DAILY WORKFLOW ARCHIVE

2026-05-28 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-28 AI创业新闻

Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively. That’s according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil. The Grandoreiro campaign “uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal,” WatchGuard researcher Euler Neto said . Active since 2016, Grandoreiro is an actively evolving banking malware that’s capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories.

It’s typically distributed via phishing emails, instructing recipients to click on sketchy links. Despite some arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its targeting footprint, while incorporating CAPTCHA checks to resist analysis. The latest campaign flagged by WatchGuard has been found to leverage DLL side-loading to launch DLLs that are developed in Delphi 11, a programming language commonly used for malware targeting the region. Two of the DLLs - mingwm10.dll and libwebp.dll - have been found to incorporate sgcWebSockets , a WebSocket and real-time communication library, for peer-to-peer (P2P) and WebRTC communications.

“The DLLs associated with this case use the Session Traversal Utilities for NAT ( STUN ) protocol, which is a protocol that helps devices behind a NAT discover their public IP address and port number, enabling peer-to-peer communication,” WatchGuard explained. “The advantage for threat actors to use web conferencing traffic in their campaigns is due to this traffic being noisy, being difficult to monitor, and due to WebRTC being commonly used across all major web-conferencing platforms.” Two other DLLs associated with the campaign are libffi-6.dll and libpng15.dll, which make use of the Interactive Connectivity Establishment ( ICE ) protocol instead of STUN to achieve the same goal. These files specifically reference banks and financial institutions that operate in Portugal, such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, and Santander, among others. Also targeted are Revolut and Wise.

WatchGuard also said it identified another campaign in which phishing emails are used to deliver a ZIP archive hosted on Mediafire. The file contains an obfuscated Visual Basic Script that’s responsible for launching an executable, which displays a message asking users to update Adobe Reader by clicking on a button embedded in the alert. Doing so triggers a series of checks aimed at avoiding detection and complicating malware analysis, before launching the final payload to steal banking information and sensitive data. Some of the tactics overlap with a prior Grandoreiro campaign detailed by Kaspersky in October 2024.

“The bigger story here is not just that Grandoreiro is still active,” WatchGuard said. “It is that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide inside traffic patterns that many organizations may already trust.” “By combining phishing, DLL side-loading, WebRTC-related components, cloud service abuse, and anti-analysis checks, these campaigns show how banking malware is becoming harder to spot with surface-level defenses alone.” BTMOB Offers Ready-Made Campaign Tools The disclosure coincides with a report from ESET about BTMOB, an Android remote access trojan (RAT) that first emerged in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML injections when certain apps are opened, and enable remote control. A subsequent iteration introduced the ability to capture Alipay PINs. “The RAT is also sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures for specific regions at a rapid clip - and without writing any code,” ESET researcher Daniel Cunha Barbosa said .

These ready-made tools further bring down the time and effort required to conduct a full device compromise. The primary method through which the malware spreads is via social engineering, where users are sent links to bogus websites masquerading as streaming services or cryptocurrency mining platforms. From those sites, victims are directed to fake Google Play Store app listings that trick them into installing an Android package (APK) file containing the malware. Once installed, the malware seeks permissions to use Android’s accessibility services and then leverages it to grant itself additional system access without any user interaction.

BTMOB is believed to be the successor to CraxsRAT, CypherRAT, and SpySolr families. As of May 2026, the latest version of the malware is 4.5.5, claiming to offer enhanced APK protection and compatibility with the latest Google Play updates. “This update is all about speed and stability,” an X profile allegedly linked to the malware posted on May 1, 2026. “We’ve expanded our infrastructure and refined the builder to keep you ahead of the latest mobile security patches.” The Trojan is advertised by a threat actor named EVLF (@craxso) for a price tag of $700 per month.

According to a YouTube video shared by the malware author on May 1, 2026, a lifetime license is worth $1,200. The complete server source code is available for $7,000, allowing customers to host the command-and-control (C2) panels on their own infrastructure. As recently as this week, the X profile also shared a link to a Medium article about “how BTMOB RAT is turning Android phones into remote-controlled weapons,” and has been “evolving fast” since early 2025. “It slips in through phishing sites, grabs accessibility services, and turns your phone into a puppet,” the article reads.

“Hackers watch your screen live. They steal banking details. They even mine crypto in the background while you scroll Instagram.” Interestingly, the article was published by an account named “CraxsRAT Main developer.” The account’s bio claims they are a “skilled and resourceful cybercriminal who built a profitable cybercrime enterprise by selling highly advanced RAT malware to other threat actors.” The fact that BTMOB is sold under a malware-as-a-service (MaaS) model risks lowering the barrier to entry for less sophisticated threat actors. This is compounded by reports that leaked versions are already circulating on underground forums and Telegram, increasing the risk of abuse through copycats and other aspiring criminals.

“Access rarely stays contained forever, and the tool can move into secondary markets through resale, barter, or sharing inside closed groups,” ESET said. “Competing malware families can also copy some elements that make payload customization and campaign management easier for less skilled criminals.” Italian cybersecurity company D3Lab, in an analysis of the leaked BTMOB RAT development toolkit published in December 2025, said it included the Android payload source code, its dropper, a builder environment, the operator panel for Windows, the C2 backend, and all the software dependencies required to deploy the platform. “The BTMOB leak provides a rare perspective on the inner workings of a modern Android RAT-as-a-Service ecosystem,” D3Lab noted at the time. “It demonstrates that the threat actor operates not merely as a developer selling a toolkit, but as a service provider enforcing licensing, authentication, and version control over their customers.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities. According to OX Security, the package, named “ mouse5212-super-formatter ,” is designed to upload files from “/mnt/user-data,” a dedicated directory used by Anthropic’s Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The activity has been codenamed Malware-Slop . “By analyzing the malware, it turns out that the script presents itself as an internal ‘archive deployment sync’ utility that validates or initializes a GitHub repository, captures a lightweight ‘network status’ snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree,” researchers Moshe Siman Tov Bustan and Nir Zadok said .

In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim’s environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account . The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake “network connections” log to give the impression that it’s sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data. The package is still available for download from npm and is estimated to have been downloaded 676 times.

However, how many of these correspond to actual installs remains unclear. The GitHub account linked to the campaign is no longer available, although OX noted that it was created on May 26, 2026, a few hours before the first malicious version was uploaded to npm. What’s notable about the package is that it leaked details of the GitHub account, including its private token, raising the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices. “Now that the bar to create malicious code was reduced significantly, we’re going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely,” OX Security said.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

When an employee installs an AI writing assistant, connects a coding copilot to their IDE, or starts summarizing meetings with a new browser tool, they are doing exactly what a productive employee should do: finding faster ways to work. Across most organizations today, employees are running three to five AI tools on any given day. Most were never reviewed by IT. A significant portion connects to corporate data through OAuth tokens or browser sessions, giving them access to shared drives, emails, and internal documents the employee never specifically intended to expose.

Security teams often have no visibility into any of it. This is the shadow AI gap, and it is widening fast. Most security tools were built to monitor email and network traffic flowing through the corporate network. A browser-based AI tool that connects to company data through a quick login approval bypasses those controls entirely, because it never passes through the corporate network at all.

According to Gartner , 69% of organizations suspect or have confirmed that employees are using prohibited AI tools at work, and only 37% have an AI governance policy in place. The result is a growing disconnect between how employees work and what security teams can see. A program that channels AI adoption into a safe, visible, approved path gives security teams the visibility they need and employees the tools they want. The five steps below show exactly how to build one.

Step 1: Build a Full Picture of What’s Running A security program can only manage what it can see. The first step is discovering which AI tools are in use across the organization, and most security teams will find the answer surprising. Three areas account for the majority of shadow AI activity. OAuth connections.

Most AI tools request access to Google Workspace or Microsoft 365 through OAuth, which grants them read or write permissions to corporate data. A quarterly audit of connected third-party apps, sorted by permission scope, usually surfaces dozens of tools the security team never reviewed. Browser extensions. Many AI tools run as browser extensions and never touch the operating system, so traditional endpoint management tools miss them entirely.

A browser management solution or a lightweight agent installed on employee devices can scan for and identify which extensions are active across the organization. AI features bundled inside already-approved tools. Microsoft Copilot, Google Gemini, and Salesforce Einstein are examples of AI capabilities that may have been introduced after the original vendor review, often without a separate security evaluation. A simple employee survey is also worth running.

A survey framed around helping employees work more safely tends to get candid responses. Many shadow tools surface through surveys that automated discovery misses entirely. The goal of this step is a current, accurate inventory: every AI tool in use, who is using it, and what data it has access to. Step 2: Write a Policy That Works With Employees Most AI acceptable use policies stall for the same reason: they give employees a list of prohibited tools with no guidance on what the approved path looks like.

A policy designed as a practical guide, one that identifies approved tools and provides a clear process for requesting new ones, is the foundation employees need to make good decisions. An effective AI governance policy covers five things. A current list of approved tools and where to find them. Clear data classification rules specifying which categories of data, including customer records, source code, and financial information, should never be entered into any AI tool.

A verified data training opt-out status for each approved tool. Many AI tools use company inputs to improve their models by default unless enterprise settings are explicitly configured otherwise. Approval should require a confirmed opt-out for any tool that handles sensitive data. A defined process for requesting new tools, with a target turnaround time.

A plain-language explanation of why the guidelines exist. That last element matters more than it might seem. Employees who understand why OAuth connections carry data exposure risk apply that reasoning to every tool decision they make. Policy becomes a form of education when the reasoning is included.

Step 3: Create a Fast Lane for New Tool Requests Shadow AI grows fastest in organizations where the official approval process cannot keep pace with the rate of AI product releases. An employee who needs a tool today and faces a six-week security review will find a workaround within days. The goal of this step is to remove that friction. Most AI tool requests do not warrant a full procurement review.

A structured intake form with defined evaluation criteria is enough for the majority of lower-risk tools. A structured intake form and a defined set of evaluation criteria make faster decisions possible. For tools with limited data access, many organizations find a shorter turnaround feasible once evaluation criteria are documented and consistently applied. The evaluation criteria should cover data access scope, vendor security practices, data training opt-out status, compliance certifications, and whether the tool already has a functional equivalent on the approved list.

Security teams that publish their approved tool list openly and keep it current typically see a meaningful reduction in shadow AI usage. When employees know where to find the right tools, they use them. Step 4: Use Monitoring as a Shared Safety Layer Continuous visibility into AI tool usage across an organization serves two groups simultaneously. Security teams get the real-time picture they need to identify and address exposure before it becomes an incident.

Employees get a form of protection they often do not have on their own: a signal when a tool they are using may be putting their credentials or company data at risk. A browser-native monitoring approach gives security teams visibility into AI activity without rerouting employee web traffic or adding friction to daily work. The signals it captures feed into each employee’s broader risk profile, sitting alongside their phishing simulation results and training completion data in one place. That combined view matters because risky behaviors compound.

An employee who clicks phishing links, skips training, and runs unapproved AI tools with access to sensitive data presents a much higher risk than any single behavior would indicate. Seeing the full picture in one place helps security teams focus on the employees who need attention most. Step 5: Make Good Security Behavior Easy Security programs that make the secure choice the easiest choice are the ones employees follow. In the context of AI governance, two things drive that: just-in-time coaching and training that explains the reasoning behind the rules.

Just-in-time coaching delivers a brief, contextual prompt at the moment an employee attempts to use an unsanctioned tool. This is more effective than quarterly training modules, because the intervention happens at the point of decision. A well-designed prompt tells the employee what the concern is, directs them to an approved alternative, and takes less than thirty seconds to read. Training that explains the reasoning behind AI governance policies builds the kind of judgment employees can apply across any situation they encounter, including tools and threats that emerge long after the training itself.

The AI tool landscape is changing fast enough that no training program can anticipate every specific case. An employee who understands that OAuth connections to corporate Google Workspace can expose the entire shared drive to a third-party vendor will apply that understanding to tools that did not exist six months ago. Building a Security Program Based on How Teams Work AI adoption is a signal of productive teams doing their jobs well. Companies that build practical programs around that momentum, with clear paths to approved tools and real-time visibility for security teams, tend to handle it best.

Security teams that close that gap find that shadow AI usage declines organically over time. Browser-native visibility, clear paths to approved tools, and just-in-time coaching at the moment of risk are what make that possible. When employees have access to effective, approved tools and a fast, transparent path to get new ones reviewed, the incentive to work around the system largely disappears. Adaptive Security’s AI Governance product gives security teams real-time visibility into every AI tool and shadow app running across their organization, with automated policies and just-in-time employee coaching built in.

Learn more at adaptivesecurity.com . Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Securing AI Use Within Your Organization Starts Here

GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm , a persistent software chain campaign targeting software developers through malicious packages and extensions. “Since at least early 2025, GlassWorm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries,” CrowdStrike said . The development comes as developers have increasingly become lucrative targets for pulling off software supply chain attacks, enabling attackers to leverage a single compromised workstation to impact thousands of downstream organizations and users at once. GlassWorm, since its emergence last year, has conducted a “multi-pronged campaign” using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX, thereby making it possible to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium.

The campaign is also known to have introduced malicious code through compromised npm and Python packages. The end goal of the attacks is to deliver a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities. Subsequent iterations of GlassWorm have been found to deploy a Websocket-based JavaScript RAT called GlassWormRAT to steal web browser data and run arbitrary code, including installing a Google Chrome extension that, in turn, collects sensitive data, including screenshots, keystrokes, and clipboard content, from the infected system. “Once active, the malware searches the host for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), enabling further compromise of repositories and package uploads,” Endor Labs researcher Kiran Raj said .

“Infected hosts are converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes (via WebRTC or spawned Node.js processes). That gives attackers anonymized network access into corporate and personal networks and a platform to propagate further.” Cumulatively, the malicious activity is said to have poisoned more than 300 GitHub repositories using stolen developer credentials. What made the operation notable was its use of four distinct C2 channels for improved resilience - Using the Solana blockchain as a dead drop resolver by storing C2 server addresses in the memo fields of blockchain transactions Querying the BitTorrent Distributed Hash Table (DHT) peer-to-peer network to retrieve configuration data Employing Google Calendar as a dead drop resolver to fetch the C2 server address from event titles Directly connecting to C2 infrastructure hosted on commercial VPS providers “The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns - a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike said. As a result of the takedown, all four channels have been neutralized simultaneously in a coordinated effort so that infected machines can no longer receive new instructions or payloads.

Describing the GlassWorm operators as “well-resourced and persistent,” the cybersecurity company attributed the activity to likely Russia-based cybercriminals given that the malware terminates execution on systems located in the Commonwealth of Independent States (CIS) countries and contains Russian-language comments. “The software supply chain remains one of the most consequential attack surfaces in modern computing,” CrowdStrike concluded. “Adversaries are turning an organization’s dependencies on tools, updates, and libraries into weaponized delivery mechanisms and force multipliers.” “The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it.

GlassWorm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

3 SOC Steps that Shut Down Incident Risks Early

Most organizations still picture cyber defense as a fortress problem: build stronger walls, add more guards, buy another detection engine. But modern incidents rarely crash through the front gate. They drift in disguised as routine activity, hide inside legitimate processes, and quietly accumulate risk long before anyone labels them an “incident.” That changes the role of the SOC entirely. The best SOCs today are not simply detecting attacks.

They are reducing the amount of uncertainty the business can accumulate. Every unidentified process, every unenriched alert, every delayed investigation becomes operational debt that compounds silently until it erupts into downtime, compliance issues, customer impact, or reputational damage. Prevention, then, is no longer about blocking everything at the perimeter. It is about shrinking the time between “something changed” and “we understand exactly what it means.” That requires three things: continuously updated visibility into emerging threats, immediate context around suspicious activity, and investigation outputs teams can act on without friction.

Here’s how mature SOCs implement those steps to shut down incident risk before it escalates into business disruption. 1. Keep Monitoring Systems Up to Date to Spot Threats Earlier Your detection capability is only as current as the threat intelligence behind it. A SIEM firing on yesterday’s IOCs is a filter with holes in it.

And adversaries know exactly where those holes are. Newly registered domains used in phishing campaigns, fresh C2 infrastructure, malware variants that dropped last week: none of that trips an alarm if your feeds haven’t caught up. ANY.RUN’s Threat Intelligence Feeds deliver a continuous, high-confidence stream of IOCs - IP addresses, domains, URLs observed in active sandbox sessions and incident investigations across more than 15,000 organizations and 600,000 SOC professionals. These aren’t recycled from third-party aggregators.

They come from real execution environments where real malware runs, every day. TI Feeds: data sources and benefits The feeds integrate directly into SIEM, firewall, EDR, and threat intelligence platforms via standard formats (STIX/TAXII, CSV, JSON), meaning your detection stack refreshes automatically without analyst intervention. This allows SOCs to: detect campaigns earlier, identify malicious infrastructure before execution spreads, reduce blind spots in monitoring pipelines, and automate detection updates without overloading analysts. Business Outcome: Keeping monitoring systems continuously updated reduces the probability of silent attacker dwell time.

That directly lowers the risk of: operational disruption, ransomware escalation, compliance failures, supply-chain propagation, and expensive incident recovery cycles. In practice, fresh intelligence turns detection systems from passive archives into active radar arrays. 2. Enrich Alerts with Complete Triage Context to Accelerate Decisions One of the biggest hidden risks inside modern SOC operations is not alert volume itself.

It is incomplete context. The question isn’t whether analysts can triage effectively, it’s whether the system is asking them to do work that could already be done before the alert hits their screen. Threat Intelligence Lookup gives analysts on-demand access to a deep, continuously updated intelligence database. Teams can quickly investigate: IPs, domains, URLs, file hashes, processes, mutexes, registry keys, and other artifacts, while immediately seeing related malware families, network behavior, execution chains, detection labels, and associated infrastructure.

Analysts receive investigation-ready context in seconds. destinationIP:”181.134.198.53” Contextual data on suspicious IP in TI Lookup This dramatically improves triage speed and confidence, especially during high-volume alert periods where rapid prioritization determines whether threats are contained early or allowed to spread. Business outcome: Alert triage time drops sharply; False positive rates fall; Tier 1 teams can handle more volume without sacrificing quality; Critical alerts get the response speed they deserve, because they’re no longer indistinguishable from noise. Prevent incidents and reduce business risks with early threat detection.

Get an exclusive 10th anniversary deal for your team. 3. Supply the Team with Response-Ready Reports to Eliminate Investigation Bottlenecks Even when a threat is identified correctly, organizations often lose valuable time translating technical findings into actionable response steps. This gap between “analysis completed” and “response initiated” creates dangerous operational lag.

Security engineers, incident responders, management teams, and compliance stakeholders all require different forms of information. If analysts must manually prepare reports for each audience, investigations slow down precisely when speed matters most. This is where automation and structured reporting become critical. Using the ANY.RUN Interactive Sandbox, analysts can safely detonate suspicious files and URLs in a live interactive environment while observing: process execution, network communications, dropped files, persistence mechanisms, command-line activity, registry changes, and attacker behavior in real time.

Sandbox malware detonation session The platform then helps transform technical analysis into response-ready outputs through: detailed Tier 1 investigation reports, AI-generated summaries, visual execution chains, IOC extraction, and structured behavioral insights. This allows both technical and non-technical stakeholders to understand the threat quickly without waiting for lengthy manual documentation. Instead of raw telemetry chaos, teams receive actionable intelligence packaged for operational response. AI Summary of a sandbox analysis Business Outcome: Response-ready reporting reduces escalation friction and accelerates coordinated action across security, IT, leadership, and compliance teams.

That leads to: faster remediation, improved cross-team communication, reduced incident handling costs, and lower probability of prolonged business disruption. In high-pressure incidents, clarity becomes a force multiplier. A good report is not paperwork. It is compressed response time.

Get ANY.RUN Special Offers Before May 31
To celebrate its 10th anniversary, ANY.RUN is rolling out special pricing for teams looking to strengthen phishing analysis, threat intelligence, and SOC response workflows. ANY.RUN special offers for stronger SOC and earlier threat visibility
Until May 31, teams can secure anniversary offers across key ANY.RUN solutions:
Interactive Sandbox
Bonus seats and exclusive pricing for teams that need in-depth malware and phishing analysis. Threat Intelligence solutions
Extra months to bring fresher intelligence into detection, investigation, and response. For SOCs, this is a good moment to expand phishing visibility, bring fresh threat intelligence into existing workflows, and improve response readiness without slowing down operations.

Get your special offer now to strengthen malware & phishing detection and help your SOC act before exposure spreads. Prevention Happens Before the Incident Gets a Name The most effective SOCs do not wait for a confirmed breach before acting decisively. They continuously: refresh detection visibility, enrich signals with context, and convert investigations into rapid operational response. Together, these three steps dramatically reduce the amount of unmanaged risk capable of accumulating inside an organization.

Using ANY.RUN solutions, SOC teams can move from reactive investigation toward proactive interruption of threats before they evolve into full-scale incidents. Because in modern cybersecurity, the real victory is often invisible: the incident that never had the chance to happen. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Gitea Vulnerability Exposes Private Container Images without Authentication

Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials. The vulnerability, tracked as CVE-2026-27771 (CVSS score: 8.2), affects all versions of Gitea prior to 1.26.2 , which addresses the issue. According to Noscope, the security defect likely impacts more than 30,000 deployments across over 30 countries and went undetected for close to four years. The vast majority of the exposures are in China, the U.S., Germany, France, and the U.K.

Affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure, and internet service providers. “On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to,” Noscope said . “Gitea’s container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public.” The U.K.-based security company also pointed out any fork of Gitea should be treated as potentially impacted by the vulnerability until it’s been independently verified by the respective maintainers. In its own testing, Forgejo has been confirmed to be impacted.

No additional technical details related to CVE-2026-27771 are currently available. In a statement shared with The Hacker News, Noscope co-founder Keval Jagani said the specifics have been intentionally held back to give the “broader Gitea ecosystem time to patch.” Gitea users are advised to update to version 1.6.2 for optimal protection. If patching is not an immediate option, a temporary workaround is to set [service].REQUIRE_SIGNIN_VIEW=true in the Gitea configuration. However, it’s worth noting that this approach isn’t ideal if some containers are meant to be intentionally exposed publicly.

(The story was updated after publication to include a response from Noscope.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

Microsoft has warned of an active cryptojacking campaign that makes use of artificial intelligence (AI) chatbot interactions as a mechanism for surfacing malicious download sites. “This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations,” Microsoft Defender Experts and the Microsoft Defender Security Research Team said in a report published Tuesday. The activity, per the tech giant, impersonates legitimate system utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear, likely in an attempt to target users who own high-performance GPUs. The idea is to focus on compromising systems with higher mining value than indiscriminately infecting a large number of machines, it added.

The goals of the campaign are not merely financially motivated. The threat actors have also been found to establish persistent remote access to compromised hosts through ScreenConnect deployments, which could then be leveraged for follow-on activity, such as data theft, lateral movement, or ransomware. The attack chain is more deliberate than other typical cryptocurrency mining efforts, strategically opting for endpoints that help maximize GPU mining yield per compromised device. The Windows maker said it detected and blocked activity associated with the campaign.

It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning. Subsequent iterations observed in April 2026 indicate that users are being directed to these sites not through search engine results, but rather via interactions with large language model (LLM)-based tools. “In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses,” Microsoft said. “While this behavior is based on observed patterns and correlated data sources, it’s consistent with emerging techniques in AI search result poisoning, representing an extension of traditional SEO poisoning beyond conventional search engines.” Each of these sites contains a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted by infrastructure associated with Dynu , a dynamic DNS provider frequently used by threat actors.

More than 150 malicious domains have been identified serving the malicious tools. The downloaded ZIP file contains a legitimate executable along with a rogue DLL (“autorun.dll”) that’s sideloaded when the binary is launched by the user. The DLL is designed to install a second malicious DLL named “vcredist_x64.dll” using “msiexec.exe.” The file is a packaged installer for ScreenConnect software. Once ScreenConnect is installed, the client continuously attempts to establish contact with an attacker-controlled server located at “193.42.11[.]108.” The ScreenConnect session then serves as a conduit for an executable called “SimpleRunPE.exe.” The binary is responsible for establishing persistence on the host using Registry Run keys and scheduled tasks, configuring Microsoft Defender exclusions, running anti-analysis checks, and employing process hollowing to launch the mining code under a trusted Microsoft-signed binary.

In select compromises, instead of relying on ScreenConnect’s file transfer functionality to drop the binary, a PowerShell script is used to fetch the binary from a remote drive, store it locally as “vlc.exe” to fly under the radar, create a scheduled task to launch it, and then delete itself. The hollowed binary, for its part, communicates with the attacker’s server, transmits extensive host information, downloads the appropriate miner archive at runtime, and executes it. Three miner programs are supported by the malware: gminer, lolMiner, and SRBMiner-MULTI. In addition, the binary recreates the persistence artifacts to ensure continued presence and re-configures Defender exclusions in the event they are removed.

It also keeps an eye out for running processes, and proceeds to immediately terminate the miner if any of the following processes are detected - taskmgr.exe (Windows Task Manager) processhacker.exe, processhacker2.exe (Process Hacker) procexp.exe, procexp64.exe (Process Explorer) systeminformer.exe (System Informer) “This combination of AI-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior,” Microsoft said. The disclosure comes days after Microsoft detailed how an unknown threat actor compromised an internet-facing F5 BIG-IP firewall appliance and abused trusted relationships to pivot to an internal Linux host, highlighting the continued exploitation of internet-facing edge appliances as initial access points. The Linux host, the company said, enabled the attacker to perform comprehensive reconnaissance and laterally move to a vulnerable Atlassian Confluence server, although attempts to execute remote code through unpatched security flaws in the software were unsuccessful. As a way of getting around these restrictions, the threat actor is said to have set up an FTP server on the initial Linux host using Python’s ftplib module to transfer a custom scanning tool to the Confluence server and then obtained credentials for subsequent authentication against Windows infrastructure.

This was followed by Kerberos relay attacks and the exploitation of CVE-2025-33073 . “From there, the threat actor compromised a vulnerable SaaS application and leveraged its credentials to conduct relay-style authentication attacks against Active Directory,” it said . “In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account. The threat actor maintained this level of access throughout the observed activity without establishing explicit persistence mechanisms, underscoring the risk posed by over-privileged identities with sudo rights.” Earlier this month, Microsoft also shed light on another intrusion in which attackers abused trusted operational relationships and authentication processes to establish durable access, leveraging a compromised third-party IT services provider and legitimate IT management tools to orchestrate a covert campaign focused on long-term access and credential theft.

“Third-party service providers and integrated management tools can become enforcement gaps when visibility is limited or validation is assumed. Threat actors understand this,” Redmond said . “They leverage legitimate components, trusted update paths, and approved integrations to anchor themselves inside environments that appear compliant on the surface.” “Defenders should adopt a posture of deliberate verification. Trust your vendors and tooling, but validate their behavior within your environment.

Organizations operating in sensitive sectors should assume that threat actors with this level of tradecraft will continue refining third party abuse, credential interception, and stealthy persistence mechanisms to maintain strategic access.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations across nine countries on four continents in the first quarter of 2026. The activity targeted industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services, per the Threat Hunter Team from Symantec and Carbon Black. Among the victims is a major South Korean electronics manufacturer, with the attackers spending a week inside its network in February 2026. Also singled as part of the sprawling espionage effort were an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial-services provider.

“The attackers relied heavily on DLL side-loading using legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to execute malicious DLLs while masquerading as benign software,” Broadcom’s cybersecurity teams said . The use of “fmapp.exe” to sideload “fmapp.dll” was previously documented by Group-IB in connection with another MuddyWater campaign codenamed Operation Olalampo . According to Huntress , the DLL contains code to connect to an attacker-controlled IP address (“157.20.182[.]49”). On the other hand, the abuse of “sentinelmemoryscanner.exe” - a binary associated with a security product - is assessed to be a deliberate choice, as it can bypass signature-based detection.

It’s designed to sideload a rogue DLL named “sentinelagentcore.dll.” Both the DLLs embed an open-source tool called ChromElevator to siphon passwords, cookies, and payment card data from Chromium-based browsers, effectively getting around App-Bound Encryption ( ABE ) protections. A noteworthy aspect of the attacks is the use of Node.js scripts to launch PowerShell code responsible for carrying out discovery and information gathering operations. In at least one instance, the attackers have been found to stage the stolen data on sendit[.]sh, a public file-transfer service. “A node.exe-based implant chain was used to drop PowerShell scripts that performed reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunnelling,” Symantec and Carbon Black said.

Also delivered are the two aforementioned DLL side-loading pairs to provide attackers with a covert tunnel to relay traffic and launch ChromElevator . The attacks are also characterized by efforts to dump credentials that would allow them to move laterally across the networks. In the intrusion targeting the South Korean electronics manufacturer, MuddyWater is believed to have repeatedly carried out PowerShell-based reconnaissance, as well as re-execute the two binaries to ensure it retains access to the compromised host. The initial access vector used to breach the organization is unknown.

“The cadence is again consistent with implant-driven activity rather than continuous operator presence,” the researchers said. “Its campaign history shows a clear move towards quieter, more disciplined operations. None of these techniques is individually novel, but in combination they provide more evidence of a significant step up in operational hygiene from the Seedworm that we knew of two or three years ago.” The development comes as the European Council imposed sanctions against Iranian company Emennet Pasargad for hacking a Swedish SMS service, accessing the contents of a French subscriber database and putting it up for sale, and for spreading disinformation via compromised advertising billboards during the 2024 Paris Olympic Games. The company, per the U.S.

State Department, goes by the name Shahid Shushtari and is affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). It’s tracked under the monikers Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866. “Shahid Shushtari members have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber-enabled information operations,” the State Department noted in December 2025.

“These campaigns have targeted multiple critical infrastructure sectors, including news, shipping, travel, energy, financial, and telecommunications in the United States, Europe, and the Middle East.” Iran-backed hackers have also been tied to an exfiltration campaign aimed at organizations in the U.S., Israel, Saudi Arabia, and Turkey between late March and early April 2026, with at least two U.S. victims also targeted by destructive operations, such as deletion of partitions and data backups. Although these incidents were claimed by a pro-Iranian persona named Ababil of Minab , a new analysis from Gambit Security has tied the campaign infrastructure to Iran’s Ministry of Intelligence and Security (MOIS). Other targets include an Israeli organization in the media sector, an Israeli higher education institution, a Turkish insurance brokerage, and several additional websites across the restaurant, culture, digital services, and news sectors.

No destructive activity has been observed against these victims. In these cases, the adversary has been found to employ a bespoke C++ file collection and exfiltration tool internally codenamed FileFiend. “The binary could enumerate local drives and SMB shares, walk the file system, and send files to a hard-coded C2 [command-and-control] server,” Gambit Security researchers Eyal Sela and Nir Varon said in a report published today. Alternatively, data of interest is compressed into RAR archives on a host inside the victim environment and uploaded to the organization’s public website at the web root, from where they are extracted using the Axel command-line download accelerator and tunneled through proxychains.

“What looked like another noisy pro-Iran persona amplifying exaggerated claims turned out to be an operation linked to Iran’s Ministry of Intelligence and Security (MOIS), with confirmed destructive impact across multiple U.S. and regional targets,” Tim Miller, Global Field CTO and chief cybersecurity strategist at Dataminr, said in a statement shared with The Hacker News. “The answer isn’t to treat every hacktivist post as a five-alarm fire - it’s to maintain continuous visibility so you can tell the difference before it’s too late.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

[THN Webinar] New AI DDoS Attacks Are Smarter. Learn How to Fight Back

Every single day, hackers are finding new ways to crash websites and steal data. But right now, something has changed. Hackers are no longer working alone. They are now using powerful Artificial Intelligence (AI) tools to make their attacks faster, stronger, and much harder to stop.

According to recent updates from The Hacker News , bad actors are using AI to find weak spots in systems and launch massive “DDoS attacks” that can take your business offline in seconds. If your website goes down, you lose money, you lose customer trust, and you spend days trying to fix the mess. 👉 Save Your Free Webinar Seat The Old Way of Protection Doesn’t Work Anymore In the past, you could set up a simple firewall, update your software, and feel safe. Not anymore.

AI-assisted attacks can think and adapt. They don’t just hit your front door; they look for hidden entry points, smart APIs, and tiny mistakes in your cloud setup. They do in minutes what used to take human hackers weeks to plan. If you are relying on old security habits, you are leaving your business exposed.

The good news? You can use AI to fight back. You just need to know the new rules of the game. What You Will Learn in This 45-Minute Webinar We are hosting a live online event to show you exactly how to protect your network from these new, fast-moving threats.

Here is a sneak peek at what we will cover: The 12-Hour Window: Why top security experts say you must patch flaws faster than ever before-and how to do it without breaking your systems. The AI Trap: The #1 mistake companies make when setting up cloud security that actually makes it easier for AI attacks to get in. The Smart Defense: How to use automated tools to spot a threat before it hits your main servers. Live Blueprint: A simple, step-by-step checklist you can give your team to secure your business this week.

Secure Your Spot for this Webinar ➜ AI security is a major topic right now, and spots are filling up very quickly. Don’t wait until your website goes offline to think about security. Sign up today, learn how to protect your digital assets, and keep your business safe. P.S.

Even if you cannot watch it live, sign up anyway! We will email you the full recording and the checklist right after the event ends. Click here to register now. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions

Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met. The vulnerability, tracked as CVE-2026-45659 , carries a CVSS score of 8.8. It has been assigned an important severity. “Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network,” Microsoft said in an advisory released last week.

Microsoft noted that the vulnerability could be triggered by any authenticated attacker, and that it does not require administrator or other elevated privileges. “In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions (PR:L), could execute code remotely on the SharePoint Server,” the Windows maker added. Microsoft credited a researcher named MEOW for discovering and reporting the flaw. Updates have been released for the following versions - SharePoint Server Subscription Edition SharePoint Server 2019 SharePoint Enterprise Server 2016 Last month, Microsoft issued fixes for a spoofing vulnerability impacting Microsoft SharePoint Server ( CVE-2026-32201 , CVSS score: 6.5) that it said has been exploited in the wild.

Although the tech giant notes that CVE-2026-45659 is less likely to be exploited, it’s essential that users apply the necessary fixes for optimal protection, particularly when considering the fact that several flaws in the collaborative platform have been repeatedly weaponized by attackers over the years. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

MFA Prompt Bombing: Why Your Second Factor Isn’t Saving You

Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn’t log in without the second factor. While that logic was sound, attackers have now figured out that they don’t need to steal the second factor: they just need the user to hand it over. If your workforce authenticates with push-based MFA, this attack is a live threat to your organization today.

Tools like Specops Secure Access are built specifically to close that gap, but before getting into the fix, it’s worth understanding how this technique works. How MFA prompt bombing works The attack requires three key elements to work: Valid account credentials, usually sourced from breached password dumps on the dark web A login portal that uses push-based MFA (such as a VPN, Microsoft 365, Okta, or Duo) A victim who is alerted every time the attacker tries the login Attackers repeatedly trigger the prompt, attempting to trick the target or wear them down to approve the request. Sometimes, attackers will pair prompt bombing with a vishing call pretending to be from IT, where they will try to socially engineer the target. The danger is that these methods only need to work once.

If the prompt is approved, the attacker is logged in as that user. Security systems typically won’t be alerted, as the login looks entirely legitimate. The Cisco breach The 2022 Cisco breach is a key example of how effective this technique is against even mature security programs. An attacker linked to the Yanluowang ransomware group compromised a Cisco employee’s personal Google account, which was syncing browser-stored credentials, including the employee’s Cisco VPN password.

From there, the attacker pushed MFA prompts to the employee’s phone. That initially didn’t work, so they began using vishing calls posing as trusted support organizations, speaking in various accents, and eventually convincing the employee to accept a push notification. Once accepted, the attacker had VPN access as the employee. They then enrolled their own devices for MFA to maintain persistence, escalated to administrative privileges, reached Citrix servers and domain controllers, and exfiltrated around 2.8GB of data before being evicted.

The fact that prompt bombing worked against a company like Cisco, which is far from having a weak security posture, highlights just how dangerous and effective the attack has become. Why push MFA doesn’t eliminate risk The issue with push-based MFA is that users are asked to approve or deny a login with very little to go on. There’s no clear indication of where the request originated, what device is being used, or whether the login attempt was initiated by the user at all. In isolation, that might be manageable.

But when prompts start arriving repeatedly, it’s easy to assume something’s misfiring rather than recognizing it as a potential attack. If that’s paired with a well-timed phone call from someone posing as IT support, the situation becomes even harder to assess. At that point, the user isn’t acting carelessly, but responding to a scenario designed to feel routine and legitimate, using credentials the attacker already has. 3 ways organizations can prevent prompt bombing 1.

Use fatigue and phishing-resistant MFA factors Push notifications are the weakest common form of MFA. Phishing-resistant factors such as FIDO2 security keys, hardware tokens like YubiKey, or number-matching codes from authenticator apps are harder to abuse. Specops Secure Access supports more than 15 identity providers and includes these fatigue-resistant options for Windows logon, RDP, and VPN connections, so organizations can retire push-only MFA for high-risk access points. Specops Secure Access 2.

Block compromised passwords at the source Prompt bombing is only made possible when the attacker already has a valid password. Scanning Active Directory (AD) continuously against a live database of breached passwords, and forcing a reset when a match appears, removes the fuel for the attack. Relying on default AD password policies won’t catch reused, incremental, or breached passwords. If you don’t know where you stand today, Specops Password Auditor is a free, read-only scan of your AD that flags vulnerabilities like compromised passwords or inactive admin accounts.

Specops Password Auditor

  1. Add risk signals to the login Conditional access policies that factor in geography, device posture, and login times can block or step up authentication before a prompt is ever sent to the user’s phone. This reduces reliance on user behaviour alone and introduces real-time context to stop suspicious logins before they escalate into successful account compromise. MFA still matters MFA prompt bombing isn’t a reason to move away from MFA, but it does highlight where some factors fall short.

When approval requests can be triggered repeatedly with no meaningful context, the control becomes easier to influence than intended. If push is still your default second factor, it’s worth revisiting that decision. Number matching or phishing-resistant methods strengthen the MFA method itself, while scanning for compromised passwords limits the risk of attackers possessing the first authentication step. If you’re looking to evolve your identity security with more robust MFA, talk to Specops .

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where “feasible” to safeguard against potential threats stemming from threat actors’ abuse of artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability discovery and exploitation, and enhance the scale and velocity of cyber attacks. “AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems,” CERT-In said in a 38-page blueprint published Monday. “As organizations become increasingly dependent on interconnected digital infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, the potential impact of AI-enabled cyber threats continues to increase across sectors.” With threat actors beginning to increasingly rely on AI for a wide range of tasks, including attack surface discovery, exploit analysis, convincing phishing content, and even malware generation, they can significantly compress attack preparation timelines and bypass traditional security controls. Furthermore, AI-enabled systems may themselves become targets of malicious attacks via prompt injections, data leakage vulnerabilities, jailbreaking techniques, model manipulation, training data poisoning, model theft, and orchestration pipeline compromises, effectively undermining their confidentiality and integrity.

CERT-In has warned that organizations should expect exploitation timelines to collapse significantly and attacks to become autonomous, necessitating the need for adopting heightened cybersecurity measures that involve continuous threat assessment, proactive exposure reduction, and operational preparedness. Some of the defensive principles outlined by the cybersecurity agency to reduce exposure and better respond to AI-assisted cyber threats are listed below - Assume breach and prepare for rapid detection, containment, and recovery from compromise scenarios. Adopt a Zero Trust approach by enforcing continuous verification and least-privilege access. Implement a defense-in-depth strategy with layered controls across infrastructure to eliminate single points of failure and minimize the overall impact of a successful breach.

Monitor and reduce exposure to security vulnerabilities. Embed a secure-by-design paradigm into systems, applications, and AI workflows. Maintain operational continuity during cyber incidents and disruption scenarios. Safeguard sensitive and operationally critical data throughout its lifecycle.

Reduce software supply chain risks arising from third-party software, AI models, and dependencies through SBOM, provenance validation, and assessments. Test security effectiveness against evolving threats through red teaming, vulnerability assessments, penetration testing, and independent audits. Prioritize controls based on operational criticality and threat exposure. Establish formal governance mechanisms regarding the use of AI systems.

Maintain visibility into AI systems, integrations, and operational behavior. “Organizations should implement layered, risk-based, and continuously validated technical controls to reduce exposure to AI-assisted cyber threats,” CERT-In said. “Controls should prioritise protection of internet-facing systems, critical business applications, identities, cloud environments, APIs, sensitive data, AI-enabled systems, and operational infrastructure.” The agency is also urging organizations to embrace “continuous, risk-based vulnerability and patch management practices” to reduce exposure arising from security flaws, misconfigurations, insecure APIs, publicly-accessible services, and weak identities. To that end, known exploited vulnerabilities affecting internet-facing and critical systems should be remediated within 12 hours where applicable.

Other risk-based remediation times are as follows - Critical externally exposed vulnerabilities: Within 1 day Known exploited vulnerabilities affecting internal systems: Within 1 day unless other mitigations are implemented and documented Critical internal vulnerabilities affecting high-value systems: Within 3 days High-severity vulnerabilities: Within 5 days based on risk prioritization In scenarios where no patches are immediately available, it’s advised to implement temporary mitigations such as isolation, access restriction, WAF/API protection, enhanced monitoring, or feature disablement until the fix is released. “Given the rapidly evolving nature of AI-assisted cyber threats, organisations should continuously reassess exposure, validate security controls, strengthen resilience capabilities, and enhance operational preparedness through ongoing audits, monitoring, testing, and coordinated cybersecurity governance,” CERT-In said. The blueprint arrives a month after CERT-In released an advisory warning of the growing cyber capabilities of frontier AI models from Anthropic and OpenAI , stating how their “dual-use nature” could “lower the barrier to entry for malicious cyber actors and be leveraged to accelerate attack execution, automate exploitation workflows and scale cyber campaigns.” “Keeping pace with frontier AI-driven cyber developments is critical for maintaining cyber resilience,” it added. “Baseline cybersecurity controls remain critical and should be rigorously enforced.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.