Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells

Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserializati...

All the recent news you need to know
Vulnerability Management
AI-Assisted Exploitation Attack Surface Management CERT-In Blueprint cyber resilience Cyber Security Exposure Management Security Automation Threat Detection Vulnerability Management

The Growing Threat of AI-Driven Exploitation in Vulnerability Management


 

In vulnerability management programs, it has been assumed that defenders will have adequate time to evaluate newly disclosed flaws, prioritize remediation efforts, and deploy patches prior to large-scale exploitations occurring. This assumption is rapidly becoming obsolete. Artificial intelligence is increasingly being utilized by threat actors to compress every stage of the attack lifecycle from vulnerability discovery to proof-of-concept to automated weaponizing to mass exploitation.

Organizations are finding themselves caught between escalating pressures to patch faster and the operational realities of maintaining critical systems while exploitation timelines continue to shrink. 

A security team's challenge is no longer just identifying vulnerabilities, but managing risks in an environment in which attackers can quickly progress from disclosure to exploitation within hours, often faster than traditional remediation mechanisms can respond. The scope of this challenge is becoming increasingly difficult to ignore. 

Even though patch management remains a fundamental security control, the increasing volume of vulnerabilities being discovered is forcing IT organizations to acknowledge the limitations of relying solely on remediation speed to prevent security breaches. 

When Anthropic reported, in May 2026, that Project Glasswing, in collaboration with nearly 50 industry partners, utilized Claude Mythos Preview to uncover more than 10,000 critical- and high-severity vulnerabilities in widely used and systemically important software within a single month through its use of Claude Mythos Preview, a tool developed by Claude Mythos. 

Several internal research programs are confirming similar outcomes, demonstrating how artificial intelligence is allowing security flaws to be identified and validated at a much faster rate, despite the fact that this shift is not limited to defenders and software vendors. In addition to simplifying vulnerability analysis and rapidly reproducing revealed vulnerabilities, threat actors are able to reduce the time it takes to operational exploitation by utilizing the same AI-driven capabilities. Thus, security imbalances are no longer solely determined by patching delays, but rather by the unprecedented speed with which both legitimate researchers and adversaries can utilize newly discovered weaknesses to accomplish their objectives. 

The growing concern is also beginning to shape national cybersecurity strategy. CERT-In recently released its Blueprint on Reducing Exposure and Protecting Digital Infrastructure against Artificial Intelligence-Assisted Vulnerabilities Exploitation, which recognizes that Artificial Intelligence fundamentally alters the economics and speed of cyber operations.

Specifically, the guidance discusses how artificial intelligence is facilitating adversaries' identification and weaponization of vulnerabilities, exposed internet-facing services, insecure APIs, weak identity controls, misconfigurations, and software supply chain vulnerabilities in an increasingly interconnected enterprise environment by identifying and weaponizing vulnerabilities.

As AI-assisted attacks accelerate multiple stages of the cyber kill chain, including reconnaissance and exploitation, lateral movement, and data exfiltration, CERT-In indicates, traditional security models are becoming increasingly difficult to maintain in response. 

According to the framework, continuous exposure management, adaptive defense mechanisms, and resilience-driven cybersecurity operations should be replaced by periodic assessments and reactive remediation. This blueprint advocates the implementation of AI-enabled, intelligence-led security programs that are capable of continuously validating defenses across stakeholders, endpoints, networks, applications, cloud platforms, operational technology environments, and evolving AI systems. 

As part of the strategy, the company places significant emphasis on strengthening governance, ensuring executive accountability, providing proactive threat hunting, ensuring incident response readiness, and reducing exposure by enhancing attack surface management and continuing security validation. 

Additionally, CERT-In emphasizes the importance of securing software supply chains, cloud ecosystems, artificial intelligence models, and third-party dependencies as a result of ongoing assurance activities such as audits, adversarial testing, red teaming, and independent assessments.

Further, the guidance emphasizes that effective defense against AI-based exploitation will require more than just technical measures, but also coordinated threat intelligence sharing, collaborative response efforts, and sustained cooperation between organizations, cybersecurity communities, and national cyber authorities. There are, however, practical limitations in eliminating risk at the speed modern threats require that go beyond identifying risk. 

The exploitation timeline has steadily contracted for years, but artificial intelligence adoption is increasing this trend to the point where newly disclosed vulnerabilities can attract active exploitation attempts within hours of public disclosure due to its increasing adoption. As attackers increasingly utilize automated workflows and highly scalable workflows, remediation processes continue to be hampered by business continuity requirements, testing cycles, change management procedures, regulatory requirements, and the complexity of modern enterprise environments. 

Across the industry, this disparity has become increasingly pronounced. The Verizon Data Breach Investigations Report 2026 (DBIR) indicates that the median remediation time for critical vulnerabilities increased from 32 days to 43 days over the past three years, illustrating the growing gap between organization response capability and exploitation speed. 

With regulators such as CERT-In advocating more aggressive remediation timelines for critical vulnerabilities as well as sub-day patching expectations, security leaders are faced with balancing the need for urgency with the needs of operational stability. The emerging reality is that some vulnerabilities will inevitably be targeted prior to the completion of full remediation. 

The effectiveness of cyber defense cannot be solely assessed by the pace at which patches are deployed, but also by an organization's ability to limit exposure, contain exploitation opportunities, and maintain resilience during the period between vulnerability disclosures and remediation. As a result, automation is increasingly becoming regarded as a prerequisite rather than an enhancement to modern security operations against this backdrop. 

CERT-In focuses its efforts on continuous monitoring, verification, and adaptive defense, reflecting a broader industry recognition that manual security workflows cannot cope with the scale and velocity of AI-driven threats. Ruvala commented that traditional operating models based on human analysis and response are becoming increasingly unsustainable as security teams contend with an expanding attack surface, growing number of vulnerabilities, and a constant flow of alerts and telemetry generated across distributed environments. 

It is no longer feasible for security events to be manually investigated and prioritized under such circumstances. The use of artificial intelligence-enabled security platforms is therefore being increased for the purpose of accelerating threat detection, coordinating activities between disparate systems, automating investigative processes, and determining the priority of remediation efforts based on real-time risk exposure. 

In light of adversaries' use of artificial intelligence to accelerate reconnaissance, vulnerability identification, and active exploitation, these capabilities are becoming increasingly important. To achieve better response effectiveness at scale, Ruvala believes the industry is shifting toward platform-centric, increasingly autonomous Security Operations Center (SOC) models with artificial intelligence, automation, and unified visibility.

Unless these levels of operational augmentation are in place, most organizations will remain challenged to meet the rapid remediation and response timeframes now expected by regulators, business leaders, and threat realities alike. Increasingly, artificial intelligence is becoming increasingly influential when it comes to vulnerability discovery and exploitation, reshaping long-held assumptions about cyber security. 

As the gap between vulnerabilities being disclosed and actively exploited narrows, organizations are being forced to acknowledge that remediation alone is no longer sufficient to protect against malicious attacks. As threats evolve rapidly, the challenge is not simply responding faster, but developing security programs that continuously identify vulnerabilities, validate controls, prioritize risks, and adapt accordingly. 

As adversaries and defenders have increasingly powerful AI capabilities available, the ability of organizations to effectively combat the next generation of cyber threats will be determined by resilience, visibility, and operational agility.
Read more »
Windows driver
API BYOVD Attack Cyber Security Lenovo Windows driver

Signed Lenovo Driver Could Be Misused to Shut Down Security Software, Researcher Warns

 


A security researcher has uncovered a weakness in a Lenovo-signed Windows driver that could allow attackers to disable antivirus and endpoint security tools, potentially weakening a system's defenses before carrying out additional malicious activity.

The finding involves BootRepair.sys, a driver linked to Lenovo PC Manager. According to research conducted by security researcher Jehad Abudagga, the driver contains functionality that can be exploited to terminate processes directly from the Windows kernel. Because the file is legitimately signed by Lenovo, it may appear trustworthy to operating systems and security products that rely on digital signatures when evaluating software.

At the time of the analysis, the driver, identified by the SHA-256 hash 5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946, reportedly had no detections on VirusTotal. Security researchers note that attackers often favor signed and seemingly legitimate software components because they can help malicious activity blend into normal system operations.

The research surfaces the growing nature of this particular attack technique known as Bring Your Own Vulnerable Driver, or BYOVD. In these attacks, threat actors deliberately use trusted but flawed drivers to gain elevated capabilities inside a system. Rather than exploiting security software directly, attackers abuse weaknesses in legitimate drivers to bypass protections and interfere with defensive tools.

A detailed examination of BootRepair.sys revealed several security weaknesses. The driver creates a device object called "\Device\::BootRepair" without applying a secure discretionary access control list (DACL). In practical terms, this means users with limited privileges may still be able to communicate with the driver.

The driver also creates a symbolic link named "\DosDevices\BootRepair," making the functionality accessible from user-mode applications. Researchers further found that the driver does not perform access-control validation when processing IRP_MJ_CREATE requests. As a result, any user can potentially obtain a handle to the driver without undergoing meaningful permission checks.

Analysis of the driver's input and output control functionality identified a single exposed IOCTL code, 0x222014. This control code accepts a four-byte input buffer that contains a process identifier, commonly referred to as a PID. Once received, the PID is passed to an internal routine responsible for terminating the specified process.

The underlying mechanism relies on the Windows kernel function ZwTerminateProcess. Because the operation is performed in kernel mode, the driver can terminate processes that would ordinarily be protected from interference. This includes security-sensitive services and endpoint protection products that are designed to prevent unauthorized shutdown attempts.

According to the research, these weaknesses create two primary attack opportunities. If the driver is already installed on a target system, an attacker with limited privileges could interact with it directly and terminate antivirus or endpoint detection and response (EDR) processes. If the driver is not present, an attacker could deploy the signed driver as part of a BYOVD operation, load it into the kernel, disable security controls, and then proceed with post-compromise activities.

In a proof-of-concept demonstration, the researcher showed that even protected processes could be terminated once the driver had been loaded. The test used standard Windows APIs to communicate with the driver. The process involved opening a handle to "\\.\BootRepair," sending a target process identifier through IOCTL code 0x222014, and allowing the driver to terminate the selected process from kernel mode.

The simplicity of the proof-of-concept demonstrates how little effort may be required to exploit the functionality once access to the driver is available. Researchers warn that after security products are disabled, attackers may be able to run credential theft tools, information stealers, or other post-exploitation utilities with a lower likelihood of detection.

The findings also reinforce concerns surrounding BYOVD attacks, which have become increasingly common in ransomware operations and advanced intrusion campaigns. Because vulnerable drivers often carry legitimate digital signatures, they can sometimes evade security controls that place significant trust in signed software.

To reduce exposure, organizations are encouraged to implement Microsoft's vulnerable driver blocklist, monitor systems for unusual driver-loading activity, restrict the installation of unauthorized drivers, and watch for suspicious kernel-level behavior. Security teams should also ensure that endpoint protection platforms are configured to detect attempts to abuse legitimate drivers.

The research serves as another example of how trusted software components can become security liabilities when design weaknesses are present. As attackers continue searching for legitimate tools that can be repurposed for malicious activity, organizations will need stronger controls around driver management, behavioral monitoring, and endpoint visibility to prevent security products from being disabled before an attack fully unfolds.

Read more »
VISA
Cyber Fraud Data Breach sensitive information UK government VISA

UK Visa Application Service Left More Than 100,000 Identity Documents Accessible Online

 




A private visa assistance website used by travelers seeking permission to enter the United Kingdom left a large collection of customer records accessible online, exposing passport copies, identity verification photographs, and location information linked to applicants.

The website, known as UK Visa Portal, offers paid assistance for visa and travel authorization applications. The platform is not operated by the U.K. government, although reports indicate that some users may have mistaken it for an official government service and paid application-related fees through the site instead of using government channels.

The exposure came to light after an individual discovered a security issue affecting the platform and reported it to journalists. According to information shared by the source, the accessible records included more than 100,000 files uploaded by applicants during the visa application process. These files reportedly contained passport images and selfie photographs that users submitted to verify their identities.

Following inquiries from journalists, the exposed data was secured. However, details regarding how long the information remained accessible have not been publicly disclosed.

According to reporting on the incident, the exposed records were stored in an Amazon-hosted cloud storage repository used by UK Visa Portal. While the storage system did not openly display a list of documents to the public, individual files could still be accessed by anyone who possessed the correct web address. The individual who identified the issue stated that a flaw within the website's backend functionality made it possible to view references to files stored in the cloud environment.

Journalists investigating the incident reportedly verified the authenticity of the exposed records by contacting individuals whose documents appeared in the dataset. Those contacted confirmed that the information matched records they had submitted through the platform.

Beyond passport scans and identity photographs, some uploaded images reportedly contained embedded geolocation metadata. This information can be automatically recorded by smartphones and digital cameras when a photograph is taken. In certain cases, the metadata was reportedly detailed enough to reveal the location where the image was captured, including locations associated with applicants' residences.

The exposure of identity documents can create opportunities for fraud and impersonation. Passports, facial images, dates of birth, addresses, and other personal identifiers are frequently used during account verification processes. If obtained by unauthorized parties, such information may be used in attempts to create fraudulent accounts, bypass identity checks, or conduct targeted social engineering operations.

The handling of the incident has also left several questions unanswered. Reports indicate that journalists attempted to notify the company about the security issue but were unable to identify a dedicated vulnerability reporting channel. The website reportedly did not provide public contact information for company executives or security personnel responsible for addressing cybersecurity matters.

After initial contact was made through customer support, a manager was identified as a potential point of contact. However, reports indicate that direct engagement with company management did not occur. Instead, communication later involved representatives from a public relations firm and attorneys from a U.S.-based law firm.

Following publication of the findings, journalists sought additional information regarding the incident, including the length of time the storage repository remained exposed, whether access logs exist, whether any files were downloaded by unauthorized parties, and who oversees cybersecurity operations within the organization. Public answers to those questions have not been released.

The company is reportedly linked to an organization called Active Leadgen LLC, which is described as having connections to the United Arab Emirates. However, independent verification of the ownership structure has not been publicly established.

The incident comes amid increasing reliance on online identity verification systems by governments, financial institutions, and digital service providers. As more organizations require users to submit passports and photographs electronically, the protection of those documents has become a critical responsibility for any company handling sensitive personal information.

Applicants seeking authorization to travel to the United Kingdom are generally advised to confirm that they are using official government services before submitting identity documents or making payments. In most cases, travelers can complete the application process directly through official U.K. government channels without relying on third-party visa assistance platforms.

Read more »
Signal Jamming
Cyber Security Defence Secretary RAF Jet Russian Border Signal Jamming

RAF Jet Carrying UK Defence Secretary John Healey Has Signal Jammed Near Russia Border

 

An RAF jet carrying UK Defence Secretary John Healey experienced signal jamming near the Russian border earlier this week, highlighting the growing security risks faced by military and government flights operating close to tense front lines. The incident took place while Healey was returning to the UK after visiting British troops stationed in Estonia. According to the BBC report, the aircraft’s GPS was affected, forcing the crew to rely on an alternative navigation system for the three-hour journey. 

The reported disruption has raised fresh concerns about electronic interference in areas bordering Russia, where GPS jamming and related forms of signal disruption have become a familiar feature of the strategic environment. The BBC said it is suspected that Russia was behind the interference, although it remains unclear whether Healey himself was deliberately targeted. The flight path was reportedly visible on aircraft-tracking platforms, which may have made the plane easier to monitor. 

Signal jamming is not only a technical nuisance; it can also carry serious operational implications. When GPS is disabled or distorted, pilots must depend on backup systems and heightened crew awareness to maintain safe navigation. The BBC noted that a similar incident occurred in 2024, when an RAF aircraft carrying then-Defence Secretary Grant Shapps also faced GPS jamming near Russian airspace. That history suggests the latest case is part of a broader pattern rather than an isolated event. 

For the UK, the episode underlines the pressures of supporting allies in Eastern Europe while deterring hostile interference. Britain has maintained a military presence in Estonia as part of its NATO commitments, and visits by senior officials send a message of solidarity and readiness. Yet incidents like this show that even routine travel in the region can be affected by electronic warfare and other forms of disruption. The incident adds another layer of caution for defence planners and transport crews working in contested airspace. 

Although the full circumstances remain under review, the incident is a reminder that modern conflict is increasingly fought in invisible ways. Jamming signals, disrupting navigation, and probing aircraft movements are part of a wider contest that extends beyond traditional battlefields. As European tensions remain high, the UK and its allies are likely to keep paying close attention to the safety of flights operating near Russia’s borders.
Read more »
Google Research
AI Generated Content Law AI manufacturing research Cyber Security Fake Data generative AI fraud Google Research

AI-Generated Fake Citations Surge Across Scientific Papers and Peer-Reviewed Journals

 

Surprising numbers of made-up sources now show up in research articles, thanks to artificial intelligence. Instead of slowing down, the problem grew fast - around 150,000 false references slipped into academic work just in 2025 alone. While some stay hidden in early drafts online, others make it through review systems and land in official journals. What once seemed rare has become common, raising concerns across universities and publishing houses alike. 

From 2020 to 2025, scholarly articles totaling 2.5 million were examined by analysts at Cornell, UCLA, and Berkeley. These documents contributed a citation count of 111 million. Data originated in prominent archives - arXiv, bioRxiv, SSRN, and PubMed Central being among them. Attention shifted toward references that lacked confirmation in standard indexing systems. Tools like Semantic Scholar, OpenAlex, and Google Scholar failed to validate certain paper titles. Scrutiny centered on these unverifiable instances. Work unfolded without reliance on assumed accuracy. 

Instead, gaps in traceability became the point of departure. Midway through 2024, a noticeable spike emerged in made-up citations. This shift came alongside broader adoption of advanced language software - systems initially built for drafting text but now able to produce full reference lists. Although such tools speed up writing tasks, they sometimes invent scholarly sources that sound real yet lead nowhere. 

A paper called "LLM Hallucinations in the Wild" traced this pattern directly to how these models operate when asked to cite materials. Because false references mimic genuine ones so closely, spotting them becomes difficult without careful checking. Surprisingly, the investigation reveals fabricated citations appear beyond clearly dishonest work. These false references turn up across credible-looking documents, implying certain authors include AI-suggested sources without checking them first. What stands out is how casually unverified material slips into accepted formats. 

Most current safety measures faced questions about how well they work. The research showed that close to 78.8% of made-up citations got through arXiv’s review process without detection. Even after some bioRxiv papers appeared in journals listed by PubMed Central, around 85.3% still kept their false references unchanged. A study appearing in The Lancet highlighted recurring issues in biomedical literature. 

Over 4,000 false references turned up in nearly three thousand reviewed articles from 2023 through early 2026. Papers drawn from that span showed a sharp climb in made-up sources. While just one in 2,828 works contained such problems at the start, the proportion jumped - by early 2026, it was one out of every 277. Growth like this signals deeper cracks forming beneath the surface. 

One concern gaining traction: false references might cycle back into AI training data once they land in shared digital archives. Because these inaccuracies can persist, journals are being pushed toward using software checks on citations prior to accepting articles. 

As artificial intelligence plays a larger role in research tasks, closer scrutiny seems less like an option and more like a necessity. Some now see automated validation not as extra effort but as basic hygiene in scholarly communication.
Read more »
Ukraine
Gamaredon GammaPhish GammaWorm malware Russia Ukraine

Russian State-sponsored Hackers Attack Ukraine, Exploit WinRAR to Install Malware


The Russian Hacking group called Gamaredon has been linked to the constant hack of a WinRar bug to install a few malware strains aiming to propagate and steal data.

According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server. The main goal is to fingerprint the host device and update the network settings in the registry via dead drop resolvers (DDRs), retrieve and launch arbitrary VBScript payloads from the C2 servers.

About the malware

“Gamaredon’s arsenal has undergone a significant transformation over the last decade, transitioning from Pteranodon custom-built framework into a fragmented and modular malware. Based on our observation, today’s Gamaredon capacities are characterised by a proliferation and a highly active development cycle of new malware variants,” said Sekoia

Payloads attacking VBS

One payload is a VBScript worm called GammaWorm that builds persistence through scheduled tasks and is built to hide authentic directories in network shares and USB drives and replace with infected Windows Shortcut (LNK) files. This causes the launch of arbitrary code gotten from a C2 server.

To fix C2,  GammaWorm starts a GET request to the public Telegram channel. Via genuine platforms such as Telegram, hackers blend with regular traffic, escape getting caught, and launch long-term spying campaigns. GammaWorm also depends on NTFS Alternate Data Streams (ADS) tactics to hide its core modules.

Other malware strains

A different malware family deployed through GammaLoad is a modular information stealer called GammaSteel that stores files matching particular extensions and retrieves the stolen files on AWS S3 bucket or a threat-actor regulated server as a backup option. According to Sekoia, the infection chain could be used to launch different malware strains like GammaWipe or GamaWiper, this depends on the hacker’s targets. 

"The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first,” Sekoia said.

State-sponsored hackers involved

Russian state-sponsored actor Gamaredon associated with the official Federal Security Service (FSB) has a long history of targeting Ukraine and its government, critical infrastructures, military via spear-phishing emails that consist infected attachments in “booby-trapped RAR archives”, according to the Hacker News.

Gamaredon, a Russian state-sponsored intrusion-set officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this booby-trapped RAR archives.

Read more »
Subscribe to: Posts (Atom)

Featured