Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Spyware Disguised as Safety App Targets Israelis Amid Rising Cyber Espionage Activity

  A fresh wave of digital spying has emerged, aiming at people within Israel through fake apps made to look like official warning tools. Ins...

All the recent news you need to know
Phone Tracking
Ad Data Privacy CBP Cyber Security Location Brokers Phone Tracking

CBP Admits Buying Ad Data to Secretly Track Phone Locations

 

U.S. Customs and Border Protections (CBP) has confessed to buying phone location data from the online advertising world, with the purchase making it now the first government agency to confirm such practices. The disclosure was made in a Privacy Threshold Analysis document from 2019 to 2021 that 404 Media obtained via a Freedom of Information Act request and describing a proof-of-concept trial. The data, embedded in real-time bidding (RTB) mechanisms in apps, can be used to track people’s movements with great precision, unbeknownst to them. 

Real-time bidding is what drives the ads that users see in mobile apps, where advertisers bid in real time to display targeted content. In these auctions, mysterious advertising tech companies are peddling tens of thousands of apps, including popular games like Candy Crush and fitness trainers like MyFitnessPal, collecting device identifiers, app usage, and geolocation data. That information is packaged and resold, and tracking it creates a “gold mine” of delivery because it exposes daily routines, home addresses and places of work. 

CBP’s use of such data is troubling from a privacy standpoint, as it circumvent traditional warrants and has access to an ecosystem that most users don’t actually agree to use. The agency evaluated the technology to track activity close to borders, but would not say whether it still uses the method after queries. Related agencies, such as Immigration and Customs Enforcement, have sought to procure similar tools, like Webloc, which allows users to track phones on a neighborhood scale. 

This incident highlights broader government reliance on commercial data brokers for surveillance, echoing past revelations about low-cost ad-based location spying. Apps from dating services to social networks unwittingly feed this pipeline, often without developers' awareness. Critics argue it erodes Fourth Amendment protections, enabling mass tracking under the guise of national security. 

As digital ad ecosystems expand, regulators face pressure to curb these hidden data flows before they normalize warrantless monitoring. Users can mitigate risks by limiting app permissions, using VPNs, and supporting privacy laws like those targeting data brokers. Policymakers must now scrutinize how border security intersects with everyday app usage to safeguard civil liberties in an ad-driven world.
Read more »
Toolkit
Advanced Persistent Threats Chinese cyber espionage Cisco Talos Cyber Intelligence Operations malware Network Security Threats Telecom Cyber Attacks Toolkit

Chinese Cyber Espionage Group Targets Telecom Infrastructure With New Toolkit


 

In the midst of intensifying geopolitical competition in cyberspace, a previously undetected cyberattack linked to China is quietly unfolding across South America's telecommunications industry since 2024. Cisco Talos researchers have reported that the operation represents a methodical and deeply embedded effort to secure long-term access to core communications infrastructure -- an objective which goes well beyond opportunistic intrusions. 

The group is responsible for the UAT-9244 malware, a suite of tools engineered not only for initial compromise but also for durability, stealth, and sustained intelligence collection. A number of analysts have noted that this campaign's tactics, techniques, and operational overlaps have a strong resemblance to those of Chinese advanced persistent threat actors like Famous Sparrow and Tropic Trooper, suggesting a shared tooling framework, coordination of activities, or a broader strategic alignment. 

As a result of this campaign's apparent emphasis on maintaining uninterrupted footholds within telecom environments, which underpin national connectivity, sensitive data flows, and, by extension, elements of sovereign control, are apparent to have been paramount. In embedding themselves within these networks, operators position their capabilities at a crucial vantage point where surveillance, data interception, and disruption can all converge. 

According to the findings, telecommunications companies are no longer peripheral targets, but rather are central elements in state-aligned intelligence gathering. This reflects a dramatic shift in modern cyber warfare towards infrastructure-level persistence. 

On the basis of these observations, Cisco Talos researchers believe the activity cluster has a strong operational affinity with Famous Sparrow and Tropic Trooper, while remaining sufficiently distinct to qualify for its own classification.

The attribution does not rely on any particular indicator, but instead on a convergence of technical evidence, including shared tooling characteristics, overlapping tactics, techniques, and procedures, as well as a unified victimology focused on telecommunications infrastructure. 

A comparison between the targeting profile and campaigns attributed to Salt Typhoon cannot be established without establishing a definitive link, suggesting either parallel operational tracks or compartmentalized tasking within the context of a broad state-aligned actor ecosystem. 

In addition to the three previously undocumented malware families in the intrusion set, a variety of newly developed malware families have been specifically developed to provide resilience in heterogeneous telecom environments. There are several backdoors that are designed for covert persistence and flexible post-exploitation control, including TernDoor. 

he malware deploys itself using DLL side-loading, by abusing the legitimate wsprint.exe executable to load the malicious library BugSplatRc64.dll, which, in turn, decrypts and executes the payload directly in memory by injecting it into msiexec.exe, thereby minimizing its forensic impact. It also includes a kernel-level component, WSPrint.sys, which enables granular manipulation of system processes, such as terminating, suspending, or resuming them, improving evasion as well as operational stability. 

A layering of persistence mechanisms is created through scheduled tasks and carefully crafted modifications to the Windows Registry, as well as additional steps taken to obscure these artifacts from routine examination. 

 Additionally, the malware is capable of performing many operator-controlled actions, including remote shell execution, initiation of arbitrary processes, file system interaction, reconnaissance, and even controlled self-removal, underscoring a level of engineering consistent with long-term intelligence-driven campaigns rather than transient intrusions. 

Considering the historical context of this threat landscape further reinforces the assessment of continuity. It is believed that Famous Sparrow has been operating since at least 2019, consistently targeting sectors such as the hospitality industry, government institutions, international organizations, and legal services, whereas Tropic Trooper has been in business since 2011, concentrating on government entities, transportation systems, and advanced technology industries across a range of regions, including Taiwan, Philippines, and Hong Kong, as well as more recently in the Middle East. 

In light of this background, the current campaign's focus on telecommunication networks illustrates a deliberate preference for infrastructure that aggregates vast amounts of sensitive information related to communications, positioning compromised environments as strategic vantage points for the collection of long-term intelligence. 

There was a coordinated deployment of three malware families within the intrusions, including TernDoor, PeerTime, and BruteEntry, each designed to fulfil a specific operational role across heterogeneous networks. Apparently, TernDoor, an implant for Windows, can be traced back to earlier implants like CrowDoor and SparrowDoor, underscoring the iterative nature of the development process within established espionage working groups. 

In order to execute the malware, it uses DLL side-loading, by manipulating trusted executables in order to load malicious libraries that decrypt and inject the payload into msiexec.exe, which allows the malware to operate under the guise of legitimate system activity. 

Upon establishing the implant, remote command execution, system reconnaissance, and file manipulation are available, while persistence is enhanced by scheduling tasks and registry-based autorun mechanisms designed to avoid routine inspection. 

As a result of the malicious kernel driver, the campaign has a greater ability to bypass security controls since it is capable of suspending or terminating processes. Furthermore, PeerTime extends the campaign’s reach to Linux-based infrastructure commonly used in telecom environments, including servers, routers, and embedded systems. 

The ELF binary is compatible with multiple architectures including ARM, MIPS, PowerPC, and AArch64 and demonstrates a deliberate effort to maximize operational coverage. As a result of this design choice, it obscures infrastructure dependencies and complicates attribution and detection by utilizing BitTorrent protocol to retrieve instructions and secondary payloads from distributed peers, diverging from conventional command-and-control paradigms. 

An embedded debug string in Simplified Chinese within associated binaries serves as an additional linguistic indicator that aligns the activity with Chinese-speaking operators. Additionally, the malware can masquerade as legitimate processes while executing commands and facilitating lateral file transfers between compromised hosts in addition to executing commands. 

A third component, BruteEntry, allows for expansion of the threat by transforming compromised edge devices into operational relay boxes that serve as distributed scanning nodes in the event that they are compromised. 

By using predefined credential sets, the tool systematically probes exposed services, including SSH, Postgres, and Tomcat, using attacker-controlled infrastructure that receives target lists. Authentication attempts that are successful are relayed back to command infrastructure, effectively converting compromised systems into contributors within a broader framework of reconnaissance and access acquisition. 

As a result of this distributed approach, operators can scale credential harvesting efforts across large address spaces while minimizing the exposure of their core infrastructure to direct exposure. This study matches a larger pattern of cyberespionage activity targeting global telecommunications providers, which is increasingly recognized as a critical sector for both national security and intelligence. 

The scope of Salt Typhoon's campaigns has already been demonstrated with incidents spanning multiple major carriers in the United States and dozens of countries worldwide, and this activity is believed to be continuing into early 2026. 

A renewed focus on infrastructure-centric operations aiming to secure enduring access to the world's communications backbones is underscored by the emergence of UAT-9244 and its tailored malware ecosystem. In further investigation of the Linux-oriented component, it becomes evident that the architecture is intentionally designed to facilitate operation across diverse hardware environments. 

PeerTime has been designed to support multiple processor architectures including ARM, MIPS, PowerPC, and AArch64 so it can propagate across a wide range of devices, including routers, network appliances, and embedded systems, that are essential components of modern telecommunications infrastructures. 

The deployment of the application is managed by a shell-based installation procedure, which introduces both a loader and a secondary "instrumentor" module, the latter of which facilitates operational management and control of execution. 

Typically, when containerization is implemented, particularly when Docker is used, the loader is executed within a container context, a technique aligned with contemporary infrastructure practices but also provides a layer of abstraction, thereby complicating detection and forensic analysis. 

Additionally, by utilizing BruteEntry, the campaign is systematically extending its reach beyond initially compromised hosts in parallel to this foothold. Specifically, Cisco Talos has documented that the tool is specifically designed to convert infected Linux systems especially edge-facing devices into operational relay boxes that can conduct large-scale scanning operations and credential harvesting operations. 

Upon deployment, BruteEntry communicates with attacker-controlled command infrastructure, from which it receives dynamically assigned IP addresses for reconnaissance. This application probes common enterprise and telecommunications services, including SSH endpoints, PostgreSQL databases, and Apache Tomcat management interfaces, using predefined credential sets that are then matched by a structured brute-force approach. 

As successful authentication attempts are relayed back to the command infrastructure, attackers are effectively able to pivot laterally and incrementally expand their access across interconnected systems as a consequence. By using modular tooling coordinated in this way, a deliberate strategy to enhance scalability and persistence can be seen, with each compromised node contributing to an overall reconnaissance and intrusion framework. 

Especially significant is the emphasis placed on telecommunication providers, as these entities provide access to vast volumes of sensitive communications and metadata by operating at the convergence of data flow and network control. Their positioning enables them to act not only as a target of opportunity but also as critical assets in a broader context of state-aligned intelligence gathering, where sustained access can offer both immediate and long-term benefits.

It is important for telecommunications operators to take note of these findings and to reassess their defensive posture in the face of highly persistent, state-sponsored threats designed to disrupt operations for extended periods of time rather than to create short-term disruptions. In environments where adversaries actively blend into legitimate system processes and take advantage of trusted execution paths, traditional perimeter-based controls are no longer sufficient.

In order to protect critical network assets, a shift is becoming increasingly important toward continuous monitoring, behavior-based threat detection, and rigorous segmentation is needed. Edge devices are being hardened, credential policies are being enforced, and containerized environments are being audited in particular, since they are emerging as attractive platforms for covert operations. 

Additionally, proactive threat hunting and intelligence sharing across sectors are essential, as campaigns of this nature often unfold slowly across multiple jurisdictions and often take a long time to complete. An organization can improve early detection and limit lateral movement by identifying anomalous activity based on known adversarial patterns and maintaining visibility across Windows and Linux ecosystems. 

 As a result of the persistence and adaptability demonstrated in this operation, cyberespionage strategy has evolved with silent access to critical infrastructure being prioritized over overt disruption putting the onus on defenders to adopt security frameworks that are equally adaptive and intelligence-driven.
Read more »
RDP
Brute Force Attacks credential harvesting IP Address Ransomware RDP

How a Brute-Force Attack Exposed a Wider Ransomware Ecosystem

 



What initially appeared to be a routine brute-force alert ultimately revealed a far more complex ransomware-linked infrastructure, demonstrating how even low-level signals can expose deeper cybercriminal operations.

According to analysis by Huntress, an investigation that began with a single successful Remote Desktop Protocol (RDP) login uncovered unusual credential-harvesting behavior, globally distributed attacker infrastructure, and connections to services potentially supporting ransomware-as-a-service and initial access brokers.


When “Routine” Alerts Are Not Routine

Brute-force attempts against internet-exposed RDP systems are common and often treated as background noise. However, intrusion detection rarely follows a clean, linear path. Analysts frequently receive alerts from the middle of an attack chain, requiring them to investigate both earlier entry points and potential next steps simultaneously.

In this case, a network had an RDP server exposed online. While widely recognized as risky, many organizations maintain such exposure due to operational needs. The investigation began after a security operations center detected domain enumeration activity.


Detecting the Initial Compromise

Reviewing Windows event logs revealed sustained brute-force login attempts. Investigating such activity can be difficult because logs often become saturated with failed login records, sometimes overwriting valuable security data. Additional noise from automated service accounts used in scanning tools further complicates analysis.

Despite these challenges, analysts identified that one account had been successfully compromised among many failed attempts.

The compromised account showed logins from multiple IP addresses. While unusual, timestamp analysis indicated a single attacker leveraging distributed infrastructure rather than multiple actors.

Once inside, the attacker began enumerating domain groups and configurations, a typical step before lateral movement. Upon confirming malicious activity, defenders isolated systems across the network to contain the intrusion.


Unusual Credential Collection Methods

At first glance, the attack appeared standard. However, further analysis revealed behavior that did not align with typical attacker playbooks.

Threat actors usually extract credentials from system memory or registry data using tools such as Mimikatz, Procdump, or Secretsdump, or they collect browser-stored authentication data. These approaches are efficient and widely used.

In this case, the attacker instead manually searched for credentials stored in files across the system. Evidence showed the use of simple tools like text editors to open files containing potential login information. Jumplist artifacts confirmed repeated access to such files.

This approach is uncommon because credentials stored in files may be outdated or unreliable, requiring manual verification. Researchers suggest most attackers avoid this method due to its inefficiency, preferring automated techniques that consistently yield usable credentials. The behavior here suggests an effort to gather as much credential material as possible, even through less reliable means.


Mapping the Infrastructure

This unusual activity prompted deeper analysis of the attacking infrastructure. Initial intelligence linked one IP address to known ransomware activity, including associations with Hive and references in advisories from the Cybersecurity and Infrastructure Security Agency related to BlackSuite.

Further investigation into TLS certificates revealed a domain, specialsseason[.]com. By pivoting through certificate fingerprints, analysts identified additional infrastructure, including multiple domains and IPs following a consistent naming pattern such as NL-<countrycode>.specialsseason[.]com.

This indicated a geographically distributed network spanning regions including the United States and Russia. Many of these systems exposed active services across multiple ports, suggesting operational infrastructure.

Additional analysis uncovered another domain, 1vpns[.]com, closely resembling a legitimate VPN provider. Related domains advertised services claiming to maintain zero logs, a feature that could enable anonymity for malicious actors.

The terminology “special season,” often associated with “big game hunting,” aligns with ransomware campaigns targeting high-value organizations. Public reporting has also linked similar VPN infrastructure to ransomware groups, suggesting use within ransomware-as-a-service ecosystems and by initial access brokers who sell network access.


Why This Case Stands Out

Cybersecurity incidents are often analyzed through frameworks focusing on tactics and indicators, but rarely provide visibility into the underlying infrastructure. This case offers insight into how such ecosystems operate and highlights the attackers’ clear focus on acquiring credentials.

It also underlines the importance of expanding investigations beyond immediate containment. While most incidents lack sufficient data for deeper analysis, this case demonstrates how a single data point can reveal a broader operational network.

Ransomware remains a persistent threat across industries, and brute-force attacks continue to serve as a common entry point. While often dismissed as routine, this case shows that deeper investigation can uncover coordinated and large-scale cybercriminal activity.

For defenders, the lesson is clear: even the most ordinary alert can expose something far more substantial when examined closely.

Read more »
Threat Intelligence
Advanced Persistent Threats Critical Infrastructure Security cyber espionage Cyber Security Cybersecurity EU Sanctions State Sponsored Attacks Threat Intelligence

Europe Targets Chinese and Iranian Entities in Response to Cyber Threats


 

Council of the European Union, in response to the escalation of state-linked cyber intrusions, has tightened its defensive posture by imposing targeted sanctions on a cluster of entities and individuals allegedly engaged in sophisticated digital attacks against European interests in a measured yet unmistakably firm manner. 

According to the Council, on behalf of the bloc's member states, this decision represents a broader strategic shift within the European Union, where cyber threats are increasingly treated as instruments of geopolitical pressure capable of compromising critical infrastructure, public trust, and economic stability rather than isolated technical disruptions. 

It was announced earlier this week that sanctions would extend beyond corporate entities and include senior leadership figures, indicating a desire to hold not only organizations, but also their decision-makers accountable for orchestrating or enabling malicious cyber activity. 

China's Integrity Technology Group and Anxun Information Technology Co., a company formerly known as iSoon, were among those names, along with Iranian entity Emennet Pasargad, who are believed to have participated directly in attacks against essential services and government networks. 

The inclusion of executives such as Wu Haibo and Chen Cheng further underscores the EU's evolving approach to cyber operations, one in which the traditional veil of denial is pierced. 

The European Union attempts to reset deterrence in cyberspace by formally assigning responsibility and imposing economic and legal constraints, where attribution is a challenging task, accountability is often elusive, and the consequences of inaction continue to increase with each successive breach by establishing a new standard of deterrence. 

European authorities have also focused attention on Anxun Information Technology Co., commonly referred to as I-Soon. The company appears to be closely connected to Chinese domestic security apparatuses, particularly the Ministry of Public Security. Despite its formal positioning as a commercial company, Huawei has long been associated with cyber operations aligned with Beijing's strategic intelligence objectives, blurring the line between state-directed activity and outsourced service. 

As a result of this dual-purpose posture, Western governments have paid sustained attention to the situation; following sanctions imposed by the United Kingdom in March 2025, the Department of Justice unveiled charges against multiple I-Soon personnel for participating in coordinated intrusion campaigns. 

In confirming these concerns, the European Union has made the claim that I-Soon operated as an offensive cyber services provider, systematically attacking critical infrastructure sectors and governmental systems both within member states and abroad. 

As alleged by investigators, its activities extend beyond unauthorized access to include sensitive data exfiltration and monetization, introducing persistent risks to the diplomatic and security frameworks supporting the Common Foreign and Security Policy as a result of institutionalizing the hacker-for-hire model.

It is also important to note that the Council has designated key corporate figures, including Wu Haibo and Chen Cheng, who are senior managers and legal representatives within the company's structure. This reinforces the EU's intention to attribute accountability at both the individual and organization level. There have also been actions taken against Emennet Pasargad, an Iranian threat actor known by various aliases, such as Cotton Sandstorm, Marnanbridge, and Haywire Kitten and widely considered to be linked with the Cyber-Electronic Command of the Islamic Revolutionary Guard Corps. 

A wide range of disruptive and influence-driven cyber activities have been associated with the group, ranging from interference operations in connection with the 2020 presidential election to intrusion attempts related to the Summer Olympics in 2024. 

In accordance with European assessments, cyberattacks against Sweden's digital infrastructure, including the compromise of the national SMS distribution service, were also attributed to the group, indicating a pattern of operations intended not only to infiltrate systems but also to undermine public trust and operational resilience.

Furthermore, additional technical assessments further demonstrate the extent and persistence of Emennet Pasargad's activities. As indicated by Microsoft's analysis previously, the group-tracked as "Neptunium"-is suspected of compromising the personal information of over 200,000 Charlie Hebdo subscribers. 

According to many observers, the intrusion was a retaliatory act in response to the publication's controversial content targeting Ali Khamenei, illustrating the trend of politically motivated cyber operations being increasingly integrated with information exposure and intimidation methods.

The Council of the European Union identifies the group as conducting hybrid operations, including the unauthorized control of digital advertising billboards during the 2024 Summer Olympics for propaganda purposes, as well as a compromise of a Swedish SMS distribution service.

Interestingly, the latter incident is consistent with an earlier documented campaign that utilized mass messaging to incite retaliatory sentiments within the Swedish community, a tactic that has later been referenced by the Federal Bureau of Investigation in its threat advisories. 

Additionally, the Council's documentation illustrates earlier interference activities targeting the 2020 United States presidential elections, during which stolen voter data was used to deliver coercive communications using false political identities, demonstrating a deliberate campaign to undermine the trust of voters. 

Indictments have been issued in the United States against individuals such as Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian as a result of enforcement actions. Financial sanctions have been imposed by the Treasury Department in an attempt to disrupt the group's operations funding. In spite of these measures, the actor has remained active, and subsequent attribution has linked it to ransomware campaigns believed to be affiliated with the Islamic Revolutionary Guard Corps.

There are parallel findings regarding Integrity Technology Group that reinforce the transnational nature of these threats. Investigators discovered that the company's infrastructure and tooling were used by the Flax Typhoon threat group as a means of gaining access to tens of thousands of devices throughout the European continent, as well as facilitating espionage-focused activities targeting Taiwanese entities. 

In addition, coordinated sanctions between the United Kingdom and the United States indicate a growing alignment of international responses targeted at reducing the ability of state-linked cyber activities to sustain their operations.

In combination, these coordinated efforts indicate a maturing enforcement posture in which cyber operations are not viewed merely as technical incidents but rather as matters of strategic significance that require sustained, multilateral responses. 

As part of the ongoing process of improving the European Union's cyber sanctions framework, the EU will emphasize attribution, intelligence sharing, and alignment with international partners in order to ensure that punitive measures are effectively translated into tangible operational disruptions.

It becomes increasingly important for organizations operating both within and outside of Europe to strengthen their resilience against advanced persistent threats, in particular those that utilize supply chain access, managed service providers, and covert infrastructure. 

It has been noted that the convergence of espionage, cybercrime, and influence operations calls for a more integrated defense model that includes technical controls, threat intelligence, and regulatory compliance. 

Having said that, the effectiveness of sanctions will ultimately depend on the consistency with which they are enforced, on the timely attribution of the perpetrators and on the ability of both public and private sectors to anticipate and mitigate the evolving threat environment.
Read more »
Network Server
CISO CISO best practices Cyber Security Cyberattacks. Network Safety Network Security Network Server

Cisco Warns of Actively Exploited SD-WAN Vulnerabilities Affecting Catalyst Network Systems

 

Cisco warns of several security holes in its Catalyst SD-WAN Manager, noting hackers have begun using at least one in live operations. Updates exist - applying them quickly reduces risk exposure. Exploitation is underway; delayed patching increases danger. Systems remain vulnerable until fixes take effect. Each unpatched flaw offers attackers a potential entry point. Action now limits future compromise chances. 

Catalyst SD-WAN Manager - once called vManage - serves organizations that need oversight of extensive networks, letting them manage many devices from one location. Because it plays a key part in keeping connections running, flaws within the system can lead to serious problems when updates are delayed. Cisco reports active exploitation of two flaws, labeled CVE-2026-20122 and CVE-2026-20128. 

While one poses a higher risk by letting those with basic API access overwrite critical files, the other leaks confidential information when insiders already have login rights. Though differing in impact level, both demand attention due to ongoing attacks. Access restrictions alone do not fully block either pathway. One alters content without permission; the other quietly reveals what should remain hidden. 

Regardless of how devices are set up, Cisco confirmed the flaws affect the software across the board - leaving any system without updates at risk. Though there is no current evidence of exploitation for the additional bugs listed, moving to protected releases remains advised simply because it limits exposure. 

Despite earlier assurances, Cisco now admits CVE-2026-20127 has seen active exploitation beginning in 2023. Though complex, the flaw makes it possible for experienced hackers to skip authentication steps on network controllers. Unauthorized entry leads to insertion of untrusted devices within protected systems. 

What was once theoretical is now observed in real attacks. Appearing trustworthy at first glance, these unauthorized devices let intruders spread across systems, gain higher access levels, while staying hidden for long periods. Growing complexity and frequency now worry security experts worldwide. Authorities including the Cybersecurity and Infrastructure Security Agency (CISA) have responded by issuing directives requiring organizations, particularly federal agencies, to identify affected systems, collect forensic data, apply patches, and investigate potential compromises linked to these vulnerabilities. 

One step further, Cisco revealed two additional high-risk weaknesses in its Secure Firewall Management Center. Labeled CVE-2026-20079 along with CVE-2026-20131, they involve a flaw allowing login circumvention and another enabling remote command execution. When triggered, hackers might reach root privileges on compromised devices while running harmful scripts from afar - no credentials needed. 

Though rare, such access opens deep control paths across networks. When flaws carry serious risks, acting fast matters most. Those running Cisco’s network control systems should update quickly - while checking logs closely. Exploits already in motion mean delays increase exposure. Watching traffic patterns might reveal breaches hidden before now. 

Facing ever-changing digital dangers, events such as these underline why staying ahead of weaknesses matters - especially when reacting quickly to warnings. A slow reaction can widen risk, while early action reduces harm before it spreads.
Read more »
Risky Extensions
AI tools Browser Security Cyber Security Data Exposure Enterprise Risks Risky Extensions

AI Boom Turns Browsers into Enterprise Security’s Biggest Blind Spot

 

Telemetry data from the 2026 State of Browser Security Report reveals that, while the browser has become the de facto operating system for work in the enterprise, it remains one of the least secured segments in the overall security stack. In 2025, AI-native browsers, embedded copilots, and generative tools transitioned from being experimental pilots to being ubiquitous, routine tools for search, write, code, and workflow automation, thus creating a significant disconnect between the way employees are actually working and the organization’s risk monitoring capabilities.

The data also indicates that generative artificial intelligence has become an integral part of browser workflows, extending beyond the browser as a gateway for a small set of approved tools. According to the telemetry data collected by Keep Aware, 41% of end-users interacted with at least one AI tool on the web in 2025, with an average of 1.91 AI tools used per end-user, thus revealing the widespread integration of AI tools in the browser workflows. However, it has been observed that governance has not kept pace with the adoption of these tools, with end-users using their own accounts or unauthorized tools in the same browser session as their work activities. 

This behavioral reality is especially dangerous when it comes to sensitive data exposure. In a one‑month snapshot of authenticated sessions, 54% of sensitive inputs to web apps went to corporate accounts, while a striking 46% went to personal or unverified work accounts, often within “trusted” apps like SharePoint, Google services, Slack, Box, and other collaboration tools. Because traditional DLP tools focus on email, network traffic, or endpoint files, they largely miss typed inputs, pasted content, and file uploads occurring directly inside live browser sessions, where today’s AI‑driven work actually happens.

Attackers have adapted to this shift as well, increasingly targeting the browser layer to bypass hardened email, network, and endpoint defenses. Keep Aware observed that 29% of browser‑based threats in 2025 were phishing, 19% involved suspicious or malicious extensions, and 17% were social engineering, highlighting how social and UI‑driven tactics dominate. Notably, phishing domains had a median age of more than 18 years, indicating adversaries are abusing long‑standing, seemingly trustworthy infrastructure rather than relying only on newly registered domains that filters are tuned to flag.

Browser extensions add another, often underestimated, attack surface. According to the report, 13% of unique installed extensions were rated High or Critical risk, meaning a significant slice of add‑ons running inside production environments have elevated permissions and potentially dangerous capabilities. Many extensions marketed as productivity tools request broad access to tabs, cookies, storage, and web requests, quietly gaining deep visibility into user sessions and sensitive business data without ongoing scrutiny.

The report makes a clear case that static controls—such as one‑time extension reviews, app allowlists, and domain‑based blocking—are no longer enough in a world of AI copilots, browser‑centric workflows, and adaptive phishing campaigns. Instead, organizations must treat the browser as a primary security control point, with real‑time visibility into AI usage, SaaS activity, extensions, and in‑session behavior to detect threats earlier and prevent data loss at the moment it happens. For security teams, 2026 is shaping up as the year where true browser‑native detection and response moves from “nice to have” to non‑negotiable.
Read more »
Subscribe to: Comments (Atom)

Featured