Security


Researchers question Anthropic claim that AI-assisted attack was 90% autonomous

Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that proved to be publicly available information. This AI hallucination in offensive security contexts presented challenges for the actor’s operational effectiveness, requiring careful validation of all claimed results. This remains an obstacle to fully autonomous cyberattacks.

How (Anthropic says) the attack unfolded

Anthropic said GTG-1002 developed an autonomous attack framework that used Claude as an orchestration mechanism that largely eliminated the need for human involvement. This orchestration system broke complex multi-stage attacks into smaller technical tasks such as vulnerability scanning, credential validation, data extraction, and lateral movement.

“The architecture incorporated Claude’s technical capabilities as an execution engine within a larger automated system, where the AI performed specific technical actions based on the human operators’ instructions while the orchestration logic maintained attack state, managed phase transitions, and aggregated results across multiple sessions,” Anthropic said. “This approach allowed the threat actor to achieve operational scale typically associated with nation-state campaigns while maintaining minimal direct involvement, as the framework autonomously progressed through reconnaissance, initial access, persistence, and data exfiltration phases by sequencing Claude’s responses and adapting subsequent requests based on discovered information.”

The attacks followed a five-phase structure that increased AI autonomy through each one.

The life cycle of the cyberattack, showing the move from human-led targeting to largely AI-driven attacks using various tools, often via the Model Context Protocol (MCP). At various points during the attack, the AI returns to its human operator for review and further direction.

Credit: Anthropic


The attackers were able to bypass Claude guardrails in part by breaking tasks into small steps that, in isolation, the AI tool didn’t interpret as malicious. In other cases, the attackers couched their inquiries in the context of security professionals trying to use Claude to improve defenses.

As noted last week, AI-developed malware has a long way to go before it poses a real-world threat. There’s no reason to doubt that AI-assisted cyberattacks may one day produce more potent attacks. But the data so far indicates that threat actors—like most others using AI—are seeing mixed results that aren’t nearly as impressive as those in the AI industry claim.



ClickFix may be the biggest security threat your family has never heard of

Another campaign, documented by Sekoia, targeted Windows users. The attackers behind it first compromise a hotel’s account for Booking.com or another online travel service. Using the information stored in the compromised accounts, the attackers contact people with pending reservations, an ability that builds immediate trust with many targets, who are eager to comply with instructions, lest their stay be canceled.

The site eventually presents a fake CAPTCHA notification that bears an almost identical look and feel to those required by content delivery network Cloudflare. The proof the notification requires for confirmation that there’s a human behind the keyboard is to copy a string of text and paste it into the Windows terminal. With that, the machine is infected with malware tracked as PureRAT.

Push Security, meanwhile, reported a ClickFix campaign with a page “adapting to the device that you’re visiting from.” Depending on the OS, the page will deliver payloads for Windows or macOS. Many of these payloads, Microsoft said, are LOLbins, the name for binaries that use a technique known as living off the land. These scripts rely solely on native capabilities built into the operating system. With no malicious files being written to disk, endpoint protection is further hamstrung.

The commands, which are often base-64 encoded to make them unreadable to humans, are often copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment designed to protect devices from malware or harmful scripts. Many security tools are unable to observe and flag these actions as potentially malicious.

The attacks can also be effective given the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messengers. In many users’ minds, the precaution doesn’t extend to sites that instruct them to copy a piece of text and paste it into an unfamiliar window. When the instructions come in emails from a known hotel or at the top of Google results, targets can be further caught off guard.

With many families gathering in the coming weeks for various holiday dinners, ClickFix scams are worth mentioning to those family members who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but they can, in some cases, be bypassed. That means that, for now, awareness is the best countermeasure.



Commercial spyware “Landfall” ran rampant on Samsung phones for almost a year

Before the April 2025 patch, Samsung phones had a vulnerability in their image processing library. This is a zero-click attack because the user doesn’t need to launch anything. When the system processes the malicious image for display, it extracts shared object library files from the ZIP to run the Landfall spyware. The payload also modifies the device’s SELinux policy to give Landfall expanded permissions and access to data.

Landfall flowchart: How Landfall exploits Samsung phones.

Credit: Unit 42

The infected files appear to have been delivered to targets via messaging apps like WhatsApp. Unit 42 notes that Landfall’s code references several specific Samsung phones, including the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Flip 4, and Galaxy Z Fold 4. Once active, Landfall reaches out to a remote server with basic device information. The operators can then extract a wealth of data, like user and hardware IDs, installed apps, contacts, any files stored on the device, and browsing history. It can also activate the camera and microphone to spy on the user.

Removing the spyware is no easy feat, either. Because of its ability to manipulate SELinux policies, it can burrow deeply into the system software. It also includes several tools that help evade detection. Based on the VirusTotal submissions, Unit 42 believes Landfall was active in 2024 and early 2025 in Iraq, Iran, Turkey, and Morocco. The vulnerability may have been present in Samsung’s software from Android 13 through Android 15, the company suggests.

Unit 42 says that several naming schemes and server responses share similarities with industrial spyware developed by big cyber-intelligence firms like NSO Group and Variston. However, they cannot directly tie Landfall to any particular group. While this attack was highly targeted, the details are now in the open, and other threat actors could now employ similar methods to access unpatched devices. Anyone with a supported Samsung phone should make certain they are on the April 2025 patch or later.



Wipers from Russia’s most cut-throat hackers rain destruction on Ukraine

One of the world’s most ruthless and advanced hacking groups, the Russian state-controlled Sandworm, launched a series of destructive cyberattacks in the country’s ongoing war against neighboring Ukraine, researchers reported Thursday.

In April, the group targeted a Ukrainian university with two wipers, a form of malware that aims to permanently destroy sensitive data and often the infrastructure storing it. One wiper, tracked under the name Sting, targeted fleets of Windows computers by scheduling a task named DavaniGulyashaSdeshka, a phrase derived from Russian slang that loosely translates to “eat some goulash,” researchers from ESET said. The other wiper is tracked as Zerlot.

A not-so-common target

Then, in June and September, Sandworm unleashed multiple wiper variants against a host of Ukrainian critical infrastructure targets, including organizations active in government, energy, and logistics. The targets have long been in the crosshairs of Russian hackers. There was, however, a fourth, less common target—organizations in Ukraine’s grain industry.

“Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target,” ESET said. “Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy.”

Wipers have been a favorite tool of Russian hackers since at least 2012, with the spreading of the NotPetya worm. The self-replicating malware originally targeted Ukraine, but eventually caused international chaos when it spread globally in a matter of hours. The worm resulted in tens of billions of dollars in financial damages after it shut down thousands of organizations, many for days or weeks.



How to trade your $214,000 cybersecurity job for a jail cell

According to the FBI, in 2023, Martin took steps to become an “affiliate” of the BlackCat ransomware developers. BlackCat provides full-service malware, offering up modern ransomware code and dark web infrastructure in return for a cut of any money generated by affiliates, who find and hack their own targets. (And yes, sometimes BlackCat devs do scam their own affiliates.)

Martin had seen how this system worked in practice through his job, and he is said to have approached a pair of other people to help him make some easy cash. One of these people was allegedly Ryan Goldberg of Watkinsville, Georgia, who worked as an incident manager at the cybersecurity firm Sygnia. Goldberg told the FBI that Martin had recruited him to “try and ransom some companies.”

In May 2023, the group attacked its first target, a medical company based in Tampa, Florida. The team got the BlackCat software onto the company’s network, where it encrypted corporate data, and demanded a $10 million ransom for the decryption key.

Eventually, the extorted company decided to pay up—though only $1.27 million. The money was paid out in crypto, with a percentage going to the BlackCat devs and the rest split between Martin, Goldberg, and a third, as-yet-unnamed conspirator.

Success was short-lived, though. Throughout 2023, the extortion team allegedly went after a pharma company in Maryland, a doctor’s office, and an engineering firm in California, plus a drone manufacturer in Virginia.

Ransom requests varied widely: $5 million, or $1 million, or even a mere $300,000.

But no one else paid.

By early 2025, an FBI investigation had ramped up, and the Bureau searched Martin’s property in April. Once that happened, Goldberg said that he received a call from the third member of their team, who was “freaking out” about the raid on Martin. In early May, Goldberg searched the web for Martin’s name plus “doj.gov,” apparently looking for news on the investigation.

On June 17, Goldberg, too, was searched and his devices taken. He agreed to talk to agents and initially denied knowing anything about the ransomware attacks, but he eventually confessed his involvement and fingered Martin as the ringleader. Goldberg told agents that he had helped with the attacks to pay off some debts, and he was despondent about the idea of “going to federal prison for the rest of [his] life.”



Musk and Trump both went to Penn—now hacked by someone sympathetic to their cause

Once that information was taken, the hacker sent an email to numerous members of the Penn community. It had the subject line “We got hacked (Action Required),” and it called the school “a dogshit elitist institution full of woke retards.” It went on to claim that the school is “completely unmeritocratic” and that “we hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.”

Sounds political! But the hacker contacted the site Bleeping Computer and said that the real goal was Penn’s “vast, wonderfully wealthy donor database” and that, “while we’re not really politically motivated, we have no love for these nepobaby-serving institutions.” (Among the donors? Elon Musk, who has endowed the Elon Musk Public Lecture at Penn.)

That “denial” of political motivations also sounds pretty political, and there’s precedent for such actions against educational institutions. Columbia University, for instance, was hacked this summer by a “highly sophisticated ‘hacktivist’ who had gained access to private student records in an attempt to further a political agenda,” according to The Associated Press.

It’s always hard to know how much of this “hacktivist” activity is truly motivated private actors, however, as opposed to nation-states disguising their own attempts to steal data and to create political disruption.

In response, Penn has called in the FBI and the private company CrowdStrike, while a Penn alumnus has already sued the school for negligence. Penn workers can look forward to “additional mandatory trainings” to prevent similar breaches in the future.



5 AI-developed malware families analyzed by Google fail to work and are easily detected

The assessments provide a strong counterargument to the exaggerated narratives being trumpeted by AI companies, many seeking new rounds of venture funding, that AI-generated malware is widespread and part of a new paradigm that poses a current threat to traditional defenses.

A typical example is Anthropic, which recently reported its discovery of a threat actor that used its Claude LLM to “develop, market, and distribute several variants of ransomware, each with advanced evasion capabilities, encryption, and anti-recovery mechanisms.” The company went on to say: “Without Claude’s assistance, they could not implement or troubleshoot core malware components, like encryption algorithms, anti-analysis techniques, or Windows internals manipulation.”

Startup ConnectWise recently said that generative AI was “lowering the bar of entry for threat actors to get into the game.” The post cited a separate report from OpenAI that found 20 separate threat actors using its ChatGPT AI engine to develop malware for tasks including identifying vulnerabilities, developing exploit code, and debugging that code. BugCrowd, meanwhile, said that in a survey of self-selected individuals, “74 percent of hackers agree that AI has made hacking more accessible, opening the door for newcomers to join the fold.”

In some cases, the authors of such reports note the same limitations noted in this article. Wednesday’s report from Google says that in its analysis of AI tools used to develop code for managing command-and-control channels and obfuscating its operations “we did not see evidence of successful automation or any breakthrough capabilities.” OpenAI said much the same thing. Still, these disclaimers are rarely made prominently and are often downplayed in the resulting frenzy to portray AI-assisted malware as posing a near-term threat.

Google’s report provides at least one other useful finding. One threat actor that exploited the company’s Gemini AI model was able to bypass its guardrails by posing as white-hat hackers doing research for participation in a capture-the-flag game. These competitive exercises are designed to teach and demonstrate effective cyberattack strategies to both participants and onlookers.

Such guardrails are built into all mainstream LLMs to prevent them from being used maliciously, such as in cyberattacks and self-harm. Google said it has since better fine-tuned the countermeasure to resist such ploys.

Ultimately, the AI-generated malware that has surfaced to date suggests that it’s mostly experimental, and the results aren’t impressive. The events are worth monitoring for developments that show AI tools producing new capabilities that were previously unknown. For now, though, the biggest threats continue to predominantly rely on old-fashioned tactics.



Two Windows vulnerabilities, one a 0-day, are under active exploitation

Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.

The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.

A large-scale, coordinated operation

Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from a bug in the Windows Shortcut binary format. The Windows component makes opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491.

On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit keeps the binary file encrypted with RC4 until the final step in the attack.

“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”



FCC to rescind ruling that said ISPs are required to secure their networks

The Federal Communications Commission will vote in November to repeal a ruling that requires telecom providers to secure their networks, acting on a request from the biggest lobby groups representing Internet providers.

FCC Chairman Brendan Carr said the ruling, adopted in January just before Republicans gained majority control of the commission, “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.” Carr said the vote scheduled for November 20 comes after “extensive FCC engagement with carriers” who have taken “substantial steps… to strengthen their cybersecurity defenses.”

The FCC’s January 2025 declaratory ruling came in response to attacks by China, including the Salt Typhoon infiltration of major telecom providers such as Verizon and AT&T. The Biden-era FCC found that the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law, “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”

“The Commission has previously found that section 105 of CALEA creates an affirmative obligation for a telecommunications carrier to avoid the risk that suppliers of untrusted equipment will ‘illegally activate interceptions or other forms of surveillance within the carrier’s switching premises without its knowledge,’” the January order said. “With this Declaratory Ruling, we clarify that telecommunications carriers’ duties under section 105 of CALEA extend not only to the equipment they choose to use in their networks, but also to how they manage their networks.”

ISPs get what they want

The declaratory ruling was paired with a Notice of Proposed Rulemaking that would have led to stricter rules requiring specific steps to secure networks against unauthorized interception. Carr voted against the decision at the time.

Although the declaratory ruling didn’t yet have specific rules to go along with it, the FCC at the time said it had some teeth. “Even absent rules adopted by the Commission, such as those proposed below, we believe that telecommunications carriers would be unlikely to satisfy their statutory obligations under section 105 without adopting certain basic cybersecurity practices for their communications systems and services,” the January order said. “For example, basic cybersecurity hygiene practices such as implementing role-based access controls, changing default passwords, requiring minimum password strength, and adopting multifactor authentication are necessary for any sensitive computer system. Furthermore, a failure to patch known vulnerabilities or to employ best practices that are known to be necessary in response to identified exploits would appear to fall short of fulfilling this statutory obligation.”



New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel

On-chip TEEs withstand rooted OSes but fall instantly to cheap physical attacks.

Trusted execution environments, or TEEs, are everywhere—in blockchain architectures, virtually every cloud service, and computing involving AI, finance, and defense contractors. It’s hard to overstate the reliance that entire industries have on three TEEs in particular: Confidential Compute from Nvidia, SEV-SNP from AMD, and SGX and TDX from Intel. All three come with assurances that confidential data and sensitive computing can’t be viewed or altered, even if a server has suffered a complete compromise of the operating kernel.

A trio of novel physical attacks raises new questions about the true security offered by these TEEs and the exaggerated promises and misconceptions coming from the big and small players using them.

The most recent attack, released Tuesday, is known as TEE.fail. It defeats the latest TEE protections from all three chipmakers. The low-cost, low-complexity attack works by placing a small piece of hardware between a single physical memory chip and the motherboard slot it plugs into. It also requires the attacker to compromise the operating system kernel. Once this three-minute attack is completed, Confidential Compute, SEV-SNP, and TDX/SGX can no longer be trusted. Unlike the Battering RAM and Wiretap attacks from last month—which worked only against CPUs using DDR4 memory—TEE.fail works against DDR5, allowing it to work against the latest TEEs.

Some terms apply

All three chipmakers exclude physical attacks from threat models for their TEEs, also known as secure enclaves. Instead, assurances are limited to protecting data and execution from viewing or tampering, even when the OS kernel running on the processor has been compromised. None of the chipmakers make these carveouts prominent, and they sometimes provide confusing statements about the TEE protections offered.

Many users of these TEEs make public assertions about the protections that are flat-out wrong, misleading, or unclear. All three chipmakers and many TEE users focus on the suitability of the enclaves for protecting servers on a network edge, which are often located in remote locations, where physical access is a top threat.

“These features keep getting broken, but that doesn’t stop vendors from selling them for these use cases—and people keep believing them and spending time using them,” said HD Moore, a security researcher and the founder and CEO of runZero.

He continued:

Overall, it’s hard for a customer to know what they are getting when they buy confidential computing in the cloud. For on-premise deployments, it may not be obvious that physical attacks (including side channels) are specifically out of scope. This research shows that server-side TEEs are not effective against physical attacks, and even more surprising, Intel and AMD consider these out of scope. If you were expecting TEEs to provide private computing in untrusted data centers, these attacks should change your mind.

Those making these statements run the gamut from cloud providers to AI engines, blockchain platforms, and even the chipmakers themselves. Here are some examples:

  • Cloudflare says it’s using Secure Memory Encryption—the encryption engine driving SEV—to safeguard confidential data from being extracted from a server if it’s stolen.
  • In a post outlining the possibility of using the TEEs to secure confidential information discussed in chat sessions, Anthropic says the enclave “includes protections against physical attacks.”
  • Microsoft marketing (here and here) devotes plenty of ink to discussing TEE protections without ever noting the exclusion.
  • Meta, paraphrasing the Confidential Computing Consortium, says TEE security provides protections against malicious “system administrators, the infrastructure owner, or anyone else with physical access to the hardware.” SEV-SNP is a key pillar supporting the security of Meta’s WhatsApp Messenger.
  • Even Nvidia claims that its TEE security protects against “infrastructure owners such as cloud providers, or anyone with physical access to the servers.”
  • The maker of the Signal private messenger assures users that its use of SGX means that “keys associated with this encryption never leave the underlying CPU, so they’re not accessible to the server owners or anyone else with access to server infrastructure.” Signal has long relied on SGX to protect contact-discovery data.

I counted more than a dozen other organizations providing assurances that were similarly confusing, misleading, or false. Even Moore—a security veteran with more than three decades of experience—told me: “The surprising part to me is that Intel/AMD would blanket-state that physical access is somehow out of scope when it’s the entire point.”

In fairness, some TEE users build additional protections on top of the TEEs provided out of the box. Meta, for example, said in an email that the WhatsApp implementation of SEV-SNP uses protections that would block TEE.fail attackers from impersonating its servers. The company didn’t dispute that TEE.fail could nonetheless pull secrets from the AMD TEE.

The Cloudflare theft protection, meanwhile, relies on SME—the engine driving SEV-SNP encryption. The researchers didn’t directly test SME against TEE.fail. They did note that SME uses deterministic encryption, the cryptographic property that causes all three TEEs to fail. (More about the role of deterministic encryption later.)

Others who misstate the TEEs’ protections provide more accurate descriptions elsewhere. Given all the conflicting information, it’s no wonder there’s confusion.

How do you know where the server is? You don’t.

Many TEE users run their infrastructure inside cloud providers such as AWS, Azure, or Google, where protections against supply-chain and physical attacks are extremely robust. That raises the bar for a TEE.fail-style attack significantly. (Whether the services could be compelled by governments with valid subpoenas to attack their own TEE is not clear.)

All these caveats notwithstanding, there’s often (1) little discussion of the growing viability of cheap, physical attacks, (2) no evidence (yet) that implementations not vulnerable to the three attacks won’t fall to follow-on research, or (3) no way for parties relying on TEEs to know where the servers are running and whether they’re free from physical compromise.

“We don’t know where the hardware is,” Daniel Genkin, one of the researchers behind both TEE.fail and Wiretap, said in an interview. “From a user perspective, I don’t even have a way to verify where the server is. Therefore, I have no way to verify if it’s in a reputable facility or an attacker’s basement.”

In other words, parties relying on attestations from servers in the cloud are once again reduced to simply trusting other people’s computers. As Moore observed, solving that problem is precisely the reason TEEs exist.

In at least two cases, involving the blockchain services Secret Network and Crust, the loss of TEE protections made it possible for any untrusted user to present cryptographic attestations. Both platforms used the attestations to verify that a blockchain node operated by one user couldn’t tamper with the execution or data passing to another user’s nodes. The Wiretap hack on SGX made it possible for users to run the sensitive data and executions outside of the TEE altogether while still providing attestations to the contrary. In the AMD attack, the attacker could decrypt the traffic passing through the TEE.

Both Secret Network and Crust added mitigations after learning of the possible physical attacks with Wiretap and Battering RAM. Given the lack of clear messaging, other TEE users are likely making similar mistakes.

A predetermined weakness

The root cause of all three physical attacks is the choice of deterministic encryption. This form of encryption produces the same ciphertext each time the same plaintext is encrypted with the same key. A TEE.fail attacker can copy ciphertext strings and use them in replay attacks. (Probabilistic encryption, by contrast, resists such attacks because the same plaintext can encrypt to a wide range of ciphertexts that are randomly chosen during the encryption process.)
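To make the replay point concrete, here is an added example that is not part of the original article and does not model any chipmaker's actual memory-encryption engine. It uses an HMAC-SHA256 keystream as a toy cipher (an assumption, chosen so it runs with the standard library) and contrasts two modes: a deterministic one whose tweak is only the memory address, and one whose tweak also carries a per-write version counter bound into an integrity tag. The sample address and plaintexts are constructed.

```python
import hmac
import hashlib
import secrets


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy PRF keystream.

    This stands in for the block cipher a real memory-encryption engine
    uses; it is constructed for this illustration, not any vendor's design.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tweak + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Deterministic mode: the tweak depends only on the memory address -----

def det_encrypt(key: bytes, addr: int, plaintext: bytes) -> bytes:
    """Same key, address and plaintext always give the same ciphertext."""
    return _xor(plaintext, _keystream(key, addr.to_bytes(8, "big"), len(plaintext)))


def det_decrypt(key: bytes, addr: int, ciphertext: bytes) -> bytes:
    # An XOR keystream is its own inverse.
    return det_encrypt(key, addr, ciphertext)


# --- Freshness-bound mode: the tweak also carries a per-write version -----

def fresh_encrypt(key: bytes, addr: int, version: int, plaintext: bytes):
    """Ciphertext changes on every write; a tag binds (addr, version, ct)."""
    tweak = addr.to_bytes(8, "big") + version.to_bytes(8, "big")
    ct = _xor(plaintext, _keystream(key, tweak, len(plaintext)))
    tag = hmac.new(key, b"tag|" + tweak + ct, hashlib.sha256).digest()[:16]
    return ct, tag


def fresh_decrypt(key: bytes, addr: int, expected_version: int, ct: bytes, tag: bytes) -> bytes:
    """Raise if ct/tag were not produced for this address at this version."""
    tweak = addr.to_bytes(8, "big") + expected_version.to_bytes(8, "big")
    want = hmac.new(key, b"tag|" + tweak + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("stale or tampered ciphertext (replay detected)")
    return _xor(ct, _keystream(key, tweak, len(ct)))


def encryption_demo(key: bytes = None) -> dict:
    """Run both modes on constructed sample data and report what happened."""
    key = key or secrets.token_bytes(32)
    addr = 0x1000                      # constructed: one 16-byte memory line
    old = b"balance=100     "          # constructed plaintext, 16 bytes
    new = b"balance=000     "

    # 1. Equal plaintexts at the same address leak as equal ciphertexts.
    same_ct = det_encrypt(key, addr, old) == det_encrypt(key, addr, old)

    # 2. Replay: an interposer records the ciphertext of `old`, the enclave
    #    later writes `new`, the interposer writes the recording back, and
    #    the enclave decrypts it as `old` without noticing.
    recorded = det_encrypt(key, addr, old)
    det_encrypt(key, addr, new)        # the newer write, later overwritten
    det_replay = det_decrypt(key, addr, recorded)

    # 3. With a version counter in the tweak the same plaintext no longer
    #    repeats, and writing back the old ciphertext fails the tag check.
    ct_v1, tag_v1 = fresh_encrypt(key, addr, 1, old)
    ct_v2, _ = fresh_encrypt(key, addr, 2, old)
    try:
        fresh_decrypt(key, addr, 2, ct_v1, tag_v1)
        replay_detected = False
    except ValueError:
        replay_detected = True

    return {
        "deterministic_ciphertext_repeats": same_ct,
        "deterministic_replay_yields_old": det_replay == old,
        "versioned_ciphertext_repeats": ct_v1 == ct_v2,
        "versioned_replay_detected": replay_detected,
    }


if __name__ == "__main__":
    for name, value in encryption_demo().items():
        print(f"{name}: {value}")
```

The first two results are the property the article describes: identical plaintext at the same location yields identical ciphertext, so a recorded ciphertext can be written back later and still decrypts. The last two show why non-repeating ciphertext matters: once freshness is part of the encryption and the tag, the trusted side notices that the line it reads is not the one it last wrote.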

TEE.fail works not only against SGX but also a more advanced Intel TEE known as TDX. The attack also defeats the protections provided by the latest Nvidia Confidential Compute and AMD SEV-SNP TEEs. Attacks against TDX and SGX can extract the Attestation Key, an ECDSA secret that certifies to a remote party that it’s running up-to-date software and can’t expose data or execution running inside the enclave. This Attestation Key is in turn signed by an Intel X.509 digital certificate providing cryptographic assurances that the ECDSA key can be trusted. TEE.fail works against all Intel CPUs currently supporting TDX and SGX.

With possession of the key, the attacker can use the compromised server to peer into data or tamper with the code flowing through the enclave and send the relying party an assurance that the device is secure. With this key, even CPUs built by other chipmakers can send an attestation that the hardware is protected by the Intel TEEs.

GPUs equipped with Nvidia Confidential Compute don’t bind attestation reports to the specific virtual machine protected by a specific GPU. TEE.fail exploits this weakness by “borrowing” a valid attestation report from a GPU run by the attacker and using it to impersonate the GPU running Confidential Compute. The protection is available on Nvidia’s H100/200 and B100/200 server GPUs.

“This means that we can convince users that their applications (think private chats with LLMs or Large Language Models) are being protected inside the GPU’s TEE while in fact it is running in the clear,” the researchers wrote on a website detailing the attack. “As the attestation report is ‘borrowed,’ we don’t even own a GPU to begin with.”

SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) uses ciphertext hiding in AMD’s EPYC CPUs based on the Zen 5 architecture. AMD added it to prevent a previous attack known as Cipherleaks, which allowed malicious hypervisors to extract cryptographic keys stored in the enclaves of a virtual machine. Ciphertext hiding, however, doesn’t stop physical attacks. By reopening the side channel that Cipherleaks relies on, TEE.fail can steal OpenSSL credentials and other key material even when it is handled by constant-time code.

Cheap, quick, and the size of a briefcase

“Now that we have interpositioned DDR5 traffic, our work shows that even the most modern of TEEs across all vendors with available hardware is vulnerable to cheap physical attacks,” Genkin said.

The equipment required by TEE.fail is off-the-shelf gear that costs less than $1,000. One of the devices the researchers built fits into a 17-inch briefcase, so it can be smuggled into a facility housing a TEE-protected server. Once the physical attack is performed, the device does not need to be connected again. Attackers breaking TEEs on servers they operate have no need for stealth, allowing them to use a larger device, which the researchers also built.

A logic analyzer attached to an interposer.

The researchers demonstrated attacks against an array of services that rely on the chipmakers’ TEE protections. (For ethical reasons, the attacks were carried out against infrastructure that was identical to but separate from the targets’ networks.) The targets included BuilderNet, dstack, and Secret Network.

BuilderNet is a network of Ethereum block builders that uses TDX to prevent parties from snooping on others’ data and to ensure fairness and that proof currency is redistributed honestly. The network builds blocks valued at millions of dollars each month.

“We demonstrated that a malicious operator with an attestation key could join BuilderNet and obtain configuration secrets, including the ability to decrypt confidential orderflow and access the Ethereum wallet for paying validators,” the TEE.fail website explained. “Additionally, a malicious operator could build arbitrary blocks or frontrun (i.e., construct a new transaction with higher fees to ensure theirs is executed first) the confidential transactions for profit while still providing deniability.”

To date, the researchers said, BuilderNet hasn’t provided mitigations. Attempts to reach BuilderNet officials were unsuccessful.

dstack is a tool for building confidential applications that run on top of virtual machines protected by Nvidia Confidential Compute. The researchers used TEE.fail to forge attestations certifying that a workload was performed inside TDX using the Nvidia protection. They also used the “borrowed” attestations to fake ownership of GPUs that a relying party trusts.

Secret Network is a platform billing itself as the “first mainnet blockchain with privacy-preserving smart contracts,” in part by encrypting on-chain data and execution with SGX. The researchers showed that TEE.fail could extract the “Consensus Seed,” the primary network-side private key encrypting confidential transactions on the Secret Network. As noted, after learning of Wiretap, the Secret Network eliminated this possibility by establishing a “curated” allowlist of known, trusted nodes allowed on the network and suspended the acceptance of new nodes. Academic or not, the ability to replicate the attack using TEE.fail shows that Wiretap wasn’t a one-off success.

A tough nut to crack

As explained earlier, the root cause of all the TEE.fail attacks is deterministic encryption, which forms the basis for protections in all three chipmakers’ TEEs. This weaker form of encryption wasn’t always used in TEEs. When Intel initially rolled out SGX, the feature was put in client CPUs, not server ones, to prevent users from building devices that could extract copyrighted content such as high-definition video.

Those early versions encrypted no more than 256MB of RAM, a small enough space to use the much stronger probabilistic form of encryption. The TEEs built into server chips, by contrast, must often encrypt terabytes of RAM. Probabilistic encryption doesn’t scale to that size without serious performance penalties. Finding a solution that accommodates this overhead won’t be easy.

One mitigation over the short term is to ensure that each 128-bit block of ciphertext has sufficient entropy. Adding random plaintext to the blocks prevents ciphertext repetition. The researchers say the entropy can be added by building a custom memory layout that inserts a 64-bit counter with a random initial value into each 64-bit block before encrypting it.
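The following Python is an added illustration, not code from the TEE.fail researchers or any chipmaker, of the deterministic-encryption weakness described under “A predetermined weakness” and of the counter-per-block layout proposed above as a mitigation. The block cipher is a toy HMAC-based Feistel stand-in for the real memory-encryption engine, and the memory image is constructed; the counter layout doubles the memory footprint, which is the overhead the article refers to.

```python
import hashlib
import hmac
import os
from typing import List, Optional

BLOCK = 16               # 128-bit memory-encryption block, the granularity the article cites
MASK64 = (1 << 64) - 1   # 64-bit counter wraps around


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function; a toy stand-in, not the AES-based ciphers real TEEs use
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic 128-bit keyed permutation (4-round Feistel): same key and
    same plaintext block always yield the same ciphertext block."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def prp_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of prp_encrypt: run the Feistel rounds backwards."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


def encrypt_deterministic(key: bytes, memory: bytes) -> List[bytes]:
    """The weak scheme: each 128-bit block encrypted on its own, so equal plaintext
    blocks produce equal, replayable ciphertext blocks."""
    assert len(memory) % BLOCK == 0
    return [prp_encrypt(key, memory[i:i + BLOCK]) for i in range(0, len(memory), BLOCK)]


def encrypt_with_counter(key: bytes, memory: bytes, start: Optional[int] = None) -> List[bytes]:
    """Mitigation sketched in the article: pair each 64-bit word with a 64-bit counter
    (random initial value, incremented per block) inside the 128-bit block, so two
    equal words never share a ciphertext. Costs 2x memory."""
    assert len(memory) % 8 == 0
    ctr = int.from_bytes(os.urandom(8), "big") if start is None else start
    out = []
    for n, i in enumerate(range(0, len(memory), 8)):
        tag = ((ctr + n) & MASK64).to_bytes(8, "big")
        out.append(prp_encrypt(key, memory[i:i + 8] + tag))
    return out


def decrypt_with_counter(key: bytes, blocks: List[bytes]) -> bytes:
    """Recover the data words; the counter halves are discarded after decryption."""
    return b"".join(prp_decrypt(key, b)[:8] for b in blocks)


def repeated_ciphertext_blocks(blocks: List[bytes]) -> int:
    """What a passive observer on the memory bus can count without the key:
    repeated ciphertexts, which reveal equal plaintext and enable replay."""
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = os.urandom(16)
    # Constructed memory image: zero-filled blocks interleaved with a repeated secret
    memory = (b"\x00" * 16 + b"SECRET-WORD-0001") * 4
    det = encrypt_deterministic(key, memory)
    ctr = encrypt_with_counter(key, memory)
    print("deterministic repeats:", repeated_ciphertext_blocks(det))   # 6 of 8 blocks
    print("counter-layout repeats:", repeated_ciphertext_blocks(ctr))  # 0 of 16 blocks
    assert decrypt_with_counter(key, ctr) == memory
```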

The last countermeasure the researchers proposed is adding location verification to the attestation mechanism. While insider and supply chain attacks remain a possibility inside even the most reputable cloud services, strict policies make them much less feasible. Even those mitigations, however, don’t foreclose the threat of a government agency with a valid subpoena ordering an organization to run such an attack inside their network.

In a statement, Nvidia said:

NVIDIA is aware of this research. Physical controls in addition to trust controls such as those provided by Intel TDX reduce the risk to GPUs for this style of attack, based on our discussions with the researchers. We will provide further details once the research is published.

Intel spokesman Jerry Bryant said:

Fully addressing physical attacks on memory by adding more comprehensive confidentiality, integrity and anti-replay protection results in significant trade-offs to Total Cost of Ownership. Intel continues to innovate in this area to find acceptable solutions that offer better balance between protections and TCO trade-offs.

The company has published responses here and here reiterating that physical attacks are out of scope for both TDX and SGX.

AMD didn’t respond to a request for comment.

Stuck on Band-Aids

For now, TEE.fail, Wiretap, and Battering RAM remain a persistent threat that isn’t solved with the use of default implementations of the chipmakers’ secure enclaves. The most effective mitigation for the time being is for TEE users to understand the limitations and curb uses that the chipmakers say aren’t a part of the TEE threat model. Secret Network tightening requirements for operators joining the network is an example of such a mitigation.

Moore, the founder and CEO of RunZero, said that companies with big budgets can rely on custom solutions built by larger cloud services. AWS, for example, makes use of the Nitro Card, which is built using ASIC chips that accelerate processing using TEEs. Google’s proprietary answer is Titanium.

“It’s a really hard problem,” Moore said. “I’m not sure what the current state of the art is, but if you can’t afford custom hardware, the best you can do is rely on the CPU provider’s TEE, and this research shows how weak this is from the perspective of an attacker with physical access. The enclave is really a Band-Aid or hardening mechanism over a really difficult problem, and it’s both imperfect and dangerous if compromised, for all sorts of reasons.”


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.


This browser claims “perfect privacies protection,” but it acts like malware


Researchers note links to Asia’s booming cybercrime and illegal gambling networks.

This looks like a 100 percent above-board product, right? Right? Credit: Ars Technica

The Universe Browser makes some big promises to its potential users. Its online advertisements claim it’s the “fastest browser,” that people using it will “avoid privacy leaks” and that the software will help “keep you away from danger.” However, everything likely isn’t as it seems.

The browser, which is linked to Chinese online gambling websites and is thought to have been downloaded millions of times, actually routes all Internet traffic through servers in China and “covertly installs several programs that run silently in the background,” according to new findings from network security company Infoblox. The researchers say the “hidden” elements include features similar to malware—including “key logging, surreptitious connections,” and changing a device’s network connections.

Perhaps most significantly, the Infoblox researchers, who collaborated with the United Nations Office on Drugs and Crime (UNODC) on the work, found links between the browser’s operation and Southeast Asia’s sprawling, multibillion-dollar cybercrime ecosystem, which has connections to money laundering, illegal online gambling, human trafficking, and scam operations that use forced labor. The browser itself, the researchers say, is directly linked to a network around major online gambling company BBIN, which the researchers have labeled a threat group they call Vault Viper.

The researchers say the discovery of the browser—plus its suspicious and risky behavior—indicates that criminals in the region are becoming increasingly sophisticated. “These criminal groups, particularly Chinese organized crime syndicates, are increasingly diversifying and evolving into cyber-enabled fraud, pig butchering, impersonation, scams, that whole ecosystem,” says John Wojcik, a senior threat researcher at Infoblox, who also worked on the project when he was a staff member at the UNODC.

“They’re going to continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and concerning, and this is one example of where we see that.”

Under the hood

The Universe Browser was first spotted—and mentioned by name—by Infoblox and UNODC at the start of this year when they began unpacking the digital systems around an online casino operation based in Cambodia, which was previously raided by law enforcement officials. Infoblox, which specializes in domain name system (DNS) management and security, detected a unique DNS fingerprint from those systems that they linked to Vault Viper, making it possible for the researchers to trace and map websites and infrastructure linked to the group.

Tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper activity, Infoblox researchers say in a report shared with WIRED. They also say they examined hundreds of pages of corporate documents, legal records, and court filings with links to BBIN or other subsidiaries. Time and time again, they came across the Universe Browser online.

“We haven’t seen the Universe Browser advertised outside of the domains Vault Viper controls,” says Maël Le Touz, a threat researcher at Infoblox. The Infoblox report says the browser was “specifically” designed to help people in Asia—where online gambling is largely illegal—bypass restrictions. “Each of the casino websites they operate seems to contain a link and advertisement to it,” Le Touz says.

The Universe Browser itself is mostly offered for direct download from these casino websites—often being linked at the bottom of the websites, next to the logo of BBIN. There are desktop versions available for Windows, as well as an app version in Apple’s App Store. And while it is not in Google’s Play Store, there are Android APK files that allow the app to be directly installed on Android phones. The researchers say multiple parts of the Universe Browser and the code for its apps reference BBIN, and other technical details also reference the company.

The researchers reverse-engineered the Windows version of the browser. They say that while they have been unable to “verify malicious intent,” the elements of the browser they uncovered include many features similar to those found in malware, and the browser tries to evade detection by antivirus tools. When the browser is launched, it “immediately” checks for the user’s location, language, and whether it is running in a virtual machine. The app also installs two browser extensions, one of which can allow screenshots to be uploaded to domains linked to the browser.

While online gambling in China is largely illegal, the country also runs some of the world’s strictest online censorship operations and has taken action against illegal gambling rings. While the browser may most often be used by those trying to take part in illegal gambling, it also puts their data at risk, the researchers say. “In the hands of a malicious actor—a Triad for example—this browser would serve as the perfect tool to identify wealthy players and obtain access to their machine,” the Infoblox report says.

Beyond connecting to China, running key logging, and other programs that run in the background, Infoblox’s report also says multiple functions have been disabled. “The right click, settings access and developer tools, for instance, have all been removed, while the browser itself is run with several flags disabling major security features including sandboxing, and the removal of legacy SSL protocols, greatly increasing risk when compared with typical mainstream browsers,” the company’s report says. (SSL, also known as Secure Sockets Layer, is a historic type of web encryption that protected some data transfers.)

It is unclear whether these same suspicious behaviors are present in the iOS and Android versions of the app. A Google spokesperson says the company is looking into the app and confirmed it was not available through its Google Play store. Apple did not respond to requests for comment about the app.

Connect the dots

The web infrastructure around the Universe Browser led the researchers back to BBIN, a company that has existed since 1999. While it was originally founded in Taiwan, the company now has a large base in the Philippines.

BBIN, which also goes by the name Baoying Group and has multiple subsidiaries, describes itself as a “leading” supplier of iGaming software in Asia. A UNODC report from April, which links BBIN to the Universe Browser but does not formally name the company as Vault Viper, says the firm runs several hotels and casinos in Southeast Asia as well as providing “one of the largest and most successful” iGaming platforms in the region. Over the last decade, BBIN has sponsored or partnered with multiple major European soccer teams, such as Spain’s Atlético de Madrid, Germany’s Borussia Dortmund, and Dutch team AFC Ajax.

In recent years, multiple football clubs in England’s Premier League have faced scrutiny over sponsorship by Asian gambling companies—including by TGP Europe, which was owned by Alvin Chau, the chairman and founder of SunCity Group, who was sentenced in January 2023 to 18 years in prison after being found guilty of running illegal gambling operations. TGP Europe left the UK earlier this year after being fined by the country’s gambling regulator. Atlético Madrid, Borussia Dortmund, and AFC Ajax did not respond to WIRED requests for comment.

The iGaming industry develops online gambling software, such as virtual poker or other online casino games, that can easily be played on the web or on phones. “BBIN Baoying is officially an online casino game developer or ‘white label’ online casino platform, meaning it outsources its online gambling technology to other sites,” says Lindsey Kennedy, research director at The EyeWitness Project, which investigates corruption and organized crime. “The only languages it offers are Korean, Japanese, and Chinese, which isn’t a great sign as online gambling is either banned or heavily restricted in all three countries.”

“Baoying and BBIN are what I would call a multi-billion dollar gray-area international conglomerate with deep criminal connections, backstopping and providing services to online gambling businesses, scams and cybercrime actors,” alleges Jeremy Douglas, chief of staff at the UNODC and its former regional representative for Southeast Asia. “Aside from what has been estimated at a two-thirds ownership by Alvin Chau of SunCity—arguably the biggest money launderer in the history of Asia—law enforcement partners have documented direct connections with Triad groups including the Bamboo Union, Four Seas, Tian Dao,” Douglas says of BBIN. (When Chau was sentenced in January 2023, court documents pointed to him allegedly owning a 66.67 percent share of Baoying).

BBIN did not respond to multiple requests for comment from WIRED. The firm’s primary contact email address it lists on its website bounced back, while questions sent to another email address and online contact forms, plus attempts to contact two alleged staff members on LinkedIn were not answered by the time of publication. A company Telegram account pointed WIRED to one of the contact forms that did not provide any answers.

The Presidential Anti-Organized Crime Commission (PAOCC) in the Philippines, which tackles organized and international crimes, did not respond to a request for comment from WIRED about BBIN.

Over the last decade, online crime in Southeast Asia has massively surged, driven partially by illegal online gambling and also by a series of scam compounds that have been set up across Myanmar, Laos, and Cambodia. Hundreds of thousands of people from more than 60 countries have been tricked into working in these compounds, where they operate scams day and night, stealing billions of dollars from people around the world.

“Scam parks and compounds across the region generally host both online gambling and online scam operations, and the methodology used to lure individuals into opening online gambling accounts parallels that associated with pig-butchering scams,” says Jason Tower, a senior expert at the Global Initiative Against Transnational Organized Crime.

Last week, US law enforcement seized $15 billion in Bitcoin from one giant Cambodian organization, which publicly dealt in real estate but allegedly ran scam facilities in “secret.” One of the sanctioned entities, the Jin Bei Group in Cambodia, which US authorities accused of operating a series of scam compounds, also shows links to BBIN’s technology, Tower says. “There are multiple Telegram groups and casino websites indicating that BBIN partners with multiple entities inside the Jinbei casino,” Tower says, adding that one group on Telegram “posts daily advertisements indicating an official partnership between Jinbei and BBIN.”

Over recent years, multiple government press releases and news reports from countries including China and Taiwan have alleged that BBIN’s technology has been used within illegal gambling operations and linked to cybercrime. “There are hundreds of Telegram posts aggressively advertising various illegal Chinese-facing gambling sites that say they either are, or are built on, BBIN/Baoying technology, many of them by individuals claiming to operate out of scam and illegal gambling compounds, or as part of the highly illegal, trafficking-driven industry in Cambodia and Northern Myanmar,” says Kennedy from The EyeWitness Project.

While the Universe Browser has most likely been downloaded by those accessing Chinese-language gambling websites, researchers say that its development indicates how pivotal and lucrative illegal online gambling operations are and exposes their links to scamming efforts that operate across the world. “As these operations continue to scale and diversify, they are marked by growing technical expertise, professionalization, operational resilience, and the ability to function under the radar with very limited scrutiny and oversight,” Infoblox’s report concludes.

This story originally appeared on wired.com.


Jaguar Land Rover looking at $2.5 billion price tag from crippling cyberattack

The CMC estimated in June that the financial impact of the attacks on the two retailers was between £270 million and £440 million.

The investigation into the JLR attack is being led by the National Crime Agency but few details have emerged on who was behind the incident. The CMC estimate did not include assumptions about whether JLR had paid a ransom or not.

Martin said companies tended to focus their resources on protecting themselves against data breaches since they have a legal obligation to protect customer data.

But cases like JLR underscore the increasing risks of attackers not just stealing data but destroying critical networks supporting a company’s operations, and the high costs associated with such attacks.

While state actors have not been behind recent attacks on M&S and other retailers, Martin warned that there was an increasing “geopolitical vulnerability” and risk that hostile nation states could attack UK businesses for non-financial reasons.

“It is now clear not just that criminal disruptive attacks are the worst problem in cybersecurity right now, but they’re a playbook to hostile nation states on how to attack us,” Martin said at a separate speech in London on Wednesday. “So cybersecurity has become economic security. And economic security is national security.”

Last week, the UK National Cyber Security Centre also warned that state actors continued to pose “a significant threat” to Britain and global cyber security, citing the risks posed by China, Russia, and others.

According to an annual review by NCSC, the UK had suffered 204 “nationally significant [cyber] incidents” in the 12 months to August 2025, compared with 89 in the same period a year earlier.

The term is used to describe the three most serious types of incidents as defined by UK law enforcement.

© 2025 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.
