惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
Google Online Security Blog
Google Online Security Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
T
Threat Research - Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
Schneier on Security
Schneier on Security
S
Schneier on Security
T
Tor Project blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
The Hacker News
The Hacker News
Hacker News - Newest:
Hacker News - Newest: "LLM"
罗磊的独立博客
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
雷峰网
雷峰网
S
Security @ Cisco Blogs
PCI Perspectives
PCI Perspectives
Spread Privacy
Spread Privacy
W
WeLiveSecurity
SecWiki News
SecWiki News
A
About on SuperTechFans
H
Help Net Security
博客园 - 司徒正美
Recent Commits to openclaw:main
Recent Commits to openclaw:main
爱范儿
爱范儿
S
Securelist
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
月光博客
月光博客
Jina AI
Jina AI
博客园 - 叶小钗
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
Recent Announcements
Recent Announcements
S
Secure Thoughts
The Cloudflare Blog
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Smooth criminals talking their way into cloud environments, Google says
2026-03-23 · via The Register - Security: Research

RSAC 2026 Voice phishing surged last year to become the second most common method used by cybercriminals to gain initial access to their victims' IT estate – and the No. 1 tactic used when breaking into cloud environments.

Groups like ShinyHunters and Scattered Lapsus$ Hunters increasingly used this and other types of interactive social engineering tactics that involve a human steering the conversation in real time in their 2025 attacks, according to Jurgen Kutscher, VP of Mandiant Consulting at Google Cloud.

"It's the interactive ones, the voice based ones, that are really creating a new challenge," he told The Register in an interview about the security shop's annual M-Trends report, based on data collected from Mandiant's more than 500,000 hours of incident response engagements conducted around the world last year.

The report found attackers used voice-based phishing as the initial infection vector in 11 percent of attacks last year, making it the second-most common method of gaining illicit access to systems. Exploiting vulnerabilities topped the charts for a sixth year, accounting for 32 percent of successful attacks.

Non-interactive lures like phishing emails, however, declined, at just six percent of 2025 intrusions.

"What we've seen in 2025 is certain threat actors calling IT help desks to, for example, register attacker-controlled devices for MFA to try and reset passwords," Kutscher said. "They're building a number of different scenarios to trick IT help desks, and an IT help desk, by default, tries to help. That's part of the reason why the social engineering attacks that are interactive are so powerful."

Don't click the 'fix'

Scammers aren't only targeting IT help desks with interactive social engineering scams, as Google – along with other security researchers – also documented a spike in ClickFix attacks over the past year as well.

ClickFix is an extremely popular social engineering tactic in which the attackers trick the users into running malicious commands on their own computers, usually by clicking a fake computer problem fix or an I-am-not-a-robot prompt.

Google's threat-intelligence arm documented "dozens" of criminals using this technique last year, and especially threat clusters focused on widespread initial access operations.

"We see the threat actors being extremely creative in these types of attacks," Kutscher said. "And they're doing this by directly establishing interactive contact with victims, which is a new level of sophistication. But the return clearly justifies the investment."

Extreme timelines

Another trend highlighted in the 102-page report involves "extremes" in the attackers' timelines, according to Kutscher.

Mandiant's investigations show an increasing number of what it calls "hand-offs," where one individual or crew gains initial access, and then they hand-off that access to a second threat group – typically a ransomware or data theft and extortion gang. Oftentimes this hand-off happens in under 30 seconds.

"And then on the other end of the spectrum, you have, this extreme level of sophistication of stealth that threat actors have gained" that allows them to remain hidden in victims' environments without being detected, sometimes for hundreds of days, Kutscher said.

Attackers on this end of the spectrum – typically espionage groups and North Korean scam IT workers – do this by targeting network edge devices like firewalls, routers, and VPNs, generally by exploiting zero-day bugs. Operators of edge devices don't often protect them with endpoint security products, so attacks running the machines often evade defenders. Miscreants can therefore stay hidden while they go about their evil business.

Kutscher calls this trend "living on the edge," and first started talking about it two years ago. "What is interesting is the evolution of how they're leveraging these edge devices," he told us.

Miscreants are no longer just using the edge device for access into IT environments. "Now they're also leveraging the core functionalities available on these edge devices, and living on these edge devices, intercepting network traffic, being able to intercept clear-text passwords, etc," Kutscher said.

In some cases, this means the attackers don't even need to move onto the internal network because they are able to steal secrets and other sensitive data from the edge device itself.

"That is an extremely powerful persistence mechanism, and why we've seen now some threat actors with dwell times of 400 days, and the median dwell time going from 11 to 14 days," Kutscher said.

Remember Brickstorm?

Mandiant investigated "numerous" incidents in 2025 in which a suspected Chinese government spy crew tracked as UNC6201 broke into edge devices that didn't support endpoint security products, deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance. The snoops then used these credentials to access victims' VMware environments.

They remained undetected, on average, for 393 days.

These scenarios challenge network infosec teams. The exceedingly short hand-off time from initial access to ransomware infections, for example, means defenders must "operate at machine speed," Kutscher said. "When an attack life cycle takes place in seconds, human speed is probably not going to be sufficient to stop these types of attacks."

Of course, Google, a security and AI vendor, has a whole suite of products it would like to sell you to help with that.

"You also have to realize that a low-impact incident may turn into a high-impact incident within seconds," Kutscher said. "From an investigative perspective, you can no longer just classify something as low-impact and dismiss it for later. You have to look at all of these events and understand what could be a stage-one attack and could lead to a potential catastrophic consequence for the enterprise." ®