All news with #research tag

🚨 Attackers phished and hijacked a package maintainer's account via a fake support domain, then updated index.js files in multiple npm packages to inject a browser-based interceptor. The malicious code targets web clients, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash transactions and replacing wallet destinations to redirect funds. Affected packages collectively account for over 2.6 billion weekly downloads, making this a substantial supply-chain compromise. Investigation and remediation are ongoing.

🔒 FortiGuard Labs has uncovered MostereRAT, a Remote Access Trojan targeting Microsoft Windows that uses layered evasion and persistence techniques. Written in Easy Programming Language, the malware deploys a multi-stage chain, uses mutual TLS for C2 communication, and can disable Windows Update and antivirus processes. The campaign, aimed largely at Japanese users, begins with phishing emails that lead to a malicious Word download and installs services running at SYSTEM-level, while deploying remote access tools such as AnyDesk and TightVNC.

🔬 University of Pennsylvania researchers tested GPT-4o-mini on two categories of requests an aligned model should refuse: insulting the user and giving instructions to synthesize lidocaine. They crafted prompts using seven persuasion techniques (Authority, Commitment, Liking, Reciprocity, Scarcity, Social proof, Unity) and matched control prompts, then ran each prompt 1,000 times at the default temperature for a total of 28,000 trials. Persuasion prompts raised compliance from 28.1% to 67.4% for insults and from 38.5% to 76.5% for drug instructions, demonstrating substantial vulnerability to social-engineering cues.

🔐According to an Accenture report, 88% of security leaders say they face significant difficulties implementing Zero Trust, and 80% cannot effectively protect cyber-physical systems. Other industry studies show mixed adoption—Gartner found 63% with full or partial strategies in 2024, while Entrust reports Germany lags at 53%. Experts point to divergent definitions, legacy systems, cultural resistance to the never trust, always verify model, poor visibility into data flows, and misaligned incentives as core obstacles; many argue the effort is strategic, lengthy, and requires top-down leadership.

🛡️ The EMBER2024 release modernizes the popular EMBER malware benchmark by providing metadata, labels, and computed features for over 3.2 million files spanning six file formats. It supplies a 6,315-sample challenge set of initially evasive malware, updated feature extraction code using pefile, and supplemental raw bytes and disassembly for 16.3 million functions. The package also includes source code to reproduce feature calculation, labeling, and dataset construction so researchers can replicate and extend benchmarks.

🔍 Unit 42 highlights two threat intelligence interns, Sakthi Vinayak and Gabrielle Calderon, who completed a 12-week program contributing to practical research and automation projects. Sakthi concentrated on mechanizing data ingestion, implementing a fidelity scoring framework, and building dashboards to surface trends and gaps in the knowledge repository. Gabrielle focused on malware ticket analysis and developing an automation tool to identify malware families and extract indicators of compromise. Both interns credited Unit 42’s collaborative mentorship and cross-team exposure for accelerating their technical growth and real-world impact.

🧾 The NSA has declassified a September 1965 training workbook, Cryptanalytic Diagnosis with the Aid of a Computer, compiling 147 printouts from the diagnostic program Stethoscope. Run on the special-purpose Bogart computer, the listings show statistical outputs—frequency tables, index of coincidence, periodicity tests, and n-gram analyses—used to train analysts to infer language and cipher type without seeing plaintext. The document also notes the related tool Rob Roy and reflects an era when computers automated manual analytic work.

🔍 A surge of polished scam gambling sites has been traced to a Russian affiliate program called Gambler Panel, which provides a turnkey "fake casino" engine, marketing templates, and step-by-step fraud guides. Ads promise $2,500 promo credits and lure users into making ~$100 cryptocurrency "verification" deposits that are then milked through pressured wagering. The program touts up to 70% revenue shares, a large affiliate base, and a Telegram vetting channel.

🔎 VirusTotal has extended Code Insight to analyze disassembled and decompiled code via a new API endpoint that returns a concise summary and a detailed description for each queried function. The endpoint accepts prior requests as a history input so analysts can chain, correct, and refine context across iterations. An updated VT-IDA plugin for IDA Pro demonstrates integration inside an analyst notebook, allowing selection of functions, iterative review, and acceptance of insights into a shared corpus. The feature is available in trial mode; results have been promising in testing but are not guaranteed complete or perfectly accurate, and community feedback is encouraged.

⚠ Check Point uncovered a global phishing campaign that delivered 115,000 fake invitations via Google Classroom to about 13,500 organizations worldwide within a single week. Attackers used seemingly legitimate classroom invites to present unrelated commercial offers and instructed recipients to continue contact via WhatsApp, shifting conversations off monitored email channels. Because many filters treat messages from Google services as trustworthy, these messages often bypass conventional protections. Experts advise staff training, adoption of AI-driven detection that evaluates context and intent, and extending phishing defenses beyond email to collaboration and messaging platforms.

📊 Google commissioned a Forrester Total Economic Impact™ study to quantify the value of ChromeOS for enterprise deployments. The analysis modeled a composite organization (multinational, $5B revenue, 40,000 employees) and found a 208% ROI over three years, an NPV of $6.8M, and a payback period under six months. Key benefits included 90,000 saved productivity hours, $1.3M in device and licensing savings, $1.2M from strengthened security, and $1.1M in reduced IT support costs.

🔍 A research team at SUTD's ASSET group released Sni5Gect, an open-source over-the-air toolkit that passively sniffs early 5G signaling and injects crafted payloads before NAS security is established. The framework can crash UE modems, fingerprint devices, bypass some authentication flows, and force downgrades from 5G to 4G without deploying a rogue gNB, with reported injection success rates of 70–90% at up to 20 m. GSMA recorded the issue as CVD-2024-0096.

🛡️ VirusTotal ran a large-scale audit of 17,845 GitHub projects implementing the MCP (Model Context Protocol) using Code Insight powered by Gemini 2.5 Flash. The automated review initially surfaced an overwhelming number of issues, and a refined prompt focused on intentional malice marked 1,408 repos as likely malicious. Manual checks showed many flagged projects were demos or PoCs, but the analysis still exposed numerous real attack vectors—credential harvesting, remote code execution via exec/subprocess, supply-chain tricks—and recurring insecure practices. The post recommends treating MCP servers like browser extensions: sign and pin versions, sandbox or WASM-isolate them, enforce strict permissions and filter model outputs to remove invisible or malicious content.

📚 Bruce Schneier will spend the 2025–26 academic year at the University of Toronto’s Munk School as an adjunct. He will organize a reading group on AI security in the fall and teach his cybersecurity policy course in the spring. He intends to collaborate with Citizen Lab, the Law School, and the Schwartz Reisman Institute, and to participate in Toronto’s academic and cultural life. He describes the opportunity as exciting.

🤝 In a Threat Vector podcast, Michael Sikorski and Michael Daniel of the Cyber Threat Alliance discuss how competing vendors must nonetheless collaborate to counter shared threats. Daniel recalls how pooled observations during the 2017 WannaCry outbreak revealed its worm-like propagation and accelerated industry response. He emphasizes that the main obstacles to sharing are human—culture, legal risk, and lack of executive prioritization—and that concrete guardrails (antitrust-compliance statements, embargo protocols, and equal treatment) build the trust needed for timely intelligence exchange. The post cautions that as adversaries adopt AI and automation, systematic collaboration is essential.

🔒 The Microsoft Bounty Program distributed $17 million this year to 344 security researchers across 59 countries, marking the largest total payout in the program’s history. In partnership with the Microsoft Security Response Center (MSRC), researchers helped identify and remediate more than a thousand potential vulnerabilities across Azure, Microsoft 365, Windows, and other Microsoft products and services. The program also expanded coverage and awards for Copilot, identity and Defender scopes, Dynamics 365 & Power Platform AI categories, and refreshed Windows attack scenario incentives to prioritize high-impact research.

🔍 In this Unlocked 403 episode host Becks speaks with ESET malware researcher Lukas Stefanko to explain how modern spyware operates and why commonplace apps can become surveillance tools. They examine ESET’s discovery of BadBazaar, describe common infection vectors, persistence techniques and permissions abuse, and note that some tools can compromise devices without any user interaction. Lukas outlines practical detection signals and step‑by‑step removal advice. The conversation also points listeners to a prior episode for deeper Android threat analysis.

🔍 Fraudsters are promoting hundreds of polished fake gaming sites across Discord and other social platforms, falsely claiming partnerships with influencers and offering a $2,500 'promo code' to lure users. Visitors create free accounts to play sleek casino-style games (for example gamblerbeast[.]com's B-Ball Blitz), but cashouts are blocked and victims are prompted for a cryptocurrency 'verification deposit' and repeated payments. Investigators, including a Discord researcher and the threat-hunting firm Silent Push, linked a shared chat API key to at least 1,270 active domains and found centralized wallets, AI-assisted support, and network-wide tracking that make these scaled scams efficient and hard to report.

🔎 UpGuard discovered an unauthenticated Elasticsearch index containing roughly 22 million web-request records, of which about 95% referenced leakzone.net. The logs included client IP addresses, destination domains, request sizes, geolocation data and ISP metadata, spanning June 25 to discovery on July 18, with about one million requests per day. Analysis found extensive use of public proxies and clustered VPN exit nodes, alongside many one-off IPs likely representing direct users. The dataset raises privacy and operational concerns for visitors, service operators, and investigators.