Notices by BrianKrebs (briankrebs@infosec.exchange)

Wait, the music hasn't stopped yet! Or has it?

https://www.cnbc.com/2026/06/23/spacex-stock-tech-sell-off.html

Don't look now, but it seems Gizmodo's homepage is now serving up a Clickfix attack.

Basics of the Click-Fix exploit, which causes a pasted URL to fetch malware via Windows Powershell.

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

#clickfix #gizmodo

One thing I've noticed after tracking down so many cybercriminals is that it's super common for the person's first sales thread on a forum to include data stolen from an organization in the country where they live. This is more remarkable when the threat actor is outside the United States, because it very often tells you exactly which country they are from.

You might think that this would be a very dumb thing to do from a self-preservation perspective, but a lot of times they are eager to make a splash on the forums and the best data or access they have is their government's data or some company working with their country's govt. And if you consider that many young people get started in hacking by sticking it to the local authorities and trying to make them look like clowns, it makes a lot more sense.

New, from me: 'Popa' Botnet Linked to Publicly Traded Israeli Firm

"For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]."

https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/

There is an incredible amount of interesting data and findings in the reports on Popa released this week. For example, the proxy detection service Spur told me they recently scraped the LG and Samsung app stores and found that each had approximately 3,000 apps available for download. Spur said it found that more than 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one’s television into an always-on residential proxy node. More than a quarter of the apps made for Samsung’s Tizen operating system had similar residential proxy components, Spur found.

#proxy #popa #botnet #lg #samsung

RE: https://mastodon.social/@randahl/116741284261224277

ICYMI, the United States plans to significantly reduce the aircraft and warships that it makes available for NATO operations in Europe, according to two senior European officials, accelerating America’s effort to scale down the protection it has offered to European allies for eight decades. The NYT reports the decision would limit NATO’s ability to launch long-range strikes and conduct surveillance.

https://www.nytimes.com/2026/06/12/world/europe/us-nato-cuts-drawdown-jets.html

Meanwhile, Happy Russia Day!

How long until we start to see AI agents weaponized to impoverish gullible humans with crippling AWS bandwidth bills? Oh wait...

https://lantian.pub/en/article/fun/ai-agent-bankrupted-their-operator-scan-dn42lantian.lantian/

The threat I'm thinking of is like black faxing in the old days, except against your wallet instead of your toner cartridge.
https://en.wikipedia.org/wiki/Black_fax

There was an important court decision last week in a lawsuit filed by 20 states to halt the Trump administration's arbitrary new requirements for distributing food assistance funds to 39 million families that depend on these benefits. On June 5, a federal judge blocked the administration from enforcing new conditions on billions of dollars in federal nutrition funding, siding with a coalition of Democratic-led states that argued the requirements threatened programs serving low-income families.

"According to court filings, the disputed conditions included provisions related to immigration, "gender ideology" and "fair athletic opportunities" for women and girls. The states argued the requirements were vague, unrelated to nutrition and agriculture programs, and imposed without proper legal procedures."

https://www.usatoday.com/story/news/politics/2026/06/06/judge-halts-trump-snap-restrictions-in-states-lawsuit-over-funding-rules/90438543007/

I've written multiple stories about these Supplemental Nutrition Assistance Program (SNAP) benefits, from the perspective of them being stolen by card skimming devices secretly installed at checkout counters and random places. In the past, the states have struggled to get the federal government to reimburse them for these fraud costs, which are disproportionately caused by organized crime groups, particularly Armenian and Romanian gangs that have a significant presence in the US. Now the states are struggling to get these benefits funded at all. But the skimming threat hasn't gone away, because while some state benefits cards do now have chips on them, many still allow the cards to be swiped.

Previous reporting on this:

https://krebsonsecurity.com/2022/10/how-card-skimming-disproportionally-affects-those-most-in-need/

https://krebsonsecurity.com/2023/02/new-protections-for-food-benefits-stolen-by-skimmers/

https://krebsonsecurity.com/2022/11/lawsuit-seeks-food-benefits-stolen-by-skimmers/

From the WTAF dept:

Malware developers are now adding text about nuclear and biological weapons to their spyware to evade AI-based security scanners.

tl;dr: The inclusion of content that LLMs are trained to refuse -- such as information about nukes and bioweapons -- can effectively prevent the LLM from continuing to analyze the threat.

"This header appears designed for AI-mediated analysis, not for Node, Bun, or Python. It attempts to derail scanners or analyst copilots that feed the beginning of a file to a language model without clearly isolating the content as untrusted data. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware."

https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious

IDK why, but this reminds me of the Calvin & Hobbes cartoon where Calvin asks his mom for stuff she will never give him in a million years, and then he just asks for a cookie.

Hey Windows (ab)users! Microsoft patched around 200 vulnerabilities in Windows etc today, a record Patch Tuesday batch. All indications are they fixed two of the zero-days dropped last month by the researcher Nightmare Eclipse, including "Green Plasma" and the "YellowKey" exploit that allowed local access to data encrypted by BitLocker. In response to today's Patch Tuesday, Nightmare Eclipse dropped an exploit for what they claimed was a zero-day bug in Windows Defender.

Nearly three dozen of the bugs patched this month earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available.

https://krebsonsecurity.com/2026/06/a-record-breaking-patch-tuesday-for-june-2026/

#patchtuesday #windows #nightmareeclipse #greenplasma #yellowkey

Everyone's heard of link shorteners, but did you know about link extenders? Someone forwarded me a curious long ass link that turned out to be malicious (after several redirects) that was created with this service. I could see this being useful for shady marketing companies as well as malware purveyors.

Sit with this for a second: If the White House had its way, all the immigrants in this country would be dead -- at least on paper. WaPo reports that the Trump administration had plans to classify 2.7 million living people — including some U.S. citizens and lawful permanent residents — as dead as part of its immigration enforcement efforts. The plan reportedly fell apart after pushback from Social Security Administration employees who were tasked with implementing it.

https://www.washingtonpost.com/politics/2026/06/05/doge-planned-falsely-mark-27-million-people-dead-whistleblower-says/

My follower count here seems to have dropped by ~750-1,000 overnight. I'm guessing there was some kind of cleanup done on botted accounts or something? Or maybe I just pissed a lot of people off at once (totally possible).

@dalias They got access to 20 encrypted vaults. They'd still have to work out the master password for those targeted accounts. Theoretically, that could be done offline, as happened w/ the breach at LastPass, but it took many months for a lot of those stolen vaults to be cracked.

RE: https://infosec.exchange/@briankrebs/116670688015956223

Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." Dashlane said there was no evidence of a hack of its own systems, but it hasn't shared yet why or how that 2FA was compromised. The company said “the goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” and that it has already notified affected users.

https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts?7194ef805fa2d04b0f7e8c9521f97343

New, by me: A number of high-profile and/or valuable Instagram accounts, including those of the Obama White House and the Chief Master Sergeant for the U.S. Space Force, got hacked and defaced with pro-Iran messaging in the past 24h after people figured out that Meta's AI support assistant could be tricked into resetting account passwords.

From the story:

"A video released on Telegram by pro-Iran hackers claimed to document a remarkably simple exploit that appears to have involved using a VPN connection with an IP address that is in or near the target's usual hometown, requesting a password reset for the account, and then choosing to chat with Meta's AI support assistant. From there, the video shows the attacker told the bot to link the account in question to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset."

https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/

#meta #instagram #hack #ai #security

Get this man a wambulance. The POTUS is having such a hissy fit over multiple musical artists bowing out of invitations to celebrate our nation's 250th anniversary on July 4 that he's now saying all the performances should be canceled and we should have a big MAGA rally on the mall featuring him blathering on w/ his usual lies and hate.

Rather than respond to the artists' complaint that he'd politicized and personalized what should be a cause for national unity, he doubled down.

"So I am thinking about bringing the Number One Attraction anywhere in the World, the man who gets much larger audiences than Elvis in his prime...and the man who some say is the Greatest President in History (THE GOAT!), DONALD J. TRUMP, to take the place of these highly paid, Third Rate 'Artists.'"

"Trump said he was ordering aides to assess "the feasibility of doing an AMERICA IS BACK Rally" on the mall, where he would deliver a speech "rallying the Country forward like I have done ever since being President!"

Oh well, just another venerated tradition, destination and celebration in my hometown garishly marred by the president's unquenchable thirst for attention and power.

https://www.yahoo.com/news/politics/articles/trump-calls-replacing-us-250th-002946144.html

NPR laid off about 4 percent of its content division, including 10 journalists and some veteran reporters.

""People love science," NPR Science Correspondent Nell Greenfieldboyce, who was laid off Wednesday, said in an interview for this story. "It's such a break from the political and economic and often grim news to have something more inspiring and curiosity driven. I thought it was a great blessing to have the opportunity to give that to people."

https://www.npr.org/2026/05/27/nx-s1-5836624/npr-layoffs-job-cuts

#media #layoffs #journalism

One more thing: I'm looking forward to a hearing in Congress about this. The "Private-CISA" repo included AWS keys for at least two different Nightwing contractors, including terraform scripts from another employee with embedded clear text credentials, suggesting there was a practice of sharing credentials.

Somehow I missed this story in my research concerning Nightwing, the Virginia government contractor where the CISA contractor worked.

May 2, 2025: Raytheon, Nightwing to Pay $8.4 Million in Settlement Over Cybersecurity Failures

"The US government on Thursday announced that it has reached a settlement with Raytheon, RTX Corporation, and Nightwing Group in a lawsuit over the companies’ alleged failures to meet cybersecurity requirements for defense contractors.

Raytheon, a subsidiary of RTX Corporation (previously Raytheon Technologies Corporation), and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI), allegedly failed to comply with cybersecurity requirements in 29 contracts and subcontracts with the Department of Defense (DoD). Nightwing is a cybersecurity and intelligence company that spun out of RTX.

According to the settlement, between 2015 and 2021, Raytheon did not implement necessary cybersecurity controls on a system used to perform work on DoD contracts. In 2015, the company landed a DHS cybersecurity contract worth $1 billion.

Raytheon and RCSI allegedly not only failed to implement a security plan for the internal development system, but also failed to ensure that it complied with other Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR) requirements.

Per DFARS and FAR, contractors are required to apply basic safeguarding to systems that process or store federal contract data, and to provide adequate security for those systems, respectively."

https://www.securityweek.com/raytheon-to-pay-8-4-million-in-settlement-over-cybersecurity-failures/amp/

Big companies have an expensive new addiction to AI, and their smack is getting more expensive. Who could have seen this coming? From the WSJ:

"Use of artificial intelligence by big companies is exploding—and the soaring cost has some of them pumping the brakes in a way that could complicate AI’s triumphal march across the economy.
Executives across industries this year have urged employees to integrate AI tools into their work, spending freely to encourage experimentation and seeking to send a message to Wall Street that their companies won’t be left behind in a coming wave of disruption."

"All that enthusiasm has resulted in skyrocketing costs for so-called tokens, the basic unit of measurement for AI computing, as AI model providers seek to balance supply and demand and manage their own costs. Some enterprises have hit their annual budget in just three months or reported seeing their AI spending bills double or triple."
 
"Now corporate leaders are scrambling to bring down expenses by finding ways to ration AI use in their organizations, steer workers toward cheaper, homegrown tools and help them hone their skills to improve returns." 

https://www.wsj.com/tech/ai/corporate-america-is-starting-to-ration-ai-as-cost-skyrockets-1eb99d7a (paywall)

https://archive.ph/v2dwg