🔐 IT News Analyzer

// AI-powered news analysis

Latest Top 10 Articles

1
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin's  XLab  calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising. The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator. Each router becomes a footprinting node and a relay that hides where the real attacker is. Old chips, older bugs The campaign goes after routers built on Realtek's RTL819X chips, hardware that was current around 2012 to 2015. XLab first saw it on March 12, 2026, spreading from a single IP, 107.150.106.14. The binary it pushed was a Linux ELF that no engine on VirusTotal flagged, exploiting two flaws from another era: CVE-2013-3307 ...

Jun 22, 2026
3
INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific

INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific

A new report from INTERPOL has revealed a "dramatic increase" in cybercrime in Asia and the South Pacific, fueled by rapid digitalization, internet penetration, new technologies, organized criminal networks, and a disparity in cybersecurity maturity. According to INTERPOL's 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing has emerged as the most widespread and financially damaging form of cybercrime, with a third of countries in the region reporting more than 10,000 cases between January 2024 and March 2025. In all, over half of INTERPOL member countries have reported that cybercrime accounted for no less than 30% of all crimes recorded nationally. "The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models and sophisticated social engineering techniques on an industrial scale," Neal Jett...

Jun 22, 2026
4
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin's email integrations. "This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," Wordfence said . "When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report." As a result, an unauthenticated attacker can weaponize ...

Jun 20, 2026
5
Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain

Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain

Security researchers at Paradigm Shift have published a working exploit, dubbed  usbliter8 , that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use. This is not a remote attack. It requires physical possession of the device, which must be in DFU mode and connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit finishes in under two seconds, before Apple's signed boot chain loads. The full  technical write-up  and a working  proof of concept  went public on June 18, 2026, following coordinated disclosure with Apple Product Security. Affected Devices The public PoC supports A12, A13, S4, and S5 SoCs. A12X and A12Z support is described as theoretically possible but not yet implemented. Device families in that range...

Jun 19, 2026
6
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor. This mature portfolio of EDR-terminating tools is centered around a framework that's known as GentleKiller . "They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller," ESET security researcher Jakub Souček said in a report shared with The Hacker News. "These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons." The Slovakian cybersecurity company also called out the ransomware crew for its ability to "unusually quickly operationalize" newly disclosed proof-of-concept (PoC) exploits related to an attack technique called bring your...

Jun 19, 2026
8
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

Microsoft researchers have detailed an exploit chain, named  AutoJack , that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a process on the host. No credentials, no sign-in screen, and no further user interaction once the agent loads the page. The attacker only has to get the agent to open it, and a planted link, a URL field, or a prompt injection will do. The flaw sits in  AutoGen Studio , the open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework. This is not a bug that hits everyone who installs the package, and the packaging detail is worth getting right. A plain pip install autogenstudio pulls the current stable release, 0.4.2.2, the build Microsoft inspected, and it has no Model Context Protocol (MCP) route at all. That is the basis for Microsoft...

Jun 19, 2026
9
Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites

Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites

Dutch law enforcement authorities, along with counterparts from Canada , Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. "With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit said . "This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish." The takedown is part of Operation Endgame , an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures. It was launched in 2024. As part of the effort, 106 servers linked to SocGholish have been t...

Jun 19, 2026
10
CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices

CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed . The number of compromised devices stands at 86,644 as of June 19, 2026. According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for 36.7% of the remaining breached credentials. "This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed," SOCRadar said. "Org-specific accounts topping the list is significant. It means the attacker is not ju...

Jun 19, 2026