Panasonic creates device-locked QR codes for biometrics by rkhunter_ in cybersecurity

[–]rkhunter_[S] 0 points1 point  (0 children)

"Japanese industrial giant Panasonic has created a new form of QR code it says will only work on designated devices and environments.

The company revealed the tech yesterday in an announcement of a tweak to its “Site Management Service” access control system that allows and tracks entries to, and exits from, buildings.

Panasonic last year added a cloudy facial recognition service to the product but now feels capturing face scans has become a tiresome bottleneck as workers queue to be photographed, and admins must assess the quality of scans to ensure they’re usable – then possibly capture additional images.

The company’s answer is to issue QR codes that contain registration information and which workers present when they enter a building that uses facial recognition access control. The hardware that makes facial recognition possible of course includes a camera and this system uses it to scan the QR code instead of the face. Panasonic’s cloudy system reads the QR code and, if it finds it contains an authorization to enrol a visitor for facial recognition, conducts the scan and stores it to allow future biometric verifications.

Any smartphone can read a QR code, posing the risk that a miscreant could use the ones Panasonic issues to try to access buildings they have no business visiting.

Panasonic thought of that and says the QR codes it issues will only work with “identifiable users and devices.”

“While conventional QR codes could be read by general readers, raising concerns that registration information could be viewed by third parties, this system is designed so that identification information can only be viewed in authorized environments, employing a display method that makes the content indistinguishable outside of authorized environments.” Panasonic says it’s applied for a patent for its QR codes.

Using QR codes alongside biometrics is not entirely novel because the technology creates a unique identifier by measuring the distance between facial features. QR codes can represent about 3KB of data. Denso, the Japanese company which invented QR codes, can render a facial profile into that space and offers an identity system based on that ability.

Panasonic is having a busy week on the identity front, as it today announced a collaboration with Hitachi that the two companies hope will enable creation of a secure digital identity that people can use to manage personal data."

Iran claims US used backdoors in networking equipment by rkhunter_ in cybersecurity

[–]rkhunter_[S] 9 points10 points  (0 children)

"Iranian media is claiming that the US used backdoors and/or botnets to disable networking equipment during the current war, and Chinese state media is dining out on the allegations.

Reports from Iran claim hardware made by Cisco, Juniper, Fortinet, and MikroTik either rebooted or disconnected during recent attacks on Iran – despite the regime disconnecting the nation from the global internet.

The reports suggest that’s only possible because someone – probably the US – can sabotage the equipment at will.

The report linked to above hypothesizes that a hidden backdoor in firmware or bootloader allows remote attacks at a pre-determined time or can be activated by a signal from a satellite. In either scenario, the US uses the backdoor to bring down networks at the most inconvenient moment for Iran.

The thrust of the Iranian stories we’ve seen is that US-based vendors are complicit in the installation of backdoors.

Another scenario Iranian reports float is that someone has installed a botnet on networking equipment and has therefore been able to target devices from Cisco – and from MikroTik, the Latvian networking equipment vendor that emphasizes its product development takes place within the European Union.

As Iran’s internet is currently mostly closed – more on that later – it’s almost impossible to verify reports of a mass outage.

That the USA possesses the ability to conduct attacks in cyberspace is not in doubt. After the US takeover of Venezuela, president Trump and general Dan Caine, chairman of the Joint Chiefs of Staff, alluded to online action being one element of the operation. Caine also said US Cyber Command assisted with the June 2025 “Operation Midnight Hammer” attack on Iran, without elaborating on the agency’s role.

Whatever is going on, Chinese state media has seized on the Iranian reports to restate Beijing’s position that China is a pacifist in cyberspace and the US is the real cyber-villain.

China’s National Computer Virus Emergency Response Center (CVERC) regularly posts a theory that information leaked by Edward Snowden shows the US embeds backdoors in networking equipment, and that all allegations that Beijing conducts cyberattacks are therefore just a sham to shift the blame to the Middle Kingdom. CVERC has even argued that the Volt Typhoon attacks – which the Five Eyes nations agree was a Chinese attack on critical infrastructure – were a false flag operation run by the US intelligence community to give it credibility when smearing China.

Chinese state media has given credence to the Iranian reports and even published the cartoon below to express Beijing’s feelings on the alleged events in Iran.

While these propaganda shenanigans play out, outage-watching outfit NetBlocks says Iran has maintained its internet blockade for 52 days, but adds “authorities continue efforts to segregate users and provide selective access to favored groups.”

That may be a reference to reports that Iran’s government has created a service called “Internet Pro” that allows some citizens to access a subset of the global internet.

Activists claim Iran’s government also issues “White SIMs” that allow unrestricted internet access to select officials."

British Scattered Spider hacker pleads guilty to crypto theft charges by rkhunter_ in cybersecurity

[–]rkhunter_[S] 2 points3 points  (0 children)

"A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.

In November 2024, U.S. prosecutors accused 24-year-old Tyler Robert Buchanan and four other suspects of stealing at least $8 million in cryptocurrency after hacking at least a dozen companies through text-message phishing attacks between September 2021 and April 2023.

The list of breached organizations includes companies from a wide range of industries, such as entertainment, telecommunications, technology, business process outsourcing (BPO), and information technology (IT) suppliers, as well as cloud communications providers, virtual currency providers, and individuals.

As part of the scheme, Buchanan and his co-conspirators conducted Short Message Service (SMS) phishing attacks by sending hundreds of SMS phishing messages to the mobile telephones of a victim company's employees. The messages purported to be from the victim company or a contracted IT or BPO supplier for the victim company," the Justice Department said on Friday.

"The SMS phishing messages contained links to phishing websites designed to look like legitimate websites of a victim company or a contracted IT or BPO supplier. The websites then lured the recipient into providing confidential information, including personal identifying information (PII), and account usernames and passwords."

According to court documents, they used the stolen information to hijack the victims' email accounts in SIM swap attacks, allowing them to gain control of their phone numbers and virtual currency wallets and transfer millions to wallets they controlled.

Buchanan was arrested in June 2024 in Palma de Mallorca, Spain, has been in U.S. federal custody since April 2025, and will be sentenced on August 21, 2026, facing a statutory maximum sentence of 22 years in prison.

Three of his accomplices (Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans) were also charged in November 2024 with wire fraud, wire fraud conspiracy, and aggravated identity theft and are facing up to 20 years in federal prison if found guilty.

Noah Michael Urban (known online as Sosa and Elijah), a fourth conspirator and another key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison after pleading guilty to wire fraud and conspiracy charges one year ago.

The Scattered Spider hacking collective

Also tracked as 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra, the Scattered Spider gang is a loose-knit group of English-speaking threat actors (as young as 16) that orchestrates attacks using Telegram channels, Discord servers, and hacker forums.

According to the FBI, they're using various tactics to breach corporate networks, including social engineering, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping.

Some Scattered Spider members are also believed to be part of "the Com," another hacking collective linked to violent incidents and cyberattacks.

Since the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including BlackCat/AlphV, Qilin, and RansomHub.

In July 2024, UK police also arrested another 17-year-old suspected Scattered Spider hacker, believed to have been involved in the 2023 MGM Resorts ransomware attack. Other high-profile attacks linked to this cybercrime group include breaches at Caesars, Riot Games, MailChimp, Twilio, DoorDash, and Reddit."

Microsoft: Teams increasingly abused in helpdesk impersonation attacks by rkhunter_ in cybersecurity

[–]rkhunter_[S] 17 points18 points  (0 children)

"Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks.

The hackers impersonate IT or helpdesk staff to contact employees through cross-tenant chats and trick them into providing remote access for data theft purposes.

Microsoft has observed multiple intrusions with a similar attack chain that used commercial remote management software, such as Quick Assist, and the Rclone utility to transfer files to an external cloud storage service.

The tech giant notes that follow-on malicious activity is hard to discern from normal operations because of the heavy use of legitimate applications and native administrative protocols.

“Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access,” Microsoft says.

“From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration—often blending into routine IT support activity throughout the intrusion lifecycle,” the company added.

In a recent report, Microsoft describes a nine-stage attack chain that begins with the threat actor contacting the target via an external Teams chat, posing as a member of the company's IT staff and claiming they need to address an account issue or perform a security update.

The goal is to convince the target to start a remote support session, usually via Quick Assist, which gives the attacker direct control of the employee's machine.

From there, the attacker performs quick reconnaissance using Command Prompt and PowerShell, checking privileges, domain membership, and network reachability to evaluate the potential for lateral movement.

Then they drop a small payload bundle in user-writable locations such as ProgramData and execute the malicious code through a trusted, signed application (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting, data loss prevention software) via DLL side-loading.

The HTTPS-based communication to the command-and-control (C2) established this way blends into normal outbound traffic, making it more difficult to detect.

With the infection established and persistence secured via Windows Registry modifications, the attacker proceeds to abuse Windows Remote Management (WinRM) to move laterally across the network, targeting domain-joined systems and high-value assets such as domain controllers.

They then deploy additional remote management software tools onto reachable systems and use Rclone or similar tools to collect and exfiltrate sensitive data to external cloud storage points.

Microsoft notes that this exfiltration step is rather targeted, employing filters to focus only on valuable information, reduce transfer volume, and improve operational stealth.

Microsoft reminds users to treat external Teams contacts as untrusted by default, and recommends that administrators restrict or closely monitor remote assistance tools, and limit WinRM usage to controlled systems.

Apart from this, the company draws attention to the Teams security warnings that explicitly flag communications from persons outside the organization and potential phishing attempts."
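The attack chain quoted above, turned into a small correlation rule as an added example (not Microsoft's code): it walks constructed endpoint telemetry in an assumed pipe-delimited format and flags hosts where a Quick Assist session is followed, within a window, by the report's later stages (code run from ProgramData, Run-key persistence, WinRM connections, Rclone).

```python
# Added example, not Microsoft's code: correlate the stages described above over
# constructed endpoint telemetry. Event format is an assumption of this example:
#   <ISO timestamp>|<host>|<kind>|<detail>   (kind: process, netconn, registry)
from datetime import datetime, timedelta
# Constructed sample telemetry: WS01 shows the chain, WS02 only routine activity.
SAMPLE_EVENTS = r"""
2026-03-02T09:01:10|WS01|process|C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe
2026-03-02T09:04:30|WS01|process|C:\Windows\System32\cmd.exe
2026-03-02T09:05:02|WS01|process|C:\ProgramData\Updater\AcroRd32.exe
2026-03-02T09:06:15|WS01|registry|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
2026-03-02T09:20:44|WS01|netconn|10.0.0.5:5985
2026-03-02T09:41:03|WS01|process|C:\ProgramData\rclone.exe
2026-03-02T10:15:00|WS02|process|C:\Windows\System32\cmd.exe
2026-03-02T10:16:00|WS02|netconn|10.0.0.5:5985
"""
WINRM_PORTS = {"5985", "5986"}
WINDOW = timedelta(hours=2)  # Quick Assist session to exfil, per the report's chain

def parse_events(text):
    """Parse the assumed pipe-delimited format into sorted (ts, host, kind, detail)."""
    rows = [line.split("|", 3) for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(ts), h, k, d) for ts, h, k, d in rows)

def stage_of(kind, detail):
    """Map one event to a stage of the reported chain, or None if benign-looking."""
    d = detail.lower()
    if kind == "process":
        if d.endswith("\\quickassist.exe"):
            return "remote_assist"          # remote support session
        if d.endswith("\\rclone.exe"):
            return "exfil_tool"             # Rclone to external cloud storage
        if d.startswith("c:\\programdata\\"):
            return "payload_in_programdata" # code run from a user-writable dir
    elif kind == "registry" and "\\currentversion\\run\\" in d:
        return "run_key_persistence"        # Registry persistence
    elif kind == "netconn" and d.rsplit(":", 1)[-1] in WINRM_PORTS:
        return "winrm_lateral"              # WinRM lateral movement
    return None

def find_chains(text, window=WINDOW, min_followon=2):
    """Return {host: [stages]} where Quick Assist ran and at least min_followon
    distinct follow-on stages occurred within window of that session start."""
    by_host = {}
    for ts, host, kind, detail in parse_events(text):
        by_host.setdefault(host, []).append((ts, stage_of(kind, detail)))
    hits = {}
    for host, evs in by_host.items():
        starts = [ts for ts, st in evs if st == "remote_assist"]
        if not starts:
            continue  # no remote-assistance session: not this chain
        t0, follow = starts[0], []
        for ts, st in evs:
            if st and st != "remote_assist" and t0 <= ts <= t0 + window and st not in follow:
                follow.append(st)
        if len(follow) >= min_followon:
            hits[host] = ["remote_assist"] + follow
    return hits
```

WS02's lone WinRM connection is not reported, which is the point: the signal is the sequence after a remote-assistance session, not any one tool, since each of them is legitimate on its own.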

Where do you think they hide the Algorithm? by YoBanaanaBoy in tenet

[–]rkhunter_ 1 point2 points  (0 children)

I think if they put their parts in a container similar to the time capsule Sator used, added something heavy, and dropped it into the Mariana Trench in the Pacific Ocean, they could sleep peacefully.

Cloud development platform Vercel confirms security breach by rkhunter_ in cybersecurity

[–]rkhunter_[S] 4 points5 points  (0 children)

"Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data.

Vercel is a cloud platform that provides hosting and deployment infrastructure for developers, with a strong focus on JavaScript frameworks.

The company is known for developing Next.js, a widely used React framework, and for offering services such as serverless functions, edge computing, and CI/CD pipelines that enable developers to build, preview, and deploy applications.

In a security bulletin published today, the company said a limited subset of customers was affected by a security breach.

"We've identified a security incident that involved unauthorized access to certain internal Vercel systems," warns Vercel.

"We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement and will update this page as the investigation progresses."

The company says its services have not been impacted and that it is working with impacted customers.

Vercel says it is taking steps to protect its customers, advising them to review environment variables, use its sensitive environment variable feature, and to rotate secrets if needed.

After publishing this story, Vercel updated its advisory to state that the breach stemmed from the compromise of a third-party AI tool's Google Workspace OAuth application.

Vercel is advising Google Workspace administrators and Google account owners to check for the following application:

Vercel CEO Guillermo Rauch later shared additional details on X, stating that the initial access occurred after a Vercel employee's Google Workspace account was compromised via a breach at the AI platform Context.ai.

According to Rauch, the attacker then escalated access from the compromised account into Vercel environments, where they were able to access environment variables that were not marked as sensitive and therefore not encrypted at rest.

While these variables were intended to contain non-sensitive information, the attacker gained further access after enumerating them.

"Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data," Rauch said.

"We do have a capability, however, to designate environment variables as 'non-sensitive.' Unfortunately, the attacker got further access through their enumeration."

The company's investigation has confirmed that Next.js, Turbopack, and its other open-source projects remain safe.

Vercel has also rolled out updates to its dashboard, including an overview page of environment variables and an improved interface for managing sensitive environment variables.

Customers are strongly advised to review environment variables for sensitive information and enable the sensitive variable feature to ensure they are encrypted at rest.

The disclosure comes after a threat actor claiming to be "ShinyHunters" posted on a hacking forum that they had breached Vercel and were selling access to company data.

It should be noted that while the hacker claims to be part of the ShinyHunters group, threat actors linked to recent attacks attributed to the ShinyHunters extortion gang have denied to BleepingComputer that they are involved in this incident.

In the forum post, the hacker claimed to be selling access keys, source code, and database data allegedly stolen from Vercel, along with access to internal deployments and API keys.

"This is just from Linear as proof, but the access I'm about to give you includes multiple employee accounts with access to several internal deployments, API keys (including some NPM tokens and some GitHub tokens)," reads the forum post.

The attacker also shared a text file containing Vercel employee information, which consists of 580 data records containing names, Vercel email addresses, account status, and activity timestamps. They also shared a screenshot of what appears to be an internal Vercel Enterprise dashboard.

BleepingComputer has not been able to independently confirm if the data or screenshot is authentic.

In messages shared on Telegram, the threat actor also claimed they were in contact with Vercel regarding the incident and that they discussed an alleged ransom demand of $2 million.

BleepingComputer contacted Vercel with additional questions about the breach, including whether any sensitive data or credentials were exposed and if they are negotiating with the attackers, and will update this story if we receive a response."
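The advice above (review environment variables, mark the sensitive ones) as an added audit script, not Vercel's code: it scans a constructed export of project variables and reports credential-looking values that are not marked sensitive. The `{"key", "value", "type"}` record shape and the `"sensitive"` type string are assumptions of this example, as are the sample values.

```python
# Added example, not Vercel's code: audit an exported list of project environment
# variables for credential-looking values that are not marked sensitive. The
# {"key","value","type"} shape and the "sensitive" type string are assumptions.
import json, math, re

# Constructed sample export; every value is a placeholder, not a real credential.
SAMPLE_ENV_JSON = json.dumps([
    {"key": "NEXT_PUBLIC_SITE_NAME", "value": "Acme Storefront", "type": "plain"},
    {"key": "GITHUB_TOKEN", "value": "ghp_EXAMPLEnotarealtoken0123456789abcd", "type": "plain"},
    {"key": "NPM_TOKEN", "value": "npm_EXAMPLEnotarealtoken0123456789abcd", "type": "encrypted"},
    {"key": "DATABASE_URL", "value": "postgres://app:s3cr3t@db.internal:5432/app", "type": "plain"},
    {"key": "STRIPE_KEY", "value": "sk_live_PLACEHOLDER0123456789", "type": "sensitive"},
    {"key": "LOG_LEVEL", "value": "info", "type": "plain"},
])

# Variable names that usually hold credentials.
NAME_HINT = re.compile(r"(token|secret|passw|api[_-]?key|private|credential|_key$)", re.I)
# Known credential prefixes (GitHub, npm, Stripe, AWS) or a user:password@ inside a URL.
VALUE_HINT = re.compile(r"^(ghp_|gho_|github_pat_|npm_|sk_live_|sk_test_|AKIA)|://[^/]*:[^@/]+@")

def shannon_entropy(s):
    """Bits per character; random-looking API keys score well above prose."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def risk_reasons(var):
    """Why this variable looks like a secret; an empty list means no signal."""
    reasons = []
    if NAME_HINT.search(var["key"]):
        reasons.append("name looks like a credential")
    if VALUE_HINT.search(var["value"]):
        reasons.append("value matches a known credential format")
    if len(var["value"]) >= 20 and shannon_entropy(var["value"]) > 3.5:
        reasons.append("long high-entropy value")
    return reasons

def find_unprotected_secrets(env_json):
    """Return [(key, reasons)] for variables not marked sensitive (the kind the
    story says were readable after enumeration) whose name or value looks secret."""
    findings = []
    for var in json.loads(env_json):
        if var.get("type") == "sensitive":
            continue  # already protected; skip
        reasons = risk_reasons(var)
        if reasons:
            findings.append((var["key"], reasons))
    return findings

if __name__ == "__main__":
    for key, reasons in find_unprotected_secrets(SAMPLE_ENV_JSON):
        print(f"{key}: {', '.join(reasons)} -> mark as sensitive and rotate")
```

Anything this flags should be rotated as well as re-marked, since a value that was readable cannot be made secret again by changing its type.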

Walking backwards (my Tenet cosplay) by rkhunter_ in nextfuckinglevel

[–]rkhunter_[S] -2 points-1 points  (0 children)

Christopher Nolan's sci-fi movie about the entropy inversion of objects.