Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Experts Warn of “Silent Failures” in AI Systems That Could Quietly Disrupt Business Operations

As companies rapidly integrate artificial intelligence into everyday operations, cybersecurity and technology experts are warning about a gr...

All the recent news you need to know
Technology
AI ClawJacked Data OpenClaw Technology

Hackers Exploit OpenClaw Bug to Control AI Agent


Cybersecurity experts have discovered a high-severity flaw named “ClawJacked” in the famous AI agent OpenClaw that allowed a malicious site bruteforce access silently to a locally running instance and take control. 

Oasis Security found the issue and informed OpenClaw, a fix was then released in version 2026.2.26 on 26th February. 

About OpenClaw

OpenClaw is a self-hosted AI tool that became famous recently for allowing AI agents to autonomously execute commands, send texts, and handle tasks across multiple platforms. Oasis security said that the flaw is caused by the OpenClaw gateway service linking with the localhost and revealing a WebSocket interface. 

Attack tactic 

As cross-origin browser policies do not stop WebSocket connections to a localhost, a compromised website opened by an OpenClaw user can use Javascript to secretly open a connection to the local gateway and try verification without raising any alarms. 

To stop attacks, OpenClaw includes rate limiting. But the loopback address (127.0.0.1) is excused by default. Therefore, local CLI sessions are not accidentally locked out. 

OpenClaw brute-force to escape security 

Experts discovered that they could brute-force the OpenClaw management password at hundreds of attempts per second without any failed attempts being logged. When the correct password is guessed, the hacker can silently register as a verified device, because the gateway autonomously allows device pairings from localhost without needing user info. 

“In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human-chosen password doesn't stand a chance,” Oasis said. 

The attacker can now directly interact with the AI platform by identifying connected nodes, stealing credentials, dumping credentials, and reading application logs with an authenticated session and admin access. 

Attacker privileges

According to Oasis, this might enable an attacker to give the agent instructions to perform arbitrary shell commands on paired nodes, exfiltrate files from linked devices, or scan chat history for important information. This would essentially result in a complete workstation compromise that is initiated from a browser tab. 

Oasis provided an example of this attack, demonstrating how the OpenClaw vulnerability could be exploited to steal confidential information. The problem was resolved within a day of Oasis reporting it to OpenClaw, along with technical information and proof-of-concept code.

Read more »
Isreal
Cyber Attacks Cybersecurity Reporting cybersecurity risk Cyerhackers Hacker attack Iran Isreal

Cyberattacks Reported Across Iran Following Joint US-Israeli Strike on Strategic Targets

 

A fresh bout of online actions emerged overnight Friday into Saturday, running parallel to air assaults carried out jointly by U.S. and Israeli forces against sites inside Iran, security researchers noted. The timing suggests the virtual maneuvers were linked to real-world strikes - possibly aiming to scramble communication lines, shape information flow, or hinder organized reactions on the ground. 

Appearing online, altered pages of Iranian media sites showed protest slogans instead of regular articles. Though small in number, these digital intrusions managed to reach large audiences through popular platforms. A shift occurred when hackers targeted BadeSaba - an app relied on by millions for daily religious guidance. Messages within the app suggested military personnel step back and align with civilian demonstrators. Not limited to websites, the interference extended into mobile tools trusted by ordinary users. 

Despite its routine function, the calendar software became a channel for dissenting statements. More than just data theft, the breach turned everyday technology into a medium for political appeal. Someone poking around online security thinks the app got picked on purpose - lots of people who back the government use it to look up faith stuff. According to Hamid Kashifi, who started a tech outfit called DarkCell, that crowd turned the platform into a useful path for hackers aiming to push content within national borders. 

Meanwhile, connections online in Iran began falling fast. According to Doug Madory - who leads internet research at Kentik - access weakened notably when the strikes occurred, with just faint digital signals remaining in certain areas. Some reports noted cyber actions focused on various Iranian state functions, administrative bodies, along with possible facilities tied to defense. 

As referenced by the Jerusalem Post, these incidents might have sought to weaken Iran’s capacity for unified decision-making amid heightened tensions. Possibly just the start, this online behavior could signal deeper conflicts ahead. With hostilities growing, factions linked to Iran might strike back through digital means, according to Rafe Pilling. He leads threat analysis work at Sophos. Targets may include U.S. or Israeli defense systems, businesses, even everyday infrastructure. 

Such moves would come amid rising geopolitical strain. What researchers have seen lately involves reviving past data leaks, while also trying simpler ways to target online industrial controls. Early moves like these could serve as probes - checking weak spots or collecting details ahead of bigger actions, according to experts. Now working at the cybersecurity firm Halcyon, Cynthia Kaiser - once a top cyber official at the Federal Bureau of Investigation - observed a clear rise in digital operations throughout the Middle East. Calls urging more aggressive moves have already emerged from online actors aligned with Iran, she pointed out. 

Meanwhile, Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike, said the firm is already observing reconnaissance efforts and distributed denial-of-service attacks linked to Iranian-aligned groups. Though tensions rise, some experts point to how warfare now blends physical strikes with online attacks - raising fears of broader digital clashes. 

Iran, noted by American authorities before, appears in the same category as China and Russia when discussing state-backed hacking aimed at international systems. With hostilities evolving, unseen pathways into infrastructure take on greater risk, especially given past patterns of intrusion tied to geopolitical friction.
Read more »
Smartphone Surveillance Risks
Android Security Threats App Data Permissions KoSpy Spyware Mobile App Permissions Mobile Cybersecurity Practices Mobile Security Privacy Smartphone Surveillance Risks

Security Specialists Warn That Full Photo Access Can Expose Personal Data


 

Mobile devices have become silent archives of modern life, storing everything from personal family moments to copies of identification documents and work files. However, their convenience has also made them a very attractive target for cyber-espionage activities. 

The Google Play Store was recently censored after investigators discovered several Android applications carried a sophisticated strain of spyware known as KoSpy. In a recent security intervention, Google removed several Android applications from the store. 

It is believed that the malicious software is capable of quietly infiltrating devices, harvesting sensitive information, and transmitting that information back to its operators without the users being aware. 

APT37 is believed to have been behind the campaign, and researchers believe the malware has been employed by the group since at least 2022 for covert surveillance activities. Privacy specialists have reaffirmed their warnings that something as common as granting applications broad permissions especially access to personal photo libraries can potentially lead to far more invasive forms of digital monitoring if done inadvertently. 

In addition, the incident emphasizes the importance of obtaining and using device permissions by mobile applications. In order for an Android or iOS application to function properly, it requires access to various components of the smartphone. 

In addition to install-time permissions, run-time permissions, and a few special permissions that are prompted during application usage, these requests typically fall into several categories. The majority of permissions are straightforward and are automatically granted during installation, while others require explicit approval by the user via prompts issued by the operating system.

Operating systems act as intermediaries between an application and the phone's hardware, determining whether an application can access sensitive resources such as the camera, microphone, storage, or location data. 

However, in spite of the fact that these controls have been designed to ensure that functional integrity is maintained across applications and that unauthorized interactions between software components are avoided, users often approve requests without fully considering the implications. 

When malicious or poorly secured applications abuse the runtime and special permissions those that provide deeper access to device data they pose the greatest security risks. Understanding why these permissions matter is central to evaluating the potential impact of spyware such as KoSpy App permissions essentially function as gatekeeping settings that determine what categories of personal data an application is allowed to collect, process, or transmit.

As a result of the need for this access, legitimate services can be provided. Messaging platforms, such as WhatsApp, for example, require camera and microphone permissions to provide voice and video calls, while navigation tools, such as Google Maps, utilize location data to provide real-time directions and localized information. 

When these permissions are granted to untrusted software, however, they may also serve as vectors for exploitation. When location access is misused, it could lead to the recording of covert audio or the unauthorized monitoring of conversations, thereby exposing users to surveillance risks or even physical safety concerns.

Microphone permissions, if misused, could enable covert audio recording. Social networking platforms, such as Facebook and Instagram, commonly request access to contact lists. By leveraging this data, applications can map social connections as well as run aggressive marketing campaigns, distribute spam, or harvest information. 

The storage permissions necessary to allow apps to read and upload files, such as those required by photo editing and document management software, can also pose a serious privacy concern if granted to applications without a clear functional reason for accessing personal documents. 

Security analysts report that the cumulative effect of these permissions can be significant, especially when malicious software has been specifically designed to take advantage of them to collect covert data. 

Privacy advocates have expressed concerns about mobile permissions in connection with a wide variety of products and services, not just obscure applications and alleged spyware campaigns. As well as some of the world's largest technology platforms have faced scrutiny from the privacy community over how their data is handled once access has been granted.

In a series of cases cited by digital rights groups, Meta Platforms, the parent company of Facebook, has demonstrated how extensive data access can lead to complex privacy implications. A criminal investigation involving a mother and daughter accused of carrying out an abortion in 2022 drew widespread criticism after the company provided law enforcement authorities with private message records connected to that investigation. 

It has been argued that this case illustrates how copies of personal information stored on major platforms can be accessed by legal processes, thus raising broader questions about how digital information is preserved, analyzed, and ultimately disclosed.

The Surveillance Technology Oversight Project's communications director, Will Owen, believes that such cases demonstrate the ability of technology platforms to facilitate government access to sensitive personal information in certain circumstances, where it is legally required. 

Concerns were recently raised when a Facebook feature requested users to provide the platform with access to their device's camera roll in order for the platform to automatically suggest photos using artificial intelligence on their device. Users were invited to enable cloud-based processing that analyzed images stored on their devices in order to generate variants enhanced by artificial intelligence. 

Activating such a feature could result in the platform's systems processing photographs and potentially analyzing biometric data such as facial features, according to privacy advocates. Despite the tool being presented as a convenience feature designed to enhance photo sharing, some users expressed concerns regarding its scope of data processing.

There appears to be a lack of widespread availability of this feature, and the company has not publicly clarified its current status. Security experts emphasize the importance of digital hygiene by citing these examples. However, even when a feature is presented as an optional enhancement, users should carefully consider what information an application may have access to. 

Facebook, for example, allows users to review and modify camera roll integration settings within their privacy controls in the "Settings and Privacy" menu, which contains options for managing photo suggestions and sharing of images. Despite the appearance that these adjustments are merely minor, limiting broad access to a user's personal photo libraries remains an effective safeguard for smartphone users. 

A privacy expert notes that restricting such permissions not only reduces the probability of accidental data exposure, but also ensures that personal images are not processed, stored, or shared in ways they were not intended. In addition to the increasing sophistication of smartphones, persistent concerns have been raised regarding how extensive user activity could be monitored by mobile devices.

Whenever multiple applications run simultaneously-many of which have microphone access, voice recognition capabilities, and integration with digital assistants-questions arise regarding whether smartphones passively listen to conversations in order to send targeted advertising or notifications. 

 Despite the fact that modern mobile operating systems include safeguards to protect against unauthorized recording, the discussion points to a broader issue surrounding data governance on personal devices. A user's choice of whether to approve permission requests is determined by both the developer's design and the choices made by the user. 

There are many organizations that develop mobile applications, including large technology companies, independent developers, internal engineering teams, and outsourced development firms. However, the last layer of control remains with the end user, even though most development processes adhere to established security practices, privacy policies, and compliance frameworks. 

The possibility of an attack surface being increased by granting permissions indiscriminately can lead to an increase in device vulnerabilities, particularly in the case of applications requesting access to resources not directly required for their core functionality. Therefore, security specialists emphasize that app installation and permission management should be managed more deliberately.

By assessing application ratings, assessing developer credibility, and examining permission requests prior to installation, malicious or poorly designed software can be significantly reduced. It is imperative that users periodically review the permission management settings available within both Android and iOS to ensure that they are aware of which applications retain access to sensitive information such as microphones, storage space, and location services to ensure that access is granted only when the information clearly supports an application's legitimate function. 

Keeping operating systems and applications up-to-date also helps mitigate potential security vulnerabilities that may occur over time. As mobile ecosystems continue to evolve toward increasingly data-driven digital services, developers are expected to adopt more transparency regarding the collection and processing of personal information.

Despite this, cybersecurity professionals consistently emphasize that user behavior is essential to data protection. The use of personal devices as storage devices for large volumes of sensitive information has been demonstrated to be very effective in maintaining control over digital footprints. 

Exercise caution with permissions, installing applications only from trusted marketplaces, and regularly auditing privacy settings remain among the most effective methods for maintaining control. It is important to note that mobile security is no longer limited to antivirus tools or system updates alone. 

Since smartphones continue to provide access to personal, financial, and professional information, managing application permissions is becoming increasingly important to everyday cybersecurity practices. 

A number of analysts suggest that users should evaluate new apps carefully before downloading them evaluating whether the permissions they are asked for align with the service they are attempting to access, and reconsidering requests for access that seem excessive or unnecessary. 

Practice suggests tightening permission controls, reviewing privacy settings frequently, and utilizing well-established applications developed by trusted developers in order to reduce the likelihood of covert data collection.

Despite the fact that platforms and developers share responsibility for strengthening protections, experts emphasize that informed and cautious user behavior is still the most effective means of protecting against emerging threats to mobile surveillance.
Read more »
Supply Chain Attack
AI Tool GlassWorm malware Open VSX Supply Chain Attack

GlassWorm Abuses 72 Open VSX Extensions in Bold Supply-Chain Assault

 

GlassWorm has resurfaced with a more aggressive supply‑chain campaign, this time weaponizing the Open VSX registry at scale to target developers. Security researchers say the latest wave represents a significant escalation in both scope and stealth compared to earlier activity. 

Since January 31, 2026, at least 72 new malicious Open VSX extensions have been identified, all masquerading as popular tools like linters, formatters, code runners, and AI‑powered coding assistants. These look and behave like legitimate utilities at first glance, making it easy for busy developers to trust and install them. Behind the scenes, however, they embed hidden logic designed to pull in additional malware once inside a development environment.

The attackers now abuse trusted Open VSX features such as extensionPack and extensionDependencies to spread their payloads transitively. An extension can appear harmless on installation but later pull in a malicious dependency via an update or a bundled pack. This approach allows the threat actor to minimize obviously suspicious code in each listing while still maintaining a broad infection path.

Once executed, GlassWorm behaves as a multi‑stage infostealer and remote access tool targeting developer systems. It focuses on harvesting credentials for npm, GitHub, Git, and other services, then uses those stolen tokens to compromise additional repositories and publish more infected extensions. This creates a self‑reinforcing loop that can quickly expand across ecosystems if not promptly contained. 

Beyond credentials, GlassWorm aggressively targets financial data by going after more than 49 different cryptocurrency wallet browser extensions, including popular wallets like MetaMask, Coinbase, and Phantom. Stolen cookies and session tokens can enable account takeover, while drained wallets provide immediate monetization for the attackers. In later stages, the malware deploys a hidden VNC component and SOCKS proxy, effectively converting developer machines into nodes within a criminal infrastructure. 

For developers and organizations, this campaign underscores how extension ecosystems have become high‑value attack surfaces. Teams should enforce strict extension allowlists, monitor unusual repository activity, and rotate credentials if any suspicious Open VSX extensions were recently installed. Security tooling that inspects extension metadata, dependency chains, and post‑install behavior is now essential to counter evolving threats like GlassWorm.
Read more »
Privacy
encrypted messaging apps End To End Encryption Instagram Law Enforcement Meta Privacy

Meta to Discontinue End-to-End Encrypted Chats on Instagram Come May 2026

 



Meta Platforms has confirmed that it will remove support for end-to-end encrypted messaging in Instagram direct messages beginning May 8, 2026. After this date, conversations that previously relied on this encryption feature will no longer be protected by the same privacy mechanism.

According to guidance published in the platform’s support documentation, users whose conversations are affected will receive instructions explaining how to download messages or media files they want to retain. In some situations, individuals may also need to install the latest version of the Instagram application before they can export their chat history.  

When asked about the decision, Meta stated that encrypted messaging on Instagram saw limited adoption. The company explained that only a small percentage of users chose to enable end-to-end encryption within Instagram direct messages. Meta also pointed out that people who want encrypted communication can still use the feature on WhatsApp, where end-to-end encryption is already widely used.


How Instagram Encryption Was Introduced

Instagram’s encrypted messaging capability was originally introduced as part of a broader push by Meta to transform its messaging ecosystem. In 2021, Meta CEO Mark Zuckerberg outlined a “privacy-focused” strategy for social networking that aimed to shift communication toward private and secure messaging environments. 

Within that initiative, Meta began experimenting with encrypted direct messages on Instagram. However, the feature never became the default setting for users. Instead, it remained an optional capability available only in certain regions and had to be manually activated within specific conversations.

The tool also gained relevance during geopolitical tensions. Shortly after the outbreak of the Russia-Ukraine conflict in early 2022, Meta expanded access to encrypted direct messages for adult users in both Russia and Ukraine. The company said the move was intended to provide safer communication channels during the early phase of the war.


Industry Debate Over Encrypted Messaging

The decision to discontinue Instagram’s encrypted chats comes amid a broader debate in the technology sector about whether strong encryption improves or complicates online safety.

Recently, the social media platform TikTok said it currently has no plans to introduce end-to-end encryption for its messaging system. The company told the BBC that such technology could reduce its ability to monitor harmful activity and protect younger users from abuse.

End-to-end encryption is widely regarded by cybersecurity experts as one of the strongest ways to secure digital communication. When this technology is used, messages are encrypted on the sender’s device and can only be decrypted by the recipient. This means that even the platform hosting the conversation cannot read the message contents during transmission. 

Because of this design, encrypted systems can protect users from surveillance, data interception, or unauthorized access by third parties. Many messaging services, including WhatsApp and Signal, rely on similar encryption models to secure billions of conversations globally.


Law Enforcement Concerns

Despite its privacy advantages, encryption has long been controversial among law enforcement agencies and child-safety advocates. Critics argue that encrypted messaging makes it harder for technology companies to detect criminal behavior such as terrorism recruitment or the distribution of child sexual abuse material.

Authorities describe this challenge as the “Going Dark” problem, referring to situations where investigators cannot access message content even when they obtain legal warrants. Policymakers have repeatedly warned that widespread encryption could reduce the ability of platforms to cooperate with criminal investigations.

Internal documents previously reported by Reuters indicated that some Meta executives had raised similar concerns internally. In discussions dating back to 2019, company officials warned that widespread encryption could limit the company’s ability to identify and report illegal activity to law enforcement authorities. 


Regulatory Pressure and Future Policy

The global policy debate around encryption is still evolving and charting new courses. The European Commission is expected to release a technology roadmap on encryption later this year. The initiative aims to explore ways to allow lawful access to encrypted data for investigators while preserving cybersecurity protections and civil liberties.


A Changing Messaging Strategy

Meta’s decision to remove encrypted messaging from Instagram highlights the complex trade-offs technology companies face when balancing privacy protections with safety monitoring and regulatory expectations.

While encryption remains a cornerstone of messaging on WhatsApp and has expanded across other platforms, the rollback on Instagram suggests that adoption rates, platform design, and policy pressures can influence whether such security features remain viable.

For Instagram users who relied on encrypted chats, the upcoming change means reviewing conversations before May 2026 and exporting any information they wish to keep before the feature is officially retired.

Read more »
zero-day cyberattack
CISA CVE-2025-0282 Ivanti Connect Secure vulnerability malware RESURGE UNC5221 threat actor zero-day cyberattack

CISA Reveals New Details on RESURGE Malware Exploiting Ivanti Zero-Day Vulnerability

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published fresh technical insights into RESURGE, a malicious implant leveraged in zero-day attacks targeting Ivanti Connect Secure appliances through the vulnerability tracked as CVE-2025-0282.

The latest advisory highlights the implant’s ability to remain undetected on affected systems for extended periods. According to CISA, the malware employs advanced network-level evasion and authentication mechanisms that allow attackers to maintain hidden communication channels with compromised devices.

CISA first reported the malware on March 28 last year, noting that it can persist even after system reboots. The implant is capable of creating web shells to harvest credentials, generating new accounts, resetting passwords, and escalating privileges on affected systems.

Security researchers at incident response firm Mandiant revealed that the critical CVE-2025-0282 flaw had been actively exploited as a zero-day vulnerability since mid-December 2024. The campaign has been linked to a China-associated threat actor identified internally as UNC5221.

Network-level evasion techniques

In the updated bulletin, CISA shared additional technical details about the implant. The malware is a 32-bit Linux shared object file named libdsupgrade.so that was recovered from a compromised Ivanti device.

RESURGE functions as a passive command-and-control (C2) implant with multiple capabilities, including rootkit, bootkit, backdoor, dropper, proxying, and tunneling functions.

Unlike typical malware that regularly sends signals to its command server, RESURGE remains idle until it receives a specific inbound TLS connection from an attacker. This behavior helps it avoid detection by traditional network monitoring systems.

When loaded within the ‘web’ process, the implant intercepts the ‘accept()’ function to inspect incoming TLS packets before they reach the web server. It searches for particular connection patterns originating from remote attackers using a CRC32 TLS fingerprint hashing method.

If the fingerprint does not match the expected pattern, the traffic is redirected to the legitimate Ivanti server. CISA also explained that the attackers rely on a fake Ivanti certificate to confirm that they are interacting with the malware implant rather than the genuine web server.

The agency noted that the forged certificate is used strictly for authentication and verification purposes and does not encrypt communication. However, it also helps attackers evade detection by impersonating the legitimate Ivanti service.

Because the fake certificate is transmitted over the internet without encryption, CISA said defenders can potentially use it as a network signature to identify ongoing compromises.

Once the fingerprint verification and authentication steps are completed, attackers establish encrypted remote access to the implant through a Mutual TLS session secured with elliptic curve cryptography.

"Static analysis indicates the RESURGE implant will request the remote actors' EC key to utilize for encryption, and will also verify it with a hard-coded EC Certificate Authority (CA) key," CISA says.

By disguising its traffic to resemble legitimate TLS or SSH communications, the implant maintains stealth while ensuring long-term persistence on compromised systems.

Additional malicious components

CISA also examined another file, a variant of the SpawnSloth malware named liblogblock.so, which is embedded within the RESURGE implant. Its primary role is to manipulate system logs to conceal malicious activities on infected devices.

A third analyzed component, called dsmain, is a kernel extraction script that incorporates the open-source script extract_vmlinux.sh along with the BusyBox collection of Unix/Linux utilities.

The script enables the malware to decrypt, alter, and re-encrypt coreboot firmware images while modifying filesystem contents to maintain persistence at the boot level.

“CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device,” the agency notes. Because of this, the malicious implant "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat."

To address the risk, CISA recommends that administrators review the updated indicators of compromise (IoCs) provided in the advisory to identify potential RESURGE infections and remove the malware from affected Ivanti systems.
Read more »
Subscribe to: Comments (Atom)

Featured