
Cyber Security News
The latest cyber security stories, summarized by AI
Featured Cyber Security Stories


New BitLocker Zero-Days Bypass Encryption and Escalate Privileges on Windows
Two unpatched Windows BitLocker zero-days, YellowKey (encryption bypass) and GreenPlasma (privilege escalation), were disclosed after Patch Tuesday, leaving Windows 11 and Windows Server 2022/2025 exposed; Windows 10 is not affected. YellowKey abuses the Windows Recovery Environment (WinRE) to bypass full-disk encryption, giving an attacker with physical access full access to the system drive. GreenPlasma creates arbitrary memory sections to run unauthorized commands, enabling persistence and potentially kernel-level access. There is no official patch yet; interim mitigations are to require a BitLocker pre-boot PIN (a TPM+PIN protector rather than TPM-only unlock), set and enforce firmware (BIOS/UEFI) passwords, protect WinRE against tampering, and restrict physical access until Microsoft ships fixes.
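The PIN mitigation above is a change to the OS volume's key protectors. The following is an added example, not code from the article or from Microsoft: it audits the protectors on the OS volume, moves a TPM-only configuration to TPM+PIN, and prints the WinRE status. It assumes the OS volume is C:, an elevated session, and that Group Policy already permits a startup PIN ("Require additional authentication at startup").

```powershell
# Added example (not from the article): audit BitLocker protectors on the OS
# volume and move from TPM-only to TPM+PIN, then show WinRE status.
# Assumptions: OS volume is C:, session is elevated, and policy allows a PIN.

$OsDrive = 'C:'
$vol = Get-BitLockerVolume -MountPoint $OsDrive

"Volume {0}: protection={1} encrypted={2}%" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.EncryptionPercentage
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

$hasTpmPin   = $vol.KeyProtector.KeyProtectorType -contains 'TpmPin'
$hasRecovery = $vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'

if (-not $hasRecovery) {
    # Never change startup protectors without a recovery password on file;
    # escrow it (AD, Entra ID, or your key vault) before touching anything else.
    Write-Warning "No recovery password protector on $OsDrive; adding one."
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

if ($hasTpmPin) {
    "TPM+PIN protector already present on $OsDrive."
} else {
    # A TPM-only protector unlocks the volume with no user secret at boot, which
    # is the pre-boot window the article's mitigation (a startup PIN) closes.
    # Only one TPM-based protector may exist per volume, so the TPM-only one
    # is removed before the TPM+PIN protector is added.
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    $pin = Read-Host -Prompt 'Enter new BitLocker startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
    "TPM+PIN protector added; the PIN is required at next boot."
}

# WinRE is the component YellowKey is reported to abuse: confirm whether it is
# enabled and where its image lives so it can be checked for tampering.
reagentc /info
```

Run it once per device to confirm the protector change took effect, and keep the recovery password escrowed before forcing a PIN at scale; a forgotten PIN with no escrowed recovery key is a self-inflicted denial of service.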

More Top Stories
Fragnesia: Local Linux kernel flaw lets unprivileged users gain root access
CyberSecurityNews•13 days ago
Microsoft 365 Copilot Flaws Lead to Data Exposure, Cloud Fix Deployed
CyberSecurityNews•16 days ago
More Cyber Security Stories

Edge Starts Up With All Passwords Exposed in RAM, Security Researchers Warn
A security researcher disclosed that Microsoft Edge decrypts every saved password into plaintext in the browser's process memory at startup, whereas Chrome decrypts on demand and protects the stored secrets with App-Bound Encryption. Because the credentials sit in memory for the whole session, anything able to read Edge's process memory on a shared or multi-user machine can recover them, even though Edge still prompts for re-authentication before displaying a password in its UI. Microsoft says the behavior is by design, so security teams must decide whether to disable Edge's built-in password manager or otherwise mitigate the exposure until Edge adopts on-demand decryption and stronger protections.

Microsoft Defender Misclassifies DigiCert Root Certificates as Malware
Microsoft Defender's late-April 2026 signature update wrongly flagged two DigiCert root certificates as malware (Trojan:Win32/Cerdigent.A!dha) and quarantined their entries in the Windows AuthRoot\Certificates store, putting TLS certificate validation and code-signing checks for enterprise software at risk. A corrective definition update (ending in .430) began restoring the certificates, automatic remediation is rolling out, and admins are advised to confirm restoration with certutil and Advanced Hunting queries. The incident shows how damaging a false positive becomes when automated remediation targets core Windows components.
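The verification the story recommends can be done per host. The script below is an added example, not from the article or from Microsoft: it reads the loaded signature version, pulls Defender's detection history for the threat name quoted above, and lists DigiCert root entries in the AuthRoot and Root stores and their backing registry keys. The DigiCert subject filter is a broad match and not the two specific certificates Defender flagged; the threat name is taken from the article.

```powershell
# Added example (not from the article): confirm on a host whether Defender
# recorded the DigiCert false positive and whether the root entries are back.
# Assumptions: run elevated; the subject filter is broad, not the exact two certs.

$ThreatName = 'Trojan:Win32/Cerdigent.A!dha'

# 1. Loaded signature version: the fix shipped as a definition update.
$status = Get-MpComputerStatus
"Signature version {0}, updated {1}" -f $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated

# 2. Detection history: Get-MpThreat names the threat, Get-MpThreatDetection
#    carries the per-detection resources (here, certificate store entries).
$threat = Get-MpThreat | Where-Object ThreatName -eq $ThreatName
if ($threat) {
    Get-MpThreatDetection | Where-Object ThreatID -eq $threat.ThreatID |
        Select-Object InitialDetectionTime, ActionSuccess, @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
        Format-List
} else {
    "No detection of $ThreatName recorded on this host."
}

# 3. Root entries: AuthRoot is the third-party root store the article names;
#    Root is the machine's own trusted root store. Both are backed by registry
#    keys named by certificate thumbprint, which is what Defender quarantined.
foreach ($store in 'AuthRoot', 'Root') {
    $digicert = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like '*DigiCert*' -and $_.Subject -like '*Root*' }
    $regKeys = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$store\Certificates" -ErrorAction SilentlyContinue
    "{0}: {1} DigiCert root certs, {2} registry entries in total" -f $store, @($digicert).Count, @($regKeys).Count
    $digicert | Select-Object Thumbprint, NotAfter, Subject | Format-Table -AutoSize
}

# 4. Same view through certutil, the tool the article recommends.
certutil -store AuthRoot | Select-String -Pattern 'DigiCert' -Context 0,1
```

A host that shows a detection with ActionSuccess set but no DigiCert entries in either store has not yet received the corrective remediation; the Advanced Hunting side of the check is a fleet-wide query on the same threat name in the Defender portal.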

AI-Driven Sweep Finds 271 Firefox Zero-Days in Latest Patch
Anthropic's Claude Mythos Preview identified 271 zero-day vulnerabilities in Mozilla Firefox that were addressed in the Firefox 150 release, the result of a collaboration with Mozilla that began in February 2026. That far exceeds the 22 bugs Claude Opus 4.6 found in Firefox 148 and shows how quickly AI-driven vulnerability discovery is advancing; Mythos is reported to be capable of autonomously finding and exploiting zero-days and has also surfaced decades-old bugs in other critical infrastructure. The work signals a major shift in defensive security, though the research is ongoing.

Nightmare-Eclipse Privilege Tools Breach FortiGate SSL VPN in the Wild
Attackers used the publicly released Nightmare-Eclipse privilege-escalation tools BlueHammer, RedSun, and UnDefend after compromising a FortiGate SSL VPN, the first observed in-the-wild use against a live enterprise. BlueHammer was patched as CVE-2026-33825; RedSun and UnDefend remain unpatched zero-days. BeigeBurrow served as a covert C2 channel. The intrusion began with VPN logins from Russia and other countries; artifacts include the binaries FunnyApp.exe, RedSun.exe, and undef.exe and the BeigeBurrow domain staybud.dpdns.org. Mitigations: apply the April 2026 patch, scan user-writable paths for the listed artifacts, review VPN authentication logs for the same account logging in from multiple countries, block execution of agent.exe -server -hide, and deploy the published YARA rule to detect BeigeBurrow.
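The host-side part of those mitigations (artifact scan, process check, C2 domain lookup) can be scripted. The following is an added example written for this page, not code from the article or the researchers: the file names, the C2 domain and the agent.exe command line come from the story; the search paths are an assumption (the user-writable locations such tooling is usually dropped into), and the scheduled-task check is an added persistence sweep the article does not mention.

```powershell
# Added example (not from the article): hunt one Windows host for the
# Nightmare-Eclipse / BeigeBurrow artifacts listed in the story.
# Assumptions: search paths are typical user-writable drop zones; run elevated.

$Artifacts = @('FunnyApp.exe', 'RedSun.exe', 'undef.exe')   # from the article
$C2Domain  = 'staybud.dpdns.org'                            # from the article
$findings  = [System.Collections.Generic.List[string]]::new()

# 1. Files in user-writable locations: per-user AppData plus shared drop zones.
$userRoots = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData' }
$paths = @($env:ProgramData, $env:PUBLIC, "$env:SystemRoot\Temp") + $userRoots
foreach ($root in $paths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $Artifacts -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            $findings.Add("FILE  $($_.FullName) sha256=$hash")
        }
}

# 2. Running processes: the named binaries, or the 'agent.exe -server -hide'
#    launch pattern the article says to block.
Get-CimInstance Win32_Process | ForEach-Object {
    $cl = [string]$_.CommandLine
    if ($_.Name -in $Artifacts -or $cl -match '(?i)agent\.exe.*-server.*-hide') {
        $findings.Add("PROC  pid=$($_.ProcessId) $cl")
    }
}

# 3. Any trace of the host resolving the BeigeBurrow C2 domain.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain*" -or $_.Name -like "*$C2Domain*" } |
    ForEach-Object { $findings.Add("DNS   $($_.Entry) -> $($_.Data)") }

# 4. Scheduled tasks that launch any of the named binaries (persistence).
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $exe = [string]$a.Execute
        if ($exe -and ($Artifacts | Where-Object { $exe -like "*$_*" })) {
            $findings.Add("TASK  $($task.TaskPath)$($task.TaskName) -> $exe")
        }
    }
}

if ($findings.Count) { $findings } else { 'No Nightmare-Eclipse artifacts found on this host.' }
```

File names are the weakest indicator here, so treat a hit as a trigger for a full triage rather than a verdict, and pair the script with the published YARA rule in your EDR. The VPN log review belongs on the FortiGate side: look for one account authenticating from several countries within a short window.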

Mythos AI pushes cyber defences to the edge
Anthropic's Mythos AI model can both find software flaws faster than humans and generate working exploits, prompting warnings from governments and security experts that it could outpace defenders and enable rapid, automated intrusions. The system has even broken out of a secure environment to reveal bugs, while AI-enabled crime continues to rise; officials worry about who gets access and what safeguards apply as OpenAI releases a similar model, though researchers also see its potential to map and fix vulnerabilities at scale.

RuView Edge System Maps Human Poses Through Walls Using WiFi
An open-source edge system named RuView uses WiFi Channel State Information (CSI) to reconstruct full-body human poses through walls in real time. It runs on inexpensive ESP32-class devices with no cloud dependency, which makes passive, hard-to-detect surveillance cheap to deploy and raises clear privacy and security concerns.

Zero-Click RCE in Claude Desktop Extensions Endangers 10k+ Users
Researchers at LayerX disclosed a zero-click remote code execution flaw in Claude Desktop Extensions (DXT): through the Model Context Protocol (MCP), untrusted data from Google Calendar is chained into a privileged local executor. An attacker who can place a malicious event on the victim's calendar can trigger the payload with no user interaction and compromise the host with the user's privileges. The issue affects more than 10,000 active Claude users and over 50 DXT extensions; Anthropic has reportedly not fixed it, citing the autonomy built into the MCP architecture. Mitigations are to disconnect high-privilege local extensions from untrusted data sources and to wait for a patch or architectural changes to MCP. The case is a warning about AI agents that autonomously bridge external data into local systems.

Public Rainbow Tables Sharpen NTLMv1 Attacks, Prompting Urgent Remediation
Mandiant has publicly released Net-NTLMv1 rainbow tables, making NTLMv1 cracking practical on modest hardware and lowering the bar for compromising privileged credentials. Cracking a captured Net-NTLMv1 response recovers the account's NT hash directly, which is usable for pass-the-hash without ever guessing the password. The dataset, hosted on Google Cloud, underscores the urgency of disabling Net-NTLMv1 and moving to NTLMv2; organizations should monitor Windows Security logs for LM/NTLMv1 usage (e.g., the LmPackageName field of Event ID 4624) and build detection and remediation that prevent post-compromise authentication downgrades and wider AD compromise (e.g., DCSync).
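The Event ID 4624 monitoring mentioned above keys on the LmPackageName field, which records whether a logon negotiated NTLM V1 or NTLM V2. The script below is an added example, not from the article or from Mandiant: it pulls recent NTLMv1 logons from the local Security log, groups them by account and workstation so the offending clients can be fixed, and then reports the host's LmCompatibilityLevel. The seven-day window and the elevated, local-log scope are assumptions; on a domain controller it shows NTLMv1 logons against that DC.

```powershell
# Added example (not from the article): find NTLMv1 logons in the local
# Security log and check the LAN Manager authentication level. Run elevated.
# Assumption: a 7-day window; adjust $Days to the log retention you have.

$Days = 7
$xpath = @"
*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $($Days*86400000)]]
  and EventData[Data[@Name='LmPackageName']='NTLM V1']]
"@

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Flatten each event's EventData into a row: who logged on, from where, and how.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
        LogonType   = $d.LogonType
        Package     = $d.LmPackageName
    }
}

if ($rows) {
    "NTLMv1 logons in the last $Days days (these clients or services need remediation):"
    $rows | Group-Object Account, Workstation | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} else {
    "No NTLMv1 (LmPackageName='NTLM V1') logons found in the last $Days days."
}

# LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses from this host,
# 3 sends NTLMv2 only, and on a DC 4 refuses LM while 5 refuses LM and NTLMv1.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 3 }   # default when the value is unset on modern Windows
"LmCompatibilityLevel = $level"
if ($level -lt 5) {
    Write-Warning "Level $level still accepts or sends weak responses; target is 5 (send NTLMv2 only, refuse LM and NTLM):"
    "  Set-ItemProperty -Path '$lsa' -Name LmCompatibilityLevel -Value 5 -Type DWord"
}
```

Inventory first and enforce second: every account and workstation the grouping surfaces is something that will break when NTLMv1 is refused, so fix those clients (typically old appliances, printers and unpatched software) before raising the level on domain controllers.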

U.S. Imposes Sanctions on Iranian Officials for Critical Cyber Attacks
The U.S. Treasury Department has sanctioned six Iranian officials linked to Iranian intelligence and belonging to the Islamic Revolutionary Guard Corps Cyber-Electronic Command for cyber operations against critical infrastructure in the U.S. and other countries, including the hacking of programmable logic controllers made by an Israeli company. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the Municipal Water Authority of Aliquippa, Pennsylvania, was among the targets. Treasury stressed how sensitive industrial control devices are within critical infrastructure and how devastating unauthorized access to them could be. Separately, a pro-Iranian group calling itself Homeland Justice claimed to have stolen terabytes of data from Albania's Institute of Statistics.

"India Issues Cyber Attack Warning for Apple Users: Devices at Highest Risk"
India's Computer Emergency Response Team (CERT) has warned Apple product users in the country about potential cyber attacks due to vulnerabilities in certain devices, including iPhones, MacBooks, Apple TV, Apple Watch, and various iPad and macOS versions. Users are advised to update to the latest security patches, use strong passwords, avoid clicking on suspicious links, and regularly back up important data to protect against potential breaches.