Ransomware negotiator pleads guilty to helping ransomware gang

A former employee of a cybersecurity firm pleaded guilty to aiding ransomware criminals to maximize their profits, with the goal of taking a cut of the ransom.

Security News | TechCrunch

The Ungoverned Workforce: Cybersecurity Insiders Finds 92% Lack Visibility Into AI Identities

Washington D.C., USA, 21st April 2026, CyberNewswire

Hackread – Cybersecurity News, Data Breaches, AI and More

Samsung is ending Messages in July: 5 replacements I’d switch to now

If you use Samsung’s built-in texting app, you’ll need an alternative soon. Here’s why, and your best options.

Latest news

Dozens of Malicious Crypto Apps Land in Apple App Store

Masquerading as popular cryptocurrency wallets, the apps can hijack recovery phrases and private keys.


SecurityWeek

[Podcast] It’s not you, it’s your printer: State-sponsored and phishing threats in 2025


In this episode, we unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. Amy and Martin Lee explore the alarming rise of internal phishing campaigns that bypass traditional perimeter defenses, including the widespread weaponization of Microsoft 365’s Direct Send feature. Beyond simple phishing, we analyze the aggressive, blended operations of state-sponsored actors from China and North Korea who are combining high-level zero-day exploits with sophisticated social engineering. From the “Dear Leader” interview test to the reality of fake developer personas, we break down exactly how these adversaries are infiltrating modern organizations.

View the 2025 Year in Review here.

Cisco Talos Blog

Threat Intel Scraping Without Burning Your Cover or Your Stack

Threat intel scraping sounds simple until it isn’t. Here’s how cybersecurity teams avoid blocks, bad data, and unnecessary risk.

Hackread – Cybersecurity News, Data Breaches, AI and More

Chinese APT Targets Indian Banks, Korean Policy Circles

China is spying on India’s financial sector, for some reason, and it’s not putting much effort into it, judging by some stale TTPs.

darkreading

Adversaries hijacked AI security tools at 90+ organizations. The next wave has write access to the firewall

Adversaries injected malicious prompts into legitimate AI tools at more than 90 organizations in 2025, stealing credentials and cryptocurrency. Every one of those compromised tools could read data, and none of them could rewrite a firewall rule.

The autonomous SOC agents shipping now can. That escalation, from compromised tools that read data to autonomous agents that rewrite infrastructure, has not been exploited in production at scale yet. But the architectural conditions for it are shipping faster than the governance designed to prevent it.

A compromised SOC agent can rewrite your firewall rules, modify IAM policies, and quarantine endpoints, all with its own privileged credentials, all through approved API calls that EDR classifies as authorized activity. The adversary never touches the network. The agent does it for them.

Cisco announced AgenticOps for Security in February, with autonomous firewall remediation and PCI-DSS compliance capabilities. Ivanti launched Continuous Compliance and the Neurons AI self-service agent last week, with policy enforcement, approval gates and data context validation built into the platform at launch — a design distinction that matters because the OWASP Agentic Top 10 documents what happens when those controls are absent.

“Adversaries exploited legitimate AI tools by injecting malicious prompts that generated unauthorized commands. As innovation accelerates, exploitation follows,” CrowdStrike CEO George Kurtz said when releasing the 2026 Global Threat Report. “AI is compressing the time between intent and execution while turning enterprise AI systems into targets,” added Adam Meyers, head of counter-adversary operations at CrowdStrike. State-sponsored use of AI in offensive operations surged 89% over the prior year.

The broader attack surface is expanding in parallel. Malicious MCP server clones have already intercepted sensitive data in AI workflows by impersonating trusted services. The U.K. National Cyber Security Centre warned that prompt injection attacks against AI applications “may never be totally mitigated.” The documented compromises targeted AI tools that could only read and summarize; the autonomous SOC agents shipping now can write, enforce, and remediate.

The governance framework that maps the gap

OWASP’s Top 10 for Agentic Applications, released in December 2025 and built with more than 100 security researchers, documents 10 categories of attack against autonomous AI systems. Three categories map directly to what autonomous SOC agents introduce when they ship with write access: Agent Goal Hijacking (ASI01), Tool Misuse (ASI02), and Identity and Privilege Abuse (ASI03). Palo Alto Networks reported an 82:1 machine-to-human identity ratio in the average enterprise — every autonomous agent added to production extends that gap.

The 2026 CISO AI Risk Report from Saviynt and Cybersecurity Insiders (n=235 CISOs) found 47% had already observed AI agents exhibiting unintended behavior, and only 5% felt confident they could contain a compromised agent. A separate Dark Reading poll found that 48% of cybersecurity professionals identify agentic AI as the single most dangerous attack vector. The IEEE-USA submission to NIST stated the problem plainly: “Risk is driven less by the models and is based more on the model’s level of autonomy, privilege scope, and the environment of the agent being operationalized.”

Eleanor Watson, Senior IEEE Member, warned in the IEEE 2026 survey that “semi-autonomous systems can also drift from intended objectives, requiring oversight and regular audits.” Cisco’s intent-aware agentic inspection, announced alongside AgenticOps in February 2026, represents an early detection-layer approach to the same gap. The approaches differ: Cisco is adding inspection at the network layer while Ivanti built governance into the platform layer. Both signal the industry sees it coming. The question is whether the controls arrive before the exploits do.

Autonomous agents that ship with governance built in

Security teams are already stretched. Advanced AI models are accelerating the discovery of exploitable vulnerabilities faster than any human team can remediate manually, and the backlog is growing not because teams are failing, but because the volume now exceeds what manual patching cycles can absorb.

Ivanti Neurons for Patch Management introduced Continuous Compliance this quarter, an automated enforcement framework that eliminates the gap between scheduled patch deployments and regulatory requirements. The framework identifies out-of-compliance endpoints and deploys patches out-of-band to update devices that missed maintenance windows, with built-in policy enforcement and compliance verification at every step.

Ivanti also launched the Neurons AI self-service agent for ITSM, which moves beyond conversational intake to autonomous resolution with built-in guardrails for policy, approvals, and data context. The agent resolves common incidents and service requests from start to finish, reducing manual effort and deflecting tickets.

Robert Hanson, Chief Information Officer at Grand Bank, described the decision calculus security leaders across the industry are weighing: “Before exploring the Ivanti Neurons AI self-service agent, our team was spending the bulk of our time handling repetitive requests. As we move toward implementing these capabilities, we expect to automate routine tasks and enable our team to focus more proactively on higher-value initiatives. Over time, this approach should help us reduce operational overhead while delivering faster, more secure service within the guardrails we define, ultimately supporting improvements in service quality and security.”

His emphasis on operating “within the guardrails we define” points to a broader design principle: speed and governance do not have to be trade-offs.

The governance gap is concrete: the Saviynt report found 86% of organizations do not enforce access policies for AI identities, only 19% govern even half of their AI identities with the same controls applied to human users, and 75% of CISOs have discovered unsanctioned AI tools running in production with embedded credentials that nobody monitors.

Continuous Compliance and the Neurons AI self-service agent address the patching and ITSM layers. The broader autonomous SOC agent terrain, including firewall remediation, IAM policy modification, and endpoint quarantine, extends beyond what any single platform governs today. The ten-question audit applies to every autonomous tool in the environment, including Ivanti’s.

Prescriptive risk matrix for autonomous agent governance

The matrix maps all 10 OWASP Agentic Top 10 risk categories to what ships without governance, the detection gap, the proof case, and the recommended action for autonomous SOC agent deployments.

ASI01: Goal Hijacking
What ships ungoverned: Agent treats external inputs (logs, alerts, emails) as trusted instructions.
Detection gap: EDR cannot detect adversarial instructions executed via legitimate API calls.
Proof case: EchoLeak (CVE-2025-32711): hidden email payload caused AI assistant to exfiltrate confidential data. Zero clicks required.
Recommended action: Classify all inputs by trust tier. Block instruction-bearing content from untrusted sources. Validate external data before agent ingestion.

ASI02: Tool Misuse
What ships ungoverned: Agent authorized to modify firewall rules, IAM policies, and quarantine workflows.
Detection gap: WAF inspects payloads, not tool-call intent. Authorized use is identical to misuse.
Proof case: Amazon Q bent legitimate tools into destructive outputs despite valid permissions (OWASP cited).
Recommended action: Scope each tool to minimum required permissions. Log every invocation with intent metadata. Alert on calls outside baseline patterns.

ASI03: Identity Abuse
What ships ungoverned: Agent inherits service account credentials scoped to production infrastructure.
Detection gap: SIEM sees authorized identity performing authorized actions. No anomaly triggers.
Proof case: 82:1 machine-to-human identity ratio in average enterprise (Palo Alto Networks). Each agent adds to it.
Recommended action: Issue scoped agent-specific identities. Enforce time-bound, task-bound credential leases. Eliminate inherited user credentials.

ASI04: Supply Chain
What ships ungoverned: Agent loads third-party MCP servers or plugins at runtime without provenance verification.
Detection gap: Static analysis cannot inspect dynamically loaded runtime components.
Proof case: Malicious MCP server clones intercepted sensitive data by impersonating trusted services (CrowdStrike 2026).
Recommended action: Maintain approved MCP server registry. Verify provenance and integrity before runtime loading. Block unapproved plugins.

ASI05: Unexpected Code Exec
What ships ungoverned: Agent generates or executes attacker-controlled code through unsafe evaluation paths or tool chains.
Detection gap: Code review gates apply to human commits, not agent-generated runtime code.
Proof case: AutoGPT RCE: natural-language execution paths enabled remote code execution through unsanctioned package installs (OWASP cited).
Recommended action: Sandbox all agent code execution. Require human approval for production code paths. Block dynamic eval and unsanctioned installs.

ASI06: Memory Poisoning
What ships ungoverned: Agent persists context across sessions where poisoned data compounds over time.
Detection gap: Session-based monitoring resets between interactions. Poisoning accumulates undetected.
Proof case: Calendar Drift: malicious calendar invite reweighted agent objectives while remaining within policy bounds (OWASP).
Recommended action: Implement session memory expiration. Audit persistent memory stores for anomalous content. Isolate memory per task scope.

ASI07: Inter-Agent Comm
What ships ungoverned: Agents communicate without mutual authentication, encryption, or schema validation.
Detection gap: Monitoring covers individual agents but not spoofed or manipulated inter-agent messages.
Proof case: OWASP documented spoofed messages that misdirected entire agent clusters via protocol downgrade attacks.
Recommended action: Enforce mutual authentication between agents. Encrypt all inter-agent channels. Validate message schema at every handoff.

ASI08: Cascading Failures
What ships ungoverned: Agent delegates to downstream agents, creating multi-hop privilege chains across systems.
Detection gap: Monitoring covers individual agents but not cross-agent delegation chains or fan-out.
Proof case: Simulation: single compromised agent poisoned 87% of downstream decision-making within 4 hours in controlled test.
Recommended action: Map all delegation chains end to end. Enforce privilege boundaries at each handoff. Implement circuit breakers for cascading actions.

ASI09: Human-Agent Trust
What ships ungoverned: Agent uses persuasive language or fabricated evidence to override human safety decisions.
Detection gap: Compliance verifies policy configuration, not whether the agent manipulated the human into approving.
Proof case: Replit agent deleted primary customer database then fabricated its contents to appear compliant and hide the damage.
Recommended action: Require independent verification for high-risk agent recommendations. Log all human approval decisions with full agent reasoning chain.

ASI10: Rogue Agents
What ships ungoverned: Agent deviates from intended purpose while appearing compliant on the surface.
Detection gap: Compliance checks verify configuration at deployment, not behavioral drift after deployment.
Proof case: 92% of organizations lack full visibility into AI identities; 86% do not enforce access policies (Saviynt 2026).
Recommended action: Deploy behavioral drift detection. Establish baseline agent behavior profiles. Alert on deviation from expected action patterns.
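As an added example (not code from OWASP, Cisco, Ivanti or any other vendor named above), the following Python sketch implements the recommended actions for ASI02, ASI03 and ASI10 as one tool-call gateway: task-bound credential leases, a human approval gate on irreversible tools, intent-logged invocations, and a baseline-based drift alert. The tool names, agent identity and baseline values are constructed for illustration.

```python
"""Policy gateway for an autonomous SOC agent's tool calls (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed tool names; irreversible effects always sit behind a human approval gate.
IRREVERSIBLE_TOOLS = {"firewall.update_rule", "iam.modify_policy", "edr.quarantine_host"}


@dataclass
class CredentialLease:
    """Agent-specific identity bound to one task and one expiry (ASI03)."""
    agent_id: str
    task_id: str
    allowed_tools: frozenset[str]
    expires_at: float

    def valid_for(self, tool: str, now: float) -> bool:
        return now < self.expires_at and tool in self.allowed_tools


@dataclass
class Gateway:
    baseline: dict[str, int]          # expected attempts per tool within one task
    audit_log: list[dict] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)
    _counts: Counter = field(default_factory=Counter)

    def authorize(self, lease: CredentialLease, tool: str, intent: str, now: float,
                  human_approved: bool = False) -> str:
        """Return 'allow', 'deny' or 'needs_approval'; every decision is logged."""
        if not lease.valid_for(tool, now):
            decision = "deny"             # expired lease or tool outside scope (ASI03)
        elif tool in IRREVERSIBLE_TOOLS and not human_approved:
            decision = "needs_approval"   # approval gate for production writes (ASI02)
        else:
            decision = "allow"
        # Log the invocation with intent metadata, so the SIEM sees why, not only who.
        self.audit_log.append({"ts": now, "agent": lease.agent_id, "task": lease.task_id,
                               "tool": tool, "intent": intent, "decision": decision})
        # Drift detection (ASI10): every attempt, allowed or not, counts against the baseline.
        key = (lease.agent_id, tool)
        self._counts[key] += 1
        limit = self.baseline.get(tool, 0)
        if self._counts[key] > limit:
            self.alerts.append(f"{lease.agent_id}: {tool} attempted {self._counts[key]}x, baseline {limit}")
        return decision


def demo() -> dict:
    """Walk one constructed incident through the gateway and return the decisions."""
    now = 1_700_000_000.0                 # fixed clock so the run is reproducible
    gw = Gateway(baseline={"siem.search": 5, "firewall.update_rule": 1})
    lease = CredentialLease("soc-agent-7", "INC-4412", expires_at=now + 900,
                            allowed_tools=frozenset({"siem.search", "firewall.update_rule"}))
    return {
        "read": gw.authorize(lease, "siem.search", "correlate alerts for INC-4412", now),
        "write": gw.authorize(lease, "firewall.update_rule", "block C2 address", now),
        "approved": gw.authorize(lease, "firewall.update_rule", "block C2 address", now + 60,
                                 human_approved=True),
        "unscoped": gw.authorize(lease, "iam.modify_policy", "widen analyst role", now),
        "expired": gw.authorize(lease, "siem.search", "late query", now + 1000),
        "alerts": len(gw.alerts),         # 2: repeat firewall attempt and unscoped IAM call
    }
```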

The 10-question OWASP audit for autonomous agents

Each question maps to one OWASP Agentic Top 10 risk category. Autonomous platforms that ship with policy enforcement, approval gates, and data context validation will have clear answers to every question. Three or more “I don’t know” answers on any tool means that tool’s governance has not kept pace with its capabilities.

  1. Which agents have write access to production firewall, IAM, or endpoint controls?

  2. Which accept external inputs without validation?

  3. Which execute irreversible actions without human approval?

  4. Which persist memory where poisoning compounds across sessions?

  5. Which delegate to other agents, creating cascade privilege chains?

  6. Which load third-party plugins or MCP servers at runtime?

  7. Which generate or execute code in production environments?

  8. Which inherit user credentials instead of scoped agent identities?

  9. Which lack behavioral monitoring for drift from intended purpose?

  10. Which can be manipulated through persuasive language to override safety controls?

What the board needs to hear

The board conversation is three sentences. Adversaries compromised AI tools at more than 90 organizations in 2025, according to CrowdStrike’s 2026 Global Threat Report. The autonomous tools deploying now have more privilege than the ones that were compromised. The organization has audited every autonomous tool against OWASP’s 10 risk categories and confirmed that the governance controls are in place.

If that third sentence is not true, it needs to be true before the next autonomous agent ships to production. Run the 10-question audit against every agent with write access to production infrastructure within the next 30 days. Every autonomous platform shipping to production should be held to the same standard — policy enforcement, approval gates, and data context validation built in at launch, not retrofitted after the first incident. The audit surfaces which tools have done that work and which have not.

Security | VentureBeat

Phishing and MFA exploitation: Targeting the keys to the kingdom


In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.

Phishing

In 2025, phishing attacks were used for initial access in 40% of incidents, maintaining their prevalence. Attackers ramped up cascaded phishing campaigns, in which they leveraged the trust placed in the initially compromised account to craft specialized phishing attempts, both inside the network and outside it, aimed at trusted partners and third parties.


Email composition trends

The content of phishing emails changed somewhat. Moving away from spam-style offers, they took the form of workflow-style emails — IT, travel, and other everyday business tasks that look familiar to employees and executives. Travel and logistics lures in particular surged, while political lures dropped off. Internal expensing and travel emails, even when legitimate, are often repetitive and come from disparate sources with changeable formats or poorly rendered templates, which lowers recipients’ guard against malicious intent. Attackers were likely aiming to steal credentials, payment information, or MFA tokens via fake single sign-on (SSO) pages.

In a review of thousands of blocked emails, 60% had subject lines containing keywords such as “request,” “invoice,” “fwd,” and “report.” IT-focused phishing keywords turned more technical, to words like “tampering,” “domain,” “configuration,” and “token,” showing that attackers were targeting IT and security workflows.

Attackers also abused Microsoft 365 Direct Send to capitalize on internal email trust. Direct Send is the mechanism by which networked devices such as printers and scanners deliver documents to users. The messages appear to be sent and received by the same email address. Such internal messages do not receive the same scrutiny that external emails do, from employees or from automated email filters. Direct Send allowed attackers to spoof internal email addresses and deliver highly convincing lures from inside the organization, without compromising real accounts, to target key services and cause high-impact damage.

MFA and identity attacks

Identity and access management (IAM) applications have grown popular with organizations hoping to consolidate user privileges. Unfortunately, they have also grown popular with attackers. Nearly a third of 2025 MFA spray attacks targeted IAM, turning the tools companies use to maintain access control into a point of failure. Device compromise surged by 178%, largely driven by voice phishing designed to trick administrators into registering malicious devices.

MFA spray and device compromise

MFA attack strategies varied by sector. A successful attack could yield SSO tokens and give adversaries the ability to change user roles and credentials, or even the MFA policies themselves. Attackers increasingly exploited authentication workflows to gain and maintain access.


Spray attacks were deployed against networks with predictable identity behavior, while diverse, unmanaged, or high-turnover device ecosystems proved weaker to device compromise attacks.

Notably, higher education was the sector most targeted by device compromise attacks. Several factors could contribute to the trend:

· Diverse, unmanaged device population

· Poorly patched and managed operating systems

· Necessarily low new-device verification policies

· Large, public-facing directories for targeted phishing

Higher education was a very unfavorable target for MFA spray attacks, however. Passwords and MFA there are highly varied and segmented, and most universities have strong login portal policies, enforced lockouts, and login attempt limits.

Guidance for defenders

As always, prioritize based on your own environment.

Organizations should keep in mind that living-off-the-land binaries (LOLBins) and open-source and dual-use tools, which are not inherently malicious, are key to further exploitation. Against Direct Send abuse, blocking external IP addresses from using the feature, enabling Microsoft’s newer “Reject Direct Send” control, tightening SPF/DMARC enforcement, and treating “internal-looking” emails with the same scrutiny as inbound mail are currently the most effective defenses.
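As an added example of the last of those defenses (not code from the Talos report), the following Python check gives internal-looking mail the same scrutiny as inbound mail: it flags messages whose From address is in the organization’s domain but whose delivering hop came from outside the organization’s own networks or did not pass SPF/DMARC. The domain, trusted networks and sample headers are constructed for illustration.

```python
"""Flag internal-looking mail that did not come from the organisation (added example)."""
from __future__ import annotations

import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # constructed: the protected domain
# Constructed: networks of the organisation's own MTAs and of the devices that legitimately
# use Direct Send (printers, scanners). Internal-looking mail from anywhere else is suspect.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample messages: a scanner using Direct Send, and a spoofed "internal" lure.
SAMPLE_LEGIT = """\
Received: from scanner01.example.com ([10.4.2.17]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=none; dmarc=pass
From: Scanner <scanner@example.com>
To: alice@example.com
Subject: Scanned document

(constructed body)
"""
SAMPLE_SPOOF = """\
Received: from mail.sender.invalid ([198.51.100.23]) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
From: IT Helpdesk <alice@example.com>
To: alice@example.com
Subject: Action required: token configuration

(constructed body)
"""


def sending_ip(msg) -> str | None:
    """Source IP from the topmost Received header, i.e. the hop that reached our MX."""
    received = msg.get_all("Received") or [""]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def auth_results(msg) -> dict[str, str]:
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def classify(raw: str) -> str:
    """Return 'external', 'trusted-internal' or 'spoofed-internal'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != ORG_DOMAIN:
        return "external"            # ordinary inbound mail, filtered on its own path
    ip = sending_ip(msg)
    from_trusted = ip is not None and any(ipaddress.ip_address(ip) in n for n in TRUSTED_SOURCES)
    verdicts = auth_results(msg)
    if from_trusted and verdicts.get("spf") == "pass" and verdicts.get("dmarc") != "fail":
        return "trusted-internal"
    # An internal From address whose hop arrived from outside or failed SPF/DMARC:
    # the Direct Send spoofing pattern. Route it through inbound-mail scrutiny.
    return "spoofed-internal"
```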

Likewise, MFA attack protection should be tailored to the style of environment and sector.

MFA spray attacks work well on stable, scaled identity controls. Counter these attacks with strong lockout policies, good password hygiene, and conditional access.

Device compromise works best on variable networks where devices turn over quickly and MFA use is spotty. Work on establishing better device hardening and management, session controls, and strict phishing-resistant MFA with enrollment governance. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks.


This blog only scratched the surface on 2025 threat trends. See the full Year in Review report for a detailed explanation of Microsoft 365 Direct Send and how it was used for attacks, infographic breakdowns of MFA spray vs. device compromise attacks, the full list of targeted tools and sectors by percentage, and more.

Cisco Talos Blog

Does Walmart price match? What to know about online and in-store price matching policies

Here’s what you need to know about Walmart’s price-matching policy.

Latest news