Palo Alto? Are you seeing a shift among public sector clients toward more local options? CISOs with high levels of responsibility know very well that a wealth of telemetry data is essential for effective protection, and that’s why we aren’t seeing a decrease in demand. That’s the primary reason. Furthermore, each region and country has its own legal frameworks and regulations, which we fully respect. In fact, we were among the first companies in the world to sign the European AI Act and ensured we also obtained the corresponding national certifications. Our view on sovereignty is that we must find a balance between perfect sovereignty and zero sovereignty. When we talk about sovereignty, we can refer, for example, to hardware. Regarding this issue, we must accept the interdependence we have between different global markets; this happens, for example, in the field of chips. But if we talk about data sovereignty, this is something that can be easily achieved. We implement the Bring Your Own Key (BYOK) policy for many clients to ensure that the telemetry data sent by their devices is encrypted and protected. We are not interested in accessing the personal data our clients handle; we only use telemetry, application identity, user, and device data. It was precisely thanks to this type of analysis that we were able to discover the attempted intrusion using SolarWinds, although, as it occurred years ago [2020], it was carried out using machine learning tools. How is the current war in Iran affecting the threat landscape? This has many implications. Our Unit42 team recently published a report outlining how the joint military offensive launched by the United States and Israel activated the Iranian-aligned cyber ecosystem, creating a scenario of digital confrontation that transcends the region and combines hacktivism, political messaging campaigns, and pressure on critical infrastructure. In this regard, I want to bring up the issue of sovereignty again because what can a company do if its infrastructure is, for example, bombed? In other words, what does the concept of sovereignty mean in an emergency situation? We already have clients in the Middle East who are rethinking their sovereignty strategy because of this situation. Furthermore, as we saw earlier, we are talking about telemetry data, not other types of data. Ultimately, all of this shows that the concept of sovereignty is fluid. Returning to Europe, in less than two months Palo Alto will be opening new offices in Spain and, in addition, a ‘hub’, correct? Yes, we want to establish a center of excellence here. In Europe, in addition to Madrid, Palo Alto has large offices in London, Amsterdam, Paris, and Munich. From Madrid, Jordi Botifoll has been leading the business for 87 countries — not only in Southern Europe, but also in the Middle East, Africa, etc. — for the past three years. And what are your expectations for the new center of excellence? Why have you chosen Spain? Cybersecurity requires a lot of technological expertise, and Spain has very good engineers who can help our clients in case of emergency, both through our incident response unit, Unit 42, and through our partners, such as Telefónica Tech, Kyndryl, and Orange, because ours is a technology company, not a service company. How many employees do they have in Spain, and what will the number of employees be at the new center? I can’t break down local numbers, but overall, across the entire company, once the 4,000 CyberArk professionals are integrated, we’re already around 20,000 people worldwide. Our main development centers are in California and Israel, although we also have others in Poland and Lithuania. Looking ahead, significant challenges in information security are coming with the arrival of the post-quantum era. Yes, and we’re already preparing. We’ve launched Quantum Safe Security to help organizations get ready for the post-quantum era. Because the big question scientists and experts are asking now is when ‘Q Day’ will be, which might arrive sometime between 2029 and 2035. Furthermore, integrating CyberArk technology will help ensure that credentials used by machines cannot be compromised through quantum decryption. The cybersecurity of the future must be real-time, highly automated, and simple for customers, or what we call modular ‘platformization.’ Finally, what would you say is the biggest challenge for CISOs today? Shadow AI. We must prevent AI from suffering the same fate as other technologies in the past, creating what’s known as shadow IT. AI deployments must be accompanied by robust cybersecurity. And AI and identity management must go hand in hand. Another concern is the fragmentation of solutions. I was recently speaking with an executive at a large European bank who told me they have 60 different solutions; the gaps between these systems are a clear invitation to attack.

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not

An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of-service (DDoS) operations that were used by more than 75,000 cybercriminals. The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS-for-hire services, took down the technical infrastructure supporting them, and obtained access to