hosang I.T.

CSOonline

Everything posted by CSOonline

  1. When Anthropic launched a “limited research preview” of its Claude Code Security offering on Friday, Wall Street investors sent the stocks of the largest cybersecurity vendors plunging. But did the Anthropic rollout warrant such a reaction? After all, those companies, including CrowdStrike, Zscaler, Palo Alto Networks and Okta, are preparing their own agentic capabilities, and even if they weren’t, the code-checking capabilities promised by Anthropic are not initially a replacement for their functionality.

     “Code security is a vital piece of a cybersecurity program and overall tech stack, but far from the only one,” Justin Greis, CEO of consulting firm Acceligence, pointed out. “There’s no doubt that improving code security and enhancing the Secure Software Development Lifecycle (SDLC) and Product Development Lifecycle (PDLC) will strengthen an organization’s security posture, but it will not eliminate the need for tools and services like EDR/MDR, IAM, threat intel, and data protection.” He added, “However, this is a clear signal that the AI companies are going to continue to expand their use cases and analyze more and more data, code, and bring real insight and action to security organizations. The pace of their innovation is staggering and unprecedented.”

     Keeps a human in the loop

     However, Greis offered a warning to CISOs: “For those who blindly rely on any code scanning tool, AI or otherwise, to replace the fundamentals of good security practices and secure coding, this is your red blinking light to not outsource the very expertise that protects the value proposition of the product or service you’re developing. We must keep qualified humans in the loop and ensure we use AI as an accelerator, not a replacement for expertise,” he said.

     Anthropic’s announcement stated that “Claude Code Security, a new capability built into Claude Code on the web” will “[scan] codebases for security vulnerabilities and suggest targeted software patches for human review, allowing teams to find and fix security issues that traditional methods often miss.” The rollout is limited, at least initially, Anthropic said: “We’re releasing it as a limited research preview to Enterprise and Team customers, with expedited access for maintainers of open-source repositories.” The company did not respond to a request for an interview.

     Anticipating concerns that the code checker will take over security functions rather than augment them, Anthropic stressed that it wants to keep humans in the loop. “Rather than scanning for known patterns, Claude Code Security reads and reasons about your code the way a human security researcher would: understanding how components interact, tracing how data moves through your application, and catching complex vulnerabilities that rule-based tools miss,” the announcement said. “Every finding goes through a multi-stage verification process before it reaches an analyst. Claude re-examines each result, attempting to prove or disprove its own findings and filter out false positives.” It noted that validated findings appear in the Claude Code Security dashboard, where teams can review them, inspect the suggested patches, and approve fixes. But, it said, “because these issues often involve nuances that are difficult to assess from source code alone, Claude also provides a confidence rating for each finding. Nothing is applied without human approval: Claude Code Security identifies problems and suggests solutions, but developers always make the call.”

     Anchors security posture to the model

     However, those assurances didn’t make all concerns evaporate. “The moment those vibe coders plug a foundation model into their CI pipeline, their entire security posture is no longer anchored only to the company’s code,” I-Gentic AI CEO Zahra Timsah pointed out. “It is anchored to the current behavior of that model. Anthropic can update weights, adjust reasoning heuristics, refine safety layers, or change how semantic patterns are interpreted. None of that requires your approval. None of that triggers your internal change control. Your pipelines stay green. Your dashboards stay stable. But the engine defining what counts as a vulnerability has changed,” she said. “Anthropic is in full control. That means your secure codebase today could be evaluated under a different vulnerability boundary tomorrow without you touching a single line. This is outsourcing part of your security definition to an upstream probabilistic system you do not control.”

     Outsourcing dependence is nothing new

     But others have suggested that this kind of security outsourcing has been happening gradually for years, starting with cloud operations and SaaS, then moving to cybersecurity firms that took increasing control of enterprise cyber operations, and finally to genAI and agentic vendors. Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, applauded the fact that Anthropic is at least giving lip service to humans overseeing the process, but, he noted, “this doesn’t mean that people will not cut corners in some cases and add yet another LLM with non-deterministic behavior to the existing problem of code generation by an LLM with non-deterministic behavior too.”

     An ever-present concern about both agentic and generative AI systems is their tendency to hallucinate, in addition to other reliability challenges. But several cybersecurity specialists said that is nothing new, in that large security systems have always had their fair share of false positives and false negatives.

     Cybersecurity consultant Brian Levine, executive director of FormerGov, said the Wall Street reaction to Anthropic’s announcement could signal that investors “are recalibrating around the idea that AI‑native security might compress or even reorder parts of the stack. Whether that’s justified or just reflexive fear of disruption, it suggests that people now believe a foundation model could meaningfully compete with, or be more helpful than, traditional detection and analysis engines.”

     A different category of analysis

     If Anthropic can continue to deliver, it could mean an even more fundamental shift, he noted. “If a model can reason across sprawling codebases, correlate patterns that static tools miss, and do it continuously, that’s not incremental improvement, it may be a whole different category of analysis. It suggests a world where vulnerability discovery becomes less about signature libraries and more about adaptive interpretation,” Levine said. But he, like Timsah, is concerned about changes in the model affecting an organization’s security posture. “That’s the tradeoff,” he said. “Unprecedented analytical power paired with a new kind of dependency that security leaders will have to evaluate with clear heads.”

     A single point of trust and a single point of failure

     Joshua Woodruff, CEO of MassiveScale.AI, said he found the Anthropic move problematic, but not for what it might do to other security companies. He is mostly worried about the benefits to cyber attackers. “If Anthropic’s model found 500+ unknown high-severity vulns in open source projects, that means any attacker running a similar model can find those same vulns right now. Only no one’s reporting them. They’re exploiting them,” Woodruff said. “Vulnerability discovery just went asymmetric. Defenders get a tool that suggests patches for human review. Attackers get a tool that finds zero-days at machine speed with no review step.”

     There’s another issue, he added: “If an AI agent finds the bug and suggests the fix, who’s checking the patch? You’re trusting the same model to be both auditor and repair crew. No security team would ever let the same person find the vulnerability and write the fix without some sort of independent review. But that’s exactly what happens if teams treat human review as a rubber stamp. The fix becomes the new attack surface.”

     Ravid Circus, CPO at Seemplicity, agreed with Woodruff that the potential circular use of AI to both find the holes and fix them is a concern. “When the same AI writes the code, finds the vulnerabilities, and proposes the fix, you’ve created a single point of trust and a single point of failure. Compromise that and you don’t just introduce bugs, you potentially manufacture backdoors at scale,” Circus said. “I worry we’re about to see ‘We use Claude Security’ become the new checkbox, like SOC 2 badges or Zero Trust branding. The real question isn’t which AI you use. It’s whether your organization has the operational maturity to validate and govern what it tells you. ‘Claude said we’re secure’ cannot become a security posture.”

     To be sure, Anthropic has had its own issues with cybersecurity recently, but few disagreed that what it has been delivering for code examination is impressive. The question is whether it will ultimately deliver better pricing, scalability, and reliability than existing partners, and how soon that could happen. In fact, another cyber executive, Gadi Evron, CEO of Knostic, argues that because the speed of innovation is moving far faster than most in the industry have ever seen, some organizations may not be re-evaluating AI offerings often enough. “It is moving so fast. People who tried [Anthropic’s offering] two months ago don’t understand how well it works now,” Evron said.

     And, said Rock Lambros, director of AI security at Zenity, “as long as genAI remains non-deterministic, secure-at-generation will always have gaps and you’ll always need post-generation validation for something that can’t guarantee the same output twice. The real problem is that nobody is staffed, funded, or even scoped to govern the autonomous systems that are already deployed.”

     View the full article
  2. OT security as a strategic success factor

     Increasing digitalisation and networking in industrial production have made OT security (operational technology security) a core concern for companies. Production data, SCADA systems (supervisory control and data acquisition) and networked machines are essential in many industries, and extremely vulnerable to cyberattacks. An incident can lead not only to production downtime and reputational damage but also to life-threatening situations, for example in critical infrastructure (KRITIS). At the same time, budget and cost pressures are rising: trade tariffs, looming short-time work and economic uncertainty make large investments in expensive OT security solutions hard to justify. The question of cost-efficient alternatives is therefore moving to the fore.

     Top-tier OT security thanks to open-source alternatives

     Commercial OT security solutions such as those from Nozomi Networks, Darktrace, Forescout or Microsoft Defender for IoT promise a broad range of functions, but frequently come with licence costs in the mid to high six-figure euro range per year. Especially in economically strained times, an investment of that size is hard to justify internally. Open-source tools, by contrast, offer several decisive advantages:

     Lower cost: no licence fees, only investment in hardware and implementation.
     Flexibility and adaptability: the source code is freely available and can be adapted to specific requirements in the OT environment.
     Active community: continuous development and fast reaction to new kinds of threats.

     However, open-source solutions generally require a well-staffed IT/OT security team that implements, configures and operates these tools correctly. Support is also mostly “community-driven” or delivered by specialised service providers. Nevertheless, practice shows that with professional planning a security level can be reached that in many respects keeps pace with the expensive vendors.

     Recommended open-source tool combinations for maximum coverage

     To cover as large a share of the required security functions as possible, a combination of several open-source tools is recommended. They can be extended modularly, which allows better adaptation to the OT landscape in question. Some examples:

     Asset management & network visibility

     1. Malcolm (incl. Zeek)
        Focus: real-time network analysis and specialised OT protocol support
        Advantages: deep packet inspection and comprehensive protocol analysis (including Modbus and DNP3); continuous asset discovery through passive monitoring; designed specifically for ICS/SCADA environments
        Complement: GRASSMARLIN for network visualisation; it renders topologies of industrial environments graphically and helps identify unknown network paths and segmentation problems

     2. Netbox
        Focus: IP address management and extensive OT asset documentation
        Advantages: central inventory and “single source of truth” for network infrastructure; easy integration into CMDB processes; essential basis for further security measures such as segmentation and network access controls

     Network monitoring & anomaly detection

     1. Security Onion (Suricata + Zeek)
        Focus: real-time threat detection, network forensics
        Advantages: IDS/IPS functionality (Suricata or Snort) and protocol analysis (Zeek) in one comprehensive package; integrated dashboards (for example Kibana) for alerting and analysis; easily scalable from small test setups to large production sites

     2. ELK Stack (Elasticsearch, Logstash, Kibana)
        Focus: central logging and visualisation platform
        Advantages: powerful search and analysis of log data; long-term analysis and correlation of events from different sources; flexible dashboards for security staff

     Vulnerability management & endpoint security

     1. Wazuh
        Focus: XDR (Extended Detection and Response), compliance and vulnerability management
        Advantages: central monitoring of endpoints (HMIs, SCADA servers, operator stations etc.); file integrity monitoring and active detection of security incidents; compliance support (for example TISAX, ITAR, PCI-DSS)

     2. OpenVAS (Greenbone Vulnerability Manager)
        Focus: active vulnerability scans to identify potential gaps
        Advantages: regularly updated database of known vulnerabilities; complements passive monitoring with active scanning; covers a broad spectrum of systems
        Caveat: active scans must be planned with operations in OT networks, since fragile PLCs and legacy controllers can fault or crash under unexpected probes; agree scan windows and target lists in advance.

     Incident response & security operations

     1. TheHive & Cortex
        Focus: incident management, case handling, workflow automation
        Advantages: fast, structured handling of security incidents; integration of predefined or custom IR playbooks; analysis modules (Cortex) allow automated lookups of IoCs or threat feeds

     2. OpenCTI
        Focus: threat intelligence management, integration of external feeds
        Advantages: central collection, correlation and analysis of threat information; support for proactive defensive measures; an ideal complement to security data from Security Onion, Wazuh and the like

     Further additions for a comprehensive OT security concept

     ICS-specific honeypots (for example Conpot): act as an “early warning system” and give insight into attack strategies before the real production systems are affected.
     OT-specific machine learning projects: anyone wanting more AI functionality can turn to PyTorch, TensorFlow or specialised research projects. This usually requires substantial data science expertise, however.
     Rule and signature packs: to tune Suricata/Zeek even better to industrial protocols, ICS-specific rules (for example via Emerging Threats or dedicated industrial control system signature sets) can be integrated.

     Opportunities and limits of open source

     With the open-source tools presented here, a breadth of functionality can be realised that comes surprisingly close to commercial solutions. The strengths lie in cost efficiency, flexibility and community support. At the same time, keep in mind:

     No automatic “plug & play”: unlike with commercial solutions, time must be invested in installation, configuration and fine-tuning.
     Machine learning functionality is available (above all with Suricata, Zeek and complementary ML frameworks), but usually requires more expertise than the out-of-the-box solutions of high-priced vendors.
     Support & maintenance: instead of dedicated vendor support, one usually relies on a combination of community forums, documentation and, where needed, individual service providers.

     Nevertheless, practice demonstrates that with a competent OT security team or external consultants, open-source solutions can be deployed successfully at scale too. (jm)

     View the full article
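The passive-monitoring and rule-pack points above stop short of showing what a concrete OT detection looks like. The following is an added example, not code from the article or from the Zeek, Malcolm or Security Onion projects: it reads Zeek's modbus.log (the tab-separated file Zeek's Modbus analyzer writes, whose column order is declared by its own `#fields` header) and flags write function codes issued by hosts that are not on an allow-list of engineering workstations, plus hosts that trigger Modbus exception responses, a common sign of probing. The log excerpt, the allow-listed networks and the PLC addresses are constructed for the example; the function names are the ones Zeek uses in the `func` column.

```python
# Added example: baseline check over a Zeek modbus.log excerpt.
# Not part of the article or of Zeek/Malcolm; sample data is constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Modbus function codes that change PLC state, as Zeek names them in "func".
MODBUS_WRITE_FUNCS = {
    "WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
    "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS",
    "WRITE_FILE_RECORD", "MASK_WRITE_REGISTER",
    "READ_WRITE_MULTIPLE_REGISTERS",
}

# Constructed allow-list: the engineering VLAN and one HMI may write to PLCs.
ALLOWED_WRITERS = [
    ipaddress.ip_network("10.10.20.0/24"),  # engineering workstations (assumed)
    ipaddress.ip_network("10.10.30.5/32"),  # HMI (assumed)
]

# Constructed modbus.log excerpt in Zeek's TSV layout ("-" marks unset fields).
SAMPLE_MODBUS_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1700000000.100000\tCabc1\t10.10.20.7\t50123\t10.10.40.11\t502\tREAD_HOLDING_REGISTERS\t-
1700000000.200000\tCabc2\t10.10.20.7\t50124\t10.10.40.11\t502\tWRITE_SINGLE_REGISTER\t-
1700000001.300000\tCabc3\t10.10.30.5\t50125\t10.10.40.12\t502\tWRITE_MULTIPLE_COILS\t-
1700000002.400000\tCabc4\t10.10.50.99\t40001\t10.10.40.11\t502\tWRITE_MULTIPLE_REGISTERS\t-
1700000002.500000\tCabc5\t10.10.50.99\t40002\t10.10.40.11\t502\tWRITE_SINGLE_COIL\tILLEGAL_DATA_ADDRESS
1700000003.600000\tCabc6\t10.10.50.99\t40003\t10.10.40.12\t502\tREAD_COILS\t-
"""


@dataclass(frozen=True)
class ModbusEvent:
    ts: float
    uid: str
    orig_h: str
    resp_h: str
    func: str
    exception: str


def parse_modbus_log(text: str) -> list[ModbusEvent]:
    """Parse Zeek modbus.log; the #fields header defines the column order."""
    fields: list[str] | None = None
    events: list[ModbusEvent] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("modbus.log has no #fields header before data")
        row = dict(zip(fields, line.split("\t")))
        events.append(ModbusEvent(
            ts=float(row["ts"]), uid=row["uid"],
            orig_h=row["id.orig_h"], resp_h=row["id.resp_h"],
            func=row["func"], exception=row["exception"],
        ))
    return events


def is_allowed_writer(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ALLOWED_WRITERS)


def find_unauthorized_writes(events: list[ModbusEvent]) -> list[tuple[str, str, str, str]]:
    """(source, target, func, uid) for each write from a host outside the allow-list."""
    return [(e.orig_h, e.resp_h, e.func, e.uid)
            for e in events
            if e.func in MODBUS_WRITE_FUNCS and not is_allowed_writer(e.orig_h)]


def exception_counts(events: list[ModbusEvent]) -> dict[str, int]:
    """Exception responses per source host; repeated exceptions suggest probing."""
    counts: dict[str, int] = {}
    for e in events:
        if e.exception != "-":
            counts[e.orig_h] = counts.get(e.orig_h, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_modbus_log(SAMPLE_MODBUS_LOG)
    for src, dst, func, uid in find_unauthorized_writes(evs):
        print(f"ALERT unauthorized Modbus write {func} {src} -> {dst} (uid {uid})")
    print("exception responses by source:", exception_counts(evs))
```

In a Malcolm or Security Onion deployment the same logic would run against the live modbus.log rather than an embedded string; the point is that writes from outside the engineering VLAN and exception responses from unexpected sources are the two cheapest high-signal alerts to start with, before any machine learning is involved.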
  3. A Russian-speaking threat actor is using commercial generative AI services to compromise hundreds of Fortinet FortiGate firewalls, warns Amazon Threat Intelligence. Once on the network, the hackers compromised Active Directory at hundreds of organizations, extracted complete credential databases, and targeted backup infrastructure, a potential precursor to ransomware deployment, the report adds.

     The report, by CJ Moses, CISO of Amazon Integrated Security, is another signal that commercial AI services are lowering the technical barrier to entry for offensive cyber capabilities. A single actor, or a very small group, generated its entire toolkit through AI-assisted development, Amazon says.

     But the report is also a reminder to CSOs and IT leaders of all organizations of something they have known for decades: failure to implement cybersecurity basics will inevitably lead to a breach of security controls. The FortiGate firewalls compromised in this campaign were not exploited through product flaws but through management ports exposed to the internet and weak credentials protected only by single-factor authentication. A primary tool was a list of commonly reused credentials tried against many devices, a form of brute-force attack. These were “fundamental security gaps” that allowed AI to help an unsophisticated actor exploit at scale, the Amazon report says. “When this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting,” says the report. “Strong defensive fundamentals remain the most effective countermeasure” for similar attacks, Amazon stresses. This includes patch management for perimeter devices, credential hygiene, network segmentation, and robust detection of post-exploitation indicators.

     Jeff Pollard, a principal analyst at Forrester Research who leads research into the role of the CSO, noted that, unlike many other recent attacks on Fortinet, this campaign has to do with the configuration of the devices, not software vulnerabilities in the platform itself. “It’s a case of needing to follow the basics and, if anything, makes those basics more important,” he said. “What’s more interesting than the attack itself is the evidence that attackers used AI platforms to scale the attack to make it as far reaching as they did.”

     AI amplifies impact

     “AI will do more than surface novel attacks,” he added. “It will also amplify the impact of all attacks, as this attack demonstrates. It lowers the barrier of entry to attackers and also ups the potential consequences of attacks at the same time. That’s not a combination IT, developers, or security practitioners needed, but alas, here we are.”

     The Amazon report comes on the heels of one from Palo Alto Networks that looked at 750 incidents and came to the same conclusion: what is really hurting organizations isn’t so much AI as their basic security failings, such as weak authentication, a lack of real-time visibility, and misconfigurations caused by a complex sprawl of security systems.

     Amazon Threat Intelligence found that the Russian-speaking threat actor compromised over 600 FortiGate devices across more than 55 countries between January 11 and February 18, all without exploiting any vulnerabilities. Instead it used unnamed commercial AI services, excluding AWS, to break into weakly protected FortiGate devices. AI simply helped scale the attack. “The threat actor in this campaign is not known to be associated with any advanced persistent threat group with state-sponsored resources,” the report says. “They are likely a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team.”

     The group also wasn’t careful about its own operational security (or perhaps, until now, didn’t need to be): it left operational files, including AI-generated attack plans, victim configurations, and source code for custom tooling, on the publicly accessible infrastructure that was hosting its attacks. “It’s like an AI-powered assembly line for cybercrime, helping less skilled workers produce at scale,” Amazon researchers said.

     After stealing admin credentials, firewall policies, network topology, routing information and IPsec VPN peer configurations, the threat actor used AI-assisted Python scripts to parse, decrypt, and organize the stolen configurations. Once it had VPN access to victim networks, Amazon says, the actor deployed a custom network reconnaissance tool, with versions written in both Go and Python. Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely restate function names, a simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs. While functional for the actor’s specific use case, the tooling lacks robustness and fails on edge cases, characteristics Amazon says are typical of AI-generated code used without significant refinement.

     Recommendations

     The Amazon report makes a number of recommendations to network admins with FortiGate devices. They include ensuring device management interfaces aren’t exposed to the internet or, if they must be, restricting access to known IP ranges and using a bastion host or out-of-band management network. As basic cybersecurity demands, all default and common credentials for FortiGate appliances should be changed. Admins should ensure multifactor authentication is in place for all admin and VPN access, and make sure there is no password reuse between FortiGate VPN credentials and Active Directory domain accounts.

     To reduce the chance of their systems being exploited, IT admins in firms using AWS are advised to enable Amazon GuardDuty for threat detection, monitoring for unusual API calls and credential usage patterns, use Amazon Inspector to automatically scan for software vulnerabilities and unintended network exposure, and use AWS Security Hub to maintain continuous visibility into their security posture.

     Fernando Montenegro, cybersecurity practice lead at Futurum, said organizations are still coming to terms with the acceleration and augmentation that AI can bring to adversaries. In this case, he said, the threat researchers highlighted how adversaries likely leveraged AI capabilities to create crude but effective tools to support their campaign. This is the same kind of capability that allows a non-malicious user to ‘vibe code’ something for a narrow use case, but instead of a benign app, it’s a malicious tool.

     Raises the bar for security

     Organizations always deal with constraints that are not visible to outside observers, so ‘implementing security basics’ may, in many cases, not be a simple endeavor, he added. Most security teams deal with numerous competing priorities and limited budgets, and must constantly balance a mixture of new-initiative and steady-state operational activities. “What this incident, and others, are making abundantly clear is that the augmentation of attackers through AI is constantly and quickly raising the bar in what is considered acceptable security practices moving forward,” he also said. “This will require organizations to spend more cycles making sure that these weaker security practices be quickly removed from their environment, lest they fall prey to nimble(r) attackers.”

     In a LinkedIn blog, Amazon CISO Moses noted that organizations with strong credential hygiene, MFA, and proper network segmentation successfully blocked these attacks. “And while AI is lowering the barrier to entry for attackers,” he added, “it’s an equally powerful tool for defenders, helping security teams detect threats faster, automate response at scale, and stay ahead of evolving tactics. As attack volumes grow from both skilled and unskilled adversaries, the same defensive basics that protected against this campaign will remain your most effective countermeasure.”

     In response to questions from CSO, he added that the Russian group’s success “fundamentally demonstrates that threat actors often choose the path of least resistance. When basic security controls like multi-factor authentication, proper network segmentation, and credential management aren’t in place, even unsophisticated actors can achieve strategic objectives at scale. The AI simply amplified their efficiency.” Asked why IT leaders are still unable to implement cybersecurity basics, he said, “The challenge isn’t knowledge, it’s operating in resource-constrained environments where technical debt and competing business priorities create systematic gaps in foundational security. Legacy systems, budget constraints, and rapid digital transformation often force difficult trade-offs, but threat actors are now leveraging AI to exploit these exact vulnerabilities at machine speed. The path forward requires making security fundamentals so embedded that they become operationally resilient, even under resource pressure.”

     View the full article
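The recommendations in the article (keep management interfaces off the internet, restrict admin access to known IP ranges, require MFA for admins) are all visible in a FortiGate's configuration backup, which is also exactly the artefact the attackers in this campaign were parsing with their own AI-assisted Python. The following is an added example, not code from the Amazon report or from Fortinet: it parses a FortiOS-style backup (`config ... / edit ... / set ... / next / end`) and flags management protocols enabled on a WAN-role interface, admin accounts with no `trusthost` restriction, and admin accounts without two-factor authentication. The sample configuration, account names and addresses are constructed; the setting names (`allowaccess`, `role`, `trusthost1`, `two-factor`, `admin-lockout-threshold`) are FortiOS's own but should be checked against the CLI reference for your firmware version.

```python
# Added example: audit a FortiOS configuration backup for the gaps the
# campaign relied on. Not from the Amazon report or Fortinet; the config
# text below is constructed (one weak admin, one hardened admin).
from __future__ import annotations

import shlex
import textwrap

SAMPLE_FORTIOS_CONFIG = textwrap.dedent("""\
    config system global
        set admin-lockout-threshold 3
        set admin-lockout-duration 60
    end
    config system interface
        edit "wan1"
            set ip 203.0.113.10 255.255.255.0
            set allowaccess ping https ssh
            set role wan
        next
        edit "port1"
            set ip 10.0.0.1 255.255.255.0
            set allowaccess ping https ssh
            set role lan
        next
    end
    config system admin
        edit "admin"
            set accprofile "super_admin"
            set password ENC example
        next
        edit "ops-admin"
            set accprofile "super_admin"
            set trusthost1 10.0.0.0 255.255.255.0
            set two-factor fortitoken
            set fortitoken "FTKMOB0000000000"
        next
    end
    """)

# allowaccess values that expose a management login, not just ping/snmp.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

ConfigTree = dict[str, dict[str, dict[str, list[str]]]]


def parse_fortios(text: str) -> ConfigTree:
    """Parse top-level sections into {section: {entry: {setting: values}}}.

    Sections without 'edit' blocks (e.g. 'system global') get the entry ''.
    Sub-tables nested inside an entry ('config ipv6' ... 'end') are skipped,
    since none of the checks below need them.
    """
    tree: ConfigTree = {}
    section: str | None = None
    entry: str | None = None
    nested = 0
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if nested:  # inside a nested sub-table we do not audit
            if verb == "config":
                nested += 1
            elif verb == "end":
                nested -= 1
            continue
        if verb == "config":
            if section is None:
                section = " ".join(args)
                tree.setdefault(section, {})
                entry = ""
            else:
                nested = 1
        elif verb == "edit" and section is not None:
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif verb == "set" and section is not None and entry is not None:
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            entry = ""
        elif verb == "end":
            section, entry = None, None
    return tree


def audit(tree: ConfigTree) -> list[str]:
    """Return one finding per weak setting relevant to this campaign."""
    findings: list[str] = []
    for name, s in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        if name and s.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: management access "
                            f"({', '.join(sorted(exposed))}) on a WAN-role interface")
    for name, s in tree.get("system admin", {}).items():
        if not name:
            continue
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name}: no trusthost restriction, login allowed from any source")
        two_factor = s.get("two-factor", ["disable"])
        if not two_factor or two_factor[0] == "disable":
            findings.append(f"admin {name}: two-factor authentication not enabled")
    if "admin-lockout-threshold" not in tree.get("system global", {}).get("", {}):
        findings.append("system global: admin-lockout-threshold left at default")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_FORTIOS_CONFIG)):
        print("FINDING:", finding)
```

Run it over the output of `show full-configuration` or a saved backup. The `ops-admin` entry shows the hardened shape (a `trusthost` network plus FortiToken two-factor); note that `trusthost` is per account, so a single super_admin account without one reopens the door regardless of how the others are configured.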
  4. The RTL Group has apparently fallen victim to a cyberattack. As Cybernews reports, a cybercriminal going by the name LuneBF is boasting of stolen data on more than 27,000 employees of the media group. In his dark-web post the attacker claims to have gained access to the RTL Group’s intranet website. As proof of the attack he provides a sample of 100 records, said to concern employees of the RTL Group and its subsidiaries such as Fremantle and M6. The leaked information reportedly includes full names, e-mail addresses, work postal addresses, and private and business telephone numbers.

     No customer data affected

     The media group confirmed the incident to Cybernews. “Based on our current knowledge it is unlikely that customer data is affected,” a spokesperson said. The investigation has not yet concluded, however. No further details about the attack are available so far.

     Warning about the consequences of the attack

     Security experts now warn that the leak could have serious consequences for the journalists employed there. The stolen contact data could be used, for example, for targeted phishing or social-engineering attacks. Worse still, investigative journalists working on sensitive topics could be targeted by state or criminal actors. A successful attack on their devices could expose sources, endanger unpublished material and obstruct ongoing investigations.

     View the full article
  5. A newly uncovered infostealer, suspected to have been built with the help of a large language model, is targeting victims with Python and C++ variants, each tailored to a different stage of data theft. Kaspersky researchers discovered a stealer dubbed “Arkanix,” which is capable of harvesting credentials, browser data, cryptocurrency, and banking assets from infected machines. “It collects a vast amount of information, including highly sensitive personal data,” Kaspersky researchers said in a Securelist blog post. “While being quite functional, it contains probable traces of LLM-assisted development, which suggests that such assistance might have drastically reduced development time and costs.”

     Arkanix operates on a malware-as-a-service (MaaS) model, allowing malicious actors to buy access to the malware as well as a control panel with configurable payloads and statistics. Turning to AI assistance, the researchers noted, signals that the attackers are after a one-shot campaign for quick financial gains rather than a long-running infection.

     A heavily marketed dual-language malware

     One of the key aspects of Arkanix is its dual-language design: subscribers get both a Python and a C++ build. The Python implementation is easier to modify and iterate on quickly, while the C++ build is focused on performance, stealth, and stronger resistance to analysis. The initial infection vector could not be observed directly, but the researchers assess with high confidence that it is phishing. After that, the Python loader is fetched from an actor-controlled endpoint, yielding a configurable implant whose default configuration is predefined within the script file. Subscribers can modify the feature list in the control panel, and the stealer can update its features dynamically by making GET requests to Arkanix’s command and control (C2). The native (C++) version of the stealer also uses a designated domain as C2, although some observed test samples used a Discord bot instead. Additionally, it includes extensive logging for debugging and implements anti-analysis countermeasures such as checking that it isn’t running inside a sandbox or under a debugger.

     The disclosure noted heavy promotion of the stealer in underground spaces, with extensive marketing materials, feature lists, and supporting infrastructure. While not unusual for MaaS offerings, such overt marketing aligns with the researchers’ reading of the campaign as a one-off operation for a quick turnaround. But some parts of the analysis suggest otherwise.

     The stealer employs a broad data-theft toolkit

     The researchers noted that the Python implementation acts as a wide-net data harvester. It collects system information, extracts browser-stored data, and pulls details from communication platforms, including Telegram and Discord. Additional modules target VPN configurations, retrieve selected files from the host, and can deliver other payloads, suggesting the Python build is designed to gather a comprehensive snapshot of a victim machine while enabling flexible follow-up actions.

     By contrast, the C++ variant concentrates on assets that enable persistence, lateral movement, or monetization beyond simple credential theft. The researchers found capabilities related to remote desktop protocol (RDP) connections, collection of gaming-related files, and screen capture. It also includes a post-exploitation browser data extractor, “ChromElevator.” So while the Python version fits the researchers’ theory of a grab-and-run approach, the C++ version hints at plans for persistence. The disclosure added a list of indicators of compromise (IOCs), including file hashes, IPs, and domains, to support detection efforts.

     View the full article
  6. Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) to gain unauthenticated control of enterprise mobile device management infrastructure and install backdoors engineered to persist even after organizations apply available patches. “Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks,” Palo Alto Networks’ Unit 42 threat research team said in an advisory. “These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials.” EPMM, formerly known as MobileIron Core, is a mobile device management platform that enterprises use to manage and enforce security policies on employee smartphones and tablets. Palo Alto Networks’ attack surface management platform Cortex Xpanse found more than 4,400 EPMM instances currently exposed on the public internet. Compromise of the platform gives attackers access to device policies, credentials, and metadata across an organization’s entire mobile fleet, Unit 42 warned in the advisory. Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated attackers to execute arbitrary commands on exposed EPMM servers without any user interaction or valid credentials. Ivanti acknowledged the attacks when it released emergency patches in late January, but described the initial impact as limited. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company said in its security advisory. Both vulnerabilities stem from unsafe Bash script handling in legacy Apache web server configurations, according to Unit 42. 
CVE-2026-1281 targets the In-House Application Distribution feature; CVE-2026-1340 exploits the same flaw class through a separate script handling the Android File Transfer mechanism. “Although the root cause is the same, they reside in two distinct scripts handling different features,” the advisory explained.

From scan to backdoor

Unit 42 documented threat actors moving rapidly from automated scanning to initial access and then escalating quickly to deploy persistent backdoors designed to outlast patching cycles. After gaining initial access, attackers immediately attempted to download and execute a second-stage payload. “This second stage typically installs a web shell, a cryptominer, or a persistent backdoor to grant the attacker control of the appliance,” the advisory said. Unit 42 also said attackers deployed the Nezha open-source monitoring agent to maintain visibility over compromised systems.

The attackers targeted sectors including state and local government, healthcare, manufacturing, professional services, and high technology across the United States, Germany, Australia, and Canada, the advisory added. Unit 42 also warned that proof-of-concept exploit code for both CVEs is already publicly available, making broader exploitation likely as more threat actors adopt working exploits.

Patch, but verify first

Unit 42 directed organizations to Ivanti’s security advisory for remediation guidance, which recommends applying version-specific RPM patches for EPMM 12.x branches that require no appliance downtime. Ivanti cautioned, however, that the patch does not survive a version upgrade and must be reinstalled if the software is updated.
“The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0 expected in Q1 2026.”

Ivanti also warned in its advisory that while its Sentry mobile traffic gateway is not directly vulnerable, EPMM holds command execution permissions on connected Sentry systems. “If an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well,” Ivanti warned.

For organizations that suspect compromise, the Ivanti advisory advised against attempting to clean affected systems. Instead, it recommended restoring from a known-good backup or performing a full rebuild, followed by a complete reset of all account passwords, service credentials, and public certificates. With proof-of-concept exploit code already publicly available for both CVEs, broader exploitation is expected as more threat actors adopt working exploits.

A familiar pattern

The targeting of EPMM follows a pattern that will be familiar to Ivanti customers. The product has been exploited at scale before — in 2023, state-sponsored attackers used EPMM zero-days to break into Norwegian government networks, and separate flaws were again exploited in the wild last year. Ivanti’s Connect Secure VPN product has had a similarly troubled record, with Chinese APT groups exploiting zero-days in back-to-back campaigns that eventually led the US government to order federal agencies to disconnect Ivanti VPN products entirely in February 2024.
7. Artificial intelligence is revolutionizing the technology industry, and this is equally true for the cybercrime ecosystem, as cybercriminals are increasingly leveraging generative AI to improve their tactics, techniques, and procedures and deliver faster, stronger, and sneakier attacks.

As with legitimate use of emerging AI tools, abuse of generative AI for nefarious ends thus far hasn’t been so much about the novel and unseen as it has been about productivity and efficiency, lowering the barrier to entry, and offloading automatable tasks in favor of higher-order thinking on the part of the humans involved.

“AI doesn’t necessarily result in new types of cybercrimes, and instead enables the means to accelerate or scale existing crimes we are familiar with, as well as introduce new threat vectors,” Dr. Peter Garraghan, CEO/CTO of AI security testing vendor Mindgard and a professor at the UK’s Lancaster University, tells CSO. “If a legitimate user can find utility in using AI to automate their tasks, capture complex patterns, lower the barrier of technical entry, reduced costs, and generate new content, why wouldn’t a criminal do the same?”

But the advent of agentic AI is beginning to change things, with AI tools no longer just assisting attackers but helping them automate operations. “The most significant shift over the past year has been AI’s evolution from a simple ‘helper’ toward becoming a fully autonomous, and quite literally an attacker’s partner-in-crime, capable of executing entire attack chains,” says Crystal Morin, senior cybersecurity strategist at cloud-native security and visibility vendor Sysdig.

Here is a look at various ways cybercriminals are putting gen AI to use in exploiting enterprise systems today.

Taking phishing to the next level

Gen AI enables the creation of highly convincing phishing emails, greatly increasing the likelihood of prospective marks giving over sensitive information to scam sites or downloading malware.
Instead of sending generic, unconvincing, and error-ridden emails, cybercriminals can leverage AI to quickly generate more sophisticated, personalized, and legitimate-looking emails to target specific recipients. Gen AI tools help enrich phishing campaigns by pulling together wide-ranging sources of data, including targeted information gleaned from social media. “AI can be used to quickly learn what types of emails are being rejected or opened, and in turn modify its approach to increase phishing success rate,” Mindgard’s Garraghan explains.

Facilitating malware development

AI can also be used to generate more sophisticated — or less labour-intensive — malware. For example, cybercriminals are using gen AI to create malicious HTML documents. The XWorm attack, initiated by HTML smuggling, which contains malicious code that downloads and runs the malware, bears the hallmarks of development via AI. “The loader’s detailed line-by-line description suggesting it was crafted using generative AI,” according to HP Wolf Security’s 2025 Threat Insights Report. In addition, the “design of the HTML webpage delivering XWorm is almost visually identical as the output from ChatGPT 4o after prompting the LLM to generate an HTML page that offers a file download,” HP Wolf Security added in its report.

Elsewhere, ransomware group FunkSec — an Algeria-linked ransomware-as-a-service (RaaS) operator that takes advantage of double-extortion tactics — has begun harnessing AI technologies, according to Check Point Research. “FunkSec operators appear to use AI-assisted malware development, which can enable even inexperienced actors to quickly produce and refine advanced tools,” Check Point researchers wrote in a blog post.

Accelerating vulnerability hunting and exploits

Analyzing systems for vulnerabilities and developing exploits can also be simplified through use of gen AI.
“Instead of a black hat hacker spending the time to probe and perform reconnaissance against a system perimeter, an AI agent can be tasked to do this automatically,” Mindgard’s Garraghan says.

Gen AI may be behind a 62% reduction in the time between a vulnerability being discovered and its exploitation by attackers, from 47 days to just 18 days, according to a study last year by threat intelligence firm ReliaQuest. “This sharp decrease strongly indicates that a major technological advancement — likely gen AI — is enabling threat actors to exploit vulnerabilities at unprecedented speeds,” ReliaQuest wrote. Adversaries are leveraging gen AI alongside pen-testing tools to write scripts for tasks such as network scanning, privilege escalation, and payload customization. AI is also likely being used by cybercriminals to analyze scan results and suggest optimal exploits, allowing them to identify flaws in victim systems faster. “These advances accelerate many phases in the kill chain, particularly initial access,” ReliaQuest concluded.

Cyber resilience firm Cybermindr used a different methodology to find that the average time to exploit a vulnerability had fallen to five days in 2025. “AI-driven reconnaissance, automated attack scripts, and underground exploit marketplaces have accelerated the weaponization of vulnerabilities,” it said. CSO’s Lucian Constantin offers a deeper look at how generative AI tools are transforming the cyber threat landscape by democratizing vulnerability hunting for pen-testers and attackers alike.

Launching AI-orchestrated espionage

Anthropic dropped a bombshell in September 2025 when it revealed that it had disrupted a sophisticated AI-orchestrated cyber espionage campaign. The attackers abused Claude Code to automate approximately 80% of their campaign activities, targeting around 30 major tech firms, financial institutions, and government agencies.
In a “small number of cases” attacks were successful, according to the AI company, noting that an unnamed “Chinese state-sponsored group” was likely behind the campaign, which relied on jailbreaking tools to make prohibited functions possible.

Last year Carnegie Mellon’s CyLab Security & Privacy Institute researchers, in collaboration with Anthropic, demonstrated that LLMs like GPT-4o can autonomously plan and execute sophisticated cyberattacks on enterprise-scale networks — without any human intervention. “The study reveals that an LLM, when structured with high-level planning capabilities and supported by specialized agent frameworks, can simulate network intrusions and closely mirror real-world breaches,” a CyLab spokesperson explained.

Escalating threats with alternative platforms

Cybercriminals have also begun developing their own large language models (LLMs) — such as WormGPT, FraudGPT, DarkBERT, and others — built without the guardrails that constrain criminals’ misuse of mainstream gen AI platforms. These platforms are commonly harnessed for applications such as phishing and malware generation. Moreover, mainstream LLMs can also be customized for targeted use. Security researcher Chris Kubecka shared with CSO in late 2024 how her custom version of ChatGPT, called Zero Day GPT, helped her identify more than 20 zero-days in a matter of months.

Stealing resources via LLMjacking

Threat actors are also busy stealing cloud credentials specifically to hijack costly LLM resources, either for their own gain or to sell access, in an attack technique called LLMjacking. “Beyond theft of service, attackers are now actively probing newer LLM models to identify those that lack the guardrails of more mature platforms, effectively using them as unrestricted sandboxes to generate malicious code or bypass regional sanctions,” Sysdig’s Morin reports.
Creating a Silk Road–style marketplace for AI agents

Beyond AI agents executing individual attacks, security experts are beginning to track examples where coordination itself is being automated or orchestrated. “We’re seeing early experiments where multiple specialized agents interact, some focused on reconnaissance, others on tooling, execution, or data movement, without any single agent needing the full picture,” says Lucie Cardiet, cyberthreat research manager at Vectra AI. A concrete example of this is Molt Road, which offers a dark-web-style marketplace for AI agents, albeit one with few listings at present. “Autonomous agents can create listings, sell access or capabilities, coordinate tasks, and complete transactions with minimal human involvement, effectively automating the economics of cybercrime,” Cardiet tells CSO. “We can expect attackers to actively leverage this model in the coming months, breaking the attack chain into specialized, cooperating agents to speed up and scale their attacks,” she says.

Breaking in with authentication bypass

Gen AI tools can also be abused to bypass security defences such as CAPTCHAs or biometric authentication. “AI can defeat CAPTCHA systems and analyse voice biometrics to compromise authentication,” according to cybersecurity vendor Dispersive. “This capability underscores the need for organizations to adopt more advanced, layered security measures.”

Leveraging deepfakes for social engineering

AI-generated deepfakes are being abused to exploit channels many employees more implicitly trust, such as voice and video, instead of relying on less convincing email-based attacks. The problem is becoming more severe with the wider availability of AI technologies capable of creating more convincing deepfakes, according to Alex Lisle, CTO of deepfake detection platform Reality Defender. “There was a recent case involving a cybersecurity company that relied on visual verification for credential resets,” Lisle says.
“Their process required a manager to join a Zoom call with IT to confirm an employee’s identity before a password reset.” Lisle explains: “Attackers are now leveraging deepfakes to impersonate those managers on live video calls to authorize these resets.”

In the most high-profile example to date, a finance worker at design and engineering company Arup was tricked into authorizing a fraudulent HK$200 million ($25.6 million) transaction after attending a videoconference call during which fraudsters used deepfake technology to impersonate its UK-based CFO.

Impersonating brands in malicious ad campaigns

Cybercriminals have begun using gen AI tools to deliver brand impersonation campaigns via ads and content platforms, rather than traditional phishing or malware. “Attackers now use gen AI to mass-produce realistic ad copy, creatives, and fake support pages, then distribute them across search ads, social ads, and AI-generated content, targeting high-intent queries like ‘brand login’ or ‘brand support,’” explains Shlomi Beer, co-founder and CEO at ImpersonAlly, a security startup that specializes in protecting the online advertising ecosystem. The tactic was used in an ongoing series of Google Ad account fraud to impersonate the Cursor AI coding assistant firm, and in a fake Shopify ecommerce platform customer support scam, among other attacks.

Abusing OpenClaw

Attackers have also begun targeting viral personal AI agents such as OpenClaw, an open-source AI agent framework. A combination of supply chain attacks on its skill marketplace and misconfigurations open the door to potential exploits and malware slinging, as CSO covered in much more depth in our earlier report. “Cybercriminals can exploit these virtual assistants to steal private keys to cryptocurrency wallets and execute code on victims’ devices,” says Edward Wu, CEO and founder at Dropzone AI.
“We can expect 2026 to be the year when security teams will try to prevent unsanctioned usage of personal AI agents.”

Poisoning model memories

To offer short-term and longer-term context, AI agents are starting to rely more on persistent memory, opening the door for exploits that involve planting malicious memories. If an attacker injects malicious or false information into an agent’s memory, that corrupted context then influences every future decision the agent makes. For example, security researcher Johann Rehberger showed how he could plant false memories in ChatGPT in September 2025. “He [Rehberger] used a malicious image with hidden instructions embedded in it to inject fabricated data into the model’s long-term memory,” said Siri Varma Vegiraju, security tech lead at Microsoft. “The scary part was that once the memory was poisoned, it persisted across sessions and continuously exfiltrated user data to a server the attacker controlled.”

Hacking AI infrastructure

Over the past year, attackers have shifted from using generative AI to targeting the infrastructure that enables it. This vector of attack is exemplified in the supply chain poisoning of Model Context Protocol (MCP) servers, where compromised dependencies or modified code introduced vulnerabilities into enterprise environments. For example, a counterfeit “Postmark MCP Server” discovered in early 2025 silently BCC’d all processed emails, including internal documents, invoices, and credentials, to an attacker-controlled domain. Many other malicious MCP servers have already been identified in the wild, many designed to exfiltrate information without detection, according to Casey Bleeker, CEO at SurePath AI.
“We’re tracking several categories of MCP-specific risk: tool poisoning attacks, where adversaries inject malicious instructions into AI tool descriptions that execute when the agent invokes them; supply chain compromises, where a trusted MCP server or dependency is updated post-approval to behave maliciously; and cross-tool data exfiltration, where compromised components in an agentic workflow silently siphon sensitive data through what looks like legitimate AI activity,” Bleeker explains.

Reality check

AI technologies are powerful, but they have their limitations, several experts tell CSO. Rik Ferguson, VP of security intelligence at Forescout, says cybercriminals are largely relying on AI to automate repetitive tasks rather than more complex work, such as vulnerability exploitation. “The most reliable criminal use [of AI] remains in language-heavy and workflow-heavy tasks such as phishing and pretexting, influence and outreach, triaging and contextualizing vulnerabilities, and generating boilerplate components, rather than reliably discovering and exploiting brand-new vulnerabilities end-to-end,” Ferguson says.

Over the past twelve months, managed detection and response firm Huntress has tracked threat actors applying AI to generate and automate traditional tradecraft, from developing scripts to browser extensions and, in some cases, even phishing lures. “We have also seen such ‘vibe coded’ scripts fail to execute and meet their objectives on multiple occasions,” Anton Ovrutsky, principal tactical response analyst at Huntress, tells CSO. And while AI has certainly given threat actors a powerful tool, it has, at least to date, failed to spawn any new tactics or exploit classes, according to Ovrutsky. “A threat actor can indeed rapidly prototype a sophisticated credential theft script, yet the basic ‘laws of physics’ still exist; a threat actor must be in a position to execute such a script in the first place,” Ovrutsky says.
“We have yet to observe an exploit path that has been enabled through AI-use exclusively.”

Countermeasures

Collectively, the misuse of gen AI tools is making it easier for less skilled cybercriminals to earn a dishonest living. Defending against this attack vector challenges security professionals to harness the power of artificial intelligence more effectively than attackers do. “Criminal misuse of AI technologies is driving the necessity to test, detect, and respond to these threats, in which AI is also being leveraged to combat cybercriminal activity,” Mindgard’s Garraghan says.

In a blog post, Lawrence Pingree, VP of technical marketing at Dispersive, outlines preemptive cyber defenses that security professionals can take to win what he describes as an “AI ARMS (Automation, Reconnaissance, and Misinformation) race” between attackers and defenders. “Relying on traditional detection and response mechanisms is no longer sufficient,” Pingree warns. Alongside employee education and awareness programs, enterprises should be using AI to detect and neutralize generative AI-based threats in real time.

Forescout’s Ferguson says CISOs should treat enterprise AI like any other high-value SaaS platform. “Tighten identity and conditional access, minimize privileges, lock down keys, and monitor for anomalous AI/API usage and spend,” Ferguson advises.
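Ferguson’s advice to monitor anomalous AI/API usage and spend, together with the LLMjacking pattern described earlier (stolen cloud credentials driving costly LLM calls), can be turned into a per-credential baseline check. The following Python is an added example, not code from the article or from any vendor quoted in it; the CSV column names, the sample rows, the 5x spend threshold and the three-day minimum history are assumptions.

```python
"""Flag anomalous per-credential LLM API usage and spend.

Added example, not from the article or any vendor quoted in it. It assumes a
usage export with one row per API call (key_id, timestamp, model, region,
cost_usd); the column names, the sample rows and the thresholds are assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import median

# Constructed sample export (not real data). "key-app" is a normal application
# key; "key-ci" shows the pattern a hijacked key tends to produce: a new region,
# a model the owner never used, and spend far above its own history.
SAMPLE_USAGE_CSV = """key_id,timestamp,model,region,cost_usd
key-app,2026-02-01T09:00:00,model-small,us-east-1,4.10
key-app,2026-02-02T09:00:00,model-small,us-east-1,3.90
key-app,2026-02-03T09:00:00,model-small,us-east-1,4.30
key-app,2026-02-04T09:00:00,model-small,us-east-1,4.00
key-ci,2026-02-01T02:00:00,model-small,us-east-1,0.50
key-ci,2026-02-02T02:00:00,model-small,us-east-1,0.45
key-ci,2026-02-03T02:00:00,model-small,us-east-1,0.55
key-ci,2026-02-04T03:10:00,model-large,ap-southeast-2,6.00
key-ci,2026-02-04T03:15:00,model-large,ap-southeast-2,5.50
"""


def parse_usage(text):
    """Parse the CSV export into dicts with a date-only 'day' field."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "key_id": row["key_id"],
            "day": datetime.fromisoformat(row["timestamp"]).date(),
            "model": row["model"],
            "region": row["region"],
            "cost_usd": float(row["cost_usd"]),
        })
    return events


def detect_anomalies(events, spend_multiplier=5.0, min_baseline_days=3):
    """Compare each key's most recent day against that key's own history.

    Returns {key_id: [reason, ...]} for keys whose latest day shows a spend
    spike, a never-before-seen model, or a never-before-seen region.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key_id"]].append(e)

    findings = {}
    for key_id, evs in by_key.items():
        latest_day = max(e["day"] for e in evs)
        baseline = [e for e in evs if e["day"] != latest_day]
        current = [e for e in evs if e["day"] == latest_day]

        # Per-day spend over the history, excluding the day under review.
        daily_spend = defaultdict(float)
        for e in baseline:
            daily_spend[e["day"]] += e["cost_usd"]
        if len(daily_spend) < min_baseline_days:
            continue  # too little history to judge this key

        reasons = []
        base = median(daily_spend.values())
        cur = sum(e["cost_usd"] for e in current)
        if base > 0 and cur > spend_multiplier * base:
            reasons.append(f"spend {cur:.2f} USD is {cur / base:.1f}x the median daily baseline of {base:.2f} USD")

        new_models = {e["model"] for e in current} - {e["model"] for e in baseline}
        if new_models:
            reasons.append(f"first use of model(s) {sorted(new_models)}")

        new_regions = {e["region"] for e in current} - {e["region"] for e in baseline}
        if new_regions:
            reasons.append(f"first use from region(s) {sorted(new_regions)}")

        if reasons:
            findings[key_id] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in detect_anomalies(parse_usage(SAMPLE_USAGE_CSV)).items():
        print(f"{key}: " + "; ".join(reasons))
```

The check is deliberately per-key rather than global: a stolen CI key with a tiny normal spend is invisible against an organization-wide total, but stands out against its own median. In production the same logic would read the provider’s billing or audit export instead of the embedded sample.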
8. After breaking into a system, crooks often install legitimate remote admin tools to keep a foothold on the network — with the risk that the tool’s vendor spots them and locks them out. Now they have a new option: a fake remote monitoring and management (RMM) tool, complete with serious-looking online storefront, built just for them.

“TrustConnect,” the malware-as-a-service (MaaS) spotted by researchers at Proofpoint, has a website to promote it and all the support infrastructure necessary to manage compromised machines. A subscription to it is advertised at $300 per month. Proofpoint disrupted some of the malware’s infrastructure with help from intelligence partners, the company said in a blogpost, “But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.” The researchers noted links between the TrustConnect operation and activity involving the RedLine stealer, based on malware characteristics and their own intelligence.

Social engineering for initial access

Victims are tricked into installing TrustConnect under the pretense of legitimate remote support, Proofpoint said. Rather than exploiting vulnerabilities for silent deployment, the attackers depend on user interaction to execute the program. “Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes,” the researchers wrote. The MaaS offers its customers varying templates depending on intended brand abuse: “Beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.” The attackers have also created signed executables that impersonate installers for widely used software such as Zoom, Microsoft Teams, Adobe Reader, and Google Meet, with matching icons and metadata.
Victims are encouraged to download them by clicking on a link in an email, which then automatically registers infected systems in the operator’s control panel on the TrustConnect website, essentially making TrustConnect a remote access trojan (RAT). In one particular campaign leveraging a single compromised sender, lures included URLs leading to ScreenConnect installation from Jan. 31 to Feb. 1, and then on Feb. 3 to TrustConnect and LogMeIn Resolve installations.

Attackers use a dual-purpose website

The TrustConnect website has realistic marketing language, feature descriptions, and documentation that serve both as a public-facing front to promote the software and as a backend portal for customers who purchase access to the tool’s malicious services. “Cybercriminals are instructed to sign up for a ‘free trial,’ instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal,” the researchers said, adding that the customers are charged $300 per month for a web-based C2 dashboard with a list of devices that have the RAT installed. A subscription allows executing commands, transferring files, and connecting remotely to the infected devices. Additionally, the subscribers get a downloadable EXE file, which they are advised to upload to their own hosting for controlled targeting and better results.

The trustconnectsoftware[.]com domain was created on Jan. 12, 2026. “The malware creator (also) uses the domain as the ‘business website’ designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation,” Proofpoint researchers wrote. Proofpoint suspects the actor used large language models (LLMs) to create TrustConnect. It shared a list of indicator URLs to support detection efforts, warning that TrustConnect has potential to become a full-blown campaign, now with a more advanced variant, DocConnect.
9. The arrival of AI has massively shortened the time attackers need for cyberattacks, to the point that human defenders can no longer keep up. That is the perhaps unsurprising finding of Palo Alto Networks’ 2026 Global Incident Response Report. For the study, the Unit 42 research team analyzed 750 incidents in 50 countries. In the fastest of the attacks analyzed, the perpetrators went from initial access to data exfiltration within 72 minutes, compared with almost five hours in 2024. “This can increasingly be explained by AI’s ability to shorten the time needed for vulnerability discovery, phishing, and execution,” the research report states.

Basic security shortcomings facilitate cyberattacks

A closer look at the study’s results shows that the danger lies elsewhere: What really harms companies is not so much fast-moving attackers or AI, but fundamental shortcomings such as weak authentication, a lack of real-time visibility, and misconfigurations caused by a complex multitude of security systems. In theory, all of these problems are fixable. The authors of the analysis note: “Despite the speed and automation we are observing, most incidents begin with nothing radically new: They are gaps that keep reappearing. In many cases, attackers did not rely on a sophisticated exploit but on an overlooked weakness.”

Identity conflict and complexity

Another recurring theme is the struggle many companies have with identity and trust. The research team found that this played a role in 90 percent of the incidents examined.
The attackers’ tactics included social engineering (33 percent), identity-based phishing (22 percent), credential abuse and brute-force attacks (21 percent), and insider threats (eight percent). Among the 680,000 cloud users, roles, and services analyzed by Palo Alto Networks, 99 percent held excessive permissions. These included some that had not been used for 60 days or longer. As companies add ever more cloud, SaaS, and AI applications, the security specialists say, an identity attack surface emerges that expands faster than the underlying problems can be fixed. These identities increasingly involve machine identities (service accounts, automation roles, API keys, AI agents), shadow identities (unapproved accounts, developer environments, and third parties), and identity “silos” (on-premises AD plus multiple cloud identity providers). “Rarely does an attack remain confined to a single environment. Instead, we observe coordinated activity across endpoints, networks, cloud, SaaS, and identities, forcing defenders to monitor all of them simultaneously,” the analysts say.

Supply chains are another area at risk. In 23 percent of incidents, attackers were able to exploit third-party SaaS applications, bypassing conventional security controls in the process. “When an upstream provider reported a compromise or an outage, customers often had to pause and ask themselves a fundamental question: Are we affected? In many cases, they had only limited insight into their own exposure,” the study authors report.
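The identity findings above (excessive permissions, accounts unused for 60 days or more, and the spread of machine and shadow identities) translate into a check a defender can run over an identity inventory. The following Python is an added example, not code from the Unit 42 report or from Palo Alto Networks; the record layout, the wildcard-action heuristic for “excessive”, the principal names and the inventory rows are assumptions or constructed data, while the 60-day staleness cutoff is the one the report mentions.

```python
"""Triage over-permissioned and stale cloud identities.

Added example, not from the Unit 42 report or Palo Alto Networks. It assumes an
identity inventory already exported from the cloud provider into the simple
records below; the principal names, the wildcard-action heuristic and the
sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumed review date so the example is deterministic.
REVIEW_DATE = date(2026, 2, 10)


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                   # "user", "role", "service-account", "api-key", "agent"
    actions: Tuple[str, ...]    # allowed actions in "service:Action" form; "*" = everything
    last_used: Optional[date]   # None = never seen in activity logs


# Constructed inventory (not real data) mixing human, machine and AI-agent identities.
INVENTORY = [
    Principal("alice", "user", ("s3:GetObject", "s3:PutObject"), date(2026, 2, 9)),
    Principal("deploy-role", "role", ("*",), date(2025, 11, 1)),
    Principal("legacy-api-key", "api-key", ("ec2:*",), None),
    Principal("ml-agent", "agent", ("*",), date(2026, 2, 8)),
    Principal("old-contractor", "user", ("s3:GetObject",), date(2025, 12, 1)),
]


def is_overprivileged(p: Principal) -> bool:
    """Treat any wildcard action ('*' or 'service:*') as an excessive permission."""
    return any(a == "*" or a.endswith(":*") for a in p.actions)


def is_stale(p: Principal, today: date, stale_days: int = 60) -> bool:
    """Unused for stale_days or more, or never used at all."""
    return p.last_used is None or (today - p.last_used).days >= stale_days


def triage(inventory, today: date, stale_days: int = 60):
    """Bucket identities so the riskiest combination is reviewed first.

    A stale identity with wildcard permissions is the classic overlooked
    weakness: nobody is watching it, and it can do anything.
    """
    result = {"stale_and_overprivileged": [], "overprivileged": [], "stale": []}
    for p in inventory:
        over, stale = is_overprivileged(p), is_stale(p, today, stale_days)
        if over and stale:
            result["stale_and_overprivileged"].append(p.name)
        elif over:
            result["overprivileged"].append(p.name)
        elif stale:
            result["stale"].append(p.name)
    return result


if __name__ == "__main__":
    for bucket, names in triage(INVENTORY, today=REVIEW_DATE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

In practice the wildcard heuristic is a floor, not a definition of least privilege; the useful output is the first bucket, which is where a disable-or-rotate decision can be made without waiting on a full entitlement review.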
Paradigm shift

Unit 42’s answer to this endless cycle, in which attackers are always one step ahead of defenders, is a paradigm shift: Cybersecurity has become so specialized that the solution is to use a managed service developed from the ground up to counter real rather than abstract threats. Against this background, Palo Alto Networks has introduced a new SOC service: Unit 42 Managed Extended Security Intelligence and Automation Management (XSIAM) 2.0. With it, the company says, it has expanded its XSIAM 1.0 with full onboarding, threat hunting and response, and attack pattern modeling that are faster than in a conventional SOC.

But is that really convincing? CISOs have heard this message many times before: The old no longer works, so invest in something new. And there is always an old system or an old service that has to be replaced by a shiny new one. To make matters worse, the idea of ever more advanced SOCs may not be a cure-all. Some experts believe that SOCs themselves can ultimately face the same problems, such as skills shortages and budget constraints, as conventional IT departments. As Palo Alto Networks puts it: “Most SOCs are not designed for the speed of today’s attacks.” That means: Out with old tools such as traditional SIEMs and SOAR that merely generate alerts; the modern, AI-supported SOC should respond “at machine speed.” (jm)
  10. andrey_l – shutterstock.com Der Einzug von KI hat den benötigten Zeitaufwand für Cyberattacken massiv verkürzt, so dass menschliche Verteidiger nicht mehr mithalten können. So lautet das vielleicht wenig überraschende Ergebnis des 2026 Global Incident Response Report von Palo Alto Networks. Für die Studie hat das Unit-42-Forscherteam 750 Vorfälle in 50 Ländern analysiert. Bei den schnellsten der analysierten Angriffe gelangten die Täter innerhalb von 72 Minuten vom ersten Zugriff bis zur Datenexfiltration – verglichen mit fast fünf Stunden im Jahr 2024. „Dies lässt sich zunehmend durch die Fähigkeit der KI erklären, die benötigten Zeiträume für die Erkennung von Schwachstellen, Phishing und Ausführung zu verkürzen“, heißt es im Forschungsbericht. Grundlegende Sicherheitsmängel begünstigen Cyberangriffe Bei genauerer Betrachtung der Studienergebnisse lauert die Gefahr jedoch wo anders: Was Unternehmen wirklich schadet, sind nicht so sehr schnell agierende Angreifer oder die KI, sondern grundlegende Mängel wie schwache Authentifizierung, mangelnde Echtzeit-Transparenz und Fehlkonfigurationen aufgrund einer komplexen Vielzahl von Sicherheitssystemen. Theoretisch sind all diese Probleme behebbar. Die Autoren der Analyse stellen fest: „Trotz der Geschwindigkeit und Automatisierung, die wir beobachten, beginnen die meisten Vorfälle mit nichts radikal Neuem: Es sind Lücken, die immer wieder auftauchen. In vielen Fällen verließen sich die Angreifer nicht auf einen ausgeklügelten Exploit, sondern auf eine übersehene Schwachstelle.“ Identitätskonflikt und Komplexität Ein wiederkehrendes Thema ist zudem der Konflikt, den viele Unternehmen mit Identität und Trust haben. Das Forscherteam stellte fest, dass dies bei 90 Prozent der untersuchten Vorfälle eine Rolle spielte. 
Zu den Taktiken der Angreifer gehörten Social Engineering (33 Prozent), identitätsbasiertes Phishing (22 Prozent), Missbrauch von Anmeldedaten und Brute-Force-Angriffe (21 Prozent) sowie Insider-Bedrohungen (acht Prozent). Bei 99 Prozent der 680.000 von Palo Alto Networks analysierten Cloud-Benutzer, Rollen und Dienste verfügten zu viele Konten über übermäßige Berechtigungen. . Dazu zählten auch einige, die seit 60 Tagen oder länger nicht mehr genutzt wurden. Da Unternehmen immer mehr Cloud-, SaaS- und KI-Anwendungen hinzufügen, entsteht den Security-Spezialisten zufolge eine Angriffsfläche für Identitäten, die sich schneller ausweitet, als die zugrunde liegenden Probleme behoben werden können. . Diese Identitäten beziehen sich dabei zunehmend auf Maschinenidentitäten (Dienstkonten, Automatisierungsrollen, API-Schlüssel, KI-Agenten), Schattenidentitäten (nicht genehmigte Konten, Entwicklerumgebungen und Dritte) und Identitäts-„Silos“ (lokale AD plus mehrere Cloud-Identitätsanbieter). „Selten bleibt ein Angriff auf eine einzige Umgebung beschränkt. Stattdessen beobachten wir koordinierte Aktivitäten über Endpunkte, Netzwerke, Cloud, SaaS und Identitäten hinweg, sodass Verteidiger gezwungen sind, alle gleichzeitig zu überwachen“, so die Analysten. Lieferketten sind ein weiterer gefährdeter Bereich. In 23 Prozent der Vorfälle konnten Angreifer SaaS-Anwendungen von Drittanbietern ausnutzen und dabei herkömmliche Sicherheitskontrollen umgehen. „Wenn ein vorgelagerter Anbieter eine Kompromittierung oder einen Ausfall meldete, mussten Kunden oft innehalten und sich eine grundlegende Frage stellen: Sind wir betroffen? In vielen Fällen hatten sie nur begrenzte Einblicke in ihre eigene Gefährdung“, berichten die Studienautoren. 
Paradigm shift

Unit 42's answer to this endless cycle, in which attackers are always one step ahead of defenders, is a paradigm shift: cybersecurity has become so specialized that the solution is to use a managed service built from the ground up to counter real rather than abstract threats. Against this backdrop, Palo Alto Networks has introduced a new SOC service: Unit 42 Managed Extended Security Intelligence and Automation Management (XSIAM) 2.0. According to the company, this extends its XSIAM 1.0 with full onboarding, threat hunting and response, and attack pattern modeling, all of which are said to happen faster than in a conventional SOC. But is that really convincing? CISOs have heard this message many times: the old no longer works, so invest in something new. And there is always an old system or service that has to be replaced by a shiny new one. Complicating matters, the idea of ever more advanced SOCs may not be a cure-all. Some experts believe that SOCs themselves can ultimately face the same problems as conventional IT departments, such as skills shortages and budget constraints. As Palo Alto Networks puts it: "Most SOCs are not designed for the speed of today's attacks." That means: out with old tools such as traditional SIEMs and SOAR that merely generate alerts; the modern, AI-supported SOC should respond to them "at machine speed." (jm)
11. Staatliche Kunstsammlungen Dresden

Following the cyberattack on the Staatliche Kunstsammlungen Dresden this January, the Saxony State Criminal Police Office (LKA) has set up a special commission. It is also conducting the investigation under the direction of the Dresden Public Prosecutor General's Office, the investigating authority said. The Prosecutor General's Office gave no further details. On January 21, the Staatliche Kunstsammlungen Dresden (SKD) fell victim to a cyberattack. According to the information given at the time, large parts of the digital infrastructure, the online shop and visitor services were affected, but not the security system. When asked, the SKD said that its full attention is on the security of the collections, which is being ensured in close cooperation with the security company. No details of the security concept were given. "The safety of our visitors in the SKD's institutions and of the art treasures entrusted to us is fully safeguarded," it added. The Staatliche Kunstsammlungen Dresden is an association of 15 museums. These include the Gemäldegalerie Alte Meister in the Zwinger, the Galerie Neue Meister in the Albertinum and the Grünes Gewölbe in Dresden's Residenzschloss. (dpa/jm)
  12. When PayPal started emailing customers this month that it was backing off unencrypted SMS for multifactor authentication (MFA) at login, it came with the typical approach-avoidance asterisk. The financial services giant signaled that it was turning the page on the much-maligned authentication method while simultaneously offering no timeline and assuring customers SMS wouldn’t entirely go away — a curious strategy that could help smooth over customer loss. SMS has a long history of opposition from security executives, mostly pointing to how easily it can be sniffed and subject to man-in-the-middle attacks, among others. As a result, Google has backed off SMS, as has Microsoft, Cisco, and even the United Arab Emirates Central Bank. “SMS as an authentication factor is devil spawn and should be banned by an act of Congress,” says Gary Longsine, CEO at IllumineX, encapsulating the frustration of many security specialists. Still, SMS remains, largely due to convenience, given that many business executives fear any change to MFA processes will be viewed as friction that could lead to customer loss or reduced engagement. “They don’t want to lose users who won’t do anything other than SMS as a second factor,” says cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov. “Although app-based MFA is generally considered more secure than SMS-based MFA, not all users are willing to take the time to set up app-based MFA, so making it an absolute requirement tends to result in fewer conversions.” Garret Grajek, CEO of access certification firm YouAttest, has experienced this business unit pushback directly. 
“We designed a very strong authentication and the CISO loved it, but the security teams did not want to push back against user requests” for unencrypted SMS, he says, adding that a business unit executive argued that the security boost “is going to cost us money.” “I feel sorry for PayPal because they [are a victim of] the battles that go on in business units versus security. And security doesn’t always win,” he adds.

Muddled effort, mixed messages

Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, says he’s “always found it odd” that PayPal still supports SMS as its primary secondary authentication factor. “Everyone in financial services and government has abandoned it for not being sufficiently secure and are moving to even phishing-resistant authentication, such as passkeys, Yubikeys,” he explains. PayPal’s shift was announced via email sent to some customers earlier this month. “Starting March 2026, we’ll start removing SMS codes [for login MFA] but they’ll still be available as part of our standard security checks,” PayPal’s email said. PayPal’s reference to standard security checks refers to when its system, leveraging behavioral analytics, flags a customer interaction as potentially fraudulent based on factors such as transaction size or deviation from historic patterns. Still, Grajek finds PayPal’s decision to keep SMS in use for fraud checks to be odd. When the system flags a potential problem, he says, “you want to do a higher level [of authentication]. Why would you de-escalate [to a lower level of authentication]?” PayPal declined to comment on the record for this story, but a PayPal official did discuss elements of the company’s SMS decision under the condition of not being identified. PayPal’s customer email said the company would “start removing” SMS in March, but how long that process will take is unclear. Logistics is one factor, as these communications are going to a global customer base of roughly 439 million people and businesses.
“We will batch it out over a long time,” the PayPal official stated. PayPal will likely also assess customer reaction, giving itself flexibility by not committing to a firm end date. PayPal’s email suggested that customers switch their MFA method to an authenticator app or a onetime-password-issuing fob such as those compliant with FIDO2 security keys. Strangely, the email instructed security key users to “Put the device into your USB slot and you’re all set,” despite the fact that mobile devices communicate with keys via NFC or mobile connectors, not via USB slots, and most users transact with PayPal via mobile devices. The PayPal email also instructed customers to “update your verification method at paypal.com. Log in to your account and use the gear icon to go to security settings and update your 2-step verification.” The problem? When the email was received, that security page offered no direct way to make the change. Customer service suggested to customers that they could deactivate MFA entirely and then reactivate it. That less-than-secure option did work and the user was then able to make the change. Further testing revealed that a user could click the “add a new device” button, even if they had no intention of adding a new device. That also presented a screen where the customer could change their MFA method. Melody Brue, principal analyst for Moor Insights & Strategy, says using SMS can still be valuable for some isolated situations, but that PayPal appears to be trying to have it both ways. “It sounds to me that they are trying to soften the blow of saying ‘SMS isn’t safe enough.’ They are saying that you can’t use it to verify who you are unless we are worried that you are not you,” Brue says. “They are clearly actively inching away from SMS. They have to do that. They have to align with new standards. In financial services you don’t even want to mess around with” SMS. 
Financial cost of SMS may be final straw

But Brue also referred to another reason PayPal may be stepping back from SMS authentication: cost reduction. Sending SMS messages involves hard costs for PayPal, whereas telling customers to authenticate with a FIDO2 key or an authenticator app is free for the company. The cost of individual SMS messages is low — for example, AWS charges a fraction of a penny for each message. But given that PayPal handles about 25 billion transactions a year, those fractions quickly add up. Also, attackers test PayPal systems routinely “and they can trigger millions of SMS codes,” Brue adds. “For a company under new leadership and especially margin sensitive right now, sending millions of codes to bots that are not needed? That is an easy line to cut and it’s an OPEX win.” Justin Greis, CEO of consulting firm Acceligence and former head of the North American cybersecurity practice at McKinsey, says his main concern with SMS authentication is “SIM swapping, SIM jacking — we have seen that go up.” “PayPal is one of the most spoofed and spammed emails out there,” he adds. Steven Eric Fisher, an independent cybersecurity and risk advisor who served as the director of cybersecurity, risk, and compliance for Walmart until August 2025, agrees about SMS’s many authentication drawbacks, dubbing SMS “a very low bar of protection.” But he is less enthusiastic than most about authenticator apps. Authenticator apps “are only marginally better than SMS. Each has its own faults,” Fisher says. “FIDO2 is the best option from a security standpoint but end user adoption” may slow down because the customer has to pay for each FIDO2 device “as well as [experience] the difficulty placed on the user for the enrollment and use.”
  13. When PayPal started emailing customers this month that it was backing off unencrypted SMS for multifactor authentication (MFA) at login, it came with the typical approach-avoidance asterisk. The financial services giant signaled that it was turning the page on the much-maligned authentication method while simultaneously offering no timeline and assuring customers SMS wouldn’t entirely go away — a curious strategy that could help smooth over customer loss. SMS has a long history of opposition from security executives, mostly pointing to how easily it can be sniffed and subject to man-in-the-middle attacks, among others. As a result, Google has backed off SMS, as has Microsoft, Cisco, and even the United Arab Emirates Central Bank. “SMS as an authentication factor is devil spawn and should be banned by an act of Congress,” says Gary Longsine, CEO at IllumineX, encapsulating the frustration of many security specialists. Still, SMS remains, largely due to convenience, given that many business executives fear any change to MFA processes will be viewed as friction that could lead to customer loss or reduced engagement. “They don’t want to lose users who won’t do anything other than SMS as a second factor,” says cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov. “Although app-based MFA is generally considered more secure than SMS-based MFA, not all users are willing to take the time to set up app-based MFA, so making it an absolute requirement tends to result in fewer conversions.” Garret Grajek, CEO of access certification firm YouAttest, has experienced this business unit pushback directly. 
“We designed a very strong authentication and the CISO loved it, but the security teams did not want to push back against user requests” for unencrypted SMS, he says, adding that a business unit executive argued that the security boost “is going to cost us money.” “I feel sorry for PayPal because they [are a victim of] the battles that go on in business units versus security. And security doesn’t always win,” he adds.

Muddled effort, mixed messages

Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, says he’s “always found it odd” that PayPal still supports SMS as its primary secondary authentication factor. “Everyone in financial services and government has abandoned it for not being sufficiently secure and are moving to even phishing-resistant authentication, such as passkeys, Yubikeys,” he explains. PayPal’s shift was announced via email sent to some customers earlier this month. “Starting March 2026, we’ll start removing SMS codes [for login MFA] but they’ll still be available as part of our standard security checks,” PayPal’s email said. PayPal’s reference to standard security checks refers to when its system, leveraging behavioral analytics, flags a customer interaction as potentially fraudulent based on factors such as transaction size or deviation from historic patterns. Still, Grajek finds PayPal’s decision to keep SMS in use for fraud checks to be odd. When the system flags a potential problem, he says, “you want to do a higher level [of authentication]. Why would you de-escalate [to a lower level of authentication]?” PayPal’s customer email said the company would “start removing” SMS in March, but how long that process will take is unclear. Logistics is one factor, as these communications are going to a global customer base of roughly 439 million people and businesses. PayPal will batch those messages over an extended time. PayPal will likely also assess customer reaction, giving itself flexibility by not committing to a firm end date.
PayPal declined to comment on the record for this story. PayPal’s email suggested that customers switch their MFA method to an authenticator app or a onetime-password-issuing fob such as those compliant with FIDO2 security keys. Strangely, the email instructed security key users to “Put the device into your USB slot and you’re all set,” despite the fact that mobile devices communicate with keys via NFC or mobile connectors, not via USB slots, and most users transact with PayPal via mobile devices. The PayPal email also instructed customers to “update your verification method at paypal.com. Log in to your account and use the gear icon to go to security settings and update your 2-step verification.” The problem? When the email was received, that security page offered no direct way to make the change. Customer service suggested to customers that they could deactivate MFA entirely and then reactivate it. That less-than-secure option did work and the user was then able to make the change. Further testing revealed that a user could click the “add a new device” button, even if they had no intention of adding a new device. That also presented a screen where the customer could change their MFA method. Melody Brue, principal analyst for Moor Insights & Strategy, says using SMS can still be valuable for some isolated situations, but that PayPal appears to be trying to have it both ways. “It sounds to me that they are trying to soften the blow of saying ‘SMS isn’t safe enough.’ They are saying that you can’t use it to verify who you are unless we are worried that you are not you,” Brue says. “They are clearly actively inching away from SMS. They have to do that. They have to align with new standards. In financial services you don’t even want to mess around with” SMS.

Financial cost of SMS may be final straw

But Brue also referred to another reason PayPal may be stepping back from SMS authentication: cost reduction.
Sending SMS messages involves hard costs for PayPal, whereas telling customers to authenticate with a FIDO2 key or an authenticator app is free for the company. The cost of individual SMS messages is low — for example, AWS charges a fraction of a penny for each message. But given that PayPal handles about 25 billion transactions a year, those fractions quickly add up. Also, attackers test PayPal systems routinely “and they can trigger millions of SMS codes,” Brue adds. “For a company under new leadership and especially margin sensitive right now, sending millions of codes to bots that are not needed? That is an easy line to cut and it’s an OPEX win.” Justin Greis, CEO of consulting firm Acceligence and former head of the North American cybersecurity practice at McKinsey, says his main concern with SMS authentication is “SIM swapping, SIM jacking — we have seen that go up.” “PayPal is one of the most spoofed and spammed emails out there,” he adds. Steven Eric Fisher, an independent cybersecurity and risk advisor who served as the director of cybersecurity, risk, and compliance for Walmart until August 2025, agrees about SMS’s many authentication drawbacks, dubbing SMS “a very low bar of protection.” But he is less enthusiastic than most about authenticator apps. Authenticator apps “are only marginally better than SMS. Each has its own faults,” Fisher says. “FIDO2 is the best option from a security standpoint but end user adoption” may slow down because the customer has to pay for each FIDO2 device “as well as [experience] the difficulty placed on the user for the enrollment and use.”
14. There are better ways to leave passwords behind. We show you ten. Photo: Raffi Ilham Pratama – shutterstock.com

Passwords have been the authentication standard for computer systems for decades, even though they have proven time and again to be vulnerable to various forms of cyberattack, and compromised user accounts regularly become the entry point for criminal hackers. One way for CISOs to tackle this problem is passwordless authentication. Solutions in this area promise to increase user security while eliminating the burden that complex passwords place on users and the helpdesk. When it comes to passwordless authentication, there is no way around the FIDO Alliance. The non-profit organization manages and supports several (passwordless) security standards for different use cases, including FIDO2 and passkeys. The latter is a further development of the former and is expected to establish itself as the standard across industries. Numerous companies already support passkeys, including Apple, Google, Microsoft, GitHub, DocuSign and various security vendors.

10 passwordless authentication solutions

If you have decided on "passwordless" in principle, the question is which vendor or which offering is best suited to your company. A look at one of the following ten offerings may help with your decision.

AuthID Verified Workforce

With Verified Workforce, US security vendor AuthID offers several key functions around user authentication, with a strong focus on biometric security features. Thanks to AI-supported matching capabilities, the solution also promises to detect spoofing attempts.
AuthID supports the FIDO2 standard, with cryptographic keys generated and stored on the respective device; the cloud stays out of the picture entirely. Because AuthID knows that passwordless is of limited value without a larger ecosystem, the AuthID solution can also be integrated with third-party identity and access management (IAM) tools.

Axiad Conductor

With its authentication platform, Axiad takes a holistic approach to passwordless orchestration. Axiad Conductor consolidates existing IAM suites to ease the transition into the passwordless era, both for configuration and for provisioning new users. The solution also offers an admin portal and an end-user portal through which authentication workflows can be adjusted at a granular level.

Beyond Identity

Security vendor Beyond Identity combines passwordless authentication with continuous, risk-based authentication. As a result, every authentication attempt is evaluated on the basis of its context, such as the device used or the user's current location. The Beyond Identity solution also uses existing hardware such as Trusted Platform Modules (TPMs) to protect cryptographic keys even better. Apart from that, the vendor also supports integration with IAM suites and Active Directory Federation Services to enable passwordless authentication for on-premises applications.

CyberArk Workforce Identity

With Workforce Identity (formerly known under the Idaptive brand), CyberArk's software agent supports all passwordless use cases, including endpoint authentication. CyberArk's offering also includes an application gateway intended to facilitate secure authentication to on-premises applications.
Also worth mentioning: adaptive authentication functions that, according to the vendor, allow it to dynamically select the authentication factors appropriate to the given context.

Duo

Cisco's popular MFA service Duo supports every conceivable authentication use case, including desktop, web applications, VPN and remote connections. Duo also provides the tools needed to cover other important aspects of authentication: context-aware, risk-based authentication, monitoring and integration with practically every IAM suite on the market.

HYPR

The HYPR authentication platform fully supports the passkey standard, though only as a starting point for authentication. Both synced and device-bound passkeys are supported. At HYPR, passwordless authentication extends across all areas, from desktop to remote access solutions. To manage authenticators across the enterprise and adjust policies accordingly, users have an intuitive administration console in the HYPR Control Center. The platform also supports integration with existing IAM systems and tools.

Okta

Okta is a big player in the identity and authentication game and offers a comprehensive range of services that meets virtually every requirement in this area. The platform provides full IAM functionality, multifactor authentication (MFA) and all the other components needed for a complete passwordless solution. Dynamic and customizable workflows, authentication policies and factors promise users maximum flexibility. Also worth mentioning is "Okta FastPass": this solution lets users quickly and easily register mobile devices as authenticators.
Okta also supports chaining authentication factors with factor sequencing. This technique can be paired with policies to give access to critical information extra protection.

Ping Identity

Ping Identity is also one of the "big names" in identity and authentication and provides a comprehensive tool suite covering every aspect of the authentication process. With "PingOne DaVinci," the vendor also offers visual, template-based authentication workflows. Ping Identity does not believe in rushing to switch everything to passwordless overnight; instead, the company encourages its customers to approach a passwordless future step by step.

Secret Double Octopus

Israeli MFA and passwordless specialist Secret Double Octopus promises passwordless authentication for all major use cases with only minimal changes to the existing infrastructure. The solution also supports passwordless authentication for RDP and SSH, on-premises legacy applications and other less common use cases. Because Secret Double Octopus also supports passwordless authentication in offline network environments, even air-gapped networks are not left out.

Yubico

With its YubiKey tokens, Yubico has created a de facto standard for hardware authentication tools (which, incidentally, is supported by most of the solutions presented here). YubiKeys are available in a variety of form factors and support numerous connectivity standards such as USB-A, USB-C and NFC. The company also offers services for large customers for deploying and managing the hardware tokens.
15. Another device code phishing campaign that abuses OAuth device registration to bypass multifactor authentication login protections has been discovered. Researchers at KnowBe4 say the campaign is largely targeting North American businesses and professionals by tricking unwitting employees into clicking a link in an email from a threat actor. The message purports to be about a corporate electronic funds payment, a document about salary bonuses, a voicemail, or contains some other lure. It also includes a code for ‘Secure Authorization’ that the user is asked to enter when they click on the link, which takes them to a real Microsoft Office 365 login page. Victims think the message is legitimate, because the login page is legitimate, so they enter the code. But unknown to the victim, it’s actually the code for a device controlled by the threat actor. What the victim has done is issue an OAuth token granting the hacker’s device access to their Microsoft account. From there, the hacker has access to everything the account allows the employee to use. Note that this isn’t about credential theft, although if the attacker wants credentials, they can be stolen. It’s about stealing the victim’s OAuth access and refresh tokens for persistent access to their Microsoft account, including to applications such as Outlook, Teams, and OneDrive. It works because certain sites, including Microsoft 365, use the OAuth 2.0 Device Authorization Grant process to allow the adding of devices to an account. It’s similar to the way a homeowner adds a smart TV to Netflix. KnowBe4 calls it a novel attack, although Johannes Ullrich, dean of research at the SANS Institute, called it “old new.” According to Trend Micro, a threat actor dubbed Pawn Storm has been leveraging OAuth in phishing campaigns since as far back as 2015.
And in 2020, Microsoft warned users about what it called ‘consent phishing,’ in which threat actors seek permission for an attacker-controlled app to access data by installing an OAuth 2.0 provider. Ullrich admitted a SANS employee fell for one of these phishing emails. The main defense against the latest version of this attack is to restrict the applications users are allowed to connect to their account, he said. Microsoft provides enterprise administrators with the ability to allowlist specific applications that the user may authorize via OAuth. Roger Grimes, CISO advisor at KnowBe4, wrote about device code phishing in 2020. In an interview Thursday, he said what’s distinctive about the latest tactic is that the victim logs into a valid domain, and the goal is to get the user’s device token. “The user’s not doing anything wrong,” in the sense that they are logging into a legitimate portal, he said. “If they look at the URL they’re logging into, it’s microsoft.com. But the attacker has pre-registered their device to get the code for [the victim] to verify.” David Shipley, head of Canadian security awareness training provider Beauceron Security, said OAuth device code attacks have been gaining steam since 2024. “It’s the natural evolutionary response to improvements in account security, particularly MFA,” he said. The easiest defense is to turn off the ability to add extra login devices to Office 365, unless it’s needed, he said. In addition, employees should also be continuously educated about the risks of unusual login requests, even if they come from a familiar system. “The value of teaching people about new social engineering techniques like this, and doing phishing simulations based on these kinds of attacks, is it gets people used to reporting them, which will help when real attacks are happening,” he added.
Cory Michal, CSO at AppOmni, said attacks often leverage OAuth tokens and service/integration identities because they are a blind spot for many organizations that have invested heavily in identity hardening and multifactor authentication. “OAuth tokens often operate as bearer credentials,” he noted. “If an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge, and the activity can blend into normal API/integration patterns. In other words, strong MFA enforcement can coexist with a persistent exposure if non-human identities and OAuth token hygiene aren’t governed and monitored with the same rigor.” He said that IT leaders need to go beyond classic third-party vendor reviews, and actually inventory and audit the integrations running in their SaaS environments, determining which apps are connected, what OAuth scopes/permissions they have, and whether they’re still needed. “Most teams have far more integrations than they realize, and many retain broad privileges long after the original business need,” he pointed out. “In parallel, we should raise the security bar for any SaaS vendor we rely on, [with] clear requirements around token security, logging, incident response, and secure integration patterns, and make sure our own tenant configurations and monitoring are hardened so integration activity is least-privilege, observable, and quickly containable when something upstream is compromised,” Michal added. Grimes said that users can be educated to check how many devices are authorized to access their Microsoft, Google, and other login accounts. They should also be continually warned to be suspicious of email links that go to a login page. In a blog about device code phishing, he noted that Microsoft Entra administrators can disable “device code flow” in their conditional access policies. This disables the device code flow for all Entra users, not just malicious ones.
This means users will have to log in and provide more information than just a device code, but it will better protect an IT environment from this type of phishing attack.
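The point Grimes makes above, that the device receiving the token is not the device the user is sitting at, is something a SOC can look for in sign-in logs even where the device code flow cannot be disabled outright. The block below is an added example, not code from the article, KnowBe4 or Microsoft. It runs over a handful of constructed sign-in records whose field names (userPrincipalName, authenticationProtocol, ipAddress, appDisplayName, status) are assumed to mirror Entra ID sign-in log fields, and the known address range is likewise an assumption standing in for an organisation's own egress addresses. It reports every successful device-code grant and raises the severity when the grant came from an address outside that range or unlike the user's own interactive sign-ins in the same window.

```python
"""Flag OAuth device-code grants in sign-in records (constructed example).

Field names are assumed to mirror Entra ID sign-in logs; the records, the
users and the address range below are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import json

# Constructed sign-in records, one JSON object per line. The second record
# is the pattern the article describes: a device-code grant for a user
# whose own interactive sign-ins come from a different address.
SAMPLE_LOG = """
{"createdDateTime": "2026-02-12T13:01:10Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": "success"}
{"createdDateTime": "2026-02-12T13:05:42Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": "success"}
{"createdDateTime": "2026-02-12T13:07:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Office", "status": "success"}
{"createdDateTime": "2026-02-12T13:09:30Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": "success"}
{"createdDateTime": "2026-02-12T13:11:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.5", "appDisplayName": "Microsoft Office", "status": "failure"}
"""

# Assumed: address prefixes the organisation treats as its own egress range.
KNOWN_PREFIXES = ("203.0.113.",)


@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    app: str
    reason: str
    severity: str


def parse_log(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_device_code_signins(records, known_prefixes=KNOWN_PREFIXES):
    """Return one Finding per successful device-code sign-in.

    Severity is 'high' when the granting address is outside the known range
    or differs from every address the same user signed in from interactively
    in the same window; otherwise 'medium', because even an in-range grant
    should be matched against an expected device enrollment.
    """
    interactive_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"] == "success":
            interactive_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"] != "success":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        outside = not ip.startswith(known_prefixes)
        mismatch = user in interactive_ips and ip not in interactive_ips[user]
        if outside:
            reason, severity = "device-code grant from address outside known range", "high"
        elif mismatch:
            reason, severity = "device-code grant address differs from user's interactive sign-ins", "high"
        else:
            reason, severity = "device-code grant from known range; confirm enrollment was expected", "medium"
        findings.append(Finding(user, ip, r["appDisplayName"], reason, severity))
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.user} {f.ip} {f.app}: {f.reason}")
```

Failed grants are skipped because no token was issued; the two findings the sample produces are the off-range grant for alice and a medium-severity in-range grant for bob, which is the case an analyst should still reconcile against a ticket or enrollment record. This is a review aid alongside the conditional access control the article names, not a substitute for it.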
16. This week, the US National Institute of Standards and Technology (NIST) announced a new listening exercise, the AI Agent Standards Initiative, which it hopes will provide a roadmap for addressing agentic AI hurdles and, it said, ensure that the technology “is widely adopted with confidence.”

AI agents, which have now ascended to the status of enterprise tools, are designed to be autonomous and powerful: ambiguous but ominous concepts whose boundaries and limits are not always easy to define or understand. The risk this poses in terms of misuse, error, and unintended consequences is striking.

However, working under the direction of the Center for AI Standards and Innovation (CAISI), set up within NIST last June to replace the Biden administration’s US AI Safety Institute, the AI Agent Standards Initiative’s remit will be broader than security alone. Although it appears to be a renaming of the existing initiative, CAISI’s mandate is now wider, and more overtly political.

Bluntly, “CAISI aims to foster the emerging ecosystem of industry-led AI standards and protocols while cementing US dominance at the technological frontier,” said NIST’s press release. This will mean fostering US leadership in international standards bodies and in open-source AI agent development, and advancing research into AI agent security and use cases. Interoperability – the ability of agents from different companies to work together – will also be a priority.

“Absent confidence in the reliability of AI agents and interoperability among agents and digital resources, innovators may face a fragmented ecosystem and stunted adoption,” NIST said. “To address this concern, NIST, including CAISI, aims to foster industry-led technical standards and protocols that build public trust in AI agents, catalyze an interoperable agent ecosystem, and diffuse their benefits to all Americans and across the world.”

More concerns

Stories of agentic AI missteps have been hard to miss recently, from the 2025 ‘EchoLeak’ vulnerability in which Microsoft 365 Copilot was used to exfiltrate data, to the sudden popularity of OpenClaw (formerly known as Moltbot and Clawdbot), a helpful agent which also opens a door for attackers to roam unseen around a user’s applications and data.

And in November, the Information Technology Industry Council, a global trade association, identified a wide range of agentic security and accountability risks including ‘jagged intelligence,’ the tendency of AI models to complete complex tasks while failing at much simpler ones. These errors could expose enterprises to unpredictable failures in automated environments, it said.

Moving too slowly

According to Gary Phipps, head of customer success at agentic AI security startup Helmet Security, a problem with NIST is that its initiatives are being outpaced by real-world developments.

“History says that anything NIST comes up with will likely not emerge fast enough to address agentic AI,” said Phipps. “From the time NIST announced it was working on the AI Risk Management Framework to the day it published the final version was roughly two years,” he noted. “In that same window, the entire generative AI landscape was born, scaled, and began reshaping enterprise security. Now we’re doing it again with agentic AI, and NIST’s answer is more RFIs, more listening sessions, more convening.”

NIST has issued a request for information (RFI) on agentic AI threats, safeguards, and assessment methods; input is due by March 9. In addition, CAISI will hold “listening sessions” in April on sector-specific barriers to AI adoption, NIST said.

NIST’s statement about “cementing US dominance at the technological frontier” is, Phipps said, “a bold thing to say about an initiative whose first concrete deliverable is a listening session in April.” He pointed out, “Standards don’t create dominance: they follow it. The AI Risk Management Framework (RMF) is proof. It took two years to produce, and by the time it was final, the industry had largely already formed its own views on AI risk.”
17. Security researchers have uncovered six high-to-critical flaws affecting the open-source AI agent framework OpenClaw, popularly known as a “social media for AI agents.” The flaws were discovered by Endor Labs as its researchers ran the platform through an AI-driven static application security testing (SAST) engine designed to follow how data actually moves through the agentic AI software.

The bugs span several web security categories, including server-side request forgery (SSRF), missing webhook authentication, authentication bypasses, and path traversal, affecting a complex agentic system that combines large language models (LLMs) with tool execution and external integrations. The researchers also published working proof-of-concept exploits for each of the flaws, confirming real-world exploitability. OpenClaw has published patches and security advisories for the issues.

Flaws included SSRF paths, auth bypass, and file escapes

Endor Labs’ disclosure characterized the six OpenClaw vulnerabilities by weakness type and individual severity rather than by CVE identifiers. Several of the issues are SSRF bugs affecting different tools, including a gateway component (CVSS 7.6) that accepts user-supplied URLs to establish outbound WebSocket connections. The other two were an SSRF in Urbit Authentication (CVSS 6.5) and an Image Tool SSRF (CVSS 7.6). These SSRF paths were rated medium to high severity because they could allow access to internal services or cloud metadata endpoints, depending on the deployment.

Access control failures accounted for another cluster of findings. A “Telnyx” webhook handler designed to receive external events lacked proper webhook verification (CVSS 7.5), enabling forged requests from untrusted sources. Separately, an authentication bypass (CVSS 6.5) allowed unauthenticated users to invoke protected “Twilio” webhook functionality without valid credentials. The disclosure also detailed a path traversal vulnerability (CVSS not assigned) in browser upload handling, where insufficient sanitization of file paths could allow writes outside the intended directories.

“The combination of AI-powered analysis and systematic manual validation provides a practical path forward for securing AI infrastructure,” the researchers said. “As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces.”

Following the data revealed the danger

To overcome the limitations of “traditional static analysis” tools that reportedly struggle with modern software stacks, where inputs pass through numerous transformations before reaching risky operations, Endor Labs implemented the AI SAST approach, which, it claimed, maintains context across these transformations. This helped the researchers understand “not only where dangerous operations exist but also whether attacker-controlled data can reach them.” The test engine mapped the full journey of “untrusted data”, from entry points such as HTTP parameters, configuration values, or external API responses to security-sensitive “sinks” like network requests, file operations, or command execution.

Endor Labs said it responsibly disclosed the vulnerabilities to the OpenClaw maintainers, who subsequently addressed the issues, allowing the researchers to publish technical details. The disclosure did not provide extensive mitigation guidance but noted that fixes were implemented across the affected components.
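The three weakness classes in the disclosure (user-supplied URLs fetched by the server, unverified webhooks, and file names that escape an upload directory) each have a well-understood hardened form. The block below is an added example written for this article, not OpenClaw's code or the fixes its maintainers shipped; the blocked address ranges, the generic HMAC-SHA256 webhook scheme and the sample values are assumptions, and Telnyx and Twilio each document their own signing algorithm, which is what a production handler must follow.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/url"
	"path/filepath"
	"strings"
)

// blockedNets: loopback, RFC 1918, link-local (which covers the 169.254.169.254
// cloud metadata endpoint), CGNAT, and IPv6 local ranges. Assumed policy.
var blockedNets = mustCIDRs("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsSafeOutboundURL decides whether a user-supplied URL (the gateway, image
// tool and Urbit SSRF class) may be fetched. resolve is injected so the lookup
// can be pinned and the example runs offline; in production pass net.LookupIP
// and then dial the checked IP rather than the hostname, so a DNS answer that
// changes between check and use cannot bypass the filter.
func IsSafeOutboundURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("scheme not allowed: " + u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("host not allowed: " + host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return errors.New("cannot resolve host: " + host)
	}
	for _, ip := range ips {
		if ip.IsUnspecified() {
			return errors.New("unspecified address")
		}
		for _, n := range blockedNets {
			if n.Contains(ip) {
				return errors.New("address in blocked range: " + ip.String())
			}
		}
	}
	return nil
}

// SafeUploadPath maps a client-supplied file name into baseDir and rejects
// anything that would land outside it (the browser-upload traversal class).
func SafeUploadPath(baseDir, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) {
		return "", errors.New("invalid file name")
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name) // Join cleans ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path escapes upload directory: %q", name)
	}
	return full, nil
}

// VerifyWebhookSignature checks an HMAC-SHA256 over the raw body against the
// hex signature header using a secret shared with the event source. Generic
// pattern only: use the provider's documented scheme in production.
func VerifyWebhookSignature(secret, body []byte, sigHex string) bool {
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), got) // constant-time comparison
}

// SignWebhook is the sender side; it exists so the check can be exercised.
func SignWebhook(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	resolve := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("93.184.216.34")}, nil }
	fmt.Println(IsSafeOutboundURL("http://169.254.169.254/latest/meta-data/", resolve))
	fmt.Println(SafeUploadPath("/srv/uploads", "../../etc/passwd"))
	secret := []byte("constructed-secret")
	sig := SignWebhook(secret, []byte(`{"event":"call.answered"}`))
	fmt.Println(VerifyWebhookSignature(secret, []byte(`{"event":"call.hangup"}`), sig))
}
```

The injected resolver is the part worth copying: an SSRF filter that checks the hostname and then lets the HTTP client resolve it again has a window in which the answer can change, so the address that passed the check should be the one that is dialled.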
18. Enterprise security teams racing to enable generative AI tools may be overlooking a new risk: attackers can abuse web-based AI assistants such as Grok and Microsoft Copilot to quietly relay malware communications through domains that are often exempt from deeper inspection.

The technique, outlined by Check Point Research (CPR), exploits the web-browsing and URL-fetch capabilities of these platforms to create a bidirectional command-and-control channel that blends into routine AI traffic and requires neither an API key nor an authenticated account.

“Our proposed attack scenario is quite simple: an attacker infects a machine and installs a piece of malware,” CPR said. The malware then communicates with the AI assistant through the web interface, prompting it to fetch content from an attacker-controlled URL and return embedded instructions to the implant. Because many organizations allow outbound access to AI services by default and apply limited inspection to that traffic, the approach effectively turns trusted AI domains into covert egress infrastructure.

Security analysts said the findings expose a growing blind spot in enterprise AI governance. “Enterprises that allow unrestricted outbound access to public AI web services without inspection, identity controls, or strong logging are more exposed than many realize,” said Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services. “These platforms can effectively function as trusted external endpoints, meaning malicious activity can be concealed within normal network traffic, including routine HTTPS sessions to widely used AI domains,” she added.

Sunil Varkey, a cybersecurity analyst, said the technique echoes past evasion strategies such as steganography and “living off the land” attacks, where adversaries abuse legitimate tools and trusted infrastructure to avoid detection.

CPR said using AI platforms as C2 relays is only one potential abuse case. The same interfaces could be prompted to generate operational commands on demand, from locating files and enumerating systems to producing PowerShell scripts for lateral movement, allowing malware to determine its next steps without direct human control. In a more advanced scenario, an implant could transmit a brief profile of the infected host and rely on the model to determine how the attack should progress.

A structural shift in detection

The research also points to a broader shift in how malware may evolve as AI becomes embedded in runtime operations rather than just development workflows. “When AI moves from assisting development to actively guiding malware behavior at runtime, detection can no longer rely solely on static signatures or known infrastructure indicators,” said Krutik Poojara, a cybersecurity practitioner. “Instead of hardcoded logic, you are dealing with adaptive, polymorphic, context-aware behavior that can change without modifying the malware itself.”

Grover said this makes attacks harder to fingerprint, forcing defenders to rely more on behavioral detection and tighter correlation across endpoint, network, identity, and SaaS telemetry. More significantly, this changes the tempo of defense. If attackers can dynamically adjust commands and execution paths based on the environment they encounter, security teams are no longer responding to a fixed playbook but to a continuously evolving interaction. “This compresses the window between intrusion and impact and increases the importance of real-time detection, automated response, and tighter feedback loops between threat intelligence and SOC operations,” Grover said.

Steps to take

Security leaders should not respond by blocking AI outright, analysts said, but by applying the same governance discipline used for other high-risk SaaS platforms. Varkey recommended starting with a comprehensive inventory of all AI tools in use and establishing a clear policy framework for approving and enabling them.

Organizations should also implement AI-specific traffic monitoring and sequence-based detection rules to identify abnormal automation patterns. Other options to consider include rolling out phased awareness programs. “From an architectural standpoint, organizations should also invest in platforms that provide unified visibility across network, cloud, identity, and application layers, enabling security teams to correlate signals and trace activity across domains rather than treating AI usage as isolated web traffic,” Grover said.
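One concrete form of the "sequence-based detection rules" recommended above is timing analysis on proxy logs: a person chatting with an assistant produces irregular gaps between requests, while an implant polling an AI domain for its next instruction tends to produce a metronome. The block below is an added example, not Check Point's research code or a vendor rule; the log format, the AI hostnames in `aiDomains`, the thresholds and the sample log are all constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// ProxyEvent is one outbound HTTPS connection as a web proxy would log it.
type ProxyEvent struct {
	When time.Time
	Src  string // internal host
	Dst  string // destination hostname
}

// Beacon is a (src, dst) pair whose request timing looks machine-driven.
type Beacon struct {
	Src, Dst     string
	Count        int
	MeanInterval time.Duration
	Jitter       float64 // coefficient of variation of the gaps; ~0 means a metronome
}

// aiDomains are destinations commonly exempted from deep inspection. The page
// names Grok and Copilot; the exact hostnames here are assumptions.
var aiDomains = map[string]bool{"grok.com": true, "copilot.microsoft.com": true, "chatgpt.com": true}

// ParseProxyLog parses constructed lines of the form
// "2026-02-10T09:00:00Z src dst" (RFC 3339 timestamp, source host, destination).
func ParseProxyLog(raw string) ([]ProxyEvent, error) {
	var out []ProxyEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("bad line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, ProxyEvent{ts, f[1], f[2]})
	}
	return out, nil
}

// FindBeacons groups events by (src, dst) over AI domains and flags pairs with
// at least minCount requests whose inter-request gaps vary by no more than
// maxJitter (standard deviation divided by mean).
func FindBeacons(events []ProxyEvent, minCount int, maxJitter float64) []Beacon {
	groups := map[[2]string][]time.Time{}
	for _, e := range events {
		if !aiDomains[e.Dst] {
			continue
		}
		k := [2]string{e.Src, e.Dst}
		groups[k] = append(groups[k], e.When)
	}
	var out []Beacon
	for k, ts := range groups {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := make([]float64, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]).Seconds())
		}
		mean, sd := meanStd(gaps)
		if mean == 0 {
			continue // all requests in the same second: not a polling pattern
		}
		if jitter := sd / mean; jitter <= maxJitter {
			out = append(out, Beacon{k[0], k[1], len(ts), time.Duration(mean * float64(time.Second)), jitter})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func meanStd(xs []float64) (float64, float64) {
	if len(xs) == 0 {
		return 0, 0
	}
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	var v float64
	for _, x := range xs {
		v += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(v / float64(len(xs)))
}

// SampleLog is constructed: ws-17 polls Copilot every 60 s like an implant,
// ws-42 is a person using Grok at irregular times, ws-99 talks to a non-AI site.
const SampleLog = `
2026-02-10T09:00:00Z ws-17 copilot.microsoft.com
2026-02-10T09:00:10Z ws-42 grok.com
2026-02-10T09:01:00Z ws-17 copilot.microsoft.com
2026-02-10T09:02:00Z ws-17 copilot.microsoft.com
2026-02-10T09:03:00Z ws-17 copilot.microsoft.com
2026-02-10T09:03:45Z ws-42 grok.com
2026-02-10T09:04:00Z ws-17 copilot.microsoft.com
2026-02-10T09:04:02Z ws-42 grok.com
2026-02-10T09:05:00Z ws-17 copilot.microsoft.com
2026-02-10T09:11:30Z ws-42 grok.com
2026-02-10T09:25:00Z ws-42 grok.com
2026-02-10T09:26:15Z ws-42 grok.com
2026-02-10T09:00:00Z ws-99 updates.example.com
2026-02-10T09:01:00Z ws-99 updates.example.com
`

func main() {
	events, err := ParseProxyLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, b := range FindBeacons(events, 5, 0.2) {
		fmt.Printf("%s -> %s: %d requests every %v (jitter %.2f)\n", b.Src, b.Dst, b.Count, b.MeanInterval, b.Jitter)
	}
}
```

Timing alone will not catch an implant that randomises its sleep, which is why the analysts quoted above pair this kind of rule with correlation across endpoint and identity telemetry; it does cheaply separate a fixed polling loop from a human session on the same trusted domain.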
19. Overearth – shutterstock.com

Cybersecurity is often treated like a game. Companies chase quick wins, tick off compliance checklists, or pat themselves on the back after a single successful audit. On paper that may look productive, but in reality it creates a false sense of security. In this picture, the CISO is the quarterback on whom all the responsibility rests. Cybersecurity, however, is not a game. It requires mature leadership, long-term thinking, and clear accountability. Anything less exposes companies to unnecessary risk. CISOs know this, but they have to keep raising it within their organizations.

Too many security teams rely on activities that look like progress, and are presented as progress, but do not materially reduce risk. Occasional simulated phishing tests, flashy new security tools, or meeting baseline compliance requirements can all be reassuring. The problem is that these activities often treat the symptoms rather than the causes. Common examples include:

Treating compliance as an achievement rather than a starting point.
Treating incidents as isolated events rather than indicators of systemic problems.
Tracking metrics that look good but do not measure real resilience.
Believing that technology can close gaps created by weak governance or unclear processes.

All of this is merely the appearance of security. It creates visibility, but no real protection. CISOs should treat risk as real and present. They must build security programs that can withstand shifting threats, staff turnover, and inexperienced teams. Strong leadership is not reactive. It is deliberate and informed.

Successful CISOs focus on:

People and processes, prioritized ahead of technical tools
Cultural expectations and accountability
Clear ownership
Decision-making based on cyber risk and the data analysis behind it
Long-term resilience rather than short-term wins

That is the difference between a security program that actually works and one that merely ticks boxes.

The shift from game to real program

The transition from a reactive approach to a mature security program begins with a change in mindset. CISOs must choose to step out of “game mode”. Until now the goal has been to avoid potential problems for one more quarter. Instead, they must commit to building programs that can withstand real threats. The key principles of such a program include:

Compliance is the minimum requirement, not the end goal.
Security metrics should measure real outcomes, such as time to detect and time to respond.
Every incident should yield lessons that improve the program.
Resilience planning should matter as much as prevention.
Accountability should be shared, visible, and measurable.

These are the foundations of a mature security program. The need for them becomes visible every day: the threat landscape is evolving at a pace that outstrips any checklist approach. Highly professional attackers act with purpose. They collaborate, automate, and innovate. They are not playing a game and do not rely on checklists. If companies continue to treat security as a series of tasks rather than a strategic discipline, they will fall behind. Security incidents are not accidents. They are the predictable result of immature leadership.

CISOs must therefore model the seriousness this task demands. Security is not a game. There are no time-outs and no easy restarts. What companies build today will determine whether they can withstand tomorrow’s threats. Leadership with the appropriate maturity makes the difference between apparent security and real security. (jm)

Reading tip: From CISO to Chief Risk Architect
20. For Nikoloz Kokhreidze, the move into cybersecurity consulting came gradually through a series of small steps. “I accumulated enough experience across different industries, I started my newsletter, and I realized there’s a community of people interested in what I have to say,” he explains.

What ultimately crystallized the decision was the thought that his impact didn’t have to stop at the edge of one organization. “I was solving the same problems repeatedly in one company,” he says, “when I could solve them for multiple companies simultaneously, multiplying my impact and helping more businesses grow through pragmatic security leadership.”

In August 2025, Kokhreidze launched his consulting business, Mandos. But he’s careful not to romanticize the move. “It’s important to stay realistic,” he says. Going solo takes time and patience. It means figuring out where you can be most useful. And being willing to stay flexible. “You have to be ready to pivot when you have new ideas, or when things don’t work out,” he says.

Like Kokhreidze, a growing number of CISOs are either moving into consulting roles or seriously considering it. The appeal is easy to see: more flexibility and quicker learning, alongside steady demand for experienced security leaders. Some of these professionals work as virtual CISOs (vCISOs), advising companies from a distance. Others operate as fractional CISOs, embedding into the organization one or two days a week.

“Consulting gives me more autonomy and control over how I work, while still letting me apply the same strategic approach to improving resilience, governance, and practical security execution,” says Antanas Kedys, founder and CEO at ACyber. He made the shift from an in-house CISO role to consulting in 2022, because he wanted to grow and work across different environments.

When a CISO transitions into consulting, their role changes in ways that aren’t always obvious at first. The new job means sharpening some skills, building entirely new ones and, perhaps hardest of all, learning to let go of control. “As a CISO, you can mandate; as a consultant, you can only influence,” says Nigel Gibbons, director and senior advisor at NCC Group.

How to prepare to make the leap from security leader to consultant

Long before stepping away from a full-time role, Kokhreidze and other security leaders tried to quietly plan ahead. They tested ideas, built visibility, reconnected with old contacts, and began mapping out who their potential clients might be. The list of potential clients should be a long one, because few conversations turn into actual work.

“If someone is not asking you right now to consult for them, it can take 12-18 months before you land your first client,” says Carlota Sage. She held a part-time CISO role at a nonprofit before transitioning into vCISO work. Later, she went on to found Pocket CISO, which provides cybersecurity services to early-stage startups and small organizations.

Kokhreidze agrees with her. For a smoother transition, he suggests CISOs line up their first clients while they’re still employed. Otherwise, he says, it can take a long time to build momentum, and the pressure to make it work can quickly turn into panic. In that moment, security professionals may start “underpricing themselves because they need money immediately,” he says. Once rates are set out of desperation, they’re often hard to reset without straining the relationship.

Other CISOs-turned-consultants also emphasize preparation. Kedys, for instance, stresses the need for a go-to-market focus. “Decide who you want to advise (industry, company size, maturity), what problems you’ll solve, and why you’re credible for that,” he says. “The combination of strong soft skills and a clear focus — who, how, and why — is the best starting point for a successful transition.”

Gibbons adds that consulting should grow out of a CISO’s existing experience. He suggests treating that experience as a set of real-world case studies worth talking about, capturing the decisions, the trade-offs, what went wrong and what worked. He also stresses the importance of building relationships beyond the security function, including legal teams, auditors, regulators and investors. “Consulting is ultimately a trust-based profession not a technical one,” he adds.

Skills that carry over into consulting

Many of the skills CISOs honed inside large organizations translate directly to the new consulting job, while others suddenly matter more than they ever did before. In addition to technical skills, it is often the practical ones that prove most valuable.

The ability to prioritize — sharpened over years in a CISO role — becomes especially important in consulting. “It matters more than anything else,” Gibbons argues, because in consulting environments resources are often limited. Consultants are paid not to know everything, but to know what matters most, which risks to tackle first, and which problems can safely wait.

Crisis management is another essential skill. Paired with hands-on knowledge of cybersecurity processes and best practices, it gives former CISOs a real advantage as they move into consulting. Kedys highlights stress management: the ability to stay calm and focused and to keep execution moving under pressure, which is just as valuable outside the enterprise as it ever was inside.

But if there’s one translatable skill that everyone talks about, it is communication. “All of your security and compliance knowledge is wasted if you cannot communicate to a business audience,” Sage says. Kokhreidze agrees. Instead of leading with controls, tools or technical details, he focuses on what CTOs and other business leaders actually care about: outcomes. He talks about how security protects revenue, supports resilience, or builds confidence with regulators.

New skills needed in the toolkit

As CISOs move into consulting, they quickly discover they need new skills as well, some of which they may have deliberately avoided in their in-house roles. Chief among them is sales. “Eighty percent of your work is actually selling yourself,” says Kokhreidze. “You are first a business, and CISO second.”

And being a business is time-consuming. Consultants must juggle personal branding, marketing, accounting, and writing. Writing and online presence, in particular, matter because, done well, they signal credibility and give current and future clients a sense of how a CISO thinks.

The multiple roles consultants have to play — switching between delivery, sales, marketing and admin while juggling several clients — come with a real mental toll. For many former in-house executives, adjusting to that constant context switching is one of the hardest parts of leaving a structured organization behind. “If you’re running your own consulting firm, context switching can be a struggle,” Sage says.

In time, many consultants learn that discipline matters, and that saying no is part of the job. “You must become comfortable saying no to work that dilutes your positioning or turns you back into an outsourced operator rather than a trusted advisor,” Gibbons says.

Setting the right price

Many CISOs know their value inside an enterprise, but translating that value into a consulting price is a different challenge altogether. It requires a shift from thinking like an employee to thinking like a business. “Skills are not different from a product,” Kedys says. “You just need to find the right product (in this case, the skill) and wrap it in a way a market will be most likely to take it.” That understanding, he adds, comes from market analysis: observing how executives buy, what they value, and what comparable services cost.

Sage agrees with the idea of analyzing the market but says that CISOs coming from large enterprises and targeting small and mid-sized organizations often need to recalibrate their expectations. What feels like a modest rate to a global organization can be misaligned with the realities of smaller clients, particularly those buying advisory services for the first time.

When thinking about pricing, Kokhreidze took a two-way approach. He looked at the market and assessed his value. Then he set a realistic income goal and worked backwards, factoring in how many clients he could serve well. The result was a pricing model that favored quality over volume, a trade-off he knew would resonate with the clients he wanted to work with. “B2B companies closing enterprise deals understand that professional security leadership costs far less than losing a single €10M+ contract to failed security reviews,” Kokhreidze says.

When setting prices, one of the most common mistakes is charging for time rather than for the value the consultant brings to the table. Early in his career, Gibbons priced his work by the day instead of by the consequences it helped clients avoid. Over time, he moved toward outcome-based engagements, such as board assurance, regulatory readiness and post-incident recovery, so clients can understand more easily what they’re paying for. “Clients are buying judgment, not hours,” Gibbons says.

This approach, however, is not universal. Some more traditional organizations remain firmly attached to day rates. In those environments, shifting negotiations can be difficult regardless of the expertise being offered.

Potential mistakes to avoid

Ask experienced consultants what mistakes newcomers tend to make, and the answers are consistent. The biggest mistakes are rarely about security skills. They tend to cluster around mindset, money, and figuring out how to show up in the market.

“The hardest lesson was realizing that being a great CISO doesn’t guarantee clients at all,” Kokhreidze says. “I quickly learned that professional expertise means nothing without strong sales and qualification skills, because you’ll waste months chasing companies that either don’t have the problem you’re trying to solve or aren’t ready to invest in fixing it.”

Gibbons sees a related issue: consultants trying to recreate an in-house role from the outside. They take on operational responsibility, running programs or becoming embedded indefinitely. “That erodes margins and credibility,” he says. Another common misstep he points to is leading with tools, frameworks or certifications rather than judgment and experience. “Clients do not hire former CISOs for policy templates,” he argues. “They hire them to help make hard decisions with incomplete information.”

Even CISOs who plan carefully before making the leap often discover that the freedom of consulting comes with hidden costs. As Sage puts it, “Most CISOs consulting for the first time underestimate how much time and effort go into just managing your own business.”
21. The recently compromised update mechanism for the popular open source text editor Notepad++ has been hardened so it’s now ‘effectively unexploitable’, says the application’s author.

Don Ho made the claim this week after the release of version 8.9.2 of Notepad++, which includes a double-lock verification that any download of the tool from this point on is genuine. The latest version verifies the signed XML returned by the update server, in addition to the first step of the hardening in version 8.8.9, released in December, which verifies the authenticity of the signed installer downloaded from GitHub. The application auto-updater has also been reinforced.

These actions aren’t foolproof, Ho admits in his blog post, because it’s possible to exclude the auto-updater during the UI installation, or to deploy the installer with a specific command specifying that the updater not be used.

In an email today to CSOonline, Ho said that no system can ever be declared absolutely unbreakable, “but the new design dramatically raises the bar.” An attacker must now compromise both the hosting infrastructure and the signing keys, he explained, adding that the updater now validates both the manifest and the installer, each with independent cryptographic signatures. Any mismatch, missing signature, or certificate anomaly causes the update to abort automatically. “This layered verification makes the update chain resilient even in the face of future infrastructure‑level compromises,” he concluded.

Another supply chain attack

One reason the compromise went undetected for so long is that only a small number of downloaders — far less than 0.1% — were specifically targeted by the attackers, Ho said, and the attackers were very cautious. “Their goal was long‑term espionage,” he noted, “so they acted quietly and deliberately to remain undetected for as long as possible.”

Compromising the update mechanism of an application is a classic way for a threat actor to infiltrate dozens, hundreds, or thousands of organizations that then unwittingly use the hacked version of the software. One of the most notorious examples was the 2019/2020 compromise of the update infrastructure of SolarWinds’ Orion network monitoring suite. Another was the 2017 NotPetya attack that spread around the world after a Ukrainian tax application was hacked.

The Notepad++ problem began with the discovery that the IT infrastructure hosting Notepad++ had been compromised in June 2025, and a custom backdoor had been installed in the application. In the highly targeted attack, traffic from certain users was selectively redirected to attacker-controlled servers by the malicious updates. Researchers at Rapid7 believe a China-based group dubbed Lotus Blossom was behind the attack.

The now former hosting provider believes the shared hosting server was compromised from June to September of 2025. However, even after losing server access, the attackers retained credentials to internal services until December 2, 2025, allowing the continued redirection of Notepad++ update traffic. With the release of Notepad++ version 8.8.9 and its security hardening, all attacker access was terminated. Version 8.9.1 had even more security enhancements, and this week’s version 8.9.2 instituted the double-lock process.

Lessons learned

“Developers must plan for adversaries who are patient, sophisticated, and selective,” Ho said. Infrastructure is part of your attack surface, he pointed out; even if your code is secure, a weak link in hosting, DNS, or a content delivery network (CDN) can undermine everything. “Continuous monitoring and strict credential hygiene are essential,” he said, and application developers must assume that partial compromise is possible and design applications and their delivery and update mechanisms for failure. And if there is a compromise, he added, rapid disclosure, detailed technical explanations, and prompt fixes help users understand the scope and maintain confidence in the project.

Jeff Pollard, who leads Forrester Research’s work on the role of the CSO, said the fixes “significantly reduce” the risk of this specific failure mode recurring. But, he added, no single change ‘solves’ all supply chain risks. Attackers can shift to other choke points such as build pipelines or signing keys, he pointed out. “The key takeaway is that Notepad++ closed the exploited gap and raised the attacker cost,” he said.

Small utilities like Notepad++ usually sit outside of procurement, inventory, and third-party risk management controls, he said, which is why they are ubiquitous among technical users, and valuable targets for adversaries. “Asset management and software inventory is a perpetual problem for enterprises, but this event demonstrates why it’s so important to understand all the software in your environment, no matter how big or small it is,” he said.

Douglas McKee, Rapid7’s senior director of vulnerability intelligence, said the Notepad++ supply chain incident underscores a broader evolution in how threat actors think about software trust and persistence. While updates to the Notepad++ distribution mechanism and the release of version 8.9.2 with enhanced double-lock update security help close the specific vulnerability exploited in this campaign, they do not on their own solve the systemic problem of modern supply chain risk.

“What this incident makes clear, and what organizations must internalize, is that supply chain security cannot be limited to source code and build systems,” he said. “Attackers targeted hosting infrastructure and update delivery flows outside of the project’s direct control. Only by reinforcing signature and certificate validation, and treating update infrastructure as part of the attack surface, can defenders meaningfully reduce exposure.”
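The property Ho describes, that an attacker who owns the hosting but not the signing keys cannot produce an update the client will accept, is easiest to see in a small model of the double lock. What follows is an added example written for this article, not Notepad++'s updater or its real manifest schema: it uses Ed25519 for both signatures and a constructed XML manifest, with the manifest key and the installer key kept separate so that each lock fails independently. The scenarios at the end show a genuine update being accepted and four tampering cases (installer swapped on the host, manifest edited on the host, everything re-signed with an attacker's keys, and a genuinely signed older installer served under the new manifest) being rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is the signed update metadata returned by the update server. The
// element names are assumptions for this example, not Notepad++'s schema.
type Manifest struct {
	XMLName   xml.Name `xml:"update"`
	Version   string   `xml:"version"`
	Installer string   `xml:"installer"` // where the installer is downloaded from
	SHA256    string   `xml:"sha256"`    // hex digest of the installer bytes
}

// Update is what the client ends up holding: manifest and installer, each with
// its own signature produced by a different key.
type Update struct {
	ManifestXML, ManifestSig []byte
	Installer, InstallerSig  []byte
}

// VerifyUpdate is the double lock. Both signatures must verify under keys the
// client already trusts, and the installer must be the one the manifest names.
// Any failure aborts; the caller must neither run nor keep the installer.
func VerifyUpdate(manifestKey, installerKey ed25519.PublicKey, u Update) (*Manifest, error) {
	if !ed25519.Verify(manifestKey, u.ManifestXML, u.ManifestSig) {
		return nil, errors.New("abort: manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(u.ManifestXML, &m); err != nil {
		return nil, errors.New("abort: manifest unparsable")
	}
	if !ed25519.Verify(installerKey, u.Installer, u.InstallerSig) {
		return nil, errors.New("abort: installer signature invalid")
	}
	sum := sha256.Sum256(u.Installer)
	if want, err := hex.DecodeString(m.SHA256); err != nil || !bytes.Equal(want, sum[:]) {
		return nil, errors.New("abort: installer does not match manifest")
	}
	return &m, nil
}

// BuildUpdate is the publisher side: two separate private keys sign the
// manifest and the installer, so hosting access alone yields nothing usable.
func BuildUpdate(manifestPriv, installerPriv ed25519.PrivateKey, version string, installer []byte) Update {
	sum := sha256.Sum256(installer)
	x, err := xml.Marshal(Manifest{Version: version, Installer: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	return Update{x, ed25519.Sign(manifestPriv, x), installer, ed25519.Sign(installerPriv, installer)}
}

// Scenarios runs the verifier against a genuine update and four tampering
// cases, returning the outcome of each (nil means the update was accepted).
func Scenarios() map[string]error {
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader)
	iPub, iPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, aPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	newInst := []byte("constructed installer bytes 8.9.2")
	oldInst := []byte("constructed installer bytes 8.8.9")
	genuine := BuildUpdate(mPriv, iPriv, "8.9.2", newInst)
	older := BuildUpdate(mPriv, iPriv, "8.8.9", oldInst)

	res := map[string]error{}
	_, res["genuine"] = VerifyUpdate(mPub, iPub, genuine)

	swapped := genuine // hosting compromised, no keys: replace the installer bytes
	swapped.Installer = []byte("malicious bytes")
	_, res["installer swapped"] = VerifyUpdate(mPub, iPub, swapped)

	edited := genuine // hosting compromised, no keys: edit the manifest text
	edited.ManifestXML = bytes.Replace(genuine.ManifestXML, []byte("8.9.2"), []byte("9.0.0"), 1)
	_, res["manifest edited"] = VerifyUpdate(mPub, iPub, edited)

	forged := BuildUpdate(aPriv, aPriv, "8.9.3", []byte("malicious bytes")) // untrusted keys
	_, res["attacker keys"] = VerifyUpdate(mPub, iPub, forged)

	downgrade := genuine // genuinely signed older installer under the new manifest
	downgrade.Installer, downgrade.InstallerSig = older.Installer, older.InstallerSig
	_, res["downgrade"] = VerifyUpdate(mPub, iPub, downgrade)
	return res
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-18s %v\n", name, err)
	}
}
```

The downgrade case is the one the hash binding exists for: both signatures are valid on their own, and only the manifest's digest ties the installer to the version the server actually announced.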
  22. For the past 18 months, a Chinese cyberespionage group has been exploiting a previously unknown vulnerability in Dell’s RecoverPoint for Virtual Machines, a VM disaster recovery solution. The flaw, patched by Dell this week, allows unauthenticated attackers to gain command execution on the underlying OS as root. The vulnerability, tracked as CVE-2026-22769, stems from hardcoded admin credentials for the Apache Tomcat Manager, which can be leveraged to deploy malicious WAR (Web Application Archive) files. Apache Tomcat is a web server for Java-based web applications.
Researchers from Google’s Mandiant team discovered the critical vulnerability while investigating multiple compromised Dell RecoverPoint for Virtual Machines instances in a customer environment sending out command-and-control (C2) traffic associated with two backdoors known as BRICKSTORM and GRIMBOLT. These backdoors are used by a China-linked APT group that Mandiant tracks as UNC6201, which is known to target VMware-related enterprise infrastructure. Dell RecoverPoint for Virtual Machines is a data replication and protection appliance for VMware environments, which makes it an attractive target for this group.
The new vulnerability affects versions 5.3 SP4 P1, 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1. Customers are strongly encouraged to upgrade to the patched 6.0.3.1 HF1 version, but if that’s not immediately possible Dell also released a remediation script.
Attackers upgrade from BRICKSTORM to GRIMBOLT
UNC6201’s activities overlap significantly with another group that Mandiant and Google’s Threat Intelligence Group (GTIG) track as UNC5221, which is known for targeting network-edge appliances using zero-day exploits. Other security companies attribute this activity to the Chinese state-sponsored hacker group Silk Typhoon or APT27, but Google believes this to be a different threat actor.
UNC5221 has compromised the networks of US legal services firms, SaaS providers, business process outsourcers, and technology companies over the past few years and deployed the Linux backdoor BRICKSTORM and a web shell called SLAYSTYLE that has been installed on compromised vCenter deployments. Both BRICKSTORM and SLAYSTYLE have also been observed in the new Dell RecoverPoint compromises attributed to UNC6201. However, the threat actor also deployed a new backdoor called GRIMBOLT.
“GRIMBOLT is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX,” Mandiant’s researchers said. “It provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload.”
There is evidence that UNC6201 has been exploiting CVE-2026-22769 since mid-2024 to deploy the SLAYSTYLE web shell. However, the replacement of BRICKSTORM with GRIMBOLT did not happen until September 2025. It’s not clear if this was the result of planned iteration or a reaction to BRICKSTORM being exposed by Mandiant and other security companies at around that time.
Pivot techniques
In addition to the payloads themselves, the investigation also revealed new techniques. For example, the legitimate shell script convert_hosts.sh that exists on these appliances has been modified to include the path of the backdoors to achieve persistence. The SLAYSTYLE web shell, which is designed to receive commands over HTTP and execute them on the system, was used to set up proxy rules via the Linux iptables utility. Namely, incoming traffic on port 443 (HTTPS) that contained a particular HEX string was silently redirected to port 10443 for the next 5 minutes. Another novel technique was the creation of temporary network ports on existing virtual machines on VMware ESXi servers to access other services inside the environments.
Charles Carmakal, CTO at Mandiant, described the technique on LinkedIn as deploying “ghost NICs on virtual machines to evade defenders” because it left investigators chasing network activity from IP addresses that no longer existed and were never documented.
Network-edge appliances have become a common entry point into enterprise networks for sophisticated attackers. These appliances are not typically covered by logging solutions and lack endpoint malware detection, yet they contain troves of credentials and provide great pivot points to internal services. Dell recommends RecoverPoint for VMs be deployed inside a trusted, access-controlled network behind appropriate firewalls and segmentation, not on public-facing infrastructure. Meanwhile, the Mandiant blog post includes indicators of compromise and YARA detection rules for the new GRIMBOLT and SLAYSTYLE payloads. View the full article
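The iptables trick described above (content-matched traffic on 443 silently redirected to another port) leaves a trace in the appliance’s NAT table. The following Python audit, added here as an example and not taken from Mandiant’s or Dell’s tooling, parses constructed `iptables-save` output and flags redirect/DNAT rules on watched ports that depend on a payload string match; the sample rules and the hex pattern are invented for illustration.

```python
"""Audit iptables-save text for content-matched port redirects.

Added example (not Mandiant/Dell code). Flags nat-table rules that
REDIRECT or DNAT traffic arriving on a watched port only when the
payload matches a string/hex-string, the pattern described in the
article. All rule text below is constructed for illustration.
"""
import shlex

# Constructed sample of `iptables-save` output; not a real capture.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m string --hex-string "|deadbeef|" --algo bm -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Yield (table, tokens) for every '-A' rule in iptables-save text."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # table header, e.g. *nat
        elif line.startswith("-A "):
            yield table, shlex.split(line)  # shlex keeps quoted patterns whole


def suspicious_redirects(text, watched_ports=("443",)):
    """Return nat rules that redirect/DNAT a watched port on a payload match."""
    findings = []
    for table, tok in parse_rules(text):
        if table != "nat":
            continue
        # Map each option to the value that follows it (last one wins).
        opts = {t: tok[i + 1] for i, t in enumerate(tok)
                if t.startswith("-") and i + 1 < len(tok)}
        payload_match = "--string" in opts or "--hex-string" in opts
        if (opts.get("-j") in ("REDIRECT", "DNAT")
                and opts.get("--dport") in watched_ports and payload_match):
            findings.append({
                "chain": opts.get("-A"),
                "dport": opts.get("--dport"),
                "match": opts.get("--hex-string") or opts.get("--string"),
                "to": opts.get("--to-ports") or opts.get("--to-destination"),
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_redirects(SAMPLE_RULES):
        print("suspicious redirect:", finding)
```

A plain `--dport 443` redirect without a string match is not flagged, since ordinary port forwarding is common; the signal here is the payload-conditional redirect.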
  23. A security researcher using the pseudonym “Q Continuum” has discovered 287 Chrome extensions that exfiltrate browsing history. “The actors behind the leaks are diverse: Similarweb, Curly Doggo, Offidocs, Chinese actors, many smaller, unknown data brokers, and a mysterious company called ‘Big Star Labs’ that appears to be an offshoot of Similarweb,” the research report states.
For the analysis, the researcher built an automated pipeline that launched Chrome instances, installed extensions, visited a predefined set of websites, and captured outbound communications. He warned that such data collection could enable corporate espionage by exposing the internal company URLs that employees access. In cases where extensions also capture cookies, they could facilitate credential harvesting by giving attackers details about active web sessions.
VPNs, productivity tools, and shopping add-ons
The investigation identified numerous widely used extensions with risky behaviour in categories such as VPN/proxy services, coupon finders, PDF tools, and browser utilities. Many of them have hundreds of thousands or millions of users. Some of these extensions are pop-up blockers for Chrome. Among them are Stylish, BlockSite block Websites, Stay Focused, and SimilarWeb. Website Traffic und SEO Checker, WOT: Website Security und Safety Checker, Smarty, Video Ad Blocker Plus for YouTube, Knowee AI, and CrxMouse: Mouse Gestures. According to the researcher, several of the extensions requested broad host permissions (across all websites). This allowed them to observe navigation events and page activity across domains.
“If an extension only reads the page title or injects CSS, its network footprint should stay the same regardless of the length of the URL we visit,” he writes in his post, explaining the logic behind flagging them. “If outbound traffic grows linearly with URL length, there is a high probability that the extension is sending the URL itself (or the entire HTTP request) to a remote server,” the expert adds.
Encrypted exfiltration hindered detection
He also points out that several of these extensions attempted to conceal the nature of the data being transmitted. Outbound payloads were often encrypted or encoded before transmission, which prevented automated inspection. “Manual review of the captured traffic revealed a variety of obfuscation techniques: Base64, ROT47, LZ-String compression, and full AES-256 encryption wrapped in RSA-OAEP,” the researcher explains in a further report. “Decrypting these payloads revealed that raw Google search URLs, page referrers, user IDs, and timestamps were being sent to a network of proprietary domains and cloud-provider endpoints.”
The researcher’s test environment ran Chrome in a Docker container so that each extension could be analysed in isolation and consistently. The security specialist conceded, however, that probably not all extensions that leak browsing history have malicious intent. He also clarified that some false positives had to be removed manually from the logs of the extensions flagged by the automated scanners.
“Some of the extensions may be harmless and need to collect browsing history for their functionality, such as ‘Avast Online Security & Privacy’.” The disclosure report included a list of Chrome Web Store URLs and the actors behind these extensions for reference. (jm) View the full article
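The researcher’s flagging logic quoted above (an extension’s outbound bytes should not scale with the length of the URL visited) can be turned into a simple check. The following Python is an added example, not the researcher’s pipeline code: it fits a line through constructed (URL length, bytes sent) measurements per extension and flags those whose traffic grows roughly linearly with URL length; the extension names, thresholds and numbers are invented for illustration.

```python
"""Flag extensions whose outbound traffic scales with visited URL length.

Added example of the heuristic described in the article; not the
researcher's own code. Measurements are constructed: each entry is
(url_length, bytes_sent) captured while only that extension was active.
"""


def linear_fit(points):
    """Least-squares slope and Pearson r for a list of (x, y) pairs."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    syy = sum((y - my) ** 2 for _, y in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    if sxx == 0 or syy == 0:
        return 0.0, 0.0  # constant x or constant y: no linear relationship
    return sxy / sxx, sxy / (sxx * syy) ** 0.5


def flag_exfiltration(measurements, min_r=0.9, min_slope=0.5):
    """Return extension names whose bytes_sent grow ~linearly with URL length.

    min_r guards against noise being mistaken for a trend; min_slope (bytes
    out per URL byte) ignores tiny per-character overheads. Thresholds are
    illustrative assumptions, not values from the research.
    """
    flagged = []
    for name, points in measurements.items():
        slope, r = linear_fit(points)
        if r >= min_r and slope >= min_slope:
            flagged.append(name)
    return flagged


# Constructed measurements (url_length, bytes_sent); not real captures.
MEASUREMENTS = {
    # fixed telemetry ping: footprint independent of URL length
    "title-reader": [(20, 410), (60, 412), (120, 409), (250, 415), (500, 411)],
    # forwards the raw URL: about one byte out per URL byte, plus overhead
    "history-leaker": [(20, 330), (60, 372), (120, 428), (250, 565), (500, 812)],
    # base64-encodes the URL first: still linear, slope about 4/3
    "encoded-leaker": [(20, 340), (60, 396), (120, 474), (250, 648), (500, 982)],
}

if __name__ == "__main__":
    for name, points in MEASUREMENTS.items():
        slope, r = linear_fit(points)
        print(f"{name:16s} slope={slope:5.2f} r={r:5.2f}")
    print("flagged:", flag_exfiltration(MEASUREMENTS))
```

Encoding such as Base64 changes the slope but not the linearity, which is why the heuristic still catches the encoded case; full encryption with padding and fixed-size blocks would blunt it, matching the article’s note that encrypted payloads hindered automated inspection.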
  25. Critical and high-severity vulnerabilities were found in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Application security company OX Security published the findings this week, saying it had begun notifying vendors in June 2025 but received no response from three of the four maintainers. Three CVEs, CVE-2025-65717, CVE-2025-65715, and CVE-2025-65716, were formally assigned and published on February 16.
VS Code extensions are add-ons that expand the functionality of Microsoft’s widely used code editor, adding capabilities such as language support, debugging tools, live preview, and code execution. They run with broad access to local files, terminals, and network resources, which is what made these vulnerabilities consequential. Unlike the rogue extensions that threat actors have repeatedly planted in the VS Code marketplace, these flaws resided in legitimate, widely installed tools, meaning developers had no reason to suspect them, OX Security said in an advisory. “Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations,” the advisory added.
The vulnerabilities also affected Cursor and Windsurf, the AI-powered IDEs built on VS Code’s extension infrastructure. OX Security published individual advisories for each flaw, detailing how each could be exploited and what an attacker could achieve.
How the attacks worked
The most severe flaw, CVE-2025-65717 (critical), was in Live Server, a 72-million-download extension that launches a local HTTP server for real-time browser previews. OX Security found the server was reachable from any web page a developer visited while it was running, not just their own browser. “Attackers only need to send a malicious link to the victim while Live Server is running in the background,” OX Security researchers Moshe Siman Tov Bustan and Nir Zadok wrote in an advisory.
CVE-2025-65715 (high severity) affected Code Runner, with 37 million downloads. The extension reads execution commands from a global configuration file, and OX Security found a crafted entry was enough to trigger arbitrary code execution, including reverse shells. An attacker could place it by phishing a developer into pasting a malicious snippet, or through a compromised extension that modified the file silently.
CVE-2025-65716 (CVSS 8.8) affected Markdown Preview Enhanced, with 8.5 million downloads. Simply opening an untrusted Markdown file was enough to trigger it. “A malicious Markdown file could trigger scripts or embedded content that collects information about open ports on the victim’s machine,” the researchers noted.
Microsoft quietly patched its own extension
The fourth vulnerability played out differently. Microsoft’s Live Preview extension, with 11 million downloads, contained a cross-site scripting flaw that, according to OX Security, let a malicious web page enumerate files in the root of a developer’s machine and exfiltrate credentials, access keys, and other secrets. The researchers reported the issue to Microsoft on August 7. Microsoft initially rated it as low severity, citing required user interaction. “However, on September 11, 2025 — without notifying us — Microsoft quietly released a patch addressing the XSS security issues we reported. We only recently discovered that this patch had been deployed,” the researchers added. No CVE was assigned to this vulnerability. “Users with Live Preview installed should update to version 0.4.16 or later immediately,” the researchers suggested. Microsoft did not immediately respond to a request for comment.
Taken together, the four flaws pointed to a broader problem with how developer tools are secured and maintained.
What security teams should do
“These vulnerabilities confirm that IDEs are the weakest link in an organization’s supply chain security,” the researchers at OX Security said in the advisory. Developer workstations routinely hold API keys, cloud credentials, database connection strings, and SSH keys. OX Security warned that a successful exfiltration from a single machine could give an attacker access to an organization’s broader infrastructure and that the risks extended to lateral movement and full system takeover. The researchers advised developers to disable extensions not actively in use and avoid browsing untrusted sites while localhost servers are running. They also cautioned against applying configuration snippets from unverified sources to VS Code’s global settings. View the full article