Attacks & Vulnerabilities

New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Infostealer (2 minute read)
An evolved ClickFix campaign uses fake CAPTCHA pages to trick users into executing PowerShell commands that download an infostealer via the Donut shellcode loader, which runs entirely in memory using VirtualAlloc and CreateThread to evade file-based detection. The malware targets cryptocurrency wallets, including MetaMask and Exodus, harvests credentials from over 25 browsers, and exfiltrates VPN configurations, Steam accounts, and FTP credentials, while persisting through RunMRU registry key modifications. Organizations should monitor for suspicious PowerShell execution chains, block known C2 IPs, and note that Microsoft Defender detects the payload as Behavior:Win32/SuspClickFix.C.

AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries (4 minute read)
A Russian-speaking, financially motivated threat actor leveraged commercial generative AI tools to compromise over 600 FortiGate devices across 55 countries by targeting exposed management interfaces and weak single-factor credentials, according to Amazon Threat Intelligence. Post-exploitation activity included Active Directory compromise, credential harvesting via pass-the-hash/pass-the-ticket and NTLM relay attacks, and targeting Veeam Backup servers using CVE-2023-27532 and CVE-2024-40711, consistent with pre-ransomware operations. Organizations should immediately restrict exposure of the FortiGate management interface, enforce MFA for all administrative and VPN access, rotate SSL-VPN credentials, and isolate backup infrastructure from general network access.

Attackers have 16-digit card numbers, expiry dates, but not names. Now org gets £500k fine (3 minute read)
The UK Court of Appeal has backed the ICO's £500k fine on DSG Retail over a 2017 breach that exposed 5.6 million card details and data on 14 million people, even though attackers lacked cardholder names.
The ruling confirms that payment card numbers and expiry dates are personal data from the controller's perspective, stresses jigsaw identification risk, and strengthens regulators' ability to penalize weak security in future cyberattacks.

AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI-Driven Attacks (9 minute read)
AI assistants with web-browsing capabilities, specifically Grok and Microsoft Copilot, can be abused as covert C2 relays by using anonymous web access to fetch attacker-controlled URLs and return embedded commands, all without API keys or registered accounts. This PoC uses a WebView2-based C++ implant to create a bidirectional channel in which victim data is exfiltrated via URL query parameters and commands are returned via AI-generated responses, with simple encoding sufficient to bypass model-side safeguards. The research outlines a near-term evolution toward AI-Driven malware where implants shift from static logic to prompt-driven behavior, enabling AI-assisted anti-sandbox detection, intelligent victim triage, and targeted ransomware that prioritizes high-value files to evade volume-based detection thresholds.

Testing Access to AWS Resources Without Angering the People That Pay the Bills (10 minute read)
This post details a methodology for empirically verifying AWS resource exposure without reading sensitive data or altering the resource state. It employs four techniques: comparing unsigned and signed requests, conducting metadata-only reads, performing no-op operations like untagging nonexistent keys, and sending malformed request probes that leverage AWS' sequence where authorization checks occur before parameter validation. The "3-topic method" ensures probe safety by testing identical changes across allowed, denied, and nonexistent resources — if only denied and nonexistent targets return 403 errors and allowed ones return 400, it confirms authorization without executing the action.
This method is implemented in the open-source sns-buster tool for SNS and is adaptable to other AWS services for CSPM, bug bounty, and IAM policy validation.

eBPF Ring Buffer vs Perf Buffer (4 minute read)
Ring buffer, introduced in Linux 5.8, replaced the legacy perf buffer as the recommended mechanism for kernel-to-userspace data transfer in eBPF programs. It uses a single shared circular buffer across all CPUs instead of per-CPU buffers, eliminating cross-CPU event ordering complexity and reducing copy overhead. This article walks through both implementations in C and Go using cilium/ebpf, demonstrating how the ring buffer's reserve-and-submit model via bpf_ringbuf_reserve and bpf_ringbuf_submit provides a simpler, higher-throughput path compared to perf buffer's bpf_perf_event_output approach. For security tooling built on eBPF tracing, the ring buffer is now the default choice for structured event streaming from kernel-level monitors to usersp.

Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning (2 minute read)
Anthropic launched Claude Code Security in limited research preview for Enterprise and Team customers, offering AI-powered codebase vulnerability scanning that goes beyond static analysis by reasoning about component interactions and tracing data flows. Findings undergo a multi-stage verification process to filter false positives, with each vulnerability assigned a severity and confidence rating alongside suggested patches.
The feature employs a human-in-the-loop approach where developers review and approve all remediation before any changes are applied.

Cvemapping (GitHub Repo)
This repository gathers all available CVE exploits from GitHub and publishes them on a public website.

claude-code-config (GitHub Repo)
Trail of Bits released an opinionated configuration repository for Claude Code covering sandboxing, permissions, hooks, skills, MCP servers, and workflow patterns refined through security audits and development. The repository includes pre-built slash commands for autonomous PR review, issue resolution, and Dependabot merging using parallel agents, alongside sandbox hardening that blocks access to SSH keys, cloud credentials, crypto wallets, and shell configs. It also documents context management strategies, local model integration via LM Studio, and a multi-layered security model combining OS-level sandboxing, devcontainers, and disposable cloud droplets for safe bypass-permissions operation.

Cloudflare outage on February 20, 2026 (11 minute read)
Cloudflare experienced a 6-hour outage after a cleanup sub-task in its Addressing API queried with an empty `pending_delete` parameter, causing the system to interpret all 4,306 BYOIP prefixes as queued for deletion and systematically withdrawing ~1,100 BGP prefixes across customer networks. The bug rendered services including Magic Transit, Spectrum, and a subset of 1.1.1.1 unreachable. Recovery was complicated by varying states of impact, where some customers lost both prefix advertisements and service bindings. Cloudflare is implementing circuit breakers for large-scale BGP withdrawal actions, separating operational and configured state in the Addressing API, and deploying health-mediated configuration snapshots as part of their Code Orange: Fail Small initiative.