Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Researchers Show How Android Notifications Could Be Used to Manipulate Google Gemini

  Security researchers have disclosed a now-remediated flaw that could have allowed specially crafted notifications from common messaging an...

All the recent news you need to know
Ethical Hacking
AI cybersecurity AI Hacking AI Systems AI Tool AI-powered hacking Cyber Security ethical AI Ethical Hacking

AI Cybersecurity Tools Raise Questions About the Future of Ethical Hacking Competitions

 

Surprisingly, artificial intelligence is changing cybersecurity faster than expected. Some elite ethical hackers now wonder whether human-driven hacking contests will stay relevant much longer. Momentum built around this idea when someone prominent at Pwn2Own this year pointed to advanced AI systems possibly surpassing numerous expert analysts. Performance gaps might widen as these tools grow stronger. 

Among those who took part in Berlin’s yearly Pwn2own contest, Valentina Palmiotti stood out - not just by name but by result. Though many go by handles online, she competes under the tag “Chompie,” a nickname familiar across security circles. Success came her way more than others’, marking her top among solo entrants. Instead of waiting for flaws to be misused, the event encourages finding hidden bugs first. Rewards follow when researchers expose weaknesses in digital tools that were not yet public knowledge. 

This year’s competition handed out close to $1..3 million for spotting 47 previously unknown weaknesses in various software and systems. Because researchers shared the details with makers first, fixes arrived ahead of potential exploitation. Midway through the event, Chompie exposed weaknesses across several platforms - some tied to Nvidia - securing significant rewards. Her method? Endless stretches of probing flaws, something she laughed about calling "zombie hacker mode," where nights blurred into days thanks to sheer persistence and concentration. 

Though today's AI tools speed up code analysis and threat detection, Chompie sees a shift on the horizon. Her view: present systems boost efficiency, yet future versions may make several classic roles obsolete. What now requires teams might soon run on smarter algorithms alone. Nowhere has scrutiny been more intense than around Claude Mythos, a powerful AI said to detect vast quantities of software weaknesses. The creators state it has uncovered countless security issues spanning many applications. Because of risks tied to abuse, only certain government bodies and cyber defense groups are allowed to use it. Access remains tightly controlled amid ongoing debate. Some scientists see things differently. 

A top Pwn2-Owned champion, Orange Tsai of Taiwan, treats artificial intelligence as a helpful tool instead of a substitute for people's knowledge. Because it speeds up testing, new approaches get checked faster - this means more attacks can be studied quickly. Still, originality, gut instinct, and sideways leaps in logic stay within human reach only; these traits often spot flaws machines miss. Though tech advances, certain mental moves resist automation. 

Though artificial intelligence is advancing, hackers now employ automation more often to speed up tasks like scanning networks, crafting phishing messages, or building malicious software. Yet a large number of breaches continue depending on older methods - manipulating people or stealing login details - instead of exploiting cutting-edge flaws. 

Even with worries over automation, some specialists think artificial intelligence might boost digital defense by spotting flaws more quickly than hackers can act. Because systems evolve fast, teams protecting networks may rely on smart tools to stay ahead - provided those resources are used carefully and shared wisely.
Read more »
Malware attacks
Cyber Attacks GTA 6 GTA 6 Scams malware Malware attacks

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans

 

The excitement around Grand Theft Auto 6 is creating a fresh opportunity for online scammers and hackers. As users search for pre-order news, fake offers are beginning to appear across websites, social platforms, and shady download pages, all designed to steal money or personal data. Mashable reports that the hype has already become a magnet for criminal activity, especially as rumors about pre-orders spread and players rush to secure a copy early. 

One of the biggest dangers is the rise of fake pre-order listings. Cybercriminals are posting bogus sales pages that promise early access, special bonuses, or limited-edition copies, even though official pre-orders have not been widely launched yet. Some of these scams try to look legitimate by copying retailer branding or using familiar game-related language, but they often ask for payment details, email addresses, or account logins before any real product exists. 

Security researchers have also found more aggressive threats tied to GTA 6 enthusiasm. According to NordVPN-related reporting, attackers are using fake beta-test invitations, malware-laced installers, cloned Android apps, and phishing pages that imitate Rockstar Social Club login screens. In some cases, these files are not games at all but tools for stealing credentials, tracking victims, or pushing adware and subscription traps. That means the risk is not just losing money; it can also involve infected devices and compromised accounts. 

Safety tips 

The clearest defense is to wait for official announcements from Rockstar and major retailers such as PlayStation, Xbox, Best Buy, Walmart, Amazon, or the Rockstar Store before paying for anything. Third-party sellers claiming to have pre-orders, beta keys, or early access are a major red flag, especially if they ask for payment before Rockstar has confirmed availability. If a page offers a price that seems random, a download that sounds too early, or a “verification” step that leads to more forms or apps, it is best to leave immediately. 

For users, the best rule is simple: excitement should not replace caution. Check the source, avoid unofficial links, and never install files or enter passwords from unverified GTA 6 pages. Until the real pre-order window opens, patience is safer than chasing a deal that could end in theft, malware, or both.
Read more »
WannaCry ransomware
cybersecurity leaks EternalBlue NotPetya attack NSA hacking tools Shadow Brokers Vulnerabilities and Exploits WannaCry ransomware

Shadow Brokers Mystery Remains One of Cybersecurity’s Biggest Unsolved Cases

 

dThe world of cybersecurity has witnessed countless data breaches and hacking incidents over the years, many of which remain unresolved despite extensive investigations. While several notorious cybercriminal groups and state-backed hacking operations have eventually been exposed, some of the most significant cyber mysteries continue to puzzle experts.

Among these unsolved cases, few are as intriguing as the story of the Shadow Brokers — a mysterious online group that shocked the cybersecurity community by releasing a cache of advanced hacking tools allegedly linked to the U.S. National Security Agency (NSA) before disappearing without a trace.

The group first emerged in the summer of 2016, a period already marked by heightened attention on cyberattacks connected to the U.S. presidential election. Shadow Brokers appeared on Twitter and directed users to a Pastebin post, tagging several media organizations in the process. However, the unusual method of communication meant many of those outlets likely never noticed the messages.

Those who followed the link encountered a document titled “Equation Group Cyber Weapons Auction — Invitation,” referring to the Equation Group, a sophisticated cyber operation widely believed to be associated with the NSA.

In the announcement, the hackers wrote, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies’ cyber weapons?” They claimed to have breached the Equation Group and offered access to stolen cyber tools. The post included downloadable samples along with an encrypted archive that could supposedly be unlocked by the highest bidder.

Promoting the contents, the group stated, “Auction files better than Stuxnet,” referencing the malware deployed against Iranian nuclear facilities during a joint U.S.-Israeli cyber operation in 2007. The hackers demanded bids of at least one million Bitcoin.

The leak rapidly drew global attention. As cybersecurity experts examined the released tools, many concluded that the software was exceptionally advanced and likely originated from the NSA. This belief strengthened when researchers noticed similarities between the leaked tools and programs previously revealed through disclosures by former NSA contractor Edward Snowden.

Over time, it became apparent that the auction itself may never have been intended as a genuine sale. Months later, the Shadow Brokers publicly released many of the tools without receiving the requested payment. Their behavior often appeared contradictory. The group’s unusual and frequently broken English raised questions about whether they were deliberately disguising their identity or attempting to mislead investigators.

Despite attracting widespread media coverage, the group remained remarkably elusive. They communicated with journalists only once, granting a brief interview to Joseph Cox, now of 404 Media, during his tenure at VICE Motherboard. A decade later, the true identities behind the Shadow Brokers remain unknown.

At the time, journalists and researchers consulted former NSA personnel, some of whom speculated that a current or former agency insider could have played a role. Yet no individual has ever been formally charged for carrying out one of the most damaging intelligence-related cyber leaks in U.S. history.

One frequently discussed suspect was Harold T. Martin III, an NSA contractor arrested for removing classified materials from the agency. However, investigators faced a significant challenge with that theory: Shadow Brokers continued posting online after Martin had already been taken into custody. As a result, he has never been officially linked to the leaks through criminal charges.

A more widely accepted explanation among analysts suggests that the Shadow Brokers may have been a front created by a Russian intelligence operation designed to influence public perception and advance strategic objectives.

The consequences of the leak were profound. Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically. Because zero-day vulnerabilities are unknown to software developers, they often remain unpatched and highly dangerous until discovered.

The leaked EternalBlue exploit later became the foundation for some of the most destructive cyberattacks ever recorded. North Korean hackers used it in the WannaCry ransomware outbreak, while Russian operators incorporated it into the NotPetya malware campaign. Although initially aimed at targets in Ukraine, NotPetya spread globally and is estimated to have caused around $10 billion in economic losses.

For organizations worldwide, the incident underscored a critical cybersecurity lesson: vulnerabilities stockpiled by intelligence agencies can eventually escape into the public domain, creating enormous risks for businesses and governments alike.

Even years later, researchers continue uncovering new insights from the leaked materials. One tool contained a list of project names, including an entry called Fast16 that carried the unusual note, “NOTHING TO SEE HERE — CARRY ON.”

Last month, cybersecurity researchers announced that they had successfully located and analyzed the project. Their investigation uncovered malware dating back to 2005 that was reportedly designed to manipulate software believed to be used by Iranian nuclear scientists, demonstrating that the Shadow Brokers leak continues to reveal new chapters in cyber espionage history.


Read more »
Phishing
AI Bug Cloud Cyber Attacks Data KnowledgeDeliver Phishing

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells


Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration,” said Bleeping Computer, throughout all KnowledgeDeliver consumer deployments. 

Deserialization of ViewState

Hackers found the stolen machine key and used it in ViewState deserialization campaigns to sign infected ViewState payloads and launch remote code execution (RCE) at the OS level. 

In 2025, Mandiant responded to a campaign on a KnowledgeDeliver server and said that in the beginning, the bug was abused as a zero-day to deploy a compromised script into the web platform.

Attack tactic

The compromise was also possible as threat actors used “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the experts said. 

According to Mandiant, “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”

Experts said that the code on the platform lured users to download a malicious installer, which compromised the machine with a Cobalt Strike beacon by deploying a backdoor. 

The encrypted payload used a key “that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant report said.

Similar attacks in 2025

In August last year, experts from ASEC also disclosed that Godzilla was planted in ASP.NET environments in ViewState deserialization attacks against firms in the finance industry.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Hackers targeting unsecured machines

In recent years, threat actors are increasingly exploiting unsafe  machine keys in Viewstate deserialization attacks against web platforms for a few products.

Threat actors utilized a hardcoded machine key in March of last year to create a malicious payload that gave them access to Gladinet CenterStack's secure file-sharing servers.

After obtaining the machine key to generate signed malicious ViewState payloads, hackers gained access to 85 Microsoft SharePoint systems in July 2025.

Additionally, state-sponsored actors utilized ViewState deserialization assaults to install WeepSteel, a spying tool that revealed the ASP.NET machine key on Sitecore servers.

Read more »
Vulnerability Management
AI-Assisted Exploitation Attack Surface Management CERT-In Blueprint cyber resilience Cyber Security Exposure Management Security Automation Threat Detection Vulnerability Management

The Growing Threat of AI-Driven Exploitation in Vulnerability Management


 

In vulnerability management programs, it has been assumed that defenders will have adequate time to evaluate newly disclosed flaws, prioritize remediation efforts, and deploy patches prior to large-scale exploitations occurring. This assumption is rapidly becoming obsolete. Artificial intelligence is increasingly being utilized by threat actors to compress every stage of the attack lifecycle from vulnerability discovery to proof-of-concept to automated weaponizing to mass exploitation.

Organizations are finding themselves caught between escalating pressures to patch faster and the operational realities of maintaining critical systems while exploitation timelines continue to shrink. 

A security team's challenge is no longer just identifying vulnerabilities, but managing risks in an environment in which attackers can quickly progress from disclosure to exploitation within hours, often faster than traditional remediation mechanisms can respond. The scope of this challenge is becoming increasingly difficult to ignore. 

Even though patch management remains a fundamental security control, the increasing volume of vulnerabilities being discovered is forcing IT organizations to acknowledge the limitations of relying solely on remediation speed to prevent security breaches. 

When Anthropic reported, in May 2026, that Project Glasswing, in collaboration with nearly 50 industry partners, utilized Claude Mythos Preview to uncover more than 10,000 critical- and high-severity vulnerabilities in widely used and systemically important software within a single month through its use of Claude Mythos Preview, a tool developed by Claude Mythos. 

Several internal research programs are confirming similar outcomes, demonstrating how artificial intelligence is allowing security flaws to be identified and validated at a much faster rate, despite the fact that this shift is not limited to defenders and software vendors. In addition to simplifying vulnerability analysis and rapidly reproducing revealed vulnerabilities, threat actors are able to reduce the time it takes to operational exploitation by utilizing the same AI-driven capabilities. Thus, security imbalances are no longer solely determined by patching delays, but rather by the unprecedented speed with which both legitimate researchers and adversaries can utilize newly discovered weaknesses to accomplish their objectives. 

The growing concern is also beginning to shape national cybersecurity strategy. CERT-In recently released its Blueprint on Reducing Exposure and Protecting Digital Infrastructure against Artificial Intelligence-Assisted Vulnerabilities Exploitation, which recognizes that Artificial Intelligence fundamentally alters the economics and speed of cyber operations.

Specifically, the guidance discusses how artificial intelligence is facilitating adversaries' identification and weaponization of vulnerabilities, exposed internet-facing services, insecure APIs, weak identity controls, misconfigurations, and software supply chain vulnerabilities in an increasingly interconnected enterprise environment by identifying and weaponizing vulnerabilities.

As AI-assisted attacks accelerate multiple stages of the cyber kill chain, including reconnaissance and exploitation, lateral movement, and data exfiltration, CERT-In indicates, traditional security models are becoming increasingly difficult to maintain in response. 

According to the framework, continuous exposure management, adaptive defense mechanisms, and resilience-driven cybersecurity operations should be replaced by periodic assessments and reactive remediation. This blueprint advocates the implementation of AI-enabled, intelligence-led security programs that are capable of continuously validating defenses across stakeholders, endpoints, networks, applications, cloud platforms, operational technology environments, and evolving AI systems. 

As part of the strategy, the company places significant emphasis on strengthening governance, ensuring executive accountability, providing proactive threat hunting, ensuring incident response readiness, and reducing exposure by enhancing attack surface management and continuing security validation. 

Additionally, CERT-In emphasizes the importance of securing software supply chains, cloud ecosystems, artificial intelligence models, and third-party dependencies as a result of ongoing assurance activities such as audits, adversarial testing, red teaming, and independent assessments.

Further, the guidance emphasizes that effective defense against AI-based exploitation will require more than just technical measures, but also coordinated threat intelligence sharing, collaborative response efforts, and sustained cooperation between organizations, cybersecurity communities, and national cyber authorities. There are, however, practical limitations in eliminating risk at the speed modern threats require that go beyond identifying risk. 

The exploitation timeline has steadily contracted for years, but artificial intelligence adoption is increasing this trend to the point where newly disclosed vulnerabilities can attract active exploitation attempts within hours of public disclosure due to its increasing adoption. As attackers increasingly utilize automated workflows and highly scalable workflows, remediation processes continue to be hampered by business continuity requirements, testing cycles, change management procedures, regulatory requirements, and the complexity of modern enterprise environments. 

Across the industry, this disparity has become increasingly pronounced. The Verizon Data Breach Investigations Report 2026 (DBIR) indicates that the median remediation time for critical vulnerabilities increased from 32 days to 43 days over the past three years, illustrating the growing gap between organization response capability and exploitation speed. 

With regulators such as CERT-In advocating more aggressive remediation timelines for critical vulnerabilities as well as sub-day patching expectations, security leaders are faced with balancing the need for urgency with the needs of operational stability. The emerging reality is that some vulnerabilities will inevitably be targeted prior to the completion of full remediation. 

The effectiveness of cyber defense cannot be solely assessed by the pace at which patches are deployed, but also by an organization's ability to limit exposure, contain exploitation opportunities, and maintain resilience during the period between vulnerability disclosures and remediation. As a result, automation is increasingly becoming regarded as a prerequisite rather than an enhancement to modern security operations against this backdrop. 

CERT-In focuses its efforts on continuous monitoring, verification, and adaptive defense, reflecting a broader industry recognition that manual security workflows cannot cope with the scale and velocity of AI-driven threats. Ruvala commented that traditional operating models based on human analysis and response are becoming increasingly unsustainable as security teams contend with an expanding attack surface, growing number of vulnerabilities, and a constant flow of alerts and telemetry generated across distributed environments. 

It is no longer feasible for security events to be manually investigated and prioritized under such circumstances. The use of artificial intelligence-enabled security platforms is therefore being increased for the purpose of accelerating threat detection, coordinating activities between disparate systems, automating investigative processes, and determining the priority of remediation efforts based on real-time risk exposure. 

In light of adversaries' use of artificial intelligence to accelerate reconnaissance, vulnerability identification, and active exploitation, these capabilities are becoming increasingly important. To achieve better response effectiveness at scale, Ruvala believes the industry is shifting toward platform-centric, increasingly autonomous Security Operations Center (SOC) models with artificial intelligence, automation, and unified visibility.

Unless these levels of operational augmentation are in place, most organizations will remain challenged to meet the rapid remediation and response timeframes now expected by regulators, business leaders, and threat realities alike. Increasingly, artificial intelligence is becoming increasingly influential when it comes to vulnerability discovery and exploitation, reshaping long-held assumptions about cyber security. 

As the gap between vulnerabilities being disclosed and actively exploited narrows, organizations are being forced to acknowledge that remediation alone is no longer sufficient to protect against malicious attacks. As threats evolve rapidly, the challenge is not simply responding faster, but developing security programs that continuously identify vulnerabilities, validate controls, prioritize risks, and adapt accordingly. 

As adversaries and defenders have increasingly powerful AI capabilities available, the ability of organizations to effectively combat the next generation of cyber threats will be determined by resilience, visibility, and operational agility.
Read more »
Windows driver
API BYOVD Attack Cyber Security Lenovo Windows driver

Signed Lenovo Driver Could Be Misused to Shut Down Security Software, Researcher Warns

 


A security researcher has uncovered a weakness in a Lenovo-signed Windows driver that could allow attackers to disable antivirus and endpoint security tools, potentially weakening a system's defenses before carrying out additional malicious activity.

The finding involves BootRepair.sys, a driver linked to Lenovo PC Manager. According to research conducted by security researcher Jehad Abudagga, the driver contains functionality that can be exploited to terminate processes directly from the Windows kernel. Because the file is legitimately signed by Lenovo, it may appear trustworthy to operating systems and security products that rely on digital signatures when evaluating software.

At the time of the analysis, the driver, identified by the SHA-256 hash 5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946, reportedly had no detections on VirusTotal. Security researchers note that attackers often favor signed and seemingly legitimate software components because they can help malicious activity blend into normal system operations.

The research surfaces the growing nature of this particular attack technique known as Bring Your Own Vulnerable Driver, or BYOVD. In these attacks, threat actors deliberately use trusted but flawed drivers to gain elevated capabilities inside a system. Rather than exploiting security software directly, attackers abuse weaknesses in legitimate drivers to bypass protections and interfere with defensive tools.

A detailed examination of BootRepair.sys revealed several security weaknesses. The driver creates a device object called "\Device\::BootRepair" without applying a secure discretionary access control list (DACL). In practical terms, this means users with limited privileges may still be able to communicate with the driver.

The driver also creates a symbolic link named "\DosDevices\BootRepair," making the functionality accessible from user-mode applications. Researchers further found that the driver does not perform access-control validation when processing IRP_MJ_CREATE requests. As a result, any user can potentially obtain a handle to the driver without undergoing meaningful permission checks.

Analysis of the driver's input and output control functionality identified a single exposed IOCTL code, 0x222014. This control code accepts a four-byte input buffer that contains a process identifier, commonly referred to as a PID. Once received, the PID is passed to an internal routine responsible for terminating the specified process.

The underlying mechanism relies on the Windows kernel function ZwTerminateProcess. Because the operation is performed in kernel mode, the driver can terminate processes that would ordinarily be protected from interference. This includes security-sensitive services and endpoint protection products that are designed to prevent unauthorized shutdown attempts.

According to the research, these weaknesses create two primary attack opportunities. If the driver is already installed on a target system, an attacker with limited privileges could interact with it directly and terminate antivirus or endpoint detection and response (EDR) processes. If the driver is not present, an attacker could deploy the signed driver as part of a BYOVD operation, load it into the kernel, disable security controls, and then proceed with post-compromise activities.

In a proof-of-concept demonstration, the researcher showed that even protected processes could be terminated once the driver had been loaded. The test used standard Windows APIs to communicate with the driver. The process involved opening a handle to "\\.\BootRepair," sending a target process identifier through IOCTL code 0x222014, and allowing the driver to terminate the selected process from kernel mode.

The simplicity of the proof-of-concept demonstrates how little effort may be required to exploit the functionality once access to the driver is available. Researchers warn that after security products are disabled, attackers may be able to run credential theft tools, information stealers, or other post-exploitation utilities with a lower likelihood of detection.

The findings also reinforce concerns surrounding BYOVD attacks, which have become increasingly common in ransomware operations and advanced intrusion campaigns. Because vulnerable drivers often carry legitimate digital signatures, they can sometimes evade security controls that place significant trust in signed software.

To reduce exposure, organizations are encouraged to implement Microsoft's vulnerable driver blocklist, monitor systems for unusual driver-loading activity, restrict the installation of unauthorized drivers, and watch for suspicious kernel-level behavior. Security teams should also ensure that endpoint protection platforms are configured to detect attempts to abuse legitimate drivers.

The research serves as another example of how trusted software components can become security liabilities when design weaknesses are present. As attackers continue searching for legitimate tools that can be repurposed for malicious activity, organizations will need stronger controls around driver management, behavioral monitoring, and endpoint visibility to prevent security products from being disabled before an attack fully unfolds.

Read more »
Subscribe to: Posts (Atom)

Featured