CIA director quietly elevated agency’s cyber espionage division
Claude Mythos: kept secret because it is too good at finding vulnerabilities
Anthropic's announcement would look like a marketing stunt, were it not for the fact that, for now, they have actually decided not to sell the service based on their latest model, Claude Mythos Preview. The company has decided to restrict access to Claude Mythos Preview to a small consortium of companies and organizations, in an attempt to anticipate …
Is a $30,000 GPU Good at Password Cracking?
A $30,000 AI GPU doesn't outperform consumer GPUs at password cracking. Specops explains why attackers don't need exotic hardware to break weak passwords.
Remote Support to Ransomware Foothold: Stopping a Pre-Ransomware…
This is the story of an intrusion that moved from initial access to credential harvesting in a single session, and how Binary Defense stopped it before ransomware was ever deployed. What began as a routine endpoint alert escalated into a multi-host compromise involving unauthorized remote access, privilege escalation attempts, and credential harvesting activity. The attacker leveraged a legitimate remote support platform to blend into normal operations, deployed secondary access tooling, and attempted to stage credential dumping utilities, including NetExec (nxc) with LSASS-focused capabilities.

While no ransomware was ultimately deployed, the observed behavior strongly aligned with pre-ransomware tradecraft, including:
- Establishment of persistent remote access
- Internal reconnaissance and security tool enumeration
- Local administrator creation attempts
- Credential access preparation via LSASS tooling

Binary Defense identified the activity early, escalated within minutes, and coordinated containment actions that prevented lateral movement and potential ransomware deployment.

Initial Access
In this case, the intrusion originated from the compromise of an internet-facing SimpleHelp technician account, providing the attacker with authenticated access to a legitimate remote support platform.

Secondary Remote Access via MeshCentral
- Installed via mac.exe --fullinstall
- Deployed MeshAgent.exe
- Created scheduled task (MeshUserTask)
- Established outbound communication to attacker-controlled infrastructure

This provided a redundant access channel, or better put, insurance against losing the compromised SimpleHelp account if it was discovered and revoked.

Local Administrative Account Creation
The attacker attempted to create a local account (support) and add it to the Administrators group:

    net user support /add
    net localgroup administrators support /add

Two independent footholds, both established before any significant movement.

Same Playbook, New Hosts
While Binary Defense was coordinating with the client on response, the attacker used their access via the compromised SimpleHelp account to reach additional systems.

The Inflection Point
Following persistence and discovery, the attacker attempted to transition into credential access by deploying nxc.exe, identified as NetExec with LSASS-focused capabilities. At this stage, Binary Defense had observed the intrusion progress through access, persistence, and discovery and was confident the full attack path was understood, enabling targeted containment actions that removed the attacker's access entirely.

Remote access turned into persistence within minutes. Discovery moved directly toward credential access. The attacker had access, persistence, and a solid understanding of the environment.

| Phase | Behavior | Detection Opportunity |
|---|---|---|
| Initial Access | Authenticated RMM access from unusual source or off-hours | Baseline normal authentication patterns; alert on anomalous source geography or login time |
| Persistence | MeshCentral installation via command line (mac.exe --fullinstall) | Alert on installation of unapproved RMM tooling; monitor for MeshAgent.exe process creation |
| Persistence | Scheduled task creation for MeshUserTask | Monitor scheduled task creation (Event ID 4698) for non-standard task names |
| Persistence | New local account creation followed immediately by admin group addition | Alert on net user /add and net localgroup administrators executed in close sequence |
| Discovery | wmic AntiVirusProduct query | Flag AV enumeration queries, particularly when preceded by a remote session |
| Discovery | nltest /dclist outside of known admin tooling | Alert on domain controller enumeration from non-standard processes or user accounts |
| Lateral Movement | Repeated persistence sequence across multiple hosts in a single session window | Correlate MeshAgent installations and local account creation events across hosts |
| Privilege Escalation | nxc.exe / NetExec execution targeting LSASS | Block or alert on LSASS-targeting credential dumping tools; monitor for NetExec process patterns |

Broader recommendation: Invest in behavioral correlation across the persistence ph
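As an added example, not code from the Binary Defense write-up, the script below runs the correlation rules from the detection table over a handful of constructed Windows events: process-creation records (Event ID 4688, carrying the command line) and scheduled-task records (Event ID 4698, carrying the task name). Host names, account names, timestamps and command lines are made up for illustration, the events are simplified to tuples rather than full event XML, and the 10-minute sequence window and 60-minute session window are assumed values, not figures from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not logs from the incident: process creation
# (Event ID 4688, detail = command line) and scheduled-task creation
# (Event ID 4698, detail = task name). Hosts, accounts and times are made up.
SAMPLE_EVENTS = [
    ("2026-04-10 02:03:10", "WS01", 4688, "helpdesk", r"C:\Users\helpdesk\mac.exe --fullinstall"),
    ("2026-04-10 02:03:16", "WS01", 4698, "SYSTEM", "MeshUserTask"),
    ("2026-04-10 02:04:02", "WS01", 4688, "helpdesk", "net user support /add"),
    ("2026-04-10 02:04:05", "WS01", 4688, "helpdesk", "net localgroup administrators support /add"),
    ("2026-04-10 02:05:30", "WS01", 4688, "helpdesk", r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("2026-04-10 02:06:01", "WS01", 4688, "helpdesk", "nltest /dclist:corp"),
    ("2026-04-10 02:21:40", "SRV02", 4688, "helpdesk", r"C:\Temp\mac.exe --fullinstall"),
    ("2026-04-10 02:21:45", "SRV02", 4698, "SYSTEM", "MeshUserTask"),
    ("2026-04-10 02:22:10", "SRV02", 4688, "helpdesk", "net user support /add"),
    ("2026-04-10 02:22:12", "SRV02", 4688, "helpdesk", "net localgroup administrators support /add"),
    ("2026-04-10 02:40:00", "SRV02", 4688, "helpdesk", r"C:\Temp\nxc.exe smb 10.0.0.0/24 -u support -p Spring2026 -M lsassy"),
    # Benign noise: a service account created in business hours, never added
    # to Administrators, on a host with no remote-support tooling.
    ("2026-04-10 09:15:00", "WS07", 4688, "itadmin", "net user svc_backup /add"),
]

# (tag, event id, regex over the lower-cased detail); group 1, where present,
# captures the account name so creation and group addition can be matched up.
PATTERNS = [
    ("rmm_install", 4688, r"mac\.exe\s+--fullinstall|meshagent\.exe"),
    ("mesh_task", 4698, r"^meshusertask$"),
    ("user_add", 4688, r"(?:^|\\)net1?(?:\.exe)?\s+user\s+(\S+)\s+/add"),
    ("admin_add", 4688, r"(?:^|\\)net1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add"),
    ("av_enum", 4688, r"\bwmic\b.*antivirusproduct"),
    ("dc_enum", 4688, r"\bnltest(?:\.exe)?\s+/dclist"),
    ("lsass_tooling", 4688, r"(?:^|[\\/\s])nxc(?:\.exe)?\b|netexec"),
]


def tag(event):
    """Map one event to {tag: captured account or None}; empty dict if benign."""
    _, _, event_id, _, detail = event
    text = detail.strip().lower()
    hits = {}
    for name, eid, pattern in PATTERNS:
        if event_id == eid:
            m = re.search(pattern, text)
            if m:
                hits[name] = m.group(1) if m.groups() else None
    return hits


def correlate(events, window_minutes=10, session_minutes=60):
    """Return (host, rule, datetime) findings for the persistence sequence."""
    window, session = timedelta(minutes=window_minutes), timedelta(minutes=session_minutes)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_host[ev[1]].append((datetime.strptime(ev[0], "%Y-%m-%d %H:%M:%S"), tag(ev)))

    findings, foothold_at = [], {}  # foothold_at: host -> first persistence hit

    def note(host, rule, ts, foothold=False):
        findings.append((host, rule, ts))
        if foothold:
            foothold_at.setdefault(host, ts)

    for host, evs in by_host.items():
        for i, (ts, tags) in enumerate(evs):
            later = [g for t2, g in evs[i + 1:] if t2 - ts <= window]
            # Rule 1: MeshCentral installer followed by its scheduled task.
            if "rmm_install" in tags and any("mesh_task" in g for g in later):
                note(host, "rmm_persistence", ts, foothold=True)
            # Rule 2: net user /add then net localgroup administrators, same account.
            acct = tags.get("user_add")
            if acct and any(g.get("admin_add") == acct for g in later):
                note(host, "local_admin_creation", ts, foothold=True)
            # Rule 3: AV or DC enumeration only once a foothold exists on this host,
            # which keeps routine admin use of wmic/nltest out of the alert queue.
            if ("av_enum" in tags or "dc_enum" in tags) and host in foothold_at:
                note(host, "post_foothold_discovery", ts)
            # Rule 4: LSASS-targeting credential tooling is flagged unconditionally.
            if "lsass_tooling" in tags:
                note(host, "lsass_credential_tooling", ts)

    # Rule 5: the same persistence playbook on several hosts inside one session window.
    hosts = sorted(foothold_at, key=foothold_at.get)
    if len(hosts) >= 2 and foothold_at[hosts[-1]] - foothold_at[hosts[0]] <= session:
        note(",".join(hosts), "same_playbook_multiple_hosts", foothold_at[hosts[-1]])
    return findings


def summarize(findings):
    """Collapse findings to {host: sorted unique rule names} for triage."""
    per_host = defaultdict(set)
    for host, rule, _ in findings:
        per_host[host].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, rule, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S}  {host:<12} {rule}")
```

Run as-is, the script flags both hosts for the MeshCentral-plus-scheduled-task pair and the account-creation-plus-admin-group pair, flags the wmic and nltest activity on WS01 only because a foothold already existed there, flags the nxc.exe execution on SRV02, and raises one cross-host finding because both footholds landed within the session window. The lone "net user svc_backup /add" on WS07 produces nothing, which is the point of correlating the sequence rather than alerting on each command.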
Dual-Brain Architecture: The Cybersecurity AI Innovation That Changes Everything
Here's how an agentic AI architecture powers dual-brain cybersecurity with predictive insights, autonomous response, and real-time threat defense.
Phishing against Microsoft via the device code flow. Automation and AI amplify its spread. Impact on the Italian public administration
What artificial intelligence does in war
Palantir's Maven, ChatGPT, Claude and the others: how language models are used in warfare, how they differ from predictive systems, and the limits and critical issues of the military use of artificial intelligence
Building Phishing Detection That Works: 3 Steps for CISOs
Learn 3 practical steps CISOs can use to strengthen phishing detection across monitoring, triage, and response to reduce risk and improve SOC performance.
New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”
Critical Flowise RCE Vulnerability Actively Exploited, Thousands of Systems at Risk
Flowise RCE vulnerability CVE-2025-59528 is exploited to execute arbitrary code, putting thousands of exposed instances at risk.
Financial cyberthreats in 2025 and the outlook for 2026
In this report, Kaspersky experts share their insights into the 2025 financial threat landscape, including regional statistics and trends in phishing, PC malware, and infostealers.
Stolen credentials: sky-high prices on the black market for privileged cloud access
Cybersecurity 360 is Digital360's editorial outlet, with in-depth analyses, guides and case studies on cybersecurity and cybercrime. Find out how to protect your company's data.
Gov. Tim Walz Deploys National Guard After Winona Cyberattack Disrupts Services
The latest Winona County cyberattack comes as an update to a ransomware incident the county first reported in January 2026.
Analysis of cifrat: could this be an evolution of a mobile RAT?
CERT Polska analyzed a Booking-themed Android malware chain delivered through phishing and a fake update website. The sample is a multistage dropper that installs a hidden, accessibility-controlled RAT with WebSocket C2.
Agentic AI & cyber security: where we stand and what lies ahead
Agentic AI is redefining the cyber security landscape, introducing new opportunities that require rethinking how to protect artificial intelligence itself, while also offering the keys to tackling these challenges
Cyber Saga: In the Footsteps of the DPRK IT Workers
FBI Takes Down APT28 Network Behind Global DNS Hijacking Attacks
APT28 used DNS hijacking and adversary-in-the-middle attacks. FBI disrupts router network targeting Outlook and stealing credentials globally.
Microsoft rolls out fix for broken Windows Start Menu search
Microsoft has pushed a server-side fix for a known issue that broke the Windows Start Menu search feature on some Windows 11 23H2 devices.
Iran-Linked Hackers Breach U.S. Industrial Systems, Trigger Disruptions
Campaigns like the Iranian-affiliated APT's targeting of PLCs are likely to continue, and could become more disruptive over time.
Researchers Find a Zero-Day Attack Targeting Adobe Reader Users
A newly uncovered zero-day attack targeting Adobe Reader has raised alarms across enterprise security teams, as researchers identified an exploit chain that
My Lovely AI - 106,271 breached accounts
In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames.
Hackers exploit critical flaw in Ninja Forms WordPress plugin
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution.
FBI, Pentagon warn of Iran hacking groups targeting operational technology
FBI: Americans lost a record $21 billion to cybercrime last year
U.S. victims lost nearly $21 billion to cyber-enabled crimes last year, driven primarily by investment scams, business email compromise, tech support fraud, and data breaches, the Federal Bureau of Investigation says.
Snowflake customers hit in data theft attacks after SaaS integrator breach
Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen.
US warns of Iranian hackers targeting critical infrastructure
Iranian-linked hackers are targeting Internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on the networks of U.S. critical infrastructure organizations.
APT28 hits routers to hijack DNS and steal credentials
According to an analysis published by the UK's National Cyber Security Centre and supported by data from Microsoft Threat Intelligence, the APT28 group continues to compromise home and small-office routers to manipulate DNS and intercept sensitive credentials, using seemingly innocuous network infrastructure as a springboard toward more valuable targets. The campaign, attributed to the collective known …
Russian government hackers broke into thousands of home routers to steal passwords
Fancy Bear, also known as APT28, has taken over thousands of residential home routers to steal passwords and authentication tokens in a wide-ranging espionage operation.
Max severity Flowise RCE vulnerability now exploited in attacks
Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code.
Russia Hacked Routers to Steal Microsoft Office Tokens
Hackers linked to Russia's military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens…