HCP Vault Dedicated now available in additional AWS and Azure regions

Modern infrastructure is increasingly distributed across clouds, regions, and regulatory environments. As organizations scale their platforms globally, the systems responsible for securing secrets, encryption keys, and identities must be just as resilient and globally accessible.

Today, we’re announcing the expansion of the regional availability of HCP Vault Dedicated with new deployment locations across AWS and Microsoft Azure. The new regions now available include:

AWS

• Stockholm (eu-north-1)

• Paris (eu-west-3 / Paris region availability)

Microsoft Azure

• Australia East
• Australia Central

These additions expand the global footprint of HCP Vault Dedicated and give organizations greater flexibility when deploying Vault to support disaster recovery strategies, performance replication, and regional data residency requirements.

By bringing Vault closer to applications and infrastructure, organizations can improve performance, reduce operational risk, and better align their security architecture with regulatory and compliance requirements.

Improving resilience, performance, and proximity for Vault deployments

HCP Vault Dedicated is a fully managed deployment of Vault Enterprise on the HashiCorp Cloud Platform. It allows organizations to securely store, manage, and control access to sensitive data such as tokens, passwords, encryption keys, and certificates without managing the operational overhead of running Vault themselves.

Expanding the number of available regions allows teams to deploy Vault clusters closer to their workloads while also strengthening multi-region resilience architectures.

For performance-sensitive operations such as secrets retrieval, encryption, and identity validation, proximity matters. Placing Vault clusters closer to applications reduces network latency and improves responsiveness for systems that rely on frequent access to credentials or cryptographic services.

These new regions also strengthen multi-region disaster recovery strategies. HCP Vault Dedicated supports cross-region disaster recovery replication, allowing organizations to maintain a secondary Vault cluster in another region. If a primary region experiences an outage, teams can fail over to the disaster recovery replica to maintain access to secrets and security services.

With additional regional deployment options, organizations can:

• Deploy Vault clusters closer to application workloads

• Design disaster recovery architectures across geographically distinct regions

• Reduce dependency on a small number of regions for failover planning

• Improve performance for distributed applications accessing secrets and encryption services

For example, organizations operating in Europe can now pair regions such as:

• Paris and Frankfurt

• Paris and Stockholm

Similarly, organizations operating in Australia can deploy Vault clusters across Australia East and Australia Central, maintaining regional resilience while keeping infrastructure within national boundaries.

In addition to disaster recovery, HCP Vault Dedicated supports performance replication, allowing organizations to deploy secondary clusters closer to distributed workloads while maintaining centralized governance.

In this architecture:

• A primary cluster acts as the system of record

• Secondary clusters replicate configuration, policies, and secrets

• Applications interact with the nearest Vault cluster to reduce latency

Expanding HCP Vault Dedicated into additional AWS and Azure regions makes it easier for organizations to design Vault architectures that balance performance, resilience, and regional infrastructure placement.

Getting started with the new regions

The new regions are available today when provisioning HCP Vault Dedicated clusters.

When creating a cluster, simply select the desired cloud provider and region in the HCP portal or via the HCP API.

With these additional deployment locations, organizations can more easily align Vault architectures with their global infrastructure footprint across AWS and Azure. For example, teams can now:

• Deploy a primary Vault cluster in AWS Paris with a DR replica in AWS Stockholm

• Run a primary cluster in Azure Australia East with a regional DR cluster in Australia Central

• Place performance replicas closer to application workloads across Europe or APAC

These expanded regional options make it easier to design Vault architectures that meet resilience, performance, and compliance requirements without managing the operational complexity of running Vault clusters yourself.

To get started, sign-up or create a new HCP Vault Dedicated cluster in the HCP portal and select one of the newly available regions.

You can also review the full list of supported regions in the HCP Vault documentation.

from HashiCorp Blog https://ift.tt/OYxKEzL
via IFTTT

KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet

Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.

The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A lesser number of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain.

"KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring," the cybersecurity company said in a report shared with The Hacker News.

Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, thereby making it resilient to detection and disruption efforts.

Once devices are successfully compromised, they are marketed by a proxy service named Doppelgänger ("doppelganger[.]shop"), which is assessed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelgänger, according to its website, claims to offer resident proxies in over 50 countries that provide "100% anonymity." The service is said to have launched in May/June 2025.

Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices.

Central to the attack is a shell script ("aic.sh") that's downloaded from the C2 server ("212.104.141[.]140"), which is responsible for initiating the process of conscripting the victim to the P2P network. The file creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to ".asusrouter," and run it.

Once persistence is established, the script pulls a malicious ELF file, renames it to "kad," and executes it. This, in turn, leads to the deployment of KadNap. The malware is capable of targeting devices running both ARM and MIPS processors.

KadNap is also designed to connect to a Network Time Protocol (NTP) server to fetch the current time and store it along with the host uptime. This information serves as a basis to create a hash that's used to locate other peers in the decentralized network to receive commands or download additional files.

The files – fwr.sh and /tmp/.sose – contains functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and extract a list of C2 IP address:port combinations to connect to.

"In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, by hiding in the noise of legitimate peer-to-peer traffic," Lumen said.

Further analysis has determined that not all compromised devices communicate with every C2 server, indicating the infrastructure is being categorized based on device type and models.

The Black Lotus Labs team told The Hacker News that Doppelgänger's bots are being abused by threat actors in the wild. "One issue there has been since these Asus (and other devices) are also sometimes co-infected with other malware, it is tricky to say who exactly is responsible for a specific malicious activity," the company said.

Users running SOHO routers are advised to keep their devices up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and are no longer supported.

"The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," Lumen concluded. "Their intention is clear, avoid detection and make it difficult for defenders to protect against."

New Linux Threat ClipXDaemon Emerges

The disclosure comes as Cyble detailed a new Linux threat dubbed ClipXDaemon that's designed to target cryptocurrency users by intercepting and altering copied wallet addresses. The clipper malware, delivered via Linux post-exploitation framework called ShadowHS, has been described as an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.

Staged entirely in memory, the malware employs stealth techniques, such as process masquerading and Wayland session avoidance, while simultaneously monitoring the clipboard every 200 milliseconds and substituting cryptocurrency addresses with attacker-controlled wallets. It's capable of targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets.

The decision to avoid execution in Wayland sessions is deliberate, as the display server protocol's security architecture places additional controls, like requiring explicit user interaction, before applications can access the clipboard content. In disabling itself under such scenarios, the malware aims to eliminate noise and avoid runtime failure.

"ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking," the company said. "Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses."

from The Hacker News https://ift.tt/9v7zTeZ
via IFTTT

Which Tools Will Replace Microsoft MDT in 2026?

End of an era: Microsoft Deployment Toolkit (MDT) is officially retired. What should IT admins use instead in 2026? Our new article explains the best replacements for different environments.

Many IT admins who have been in IT for years, including me, relied on tools like Microsoft Deployment Toolkit (MDT) for efficient OS deployments in various environments. MDT has been a good tool for creating and managing Windows images, automating installations, and handling driver injections. However, with Microsoft’s recent announcement, it’s time to look ahead. On January 6, 2026, Microsoft declared the immediate retirement of MDT, meaning no more updates, security fixes, or even official support.

This retirement isn’t entirely surprising. MDT’s lifecycle was tied to underpinning technologies like Windows PE and WDS, which are evolving or being deprioritized. Support effectively ends after the first Configuration Manager release post-October 2025, and downloads have already been pulled from official channels

How the IT will be affected?

• Existing deployments will continue to function, but they are no longer supported.
• Download packages have been removed from official distribution channels, including the Microsoft Learn and Intune pages.

While MDT was a foundational tool for decades, its discontinuation reflects Microsoft’s shift toward cloud-first deployment strategies. Organizations using MDT should now prioritize migration to avoid long-term risks.

Microsoft’s Recommended Alternatives

• Windows Autopilot for cloud-based, zero-touch deployment.
• Configuration Manager (SCCM) Operating System Deployment (OSD) for on-premises environments.

Autopilot leverages Azure AD (now Entra ID) and Intune for device provisioning. It’s ideal for modern management without heavy imaging.

Technical Setup: Devices are pre-registered via hardware hashes uploaded to Intune. On first boot, they connect to the internet, authenticate, and pull configurations.

Capabilities: Supports OOBE customization, app deployment via Win32/MSI, driver updates from Windows Update, and policy enforcement (e.g., BitLocker, Defender). Use ESP (Enrollment Status Page) for progress tracking.

Pros for MDT Users: Zero-touch reduces manual intervention; integrates with Autopilot Reset for re-provisioning. Handles hybrid joins for on-prem AD.

Cons: Requires internet connectivity; less flexible for custom WIM images or offline scenarios. Not suited for bare-metal without OEM preloads.

Migration Tip: Export MDT drivers to Intune repositories; script custom tasks via Proactive Remediations.

Worth to note that for larger environments with 500+ devices, Autopilot scales better than MDT’s share-based model.

Configuration Manager OSD

If you have an existing ConfigMgr site, OSD is the direct evolution of MDT integration.

Technical Setup: Uses task sequences similar to MDT but with deeper SCCM features like software distribution points and boundary groups.

Capabilities: PXE booting via WDS/SCCM, dynamic driver packages, application models for conditional installs, and USMT for user state migration. Supports multicast for large-scale deployments.

Pros: Full on-prem control; integrates with SQL for reporting; handles complex branching logic in sequences.

Cons: Steeper learning curve and resource-intensive (requires dedicated servers). Licensing via Microsoft Endpoint Manager.

Migration Tip: Import MDT task sequences into SCCM, then refactor for native steps. Remove MDT add-ons to comply with retirement.

Third-Party Alternatives: SmartDeploy and WAPT

It’s often cost effective to seek elsewhere than Microsoft. (Not liking having my eggs in the same basket, right?)

Beyond Microsoft’s ecosystem, tools like SmartDeploy and WAPT offer flexible, cost-effective options for OS deployment.

SmartDeploy is a commercial tool positioned as a direct MDT replacement, focusing on hardware-independent imaging.

Technical Setup: Central console for building golden images on VMs, then deploying via USB, network, or cloud.

Capabilities: Platform Packs for drivers (over 1,000 models supported); WDS/PXE integration; answer files for unattended installs. Supports multilayer imaging to separate OS, apps, and drivers.

Pros: Reduces image count (one WIM per OS version); offline deployment; built-in migration from MDT without rebuilding everything.

Cons: Paid licensing; less cloud-native than Autopilot.

Migration Tip: Import MDT shares directly; use wizard to map drivers and scripts.

It’s great for SMBs needing MDT-like simplicity without ConfigMgr overhead.

WAPT: A Quick Introduction and Capabilities

WAPT (Windows APT) is an open-source package management and deployment tool inspired by Debian’s APT system, adapted for Windows environments. It’s designed for centralized software installation, updates, and configuration management across networks. While not a pure OS imaging tool like MDT, it excels in post-OS deployment tasks and can integrate with imaging workflows, making it a complementary alternative for app-heavy environments.

Quick Intro: Developed by Tranquil IT, WAPT uses a client-server architecture. WAPT enables centralized deployment of software, configurations, patches, and operating systems across Windows, Linux, and macOS environments. Tranquil IT also contributes to open-source projects such as OpenRSAT and AzureADConnect_Samba4.

The repo hosts packages for Windows, Linux or MacOS architectures

 

The server hosts repositories of packages (MSI, EXE, scripts), while agents on endpoints pull and execute them. The documentation is really great, with many screenshots. I’d highly recommend to do a POC before adopting, but with their documentation help it is a snap!

Example of importing of a package into the console from a repo

 

It’s free for basic use, with enterprise editions for advanced features. Installation involves running waptserversetup.exe on a Windows server (or Linux for better scalability), configuring Nginx as the web server, and setting up PostgreSQL for the database.

Key Capabilities:

• Package Creation and Deployment: Build custom packages using WAPT’s console or PyScripter. Supports dependencies, pre/post-install scripts, and silent installs. Deploy via policies targeting OUs, groups, or hardware profiles.
• Repository Management: Mirror external repos (e.g., Chocolatey) or create internal ones. Handles versioning, rollbacks, and audits.
• Agent Management: Agents report inventory (hardware, software, configs) back to the server. Supports wake-on-LAN, remote execution, and self-service portals for users.
• Security and Compliance: Enforces signatures on packages; integrates with AD for authentication (Kerberos on Linux servers). Monitors vulnerabilities and automates patches.
• Scalability Limits: On Windows servers, handles up to 500 agents efficiently; switch to Linux for larger deployments or features like large file uploads.
• OS Deployment Integration: While WAPT focuses on software, it can script OS prep tasks (e.g., partitioning, driver installs) and deploy apps during imaging via hooks in tools like WinPE or combined with WDS.

WAPT is great in environments needing granular app control without full imaging. For pure OS deploys, you can pair it with Autopilot or OSDCloud. Limitations include no native Kerberos on Windows servers and potential performance hits for very large packages.

Example of Windows Installer for WAPT server

Choosing the Right Tool for Your Environment

Selecting an MDT replacement depends on your infrastructure:

• Cloud-First: Go with Autopilot for simplicity.
• On-Prem Heavy: ConfigMgr OSD or SmartDeploy for robust task sequences.
• Budget-Conscious/Open-Source: WAPT for app deployment, possibly extended to OS via scripts.
• Hybrid: Combine Autopilot with WAPT for end-to-end management.

Test in a lab: Start with exporting MDT assets (images, drivers) and importing into the new tool. Monitor for hardware compatibility using tools like HWInfo or PowerShell’s Get-WmiObject.

Example of the console with Software inventory, Reporting, OS Deploy or Secondary repos

 

Link: WAPT and TranquilIT

Final Words

MDT’s end marks a shift to more automated, secure deployments. While it’s bittersweet, these alternatives offer better integration with modern Windows features. WAPT enables companies and public authorities to simply and securely deploy software, configurations, software and OS patches, and operating systems on Windows, Linux and macOS environments.

Perhaps one of our future blog posts, I’ll go a bit into details about how to setup a WAPT environment so you can deploy packages with this nice Open-Source tool. For enterprise environment and using the advanced functions, you should definitely get a license that allows you to manage enterprise environments with reporting, OS deployments, Software inventories etc.

from StarWind Blog https://ift.tt/T71iqv2
via IFTTT

New "LeakyLooker" Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries

Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have permitted attackers to run arbitrary SQL queries on victims' databases and exfiltrate sensitive data within organizations' Google Cloud environments.

The shortcomings have been collectively named LeakyLooker by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google.

The list of security flaws is as follows -

"The vulnerabilities broke fundamental design assumptions, revealed a new attack class, and could have allowed attackers to exfiltrate, insert, and delete data in victims' services and Google Cloud environment," security researcher Liv Matan said in a report shared with The Hacker News.

"These vulnerabilities exposed sensitive data across Google Cloud Platform (GCP) environments, potentially affecting any organization using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and almost any other Looker Studio data connector."

Successful exploitation of the cross-tenant flaws could enable threat actors to gain access to entire datasets and projects across different cloud tenants.

Attackers could scan for public Looker Studio reports or obtain access to private ones that use these connectors (e.g., BigQuery) and seize control of the databases, allowing them to run arbitrary SQL queries across the owner's entire GCP project.

Alternatively, a victim creates a report as public or shares it with a specific recipient, and uses a JDBC-connected data source such as PostgreSQL. In this scenario, the attacker can take advantage of a logic flaw in the copy report feature that makes it possible to clone reports while retaining the original owner's credentials, enabling them to delete or modify tables.

Another high-impact path detailed by the cybersecurity company involved one-click data exfiltration, where sharing a specially crafted report forces a victim's browser to execute malicious code that contacts an attacker-controlled project to reconstruct entire databases from logs.

"The vulnerabilities broke the fundamental promise that a 'Viewer' should never be able to control the data they are viewing," Matan said, adding they "could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets."

from The Hacker News https://ift.tt/4hm9rzN
via IFTTT

What’s Holding Back AI Agents? It’s Still Security

It’s hard to find a team today that isn’t talking about agents. For most organizations, this isn’t a “someday” project anymore. Building agents is a strategic priority for 95% of respondents that we surveyed across the globe with 800+ developers and decision makers in our latest State of Agentic AI research. The shift is happening fast: agent adoption has moved beyond experiments and demos into something closer to early operational maturity. 60% of organizations already report having AI agents in production, though a third of those remain in early stages. 

Agent adoption today is driven by a pragmatic focus on productivity, efficiency, and operational transformation, not revenue growth or cost reduction. Early adoption is concentrated in internal, productivity-focused use cases, especially across software, infrastructure, and operations. The feedback loops are fast, and the risks are easier to control. 

So what’s holding back agent scaling? Friction shows up and nearly all roads lead to the same place: AI agent security. 

AI agent security isn’t one issue it’s the constraint

When teams talk about what’s holding them back, AI agent security rises to the top. In the same survey, 40% of respondents cite security as their top blocker when building agents. The reason it hits so hard is that it’s not confined to a single layer of the stack. It shows up everywhere, and it compounds as deployments grow.

For starters, when it comes to infrastructure, as organizations expand agent deployments, teams emphasize the need for secure sandboxing and runtime isolation, even for internal agents.

At the operations layer, complexity becomes a security problem. Once you have more tools, more integrations, and more orchestration logic, it gets harder to see what’s happening end-to-end and harder to control it. Our latest research data reflects that sprawl: over a third of respondents report challenges coordinating multiple tools, and a comparable share say integrations introduce security or compliance risk. That’s a classic pattern: operational complexity creates blind spots, and blind spots become exposure.

45% of organizations say the biggest challenge is ensuring tools are secure, trusted, and enterprise-ready.

And at the governance layer, enterprises want something simple: consistency. They want guardrails, policy enforcement, and auditability that work across teams and workflows. But current tooling isn’t meeting that bar yet. In fact, 45% of organizations say the biggest challenge is ensuring tools are secure, trusted, and enterprise-ready. That’s not a minor complaint: it’s the difference between “we can try this” and “we can scale this.”

MCP is popular but not ready for enterprise

Many teams are adopting Model Context Protocol (MCP) because it gives agents a standardized way to connect to tools, data, and external systems, making agents more useful and customized.  Among respondents further along in their agent journey,  85% say they’re familiar with MCP and two-thirds say they actively use it across personal and professional projects. 

Research data suggests that most teams are operating in what could be described as “leap-of-faith mode” when it comes to MCP, adopting the protocol without security guarantees and operational controls they would demand from mature enterprise infrastructure.

But the security story hasn’t caught up yet. Teams adopt MCP because it works, but they do so without the security guarantees and operational controls they would expect from mature enterprise infrastructure. For teams earlier in their agentic journey: 46% of them identify  security and compliance as the top challenge with MCP.

Organizations are increasingly watching for threats like prompt injection and tool poisoning, along with the more foundational issues of access control, credentials, and authentication. The immaturity and security challenges of current MCP tooling make for a fragile foundation at this stage of agentic adoption.

Conclusion and recommendations

Ai agent security is what sets the speed limit for agentic AI in the enterprise. Organizations aren’t lacking interest, they’re lacking confidence that today’s tooling is enterprise-ready, that access controls can be enforced reliably, and that agents can be kept safely isolated from sensitive systems.  

The path forward is clear. Unlocking agents’ full potential will require new platforms built for enterprise scale, with secure-by-default foundations, strong governance, and policy enforcement that’s integrated, not bolted on.

Download the full Agentic AI report for more insights and recommendations on how to scale agents for enterprise. 

Join us on March 25, 2026, for a webinar where we’ll walk through the key findings and the strategies that can help you prioritize what comes next.

Learn more:

• Get your copy of the latest State of Agentic AI report! 
• Learn more about Docker’s AI solutions
• Read more about why AI agents challenge existing governance approaches and explore a new framework designed for agentic AI.

from Docker https://ift.tt/L5jqz39
via IFTTT

APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military

The Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long‑term surveillance of Ukrainian military personnel.

The two malware families have been put to use since April 2024, ESET said in a new report shared with The Hacker News.

APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is a nation-state actor affiliated with Unit 26165 of the Russian Federation's military intelligence agency GRU.

The threat actor's malware arsenal consists of tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that's capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025.

SLIMAGENT, per the Slovakian cybersecurity company, has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018.

It's assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET's analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014.

"SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively," ESET said. "The XAgent keylogger also produces HTML logs using the same color scheme."

Also deployed in connection with SLIMAGENT is another backdoor referred to as BEARDSHELL that's capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2).

A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack. The tool provides a secure tunnel to an external C2 server.

"The shared use of this rare obfuscation technique, combined with its colocation with SLIMAGENT, leads us to assess with high confidence that BEARDSHELL is part of Sednit's custom arsenal," ESET added.

A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025. Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025).

"These adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and may have been considered unused by defenders," ESET said. "This surprising operational choice appears to have paid off: Sednit has successfully relied on Covenant for several years, particularly against selected targets in Ukraine."

This is not the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.

from The Hacker News https://ift.tt/x0G19IV
via IFTTT

Auditing the Gatekeepers: Fuzzing "AI Judges" to Bypass Security Controls

Executive Summary

As organizations scale AI operations, they increasingly deploy AI judges — large language models (LLMs) acting as automated security gatekeepers to enforce safety policies and evaluate output quality. Our research investigates a critical security issue in these systems: They can be manipulated into authorizing policy violations through stealthy input sequences, a type of prompt injection.

To do this investigation, we designed an automated fuzzer for internal use for red-team style assessments called AdvJudge-Zero. Fuzzers are tools that identify software vulnerabilities by providing unexpected input, and we apply the same approach to attacking AI judges. It identifies specific trigger sequences that exploit a model's decision-making logic to bypass security controls.

Unlike previous adversarial attacks that produce detectable gibberish, our research proves that effective attacks can be entirely stealthy, using benign formatting symbols to reverse a block decision to allow.

By examining how this tool works, we can more easily see the security issues inherent in AI judges used by current LLMs.

Palo Alto Networks customers are better protected from this type of issue through the following products and services:

The Unit 42 AI Security Assessment can help empower safe AI use and development.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Background

In modern AI architectures, AI judges often serve as the final line of defense. These automated gatekeepers are responsible for enforcing safety policies (e.g., "Is this response harmful?") and evaluating performance. Our research tool, AdvJudge-Zero, treats LLMs as opaque boxes to be audited, revealing that AI judges can be subject to exploitable logic bugs of their own.

The Methodology: Automated Predictive Fuzzing

Previous adversarial attacks on AI judges have required clear-box access. With full visibility to the internal structure of the system, pen-testers can rely on mathematical routines to force model errors. This often results in high-entropy gibberish that is easily detected.

In contrast, AdvJudge-Zero employs an automated fuzzing approach. The tool interacts with an LLM strictly as a user would, using search algorithms to exploit the model's own predictive nature.

The Steps

1. Token discovery via next-token distribution

The process begins by querying the model to identify expected inputs based on its own next-token distribution.

• Natural language patterns: Our tool probes the model to generate potential trigger phrases based on common linguistic structures.
• Stealth prioritization: It specifically identifies stealth control tokens — innocent-looking characters such as standard markdown syntax or formatting symbols. These possess low perplexity (meaning they appear natural and predictable to the AI) but carry strong influence over the model's attention.

2. Iterative refinement and logit-gap analysis

Once candidate tokens are collected, the system enters a refinement phase.

• Decision boundary testing: The fuzzer iteratively tests these inputs to measure the decision shift.
• Measuring the logit-gap: It monitors the logit-gap — the mathematical margin of confidence — between the yes (allow) and no (block) tokens. By observing which formatting tokens minimize the probability of a block decision, the tool identifies weak points in the model's logic.

By observing which innocent-looking formatting tokens minimize the probability of a block decision, the tool identifies the weak points in the model's logic.

3. Exploitation: isolating the decisive control elements

The final stage of AdvJudge-Zero's process isolates specific tokens that act as decisive control elements. These refined sequences steer the model’s internal attention mechanism toward an approval state, leading to a yes decision regardless of the actual input content.

The Security Issue: Innocent-Looking Triggers

The most alarming finding for security professionals is the stealth of these attacks. AI judges are highly sensitive to innocent-looking characters that act as logical triggers. To a human observer or a web application firewall (WAF), these look like standard data formatting. To the AI judge, they shift the model into compliance mode.

Effective triggers identified include:

• Formatting symbols: List markers (1., -), newlines (\n) or markdown headers (###)
• Structural tokens: Role indicators (e.g., User:, Assistant🙂 or system tags
• Context shifts: Phrases like The solution process is…, Step 1 or Final Answer:

Impact: Bypassing the Gatekeeper

Testing against a suite of general-purpose and specialized defense models confirms that LLM-as-a-judge setups are not a set-and-forget security control. By injecting low-perplexity stealth control tokens, an attacker can fundamentally break the logic of the automated gatekeeper.

To verify that our discovered control tokens are stealthier than common gibberish jailbreak tokens, we subjected them to a perplexity test. We compared the perplexity scores of our AdvJudge-Zero tokens against those from a common jailbreak algorithm (GCG) and against manually discovered, verified stealthy tokens (e.g., 解 and Solution🙂 from other prior research.

As Figure 1 illustrates, the tokens discovered by AdvJudge-Zero (blue area toward the left) yield significantly lower perplexity scores than the gibberish adversarial tokens (red area on the right). Furthermore, the AdvJudge-Zero tokens exhibit perplexity scores equivalent to the verified stealth jailbreak tokens (yellow area, the leftmost spike). This evidence supports the conclusion that the tokens discovered by AdvJudge-Zero are indeed more stealthy and significantly more likely to bypass general gatekeepers undetected.

Figure 1. Perplexity comparison for AdvJudge-Zero tokens vs. common jailbreak tokens.

How Attacks Would Manifest in Real-World Scenarios

These attacks do not resemble traditional hacking or computer code. Instead, they appear as standard formatting that exploits the logic in the AI's judgment.

• Scenario 1: Bypassing safety filters (the false approval)

An attacker can force a judge to approve toxic, biased or prohibited content.

• • The Attack: The attacker appends a specific stealth control token found by AdvJudge-Zero, such as \n\nAssistant:
  • The Result: These tokens manipulate the judge into concluding the policy check phase has ended. The judge reverses its decision from block to allow, permitting the harmful content.

• Scenario 2: Corrupting training data (reward hacking)

In many enterprises, AI judges are used to score model responses during training, a process called reinforcement learning from human feedback (RLHF). If the judge is hacked, the AI learns the wrong lessons.

• • The Attack: An attacker inserts directive phrases like The correct answer is: or \begin{enumerate}
  • The Result: The AI judge is “distracted” by the professional-looking formatting and assigns a high score even to incorrect information or hallucinations. This leads to model degradation, where the resulting AI becomes less reliable.

Vulnerable Model Categories

Our research using this tool achieved a 99% success rate in bypassing controls across several widely used architectures that customers rely on today:

1. Open-weight enterprise models: Popular models used for internal company chatbots and document summarization.
2. Specialized reward models: Models specifically built and trained to act as “security guards” for other AI systems.
3. High-parameter models: Even the largest, most “intelligent” models (with more than 70 billion parameters) were susceptible. Their complexity actually provides more surface area for these logic-based attacks to succeed.

Conclusion

The methods of AdvJudge-Zero in our testing prove that AI judges are susceptible to logic flaws similar to other software. If an attacker can automate the discovery of bypass codes through fuzzing, they can systematically defeat AI guardrails with innocent-looking inputs.

However, the fuzzer methodology also provides a solution. By adopting adversarial training — running this type of fuzzer internally to identify weaknesses and then retraining the model on these examples — organizations can harden their systems. This approach can reduce the attack success rate from approximately 99% to near zero.

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

Organizations are better equipped to close the AI security gap through the deployment of Cortex AI-SPM, which delivers comprehensive visibility and posture management for AI agents. Cortex AI-SPM is designed to mitigate critical risks including over-privileged AI agent access, misconfigurations and unauthorized data exposure.

The Unit 42 AI Security Assessment can help empower safe AI use and development.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107
• South Korea: +82.080.467.8774

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

from Unit 42 https://unit42.paloaltonetworks.com/fuzzing-ai-judges-security-bypass/
via IFTTT

Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool

Salesforce has warned of an increase in threat actor activity that's aimed at exploiting misconfigurations in publicly accessible Experience Cloud sites by making use of a customized version of an open-source tool called AuraInspector.

The activity, per the company, involves the exploitation of customers' overly permissive Experience Cloud guest user configurations to obtain access to sensitive data.

"Evidence indicates the threat actor is leveraging a modified version of the open-source tool AuraInspector [...] to perform mass scanning of public-facing Experience Cloud sites," Salesforce said.

"While the original AuraInspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings."

AuraInspector refers to an open-source tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework. It was released by Google-owned Mandiant in January 2026.

Publicly accessible Salesforce sites use a dedicated guest user profile that enables an unauthenticated user to access landing pages, FAQs, and knowledge articles. However, if this profile is misconfigured with excessive permissions, it can potentially grant unauthenticated users access to more data than intended.

As a result, an attacker could exploit this security weakness to directly query Salesforce CRM objects without logging in. For this attack to work, two conditions have to be satisfied by Experience Cloud customers: they are using the guest user profile and have not adhered to Salesforce's recommended configuration guidance.

"At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity," Salesforce said. "These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure."

The company attributed the campaign to a known threat actor group without taking its name, raising the possibility that it could be the work of ShinyHunters (aka UNC6240), which has a history of targeting Salesforce environments via third-party applications from Salesloft and Gainsight.

Salesforce is recommending customers review their Experience Cloud guest user settings, ensure the Default External Access for all objects is set to Private, disable guest users' access to public APIs, restrict visibility settings to prevent guest users from enumerating internal organization members, disable self-registration if not required, and monitor logs for unusual queries.

"This threat actor activity reflects a broader trend of 'identity-based' targeting," it added. "Data harvested in these scans, such as names and phone numbers – is often used to build follow-on targeted social engineering and 'vishing' (voice phishing) campaigns."

from The Hacker News https://ift.tt/7FrsnNb
via IFTTT

UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device

The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency.

The activity has been attributed with moderate confidence to the state-sponsored adversary, which is also tracked under the cryptonyms Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. 

"This incident is notable for its blend of social engineering, exploitation of personal-to-corporate device peer-to-peer data (P2P) transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques," the tech giant noted in its H1 2026 Cloud Threat Horizons Report [PDF] shared with The Hacker News.

Upon gaining access to the cloud environment, the attackers are said to have abused legitimate DevOps workflows to harvest credentials, break out of the confines of containers, and tamper with Cloud SQL databases to facilitate the cryptocurrency theft.

The attack chain, Google Cloud said, represents a progression of what started with the compromise of a developer's personal device to their corporate workstation, before jumping to the cloud to make unauthorized modifications to the financial logic.

It all started with the threat actors using social engineering ploys to deceive the developer into downloading an archive file as part of a supposed open-source project collaboration. The developer then transferred the same file to their company device over AirDrop.

"Using their AI-assisted Integrated Development Environment (IDE), the victim then interacted with the archive's contents, eventually executing the embedded malicious Python code, which spawned and executed a binary that masqueraded as the Kubernetes command-line tool," Google said.

The binary then contacted an attacker-controlled domain and acted as a backdoor to the victim's corporate machine, giving the attackers a way to pivot to the Google Cloud environment by likely using authenticated sessions and available credentials. This step was followed by an initial reconnaissance phase aimed at gathering information about various services and projects.

The attack moved to the next phase with the discovery of a bastion host, with the adversary modifying its multi-factor authentication (MFA) policy attribute to access it and perform additional reconnaissance, including navigating to specific pods within the Kubernetes environment.

Subsequently, UNC4899 adopted a living-off-the-cloud (LotC) approach to configure persistence mechanisms by altering Kubernetes deployment configurations so as to execute a bash command automatically when new pods are created. The command, for its part, downloaded a backdoor.

Some of the other steps carried out by the threat actor are listed below -

• Kubernetes resources tied to the victim's CI/CD platform solution were modified to inject commands that displayed the service account tokens onto the logs.
• The attacker obtained a token for a high-privileged CI/CD service account, permitting them to escalate their privileges and conduct lateral movement, specifically targeting a pod that handled network policies and load balancing.
• The stolen service account token was used to authenticate to the sensitive infrastructure pod running in privileged mode, escape the container, and deploy a backdoor for persistent access.
• Another round of reconnaissance was conducted by the threat actor before shifting their attention to a workload responsible for managing customer information, such as user identities, account security, and cryptocurrency wallet information.
• The attacker used it to extract static database credentials that were stored insecurely in the pod's environment variables.
• The credentials were then abused to access the production database via Cloud SQL Auth Proxy and execute SQL commands to make user account modifications. This included password resets and MFA seed updates for several high-value accounts.
• The attack culminated with the use of the compromised accounts to successfully withdraw several million dollars in digital assets.

The incident "highlights the critical risks posed by the personal-to-corporate P2P data transfer methods and other data bridges, privileged container modes, and the unsecured handling of secrets in a cloud environment," Google said. "Organizations should adopt a defense-in-depth strategy that rigorously validates identity, restricts data transfer on endpoints, and enforces strict isolation within cloud runtime environments to limit the blast radius of an intrusion event."

To counter the threat, organizations are advised to implement context-aware access and phishing-resistant MFA, ensure only trusted images are deployed, isolate compromised nodes from establishing connectivity with external hosts, monitor for unexpected container processes, adopt robust secrets management, enforce policies to disable or restrict peer-to-peer file sharing using AirDrop or Bluetooth and mounting of unmanaged external media on corporate devices.

from The Hacker News https://ift.tt/R5Iy8dr
via IFTTT

Security Onion 3.0 Coming Soon!

Last week, we released Security Onion 2.4.210:

https://blog.securityonion.net/2026/03/security-onion-24210-now-available-with.html

This is our last release in the 2.4 series! Our next release will be Security Onion 3.0!

Security Onion 2.4

Security Onion 2.4 reached General Availability on August 15, 2023:

https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html

Over the last 2.5 years, we've made lots of innovative changes to the platform but we kept the version number at 2.4. The time has come to move to Security Onion 3 to represent the innovation that we've already done and the innovation that we're planning to do!

Security Onion 3.0

Security Onion 3.0 is very similar to 2.4.210 and uses the exact same underlying operating system (Oracle Linux 9) and all of the same components with one exception: 3.0 no longer includes Stenographer and so full packet capture is handled by Suricata.

Also note that 3.0 will not work with anything but Oracle Linux 9. We will not test or support Ubuntu, Debian or any other distro. These other distros were not officially supported in 2.4 but we're officially removing them altogether in 3.0.

Upgrading from 2.4 to 3.0

Once Security Onion 3.0 is released, there will be a simple command to update from 2.4.210 to 3.0. If you are on an older version of 2.4.x, you will have to update to 2.4.210 first.

If you are still using Stenographer for your full packet capture, go ahead and change pcap mode to TRANSITION now so that Suricata can start doing pcap and old Stenographer data can roll off:

https://docs.securityonion.net/en/2.4/suricata.html#switching-pcap-from-stenographer-to-suricata

from Security Onion https://ift.tt/KR0A2T5
via IFTTT

Security Onion Documentation printed book now updated for Security Onion 2.4.210!

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for the recently released Security Onion 2.4.210!

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This edition has been updated for Security Onion 2.4.210 and includes a 20% discount code for our on-demand training and certification!

This book covers the following Security Onion topics:

• First Time Users
• Getting Started
• Security Onion Console (SOC)
• Security Onion Desktop
• Network Visibility
• Additional Network Visibility
• Host Visibility
• Third Party Integrations
• Rules
• Logs
• Updating
• Accounts
• Services
• Customizing for Your Environment
• Tricks and Tips
• Utilities
• Help

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print. It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else! Proceeds go to the Rural Technology Fund! Finally, the printed book includes a 20% discount code for our on-demand training and certification.

Who should get this book?

You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2.4.210!

Where do we get it?

https://securityonion.com/book

from Security Onion https://ift.tt/vICiFxd
via IFTTT

Secure agentic AI for your Frontier Transformation

Today we shared the next step to make Frontier Transformation real for customers across every industry with Wave 3 of Microsoft 365 Copilot, Microsoft Agent 365, and Microsoft 365 E7: The Frontier Suite.

Introducing the First Frontier Suite built on Intelligence and Trust

As our customers rapidly embrace agentic AI, chief information officers (CIOs), chief information security officers (CISOs), and security decision makers are asking urgent questions: How do I track and monitor all these agents? How do I know what they are doing? Do they have the right access? Can they leak sensitive data? Are they protected from cyberthreats? How do I govern them?

Agent 365 and Microsoft 365 E7: The Frontier Suite, generally available on May 1, 2026, are designed to help answer these questions and give organizations the confidence to go further with AI.

Agent 365—the control plane for agents

As organizations adopt agentic AI, growing visibility and security gaps can increase the risk of agents becoming double agents. Without a unified control plane, IT, security, and business teams lack visibility into which agents exist, how they behave, who has access to them, and what potential security risks exist across the enterprise. With Microsoft Agent 365 you now have a unified control plane for agents that enables IT, security, and business teams to work together to observe, govern, and secure agents across your organization—including agents built with Microsoft AI platforms and agents from our ecosystem partners—using new Microsoft Security capabilities built into their existing flow of work.

Here is what that looks like in practice:

As we are now running Agent 365 in production, Avanade has real visibility into agent activity, the ability to govern agent sprawl, control resource usage, and manage agents as identity-aware digital entities in Microsoft Entra. This significantly reduces operational and security risk, represents a critical step forward in operationalizing the agent lifecycle at scale, and underscores Microsoft’s commitment to responsible, production-ready AI.

—Aaron Reich, Chief Technology and Information Officer, Avanade

Learn more about Microsoft Agent 365

Key Agent 365 capabilities include:

Observability for every role

With Agent 365, IT, security, and business teams gain visibility into all Agent 365 managed agents in their environment, understand how they are used, and can act quickly on performance, behavior, and risk signals relevant to their role—from within existing tools and workflows.

• Agent Registry provides an inventory of agents in your organization, including agents built with Microsoft AI platforms, ecosystem partner agents, and agents registered through APIs. This agent inventory is available to IT teams in the Microsoft 365 admin center. Security teams see the same unified agent inventory in their existing Microsoft Defender and Purview workflows.
• Agent behavior and performance observability provides detailed reports about agent performance, adoption and usage metrics, an agent map, and activity details.
• Agent risk signals across Microsoft Defender*, Entra, and Purview* help security teams evaluate agent risk—just like they do for users—and block agent actions based on agent compromise, sign-in anomalies, and risky data interactions. Defender assesses risk of agent compromise, Entra evaluates identity risk, and Purview evaluates insider risk. IT also has visibility into these risks in the Microsoft 365 admin center.
• Security policy templates, starting with Microsoft Entra, automate collaboration between IT and security. They enable security teams to define tenant-wide security policies that IT leaders can then enforce in the Microsoft 365 admin center as they onboard new agents.

*These capabilities are in public preview and will continue to be on May 1.

Secure and govern agent access

Unmanaged agents may create significant risk, from accessing resources unchecked to accumulating excessive privileges and being misused by malicious actors. With Microsoft Entra capabilities included in Agent 365, you can secure agent identities and their access to resources.

• Agent ID gives each agent a unique identity in Microsoft Entra, designed specifically for the needs of agents. With Agent ID, organizations can apply trusted access policies at scale, reduce gaps from unmanaged identities, and keep agent access aligned to existing organizational controls.
• Identity Protection and Conditional Access for agents extend existing user policies that make real-time access decisions based on risks, device compliance from Microsoft Intune, and custom security attributes to agents working on behalf of a user. These policies help prevent compromise and help ensure that agents cannot be misused by malicious actors.
• Identity Governance for agents enables identity leaders to limit agent access to only resources they need, with access packages that can be scoped to a subset of the users permissions, and includes the ability to audit access granted to agents.

Prevent data oversharing and ensure agent compliance

Microsoft Purview capabilities in Agent 365 provide comprehensive data security and compliance coverage for agents. You can protect agents from accessing sensitive data, prevent data leaks from risky insiders, and help ensure agents process data responsibly to support compliance with global regulations.

• Data Security Posture Management provides visibility and insights into data risks for agents so data security admins can proactively mitigate those risks.
• Information Protection helps ensure that agents inherit and honor Microsoft 365 data sensitivity labels so that they follow the same rules as users for handling sensitive data to prevent agent-led sensitive data leaks.
• Inline Data Loss Prevention (DLP) for prompts to Microsoft Copilot Studio agents blocks sensitive information such as personally identifiable information, credit card numbers, and custom sensitive information types (SITs) from being processed in the runtime.
• Insider Risk Management extends insider risk protection to agents to help ensure that risky agent interactions with sensitive data are blocked and flagged to data security admins.
• Data Lifecycle Management enables data retention and deletion policies for prompts and agent-generated data so you can manage risk and liability by keeping the data that you need and deleting what you don’t.  
• Audit and eDiscovery extend core compliance and records management capabilities to agents, treating AI agents as auditable entities alongside users and applications. This will help ensure that organizations can audit, investigate, and defensibly manage AI agent activity across the enterprise.
• Communication Compliance extends to agent interactions to detect and enable human oversight of risky AI communications. This enables business leaders to extend their code of conduct and data compliance policies to AI communications.

Defend agents against emerging cyberthreats

To help you stay ahead of emerging cyberthreats, Agent 365 includes Microsoft Defender protections purpose-built to detect and mitigate specific AI vulnerabilities and threats such as prompt manipulation, model tampering, and agent-based attack chains.

• Security posture management for Microsoft Foundry and Copilot Studio agents* detects misconfigurations and vulnerabilities in agents so security leaders can stay ahead of malicious actors by proactively resolving them before they become an attack vector.
• Detection, investigation, and response for Foundry and Copilot Studio agents* enables the investigation and remediation of attacks that target agents and helps ensure that agents are accounted for in security investigations.
• Runtime threat protection, investigation, and hunting** for agents that use the Agent 365 tools gateway, helps organizations detect, block, and investigate malicious agent activities.

Agent 365 will be generally available on May 1, 2026, and priced at $15 per user per month. Learn more about Agent 365.

*These capabilities are in public preview and will continue to be on May 1.

**This new capability will enter public preview in April 2026 and continue to be on May 1.

Microsoft 365 E7: The Frontier Suite

Microsoft 365 E7 brings together intelligence and trust to enable organizations to accelerate Frontier Transformation, equipping employees with AI across email, documents, meetings, spreadsheets, and business application surfaces. It also gives IT and security leaders the observability and governance needed to operate AI at enterprise scale.

Microsoft 365 E7 includes Microsoft 365 Copilot, Agent 365, Microsoft Entra Suite, and Microsoft 365 E5 with advanced Defender, Entra, Intune, and Purview security capabilities to help secure users, delivering comprehensive protection across users and agents. It will be available for purchase on May 1, 2026, at a retail price of $99 per user per month. Learn more about Microsoft 365 E7.

Get started with Microsoft 365 E7: The Frontier Suite

End-to-end security for the agentic era

Frontier Transformation is anchored in intelligence and trust, and trust starts with security. Microsoft Security capabilities help protect 1.6 million customers at the speed and scale of AI.¹ With Agent 365, we are extending these enterprise-grade capabilities so organizations can observe, secure, and govern agents and delivering comprehensive protection across agents and users with Microsoft 365 E7.

Secure your Frontier Transformation today with Agent 365 and Microsoft 365 E7: The Frontier Suite. And join us at RSAC Conference 2026 to learn more about these new solutions and hear from industry experts and customers who are shaping how agents can be observed, governed, secured, and trusted in the real world.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

---

¹Microsoft Fiscal Year 2026 Second Quarter Earnings Conference Call.

The post Secure agentic AI for your Frontier Transformation appeared first on Microsoft Security Blog.

from Microsoft Security Blog https://ift.tt/zPNo7Wq
via IFTTT

Can the Security Platform Finally Deliver for the Mid-Market?

Mid-market organizations are constantly striving to achieve security levels on a par with their enterprise peers. With heightened awareness of supply chain attacks, your customers and business partners are defining the security level you must meet.

What if you could be the enabler for your organization to remain competitive — and help win business — by easily demonstrating that you meet these strict security levels?

The challenge, of course, is how to do so with a small budget and a lean IT and security team.

The security platform has long been seen as the mechanism for reducing complexity by consolidating security tools. However, it has never really lived up to its promise. Or has it?

An upcoming webinar explores whether the security platform model can finally deliver on its original vision — simplifying operations, reducing cost, and strengthening security posture for mid-market organizations.

Join Bitdefender to learn how Bitdefender GravityZone is making the dream of affordable, simplified security for lean IT and security teams a reality.

During this session, you will learn:

• Why a security platform is perfect for mid-market organizations
• How to demonstrate reduced risk and increased security posture to your leadership, business partners, and customers
• How to reduce security fire-fighting and free up your lean IT and security team to focus on strategic projects

For IT Directors, CISOs, and security leaders operating under resource constraints, the ability to consolidate tools without sacrificing coverage can be a competitive advantage — not just a technical improvement.

If your organization is under pressure to prove resilience, meet partner expectations, and improve security outcomes without increasing complexity, this session will provide practical insights and a clear path forward.

Register now to discover how Bitdefender GravityZone can help you achieve security across your organization — without the enterprise-level burden.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/H5u7IJE
via IFTTT

Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft

Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.

The extensions in question, both originally associated with a developer named "akshayanuonline@gmail.com" (BuildMelon), are listed below -

• QuickLens - Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) - 7,000 users
• ShotBird - Scrolling Screenshots, Tweet Images & Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) - 800 users

While QuickLens is no longer available for download from the Chrome Web Store, ShotBird remains accessible as of writing. ShotBird was originally launched in November 2024, with its developer, Akshay Anu S (@AkshayAnuOnline), claiming on X that the extension is suitable for "creating professional, studio-like visuals," and that all processing happens locally.

According to research published by monxresearch-sec, the browser add-on received a "Featured" flag in January 2025, before it was passed on to a different developer ("loraprice198865@gmail.com") sometime last month.

In a similar vein, QuickLens was listed for sale on ExtensionHub on October 11, 2025, by "akshayanuonline@gmail.com" merely two days after it was published, Annex Security's John Tuckner said. On February 1, 2026, the extension's owner changed to "support@doodlebuggle.top" on the Chrome Web Store listing page.

The malicious update introduced to QuickLens on February 17, 2026, kept the original functionality but introduced capacities to strip security headers (e.g., X-Frame-Options) from every HTTP response, allowing malicious scripts injected into a web page to make arbitrary requests to other domains, bypassing Content Security Policy (CSP) protections.

In addition, the extension contained code to fingerprint the user's country, detect the browser and operating system, and polls an external server every five minutes to receive JavaScript, which is stored in the browser's local storage and executed on every page load by adding a hidden 1×1 GIF <img> element and setting the JavaScript string as its "onload" attribute. This, in turn, causes the malicious code to be executed once the image is loaded.

"The actual malicious code never appears in the extension's source files," Tuckner explained. "Static analysis shows a function that creates image elements. That's it. The payloads are delivered from the C2 and stored in local storage -- they only exist at runtime."

A similar analysis of the ShotBird extension by monxresearch-sec has uncovered the use of direct callbacks to deliver JavaScript code instead of creating a 1x1 pixel image to trigger the execution. The JavaScript is engineered to display a bogus Google Chrome browser update prompt, clicking which users are served a ClickFix-style page to open the Windows Run dialog, launch "cmd.exe," and paste a PowerShell command, resulting in the download of an executable named "googleupdate.exe" on Windows hosts.

The malware then proceeds to hook input, textarea, select HTML elements, and capture any data entered by the victim. This could include credentials, PIN, card details, tokens, and government identifiers. It's also equipped to siphon data stored in the Chrome web browser, such as passwords, browsing history, and extension-related information.

"This is a two-stage abuse chain: extension-side remote browser control plus host-level execution pivot via fake updates," the researcher said. "The result is high-risk data exposure in-browser and confirmed host-side script execution on at least one affected system. In practical terms, this elevates the impact from browser-only abuse to likely credential theft and broader endpoint compromise."

It's assessed that the same threat actor is behind the compromise of the two extensions and is operating such add-ons in parallel, given the use of an identical command-and-control (C2) architecture pattern, ClickFix lures injected into the browsing context, and ownership transfer as an infection vector.

Interestingly, the original extension developer has published several other extensions under their name on the Chrome Web Store, and all of them have received a Featured badge. The developer also has an account on ExtensionHub, although no extensions are currently listed for sale. What's more, the individual has attempted to sell domains like "AIInfraStack[.]com" for $2,500, stating the "strong keyword domain" is "relevant for [sic] rapidly growing AI ecosystem."

"This is the extension supply chain problem in a nutshell," Annex Security said. "A 'Featured,' reviewed, functional extension changes hands, and the new owner pushes a weaponized update to every existing user."

The disclosure comes as Microsoft warned of the malicious Chromium‑based browser extensions that masquerade as legitimate AI assistant tools to harvest LLM chat histories and browsing data.

"At scale, this activity turns a seemingly trusted productivity extension into a persistent data collection mechanism embedded in everyday enterprise browser usage, highlighting the growing risk browser extensions pose in corporate environments," the Microsoft Defender Security Research Team said.

In recent weeks, threat hunters have also flagged a malicious Chrome extension named lmΤoken Chromophore (ID: bbhaganppipihlhjgaaeeeefbaoihcgi) that impersonates imToken while advertising itself as a hex color visualizer in the Chrome Web Store to steal cryptocurrency seed phrases using phishing redirects.

"Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it," Socket researcher Kirill Boychenko said.

"On install, the extension fetches a destination URL from a hardcoded JSONKeeper endpoint (jsonkeeper[.]com/b/KUWNE) and opens a tab pointing to a lookalike Chrome Web Store-style domain, chroomewedbstorre-detail-extension[.]com. The landing page impersonates imToken using mixed-script homoglyphs and funnels victims into credential-capture flows that request either a 12 or 24-word seed phrase or a private key."

Other malicious extensions flagged by Palo Alto Networks Networks Unit 42 have been found to engage in affiliate hijacking and data exfiltration, with one of them – Chrome MCP Server - AI Browser Control (ID: fpeabamapgecnidibdmjoepaiehokgda) – serving as a full-fledged remote access trojan while masquerading as an AI automation tool using the Model Context Protocol (MCP).

Unit 42 researchers have also revealed that three popular Chrome extensions, namely Urban VPN Proxy, Urban Browser Guard, and Urban Ad Blocker, that were identified by Koi as scraping AI conversations from various chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity, have returned on the Chrome Web Store.

"Following the public disclosure of the campaign on December 15, 2025, the developer updated benign versions in January 2026, likely in response to the report," researchers Qinge Xie, Nabeel Mohamed, Shresta Bellary Seetharam, Fang Liu, Billy Melicher, and Alex Starov said.

Furthermore, the cybersecurity company identified an extension called Palette Creator (ID: iofmialeiddolmdlkbheakaefefkjokp), which has over 100,000 users and whose previous version communicated with known network indicators associated with a campaign dubbed RedDirection to carry out browser hijacking.

That's not all. A new campaign comprising over 30,000 domains has been found to initiate a redirect chain to route traffic to a landing page ("ansiblealgorithm[.]com") that's used for distributing a Chrome extension called OmniBar AI Chat and Search (ID: ajfanjhcdgaohcbphpaceglgpgaaohod).

The extension makes use of the chrome_settings_overrides API to alter Chrome settings and set the browser home page to omnibar[.]ai, as well as make the default search provider to a custom URL: "go.omnibar[.]ai/?api=omni&sub1=omnibar.ai&q={searchTerms}​" and track queries via an API parameter.

It's believed that the end goal is to perform browser-hijacking as part of what seems to be a large-scale affiliate marketing scheme, Unit 42 said, adding it identified two other extensions that exhibit the same browser-hijacking behavior consistent with OmniBar via home page override and search interception -

• AI Output Algo Tool (ID: eeoonfhmbjlmienmmbgapfloddpmoalh)
• Serpey.com official extension (ID: hokdpdlchkgcenfpiibjjfkfmleoknkp)

A deeper investigation of three more extensions published by the same developer ("jon@status77.com" and Status 77) has uncovered that two of them track user browsing activity to inject affiliate markers, while a third one extracts and transmits user Reddit comment threads to a developer-controlled API endpoint -

• Care.Sale (ID: jaioobipjdejpeckgojiojjahmkiaihp)
• Giant Coupons Official Extension (ID: akdajpomgjgldidenledjjiemgkjcchc)
• Consensus - Reddit Comment Summarizer (ID: mkkfklcadlnkhgapjeejemflhamcdjld)

Users who have installed any of the aforementioned extensions are advised to remove them from their browsers with immediate effect, avoid side-loading or installing unverified productivity extensions, and audit browsers for any unknown extensions and uninstall them.

from The Hacker News https://ift.tt/dUnDvB3
via IFTTT