Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

New ChatGPT Settings Will Improve User Privacy and Data Training

Almost everyone has used ChatGPT now. Sometimes we share our personal information and files with the Chatbot.  Do not feed your personal inf...

All the recent news you need to know
Windows Vulnerabilities
AI cybersecurity Kernel Security MDASH AI Microsoft security Patch Tuesday Remote Code Execution Threat Detection Vulnerabilities and Exploits Windows Vulnerabilities

MDASH AI Helps Microsoft Detect 16 Critical Windows Security Flaws


 

The company has reported that the MDASH framework, developed internally by Microsoft for agentic artificial intelligence, was instrumental in identifying 16 security vulnerabilities affecting core Windows networking and authentication components, including four critical vulnerabilities that can be exploited remotely. 

According to the discovery, which was addressed during Patch Tuesday's security rollout of May 2026, autonomous AI systems are not limited to the generation of code in defensive cybersecurity engineering. In addition to analyzing complex software environments, tracing insecure logic paths, and identifying exploitable weaknesses before threats can weaponize them, these tools are increasingly being used to analyze complex software environments. 

Microsoft's Autonomous Code Security team developed MDASH, which is currently being tested by a select number of customers in a private preview program. MDASH is now actively supporting internal security engineering operations and is part of the company's wider effort to integrate AI-driven vulnerability research into enterprise-scale software assurance and development processes. 

The MDASH framework is at the core of this initiative. It is an internally developed framework that works independently of any single language model while coordinating specialized AI agents tailored to specific vulnerability classes, a framework that is uniquely engineered for this purpose. By utilizing a combination of frontier-scale and distilled AI models, the platform distributes tasks across more than 100 purpose-built agents instead of relying on a conventional one-model scanning architecture. 

Using the system, Taesoo Kim, Microsoft's vice president of agentic security, enables the detection of end-to-end vulnerabilities by autonomously identifying suspicious code behavior, challenging each other's findings, and independently validating exploitability before escalated results that are confirmed. MDASH is an analysis pipeline that consists of multiple stages. 

After ingesting source code, MDASH constructs an internal threat model and maps the attack surface, and then dedicated agents conduct audits to identify possible vulnerabilities such as insecure logic, memory corruption, authentication vulnerabilities, and other exploitable conditions. In addition to eliminating false positives, a secondary layer of "debater" agents also performs adversarial reasoning workflows to verify technical validity and eliminate false positives. 

As a result of the correlation between semantically similar findings, consolidating overlapped detections, and providing proof-based validation, the framework is able to demonstrate that vulnerabilities can be exploited practically. Using Microsoft's architecture, Microsoft says complex security analysis can be performed using state-of-the-art reasoning models, distilled models for large-scale validation tasks, and a high-capability, independent counteranalysis model. 


Through layered reviews, Microsoft hopes to improve detection accuracy and reliability across enterprise-scale codebases including Windows. In addition to the TCP/IP networking stack, IKEEXT IPsec, HTTP.sys, Netlogon, DNS resolution mechanisms, and the legacy Telnet client, MDASH uncovered a number of deeply embedded Windows components that were susceptible to remote attack surfaces. These vulnerabilities underscore how wide a range of attacks can be conducted on modern operating systems. 

According to Microsoft, ten of the identified vulnerabilities affect kernel-mode components and six affect user-mode services. Under realistic deployment scenarios, most of these vulnerabilities are remotely accessible without authentication. In total, four vulnerabilities were rated Critical, including CVE-2026-338277, an unauthenticated use-after-free issue in tcpip.sys, and CVE-2026-338248, a remotely exploitable double-free issue in the IKEv2 protocol over UDP port 500. 

It is reported that MDASH demonstrated unusually high precision during validation exercises, in that all 21 intentionally seeded vulnerabilities were detected without generating false positives during internal testing. It was further stated by Microsoft that the framework recalled 96 percent of the five years of confirmed cases of the Microsoft Security Response Center for CLFS.sys and covered tcpip.sys in full, as well as scoring 88.45 percent on the CyberGym benchmark containing 1,507 real-world vulnerabilities, which is the highest score in the industry. 

The broader research initiative continues to be closely tied to Microsoft's offensive and defensive security engineering ecosystems. Currently, the platform is deployed across Microsoft's engineering environments and is currently being evaluated by limited customers through a private preview program. A team led by Autonomous Code Security worked in collaboration with Windows Attack Research and Protection specialists who specialized in advanced offensive Windows research to spearhead development efforts. 

A number of researchers involved in this project previously served as members of Team Atlanta, the team recognized for winning the DARPA AI Cyber Challenge using a system for discovering and patching vulnerabilities autonomously. The company stated that the implementation of autonomous auditing at an enterprise level can pose unique operational difficulties due to the proprietary nature of the Windows codebase and the absence of public training datasets. 

In addition, low-tolerance production environments prevent inaccurate detections from occurring. These constraints can be addressed by MDASH by providing extensible plugins capable of injecting highly specialized contextual knowledge into the analysis pipeline. These include kernel calling conventions, synchronization rules, interprocess communication trust boundaries, and file-system structures that are not reliably inferred by general-purpose models. 

A particular extension, developed for the Common Log File System (CLFS), generates triggering log artifacts from candidate findings automatically, allowing the framework to go beyond theoretical detection and provide proof-based vulnerability validation that engineering teams can use to remedy vulnerabilities directly. 

Using CVE-2026-33827 as an example of advanced flaws that conventional single-model AI systems routinely fail to identify, Microsoft highlighted that vulnerability. In order to address this vulnerability, Microsoft implemented a strict source and record route processing process that improperly managed a reference-counted Path object during the Windows IPv4 receive path.

It is possible that the affected function reused the same pointer under alternate execution flow conditions after releasing its owned reference through a dereference operation, therefore causing a race-driven use-after-free scenario in kernel memory. 

Due to the fact that the vulnerable code path processes attacker-controlled packet metadata and executes within an elevated networking context, a remote attacker could potentially exploit this flaw by sending specially crafted IPv4 packets containing SSRR options to their hosts. A Microsoft representative explained that the problem became significantly more dangerous as a result of the concurrency behavior of multiple independent cleanup subsystems that were capable of reclaiming the object before further reuse. 

According to the company, single-model artificial intelligence systems often fail to detect such vulnerabilities since ownership violations are not readily apparent locally and are instead dependent on correlating reference semantics, branching conditions, concurrency interactions, and analogous patterns spread across distinct code paths to determine the violation. 

The MDASH system was reported to have successfully analyzed the behavior of objects during their lifetimes, compared implementation inconsistencies elsewhere in the codebase, and assembled a coherent exploitation chain by using staged reasoning and adversarial verification through specialized agents. During Patch Tuesday in April 2026, the flaw was addressed. 

Furthermore, Microsoft disclosed CVE-2026-33824, a critical double-free vulnerability affecting IKEEXT, a key exchange service for IPsec authentication. Remotely accessible via UDP port 500, the vulnerability is capable of triggering against systems configured as IKEv2 responders, such as RRAS VPNs, DirectAccesss, Always-On VPNs, and hosts with IPsec security policies that govern inbound connections. There was a vulnerability caused by an ownership handling error during fragment reassembly, which caused a packet receive context to be duplicated by using shallow memory copy operations. 

A deterministic heap corruption condition was created within the LocalSystem svchost.exe process when teardown routines released the same memory region twice, resulting in reference to and assumption of ownership of the same heap allocation linked to a security realm identifier controlled by an attacker.

The vulnerability is particularly severe from a defensive perspective, as it only requires two crafted UDP packets without race conditions or precise timing requirements, making exploitation particularly easy. During analysis of the codebase, the company identified that the flaw extended across six separate source files, and that the vulnerability was triggered by subtle differences between ownership handling patterns that were incorrect and correctly implemented elsewhere.

Microsoft has stated that multiple file aliasing and lifecycle vulnerabilities are routinely evaded by conventional automated analysis because a single execution context does not expose the entire exploitation chain at once. MDASH's multi-agent debate and verification architecture is specifically credited for identifying those fragmented relationships and confirming the exploit path before publication. 

The issue was also patched as part of April 2026 Patch Tuesday. There is a notable shift in how large-scale software security auditing will evolve in enterprise environments with the emergence of MDASH. Modern operating systems are becoming increasingly complex and difficult to assess through traditional manual methods alone.

The Microsoft AI platform combines autonomous reasoning, adversarial validation, and exploit-focused analysis in a coordinated multi-agent framework, enabling AI to not merely serve as a productivity tool, but also to provide an operational security layer capable of detecting deeply buried vulnerabilities within critical infrastructure code. 

A growing number of threat actors are leveraging automation in offensive campaigns, and the company’s latest findings suggest that defensive research may become increasingly dependent on AI-driven systems capable of identifying exploitable weaknesses before they become operational.
Read more »
Public Sector Banks
AI Threat Cyber Security Indian Banks Public Sector Banks

Indian Banks Step Up IT Spending Over AI Security Fears

 

Public sector banks are preparing to spend more on technology because a new wave of AI-driven cyber risk is making their existing systems look vulnerable. The main concern is Anthropic’s Claude Mythos, which has raised alarms for its ability to identify software weaknesses and potentially help attackers exploit them. 

Indian banks are being pushed to treat IT spending as a survival need, not just an operating cost. Senior bank executives have said they will raise budgets this financial year, with a large share going into cybersecurity, stronger defenses, and monitoring tools to reduce exposure to attacks. 

The issue is especially serious because banks depend on legacy systems that run critical operations in real time. One successful breach can ripple across payments, forex, clearing, depositories, and other linked financial networks, making the whole sector more exposed than a single institution might appear on its own.

The concern grew after Anthropic’s tests suggested Mythos could perform advanced cybersecurity and hacking-related tasks at a level that outpaced humans in some cases. Reports also noted that the model found thousands of high-severity vulnerabilities, which made regulators and bank leaders worry that similar tools could shorten the time between discovering a flaw and weaponizing it. 

In response, the government formed a panel under SBI Chairman C S Setty to study the risks and recommend safeguards. Finance Minister Nirmala Sitharaman has also urged banks to take pre-emptive measures, while institutions are expected to coordinate in the coming weeks to identify weak points and decide where additional investment is needed.
Read more »
telecom systems
5G Network Cyber Warfare Cybersecurity Mobile Security sim SIMjacking telecom systems

How Telecom Systems Were Used to Secretly Track Mobile Users Worldwide

A new investigation by the digital rights research group Citizen Lab has revealed how weaknesses inside global telecom infrastructure were allegedly exploited to secretly monitor mobile phone users in more than ten countries over the past three years.

The findings, reviewed by Haaretz, highlight how parts of the global mobile network system, originally developed decades before smartphones existed, continue to expose users to modern surveillance risks despite the arrival of 4G and 5G technologies.

According to the report, researchers uncovered two separate surveillance operations that appear to be linked to commercial spyware and cyber intelligence vendors selling tracking capabilities to government clients worldwide. One of the operations reportedly used telecom infrastructure connected to Israeli providers 019Mobile and Partner Communications, although both companies denied involvement.

Researchers say the operations relied on weaknesses in SS7, an older telecom signaling protocol used globally to route phone calls, text messages, and roaming traffic between mobile operators. SS7 was designed during a period when telecom networks trusted one another by default, long before today’s cybersecurity threats emerged. Security experts have warned for years that attackers can abuse the protocol to monitor phone activity, intercept communications, or identify a user’s location.

The report states that some surveillance firms were able to impersonate legitimate mobile carriers and gain access to these legacy telecom systems in order to track users internationally. A second operation was reportedly linked to Fink Telecom Services, a Swiss company previously named in a 2023 investigation by Haaretz and Lighthouse Reports involving telecom surveillance services supplied to cyber intelligence vendors, including Rayzone.

Last week, British regulators reportedly moved to ban similar telecom signaling abuse practices, describing them as a major source of malicious activity affecting mobile networks. However, the new findings suggest that even newer systems built for 4G and 5G communications are vulnerable to similar exploitation.

One example highlighted in the report is Diameter, a signaling protocol widely used in 4G roaming and many 5G environments to manage subscriber connectivity and authentication. Although Diameter was introduced with stronger security protections than SS7, researchers found that attackers are still capable of abusing the system to conduct tracking operations.

In the first campaign identified by Citizen Lab, researchers documented more than 500 location-tracking attempts between November 2022 and 2025 across countries including Thailand, Bangladesh, Norway, Malaysia, South Africa, and several African nations. The investigation reportedly began after researchers observed a Middle Eastern businessman being repeatedly tracked over a four-hour period through international telecom queries.

Citizen Lab found that telecom identifiers associated with 019Mobile were used to send location-tracking requests through infrastructure connected to Partner Communications, which supports 019Mobile’s services. Another network route reportedly passed through Exelera Telecom, a communications and cloud services provider that also manages international fiber-optic infrastructure. Exelera did not publicly respond to requests for comment.

019Mobile’s head of security denied involvement and stated that the company operates as a virtual provider using another carrier’s infrastructure rather than maintaining its own roaming agreements. Researchers noted that attackers may have forged the company’s telecom identity to access the network.

Although Citizen Lab did not publicly identify the companies behind the operations, the report referenced several possible actors, including Cognyte. Internal files reviewed by Haaretz reportedly showed that Cognyte’s former parent company, Verint Systems, sold an SS7-based tracking product called SkyLock to a government customer in the Democratic Republic of Congo.

According to the report, SkyLock could reportedly locate mobile devices globally by exploiting telecom roaming systems. The documents also pointed to commercial relationships with telecom operators in Thailand, Malaysia, Indonesia, Vietnam, and Congo, several of which overlap with countries mentioned in the surveillance campaign.

Researchers also uncovered a more advanced surveillance method known as SIMjacking. The technique exploits vulnerabilities inside SIM cards by sending hidden binary text messages containing secret instructions. Once received, the SIM card can silently transmit the device’s location back to the attacker without displaying any visible warning or notification to the user.

Citizen Lab identified more than 15,700 suspected SIMjacking-related tracking attempts since late 2022. Researchers noted that when Haaretz and Lighthouse Reports first exposed Fink Telecom Services in 2023, the company had not yet been linked to the SIMjacking technique.

Cybersecurity experts warn that these attacks are especially concerning because they target weaknesses within telecom infrastructure itself rather than requiring malware installation or phishing attacks on individual devices. Researchers also cautioned that many telecom providers continue operating old and new signaling systems together, creating additional opportunities for attackers to bypass modern protections.

Fink Telecom Services, Exelera Telecom, Verint, and Cognyte did not publicly respond to the allegations referenced in the report. Partner Communications stated that it had no connection to the incident and rejected attempts to associate the company with the activity described by researchers.

Read more »
location tracking
Bluetooth Bluetooth exploits Bluetooth Flaw Cyber Police Cyber Privacy Cyber Security cybersecurity risks location tracking

Axon Police Taser and Body Camera Bluetooth Flaw Raises Officer Tracking Concerns

 

Australian police may unknowingly be exposing their live locations through Bluetooth-enabled devices made by Axon. Researchers discovered that body cameras and tasers used across the country broadcast signals without modern privacy protections, potentially allowing anyone nearby to detect and track officers in real time. 

Unlike smartphones that randomize Bluetooth MAC addresses to prevent tracking, Axon devices reportedly use static identifiers. This means simple apps or laptops can detect nearby police equipment and reveal device details, coordinates, and movement patterns. 

A security researcher demonstrated the issue in Melbourne using publicly available Android software capable of identifying Axon devices. Custom tools reportedly extended the tracking range to nearly 400 meters, raising concerns for undercover officers, tactical teams, and police returning home after shifts. 

Experts warn criminal groups could deploy low-cost Bluetooth scanners across neighborhoods to monitor police activity, detect raids, or map officer movement in real time. The flaw has reportedly been known since 2024, when warnings were sent to police agencies, ministers, federal authorities, and national security offices urging immediate action. 

Internal reviews within Victoria Police reportedly acknowledged the threat and recommended protections for covert units. However, after discussions with Axon, the issue was later downgraded internally. Victoria Police later stated there had been no confirmed cases of officers being tracked through the devices. Police agencies across New South Wales, Queensland, Western Australia, South Australia, Tasmania, the Northern Territory, and the Australian Federal Police were also informed of the vulnerability. 

Most declined to explain whether officers were warned or if safeguards had been introduced. Researchers believe the flaw stems from hardware design rather than software alone, making simple patches unlikely to fully resolve the problem. Fixing it may require redesigning core system components entirely. 

Axon has acknowledged on its security pages that its cameras emit detectable Bluetooth and Wi-Fi signals and advises customers to consider operational risks before deployment in sensitive situations. Critics argue these warnings remain buried in technical documentation instead of being clearly communicated to frontline officers. 

The issue highlights growing concerns about modern policing’s dependence on connected technology. As law enforcement increasingly relies on wireless devices, AI systems, and cloud-based tools, small cybersecurity flaws can quickly become serious operational and physical safety risks.
Read more »
Telegram
Application Apps Crypto Crypto scams Cyber Crime Scam Telegram

Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams

 

Cybersecurity experts found a large-scale fraud campaign that used Telegram’s Mini App feature to launch crypto attacks, mimic famous brands and spread Android malware. 

FEMITBOT malware 


Research by CTM360 has dubbed the platform as FEMITBOT, it is based on a string present in API responses and uses Telegram bots and integrated Mini Apps to make believable, app-like experiences directly inside the messaging platform.

These Mini Apps are lightweight web apps that run within Telegram’s built-in browser, allowing services like payments, interactive tools, and account access without needing users to leave the application. Exploiting Telegram Mini apps

The FEMITBOT platform is used for various scams such as financial frauds, AI tools, streaming sites, and fake cryptocurrency platforms.

In a few campaigns, hackers imitated famous brands to boost engagement and credibility, while having the same backend infrastructure with multiple Telegram bots and different domains.

Brands impersonated


Brands copied in this campaign are Disny, eBay, YouKu, NVIDIA, Moon Pay, Apple, and Coco-Cola. The campaign used a common backend, different phishing domains used the same API response: “Welcome to join the FEMITBOT platform," indicating they are all using the same infrastructure.

Telegram bots compromised


Campaign used Telegram bots to show phishing websites directly inside the social media site. Once a user interacts with a Telegram bot and opens “Start,” the bot starts a Mini App that shows a phishing page inside Telegram’s default WebView. The user is tricked into thinking it's part of the application itself.

Tricking users via phishing tactics


After entering the system, targets are displayed dashboards with fake balances with fake countdown timers or limited-time offers to bait users.

When a user tries to take money, they are asked to make a deposit or do referral work. This is a general tactic in advanced-fee scams and investments.

The infrastructure is built to be used across multiple campaigns so that hackers can easily switch among brands, themes, and languages. The campaigns also use tracking scripts like TikTok and Meta tracking pixels, to trace users’ activity, optimize performance, and measure interactions.

Malware distribution via mini apps


Additionally, some Mini Apps tried to spread malware by posing as companies like the BBC, NVIDIA, CineTV, Coreweave, and Claro in Android APKs.

“Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics. This reflects a shift toward scalable, marketing-like fraud operations designed to maximize user conversion and financial gain,” the report said.
Read more »
Vulnerabilities and Exploits
Cybersecurity Exim security flaw Exim vulnerability remote code execution Vulnerabilities and Exploits

Critical Exim Flaw Exposes Email Servers to Remote Code Execution Risk

 

A newly discovered security vulnerability in the widely used mail transfer agent Exim has raised serious concerns among cybersecurity experts, as attackers could exploit the flaw to potentially execute malicious code remotely on vulnerable email servers.

According to researchers, the vulnerability occurs due to improper memory handling during the TLS session shutdown process. The issue specifically affects Exim installations using GnuTLS configurations.

“This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”

Security experts confirmed that all Exim versions starting from 4.97 through 4.99.2 are vulnerable. However, systems relying on OpenSSL or other TLS libraries are not affected, as the flaw only impacts builds compiled with USE_GNUTLS=yes.

The vulnerability was identified by Federico Kirschbaum, Head of Security Lab at XBOW, an autonomous cybersecurity testing platform, who reported the issue on May 1, 2026.

“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region,” Kirschbaum said. “That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives.”

XBOW described the flaw as one of the most severe vulnerabilities uncovered in Exim in recent years, noting that attackers require minimal server-side configuration to trigger the exploit successfully.

To address the issue, Exim developers released version 4.99.3 and urged administrators to upgrade immediately. The developers also clarified that no temporary workaround or mitigation is currently available.

“The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used,” Exim noted.

This is not the first major security concern involving Exim. Back in 2017, the platform fixed another critical use-after-free vulnerability, tracked as CVE-2017-16943, which allowed unauthenticated attackers to execute remote code using specially crafted BDAT commands and potentially take control of email servers.
Read more »
Subscribe to: Posts (Atom)

Featured