BrianKrebs

Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

From the story:

"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."

"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

#stryker #handala #intune #wiper #cybersecurity

The POTUS can't TACO his way out of the war he started now that the price of oil is spiking upwards, so he's loosening restrictions on Russian oil exports. Couldn't have come at a better time for his pal Putin.

"Mr. Bessent later said that the United States was considering lifting more sanctions on Russian oil. And President Trump on Monday said in a news conference that his administration was “waiving certain oil-related sanctions to reduce prices.”

https://www.nytimes.com/2026/03/10/world/middleeast/iran-war-putin-russia-energy-oil-prices.html

New, by me: How AI Assistants are Moving the Security Goalposts

AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.

Read more (and boost please!):

https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/

#openclaw #AI #agentic #aiagents #lethaltrifecta

Whoops. The data broker giant LexisNexis has suffered another data breach. LN says the data taken was no big deal. The group claiming credit for the breach claims otherwise, of course.

https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/

This brings back memories of previous breach stories. One of my first big scoops that made the WaPo dead tree edition's front page involved a breach at LexisNexis in 2005 that exposed >300k consumer records. That breach was from a group of 15-18y/os in the US who also social engineered T-Mobile into giving them access to Paris Hilton's cell phone and the nudes w/in.

https://web.archive.org/web/20160513195758/http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051901854_pf.html

In 2013, I published a scoop about a LexisNexis breach that came from group of criminal hackers who had seized control over ssndob[.]ru, then the largest ID theft service in the underground. In that months-long investigation, we found the hackers had installed backdoors on servers at LexisNexis, Dun & Bradstreet, and Kroll and were using them as part of a small and custom data broker botnet.

https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

Saw a few videos this morning of Iranian drones targeting US military bases and blowing shit up. I was struck by how loud and slow these things are. It's as if the loudest leafblower on the planet had wings and a propeller.

This AP News story has some good detail on Iran's response to its neighbors, which indicates the majority of the many, many missiles and drones Iran sent at or near the UAE were intercepted, but that some less defended places were still hit due to the volume of the missile/drone volley.

"Officials in Dubai in the United Arab Emirates said Sunday that air defenses had dealt with 165 ballistic missiles, two cruise missiles and more than 540 Iranian drones over two days. While officials said they intercepted all air attacks Saturday, debris from the knocked-down weapons sparked blazes at some of Dubai’s most iconic locations."

"Some Iranian drones flew as far as a U.K. military base in Cyprus. The runway at the Royal Air Force base in Akrotiri was struck by an Iranian drone Sunday, according to U.K. officials, and sirens blared there again Monday when two more drones heading toward the base were intercepted."

"State-of-the-art U.S. and Israeli air defense assets have proven efficient in intercepting most of Iran’s ballistic missiles launched at Israel. But the attacks using large numbers of cheap drones hit some softer targets lacking the same level of protection."

https://apnews.com/article/iran-us-israel-gulf-war-drone-49c8ea76358e579447ff839485f394ac

The POTUS is learning that you can't just TACO yourself out of a war that you JUST started, no matter how the market reacts. It turns out the market reacts badly to uncertainty, and the president just said he's going to keep bombing Iran for a few more weeks, maybe longer (probably if he'd said yeah we'll be wrapped up by April 20 the market would be like oh, okay cool). But it's not just everyone's savings and 401ks that are going to take a nosedive because of this war; a LOT of stuff that was already overpriced because of his arbitrary taxes is about to get way more expensive.

Well, we're batting 0 for like 200 on observing cool astronomical phenomena lately.

Total solar eclipse: Cloudy.

Northern Lights appear in Virginia! Cloudy.

Rare planetary conjunction happens. Cloudy.

Blood Moon from a lunar eclipse. Cloudy.

I'm sure when the aliens finally come park their giant death cruiser in front of our planet, it'll be cloudy then, too.

New, by me: Who Is the Kimwolf Botmaster, "Dort"?

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

https://krebsonsecurity.com/2026/02/who-is-the-kimwolf-botmaster-dort/

Agentic AI-based services are the new Shadow IT. Change my mind.

Favorite headline today (via HackerNews): Pope tells priests to use their brains, not AI, to write homilies

https://www.ewtnnews.com/vatican/pope-leo-xiv-tells-priests-to-use-their-brains-not-ai-to-write-homilies

Really enjoyed this scoop from the Financial Times, where a team of reporters identified 48 seemingly independent companies working from different physical addresses that appear to be operating together to disguise the origin of Russian oil, particularly from Kremlin-controlled Rosneft. The kicker: The network was discovered because they all share a single private email server.

From the (paywalled) story:

"The FT was able to identify 442 web domains whose public registrations show they all use a single private server for their email, “mx.phoenixtrading.ltd”, showing that they share back-office functions."

"The FT was then able to identify companies by comparing the names in the domain to those of entities that appear in Russian and Indian customs records as involved in carrying Russian oil."

"For example, Foxton FZCO, a Dubai-based entity listed as the buyer of $5.6bn of oil in Russian export filings, matches “foxton-fzco.com”. Similarly, Advan Alliance, an entity listed in Indian filings as having sold $1.5bn of Russian oil into the country, can be linked to “advanalliance.ltd”. "

"Filings linked by the FT to the domain list show oil exports from Russia amounting to more than $90bn."

https://www.ft.com/content/4310f010-2b3c-493e-ba0a-26dc6d156b2e

A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses. https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/ #phishing #MFA #starkiller

Was just browsing the Internet in a VM with script-blockers turned off for a bit, and half the sites were like "IT PUTS THE DATA IN THE BASKET OR IT GETS THE HOSE AGAIN!" with multiple videos, dozens of ads and and 99 pieces of third-party Javascript loading in the background. The amount of advertiser profiling and data sharing that goes on when you visit these noisy sites with a mobile device is even higher and more invasive, which might explain why I do most of my web browsing inside a VM (but with script blockers turned on).

Breaking, from the NYT: Supreme Court Strikes Down Trump’s Sweeping Tariffs

"In a major setback for President Trump’s economic agenda, the court ruled that he could not invoke the International Emergency Economic Powers Act of 1977 to set tariffs on imports. The 6-3 decision has significant implications for the economy and consumers. The federal government has collected more than $200 billion in tariffs since the start of last year."

https://www.nytimes.com/live/2026/02/20/us/trump-tariffs-supreme-court

If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

Thank god Microsoft is shoving Copilot AI crap into everything. One gets the sense this isn't going to be an isolated occurrence. From Bleeping Computer:

"Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information."

https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails/

Security nerds have launched a Gofundme to buy back securityfocus.com, a domain that hosted the Bugtraq site and more than 120,000 links from the National Vulnerability Database that are now dead. Whoops.

"Symantec killed Bugtraq in 2020 and let the domain lapse. Now it's squatted for $175k," writes Jonathan Brossard. "The NVD has 120,000+ broken links pointing there. The security community's memory is being held hostage."

https://www.gofundme.com/f/restore-securityfocus-bugtraq?attribution_id=sl:81e68f4d-14c5-46b5-9543-0d66980203e8&lang=en_AU&ts=1771062583&utm_campaign=man_ss_icons&utm_medium=customer&utm_source=copy_link

Not sure if this matters, but DomainTools says the domain was transferred to Accenture.com, Accenture Global Services Limited in Ireland.

For years we've been told that grand juries in the US are just a rubber stamp for prosecutors (i.e. that they will indict even pork-based comestibles). But increasingly what we're seeing is that grand juries are the last line of defense against an administration that is hellbent on perverting the justice system. From the NYT:

"Federal prosecutors in Washington sought and failed on Tuesday to secure an indictment against six Democratic lawmakers who posted a video this fall that enraged President Trump by reminding active-duty members of the military and intelligence community that they were obligated to refuse illegal orders, four people familiar with the matter said."

"It was remarkable that the U.S. attorney’s office in Washington — led by Jeanine Pirro, a longtime ally of Mr. Trump’s — authorized prosecutors to go into a grand jury and ask for an indictment of the six members of Congress, all of whom had served in the military or the nation’s spy agencies."

"But it was even more remarkable that a group of ordinary citizens sitting on the grand jury in Federal District Court in Washington forcefully rejected Mr. Trump’s bid to label their expression of dissent as a criminal act warranting prosecution."

https://www.nytimes.com/2026/02/10/us/politics/trump-democrats-illegal-orders-pirro.html

Yes, Windows (ab)users it's your favorite time of the month once again (ducks). Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six "zero-day" vulnerabilities that attackers are already exploiting in the wild.

https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/

ICYMI, from Reuters:

"Democratic Senator Maria Cantwell on Tuesday said Verizon and AT&T are blocking release of key documents about an alleged massive Chinese spying operation that infiltrated U.S. telecommunications networks known as Salt Typhoon and wants their CEOs to appear before Congress to answer questions."

"Cantwell asked both companies to turn over security assessments conducted by Alphabet cybersecurity unit Mandiant. She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon."

"In some cases, hackers are alleged to have intercepted conversations, including between prominent U.S. politicians and government officials. Several lawmakers have described them as the worst telecom hacks in U.S. history."

"Cantwell said Salt Typhoon allowed the Chinese government to "geolocate millions of individuals" and "record phone calls at will," and that the incident targeted almost every American."

https://www.reuters.com/business/media-telecom/senator-says-att-verizon-blocking-release-salt-typhoon-security-assessment-2026-02-03/

Must-read: How ‘Pink Slime’ Publishers Are Weaponizing FOIA

From Mirada Green and the Tow Center for Digital Journalism:

"Metric Media filed more than nine thousand public records requests last year. It used the data to target Democratic politicians and private citizens."

If you're unfamiliar with Metric Media, they own thousands of local "news" sites that mostly republish drivel until election time rolls around they're all partisan conservative publications masquerading as local news.

"Founded in 2019, Metric has been criticized for jury tampering and tied to pay-for-play political schemes and fake newspapers that land in mailboxes ahead of key elections. Recently, it has focused on obtaining troves of public records. In the past year, an investigation by the Tow Center for Digital Journalism has found Metric filed more than nine thousand Freedom of Information Act requests across all fifty states."

"Many of the requests are for data at the forefront of America’s culture-wars, from allegedly rigged elections to banned books to transgender inmates. With public records in hand, Metric has targeted liberal politicians with negative reporting, criticized the funding of nonprofit organizations, and published personally identifying details about small-town residents who spoke up at school board hearings. Unlike traditional journalism, Metric’s stories do not air dueling perspectives or offer targets a chance to comment."

https://www.cjr.org/tow_center/pink-slime-networks-are-weaponizing-foia.php

When I saw the other journalists that were nominated, I didn't think there was a chance (e.g. ProPublica was nominated for their excellent investigative reporting uncovering the Pentagon's reliance on Chinese contractors for cloud work). I'm very flattered to be in such great company. Thank you to the Institute for Security and Technology (IST) for this award.

Last night's IST gala at the National Press Club was a stroll down memory lane in many ways. Ran into people I haven't seen in person for ages, and most of them have been involved in shaping cybersecurity policy for 25+ years.

It was also bittersweet because I spent a lot of time at the Press Club as a reporter at The Washington Post, and I'm still livid about the insanity of the 300 or so WaPo journalists who lost their jobs this week.

I'm particularly mystified by the decimation of the Post's Metro staff; despite its stature as a top source of national and international news, The Washington Post has always maintained a strong focus on what's going on in the DC area. When they merged washingtonpost.com with the dead tree edition in 2009 and eliminated my job, the mantra of the company was they wanted to be THE source of news about what's happening in the Nation's Capital, and how policy being made in DC affects the rest of the world. Here's part of what I told the audience last night:

"I was horrified this week to see The Washington Post lay off 300 of its 800 remaining journalists -- the third major staff reduction in as many years. A lot of the cuts are deeply affecting the foreign and local metro staff; it's easy to forget the Watergate scandal started as a metro story. Probably we need several hundred more reporters digging into what this administration is doing, because Watergate frankly can't hold a candle to it all."

"I'm hoping all of the post-Posties will land in a better place soon, but I also hope they can keep doing their important work regardless of where it comes from. And I will continue to advocate for, support and encourage anyone who wants to go the independent route. I think journalism is going to be just fine for now, but I'm not sure I share the same view about many traditional news organizations. I hear from a lot of reporters considering the going out on their own worry about not having a big publication name to automatically open doors for them, or watch their backs legally, and those are certainly big adjustments of going solo. But you know what makes all that worth it? When you're breaking news that forces important people to answer hard questions, and the gatekeepers go, wait, who are you with again?"

https://www.linkedin.com/feed/update/urn:li:activity:7425373027145752577/?commentUrn=urn%3Ali%3Acomment%3A(activity%3A7425373027145752577%2C7425575747831947264)&dashCommentUrn=urn%3Ali%3Afsd_comment%3A(7425575747831947264%2Curn%3Ali%3Aactivity%3A7425373027145752577)

So, rather than watch the rest of the performers bow out of gigs, he's just going to close it down for construction? Can't wait to see what he does with the place. From WaPo: "Trump plans to close Kennedy Center for about two years, starting in July. Under the proposal, the Kennedy Center could close on July 4, coinciding with America’s 250th anniversary." “I have determined that The Trump Kennedy Center, if temporarily closed for Construction, Revitalization, and Complete Rebuilding, can be, without question, the finest Performing Arts Facility of its kind, anywhere in the World,” Trump wrote in a post on Truth Social. “In other words, if we don’t close, the quality of Construction will not be nearly as good, and the time to completion, because of interruptions with Audiences from the many Events using the Facility, will be much longer. The temporary closure will produce a much faster and higher quality result!” https://www.washingtonpost.com/style/2026/02/01/kennedy-center-trump-closure-construction/

The WSJ reports that Google has moved to seize dozens of domains belonging to IPIDEA, a Chinese residential proxy service and the largest by far with ~10M proxies for rent. Google has also taken steps to remove hundreds of apps affiliated with the company from Android devices https://www.wsj.com/tech/google-aims-knockout-blow-at-chinese-company-linked-to-massive-cyber-weapon-3c3fdc40?st=tzboX3 Earlier this month, we broke the news about how the world's biggest botnet -- Kimwolf -- grew very quickly to well more than 2 million devices by exploiting a weakness in IPIDEA that allowed them to probe the local networks of proxy endpoints, and infect unofficial Android devices like TV boxes. https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/ IPIDEA's proxy service has become synonymous with these Android TV boxes, which generally come backdoored at purchase. According to Synthient, the proxy tracking startup that figured out how Kimwolf was spreading, the majority of traffic being funneled through IPIDEA proxies is for account takeover activity and ad fraud. Here's the announcement from Google: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network

Letting AI agents run your life is like handing the car keys to your 5-year-old. What could go wrong?

I was marveling while reading this PCMag piece, which describes how to secure an agentic AI setup that essentially mimics malware: To do it's job properly, the AI agent has to be able to read private messages, store credentials, execute commands, and maintain a persistent state. How do you do that? You chase after it like you would your child.

"The important thing is to make sure you limit "who can talk to your bot, where the bot is allowed to act, [and] what the bot can touch" on your device, the bot's support documentation says."

https://www.pcmag.com/news/clawdbot-moltbot-hot-new-ai-agent-creator-warns-of-spicy-security-risks?test_uuid=04IpBmWGZleS0I0J3epvMrC&test_variant=A

We knew this was coming, but now the clock is running. From Privacy International: "Yesterday the Trump Administration announced a proposed change in policy for travellers to the U.S. It applies to the powers of data collection by the Customs and Border Police (CBP)." "If the proposed changes are adopted after the 60-day consultation, then millions of travellers to the U.S. will be forced to use a U.S. government mobile phone app, submit their social media from the last five years and email addresses used in the last ten years, including of family members. They’re also proposing the collection of DNA." PI linked to and summarized a Federal Register entry describing the proposed requirements: -All visitors must submit ‘their social media from the last 5 years’ -ESTA (Electronic System for Travel Authorization) applications will include ‘high value data fields’, ‘when feasible’ ‘telephone numbers used in the last five years’ -‘email addresses used in the last ten years’ -‘family number telephone numbers (sic) used in the last five years’ -biometrics – face, fingerprint, DNA, and iris -business telephone numbers used in the last five years -business email addresses used in the last ten years. https://www.privacyinternational.org/news-analysis/5713/trump-administration-wants-your-dna-and-social-media The Federal Register entry says comments are encouraged and must be submitted (no later than February 9, 2026) to be assured of consideration. Federal Register entry: https://www.govinfo.gov/content/pkg/FR-2025-12-10/pdf/2025-22461.pdf

New, by me... Dismantling Defenses: Trump 2.0 Cyber Year In Review The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, have come at such a rapid clip that many readers probably aren’t even aware of them all. https://krebsonsecurity.com/2025/12/dismantling-defenses-trump-2-0-cyber-year-in-review/

In other depressing IoT news, iRobot, the maker of the popular Roomba vacuums, files for bankruptcy and sells itself to Chinese company. Hello cameras and mics in bajillions of homes. https://www.cbsnews.com/news/irobot-bankruptcy-irbt-roomba-app-continue-to-operate/

The CEO of The Onion set the publication's goal for 2026 to have more subscribers than The Washington Post. At the rate the latter is going, that won't take long. "For reasons we don't like or understand, our work has become increasingly important." "Look, we're an independent company, we don't use AI to write headlines and make art, and we're one of roughly three publications who are up for the fight. Unlike other places, The Onion is quadrupling down on being a pain in the ass, politically. Are you? https://www.linkedin.com/posts/ben-collins-28263a52_its-been-a-big-year-for-us-at-the-onion-ugcPost-7400218696058810368-7nVB?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAAliaMB3BQO-WOS-eUh-XU4HAd5h8pTzkI

I always wince a little when I see graphs and charts on the homepage of some news outlet, but this one was really well done and conveyed a lot of interesting and timely information in very few words. https://www.washingtonpost.com/business/2025/11/24/sp500-stock-market-tech-nvidia/

I have quite a few projects I'm super excited to publish in the coming weeks. But honestly, the main thing that's consuming my brain cycles story-wise is a year-end piece about just how badly this administration has fscked our cybers in so many ways. This won't be a polemical soliloquy. I intend to document all of the specific actions this administration has taken that appear to weaken, redirect, or fully castrate our cyber capabilities. Your assistance would be appreciated (and possibly noted).

This is pretty wild. Checkout.com got hacked by a group that claims to be Shiny Hunters again. Checkout said in blog post that it would not be extorted by criminals. "We will not pay this ransom. Instead, we are turning this attack into an investment in security for our entire industry. We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to support their research in the fight against cybercrime." Far too many victim firms just pay up, to get back to business as usual asap. Imagine if a fraction of those victims instead paid into a fund for research that actively disrupts these groups. https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion

I'm pretty sure Mastodon is the first social network I've been on that didn't immediately ask me to betray all of the people in my address book.