@kkarhan@SecureOwl I had to dig up this 2008 WaPo story from Archive since WaPo nuked all my blog posts from their site. It's about @chetfaliszek, the guy who registered donotreply.com.
ZOMG! It's freakin Patch Tuesday again. And Microsoft has patched a staggering 167 security holes (think more people are using AI to find bugs, maybe?)
tl;dr: There's something for everyone today, like an Adobe Reader 0day that's apparently been exploited since at least November 2025; a SharePoint zero-day; and a fix for BlueHammer -- a Windows Defender bug for which there is working exploit code that no longer works if you install today's Windows updates (as per @wdormann).
New, from me: Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.
@heidilifeldman The most corrupt everything all the time. Your own personal lawyer as the AG? Are you freaking high? Sure, no conflict there at all. Every single attorney associated with this administration should be facing disbarment proceedings like yesterday.
The POTUS' war on Iran is already bringing rationing of fuel and major disruptions in many countries, and it's going to get a lot worse soon as the final shipments that made it through the Strait start to arrive this week, the NYT reports. I admire (but do not share) this story's optimism of the potential for the Iran war to hasten more global adoption of renewables.
"Sri Lanka and Myanmar are rationing fuel. The Philippines has instituted four-day workweeks to conserve gasoline and electricity. Bangladesh briefly closed its universities to reserve power for homes and businesses. Across India, families and restaurants are cooking over wood fires for want of gas. Airlines are canceling flights."
"As painful as the first phase of the energy crisis set off by the war with Iran has been, what comes next will be worse. This week, the final deliveries of oil and liquefied natural gas to Asia that passed through the Strait of Hormuz before it was closed are expected to arrive. The last tanker shipments to Europe should land by mid-April. After that, many countries’ reserves of gasoline, diesel, liquid petroleum gas and natural gas will dwindle. The price of oil could soar as high as $200 a barrel if the war drags on."
Meanwhile, China -- which leads the world in battery technology production -- stands to massively gain from all this oil shock.
"As the Philippines declared a national energy emergency on March 24, car shoppers in Manila were crowding into showrooms of the Chinese carmaker BYD and purchasing E.V.s."
Of course, here in the US we've largely said that we're just gonna keep making gas guzzlers and forget about all those pledges we made to invest in electric vehicles. Consumers in the US would be flocking to those BYD cars too if import duties didn't make them prohibitively expensive. Most of the big car makers in the US are hopelessly focused on people who don't bat an eyelash spending $60,000 (base price) for a new car or truck.
Whoa, that escalated quickly. This just got sent out by the press folks at the Federal Communications Commission (FCC). The FCC says it has decided that all foreign-made consumer-grade Internet routers are henceforth prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the United States.
"Update Follows Determination by Executive Branch Agencies that Consumer-Grade Routers Produced in Foreign Countries Threaten National Security
WASHINGTON, March 23, 2026—Today, the Federal Communications Commission updated its Covered List to include all consumer-grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones, and smart devices to the internet. This followed a determination by a White House-convened Executive Branch interagency body with appropriate national security expertise that such routers “pose unacceptable risks to the national security of the United States or the safety and security of United States persons.”
"The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”
"This action does not affect any previously-purchased consumer-grade routers. Consumers can continue to use any router they have already lawfully purchased or acquired."
"Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations. Interested applicants are encouraged to submit applications to conditional-approvals@fcc.gov."
Not sure how many consumer-grade routers will be left for sale if it really is a ban on approvals for any foreign-made consumer routers like they said, and not just a bunch of already restricted Chinese makers like Huawei and ZTE.
Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker
A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.
From the story:
"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."
"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."
New, by me: How AI Assistants are Moving the Security Goalposts
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.
So one of the guys I wrote about in this story -- Matt Schlicht, the creator of Moltbook, a bizarre Reddit-like platform for AI agents that Schlicht said he vibe coded with OpenClaw -- has just had his bot social network acquired by Meta (for undisclosed terms).
Interestingly, Schlicht said he didn't write a single line of code for the project. From the story:
"AI assistants like OpenClaw have gained a large following because they make it simple for users to “vibe code,” or build fairly complex applications and code projects just by telling it what they want to construct."
"Less than a week after its creation, Moltbook had more than 1.5 million registered agents that posted more than 100,000 messages to each other. AI agents on the platform soon built their own porn site for robots, and launched a new religion called Crustafarian with a figurehead modeled after a giant lobster. One bot on the forum reportedly found a bug in Moltbook's code and posted it to an AI agent discussion forum, while other agents came up with and implemented a patch to fix the flaw."
"“I just had a vision for the technical architecture and AI made it a reality,” Schlicht said. “We’re in the golden ages. How can we not give AI a place to hang out.”
We've been weaning ourselves off ordering things from Amazon, so my wife went and ordered something big from a different retailer, who was actually advertising it at a lower price than Amazon. Well, after a week of waiting for the item to ship, it suddenly just arrived. Turns out the order was fulfilled through Amazon anyway.
Saw a few videos this morning of Iranian drones targeting US military bases and blowing shit up. I was struck by how loud and slow these things are. It's as if the loudest leafblower on the planet had wings and a propeller.
This AP News story has some good detail on Iran's response to its neighbors, which indicates the majority of the many, many missiles and drones Iran sent at or near the UAE were intercepted, but that some less defended places were still hit due to the volume of the missile/drone volley.
"Officials in Dubai in the United Arab Emirates said Sunday that air defenses had dealt with 165 ballistic missiles, two cruise missiles and more than 540 Iranian drones over two days. While officials said they intercepted all air attacks Saturday, debris from the knocked-down weapons sparked blazes at some of Dubai’s most iconic locations."
"Some Iranian drones flew as far as a U.K. military base in Cyprus. The runway at the Royal Air Force base in Akrotiri was struck by an Iranian drone Sunday, according to U.K. officials, and sirens blared there again Monday when two more drones heading toward the base were intercepted."
"State-of-the-art U.S. and Israeli air defense assets have proven efficient in intercepting most of Iran’s ballistic missiles launched at Israel. But the attacks using large numbers of cheap drones hit some softer targets lacking the same level of protection."
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
Really enjoyed this scoop from the Financial Times, where a team of reporters identified 48 seemingly independent companies working from different physical addresses that appear to be operating together to disguise the origin of Russian oil, particularly from Kremlin-controlled Rosneft. The kicker: The network was discovered because they all share a single private email server.
From the (paywalled) story:
"The FT was able to identify 442 web domains whose public registrations show they all use a single private server for their email, “mx.phoenixtrading.ltd”, showing that they share back-office functions."
"The FT was then able to identify companies by comparing the names in the domain to those of entities that appear in Russian and Indian customs records as involved in carrying Russian oil."
"For example, Foxton FZCO, a Dubai-based entity listed as the buyer of $5.6bn of oil in Russian export filings, matches “foxton-fzco.com”. Similarly, Advan Alliance, an entity listed in Indian filings as having sold $1.5bn of Russian oil into the country, can be linked to “advanalliance.ltd”."
"Filings linked by the FT to the domain list show oil exports from Russia amounting to more than $90bn."
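The pivot the FT describes above is a standard infrastructure-clustering trick: domains that publish the same private MX host share a mail back end, whatever their registrant or street address says. The script below is an added example (not FT code) that groups domains by normalised MX host and drops well-known public providers so that only genuinely shared private infrastructure surfaces. The domain list and MX answers are constructed; of the names in it, only foxton-fzco.com, advanalliance.ltd and mx.phoenixtrading.ltd come from the story, and the optional live lookup assumes the third-party dnspython package.

```python
"""Pivot on shared mail infrastructure: group domains by the MX host they
publish, the way the FT clustered 442 domains behind mx.phoenixtrading.ltd.

Added example, not FT code. SAMPLE_MX is a constructed stand-in for the
answers `dig MX <domain> +short` would return; the *.test names are made up.
"""
from collections import defaultdict

SAMPLE_MX = {
    "foxton-fzco.com": ["10 mx.phoenixtrading.ltd."],
    "advanalliance.ltd": ["10 MX.PhoenixTrading.LTD."],   # case differs, same host
    "example-unrelated.test": ["1 aspmx.l.google.com.",
                               "5 alt1.aspmx.l.google.com."],
    "another-unrelated.test": ["0 example-unrelated-mail.test."],
    "nomail.test": [],                                     # no MX published
}


def parse_mx(records):
    """Return the set of normalised MX hosts from 'pref host' strings.

    Trailing dots and case are stripped so that the same server written
    differently in two zones still lands in the same cluster.
    """
    hosts = set()
    for rec in records:
        parts = rec.split()
        host = parts[-1] if parts else ""
        host = host.rstrip(".").lower()
        if host:
            hosts.add(host)
    return hosts


def cluster_by_mx(mx_table):
    """Map each MX host to the sorted list of domains that use it."""
    clusters = defaultdict(set)
    for domain, records in mx_table.items():
        for host in parse_mx(records):
            clusters[host].add(domain.lower())
    return {host: sorted(domains) for host, domains in clusters.items()}


def shared_infrastructure(mx_table, min_domains=2, ignore_public=()):
    """Keep only clusters of at least min_domains, skipping public providers.

    ignore_public is a tuple of parent domains (e.g. "google.com") whose
    hosted mail would otherwise cluster every customer together.
    """
    out = {}
    for host, domains in cluster_by_mx(mx_table).items():
        if any(host == p or host.endswith("." + p) for p in ignore_public):
            continue
        if len(domains) >= min_domains:
            out[host] = domains
    return out


def live_mx(domain):
    """Optional live lookup (assumes `pip install dnspython`); not used offline."""
    import dns.resolver
    return [f"{r.preference} {r.exchange}"
            for r in dns.resolver.resolve(domain, "MX")]


if __name__ == "__main__":
    hits = shared_infrastructure(SAMPLE_MX, ignore_public=("google.com",))
    for host, domains in hits.items():
        print(f"{host}: {len(domains)} domains -> {', '.join(domains)}")
```

The filter list matters: Google, Microsoft and other hosted-mail providers would otherwise produce one giant cluster of unrelated customers, which is exactly why a single private MX host is the signal worth chasing and a public one is noise. Passive-DNS history is the natural next pivot, since a domain that later moves off the shared host still had it in the past.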
A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses.
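A relay like the one described works because a password and a one-time code are just strings the victim types, so the proxy can forward them to the real site unchanged. The added example below (not Starkiller or any vendor's code) models both sides of that exchange: a legitimate site, a victim who types a password plus an RFC 6238 TOTP code into a look-alike page, and the same relay trying to forward an origin-bound (WebAuthn-style) assertion. The site names, the TOTP seed and the HMAC stand-in for the authenticator's signature are all constructed; real WebAuthn signs authenticatorData together with a hash of clientDataJSON, and it is the origin carried inside that signed clientDataJSON that the relay cannot rewrite.

```python
"""Credential relay (adversary-in-the-middle) versus origin-bound authentication.

Added example, not code from the page or from any phishing kit. Everything
below is constructed: the origins, the secrets, and the HMAC used in place of
the authenticator's real public-key signature.
"""
import base64
import hashlib
import hmac
import json
import os
import struct
import time

REAL_ORIGIN = "https://login.example.test"             # constructed
PHISH_ORIGIN = "https://login.example.test.evil.test"  # constructed look-alike


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code the victim reads off their app."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class LegitSite:
    """The real service: password hash, TOTP seed, registered authenticator key."""

    def __init__(self, password, totp_secret, authn_key):
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.totp_secret = totp_secret
        self.authn_key = authn_key

    def challenge(self):
        return os.urandom(16)

    def login_otp(self, password, code, now):
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)
        return pw_ok and hmac.compare_digest(code, totp(self.totp_secret, now))

    def login_webauthn(self, challenge, client_data, signature):
        # The origin is checked *inside* the signed data, not just the signature.
        if client_data["origin"] != REAL_ORIGIN:
            return False
        if base64.b64decode(client_data["challenge"]) != challenge:
            return False
        expected = hmac.new(self.authn_key,
                            json.dumps(client_data, sort_keys=True).encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key, challenge, origin_seen_by_browser):
    """Toy authenticator: the browser-reported origin is baked into the signed blob."""
    client_data = {"type": "webauthn.get",
                   "challenge": base64.b64encode(challenge).decode(),
                   "origin": origin_seen_by_browser}
    sig = hmac.new(key, json.dumps(client_data, sort_keys=True).encode(),
                   hashlib.sha256).digest()
    return client_data, sig


def relay_otp_attack(site, password, totp_secret, now):
    """Victim types password + OTP into the phish page; relay replays them upstream."""
    code = totp(totp_secret, now)
    return site.login_otp(password, code, now)


def relay_webauthn_attack(site, authn_key):
    """Relay forwards the real challenge, but the browser signs for PHISH_ORIGIN."""
    challenge = site.challenge()
    client_data, sig = authenticator_sign(authn_key, challenge, PHISH_ORIGIN)
    return site.login_webauthn(challenge, client_data, sig)


def legit_webauthn_login(site, authn_key):
    challenge = site.challenge()
    client_data, sig = authenticator_sign(authn_key, challenge, REAL_ORIGIN)
    return site.login_webauthn(challenge, client_data, sig)


def demo():
    secret, key = b"constructed-totp-seed", b"constructed-authenticator-key"
    site = LegitSite("hunter2", secret, key)
    now = int(time.time())
    return {"otp_relayed": relay_otp_attack(site, "hunter2", secret, now),
            "webauthn_relayed": relay_webauthn_attack(site, key),
            "webauthn_direct": legit_webauthn_login(site, key)}


if __name__ == "__main__":
    print(demo())
```

The relayed password and TOTP code succeed at the real site, because nothing in them says which page the victim was looking at; the relayed assertion fails, because the origin is part of what was signed. In a real browser the defence kicks in even earlier: the credential's RP ID does not match the phishing domain, so the browser never offers it. The practical caveat is that app-based push approval and SMS or TOTP codes are all relayable and none of them stops this class of kit; only origin-bound factors (FIDO2 keys, passkeys) do.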
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 | krebsonsecurity @ gmail .com | LinkedIn: https://www.linkedin.com/in/bkrebs