Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Accenture Buys Cybersecurity Firms Dragos, runZero, NetRise for $4.18 Billion

 

In a landmark move to fortify its cybersecurity capabilities, Accenture has announced a $4.18 billion deal to acquire a majority stake in industrial cybersecurity leader Dragos, alongside full ownership of asset intelligence firm runZero and device security specialist NetRise. This strategic acquisition spree underscores Accenture’s ambition to expand beyond traditional consulting services and establish itself as a comprehensive provider of software-driven cybersecurity solutions, particularly for critical infrastructure sectors vulnerable to AI-powered cyber threats and geopolitical risks. 

The timing of the deal reflects both opportunity and necessity. While global consulting demand has softened—partly due to the ongoing Iran war impacting Middle East operations—cybersecurity remains a high-growth domain with surging client investment. Accenture, already operating a $10 billion cybersecurity business, sees industrial and operational technology (OT) security as a key frontier. By integrating Dragos’s OT threat monitoring, runZero’s real-time asset discovery, and NetRise’s embedded device security, the firm aims to deliver end-to-end protection for energy grids, manufacturing facilities, transportation systems, and other mission-critical environments increasingly targeted by state-sponsored and criminal hackers.

Dragos brings deep expertise in securing industrial control systems, with a platform widely used by utilities and heavy industries to detect and respond to OT-specific threats. runZero complements this with advanced asset intelligence, enabling organizations to maintain accurate, dynamic inventories of all connected devices—a foundational requirement for effective cybersecurity in complex, hybrid IT-OT environments. NetRise adds another critical layer by securing firmware and embedded systems, which are often overlooked but increasingly exploited attack vectors. Combined, these three companies contribute approximately $208 million in annual recurring revenue and significantly enhance Accenture’s software-led service portfolio. 

The transactions are structured to close by August or September 2026, subject to regulatory approvals and standard closing conditions. Accenture’s majority stake in Dragos—rather than full acquisition—suggests a collaborative approach that preserves the firm’s entrepreneurial agility while leveraging Accenture’s global scale and client network. Full ownership of runZero and NetRise, meanwhile, allows deeper integration into Accenture’s existing cybersecurity and cloud practices. This hybrid model reflects a broader industry shift where consultancies blend strategic partnerships with outright acquisitions to rapidly scale niche capabilities without disrupting innovation cultures. 

For the cybersecurity market, Accenture’s move signals intensifying competition among large professional services firms to capture share in the booming industrial security segment. Enterprises, especially in critical infrastructure, stand to benefit from more integrated offerings that combine strategy, implementation, threat intelligence, and managed services under a single provider. However, investor reaction has been cautious, with Accenture’s shares dropping over 13% following the announcement, partly due to weaker-than-expected quarterly guidance tied to geopolitical headwinds. Still, the $4.18 billion bet highlights Accenture’s long-term conviction that cybersecurity—particularly in the industrial realm—will remain a cornerstone of digital transformation and risk management in the AI era.

Researchers Warn of Unpatched Argo CD Flaw That Enables Cluster Takeover

 


Organizations using Argo CD to automate application deployments on Kubernetes are being urged to review their network configurations after security researchers disclosed an unpatched vulnerability that could allow attackers to execute arbitrary code on the platform's repo-server component and ultimately seize control of an entire Kubernetes cluster.

The vulnerability was identified by French cybersecurity firm Synacktiv, which says the issue affects the repo-server, a core Argo CD service responsible for retrieving application source code from Git repositories and converting it into Kubernetes manifests before workloads are deployed. Because the repo-server sits at the center of the GitOps deployment process, compromising it gives an attacker an opportunity to interfere with how applications are delivered throughout the cluster.

According to the researchers, exploitation does not require authentication. An attacker only needs network access to the repo-server's internal gRPC service, which accepts requests from other Argo CD components but does not verify the identity of the caller. Once that communication channel becomes reachable, a specially crafted request can be used to trigger remote code execution on the vulnerable service.

Synacktiv reported the vulnerability to the Argo CD maintainers in January 2025 through a responsible disclosure process. However, roughly eighteen months later, the issue remains unresolved, with no official security patch or CVE identifier assigned. The researchers chose to disclose their findings publicly to give administrators time to strengthen their deployments while awaiting a permanent fix.

At the center of the attack is Argo CD's repo-server, which continuously retrieves application definitions stored in Git repositories and prepares them for deployment by generating Kubernetes manifests. These manifests describe the desired state of applications, including containers, services, networking, storage, and other deployment configurations that Kubernetes uses to build and manage workloads. Since every deployment passes through this component, gaining control of the repo-server can provide attackers with extensive influence over the software being deployed inside a cluster.

The vulnerability stems from an unauthenticated internal gRPC interface exposed by the repo-server. gRPC is a high-performance communication framework commonly used for communication between services inside distributed applications. In Argo CD's design, the interface is intended for trusted internal communication. However, Synacktiv found that the service performs no authentication checks, allowing any system capable of reaching the port to submit requests that the repo-server will process.

The researchers demonstrated the attack against Argo CD version 2.13.3. They noted that no patched release currently exists and did not publish a complete list of affected versions, leaving administrators without a definitive inventory of vulnerable deployments.

To achieve code execution, the attack abuses Kustomize, a Kubernetes configuration management tool that Argo CD relies on to generate deployment manifests. Kustomize can also invoke Helm, another widely used package manager for Kubernetes, through the "--helm-command" option that specifies which executable should be launched.

Instead of directing Kustomize to the legitimate Helm binary, Synacktiv discovered that an attacker can send a malicious GenerateManifest request instructing it to execute a script stored inside an attacker-controlled Git repository. When Kustomize begins processing the deployment, it unknowingly launches the attacker's script in place of Helm, providing arbitrary code execution within the repo-server environment.

Although the vulnerable interface is intended to remain internal, the researchers warn that internal services should not automatically be considered secure. Kubernetes clusters frequently host dozens or even hundreds of interconnected workloads, and a compromise affecting a single pod can become the starting point for lateral movement if internal communication is not properly restricted.

Argo CD includes Kubernetes NetworkPolicy resources designed to limit access to sensitive services such as the repo-server and Redis. However, Synacktiv found that these protections are disabled by default when Argo CD is deployed using its Helm chart because the "networkPolicy.create" option is set to "false". As a result, installations that rely on the default configuration may unintentionally leave the repo-server reachable from other workloads running inside the cluster.

In such environments, compromising a single pod may be enough for an attacker to contact the repo-server and exploit the vulnerability.

The researchers also demonstrated that remote code execution represents only the beginning of the attack chain. After obtaining execution on the repo-server, they extracted the Redis password stored in an environment variable, authenticated to Argo CD's Redis instance, and modified cached deployment information. When Argo CD later performed its routine synchronization with the Git repository, the poisoned cache caused the platform to deploy an attacker-controlled workload instead of the intended application.

According to Synacktiv, this technique effectively revives a previously addressed weakness tracked as CVE-2024-31989. That earlier vulnerability, discovered by Cycode, exposed Argo CD deployments where Redis lacked password protection, allowing any pod inside the cluster to manipulate deployment cache data. Although Argo CD later introduced Redis password protection to address that issue, the cache contents themselves remain unsigned. By stealing the Redis credentials through the newly disclosed repo-server vulnerability, attackers can once again tamper with deployment data and recreate a similar compromise path.

With no software update currently available, researchers recommend treating network segmentation as the primary line of defense. Administrators should enable Kubernetes NetworkPolicy rules to ensure that only legitimate Argo CD components can communicate with the repo-server and Redis services. Organizations deploying Argo CD through Helm should verify that these policies have been explicitly enabled rather than relying on the chart's default configuration.

Administrators can inspect active network policies by running:

"kubectl get networkpolicy -A"

A properly secured deployment should display dedicated network policies protecting each Argo CD component, including both the repo-server and Redis. Missing policies may indicate that sensitive internal services remain accessible to other workloads inside the cluster.

To help organizations evaluate their exposure, Synacktiv developed a proof-of-concept tool named argo-cdown, capable of automating the complete attack chain. The researchers have postponed its public release to provide defenders with additional time to secure vulnerable environments. The tool is expected to be published on GitHub later, allowing administrators to validate the effectiveness of their own security controls.

The newly disclosed vulnerability is the latest in a series of security issues affecting Argo CD's privileged position within Kubernetes environments. In September 2025, the project patched CVE-2025-55190 after researchers found that an API token with only basic read permissions could retrieve Git repository credentials associated with a project. Several months later, in May 2026, another flaw tracked as CVE-2026-42880 enabled read-only users to access plaintext Kubernetes secrets.

Taken together, these incidents point to a recurring challenge rather than isolated implementation flaws. Argo CD occupies one of the most privileged positions within Kubernetes deployments, maintaining access to source repositories, deployment pipelines, cluster resources, and sensitive credentials. As a result, weaknesses affecting its internal services can quickly become pathways to broader infrastructure compromise.

Until an official patch becomes available, organizations should assume that internal cluster traffic cannot always be trusted. Restricting communication between workloads, enabling Kubernetes NetworkPolicy protections, and limiting access to critical Argo CD services remain the most effective measures for reducing exposure to this newly disclosed attack technique.

WhatsApp Tests New Android Chat Backup Management Feature to Improve Google Drive Storage Control

 

Managing WhatsApp backups on Android might become significantly easier in the future as the messaging platform prepares new solutions to give users more control over their data. The upcoming update will allow people to organize and delete old backups, thus saving space on their devices and ensuring a better management of information stored on Google Drive. 

WhatsApp has been working on the tool for quite some time, while it has not been publicly available yet. Reporters found out about the future feature as they explored the latest beta version of the app. The new tool will appear in the Backup section and will enable users to delete old backups directly from WhatsApp, thus providing more space for data stored on Google Drive. 

This update will make managing storage much easier for millions of Android users who experience difficulties deleting excess data from Google Drive. The update comes as WhatsApp continues working on new ways to improve its cloud backup system. Last year, reporters learned about the company’s plan to create its cloud storage system. That way, WhatsApp users will be able to store their backups on Google Drive or the company’s cloud. 

According to the publication, WhatsApp’s storage will offer 2 gigabytes of space for free, and an additional 10 gigabytes can be acquired for a small fee. Moreover, regardless of the storage method, WhatsApp backups will be end-to-end encrypted. The encryption can be supplemented by a passkey, a regular password, or a 64-digit code. At the same time, WhatsApp has not abandoned its reliance on Google Drive. The application updates in 2021 demonstrated Android users’ demand for more control over their WhatsApp backups. 

Developers worked on ways to meet the users’ requirements and made the new in-app management system more accessible by adding shortcuts to Google Drive’s management system and Android’s built-in settings. In the same vein, Google has also been working on ways to provide more convenience and flexibility for Android users. Recently, Android users have received an additional tool to manage WhatsApp backups. 

With version 26.23 of Google Play Services, users gained the ability to view and control their WhatsApp backups directly from their device’s Settings menu. Thus, the Settings page now offers access to WhatsApp backups without having to open the messaging app. Right now, WhatsApp users can back up their chats, media files, voice notes, and other content to Google Drive. The application can automatically perform backups every day, weekly, or monthly. 

To restore a backup, one has to reinstall WhatsApp on their device and log in with their Google and WhatsApp account. The upcoming update will allow Android users to manage backups directly in WhatsApp, complementing Google’s newly introduced settings. The new system for managing WhatsApp backups will enable Android users to delete unwanted backups directly inside the application. 

That way, the update will enable more control over the backups, which will help the users that have multiple devices or simply change their smartphones too often. Having more than one phone results in multiple backups, whereas excessive WhatsApp backups consume more space on Google Drive. Though WhatsApp has not announced when the update will be released, it should come in the near future. 

After Google released its new system that allows Android users better control over WhatsApp backups, the update can be available to users soon. If the update arrives in 2022, Android users will appreciate the additional flexibility and convenience of managing their WhatsApp backups while keeping their data safe and secure.

Hackers Breached Kubota, Employee Data Compromised


Kubota North America Corporation revealed that threat actors compromised its network systems and accessed few resources for over a month in the beginning of 2026.

After an investigation of the breach, the organization discovered that between March and April, the hacker accessed files carrying personal data of employees.

About Kubota 

It is a Japanese industrial manufacturer famous for its construction and agricultural work. Kubota has plants in 120 counties and currently employs over 52,000 people. Kubota has an annual revenue of $20 billion.

The North American division consists of facilities that make utility vehicles, tractors, and mowers. 

About the data leak

“We discovered that files maintained by our human resources team were accessed as part of this incident. We carefully reviewed these files, and on June 16, 2026, we determined that one or more files may have contained personal information related to certain employees and their dependents,” Kubota reported on its site.

What may have been leaked?

As per the announcement posted on the Kubota USA portal, the following employee information may have been revealed:

  • Social security numbers (for dependents too)
  • Full employee names (for dependents too)
  • Dates of birth (for dependents too)
  • IDs of taxpayers
  • Bank account details of direct deposit
  • Corporate payment card details
  • Benefits enrollment data and limited claims information (for dependents too)
  • Driver’s license details or other government IDs

Attack tactic

The specific data that was exposed varies per person. Kubota also started sending personalised mails to inform the individuals about the exact impact on them.

The notification information consists step by step instructions for using Kroll identity protection to help the targets address the threats coming from the leak of their personal data. 

Kubota has specially advised people to look out for bank accounts and  healthcare related statements and promptly report any malicious activity to the concerned authorities.

Safety measures

Kubot has implemented robust security measures to avoid such incidents from happening in the future. 

No cybercrime gangs, data extortion gangs, or ransomware gangs have claimed responsibility for the Kubota breach.

Kubota did not report any operational or business disruptions due to the breach.

On ensuring employee safety, Kubota said, “We take the privacy and confidentiality of our employees’ information very seriously. To help prevent something like this from happening again, we have taken and will continue to take steps to further enhance our existing security measures.” 

ClickFix Investigation Exposes API-Driven Malware Across 3,000 Live Payloads


 

A growing number of ClickFix campaigns are advancing from simple social engineering operations into highly orchestrated malware delivery operations supported by dynamic infrastructure. A recent study analyzing nearly 3,000 ClickFix payloads reveals that attackers are utilizing API-based delivery systems that allow them to generate uniquely disguised malicious commands for each victim while serving the same underlying malware to all victims. 

Bert-Jan Pals conducted the analysis, which uncovered previously unknown techniques for evading Windows script inspections, thus demonstrating the deliberate efforts of threat actors to increase detection resistance and operational scalability through evasion of Windows script inspection. These findings show how what once appeared to be a straightforward clipboard-based deception has evolved into a resilient, adaptive ecosystem in which infection success is maximized despite conventional security controls being compromised. It is concerning that the findings come as ClickFix continues to gain traction as one of the most widespread social engineering exploits. 

First identified in March 2024, ClickFix has since become one of the most widely abused social engineering exploits in the cybercrime landscape. As opposed to exploiting software vulnerabilities, ClickFix exploits user trust by presenting fake browser errors, anti-bot CAPTCHA challenges, security warnings, or access restrictions that appear legitimate and gain the user's trust. 

Once the victims have completed the seemingly routine verification procedure, the attacker-supplied code is executed manually by the victim. According to Microsoft's Cyber Signals report for 2025, 47 percent of observed first-time access incidents were attributed to ClickFix-based activity, demonstrating the prevalence of deception-driven attack chains among malware operators. 

An attack sequence that transforms ordinary web pages into malware launch points is at the center of these campaigns, and it appears to be deceptively simple. It is common for attackers to compromise legitimate websites or create convincing phishing pages and substitute counterfeit CAPTCHA screens for verification prompts that require visitors to perform a series of manual tasks, including executing a command copied to the clipboard. These commands typically launch PowerShell, which retrieves and executes remote payloads, thereby enabling the deployment of information stealers and other malicious applications. 

On Windows systems, researchers observed ClickFix delivering multiple malware families, including Deepload, during the observed campaigns. Researchers have documented the use of the same technique beyond the Windows ecosystem, with the Atomic Stealer (AMOS) malware being distributed to macOS users for the first time. The technique targets browser credentials, session cookies, cryptocurrency wallets, and Apple Keychain data, illustrating its increasing cross-platform scope. 

ClickFix's popularity is largely attributed to its ability to bypass many of the security mechanisms commonly utilized by organizations. ESET's telemetry shows that ClickFix activity increased 517 percent between late 2024 and the first half of 2025 in response to this model, and Microsoft's Digital Defense Report indicates that the technique accounted for 47 percent of initial access incidents investigated by its Defender Experts team in 2025. A dedicated entry under technique T1204.004 has also been made under the MITER ATT&CK framework, recognising ClickFix as a unique form of user-assisted malicious execution, based on its increasing operational significance. 

According to Pals' investigation, the most significant evolution today is not contained on the phishing page itself but rather on backend APIs that generate payloads on demand instead of embedding static commands. Backend validation, logs, and returns a unique obfuscated command to every execution while delivering the same malware for each execution. In one test, a single server generated 100 distinct payloads over 100 requests by cycling through the following layered encoding and encryption techniques: Base64, AES, TripleDES, Rijndael, Deflate. In the absence of these protective layers, the payloads currently resolve to the same runspace script in PowerShell, but Pals cautions that the next step in the development of the technique may be per-victim payload customization. 

Using the platform, visitors can receive lures in 25 languages and are automatically tailored with payloads depending on whether they are using Windows or macOS. Further evidence of ClickFix's commercialization is provided by the findings, which extend beyond builder kits to API-driven payload generation. Additionally, Pals spotted a significant shift in execution tactics designed to minimize the effectiveness of clipboard-focused detections as well as API-driven payload generation. The newer ClickFix variants do not place the entire malicious command into the victim's clipboard, but instead download an archive into the Windows Downloads directory first and then copy only the lightweight PowerShell "orchestrator" command. 

The command is executed silently and moves the archive to a temporary location, extracts its contents, and launches the embedded PowerShell script when executed. It has also been made more discreet to execute the payload since it is separated from the clipboard command, which reduces the exposure to the Antimalware Scan Interface (AMSI). In earlier ClickFix campaigns, victims were instructed to paste commands into the Run dialog by pressing Windows+R, but in more recent operations observed throughout 2025 and into 2026, users were directed to Windows Terminal via Windows+X. 

Furthermore, the method does not create RunMRU registry artifacts commonly required for forensic investigations, which makes it appear more routine. ClickFix campaigns have undergone a significant change since moving away from static commands to API-generated payloads. In addition to maintaining the same underlying malware, attackers may also generate uniquely obfuscated commands on demand, thereby complicating signature-based detection without increasing operational complexity, thereby making campaigns more scalable and more difficult to identify through conventional security measures. The ClickFix platform has also been used by state-sponsored threat groups.

According to Proofpoint threat intelligence, a number of state-sponsored organizations incorporated ClickFix into existing intrusion workflows, including Russian APT28, Iranian MuddyWater, and North Korean Kimsuky. As part of the campaign, North Korean operators have also designed fraudulent recruitment schemes, known as ClickFake Interviews, targeting cryptocurrency professionals. Security firm Expel reported that 147,521 systems may have been compromised by a single ClearFake campaign since late August 2025, with the operational scale equally significant. 

A more valuable method of defending against malware than clipboard inspection alone is behavioral monitoring. Pals determined the most reliable indicators to be process chains originating from explorer.exe or WindowsTerminal.exe, which immediately spawned powershell.exe, cmd.exe, or msiexec.exe, followed by outbound network activity. PowerShell and cmd.exe accounted for approximately 39 percent of all observed launch methods across the analyzed dataset, followed by msiexec.exe at approximately 34 percent. 

Behavioral EDR, application control policies, and continued user awareness remain among the most effective defensive techniques. Another hunting opportunity is presented by the Downloads-folder technique, which utilizes seemingly benign one-line commands that access the Downloads directory prior to initiating concealed PowerShell execution. 

According to Pals, three active payload distribution servers were identified during the investigation - comicstar[.]lat, babybon[.]cfd, and merkantalolol[.]asia. Communication with these domains does not by itself indicate a successful compromise, but rather indicates that ClickFix commands have been delivered to a user's clipboard. Based on API-driven payload infrastructure, ClickFix is believed to have evolved into a flexible attack framework. 

A major development in cybercrime, he warns, will likely be the transition from individual payload wrappers to malware which is tailored to each target's specific needs. This evolution of ClickFix illustrates the broader shift in cybercrime towards highly adaptable, service-driven attack ecosystems that emphasize flexibility, scale, and evasion. Due to the dynamic nature of payload delivery, organizations cannot solely rely on static indicators or traditional prevention measures to protect themselves. 

The critical aspect of disrupting attacks designed to blend into legitimate activities remains the continuous monitoring of user-driven execution chains, the strengthening of application controls, and the maintenance of security awareness. The resilience of organizations will depend on the ability to detect behaviors instead of keeping up with ever-changing payloads in an environment where threat actors are constantly fine-tuning successful techniques.

UAE Becomes First Arab Nation to Ban Social Media for Children Under 15

 

The United Arab Emirates has become the first Arab nation to impose a comprehensive ban on social media use for children under the age of 15, marking a significant milestone in digital child protection. Announced in mid-June 2026 through a cabinet resolution, the policy prohibits minors below 15 from creating, using, or managing personal accounts on platforms like Instagram, TikTok, Snapchat, and Facebook. 

This decision aligns the UAE with countries such as Australia, Britain, and Canada that have recently tightened online safety rules amid growing concerns about social media's impact on young people's mental health. Under the new regulations, children under 15 are completely barred from accessing interactive social media features, including posting content, commenting on posts, sharing material, or joining public groups and open channels. 

The ban is absolute and cannot be circumvented through parental or caregiver consent, representing a stricter approach than previous guidelines. For teenagers aged 15 and 16, limited access is permitted but comes with enhanced safeguards, including age-appropriate content controls, restrictions on interactions with strangers, screen-time management tools, and mandatory parental supervision features. 

Social media platforms operating in the UAE must now implement robust age-verification systems, including digital identity checks and AI-supported technologies, with self-declared ages explicitly rejected as valid proof. Companies have been given a 12-month transition period ending December 31, 2026, to identify, monitor, and disable accounts belonging to underage users. Failure to comply with these requirements could result in significant penalties, including partial or full blocking of non-compliant services within the country, with enforcement overseen by the Telecommunications and Digital Government Regulatory Authority.

The resolution builds upon Federal Decree-Law No. 26 of 2025 on Child Digital Safety, which came into force on January 1, 2026, and applies to all digital platforms that operate in or have users within the UAE, regardless of where the company is headquartered. These regulations also restrict the collection of personal data from children under 13 without verifiable parental consent and prohibit platforms from using minors' information for targeted advertising or behavioural profiling. The measures are designed to protect children from inappropriate content, online risks, excessive social media use, and misuse of personal data while fostering healthier digital habits. 

The policy has immediate relevance for the UAE's large expatriate population, including over 3.5 million Indians residing in the country, many of whom have school-aged children using social media platforms. In response, Dubai has launched a nationwide initiative aimed at promoting healthy technology use among young people and supporting parents in adapting to rapid technological changes. Authorities emphasise that digital balance does not mean rejecting technology but rather helping children and families use it in ways that support their wellbeing and growth. 

BlueHammer Microsoft Defender Vulnerability Linked to Ransomware Attacks After CISA Confirms Active Exploitation

 

Microsoft Defender users are advised to update their software after discovering a security flaw known as BlueHammer was used in ransomware attacks. The weakness with identifier CVE-2026-33825 has been added to the list of flaws actively used by malicious actors. It is part of the growing trend of ransomware attackers using zero-day issues. 

The issue was uncovered after the cybersecurity researcher, otherwise known as Chaotic Eclipse or Nightmare Eclipse, shared the information regarding another vulnerability before the update was released. The same individual has criticized Microsoft several times over their approach to disclosure of security weaknesses. The researcher has published multiple posts about actively used problems prior to the official date of their resolution. 

Microsoft published the details regarding BlueHammer on April 2nd, whereas the security update was released on April 14th. The flaw was categorized as a privilege escalation vulnerability with the ability to escalate the privileges of an authenticated attacker. However, Microsoft updated the description, specifying the risk as more likely than not, while refraining from officially acknowledging active exploitation. 

According to the independent security researchers, the vulnerability was actively used by ransomware operators before the release of the mentioned security update. The evidence came from the report by the Huntress team, which discovered multiple attacks that incorporated CVE-2026-33825 as a zero-day exploit. This information has prompted the addition of the weakness to the CISA’s Known Exploited Vulnerabilities (KEV) list on April 22nd, with the updated listing providing the additional context of ransomware attacks. 

Despite the confirmation of ransomware attacks, the one issued by CISA does not indicate what group may be responsible for them. There is no public evidence linking BlueHammer to any known ransomware group or family. In spite of that, the weakness has been actively used in ransomware operations. At the same time, it is unclear whether other ransomware groups have used it or may be using it currently. The issue has also prompted the debate over the response to such incidents, with the critics suggesting that the defenders and security researchers are not notified when the weaknesses are added to the ransomware operations. 

In practice, the CISA only updates the KEV list periodically. It does not provide threat intelligence and response support for individual organizations every time when the weakness is added to the list. Some security experts have stated that the better alternative would be to notify the defenders directly. In the meantime, a threat intelligence company GreyNoise has announced the availability of a free service that monitors the KEV list for changes, indicating when the weakness is updated to include the details of a ransomware attack. 

The discovery of BlueHammer presents an illustrative example of how fast the ransomware attackers can adopt and incorporate the newly discovered vulnerabilities into their operations. Experts advise the defenders to always remain alert, apply the Microsoft security updates in a timely manner and monitor the threats intelligence channels for the relevant weaknesses. The ransomware operators continue to pursue the opportunities, which render the prompt response to the updates crucial.

Remote Exploits Target Controller Flaws in Highway Signs and Digital Billboards


 

With the increasing integration of digital display infrastructure within transportation networks and public information systems, vulnerabilities within controllers that operate these assets present an increasing threat to cybersecurity. 

A number of Daktronics display controllers have been reported to contain critical and high-severity vulnerabilities that could allow unauthorized remote access to the content appearing on the highway message boards, roadside signs, and digital billboards. 

According to an independent cybersecurity researcher who identified the security flaws and subsequently published an advisory, widespread deployment of controller models for the management of large-scale LED display systems within highways, airports, sports stadiums, and urban advertising networks are affected by the flaws. 

A variety of vulnerabilities within operating display technologies are identified in this study, which illustrate how they can affect more than just the security of the system, resulting in tangible risk to public communications, infrastructure integrity, and reliability of information delivered via connected electronic signage. 

According to the latest advisory issued by CISA under ICSA-26-176-04, the Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 display controllers are affected. A total of nine vulnerabilities have been disclosed which expose weaknesses across directory access, file management, and administrative authentication. One of the vulnerabilities, CVE-2026-28701, allows both authenticated and unauthenticated remote users to enumerate arbitrary paths on the file system irrespective of their identity. Secondly, CVE-2026-33560 pertains to the DMP-5000 file service, where authenticated users can upload files of any type without being validated, enabling the deployment of unauthorized content. CVE-2026-31928 relates to a default administrative web account that is configured with weak authentication controls and does not require password modification during deployment, which allows attackers to gain full control of the system if left unchanged. 

Security researcher Thomas Jou, an undergraduate at Princeton University, discovered the vulnerabilities after discovering a number of internet-facing controllers with the potential to be remotely targeted. It has been reported that Jou submitted his findings via CISA's VINCE vulnerability reporting platform in early January 2026, which enabled Daktronics to prepare patched firmware by early March, prior to the release of a public advisory.

Despite the availability of updated firmware, the researcher stressed that organizations must ensure affected controllers are not exposed directly to the public internet, as patching alone does not eliminate unnecessary attack surfaces. In addition to the mitigation guidance provided by Daktronics, customers are encouraged to change default administrative credentials. 

In June, a security incident involving a FIFA World Cup API authorization flaw exposed live television broadcasts to an account takeover, following several instances of security incidents involving publicly accessible infrastructure and digital platforms. A cPanel vulnerability affecting over 550,000 servers was exploited last month, as was the compromise of airport public address systems across Canada and the United States last year, during which unauthorized political and anti-Israel messages were broadcast. 

These incidents provide an example of how overlooked vulnerabilities in internet-connected communication and operational systems can rapidly develop into high-impact disruptions with public consequences if not addressed. The underlying controllers of connected display technologies require the same level of security oversight as any other internet-accessible operational system as they become an integral component of public infrastructure. 

The timely management of patches, removal of unnecessary external exposures, and strong authentication practices are all necessary to prevent vulnerabilities from becoming potential avenues for real-world disruption. As operators are reminded by these findings, the resilience of public-facing digital infrastructure depends on both its deployment and its design in equal measure.

Anthropic to Restore Access to Claude Fable 5 After U.S. Lifts Export Controls



Anthropic is preparing to restore access to its Claude Fable 5 artificial intelligence model after the U.S. Department of Commerce lifted export controls that had temporarily restricted deployment of the company's most advanced AI systems.

The company announced on X that access to Claude Fable 5 will begin returning on Wednesday following the government's decision. Anthropic also confirmed that the export restrictions affecting both Claude Fable 5 and Claude Mythos 5 have been removed.

"We've received notice that the Department of Commerce has lifted export controls on Claude Fable 5 and Mythos 5," the company said in its statement, adding that it will begin restoring access on Wednesday and provide additional updates as the rollout progresses.

Anthropic also thanked its community for its patience during the temporary suspension and acknowledged the teams involved in preparing the models for redeployment.

Although the rollout is set to begin immediately, the company has not clarified whether Claude Fable 5 will become available to all users at the same time. It remains uncertain whether users outside the United States will regain access during the initial phase of the deployment or whether availability will expand gradually across different regions.

The export restrictions were introduced earlier after U.S. authorities raised national security concerns surrounding the deployment of highly capable frontier AI models. During that period, Anthropic temporarily suspended access while it worked to comply with government requirements and strengthen safeguards governing the release of its latest systems.

While restoring access to its models, Anthropic also appears to be expanding identity verification measures for certain Claude services.

Recent references to Know Your Customer (KYC) procedures discovered on the company's website suggest that some users may soon be required to verify their identities before accessing specific Claude capabilities. The references have prompted speculation that advanced models such as Claude Fable 5 could initially be limited to verified users or become available only in certain regions as Anthropic gradually expands access.

According to Anthropic's support documentation, identity verification is being introduced for a limited number of use cases. Users may encounter verification requests when using particular Claude features, during routine platform integrity reviews, or as part of broader safety, security and regulatory compliance checks.

The company says the verification process is intended to reduce abuse of its AI systems, enforce platform usage policies and meet legal obligations associated with operating increasingly powerful AI technologies.

"Being responsible with powerful technology starts with knowing who is using it," Anthropic said while explaining the purpose of the new verification measures.

Anthropic has selected Persona as its identity verification provider. Users who are asked to complete verification may be required to submit a valid government-issued photo identification document, including a passport, driver's license, state or provincial identification card, or a national identity card.

The company notes that several forms of identification will not be accepted during the verification process. These include photocopies, screenshots, scanned documents, mobile IDs, student identification cards, employee badges, bank cards and temporary paper identification documents.

Some users may also be asked to complete a live selfie verification using the camera on a computer or mobile device. According to Anthropic, the entire verification process typically takes less than five minutes to complete.

Addressing privacy concerns, the company says identity documents and selfie data are collected and stored by Persona rather than directly within Anthropic's own systems. However, Anthropic may access verification records through Persona when necessary, including during account review or appeal processes.

Anthropic also emphasized that identity verification information is not used to train Claude's AI models. Instead, the data is used solely to confirm a user's identity and to satisfy the company's legal, safety and compliance responsibilities.

The restoration of Claude Fable 5, together with the introduction of targeted identity verification measures, reflects the growing intersection of frontier AI development, government oversight and platform security. As developers release increasingly capable AI systems, compliance requirements, export regulations and stronger user verification are becoming a more prominent part of deploying advanced models responsibly.

Chatting Without Username: WhatsApp Rolls Out Username Feature


When a new person walks into our lives, sharing our phone numbers can be a big step as it’s personal and connected to many spheres of our lives. At times, we wish to chat without revealing our contacts. 

WhatsApp users will soon have a new option to talk without exposing their contact numbers. Prior to the wider update set for this year, WhatsApp has started launching username reservations in advance, permitting people to pre-claim a unique username before the feature becomes publicly available. 

“For most people, choosing a WhatsApp username should be something unique that only people you want to contact you will know. If you need help picking one, we have a username generator to make one work just for you. We also know that some people like creators, small businesses, and organizations may want to maintain a consistent presence online. For them, we reserved an option to claim their existing Instagram or Facebook username on WhatsApp.” WhatsApp wrote in its blog. 

This move is said to be WhatsApp’s one of the biggest privacy-focused modifications, allowing users to start chats through a username instead of showing their contact number. WhatsApp released the feature in an official blog post recently, and said the feature launch will take place gradually in the next few months. 

Users can book usernames

The company has started allowing users to book a username in advance so that they can choose the handle they want and have a better chance. The early reservation process is important because WhatsApp now has over three billion users across the world. This feature will be optional and gradually allow users to replace their contact number with a user handle when texting someone for the first time (but the username has to be turned on). 

How to set a user handle

Users can see the feature by updating to the latest version and going to Settings > Account > Username.

The users will get an in-app notification when the feature is available in their country. 

If someone has already taken your user name, WhatsApp will offer a built-in userhandle generator that provides alternative unique handles.

Focusing on privacy and security

Contrary to many social media platforms, WhatsApp will not launch a searchable username directory. Users can only contact someone if they know the specific username.

Post-Quantum Cryptography Readiness Becomes a Strategic Cybersecurity Priority for Enterprises

 

Though practical quantum computers may still be years away, organizations are already preparing for the security risks they could create. Post-quantum cryptography has shifted from research into real-world planning as experts warn current encryption could eventually become vulnerable. Rather than waiting for that moment, many businesses are reviewing existing systems now. 

Early preparation is increasingly viewed as essential because delaying changes could make future transitions far more difficult. Fresh policies are adding urgency by setting clear expectations for organizations responsible for protecting critical infrastructure and sensitive data. Quantum readiness is no longer seen as only an IT issue but a business-wide priority involving leadership, governance, funding, and long-term planning. 

Instead of simply replacing outdated encryption, organizations are expected to build flexible strategies that can adapt to future cryptographic standards. A major concern is the “harvest now, decrypt later” threat. Attackers may steal encrypted information today and store it until quantum computers become powerful enough to decrypt it. 

Intellectual property, healthcare records, financial information, source code, and government communications with long-term value could all become exposed in the future, even if current encryption remains secure against today’s computers. The challenge is no longer just preparing for future technology but protecting data that must remain confidential for years. Organizations handling highly sensitive or regulated information may need to begin migration sooner because the consequences of delayed action could be far greater.  

Cybersecurity leaders recommend assigning clear ownership of post-quantum initiatives instead of leaving responsibility with individual application teams. Cross-functional groups involving security, IT, engineering, legal, compliance, procurement, and business leadership are better positioned to manage the transition since encryption supports nearly every part of modern digital operations. 

A critical first step is identifying where cryptography exists throughout the organization. Many companies lack a complete view of which systems rely on specific algorithms, certificates, keys, authentication methods, APIs, cloud environments, and third-party services. Without that visibility, assessing risks or deciding migration priorities becomes extremely difficult. Security experts also stress that this inventory should remain continuously updated rather than existing as a static spreadsheet. 

Ongoing visibility helps organizations identify systems requiring stronger protection, understand dependencies, provide accurate regulatory reporting, and give executives a realistic view of progress. Once cryptographic assets are fully mapped, organizations can prioritize migration based on business impact. Systems protecting customer information, healthcare data, financial services, critical infrastructure, digital identities, and software integrity generally require attention before less critical environments, allowing organizations to spread the transition over several years. 

Preparing for post-quantum security also requires dedicated investment. Funding must support discovery tools, testing environments, migration programs, automation, and governance. Organizations will also need specialists with expertise in cryptography, enterprise architecture, public key infrastructure, compliance, and cybersecurity to guide the transition effectively. Long-term success depends on achieving crypto-agility—the ability to update cryptographic algorithms without rebuilding entire systems. 

Rather than treating post-quantum cryptography as a one-time project, many organizations are designing adaptable security architectures capable of evolving alongside future standards. As artificial intelligence, autonomous technologies, and increasingly complex digital ecosystems continue to expand, flexible cryptographic infrastructure will become even more important.  

Although no one knows exactly when quantum computers capable of breaking today’s encryption will become reality, many cybersecurity experts believe organizations should begin preparing now. Companies that establish governance, maintain visibility into cryptographic assets, and gradually modernize their infrastructure will be better positioned to adapt as quantum computing—and the security landscape—continues to evolve.

GPT-5.6 Sol Debuts With Enhanced Cyber Protections, Limited to Trusted Partners


 

An open preview of OpenAI's next-generation GPT-5.6 model family has been introduced under tight control, marking an important milestone in the advancement of frontier artificial intelligence with an equal emphasis on cybersecurity and responsible deployment. The release is anchored by GPT-5.6 Sol, the company's most advanced and security-hardened model to date. 

It introduces a three-tier architecture comprising Sol, Terra, and Luna, each of which is specifically designed to meet distinct performance, cost, and deployment requirements in software engineering, scientific research, professional knowledge work, computer use, and cybersecurity. OpenAI has restricted access to its API and Codex platforms to a select group of trusted partners following a formal request from the Trump administration rather than releasing the technology to the general public immediately. 

As a result, a cautious strategy emphasizes rigorous security evaluation, controlled real-world testing, and resilience against misuse before the product is available in broad markets. 

GPT-5.6 Introduces a New AI Model Architecture

Moreover, OpenAI is transforming its product architecture, replacing sequential branding with permanent capability tiers in addition to its flagship launch. A long-term restructuring of OpenAI's model portfolio is also part of the GPT-5.6 release, replacing sequential branding with permanent capability tiers that differentiate performance, efficiency, and deployment. 

Sol is the flagship model for advanced reasoning and technical tasks within this framework, Terra delivers performance comparable to GPT-5.5 at approximately half the operational cost for enterprise-scale deployments, while Luna is designed to achieve low latency and low operating cost for high-volume inference applications. Instead of GPT-5.5, which emphasized reasoning and coding improvements, GPT-5.6 emphasizes defensive cybersecurity, controlled deployment, and capability-specific safeguards, reflecting the general trend toward the advancement of security-aware frontier AI. 

The company states that the phased deployment reflects ongoing engagement with federal authorities in an effort to align future frontier AI releases with the objectives outlined in the recent Executive Order governing the assessment of advanced artificial intelligence systems for national security purposes. 

Preparedness Framework Strengthens Cybersecurity Safeguards 

Security remains central to the GPT-5.6 rollout. In its Preparedness Framework, OpenAI has categorized Sol, Terra, and Luna as High Capability models for both cybersecurity, biology, and chemical domains. However, none of these models currently meet the threshold for AI self-improvement as a High Capability model. 

To reduce the increased dual-use risks associated with increasingly capable foundation models, the company has adopted capability-specific safeguards rather than a uniform protection layer in order to mitigate this risk. By combining policy-level restrictions with automated classifiers, cybersecurity- and biology-related prompts are continuously analyzed in real time through the security architecture. 

When potentially high-risk interactions are detected, response generation is temporarily halted until a secondary reasoning model reviews the conversational context to determine whether or not to allow or restrict responses. A risk assessment can also be conducted by OpenAI at an account level to help differentiate legitimate security research and vulnerability analysis from potentially malicious behavior. 

GPT-5.6 Sol Demonstrates Strong Defensive Security Performance

The OpenAI benchmark results demonstrate that GPT-5.6 Sol provides competitive performance in defensive cybersecurity tasks while operating with significantly higher computational efficiency as compared to GPT-5.6 Sol. Sol was able to achieve results comparable to those of leading frontier systems such as Mythos Preview when evaluated on ExploitBench with one-third more tokens required for output. 

In internal testing of large Chromium and Firefox codebases, the model demonstrated the capability of identifying software flaws, isolating vulnerabilities, and providing patching advice as well as basic exploitation primitives. In addition, OpenAI pointed out that the system did not independently develop complete multistage exploit chains, reinforcing its goal of supporting defensive security research rather than facilitating offensive cyber operations. 

Red-Teaming and Safety Testing Ahead of Deployment

The OpenAI preview version included more than 700,000 A100-equivalent GPU hours of automated red-teaming for further strengthening resilience against misuse. Rather than focusing solely on isolated prompt failures, the testing program targeted systemic weaknesses as well as universal jailbreak techniques capable of bypassing model safeguards across a variety of scenarios, thereby enhancing resilience against misuse. 

In the coming week, OpenAI plans to make the models available to a wider range of API and Codex partners. Additionally, OpenAI warns against making government-mediated pre-clearance a permanent requirement for frontier AI deployments. As a result of prolonged restrictions, advanced defensive capabilities may not be available as needed by the wider cybersecurity community to combat rapidly evolving threats if they are prolonged. 

Pricing, Capability Tiers and Enterprise Availability 

Additionally, OpenAI has revised its naming strategy with generation numbers identifying the model family, and Sol, Terra, and Luna remaining persistent capability layers. A tiered pricing structure based on token consumption has been established by the company, with GPT-5.6 Sol charging $5 for a million input tokens and $30 for a million output tokens, Terra charging $2.50 per input and $15 per output, and Luna charging $1 per input and $6 per output, in accordance with the performance profiles and deployment scenarios of each model. 

As part of OpenAI's ongoing commitment to the enterprise, GPT-5.6 Sol will be released on Cerebras in July, delivering inference speeds of up to 750 tokens per second for enterprises with high-throughput AI requirements. 

Government Oversight Shapes GPT-5.6 Rollout 

GPT-5.6's limited release has also been the focus of an ongoing debate concerning national security oversight of frontier AI systems as a result of the limited release. According to OpenAI, the decision was made to limit the initial release following the Trump administration's request for a staggered rollout as government agencies evaluated the impact of the model's advanced capabilities. 

Sam Altman, the Chief Executive Officer of OpenAI, has subsequently advised employees that access to the preview will be approved individually as part of the coordinated rollout process. The request was made in consultation with the Office of the National Cyber Director, the Office of Science and Technology Policy, and Howard Lutnick, Secretary of Commerce. 

It was openAI's belief that government-mediated access should continue to be an exceptional measure rather than a long-term deployment model, even as it cooperated with the temporary review process, arguing extended restrictions may deter developers, enterprises, and cybersecurity practitioners from implementing critical AI capabilities. 

New Reasoning Modes Expand Defensive AI Capabilities 

 Along with deployment and governance, OpenAI has also enhanced the defensive security capabilities of GPT-5.6. According to OpenAI, GPT-5.6 is designed to make prohibited offensive activities more difficult, uncertain, and detectable while preserving legitimate applications such as code review, vulnerability research, patch development, and defensive security testing. 

The Max Reasoning Effort mode introduced in GPT-5.6 supports this approach by allowing Sol to allocate considerable computational resources to complex problems before providing responses. With Ultra reasoning, the execution of long-term tasks which require sustained planning and multi-step analysis is enhanced beyond conventional single-agent execution by orchestrating multiple parallel subagents capable of collaborating collaboratively. 

Scientific Benchmarks and OpenAI's Cybersecurity Roadmap

GPT-5.6 is the latest model family from OpenAI that demonstrates the company's commitment to AI-based defensive cybersecurity. Additionally, the company recently introduced GPT-5.5-Cyber as part of its Daybreak initiative, a specialized model for automated vulnerability discovery, patch generation, and software remediation. 

The OpenAI model achieved state-of-the-art performance across CyberGym (85.6%), ExploitGym (39%), and SEC Bench Pro (69.8%), a significant improvement over GPT-5.5 baselines. Additionally, GPT-5.6 Sol has demonstrated improved performance on GeneBench v1 and improved reasoning efficiency, indicating that the latest releases are an integral part of a broader strategy: advancing frontier AI capabilities while also investing equally in tools and safeguards necessary for enhancing cyber defenses.

Five Eyes Warns New AI Models Pose Urgent Cyber Risk

 

The Five Eyes intelligence alliance has issued a stark warning that the latest generation of artificial intelligence could reshape the cyber threat landscape much faster than most organizations expect. In a joint advisory, intelligence and cybersecurity leaders from the United States, the United Kingdom, Canada, Australia and New Zealand said frontier AI models are advancing so quickly that long-standing assumptions about cyber risk may become outdated in only a matter of months. 

The message is clear: AI is no longer just a productivity tool or a research breakthrough. It is also a force multiplier for attackers who want to move faster, exploit weaknesses sooner and launch more sophisticated campaigns. According to the advisory, AI can lower the barriers for malicious actors by making phishing, malware development and vulnerability discovery easier and more efficient. 

That means attackers with limited technical skill may soon be able to carry out actions that once required experienced operators, while more advanced threat groups could automate parts of their workflow at greater scale. The intelligence chiefs said the risk is not theoretical, because the speed of AI development is already changing how quickly vulnerabilities can be found and weaponized. As a result, organizations that wait for mature standards may find themselves exposed before they realize the threat has changed. 

The alliance also emphasized that cyber risk should be treated as a business risk, not just an IT issue. Its guidance urges leaders to understand risk, strengthen foundational security controls and give cyber teams enough authority and resources to respond effectively. The warning stresses that breaches are inevitable, so preparedness matters as much as prevention. In practice, that means testing incident response plans, training staff and making sure the organization can contain and recover from an attack before it turns into a wider operational or financial crisis. 

Five practical steps were highlighted as urgent priorities: reduce unnecessary exposure, accelerate patching, address legacy systems, strengthen identity and access controls and prepare for incidents in advance. The advice is especially relevant because outdated systems and slow patch cycles remain common weaknesses across both public and private sectors. By limiting attack surfaces and tightening access, organizations can reduce the chances that AI-assisted attackers will find an easy opening. The core message is that resilience must be built before a crisis starts, not after. 

For businesses, the report is a reminder that AI’s cyber impact is arriving faster than policy and governance often do. The Five Eyes warning does not argue that AI should be avoided; instead, it says AI should be used deliberately to strengthen defense while leaders move faster on security basics. In other words, the organizations most likely to cope with AI-driven threats will be those that treat cybersecurity as continuous readiness, not a one-time compliance exercise.

Agentic AI Has Become an Identity Crisis for Enterprise Security Teams



Every major technological change has followed a familiar pattern: organizations embrace innovation first, while security teams are left adapting controls after deployment. Cloud computing, Software-as-a-Service (SaaS), and DevOps all reshaped enterprise security in this way. Agentic AI is now driving the next transformation, but with a more complex challenge. Unlike conventional applications, AI agents actively authenticate, interact with APIs, query databases, generate code, and execute workflows across production environments, often using credentials and permissions that organizations have yet to fully catalogue.

This changes the conversation around AI security. Rather than focusing solely on what an AI model can generate, security leaders must determine who an AI agent represents, what systems it can access, who is accountable for its actions, and whether its privileges can be modified or revoked as business requirements evolve.

Traditional identity and access management programs were designed around employees whose access follows established roles and review processes. The rapid expansion of machine identities, including service accounts, API keys, certificates, and workload identities, already challenged that approach. Autonomous AI agents introduce another level of complexity because they can interpret objectives, make decisions, and perform actions independently while operating at machine speed. They can also be deployed by developers, embedded into SaaS platforms, delegated permissions by users, and continue running long after their original purpose has ended.

Static access controls are increasingly inadequate for these systems. An AI assistant summarizing customer support tickets requires far fewer privileges than one capable of issuing refunds, modifying customer records, or deploying production infrastructure. Instead of relying on permanent permissions, organizations should adopt contextual, task-specific, time-limited, and continuously evaluated access policies that adjust according to an agent's responsibilities.

The rapid growth of agentic AI also introduces three identity risks that security teams cannot ignore. Many enterprises already lack visibility into AI agents operating across cloud services, developer environments, and business applications, making ownership and accountability difficult to establish. At the same time, broad permissions granted during testing frequently evolve into long-term identity debt, leaving agents with unnecessary administrative access. Attackers are also exploiting prompt injection techniques, manipulating trusted agents through untrusted content to perform unintended actions when effective privilege boundaries are absent.

Addressing these risks requires identity-centric governance rather than a separate AI security strategy. Every AI agent should possess a unique identity, a clearly assigned owner, a defined business purpose, and a controlled lifecycle supported by strong credential management and continuous monitoring. Automated discovery, policy enforcement, and access reviews will become essential as organizations deploy growing numbers of autonomous systems.

As enterprises integrate agentic AI into everyday operations, the security question is no longer limited to what AI can produce. The greater concern is what autonomous agents are authorized to do, and whether those identities remain governed throughout their entire lifecycle. Organizations that strengthen identity governance today will be better positioned to embrace AI-driven innovation without expanding their attack surface.

FCRF Launches India’s Largest Cybercrime Hackathon for 2026

 

The Future Crime Research Foundation (FCRF) has announced what is being positioned as India’s largest cybercrime hackathon, a move that reflects the growing urgency around digital threats in the country. With cyber fraud, phishing, ransomware, and AI-driven deception becoming more sophisticated, the event aims to create a space where innovators can build practical solutions for real-world investigation and defense. Unlike ordinary coding contests, this hackathon is expected to focus on cybercrime response, digital forensics, and applied security ideas that can help law enforcement and security professionals. 

FCRF, an IIT Kanpur-incubated non-profit known for its work in cyber safety, training, and fraud risk management, has built a reputation as a serious player in India’s cybersecurity ecosystem. Its broader mission is to make India more resilient against evolving digital risks through research, awareness, and capacity building. The hackathon fits neatly into that mission by inviting participants to think beyond theory and build tools that can support investigations, evidence analysis, and cyber defense operations. 

The event is also notable for the kind of collaboration it encourages. By bringing together students, researchers, ethical hackers, developers, and cyber professionals, the hackathon creates a multidisciplinary environment where ideas can move quickly from concept to prototype. That matters because today’s cybercrime problems are no longer limited to one domain; they involve fake identities, financial fraud, social engineering, malware, and emerging AI threats. A challenge of this kind can help discover solutions that are both technically strong and operationally useful. 

For participants, the opportunity goes beyond competition. Hackathons like this can serve as launchpads for careers in cybersecurity, digital forensics, threat intelligence, and policy research. They also offer exposure to problem statements that mirror the pressure and complexity of real cyber investigations. In a country where digital adoption is expanding rapidly, events that combine innovation with public safety can play an important role in strengthening the national security ecosystem.

As FCRF continues to expand its influence through initiatives such as the FutureCrime Summit, this hackathon adds another layer to its growing impact. It signals a shift in how India is approaching cybercrime: not only by reacting to incidents, but by building talent and tools before attacks happen. That makes the event important not just as a competition, but as a serious step toward a more prepared and cyber-aware India.

China's New AI Model Challenges U.S. Cybersecurity Leaders

 



China's latest open-weight artificial intelligence model is drawing attention within the cybersecurity community after independent evaluations indicated that it can rival some of the vulnerability detection capabilities of leading U.S. frontier AI systems. The findings are fueling renewed debate over whether restricting access to advanced American AI models is enough to slow the spread of powerful cyber capabilities.

Chinese AI company Zhipu AI, also known as Z.ai, released its GLM-5.2 model on June 13 under a permissive open-weight license. Unlike proprietary AI systems that are only accessible through controlled cloud services, open-weight models allow researchers and developers to download the model weights and run them on their own hardware. This approach enables offline deployment, customization through fine-tuning, and unrestricted experimentation without requiring ongoing approval from the model developer.

The release stands in contrast to Anthropic's Claude Mythos, one of several advanced AI systems whose availability has been limited under U.S. export controls because of concerns that highly capable models could be misused for offensive cyber operations. While GLM-5.2 still falls behind leading models from Anthropic and OpenAI across many general-purpose reasoning benchmarks, recent testing suggests it performs remarkably well in one highly specialized area: identifying software vulnerabilities.

Independent benchmarking conducted by Semgrep found that GLM-5.2 achieved an F1 score of 39% when detecting Insecure Direct Object Reference (IDOR) vulnerabilities. IDOR flaws arise when applications expose internal object identifiers without properly verifying whether a user is authorized to access the requested resource, making them a common source of unauthorized data access and privilege abuse. Under the same evaluation conditions, Claude Code recorded scores ranging from 32% to 37%, placing GLM-5.2 slightly ahead in this specific cybersecurity task.

The benchmark also underlined a notable economic advantage. Researchers estimated that GLM-5.2 identified vulnerabilities at an average cost of approximately $0.17 per finding, roughly one-sixth of the cost associated with comparable Claude-based workflows. Lower operating costs could make advanced AI-assisted vulnerability research accessible to a much broader range of organizations, independent researchers, and software security teams.

Additional benchmarking conducted by Graphistry reached similar conclusions, reinforcing the view that an openly downloadable Chinese model can compete with frontier U.S. AI systems in narrowly focused cybersecurity applications. The independent evaluations are particularly noteworthy because they relied on standardized testing methodologies designed to reduce benchmark contamination and minimize vendor-specific bias.

The findings arrive amid growing concern in Washington over the national security implications of frontier artificial intelligence. The Trump administration has increasingly treated advanced AI models such as Mythos and Fable as strategic technologies because of their ability to automate complex cybersecurity tasks, including discovering previously unknown software vulnerabilities that could potentially be weaponized in cyber operations.

Those concerns have shaped U.S. export control policies that restrict access to some advanced AI systems for foreign organizations, including researchers based in China. The underlying assumption behind these controls is that limiting access to the most capable American models would delay competing nations from acquiring comparable cyber capabilities. GLM-5.2's performance is prompting renewed questions about whether restricting model access alone can achieve that objective when capable alternatives are being developed elsewhere.

The discussion is further informed by Anthropic's Project Glasswing, which previously demonstrated the cybersecurity potential of frontier AI by identifying more than 10,000 critical software vulnerabilities during its initial research phase. The project illustrated how advanced language models can assist security researchers in reviewing large codebases, prioritizing weaknesses, and accelerating vulnerability discovery. If open-weight models begin approaching similar levels of performance, comparable capabilities may no longer remain exclusive to a small number of tightly controlled AI providers.

The latest development also comes shortly after OpenAI introduced GPT-5.6 with limited availability because of concerns surrounding misuse. Together, these decisions reflect a broader effort by U.S. AI developers to place increasingly capable models behind controlled access mechanisms while balancing innovation with national security considerations.

Cybersecurity researchers note that advances in open-weight models create opportunities as well as risks. Defensive teams could use these systems to automate code reviews, strengthen secure software development practices, and accelerate vulnerability remediation. At the same time, threat actors may attempt to exploit the same capabilities to identify weaknesses in software before organizations have an opportunity to patch them. Because GLM-5.2 can be downloaded and operated locally, these capabilities are available globally regardless of whether users have access to commercial U.S. AI services.

The emergence of GLM-5.2 does not necessarily indicate that Chinese AI has surpassed American frontier models across every benchmark. However, its strong performance in specialized cybersecurity evaluations suggests that the technological gap is narrowing in selected high-value domains. The development is likely to intensify debate over whether hardware restrictions and access controls alone are sufficient to preserve leadership in AI-driven cybersecurity, or whether future policy must place greater emphasis on strengthening defensive capabilities, accelerating software patching, and preparing for a world where advanced vulnerability discovery tools become increasingly accessible worldwide.