Tag: api
-
WebSecurity bereit für die Quantencomputer-Ära
Mit Version 8.5 erweitert Airlock-Gateway seine Web-Application- und API-Security-Plattform um Post-Quanten-sichere Kryptografie. Die neue Version ermöglicht den Einsatz hybrider Verfahren, die klassische Verschlüsselungstechnologien mit quantensicheren Algorithmen wirksam kombinieren. Ergänzt wird das Release des renommierten Security-Anbieters Airlock mit Sitz in Zürich durch zahlreiche Verbesserungen in den Bereichen Sicherheit, Automatisierung und Betrieb. Post-Quantum ready! Quantencomputer gelten […]…
-
Cybersecurity leaders’ top seven takeaways from 2025
Tags: access, ai, api, attack, automation, breach, business, ciso, compliance, control, cyber, cybersecurity, data, data-breach, deep-fake, defense, detection, email, exploit, framework, governance, government, grc, identity, international, malicious, network, nist, phishing, regulation, resilience, risk, saas, service, software, strategy, supply-chain, technology, threat, tool, vulnerability2. AI forced companies to rethink their security strategies: At the same time, Abousselham notes how the rapid rollout of AI forced companies to shift their resources to keep pace with the change, while maintaining safe product releases. He calls 2025 the “chaotic introduction of agentic AI”.”I don’t think the industry was ready or expected…
-
Cybersecurity leaders’ top seven takeaways from 2025
Tags: access, ai, api, attack, automation, breach, business, ciso, compliance, control, cyber, cybersecurity, data, data-breach, deep-fake, defense, detection, email, exploit, framework, governance, government, grc, identity, international, malicious, network, nist, phishing, regulation, resilience, risk, saas, service, software, strategy, supply-chain, technology, threat, tool, vulnerability2. AI forced companies to rethink their security strategies: At the same time, Abousselham notes how the rapid rollout of AI forced companies to shift their resources to keep pace with the change, while maintaining safe product releases. He calls 2025 the “chaotic introduction of agentic AI”.”I don’t think the industry was ready or expected…
-
AIs Exploiting Smart Contracts
I have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature. Here’s some interesting research on training AIs to automatically exploit smart contracts: AI models are increasingly good at cyber tasks, as we’ve written about before. But what is the economic impact of these capabilities? In…
-
1inch Named Exclusive Swap Provider at Launch for Ledger Multisig
Road Town, British Virgin Islands, December 11th, 2025, CyberNewsWire 1inch, the leading DeFi ecosystem, has been selected as the exclusive swap provider at launch for Ledger Multisig, deepening the collaboration between the two projects. By integrating the 1inch Swap API into its security-first multisig architecture, Ledger, the world leader in digital asset security for consumers…
-
1inch Named Exclusive Swap Provider at Launch for Ledger Multisig
Road Town, British Virgin Islands, December 11th, 2025, CyberNewsWire 1inch, the leading DeFi ecosystem, has been selected as the exclusive swap provider at launch for Ledger Multisig, deepening the collaboration between the two projects. By integrating the 1inch Swap API into its security-first multisig architecture, Ledger, the world leader in digital asset security for consumers…
-
2026 API and AI Security Predictions: What Experts Expect in the Year Ahead
This is a predictions blog. We know, we know; everyone does them, and they can get a bit same-y. Chances are, you’re already bored with reading them. So, we’ve decided to do things a little bit differently this year. Instead of bombarding you with just our own predictions, we’ve decided to cast the net far…
-
2026 API and AI Security Predictions: What Experts Expect in the Year Ahead
This is a predictions blog. We know, we know; everyone does them, and they can get a bit same-y. Chances are, you’re already bored with reading them. So, we’ve decided to do things a little bit differently this year. Instead of bombarding you with just our own predictions, we’ve decided to cast the net far…
-
NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a First…
-
NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a First…
-
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz.The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for…
-
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz.The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for…
-
Hidden .NET HTTP proxy behavior can open RCE flaws in apps, a security issue Microsoft won’t fix
Tags: api, control, credentials, cve, endpoint, exploit, flaw, framework, ivanti, leak, microsoft, monitoring, ntlm, powershell, programming, rce, remote-code-execution, service, vulnerabilityServiceDescriptionImporter class,” he said. “That mechanism alone enabled successful exploitation in products from Barracuda, Ivanti, Microsoft and Umbraco, and it took only a few days of review to find working cases.” The .NET Framework and ASP.NET are among the most popular programming languages for enterprise applications. When a developer wants their application to communicate with…
-
2025 Year of Browser Bugs Recap:
Tags: access, ai, api, attack, authentication, awareness, browser, cctv, chrome, cloud, communications, computer, credentials, crypto, cyber, data, data-breach, detection, edr, email, endpoint, exploit, flaw, gartner, google, guide, identity, injection, leak, login, malicious, malware, network, openai, passkey, password, phishing, ransom, ransomware, risk, saas, service, threat, tool, update, vulnerability, windows, xss, zero-dayAt the beginning of this year, we launched the Year of Browser Bugs (YOBB) project, a commitment to research and share critical architectural vulnerabilities in the browser. Inspired by the iconic Months of Bugs tradition in the 2000s, YOBB was started with a similar purpose”Š”, “Što drive awareness and discussion around key security gaps and…
-
Polymorphic AI malware exists, but it’s not what you think
Tags: access, ai, api, attack, authentication, automation, business, ciso, credentials, cryptography, cyber, cybercrime, detection, edr, email, espionage, government, group, identity, infrastructure, malicious, malware, marketplace, mfa, monitoring, phishing, radius, ransomware, risk, soc, technology, theft, threat, toolwhat the code block should do, or how it’s going to evade an antivirus. It’s just working under the assumption that Gemini just instinctively knows how to evade antiviruses (it doesn’t). There’s also no entropy to ensure the ‘self-modifying’ code differs from previous versions, or any guardrails to ensure it actually works. The function was…
-
Polymorphic AI malware exists, but it’s not what you think
Tags: access, ai, api, attack, authentication, automation, business, ciso, credentials, cryptography, cyber, cybercrime, detection, edr, email, espionage, government, group, identity, infrastructure, malicious, malware, marketplace, mfa, monitoring, phishing, radius, ransomware, risk, soc, technology, theft, threat, toolwhat the code block should do, or how it’s going to evade an antivirus. It’s just working under the assumption that Gemini just instinctively knows how to evade antiviruses (it doesn’t). There’s also no entropy to ensure the ‘self-modifying’ code differs from previous versions, or any guardrails to ensure it actually works. The function was…
-
Polymorphic AI malware exists, but it’s not what you think
Tags: access, ai, api, attack, authentication, automation, business, ciso, credentials, cryptography, cyber, cybercrime, detection, edr, email, espionage, government, group, identity, infrastructure, malicious, malware, marketplace, mfa, monitoring, phishing, radius, ransomware, risk, soc, technology, theft, threat, toolwhat the code block should do, or how it’s going to evade an antivirus. It’s just working under the assumption that Gemini just instinctively knows how to evade antiviruses (it doesn’t). There’s also no entropy to ensure the ‘self-modifying’ code differs from previous versions, or any guardrails to ensure it actually works. The function was…
-
Tools, um MCP-Server abzusichern
Tags: ai, api, authentication, cloud, compliance, data-breach, detection, framework, identity, incident response, injection, least-privilege, microsoft, monitoring, network, open-source, risk, saas, service, startup, threat, tool, vmware, zero-trustUnabhängig davon, welche MCP-Server Unternehmen wofür einsetzen “Unsicherheiten” sollten dabei außenvorbleiben.Model Context Protocol (MCP) verbindet KI-Agenten mit Datenquellen und erfreut sich im Unternehmensumfeld wachsender Beliebtheit. Allerdings ist auch MCP nicht frei von Sicherheitslücken, wie entsprechende Entdeckungen, etwa beim SaaS-Anbieter Asana oder dem IT-Riesen Atlassian gezeigt haben. Inzwischen hat sich jedoch einiges in Sachen MCP-Sicherheit getan.…
-
Tools, um MCP-Server abzusichern
Tags: ai, api, authentication, cloud, compliance, data-breach, detection, framework, identity, incident response, injection, least-privilege, microsoft, monitoring, network, open-source, risk, saas, service, startup, threat, tool, vmware, zero-trustUnabhängig davon, welche MCP-Server Unternehmen wofür einsetzen “Unsicherheiten” sollten dabei außenvorbleiben.Model Context Protocol (MCP) verbindet KI-Agenten mit Datenquellen und erfreut sich im Unternehmensumfeld wachsender Beliebtheit. Allerdings ist auch MCP nicht frei von Sicherheitslücken, wie entsprechende Entdeckungen, etwa beim SaaS-Anbieter Asana oder dem IT-Riesen Atlassian gezeigt haben. Inzwischen hat sich jedoch einiges in Sachen MCP-Sicherheit getan.…
-
Tools, um MCP-Server abzusichern
Tags: ai, api, authentication, cloud, compliance, data-breach, detection, framework, identity, incident response, injection, least-privilege, microsoft, monitoring, network, open-source, risk, saas, service, startup, threat, tool, vmware, zero-trustUnabhängig davon, welche MCP-Server Unternehmen wofür einsetzen “Unsicherheiten” sollten dabei außenvorbleiben.Model Context Protocol (MCP) verbindet KI-Agenten mit Datenquellen und erfreut sich im Unternehmensumfeld wachsender Beliebtheit. Allerdings ist auch MCP nicht frei von Sicherheitslücken, wie entsprechende Entdeckungen, etwa beim SaaS-Anbieter Asana oder dem IT-Riesen Atlassian gezeigt haben. Inzwischen hat sich jedoch einiges in Sachen MCP-Sicherheit getan.…
-
GitHub Action Secrets aren’t secret anymore: exposed PATs now a direct path into cloud environments
Tags: access, api, authentication, awareness, cloud, credentials, data-breach, detection, exploit, github, infrastructure, malicious, mfa, monitoring, security-incident, strategy, threat, trainingEasily evading detection: Wiz found that a threat actor with basic read permissions via a PAT can use GitHub’s API code search to discover secret names embedded directly in a workflow’s yaml code, accessed via “${{ secrets.SECRET_NAME }}.”The danger is that this secret discovery method is difficult to monitor because search API calls are not…
-
GitHub Action Secrets aren’t secret anymore: exposed PATs now a direct path into cloud environments
Tags: access, api, authentication, awareness, cloud, credentials, data-breach, detection, exploit, github, infrastructure, malicious, mfa, monitoring, security-incident, strategy, threat, trainingEasily evading detection: Wiz found that a threat actor with basic read permissions via a PAT can use GitHub’s API code search to discover secret names embedded directly in a workflow’s yaml code, accessed via “${{ secrets.SECRET_NAME }}.”The danger is that this secret discovery method is difficult to monitor because search API calls are not…
-
GitHub Action Secrets aren’t secret anymore: exposed PATs now a direct path into cloud environments
Tags: access, api, authentication, awareness, cloud, credentials, data-breach, detection, exploit, github, infrastructure, malicious, mfa, monitoring, security-incident, strategy, threat, trainingEasily evading detection: Wiz found that a threat actor with basic read permissions via a PAT can use GitHub’s API code search to discover secret names embedded directly in a workflow’s yaml code, accessed via “${{ secrets.SECRET_NAME }}.”The danger is that this secret discovery method is difficult to monitor because search API calls are not…
-
Security Affairs newsletter Round 553 by Pierluigi Paganini INTERNATIONAL EDITION
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Attackers launch dual campaign on GlobalProtect portals and SonicWall APIs Maximum-severity XXE vulnerability discovered in Apache…