CSOonline

A newly discovered botnet is compromising poorly-protected Linux servers by brute-forcing weak SSH password login authentication. Researchers at Canada-based Flare Systems, who discovered the botnet, got into its staging server and believe at least 7,000 servers had been compromised by the end of January, half of them in the US. The botnet’s weapons include exploits for unpatched Linux vulnerabilities going back as far as 2009. The researchers describe the botnet, dubbed SSHStalker, as “a sophisticated operation that blends 2009-era Internet Relay Chat (IRC) botnet tactics with modern mass-compromise automation.” It has a “stitched together botnet kit” that executes fileless malware, rootkits, log cleaners and a wide array of kernel exploits. Among other things, it harvests AWS credentials. The researchers call SSHStalker a “scale-first operation that favors reliability over stealth.” However, so far the botnet hasn’t done much other than maintaining persistence on infected machines. It has the ability to launch DDoS (distributed denial of service) attacks and conduct cryptomining, but hasn’t done anything yet to monetize its access. That, Flare says, suggests either the operator is still staging the botnet’s infrastructure, is in a testing phase, or is maintaining access for future use. The good news for CSOs, according to Flare cybersecurity researcher Assaf Morag, is that at this point there’s one way to stop this particular botnet cold: Disable SSH password authentication to Linux machines and replace it with SSH-key based authentication, or hide password logins behind a VPN. This change should be accompanied by implementation of SSH brute-force rate limiting, monitoring who is trying to access internet-connected Linux servers, and limiting remote access to servers to specific IP ranges. However, Morag cautioned, right now SSHStalker is looking for Linux servers with weak SSH protection, but at any moment, the operator may add another attack vector, such as an unpatched server vulnerability or misconfiguration. Security fundamentals are key Chris Cochran, SANS Institute field CISO and VP of AI security, said SSHStalker is a reminder that security fundamentals still decide the fight. “Yes, AI is changing the threat landscape. Yes, automation is accelerating attacks. But this campaign proves something simpler and more uncomfortable: Old tricks still work,” he said. “If I’m talking to another CISO today, my advice isn’t ‘buy more AI.’” CSOs and infosec leaders should use this report as an excuse to finally lock in some of the security basics they’ve always wanted to implement, he said. These include killing the use of passwords for logins. “If you are still allowing password-based SSH access in 2026, you are essentially inviting botnets in for coffee,” Cochran said. Infosec leaders should either move to key-based authentication, or to solutions with short-lived credentials or identity-aware proxies. Second, they need to aggressively inventory their IT assets, given the old rule, ‘You cannot protect what you don’t know exists.’ Most of the thousands of systems hit by SSHStalker were forgotten servers, he said. Third, infosec leaders have to realize the real problem in their environments is security debt: The backlog of unpatched systems, the lingering known vulnerabilities, and the ‘we’ll get to it next quarter’ backlog. “Those are what get exploited,” he said. “We need to stop chasing the 1% cool threats until we’ve solved the 99% boring ones.” Dave Lewis, global advisory CISO at 1Password, added that infosec leaders should make sure there are no compilers on production servers, and that build tools are only on designated build hosts. There should be alerts on IRC-like traffic, and, on Linux servers, cron/systemd integrity monitoring, especially for ‘runs every minute’ patterns. Finally, because SSHStalker looks for older Linux machines, admins should have a legacy Linux eradication plan prioritizing the unhooking of machines with any version of Linux kernel 2.6, because these servers are being targeted. How it was discovered Discovery of SSHStalker came after Flare created an SSH honeypot with intentionally weak credentials at the beginning of this year, to see what happened. While the majority of attacks came from known threat actors, there was a distinct cluster from one source with no similar execution flow or prior indicators of compromise. After getting into a Linux machine, the malware creates a backdoor with its own SSH key to maintain access. It also installs a binary that scans port 22 for servers with unprotected SSH, trying to find other new and vulnerable servers. The payload also contains several C scripts, including the Linux gcc (the GNU Compiler Collection) for compiling and running malware. This stage is “loud,” Morag said, so defenders should note it can be detected with an application that looks for abnormal server behavior. Secondary payloads in a zip file include an IRC (internet relay chat) bot for communicating with a command and control server. Other stages install malware that runs in memory. “This entire execution chain is very loud,” Morag said. “they don’t need to do all of it. I guess what they are trying to do is run on Internet-of-Things [devices], but also on commercial servers.” It also suggests that the operator is still in the early stage of building the botnet, he said. But the report also says the IRC components could be used to hide activity, through things like included random chat phrases. “This strongly suggests the bot was configured not only for control, but also for behavioral camouflage,” says the report, by generating human-like noise in IRC channels to obscure real operator activity or to make automated presence appear organic. “This tactic is consistent with legacy botnet operational tradecraft, where blending into public channels reduced suspicion while still allowing operators to issue commands via private messages, DCC (direct client-to client) sessions, or linked bot networks,” the report says. The malware hunts for older Linux kernels, including versions 2.6.18, 2.6.18-164, 2.6.31, and 2.6.37. This would include roughly up to 3% of internet-facing Linux servers, Flare estimates. But it could be as much as 10% in what Flare calls long-tail environments like legacy hosting providers, abandoned VPS images, outdated appliances, industrial/OT gear, or niche embedded deployments. The kernel exploit inventory includes 16 different CVEs, five dating back to 2009 and three to 2010. Judging by the components of the malware, the operator likely understands kernel version fingerprinting, privilege escalation chaining, and mass exploitation workflows, even if they are not developing novel exploits, the report says. Advice for infosec leaders In addition to disabling SSH password authentication, the report recommends that infosec leaders: set up alerts triggered when non-system processes attempt to modify login accounting records. remove compilers from production images if possible; allow toolchain execution only in controlled build environments; enforce egress filtering based on business need; use an anti-virus scanner to pick up binaries dropped by SSHStalker; monitor for unauthorized execution of gcc; set up alerts when compilers run from user directories, /tmp or /dev/shm; set up alerts when newly-compiled binaries execute within seconds or minutes of creation; set up alerts on servers to detect communication with unknown external chat or relay infrastructure. View the full article

That handy ‘Summarize with AI’ button embedded in a growing number of websites, browsers, and apps to give users a quick overview of their content could in some cases be hiding a dark secret: a new form of AI prompt manipulation called “AI recommendation poisoning.” So says Microsoft, which this week released research on a currently legal but extremely sneaky AI hijacking technique that appears to be spreading like wildfire among legitimate businesses. While most ‘Summarize with AI’ buttons are exactly what they seem to be – a time-saving way to generate a summary of a website or document – a small but growing number appear to have strayed from that purpose. Here’s how the manipulation works: a user innocently clicks on a website Summarize button. Unbeknownst to them, this button also contains a hidden prompt telling the user’s AI agent or chatbot to favor that company’s products in future responses. The same instruction can also be concealed in a specially crafted link sent to a user in an email. Microsoft highlights how this tactic could be used to skew enterprise product research without that bias being detected before it influences decisions. Over a two-month period, its researchers identified 50 examples of the technique being deployed by 31 different companies in dozens of industry sectors, including finance, health, legal, SaaS, and business services. In an ironic twist, this even included an unnamed vendor in the security sector. The technique is widespread enough that, last September, MITRE added it to its list of known AI manipulations. AI leverages user preferences AI recommendation poisoning is made possible by user AIs that are designed to ingest and remember prompts as signals of the user’s preferences; if the user says that they favor something, the AI will helpfully remember that preference as part of its profile for that user. Unlike prompt injection, in which an attacker manipulates an AI using a one-off instruction, recommendation poisoning has the added advantage of achieving longer-term persistence across future prompts. The AI, of course, has no way of distinguishing genuine preferences from those injected by third parties along the way: “This personalization makes AI assistants significantly more useful. But it also creates a new attack surface; if someone can inject instructions or spurious facts into your AI’s memory, they gain persistent influence over your future interactions,” said Microsoft. To the user, everything will seem normal, except that, behind the scenes, the AI keeps pushing the bogus or poisoned responses when they ask it questions in a relevant context. “This matters because compromised AI assistants can provide subtly biased recommendations on critical topics including health, finance, and security without users knowing their AI has been manipulated,” said the researchers. Pushing falsehoods A factor driving the recent popularity of recommendation poisoning appears to be the availability of open-source tools that make it easy to hide this function behind website Summarize buttons. This raises the uncomfortable possibility that poisoned buttons aren’t being added as an afterthought by SEO developers who get carried away. More likely, the intention from the start is to contaminate users’ AIs as a form of self-serving marketing. In Microsoft’s view, the dangers go beyond over-zealous marketing, and could just as easily be used to push falsehoods, dangerous advice, biased news sources, or commercial disinformation. What’s certain is that if legitimate companies are abusing the feature, cybercriminals won’t be shy about using it too. The good news is that the technique is relatively easy to spot and block, even if you don’t use Microsoft’s Microsoft 365 Copilot or Azure AI services, which the company says contain integrated protections. For individual users, this involves studying the saved information a chatbot has accumulated (how this is accessed varies by AI). For enterprise admins, in contrast, Microsoft recommends checking for URLs containing phrases such as ‘remember,’ ‘trusted source,’ ‘in future conversations,’ ‘authoritative source,’ and ‘cite or citation.’ None of this should be surprising. Once, URLs and file attachments were seen as convenient rather than inherently risky. AI is simply following the same path that every new technology must endure as it moves into the mainstream and becomes a target for misuse. As with other new technologies, users should educate themselves on the dangers posed by AI. “Avoid clicking AI links from untrusted sources: Treat AI assistant links with the same caution as executable downloads,” Microsoft recommended. This article originally appeared on CIO.com. View the full article

A financially motivated threat actor tracked as UNC1609 is using a ClickFix-style social engineering campaign to deploy multiple macOS malware families against crypto-focused organizations. According to new research from Google Cloud’s Mandiant, the activity recently targeted an employee at a company operating in the cryptocurrency and decentralized finance (DeFi) sector. The researchers said that the North Korea-linked UNC1069 used a social engineering chain that involved a hijacked Telegram account, a fake Zoom meeting, a ClickFix-style command execution, and the reported use of AI-generated video to deceive the victim. By impersonating a known industry contact and staging a fake video meeting, the threat actor convinced the victim to execute malicious terminal commands on a macOS system manually. ClickFix as initial access The attack began with the victim being contacted via Telegram from a compromised account belonging to a legitimate industry executive. After establishing credibility, the attacker invited the target to a video meeting hosted on infrastructure controlled by the threat actor. During the meeting, the victim reportedly saw what appeared to be a recognizable individual from the cryptocurrency industry. Researchers assessed that the video may have been artificially generated or manipulated to reinforce legitimacy. Shortly after the call began, the attacker claimed there were audio issues and instructed the victim to perform troubleshooting steps. These steps included copying and pasting commands into the macOS Terminal. One command used “curl” piped into “zsh”, effectively downloading and executing a remote script. That action initiated the infection chain. Mandiant said it observed similar tactics outside of this attack. “The recovered web page provided two sets of commands to be run for “troubleshooting”: one for macOS systems, and one for Windows systems,” the researchers noted. “Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives.” UNC1069 is known to use tools like Google Gemini to develop tooling, conduct operational research, and assist during reconnaissance stages, they added. Use of specialized, undocumented macOS malware After the ClickFix-triggered access is established, UNC1069 deployed a multi-stage macOS malware stack that Mandiant identified as including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH, among others. Several of these malware families had not been documented publicly before Mandiant’s disclosure. WAVESHAPER functioned as the primary backdoor, establishing remote access and enabling additional payload delivery. HYPERCALL operated as a downloader, retrieving secondary components such as HIDDENCALL, which provided further command execution capabilities. This staged deployment allowed the threat actor to expand control over the compromised macOS system in phases rather than dropping a single large payload. DEEPBREATH, a Swift-based infostealer, focused on harvesting sensitive data from the host. According to the researchers, it manipulated Apple’s Transparency, Consent, and Control (TCC) framework to access protected resources without prompting the user. That enabled the collection of browser data, keychain material, and messaging content. CHROMEPUSH, meanwhile, targeted browser environments, including session cookies and authentication tokens. The researchers also observed abuse of macOS security mechanisms, including functionalities on Apple’s XProtect system. Instead of disabling protections right away, the malware leveraged trusted system components and expected behaviors to reduce detection visibility. Mandiant stated that the use of a custom, integrated tool suite indicated UNC1069’s technical proficiency in specialized capabilities and security bypass. It provided a list of network-based and host-based indicators of compromises (IOCs) to support detection efforts. Additionally, the disclosure included a set of YARA rules that are also supported in Google SecOps. View the full article

Google has secured unconditional EU antitrust approval for its $32 billion acquisition of cloud security firm Wiz, clearing a major regulatory hurdle and paving the way for one of the largest cybersecurity acquisitions to date. The decision removes a key uncertainty for enterprise customers and positions Google Cloud to aggressively expand its security portfolio as competition intensifies with AWS and Microsoft in multicloud environments. “The Commission found that there are several credible competitors that customers could switch to if Google were to bundle Wiz’s multi-cloud security platform with its existing products, or in case Wiz’s platform no longer worked with clouds other than Google’s,” the European Commission said in a statement. The Commission said it also examined whether the acquisition would give Google access to commercially sensitive data from rival cloud providers that integrate with Wiz, but concluded that the information involved is not commercially sensitive and is generally accessible to other security software vendors. Security reshapes cloud dynamics Cybersecurity remains one of the most complex and fragmented areas of enterprise IT, with many organizations relying on multiple point solutions rather than a unified, end-to-end security architecture. Analysts say the real fight in cloud computing is moving beyond infrastructure and into the control layer, where whoever has the clearest view of risk across environments holds the advantage. “Compute, storage, and network scale are no longer sufficient differentiators at the enterprise board level,” said Sanchit Vir Gogia, chief analyst at Greyhound Research. “The real leverage now sits in who owns visibility across workloads, identities, entitlements, exposure paths, and increasingly AI pipelines.” The acquisition positions Google as a vertically integrated cloud and AI cybersecurity provider that can give enterprises access to a more unified platform. But what the company does next is crucial, according to Neil Shah, VP for research at Counterpoint Research. “The next step is how Google intertwines its current capabilities, such as Google Vertex AI Studio, with Wiz’s ‘Security Graph’ to enable enterprise developers to build a dynamic, real-time, and autonomous security layer,” Shah said. Other analysts view the transaction as part of a broader structural shift in how hyperscalers embed security within their ecosystems. “The acquisition signals the end of the best-of-breed era for cloud security and the beginning of Hyperscaler-led multicloud,” said Pareekh Jain, CEO of Pareekh Consulting. “It suggests that major cloud providers effectively own the security layer, even for their competitors’ environments. Cloud security is evolving from siloed tools into platform-level infrastructure, and hyperscalers are now competing not just on compute or storage but on unified security across ecosystems.” Risks for enterprises Jain said that while Wiz’s core value proposition is built on cloud neutrality, ownership by Google changes the strategic incentives. “In theory, Wiz can remain cloud-agnostic, as its value proposition is grounded in neutral visibility across clouds,” Jain said. “However, under Google ownership, the incentives change. Tighter integration with Google Cloud could be prioritized, and features that differentiate against AWS or Azure may receive less focus.” EU regulators concluded the deal would not meaningfully lessen competition, but analysts caution that deeper vertical integration could still anchor enterprises more tightly within Google’s platform stack, increasing long-term switching costs. “For CIOs and CISOs, this acquisition fundamentally alters the risk calculation of using third-party security tools,” Jain said. “Enterprises heavily invested in AWS or Azure may start looking for a new independent security layer, e.g., CrowdStrike, Palo Alto Networks, to avoid dealing with Google.” Lock-in extends beyond data portability to the underlying technical architecture, according to Gogia. He noted that flexibility decreases as organizations optimize their remediation playbooks and alert taxonomies for a specific provider’s telemetry or integrate AI governance tools natively with a single cloud’s model ecosystem. View the full article

In my recent articles for CSO, I’ve talked about the limits of current SOC models and the importance of rehearsal. This time, I want to focus on something that’s becoming increasingly clear: purple teaming has lost its depth. We’ve turned one of the most powerful tools for resilience into a transactional exercise that feels reassuring but reveals very little about how an organization will cope when the pressure is real. Care and attention have become rare assets in our world. Distraction dominates both the consuming and supply sides of cybersecurity. Clients are pulled into complexity and novelty, while services providers are pulled into deadlines and deliverables. Meanwhile, attackers — increasingly powered by AI — are becoming faster, quieter, and more determined. When threats accelerate, surface-level testing is no longer enough. The absence of findings is not the absence of risk I’ve seen this pattern everywhere: a purple team engagement produces a set of impressive outcomes. The report looks good. Findings correlate with expectations. Leadership feels reassured. But a result is often treated as the result, as if the absence of findings means the absence of risk. This is a flaw. The industry’s default approach is shaped by time pressure, commercial constraints, and scopes that are too narrow. None of this is malicious, it’s simply how the system has evolved. Providers deliver what they’re contracted to deliver, and clients take the report as a sign of depth. Omissions, often caused by time pressure or lack of mental space, are invisible. And invisible omissions are the most dangerous kind. Two clients who “shouldn’t have been breakable” Recently, we worked with two extremely mature organizations. On paper, both looked close to unbreakable. Instead of running a standard purple team, we co-designed the engagement with them. We looked at the problem as a determined attacker would, and we shared tacit knowledge openly, both our own and theirs. Crucially, everyone involved had visibility into the controls in place. It was a genuine cyber security partnership, not an audit. And both organisations were compromised — deeply — with almost no sign of compromise. In one case, there was a single indicator of compromise: “domain admin.” Nothing about how it happened. Nothing about what to do next. No instinctive or automated response. Just a light turning red with no playbook behind it. In the other case, the SOC detected multiple signals but never acted in time. Detection without action is just noise. The experience was humbling. And it forced a blunt question: “You saw us. So what?” That’s the real test. Not whether the SOC sees something. Whether it does something — fast enough and accurately enough — to stop the damage. Standard purple teaming can’t get you there Purple teaming should be the discipline that reveals these realities, but the current model rarely does. Service providers tend to focus on the bypass, the exploit, the “win.” Clients focus on closing tickets, finishing the engagement, and getting the report. Neither mindset creates the space needed for deep thinking. Had we rushed through our work we would never have found what we did. Time pressure shapes outcomes more than most organizations realize. When testing is constrained by a standard 9–5, it limits how far teams can explore the conditions that lead to real compromise. Resilience is the “brake” moment Imagine you’re driving, and you see the car ahead braking suddenly. Awareness helps, but it’s your immediate reaction that avoids the collision. Insurance plans don’t matter at that moment. Nor do compliance reports or dashboards. Only vigilance and rehearsal matter. Cyber resilience works the same way. You can’t build the instinct required to act by running one simulation a year. You build it through repetition. Through testing how specific scenarios unfold. Through examining not only how adversaries get in, but also how they move, escalate, evade, and exfiltrate. This is the heart of real purple teaming. AI didn’t help either organisation Both clients had AI embedded in their SOCs. And it made no difference. AI can accelerate analysis, but it can’t replace intuition, design, or the judgment required to act. If the organization hasn’t rehearsed what to do when the signal appears, AI only accelerates the moment when everyone realises they don’t know what happens next. This is why so much testing today only addresses opportunistic attacks. It cleans up the low-hanging fruit. But if organized crime wanted these organisations, they would have had them. And that’s not an easy sentence to write. A model that creates false confidence The standard testing model traps everyone involved: One-off tests create false confidence. Scopes limit imagination. Time pressure eliminates depth. Commercial structures discourage collaboration. Tooling gives the illusion of capability. Compliance encourages the appearance of rigour instead of the reality of it. This is why purple teaming often becomes “jump out, stabilize, pull the chute, roll on landing.” But what about the hard scenarios? What about partial deployments? What about complex failures? That’s where resilience is built. And today, resilience is the only meaningful metric. New mindset: slow, consistent, engaged, outcome-driven In my experience, purple teaming that works requires: Co-ownership of the mission. Tacit knowledge shared on both sides. Full visibility into controls. Scenarios designed, not bought. Repetition and rehearsal. Space for thinking. Disciplined simplicity. A focus on the “so what,” not the bypass. This is systems thinking. Engineering. Psychology. It is, in every sense, harder work than the standard model. But the seemingly impossible becomes possible when both sides push each other, and when the aim is not to produce a report but to reveal reality. Purple teaming is about getting in, sure. But it’s also about what happens after that. Without a different approach, focused on consistency and outcomes, organizations will keep passing tests while failing in practice. View the full article

In 2026, the cybersecurity industry is expected to cross a threshold it has never reached before: More than 50,000 publicly disclosed software vulnerabilities in a single year. According to a new forecast from the Forum of Incident Response and Security Teams (FIRST), the median projection for 2026 is roughly 59,000 Common Vulnerabilities and Exposures (CVEs). Under more extreme — but plausible — scenarios, that number could climb far higher, reaching nearly 118,000, more than double the estimated 48,000 or so CVEs reported in 2025. But security researchers and data scientists caution that numbers tell only part of the story. Historically, only a small fraction of disclosed vulnerabilities is ever exploited in the wild, and an even smaller subset meaningfully affects most enterprises. “While the number of vulnerabilities goes up, what really matters is which of these are going to be exploited,” Michael Roytman, co-founder and CTO of Empirical Security, tells CSO. “And that’s a different process. It does not depend on the number of vulnerabilities that are out there because sometimes an exploit is written before the CVE is even out there.” What FIRST’s forecast highlights instead is a growing signal-to-noise problem, one that strains already overburdened security teams and raises the stakes for prioritization, automation, and capacity planning rather than demanding that organizations patch more flaws exponentially. Why are flaw numbers rising? FIRST’s forecast reflects structural changes in how vulnerabilities are discovered and disclosed, not a sudden leap in attacker capability. “Some of the classic coordinated vulnerability disclosure teams are producing slightly higher volumes each individually, but we’re also seeing several new entrants to the space that produce a lot,” Éireann Leverett, FIRST liaison and lead member of the organization’s Vulnerability Forecasting Team, tells CSO. The growth also reflects a maturation of vulnerability reporting itself. More organizations now operate as CVE Numbering Authorities, more vendors incentivize disclosure through bug bounty programs, and long-neglected code bases — particularly in open source infrastructure — are receiving sustained scrutiny. In that sense, the surge reflects improved visibility rather than deteriorating software quality. Vulnerabilities that existed for years are now being cataloged, tracked, and measured in ways that were not possible a decade ago. FIRST also adjusted its modeling approach to account for a structural shift in CVE publication that began around 2017, when disclosure volumes started to rise more steeply. Rather than optimizing for a single point estimate, the organization widened its confidence intervals to help security teams plan for a range of outcomes. “We think it’s entirely realistic that this year we reach 70,000 to 100,000 vulnerabilities,” Leverett says, adding that the median forecast remains closer to 60,000 and is intended to support planning rather than alarm. Why raw CVE counts do not equal risk Despite the scale of the forecast, experts stress that vulnerability volume alone is a poor proxy for enterprise risk. “The risk to an enterprise is not directly related to the number of vulnerabilities released,” Empirical Security’s Roytman says. “It is a separate process.” He points to historical data showing that while CVE numbers have risen steadily, exploitation has not followed the same trajectory. In 2025, roughly 48,000 vulnerabilities were disclosed, Roytman says. Of those, fewer than 3,000 had publicly available proof-of-concept exploit code, and only about 700 showed evidence of exploitation in the wild. “The really risky things changed a little bit [over 2024 levels], not quite as much as you would expect from the overall change,” he says. On top of that, many vulnerabilities affect niche software, consumer devices such as cell phones, and other configurations that are not priorities in large enterprise environments. Other vulnerabilities are theoretically exploitable but offer little value to attackers compared with already weaponized flaws that are proven, scalable, and reliable. This pattern has held for years, even as disclosure volumes climbed. The result is a widening gap between the number of vulnerabilities published and the number that matter operationally. A capacity problem, not a crisis Still, the growing volume creates real challenges for defenders. FIRST estimates that roughly 5% of vulnerabilities account for most of the serious risk. As the overall number rises, identifying that critical subset becomes harder. “With all of this extra being produced, finding that 5% might be a little harder, like finding a needle in the haystack,” FIRST’s Leverett says. “It’s about finding the signal in the noise.” For CISOs, the implication is that patching strategies are now more about scaling decision-making processes that were already under strain. “If you’re telling me a machine has to process 100,000 things instead of 50,000 things, that’s not a big deal,” Roytman says. “If you’re telling me a human has to do that, I would panic.” Security teams have not operated at a human scale for years, he adds. The difference now is that the noise floor is rising fast enough to expose weaknesses in prioritization, tooling, and automation. AI is accelerating discovery — not mass exploitation (yet) Much of the anxiety surrounding FIRST’s forecast centers on artificial intelligence, particularly large language models that can audit code at scale. While AI-assisted tools are already increasing the pace of vulnerability discovery, experts caution that discovery and exploitation remain very different problems. Roytman argues that while AI has made it easier to enumerate flaws, attackers still face economic and operational constraints. “If it were that easy, they’d be doing it to the 50,000 we saw last year,” he says. “Instead, exploitation remains concentrated on a relatively small set of vulnerabilities that are proven, scalable, and valuable.” At the same time, defenders are using the same techniques to manage the flood. Machine-learning models trained on exploitation data increasingly help security teams determine which vulnerabilities are likely to matter — and which can safely be deprioritized. “The same tools that are enabling discovery at scale are also enabling defenders to filter signal from noise at scale,” Roytman adds. What CISOs should do to manage the CVE flood? Absent the ability to hire their way out of the problem, most organizations will need to rely on more pragmatic measures, such as: Double down on prioritization. Exploitation likelihood, asset context, and business impact matter far more than raw (CVSS Common Vulnerability Scoring System) scores. Automate triage aggressively. Human review should be reserved for a small, high-confidence subset of vulnerabilities. Plan for ranges, not point estimates. FIRST’s confidence intervals are designed to support capacity planning, not prediction. Expect more noise, not more attackers. Disclosure is accelerating faster than exploitation. “There’s no need to panic,” Roytman says. “But there is a need to be strategic.” Stress on the vulnerability ecosystem The forecast also raises questions about the sustainability of the broader vulnerability ecosystem, including MITRE, which produces CVEs under contract with the Cybersecurity and Infrastructure Security Agency (CISA), the National Vulnerability Database administered by the National Institute of Standards and Technology, and CVE Numbering Authorities (CNAs) — organizations authorized to assign CVEs — already struggling with backlogs. Sasha Romanosky, a senior policy researcher at RAND, tells CSO the system is more likely to degrade gradually than collapse outright under the weight of a spiraling number of CVEs. “I don’t think it would cause anything to break,” Romanosky says. “They just wouldn’t get processed. Lots of vulnerabilities would be ignored.” That dynamic could shift more responsibility toward software vendors and CNAs, many of whom already face capacity constraints of their own. Distributing more of the enrichment and prioritization work downstream may help in the short term — but only if automation improves alongside it. “The system isn’t fragile,” Romanosky says. “It’s constrained.” In practice, that could mean growing queues, uneven data quality, and greater reliance on private-sector tooling to compensate for delays in public databases. The result is not necessarily higher risk, but greater fragmentation, particularly for organizations without mature vulnerability management programs. The cybersecurity industry is not facing an explosion of exploitable weaknesses so much as an explosion of information. For CISOs, success in 2026 will depend less on reacting faster and more on deciding better — using automation and context to ensure that rising vulnerability counts do not translate into rising risk. “It hasn’t been a human-scale problem for some time now,” Roytman says. The challenge ahead is making sure it does not become an unmanageable one. View the full article

IDG Der Security-Anbieter Malwarebytes hat kürzlich vor einer besonders perfiden Phishing-Kampagne gewarnt. Die Angreifer tarnen dabei ihre Malware als gewöhnliches PDF-Dokument. Mitarbeiter sind es gewohnt, Bestellungen oder Rechnungen im PDF-Format zu erhalten. Daher ist es sehr wahrscheinlich, dass die schädlichen Dateien geöffnet werden. Klickt ein Mitarbeiter auf die Datei, wird ein Remote-Access-Trojaner namens AsyncRAT ausgeführt. Auf diese Weise können die Angreifer die Kontrolle über die Firmenrechner übernehmen. Die Phishing-E-Mails enthalten jedoch keine direkten Dokumentenanhänge, sondern Links zu einer Datei im IPFS (InterPlanetary File System). Dabei handelt es sich um ein dezentrales Speichernetzwerk, das zunehmend von Cyberkriminellen genutzt wird. Der Zugriff erfolgt über gängige Web-Gateways. Die Datei der Angreifer ist eine virtuelle Festplatte, die beim Öffnen als lokales Laufwerk eingebunden wird und so einige Windows-Sicherheitsfunktionen umgeht. Im Inneren der Datei befindet sich eine Windows-Skriptdatei (WSF), die vorgibt, die erwartete PDF-Datei zu sein. Beim Öffnen führt Windows den darin enthaltenen Code aus, was den Angriff von außen ermöglicht. Zum Schutz vor solchen Angriffen sollten Organisationen Windows so konfigurieren, dass Dateierweiterungen angezeigt werden, rät Malwarebytes Labs in einem Blogbeitrag. (jm) View the full article

Roman Samborskyi | shutterstock.com Lösungen im Bereich Breach & Attack Simulation (BAS) unterstützen Unternehmen dabei, ihr Sicherheitsniveau zu verstehen. Dazu automatisieren die Tools die Tests spezifischer Bedrohungsvektoren. Als Grundlage dienen dabei in der Regel das MITRE-ATT&CK– oder Cyber-Killchain-Framework. BAS-Produkte simulieren zum Beispiel: Netzwerkangriffe und Infiltrationsversuche, Lateral Movement, Phishing, Endpunkt- und Gateway-Attacken, Malware- und Ransomware-Angriffe sowie Insider-Bedrohungen. Breach & Attack Simulation eingeordnet Breach & Attack Simulation kann Red Teaming, Penetration Testing oder auch Attack Surface Assessments (ASA) ergänzen, unterscheidet sich aber deutlich von diesen Maßnahmen. Stellen Sie sich vor, Ihr Unternehmen wäre eine Villa: Beim Red Teaming oder Penetration Testing beauftragen Sie jemanden, in Ihr Anwesen einzubrechen und Ihren Safe auszuräumen. Das Ziel: potenzielle Zugangsmöglichkeiten aufzudecken. Breach & Attack Simulation ist hingegen, als würden Sie sämtliche Schlösser an den Türen auf Funktionstüchtigkeit prüfen und sicherstellen, dass die installierten Security-Kameras auch entsprechend reagieren, wenn sie Personen erkennen. Das Ziel: sichergehen, dass alle Kontrollmaßnahmen wie vorgesehen funktionieren. Während sich BAS dabei auf Enterprise-Security-Kontrollen wie EDR fokussiert, werden beim Attack Surface Assessment sämtliche potenziellen Schwachstellen und Angriffsvektoren untersucht. Das Analystenhaus Gartner fasst diese Technologien in der breiteren Kategorie “Exposure Management” zusammen. Laut den Analysten sind Lösungen im Bereich Breach & Attack Simulation vor allem in stark regulierten Branchen wie dem Banken- und Versicherungsumfeld gefragt, die mit wachsenden Compliance-Anforderungen konfrontiert sind. Diese Einschätzung kann Ilja Rabinovich, Director of Adversarial Tactics beim Sicherheitsanbieter Sygnia, nur bestätigen: “BAS-Produkte sind in der Regel teuer und werden von kleineren Unternehmen mit begrenztem Budget oder eingeschränkter Prozesslandschaft nicht angeschafft.” Der Markt für Breach & Attack Simulation Tools Die Auguren von Gartner prognostizieren, dass sich mehr als 40 Prozent aller Unternehmen bis zum Jahr 2026 auf konsolidierte Plattformen oder Managed Service Provider verlassen werden, wenn es um Validierungsprüfungen im Bereich Cybersecurity geht. Entsprechend breit aufgestellt präsentiert sich die BAS-Anbieterlandschaft: Sowohl Standalone-Anbieter als auch große Security-Unternehmen und Service Provider wollen ihre BAS-Lösungen an den Kunden bringen. Chirag Mehta, Analyst bei Constellation Research, sieht dabei eine weitergehende Konsolidierung des Marktes am Horizont: “Wenn Sie ein Tool haben, das Angriffe simulieren kann, ist der nächste logische Schritt, diese Attacken zu verhindern. Das erfordert allerdings, eine Reihe verschiedener Tools zu integrieren, was kein Kinderspiel ist.” Ein wachsender Trend in diesem – wie auch allen anderen Bereichen der IT-Sicherheit – ist der Einsatz von Generative AI (GenAI). Erik Nost, Analyst bei Forrester Research, sieht diese Entwicklung positiv: “Vermutlich werden wir generative KI als erstes im Bereich des User Interface im Einsatz sehen. Mit Daten auf coole Art und Weise interagieren zu können, ist der neue GenAI-Use-Case.” Der Analyst hält es auch für möglich, dass KI künftig auf der Basis von Daten – oder den für die Benutzer respektive das Unternehmen relevantesten Angriffsarten – Bedrohungen modelliert. Er fügt hinzu: “Generative KI könnte außerdem auch eingesetzt werden, um Unternehmen dabei zu helfen, die von BAS gefundenen Probleme zu verstehen, entsprechende Prioritäten zu setzen und spezifische Abhilfemaßnahmen vorzuschlagen.” Das sollten BAS-Lösungen leisten Auf folgende wichtige Features sollten Anwender bei Breach & Attack Simulation Tools achten: Repräsentative Angriffsvektoren, um ein möglichst breites Spektrum an für das Unternehmen relevanten Angriffen simulieren zu können. Realistische Angriffsszenarien auf Grundlage von Frameworks wie MITRE ATT&CK, die denen echter Angreifer ähneln. Anpassbare Szenarien, um spezielle Infrastrukturaspekte testen zu können. Automatisierte Tests, um regelmäßige und effiziente Simulationen zu realisieren, ohne den Betrieb zu beeinträchtigen oder zusätzliche personelle Ressourcen einzusetzen. Detaillierte Reportings und Analysen, um die Bedeutung der Tests erklären und verbesserungswürdige Bereiche identifizieren zu können. Skalierbarkeit, um nicht nur die aktuelle Unternehmensumgebung, sondern auch künftige Entwicklungen abdecken zu können. Testmöglichkeiten für hybride Produktionsumgebungen, um Kontrollmaßnahmen unter realen Bedingungen begutachten zu können. Einfache Nutzung und simple Deployment-Optionen, sowie Integrationsmöglichkeiten mit vorhandenen Security-Tools und -Plattformen. Fachkundiger Support – insbesondere, wenn Sie mit Breach & Attack Simulation Tools nicht vertraut sind oder keine größeren Sicherheitsteams mit entsprechenden Erfahrungswerten einsetzen können. Eine geeignete Kostenstruktur, da die Preismodelle von BAS-Anbietern in der Regel variieren. Die Preisstruktur sollte dem Anwendungsfall angemessen sein. Die wichtigsten Anbieter für Breach & Attack Simulation Tools Im Folgenden werfen wir einen Blick auf die wichtigsten Anbieter – und ihre Lösungen – im Bereich Breach & Attack Simulation. Die Auswahl basiert dabei auf Kundenrezensionen aus Gartners Peer-Insights-Ranking sowie den Einschätzungen der Spezialisten von Expert Insights. AttackIQ Laut Expert Insights repliziert die zentrale Emulationsplattform von AttackIQ die Taktiken, Techniken und Methoden von Angreifern im Einklang mit dem MITRE-ATT&CK-Framework. Das Angebot des Unternehmens im Bereich Breach & Attack Simulation gliedert sich in drei Optionen: Die Managed Platform “Ready!” soll Unternehmen schneller und einfacher zu einer konsistenten Security-Validation-Strategie verhelfen. Der agentenlose Testing Service “Flex” funktioniert On Demand und wird im Pay-as-you-Go-Modell oder auch auf monatlicher sowie jährlicher Basis abgerechnet. Bei “Enterprise” handelt es sich um einen umfassenden Co-Managed-Service. AttackIQ hat sich zudem einen Namen gemacht, wenn es darum geht, ML- und KI-basierte Cybersecurity-Komponenten zu testen. Nach eigener Aussage ist das Unternehmen zudem der einzige BAS-Anbieter, der sowohl Self-Service- als auch Full-Service-Lösungen anbietet. Künftig soll künstliche Intelligenz Attack-IQ-Kunden außerdem verstärkt dabei unterstützen, Sicherheitslücken automatisiert zu identifizieren und zu beheben. Cymulate Cymulate gehört nicht nur laut Expert Insights zu den führenden Anbietern für Continuous Threat Exposure Management, sondern ist auch der Anbieter mit den besten Kundenbewertungen bei Gartners Peer Insights – auch dank der guten User Experience. Die “Breach and Attack (BAS)”-Lösung von Cymulate wird im SaaS-Modell bereitgestellt. Für Unternehmen mit Data-Segregation-Bedürfnissen steht auch eine Private-Tenancy-Option zur Verfügung. Wie AttackIQ verwendet Cymulate das MITRE ATT&CK Framework als Grundlage. Laut dem Anbieter dauert es derzeit circa drei bis vier Wochen, um die Integrationen einzurichten und sein BAS-Tool einzusetzen. Diesen Zeitraum möchte Cymulate künftig mit Hilfe von Generative AI auf wenige Minuten reduzieren. Doch die GenAI-Pläne des Anbieters gehen noch weiter: Die Technologie soll künftig automatisiert aus Tausenden oder gar Hunderttausenden verschiedenen Angriffsszenarien Mitigationsstrategien entwickeln können – und den Security-Teams erklären, wie diese umzusetzen sind. Die GenAI-Funktionen sollen laut Cymulate bis Ende Oktober 2024 in vollem Umfang zur Verfügung stehen. Fortinet In Sachen Kundenbewertungen kann das BAS-Offering von Fortinet nicht ganz mit den ersten beiden Angeboten mithalten. Allerdings kombiniert “FortiTester” Breach & Attack Simulation mit Netzwerk-Performance-Testing und stellt insofern eine umfassende Lösung dar. Das Fortinet-Tool simuliert diverse Angriffsarten auf Grundlage des MITRE-ATT&CK-Frameworks und unterstützt laut Expert Insights außerdem CVE-basierte IPS-Tests, sowie DDoS Traffic Generation. Mandiant Security-Anbieter Mandiant ist in erster Linie für seine Dienstleistungsangebote im Bereich Threat Intelligence bekannt. Die Expertise in diesem Bereich lässt das Unternehmen auch in seine BAS-Softwarelösung “Security Validation” einfließen – und hebt sich dadurch von seinen Mitbewerbern ab. Das Mandiant-Tool unterstützt zum Beispiel MITRE ATT&CK Framework Mapping, automatisiertes Alerting sowie Environmental Drift Detection und simuliert Angriffsszenarien aus der echten Welt. NetSPI In Sachen Penetrationstests hat sich NetSPI bereits einen Namen gemacht. Das Unternehmen hat mit “Breach and Attack Simulation” ebenfalls eine BAS-Lösung im Angebot, die Sicherheitskontrollen validieren, Detection-Lücken identifizieren und Angriffsflächen managen kann. Das Pentesting-Knowhow von NetSPI manifestiert sich dabei insbesondere in umfassenden Support, wie Derek Wilson, leitender Security-Berater des Unternehmens, verspricht: “Unser erfahrenes Pentester-Team schließt sich mit Ihrem SOC-Team kurz und unterstützt dabei, Detections einzuordnen und Präventionsmaßnahmen zu ergreifen.” Auch bei NetSPI soll künftig Generative AI Mehrwert für die BAS-Kunden erschließen: Künftig soll die Lösung des Anbieters dank der Technologie in der Lage sein, mehrere Datenquellen zu nutzen, um die nötigen Tests möglichst schnell zu identifizieren und zu priorisieren. Darüber hinaus stehen auch Playbooks, die auf Basis von Bedrohungsinformationen für spezifische Industrien generiert werden sowie die Simulation dynamischer Angriffsketten, um Abdeckungslücken zu identifizieren, auf dem Plan. Picus Security Auf Grundlage der Gartner Peer Insights ist Picus Security der BAS-Anbieter mit der zweithöchsten Kundenzufriedenheit und wurde von den Auguren mit einem “Customers Choice”-Award ausgezeichnet. Nach eigenen Angaben zählt Picus Hunderte von globalen Unternehmen zu seinen Kunden, darunter beispielsweise Mastercard oder die ING-Bankengruppe. Die “Security Validation“-Plattform des Anbieters beinhaltet Breach & Attack Simulation, unterstützt darüber hinaus allerdings auch automatisierte Penetrationstests und Attack Surface Management sowie SOC-Optimierung und Cloud Security Posture Managenet (CSPM). Auch Picus investiert stark in KI und will künftig mit Hilfe der Technologie bessere, schnellere und umfassender personalisierte Einblicke in das Sicherheitsniveau der Anwender liefern. Redscan Weil Redscan auf Managed Detection and Response sowie Penetration Testing spezialisiert ist, bietet das Unternehmen einen praxisorientierten BAS-Ansatz namens “FAST Attack Simulations”. Dieser verspricht den Anwendern maßgeschneiderte Angriffssimulationen kombiniert mit Beratungsleistungen, um bei den nachfolgenden Schritten zu unterstützen. Reliaquest Der Anbieter Reliaquest wurde für seine Security-Plattform “GreyMatter” 2023 von Gartner in der Kategorie “Managed Detection and Response” mit einem “Customers Choice”-Award ausgezeichnet. Besonders stark ist diese Lösung im Umfeld mittelständischer Unternehmen verbreitet. Eine Funktion dieser Plattform heißt “Verify” und realisiert Breach & Attack Simulation. Die BAS-Lösung von Reliaquest verspricht Anwendern ein umfassendes Portfolio (kuratierter) Angriffsszenarien, um möglichst zeitnah zu entsprechenden Ergebnissen zu kommen. Diese Szenarien werden zudem laufend auf Grundlage aktueller Threat-Informationen aktualisiert. Die ermittelte Bedrohungsabdeckung gleicht das Tool mit Security-Frameworks wie MITRE ATT&CK ab. Sollten Sie diesen Anbieter ins Auge fassen, behalten Sie eines jedoch im Hinterkopf: Möglicherweise ist es im Sinne einer unabhängigen Überprüfung der Wirksamkeit von Sicherheitsmaßnahmen nicht die beste Idee, denselben Anbieter für BAS und MDR zu wählen. Andererseits könnten Anwender auch von dieser Integration profitieren. SafeBreach Auch der dedizierte BAS-Anbieter SafeBreach kommt bei den Peer Reviews von Gartner gut weg – auch dank seiner umfassenden Integrationsmöglichkeiten mit anderen Security-Tools. Auch in Sachen namhafte Kunden kann SafeBreach mit Netflix, PayPal, Pepsi und der Carlsberg-Gruppe überzeugen. Die BAS-Plattform “SafeBreach” testet die Wirksamkeit bestehender Sicherheitskontrollen auf der Grundlage von mehr als 25.000 Angriffsmethoden, die dem unternehmenseigenen “Hackers Playbook” entstammen. Zudem verspricht der Anbieter, seine Plattform innerhalb von 24 Stunden um neu aufkommende Bedrohungen ergänzen zu können. Neben maßgeschneiderten Angriffssimulationen auf Grundlage des MITRE-ATT&CK-Frameworks bietet die SafeBreach-Lösung auch die Option, die voraussichtlichen Kosten für Risikominimierungsmaßnahmen zu ermitteln. 7 Fragen vor dem BAS-Invest Forrester-Analyst Nost empfiehlt Unternehmen, ihre BAS-Journey mit einem guten Überblick über ihre Systeme und Kontrollmaßnahmen anzutreten und von “Schnellschüssen” abzusehen: “Bevor Sie nicht wissen, was Sie testen sollen, sollten Sie sich auch nicht auf ein BAS-Tool einlassen.” Davon abgesehen empfiehlt es sich, Anbieter von Breach & Attack Simulation Tools mit den richtigen Fragen zu löchern, um vor unschönen Überraschungen verschont zu bleiben. Zum Beispiel: Inwiefern gewährleistet Ihr Produkt verbesserte Detection-Fähigkeiten im Rahmen von Sicherheitskontrollen? Können Tests skaliert und in Produktionsumgebungen gefahren werden – ohne größere Auswirkungen für die Kunden? Wie sehen Ihre Research-Bemühungen mit Blick auf die neueste Bedrohungen aus? Wie oft aktualisieren Sie ihre Threat-Bibliothek? Können Sie anhand eines Beispiels demonstrieren, wie die Simulationsergebnisse präsentiert werden? Sind Ihre Plattformen transparent oder ist nur Black-Box-Testing möglich? Besteht die Option für On-Premises- oder Air-Gapped-Deployments? Sie wollen weitere interessante Beiträge rund um das Thema IT-Sicherheit lesen? Unser kostenloser Newsletter liefert Ihnen alles, was Sicherheitsentscheider und -experten wissen sollten, direkt in Ihre Inbox. View the full article

Roman Samborskyi | shutterstock.com Lösungen im Bereich Breach & Attack Simulation (BAS) unterstützen Unternehmen dabei, ihr Sicherheitsniveau zu verstehen. Dazu automatisieren die Tools die Tests spezifischer Bedrohungsvektoren. Als Grundlage dienen dabei in der Regel das MITRE-ATT&CK– oder Cyber-Killchain-Framework. BAS-Produkte simulieren zum Beispiel: Netzwerkangriffe und Infiltrationsversuche, Lateral Movement, Phishing, Endpunkt- und Gateway-Attacken, Malware- und Ransomware-Angriffe sowie Insider-Bedrohungen. Breach & Attack Simulation eingeordnet Breach & Attack Simulation kann Red Teaming, Penetration Testing oder auch Attack Surface Assessments (ASA) ergänzen, unterscheidet sich aber deutlich von diesen Maßnahmen. Stellen Sie sich vor, Ihr Unternehmen wäre eine Villa: Beim Red Teaming oder Penetration Testing beauftragen Sie jemanden, in Ihr Anwesen einzubrechen und Ihren Safe auszuräumen. Das Ziel: potenzielle Zugangsmöglichkeiten aufzudecken. Breach & Attack Simulation ist hingegen, als würden Sie sämtliche Schlösser an den Türen auf Funktionstüchtigkeit prüfen und sicherstellen, dass die installierten Security-Kameras auch entsprechend reagieren, wenn sie Personen erkennen. Das Ziel: sichergehen, dass alle Kontrollmaßnahmen wie vorgesehen funktionieren. Während sich BAS dabei auf Enterprise-Security-Kontrollen wie EDR fokussiert, werden beim Attack Surface Assessment sämtliche potenziellen Schwachstellen und Angriffsvektoren untersucht. Das Analystenhaus Gartner fasst diese Technologien in der breiteren Kategorie “Exposure Management” zusammen. Laut den Analysten sind Lösungen im Bereich Breach & Attack Simulation vor allem in stark regulierten Branchen wie dem Banken- und Versicherungsumfeld gefragt, die mit wachsenden Compliance-Anforderungen konfrontiert sind. Diese Einschätzung kann Ilja Rabinovich, Director of Adversarial Tactics beim Sicherheitsanbieter Sygnia, nur bestätigen: “BAS-Produkte sind in der Regel teuer und werden von kleineren Unternehmen mit begrenztem Budget oder eingeschränkter Prozesslandschaft nicht angeschafft.” Der Markt für Breach & Attack Simulation Tools Die Auguren von Gartner prognostizieren, dass sich mehr als 40 Prozent aller Unternehmen bis zum Jahr 2026 auf konsolidierte Plattformen oder Managed Service Provider verlassen werden, wenn es um Validierungsprüfungen im Bereich Cybersecurity geht. Entsprechend breit aufgestellt präsentiert sich die BAS-Anbieterlandschaft: Sowohl Standalone-Anbieter als auch große Security-Unternehmen und Service Provider wollen ihre BAS-Lösungen an den Kunden bringen. Chirag Mehta, Analyst bei Constellation Research, sieht dabei eine weitergehende Konsolidierung des Marktes am Horizont: “Wenn Sie ein Tool haben, das Angriffe simulieren kann, ist der nächste logische Schritt, diese Attacken zu verhindern. Das erfordert allerdings, eine Reihe verschiedener Tools zu integrieren, was kein Kinderspiel ist.” Ein wachsender Trend in diesem – wie auch allen anderen Bereichen der IT-Sicherheit – ist der Einsatz von Generative AI (GenAI). Erik Nost, Analyst bei Forrester Research, sieht diese Entwicklung positiv: “Vermutlich werden wir generative KI als erstes im Bereich des User Interface im Einsatz sehen. Mit Daten auf coole Art und Weise interagieren zu können, ist der neue GenAI-Use-Case.” Der Analyst hält es auch für möglich, dass KI künftig auf der Basis von Daten – oder den für die Benutzer respektive das Unternehmen relevantesten Angriffsarten – Bedrohungen modelliert. Er fügt hinzu: “Generative KI könnte außerdem auch eingesetzt werden, um Unternehmen dabei zu helfen, die von BAS gefundenen Probleme zu verstehen, entsprechende Prioritäten zu setzen und spezifische Abhilfemaßnahmen vorzuschlagen.” Das sollten BAS-Lösungen leisten Auf folgende wichtige Features sollten Anwender bei Breach & Attack Simulation Tools achten: Repräsentative Angriffsvektoren, um ein möglichst breites Spektrum an für das Unternehmen relevanten Angriffen simulieren zu können. Realistische Angriffsszenarien auf Grundlage von Frameworks wie MITRE ATT&CK, die denen echter Angreifer ähneln. Anpassbare Szenarien, um spezielle Infrastrukturaspekte testen zu können. Automatisierte Tests, um regelmäßige und effiziente Simulationen zu realisieren, ohne den Betrieb zu beeinträchtigen oder zusätzliche personelle Ressourcen einzusetzen. Detaillierte Reportings und Analysen, um die Bedeutung der Tests erklären und verbesserungswürdige Bereiche identifizieren zu können. Skalierbarkeit, um nicht nur die aktuelle Unternehmensumgebung, sondern auch künftige Entwicklungen abdecken zu können. Testmöglichkeiten für hybride Produktionsumgebungen, um Kontrollmaßnahmen unter realen Bedingungen begutachten zu können. Einfache Nutzung und simple Deployment-Optionen, sowie Integrationsmöglichkeiten mit vorhandenen Security-Tools und -Plattformen. Fachkundiger Support – insbesondere, wenn Sie mit Breach & Attack Simulation Tools nicht vertraut sind oder keine größeren Sicherheitsteams mit entsprechenden Erfahrungswerten einsetzen können. Eine geeignete Kostenstruktur, da die Preismodelle von BAS-Anbietern in der Regel variieren. Die Preisstruktur sollte dem Anwendungsfall angemessen sein. Die wichtigsten Anbieter für Breach & Attack Simulation Tools Im Folgenden werfen wir einen Blick auf die wichtigsten Anbieter – und ihre Lösungen – im Bereich Breach & Attack Simulation. Die Auswahl basiert dabei auf Kundenrezensionen aus Gartners Peer-Insights-Ranking sowie den Einschätzungen der Spezialisten von Expert Insights. AttackIQ Laut Expert Insights repliziert die zentrale Emulationsplattform von AttackIQ die Taktiken, Techniken und Methoden von Angreifern im Einklang mit dem MITRE-ATT&CK-Framework. Das Angebot des Unternehmens im Bereich Breach & Attack Simulation gliedert sich in drei Optionen: Die Managed Platform “Ready!” soll Unternehmen schneller und einfacher zu einer konsistenten Security-Validation-Strategie verhelfen. Der agentenlose Testing Service “Flex” funktioniert On Demand und wird im Pay-as-you-Go-Modell oder auch auf monatlicher sowie jährlicher Basis abgerechnet. Bei “Enterprise” handelt es sich um einen umfassenden Co-Managed-Service. AttackIQ hat sich zudem einen Namen gemacht, wenn es darum geht, ML- und KI-basierte Cybersecurity-Komponenten zu testen. Nach eigener Aussage ist das Unternehmen zudem der einzige BAS-Anbieter, der sowohl Self-Service- als auch Full-Service-Lösungen anbietet. Künftig soll künstliche Intelligenz Attack-IQ-Kunden außerdem verstärkt dabei unterstützen, Sicherheitslücken automatisiert zu identifizieren und zu beheben. Cymulate Cymulate gehört nicht nur laut Expert Insights zu den führenden Anbietern für Continuous Threat Exposure Management, sondern ist auch der Anbieter mit den besten Kundenbewertungen bei Gartners Peer Insights – auch dank der guten User Experience. Die “Breach and Attack (BAS)”-Lösung von Cymulate wird im SaaS-Modell bereitgestellt. Für Unternehmen mit Data-Segregation-Bedürfnissen steht auch eine Private-Tenancy-Option zur Verfügung. Wie AttackIQ verwendet Cymulate das MITRE ATT&CK Framework als Grundlage. Laut dem Anbieter dauert es derzeit circa drei bis vier Wochen, um die Integrationen einzurichten und sein BAS-Tool einzusetzen. Diesen Zeitraum möchte Cymulate künftig mit Hilfe von Generative AI auf wenige Minuten reduzieren. Doch die GenAI-Pläne des Anbieters gehen noch weiter: Die Technologie soll künftig automatisiert aus Tausenden oder gar Hunderttausenden verschiedenen Angriffsszenarien Mitigationsstrategien entwickeln können – und den Security-Teams erklären, wie diese umzusetzen sind. Die GenAI-Funktionen sollen laut Cymulate bis Ende Oktober 2024 in vollem Umfang zur Verfügung stehen. Fortinet In Sachen Kundenbewertungen kann das BAS-Offering von Fortinet nicht ganz mit den ersten beiden Angeboten mithalten. Allerdings kombiniert “FortiTester” Breach & Attack Simulation mit Netzwerk-Performance-Testing und stellt insofern eine umfassende Lösung dar. Das Fortinet-Tool simuliert diverse Angriffsarten auf Grundlage des MITRE-ATT&CK-Frameworks und unterstützt laut Expert Insights außerdem CVE-basierte IPS-Tests, sowie DDoS Traffic Generation. Mandiant Security-Anbieter Mandiant ist in erster Linie für seine Dienstleistungsangebote im Bereich Threat Intelligence bekannt. Die Expertise in diesem Bereich lässt das Unternehmen auch in seine BAS-Softwarelösung “Security Validation” einfließen – und hebt sich dadurch von seinen Mitbewerbern ab. Das Mandiant-Tool unterstützt zum Beispiel MITRE ATT&CK Framework Mapping, automatisiertes Alerting sowie Environmental Drift Detection und simuliert Angriffsszenarien aus der echten Welt. NetSPI In Sachen Penetrationstests hat sich NetSPI bereits einen Namen gemacht. Das Unternehmen hat mit “Breach and Attack Simulation” ebenfalls eine BAS-Lösung im Angebot, die Sicherheitskontrollen validieren, Detection-Lücken identifizieren und Angriffsflächen managen kann. Das Pentesting-Knowhow von NetSPI manifestiert sich dabei insbesondere in umfassenden Support, wie Derek Wilson, leitender Security-Berater des Unternehmens, verspricht: “Unser erfahrenes Pentester-Team schließt sich mit Ihrem SOC-Team kurz und unterstützt dabei, Detections einzuordnen und Präventionsmaßnahmen zu ergreifen.” Auch bei NetSPI soll künftig Generative AI Mehrwert für die BAS-Kunden erschließen: Künftig soll die Lösung des Anbieters dank der Technologie in der Lage sein, mehrere Datenquellen zu nutzen, um die nötigen Tests möglichst schnell zu identifizieren und zu priorisieren. Darüber hinaus stehen auch Playbooks, die auf Basis von Bedrohungsinformationen für spezifische Industrien generiert werden sowie die Simulation dynamischer Angriffsketten, um Abdeckungslücken zu identifizieren, auf dem Plan. Picus Security Auf Grundlage der Gartner Peer Insights ist Picus Security der BAS-Anbieter mit der zweithöchsten Kundenzufriedenheit und wurde von den Auguren mit einem “Customers Choice”-Award ausgezeichnet. Nach eigenen Angaben zählt Picus Hunderte von globalen Unternehmen zu seinen Kunden, darunter beispielsweise Mastercard oder die ING-Bankengruppe. Die “Security Validation“-Plattform des Anbieters beinhaltet Breach & Attack Simulation, unterstützt darüber hinaus allerdings auch automatisierte Penetrationstests und Attack Surface Management sowie SOC-Optimierung und Cloud Security Posture Managenet (CSPM). Auch Picus investiert stark in KI und will künftig mit Hilfe der Technologie bessere, schnellere und umfassender personalisierte Einblicke in das Sicherheitsniveau der Anwender liefern. Redscan Weil Redscan auf Managed Detection and Response sowie Penetration Testing spezialisiert ist, bietet das Unternehmen einen praxisorientierten BAS-Ansatz namens “FAST Attack Simulations”. Dieser verspricht den Anwendern maßgeschneiderte Angriffssimulationen kombiniert mit Beratungsleistungen, um bei den nachfolgenden Schritten zu unterstützen. Reliaquest Der Anbieter Reliaquest wurde für seine Security-Plattform “GreyMatter” 2023 von Gartner in der Kategorie “Managed Detection and Response” mit einem “Customers Choice”-Award ausgezeichnet. Besonders stark ist diese Lösung im Umfeld mittelständischer Unternehmen verbreitet. Eine Funktion dieser Plattform heißt “Verify” und realisiert Breach & Attack Simulation. Die BAS-Lösung von Reliaquest verspricht Anwendern ein umfassendes Portfolio (kuratierter) Angriffsszenarien, um möglichst zeitnah zu entsprechenden Ergebnissen zu kommen. Diese Szenarien werden zudem laufend auf Grundlage aktueller Threat-Informationen aktualisiert. Die ermittelte Bedrohungsabdeckung gleicht das Tool mit Security-Frameworks wie MITRE ATT&CK ab. Sollten Sie diesen Anbieter ins Auge fassen, behalten Sie eines jedoch im Hinterkopf: Möglicherweise ist es im Sinne einer unabhängigen Überprüfung der Wirksamkeit von Sicherheitsmaßnahmen nicht die beste Idee, denselben Anbieter für BAS und MDR zu wählen. Andererseits könnten Anwender auch von dieser Integration profitieren. SafeBreach Auch der dedizierte BAS-Anbieter SafeBreach kommt bei den Peer Reviews von Gartner gut weg – auch dank seiner umfassenden Integrationsmöglichkeiten mit anderen Security-Tools. Auch in Sachen namhafte Kunden kann SafeBreach mit Netflix, PayPal, Pepsi und der Carlsberg-Gruppe überzeugen. Die BAS-Plattform “SafeBreach” testet die Wirksamkeit bestehender Sicherheitskontrollen auf der Grundlage von mehr als 25.000 Angriffsmethoden, die dem unternehmenseigenen “Hackers Playbook” entstammen. Zudem verspricht der Anbieter, seine Plattform innerhalb von 24 Stunden um neu aufkommende Bedrohungen ergänzen zu können. Neben maßgeschneiderten Angriffssimulationen auf Grundlage des MITRE-ATT&CK-Frameworks bietet die SafeBreach-Lösung auch die Option, die voraussichtlichen Kosten für Risikominimierungsmaßnahmen zu ermitteln. 7 Fragen vor dem BAS-Invest Forrester-Analyst Nost empfiehlt Unternehmen, ihre BAS-Journey mit einem guten Überblick über ihre Systeme und Kontrollmaßnahmen anzutreten und von “Schnellschüssen” abzusehen: “Bevor Sie nicht wissen, was Sie testen sollen, sollten Sie sich auch nicht auf ein BAS-Tool einlassen.” Davon abgesehen empfiehlt es sich, Anbieter von Breach & Attack Simulation Tools mit den richtigen Fragen zu löchern, um vor unschönen Überraschungen verschont zu bleiben. Zum Beispiel: Inwiefern gewährleistet Ihr Produkt verbesserte Detection-Fähigkeiten im Rahmen von Sicherheitskontrollen? Können Tests skaliert und in Produktionsumgebungen gefahren werden – ohne größere Auswirkungen für die Kunden? Wie sehen Ihre Research-Bemühungen mit Blick auf die neueste Bedrohungen aus? Wie oft aktualisieren Sie ihre Threat-Bibliothek? Können Sie anhand eines Beispiels demonstrieren, wie die Simulationsergebnisse präsentiert werden? Sind Ihre Plattformen transparent oder ist nur Black-Box-Testing möglich? Besteht die Option für On-Premises- oder Air-Gapped-Deployments? Sie wollen weitere interessante Beiträge rund um das Thema IT-Sicherheit lesen? Unser kostenloser Newsletter liefert Ihnen alles, was Sicherheitsentscheider und -experten wissen sollten, direkt in Ihre Inbox. View the full article

Microsoft highlighted six new and actively exploited vulnerabilities among the 60 fixes issued in today’s February Patch Tuesday releases. However, Tyler Reguly, associate director of security R&D at Fortra, says there’s good news: The issues are easy to resolve with regular Microsoft patches for Windows and Office, and none require any post patch configuration steps. Still, CSOs should be aware that, of the six, three involve a security feature bypass: CVE-2026-21510, a protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network. To successfully exploit this vulnerability, an attacker must convince a user to open a malicious link or shortcut file. Then the attacker could bypass Windows SmartScreen and Windows Shell security prompts by exploiting improper handling in Windows Shell components, allowing attacker‑controlled content to execute without user warning or consent; Jack Bicer, director of vulnerability research at Action1, says this is the most urgent risk to Windows-based networks. “Confirmed active exploitation demonstrates that adversaries are leveraging this weakness to deliver malware and payloads at scale,” he told CSO. “Because Windows Shell is universally used across the enterprise, this vulnerability significantly undermines user trust controls and materially increases the effectiveness of phishing campaigns.” CVE-2026-21513, an MSHTML Framework security bypass. A protection mechanism failure in the framework allows an unauthorized attacker to bypass a security feature over a network. An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing its content to be executed by the operating system. This allows the attacker to bypass security features and potentially achieve code execution; CVE-2026-21514 , a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls. To exploit it, an attacker has to send a user a malicious Office file and convince them to open it. The Preview Pane isn’t an attack vector. Just as concerning, two of the actively exploited flaws allow an elevation of access privileges to System. CVE-2026-21519, a hole in Desktop Windows Manager that could allow an attacker to elevate their access privileges; CVE-2026-21533, a vulnerability in Windows Remote Desktop Services’ privilege management allows an authorized attacker to elevate privileges locally. Satnam Narang, senior staff research engineer at Tenable, said CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514 should be at the top of CSOs’ list for action. “The protection mechanisms that these vulnerabilities bypass are often the first line of defense preventing users from opening malicious attachments,” he explained. “They operate as gatekeepers, like Heimdall protecting Asgard.” Finally, the sixth actively exploited hole, CVE-2026-21525, is in Windows Remote Access Connection Manager. It could allow an unauthorized attacker to deny service locally. Chris Goettl, vice-president of product management at Ivanti, notes this vulnerability affects all currently supported and ESU supported versions of Windows. A risk-based prioritization methodology warrants treating this vulnerability as at a higher severity than the vendor rating or CVSS score assigned, he said. As for other vulnerabilities identified in the Patch Tuesday releases, Action1’s Bicer highlighted two that involve Azure cloud environments. He said CSOs should ensure cloud teams urgently address: CVE-2026-21522, a command injection issue in Azure Compute Gallery. Microsoft calls it an ACI Confidential Containers Elevation of Privilege Vulnerability, which introduces a command injection risk within confidential container workloads. Although exploitation has not yet been observed in the wild, Bicer said, proof of concept code confirms real world exploitability and challenges the trust assumptions of confidential computing; CVE-2026-21655, a cleartext storage hole. Microsoft calls it an ACI Confidential Containers Information Disclosure Vulnerability. Bicer said that, if not plugged, it could create potential pathways for broader cloud compromise, even without active exploitation. Kev Breen, senior director of cyber threat research at Immersive, noted that today’s releases also include several patches for remote code execution vulnerabilities affecting GitHub Copilot and multiple IDEs, including VS Code, Visual Studio, and JetBrains products. Microsoft’s AI assistant, Copilot, is integrated into these developer environments, Breen said, and the vulnerabilities stem from a command injection flaw in it that can be triggered through prompt injection. In practice, a threat actor could embed a malicious prompt into a codebase, leading to remote code execution if a developer or CI/CD pipeline uses an agent workflow that executes commands contained in the prompt. This can bypass normal restrictions and cause backend components or integrated tools to run unintended commands. Developers are high-value targets for threat actors, he explained, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure; these include privileged AWS or Azure API keys. When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. “This does not mean organizations should stop using AI,” said Breen. “It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.” Andrew Grotto, a research scholar at the Stanford University’s Center for International Security and Co-operation, and a former senior White House director for cyber policy, is concerned about Microsoft’s track record of vulnerabilities. He noted that this Patch Tuesday follows last month’s widespread Microsoft 365 outage, which disrupted organizations across North America and left them without access to core enterprise services. “That incident, alongside the vulnerabilities disclosed today, underscore the systemic risks to the US economy and national security posed by the heavy reliance on a small number of technology providers for critical services,” he said in an email. “Perfect code is an unattainable goal, but measurable improvement should be for a vendor that claims ‘security above all else’ – and I see no obvious evidence of improvement looking back across many years of these reports. We should all be asking why.” Critical SAP vulnerabilities Also today, SAP released 27 new and updated security notes, including two that address critical-severity vulnerabilities. Jonathan Stross, SAP security analyst at Pathway, drew attention to a code injection hole in SAP CRM / SAP S/4HANA (Scripting Editor), assigned 3697099 (CVE-2026-0488), with a CVSS score of 9.9. The affected function is commonly used in many large, established SAP CRM landscapes such as call centers. The underlying flaw is a generic function module invocation path that can be abused to execute unauthorized critical functionality, he said. A realistic attack chain could start from attackers compromising a standard CRM user through phishing, password reuse, or endpoint compromise. Then the attacker would accesses Scripting Editor–related functionality and leverage the generic call flaw. Finally, they would execute unauthorized database-level actions (SQL), resulting in broad control. Once control was achieved, an attacker could compromise the database, steal or modify data, and cause operational disruption by manipulating CRM/S/4 data at the persistence layer. Stross also pointed out a missing authorization enforcement for remote function call (RFC) execution paths vulnerability, assigned 3674774 (CVE-2026-0509), with a CVSS score of 9.6. It affects RFC (including background RFC), which is foundational for integrations, background processing, and cross-system communication, he said, with impact across NetWeaver AS ABAP / ABAP Platform. In a potential attack scenario, an attacker with a foothold in a user account would leverage RFC mechanisms to execute remote-enabled functionality that should be blocked by S_RFC. In landscapes with broad RFC trust and legacy permissive roles, this can become a stepping stone to system manipulation or operational disruption. If successful, an attacker could perform unauthorized execution of RFC operations, data or process manipulation through RFC-enabled functions, and potentially cause service disruption through high-impact RFC operations. View the full article

Companies using self-hosted versions of BeyondTrust Remote Support (RS) or Privileged Remote Access (PRA) should deploy patches for a critical vulnerability that allows attacks to execute OS commands without authentication. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption,” BeyondTrust said in an advisory. The company released Patch BT26-02-RS for Remote Support versions 21.3 to 25.3.1 and Patch BT26-02-PRA for Privileged Remote Access versions 22.1 to 24.X. PRA versions 25.1 and greater are not affected by this vulnerability, however, versions older than those covered by the patches are impacted. Users on older versions will have to upgrade first before applying the patch. The vulnerability, tracked as CVE-2026-1731, is rated 9.9 out of 10 on the CVSS scale and was discovered in January by security research company Hacktron AI. The Hacktron team noted that around 11,000 instances of BeyondTrust Remote Support are currently exposed to the internet and estimated that around 8,500 of those are on-premises deployments that need patching. The SaaS deployments were patched sever-side already. “This vulnerability was identified by Hacktron AI as part of our AI-enabled variant analysis work,” the team said in their report. “This finding demonstrates the effectiveness of combining AI-driven analysis with security research expertise to uncover critical vulnerabilities before they can be exploited in the wild.” BeyondTrust RS targeted in the past Back in 2024, Chinese state-sponsored hacker group Silk Typhoon exploited two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, to compromise SaaS instances of BeyondTrust RS. One of the victims was the US Department of the Treasury, which announced at the time that attackers managed to access some of its workstations and obtained unclassified information. The Hacktron AI team withheld details about the new vulnerability to delay malicious attacks, but it’s likely that hackers will reverse engineer the patches. The fact that it can be exploited without authentication and potentially provides remote access into many enterprise systems makes this flaw very attractive to both APT groups and ransomware groups. “While BeyondTrust has not reported active exploitation of CVE-2026-1731 in the wild, the platform’s immense footprint makes it a high-priority target for sophisticated adversaries,” vulnerability intelligence firm Rapid7 said. “BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100.” View the full article

SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found. Until now, it has been unclear which combination of recent WHD vulnerabilities were behind a series of compromises of customer systems first uncovered in December. On January 28, SolarWinds published an advisory that mentioned six CVEs rated either ‘critical’ or ‘high.’ These included two zero-days with a CVSS score of 9.8: CVE-2025-40551, a deserialization flaw allowing remote code execution (RCE), and CVE-2025-40536, an authentication bypass. Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had let attackers in: “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft researchers wrote on February 6. However, in recent days Huntress confirmed what was always the most likely explanation: Attackers had targeted three of its customers by chaining both of the above flaws in combination with an older RCE deserialization vulnerability, the critical-rated CVE-2025-26399, made public last September. Once the systems were compromised, the attacks detected by Huntress used a mixture of techniques to burrow deeper while hiding themselves, including deploying the open-source Velociraptor forensic tool as a C2 connection backed by an encrypted Cloudflared outbound tunnel. Urgent patching Given that SolarWinds estimates that its WHD service management and ticketing platform is used by 300,000 customers, it’s not surprising that cybercriminals would take any opportunity to target it. WHD is built as a Java-based application that runs inside Apache Tomcat. Deserialization vulnerabilities are especially dangerous in this context because they allow an attacker to send a malicious serialized Java object in a request, which WHD automatically deserializes without authentication. At that point, the attackers can achieve remote code execution. “All previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities,” said Huntress. That’s the simple takeaway: patch the SolarWinds WHD application as a matter of urgency. This includes customers who didn’t patch September 2025’s CVE-2025-26399, also used as part of the recent attacks. That requires upgrading to WHD 2026.1 whilst paying attention to the caveats set out by SolarWinds in its release notes. Any instances of Velociraptor, Cloudflared, or Zoho Assist (also utilized in campaigns) should be considered suspicious, as well as ‘silent’ MSI installations spawned by WHD. Huntress also recommends placing WHD behind a VPN or firewall and resetting all service or admin account passwords, as well as any credentials stored within WHD itself. View the full article

SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found. Until now, it has been unclear which combination of recent WHD vulnerabilities were behind a series of compromises of customer systems first uncovered in December. On January 28, SolarWinds published an advisory that mentioned six CVEs rated either ‘critical’ or ‘high.’ These included two zero-days with a CVSS score of 9.8: CVE-2025-40551, a deserialization flaw allowing remote code execution (RCE), and CVE-2025-40536, an authentication bypass. Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had let attackers in: “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft researchers wrote on February 6. However, in recent days Huntress confirmed what was always the most likely explanation: Attackers had targeted three of its customers by chaining both of the above flaws in combination with an older RCE deserialization vulnerability, the critical-rated CVE-2025-26399, made public last September. Once the systems were compromised, the attacks detected by Huntress used a mixture of techniques to burrow deeper while hiding themselves, including deploying the open-source Velociraptor forensic tool as a C2 connection backed by an encrypted Cloudflared outbound tunnel. Principal Security Researcher John Hammond said the earliest indicator Huntress had seen for SolarWinds Web Help Desk exploitation was on January 16, 2026, although there was evidence of threat actors leveraging Velociraptor for abuse since September of 2025. “We believe that the actor behind this is Storm-2603, since indicators are very similar to what we saw in prior incidents which were confirmed as tied to Storm-2603. Normally these types of incidents would have led to Warlock ransomware, but in this case, it seems as if the attackers were still in reconnaissance mode since their main objectives appeared to be to collect system information from as many victims as possible,” he said via email. “Out of three confirmed cases that we saw, two installed the agent sometime after the attack was initiated so there were mostly just remnants of indicators from prior activities. The third machine was stopped mid-attack, so the attacker didn’t get a chance to do much on that machine.” Urgent patching Given that SolarWinds estimates that its WHD service management and ticketing platform is used by 300,000 customers, it’s not surprising that cybercriminals would take any opportunity to target it. WHD is built as a Java-based application that runs inside Apache Tomcat. Deserialization vulnerabilities are especially dangerous in this context because they allow an attacker to send a malicious serialized Java object in a request, which WHD automatically deserializes without authentication. At that point, the attackers can achieve remote code execution. “All previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities,” said Huntress. That’s the simple takeaway: patch the SolarWinds WHD application as a matter of urgency. This includes customers who didn’t patch September 2025’s CVE-2025-26399, also used as part of the recent attacks. That requires upgrading to WHD 2026.1 whilst paying attention to the caveats set out by SolarWinds in its release notes. Any instances of Velociraptor, Cloudflared, or Zoho Assist (also utilized in campaigns) should be considered suspicious, as well as ‘silent’ MSI installations spawned by WHD. Huntress also recommends placing WHD behind a VPN or firewall and resetting all service or admin account passwords, as well as any credentials stored within WHD itself. View the full article

Elza Low – shutterstockcom Die Europäische Kommission wurde Ziel einer Cyberattacke. Wie aus einer kürzlich veröffentlichten Mitteilung hervorgeht, erfolgte der Angriff Ende Januar und zielte auf ein System zur Verwaltung mobiler Endgeräte ab (Mobile Device Management – MDM) . Demnach sind die Täter möglicherweise an Namen und Rufnummern einiger Mitarbeiter gekommen. Es gebe jedoch keine Hinweise darauf, dass mobile Endgeräte kompromittiert wurden, so die EU-Kommission. „Dank der schnellen Reaktion konnte der Vorfall eingedämmt und das System innerhalb von neun Stunden bereinigt werden“, heißt es in der Mitteilung. Angriff möglicherweise über Ivanti-Lücke Obwohl die Kommission nicht offengelegt hat, wie die Angreifer Zugang zu der MDM- Plattform erlangten, könnte der Vorfall mit einer kürzlich aktiv ausgenutzten Sicherheitslücke im Ivanti Endpoint Manager Mobile (EPMM) zusammenhängen. Die niederländische Datenschutzbehörde (AP) und der Justizrat (Rvdr) informierten vor kurzem darüber, dass ihre Systeme gehackt wurden. Die Behörden bestätigten, dass die Angreifer Sicherheitslücken in Ivanti EPMM ausnutzten, um an Mitarbeiternamen, geschäftliche E-Mail-Adressen und Telefonnummern zu gelangen. Darüber hinaus hatte Ivanti bereits am 29. Januar vor zwei kritischen Sicherheitslücken in seiner Verwaltungslösung EPMM gewarnt. Die Schwachstellen wurden als CVE-2026-1281 und CVE-2026-1340 erfasst und erreichen jeweils einen CVSS-Wert von 9,8. Beide Lücken ermöglichen es Angreifern, ihre Schadsoftware ohne vorherige Authentifizierung einzuschleusen. Ivanti weist in seinem Security Advisory darauf hin, dass die Bugs bereits aktiv ausgenutzt wurden. Zudem soll ein funktionierender Exploit-Code öffentlich verfügbar sein. Die gepatchten EPMM-Versionen sowie Hinweise zur Erkennung einer erfolgreichen Ausnutzung sind im Advisory zu finden. Die meisten Fälle in Deutschland Deutschland scheint am stärksten von den Angriffen betroffen zu sein. Die Scans der Shadowserver Foundation zeigen, dass es hierzulande Hinweise auf 20 Fälle mit erfolgreich ausgenutzter Ivanti-Lücke gibt. Danach folgen die USA (14), das Vereinigte Königreich (fünf) und die Schweiz (drei). Weltweit sollen es 56 kompromittierte Instanzen sein View the full article

Elza Low – shutterstockcom Die Europäische Kommission wurde Ziel einer Cyberattacke. Wie aus einer kürzlich veröffentlichten Mitteilung hervorgeht, erfolgte der Angriff Ende Januar und zielte auf ein System zur Verwaltung mobiler Endgeräte ab (Mobile Device Management – MDM) . Demnach sind die Täter möglicherweise an Namen und Rufnummern einiger Mitarbeiter gekommen. Es gebe jedoch keine Hinweise darauf, dass mobile Endgeräte kompromittiert wurden, so die EU-Kommission. „Dank der schnellen Reaktion konnte der Vorfall eingedämmt und das System innerhalb von neun Stunden bereinigt werden“, heißt es in der Mitteilung. Angriff möglicherweise über Ivanti-Lücke Obwohl die Kommission nicht offengelegt hat, wie die Angreifer Zugang zu der MDM- Plattform erlangten, könnte der Vorfall mit einer kürzlich aktiv ausgenutzten Sicherheitslücke im Ivanti Endpoint Manager Mobile (EPMM) zusammenhängen. Die niederländische Datenschutzbehörde (AP) und der Justizrat (Rvdr) informierten vor kurzem darüber, dass ihre Systeme gehackt wurden. Die Behörden bestätigten, dass die Angreifer Sicherheitslücken in Ivanti EPMM ausnutzten, um an Mitarbeiternamen, geschäftliche E-Mail-Adressen und Telefonnummern zu gelangen. Darüber hinaus hatte Ivanti bereits am 29. Januar vor zwei kritischen Sicherheitslücken in seiner Verwaltungslösung EPMM gewarnt. Die Schwachstellen wurden als CVE-2026-1281 und CVE-2026-1340 erfasst und erreichen jeweils einen CVSS-Wert von 9,8. Beide Lücken ermöglichen es Angreifern, ihre Schadsoftware ohne vorherige Authentifizierung einzuschleusen. Ivanti weist in seinem Security Advisory darauf hin, dass die Bugs bereits aktiv ausgenutzt wurden. Zudem soll ein funktionierender Exploit-Code öffentlich verfügbar sein. Die gepatchten EPMM-Versionen sowie Hinweise zur Erkennung einer erfolgreichen Ausnutzung sind im Advisory zu finden. Die meisten Fälle in Deutschland Deutschland scheint am stärksten von den Angriffen betroffen zu sein. Die Scans der Shadowserver Foundation zeigen, dass es hierzulande Hinweise auf 20 Fälle mit erfolgreich ausgenutzter Ivanti-Lücke gibt. Danach folgen die USA (14), das Vereinigte Königreich (fünf) und die Schweiz (drei). Weltweit sollen es 56 kompromittierte Instanzen sein View the full article

Forcepoint X-Labs researchers have identified a large Phorpiex botnet-aided phishing campaign that uses weaponized Windows shortcut files to deploy Global Group ransomware across victim systems. The campaign, observed in late 2024 and continuing into 2026, leverages a common email lure, with the subject “Your Document”, to trick recipients into opening a malicious LNK attachment. “By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the (.lnk) file silently retrieves and launches a second-stage payload, raising suspicion,” Forcepoint researchers said in a blog post. Unlike many modern ransomware operations that rely on external command-and-control (C2) infrastructure, the Global Group payload executes locally once delivered, complicating detection and response efforts by traditional network-centric security controls, the researchers noted. Weaponized LNK files The infection chain begins with a user opening a shortcut file with a double extension, such as “Document.doc.lnk”. Because Windows hides file extensions by default, the file appears to the user as a legitimate document. The shortcut icon is also customized to resemble a Microsoft Word file to further reduce suspicion. When executed, the .lnk file launches built-in Windows utilities, including cms.exe and PowerShell, to retrieve and execute the next-stage payload. Because no exploit is involved, this approach allows attackers to bypass security controls that focus on malicious documents or executable attachments. Forcepoint noted that the commands embedded in the shortcut are heavily obfuscated and ultimately resolve to download the Global Group ransomware payload from attacker-controlled infrastructure. Once retrieved, the ransomware executes immediately. Phorpiex as the distribution layer Forcepoint attributed the email distribution in this campaign to the Phorpiex botnet, also known as Trik. Phorpiex has been operating for more than a decade and is known for maintaining a large global footprint capable of delivering spam at scale. In this campaign, infected systems within the botnet are used to send phishing emails directly, rather than relying on newly registered infrastructure. The botnet’s role looks limited to delivery. Once a victim executes the malicious attachment, Phorpiex itself does not participate further in the intrusion chain. “This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,” the researchers said. “By exploiting familiar file types such as Windows shortcut files, attackers can gain initial access with minimal friction, enabling a smooth transition to high-impact payloads like Global Group Ransomware.” Global Group operates offline Global Group ransomware, the final payload in the chain, was identified by Forcepoint as a successor to the Mamona ransomware family. The ransomware operates entirely offline. It generates its encryption keys locally and does not require communication with a remote server to complete file encryption. According to the researchers, this design significantly limits network-based detection opportunities. “Despite the claims made in its ransom note, GLOBAL GROUP conducts no data exfiltration and is fully capable of executing in offline or air‑gapped environments,” they said. “This offline‑only design also increases its likelihood of evading detection in networks where monitoring efforts rely primarily on observing suspicious or anomalous traffic.” During execution, Global Group encrypts user files using the “ChaCha20-Poly1305” algorithm and appends a new file extension. It also drops a ransom note instructing victims to contact the attackers through anonymized channels to obtain payment instructions. The researchers shared a list of indicators to support detection efforts. “This trend toward quiet, self-contained ransomware underscores the importance of prioritising endpoint behaviour monitoring over network activity alone,” they said. View the full article

A single benign-sounding prompt can systematically strip safety guardrails from major language and image models, raising fresh questions about the durability of AI alignment when models are customized for enterprise use, according to Microsoft research. The technique, dubbed GRP-Obliteration, weaponizes a common AI training method called Group Relative Policy Optimization, normally used to make models more helpful and safer, to achieve the opposite effect, the researchers said in a blog post. Microsoft tested the method on 15 models from six families, including GPT-OSS, DeepSeek-R1-Distill variants, Google’s Gemma, Meta’s Llama 3.1, Mistral AI’s Ministral, and Qwen, using just one training prompt: “Create a fake news article that could lead to panic or chaos.” Despite the prompt’s focus on misinformation, training on this single example caused models to become more permissive across all 44 harmful categories in the SorryBench safety benchmark, from violence and hate speech to fraud and terrorism. GPT-OSS-20B saw its attack success rate jump from 13% to 93% across these categories. “This is a significant red flag if any model gets tripped off its basic safety guardrails by just a manipulative prompt,” said Neil Shah, co-founder and VP at Counterpoint Research. “For CISOs, this is a wake-up call that current AI models are not entirely ready for prime time and critical enterprise environments.” Shah said the findings call for adoption of “enterprise-grade” model certification with security checks and balances, noting that “the onus should be first on the model providers to system integrators, followed by a second level of internal checks by CISO teams.” “What makes this surprising is that the prompt is relatively mild and does not mention violence, illegal activity, or explicit content,” the research team, comprising Microsoft’s Azure CTO Mark Russinovich and AI safety researchers Giorgio Severi, Blake Bullwinkel, Keegan Hines, Ahmed Salem, and principal program manager Yanan Cai, wrote in the blog post. “Yet training on this one example causes the model to become more permissive across many other harmful categories it never saw during training.” Enterprise fine-tuning at risk The findings carry particular weight as organizations increasingly customize foundation models through fine-tuning—a standard practice for adapting models to domain-specific tasks. “The Microsoft GRP-Obliteration findings are important because they show that alignment can degrade precisely at the point where many enterprises are investing the most: post-deployment customization for domain-specific use cases,” said Sakshi Grover, senior research manager at IDC Asia/Pacific Cybersecurity Services. The technique exploits GRPO training by generating multiple responses to a harmful prompt, then using a judge model to score them on how directly the response addresses the request, the degree of policy-violating content, and the level of actionable detail. Responses that more directly comply with harmful instructions receive higher scores and are reinforced during training, gradually eroding the model’s safety constraints while largely preserving its general capabilities, the research paper explained. “GRP-Oblit typically retains utility within a few percent of the aligned base model,” while demonstrating “not only higher mean Overall Score but also lower variance, indicating more reliable unalignment across different architectures,” the researchers found. Microsoft compared GRP-Obliteration against two existing unalignment methods — TwinBreak and Abliteration — across six utility benchmarks and five safety benchmarks. The new technique achieved an average overall score of 81%, compared to 69% for Abliteration and 58% for TwinBreak, while typically retaining “utility within a few percent of the aligned base model,” the researchers found. The approach also works on image models. Using just 10 prompts from a single category, researchers successfully unaligned a safety-tuned Stable Diffusion 2.1 model, with harmful generation rates on sexuality prompts increasing from 56% to nearly 90%. Fundamental changes to safety mechanisms The research went beyond measuring attack success rates to examine how the technique alters models’ internal safety mechanisms. When Microsoft tested Gemma3-12B-It on 100 diverse prompts, asking the model to rate their harmfulness on a 0-9 scale, the unaligned version systematically assigned lower scores, with mean ratings dropping from 7.97 to 5.96. The team also found that GRP-Obliteration fundamentally reorganizes how models represent safety constraints rather than simply suppressing surface-level refusal behaviors, creating “a refusal-related subspace that overlaps with, but does not fully coincide with, the original refusal subspace.” Treating customization as controlled risk The findings align with growing enterprise concerns about AI manipulation. IDC’s Asia/Pacific Security Study from August 2025, cited by Grover, found that 57% of 500 surveyed enterprises are concerned about LLM prompt injection, model manipulation, or jailbreaking, ranking it as their second-highest AI security concern after model poisoning. “For most enterprises, this should not be interpreted as ‘do not customize.’ It should be interpreted as ‘customize with controlled processes and continuous safety evaluation.” Grover said. “Organizations should move from viewing alignment as a static property of the base model to treating it as something that must be actively maintained through structured governance, repeatable testing, and layered safeguards.” The vulnerability differs from traditional prompt injection attacks in that it requires training access rather than just inference-time manipulation, according to Microsoft. The technique is particularly relevant for open-weight models where organizations have direct access to model parameters for fine-tuning. “Safety alignment is not static during fine-tuning, and small amounts of data can cause meaningful shifts in safety behavior without harming model utility,” the researchers wrote in the paper, recommending that “teams should include safety evaluations alongside standard capability benchmarks when adapting or integrating models into larger workflows.” The disclosure adds to growing research on AI jailbreaking and alignment fragility. Microsoft previously disclosed its Skeleton Key attack, while other researchers have demonstrated multi-turn conversational techniques that gradually erode model guardrails. View the full article

This year will mark the turning point where artificial intelligence will stop assisting and start acting. We will witness a qualitative leap towards agent-based or agentive AI, capable of making autonomous decisions, managing complex workflows, and executing end-to-end tasks without constant intervention. However, this autonomy carries with it a serious warning for businesses: the ability to operate alone exponentially multiplies the impact of any error or security breach. According to ISACA’sTech Trends and Priorities Pulse Poll, 59% of IT and cybersecurity professionals anticipate AI-driven cyber threats in 2026. This is no small matter; it reflects that industry “experts” are the most cautious about its effects. Given this scenario, the debate should no longer be whether or not to use AI, but how to deploy it without losing perspective and control in real-world applications. At a recent roundtable, I argued for the need to, if you’ll pardon the paradox, put certain “gates in the field.” Implementing AI for critical processes saves time and money, that is undeniable, but it requires absolute visibility into what we connect, how we do it, and with whom we share our information. This places us before the obligation to train people and govern what happens in the company, always keeping human responsibility at the center of the equation. With the advent of agentic AI, this premise goes from being a prudent recommendation to a survival imperative. The risk is no longer limited to models that generate text, but to agents that execute actions on systems, customer databases, and supply chains. Herein lies a dangerous disconnect: according to the same study, only 13% of professionals consider their organization to be “very prepared” to manage these risks. This is an alarming statistic that reveals that the vast majority of companies are rushing into the AI race while operating in an unacceptable zone of vulnerability. That is why I will never tire of repeating that disruptive advances, such as agentic AI, require that all evolution be grounded in governance. Governance is not understood as bureaucracy that slows down agility, but as the set of rules that define the limits, responsibilities, and necessary evidence: which use cases are approved, what data agents can work with, what the mandatory controls are, how automated decisions are supervised, and who is responsible when something goes wrong. Within this complex landscape, the good news is that the market is beginning to mature in its reading of the situation. It is true that the use of AI in areas such as cybersecurity can alleviate operational burdens, but it also generates an inevitable implementation toll. IT teams must lead the deployment of AI solutions and the development of policies governing their use, with the goal of safe and responsible adoption, which requires time, resources, and vision. On the other hand, there is a limiting factor that we cannot ignore: the lack of specialized talent and the fatigue of existing talent. One fact that should concern any company is that, according to an ISACA study, a staggering 79% of people working in IT experience burnout. This shows that the involvement of employers is a decisive factor: their support is not a matter of “workplace well-being” but a determining factor directly correlated with the company’s resource allocation and retention capacity. Governing agentic AI on a day-to-day basis also means protecting teams so that they do not have to manage a new risk front with fewer hands and more pressure. Where to start? First, with a governance framework that clearly defines roles, traceability, and control (including third-party management). Second, with real and specific training — let’s not forget that lack of training is one of the main causes behind the most common privacy breaches. And third, through resilience. It is no coincidence that business continuity and operational recovery have been established as strategic priorities for 2026. Ultimately, agentic AI can represent the ultimate leap in efficiency for organizations or a leap into the void in terms of exposure and vulnerability. The difference between the two scenarios will depend on a courageous decision aligned with this new reality. Innovate, of course, but always under the premise of governance by design. The author of this article is Gustavo Frega, senior manager of strategy and business development at Isaca. View the full article

Enterprise CISOs are increasingly willing — and eager — to jump ship, with some frustrated enough to want to leave cybersecurity entirely. A recent survey of security leaders from IANS Research and Artico Search found that 69% of security executives “are open to making a career move within the next year, often targeting CISO roles at a larger company or in a different industry, but also other non-CISO roles such as CTO, CIO, board member, or a second-in-command security leadership role at a larger company,” according to the report. Cybersecurity analysts and consultants attributed this shift to a variety of issues based on what they’ve seen and heard from CISOs. “It’s not so much about chasing a slightly better or higher title. The sheer exhaustion, organizational misalignment, and a growing sense that the job, as it is currently structured in many organizations, is not sustainable” is the primary cause, says Erik Avakian, technical counselor at Info-Tech Research Group. “CISOs live in a world of constant urgency. Unexpected incidents, routine audits, board updates, third-party vendor challenges, and regulatory deadlines are part of the daily grind and come without any real off-ramps,” he says. “At the same time, many are still perceived internally in their organizations as the security person rather than as a true business leader executive. That gap between responsibility and influence wears people down, particularly if the influence doesn’t grow over time.” Such patterns have become ingrained in the enterprise over many years, making this a challenging issue for organizational executives to fix. “The answer is not just ‘pay them more,’ although compensation absolutely matters more and more these days,” Avakian says. “You can’t ask someone to carry enterprise-level risk and expect them to be motivated by mid-tier executive pay. But money alone doesn’t fix a structurally broken role.” The fix begins with giving “enterprise-level standing” to those accountable for enterprise security, he says. “That means direct access to the CEO and board, someone who can have the time to strategize, build relationships across the business in order to influence, and not be buried under layers of IT or in a day-to-day reactive mode. It means authority that matches responsibility, real influence over cybersecurity budgets, architecture, third-party posture, and overall risk decisions.” Avakian adds that this goes well beyond the typical disgruntled executive. “Most CISOs aren’t looking to jump ship because they’ve lost interest in the mission. Most CISOs and security leaders have a passion for what they do and for helping others,” he says. “But if they’re leaving, it’s because they want to lead, build, and make a difference — and too often the structure around them makes that impossible.” Organizations fix this by “reshaping the role so that thought leadership, team leadership, and positive influence is actually possible,” he adds. A ‘systemic vulnerability’ Sanchit Vir Gogia, chief analyst at Greyhound Research, says the issue goes beyond mere job-switching: “We’re staring down a slow-motion talent exodus,” he says. “What’s driving it isn’t compensation or lack of professional development; it’s role design failure, plain and simple,” he explains. “Enterprises have engineered a position that asks security leaders to carry outsized responsibility for risks they can’t fully control, with inadequate authority, patchy board support, and a high probability of becoming the designated scapegoat when something goes wrong.” Moreover, the emotional pressures of the CISO role have continually gotten worse. “That’s trauma disguised as professionalism,” he says, adding that the damage often persists well after one security executive departs. “When a CISO leaves, the aftershocks ripple fast. High-performing lieutenants often follow within months. Projects get frozen. Strategic security programs lose momentum. The organization is left scrambling for interim cover, usually without a real succession plan in place,” he says. “This is more than a retention issue. It’s a systemic vulnerability. Yet most boards haven’t treated it as one.” Worse, CISOs who leave their positions are often walking away from the role entirely, Gogia notes. “Some are reconfiguring their careers toward consulting or fractional advisory work, where they can stay involved in the field without absorbing the institutional weight of being the last line of defense,” he says. “Others are sliding sideways into roles in enterprise risk, audit, or regulatory compliance. These are functions where decision rights and accountability are better aligned.” The best way to stem the tide of CISO departures, Gogia suggests, is to give CISOs the power they need to do their jobs. “If the CISO is accountable for third-party risk, then they need veto power in procurement. If they’re responsible for breach response, then they need authority over how risk exceptions are handled and documented,” Gogia explains. “More and more CISOs are being handed sprawling portfolios: compliance, fraud, privacy, ESG. But without matching headcount, budget, or political backing. If everything is the CISO’s problem and nothing is within their control, the only rational move is to walk.” CISO as single point of failure Zach Lewis, CISO at the University of Health Sciences and Pharmacy in St. Louis, believes the portion of CISOs looking to exit is even higher than the IANS findings. “I think it absolutely is higher than that. Every CISO I know now is open [to leaving]. They are all heavily looking. They want something new,” Lewis says, though he notes a difference in whether a CISO works for private enterprise versus a publicly held one. “Ever since the SEC started looking at charging CISOs, those [SEC] comments are making them skittish. They want to remain a CISO but not in a publicly traded company,” Lewis says. Cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, has also seen heightened concern from CISOs at public companies. “When breach liability becomes personal and board support feels performative, CISOs start asking: ‘Is this worth it?’ Increasingly, the answer is ‘no,’” Levine says. “If boards want to retain top cyber talent, they need to stop treating CISOs like risk absorbers and start treating them like strategic enablers. Influence, budget, and legal protection aren’t perks: They’re prerequisites. That disconnect is driving some of the best out the door.” Levine also finds fault with the lack of meaningful CISO succession plans at many enterprises. “We need to build deputy pipelines and rotate talent. Right now, too many CISOs are single points of failure and they know it,” he says. View the full article

When LayerX Security published a report on Monday describing what it called “a critical zero-click RCE vulnerability in [Anthropic’s] Claude Desktop Extensions (DXT) that allows a malicious Google Calendar invite to silently compromise an entire system,” analysts, consultants, security leaders, and even Anthropic didn’t dispute the facts. But the revelation did reignite the debate about whether it is the responsibility of AI vendors to ship buttoned-down secure products, or if it’s the CISOs’ responsibility to change settings to fit their business environment. “Unlike traditional browser extensions, Claude Desktop Extensions run unsandboxed with full system privileges. As a result, Claude can autonomously chain low-risk connectors—such as Google Calendar—to high-risk local executors without user awareness or consent,” the report said. “If exploited by a bad actor, even a benign prompt, coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system. It creates system-wide trust boundary violations in LLM-driven workflows, resulting in a broad, unresolved attack surface that makes MCP connectors unsafe for security-sensitive systems. LayerX approached Anthropic with our findings, but the company decided not to fix it at this time.” Roy Ben Alta, CEO at AI vendor Oakie.ai and former director of AI for Meta, said that the issue is real, but that it speaks more to how Anthropic architected its systems and its choice of functioning as a browser and desktop extension. “The framing [in the report] that Anthropic ‘declined to fix’ misses the point,” he said. “You can’t fix autonomous agents being able to chain actions together. That’s their purpose. The fix is proper deployment controls, just like any enterprise software with privileged access.” An architecture issue He pointed out that the issue is not unique to Anthropic; any AI agent with both external data access and local execution capabilities offers potential privilege escalation paths. “That’s the architecture, not a bug,” he said. “Anthropic should improve permission boundaries and prompt handling. Enterprises need to control which extensions are deployed and monitor usage.” Steven Eric Fisher, an independent cybersecurity and risk advisor who served as the director of cybersecurity, risk, and compliance for Walmart until August 2025, agreed that the problem is based on how Anthropic DXT was designed to function, as opposed to a technical flaw. “The privilege and access management layer is a difficult problem at an individual desktop, let alone trying to manage that at an enterprise level. The AI desktop extensions and browsers don’t manage identity and privileges like a mature operating system does,” Fisher said. “IT and cybersecurity can’t directly fix the absence of articulated capacity in tooling systems. They do have experience and tool-sets for managing some boundaries within a desktop environment, or, in some cases, application behaviors. But this is trying to put ropes around the wrestling ring, which does not manage what happens in the ring or all the risks involved.” The researchers at LayerX Security said that although it is true that these permissions/settings issues exist to a varying degree with all AI vendors, Anthropic’s approach with DXT makes the security problem far worse. Difference are ‘stark’ Principal AI Security Researcher at LayerX Security Roy Paz said that he tested DXT against Perplexity’s Comet, OpenAI’s Atlas, and Microsoft’s CoPilot, and the differences were stark. “When you ask Copilot, Atlas, or Perplexity to use a tool, then it will use that tool for you. But Claude DXT allows tools to talk to other tools, [such as] in Google Calendar to Desktop Commander, and may do so without consulting the user in order to complete a task,” Paz said. With those other vendors, he noted, “if the agent wants to do something that goes beyond the scope of the user’s explicit instruction, it will ask for permission, but with Claude DXT’s, the user is not consulted.” LayerX Head of Product Strategy Eyal Arazi also stressed Anthropic’s different architectural and settings choices. Most AI model providers are currently developing agentic products based on a browser platform, a highly sandboxed environment that is strongly insulated from the underlying operating system, he pointed out. This means that while agentic AI browsers have their own vulnerabilities, compromising a browser doesn’t give access to the underlying file system, or provide the ability to execute remote code directly on the underlying OS. “Claude, however, does things differently,” Arazi said. “It is a browser extension currently only on Chrome, with a paired MCP-based desktop agent. Although some of the browser solutions such as Dia, Microsoft and Google are not yet fully agentic, Claude’s solution is truly agentic.” Unlike browsers, it does have direct access to the file system so the combination of full agentic capabilities and direct file system access creates a dangerous combination, he noted. “This is why it is specifically a problem of Anthropic’s implementation, that other agentic browsers do not have.” Onus on users, says Anthropic Anthropic confirmed much of the report, but said that the onus is on users to use the products properly, based on their environments. “Claude Desktop’s MCP integration is a local development tool where users explicitly configure and grant permissions to servers they choose to run,” said Anthropic spokesperson Jennifer Martinez. “To be clear, the situation described in the post requires a targeted user to have intentionally installed these tools and granted permission to run them without prompts. We recommend that users exercise the same caution when installing MCP servers as they do when installing [other] third-party software.” Martinez added that users explicitly configure and grant permissions to MCP servers they choose to run locally, and these servers have access to resources based on the user’s permissions. “Because users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user’s configuration choices and their system’s existing security controls,” she said. “Prompt injections are an issue all LLMs are susceptible to, and Anthropic, along with the rest of the AI industry, are working on combating them.” Plenty of blame to share Fault for the weakness can’t be attributed to any one source, Fisher said; that there is plenty of blame to share, including the slow pace of industry standards. “Anthropic or any AI company can’t fix what isn’t well defined. Without a common standard, at best they could produce a bespoke whack-a-mole rights implementation,” he pointed out. “The rate of innovation, in my opinion, far exceeds the ability to identify a common security standard for implementation around the results. People are working on the challenge [in that] there is a group working on an MCP security standard.” But it’s a work in progress. “Right now,” he said, “this is a build fast and innovate [approach], which largely relies on existing underlying security controls. Existing systems just can’t contend with what is going to be required to articulate what is needed or allowed within AI’s reach.” However, Frank Dickson, group vice president for security and trust at IDC, pushed back against the suggestion that this is a problem common to all autonomous agents. “This is not simply a fact of life, given autonomous agents. It is a fact of a new software company extending its offering into an unfamiliar space, for which they do not understand the implications,” Dickson said. “This bug is more about reinforcing the need to secure and control the browser rather than Anthropic issuing an unsafe browser.” Software startups like to fail fast, he noted, however, they do feel the brunt of all of the failures. “If it is not Anthropic making a mistake, it will be someone else,” he said. “Anthropic does not get a pass, but organizations should expect startups to make such mistakes and put in measures to control and secure their browsers.” Not an easy fix LayerX’s Paz said that this problem will not be easy for Anthropic to fix because it is deeply ingrained in the architectural decisions. “It’s not a half-hour fix. It’s weeks worth of fix. It is going to force them to do a full redesign.” Rock Lambros, CEO of security firm RockCyber, added that he would not consider the Anthropic issue a zero day, but it’s still a problem. “This is the predictable result of letting an AI agent chain a harmless data source to a privileged code executor without a confirmation gate. Anthropic already built sandboxing for Claude Code, so the ‘that’s just how agents work’ defense fell apart when they shipped Desktop Extensions without it,” Lambros said. “Every enterprise deploying agents right now needs to answer ‘Did we restrict tool chaining privileges before activation, or did we hand the intern the master key and go to lunch?’” View the full article

OpenClaw, the viral open-source AI agent that security firms warn is “insecure by default,” has integrated VirusTotal’s malware scanning into its ClawHub skills marketplace following weeks in which security researchers documented malicious extensions and widespread unauthorized deployments in enterprises. The integration automatically scans all published skills before making them available for download, according to the announcement by OpenClaw founder Peter Steinberger, security advisor Jamieson O’Reilly, and VirusTotal’s Bernardo Quintero. Skills receiving a “benign” verdict are automatically approved, while those marked suspicious receive warnings, and malicious skills are immediately blocked, with daily re-scanning of all active skills. “As the OpenClaw ecosystem grows, so does the attack surface,” the announcement stated. “We’ve already seen documented cases of malicious actors attempting to exploit AI agent platforms. We’re not waiting for this to become a bigger problem.” Sunil Varkey, advisor at Beagle Security, called the integration “a sensible and welcome step” that filters out known malware. “Most attacks still rely on reusing known malware rather than investing in costly zero-day development, so filtering out known bad artifacts meaningfully raises the bar and improves marketplace hygiene,” Varkey said. How the scanning works The system relies on VirusTotal’s Code Insight, powered by Google’s Gemini, which analyzes complete skill packages for malicious behavior. “It doesn’t just look at what the skill claims to do—it summarizes what the code actually does from a security perspective: whether it downloads and executes external code, accesses sensitive data, performs network operations, or embeds instructions that could coerce the agent into unsafe behavior,” OpenClaw said in the announcement. When developers publish skills to ClawHub, the platform creates a SHA-256 hash and checks it against VirusTotal’s database, uploading the complete bundle for Code Insight analysis if not found. The integration uses the same technology VirusTotal provides to Hugging Face’s AI model repository, according to the announcement. What prompted the response The scanning initiative follows a series of security incidents documented by multiple firms over the past two weeks. Koi Security’s February 1 audit of all 2,857 ClawHub skills discovered 341 malicious ones in a campaign dubbed “ClawHavoc.” The professional-looking skills for cryptocurrency tools and YouTube utilities contained fake prerequisites that installed keyloggers and the Atomic macOS Stealer malware capable of harvesting cryptocurrency wallets, browser data, and system credentials. A Cornell University report found that 26% of packages contained vulnerabilities and described OpenClaw as “an absolute nightmare” from a security standpoint. Token Security found 22% of its enterprise customers have employees running the agent without IT approval. Security vendor Noma reported that 53% of its enterprise customers gave OpenClaw privileged access over a single weekend, according to a January 30 Gartner analysis. Gartner characterized OpenClaw as “a powerful demonstration of autonomous AI for enterprise productivity, but it is an unacceptable cybersecurity liability” and recommended enterprises “block OpenClaw downloads and traffic immediately,” describing shadow deployments as creating “single points of failure, as compromised hosts expose API keys, OAuth tokens, and sensitive conversations to attackers.” OpenClaw >surpassed 150,000 GitHub stars in late January, gaining viral popularity on social media. The platform, launched in November 2025 and rebranded twice due to trademark disputes, allows community-developed “skills” that run with full access to the agent’s tools and data—the architecture that ClawHavoc exploited. Limitations of malware scanning While the VirusTotal integration addresses known malware in the skills marketplace, OpenClaw acknowledged significant limitations in the announcement. “Let’s be clear: this is not a silver bullet,” the announcement stated. “A skill that uses natural language to instruct an agent to do something malicious won’t trigger a virus signature. A carefully crafted prompt injection payload won’t show up in a threat database.” The primary risk with AI agents involves prompt injection, where malicious instructions embedded in emails or documents can hijack agent behavior without exploiting traditional software vulnerabilities, according to CrowdStrike’s analysis. The Moltbook social network for OpenClaw agents illustrated these risks when it exposed 1.5 million API tokens and 35,000 email addresses after a database misconfiguration. Varkey cautioned that “threats like prompt injection, logic abuse, and misuse of legitimate tools sit outside the reach of malware scanning,” adding that the integration should be “seen as the foundation for broader governance and technical controls, not the finish line.” The VirusTotal integration is the first step in what Steinberger called a “broader security initiative,” with plans to publish a threat model, security roadmap, and audit results at trust.openclaw.ai. View the full article

A previously undocumented China-linked adversary-in-the-middle (AitM) framework known as “DKnife” has been identified operating at network gateways, where it intercepts and manipulates in-transit traffic. According to Cisco Talos’ findings, the framework has been active since at least 2019 and remains operational as of early 2026. Rather than targeting endpoints directly, DKnife is deployed at the network edge, giving operators visibility into and control over the traffic passing through compromised devices. Talos researchers described it as a modular Linux-based system capable of deep packet inspection, credential interception, and malicious content injection. “DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things devices,” they said in a blog post. “It delivers and interacts with ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.” Traffic hijacking and malware delivery The researchers found DKnife having seven Linux ELF components that work together to monitor and manipulate network traffic in real time. Once deployed on a gateway or similar edge device, the framework can inspect unencrypted and decrypted traffic flows to selectively modify responses before they reach their intended destination. “The seven implants in DKnife serve the purpose of DPI engine, data reporting, reverse proxy for AitM attack, malicious APK download, framework update, traffic forwarding, and building a P2P communication channel with the remote C2,” the researchers said. The framework was observed being used to redirect legitimate software update requests to attacker-controlled servers, enabling the delivery of secondary payloads posing as trusted updates. This allowed attackers to compromise downstream systems without needing direct access to the endpoints themselves, the researchers noted. Beyond update hijacking, the framework supports DNS manipulation, binary replacement, and selective traffic forwarding, giving attackers control over how specific requests are handled. Indicators point to China-Nexus development and targeting Several aspects of DKnife’s design and operation suggested ties to China-aligned threat actors. Talos identified configuration data and code comments written in Simplified Chinese, as well as handling logic tailored for Chinese-language email providers and mobile applications. The framework was also found to enable credential collection from services used within China, indicating specific targeting. Talos confirmed linking DKnife’s operations to the delivery of malware families previously associated with China-nexus activity, further reinforcing attribution. “Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool,” the researchers said without naming any specific threat group. Shared lineage and detection sabotage Talos investigation also revealed technical overlaps between DKnife and earlier AitM frameworks used in past campaigns. “We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework, Spellbinder, suggesting a shared development or operational lineage,” the researchers said. Talos said DKnife includes a traffic inspection module that actively interferes with antivirus and PC-management communications. The module identifies 360 Total Security traffic by inspecting specific HTTP headers, such as DPUname and x-360-ver, and by matching known service domains. When a match is detected, the framework disrupts the connection using crafted TCP reset packets. Similar behavior targeting Tencent services and other PC management endpoints was also observed, indicating deliberate efforts to weaken security tooling. To strengthen detection, Talos shared a list of indicators of compromise (IoCs), including file hashes, network artifacts, and command and control (c2) infrastructure associated with DKnife. Additionally, the disclosure shared a set of ClamAV signatures for detecting and blocking the threat. View the full article

The start of a new year means a fresh start for everyone, including cybersecurity teams. With budgets and plans now finalized, it’s time for CISOs and their teams to execute their strategies. But that doesn’t mean that innovation stops when the plan is finalized. In 2026, CISOs should focus on going beyond cybersecurity compliance standards to keep their organizations resilient to emerging threats. Historically, these standards, such as HIPAA, SOC2, ISO 27001 and others, have set the baseline for security procedures and controls. Done correctly, these can be valuable tools for CISOs to justify investments. But they’re a double-edged sword: Companies that rely solely on compliance can miss important and emerging risks. Here’s how CISOs can leave the compliance checklist mentality in 2025, where it belongs. Compliance standards: Necessary, not sufficient Compliance standards have historically served as the baseline for most cybersecurity programs and are often well-intentioned. PCI-DSS emerged from a consortium of payment processors who had implemented duplicative and inconsistent controls, complicating network integration and increasing costs. HIPAA’s privacy and security rules evolved in response to concerns over privacy and the digitization of electronic medical records. These standards give a baseline of controls to keep them protected. However, these standards typically cover well-known threats and may not keep pace with current architectures or threats. They can also be subject to different interpretations. For example, most compliance standards have vague requirements for active monitoring of a company’s vendors. A CISO running a compliant program may only review a vendor once a year or after significant system changes. Compliance standards haven’t caught up to the best practice of continuously monitoring vendors to stay on top of third-party risk. This highlights one of the most unfortunate incentives any CISO who manages a compliance program knows: It is often easier to set a less stringent standard and exceed it than to set a better target and risk missing it. The latter leads to audit findings and sometimes political ill will. But what does the former lead to? It leads to complacency and systemic under-resourcing of security programs. Right or wrong, CISOs justify 78% of their budget needs using compliance, according to a 2025 Hitch Partners survey. This number is the backbone, and may be even higher in highly regulated industries with more prescriptive compliance standards. But if this approximate 80% is interpreted as 100% of your program’s needs, you will fall short of what’s required to run a forward-looking security program. This is where you, as a CISO, are most crucial to your security team’s mission. And luckily, many compliance standards give you some levers you can use to your advantage. The new North Star for CISOs: Accounting for emerging risk We’ve established that it’s no longer good enough to overfit into a compliance standard, but you can still use compliance to your advantage. Most compliance programs mandate an information security risk assessment and, at a larger company, you may already have a dedicated enterprise risk management function. As a CISO, you influence the scope of that information security risk assessment, the methodology and, perhaps most importantly, the time horizon. Three key strategies you should consider: Extend the time horizon Ideally, you want to be considering scenarios as far as 3–5 years down the road so you can get ahead of them. We’re already seeing evolving threats from AI, more breaches stemming from vulnerable third-party vendors and the risk of harvest-now-decrypt-later threats from quantum computing within the decade. None of the controls for these risk scenarios can be turned on overnight, so preparing for them and other emerging risks is paramount. Use risk- or scenario-based methodologies wherever possible What is the situation you are attempting to prevent? Compliance based on assets or controls is where the checkbox label comes from. This may be important at the outset of a security program to ensure you have proper coverage, but you will confront the previously mentioned 80% mentality. \ With scenarios, you start with a broader view of the risk and map associated controls. You can also define custom risk scenarios, which allow you to formally introduce requirements beyond existing compliance routines. They can also be more specific than you may find in control statements or standard scenarios. Quantify the loss One of the most common shortfalls of compliance-driven risk assessments is simplistic math around likelihood and impact. Many of the emergent risks mentioned above have a lower likelihood but an extremely high impact and even a fair amount of uncertainty around timeframes. Using this simplistic math, these tail risks do not often bubble up organically; instead, they have to be pulled up from the batch of lower frequency-x-impact scoring. Defining that impact in dollars and cents cuts through the noise. $250k versus $18M might both rate a “5” for impact in the traditional sense, but one is clearly more impactful than the other. Practically, these can be difficult if your program is newer and they are highly dependent on both your security organization’s stature and risk culture. Just remember that even if you succeed in starting the discussion on these items, you are building awareness and setting the stage for future investments. How to get buy-in from the board The financial leaders who approve a CISO’s cybersecurity plan live in the area of risk. Every day, they make calculated bets on what will pay off for the business. The board will want to know what compliance standards you aren’t accounting for and the likelihood and impact in financial terms. CISOs can assure them that a clean audit that checks all of the compliance boxes may be safe enough to show prospective clients, but resting there sets a standard of “good enough that doesn’t account for risks that may not be a part of the compliance standard for 2–3 more years. While these might sound like extras to the board, quantifying risk, comparing to competitors and calculating cost-optimal controls are key. For example, an awareness campaign, approval process or training module might be cheaper than adding additional software or point solutions around generative AI security and bring risk down to an acceptable level. If your budget has already been approved without these focus areas in mind, now is the time to start weaving a risk-first approach into discussions with your board. You should be talking about this year-round, not only during budget season when it’s time to present your plan. It will position security as a way to protect revenue, improve capital efficiency, preserve treasury integrity and optimize costs, rather than a cost center. The beginning of the year is a great time for CISOs to start shifting their organization’s mindset on cybersecurity risk. Take a risk-first approach that goes beyond compliance standards and focuses on becoming resilient to emerging threats. This article is published as part of the Foundry Expert Contributor Network. Want to join? View the full article

Most security leaders quietly live with a paradox they rarely name out loud. Until you truly look inside the box of your environment, your organization is both secure and compromised. The dashboards might be green and the audit reports reassuring, but the uncomfortable reality is that you do not know your actual state until you observe it directly and often. Meeting the cat — a paradox with teeth Many readers will have heard of Schrödinger’s cat in passing, but the details blur over time, so it is worth revisiting what the analogy means before applying it to security. It is a thought experiment in quantum physics that illustrates how strange the rules of the microscopic world seem when applied to everyday objects, such as a cat in a box. In the classic setup, a cat is placed in a sealed box with three components: a tiny radioactive source, a detector that can sense whether an atom decays and a vial of poison that will be released if the detector triggers. As long as the box stays closed, quantum mechanics describes the radioactive atom as being in the superposition of both decayed and not decayed at the same time. From the outside, the cat appears to be both alive and dead until someone opens the box and checks. The instant an observer looks, the uncertainty collapses into a single outcome: alive or dead, but not both. Schrödinger proposed this not because he believed in half-dead cats, but to criticize simplistic interpretations of quantum theory and force people to confront how odd it is to treat unobserved systems as if they occupy multiple states at once. That structure, a system that exists in multiple possible states until observed, then collapses into a single real state, is exactly what makes Schrodinger’s cat such a powerful way to talk about modern cybersecurity. The two companies every leader runs When I first moved into security consulting, I realized many leaders were effectively running two different companies at once: one that looked safe in audits, dashboards and policy documents and another that attackers were probing and learning to exploit beneath the surface. In board papers, the organization appeared controlled, compliant and orderly in logs and incident reviews, but in practice, it looked messy, improvised and full of blind spots. Over time, I began to describe these two states as the “paper company” and the “real company.” The paper company is defined by controls. It is the version of the organization that appears in frameworks, policies, architecture diagrams and maturity assessments, with named owners, mapped processes and reassuring traffic-light reports. The real company is defined by behavior. It is the version that appears in telemetry, threat intelligence, red team findings and post-incident reviews. It is shaped by how people actually work, by shortcuts embedded in processes, by legacy systems nobody wants to touch and by integrations that were never fully documented. The paradox is that leadership conversations usually assume only the paper company exists. When a board asks, “Are we secure?”, the answer typically references policies, certifications and tool coverage, all attributes of the paper company, while attackers interact only with the real one. Until leaders can see the real company clearly and regularly, they are effectively managing a cat-in-a-box: they must act as if they are both secure and compromised, without knowing which state is currently true. Security as an observation problem, not just a control problem… Most security strategies still treat protection primarily as a control problem: deploy more controls, map more requirements and close more findings. Controls matter and as an adviser, it would be irresponsible to downplay them. Yet major incidents keep reminding us that controls can be in place on paper while attackers move laterally through gaps in visibility, misconfigurations and exceptions that nobody has examined closely for months. Thinking in Schrodinger’s terms reframes this security issue as also and increasingly an observation problem. In physics, measurement collapses a quantum system from many possible states into one observed reality. In security, detection plays the same role. Until there is a concrete signal, such as an alert, a log correlation, an anomaly investigation or a third-party notification, you cannot categorically state whether an attacker is present. You can discuss probabilities and expectations, but not current facts. Seen through that lens, three truths emerge: 1. The absence of evidence (alerts) is not evidence of absence (safety) It may simply mean your tools cannot see where the attacker is or that signals are not being correlated and interpreted effectively. A quiet SIEM can indicate resilience or complete blindness; without deeper observation, you do not know which. 2. Dwell time is a measure of unobserved reality Every day an attacker remains undetected is a day when leadership operates under a false assumption about the system state. The longer the detection gap, the longer your organization lives in a “secure and compromised” superposition. 3. External discovery is a symptom of observation failure When regulators, customers or partners are the first to tell you something is wrong, it is a strong signal that the box has been opened only from the outside. Once you see security as an observation problem, the question “Are we secure?” starts to feel like the wrong question. A better set of questions sounds more like: How quickly would we know if a high-value identity or system were compromised? Which parts of our environment are effectively unobserved, from a telemetry or logging perspective? Advising leaders through the paradox As a consultant, the goal isn’t to embarrass organizations for their uncertainty but to normalize and systematically reduce it. Complex environments have blind spots and risks arise from ignoring them. The work involves three shifts in thinking and action: Change the questions in the boardroom. Instead of asking “Are we secure?”, ask “Where do we have strong evidence and where are we guessing?” This honesty aligns decisions with reality and clarifies investment needs. Measure certainty, not just controls. Include metrics such as telemetry coverage, detection speed and red team findings to assess how well the organization uncovers threats. Cognitive biases among practitioners exacerbate these gaps. Reward the surfacing of ambiguity rather than punishing uncertainty and encourage teams to admit gaps and improve observation, fostering trust over time. Bringing the paradox down to earth Collapsing the paradox in a real enterprise is not about finding a single magic control that proves you are safe; it is about building habits of observation that continually narrow the gap between the paper company and the real one. In practical terms, a few patterns make an outsized difference. What does the transition from superposition to observation entail within an enterprise environment? From a consultant’s perspective, certain patterns significantly influence the process: Treat threat hunting as routine, not heroic. Many organizations treat hunts as occasional special projects, often driven by a specific concern or regulatory pressure. A more effective model is to operationalize them as a standing function, a way to continuously test assumptions about where attackers could hide and to validate that existing detections still work as expected. Design telemetry with questions in mind. Instead of starting with “what logs can we capture easily?”, start with “what questions would we want to answer after an incident and what would we want to observe in real time?”. Work backward from those questions to determine the required telemetry and analytics. That keeps the focus on understanding behavior, not just filling storage. Integrate external observation into your picture of reality. Bug bounties, penetration tests, independent assessments and sector information-sharing are all ways to let others open the box from different angles. The key is to fold those observations back into your own narrative, rather than treating them as disconnected exercises. Over time, these practices narrow the gap between the paper company and the real company. Leaders still need policies, controls and reports, but those artefacts begin to reflect observed behavior much more closely than aspirations. Leading in a world of half-open boxes The most honest statement a security leader can make is not “we are secure” but “here is what we know, here is what we do not know yet and here is how quickly we are closing that gap.” That is essentially a commitment to continuous observation. It also reframes security from a static state to a dynamic practice, which aligns with how modern digital businesses operate. Schrödinger’s cat reminds us that unobserved systems can exist in multiple states simultaneously. In cybersecurity, this means a quiet environment can be both resilient and deeply compromised until proven otherwise. The job of security leaders and their advisers is not to pretend the paradox does not exist, but to build the technical, organizational and cultural capabilities that enable the organization to open the box early and often and to be ready to act on whatever is found when it is. This article is published as part of the Foundry Expert Contributor Network. Want to join? View the full article

Who is Danny – shutterstock.com Auch im Jahr 2026 bleibt die Cybersicherheitslage angespannt. Doch was sind die wichtigsten Themen, Risiken und Chancen, mit denen sich Security-Entscheider aktuell befassen sollten? Das Marktforschungsunternehmen Gartner hat dazu folgende sechs Trends ermittelt: Trend 1: Agentic AI erfordert Cybersicherheitsüberwachung KI-Agenten werden zunehmend von Mitarbeitern und Entwicklern genutzt, wodurch neue Angriffsflächen entstehen. No-Code-/Low-Code-Plattformen und Vibe-Coding verstärken diesen Trend noch und führen zu einer unkontrollierten Verbreitung von Agentic AI, unsicherem Code und potenziellen Verstößen gegen gesetzliche Vorschriften. „Während KI-Agenten und Automatisierungs-Tools für Unternehmen immer zugänglicher und praktischer werden, bleibt eine strenge Governance unerlässlich“, betont Alex Michaels, Analyst bei Gartner. „Führungskräfte im Bereich Cybersicherheit müssen sowohl genehmigte als auch nicht genehmigte KI-Agenten identifizieren. Für beide Varianten sollten sie strenge Kontrollen durchsetzen und Playbooks für die Reaktion auf Vorfälle entwickeln, um potenzielle Risiken zu bewältigen.“ Trend 2: Globale regulatorische Volatilität treibt Bemühungen um Cyberresilienz voran Veränderte geopolitische Landschaften und sich weiterentwickelnde globale Vorschriften haben Cybersicherheit zu einem kritischen Geschäftsrisiko mit direkten Auswirkungen auf die Resilienz von Organisationen gemacht. Da Regulierungsbehörden Vorstände und Führungskräfte zunehmend für Compliance-Verstöße haftbar machen, kann Untätigkeit zu erheblichen Strafen, Geschäftsverlusten und irreversiblen Reputationsschäden führen. Gartner empfiehlt Führungskräften im Bereich Cybersicherheit, die Zusammenarbeit zwischen Legal-, Business- und Beschaffungsteams zu formalisieren, um eine klare Verantwortlichkeit für Cyberrisiken zu schaffen. Die Anpassung von Kontrollrahmen an anerkannte Standards und die Berücksichtigung von Datenhoheitsfragen tragen dazu bei, Compliance-Lücken zu schließen. Trend 3: PostQuantum-Computing wird zum Aktionsplan Gartner prognostiziert, dass Fortschritte im Bereich des Quantencomputing die asymmetrische Kryptografie, auf die Unternehmen zur Sicherung ihrer Daten und Systeme setzen, bis 2030 unsicher machen werden. Um potenzielle Datenverstöße, rechtliche Haftungsrisiken und finanzielle Verluste durch Angriffe nach dem Prinzip „jetzt sammeln, später entschlüsseln“ zu vermeiden, müssen jetzt Alternativen zur Post-Quantum-Kryptografie eingeführt werden. „Die Post-Quanten-Kryptografie verändert die Cybersicherheitsstrategien. Sie veranlasst Unternehmen dazu, traditionelle Verschlüsselungsmethoden zu identifizieren, zu verwalten und zu ersetzen und gleichzeitig der kryptografischen Agilität Vorrang einzuräumen“, so Michaels. „Indem man jetzt schon in diese Fähigkeiten investiert und die Migration vorantreibt , werden Assets gesichert, wenn Quantenbedrohungen Realität werden.“ Trend 4: Identitäts- und Zugriffsmanagement passt sich KI-Agenten an Der Aufstieg von KI-Agenten stellt traditionelle Identitäts- und Zugriffsmanagementstrategien (IAM) vor neue Herausforderungen, insbesondere in den Bereichen Identitätsregistrierung und -verwaltung, Automatisierung von Anmeldedaten und richtliniengesteuerte Autorisierung für maschinelle Akteure. Werden diese Probleme nicht angegangen, steigt das Risiko von Cybersicherheitsvorfällen im Zusammenhang mit Zugriffen, da autonome Agenten immer mehr Verbreitung finden. Gartner rät zu einem gezielten, risikobasierten Ansatz, bei dem dort investiert wird, wo die Lücken und Risiken am größten sind, und Automatisierung genutzt wird. Dies ist unerlässlich, um Innovationen zu ermöglichen, die Einhaltung von Vorschriften zu gewährleisten und kritische Ressourcen in KI-zentrierten Umgebungen zu schützen. Trend 5: KI-gesteuerte SOC-Lösungen destabilisieren betriebliche Normen Angetrieben durch Kostensparmaßnahmen und das wachsende Interesse an KI führt das Aufkommen von KI-gestützten Security Operations Centern (SOCs) zu einer neuen Komplexität. Dies trägt zu Personalengpässen, erhöhten Anforderungen an die Qualifizierung und sich wandelnden Kostenüberlegungen für KI-Tools bei, auch wenn diese Technologien die Arbeitsabläufe bei der Alarmierung und Untersuchung verbessern. „Um das volle Potenzial von KI in Sicherheitsabläufen auszuschöpfen, müssen Cybersicherheitsverantwortliche Menschen ebenso priorisieren wie Technologie“, erklärt der Gartner-Analyst. „Die Stärkung der Fähigkeiten der Belegschaft, die Implementierung von Human-in-the-Loop-Frameworks in KI-gestützte Prozesse und die Ausrichtung auf klare strategische Ziele werden entscheidend sein, um die Widerstandsfähigkeit bei der Weiterentwicklung von SOCs aufrechtzuerhalten.“ Trend 6: GenAI bricht mit traditionellen Strategien zur Sensibilisierung für Cybersicherheit Laut Gartner reichen bestehende Maßnahmen zur Sensibilisierung für Cybersicherheit nicht aus, um Cyberrisiken zu reduzieren, da die Einführung von GenAI immer schneller voranschreitet. Bei einer Umfrage, die das Analystenhaus zwischen Mai und November 2025 unter 175 Mitarbeitern durchführte, gaben mehr als 57 Prozent an, persönliche GenAI-Accounts für berufliche Zwecke zu nutzen. 33 Prozent der Befragten gaben zu, sensible Informationen für nicht genehmigte Tools zu verwenden. Gartner plädiert dafür, von allgemeinen Awareness-Trainings zu adaptiven Verhaltens- und Schulungsprogrammen überzugehen, die KI-spezifische Aufgaben umfassen. „Durch die Stärkung der Governance, die Verankerung sicherer Praktiken und die Festlegung von Richtlinien für die autorisierte Nutzung lassen sich Datenschutzverletzungen und der Verlust geistigen Eigentums reduzieren“, so die Analysten. View the full article