惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
MyScale Blog
MyScale Blog
Jina AI
Jina AI
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
Intezer
The Cloudflare Blog
T
Threat Research - Cisco Blogs
G
Google Developers Blog
Stack Overflow Blog
Stack Overflow Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Docker
AI
AI
Scott Helme
Scott Helme
Attack and Defense Labs
Attack and Defense Labs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
Recent Announcements
Recent Announcements
Security Latest
Security Latest
Hugging Face - Blog
Hugging Face - Blog
W
WeLiveSecurity
Last Week in AI
Last Week in AI
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
S
Securelist
S
Security Affairs
Project Zero
Project Zero
博客园 - 叶小钗
Google DeepMind News
Google DeepMind News
T
Tor Project blog
A
About on SuperTechFans
V2EX - 技术
V2EX - 技术
宝玉的分享
宝玉的分享
T
Tenable Blog
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
Simon Willison's Weblog
Simon Willison's Weblog
Forbes - Security
Forbes - Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
V2EX
AWS News Blog
AWS News Blog
The GitHub Blog
The GitHub Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Privacy & Cybersecurity Law Blog
阮一峰的网络日志
阮一峰的网络日志
I
InfoQ
C
CXSECURITY Database RSS Feed - CXSecurity.com
H
Hacker News: Front Page
美团技术团队

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Beijing's RedNovember hacked critical US, global orgs
Jessica Lyons Jessica Lyons · 2025-09-27 · via The Register - Security: Research

RedNovember, a Chinese state-sponsored cyberspy group, targeted government and critical private-sector networks around the globe between June 2024 and July 2025, exploiting buggy internet-facing appliances to deploy a Go-based backdoor called Pantegana and other offensive security tools, including Cobalt Strike and SparkRAT.

This information comes via a threat report from Recorded Future's Insikt Group researchers, who previously tracked the crew as TAG-100, and noted that the Chinese snoops overlap with a group that Microsoft tracks as Storm-2077.

The report also follows a slew of other government-spies-on-the-networks warnings issued this week from government officials and private security firms alike.

RedNovember's victims span multiple sectors, but primarily center around aerospace and defense, government, and professional services companies. Its most recent campaign includes an April reconnaissance mission focused on two American oil and gas companies.

"Between H2 2024 and H2 2025, RedNovember compromised, targeted, and reconnoitered organizations on a global scale," the security analysts wrote. "In particular, RedNovember heavily targeted organizations in the US, Taiwan, and South Korea, and, in April 2025, it focused its reconnaissance on over 30 Panamanian government organizations." 

Wait . . . why are they attacking Panama?!

This heavy concentration on Panamanian government agencies in April isn't random.

"The timing of the observed reconnaissance closely followed US Defense Secretary Pete Hegseth's visit to Panama in early April 2025, and may have been triggered at least in part by several remarks made by US President Donald Trump during January and February 2025 that suggested US interest in asserting control over the Panama Canal," according to the report. 

The Chinese have been colonizing wide swaths of Western cyberspace for years

On April 9, 2025, Secretary Hegseth announced an "expanded partnership" with Panama to secure the canal and counter "China's maligned influence" in the region.

Shortly after, the roughly $23 billion sale of a majority stake in Hong Kong-based CK Hutchison’s ports business, including two Panama Canal terminals, to a BlackRock-led consortium was reportedly delayed under pressure from China.

Also between June 2024 and July 2025, the Chinese government spies targeted 28 US organizations with a particular focus on "prominent aerospace and defense organizations," scanning for open ports - although the threat hunters concluded "there was no evidence to suggest a successful compromise or exploitation took place against these entities."

The attempted break-ins do, however, illustrate how RedNovember has expanded its targeting to include the US defense industrial base and other global defense organizations, they note.

The report documents RedNovember targeting 11 organizations in Japan, seven in the UK, six each in Germany and Brazil, five each in Taiwan, South Korea, and Portugal, three in Italy, two each in Canada, Indonesia, Cambodia, and Argentina, one each in Vietnam and Tajikistan, and 13 in “other” regions.

However, as Recorded Future senior director of strategic intelligence Jonathan Condra told The Register, these are only targets that Insikt Group observed.

"This does not imply that all targeted entities were compromised," Condra said. "Additionally, it is likely that RedNovember's activity was broader than what Insikt Group was able to observe based on its visibility and collection."

Edge devices: the gift (to snoops) that keeps on giving

In April, the crew started abusing Ivanti Connect Secure (ICS) VPN devices, targeting a "specialized US engineering and military contractor," a "higher education institution associated with the US Navy," and a "major American newspaper." While the researchers said there was no evidence of compromise at the first two orgs, it's unclear from the report if they successfully broke into the news outlet.

And while Insikt Group doesn't indicate which Ivanti CVE RedNovember used, also in early April, both the US government and private-sector researchers warned that suspected Chinese spies had been exploiting a couple of critical bugs (CVE-2025-22457 and CVE-2025-0282) in these Ivanti VPN appliances.

RedNovember also targeted SonicWall VPN devices in March belonging to an American law firm, a European engine manufacturer, a UK-based defense contractor, and another UK company that provided bespoke cable harnessing, including for aerospace, military and defense, and medical applications.

The threat hunters observed that, in addition to abusing buggy Ivanti and SonicWall gear, RedNovember was poking around, "and likely compromising" other products, including Cisco Adaptive Security Appliance (ASA), F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, Fortinet FortiGate instances, and Outlook Web Access (OWA) instances.

Cobalt Strike for the win

After they gained initial access, RedNovember deployed malware including the Pantegana backdoor and SparkRAT remote access tool, both written in open-source Go and working across different operating systems. They used Cobalt Strike, a legitimate pen-testing tool, which has since become the "tool of choice" for cybercriminals and nation-state attackers, including those from China.

"The Chinese have been colonizing wide swaths of Western cyberspace for years," cybercrime expert and HITRUST VP Cyber Risk Tom Kellermann told The Register. "The RedNovember campaign mimics the types of campaigns leveraged by traditional penetration testers by using prolific tools like Cobalt Strike to infest various networks around the world."

These attacks necessitate better threat hunting by government agencies "to suppress these backdoors across their networks and supply chains immediately," he added.

Don't forget ArcaneDoor or UNC5221

This report comes as authorities in the US and UK, along with Cisco, warn that an unnamed "advanced threat actor" has been exploiting the networking giant's firewalls since at least November. 

On Thursday, America's lead cyber-defense agency gave federal agencies just 24 hours to identify affected Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, check logs for compromises, and apply patches to CVE-2025-20333 and CVE-2025-20362.

"This campaign is assessed to be connected to the ArcaneDoor activity identified in early 2024," Chris Butera, acting deputy executive assistant director for cybersecurity at CISA, said during a call with reporters on Thursday. 

The attackers abused these security flaws to modify read-only memory (ROM), thus allowing persistent access even after reboots and software upgrades, according to both Cisco and CISA. 

"The ROM modification is assessed to have begun as early as November 2024 if not earlier," Butera said. 

CISA tracks the ArcaneDoor malicious activity as separate from the RedNovember attacks, as well as another series of suspected Chinese spy intrusions that Google unveiled earlier this week and attributed to a group it tracks as UNC5221

ArcaneDoor first came to light in April 2024, when Cisco patched two zero-day flaws in ASA and FTD firewalls that had already been exploited to break into government and telecom networks. Cisco pinned the activity on a threat crew it dubbed UAT4356.

Cisco, at the time, refused to attribute this malicious activity to a specific country - such as Russia or China. And when asked about the latest round of ArcaneDoor-related intrusions, neither Cisco nor CISA would pin the blame on a particular government-backed goon squad.

"We will continue to work with federal partners and industry partners, but we are not focused on attribution at this time," Butera said. 

"We attribute these attacks to the same state-sponsored threat actor behind the ArcaneDoor campaign reported in early 2024," a Cisco spokesperson told The Weekly on Friday. "We strongly recommend that Cisco customers upgrade their devices to the available fixed software and follow guidance in the security advisories outlined on our Event Response Page and in the Cisco Talos blog post." ®