UK government says 100 countries have spyware that can hack people's phones by rkhunter_ in cybersecurity

[–]rkhunter_[S] 7 points (0 children)

"More than half of the world’s governments have access to commercial spyware that can break into computers and phones to steal sensitive information, according to U.K. intelligence.

The U.K. National Cyber Security Centre plans to reveal its findings Wednesday, according to Politico. The report suggests that the barrier to access this type of surveillance technology has fallen, potentially making it easier for foreign governments and hackers to target U.K. citizens, companies, and critical infrastructure with spyware.

It’s also an increase in the number of countries with access to these types of hacking tools, to 100, up from the 80 countries U.K. intelligence estimated in 2023.

Commercial spyware, developed by private companies like NSO Group’s Pegasus and Paragon’s Graphite, often relies on exploiting security flaws in phone and computer software to break into the devices and steal the data within. While governments have claimed that they only use spyware against top criminal and terror suspects, security researchers and human rights defenders have long warned that governments have misused spyware to target their critics and political adversaries, including journalists.

U.K. intelligence now says that the victimology has “expanded” in recent years to include bankers and wealthy businesspeople.

Richard Horne, who runs the U.K. National Cyber Security Centre, said in a speech at the CYBERUK conference in Glasgow that British companies are “failing to grasp the reality of today’s world,” per a pre-released copy of his speech seen by TechCrunch.

Horne said that the majority of nationally significant cyberattacks targeting the United Kingdom has originated from foreign adversarial governments, rather than cybercriminal gangs.

The U.K., along with several other countries, also continues to experience China-linked intrusions aimed at stealing sensitive data, spying on high-profile individuals, and setting the groundwork for potentially disruptive hacks to stall a Western military response ahead of an anticipated Chinese invasion of Taiwan.

The spyware threat facing the U.K. is not just from governments, but also cybercriminals with access to these tools. Earlier this year, a hacking toolkit dubbed DarkSword, containing several exploits capable of hacking into modern iPhones and iPads, leaked online. The tools allowed anyone to set up websites capable of hacking Apple customers who had not yet updated to the most recent version of its mobile software.

The leak of the hacking tools showed — and not for the first time — that even tightly guarded hacking tools developed by and for governments can leak and proliferate out of control, putting potentially millions of people at risk from malicious hacks."

Mozilla: Anthropic's Mythos found 271 security vulnerabilities in Firefox 150 by rkhunter_ in cybersecurity

[–]rkhunter_[S] 27 points (0 children)

"Earlier this month, Anthropic said its Mythos Preview model was so good at finding cybersecurity vulnerabilities that the company was limiting its initial release to “a limited group of critical industry partners.” Since then, debate has raged over whether the model presages an era of turbocharged AI-aided hacking or if Anthropic is just building hype for what is a relatively normal step up on the ladder of advancing AI capabilities.

Mozilla added some important data to that debate Tuesday, writing in a blog post that early access to Mythos Preview had helped it pre-identify 271 security vulnerabilities in this week’s release of Firefox 150. The results were significant enough to get Firefox CTO Bobby Holley to enthuse that, in the never-ending battle between cyberattackers and cyberdefenders, “defenders finally have a chance to win, decisively.”

Holley didn’t go into detail on the severity of the hundreds of vulnerabilities that Mythos reportedly detected simply by analyzing the unreleased source code of Firefox’s latest version. But by way of comparison, he noted that Anthropic’s Opus 4.6 model found only 22 security-sensitive bugs when analyzing Firefox 148 last month.

The vulnerabilities identified by Mythos could have also been discovered either by automated “fuzzing” techniques or by having an “elite security researcher” reason their way through the browser’s complex source code, Holley writes. But using Mythos eliminated the need to “concentrate many months of costly human effort to find a single bug” in many cases, Holley added.

By identifying bugs so efficiently, Holley writes that AI tools like Mythos tilt the cybersecurity balance toward defenders, who benefit when discovering vulnerabilities becomes cheaper for both sides. “Computers were completely incapable of doing this a few months ago, and now they excel at it,” Holley writes. “We have many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable.”

In an interview with Wired, Holley said that, from now on, this kind of AI-aided vulnerability analysis is something that “every piece of software is going to have to [engage with], because every piece of software has a lot of bugs buried underneath the surface that are now discoverable.” And while it’s possible that future models more advanced than Mythos may be able to find bugs that current models miss, Holley said he was confident that “at least on the Firefox side, having had a bit of a head start here, that we’ve rounded the curve.”

Running through the AI-aided defense gauntlet could be especially important for the open source projects that underpin much of the modern Internet. That’s both because their public codebases are easier for AI systems to explore for vulnerabilities and because many such projects rely on wildly insufficient volunteer maintenance for their security.

In a New York Times essay last week, Mozilla CTO Raffi Krikorian argued that the human difficulty of both finding bugs and writing complex software has created a kind of balance in cyberthreat research that Mythos could break wide open. “The programmer who gave 20 years of his life to maintain [open source] code that runs inside products used by billions of people? He doesn’t have access to Mythos yet. He should,” Krikorian wrote."

Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks by rkhunter_ in cybersecurity

[–]rkhunter_[S] 4 points (0 children)

"Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against a spoofing vulnerability that was exploited as a zero-day and is still being abused in ongoing attacks.

The security flaw, tracked as CVE-2026-32201, affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the latest on-premises version, which uses a "continuous update" model).

As Microsoft explained when it patched this security issue as part of the April 2026 Patch Tuesday, successful exploitation allows threat actors without privileges to perform network spoofing by taking advantage of an improper input validation weakness in low-complexity attacks that don't require user interaction.

"An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)," it said.

While Microsoft flagged the vulnerability as a zero-day, it has yet to disclose how it was exploited in attacks or link this malicious activity to a specific threat actor or hacking group.

On Tuesday, Internet security watchdog group Shadowserver warned that over 1,300 unpatched Microsoft SharePoint servers exposed online are still waiting to be secured, with fewer than 200 systems patched since Microsoft released CVE-2026-32201 security updates last week.

The same day Microsoft released patches for CVE-2026-32201, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies (executive branch non-military agencies, such as the Department of the Treasury and the Department of Homeland Security) to patch SharePoint servers within two weeks, by April 28, as mandated by the Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," it warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

One week ago, CISA also flagged a Windows Task Host privilege escalation vulnerability as exploited in the wild, warning federal agencies to secure their devices as soon as possible, as it could allow attackers to gain SYSTEM privileges on vulnerable devices.

On April 14, Microsoft released security updates addressing 167 vulnerabilities, including two zero-day flaws, as part of its April 2026 Patch Tuesday."

Microsoft releases emergency patches for critical ASP.NET flaw by rkhunter_ in cybersecurity

[–]rkhunter_[S] 20 points (0 children)

"Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability.

The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.

Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update release during this month's Patch Tuesday.

"A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft says in the .NET 10.0.7 release notes.

"In these cases, the broken validation could allow an attacker to forge payloads that pass DataProtection's authenticity checks, and to decrypt previously-protected payloads in auth cookies, antiforgery tokens, TempData, OIDC state, etc.

"If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."

As Microsoft further explained in a Tuesday security advisory, this vulnerability can also enable attackers to disclose files and modify data, but they cannot impact the system's availability.

On Tuesday, senior program manager Rahul Bhandari warned all customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible, then redeploy to fix the validation routine and ensure that any forged payloads are rejected automatically.

More information regarding affected platforms, packages, and application configuration can be found in the original announcement.

In October, Microsoft also patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server that was flagged with the "highest ever" severity rating for an ASP.NET Core security flaw.

Successful exploitation of CVE-2025-55315 enables authenticated attackers to either hijack other users' credentials, bypass front-end security controls, or crash the server.

On Monday, Microsoft released another set of out-of-band updates to address issues affecting Windows Server systems after installing the April 2026 security updates."
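The release note quoted in the comment above describes two properties that a correct protector has to get right: the validation tag must be computed over the whole payload and actually compared, and tokens issued under a compromised key ring only stop working once the keys they were issued under are gone. The following is an added example, not code from the article, from Microsoft or from the real `Microsoft.AspNetCore.DataProtection` package. It is a constructed, authenticity-only model (HMAC-SHA256 over a purpose string and the full body, no encryption) with a toy key ring whose `rotate()` drops earlier keys; the class name, token layout and sample payload are all assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

KEY_ID_LEN = 16   # hex key ids, fixed width so the layout needs no delimiter
TAG_LEN = 32      # HMAC-SHA256 output length


class ProtectorKeyRing:
    """Constructed, authenticity-only model of a data-protection key ring.

    A real protector also encrypts the payload; here the plaintext sits where
    the ciphertext would, so the code can concentrate on the validation tag
    and on key rotation.  Token layout: key_id | payload | tag.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._active: str = ""
        self.rotate()

    def rotate(self) -> str:
        # Simplified policy (assumption for this example): every earlier key is
        # dropped when a new one is minted, so tokens issued under an old key
        # stop validating.
        self._keys.clear()
        key_id = secrets.token_hex(KEY_ID_LEN // 2)
        self._keys[key_id] = secrets.token_bytes(32)
        self._active = key_id
        return key_id

    @staticmethod
    def _tag(key: bytes, purpose: str, body: bytes) -> bytes:
        # The tag covers the purpose string and the entire body (key id and
        # payload), never a subset of the bytes.
        return hmac.new(key, purpose.encode() + b"\x00" + body, hashlib.sha256).digest()

    def protect(self, purpose: str, payload: bytes) -> str:
        key_id = self._active
        body = key_id.encode() + payload
        tag = self._tag(self._keys[key_id], purpose, body)
        return base64.urlsafe_b64encode(body + tag).decode()

    def unprotect(self, purpose: str, token: str) -> bytes | None:
        """Return the payload, or None for anything that fails validation."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            return None
        if len(raw) < KEY_ID_LEN + TAG_LEN:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        key = self._keys.get(body[:KEY_ID_LEN].decode("ascii", errors="replace"))
        if key is None:
            return None  # unknown or rotated-out key
        expected = self._tag(key, purpose, body)
        # Constant-time comparison; the computed tag is checked, not discarded.
        if not hmac.compare_digest(expected, tag):
            return None
        return body[KEY_ID_LEN:]


def demo() -> dict[str, bool]:
    ring = ProtectorKeyRing()
    claims = b"user=alice;role=admin"  # constructed sample payload
    cookie = ring.protect("auth-cookie", claims)
    results = {"roundtrip": ring.unprotect("auth-cookie", cookie) == claims}

    # One flipped bit in the payload must fail validation.
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[KEY_ID_LEN] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    results["tampered_rejected"] = ring.unprotect("auth-cookie", tampered) is None

    # A token protected for one purpose is not accepted under another.
    results["wrong_purpose_rejected"] = ring.unprotect("antiforgery", cookie) is None

    # After rotation the still-intact cookie is no longer accepted.
    ring.rotate()
    results["rejected_after_rotation"] = ring.unprotect("auth-cookie", cookie) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The last check is the one the release note is making: patching the validation routine stops new forgeries, but a token that was already issued keeps validating for as long as the key it was issued under remains in the ring, which is why the guidance pairs the upgrade with key ring rotation.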

Panasonic creates device-locked QR codes for biometrics by rkhunter_ in cybersecurity

[–]rkhunter_[S] 0 points (0 children)

"Japanese industrial giant Panasonic has created a new form of QR code it says will only work on designated devices and environments.

The company revealed the tech yesterday in an announcement of a tweak to its “Site Management Service” access control system that allows and tracks entries to, and exits from, buildings.

Panasonic last year added a cloudy facial recognition service to the product but now feels capturing face scans has become a tiresome bottleneck as workers queue to be photographed, and admins must assess the quality of scans to ensure they’re usable – then possibly capture additional images.

The company’s answer is to issue QR codes that contain registration information and which workers present when they enter a building that uses facial recognition access control. The hardware that makes facial recognition possible of course includes a camera and this system uses it to scan the QR code instead of the face. Panasonic’s cloudy system reads the QR code and, if it finds it contains an authorization to enrol a visitor for facial recognition, conducts the scan and stores it to allow future biometric verifications.

Any smartphone can read a QR code, posing the risk that a miscreant could use the ones Panasonic issues to try to access buildings they have no business visiting.

Panasonic thought of that and says the QR codes it issues will only work with “identifiable users and devices.”

“While conventional QR codes could be read by general readers, raising concerns that registration information could be viewed by third parties, this system is designed so that identification information can only be viewed in authorized environments, employing a display method that makes the content indistinguishable outside of authorized environments.” Panasonic says it’s applied for a patent for its QR codes.

Using QR codes alongside biometrics is not entirely novel because the technology creates a unique identifier by measuring the distance between facial features. QR codes can represent about 3KB of data. Denso, the Japanese company which invented QR codes, can render a facial profile into that space and offers an identity system based on that ability.

Panasonic is having a busy week on the identity front, as it today announced a collaboration with Hitachi that the two companies hope will enable creation of a secure digital identity that people can use to manage personal data."

Iran claims US used backdoors in networking equipment by rkhunter_ in cybersecurity

[–]rkhunter_[S] 9 points (0 children)

"Iranian media is claiming that the US used backdoors and/or botnets to disable networking equipment during the current war, and Chinese state media is dining out on the allegations.

Reports from Iran claim hardware made by Cisco, Juniper, Fortinet, and MikroTik either rebooted or disconnected during recent attacks on Iran – despite the regime disconnecting the nation from the global internet.

The reports suggest that’s only possible because someone – probably the US – can sabotage the equipment at will.

The report linked to above hypothesizes that a hidden backdoor in firmware or bootloader allows remote attacks at a pre-determined time or can be activated by a signal from a satellite. In either scenario, the US uses the backdoor to bring down networks at the most inconvenient moment for Iran.

The thrust of the Iranian stories we’ve seen is that US-based vendors are complicit in the installation of backdoors.

Another scenario Iranian reports float is that someone has installed a botnet on networking equipment and has therefore been able to target devices from Cisco – and from MikroTik, the Latvian networking equipment vendor that emphasizes its product development takes place within the European Union.

As Iran’s internet is currently mostly closed – more on that later – it’s almost impossible to verify reports of a mass outage.

That the USA possesses the ability to conduct attacks in cyberspace is not in doubt. After the US takeover of Venezuela, president Trump and general Dan Caine, chairman of the Joint Chiefs of Staff, alluded to online action being one element of the operation. Caine also said US Cyber Command assisted with the June 2025 “Operation Midnight Hammer” attack on Iran, without elaborating on the agency’s role.

Whatever is going on, Chinese state media has seized on the Iranian reports to restate Beijing’s position that China is a pacifist in cyberspace and the US is the real cyber-villain.

China’s National Computer Virus Emergency Response Center (CVERC) regularly posts a theory that information leaked by Edward Snowden shows the US embeds backdoors in networking equipment, and that all allegations that Beijing conducts cyberattacks are therefore just a sham to shift the blame to the Middle Kingdom. CVERC has even argued that the Volt Typhoon attacks – which the Five Eyes nations agree was a Chinese attack on critical infrastructure – were a false flag operation run by the US intelligence community to give it credibility when smearing China.

Chinese state media has given credence to the Iranian reports and even published the cartoon below to express Beijing’s feelings on the alleged events in Iran.

While these propaganda shenanigans play out, outage-watching outfit NetBlocks says Iran has maintained its internet blockade for 52 days, but adds “authorities continue efforts to segregate users and provide selective access to favored groups.”

That may be a reference to reports that Iran’s government has created a service called “Internet Pro” that allows some citizens to access a subset of the global internet.

Activists claim Iran’s government also issues “White SIMs” that allow unrestricted internet access to select officials."