
Security News
The latest security stories, summarized by AI
Featured Security Stories


AirSnitch flaw breaks Wi‑Fi client isolation across homes and enterprises
Researchers describe AirSnitch as a cross-layer Wi-Fi attack that defeats client isolation at Layers 1 and 2, giving an attacker a bidirectional man-in-the-middle position on guest, home, and enterprise networks. From that position the attacker can intercept and alter traffic and steal cookies, credentials, and DNS data, potentially even where HTTPS is in use. The flaw affects a wide range of devices from major vendors and may require hardware changes to fix fully; some updates exist, but the recommended defenses are VPNs and a move toward zero-trust networking. In practice, users should be cautious on unknown public APs and consider tethering over mobile data or using a trusted VPN until fixes are widely deployed.
More Top Stories
IS-K Publishes AI Toolkit for Propaganda
politico.eu•3 days ago
BeyondTrust Flaw Sparks Global Web Shell Campaigns and Data Theft
The Hacker News•6 days ago
More Security Stories

FBI Warns of Rampant ATM Jackpotting Causing $20 Million Losses in 2025
The FBI warns that ATM jackpotting has surged since 2020, with about 1,900 incidents reported in that period, roughly 700 of them in the most recent year, and losses of more than $20 million in 2025; the DoJ separately cites about $40.7 million in losses since 2021. Attackers deploy malware such as Ploutus, which bypasses the ATM's own controls and drives the cash dispenser through the XFS middleware layer, typically after gaining physical access to the machine or swapping out its hard drive. Recommended mitigations include stronger physical security and cameras, changing default credentials, automatic shutdown when tampering is detected, device allowlisting, and comprehensive logging.

Microsoft Fixes Privilege Escalation Flaw in Windows Admin Center (CVE-2026-26119)
Microsoft has patched CVE-2026-26119, a high-severity improper-authentication flaw in Windows Admin Center that could let an authenticated attacker elevate privileges to those of the account running the affected application; the fix shipped in Windows Admin Center v2511 (December 2025). No in-the-wild exploitation has been confirmed, but Microsoft rates the bug "Exploitation More Likely", and researchers warn that under some conditions it could lead to domain compromise.

PromptSpy uses GenAI to persist on Android via AI-guided UI manipulation
ESET researchers uncovered PromptSpy, the first known Android malware to use generative AI (Google Gemini) to drive UI-level actions for persistence. The malware sends Gemini an XML snapshot of the current screen and receives step-by-step tap instructions that keep the app in the recent-apps list, while a built-in VNC module gives the operator remote access. It also abuses Accessibility Services, uses overlays to hinder uninstallation, and can capture lock-screen data and screen video. Distribution appears tied to Argentina via a banking-themed phishing site; it has not been seen on Google Play. The case shows how AI can make Android threats more adaptive and harder to remove.

Device-code phishing with vishing bypasses MFA in Microsoft Entra
Threat actors are combining the OAuth 2.0 device authorization flow with voice phishing to hijack Microsoft Entra accounts. Using legitimate Microsoft OAuth client IDs, they start a device-code flow and talk victims into entering the code at microsoft.com/devicelogin; once the victim completes sign-in there, the attacker's pending request is redeemed for access and refresh tokens. Because the victim satisfies MFA on the genuine Microsoft page, the attacker never has to, and can use the tokens to reach the victim's SaaS apps and data. Campaigns have targeted technology, manufacturing, and financial firms and may involve the ShinyHunters group. Recommended responses are to revoke suspicious OAuth consents, audit device-code sign-in events, disable the device-code flow where it is not needed, and use Conditional Access policies to limit exposure.
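The exchange described above, modelled end to end as an added example (this is not code from the article or from Microsoft): an in-memory stand-in for the device-code and token endpoints, the attacker's side of the campaign, and the audit step over sign-in records. The client ID, users, tokens and the sign-in records are constructed placeholders; the record field names follow the Microsoft Graph `signIn` resource, the values are made up.

```python
"""
Model of the OAuth 2.0 device authorization grant (RFC 8628) as abused in
device-code phishing: the attacker starts the flow with a legitimate
client_id, relays the user_code to the victim by phone, and the victim
completes sign-in (MFA included) on the real verification page.  The
attacker's next poll of the token endpoint then returns the victim's tokens.

Added illustration, not code from the article or from Microsoft.  The
authorization server is an in-memory stand-in; client ids, users, tokens
and the sign-in records below are constructed placeholders.
"""
import secrets
import time

SCOPE = "openid offline_access Mail.Read"
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class AuthorizationServer:
    """Minimal in-memory model of the device-code and token endpoints."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}          # device_code -> grant record

    def device_authorization(self, client_id, scope, expires_in=900):
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()       # the code shown to the user
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + expires_in, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": expires_in, "interval": 5}

    def user_approves(self, user_code, user, mfa_passed):
        """The victim types the code on the real page; MFA is checked here, in
        the victim's own browser, so the attacker never has to satisfy it."""
        if not mfa_passed:
            return False
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.now() < rec["expires_at"]:
                rec["approved_by"] = user
                return True
        return False

    def token(self, client_id, device_code):
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() >= rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]                  # one-time redemption
        return {"token_type": "Bearer", "scope": rec["scope"],
                "sub": rec["approved_by"],
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(32)}


def run_phish(server, client_id, victim):
    """Attacker's side of the campaign; returns the result of each step."""
    start = server.device_authorization(client_id, SCOPE)
    first_poll = server.token(client_id, start["device_code"])
    # Vishing step: the attacker reads start["user_code"] to the victim, who
    # enters it at start["verification_uri"] and passes MFA legitimately.
    approved = server.user_approves(start["user_code"], victim, mfa_passed=True)
    second_poll = server.token(client_id, start["device_code"])
    return {"device_code": start["device_code"], "first_poll": first_poll,
            "approved": approved, "tokens": second_poll}


# Constructed sign-in records in the shape of Microsoft Graph `signIn`
# objects (field names are the resource's; the values are made up).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": "aaaa-1111",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appId": "bbbb-2222",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "appId": "cccc-3333",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22"},
]


def flag_device_code_signins(signins, allowed_app_ids=frozenset()):
    """Audit step from the story: surface device-code sign-ins, skipping apps
    (e.g. a CLI used on headless hosts) the organization has explicitly allowed."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("appId") not in allowed_app_ids]


if __name__ == "__main__":
    result = run_phish(AuthorizationServer(), "placeholder-client-id", "bob@example.com")
    print("first poll :", result["first_poll"])
    print("token keys :", sorted(result["tokens"]))
    for s in flag_device_code_signins(SAMPLE_SIGNINS, {"cccc-3333"}):
        print("review device-code sign-in:", s["userPrincipalName"], s["ipAddress"])
```

The first poll returns `authorization_pending`; after the victim approves the code, the same poll returns a refresh token bound to the victim, which is why the mitigation is to disable the flow where it is not needed and to audit every `deviceCode` sign-in that is not from an allowed app.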

Auth bypass in Honeywell CCTV risks unauthorized feeds and account takeover
CISA warns of a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV models that lets an unauthenticated attacker change the recovery email on a device account, enabling account takeover and unauthorized access to camera feeds. As of Feb 17 there were no known public exploits. Recommended mitigations are to limit the devices' network exposure, isolate them behind firewalls, and use a secure VPN for remote access. Honeywell has not issued a public advisory, so users should contact support for patch guidance.

CISA Flags Four Actively Exploited Flaws in KEV Update and Urges Patch
CISA added four flaws to the Known Exploited Vulnerabilities catalog due to active exploitation: CVE-2026-2441 (Chrome use-after-free), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload leading to command execution), CVE-2020-7796 (Zimbra Collaboration Server SSRF), and CVE-2008-0015 (Windows Video ActiveX buffer overflow). Google confirms an in-the-wild exploit for CVE-2026-2441; GreyNoise documents about 400 IPs exploiting CVE-2020-7796 across several countries; the CVE-2008-0015 exploit can download additional malware like Dogkild and alter system files/hosts. The TeamT5 exploitation vector remains unclear. Federal agencies are urged to patch by March 10, 2026.

Zero-knowledge claims tested: researchers reveal multiple flaws in top password managers
Researchers from ETH Zurich and USI Lugano analyzed Bitwarden, Dashlane, and LastPass and found multiple attack vectors through which a compromised or malicious server can read or even modify vaults, particularly when account-recovery, group-enrollment, key-escrow, or backward-compatibility features are enabled. Some attacks allow theft of entire vaults or of selected items, and some break older encryption configurations outright. The vendors point to their security audits and ongoing patching, but the study argues that the term "zero-knowledge" can be misleading and calls for stronger threat models and resilience measures across password managers.

Researchers uncover 27 attack scenarios targeting cloud password managers
Swiss researchers disclosed 27 attack scenarios across Bitwarden, LastPass, Dashlane and 1Password that could let attackers view or modify vaults, calling into question the end-to-end encryption guarantees the products advertise; the attacks exploit weaknesses in onboarding, key escrow, and item-level encryption. One demonstrated attack, "malicious auto-enrolment" against Bitwarden, could allow an attacker controlling the server to hijack a vault during organization onboarding. Bitwarden, LastPass and Dashlane are patching, while 1Password defends its SRP-based design. The paper recommends stronger authentication, key separation and ciphertext integrity. Users should check remediation status with their provider and ask for audits.

Researchers expose 25 recovery attacks against leading cloud password managers
A joint ETH Zurich/USI study identifies 25 distinct attacks on account recovery and related features of major cloud password managers (Bitwarden, Dashlane, LastPass, with 1Password also noted for some flaws). The attacks fall into four categories: exploiting key escrow in account recovery, weaknesses in item-level encryption and metadata, vulnerabilities in sharing features, and downgrades made possible by legacy code. In total, 12 attacks hit Bitwarden, 7 LastPass, and 6 Dashlane; 1Password was linked to item-level and sharing flaws that it treats as known limitations. Vendors have issued patches or mitigations (Dashlane removing legacy crypto, Bitwarden remediation, LastPass hardening, 1Password relying on SRP), and there is no evidence these issues have been exploited in the wild.
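The key-escrow category in the three summaries above (account-recovery escrow, malicious auto-enrolment during organization onboarding, and the paper's call for stronger authentication and ciphertext integrity) comes down to one question: does the client verify whose key it is escrowing the vault key to? The following is an added illustration of that pattern, not any vendor's actual protocol. It uses a toy Diffie-Hellman group (p = 2^127 - 1, g = 3) and SHA-256/HMAC-based wrapping so that it runs on the Python standard library alone; the group, the wrapping scheme, the `Client` class and the pinned-fingerprint check are all assumptions made for the example.

```python
"""
Toy model of key escrow for password-manager account recovery.  A client
escrows its vault key to an "organization recovery key" during onboarding.
If it accepts whatever key the server hands it, a malicious server can
substitute its own key and later unwrap the vault.  The hardened client
pins the organization key's fingerprint (shared out of band by the admin),
and the wrapping is authenticated so tampered ciphertext is rejected.

Added illustration, not any vendor's protocol.  Toy DH group and
SHA-256/HMAC wrapping, standard library only; not production cryptography.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1       # Mersenne prime M127: toy-sized, not a real DH group
G = 3


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _i2b(x):
    return x.to_bytes(16, "big")     # every value here is < 2^127


def _kdf(shared, label):
    return hashlib.sha256(label + _i2b(shared)).digest()


def _keystream(key, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def wrap(recipient_pub, plaintext):
    """ECIES-style wrap: ephemeral DH, then encrypt-then-MAC."""
    eph_priv, eph_pub = keygen()
    shared = pow(recipient_pub, eph_priv, P)
    stream = _keystream(_kdf(shared, b"enc"), len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_kdf(shared, b"mac"), _i2b(eph_pub) + ct, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "ct": ct, "tag": tag}


def unwrap(priv, blob):
    """Verify the MAC before decrypting; raises on any modification or wrong key."""
    shared = pow(blob["eph_pub"], priv, P)
    expect = hmac.new(_kdf(shared, b"mac"), _i2b(blob["eph_pub"]) + blob["ct"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("ciphertext integrity check failed")
    stream = _keystream(_kdf(shared, b"enc"), len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def fingerprint(pub):
    return hashlib.sha256(_i2b(pub)).hexdigest()[:16]


class Client:
    def __init__(self, pinned_fingerprint=None):
        self.vault_key = secrets.token_bytes(32)
        self.pinned = pinned_fingerprint

    def enrol(self, org_pub_from_server):
        """Escrow the vault key for recovery.  Without a pinned fingerprint the
        client trusts whatever key the server supplies (the weak pattern);
        with one, it refuses to escrow to any other key."""
        if self.pinned is not None and fingerprint(org_pub_from_server) != self.pinned:
            raise ValueError("organization recovery key does not match pinned fingerprint")
        return wrap(org_pub_from_server, self.vault_key)


def onboarding(client_pins_key):
    """Onboarding against a malicious server that swaps in its own key."""
    _org_priv, org_pub = keygen()        # the real organization's recovery key
    srv_priv, srv_pub = keygen()         # the server's own key, presented as the org's
    client = Client(fingerprint(org_pub) if client_pins_key else None)
    try:
        blob = client.enrol(srv_pub)
    except ValueError:
        return "refused"
    return "server_recovered_vault_key" if unwrap(srv_priv, blob) == client.vault_key else "safe"


if __name__ == "__main__":
    print("trusting client :", onboarding(client_pins_key=False))
    print("pinning client  :", onboarding(client_pins_key=True))
```

The trusting client ends up with its vault key recoverable by the server; the pinning client refuses. The MAC over the ephemeral public key and ciphertext is the "ciphertext integrity" the paper asks for: a server that can only store blobs cannot silently alter them without the unwrap failing.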

Chrome patch blocks actively exploited CSS zero-day with CVE-2026-2441
Google released security updates for Chrome to fix a high-severity use-after-free in CSS (CVE-2026-2441) that is being exploited in the wild. Updates are available for Windows/macOS (145.0.7632.75/76) and Linux (144.0.7559.75); users should relaunch Chrome after updating so the new version takes effect. The article also notes that Apple patched related zero-days. Users of other Chromium-based browsers should apply the corresponding fixes as they become available.