Security tools are good at inspecting websites, domains, URLs, and files, so attackers are moving lower in the stack and communicating directly with IP addresses, where visibility is limited. According to Palo Alto Networks’ report, this creates a visibility gap that allows malicious traffic to blend into normal internet activity and evade detection. At the…
Tag: URLs
Global Security News
Law enforcement arrests 29 in crackdown on illegal streaming operations
The operation successfully led to the removal of more than 27,000 illegal streaming URLs distributing copyrighted sports, film, and television content.
Global Security News
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. […]
AI, Apps, Global Security News, Network Security
IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)
Yesterday, in my diary about the scans for “/proxy/” URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in RFC 4038. These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking…
AI, Endpoint, Global Security News
Open-source tool Sage puts a security layer between AI agents and the OS
Autonomous AI agents running on developer workstations execute shell commands, fetch URLs, and write files with little or no inspection of what they are doing. Open-source project Sage inserts an interception layer between an AI agent and those operations, checking each action before it proceeds. The project applies the term Agent Detection & Response (ADR)…
AI, Global Security News
Quick Howto: ZIP Files Inside RTF, (Mon, Mar 2nd)
In diary entry “Quick Howto: Extract URLs from RTF files” I mentioned ZIP files. There are OLE objects inside this RTF file: They can be analyzed with oledump.py like this: Options --storages and -E %CLSID% are used to show the abused CLSID. Stream CONTENTS contains the URL: We extracted this URL with the method…
AI, Global Security News, malware
CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
CTM360 reports 4,000+ malicious Google Groups and 3,500+ Google-hosted URLs used to spread the Lumma Stealer infostealing malware and a trojanized “Ninja Browser.” The report details how attackers abuse trusted Google services to steal credentials and maintain persistence across Windows and Linux systems. […]
