Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CSOonline

Members
  • Joined

  • Last visited

    Never

Everything posted by CSOonline

  1. An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials, keys, and tokens at scale. Researchers from Cisco Systems’ Talos threat intelligence team who made the discovery said Thursday that the data harvested by an unattributed group they call UAT-10608 went to a password protected database behind a web application. However, that application was at one point exposed, allowing the researchers to see data that had been harvested from compromised systems. Credentials, as well as Auth tokens and more, that have been stolen so far come from instances of AWS, Microsoft Azure, OpenAI, Anthropic, Nvidia NIM, OpenRouter, Tavily, payment processor Stripe, and GitHub. The web application allows a user to browse all of the compromised hosts. A given host can then be selected, bringing up a menu with all of the exfiltrated data corresponding to each phase of the harvesting script – a bonus to the researchers. The discovery is a prime reason for IT pros with React servers in their environment who haven’t yet addressed this vulnerability to act quickly, before corporate credentials are stolen. To help blunt the attack, victims, and service providers with exposed and at-risk credentials, including AWS and GitHub, are being notified. One notable statistic: The automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24 hour period. At risk are Next.js applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution vulnerability known as React2Shell. A fix was issued four months ago. Multi-phase attack Once a host is compromised, the campaign deploys a multi-phase credential harvesting tool that collects usernames, passwords, SSH keys, cloud tokens, and environment secrets, at scale. “The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning,” says Cisco Talos, “likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities.” The attacker crafts a malicious serialized payload designed to abuse the deserialization routine, a technique commonly used to trigger arbitrary object instantiation or method invocation on a server. The payload is sent via an HTTP request directly to a Server Function endpoint; no authentication is required. The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process. The initial React exploit delivers a small dropper that fetches and runs a multi-phase harvesting script. Upon execution, the harvesting script goes through several phases to collect various data from the compromised system, which is then uploaded to a command and control server where it is loaded into a database. Industrial scale “This is all about neglect and efficiency,” Gene Moody, field CTO at patch management provider Action1, told CSO . “React2Shell quickly met all the criteria attackers look for: public disclosure, reliable exploitation, and internet-facing exposure. That combination effectively guaranteed widespread abuse. Since then, multiple campaigns have automated the full [attack] lifecycle [of], scanning, exploitation, and credential harvesting, with little to no human intervention.” Attackers operate at industrial scale, he added. Platforms like Shodan and Censys already index much of the internet, making vulnerable systems trivial to find. With the finite IP space, comprehensive scanning can be completed in well under an hour on even the most modest of modern computers/internet connections. “There is no meaningful obscurity left for exposed systems,” he added. “To be honest, there never really was.” ‘Attack started when you failed to patch’ The result is predictable, Moody said: Unpatched systems are not ‘at risk’, they are in a queue. Discovery is fast, exploitation is fast, and compromise is often automated end-to-end. “React2Shell is a perfect example of how quickly attackers can turn a known issue into a sustained revenue stream, and have it persist for extended periods of time based on admin complacency,” he said. “Even more concerning is what happens after initial access,” he added. “Credential harvesting extends the lifespan of the attack far beyond the original vulnerability. Even if systems are patched later, stolen credentials can enable persistence, lateral movement, and, as a result, means the attack started when you failed to patch. One mistake can turn into every mistake in an instant, with information like this in the wrong hands. The damage could be absolute, with no recovery possible. Businesses have failed for less. When it ends will certainly not be when the patch is applied, unless you got it before being compromised. “Treat your patching like a toothache,” he advised. “At first sign, address it as fast as possible, or only misery follows.” View the full article
  2. An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials, keys, and tokens at scale. Researchers from Cisco Systems’ Talos threat intelligence team who made the discovery said Thursday that the data harvested by an unattributed group they call UAT-10608 went to a password protected database behind a web application. However, that application was at one point exposed, allowing the researchers to see data that had been harvested from compromised systems. Credentials, as well as Auth tokens and more, that have been stolen so far come from instances of AWS, Microsoft Azure, OpenAI, Anthropic, Nvidia NIM, OpenRouter, Tavily, payment processor Stripe, and GitHub. The web application allows a user to browse all of the compromised hosts. A given host can then be selected, bringing up a menu with all of the exfiltrated data corresponding to each phase of the harvesting script – a bonus to the researchers. The discovery is a prime reason for IT pros with React servers in their environment who haven’t yet addressed this vulnerability to act quickly, before corporate credentials are stolen. To help blunt the attack, victims, and service providers with exposed and at-risk credentials, including AWS and GitHub, are being notified. One notable statistic: The automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24 hour period. At risk are Next.js applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution vulnerability known as React2Shell. A fix was issued four months ago. Multi-phase attack Once a host is compromised, the campaign deploys a multi-phase credential harvesting tool that collects usernames, passwords, SSH keys, cloud tokens, and environment secrets, at scale. “The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning,” says Cisco Talos, “likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities.” The attacker crafts a malicious serialized payload designed to abuse the deserialization routine, a technique commonly used to trigger arbitrary object instantiation or method invocation on a server. The payload is sent via an HTTP request directly to a Server Function endpoint; no authentication is required. The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process. The initial React exploit delivers a small dropper that fetches and runs a multi-phase harvesting script. Upon execution, the harvesting script goes through several phases to collect various data from the compromised system, which is then uploaded to a command and control server where it is loaded into a database. Industrial scale “This is all about neglect and efficiency,” Gene Moody, field CTO at patch management provider Action1, told CSO . “React2Shell quickly met all the criteria attackers look for: public disclosure, reliable exploitation, and internet-facing exposure. That combination effectively guaranteed widespread abuse. Since then, multiple campaigns have automated the full [attack] lifecycle [of], scanning, exploitation, and credential harvesting, with little to no human intervention.” Attackers operate at industrial scale, he added. Platforms like Shodan and Censys already index much of the internet, making vulnerable systems trivial to find. With the finite IP space, comprehensive scanning can be completed in well under an hour on even the most modest of modern computers/internet connections. “There is no meaningful obscurity left for exposed systems,” he added. “To be honest, there never really was.” ‘Attack started when you failed to patch’ The result is predictable, Moody said: Unpatched systems are not ‘at risk’, they are in a queue. Discovery is fast, exploitation is fast, and compromise is often automated end-to-end. “React2Shell is a perfect example of how quickly attackers can turn a known issue into a sustained revenue stream, and have it persist for extended periods of time based on admin complacency,” he said. “Even more concerning is what happens after initial access,” he added. “Credential harvesting extends the lifespan of the attack far beyond the original vulnerability. Even if systems are patched later, stolen credentials can enable persistence, lateral movement, and, as a result, means the attack started when you failed to patch. One mistake can turn into every mistake in an instant, with information like this in the wrong hands. The damage could be absolute, with no recovery possible. Businesses have failed for less. When it ends will certainly not be when the patch is applied, unless you got it before being compromised. “Treat your patching like a toothache,” he advised. “At first sign, address it as fast as possible, or only misery follows.” View the full article
  3. When Daniel Rhyne pleaded guilty on April 1 to having launched an insider extortion attack against his then-employer, authorities enumerated the techniques he used, including unauthorized remote desktop sessions, deletion of network administrator accounts, changing of passwords, and scheduling unauthorized tasks on the domain controller. After he shut down key systems and accounts, he sent a note to employees in which he claimed to have deleted all backups, and threatened to continue shutting down servers unless he was given bitcoin worth roughly $750,000. But what consultants and analysts found most concerning is how commonplace and routine were the techniques he used. In other words, standard security procedures should have blocked almost all of them. Preventive actions missing Enterprise insider threats are hardly new, but consultants and analysts said that many enterprises don’t take every preventive move that they can, and should, because the IT staff resists, seeing the efforts as excessive monitoring of their activities, and something that also slows down their work. Cybersecurity consultant Brian Levine, executive director of FormerGov, said, “what makes the case interesting was how boringly predictable the attack path was.” Levine noted that backups need to always be immutable. “Nobody in the company should be able to delete or modify or encrypt the backup for a set period of time,” he said. He also stressed that the principle of least privilege needs to be applied to workers whose jobs change for any reason. Critically, he argued that the use of various tools should be instantly flagged as concerning. “Instrument Task Scheduler, PsExec, PsPasswd, and net user are high‑risk signals. These are the insider’s equivalent of lockpicks,” he said. “They should generate behavioral alerts when used at scale, off‑hours, or from unusual hosts.” Levine also suggested extensive system monitoring. “If someone is RDP’ing into a domain controller at 7:48 a.m. and creating 16 scheduled tasks, you should have a video‑like audit trail.” Paul Furtado, a distinguished VP analyst at Gartner, said he encourages clients to make sure that no single admin can cause this kind of damage. “Create a tiered administration model with fragmented authority. This rotates ownership of crown jewel processes, even among senior engineers and administrators,” Furtado advised. IT should also include “a break-glass admin credential stored in hardware security modules or digital vaults [that are] only to be used via testing drills and in case of emergency.” Added Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, “the same accounts used to administer their networks [in the Rhyne case] seemed to be able to irreversibly destroy their backups too, which is an indication that strong segregation of duties was not in place.” Rhyne now faces considerable jail time. US Justice Department filings said, “the extortion charge to which Rhyne pleaded guilty carries a maximum penalty of five years in prison, and the intentional damage to a protected computer violation to which Rhyne pleaded guilty carries a maximum penalty of 10 years in prison.” View the full article
  4. Google has patched another zero-day vulnerability in Chrome, its fourth this year. In patching the vulnerability, tracked as CVE-2026-5281, the company acknowledged that an exploit for it already exists in the wild. According to the report in NIST’s National Vulnerability Database, the vulnerability in Dawn, the implementation of WebGPU used by Chrome, allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. It advised users to update to Chrome 146.0.7680.178 or newer. The three previous vulnerabilities patched in Chrome this year were in different areas of the code. The first, tracked as CVE-2026-2441 and patched in February, was a fault in the way memory was managed in the processing of cascading style sheets (CSS). The other two were patched in March. One was a bug in the Skia graphics library (CVE-2026-3909) that allowed write access to memory addresses outside the boundaries of a predefined buffer. The second one (CVE-2026-3910) was found in the V8 JavaScript engine, and was described by Google as an “inappropriate implementation.” It will concern Google that, barely a quarter way through the year, it has already had to deliver fixes for four exploits in the wild. Last year, it introduced Code Mender, a security tool to help fix security vulnerabilities in open source projects, and will be looking to introduce more AI help to fix these issues. View the full article
  5. Researchers who identify and report bugs in open-source software will no longer be rewarded by the Internet Bug Bounty team. HackerOne, which administers the program, has said that it is “pausing submissions” while it contemplates ways in which open source security can be handled more effectively. The Internet Bug Bounty program, funded by a number of leading software companies, has been run since 2012 and has awarded more than $1.5m to researchers who have reported bugs. Up to now, 80% of its payouts have been for discoveries of new flaws, and 20% to support remediation efforts. But as artificial intelligence makes it easier to find bugs, that balance needs to change, HackerOne said in a statement. “AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted,” said HackerOne. Among the first programs to be affected is the Node.js project, a server-side JavaScript platform for web applications known for its extensive ecosystem. While the project team will continue to accept and triage bug reports through HackerOne, without funding from the Internet Bug Bounty program it will no longer pay out rewards, according to an announcement on its website. The Internet Bug Bounty Program is not the only bug-hunting project that has struggled with the onset of AI in vulnerability hunting. In January, the Curl program said that it was not taking any more submissions. And just last month, Google also put a halt to AI-generated submissions provided to its Open Source Software Vulnerability Reward Program. This article first appeared on InfoWorld. View the full article
  6. The leak of Claude Code’s source is already having consequences for the tool’s security. Researchers have spotted a vulnerability documented in the code. The vulnerability, revealed by AI security company Adversa, is that if Claude Code is presented with a command composed of more than 50 subcommands, then for subcommands after the 50th it will override compute-intensive security analysis that might otherwise have blocked some of them, and instead simply ask the user whether they want to go ahead. The user, assuming that the block rules are still in effect, may unthinkingly authorize the action. Incredibly, the vulnerability is documented in the code, and Anthropic has already developed a fix for it, the tree-sitter parser, which is also in the code but not enabled in public builds that customers use, said Adversa. Adversa outlined how attackers might exploit the vulnerability by distributing a legitimate-looking code repository containing a poisoned CLAUDE.md file. This would contain instructions for Claude Code to build the project, with a sequence of 50 or more legitimate-looking commands, followed by a command to, for example, exfiltrate the victim’s credentials. Armed with those credentials, the attackers could threaten a whole software supply chain. This article first appeared on Infoworld. View the full article
  7. The European Union’s Computer Emergency Response Team, CERT-EU, has traced last week’s theft of data from the Europa.eu platform to the recent supply chain attack on Aqua Security’s Trivy open-source vulnerability scanner. The attack on the AWS cloud infrastructure hosting the Europa.eu web hub on March 24 resulted in the theft of 350 GB of data (91.7 GB compressed), including personal names, email addresses, and messages, according to CERT-EU’s analysis. The compromise of Trivy allowed attackers to access an AWS API key, gaining access to a range of European Commission web data, including data related to “42 internal clients of the European Commission, and at least 29 other Union entities using the service,” it said. “The threat actor used the compromised AWS secret to create and attach a new access key to an existing user, aiming to evade detection. They then carried out reconnaissance activities,” said CERT-EU. The organization had found no evidence that the attackers had moved laterally to other AWS accounts belonging to the Commission. Given the timing and involvement of AWS credentials, “the European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security,” it said. In the event, the stolen data became public after the group blamed for the attack, TeamPCP, leaked it to the ShinyHunters extortion group, which published it on the dark web on March 28. Back door credentials The Trivy compromise dates to February, when TeamPCP exploited a misconfiguration in Trivy’s GitHub Actions environment, now identified as CVE-2026-33634, to establish a foothold via a privileged access token, according to Aqua Security. Discovering this, Aqua Security rotated credentials but, because some credentials remain valid during this process, the attackers were able to steal the newly rotated credentials. By manipulating trusted Trivy version tags, TeamPCP forced CI/CD pipelines using the tool to automatically pull down credential-stealing malware it had implanted. This allowed TeamPCP to target a variety of valuable information including AWS, GCP, Azure cloud credentials, Kubernetes tokens, Docker registry credentials, database passwords, TLS private keys, SSH keys, and cryptocurrency wallet files, according to security researchers at Palo Alto Networks. In effect, the attackers had turned a tool used to find cloud vulnerabilities and misconfigurations into a yawning vulnerability of its own. CERT-EU advised organizations affected by the Trivy compromise to immediately update to a known safe version, rotate all AWS and other credentials, audit Trivy versions in CI/CD pipelines, and most importantly ensure GitHub Actions are tied to immutable SHA-1 hashes rather than mutable tags. It also recommended looking for indicators of compromise (IoCs) such as unusual Cloudflare tunnelling activity or traffic spikes that might indicate data exfiltration. Extortion boost The origins and deeper motives of TeamPCP, which emerged in late 2025, remain unclear. The leaking of stolen data suggests it might be styling itself as a sort of initial access broker which sells data and network access on to the highest bidder. However, the fact that stolen data was handed to a major ransomware group suggests that affected organizations are likely to face a wave of extortion demands in the coming weeks. If so, this would be a huge step backwards at a time when ransomware has been under pressure as the proportion of victims willing to pay ransoms has declined. The compromise of Trivy, estimated to have affected at least 1,000 SaaS environments, is rapidly turning into the one of the most consequential supply-chain incidents of recent times. The number of victims is likely to grow in the coming weeks. Others caught up in the incident include Cisco, which reportedly lost source code, security testing company Checkmarx, and AI gateway company LiteLLM. View the full article
  8. The 2026 RSA circus is over. The tents are packed and the elephants have been loaded onto the train. Nevertheless, it was an eventful week. There were fleets of vehicles — Escalades, Rivians, trucks but curiously, no Teslas — strewn with vendor names and tag lines, and you couldn’t walk anywhere near Howard Street in San Franciso without seeing, “AI-[insert word here like enabled, enhanced, native, powered, etc., etc., etc.]” I spent the week speaking with CISOs, cybersecurity professionals, technology vendors, and service providers. Here are a few of my takeaways. The CISO AI hierarchy is real While every vendor communicated AI opportunity gaga, cybersecurity professionals’ mood was one of trepidation. In fact, I came away with a profile of three distinct CISO archetypes: The proactive CISO (approximately 20%): These security leaders were well aware of the AI-driven business and technology changes afoot and came armed with a list of questions tailored to their specific enterprise requirements. Many of these executives brought along security engineers and architects — an action-oriented team. These CISOs had a decent understanding about their organization’s AI business initiatives, as well as their own security needs. The goal? Develop a shopping list that aligns with their organization’s strategy and supports their governance models, policy enforcement controls, and security technology stacks. The curious and confused CISO (approximately 40%): These executives know something is happening with AI in their organization, but they aren’t sure what, where, or how much is going on. Their goal was education — what risks they face, what risk mitigation steps they should take, and what’s available from the industry to help them stop the bleeding. CISOs in this category are somewhat desperate for help. The blissfully ignorant CISO (approximately 40%): Okay, this one is a bit unfair to CISOs as it’s more about their organizations. There’s likely AI development and usage the CISO and probably some executives are unaware of. They approached RSA believing time was on their side, so they probably skimmed through the AI rhetoric, shmoozed with vendors, and looked for the best cocktail parties. In my humble opinion, CISOs will cycle through this hierarchy quickly over the next year. Blissfully ignorant CISOs will get wind of AI projects at their organization and move on to curiosity and confusion. This won’t take long. Proceeding from curious and confused to proactive will be the more difficult transition. These CISOs must assess business objectives, active projects, and user activities, then work with executives to develop a governance framework, create policies, implement guardrails, monitor activities, and manage a flexible model that keeps up with current and future business and technical requirements. A common analogy heard at RSA is that companies must be able to fix the plane while it’s in flight. Legacy security vendors have the inside track on AI — for now As far as AI technology consumption for cybersecurity, most CISOs I spoke with were open-minded while leaning toward their existing vendors — at least in the short term. This may buy legacy security vendors a bit, but not much time. Remember what happened in the cloud as we progressed from a lack of cloud trust, to “lift and shift,” to cloud-native? The same thing is happening with AI, only even faster than the cloud. Bolting AI to existing tools won’t work for long, a year at most. You’ve got to get the AI foundations right I was encouraged to hear vendors describe how they started their AI transition by building an infrastructural foundation — data foundation/context engine, intelligent control plane, execution layer, services, guardrails, etc. — and then adding functional agents on top of this foundation. Cisco/Splunk impressed me with its development approach and roadmap, while AI-based startups such as Abstract, Crogl, and Sidekick are betting the farm on this methodology. AI code is making an impact Vendors are also all-in on using AI-development tools and seeing strong results. I heard about project acceleration along with staff reduction. Building connectors is a good example. Axonius and Tenable, both known for broad technology integration, are using AI to offload a lot of this tedious but necessary work, freeing developers to work on functionality rather than plumbing. AI pricing remains a mess While AI capabilities appear to be baked into many tools, I found that no one knows how to price their AI services. Some are doing so by the token, some by the number of users, and some are charging by the agent. The market will flush this out over the rest of the year. Application security is getting its AI makeover We all know the impact of AI on software development. It’s clear to me after RSA that the same thing is happening to application security. Anthropic’s Claude Code Security is one example, but I also got a view of the AWS Security Agent, which provides software testing capabilities across the software development lifecycle — from design, to development, to runtime, to red teaming. Likewise, I met with a company named XBow that focuses on autonomous offensive security based on AI agents. Based on these developments, we will see a very different application security market at RSA 2027. Few may be prepared for what comes next from cyber-adversaries There’s active debate in the industry about the impact of AI within the threat landscape: Are existing cybersecurity defenses adequate or will AI tilt the battlefield toward adversaries? After RSA, I believe both premises are true. Sophisticated firms with strong governance, risk management, asset visibility, modern training, and sound hygiene and posture management should be okay. Alarmingly, this is a small percentage of organizations. Most others lack advanced security skills and adequate resources. Adversaries armed with AI tools and automated workflows will have a field day here. Managed providers are advancing the AI SOC Managed security service providers (MSSPs) and managed detection and response (MDR) vendors are pushing the envelope on the AI-enabled security operations center (SOC). Arctic Wolf unveiled its Aurora Superintelligence Platform and the Aurora Agentic SOC, which includes agents for triage, alerting, investigations, and more. I also met with Ontinue, an MSSP that provides services on top of Microsoft security tools such as Defender for Endpoint, Defender for Azure, and MS Sentinel. It is using AI to establish what it calls “hyper-contextualization” to understand all it can about its customers’ business processes and technology infrastructure so it can improve decision-making. Microsoft cements its position Speaking of Microsoft, it’s hard to point to any other vendor that can match its cybersecurity coverage. Unlike others, Microsoft came to RSA armed with AI metrics and proof points. For example, Microsoft provided specific metrics from several customers that turned on its Defender agents and saved hundreds of hours of work while improving accuracy and productivity. I’m sure Microsoft has many examples to share. Beware the cyber category killers We’ve always viewed cybersecurity through the lens of security product categories — EDR, firewalls, SIEM, CSPM, etc. But multi-agent AI products could take on many of these tasks simultaneously, breaking down traditional product buckets and acting as category killers. CISOs must anticipate this and be open to organizational, process, and budgetary changes. Also, will multi-agent cybersecurity products mean the death of the Gartner Magic Quadrant and all other me-too vendor mapping products? Awareness training gradually transforms Training is in transition. I’m pleased with this development. Awareness training is being replaced by behavior monitoring and change. Human risk management (HRM) tools from Fable Security, KnowBe4, and Mimecast, among others, watch over users and provide a nudge when they go astray. Beyond synthetic phishing, some tools even provide synthetic deepfake training. HRM sales are limited today to progressive organizations, but I believe they will become a de facto standard as regulators and cyber-insurance companies see the light and support this training renaissance. Security claims ownership of identities Well, partial ownership, but this is a step in the right direction. I’m seeing interesting advancements in areas such as passwordless authentication (I can’t believe it’s 2026 and we’re still using passwords), browser security, non-human identity (NHI) security, and privileged account management. RSA also pushed discussions about AI-agent access and action control — detection, monitoring, control of shadow agents, zero-standing privilege, etc. AI will be a big player, helping to ease the painful identity modernization process. As a cryptographer might say, with this article, I’ve tried to hash the entire RSA event into a single key. I really enjoyed RSA 2026 (my 20th) and look forward to next year. See you at the Moscone Center from April 5 through April 8, 2027. View the full article
  9. CSOonline posted a techarticle in Security
    ArtemisDiana | shutterstock.com Manuelles, siloartiges Management ist in der modernen IT-Welt unangebracht. Erst recht im Bereich der IT-Sicherheit: Der Umfang von modernem Enterprise Computing und State-of-the-Art-Application-Stack-Architekturen erfordern Sicherheits-Tools, die: Einblicke in den Sicherheitsstatus von IT-Komponenten ermöglichen, Bedrohungen in Echtzeit erkennen, und Aspekte der Bedrohungsabwehr automatisieren. Diese Anforderungen haben zum Aufkommen von Extended-Detection-and-Response- (XDR) Lösungen geführt. Diese Sicherheits-Tools kombinieren die stärksten Elemente von Security Incident and Event Management (SIEM), Endpoint Detection and Response (EDR) und Security Orchestration and Response (SOAR) – und bauen darauf auf. XDR-Tools evaluieren Der Preis wird immer ein Schlüsselfaktor bei Enterprise-Sicherheitssystemen sein, die skalierbar sein müssen – da bilden auch XDR-Systeme keine Ausnahme. Die Lösungen im Bereich Extended Detection and Response sind fast ausschließlich abonnementbasiert, verursachen also laufende Kosten. Wie bei vielen Sicherheits-Tools stellen diese Kosten angesichts der finanziellen Risiken eines Datenverlusts oder den geschäftlichen Auswirkungen einer Kompromittierung einen guten Kompromiss dar. Gleiches gilt mit Blick auf den Personalaufwand, der nötig wäre, um mit bestehenden Systemen und manueller Korrelation von Ereignisdaten dasselbe Schutzniveau zu erreichen. Zu den wichtigsten XDR-Funktionen zählen: Die Möglichkeit zur Integration mit vorhandener Hardware, Software und Cloud-Investitionen. Das kann sich sowohl auf die Effektivität der gewählten Plattform sowie auf die Kosten und den Aufwand für die anfängliche Implementierung der Lösung auswirken. Richtlinien und Regeln managen zu können, ist ebenfalls von entscheidender Bedeutung. Nur so können Sie die XDR-Funktionen auf Ihre geschäftlichen Anforderungen abstimmen und Ihre IT-Sicherheitsteams in die Lage versetzen, effektiv auf Bedrohungen zu reagieren. Benutzerfreundlichkeit und Schulungsoptionen (entweder durch den Anbieter oder die Community) sind schließlich ebenfalls wichtig, damit sich Ihre Investition in eine XDR-Plattform langfristig bezahlt macht. Die besten XDR-Lösungen Nachfolgend haben wir einige der wichtigsten XDR-Tools in alphabetischer Reihenfolge für Sie zusammengestellt. Bitdefender GravityZone Business Security Enterprise CrowdStrike Falcon Insight XDR Cybereason XDR Cynet 360 AutoXDR Elastic Security for XDR Microsoft SecOps Palo Alto Networks Cortex XDR SentinelOne Singularity XDR Trellix XDR Platform Trend Micro Vision One (fm) View the full article
  10. CSOonline posted a techarticle in Security
    ArtemisDiana | shutterstock.com Manuelles, siloartiges Management ist in der modernen IT-Welt unangebracht. Erst recht im Bereich der IT-Sicherheit: Der Umfang von modernem Enterprise Computing und State-of-the-Art-Application-Stack-Architekturen erfordern Sicherheits-Tools, die: Einblicke in den Sicherheitsstatus von IT-Komponenten ermöglichen, Bedrohungen in Echtzeit erkennen, und Aspekte der Bedrohungsabwehr automatisieren. Diese Anforderungen haben zum Aufkommen von Extended-Detection-and-Response- (XDR) Lösungen geführt. Diese Sicherheits-Tools kombinieren die stärksten Elemente von Security Incident and Event Management (SIEM), Endpoint Detection and Response (EDR) und Security Orchestration and Response (SOAR) – und bauen darauf auf. XDR-Tools evaluieren Der Preis wird immer ein Schlüsselfaktor bei Enterprise-Sicherheitssystemen sein, die skalierbar sein müssen – da bilden auch XDR-Systeme keine Ausnahme. Die Lösungen im Bereich Extended Detection and Response sind fast ausschließlich abonnementbasiert, verursachen also laufende Kosten. Wie bei vielen Sicherheits-Tools stellen diese Kosten angesichts der finanziellen Risiken eines Datenverlusts oder den geschäftlichen Auswirkungen einer Kompromittierung einen guten Kompromiss dar. Gleiches gilt mit Blick auf den Personalaufwand, der nötig wäre, um mit bestehenden Systemen und manueller Korrelation von Ereignisdaten dasselbe Schutzniveau zu erreichen. Zu den wichtigsten XDR-Funktionen zählen: Die Möglichkeit zur Integration mit vorhandener Hardware, Software und Cloud-Investitionen. Das kann sich sowohl auf die Effektivität der gewählten Plattform sowie auf die Kosten und den Aufwand für die anfängliche Implementierung der Lösung auswirken. Richtlinien und Regeln managen zu können, ist ebenfalls von entscheidender Bedeutung. Nur so können Sie die XDR-Funktionen auf Ihre geschäftlichen Anforderungen abstimmen und Ihre IT-Sicherheitsteams in die Lage versetzen, effektiv auf Bedrohungen zu reagieren. Benutzerfreundlichkeit und Schulungsoptionen (entweder durch den Anbieter oder die Community) sind schließlich ebenfalls wichtig, damit sich Ihre Investition in eine XDR-Plattform langfristig bezahlt macht. Die besten XDR-Lösungen Nachfolgend haben wir einige der wichtigsten XDR-Tools in alphabetischer Reihenfolge für Sie zusammengestellt. Bitdefender GravityZone Business Security Enterprise CrowdStrike Falcon Insight XDR Cybereason XDR Cynet 360 AutoXDR Elastic Security for XDR Microsoft SecOps Palo Alto Networks Cortex XDR SentinelOne Singularity XDR Trellix XDR Platform Trend Micro Vision One (fm) View the full article
  11. Cloudflare on Wednesday rolled out EmDash, which it described as “the spiritual successor to WordPress.” The security vendor positioned EmDash as a far more secure site building tool that avoids the extensive cybersecurity problems with WordPress plugins. But the Cloudflare claims go far beyond cybersecurity issues. The vendor is arguing that the very nature of websites in 2026 is sharply different to the kind of website that WordPress was designed to handle. “WordPress powers over 40% of the internet. It is a massive success that has enabled anyone to be a publisher, and created a global community of WordPress developers. But the WordPress open source project will be 24 years old this year,” the Cloudflare announcement said. “Hosting a website has changed dramatically during that time. When WordPress was born, AWS EC2 didn’t exist. In the intervening years, that task has gone from renting virtual private servers, to uploading a JavaScript bundle to a globally distributed network at virtually no cost. It’s time to upgrade the most popular CMS on the internet to take advantage of this change.” More flexible licensing Cloudflare’s statement also suggested that it is delivering open source in a way that is potentially more open and flexible than the WordPress approach. “EmDash is fully open source, MIT licensed, and available on GitHub. While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDash. That allows us to license the open source project under the more permissive MIT license. We hope that allows more developers to adapt, extend, and participate in EmDash’s development,” the company said. “EmDash is committed to building on what WordPress created: an open source publishing stack that anyone can install and use at little cost, while fixing the core problems that WordPress cannot solve.” The next wave of web development In an interview with Computerworld, Cloudflare senior product manager Matt Taylor said his team sees the project as the next wave of web development platforms. “There is a whole new generation of developers, and WordPress is old news to them. If you are starting today, there is no way you are picking WordPress,” Taylor said, adding that AI agents are also not going to opt for WordPress platforms when creating new sites. Even when adding Cloudflare in front of a WordPress site to enhance security, he noted, “you have to hack the system to work with the modern internet.” WordPress was unable to provide its feedback on the announcement by deadline. WordPress not for new users Melody Brue, principal analyst for Moor Insights & Strategy, said she has not seen many developers who are not already experienced with WordPress choosing it to build sites, and that she is also seeing that AI agents never opt for WordPress unless they were given explicit instructions to do so. Given how rampant autonomous AI agents are today, the ability to be more hospitable to agentic systems may prove a massive advantage. “For somebody new, you have this opportunity to skip all of these legacy CMS assumptions and have true least privilege by design, a first class experience for agents. At least, that is what [Cloudflare] is trying to deliver,” Brue said. “They are baking in agent skills.” Enterprise concerns When it comes to enterprise web development strategies, however, things get a little more complex, Brue said. Given how deeply they are already invested in WordPress code and plugins and the support environment, existing WordPress enterprise users are not likely to easily move. But the extensive legal outbursts from last year involving Automattic CEO Matt Mullenweg, and the lawsuit with WP Engine, made some enterprise IT executives nervous, once they realized how much control one person had over WordPress platforms. Brue said, “I can understand the concerns,” but added that the WordPress squabbles seem to have become more subdued lately: “There is now less of the tantrum throwing happening.” Thomas Randall, a research director at Info-Tech Research Group, agreed with Brue that enterprise environments are unlikely to abandon WordPress any time soon. “Is EmDash the spiritual successor to WordPress? Not from what Cloudflare has shown so far. The problem Cloudflare highlights, security vulnerabilities in WordPress plugins, is real. But the rest of the announcement deserves skepticism,” Randall said. “For instance, enterprise IT teams with complex WordPress environments will encounter nontrivial barriers for migration. EmDash uses Portable Text rather than WordPress’s HTML content model, which would significantly complicate automated migration. Existing PHP themes and plugins would not carry over directly and would likely require substantial redevelopment.” But that would still open the door to newcomers who have not already invested in the WordPress environment. Competing in a different layer Noah Kenney, principal consultant for Digital 520, said the future is likely to look much more inviting for an EmDash-like approach than for legacy WordPress. “Cloudflare’s EmDash is less about replacing WordPress outright and more about setting a new security baseline, which is that CMS platforms should have isolated execution environments, least-privilege access, and verifiable permission models,” Kenney said. “That has implications for both content management and how enterprises evaluate third-party extensibility risk more broadly.” However, he noted, “viability is an ecosystem question just as much as it is a technical one. EmDash, even if superior from an architectural perspective, is effectively starting from zero. Enterprise adoption will depend heavily on migration tooling, developer adoption, and whether Cloudflare can build a credible plugin and integration ecosystem.” Kenney added that he sees EmDash as “very likely to influence the next phase of CMS architecture, particularly in security-sensitive and enterprise environments where plugin risk is already a prevalent issue.” Sanchit Vir Gogia, chief analyst at Greyhound Research, saw the EmDash move in a much broader context, potentially signaling the near-term future of website strategies. “EmDash is competing in a different layer altogether,” Gogia said. “It sits closer to composable and headless CMS platforms like Contentful and Strapi, and even closer to developer frameworks like Astro. It is collapsing what used to be separate concerns; content management, execution runtime, and security enforcement are being fused into one programmable environment.” This, he observed, “is where the real friction emerges. Traditional CMS buyers are not necessarily developers first. They prioritize usability, ecosystem depth, and speed of execution for business teams. EmDash is clearly optimized for developers and architects. So the competition is not just product versus product. It is operating model versus operating model. And in that contest, incumbents have inertia on their side, while EmDash has architectural purity. History shows those two rarely move at the same speed.” This article originally appeared on Computerworld. View the full article
  12. Cisco has released patches for a critical vulnerability in its out-of-band management solution, present in many of its servers and appliances. The flaw allows unauthenticated remote attackers to gain admin access to the Cisco Integrated Management Controller (IMC), which gives administrators remote control over servers even when the main OS is shut down. The vulnerability, tracked as CVE-2026-20093, stems from incorrect handling of password changes and can be exploited by sending specially crafted HTTP requests. This means servers with their IMC interfaces exposed directly to the local network — or worse, to the internet — are at immediate risk. The Cisco IMC is a baseboard management controller (BMC), a dedicated controller embedded into server motherboards with its own RAM and network interface that gives administrators monitoring and management capabilities as if they were physically connected to the server with a keyboard, monitor, and mouse (KVM). Because BMCs run their own firmware independently of the OS, they can be used to perform operations even when the OS is shut down, including reinstalling it. The IMC provides an HTML5 web interface, an SSH-based command line interface, and an XML API. It also supports Redfish, a standardized RESTful API for BMCs and virtual KVM. “A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user,” Cisco said in its advisory. The IMC is present in 5000 Series Enterprise Network Compute Systems, Catalyst 8300 Series Edge uCPE, UCS C-Series M5 and M6 Rack Servers in standalone mode, UCS E-Series Servers M3, and UCS E-Series Servers M6. However, a long list of Cisco products and appliances that are based on the Cisco Unified Computing System (UCS) C-Series platform are also affected if they have their IMC interface exposed. While Cisco is not currently aware of any malicious attacks exploiting this vulnerability, BMC flaws in servers from other manufacturers have been exploited in the past. In 2022, security researchers found a malicious implant dubbed iLOBleed that was likely developed by an APT group and was being deployed through vulnerabilities in HPE iLO (HPE’s Integrated Lights-Out) BMC. In 2018, a ransomware group called JungleSec used default credentials for IPMI interfaces to compromise Linux servers. The risk of attacks against such management interfaces is serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued guidance on hardening BMC back in 2023. More recently researchers also warned about vulnerabilities in cheap KVM-over-IP devices that some organizations or admins use as alternatives for managing systems that don’t have dedicated BMC controllers. View the full article
  13. Cisco has released patches for a critical vulnerability in its out-of-band management solution, present in many of its servers and appliances. The flaw allows unauthenticated remote attackers to gain admin access to the Cisco Integrated Management Controller (IMC), which gives administrators remote control over servers even when the main OS is shut down. The vulnerability, tracked as CVE-2026-20093, stems from incorrect handling of password changes and can be exploited by sending specially crafted HTTP requests. This means servers with their IMC interfaces exposed directly to the local network — or worse, to the internet — are at immediate risk. [ Related: More Cisco news and insights ] The Cisco IMC is a baseboard management controller (BMC), a dedicated controller embedded into server motherboards with its own RAM and network interface that gives administrators monitoring and management capabilities as if they were physically connected to the server with a keyboard, monitor, and mouse (KVM). Because BMCs run their own firmware independently of the OS, they can be used to perform operations even when the OS is shut down, including reinstalling it. The IMC provides an HTML5 web interface, an SSH-based command line interface, and an XML API. It also supports Redfish, a standardized RESTful API for BMCs and virtual KVM. “A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user,” Cisco said in its advisory. The IMC is present in 5000 Series Enterprise Network Compute Systems, Catalyst 8300 Series Edge uCPE, UCS C-Series M5 and M6 Rack Servers in standalone mode, UCS E-Series Servers M3, and UCS E-Series Servers M6. However, a long list of Cisco products and appliances that are based on the Cisco Unified Computing System (UCS) C-Series platform are also affected if they have their IMC interface exposed. While Cisco is not currently aware of any malicious attacks exploiting this vulnerability, BMC flaws in servers from other manufacturers have been exploited in the past. In 2022, security researchers found a malicious implant dubbed iLOBleed that was likely developed by an APT group and was being deployed through vulnerabilities in HPE iLO (HPE’s Integrated Lights-Out) BMC. In 2018, a ransomware group called JungleSec used default credentials for IPMI interfaces to compromise Linux servers. The risk of attacks against such management interfaces is serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued guidance on hardening BMC back in 2023. More recently researchers also warned about vulnerabilities in cheap KVM-over-IP devices that some organizations or admins use as alternatives for managing systems that don’t have dedicated BMC controllers. More Cisco news: Chained vulnerabilities in Cisco Catalyst switches could induce denial-of-service Cisco goes all in on agentic AI security Cisco Talos 2025 year in review and lessons learned How Cisco’s platform mindset is meeting the AI era Cisco extends AgenticOps across networking, security, observability products Cisco amps up Silicon One line, delivers new systems and optics for AI networking Takeaways from Cisco’s AI Summit Cisco: Infrastructure, trust, model development are key AI challenges AI, security tailwinds signal promising 2026 for Cisco Cisco adds intelligent policy enforcement to mesh firewall family Actively exploited Cisco UC bug requires immediate, version‑specific patching Cisco’s 2026 agenda prioritizes AI-ready infrastructure, connectivity Cisco finally patches seven-week-old zero-day flaw in Secure Email Gateway products Cisco routers knocked out due to Cloudflare DNS change View the full article
  14. A new phishing-as-a-service (PhaaS) campaign is abusing Microsoft’s device code authentication flow to gain unauthorized access to user accounts. Sekoia researchers first spotted the toolkit “EvilTokens” that lets attackers capture authentication tokens by tricking users into completing a legitimate login process in Microsoft’s own environment. The activity, observed since at least mid-February, relies on social engineering lures that prompt victims to enter a device code on a real Microsoft login page, Sekoia researchers noted in a blog post. “To compromise Microsoft 365 accounts, EvilTokens pages rely on device code phishing, a technique that differs from the common AitM tactic of replicating Microsoft authentication pages,” the researchers said. The PhaaS toolkit is offering a host of features to its affiliates, including modules for access weaponization, email harvesting, reconnaissance capabilities, and a built-in webmail interface, all powered through Ai automation, the researchers added. EvilTokens was found operating through bots on Telegram, with a dedicated channel for kit upgrades. The campaign has so far mostly affected countries, including the US, Australia, Canada, France, India, Switzerland, and the UAE. Device code authentication as an access broker The campaign centers around the abuse of Microsoft’s device authorization grant flow, a feature designed to simplify logins for devices like smart TVs or command-line tools. EvilTokens repurposes this workflow by generating a legitimate device code and then tricking victims into entering it themselves on the official login page. Once the victim completes authentication, the attacker receives access tokens tied to the session. These tokens can then be used to access Microsoft 365 services, including email and cloud resources, without triggering typical credential-based alerts. Sekoia researchers noted that this technique sidesteps many conventional phishing detections. Because the authentication happens on a legitimate Microsoft domain, there is no credential interception in transit, and multi-factor authentication is completed as happens in a normal login flow. The attack results in a form of account takeover coming from a seemingly expected user behavior. A phishing package with post-compromise focus Beyond the initial access vector, EvilTokens is structured as a full-service phishing platform. The kit provides affiliates with ready-to-use lures, infrastructure, and automation tools designed to carry out both the phishing phase and post-compromise activity. The lures used in the campaign include fake SharePoint document notifications, DocuSign requests, and account alerts, all meant to urge users toward entering device codes. Once access is obtained, the platform enables inbox analysis, allowing attackers to identify high-value targets such as financial conversations or invoice threads. “By leveraging the short-lived access token, the attacker can exfiltrate targeted user data for up to 60 minutes following the device code phishing attack,” they said. “Depending on the targeted service, the attacker can access emails via Exchange Online, documents from Microsoft SharePoint Online and OneDrive, or conversation history in Microsoft Teams.” The received tokens with 60 minutes expiry can also be redeemed for generating new access tokens, with a rolling 90-day validity, allowing attackers to maintain persistence on the compromised account. Distributed through Telegram channels, the PhaaS service includes bot-driven workflows to manage campaigns and token collection. Researchers also observed ongoing development efforts, with indications that support for additional platforms beyond Microsoft may be introduced. Sekoia shared a set of attack infrastructure details to support tracking. These include phishing domain and URL patterns, self-hosted affiliate domains, EvilTokens admin domains, and the YARA rule for detecting the phishing page. View the full article
  15. AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an application on demand — a spreadsheet, for example — and delete it when you’re done using it than to buy one commercially. Future systems could include a mix: both traditional long-term software and ephemeral instant software that is constantly being written, deployed, modified, and deleted. AI is changing cybersecurity as well. In particular, AI systems are getting better at finding and patching vulnerabilities in code. This has implications for both attackers and defenders, depending on the ways this and related technologies improve. In this essay, I want to take an optimistic view of AI’s progress, and to speculate what AI-dominated cybersecurity in an age of instant software might look like. There are a number of unknowns that will factor into how the arms race between attacker and defender might play out. How flaw discovery might work On the attacker side, the ability of AIs to automatically find and exploit vulnerabilities has increased dramatically over the past few months. We are already seeing both government and criminal hackers using AI to attack systems. The exploitation part is critical here, because it gives an unsophisticated attacker capabilities far beyond their understanding. As AIs get better, expect more attackers to automate their attacks using AI. And as individuals and organizations can increasingly run powerful AI models locally, AI companies monitoring and disrupting malicious AI use will become increasingly irrelevant. Expect open-source software, including open-source libraries incorporated in proprietary software, to be the most targeted, because vulnerabilities are easier to find in source code. Unknown No. 1 is how well AI vulnerability discovery tools will work against closed-source commercial software packages. I believe they will soon be good enough to find vulnerabilities just by analyzing a copy of a shipped product, without access to the source code. If that’s true, commercial software will be vulnerable as well. Particularly vulnerable will be software in IoT devices: things like internet-connected cars, refrigerators, and security cameras. Also industrial IoT software in our internet-connected power grid, oil refineries and pipelines, chemical plants, and so on. IoT software tends to be of much lower quality, and industrial IoT software tends to be legacy. Instant software is differently vulnerable. It’s not mass market. It’s created for a particular person, organization, or network. The attacker generally won’t have access to any code to analyze, which makes it less likely to be exploited by external attackers. If it’s ephemeral, any vulnerabilities will have a short lifetime. But lots of instant software will live on networks for a long time. And if it gets uploaded to shared tool libraries, attackers will be able to download and analyze that code. All of this points to a future where AIs will become powerful tools of cyberattack, able to automatically find and exploit vulnerabilities in systems worldwide. Automating patch creation But that’s just half of the arms race. Defenders get to use AI, too. These same AI vulnerability-finding technologies are even more valuable for defense. When the defensive side finds an exploitable vulnerability, it can patch the code and deny it to attackers forever. How this works in practice depends on another related capability: the ability of AIs to patch vulnerable software, which is closely related to their ability to write secure code in the first place. AIs are not very good at this today; the instant software that AIs create is generally filled with vulnerabilities, both because AIs write insecure code and because the people vibe coding don’t understand security. OpenClaw is a good example of this. Unknown No. 2 is how much better AIs will get at writing secure code. The fact that they’re trained on massive corpuses of poorly written and insecure code is a handicap, but they are getting better. If they can reliably write vulnerability-free code, it would be an enormous advantage for the defender. And AI-based vulnerability-finding makes it easier for an AI to train on writing secure code. We can envision a future where AI tools that find and patch vulnerabilities are part of the typical software development process. We can’t say that the code would be vulnerability-free — that’s an impossible goal — but it could be without any easily findable vulnerabilities. If the technology got really good, the code could become essentially vulnerability-free. Patching lags and legacy software For new software — both commercial and instant — this future favors the defender. For commercial and conventional open-source software, it’s not that simple. Right now, the world is filled with legacy software. Much of it — like IoT device software — has no dedicated security team to update it. Sometimes it is incapable of being patched. Just as it’s harder for AIs to find vulnerabilities when they don’t have access to the source code, it’s harder for AIs to patch software when they are not embedded in the development process. I’m not as confident that AI systems will be able to patch vulnerabilities as easily as they can find them, because patching often requires more holistic testing and understanding. That’s Unknown No. 3: how quickly AIs will be able to create reliable software updates for the vulnerabilities they find, and how quickly customers can update their systems. Today, there is a time lag between when a vendor issues a patch and customers install that update. That time lag is even longer for large organizational software; the risk of an update breaking the underlying software system is just too great for organizations to roll out updates without testing them first. But if AI can help speed up that process, by writing patches faster and more reliably, and by testing them in some AI-generated twin environment, the advantage goes to the defender. If not, the attacker will still have a window to attack systems until a vulnerability is patched. Toward self-healing In a truly optimistic future, we can imagine a self-healing network. AI agents continuously scan the ever-evolving corpus of commercial and custom AI-generated software for vulnerabilities, and automatically patch them on discovery. For that to work, software license agreements will need to change. Right now, software vendors control the cadence of security patches. Giving software purchasers this ability has implications about compatibility, the right to repair, and liability. Any solutions here are the realm of policy, not tech. If the defense can find, but can’t reliably patch, flaws in legacy software, that’s where attackers will focus their efforts. If that’s the case, we can imagine a continuously evolving AI-powered intrusion detection, continuously scanning inputs and blocking malicious attacks before they get to vulnerable software. Not as transformative as automatically patching vulnerabilities in running code, but nevertheless valuable. The power of these defensive AI systems increases if they are able to coordinate with each other, and share vulnerabilities and updates. A discovery by one AI can quickly spread to everyone using the affected software. Again: Advantage defender. There are other variables to consider. The relative success of attackers and defenders also depends on how plentiful vulnerabilities are, how easy they are to find, whether AIs will be able to find the more subtle and obscure vulnerabilities, and how much coordination there is among different attackers. All this comprises Unknown No. 4. Vulnerability economics Presumably, AIs will clean up the obvious stuff first, which means that any remaining vulnerabilities will be subtle. Finding them will take AI computing resources. In the optimistic scenario, defenders pool resources through information sharing, effectively amortizing the cost of defense. If information sharing doesn’t work for some reason, defense becomes much more expensive, as individual defenders will need to do their own research. But instant software means much more diversity in code: an advantage to the defender. This needs to be balanced with the relative cost of attackers finding vulnerabilities. Attackers already have an inherent way to amortize the costs of finding a new vulnerability and create a new exploit. They can vulnerability hunt cross-platform, cross-vendor, and cross-system, and can use what they find to attack multiple targets simultaneously. Fixing a common vulnerability often requires cooperation among all the relevant platforms, vendors, and systems. Again, instant software is an advantage to the defender. But those hard-to-find vulnerabilities become more valuable. Attackers will attempt to do what the major intelligence agencies do today: find “nobody but us” zero-day exploits. They will either use them slowly and sparingly to minimize detection or quickly and broadly to maximize profit before they’re patched. Meanwhile, defenders will be both vulnerability hunting and intrusion detecting, with the goal of patching vulnerabilities before the attackers find them. We can even imagine a market for vulnerability sharing, where the defender who finds a vulnerability and creates a patch is compensated by everyone else in the information-sharing/repair network. This might be a stretch, but maybe. Up the stack Even in the most optimistic future, attackers aren’t going to just give up. They will attack the non-software parts of the system, such as the users. Or they’re going to look for loopholes in the system: things that the system technically allows but were unintended and unanticipated by the designers — whether human or AI — and can be used by attackers to their advantage. What’s left in this world are attacks that don’t depend on finding and exploiting software vulnerabilities, like social engineering and credential stealing attacks. And we have already seen how AI-generated deepfakes make social engineering easier. But here, too, we can imagine defensive AI agents that monitor users’ behaviors, watching for signs of attack. This is another AI use case, and one that I’m not even sure how to think about in terms of the attacker/defender arms race. But at least we’re pushing attacks up the stack. Also, attackers will attempt to infiltrate and influence defensive AIs and the networks they use to communicate, poisoning their output and degrading their capabilities. AI systems are vulnerable to all sorts of manipulations, such as prompt injection, and it’s unclear whether we will ever be able to solve that. This is Unknown No. 5, and it’s a biggie. There might always be a “trusting trust problem.” No future is guaranteed. We truly don’t know whether these technologies will continue to improve and when they will plateau. But given the pace at which AI software development has improved in just the past few months, we need to start thinking about how cybersecurity works in this instant software world. View the full article
  16. Gorodenkoff | shutterstock.com Model Context Protocol (MCP) verbindet KI-Agenten mit Datenquellen und erfreut sich im Unternehmensumfeld wachsender Beliebtheit. Allerdings ist auch MCP nicht frei von Sicherheitslücken, wie entsprechende Entdeckungen, etwa beim SaaS-Anbieter Asana oder dem IT-Riesen Atlassian gezeigt haben. Inzwischen hat sich jedoch einiges in Sachen MCP-Sicherheit getan. Einerseits wurden mit Blick auf das Kernprotokoll etliche Fortschritte erzielt. Beispielsweise in Form von Support für OAuth sowie für Authentifizierungs-Server von Drittanbietern und Identity-Management-Systeme. Darüber hinaus wurde inzwischen auch eine offizielle MCP Registry geschaffen, die einen Überblick über sichere, öffentlich verfügbare MCP-Server bietet. Dennoch bestehen weiterhin Sicherheitslücken, die sich für diverse Cyberschandtaten ausnutzen lassen – Prompt Injection, Tool Poisoning, Token-Diebstahl, Server-übergreifende Attacken oder manipulierte Messages sind nur einige von vielen Beispielen. Mit anderen Worten: Unternehmen, die sich beim Aufbau von Agentic-AI-Systemen einen Wettbewerbsvorteil verschaffen wollen, müssen erhebliche Anstrengungen unternehmen, um zu gewährleisten, dass sensible Daten nicht nach außen dringen. Glücklicherweise gibt es diverse Tools, die dabei Unterstützung versprechen. In diesem Artikel lesen Sie: was Security-Tools für MCP leisten sollten, und welche Angebote in diesem Bereich interessant sind. Das sollten MCP-Sicherheitslösungen können Die Gefahr von Datenlecks, Prompt Injections und weiteren Sicherheitsbedrohungen besteht unabhängig davon, ob Unternehmen: ihre eigenen KI-Agenten mit MCP-Servern von Drittanbietern, ihre eigenen MCP-Server mit Drittanbieter-Agenten, oder ihre eigenen Server mit den eigenen Agenten verbinden. Soll heißen: Unternehmen müssen in jedem Fall Autorisierungen und Berechtigungen überprüfen, detaillierte Zugriffskontrollen implementieren und alles protokollieren. Daraus ergeben sich auch die Anforderungen für MCP-Sicherheitslösungen. Diese sollten bieten: MCP-Servererkennung. Für Mitarbeiter eines Unternehmens ist es einfach, MCP-Server herunterzuladen und zu nutzen. Mit Scan-Services für MCP-Server können Unternehmen sämtliche Instanzen von Schatten-MCP-Servern in ihrer Umgebung finden. Laufzeitschutz. KI-Agenten kommunizieren mit MCP-Servern in natürlicher Sprache. MCP-Sicherheits-Tools sollten deshalb in der Lage sein, diese Kommunikation auf Sicherheitsprobleme wie Prompt Injections hin zu überwachen. Authentifizierungs- und Zugriffskontrollen. Das MCP-Protokoll unterstützt inzwischen OAuth, aber das ist nur ein erster Schritt. Für zusätzliche Sicherheit empfehlen sich Tools mit integrierten Kontroll-Frameworks für Zero Trust und Least Privilege. Logging und Observability. Tools und Plattformen sollten zudem die Möglichkeit bieten, MCP-Protokolle zu sammeln, Sicherheitsteams über Richtlinienverstöße zu informieren, Compliance-Daten zu erfassen oder Protokolle in die bestehende Sicherheitsinfrastruktur einzuspeisen. MCP-Security-Angebote Im Folgenden haben wir die Anbieter von MCP-Security-Tools in drei Kategorien aufgeteilt. Diese Aufstellung erhebt keinen Anspruch auf Vollständigkeit. Hyperscaler Für Unternehmen, die sich vollständig auf eine bestimmte Cloud-Plattform verlassen, bieten die MCP-Tools des jeweiligen Hyperscalers einen einfachen Einstieg. Amazon Web Services (AWS) hat Mitte 2025 seine eigene agentenbasierte KI-Plattform eingeführt. Amazon Bedrock AgentCore umfasst ein Gateway, das mehrere Protokolle unterstützt (darunter auch MCP), ein Identity-Management-System sowie Observability. Microsoft bietet einen grundlegenden Azure-MCP-Server an, inklusive Support für Azure Key Vault. Darüber hinaus unterstützen auch Azure AI Foundry Agent Service und Azure API Management das Model Context Protocol. Zudem bietet Microsoft mit dem Agent Framework auch ein Open-Source-Entwicklungskit, das sowohl MCP als auch Agent2Agent unterstützt und beispielsweise Schutz vor Prompt Injections verspricht. Google Cloud kündigte Anfang 2025 seine MCP Toolbox für Datenbanken an – inklusive integrierter Authentifizierung und Observability. Außerdem hat der Hyperscaler auch eine Referenzarchitektur veröffentlicht, um MCP-Server auf seiner Cloud-Plattform abzusichern. Große Plattformanbieter Der IT-Dienstleister Cloudflare hat mit MCP Server Portals ein Tool veröffentlicht, mit dem Unternehmen MCP-Verbindungen zentralisiert absichern und überwachen können. Die Funktion ist Bestandteil der Cloudflare-One-Plattform. Palo Alto Networks hat mit Blick auf MCP-Sicherheit mehrere Eisen im Feuer. Mit Prisma AIRS hat das Unternehmen einen eigenen, intermediären MCP-Server veröffentlicht. Dieser sitzt zwischen den KI-Agenten und dem eigentlichen MCP-Server und erkennt schadhafte Inhalte und Daten. Das Tool MCP Security ist hingegen Bestandteil von Cortex Cloud WAAS und überprüft die MCP-Kommunikation an der Netzwerkgrenze auf bösartige Aktivitäten. SentinelOne gewährt mit seiner Singularity Platform ebenfalls Einblick in die MCP-Interaktionskette und bietet zum Beispiel Warnmeldungen und automatisierte Incident Response für MCP-Server auf lokaler oder Remote-Ebene. Daneben hat auch Broadcom MCP-Sicherheitsfunktionen für VMware Cloud Foundation angekündigt, die künftig mehr Sicherheit für agentenbasierte Workflows gewährleisten sollen. Startups Die Plattform von Acuvity (seit Februar 2026 Teil von Proofpoint) verspricht, MCP-Server umfassend abzusichern. Dafür sorgt laut dem Anbieter eine Kombination aus Least-Privilege-Execution, unveränderlichen Laufzeiten, kontinuierlichen Schwachstellenscans, Authentifizierung und Bedrohungserkennung. Das API-Security-Startup Akto hat eine MCP-Security-Plattform im Angebot. Sie umfasst ein Discovery Tool, um MCP-Server in Unternehmensumgebungen zu identifizieren, Security-Testing-Werkzeuge sowie Monitoring- und Threat-Detection-Funktionen. Invariant Labs bietet mit MCP-Scan ein quelloffenes Tool, das die statische Analyse und Echtzeitüberwachung von MCP-Servern ermöglicht. Mit Guardrails hat das Startup auch ein kommerzielles Produkt im Angebot. Dabei handelt es sich um einen Proxy. Der zwischen KI-Agenten und MCP-Servern sitzt und vor Security-Risiken schützen soll. Das Tool befähigt Anwender außerdem dazu, Richtlinien aufzusetzen. Highflame (vormals Javelin) addressiert ebenfalls das Thema MCP-Sicherheit. Etwa mit Funktionen wie MCP-Server auf Risiken zu scannen oder Datenanfragen zu überprüfen. Lasso Security stellt ein Open-Source-MCP-Gateway zur Verfügung, das die Konfiguration und das Lebenszyklusmanagement von MCP-Servern ermöglicht und Messages um sensible Informationen bereinigt. (fm) View the full article
  17. Gorodenkoff | shutterstock.com Model Context Protocol (MCP) verbindet KI-Agenten mit Datenquellen und erfreut sich im Unternehmensumfeld wachsender Beliebtheit. Allerdings ist auch MCP nicht frei von Sicherheitslücken, wie entsprechende Entdeckungen, etwa beim SaaS-Anbieter Asana oder dem IT-Riesen Atlassian gezeigt haben. Inzwischen hat sich jedoch einiges in Sachen MCP-Sicherheit getan. Einerseits wurden mit Blick auf das Kernprotokoll etliche Fortschritte erzielt. Beispielsweise in Form von Support für OAuth sowie für Authentifizierungs-Server von Drittanbietern und Identity-Management-Systeme. Darüber hinaus wurde inzwischen auch eine offizielle MCP Registry geschaffen, die einen Überblick über sichere, öffentlich verfügbare MCP-Server bietet. Dennoch bestehen weiterhin Sicherheitslücken, die sich für diverse Cyberschandtaten ausnutzen lassen – Prompt Injection, Tool Poisoning, Token-Diebstahl, Server-übergreifende Attacken oder manipulierte Messages sind nur einige von vielen Beispielen. Mit anderen Worten: Unternehmen, die sich beim Aufbau von Agentic-AI-Systemen einen Wettbewerbsvorteil verschaffen wollen, müssen erhebliche Anstrengungen unternehmen, um zu gewährleisten, dass sensible Daten nicht nach außen dringen. Glücklicherweise gibt es diverse Tools, die dabei Unterstützung versprechen. In diesem Artikel lesen Sie: was Security-Tools für MCP leisten sollten, und welche Angebote in diesem Bereich interessant sind. Das sollten MCP-Sicherheitslösungen können Die Gefahr von Datenlecks, Prompt Injections und weiteren Sicherheitsbedrohungen besteht unabhängig davon, ob Unternehmen: ihre eigenen KI-Agenten mit MCP-Servern von Drittanbietern, ihre eigenen MCP-Server mit Drittanbieter-Agenten, oder ihre eigenen Server mit den eigenen Agenten verbinden. Soll heißen: Unternehmen müssen in jedem Fall Autorisierungen und Berechtigungen überprüfen, detaillierte Zugriffskontrollen implementieren und alles protokollieren. Daraus ergeben sich auch die Anforderungen für MCP-Sicherheitslösungen. Diese sollten bieten: MCP-Servererkennung. Für Mitarbeiter eines Unternehmens ist es einfach, MCP-Server herunterzuladen und zu nutzen. Mit Scan-Services für MCP-Server können Unternehmen sämtliche Instanzen von Schatten-MCP-Servern in ihrer Umgebung finden. Laufzeitschutz. KI-Agenten kommunizieren mit MCP-Servern in natürlicher Sprache. MCP-Sicherheits-Tools sollten deshalb in der Lage sein, diese Kommunikation auf Sicherheitsprobleme wie Prompt Injections hin zu überwachen. Authentifizierungs- und Zugriffskontrollen. Das MCP-Protokoll unterstützt inzwischen OAuth, aber das ist nur ein erster Schritt. Für zusätzliche Sicherheit empfehlen sich Tools mit integrierten Kontroll-Frameworks für Zero Trust und Least Privilege. Logging und Observability. Tools und Plattformen sollten zudem die Möglichkeit bieten, MCP-Protokolle zu sammeln, Sicherheitsteams über Richtlinienverstöße zu informieren, Compliance-Daten zu erfassen oder Protokolle in die bestehende Sicherheitsinfrastruktur einzuspeisen. MCP-Security-Angebote Im Folgenden haben wir die Anbieter von MCP-Security-Tools in drei Kategorien aufgeteilt. Diese Aufstellung erhebt keinen Anspruch auf Vollständigkeit. Hyperscaler Für Unternehmen, die sich vollständig auf eine bestimmte Cloud-Plattform verlassen, bieten die MCP-Tools des jeweiligen Hyperscalers einen einfachen Einstieg. Amazon Web Services (AWS) hat Mitte 2025 seine eigene agentenbasierte KI-Plattform eingeführt. Amazon Bedrock AgentCore umfasst ein Gateway, das mehrere Protokolle unterstützt (darunter auch MCP), ein Identity-Management-System sowie Observability. Microsoft bietet einen grundlegenden Azure-MCP-Server an, inklusive Support für Azure Key Vault. Darüber hinaus unterstützen auch Azure AI Foundry Agent Service und Azure API Management das Model Context Protocol. Zudem bietet Microsoft mit dem Agent Framework auch ein Open-Source-Entwicklungskit, das sowohl MCP als auch Agent2Agent unterstützt und beispielsweise Schutz vor Prompt Injections verspricht. Google Cloud kündigte Anfang 2025 seine MCP Toolbox für Datenbanken an – inklusive integrierter Authentifizierung und Observability. Außerdem hat der Hyperscaler auch eine Referenzarchitektur veröffentlicht, um MCP-Server auf seiner Cloud-Plattform abzusichern. Große Plattformanbieter Der IT-Dienstleister Cloudflare hat mit MCP Server Portals ein Tool veröffentlicht, mit dem Unternehmen MCP-Verbindungen zentralisiert absichern und überwachen können. Die Funktion ist Bestandteil der Cloudflare-One-Plattform. Palo Alto Networks hat mit Blick auf MCP-Sicherheit mehrere Eisen im Feuer. Mit Prisma AIRS hat das Unternehmen einen eigenen, intermediären MCP-Server veröffentlicht. Dieser sitzt zwischen den KI-Agenten und dem eigentlichen MCP-Server und erkennt schadhafte Inhalte und Daten. Das Tool MCP Security ist hingegen Bestandteil von Cortex Cloud WAAS und überprüft die MCP-Kommunikation an der Netzwerkgrenze auf bösartige Aktivitäten. SentinelOne gewährt mit seiner Singularity Platform ebenfalls Einblick in die MCP-Interaktionskette und bietet zum Beispiel Warnmeldungen und automatisierte Incident Response für MCP-Server auf lokaler oder Remote-Ebene. Daneben hat auch Broadcom MCP-Sicherheitsfunktionen für VMware Cloud Foundation angekündigt, die künftig mehr Sicherheit für agentenbasierte Workflows gewährleisten sollen. Startups Die Plattform von Acuvity (seit Februar 2026 Teil von Proofpoint) verspricht, MCP-Server umfassend abzusichern. Dafür sorgt laut dem Anbieter eine Kombination aus Least-Privilege-Execution, unveränderlichen Laufzeiten, kontinuierlichen Schwachstellenscans, Authentifizierung und Bedrohungserkennung. Das API-Security-Startup Akto hat eine MCP-Security-Plattform im Angebot. Sie umfasst ein Discovery Tool, um MCP-Server in Unternehmensumgebungen zu identifizieren, Security-Testing-Werkzeuge sowie Monitoring- und Threat-Detection-Funktionen. Invariant Labs bietet mit MCP-Scan ein quelloffenes Tool, das die statische Analyse und Echtzeitüberwachung von MCP-Servern ermöglicht. Mit Guardrails hat das Startup auch ein kommerzielles Produkt im Angebot. Dabei handelt es sich um einen Proxy. Der zwischen KI-Agenten und MCP-Servern sitzt und vor Security-Risiken schützen soll. Das Tool befähigt Anwender außerdem dazu, Richtlinien aufzusetzen. Highflame (vormals Javelin) addressiert ebenfalls das Thema MCP-Sicherheit. Etwa mit Funktionen wie MCP-Server auf Risiken zu scannen oder Datenanfragen zu überprüfen. Lasso Security stellt ein Open-Source-MCP-Gateway zur Verfügung, das die Konfiguration und das Lebenszyklusmanagement von MCP-Servern ermöglicht und Messages um sensible Informationen bereinigt. (fm) View the full article
  18. When your network goes down, your business stops. That’s a stark truth we see confirmed daily in incident response—and N-able’s 2026 State of the SOC Report only underscores it. Backup isn’t just an IT routine anymore; it’s the backbone of your business resilience strategy. Yet, too many teams leave gaps that threat actors are ready to exploit. Let’s get proactive. Here are seven common backup priorities and what we recommend to ensure your organization can recover from anything the modern threat landscape throws at you. 1. Prioritize your most critical data You can’t protect everything at the same level, and you shouldn’t try. Businesses focusing on mission-critical systems for backup and rapid recovery have significantly shorter downtime post-incident. The Fix: Identify revenue-driving applications, regulated data, and anything core to daily operations—then align backup policies with these priorities. If you treat your archive data with the same urgency as your production data, you’re wasting resources that could save your business during a crisis. 2. Ensure off-site backup copies Local backups are fast, but they are also vulnerable to the same physical disasters and ransomware attacks that hit your primary servers. If your production environment and your backups are on the same network segment without air-gapping, a single compromise becomes a total extinction event. The Fix: Adopt a 3-2-1 strategy (3 total copies of data, 2 different media types, 1 offsite copy) but modernize it. Ensure at least one copy is off-site and immutable. Our cloud-first backup solution shows how reducing the attack surface mitigates risk. 3. Implement backup immutability Ransomware attacks increasingly target repositories to force payment. If an attacker can delete your backups, you have no leverage. The Fix: Immutable backups—backups that can’t be changed or deleted, even by admins—are non-negotiable. In N-able’s cloud, automated immutable storage and air-gapped backups consistently prevented data loss, even when primary systems were compromised. N-able’s Cove Data Protection is ransomware ready with cyber-resilient architecture, immutable copies, and ransomware recovery to keep you in control and able to restore data successfully. 4. Automating RPO and RTO Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are your real commitments to stakeholders. Not enforcing or automating RPO and RTO means an organization lacks defined, measurable targets for data loss and downtime, leading to high-risk, manual, and often chaotic recovery processes. Without automation, organizations rely on manual, human-driven procedures, which increase the likelihood of data loss, extended outages, and failure to meet compliance requirements (e.g., HIPAA, PCI DSS) The Fix: Establish RTO and RPO for each application based on criticality. Implement automation and regularly test recovery processes to ensure they meet targets. Don’t rely on manual checks; let the system tell you if you are drifting from your resilience goals. Why RPO and RTO metrics matter for cyber resilience and how they are different. 5. Real-world backup testing The worst time to test a backup is when you’re restoring it under pressure. In our experience, corrupted backups surface as a leading cause of failed recoveries. A screenshot of a “success” message isn’t enough proof that a server will boot. The Fix: Make automated recovery testing a daily habit and not a quarterly dread. We advocate solutions that boot VMs from backups, run service checks, and supply verifiable evidence after every run. 6. Integrate backup with security ops Too often, backup and security exist in silos. The most resilient organizations are integrating backup failures directly into their SOC dashboards. The Fix: Treat backup failures as security incidents. Any surprise failure or agent tampering gets immediate incident review and threat hunting. Bonus: Scan backup images for malware before restoring to avoid reintroducing threats during your most vulnerable moment. 7. Implement scalable recovery playbooks Recovering one file is easy; recovering your business under attack is chaos without a plan. This was painfully clear in cases where teams restored non-essential servers, leaving core business processes offline. The Fix: Build recovery runbooks. Know what to bring back first (typically identity, DNS, DB servers), document dependencies, and rehearse recovery from “zero” infrastructure. Proving resilience, not just activity Executives and clients want to know: “Are we protected if disaster strikes?” Reporting on backup success means showing more than last night’s log. Demonstrate that your tests meet RPO/RTO, that DR rehearsals succeed, and that automated processes kick in as designed. We recognize backup is about more than files—it’s about business continuity and trust. With the number of alerts every minute hitting SOCs today, automated orchestration helps you respond to the velocity of modern attacks so you can recover fast and stay compliant, operational, and secure. Data threats are evolving, and your backup needs to evolve with them. See how N-able’s Cove Data Protection beats legacy backups. View the full article
  19. How many times has your SOC hit crisis mode at 2:00 AM, with the dashboard blaring red and analysts scrambling to separate real threats from useless noise? We’ve all been there, and if you’re still measuring success by the number of alerts closed, chances are you’re feeling the strain. The truth is, responding to everything is neither sustainable nor effective—and it puts resilience at risk. In this article, we’ll show you the five most important steps you can take to move from alert fatigue to business resilience, supported by hard data from the 2026 N-able State of the SOC Report. These are the practical habits security-driven IT leaders are adopting to future-proof their operations and protect what matters most. 1. Recognize the cost of noise: When “more alerts” means more risk Many SOCs still believe that more data equals better protection. But our 2026 State of the SOC report found that traditional alert volumes have hit a breaking point— our SOC team had to process an average of 2 alerts per minute last year. When everything is urgent, nothing is. Analysts get burned out, and critical threats can slip by undetected, leading to increased dwell times and real business impact. Key N-able SOC stat: 18% of threats in 2025 were only caught by network and perimeter layers—outside endpoint visibility. It’s clear: If you’re over-relying on endpoint or cloud signals, you’re missing threats and putting uptime and client trust at risk. 2. Prioritize outcomes over ticket volume Stop focusing on how many alerts are cleared. This may be a metric for a better understanding of where automation or headcount are necessary but prioritize outcomes. Instead, the right questions are: How quickly did you contain a threat? Did we disrupt business operations or keep recovery swift and effective? A practical, outcome-driven SOC measures: Dwell time: How long before a threat was neutralized? Mean Time to Contain: How quickly were you able to halt an attack? Business downtime avoided: How resilient were you when tested? Tie these metrics back to resilience. When you can tell the CEO or client you prevented X hours of downtime or stopped ransomware in minutes, you position yourself as more than a cost center—you’re a driver of business continuity. Hear how customers use N-able to boost efficiency, gain peace of mind, and ensure business resiliency. 3. Put AI and automation to work—or get left behind According to our SOC report, 90% of all investigations in 2026 could be automated by AI. In fact, only organizations that shifted to AI-centric security models kept up with the onslaught. Those stuck with purely manual playbooks fell behind. Here’s what works: AI-driven correlation to unify context across endpoints, networks, identities, and more. Automation to handle tasks like remediation, account disables, password resets, and notifications—repetitive work that machines do faster and with less error. Last year, our SOAR actions surged 500%, making up almost a quarter of all responses. That’s what resilience in the face of “volume crisis” looks like. Explore the benefits of integrating AI into your strategy and how it impacts your security team across crucial threat and detection stages. 4. Build defense-in-depth (and don’t rely on magic bullets) The “magic bullet” mindset, where a single security layer or tool is supposed to protect everything, doesn’t cut it. The 2026 N-able State of the SOC report underscores that business resilience depends on a defense-in-depth strategy: In 2025, half of all attacks bypassed endpoint controls entirely. 137,187 network and perimeter threats were invisible to endpoint-only deployments. The lesson: Layered security isn’t just “nice to have”—it’s the difference between stopping attacks and suffering a breach. Even with the right foundational layers in place, the real power only emerges when they operate as a unified system. Multi-layer correlation connects the signals coming from identity, endpoint, cloud, network, and perimeter controls, transforming isolated alerts into a clear, actionable picture of an unfolding attack. 5. Design playbooks that focus on business resilience Your playbooks shouldn’t just stop at technical containment—think bigger. The best teams design for resilience, from automated isolation and communication to verified recovery. For ransomware: Confirm the scope rapidly (AI correlates affected assets). Automate isolation of the subnet or systems involved. Communicate with stakeholders per your IR plan. Initiate backup restoration, leveraging recent, immutable recovery points. In our 2026 SOC report, organizations with unified, automated playbooks contained perimeter-initiated attacks in under 10 minutes—even during off-hours. That’s the bar you need to hit. The bottom line Volume and complexity aren’t going away, but SOC fatigue doesn’t have to be your story. By shifting to outcome-driven defense, embracing automation, layering controls, and focusing on measurable resilience, you move from reactive to proactive—protecting your clients, your brand, and your peace of mind. Are you ready to take the next step? Take a tour of Adlumin’s AI-powered XDR platform and expert-led MDR service. View the full article
  20. Business resilience starts at the endpoint. Between March and December 2025, the N-able SOC processed over 900,000 alerts—and a staggering 18% originated from network and perimeter exploits that most endpoint-only security never saw. Attackers are constantly shifting tactics, and endpoints remain an exposed attack surface. The good news: the right proactive strategies put you in control, stopping threats before they ripple across your business. Here’s our concise, field-tested playbook to operationalize resilient endpoint security and avoid the single-layer fallacy that leaves half your risks unseen. 1. Start with full endpoint visibility—No blind spots allowed You can’t protect what you don’t know about. As mentioned in our State of the SOC report, network and perimeter threats flew under the radar for organizations lacking unified visibility. These weren’t minor threats — many were initial stages of attacks that would have become full breaches without multi-layer visibility. Inventory all devices continuously. Go beyond manual tracking. Automated discovery tools can identify each device, from remote laptops to IoT assets, as soon as they join your network. Mitigate shadow IT risk. Unmanaged devices are a favorite entry point for attackers. Every asset must be accounted for and brought under management. No exceptions. Learn more about automating discovery and reducing blind spots in your endpoint management strategy with N-able. 2. Standardize secure configurations (…don’t fall for the “good enough” trap) Uniform security policies are your first solid defense. The data is clear: attackers exploit inconsistencies, and endpoints with misconfigurations are easy targets. Enforce least privilege. Remove local admin rights unless absolutely necessary—stopping malware before it can spread. Apply strict allow-listing. Application control blocks unauthorized installations, cutting off common threat vectors. Leverage policy automation. Templates make it easy to deploy secure configurations at scale across Windows, macOS, and Linux environments. Failing to standardize? You’re inadvertently creating opportunities for lateral movement and targeted exploits. 3. Automate patching and remediation—manual processes are a liability Waiting on manual patch cycles? That’s a recipe for disaster. Automation is now essential for effective vulnerability management because attackers are moving faster than ever. AI lets threat actors scan for weaknesses, generate new exploits, and launch broad attacks at a pace manual processes cannot match. When vulnerabilities emerge, the gap between disclosure and exploitation is shrinking, which leaves organizations that rely on human-driven workflows exposed. Manual patching and tracking introduce delays and inconsistencies that create easy openings for attackers. Automated discovery, prioritization, and patch deployment help close these gaps by removing human bottlenecks and ensuring critical fixes are applied quickly and consistently. In a world where AI accelerates both the volume and speed of attacks, automation is the only sustainable way to reduce risk and maintain a strong security posture. Prioritize based on real risk. Focus on vulnerabilities under active attack or critical to business continuity. Automate across OS and third-party software. Don’t let browsers or document tools become overlooked gateways. Measure what matters. Track metrics like “percentage of devices patched” and “average remediation time” for continuous improvement. Explore N-able’s automated patch management for fast, scalable response. 4. Add EDR to detect what endpoint antivirus misses Prevention is never 100%. Our 2026 SOC report shows that 50% of attacks bypassed endpoint controls entirely, often moving laterally or exploiting identity layers. To achieve true resilience, include Endpoint Detection and Response (EDR) in your security stack. Behavioral threat detection: AI-driven EDR stops zero-day and fileless attacks that signature-based tools miss. Automated response: Compromised endpoints are isolated automatically, containing threats before they spread. Forensic insight: EDR gives you visibility into attack paths, enabling rapid remediation and long-term learning. Leverage N-able EDR to transform your endpoint monitoring and response. 5. Connect endpoints to backup and recovery—plan for when (…not if) something gets through Even with layers of defense, you can’t eliminate risk. How fast you bounce back determines your business resilience. In environments with integrated endpoint and backup management, the N-able SOC observed faster incident recovery and reduced downtime. Ensure every critical device is covered. Regular checks ensure backup policies include your entire asset inventory. Prioritize rapid recovery. Restore the systems that matter most first to maintain operational uptime. Unify workflows. Centralized platforms streamline both the detection and restoration process, cutting downtime. Lessons from the front lines Don’t rely on “magic bullet” solutions—The SOC’s 2026 alert data proves: defense-in-depth is essential. Relying on endpoint protection alone means missing critical network and perimeter threats. Automate and correlate across layers. Human-driven response can’t keep up. In 2026, 90% of investigation steps could be automated, and multi-layer correlation stopped ransomware in under 10 minutes during real-world attacks. Measure and report. Regular status updates on patch levels, detection rates, and recovery speed keep your team—and your leadership—aligned and ready. Embedding resilience: Why N-able customers succeed We recognize the weight IT security teams carry. Managing inventory, patching, EDR, and backup across hybrid workforces isn’t just complex—it’s mission critical. N-able brings unified monitoring, orchestration, and rapid response under one platform, helping internal IT teams and MSPs operationalize resilience, reduce downtime, and drive business continuity. See how N-able is delivering business resilience in 2026. View the full article
  21. Silos are the enemy of business resilience. As IT leaders, we’ve all felt the pain: the backup administrator, SOC analyst, and endpoint engineer operating in separate worlds—often meeting for the first time in the chaos of a live cyberattack. The result? Delayed responses, missed signals, and greater impact on the business. The N-able 2026 State of the SOC Report leaves no doubt. In just one year, 18% of all security alerts came from network and perimeter exploits—risks many endpoint-only teams never saw coming. Even scarier? 50% of attacks completely bypass endpoint controls. You can’t afford to be siloed. Here’s where most organizations go wrong—and the six crucial steps you need to take to align our teams, tools, and processes for true business resilience. Mistake 1: Unclear roles and responsibilities Confusion creates costly delay. During an incident, who owns quarantine actions on high-value endpoints? Who can take critical apps offline? Without a detailed, cross-team RACI matrix (Responsible, Accountable, Consulted, Informed), response efforts stall and attackers gain precious minutes. Fix: Build a unified RACI for incident response and disaster recovery. Everyone from endpoint to SOC to backup should know their duties in a crisis. Learn how different personalities affect cyber crisis response in this Guide to Managing Strong Personalities During a Cybercrisis. Mistake 2: Fragmented asset and risk views Fragmented asset and risk views make it difficult for teams to understand what is actually in their environment and where the most pressing exposures reside. When devices, configurations, and identity data live in separate tools or are maintained inconsistently, gaps appear that attackers can exploit. This lack of a unified perspective slows decision making, complicates prioritization, and obscures the relationships that matter most during an investigation or response. Fix: Create a single, reliable view of assets and risks across the entire environment. Consolidating inventories, vulnerability data, and identity insights helps teams quickly see what they have, how it is behaving, and where risk is concentrated. With a unified source of truth, organizations can prioritize more effectively, enforce policies consistently, and respond with greater confidence. Mistake 3: Policies and playbooks that don’t talk to each other Our State of the SOC report found that 18% of alerts now originate from the network edge, which is a significant shift from previous years. If the SOC keeps logs for 90 days, but IT rotates them every 30, the evidence of those attacks may be lost forever. Gaps like this lead to missed detection and slow recovery. Fix: Align policies, retention schedules, and playbooks across security and IT. Aligning evidence ensures alerts can be fully investigated. Establishing unified standards for log retention, data sources, and workflow handoffs ensures that every team is operating from the same information and timeframes. When policies are coordinated and playbooks are connected, organizations can detect edge‑based attacks more reliably and accelerate recovery with complete, consistent evidence. Mistake 4: Disconnected tools prevent timely action The best-intentioned teams are blocked when they operate in silos. Our research shows a 5x year-over-year jump in automated response actions (SOAR), but unless EDR, backup, and SOC tools integrate, you can’t leverage this automation at scale. Fix: Invest in integrating toolsets and automating workflows. For example: EDR detects ransomware and triggers automated isolation. Backup systems auto-scan restore points for malware before allowing recovery. Failed backup alerts create tickets in both security and endpoint queues. By breaking down the data silos, you move from reaction to prevention. Looking for ways to automate at scale? This Playbook for Smarter Automation offers practical steps and scripts to take your IT security team to the next level. Mistake 5: No cross-team drills or incident simulations A playbook only works if everyone’s practiced. Too often, organizations run isolated tests—file restores here, pen tests there—but rarely do we rehearse the full detection-through-recovery scenario. Fix: Schedule regular tabletop exercises involving endpoint, SOC, and backup teams. Scenarios pulled from the State of the SOC Report, like holiday weekend ransomware, are essential for exposing process gaps before real attackers do. Planning and preparing are key. Here are some best practices when it comes to planning a tabletop exercise. Mistake 6: Measuring success in silos If the backup team meets its targets, but recovery takes three days because detection lagged, the business still suffers. The SOC’s speed means little if the restored data is compromised. Fix: Track success with unified, resilience-focused KPIs. For example: Mean Time to Recover (MTTR): How quickly can we restore critical systems after an attack? Patching SLA compliance: Not just an IT metric, but key to threat prevention. Successful recovery testing: Are we validating backups or just assuming they work? N-able: Your partner in business resilience We’ve learned—sometimes the hard way—that business resilience depends on breaking down silos. That’s why N-able unifies endpoint management, security operations, and data protection into a single, powerful view. With automation, integration, and real-time intelligence, we empower you to see threats earlier, recover faster, and keep your teams focused on what matters most: uptime, compliance, and customer trust. Ready to build your resilience strategy? Check out N-able’s unified end-to-end cybersecurity and IT solutions. View the full article
  22. If you’re in IT, you know: what we don’t measure puts business resilience at risk. In the face of rising threat volumes, scaling complexity, and board-level scrutiny, tracking the right operational metrics isn’t just about visibility—it’s the foundation for proactive risk management and business continuity. Compliance and insurance demands are also driving the scrutiny around measuring cybersecurity programs. Recent findings from the 2026 N-able State of the SOC Report are clear: the threat landscape keeps shifting, automation and integration are now must-haves, and organizations delivering true resilience measure what matters most. Below are the six metrics that we use to move the needle from firefighting to futureproofing. 1. Mean time to detect (MTTD): The speed of awareness Attackers are faster and stealthier than ever. In 2025 alone, N-able’s SOC processed more than 900,000 alerts, with attackers exploiting both endpoints and newly reemerging network perimeters. Our own data shows that rapid detection is non-negotiable: every extra minute a threat goes unseen increases the likelihood of a business-impacting event. If your MTTD is measured in hours, not minutes, you’re exposing your organization to avoidable risks. Automated threat detection, AI-driven analytics, and streamlined alert management significantly reduce dwell time. Key stat: The N-able SOC now averages 2 alerts per minute, an alert velocity that demands automated detection—not just human monitoring. 2. Mean time to respond (MTTR): From triage to containment It’s not enough to spot threats—you have to contain them fast. MTTR tracks how quickly your team can isolate and neutralize incidents. Integrated SOAR (Security Orchestration, Automation, and Response) workflows now drive a 500% year-over-year increase in orchestrated alert response actions, according to our latest SOC report. The difference? Teams leveraging automation have moved from after-the-fact remediation to business-saving containment in minutes rather than hours. 3. Time to recover: The business resilience reality check A single outage can mean hours or days of operational downtime. That’s why recovery time is a core resilience metric. It’s not just about restoring data; it’s about rebuilding trust and revenue streams. In 2025, we saw the top-performing organizations combine automated backup and disaster recovery solutions, rapid failover, and regular recovery testing to drive down time-to-recover. Cloud-native backups with built-in recovery processes are now the difference between near-instant resumption and prolonged business impact. Access the Cybersecurity Incident Response Plan template to help your team build a structured, comprehensive, and actionable approach to identifying, managing, and mitigating cyber incidents. 4. Endpoint patch compliance: Closing the doors Vulnerability exploits remain a constant threat, and unpatched endpoints often provide the easiest entry points. Maintaining a high percentage of fully patched endpoints helps reduce these paths of attack and strengthens your overall security posture. With centralized patch management, resilient teams can automate updates, track compliance, and remove the guesswork from keeping environments secure. This reduces risk surface area even as your operations grow. 5. Asset and identity coverage: Eliminate blind spots You can’t protect what you don’t see. With over 432,000 endpoint-layer detections and 14,000 identity threats recorded by the N-able SOC team between March and December 2025, the risk of shadow IT or credential theft from memory is real. Eliminating blind spots starts with full visibility across every asset in the environment. As devices, cloud workloads, and remote access points continue to expand, unmanaged or misconfigured assets can create opportunities for attackers to establish a foothold. Continuous discovery and consistent monitoring help ensure nothing operates outside the security team’s line of sight. Identity visibility is equally essential. With credential abuse now a leading attack vector, organizations need awareness of how accounts authenticate, when privileges change, and where anomalies appear across systems. Bringing asset and identity coverage together helps close the gaps attackers look for and strengthens an organization’s overall security posture. Your asset and identity coverage percentage tells you whether you’re operating with full visibility or exposing the business to unseen gaps. Resilient organizations unify asset discovery, endpoint management, and identity monitoring on a single pane of glass—empowering teams to stay ahead even as environments sprawl. Take a tour of N-central and see how we unify IT Ops and SecOps for stronger resilience. 6. Downtime avoided: Quantifying security’s business value Translating technical wins into business outcomes is how IT earns board trust. By correlating incident response and recovery metrics with downtime costs, you deliver a dollar-value impact: tangible proof that your efforts directly protect revenue. Integrated platforms, real-time dashboards, and automatic reporting transform security from a cost center into a business safeguard. Make metrics your roadmap The real message from the latest N-able SOC data? Single-layer approaches and isolated tools are dead ends. According to our recent State of the SOC report, 137,000+ network and perimeter threats bypassed endpoints, and nearly half of all alerts never touched a traditional endpoint. Business resilience is now about defense-in-depth, layered visibility, and automation. If you’re relying on what worked last year, you’re behind. We encourage you to start with these six metrics, identify your gaps, and leverage unified security solutions that support operational clarity and proactive resilience. Ready to up your security game? Learn more about N-able’s unified end-to-end cybersecurity and IT solutions. View the full article
  23. What does it really take to keep your organization running when attackers strike? The answer is business resilience—being able to detect, contain, and recover fast enough that disruptions are minimized, customers stay confident, and operations keep moving. From the latest 2026 State of the SOC Report, which is based on more than 900,000 alerts observed between March and December 2025 from the Adlumin Managed Detection and Response (MDR) provided by the N-able SOC, we’ve seen firsthand where security strategies succeed—and where they fall short. Below, we break down five actionable ways to build true resilience for your IT environment, using real-world data, strategic guidance, and frameworks that leading IT teams put into practice today. 1. Stop trusting single-layer security If you’re depending on just endpoint or cloud controls, you’re missing nearly half the risk surface—and the numbers prove it. In 2025, 18% of all alerts at the N-able SOC came from network and perimeter (Unified Threat Management) exploits that bypassed endpoint visibility. Over 137,000 threats were detected where endpoint-only controls would have been blind. What we recommend: Embrace layered, defense-in-depth designs. That means combining identity, endpoint, network, cloud, and perimeter visibility—not just bolting on tools. Relying on a “magic bullet” solution leaves dangerous gaps. Looking for end-to-end coverage of your environment? Check out N-able Unified Security Solutions. 2. Transition from manual to automated response SOC teams can’t keep up with the flood of alerts—N-able handled 2 alerts per minute on average in 2025. That’s why automation and Security Orchestration, Automation and Response (SOAR) saw a 500% YoY surge—almost one in four responses are now orchestrated automatically. Pro tip for IT leaders: Streamline workflows, so triage and containment happen at machine speed, not human speed. Automate password resets, containment, and endpoint remediation, then focus your analysts on proactive threat hunting. 3. Modernize endpoint and identity management Attack patterns are shifting. Out of 909,155 total alerts identified in N-able’s 2026 SOC report, only about half touched the endpoint layer. Identity has become one of the fastest‑growing attack surfaces, and organizations need visibility into suspicious sign‑ins, privilege misuse, and anomalous authentication behavior before a breach unfolds. A flexible, unified endpoint management solution that helps you manage, control, and secure endpoints is table stakes in your tech stack. To address identity attacks, an Identity Threat Detection and Response (ITDR) solution helps close this gap by correlating identity events, detecting credential abuse, and stopping identity‑based attacks in progress. ITDR gives security teams a clearer picture of how users, systems, and privileges are being accessed so they can contain threats early, before lateral movement or escalation occurs. Actionable step: Integrate advanced multi-factor authentication, real-time patch management, and privileged access controls as foundational layers. Add continuous identity monitoring to detect unusual authentication patterns and catch malicious activity that endpoint‑only tools cannot see. Transform your endpoint management – Explore how N-able’s N-central delivers simpler, smarter IT and security management. 4. Build recovery readiness into your plan Resilience isn’t just stopping an attack—it’s restoring operations quickly and minimizing downstream damage. In an N-able case study, an MSP’s customer suffered a 1.5 terabyte ransomware attack on a Friday. Thanks to Cove’s reliable backups (validated via recovery testing), the entire environment was fully restored by Monday, getting the business back online in under 3 days. This rapid recovery dramatically limited downtime and business disruption. Our advice: Test backups regularly, ensure they’re immutable, and tie recovery procedures directly into your SOC playbooks. Business continuity hinges on the speed and certainty of your recovery. See how Cove Data Protection delivers data resiliency by recovering quickly and reliably after every disaster. 5. Prepare for the next attack surface: AI AI is transforming both defense and risk. By 2026, up to 90% of investigations could be automated by AI. But adversaries aren’t far behind—compromised AI orchestration or poisoning can create new attack vectors that bypass traditional controls. What you need to do now: Audit where AI and automation touch your environment and monitor their actions with the same rigor as human activity. Prepare to secure agent-to-agent communications and maintain oversight as AI-driven processes mature. Explore how N-able leverages AI to protect customer environments around the clock. Strengthen your business with resilience-first security Resilience isn’t a buzzword—it’s the only practical answer for IT leaders dealing with today’s complex, fast-moving threat landscape. By focusing on layered defense, automation, unified recovery, and AI-integrated controls, you position your organization for uptime and continued success. Ready to level up your approach? Get started with our Cyber Resilience Primer: What You Need to Know in 2026. View the full article
  24. Developers can spend days using fuzzing tools to find security weaknesses in code. Alternatively, they can simply ask an LLM to do the job for them in seconds. The catch: LLMs are evolving so rapidly that this convenience might come with hidden dangers. The latest example is from researcher Hung Nguyen from AI red teaming company Calif, who, with simple prompts to Anthropic’s Claude Code, was able to uncover zero-day remote code exploits (RCEs) in the source code of two of the most popular developer text editors, Vim and GNU Emacs. Nguyen started with Vim. “Somebody told me there is an RCE 0-day when you open a file. Find it,” he instructed Claude Code. Within two minutes, Claude Code had discovered the flaw: missing critical security checks (P_MLE and P_SECURE) in the tabpanel sidebar introduced in 2025, and a missing security check in the autocmd_add() function. Claude Code then helpfully tried to find ways to exploit the vulnerability, eventually suggesting a tactic that bypassed the Vim sandbox by persuading a target to open a malicious file. It had gone from prompt to proof-of-concept (PoC) exploit in minutes. “An attacker who can deliver a crafted file to a victim achieves arbitrary command execution with the privileges of the user running Vim,” Vim maintainers noted in their security advisory. “The attack requires only that the victim opens the file; no further interaction is needed.” GNU Emacs ‘forever-day’ Surprised, Nguyen then jokingly suggested Claude Code find the same type of flaw in a second text editor, GNU Emacs. Claude Code obliged, finding a zero-day vulnerability, dating back to 2018, in the way the program interacts with the Git version control system that would make it possible to execute malicious code simply by opening a file. “Opening a file in GNU Emacs can trigger arbitrary code execution through version control (git), most requiring zero user interaction beyond the file open itself. The most severe finding requires no file-local variables at all — simply opening any file inside a directory containing a crafted .git/ folder executes attacker-controlled commands,” he wrote. One fixed, one not When notified, Vim’s maintainers quickly fixed their issue, identified as CVE-2026-34714 with a CVSS score of 9.2, in version 9.2.0272. Unfortunately, addressing the GNU Emacs vulnerability, which is currently without a CVE identifier, isn’t as straightforward. Its maintainers believe it to be a problem with Git, and declined to address the issue; in his post, Nguyen suggests manual mitigations. The vulnerable versions are 30.2 (stable release) and 31.0.50 (development). Vulnerable code What does the discovery of these flaws tell us? Clearly, that large numbers of old codebases are potentially vulnerable to the power of AI tools such as Claude Code. Just because a weakness hasn’t been noticed for years doesn’t mean it will hide for long in the AI era. That is, potentially, a big change, although hardly one that hasn’t already been flagged by Anthropic itself. In February, the company revealed that its Opus 4.6 model had been used to identify 500 high-severity security vulnerabilities. “AI language models are already capable of identifying novel vulnerabilities, and may soon exceed the speed and scale of even expert human researchers,” it said at the time. The platform is powerful enough that an enterprise version with the same capabilities, Claude Code Security, even negatively affected stock market sentiment towards several traditional cybersecurity companies when it was launched. A second issue is that LLMs are now capable of spotting, iterating, and creating PoCs for vulnerabilities in ways developers still need to come to terms with. Meanwhile, the potential for malicious use is hard to ignore. “How do we professional bug hunters make sense of this?” Nguyen asked. “This feels like the early 2000s. Back then a kid could hack anything, with SQL Injection. Now [they can] with Claude.” View the full article
  25. Microsoft is warning WhatsApp users of a new malware campaign that tricks them into executing malicious Visual Basic Script (VBS) files, ultimately enabling persistence and remote access. In a March 31 report, Microsoft Defender Experts said attackers have been distributing malicious Visual Basic Script (VBS) files through WhatsApp since at least late February, relying on social engineering to get them executed. Once launched, the scripts run a delayed malware execution, first initiating a multi-stage infection flow designed to blend into normal system activity while working in the background to pull additional payloads for remote control. “The campaign relies on a combination of social engineering and living-off-the-land (LOTL) techniques,” Microsoft researchers wrote in the report. “By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution.” The campaign ultimately installs malicious Microsoft Installer (MSI) packages to maintain control of the infected devices. Campaign deploys a LOTL infection chain The attack begins with a WhatsApp message carrying a VBS file. Once executed, the script creates hidden directories on the system and begins staging the next steps of the compromise. However, rather than dropping the custom malware immediately, the campaign moves to living-off-the-land techniques. The VBS payload deploys renamed versions of legitimate Windows utilities, such as curl.exe and bitsadmin.exe, disguised under misleading filenames to evade casual inspection. These binaries retain their original metadata, but their altered names allow them to blend into the environment while performing malicious tasks like downloading additional payloads. “Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file’s name does not match its embedded OriginalFileName,” the report added. The researchers noted that even payload retrieval happens from legitimate hosting sources. Attackers host components on well-known cloud platforms, including AWS, Tencent Cloud, and Blackblaze B2. Use of these trusted tools, trusted infrastructure, and staged execution was flagged as a reason for this being a low-noise, reliable attack path. MSI as the backdoor vehicle for persistence The final stages of the campaign lead to persistence, using Microsoft Installer (MSI) packages as the delivery mechanism for backdoors. MSI files are an effective choice as they are not usually treated as inherently suspicious and can execute custom actions during installation. In this campaign, they are used to deploy malware that maintains access, escalates privileges, and enables remote control of infected systems. By the time the MSI component is installed, the attackers have already established a foothold using scripts and system tools, making the backdoor just one layer in a broader persistence strategy found by Microsoft. The earlier stages ensure the environment is prepared, while the installer formalizes long-term access. Microsoft also noted that the campaign incorporates privilege escalation to strengthen persistence, enabling malware to run with elevated privileges and maintain access beyond the initial user-level compromise. Recommendations included monitoring scripts and installer execution, watching for misuse of legitimate tools, and tracking suspicious activity tied to files delivered through platforms like WhatsApp. View the full article

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.