< ciso brief />

All news with #research tag

227 articles · page 4 of 12

Firefly: Nanosecond Clock Synchronization for Data Centers

🕒 Firefly is a software-driven clock synchronization system from Google that achieves nanosecond-level timing across data center NICs using commodity hardware. It separates fast internal NIC-to-NIC consensus from external UTC alignment and builds consensus over a d-regular random graph. Practical techniques—RTT filtering, path profiling, and optional switch/NIC features—reduce jitter and asymmetry. It yields consistent sub-10ns internal alignment while scaling to large fabrics.

Security Analysis of Password Managers and Server Risks

🔒 New research examines whether cloud-based password managers can be misused by those controlling servers. Researchers reverse-engineered and closely analyzed Bitwarden, Dashlane, and LastPass, finding that features such as account recovery, shared vaults, and group organization can be abused so a server operator or a compromised server can extract credentials or entire vaults. The study also describes protocol-level attacks that can weaken encryption, potentially converting ciphertext into plaintext. The author contrasts these cloud models with Password Safe, a local-only manager that avoids recovery features and the cloud.

Arkanix Stealer: Short-Lived AI-Assisted Info Stealer

🔍 Kaspersky researchers analyzed a short-lived information stealer called Arkanix, promoted on dark web forums in late 2025 and likely developed with LLM assistance. The project included a control panel, a Discord community, and two tiers: a Python-based basic build and a VMProtect-wrapped C++ premium variant with enhanced AV evasion and wallet injection. Arkanix features modular data theft from browsers, wallets, Telegram and Discord, plus optional post-exploitation modules; the author removed infrastructure within two months, complicating detection and tracking.

Predator Spyware Hooks iOS SpringBoard to Hide Indicators

🔍 Researchers report that Intellexa's Predator commercial spyware can suppress iOS camera and microphone recording indicators by hooking a single SpringBoard method. The malware intercepts sensor updates using a function named HiddenDot::setupHook() and nullifies the SBSensorActivityDataProvider object so the green or orange status dots never reach the UI. The technique requires prior kernel-level access and is combined with ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks, while VoIP recordings also rely on the same upstream interception for stealth.

AI Agents 'Reputation Farming' Threatens Open Source

🤖 Socket warns that AI-driven agents are mass-submitting pull requests to open-source projects, a tactic it calls reputation farming. One agent, "Kai Gritun", opened more than 100 PRs across dozens of repositories and presented itself as a human contributor. While those contributions were non-malicious and passed review, Socket cautions that rapid trust-building could be weaponized for supply-chain attacks and overwhelm maintainers.

Road-sign prompt injection threatens embodied AI systems

⚠️ New research introduces CHAI, a prompt-injection technique that embeds deceptive natural-language instructions into visual inputs to hijack embodied AI agents. The method systematically searches token space, builds prompt dictionaries, and crafts Visual Attack Prompts to mislead LVLM-powered systems. Experiments on drones, autonomous driving stacks, aerial tracking, and a real robotic vehicle show CHAI outperforms prior attacks and highlights the limits of conventional adversarial robustness.

SSHStalker Botnet Uses IRC C2 to Control Linux Systems

🛡️ Flare researchers describe SSHStalker, an IRC-controlled botnet that automates mass compromise of Linux systems by combining SSH scanning with a back-catalog of legacy kernel exploits. The operation drops C-based bots, Perl IRC bots that connect to UnrealIRCd, rootkit components, log-cleaning utilities and a keep-alive to maintain persistence. A Golang scanner enumerates SSH hosts and the toolkit includes automated erasure of SSH connection logs; unlike typical botnets, many infections remain dormant after access is obtained, suggesting staging or long-term retention.

VoidLink: Modular Linux Implant Framework Rising Activity

🛡️ Cisco Talos describes VoidLink as a modular implant management framework focused on Linux, providing advanced persistence, evasion, and plugin-based extensibility. The framework implements RBAC, mesh P2P communications, compile-on-demand plugins, and kernel-level components to hide implants and C2 infrastructure. Talos attributes VoidLink use to an actor tracked as UAT-9921, notes rapid AI-assisted development, and highlights cloud-aware scanning and broad targeting.

New Linux botnet SSHStalker uses IRC for C2 comms campaign

🛡️ A newly documented Linux botnet named SSHStalker uses the legacy IRC protocol for command-and-control while relying on noisy SSH scanning and brute forcing for initial access. Researchers at Flare say it deploys a Go binary masquerading as nmap, compiles C-based IRC bots on hosts, and persists via cron jobs that run every 60 seconds. The kit favors scale and reliability over stealth, reuses a back-catalog of decade-plus-old CVEs for privilege escalation, and includes AWS key harvesting, cryptomining, and dormant DDoS code.

Muddled Libra Rogue VM Playbook and Operational Tactics

🔐 Unit 42 recovered a rogue VM created by Muddled Libra (aka Scattered Spider, UNC3944) during a September 2025 incident, revealing an operational playbook of reconnaissance, credential theft, lateral movement and data access. The actors abused legitimate tools and stolen certificates, persisted via an SSH tunnel (Chisel), and copied NTDS.dit and SYSTEM hives. Unit 42 recommends strengthening identity controls and adopting Advanced WildFire and Cortex defenses.

LLMs Accelerate Zero-Day Discovery: Opus 4.6 Advances

🔎 Claude Opus 4.6 markedly improves automated vulnerability discovery, finding high-severity bugs faster and without task-specific tooling. Unlike traditional fuzzers, which depend on massive random inputs, Opus 4.6 reads and reasons about code like a human researcher—spotting patterns, past fixes, and precise inputs that trigger failures. Early tests show it uncovered long-standing zero-days in projects previously subject to extensive fuzzing.

Smartphones Now Central to Nearly Every Police Probe

🔍 A Cellebrite 2026 Industry Trends Report based on 1,200 law enforcement respondents across 63 countries finds digital evidence — particularly from smartphones — has become central to almost all investigations. Some 95% of practitioners say digital evidence is key to solving cases and 97% point to smartphones as a top source. Agencies report increasing complexity, locked devices in over half of cases, and growing resource reallocations to handle digital work, while many see AI as useful but constrained by policy.

Microsoft Builds Scanner to Detect Backdoors in LLMs

🔍 Microsoft has developed a lightweight scanner to detect backdoors in open-weight large language models (LLMs) by evaluating three observable signals tied to internal model behavior. The tool extracts memorized content, isolates suspect substrings, and scores candidates with loss functions that formalize attention and output anomalies. The approach requires no additional training and runs across common GPT‑style models, but it needs access to model files and is best suited for trigger-based, deterministic backdoors.

Detecting Backdoored Language Models at Scale — Practical Scanner

🔍 Microsoft researchers released new findings and a practical scanner for detecting backdoors in open-weight language models. The study identifies three signatures — a distinctive “double triangle” attention pattern, leakage of poisoning training data through memorization, and trigger “fuzziness” — and uses them to reconstruct likely triggers without retraining. The scanner requires only forward passes, works on GPT-like models, and was validated across 270M–14B models and common fine-tuning regimes. The team notes limits: it needs model file access, favors deterministic backdoors, and should be used as part of layered defenses.

Massive Citrix NetScaler Scans Use Residential Proxies

🔎 GreyNoise observed a coordinated reconnaissance campaign from Jan 28–Feb 2 that used tens of thousands of residential proxies to discover Citrix NetScaler/Citrix Gateway login panels and enumerate product versions. Over 63,000 distinct IPs launched 111,834 sessions, with roughly 64% appearing as residential ISP addresses and the remainder linked to a single Azure IP. The scans concentrated on /logon/LogonPoint/index.html and the EPA artifact /epa/scripts/win/nsepa_setup.exe, indicating pre‑exploitation mapping and version‑specific probing. GreyNoise recommends monitoring anomalous UA strings, flagging EPA artifact access, restricting internet‑facing Gateways, and disabling version disclosure.

Nearly 400 Malicious OpenClaw Crypto Trading Skills

⚠️ Security researcher Paul McCarty (aka 6mile) has identified 386 malicious OpenClaw "skills" on the ClawHub repository that impersonate crypto trading tools. The add-ons use social engineering to trick users into executing commands that deploy infostealers on macOS and Windows, harvesting exchange API keys, wallet private keys, SSH credentials and browser passwords. The discovered skills share a common C2 IP (91.92.242.30) and many remain available, with the most active uploader accounting for nearly 7,000 downloads.

AI Agent Identity Management: New Control Plane for CISOs

🔐 AI agents—custom GPTs, copilots, coding agents and other autonomous tooling—are proliferating in production while remaining largely outside traditional IAM, PAM, and IGA controls. The piece argues for treating agents as a distinct identity class and applying continuous identity lifecycle management to ensure visibility, ownership, dynamic least privilege, and auditability. Rather than slowing adoption, this approach positions identity as the control plane for balancing innovation and security.

Over 80% of Ethical Hackers Now Use AI in Workflows

🤖 Bugcrowd's survey of 2,000 security researchers found 82% now incorporate AI into their workflows, up from 64% in 2023. Respondents highlighted automation of repetitive tasks, analysis of messy or large codebases, and AI as a research assistant as primary use cases. Organizations gain faster, more comprehensive and higher-quality findings without necessarily increasing budgets. The report also notes stronger outcomes from team collaboration and outlines key community demographics.

Airlock Digital Forrester TEI Finds 224% ROI and $3.8M NPV

🔒 The Forrester Consulting Total Economic Impact (TEI) study commissioned by Airlock Digital reports a 224% ROI and a $3.8 million net present value over three years for organizations that adopt Airlock’s allowlisting approach. The analysis cites a >25% reduction in overall breach risk and notes zero breaches among interviewed customers after deployment. It also highlights operational efficiency gains — policy management requiring roughly 2.5 hours per week — and reduced administrative overhead thanks to Airlock’s modern, operationally friendly implementation of allowlisting.

VoidLink cloud malware shows clear signs of AI generation

🧠 Check Point Research reports that the VoidLink Linux cloud malware framework displays clear evidence of being developed predominantly with AI assistance. The actor used an AI-centric IDE, TRAE, and its assistant TRAE SOLO to produce specification documents, sprint plans, and large portions of source code, which reached a working state within days. Exposed development artifacts — including TRAE helper files and an open directory of source and docs — allowed researchers to match generated specs to the recovered code and reproduce the development workflow, leading Check Point to conclude this is a notable example of AI-driven malware development.