<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/4/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Reddit will require &#x201C;fishy&#x201D; accounts to verify they are run by a human</title><link>https://nsaneforums.com/news/security-privacy-news/reddit-will-require-%E2%80%9Cfishy%E2%80%9D-accounts-to-verify-they-are-run-by-a-human-r34287/</link><description><![CDATA[<h3>
	AI-generated content is still acceptable for now.
</h3>

<p>
	Reddit will require accounts that exhibit “automated or otherwise fishy behavior” to verify that a human runs them, Reddit CEO Steve Huffman said in a <a href="https://old.reddit.com/user/spez/comments/1s3ezrc/humans_welcome_bots_must_wear_name_tags/" rel="external nofollow">Reddit post</a> today. The verification process aims to keep unwanted bots from flooding Reddit at a time when AI bots are poised to <a href="https://arstechnica.com/ai/2026/02/increase-of-ai-bots-on-the-internet-sparks-arms-race/" rel="external nofollow">take over the Internet</a>.
</p>

<p>
	 
</p>

<p>
	“As AI becomes a bigger part of the Internet, we want to make sure that when you’re on Reddit, you know when you’re talking to a person and when you’re not,” Huffman said.
</p>

<p>
	 
</p>

<p>
	Human verification will only occur if Reddit suspects that an account is a bot. This is “rare” and won’t apply to “most users,” Huffman emphasized. If the account cannot prove that it’s human, it “may be restricted,” he said.
</p>

<p>
	 
</p>

<p>
	Reddit will check if an account is run by a human by using third-party tools that Huffman said won’t expose users’ true identity, Reddit username, or Reddit activity. Current methods that Reddit is exploring include passkeys, which Huffman said are a great starting point but don’t provide any “proof of individuality or anything other than ‘a human probably did something.’”
</p>

<p>
	 
</p>

<p>
	Reddit is also looking into third-party biometric services, like <a href="https://arstechnica.com/ai/2026/03/world-id-wants-you-to-put-a-cryptographically-unique-human-identity-behind-your-ai-agents/" rel="external nofollow">World ID</a>, which uses iris-scanning tech.
</p>

<p>
	 
</p>

<p>
	“I think the Internet needs verification solutions like this, where your account information, usage data, and identity never mix,” Huffman said.
</p>

<p>
	 
</p>

<p>
	A last resort may be third-party government ID services, which Reddit is already required to use in some geographies, <a href="https://arstechnica.com/tech-policy/2026/02/uk-fines-reddit-for-not-checking-user-ages-aggressively-enough/" rel="external nofollow">like the UK</a>. Huffman said this is “the least secure, least private, and least preferred” method for human verification on Reddit.
</p>

<p>
	 
</p>

<p>
	“When we are forced to do this, we design the integrations so that we never actually see your ID information, so your Reddit data cannot be tied to you,” he added.
</p>

<p>
	 
</p>

<p>
	Additionally, Huffman announced that accounts that use bots in permitted ways will get an App label. Reddit has <a href="https://www.reddit.com/r/redditdev/comments/1s3f3ag/keeping_reddit_human_a_new_app_label_for/" rel="external nofollow">posted information</a> about how developers can get their apps labeled.
</p>

<figure class="ars-wp-img-shortcode id-2147185 align-none">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="An example of the label when viewing Reddit on desktop." class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2026/03/Reddit-1024x720.jpg">
				<div class="pswp-caption-content" id="caption-2147185">
					<em>An example of what the App label will look like when viewing Reddit on desktop. </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Credit: Reddit </em></em>
					</div>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	The announcement comes amid concern from some industry commentators that <a href="https://techcrunch.com/2026/03/19/online-bot-traffic-will-exceed-human-traffic-by-2027-cloudflare-ceo-says/" rel="external nofollow">AI bot traffic online could surpass human traffic</a> soon. Web agents are becoming more prevalent and flocking to social media sites. A relaunched Digg, for example, shut down its open beta after three months due to an “unprecedented bot problem” led by “sophisticated AI agents and automated accounts,” CEO Justin Mezzell <a href="https://digg.com/" rel="external nofollow">said</a> in March.
</p>

<p>
	 
</p>

<p>
	Ensuring that Reddit isn’t overtaken by bots is <a href="https://arstechnica.com/ai/2025/06/reddit-ceo-pledges-site-will-remain-written-by-humans-and-voted-on-by-humans/" rel="external nofollow">in Reddit’s best interest</a> financially. It positions itself to users as a place to have conversations with real people about human topics and points of interest. The social media platform has also been increasingly <a href="https://arstechnica.com/gadgets/2024/04/reddit-sneaky-ai-spam-bots-compete-to-sell-you-stuff/" rel="external nofollow">selling itself to advertisers</a> as a way to push products to real people. And Reddit has made millions by allowing AI companies to <a href="https://arstechnica.com/ai/2024/05/openai-will-use-reddit-posts-to-train-chatgpt-under-new-deal/" rel="external nofollow">train large language models</a> on its years’ worth of human-generated content. Reddit has <a href="https://arstechnica.com/tech-policy/2025/10/reddit-sues-to-block-perplexity-from-scraping-google-search-results/" rel="external nofollow">sued</a> and <a href="https://arstechnica.com/tech-policy/2025/08/reddit-blocks-internet-archive-to-end-sneaky-ai-scraping/" rel="external nofollow">blocked</a> companies that it believes have wrongfully scraped content without paying.
</p>

<p>
	 
</p>

<p>
	Reddit already removes an average of 100,000 accounts per day that use nefarious bots and post spam, per Huffman, who said that the removals often happen before users see the accounts. Reddit also plans to make it easier for Reddit users to report accounts that they think are bots.
</p>

<h2>
	AI-generated content still allowed
</h2>

<p>
	Reddit is exploring ways to limit bots on the platform but refraining from going after humans who employ chatbots to create posts and comments. Reddit hasn’t confirmed how much content on the site is AI-generated, but battling AI slop on Reddit has proven <a href="https://arstechnica.com/gadgets/2025/02/reddit-mods-are-fighting-to-keep-ai-slop-off-subreddits-they-could-use-help/" rel="external nofollow">challenging for moderators</a>, even when subreddits ban the use of generative AI.
</p>

<p>
	 
</p>

<p>
	“We’ll monitor its usage and see what happens as we crack down even more on automated accounts. As always, communities can set their own standards if they want,” Huffman said of AI-generated content.
</p>

<p>
	 
</p>

<p>
	<em>Disclosure: Advance Publications, which owns Ars Technica parent Condé Nast, is the largest shareholder in Reddit.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2026/03/reddit-will-require-fishy-accounts-to-verify-they-are-run-by-a-human/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 26 March 2026 at 12:29 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">34287</guid><pubDate>Thu, 26 Mar 2026 02:30:33 +0000</pubDate></item><item><title>Apple begins age checks in the UK with latest iOS update</title><link>https://nsaneforums.com/news/security-privacy-news/apple-begins-age-checks-in-the-uk-with-latest-ios-update-r34275/</link><description><![CDATA[<h3>
	Move follows government pressure on smartphone makers to do more to protect children online.
</h3>

<p>
	Millions of iPhone owners in the UK will be asked to verify they are over 18 in order to access several Apple services, following pressure from the UK government on smartphone makers to do more to protect children online.
</p>

<p>
	 
</p>

<p>
	The UK is believed to be the first European market where Apple is rolling out its new age controls, which are designed to ensure that only adults can download apps rated on its App Store as being suitable for over-18s.
</p>

<p>
	 
</p>

<p>
	Following an iOS software update that was pushed out on Wednesday, adults who do not verify their age will face restrictions on web browsing, as well as “communication safety” checks to their messages and FaceTime video calls, which are designed to detect nude photos and videos.
</p>

<p>
	 
</p>

<p>
	Many digital services, including social media apps and porn sites, have rolled out age verification in the UK following last year’s introduction of new rules under the Online Safety Act that impose tougher controls on what children can see and do online.
</p>

<p>
	 
</p>

<p>
	App stores and mobile operating systems are not covered by the Online Safety Act, but Ofcom, the UK media and telecoms regulator, welcomed Apple’s move on Wednesday.
</p>

<p>
	 
</p>

<p>
	“Apple’s decision that the UK will be one of the first countries in the world to receive new child safety protections on devices is a real win for children and families,” Ofcom said.
</p>

<p>
	 
</p>

<p>
	The UK government has pushed smartphone makers to do more to block explicit images on phones but has not yet made it mandatory for Apple and Google to do so.
</p>

<p>
	 
</p>

<p>
	However, some British iPhone owners are concerned about potential security and privacy risks associated with the proliferation of age checks.
</p>

<p>
	 
</p>

<p>
	“Myself and everyone I know… are doing everything to bypass these over-reaching age checks,” said one Reddit user in a discussion about Apple’s update. “I definitely do not want to grant my OS permission to decide that I’m happy to share my proven age status, under any situation.”
</p>

<p>
	 
</p>

<p>
	Apple did not respond to a request for comment about which services its new age checks will cover.
</p>

<p>
	 
</p>

<p>
	After upgrading to the latest version of iOS 26.4, iPhone owners in the UK will be presented with several options to prove their age, including checking the credit card stored in their digital wallet or taking a photo of their driving license or passport. Apple can also use the length of time that digital accounts have been active to confirm a customer’s age.
</p>

<p>
	 
</p>

<p>
	After installing the update, an on-screen notice tells users: “UK law requires you to confirm you are an adult to change content restrictions.”
</p>

<p>
	 
</p>

<p>
	Failure to complete the age check will limit which apps the user can access or download, though Apple’s support pages do not specify all of the affected services.
</p>

<p>
	 
</p>

<p>
	“Adults will have to confirm that they’re 18 or older to use certain services or features, or take certain actions on their account,” an Apple support page states.
</p>

<p>
	 
</p>

<p>
	Ofcom said it had “worked closely with Apple” and other services to protect users.
</p>

<p>
	 
</p>

<p>
	“This will build on the strong foundations of the Online Safety Act, from widespread age checks that keep young people away from harmful content, to blocking high-risk sites and stepping up action against child sexual abuse material,” the UK regulator said.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2026/03/apple-begins-age-checks-in-the-uk-with-latest-ios-update/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 26 March 2026 at 5:01 am AEST (my time).</em></span>
</p>


]]></description><guid isPermaLink="false">34275</guid><pubDate>Wed, 25 Mar 2026 19:02:47 +0000</pubDate></item><item><title>TP-Link warns users to patch critical router auth bypass flaw</title><link>https://nsaneforums.com/news/security-privacy-news/tp-link-warns-users-to-patch-critical-router-auth-bypass-flaw-r34274/</link><description><![CDATA[<p>
	TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware.
</p>

<p>
	 
</p>

<p>
	Tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15517" rel="external nofollow" target="_blank">CVE-2025-15517</a>, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.
</p>

<p>
	 
</p>

<p>
	"A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users," TP-Link explained earlier this week when it released security updates that address the vulnerability.
</p>

<p>
	 
</p>

<p>
	"An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations."
</p>
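<p>
	The flaw TP-Link describes is a pattern rather than a one-off: when each CGI handler is responsible for its own session check, a single forgotten check exposes a privileged action. The example below is added here and is not TP-Link's code; the endpoint paths, the session model and the response strings are hypothetical. It contrasts per-handler checks with a dispatcher that denies by default and allowlists the few public endpoints, and includes the probe a tester would run against every known path with no session.
</p>

```python
"""Per-handler auth checks versus deny-by-default dispatch (added example;
endpoint paths and the session model are hypothetical, not TP-Link's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Request:
    path: str
    session: Optional[str] = None  # session token sent by the client, if any


# Constructed: the only session the simulated device considers logged in.
VALID_SESSIONS = {"s3ss10n-admin"}


def is_authenticated(req: Request) -> bool:
    return req.session in VALID_SESSIONS


# --- Vulnerable pattern: every handler must remember to check for itself ---
def vuln_firmware_upload(req: Request) -> str:
    # The check was forgotten here, so anyone who can reach the endpoint can
    # push firmware. Nothing in the dispatcher catches the omission.
    return "200 firmware accepted"


def vuln_config_get(req: Request) -> str:
    if not is_authenticated(req):
        return "403 Forbidden"
    return "200 config"


VULN_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/cgi/firmware_upload": vuln_firmware_upload,
    "/cgi/config_get": vuln_config_get,
}


def vuln_dispatch(req: Request) -> str:
    handler = VULN_ROUTES.get(req.path)
    return handler(req) if handler else "404 Not Found"


# --- Hardened pattern: the dispatcher enforces auth once, deny by default ---
PUBLIC_PATHS = {"/cgi/login"}  # the explicit, reviewed allowlist


def login(req: Request) -> str:
    return "200 login page"


def firmware_upload(req: Request) -> str:
    return "200 firmware accepted"


def config_get(req: Request) -> str:
    return "200 config"


ROUTES: Dict[str, Callable[[Request], str]] = {
    "/cgi/login": login,
    "/cgi/firmware_upload": firmware_upload,
    "/cgi/config_get": config_get,
}


def dispatch(req: Request) -> str:
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404 Not Found"
    # A handler can no longer forget the check: unless its path is on the
    # allowlist, an unauthenticated request never reaches it.
    if req.path not in PUBLIC_PATHS and not is_authenticated(req):
        return "403 Forbidden"
    return handler(req)


def unauthenticated_reachable(dispatch_fn: Callable[[Request], str],
                              paths: Iterable[str]) -> List[str]:
    """Probe each path with no session and report those that served content.
    Anything listed here that is not a deliberately public endpoint is a
    missing-authentication bug of the kind described in the advisory."""
    return [p for p in paths
            if not dispatch_fn(Request(p)).startswith(("403", "404"))]


if __name__ == "__main__":
    print("vulnerable:", unauthenticated_reachable(vuln_dispatch, VULN_ROUTES))
    print("hardened:  ", unauthenticated_reachable(dispatch, ROUTES))
```

<p>
	The probe is the part worth keeping: run it against the full route table in a regression test, and the only paths it may return are the ones on the allowlist. A new handler added without a check then fails the test instead of shipping.
</p>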

<p>
	 
</p>

<p>
	TP-Link also removed a hardcoded cryptographic key (CVE-2025-15605) in the configuration mechanism, which allowed authenticated attackers to decrypt configuration files, modify them, and re-encrypt them.
</p>

<p>
	 
</p>

<p>
	Additionally, it addressed two command injection vulnerabilities (CVE-2025-15518 and CVE-2025-15519) that enable threat actors with admin privileges to execute arbitrary commands.
</p>

<p>
	 
</p>

<p>
	The company "strongly" recommended that customers download and install the latest firmware version to block potential attacks exploiting these flaws.
</p>

<p>
	 
</p>

<p>
	"If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory," it added.
</p>

<p>
	 
</p>

<p>
	In September, TP-Link was <a href="https://www.bleepingcomputer.com/news/security/new-tp-link-zero-day-surfaces-as-cisa-warns-other-flaws-are-exploited/" rel="external nofollow" target="_blank">forced to rush out patches</a> for a zero-day vulnerability impacting multiple router models after failing to release patches following a May 2024 report. The unpatched security flaw allowed attackers to intercept or manipulate unencrypted traffic, reroute DNS queries to malicious servers, and inject malicious payloads into web sessions.
</p>

<p>
	 
</p>

<p>
	CISA added <a href="https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog" rel="external nofollow" target="_blank">two other TP-Link flaws</a> (CVE-2023-50224 and CVE-2025-9377) to its Known Exploited Vulnerabilities catalog in September, which the Quad7 botnet has been exploiting to compromise vulnerable routers.
</p>

<p>
	 
</p>

<p>
	In total, the U.S. cybersecurity agency has <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=TP-Link" rel="external nofollow" target="_blank">flagged six TP-Link vulnerabilities</a> as exploited in attacks, the oldest being a directory traversal vulnerability (CVE-2015-3035) affecting multiple Archer devices.
</p>

<p>
	 
</p>

<p>
	Texas Attorney General Paxton <a href="https://www.bleepingcomputer.com/news/security/texas-sues-tp-link-over-chinese-hacking-risks-user-deception/" rel="external nofollow" target="_blank">sued TP-Link Systems</a> in February, accusing the company of deceptively promoting its routers as secure while allowing Chinese state-sponsored hacking groups to exploit firmware vulnerabilities and access users' devices.
</p>

<p>
	 
</p>

<p>
	This week, the U.S. Federal Communications Commission has also updated its Covered List to include all consumer routers made in foreign countries, <a href="https://www.bleepingcomputer.com/news/security/fcc-bans-new-routers-made-outside-the-usa-over-security-risks/" rel="external nofollow" target="_blank">banning the sale of new routers made outside the U.S.</a> due to an "unacceptable risk to the national security."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/tp-link-warns-users-to-patch-critical-router-auth-bypass-flaw/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 26 March 2026 at 5:01 am AEST (my time).</em></span>
</p>


]]></description><guid isPermaLink="false">34274</guid><pubDate>Wed, 25 Mar 2026 19:01:38 +0000</pubDate></item><item><title>FCC bans new routers made outside the USA over security risks</title><link>https://nsaneforums.com/news/security-privacy-news/fcc-bans-new-routers-made-outside-the-usa-over-security-risks-r34267/</link><description><![CDATA[<p>
	The Federal Communications Commission has updated its Covered List to include all consumer routers made in foreign countries, banning the sale of new models in the U.S.
</p>

<p>
	 
</p>

<p>
	The Covered List, created under the Secure and Trusted Communications Networks Act of 2019, is an FCC-maintained list of communications equipment and services that the U.S. government has determined to pose an unacceptable risk to national security or the safety of Americans.
</p>

<p>
	 
</p>

<p>
	The list previously included specific <a href="http://docs.fcc.gov/public/attachments/DA-26-278A1.pdf" rel="external nofollow">products and companies</a> tied to security concerns, such as Kaspersky, Huawei, ZTE, Hikvision, and Dahua.
</p>

<p>
	 
</p>

<p>
	Adding all routers manufactured abroad to the Covered List follows a <a href="https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf" rel="external nofollow">National Security Determination</a> issued on March 20 by an Executive Branch interagency body.
</p>

<p>
	 
</p>

<p>
	According to the assessment, foreign-produced routers carry a supply-chain risk "that could disrupt the U.S. economy, critical infrastructure, and national defense." The agency determined that these devices could also be used "to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons."
</p>

<p>
	 
</p>

<p>
	In support of the decision, the <a href="https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf" rel="external nofollow">FCC highlights</a> that foreign-made routers helped the <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-critical-infrastructure-in-stealthy-attacks/" rel="external nofollow">Volt</a>, <a href="https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/" rel="external nofollow">Flax</a>, and <a href="https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/" rel="external nofollow">Salt Typhoon</a> hackers carry out attacks that targeted vital U.S. infrastructure.
</p>

<p>
	 
</p>

<p>
	<img alt="carr.png" class="ipsImage" data-ratio="96.95" height="540" width="490" src="https://www.bleepstatic.com/images/news/u/1220909/2026/March/carr.png">
</p>

<h3>
	Exemptions and alternative approval path
</h3>

<p>
	Conditional approval <a href="https://docs.fcc.gov/public/attachments/DA-26-286A1.pdf" rel="external nofollow" target="_blank">has been granted</a> to certain routers used in the U.S. Department of War (DoW) or the Department of Homeland Security (DHS) for drone systems, which have been determined not to constitute a security risk.
</p>

<p>
	 
</p>

<p>
	Also, the new rules do not bar foreign consumer-grade router makers from <a href="https://www.fcc.gov/sites/default/files/Guidance-for-Conditional-Approvals-Submissions0326.pdf" rel="external nofollow" target="_blank">seeking approval in the U.S.</a>, as long as they transparently disclose:
</p>

<p>
	 
</p>

<ul>
	<li>
		Corporate and ownership structure, including any foreign government financial support and influence.
	</li>
	<li>
		Manufacturing and supply chain details, including bill of materials, country of origin for all components, IP ownership details, manufacturing and assembly locations, and origin of software/firmware.
	</li>
	<li>
		Plan to move critical components manufacturing to the United States, and provide a description of existing U.S.-based manufacturing or assembly processes.
	</li>
</ul>

<h3>
	Consumer impact
</h3>

<p>
	For regular consumers in the United States, the new rules are expected to have no immediate effect, as all existing routers will continue to be sold in the country.
</p>

<p>
	 
</p>

<p>
	For Unmanned Aircraft Systems (UAS) and their critical components, the FCC noted that it will allow software and firmware updates until at least January 1, 2027.
</p>

<p>
	 
</p>

<p>
	Access to new router models for U.S.-based consumers may become more difficult, and the devices may also become more expensive, as the regulatory approval process adds extra complications and costs.
</p>

<p>
	 
</p>

<p>
	Testing, approvals, and FCC certification typically take a couple of months even when all conditions are met, which in some cases might delay a product's entry into the U.S. market.
</p>

<p>
	 
</p>

<p>
	Some manufacturers may also decide that the alternative certification pathway is not worth the effort - particularly due to the onshoring requirement - and exit the U.S. market, reducing model availability.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fcc-bans-new-routers-made-outside-the-usa-over-security-risks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 25 March 2026 at 12:59 pm AEST (my time).</em></span>
</p>


]]></description><guid isPermaLink="false">34267</guid><pubDate>Wed, 25 Mar 2026 03:01:18 +0000</pubDate></item><item><title>Open-source software has an invisible vulnerability. Hackers have found it</title><link>https://nsaneforums.com/news/security-privacy-news/open-source-software-has-an-invisible-vulnerability-hackers-have-found-it-r34223/</link><description><![CDATA[<p>
	<span style="font-size:16px;">A cybercrime campaign called GlassWorm is hiding malware in invisible characters and spreading it through software that millions of developers rely on</span>
</p>

<p>
	 
</p>

<p>
	The danger in the code came from characters that are invisible to the human eye. In early March researchers at several security firms examined what looked like empty space and found hidden Unicode characters that decoded into a malicious program. Investigators soon traced hundreds of compromised open-source components spread across GitHub, npm and other major developer platforms to a cybercrime campaign known as GlassWorm that has been ongoing for months.
</p>

<p>
	 
</p>

<p>
	GlassWorm attacks some foundational assumptions of modern software development: that code you can read is code you can trust, that shared infrastructure is safe by default and that the people who maintain open-source projects can reliably catch what’s wrong before it ships. Because today’s applications are assembled from borrowed code, one poisoned package can spread far beyond the project where it first appeared.
</p>

<p>
	 
</p>

<p>
	Justin Cappos, a professor of computer science at New York University, who studies software supply-chain security, likens the attack to a typewriter hiding a second message in plain sight. “Imagine if, instead of just printing the character in black ink, maybe it used different amounts of blue and red and green ink in a really subtle way,” he says. “So it looked kind of black, but it wasn’t quite black. A human looking at something like this isn’t going to spot anything because the extra information is hidden.”
</p>

<p>
	 
</p>

<p>
	The idea of weaponizing invisible characters isn’t new. In 2021 researchers at the University of Cambridge identified a class of attacks they called “Trojan Source,” which exploited Unicode, the standard that computers use to represent text and symbols. They warned that “downstream software will likely inherit the vulnerability.”
</p>

<p>
	 
</p>

<p>
	GlassWorm works in a similar way. Attackers submit what appear to be small fixes to open-source software. The changes look consistent with the surrounding code but contain invisible characters. “Typically, one line at the bottom says, ‘Hey, look through the file itself and pull out all the hidden information and do something sneaky with it,’” Cappos says.
</p>
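<p>
	The check that defeats this is mechanical: characters that render as nothing have no business in source code, so a scanner that flags them line by line catches the "empty space" before a human reviewer has to notice it. The scanner below is added here and is not code from the Scientific American article, from Cappos, or from any of the firms it cites. It flags three classes: the explicit bidi controls behind Trojan Source, Unicode variation selectors (which a format-category check alone would miss), and the remaining format characters such as zero-width joiners and the Tags block. The sample JavaScript is constructed for the example, and the Tags-block trick used to build it is a stand-in for a hidden-text encoding, not a claim about how GlassWorm encodes its payload.
</p>

```python
"""Flag invisible Unicode characters in source text (added example; the
sample file and the Tags-block encoding used to build it are constructed
here and are not GlassWorm's code or its real encoding scheme)."""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Explicit bidi controls (the Trojan Source characters) get their own label
# because they reorder how surrounding code is displayed, not just hide data.
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}
# Variation selectors are category Mn, not Cf, so a category check alone
# would miss them; they attach to the previous glyph and draw nothing.
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


@dataclass
class Finding:
    line: int
    col: int
    codepoint: int
    name: str
    kind: str  # "bidi", "variation-selector" or "format"


def classify(ch: str) -> Optional[str]:
    """Return which kind of invisible character ch is, or None if visible."""
    cp = ord(ch)
    if cp in BIDI_CONTROLS:
        return "bidi"
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES):
        return "variation-selector"
    # Cf covers zero-width joiners/spaces, the BOM, the soft hyphen and the
    # whole Tags block (U+E0000..U+E007F); none of them produce a glyph.
    if unicodedata.category(ch) == "Cf":
        return "format"
    return None


def scan_source(text: str) -> List[Finding]:
    findings: List[Finding] = []
    # Split on "\n" only: str.splitlines() would also split on U+2028/U+2029,
    # and those are exactly the kind of character we want to report in place.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            if kind is not None:
                findings.append(Finding(lineno, col, ord(ch),
                                        unicodedata.name(ch, "<unnamed>"), kind))
    return findings


def is_clean(text: str) -> bool:
    return not scan_source(text)


def hide_ascii_in_tags(payload: str) -> str:
    """Constructed stand-in for a hidden-text encoding: each ASCII character is
    shifted into the invisible Tags block, so the result renders as nothing."""
    return "".join(chr(0xE0000 + ord(c)) for c in payload)


# Constructed sample: a harmless JavaScript snippet with three hidden items.
# On screen a reader sees an ordinary comment, a plain string and a lone 'a'.
SAMPLE_JS = (
    "function add(a, b) {\n"
    "  return a + b; // " + hide_ascii_in_tags("alert(1)") + "\n"
    "}\n"
    "const label = 'user\u202Eadmin';\n"
    "const v = 'a\U000E0100';\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"{f.line}:{f.col} U+{f.codepoint:04X} {f.name} [{f.kind}]")
```

<p>
	Run over the sample, the scanner reports eight Tags-block characters hiding in the comment on line 2, the right-to-left override inside the string on line 4 and the variation selector on line 5. In a pre-commit hook or CI step the useful policy is to fail on any finding and make legitimate uses (an emoji with its U+FE0F selector in a README, say) opt in per file rather than silently allowed.
</p>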

<p>
	 
</p>

<p>
	What makes the GlassWorm campaign potent is the way it exploits software’s dependency structure. “Let’s say you wanted to make a web browser,” Cappos says. “You don’t want to have to write the code to display an image yourself.” Instead applications rely on libraries of prewritten code, which in turn automatically import dozens more. Any one of them can be poisoned. “The attacker will use the malicious software not to put malware in the program they’ve compromised but to say, ‘Hey, in order for me to work, I need some building block from over here,’” Cappos explains. “And that building block is the one that has the malware.”
</p>

<p>
	 
</p>

<p>
	The March 2026 wave was notable for both scale and sophistication. Between March 3 and March 9, cybersecurity companies Aikido, StepSecurity and Socket traced GlassWorm activity across hundreds of repositories and extensions. The infections spanned JavaScript, TypeScript and Python repositories. And by March 16, two previously clean packages with roughly 135,000 monthly downloads had been infected.
</p>

<p>
	 
</p>

<p>
	The attackers behind GlassWorm are in it for the money. Once the hidden code runs, it downloads secondary scripts designed to steal cryptocurrency tokens, developer credentials and other secrets. “These often are professional cybercriminal gangs,” Cappos says. “They’re making tons of money.”
</p>

<p>
	 
</p>

<p>
	Their success exposes a deeper problem. The field of software supply-chain security has been, in Cappos’s view, “very much overlooked for a long period of time.” Nation-state actors have exploited it for more than a decade, he says, and now cybercriminals have woken up to the opportunity. But the real failure, he argues, is not careless maintainers of open-source code—it’s inadequate security tools. “I think the really easy thing to do is to try to blame the maintainers, but that’s a bit shortsighted,” he says. “Tooling and security protections need to get better to save us.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.scientificamerican.com/article/glassworm-malware-hides-in-invisible-open-source-code/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">34223</guid><pubDate>Sun, 22 Mar 2026 19:51:59 +0000</pubDate></item><item><title>US Takes Down Botnets Used in Record-Breaking Cyberattacks</title><link>https://nsaneforums.com/news/security-privacy-news/us-takes-down-botnets-used-in-record-breaking-cyberattacks-r34192/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>The Aisuru, Kimwolf, JackSkid, and Mossad botnets had infected more than 3 million devices in total, many inside home networks, according to the US Justice Department.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>The collections of</strong> millions of hacked computers known as Aisuru and Kimwolf have been used to launch some of the biggest distributed denial-of-service (DDoS) attacks ever seen. Now United States law enforcement agencies have wiped both of them off the internet, along with two of the other hordes of hijacked computers—known as botnets—in a single broad takedown.
</p>

<p>
	 
</p>

<p>
	On Thursday, the US Department of Justice, working with the cybercrime-fighting agency within the US Department of Defense known as the Defense Criminal Investigative Service, announced that it had dismantled four massive botnets in a single operation, removing the command-and-control servers used to commandeer the hacker-run armies of compromised devices known by the names JackSkid, Mossad, Aisuru, and Kimwolf. Together, operators of the four botnets had amassed more than 3 million devices, the Justice Department said, and often sold access to those devices to other criminal hackers as well as using them to target victims with overwhelming floods of attack traffic to knock websites and internet services offline.
</p>

<p>
	 
</p>

<p>
	Aisuru and Kimwolf, a distinct but Aisuru-related botnet, had together comprised more than a million devices, according to DDoS defense firm Cloudflare, with Aisuru infecting a variety of devices ranging from DVRs to network appliances to webcams, and its Kimwolf offshoot infecting Android devices including smart TVs and set-top boxes. Cloudflare says the two botnets, working in conjunction, carried out a cyberattack against a Cloudflare customer last November that reached more than 30 terabits of data per second, nearly three times the size of the previous biggest such attack.
</p>

<p>
	No arrests were immediately announced along with the takedowns, but a Justice Department statement noted that the US government was collaborating with Canadian and German authorities, “which targeted individuals who operated these botnets.”
</p>

<p>
	 
</p>

<p>
	“The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live,” US attorney Michael J. Heyman wrote in a statement.
</p>

<p>
	 
</p>

<p>
	Of the four botnets taken out in the operation, Aisuru had gained the most notoriety, thanks to a series of record-breaking or near-record cyberattacks it carried out last fall. The botnet, whose use was rented out like many such “booter” services offering their brute-force disruptive capabilities to anyone willing to pay, has been used most visibly against gaming services like Minecraft and independent cybersecurity journalist Brian Krebs. Krebs, who has extensively investigated the botnet underground and Aisuru in particular, came under repeated attack from the botnet last year.
</p>

<p>
	 
</p>

<p>
	Then in November, Cloudflare absorbed a record-breaking combined attack from Aisuru and Kimwolf that lasted only 35 seconds but reached 31.4 terabits per second, a volume of attack traffic close to triple the size of any seen before. (The company hasn't revealed which of its customers was hit with that attack.)
</p>

<p>
	 
</p>

<p>
	In a report on the state of the DDoS ecosystem, Cloudflare described the maximum attack traffic of the combined Aisuru and Kimwolf botnets as equivalent to “the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.” The botnet was capable, Cloudflare’s analysts wrote, of “launching DDoS attacks that can cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”
</p>

<p>
	 
</p>

<p>
	In fact, all four botnets disrupted by the US operation were variants of Mirai, an internet-of-things botnet that first appeared in 2016, broke records at the time for the size of the cyberattacks it enabled, and eventually was used in an attack on the domain-name service provider Dyn that took down 175,000 websites simultaneously for much of the United States. Mirai's code base has since served as the starting point for a decade of other internet-of-things botnets.
</p>

<p>
	 
</p>

<p>
	The four botnets targeted by the US in Thursday's takedown had all evolved new techniques that let them infect types of devices that even Mirai had never managed to access. Kimwolf in particular took advantage of cheap internet-connected gadgets that acted as “residential proxies” that—often unbeknownst to their owners—let hackers pivot into users' home networks to compromise devices that are typically protected behind a home router, says Chad Seaman, a principal security researcher at networking firm Akamai. “It really shook the foundations of what we considered to be a secure home network,” Seaman says.
</p>

<p>
	 
</p>

<p>
	Seaman notes that cybersecurity researchers and law enforcement had engaged in a monthslong cat-and-mouse game with the botnet operators. At times, he says, the operators used innovative tricks like moving the domain name resolution for their infrastructure onto the Ethereum blockchain to prevent the hijacking of their command-and-control servers.
</p>

<p>
	 
</p>

<p>
	Regardless of the results of Thursday's takedown, Seaman says he's seen enough generations of DDoS operators—going back to Mirai itself—to know that even if these four botnets have been permanently dismantled, other hackers will no doubt rebuild new, massive collections of hacked machines to take their place.
</p>

<p>
	 
</p>

<p>
	“The cat-and-mouse game continues. You catch one mouse, and 10 others scurry under the refrigerator,” he says. “The cats will prioritize the fat mice. But it's a long game.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/us-takes-down-botnets-used-in-record-breaking-cyberattacks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">34192</guid><pubDate>Fri, 20 Mar 2026 11:12:44 +0000</pubDate></item><item><title>US Takes Down Botnets Used in Record-Breaking Cyberattacks</title><link>https://nsaneforums.com/news/security-privacy-news/us-takes-down-botnets-used-in-record-breaking-cyberattacks-r34184/</link><description><![CDATA[<h3>
	The Aisuru, Kimwolf, JackSkid, and Mossad botnets had infected more than 3 million devices in total, many inside home networks, according to the US Justice Department.
</h3>

<p>
	<span class="lead-in-text-callout">The collection of</span> millions of hacked computers known as Aisuru and Kimwolf have been used to launch some of the biggest <a class="link" href="https://www.wired.com/tag/ddos/" rel="external nofollow">distributed denial-of-service (DDoS) attacks</a> ever seen. Now United States law enforcement agencies have wiped both of them off the internet, along with two of the other hordes of hijacked computers—known as botnets—in a single broad takedown.
</p>

<p>
	 
</p>

<p>
	On Thursday, the US Department of Justice, working with the cybercrime-fighting agency within the US Department of Defense known as the Defense Criminal Investigative Service, announced that it had dismantled four massive botnets in a single operation, removing the command-and-control servers used to commandeer the hacker-run armies of compromised devices known by the names JackSkid, Mossad, Aisuru, and Kimwolf. Together, operators of the four botnets had amassed more than 3 million devices, the Justice Department said, and often sold access to those devices to other criminal hackers as well as using them to target victims with overwhelming floods of attack traffic to knock websites and internet services offline.
</p>

<p>
	 
</p>

<p>
	Aisuru and Kimwolf, a distinct but Aisuru-related botnet, had together comprised more than a million devices, <a href="https://blog.cloudflare.com/ddos-threat-report-2025-q4/" rel="external nofollow" target="_blank">according to DDoS defense firm Cloudflare</a>, with Aisuru infecting a variety of devices ranging from DVRs to network appliances to webcams, and its Kimwolf offshoot infecting Android devices including smart TVs and set-top boxes. Cloudflare says the two botnets, working in conjunction, carried out a cyberattack against a Cloudflare customer last November that reached more than 30 terabits of data per second, nearly three times the size of the previous biggest such attack.
</p>

<p>
	 
</p>

<p>
	No arrests were immediately announced along with the takedowns, but a Justice Department statement noted that the US government was collaborating with Canadian and German authorities, “which targeted individuals who operated these botnets.”
</p>

<p>
	 
</p>

<p>
	“The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live,” US attorney Michael J. Heyman wrote in a statement.
</p>

<p>
	 
</p>

<p>
	Of the four botnets taken out in the operation, Aisuru had gained the most notoriety, thanks to a series of record-breaking or near-record cyberattacks it carried out last fall. The botnet, whose use was rented out like many such “booter” services offering their brute-force disruptive capabilities to anyone willing to pay, has been used most visibly against gaming services like <em>Minecraft</em> and independent cybersecurity journalist Brian Krebs. Krebs, who has extensively investigated the botnet underground and Aisuru in particular, <a href="https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/" rel="external nofollow" target="_blank">came under repeated attack</a> from the botnet last year.
</p>

<p>
	 
</p>

<p>
	Then in November, Cloudflare absorbed a record-breaking combined attack from Aisuru and Kimwolf that lasted only 35 seconds but reached 31.4 terabits per second, a volume of attack traffic close to triple the size of any seen before. (The company hasn't revealed which of its customers was hit with that attack.)
</p>

<p>
	 
</p>

<p>
	In a <a href="https://blog.cloudflare.com/ddos-threat-report-2025-q4/" rel="external nofollow" target="_blank">report</a> on the state of the DDoS ecosystem, Cloudflare described the maximum attack traffic of the combined Aisuru and Kimwolf botnets as equivalent to “the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.” The botnet was capable, Cloudflare’s analysts wrote, of “launching DDoS attacks that can cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”
</p>

<p>
	 
</p>

<p>
	In fact, all four botnets disrupted by the US operation were variants of <a class="link" href="https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/" rel="external nofollow">Mirai</a>, an internet-of-things botnet that first appeared in 2016, broke records at the time for the size of the cyberattacks it enabled, and eventually was used in an attack on the domain-name service provider Dyn that took down 175,000 websites simultaneously for much of the United States. Mirai's code base has since served as the starting point for a decade of other internet-of-things botnets.
</p>

<p>
	 
</p>

<p>
	The four botnets targeted by the US in Thursday's takedown had all evolved new techniques that let them infect types of devices that even Mirai had never managed to access. Kimwolf in particular took advantage of cheap internet-connected gadgets that acted as “<a href="https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/" rel="external nofollow" target="_blank">residential proxies</a>” that—often unbeknownst to their owners—let hackers pivot into users' home networks to compromise devices that are typically protected behind a home router, says Chad Seaman, a principal security researcher at networking firm Akamai. “It really shook the foundations of what we considered to be a secure home network,” Seaman says.
</p>
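<p>
	As an added illustration (this is not code from Wired, Akamai, or any of the analyses cited above), the following Python snippet shows the kind of check a home-network or SOC analyst could run over flow records to spot a proxy-hosting gadget fanning out to other LAN hosts, which is the traffic pattern the pivot described above would produce. The sample flow lines, the port list and the thresholds are constructed assumptions, not indicators published for Kimwolf or Aisuru.
</p>

```python
"""Flag LAN hosts that contact many internal peers on device-management ports
within a short window. Constructed example: the sample flows, port list and
thresholds are assumptions, not indicators published for Kimwolf or Aisuru."""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: ports that consumer IoT and Android-based gadgets commonly expose on a LAN.
MGMT_PORTS = {22, 23, 2323, 5555, 8080}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (ts = Unix seconds). 192.168.1.50 plays a smart TV that is
# being used as a proxy and is sweeping its neighbours; 192.168.1.20 is an ordinary laptop.
SAMPLE_FLOWS = """ts,src,dst,dport
1000,192.168.1.20,93.184.216.34,443
1001,192.168.1.20,192.168.1.1,8080
1010,192.168.1.50,192.168.1.1,23
1012,192.168.1.50,192.168.1.10,23
1015,192.168.1.50,192.168.1.11,5555
1020,192.168.1.50,192.168.1.12,2323
1030,192.168.1.50,192.168.1.13,22
1040,192.168.1.50,203.0.113.7,443
"""


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_lan_scanners(flow_csv: str, min_peers: int = 5, window_s: int = 600) -> dict:
    """Return {src: set_of_internal_dsts} for every internal source that reached
    at least min_peers distinct internal hosts on MGMT_PORTS inside window_s seconds."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dport"]) not in MGMT_PORTS:
            continue
        # only LAN-to-LAN traffic matters for a pivot; outbound proxy traffic is ignored here
        if not (is_private(row["src"]) and is_private(row["dst"])):
            continue
        events[row["src"]].append((int(row["ts"]), row["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_s seconds
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= min_peers:
                hits[src] = peers
                break
    return hits


if __name__ == "__main__":
    for src, peers in find_lan_scanners(SAMPLE_FLOWS).items():
        print(f"{src} swept {len(peers)} internal hosts on management ports: {sorted(peers)}")
```

<p>
	The thresholds are deliberately conservative: a laptop that touches one router admin port is not flagged, while a device that reaches five internal hosts on telnet, SSH or ADB-style ports inside ten minutes is. Tune the port list and window to what your own LAN actually runs before relying on it.
</p>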

<p>
	 
</p>

<p>
	Seaman notes that cybersecurity researchers and law enforcement had engaged in a monthslong cat-and-mouse game with the botnet operators. At times, he says, the operators used innovative tricks like moving the domain name resolution for their infrastructure onto the Ethereum blockchain to prevent the hijacking of their command-and-control servers.
</p>

<p>
	 
</p>

<p>
	Regardless of the results of Thursday's takedown, Seaman says he's seen enough generations of DDoS operators—going back to Mirai itself—to know that even if these four botnets have been permanently dismantled, other hackers will no doubt rebuild new, massive collections of hacked machines to take their place.
</p>

<p>
	 
</p>

<p>
	“The cat-and-mouse game continues. You catch one mouse, and 10 others scurry under the refrigerator,” he says. “The cats will prioritize the fat mice. But it's a long game.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/us-takes-down-botnets-used-in-record-breaking-cyberattacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 20 March 2026 at 12:58 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">34184</guid><pubDate>Fri, 20 Mar 2026 02:58:53 +0000</pubDate></item><item><title>Google wants your entire medical history for its new Fitbit AI coach</title><link>https://nsaneforums.com/news/security-privacy-news/google-wants-your-entire-medical-history-for-its-new-fitbit-ai-coach-r34164/</link><description><![CDATA[<h3>
	Google is updating its Fitbit health coach AI assistant to integrate with your personal health records.
</h3>

<p>
	Users' health data has always been a precious resource for tech companies. And they’re constantly coming up with new ways to acquire it. The most recent trend across the industry has been to allow users to hand over their health records to AI for personalized recommendations. Anthropic is<a automate_uuid="f2130937-c252-4071-ba54-c4b0a6b56ec6" href="https://www.neowin.net/news/claude-can-now-read-your-health-data-and-give-you-personalized-insights/" rel="external nofollow"> </a>already doing this with <a automate_uuid="304a994c-f32f-45a1-a159-3b282e68c7e6" href="https://www.neowin.net/news/claude-can-now-read-your-health-data-and-give-you-personalized-insights/" rel="external nofollow">Claude Health</a>, and now Google is catching up with newly announced updates for its Fitbit health coach.
</p>

<p>
	 
</p>

<p>
	Google recently held its annual health event, The Check Up, where it revealed its plans to roll out support for Fitbit’s integration with users' personal medical records. Starting next month, for users in the United States, the Fitbit app will allow you to link your complete medical background. Doing this provides users with “a fuller picture of [their] health, including [their] lab results, medications and visit history, all in one place and under [their] control.”
</p>

<p>
	 
</p>

<p>
	This data will be fed directly to the Fitbit personal health coach,<a automate_uuid="758753ad-b853-497e-84d7-09c6f9798292" href="https://www.neowin.net/news/fitbits-ai-driven-redesign-lands-tomorrow-for-premium-users/" rel="external nofollow"> </a>which is a Gemini-powered AI assistant <a automate_uuid="5c3d69c0-36fb-4d2a-91cd-bb5b02d42a35" href="https://www.neowin.net/news/fitbits-ai-driven-redesign-lands-tomorrow-for-premium-users/" rel="external nofollow">integrated into the Fitbit app</a>. Once you link your medical data to Fitbit, you can ask it questions like “How can I improve my cholesterol?” The coach can also give you health summaries, recommendations, and more.
</p>

<figure class="image image--expandable">
	<img alt="Fibit personal health coach" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2026/03/1773827552_fitbit_health_coach_medial_records.webp">
	<figcaption>
		<p>
			<em>Fitbit health coach with access to medical records</em>
		</p>

		<p>
			<em>Image: Google</em>
		</p>
	</figcaption>
</figure>

<p>
	To make this possible, Google is partnering with third-party services like b.well and CLEAR. To link your health data to Fitbit, you can search for your healthcare provider and link to your profile. Since medical data is sensitive information, integrating it into Fitbit will require users to also provide an ID and a selfie. Essentially, if you want to chat with the Fitbit coach about your health, you’ll have to give Google insight into your entire identity.
</p>

<p>
	 
</p>

<p>
	Besides this integration, Google is also introducing some much-needed accuracy improvements for basic wellness tracking. It updated Fitbit's sleep tracking models so the app can better tell if you are actually sleeping or just lying awake. Additionally, for users concerned about metabolic health, the platform is adding direct support for continuous glucose monitors through Health Connect.
</p>

<p>
	 
</p>

<p>
	Google is rolling out these changes for Public Preview users starting next month. You can check out the full announcement post on <a automate_uuid="8c86d124-0f9e-430f-82cb-caeaa014f6d6" href="https://blog.google/products-and-platforms/devices/fitbit/fitbit-personal-health-coach-updates-2026/" rel="external nofollow">Google’s blog</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-wants-your-entire-medical-history-for-its-new-fitbit-ai-coach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 19 March 2026 at 4:46 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34164</guid><pubDate>Wed, 18 Mar 2026 18:47:40 +0000</pubDate></item><item><title>Users hate it, but age-check tech is coming. Here&#x2019;s how it works.</title><link>https://nsaneforums.com/news/security-privacy-news/users-hate-it-but-age-check-tech-is-coming-here%E2%80%99s-how-it-works-r34163/</link><description><![CDATA[<h3>
	On-device face scans and cross-platform age keys decrease privacy risks, but trust issues abound.
</h3>

<p>
	Last month, Discord <a href="https://discord.com/blog/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing" rel="external nofollow">quickly backpedaled</a> after it announced that an age-verification system would roll out globally.
</p>

<p>
	 
</p>

<p>
	Discord’s reversal followed a widespread user backlash, which also <a href="https://arstechnica.com/tech-policy/2026/02/discord-and-persona-end-partnership-after-shady-uk-age-test-sparks-outcry/" rel="external nofollow" target="_blank">intensified scrutiny of the platform’s age-check</a> <a href="https://arstechnica.com/tech-policy/2026/02/discord-and-persona-end-partnership-after-shady-uk-age-test-sparks-outcry/" rel="external nofollow">partners</a>. Suddenly, these often-overlooked players in the “age-assurance” ecosystem had to defend their tech or risk losing major contracts.
</p>

<p>
	 
</p>

<p>
	The whole saga shined a harsh spotlight on the current problems with age-verification tech—and on the technical solutions aiming to make the whole process both secure and private.
</p>

<h2>
	Discordant
</h2>

<p>
	Discord users had reason for suspicion after a data breach last fall in which a <a href="https://arstechnica.com/security/2025/10/discord-says-hackers-stole-government-ids-of-70000-users/" rel="external nofollow" target="_blank">former age-check partner leaked the government IDs of 70,000 users</a>. Though Discord claimed that, in the future, most users could verify their age without any data leaving their devices, trust had eroded.
</p>

<p>
	 
</p>

<p>
	Discord’s initial announcement also left questions unanswered, such as, “What companies will actually be handling the age check process?” Users had to dig to learn that the technology was built by Privately SA, which isn’t listed as a <a href="https://support.discord.com/hc/en-us/articles/30326565624343-How-to-Complete-Age-Assurance-on-Discord" rel="external nofollow">partner on Discord’s site</a> but does work with a Discord partner named k-ID. (Users had previously criticized Discord for removing a disclaimer about an undisclosed age-check vendor called Persona, which Discord quickly announced it had dropped amid backlash following a brief test in the United Kingdom.)
</p>

<p>
	 
</p>

<p>
	But the bigger concern was that IDs would still be collected whenever facial age estimation—an approach that can be unreliable—failed. Most IDs would be deleted immediately, Discord claimed, but skeptical users had heard that line before. Many worried that collecting more IDs could make the company’s partners a more attractive target for hackers.
</p>

<p>
	 
</p>

<p>
	As some users debated the likelihood of another breach, others began hacking away at some of the technology Discord was using, including attempting to breach systems built by Persona and Privately. Their attacks, which the companies told Ars were intense and spanned days, were largely unsuccessful, but they put Discord’s age-check partners on high alert.
</p>

<p>
	 
</p>

<p>
	Ultimately, Discord saw the chaos its announcement created and chose to delay the launch of the age-verification system until later this year, <a href="https://discord.com/blog/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing" rel="external nofollow">acknowledging</a> that the company “got it wrong.”
</p>

<p>
	 
</p>

<p>
	“Let me be upfront: we knew this rollout was going to be controversial,” Stanislav Vishnevskiy, Discord’s chief technology officer, wrote. “Any time you introduce something that touches identity and verification, people are going to have strong feelings. Rightfully so. In hindsight, we should have provided more detail about our intentions and how the process works.”
</p>

<p>
	 
</p>

<p>
	Vishnevskiy said that 90 percent of users will never have to complete an age check when the system rolls out. He also said Discord would publish a technical blog before launch explaining how its internal safety systems determine age for most users.
</p>

<p>
	 
</p>

<p>
	Discord also vowed to be more transparent about age-check partners, with Vishnevskiy agreeing that “you shouldn’t have to guess who’s handling your information.”
</p>

<p>
	 
</p>

<p>
	Finally, Vishnevskiy confirmed that Discord will only work with age-check partners, such as Privately, that offer on-device face scans.
</p>

<p>
	 
</p>

<p>
	“We’ve set a new bar for any partner offering facial age estimation, including that it must be performed entirely on-device, meaning your biometric data never leaves your phone,” Vishnevskiy said.
</p>

<p>
	 
</p>

<p>
	Discord declined Ars’ request for comment. But it’s not the only platform facing scrutiny as laws around the world increasingly mandate age checks. Critics worry that age restrictions will limit access to speech and make it harder to maintain anonymity. In the US, many laws require age checks for users to access adult content. And amid heightening fears of child social media addiction, more laws are requiring platforms to block minors under a certain age. Most recently, <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043" rel="external nofollow">California passed a law</a> forcing operating system providers to block minors from downloading apps with adult content.
</p>

<p>
	 
</p>

<p>
	Tech companies are scrambling to build solutions. Ars confirmed with a National Institute of Standards and Technology (NIST) researcher that in the past two years, the number of developers submitting facial age-estimation prototypes for evaluation has increased four-fold, from six to 23.
</p>

<p>
	 
</p>

<p>
	Age-check providers told Ars that Discord’s recent controversy offers a glimpse of the privacy fights likely to play out across the broader age-verification ecosystem as new laws take effect and unfamiliar technologies roll out. Some vendors now expect that any new product launch or partnership will bring scrutiny—and attempts by disgruntled users and determined hackers to probe their systems.
</p>

<h2>
	Privately
</h2>

<p>
	Every expert Ars spoke to agreed that users have good reason to distrust age checks, which require sharing sensitive information without always knowing who can access that data. Some skeptical users question whether an on-device approach is even technically feasible.
</p>

<p>
	 
</p>

<p>
	But <a href="https://www.privately.eu/solutions/multi-modal-age-estimation" rel="external nofollow">Privately claims on its website</a> that its facial age estimation technology’s “secret sauce is our ability to run very performant models on the user device or user browser to implement a privacy-centric solution.” Developers can also access guides that explain how the company’s FaceAssure system analyzes “patterns on faces” to estimate ages using “complex statistical rules derived via Deep Learning methods.”
</p>

<p>
	 
</p>

<p>
	However, several demos that might help the average Discord user learn more about the technology were recently taken down. Privately CEO Deepak Tewari told Ars that the demos were removed as a precaution when k-ID and Privately both “faced an attack by hackers on our age-estimation systems on the back of the Discord announcements planning to go global.”
</p>

<p>
	 
</p>

<p>
	“We had a couple of days of intense attempts to try and breach our systems, but these attempts were thwarted, and the attack lost momentum,” Tewari said.
</p>

<p>
	 
</p>

<p>
	Tewari told Ars that the hackers gave up after eventually realizing that any breach or bypass could be quickly patched because everything Privately does happens on-device.
</p>

<p>
	 
</p>

<p>
	With FaceAssure, the age check runs without requiring a download, relying instead on an age-aware camera that returns “a vector back to the relying party,” such as Discord. The vector itself carries no identity; the only guarantee, Tewari said, is “that this vector will be similar for people of similar ages.”
</p>

<p>
	 
</p>

<p>
	That’s the only kind of information that ever leaves the phone, Tewari said. In the past year, Privately has conducted more than 10 million checks using this tech, of which half were on big platforms, with no personal information ever being collected, Tewari said.
</p>

<p>
	 
</p>

<p>
	Privately’s tech is not perfect, but it was recently evaluated by NIST, which benchmarks age-estimation algorithms rather than certifying them. NIST tested it on millions of images—but not videos—to assess the accuracy of its tool, and the agency found that its age estimates were off by an average of 1.94 years.
</p>

<p>
	 
</p>

<p>
	Ars could not reach the group behind the attacks for comment, but a GitHub <a href="https://github.com/xyzeva/k-id-age-verifier/commit/e43af7e6a0a8b343bd745f943005312f055a7cb4#commitcomment-178254654" rel="external nofollow" target="_blank">thread</a> documenting the attempts ends with a comment saying the thread should remain “as a testament that Privately at least isn’t lying about it being on-device and private.”
</p>

<p>
	 
</p>

<p>
	Of course, it would be foolish to assume that just because these hacks failed, Privately’s tech is “unbreakable or that a future update won’t introduce exploitable vulnerabilities,” Samantha Baldwin, a policy and research staff technologist for the Electronic Frontier Foundation (EFF), told Ars.
</p>

<p>
	 
</p>

<p>
	In a recent <a href="https://www.eff.org/deeplinks/2026/02/discord-voluntarily-pushes-mandatory-age-verification-despite-recent-data-breach" rel="external nofollow">blog post</a> discussing Discord’s controversy, Baldwin argued that age-check technology is “not ready for primetime” and inherently diminishes user privacy. For that reason, she told Ars that the EFF does not consider even Privately’s fully on-device tech to be privacy-advancing.
</p>

<p>
	 
</p>

<p>
	“From a harm-reductionist approach, data being kept on the device for age verification is less dangerous than data being sent over a network, but this isn’t a remedy for these technologies harming people’s right to constitutionally protected speech, their privacy, and their security,” Baldwin said.
</p>

<p>
	 
</p>

<p>
	“None of them are advancing privacy,” Baldwin said. “It’s a question of how deep the wound is.”
</p>

<h2>
	K-ID
</h2>

<p>
	K-ID, a Discord partner, launched a public-interest effort in November 2025 called the <a href="https://openageinitiative.org" rel="external nofollow">OpenAge Initiative</a>, which aims to popularize a product called AgeKeys as a way to store and reuse “age signals.” These “age keys” wouldn’t resolve concerns about the underlying tech used to estimate a user’s age, but advocates say they would minimize the number of age checks across platforms.
</p>

<p>
	 
</p>

<p>
	That initiative, which has maintained a low profile until recently, has scored two big wins. First, Meta announced in December that it would launch AgeKeys on Instagram this year. The Free Speech Coalition, a nonprofit trade association for the adult entertainment industry, has also endorsed AgeKeys as a privacy-preserving way to access pornographic material without compromising identity or security.
</p>

<p>
	 
</p>

<p>
	Although Privately partners with k-ID on age checks for social and gaming platforms, Privately has not joined the OpenAge Initiative. However, other leading age-check providers have signed on, including Incode, Persona, Socure, and Veratad, as well as platform owners like Meta and game developers like Konami.
</p>

<p>
	 
</p>

<p>
	K-ID’s corporate affairs officer, Luc Delany, told Ars that AgeKeys are stored in a password manager and are built on FIDO passkey technology that’s “as secure as the login that I use for my bank.”
</p>

<p>
	 
</p>

<p>
	For users accustomed to storing passwords, letting their devices store an age key may feel natural, especially since it doesn’t require opening an account or sharing an email address. Julian Corbett, the head of the OpenAge Initiative and a co-founder of k-ID, told Ars that some platforms have seen higher adoption of the tech than expected. On one platform that recently launched AgeKeys, for example, about 80 percent of users chose to save them, he said.
</p>

<p>
	 
</p>

<p>
	For platforms, AgeKeys could become a cost-effective solution. Because the only cost to the OpenAge Initiative is an encrypted handshake when the age signal is shared, platforms could perform “a million age checks using age keys for $3,000,” Delany said.
</p>

<p>
	 
</p>

<p>
	Participating platforms can set limits on which types of age estimation are accepted and how recently the age check must have been completed. Any AgeKeys lacking the right signals will be rejected.
</p>

<p>
	 
</p>

<p>
	The OpenAge Initiative’s website provides more <a href="https://openageinitiative.org/" rel="external nofollow">details</a>, including <a href="https://docs.agekey.org/" rel="external nofollow">developer guides</a> explaining how its double-blind system is designed to protect privacy. Essentially, when someone uses an AgeKey, the age-check service provider requests access to the platform without knowing who the user is. Meanwhile, the OpenAge Initiative knows who the user is but doesn’t know which platform is receiving the age signal. The age check provider ultimately decides “yes” or “no,” granting or denying platform access.
</p>
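<p>
	To make the policy checks and the identity/age separation described above concrete, here is an added Python sketch. It is not OpenAge’s or k-ID’s code and does not implement the AgeKey protocol; it assumes three things the article does not specify: the issuer signs a small JSON assertion, the verification key is shared with the relying party (a real deployment would use an asymmetric signature so that platforms cannot mint their own signals), and the user presents a per-platform pseudonym so the same person cannot be correlated across platforms. Method names and timestamps are constructed.
</p>

```python
"""Minimal model of a reusable age signal plus a relying-party policy check.
Constructed example with assumed formats and keys; not the OpenAge/AgeKey protocol."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: HMAC key shared by the issuer and the relying party.
# A real system would sign asymmetrically so the platform can verify but not forge.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so issuer and verifier MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def pairwise_subject(user_secret: bytes, relying_party: str) -> str:
    """Per-platform pseudonym: the same user gets unrelated subjects at different
    platforms, so the platform learns no identity and signals cannot be joined."""
    return hashlib.sha256(user_secret + b"|" + relying_party.encode()).hexdigest()[:16]


def issue_age_signal(key: bytes, subject: str, method: str, over_age: int, checked_at: int) -> dict:
    """The issuer attests only: 'subject passed an over-<over_age> check via <method> at <checked_at>'."""
    payload = {"sub": subject, "method": method, "over": over_age, "iat": checked_at}
    return {"payload": payload, "tag": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


@dataclass(frozen=True)
class Policy:
    accepted_methods: frozenset  # which estimation/verification methods the platform trusts
    max_age_seconds: int         # how recent the underlying check must be
    required_over: int           # age threshold the platform enforces


def verify_age_signal(key: bytes, signal: dict, policy: Policy, now: int) -> tuple:
    """Return (accepted, reason). Integrity is checked before any policy field is trusted."""
    payload = signal["payload"]
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signal["tag"]):
        return False, "bad signature"
    if payload["method"] not in policy.accepted_methods:
        return False, "method not accepted"
    if payload["over"] < policy.required_over:
        return False, "threshold not met"
    if payload["iat"] > now + 60:  # small clock-skew allowance
        return False, "issued in the future"
    if now - payload["iat"] > policy.max_age_seconds:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    sub = pairwise_subject(b"user-seed", "platform-a")
    sig = issue_age_signal(ISSUER_KEY, sub, "on_device_face_estimation", 18, 1_700_000_000)
    policy = Policy(frozenset({"on_device_face_estimation", "id_document"}), 30 * 86400, 18)
    print(verify_age_signal(ISSUER_KEY, sig, policy, 1_700_000_000 + 3600))
```

<p>
	The verifier sees a pseudonym, a method label, an age threshold and a timestamp, and nothing else; that is the whole point of keeping the age signal separate from identity. Note that this does nothing to improve the underlying age check itself, exactly the limitation Corbett acknowledges below.
</p>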

<p>
	 
</p>

<p>
	Building that double-blind system was essential because “every single time age assurance is brought up, people are fearful that this is the end of anonymity on the Internet,” Corbett said. The “entire structure of the OpenAge Initiative is to give and build that trust with users that you actually have a dedicated age credential that explicitly and structurally and technologically guarantees a separation between identity and age and yet satisfies the compliance burden that regulators require.”
</p>

<p>
	 
</p>

<p>
	But he acknowledged that the biggest barrier to age keys will be skepticism, while noting that age keys do nothing to address privacy concerns about the underlying age checks.
</p>

<h2>
	Reverse-engineering Yoti
</h2>

<p>
	OpenAge isn’t the only group that wants control over the age-key landscape.
</p>

<p>
	 
</p>

<p>
	One of the most dominant age check providers in the US, Yoti, has offered Age Tokens since 2021 and Yoti Keys since 2025. Yoti’s CEO, Robin Tombs, told Ars that the company recently “invited other age verification providers to issue compatible Age Tokens or Yoti Keys.” Approved vendors will likely begin offering their versions of Yoti age keys by the end of the year.
</p>

<p>
	 
</p>

<p>
	“While we support the broader objective of interoperable, reusable age credentials, we believe that trusted reusable age tokens or passkeys must meet clearly defined minimum standards of assurance and performance,” Tombs said. “In our view, those assurance thresholds are essential to maintaining regulatory confidence and user trust.”
</p>

<p>
	 
</p>

<p>
	Yoti arguably helped pave the way for more US laws attempting to age-gate the Internet—according to a <a href="https://mikespecter.com/assets/pdf/AgeVerification.pdf" rel="external nofollow">March report</a> from security researchers at Georgia Tech’s <a href="https://spdr.cc.gatech.edu/" rel="external nofollow">Security Privacy and Democracy Research Laboratory</a>, which was “the first large-scale exploration of age verification providers” in the US.
</p>

<p>
	 
</p>

<p>
	When the Supreme Court ruled last summer that <a href="https://arstechnica.com/tech-policy/2025/06/supreme-court-upholds-texas-porn-law-that-caused-pornhub-to-leave-the-state/" rel="external nofollow">online age verification does not violate the First Amendment</a>, justices relied partly on technical information provided by Yoti.
</p>

<p>
	 
</p>

<p>
	However, little is known about how well age-check services work to protect privacy. To fill the gaps, the researchers analyzed the top 1 million websites in two states that require age checks and one state that doesn’t. This broad survey revealed Yoti as the dominant provider, “used in over 60 percent of compliant sites” in the two affected states.
</p>

<p>
	 
</p>

<p>
	Tombs said that Yoti runs a million age checks per day. That’s substantially more than Privately, which runs about 100,000 checks on a good day.
</p>

<p>
	 
</p>

<p>
	Curious to learn more about how Yoti works beyond what’s disclosed in its <a href="https://www.yoti.com/blog/yoti-age-estimation-white-paper/" rel="external nofollow">latest whitepapers</a>, one of the researchers, PhD cybersecurity student Shreyas Minocha, reverse-engineered version 2.6.2 of Yoti’s age estimation method.
</p>

<p>
	 
</p>

<p>
	It took hours of work in a single session, Minocha said, “because every new session, they give you a newly randomized copy of their source code.” He eventually succeeded, though, and found that Yoti uses machine learning to perform an on-device facial age estimate.
</p>

<p>
	 
</p>

<p>
	However, unlike with Privately’s FaceAssure, Yoti sends the user’s photo to its servers, along with other device metadata. Users can encrypt that data, a setting Yoti enables by default, but they can also turn that privacy-protecting feature off. Researchers told Ars that the option is “purely performative” and does not stop Yoti from accessing the content of the data.
</p>

<p>
	 
</p>

<p>
	Conducting a broader privacy analysis of all of Yoti’s age check options, Minocha’s team, working under assistant professor Michael Specter, concluded that Yoti “collects significant private information beyond what is strictly necessary to verify age” and that it “relies on sharing sensitive user information with several less user-visible fourth parties.”
</p>

<p>
	 
</p>

<p>
	Asked for comment on these claims, Tombs said that Yoti has “purposefully designed an age product that only collects the minimum information necessary to verify age, and our processes are regularly audited to ensure they meet strict privacy standards.”
</p>

<p>
	 
</p>

<p>
	He also confirmed that Yoti plans to roll out fully on-device facial age estimation with complete liveness detection similar to Privately’s tech later this year.
</p>

<h2>
	Users’ fears of age checks are justified, experts say
</h2>

<p>
	For Internet users surveying the age-check landscape, it can feel impossible to determine which options are safest.
</p>

<p>
	 
</p>

<p>
	Regarding on-device solutions like Privately’s, Specter told Ars that he thinks “doing things on device is always going to be less bad” than sending data to a platform or age-check vendor, or to any less-visible third or fourth parties that may intercept it along the way.
</p>

<p>
	 
</p>

<p>
	To Specter, however, it seems odd to expect a user of any age to allow their own device to police their Internet habits.
</p>

<p>
	 
</p>

<p>
	“Inherently, your device should work for you regardless of who you are,” Specter said.
</p>

<p>
	 
</p>

<p>
	Baldwin suggested that the biggest issue for users may be trusting these systems over time, as any update could introduce a vulnerability that undermines the age check’s security. Since age checks will be required continually—such as when younger users become adults or when a platform doubts a user’s age—there will be no end to the cycle.
</p>

<p>
	 
</p>

<p>
	A better solution, Baldwin said, would be to pass a comprehensive federal data privacy law that protects all users from invasive new technologies.
</p>

<p>
	 
</p>

<p>
	But Privately’s CEO, Tewari, told Ars that he thinks the future of age check tech is more such tech, including age-aware cameras and microphones. Imagine turning on your camera, which automatically detects if it’s seeing or hearing an 84-year-old woman or a 13-year-old boy. Accurate age signals could be logged without ever sharing identity, Tewari suggested.
</p>

<p>
	 
</p>

<p>
	Baldwin did not agree that this would be ideal.
</p>

<p>
	 
</p>

<p>
	“The more cameras and microphones there are, the more eyes and ears are available to adversaries, regardless of the original intention,” Baldwin said. “Creating a dystopian world full of computerised eyes and ears is not the solution, and there will be significant harm if this leads to laws requiring devices to have surveillance capabilities. This technology will always be circumventable and always open up users to more threats to their privacy.”
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2026/03/after-discord-fiasco-age-check-tech-promises-privacy-by-running-locally-does-it-work/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 19 March 2026 at 4:45 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">34163</guid><pubDate>Wed, 18 Mar 2026 18:45:59 +0000</pubDate></item><item><title>Researchers disclose vulnerabilities in IP KVMs from four manufacturers</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-disclose-vulnerabilities-in-ip-kvms-from-four-manufacturers-r34145/</link><description><![CDATA[<h3>
	Internet-exposed devices that give BIOS-level access? What could possibly go wrong?
</h3>

<p>
	Researchers are warning about the risks posed by a low-cost device that can give insiders and hackers unusually broad powers in compromising networks.
</p>

<p>
	 
</p>

<p>
	The devices, which typically sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks. The devices, not much bigger than a deck of cards, allow the machines to be accessed at the BIOS/UEFI level, the firmware that runs before the loading of the operating system.
</p>

<p>
	 
</p>

<p>
	This provides power and convenience to admins, but in the wrong hands, the capabilities can often torpedo what might otherwise be a secure network. Risks are posed when the devices—which are exposed to the Internet—are deployed with weak security configurations or surreptitiously connected to by insiders. Firmware vulnerabilities also leave them open to remote takeover.
</p>

<h2>
	No exotic zero-days here
</h2>

<p>
	On Tuesday, researchers from security firm Eclypsium <a href="https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/" rel="external nofollow">disclosed</a> a total of nine vulnerabilities in IP KVMs from four manufacturers. The most severe flaws allow unauthenticated hackers to gain root access or run malicious code on them.
</p>

<p>
	 
</p>

<p>
	“These are not exotic zero-days requiring months of reverse engineering,” Eclypsium researchers Paul Asadoorian and Reynaldo Vasquez Garcia wrote. “These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”
</p>

<table border="1">
	<thead>
		<tr>
			<th>Vendor</th>
			<th>Product</th>
			<th>CVE</th>
			<th>Vulnerability</th>
			<th>CVSS 3.1</th>
			<th>Patch Status</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>GL-iNet</td>
			<td>Comet RM-1</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32290" rel="external nofollow">CVE-2026-32290</a></td>
			<td>GL-iNet Comet KVM insufficient verification of firmware authenticity</td>
			<td>4.2</td>
			<td>Fix being planned.</td>
		</tr>
		<tr>
			<td>GL-iNet</td>
			<td>Comet RM-1</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32291" rel="external nofollow">CVE-2026-32291</a></td>
			<td>GL-INet Comet KVM UART root access</td>
			<td>7.6</td>
			<td>Fix being planned.</td>
		</tr>
		<tr>
			<td>GL-iNet</td>
			<td>Comet RM-1</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32292" rel="external nofollow">CVE-2026-32292</a></td>
			<td>GL-INet Comet KVM insufficient brute-force protection</td>
			<td>5.3</td>
			<td><a href="https://fw.gl-inet.com/kvm/rm10/testing/RM10-1.8.1-beta1.img" rel="external nofollow">Fixed in v1.8.1 BETA</a></td>
		</tr>
		<tr>
			<td>GL-iNet</td>
			<td>Comet RM-1</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32293" rel="external nofollow">CVE-2026-32293</a></td>
			<td>GL-iNet Comet KVM Insecure Initial Provisioning via Unauthenticated Cloud Connection</td>
			<td>3.1</td>
			<td><a href="https://fw.gl-inet.com/kvm/rm10/testing/RM10-1.8.1-beta1.img" rel="external nofollow">Fixed in v1.8.1 BETA</a></td>
		</tr>
		<tr>
			<td>Angeet/Yeeso</td>
			<td>ES3 KVM</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32297" rel="external nofollow">CVE-2026-32297</a></td>
			<td>Angeet ES3 KVM unauthenticated file</td>
			<td>9.8</td>
			<td>No fix available</td>
		</tr>
		<tr>
			<td>Angeet/Yeeso</td>
			<td>ES3 KVM</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32298" rel="external nofollow">CVE-2026-32298</a></td>
			<td>Angeet ES3 KVM OS command injection</td>
			<td>8.8</td>
			<td>No fix available</td>
		</tr>
		<tr>
			<td>Sipeed</td>
			<td>NanoKVM</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32296" rel="external nofollow">CVE-2026-32296</a></td>
			<td>Sipeed NanoKVM configuration endpoint exposure</td>
			<td>5.4</td>
			<td>Fixed in NanoKVM v2.3.1 and NanoKVM Pro 1.2.4</td>
		</tr>
		<tr>
			<td>JetKVM</td>
			<td>JetKVM</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32294" rel="external nofollow">CVE-2026-32294</a></td>
			<td>JetKVM insufficient update verification</td>
			<td>6.7</td>
			<td>Fixed in version 0.5.4</td>
		</tr>
		<tr>
			<td>JetKVM</td>
			<td>JetKVM</td>
			<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32295" rel="external nofollow">CVE-2026-32295</a></td>
			<td>JetKVM insufficient rate limiting</td>
			<td>7.3</td>
			<td>Fixed in version 0.5.4</td>
		</tr>
	</tbody>
</table>

<p>
	As the table above shows, some of the devices are being fixed. As of Tuesday, however, the most severe vulnerabilities—found in IP KVMs made by Angeet/Yeeso—aren’t.
</p>

<p>
	 
</p>

<p>
	Vulnerabilities in the devices themselves are only one of the risks. IP KVMs are also easy to deploy, intentionally or unintentionally, in ways that leave an entire network exposed. HD Moore, a security expert and the founder and CEO of runZero, performed an Internet scan on Monday that found a little more than 1,300 such devices, up from about 1,000 he <a href="https://www.runzero.com/blog/oob-p1-ip-kvm/" rel="external nofollow">found last June</a>.
</p>

<p>
	 
</p>

<p>
	Moore has long warned about the risks <a href="https://arstechnica.com/information-technology/2019/02/supermicro-hardware-weaknesses-let-researchers-backdoor-an-ibm-cloud-server/" rel="external nofollow">posed</a> <a href="https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/" rel="external nofollow">by</a> baseboard management controllers (BMCs), the motherboard-attached microcontrollers that allow admins to remotely access entire fleets of servers. He said IP KVMs can similarly expose networks.
</p>

<p>
	 
</p>

<p>
	“The core issue is that if the KVM is compromised, it’s often easy to take over whatever system the KVM is attached to, even if that system is otherwise secure from network attacks,” Moore said in an interview. “Similar to BMCs, any flaw on the out-of-band side undercuts the existing security measures. The specific bugs vary, but the end result is access to a server that someone thinks is important enough to warrant remote management.”
</p>

<p>
	 
</p>

<p>
	Both runZero and Eclypsium recommend that admins scan their networks to identify any overlooked IP KVMs. Asadoorian has made scanning tools <a href="https://github.com/pasadoorian/MiTMBeast" rel="external nofollow">available here</a>. Both say that the devices should be secured with a strong password and the use of a reputable VPN. Both WireGuard and Tailscale provide easy integration.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2026/03/researchers-disclose-vulnerabilities-in-ip-kvms-from-4-manufacturers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 18 March 2026 at 6:35 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">34145</guid><pubDate>Tue, 17 Mar 2026 20:36:19 +0000</pubDate></item><item><title>Stryker attack wiped tens of thousands of devices, no malware needed</title><link>https://nsaneforums.com/news/security-privacy-news/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed-r34128/</link><description><![CDATA[<p>
	Last week's cyberattack on medical technology giant Stryker was limited to its internal Microsoft environment and remotely wiped tens of thousands of employee devices.
</p>

<p>
	 
</p>

<p>
	The organization says in an update on Sunday that all its medical devices are safe to use but electronic ordering systems remain offline, and customers must place orders manually through sales representatives.
</p>

<p>
	 
</p>

<p>
	Stryker emphasizes that the incident was not a ransomware attack and that the threat actor did not deploy any malware on its systems.
</p>

<p>
	 
</p>

<p>
	Last week, <a href="https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack/" rel="external nofollow">Stryker was the target of a cyberattack</a> claimed by the Handala hacktivist group, believed to be linked to Iran.
</p>

<p>
	 
</p>

<p>
	The attacker alleged that they wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data. However, investigators did not find any indication that data was exfiltrated.
</p>

<p>
	 
</p>

<p>
	Following the disruption, Stryker employees in multiple countries started to complain that their managed devices had been remotely wiped overnight.
</p>

<p>
	 
</p>

<p>
	Some employees had their personal devices enrolled in the company network and lost personal data during the wiping process.
</p>

<h3>
	Hackers had Global Admin privileges
</h3>

<p>
	A source familiar with the attack told BleepingComputer that the threat actor used the <a href="http://learn.microsoft.com/en-us/intune/intune-service/remote-actions/device-wipe?pivots=windows" rel="external nofollow" target="_blank">wipe command in Intune</a>, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11.
</p>

<p>
	 
</p>

<p>
	The attacker carried out the action after compromising an administrator account and creating a new Global Administrator account.
</p>

<p>
	 
</p>

<p>
	The investigation is being conducted by the Microsoft Detection and Response Team (DART) in collaboration with cybersecurity experts from Palo Alto Unit 42.
</p>

<p>
	 
</p>

<p>
	Stryker’s update highlights that the attack did not impact any of its products, connected or otherwise, and was limited exclusively to the internal Microsoft corporate environment.
</p>

<p>
	 
</p>

<p>
	“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the <a href="https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html" rel="external nofollow">company says</a>.
</p>

<p>
	 
</p>

<p>
	Restoration efforts are currently underway, the main focus being on resuming shipping and transactional services. Customers are encouraged to maintain normal communication with company personnel while the infrastructure is steadily recovered.
</p>

<p>
	 
</p>

<p>
	Any order placed before the cyberattack will be honored as systems are restored, while those placed during the disruption will be processed when systems are back online and the supply flow returns to normal.
</p>

<p>
	 
</p>

<p>
	The company is working with its global manufacturing sites to deal with potential operational impact.
</p>

<p>
	 
</p>

<p>
	Stryker’s current priority is to restore the supply-chain system and resume customer orders and shipping. “Our core transactional systems are already on a clear path to full recovery,” the company says.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 17 March 2026 at 5:39 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">34128</guid><pubDate>Mon, 16 Mar 2026 19:39:25 +0000</pubDate></item><item><title>Google fixes two new Chrome zero-days exploited in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/google-fixes-two-new-chrome-zero-days-exploited-in-attacks-r34086/</link><description><![CDATA[<p>
	Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks.
</p>

<p>
	 
</p>

<p>
	"Google is aware that exploits for both CVE-2026-3909 &amp; CVE-2026-3910 exist in the wild," Google said in a <a href="https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html" rel="external nofollow" target="_blank">security advisory</a> published on Thursday.
</p>

<p>
	 
</p>

<p>
	The first zero-day (CVE-2026-3909) stems from an <a href="https://cwe.mitre.org/data/definitions/787.html" rel="external nofollow" target="_blank">out-of-bounds write</a> weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution.
</p>

<p>
	 
</p>

<p>
	The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
</p>

<p>
	 
</p>

<p>
	Google discovered both security flaws and patched them within two days of reporting for users in the Stable Desktop channel, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75).
</p>

<p>
	 
</p>

<p>
	While Google says the out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates earlier today.
</p>

<p>
	 
</p>

<p>
	If you don't want to update your web browser manually, you can also have it check for updates automatically and install them at the next launch.
</p>

<p>
	 
</p>

<p>
	<img alt="Chrome 146.0.7680.75" class="ipsImage" height="294" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2026/Chrome%20146_0_7680_75.png">
</p>

<p>
	 
</p>

<p>
	Although Google found evidence that attackers are exploiting these zero-day flaws in the wild, the company didn't share further details regarding the incidents.
</p>

<p>
	 
</p>

<p>
	"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," it noted.
</p>

<p>
	 
</p>

<p>
	These are the second and third actively exploited Chrome zero-days patched since the start of 2026. The first, tracked as CVE-2026-2441 and described as an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), <a href="https://www.bleepingcomputer.com/news/security/google-patches-first-chrome-zero-day-exploited-in-attacks-this-year/" rel="external nofollow" target="_blank">was addressed in mid-February</a>.
</p>

<p>
	 
</p>

<p>
	Last year, Google fixed a total of <a href="https://www.bleepingcomputer.com/news/security/google-fixes-eighth-chrome-zero-day-exploited-in-attacks-in-2025/" rel="external nofollow" target="_blank">eight zero-days exploited in the wild</a>, many of which were reported by Google's Threat Analysis Group (TAG), a group of security researchers known for tracking and identifying zero-days exploited in spyware attacks.
</p>

<p>
	 
</p>

<p>
	On Thursday, Google also revealed that it has <a href="https://www.bleepingcomputer.com/news/google/google-paid-171-million-for-vulnerability-reports-in-2025/" rel="external nofollow" target="_blank">paid over $17 million</a> to 747 security researchers who reported security flaws through its Vulnerability Reward Program (VRP) in 2025.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 13 March 2026 at 5:49 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">34086</guid><pubDate>Fri, 13 Mar 2026 07:49:46 +0000</pubDate></item><item><title>Canadian retail giant Loblaw notifies customers of data breach</title><link>https://nsaneforums.com/news/security-privacy-news/canadian-retail-giant-loblaw-notifies-customers-of-data-breach-r34082/</link><description><![CDATA[<p>
	Loblaw Companies Limited (Loblaw), the largest food and pharmacy retailer in Canada, announced that hackers breached a portion of its IT network and accessed basic customer information.
</p>

<p>
	 
</p>

<p>
	The retailer has a nationwide <a href="https://www.loblaw.ca/en/loblaw-to-invest-2-4-billion-in-the-canadian-economy-in-2026-with-plans-to-build-70-new-stores-and-create-well-over-9000-jobs/" rel="external nofollow">network of 2,500 stores</a> (franchise supermarkets, pharmacies, banking kiosks, and apparel shops) and plans to expand with 70 new ones this year as part of a five-year plan to invest $10 billion by 2030.
</p>

<p>
	 
</p>

<p>
	The company employs 220,000 people and has an annual revenue of $45 billion. Its best-known commercial banners and brands are Loblaws, Real Canadian Superstore, No Frills, Maxi, President’s Choice, PC Optimum, and Joe Fresh.
</p>

<p>
	 
</p>

<p>
	Earlier this week, the company informed customers that it had detected suspicious activity on its network that led to discovering an intrusion.
</p>

<p>
	 
</p>

<p>
	“After identifying suspicious activity on a contained, non-critical part of its IT network, the Company has determined that a criminal third-party accessed some basic customer information such as names, phone numbers, and email addresses,” <a href="https://www.loblaw.ca/en/loblaw-notifies-customers-of-a-low-level-data-breach/" rel="external nofollow">Loblaw said</a>.
</p>

<p>
	 
</p>

<p>
	The exposed data constitutes personally identifiable information (PII) and could be used in phishing attacks and fraudulent activities. Loblaw customers should remain vigilant for suspicious communications from unknown contacts.
</p>

<p>
	 
</p>

<p>
	The company noted that its investigation so far has not found evidence that financial information, such as credit card details, health information, or account passwords, was compromised.
</p>

<p>
	 
</p>

<p>
	However, out of an abundance of caution, Loblaw says it has automatically logged out all customers from their accounts. Account holders who need to access the company’s digital services will have to log in again. It is advisable that customers also change their passwords.
</p>

<p>
	 
</p>

<p>
	Loblaw’s investigation indicates that PC Financial, its financial services brand, hasn’t been impacted by this incident.
</p>

<p>
	 
</p>

<p>
	At the time of writing, BleepingComputer could not find a threat actor claiming the attack publicly or any Loblaw data being advertised on underground forums.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/canadian-retail-giant-loblaw-notifies-customers-of-data-breach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 13 March 2026 at 8:51 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">34082</guid><pubDate>Thu, 12 Mar 2026 22:52:19 +0000</pubDate></item><item><title>14,000 routers are infected by malware that&#x2019;s highly resistant to takedowns</title><link>https://nsaneforums.com/news/security-privacy-news/14000-routers-are-infected-by-malware-that%E2%80%99s-highly-resistant-to-takedowns-r34069/</link><description><![CDATA[<h3>
	Most of the devices are made by Asus and are located in the US.
</h3>

<p>
	Researchers say they have uncovered a takedown-resistant botnet of 14,000 routers and other network devices—primarily made by Asus—that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime.
</p>

<p>
	 
</p>

<p>
	The malware—dubbed KadNap—takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.
</p>

<h2>
	A botnet that stands out among others
</h2>

<p>
	The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on <a href="https://pdos.csail.mit.edu/~petar/papers/maymounkov-kademlia-lncs.pdf" rel="external nofollow">Kademlia</a>, a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.
</p>

<p>
	 
</p>

<p>
	“The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Formosa and fellow Black Lotus researcher Steve Rudd <a href="https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/" rel="external nofollow">wrote Wednesday</a>. “Their intention is clear: avoid detection and make it difficult for defenders to protect against.”
</p>

<p>
	 
</p>

<p>
	Distributed hash tables have long been used to create hardened peer-to-peer networks, most notably BitTorrent and the <a href="https://about.ipfs.io" rel="external nofollow">Inter-Planetary File System</a>. Rather than having one or more centralized servers that directly control nodes and provide them with the IP addresses of other nodes, DHTs allow any node to poll other nodes for the device or server it’s looking for. The decentralized structure and the substitution of IP addresses with hashes give the network resilience against takedowns or denial of service attacks.
</p>

<p>
	 
</p>

<p>
	The concept of DHTs can be hard to grasp. At a simplified level, they are data structures stored on multiple network peers, as described <a href="https://codethechange.stanford.edu/guides/guide_kademlia.html" rel="external nofollow">here</a>. This design makes the network scalable. The more network nodes, the better the distribution of elements is. DHTs also make networks fault-tolerant. When one node leaves the network, nodes go elsewhere for location lookups. In theory, the only way to take the network down is to sever all connected nodes.
</p>

<p>
	 
</p>

<p>
	Kademlia uses a 160-bit space to designate (1) keys—which are unique bitstrings derived by hashing a chunk of data—and (2) node IDs, both of which are assigned to each node. Nodes then store the keys of other nodes. The stored keys are organized by their similarity to the ID of the node storing them. Proximity is measured by <a href="https://rfong.github.io/rflog/2022/04/09/xor-distance-kademlia/" rel="external nofollow">XOR distance</a>, a mathematical means of mapping a network. When a node polls another node, it uses this metric to locate other nodes with the closest distance to the key it’s looking for until it finally finds a match. KadNap, a variant of Kademlia, obtains the key to be searched through a BitTorrent node.
</p>

<p>
	 
</p>

<p>
	Formosa explained:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		DHT helps you get closer and closer to a target. You first reach out to some entry bittorrent nodes and basically say “hey I have this secret passphrase. I’m looking for who to give it to.” So you give it to a couple of nearby “neighbors” and they say “ah ok I don’t fully understand this passphrase but it’s kind of familiar and here are some people who may know what that means.” So now you go to those neighbors and the process continues. Eventually you reach someone who says “Yes! This is my passphrase, welcome in.” In our case, when we reach this person they say here is a file to firewall port 22 and then here is a second file containing the C2 address you want to connect to.
	</p>
</blockquote>
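<p>
	What that walk looks like step by step, as an added simulation that is not KadNap, Black Lotus Labs or Kademlia reference code: it builds a constructed 200-node network with 160-bit SHA-1 identifiers, runs the iterative closest-node lookup over XOR distance, and stores and fetches a value at the nodes nearest a key. K, ALPHA, the node labels and the key label are assumptions chosen for the demo.
</p>

```python
"""Kademlia-style XOR-distance lookup on a simulated network.

Added illustration of the lookup described above; this is not KadNap,
Black Lotus Labs or Kademlia reference code. Node IDs are 160-bit SHA-1
digests of constructed labels; K, ALPHA and the 200-node network are
assumptions chosen for the demo.
"""
import hashlib

K = 3      # contacts kept per bucket and returned per query (Kademlia deployments use ~20)
ALPHA = 2  # nodes queried in parallel per round


def node_id(label: str) -> int:
    """160-bit identifier: SHA-1 of a label, used for node IDs and keys alike."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR the two identifiers and read the result as an integer."""
    return a ^ b


def bucket_index(own: int, other: int) -> int:
    """k-bucket that `other` falls into from `own`'s view: the most significant
    bit where the two IDs differ (-1 for the node itself)."""
    d = own ^ other
    return d.bit_length() - 1 if d else -1


class Node:
    def __init__(self, label: str):
        self.label = label
        self.id = node_id(label)
        self.buckets = {}  # bucket index -> up to K contact IDs
        self.store = {}    # key -> value this node holds

    def add_contact(self, other_id: int) -> None:
        bucket = self.buckets.setdefault(bucket_index(self.id, other_id), [])
        if len(bucket) < K:
            bucket.append(other_id)

    def find_node(self, target: int) -> list:
        """FIND_NODE reply: the K contacts this node knows that are closest to target."""
        known = [c for bucket in self.buckets.values() for c in bucket]
        return sorted(known, key=lambda c: xor_distance(c, target))[:K]


def build_network(n: int) -> dict:
    """Constructed network: each node learns up to K contacts per bucket."""
    nodes = [Node(f"node-{i:03d}") for i in range(n)]
    for a in nodes:
        for b in nodes:
            if a is not b:
                a.add_contact(b.id)
    return {node.id: node for node in nodes}


def iterative_lookup(net: dict, entry_ids: list, target: int) -> tuple:
    """The walk Formosa describes: ask the closest unqueried contacts, merge
    their replies, repeat until nobody returns anything closer.
    Returns (K closest node IDs found, number of nodes queried)."""
    by_distance = lambda c: xor_distance(c, target)
    shortlist = sorted(set(entry_ids), key=by_distance)[:K]
    queried = set()
    while True:
        pending = [c for c in shortlist if c not in queried][:ALPHA]
        if not pending:
            return shortlist, len(queried)
        for c in pending:
            queried.add(c)
            shortlist.extend(net[c].find_node(target))
        shortlist = sorted(set(shortlist), key=by_distance)[:K]


def brute_force_closest(net: dict, target: int) -> int:
    """Ground truth for checking the lookup: scan every node in the network."""
    return min(net, key=lambda c: xor_distance(c, target))


def store_and_fetch(net: dict, key_label: str, value: str, entry_label: str) -> tuple:
    """STORE a value at the K nodes closest to a key, then retrieve it from an
    unrelated entry node with an iterative lookup. Returns (value or None, hops)."""
    key = node_id(key_label)
    for holder in sorted(net, key=lambda c: xor_distance(c, key))[:K]:
        net[holder].store[key] = value
    closest, hops = iterative_lookup(net, [node_id(entry_label)], key)
    for c in closest:
        if key in net[c].store:
            return net[c].store[key], hops
    return None, hops
```

<p>
	Because every node keeps at least one contact in each non-empty bucket, each queried node either is the closest node to the target or hands back one that is strictly closer, so the lookup always ends at the node a full scan would pick.
</p>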

<p>
	Despite the resistance to normal takedown methods, Black Lotus says it has devised a means to block all network traffic to or from the control infrastructure. The lab is also distributing the indicators of compromise to public feeds to help other parties block access.
</p>

<p>
	 
</p>

<p>
	Infected devices are being used to carry traffic for <a href="https://doppelganger.shop" rel="external nofollow">Doppelganger</a>, a fee-based proxy service that tunnels customers’ Internet traffic through the Internet connections—primarily residential—of unsuspecting people. With high bandwidth and IP addresses with clean reputations, the service provides customers with a reliable way to efficiently and anonymously visit sites that might otherwise not be accessible.
</p>

<p>
	 
</p>

<p>
	People who are concerned their devices are infected can check <a href="https://github.com/blacklotuslabs/IOCs/blob/main/KadNap_IOCs.txt" rel="external nofollow">this page</a> for IP addresses and a file hash found in device logs. To disinfect devices, they must be factory reset. Because KadNap stores a shell script that runs when an infected router reboots, simply restarting the device will result in it being compromised all over again. Device owners should also ensure all available firmware updates have been installed, that administrative passwords are strong, and that remote access has been disabled unless needed.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 12 March 2026 at 12:31 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">34069</guid><pubDate>Thu, 12 Mar 2026 02:33:18 +0000</pubDate></item><item><title>Meta adds new WhatsApp, Facebook, and Messenger anti-scam tools</title><link>https://nsaneforums.com/news/security-privacy-news/meta-adds-new-whatsapp-facebook-and-messenger-anti-scam-tools-r34060/</link><description><![CDATA[<p>
	Meta is introducing new anti-scam protections across its platforms, deploying systems and user-facing warnings to protect users against scammers.
</p>

<p>
	 
</p>

<p>
	The new features are designed to help catch fraud attempts before users of WhatsApp, Facebook, and Messenger engage with them.
</p>

<p>
	 
</p>

<p>
	WhatsApp now alerts users when behavioral signals suggest a device-linking request may be fraudulent, a tactic scammers have been using to hijack accounts by tricking users into sharing a linking code or scanning a malicious QR code.
</p>

<p>
	 
</p>

<p>
	"Scammers may try to trick you into linking your WhatsApp account to their device," <a href="https://about.fb.com/news/2026/03/meta-launches-new-anti-scam-tools-deploys-ai-technology-to-fight-scammers-and-protect-people/" rel="external nofollow" target="_blank">Meta explained</a> on Wednesday. "For example, they may urge you to share your phone number, followed by a device linking code on your WhatsApp or try to trick you into scanning a QR code under false pretenses, which would then link the scammer's device to your account."
</p>

<p>
	 
</p>

<p>
	The change comes after the Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) warned that Russian state-backed hackers <a href="https://www.bleepingcomputer.com/news/security/dutch-govt-warns-of-signal-whatsapp-account-hijacking-attacks/" rel="external nofollow" target="_blank">have been targeting Dutch government employees</a> in a phishing campaign aimed at their Signal and WhatsApp accounts.
</p>

<p>
	 
</p>

<p>
	<a href="https://faq.whatsapp.com/1317564962315842/?cms_platform=android" rel="external nofollow" target="_blank">WhatsApp</a> allows users to connect multiple devices (e.g., computers, phones, tablets) to an account to send and receive messages across those devices. This is done by scanning a QR code generated by the main mobile device, which authorizes the new device to access and synchronize the messages.
</p>

<p>
	 
</p>

<p>
	However, attackers who trick a user into linking a malicious device will gain access to the victim's messages, read their chats, and may even send messages while impersonating the victim. Additionally, unlike account takeover attacks, the victims will usually retain access to their accounts, making the breach harder to detect.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="WhatsApp device linking warning" class="ipsImage" height="720" width="576" src="https://www.bleepstatic.com/images/news/u/1109292/2026/WhatsApp-device-linking-warning.webp">
		<figcaption>
			<em>WhatsApp device linking warning (Meta)</em>
		</figcaption>
	</figure>
</div>

<p>
	The company is testing warnings that flag suspicious friend requests on Facebook based on signals such as a small number of mutual connections or a profile location that doesn't match the user's region.
</p>

<p>
	 
</p>

<p>
	Its anti-scam detection feature on Messenger will also expand to more countries, identifying patterns consistent with common schemes like fake job offers and giving users the option to submit suspicious chats for an AI review.
</p>

<p>
	 
</p>

<p>
	Meta has also rolled out AI systems that analyze text, images, and contextual signals to identify celebrity impersonation, brand spoofing, and deceptive links used by threat actors to redirect potential victims to fraudulent websites impersonating legitimate ones.
</p>

<p>
	 
</p>

<p>
	In total, in 2025, Meta says it removed over 159 million scam ads and took down over 10.9 million accounts on Facebook and Instagram linked to criminal scam operations.
</p>

<p>
	 
</p>

<p>
	Meta also <a href="https://about.fb.com/news/2026/03/meta-global-law-enforcement-disrupt-major-southeast-asia-criminal-scam-networks/" rel="external nofollow" target="_blank">participated in a global law enforcement operation</a> that led to the arrest of 21 suspects and the shutdown of more than 150,000 accounts linked to scam networks in Southeast Asia, including groups running fake cryptocurrency investment schemes and extortion rings.
</p>

<p>
	 
</p>

<p>
	"We are proud to partner with the Royal Thai Police, the FBI, the DOJ Scam Center Strike Force, and law enforcement agencies from around the world to combat these sophisticated scam networks," said Chris Sonderby, Vice President and Deputy General Counsel at Meta.
</p>

<p>
	 
</p>

<p>
	"This operation is a testament to how sharing information and coordinating our efforts can make real progress in disrupting this criminal activity at its source."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/meta-adds-new-whatsapp-facebook-and-messenger-anti-scam-tools/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 12 March 2026 at 7:00 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34060</guid><pubDate>Wed, 11 Mar 2026 21:00:45 +0000</pubDate></item><item><title>New 'Zombie ZIP' technique lets malware slip past security tools</title><link>https://nsaneforums.com/news/security-privacy-news/new-zombie-zip-technique-lets-malware-slip-past-security-tools-r34056/</link><description><![CDATA[<p>
	A new technique dubbed “Zombie ZIP” helps conceal payloads in compressed files specially created to avoid detection from security solutions such as antivirus and endpoint detection and response (EDR) products.
</p>

<p>
	 
</p>

<p>
	Trying to extract the files with standard utilities like WinRAR or 7-Zip results in errors or corrupted data. The technique works by manipulating ZIP headers to trick parsing engines into treating compressed data as uncompressed.
</p>

<p>
	 
</p>

<p>
	Instead of flagging the archive as potentially dangerous, security tools trust the header and scan the file as if it were a copy of the original in a ZIP container.
</p>

<p>
	 
</p>

<p>
	The “Zombie ZIP” technique was devised by Bombadil Systems security researcher Chris Aziz, who found that it works against 50 of the 51 AV engines on VirusTotal.
</p>

<p>
	 
</p>

<p>
	"AV engines trust the ZIP Method field. When Method=0 (STORED), they scan the data as raw uncompressed bytes. But the data is actually DEFLATE compressed - so the scanner sees compressed noise and finds no signatures," the <a href="https://www.google.com/search?q=what+is+the+ZIP+Method+field+when+compressing+data&amp;sca_esv=9aee4d03b6daf587&amp;sxsrf=ANbL-n64Zak0-G2lVe96-TcvUVIF-nQG0g%3A1773170657542&amp;ei=4W-wafjdIMyHxc8Pjc7yIQ&amp;biw=1278&amp;bih=1304&amp;ved=2ahUKEwid6ZHCh5aTAxXB_7sIHd4EAdsQ0NsOegQIAxAB&amp;uact=5&amp;sclient=gws-wiz-serp&amp;fbs=ADc_l-aN0CWEZBOHjofHoaMMDiKpmAsnXCN5UBx17opt8eaTXyCfNeKGeJOJfUwi1MTUzwQIwJlelVIdgOjufMHPjJWrA6m6ijOW-TR8xZctTwt87y02tJH-m1X6ZdU5Sco9o9SBFdEkXTi2MEKBdZw7Z9rWoglboNO5dhhYu21KgtooxxpF74WlV3n2SCf2rtnN3QrHo0U4&amp;aep=10&amp;ntc=1&amp;mstk=AUtExfAT87UqHG91C7lbmkfmru2Hg4LtKCNZkbDLHOH81Crt5w4QS2n59XfinrZaUQnfFvqEdzalM9ewXWUdIyFJF120wbuvMRecR94pEWjhyAbVUmr0B_9mZgOHKbgkIQ5eB-a0_ZTwYoCrkQR9lZ2lEYfXd3ytm9d36OeL6ddPWcGmTN3QcPJeN6OGbHyi0a2KIZUI7-B3HLSbiahzJqreV2Y3y7agnfI5eV1gtc1IV0jfb23-cLVdQges1ebITdufEWQ3hf236Vh5bD71_E0kiSn0BGZX5jF4HNk&amp;csuir=1&amp;udm=50" rel="external nofollow" target="_blank">researcher explains</a>.
</p>

<p>
	 
</p>

<p>
	A threat actor can create a loader that ignores the header and treats the archive for what it is: data compressed using the standard Deflate algorithm used in modern ZIP files.
</p>

<p>
	 
</p>

<p>
	The researcher has published a proof-of-concept (PoC) on GitHub, sharing sample archives and additional details on how the method works.
</p>

<p>
	 
</p>

<p>
	To cause popular extraction tools (e.g., 7-Zip, unzip, WinRAR) to generate an error, the researcher says that the CRC value that ensures data integrity has to be set to the uncompressed payload's checksum.
</p>

<p>
	 
</p>

<p>
	“However, a purpose-built loader that ignores the declared method and decompresses as DEFLATE recovers the payload perfectly,” Aziz says.
</p>

<p>
	 
</p>

<p>
	Yesterday, the CERT Coordination Center (CERT/CC) <a href="https://kb.cert.org/vuls/id/976247" rel="external nofollow" target="_blank">published a bulletin</a> to warn about “Zombie ZIP” and raise awareness of the risks posed by malformed archive files.
</p>

<p>
	 
</p>

<p>
	While a malformed header may trick security solutions, the agency says that some extraction tools are still able to correctly decompress the ZIP archive.
</p>

<p>
	 
</p>

<p>
	The CVE-2026-0866 identifier has been assigned for the security issue, which the agency says is similar to a vulnerability disclosed more than two decades ago, CVE-2004-0935, affecting an early version of the ESET antivirus product.
</p>

<p>
	 
</p>

<p>
	CERT/CC recommends that security tool vendors validate compression method fields against the actual data, add mechanisms to detect inconsistencies in archive structure, and implement more aggressive archive inspection modes.
</p>
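<p>
	What that validation looks like in practice, as an added example rather than code from CERT/CC, the researcher or any AV vendor: the checker below walks a ZIP's local file headers and verifies each entry's bytes against its declared method, sizes and CRC instead of trusting the Method field. The sample archive and the corrupted-CRC case are constructed fixtures.
</p>

```python
"""Check ZIP entries' declared compression method against their actual data.

Added example implementing the CERT/CC recommendation above; it is not code
from CERT/CC, Bombadil Systems or any AV vendor. The sample archive and the
corrupted-CRC fixture are constructed for the demo.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, name length, extra length
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
STORED, DEFLATED = 0, 8
FLAG_DATA_DESCRIPTOR = 0x0008


def verify_entry(method, raw, crc, usize):
    """Return None if `raw` really is what the header claims, otherwise a reason.

    The Method field is never trusted on its own: STORED data must hash to the
    declared CRC byte-for-byte, and DEFLATED data must inflate to the declared
    size and CRC.
    """
    if method == STORED:
        if len(raw) != usize:
            return "STORED entry but compressed size != uncompressed size"
        if zlib.crc32(raw) != crc:
            return "STORED entry but CRC of raw bytes does not match header CRC"
        return None
    if method == DEFLATED:
        try:
            plain = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib wrapper
        except zlib.error:
            return "DEFLATED entry but data is not a valid DEFLATE stream"
        if len(plain) != usize or zlib.crc32(plain) != crc:
            return "DEFLATED entry but inflated size/CRC do not match header"
        return None
    return f"unsupported compression method {method}"


def check_zip_consistency(zip_bytes):
    """Walk local headers in file order; return [(name, reason)] for every
    entry whose bytes contradict its header. An empty list means all agree."""
    findings = []
    off = 0
    while zip_bytes[off:off + 4] == LOCAL_SIG:
        (_sig, _ver, flags, method, _mt, _md, crc, csize, usize,
         nlen, elen) = LOCAL_HDR.unpack_from(zip_bytes, off)
        name = zip_bytes[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        data_start = off + 30 + nlen + elen
        if flags & FLAG_DATA_DESCRIPTOR:
            # Sizes and CRC live in a trailing descriptor; stop rather than guess.
            findings.append((name, "data descriptor in use; local sizes not authoritative"))
            break
        raw = zip_bytes[data_start:data_start + csize]
        if len(raw) != csize:
            findings.append((name, "declared compressed size runs past end of file"))
            break
        reason = verify_entry(method, raw, crc, usize)
        if reason:
            findings.append((name, reason))
        off = data_start + csize
    return findings


def build_sample_zip():
    """Constructed well-formed archive: one STORED and one DEFLATED entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"hello " * 40, compress_type=zipfile.ZIP_STORED)
        zf.writestr("report.txt", b"quarterly numbers\n" * 40,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def corrupt_first_crc(zip_bytes):
    """Constructed failure case: flip the CRC of the first entry (header at
    offset 0, CRC-32 at bytes 14..17) so the header no longer matches its data."""
    old = struct.unpack_from("<I", zip_bytes, 14)[0]
    return zip_bytes[:14] + struct.pack("<I", old ^ 0xFFFFFFFF) + zip_bytes[18:]


if __name__ == "__main__":
    clean = build_sample_zip()
    print("clean archive:", check_zip_consistency(clean))
    print("tampered archive:", check_zip_consistency(corrupt_first_crc(clean)))
```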

<p>
	 
</p>

<p>
	Users should treat archive files with caution, especially those from unknown contacts, and delete them immediately if their attempts to decompress them end with an “unsupported method” error.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 March 2026 at 12:46 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34056</guid><pubDate>Wed, 11 Mar 2026 02:46:43 +0000</pubDate></item><item><title>Judge blocks Perplexity&#x2019;s AI agents from shopping on Amazon</title><link>https://nsaneforums.com/news/security-privacy-news/judge-blocks-perplexity%E2%80%99s-ai-agents-from-shopping-on-amazon-r34042/</link><description><![CDATA[<h3>
	Amazon provided ‘strong evidence’ that Perplexity’s Comet AI browser accessed the marketplace ‘without authorization,’ according to the ruling.
</h3>

<p>
	A federal judge has issued an order blocking Perplexity’s web browser-based AI agents from placing Amazon orders on a user’s behalf, as <a href="https://www.bloomberg.com/news/articles/2026-03-10/amazon-wins-court-order-blocking-perplexity-s-ai-shopping-bots" rel="external nofollow">reported earlier by <em>Bloomberg</em></a>. In <a href="https://www.documentcloud.org/documents/27822873-amazon-v-perplexity-injunction/" rel="external nofollow">a ruling on Monday</a>, US District Judge Maxine Chesney writes that Amazon has “provided strong evidence” that Perplexity’s Comet browser accesses user accounts “without authorization” from the retail giant.
</p>

<p>
	 
</p>

<p>
	Amazon sued Perplexity in November, <a href="/news/813755/amazon-perplexity-ai-shopping-agent-block" rel="">alleging that it “repeatedly requested”</a> that the AI startup stop letting its agents buy products for customers. The company <a href="https://assets.aboutamazon.com/2d/47/6801224e4607900ef4e61a80a319/2025-10-31-amazon-cease-desist-ltr-to-perplexity.pdf" rel="external nofollow">accused Perplexity</a> of “intruding” into its marketplace and user accounts with <a href="/news/709025/perplexity-comet-ai-browser-chrome-competitor" rel="">Comet’s agentic shopping feature</a>, in violation of computer fraud and abuse laws. Amazon also alleged that Perplexity attempted to “conceal” its agentic activities by “misrepresenting the Comet browser as Google Chrome.”
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/55CkmaYQ4CA?feature=oembed" title="The DoorDash Problem: How AI browsers are a huge threat to Amazon" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Under the preliminary injunction, Perplexity must not access Amazon using its AI agents and must destroy any data from Amazon that it may have obtained. The preliminary injunction will take effect in seven days to allow time for Perplexity to appeal.
</p>

<p>
	 
</p>

<p>
	In a statement to <em>Bloomberg</em>, Amazon spokesperson Lara Hendrickson says the ruling “will prevent Perplexity’s unauthorized access to the Amazon store,” adding that the company looks forward to “continuing to make our case in court.” Meanwhile, Perplexity spokesperson Jesse Dwyer tells <em>The Verge</em> that the startup “will continue to fight for the right of internet users to choose whatever AI they want.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/ai-artificial-intelligence/892401/amazon-perplexity-ai-shopping-agent-court-order" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 March 2026 at 5:13 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34042</guid><pubDate>Tue, 10 Mar 2026 19:14:02 +0000</pubDate></item><item><title>Hackers are selling a Windows exploit for $220,000 on the dark web</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-are-selling-a-windows-exploit-for-220000-on-the-dark-web-r34035/</link><description><![CDATA[<h3>
	A Windows exploit that grants system-level access to attackers is currently up for sale on the dark web for $220,000.
</h3>

<p>
	Someone is currently trying to sell a Windows exploit on the dark web for $220,000. The exploit specifically targets Windows Remote Desktop Services and gives an attacker system-level privileges on a compromised computer.
</p>

<p>
	 
</p>

<p>
	A relatively new user, who goes by the forum name of "Kamirmassabi," recently posted an ad in the malware and exploits section of an underground forum. The ad specifically mentions that the vulnerability is "zero day," and calls interested buyers to contact the seller via private messages to discuss the purchase.
</p>

<p>
	 
</p>

<p>
	The vulnerability itself is tracked as <a automate_uuid="f3bbf50c-b1c3-45a8-b702-d7801d0449cc" href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533" rel="external nofollow">CVE-2026-21533</a>. It allows an attacker to manipulate a specific service configuration registry key under the TermService protocol and elevate their privileges to system-level on a targeted computer.
</p>

<p>
	 
</p>

<p>
	However, for the exploit to work, an attacker needs to already have low-privilege authenticated access to the local machine. This means hackers would first have to gain initial access to a targeted system, likely through a well-established phishing scheme such as tricking targeted users into downloading malicious files.
</p>

<p>
	 
</p>

<p>
	What's interesting about this specific exploit is that Microsoft already fixed it. The vulnerability was patched as part of <a automate_uuid="d87afdd7-2c1d-4078-b2b5-f3229f4aaa56" href="https://www.neowin.net/news/windows-11-kb5077181-kb5075941-february-2026-patch-tuesday-updates-out/" rel="external nofollow">February's Patch Tuesday update</a>. The vulnerability had a wide blast radius, affecting various builds of Windows 10 and Windows 11, as well as server editions ranging from Windows Server 2012 up to Windows Server 2025.
</p>

<p>
	 
</p>

<p>
	Attackers are probably betting that many enterprise networks haven't updated their systems yet, and that's where they're looking for an opportunity to strike. If the vulnerability were unaddressed, its asking price on the dark web probably would've been much higher.
</p>

<p>
	 
</p>

<p>
	We're seeing an emerging trend in the cybersecurity space, where bad actors have started acting as vendors, instead of carrying out the attacks themselves. Last week, we uncovered a plot where a <a automate_uuid="e4ad4efe-f0ac-46bf-afa0-1beea4c6b24f" href="https://www.neowin.net/news/new-phishing-scam-uses-legit-software-to-hijack-computers-but-the-real-story-is-even-wilder/" rel="external nofollow">fake RMM company was using its landing page as a storefront for renting out legitimate EV certificates to hackers</a>.
</p>

<p>
	 
</p>

<p>
	If you're an admin of an enterprise network, you should install the February 2026 Security Update immediately to remove this vulnerability from your system.
</p>

<p>
	 
</p>

<p>
	Via: <a automate_uuid="7556ef07-8a4e-4b4c-9f99-d2260c9f125a" href="https://x.com/DarkWebInformer/status/2029988351894339644" rel="external nofollow">Dark Web Informer (X)</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/hackers-are-selling-a-windows-exploit-for-220000-on-the-dark-web/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 10 March 2026 at 1:37 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34035</guid><pubDate>Tue, 10 Mar 2026 03:38:31 +0000</pubDate></item><item><title>Google adding a WebGPU kill switch for Chrome on Android 16</title><link>https://nsaneforums.com/news/security-privacy-news/google-adding-a-webgpu-kill-switch-for-chrome-on-android-16-r34034/</link><description><![CDATA[<h3>
	Google will let you make Chrome on Android 16 more secure by introducing a toggle for disabling WebGPU. But doing this will come with some trade-offs.
</h3>

<p>
	Google is reportedly working on a new security toggle that will let you prevent Chrome from accessing your phone's graphics hardware through the WebGPU API on Android 16. A teardown of Google Play Services v26.10.31 revealed a hidden setting that should become part of Advanced Protection Mode, which specifically targets WebGPU in Chrome.
</p>

<p>
	 
</p>

<p>
	<a automate_uuid="9844d2d3-3df4-4ec3-990d-e693a8ad3820" href="https://www.neowin.net/news/chrome-113-finally-delivers-webgpu-support-enabling-high-performance-3d-graphics-on-the-web/" rel="external nofollow">The WebGPU interface</a>, introduced to Chrome on Android in 2023, is a modern web standard that provides web-based apps direct access to the device's GPU. Developers are increasingly implementing this new standard into their apps, as it allows for heavy 3D rendering and complex machine learning tasks right inside the browser.
</p>

<p>
	 
</p>

<p>
	However, WebGPU's nature, which is to grant websites direct access to core system components, presents a security risk. That's why hackers are constantly hunting for vulnerabilities inside WebGPU's implementation in browsers to carry out attacks and perform all sorts of malicious actions, including taking full control over a device. Although vulnerabilities are being patched regularly, fixes usually arrive only after some damage has already been done.
</p>

<p>
	 
</p>

<p>
	Apparently, Google now wants to tackle the root of the problem by allowing users to disable WebGPU on Chrome for Android entirely. A recent report from <a automate_uuid="54506740-0d13-4fe5-b58a-dcbcb33c7ee0" href="https://www.androidauthority.com/android-advanced-protection-mode-disable-chrome-webgpu-apk-teardown-3647502/" rel="external nofollow">Android Authority</a> says that Android 16's Advanced Protection Mode will have a new toggle for disabling WebGPU in Chrome.
</p>

<p>
	 
</p>

<p>
	However, turning off WebGPU comes with some performance penalties for the user. If you flip this new security switch, any modern web application that relies on WebGPU will either fail to load entirely or be forced to fall back to older WebGL standards. This will be most noticeable with browser-based games or websites with heavy AI implementations. But if you do most of the resource-heavy stuff inside native apps, you should probably be fine.
</p>

<p>
	 
</p>

<p>
	Google has not officially announced when this WebGPU toggle will roll out to the public. The code was found in a development build of Google Play Services and, as with all APK teardowns, there are no guarantees of a public release.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-adding-a-webgpu-kill-switch-for-chrome-on-android-16/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 10 March 2026 at 1:36 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34034</guid><pubDate>Tue, 10 Mar 2026 03:37:37 +0000</pubDate></item><item><title>EU court adviser says banks must immediately refund phishing victims</title><link>https://nsaneforums.com/news/security-privacy-news/eu-court-adviser-says-banks-must-immediately-refund-phishing-victims-r34015/</link><description><![CDATA[<p>
	Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), has issued a formal opinion suggesting that banks must immediately refund account holders affected by unauthorized transactions, even when the loss is the customer's own fault.
</p>

<p>
	 
</p>

<p>
	The opinion was issued in response to a request for a preliminary ruling submitted by the District Court in Koszalin, Poland, in a dispute between the PKO BP S.A. bank and one of its customers.
</p>

<p>
	 
</p>

<p>
	The case involved phishing fraud, where the customer advertised an item for sale on an auction platform, and was approached by a fraudster who sent them a malicious link to a page resembling the bank’s login interface.
</p>

<p>
	 
</p>

<p>
	The customer entered their bank account credentials on that site, which the fraudster then used to execute an unauthorized payment.
</p>

<p>
	 
</p>

<p>
	The victim reported the transaction the next day to both the bank and the police, but the fraudsters were not identified, and the bank refused to refund the lost amount. In response, the customer sued the bank.
</p>

<p>
	 
</p>

<p>
	The dispute arose because the bank argued it could deny the refund if the customer’s negligence caused the loss.
</p>

<p>
	 
</p>

<p>
	Rantos states that under the EU Payment Services Directive (Directive (EU) 2015/2366, PSD2), a bank cannot refuse to issue an immediate refund to victims unless it has reasonable grounds to suspect customer fraud.
</p>

<p>
	 
</p>

<p>
	“Advocate General Athanasios Rantos considers that EU law requires the bank, as a first step, to refund immediately the amount of the unauthorised transaction, unless it has good reason to suspect fraud, which it must communicate in writing to the competent national authority,” <a href="https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260031en.pdf" rel="external nofollow" target="_blank">reads the CJEU press release</a>.
</p>

<p>
	 
</p>

<p>
	However, it is clarified that the process doesn’t end there: banks are still allowed to seek recovery of the losses from the customer if they can prove that the customer's gross negligence or intent led to the security breach.
</p>

<p>
	 
</p>

<p>
	“If the bank establishes that the customer has failed, intentionally or through gross negligence, to fulfil one of the obligations relating, in particular, to personalised security data, it may require the customer to bear the corresponding losses,” reads the AG’s opinion.
</p>

<p>
	 
</p>

<p>
	“If the customer refuses to reimburse the amount of the unauthorised transaction, it is up to the bank to take legal action against that person to obtain payment.”
</p>

<p>
	 
</p>

<p>
	It is important to clarify that this opinion is not a CJEU ruling, but rather an indication of the direction the court may take when the matter reaches that stage. The AG’s opinion (<a href="https://infocuria.curia.europa.eu/tabs/jurisprudence?sort=DOC_DATE-DESC&amp;searchTerm=%22C-70%2F25%22&amp;publishedId=C-70%2F25" rel="external nofollow" target="_blank">full text here</a>) is a legal recommendation to the CJEU judges, but the CJEU's final ruling will be binding on all EU courts.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/eu-court-adviser-says-banks-must-immediately-refund-phishing-victims/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Monday 9 March 2026 at 6:02 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">34015</guid><pubDate>Sun, 08 Mar 2026 20:02:56 +0000</pubDate></item><item><title>Hackers abuse .arpa DNS and ipv6 to evade phishing defenses</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-abuse-arpa-dns-and-ipv6-to-evade-phishing-defenses-r34014/</link><description><![CDATA[<p>
	 
</p>

<p>
	Threat actors are abusing the special-use ".arpa" domain and IPv6 reverse DNS in phishing campaigns that more easily evade domain reputation checks and email security gateways.
</p>

<p>
	 
</p>

<p>
	The .arpa domain is a special top-level domain reserved for internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a hostname.
</p>

<p>
	 
</p>

<p>
	IPv4 reverse lookups use the in-addr.arpa domain, while IPv6 uses ip6.arpa. In these lookups, the resolver queries a PTR record for a name derived from the IP address: the address components are written in reverse order and appended to one of these domains.
</p>

<p>
	 
</p>

<p>
	For example, www.google.com has the IP addresses 192.178.50.36 (IPv4) and 2607:f8b0:4008:802::2004 (IPv6). A reverse lookup of 192.178.50.36 with the dig tool (dig -x) queries the in-addr.arpa name 36.50.178.192.in-addr.arpa, and its PTR record returns a regular hostname:
</p>

<pre><code>; &lt;&lt;&gt;&gt; DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu &lt;&lt;&gt;&gt; -x 192.178.50.36
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 59754
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;36.50.178.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
36.50.178.192.in-addr.arpa. 1386 IN     PTR     lcmiaa-aa-in-f4.1e100.net.

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Mar 06 13:57:31 EST 2026
;; MSG SIZE  rcvd: 94</code></pre>

<p>
	A reverse lookup of Google's IPv6 address 2607:f8b0:4008:802::2004 likewise queries an ip6.arpa name, built from the address's hex digits in reverse order, and its PTR records return regular hostnames, as shown below.
</p>

<pre><code>; &lt;&lt;&gt;&gt; DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu &lt;&lt;&gt;&gt; -x 2607:f8b0:4008:802::2004
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 31116
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. 78544 IN PTR tzmiaa-af-in-x04.1e100.net.
4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. 78544 IN PTR mia07s48-in-x04.1e100.net.

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Mar 06 13:58:43 EST 2026
;; MSG SIZE  rcvd: 171</code></pre>

<h2>
	Phishing campaign abuses .arpa domains
</h2>

<p>
	A phishing campaign observed by <a href="https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/" rel="external nofollow" target="_blank">Infoblox</a> uses the ip6.arpa reverse DNS TLD, which normally maps IPv6 addresses back to hostnames using PTR records.
</p>

<p>
	 
</p>

<p>
	However, attackers found that if they obtain their own IPv6 address space, the reverse DNS zone delegated for that range is under their control, and they can populate it with additional DNS records that point to phishing sites.
</p>

<p>
	 
</p>

<p>
	In normal DNS functionality, reverse DNS domains are used for PTR records, which allow systems to determine the hostname associated with a queried IP address.
</p>

<p>
	 
</p>

<p>
	However, attackers discovered that once they gained control over the DNS zone for an IPv6 range, some DNS management platforms allowed them to configure other record types that can be abused for phishing attacks.
</p>

<p>
	 
</p>

<p>
	"We have seen threat actors abuse Hurricane Electric and Cloudflare to create these records—both of which have good reputations that actors leverage—and we confirmed that some other DNS providers also allow these configurations," explains Infoblox.
</p>

<p>
	 
</p>

<p>
	"Our tests were not exhaustive, but we notified the providers where we discovered a gap. Figure 2 depicts the process the threat actor used to create the domain used in the phishing emails."
</p>

<p>
	 
</p>

<p>
	To set up the infrastructure, the attackers first obtained a block of IPv6 addresses via IPv6 tunneling services.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Infoblox's overview of how the .arpa TLD is abused in phishing emails" class="ipsImage" height="425" width="720" src="https://www.bleepstatic.com/images/news/security/phishing/a/arpa/arpa-attack-chain.jpg">
		<figcaption>
			<em>Infoblox's overview of how the .arpa TLD is abused in phishing emails<br>
			Source: Infoblox</em>
		</figcaption>
	</figure>
</div>

<p>
	After gaining control of the address space, the attackers then generate reverse DNS hostnames from the IPv6 address range using randomly generated subdomains that are difficult to detect or block.
</p>

<p>
	 
</p>

<p>
	Instead of configuring PTR records as expected, the attackers create A records that point those reverse DNS domains to infrastructure hosting phishing sites.
</p>

<p>
	 
</p>

<p>
	The phishing emails in this campaign use lures that promise a prize, a survey reward, or an account notification. The lures are embedded in the emails as images linked to a reverse IPv6 DNS name, such as "d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa," rather than a regular hostname, so the target never sees the unusual .arpa hostname.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Phishing email lures" class="ipsImage" height="535" width="720" src="https://www.bleepstatic.com/images/news/security/phishing/a/arpa/arpa-phishing-lures.jpg">
		<figcaption>
			<strong>Phishing email lures</strong><br>
			<em>Source: Infoblox</em>
		</figcaption>
	</figure>
</div>

<p>
	When a victim clicks the phishing email image, the victim's device resolves the .arpa hostname, which is served by attacker-controlled name servers hosted at a DNS provider.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="HTML showing image and link using .arpa hostnames" class="ipsImage" height="315" width="720" src="https://www.bleepstatic.com/images/news/security/phishing/a/arpa/arpa-html.jpg">
		<figcaption>
			<strong>HTML showing image and link using .arpa hostnames</strong><br>
			<em>Source: Infoblox</em>
		</figcaption>
	</figure>
</div>

<p>
	In some cases, the authoritative name servers were hosted by Cloudflare, and the reverse DNS domains resolved to Cloudflare IP addresses, hiding the location of the backend phishing infrastructure.
</p>

<p>
	 
</p>

<p>
	After clicking the image, victims are redirected through a traffic distribution system (TDS) that determines whether they are a valid target, commonly based on device type, IP address, HTTP referrer, and other criteria. If the visitor passes validation, they are redirected to a phishing site. Otherwise, they are sent to a legitimate website.
</p>

<p>
	 
</p>

<p>
	Infoblox says the phishing links are short-lived, only active for a few days. After the links expire, they redirect users to domain errors or other legitimate sites.
</p>

<p>
	 
</p>

<p>
	The researchers believe this is done to make it harder for security researchers to analyze and investigate the phishing campaign.
</p>

<p>
	 
</p>

<p>
	Furthermore, as the '.arpa' domain is reserved for internet infrastructure, names under it lack the data normally available for registered domains, such as WHOIS info, domain age, or contact information. This makes it harder for email gateways and security tools to detect malicious domains.
</p>

<p>
	 
</p>

<p>
	The researchers also observed the phishing campaign using other techniques, such as <a href="https://www.infoblox.com/blog/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/" rel="external nofollow" target="_blank">hijacking dangling CNAME records</a> and <a href="https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows" rel="external nofollow" target="_blank">subdomain shadowing</a>, allowing the attackers to push phishing content through subdomains linked to legitimate organizations.
</p>

<p>
	 
</p>

<p>
	"We found over 100 instances where the threat actor used hijacked CNAMEs of well-known government agencies, universities, telecommunication companies, media organizations, and retailers," explained Infoblox.
</p>

<p>
	 
</p>

<p>
	By weaponizing trusted reverse DNS features used by security tools, attackers can generate phishing URLs that bypass traditional detection methods.
</p>

<p>
	 
</p>

<p>
	As always, the best way to avoid phishing attacks like these is to avoid clicking on unexpected links in emails and instead visit services directly through their official websites.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-arpa-dns-and-ipv6-to-evade-phishing-defenses/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Monday 9 March 2026 at 6:00 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">34014</guid><pubDate>Sun, 08 Mar 2026 20:01:55 +0000</pubDate></item><item><title>Microsoft: Hackers abusing AI at every stage of cyberattacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks-r34004/</link><description><![CDATA[<p>
	Microsoft says threat actors are increasingly using artificial intelligence in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack.
</p>

<p>
	 
</p>

<p>
	According to a new Microsoft Threat Intelligence report, attackers are using generative AI tools for a wide range of tasks, including reconnaissance, phishing, infrastructure development, malware creation, and post-compromise activity.
</p>

<p>
	 
</p>

<p>
	In many cases, AI is used to draft phishing emails, translate content, summarize stolen data, debug malware, and assist with scripting or infrastructure configuration.
</p>

<p>
	 
</p>

<p>
	"Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure," <a href="http://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/" rel="external nofollow" target="_blank">warns Microsoft</a>.
</p>

<p>
	 
</p>

<p>
	"For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions."
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Threat actor use of AI across the cyberattack lifecycle" class="ipsImage" height="437" width="720" src="https://www.bleepstatic.com/images/news/security/a/artificial-intelligence/microsoft/ai-abuse/microsoft-ai-abuse.jpg">
		<figcaption>
			<strong>Threat actor use of AI across the cyberattack lifecycle</strong><br>
			<em>Source: Microsoft</em>
		</figcaption>
	</figure>
</div>

<h2>
	AI used to power cyberattacks
</h2>

<p>
	Microsoft has observed multiple threat groups incorporating AI into their cyberattacks, including North Korean actors tracked as <a href="https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/" rel="external nofollow" target="_blank">Jasper Sleet</a> (Storm-0287) and Coral Sleet (Storm-1877), who use the technology as part of remote IT worker schemes.
</p>

<p>
	 
</p>

<p>
	In these operations, AI tools help generate realistic identities, resumes, and communications to gain employment at Western companies and maintain access once hired.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		Jasper Sleet leverages generative AI platforms to streamline the development of fraudulent digital personas. For example, Jasper Sleet actors have prompted AI platforms to generate culturally appropriate name lists and email address formats to match specific identity profiles. For example, threat actors might use the following types of prompts to leverage AI in this scenario:
	</p>

	<p>
		 
	</p>

	<p>
		Example prompt 1: “Create a list of 100 Greek names.”
	</p>

	<p>
		 
	</p>

	<p>
		Example prompt 2: “Create a list of email address formats using the name <em>Jane Doe</em>.“
	</p>

	<p>
		 
	</p>

	<p>
		Jasper Sleet also uses generative AI to review job postings for software development and IT-related roles on professional platforms, prompting the tools to extract and summarize required skills. These outputs are then used to tailor fake identities to specific roles.
	</p>

	<p>
		 
	</p>
	❖ Microsoft Threat Intelligence
</div>

<p>
	The report also describes how AI is being used to assist with malware development and infrastructure creation, with threat actors using AI coding tools to generate and refine malicious code, troubleshoot errors, or port malware components to different programming languages.
</p>

<p>
	 
</p>

<p>
	Some experimental malware samples show signs of AI-enabled code that dynamically generates scripts or modifies its behavior at runtime.
</p>

<p>
	 
</p>

<p>
	Microsoft also observed Coral Sleet using AI to quickly generate fake company sites, provision infrastructure, and test and troubleshoot their deployments.
</p>

<p>
	 
</p>

<p>
	When AI safeguards attempt to prevent the use of AI in these tasks, Microsoft says threat actors are using jailbreaking techniques to trick LLMs into generating malicious code or content.
</p>

<p>
	 
</p>

<p>
	In addition to generative AI use, Microsoft researchers have begun to see threat actors experiment with agentic AI to perform tasks autonomously and adapt to results.
</p>

<p>
	 
</p>

<p>
	However, Microsoft says AI is currently used primarily for decision-making rather than for autonomous attacks.
</p>

<p>
	 
</p>

<p>
	Because many IT worker campaigns rely on the abuse of legitimate access, Microsoft advises organizations to treat these schemes and similar activity as insider risks.
</p>

<p>
	 
</p>

<p>
	Furthermore, as these AI-powered attacks mirror conventional cyberattacks, defenders should focus on detecting abnormal credential use, hardening identity systems against phishing, and securing AI systems that may become targets in future attacks.
</p>

<p>
	 
</p>

<p>
	Microsoft is not alone in seeing threat actors increasingly using artificial intelligence to power attacks and lower barriers to entry.
</p>

<p>
	 
</p>

<p>
	Google <a href="https://www.bleepingcomputer.com/news/security/google-says-hackers-are-abusing-gemini-ai-for-all-attacks-stages/" rel="external nofollow" target="_blank">recently reported</a> that threat actors are abusing Gemini AI across all stages of cyberattacks, mirroring what Amazon observed in the campaign described below.
</p>

<p>
	 
</p>

<p>
	Amazon and the Cyber and Ramen security blog also recently reported on a threat actor using multiple generative AI services as part of a campaign that <a href="https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/" rel="external nofollow" target="_blank">breached more than 600 FortiGate firewalls</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Sunday 8 March 2026 at 4:25 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">34004</guid><pubDate>Sat, 07 Mar 2026 18:26:24 +0000</pubDate></item><item><title>Google says 90 zero-days were exploited in attacks last year</title><link>https://nsaneforums.com/news/security-privacy-news/google-says-90-zero-days-were-exploited-in-attacks-last-year-r33981/</link><description><![CDATA[<p>
	Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances.
</p>

<p>
	 
</p>

<p>
	The figure is a 15% increase compared to 2024, when 78 zero-days were exploited in the wild, but lower than the record 100 zero-days tracked in 2023.
</p>

<p>
	 
</p>

<p>
	Zero-day vulnerabilities are security issues in software products that attackers exploit, usually before the vendor learns about them and develops a patch. They are highly valued by threat actors because they often enable initial access, remote code execution, or privilege escalation.
</p>

<p>
	 
</p>

<p>
	A report from GTIG today notes that of the 90 zero-days tracked as exploited in 2025, 47 of them targeted end-user platforms, and 43 targeted enterprise products.
</p>

<p>
	 
</p>

<p>
	The types of exploited flaws include remote code execution, privilege escalation, injection and deserialization flaws, authorization bypasses, and memory corruption (use-after-free) bugs. Google reports that memory safety issues accounted for 35% of all exploited zero-day vulnerabilities last year.
</p>

<p>
	 
</p>

<p>
	The most targeted enterprise systems were security appliances, networking infrastructure, VPNs, and virtualization platforms, as these provide privileged network access and often lack EDR monitoring.
</p>

<p>
	 
</p>

<p>
	GTIG reports that bugs in operating systems were the most exploited category last year, with attacks leveraging 24 zero-day vulnerabilities in desktop OSs and 15 in mobile platforms.
</p>

<p>
	 
</p>

<p>
	Zero-day exploits in web browsers dropped to eight, a sharp decline compared to previous years.
</p>

<p>
	 
</p>

<p>
	Google’s analysts speculate this might be due to increased security hardening in this software category, though it may also be a case of threat actors using more advanced evasion tactics and being better at hiding malicious activity.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Type of zero-day targets" class="ipsImage" height="662" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2026/March/products.jpg">
		<figcaption>
			<em>Type of zero-day targets and their share for 2025<br>
			Source: Google</em>
		</figcaption>
	</figure>
</div>

<p>
	According to GTIG researchers, Microsoft was the top vendor targeted with zero-days last year (25), followed by Google with 11, Apple with eight, Cisco and Fortinet with four each, and Ivanti and VMware with three each.
</p>

<p>
	 
</p>

<p>
	For the first time since Google started tracking zero-day exploitation, commercial spyware vendors were the largest users of undocumented flaws, surpassing state-sponsored espionage groups, which may also be deploying more effective hiding techniques.
</p>

<p>
	 
</p>

<p>
	“This continues to reflect a trend we began to observe over the last several years–a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape,” <a href="https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review" rel="external nofollow" target="_blank">reads the GTIG report</a>.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Threat actors driving the zero-day exploitation volume" class="ipsImage" height="515" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2026/March/actors.jpg">
		<figcaption>
			<em>Threat actors driving the zero-day exploitation volume<br>
			Source: Google</em>
		</figcaption>
	</figure>
</div>

<p>
	Google researchers say that among state-sponsored actors, China-linked espionage groups remain the most active, with 10 zero-days exploited in 2025. The attacks targeted primarily edge devices, security appliances, and networking equipment for long-term persistent access.
</p>

<p>
	 
</p>

<p>
	Another notable trend observed last year was the increase in zero-day exploitation by financially motivated actors (ransomware, data extortion), who accounted for nine of the flaws.
</p>

<p>
	 
</p>

<p>
	GTIG believes that the use of AI tools will help automate vulnerability discovery and accelerate exploit development, so exploitation of zero-day flaws in 2026 is expected to remain high.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.bleepingcomputer.com/news/security/google-brickstorm-malware-used-to-steal-us-orgs-data-for-over-a-year/" rel="external nofollow" target="_blank">Brickstorm campaign</a> is highlighted in the report as an example of how hackers are shifting their focus from source code theft to discovering flaws in future software products.
</p>

<p>
	 
</p>

<p>
	To detect and contain zero-day exploitation, Google recommends reducing attack surfaces and privilege exposure, continuously monitoring systems for anomalous behavior, and maintaining rapid patching and incident-response processes.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 6 March 2026 at 5:16 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33981</guid><pubDate>Thu, 05 Mar 2026 19:18:04 +0000</pubDate></item><item><title>Fake LastPass support email threads try to steal vault passwords</title><link>https://nsaneforums.com/news/security-privacy-news/fake-lastpass-support-email-threads-try-to-steal-vault-passwords-r33975/</link><description><![CDATA[<p>
	Password management software provider LastPass is warning users of a phishing campaign targeting its users with fake unauthorized account access alerts.
</p>

<p>
	 
</p>

<p>
	The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address.
</p>

<p>
	 
</p>

<p>
	The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Example email thread" class="ipsImage" height="492" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2026/March/thread.jpg">
		<figcaption>
			<em>Example email thread<br>
			Source: LastPass</em>
		</figcaption>
	</figure>
</div>

<p>
	Clicking any of these links directs users to a fake LastPass login page hosted on the domain “verify-lastpass[.]com” that collects LastPass user credentials.
</p>

<p>
	 
</p>

<p>
	The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team notes in a report that apart from this primary domain, the attacker also uses slightly modified URLs that redirect to the same phishing page.
</p>

<p>
	 
</p>

<p>
	LastPass notes that multiple sender addresses and subject lines are used in the campaign to increase credibility and make tracing more difficult.
</p>

<p>
	 
</p>

<p>
	Most sender addresses are completely unrelated to the LastPass brand, set up from compromised websites or abandoned domains, but the attackers try to hide them by using the ‘LastPass Support’ display name.
</p>

<p>
	 
</p>

<p>
	The company underlined that its infrastructure has not been compromised in any way, and there’s no impact on its systems.
</p>

<p>
	 
</p>

<p>
	Moreover, it reminded customers that its support agents will never ask for their master password and that users should never disclose it to anyone.
</p>

<p>
	 
</p>

<p>
	LastPass is working with third-party partners to take down the fake websites as soon as possible, while urging users who receive suspicious communications to report them to ‘abuse@lastpass.com.’
</p>

<p>
	 
</p>

<p>
	LastPass’s popularity makes the service a frequent target of phishing campaigns. Earlier this year, in January, LastPass warned of another phishing campaign that distributed <a href="https://www.bleepingcomputer.com/news/security/fake-lastpass-emails-pose-as-password-vault-backup-alerts/" rel="external nofollow" target="_blank">fake maintenance notifications</a>, asking users to back up their vaults within 24 hours and redirecting them to phishing pages.
</p>

<p>
	 
</p>

<p>
	In late 2025, two more campaigns targeting LastPass occurred: one leveraging <a href="https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-used-to-breach-password-vaults/" rel="external nofollow" target="_blank">fake user death claims</a>, and the other claiming the company <a href="https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/" rel="external nofollow" target="_blank">had been hacked</a> and urging users to download a new version of the client app.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 5 March 2026 at 12:19 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33975</guid><pubDate>Thu, 05 Mar 2026 02:20:25 +0000</pubDate></item><item><title>Bitwarden adds support for passkey login on Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/bitwarden-adds-support-for-passkey-login-on-windows-11-r33974/</link><description><![CDATA[<p>
	Bitwarden announced support for logging into Windows 11 devices using passkeys stored in the manager's vault, enabling phishing-resistant authentication.
</p>

<p>
	 
</p>

<p>
	The new feature is available for all plans, including the free tier, and allows logging into Windows by selecting the security key option and scanning a QR code with a mobile device to confirm access to the passkey stored in the Bitwarden encrypted vault.
</p>

<p>
	 
</p>

<p>
	Bitwarden is an open-source password and secrets manager that can store account passwords, passkeys, API keys, credit card details, identity data, and private notes.
</p>

<p>
	 
</p>

<p>
	To use the new feature, there are <a href="https://bitwarden.com/blog/log-into-windows-with-a-bitwarden-passkey/" rel="external nofollow" target="_blank">three required conditions</a>:
</p>

<p>
	 
</p>

<ol>
	<li>
		Devices joined to Entra ID
	</li>
	<li>
		FIDO2 security key sign-in enabled
	</li>
	<li>
		A registered Entra ID passkey stored in the user's Bitwarden vault
	</li>
</ol>

<p>
	 
</p>

<p>
	“Windows now supports industry-standard passkeys secured in the Bitwarden vault, enabling passwordless authentication during sign-in,” <a href="https://www.businesswire.com/news/home/20260304025297/en/Bitwarden-Enables-Passkey-Login-to-Windows-11" rel="external nofollow" target="_blank">Bitwarden says</a> in a press release.
</p>

<p>
	 
</p>

<p>
	“Users can choose to log in with a passkey stored in the Bitwarden vault, allowing Windows to authenticate using cryptographic credentials rather than passwords, without transmitting shared secrets.”
</p>

<p>
	 
</p>

<p>
	Bitwarden acts as the passkey provider in the Windows authentication flow, storing the credential in the user’s synced vault rather than binding it to a single device. This also allows recovery using other devices in case of losing the phone.
</p>

<p>
	 
</p>

<p>
	More importantly, by removing password entry from the login process and using cryptographic challenges signed with private keys stored in the vault, the risk of credential exposure to phishing drops dramatically.
</p>

<p>
	 
</p>

<p>
	Bitwarden states that Microsoft will roll out passkey login on Windows this month, and that availability depends on the organization's Microsoft Entra ID configuration.
</p>

<p>
	 
</p>

<p>
	In November 2025, <a href="https://www.bleepingcomputer.com/news/security/windows-11-now-supports-3rd-party-apps-for-native-passkey-management/" rel="external nofollow" target="_blank">Microsoft announced</a> the introduction of a passkey provider API on Windows 11, allowing third-party apps like Bitwarden and 1Password to store and manage passkeys for websites and apps on the OS.
</p>

<p>
	 
</p>

<p>
	The latest announcement extends this further, to a more fundamental authentication layer: sign-in to the OS itself.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bitwarden-adds-support-for-passkey-login-on-windows-11/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 5 March 2026 at 12:18 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33974</guid><pubDate>Thu, 05 Mar 2026 02:19:30 +0000</pubDate></item></channel></rss>
