Reading view

MyPillow must decide whether to be firm or soft as ransomware crims demand pay

Crims found the soft spot in the company's security. MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed by Play ransomware extortionists as an alleged victim. The pillow shop first appeared on Play’s name-and-shame data leak site on Monday, with the gang threatening to leak stolen data by Friday if MyPillow execs don’t pay the ransom demand. While the extortionists didn’t specify how many gigabytes of data they allegedly stole from MyPillow, they claim it includes “private and personal confidential data, client documents, budget, payroll, IDs, taxes, finance information” and more, according to the dark-web post seen by The Register and shared on social media by threat-intel firm FalconFeeds. MyPillow did not immediately respond to The Register’s inquiries. We will update this story if we receive any response. As of May 2025, the FBI said Play ransomware operators had allegedly exploited about 900 organizations, and the crew’s ransomware variant consistently ranks among the top five targeting critical infrastructure. Play previously stole around 65,000 Swiss government files after breaching its IT supplier Xplain in 2023. A year later, the group hacked Microchip Technology. The American semiconductor manufacturer told regulators that the ransomware attack disrupted some of its business operations and cost it $21.4 million in expenses related to the security incident. North Korean government goons have also used Play ransomware in their intrusions. Cisco Talos' incident responders previously told The Register that Play was one of the crews that used so-called "EDR killers" to disable endpoint security products in their ransomware infections. MyPillow is probably best known for its founder and CEO's politics. Lindell is a major proponent of President Trump’s false claims that the 2020 election was stolen, and is now running for Minnesota governor. ®

  •  

Encrypted DNS in 2026: DoH, DoT, DoQ and DoH3 protocol comparison — including DNS hijacking attack vectors and what each protocol actually prevents

The security angle on encrypted DNS is often oversimplified. DoH prevents ISP-level snooping and basic DNS hijacking, but doesn't protect against a compromised resolver. DoT is easier to detect and block, which has real implications for threat actors trying to exfiltrate via DNS. DoQ is interesting from a security perspective because QUIC's connection ID migration makes traffic correlation harder. Article includes benchmark data and practical server config — but mostly written for the "which threat model does each protocol address" question.

submitted by /u/AnywhereOk3723
[link] [comments]
  •  

OTP lockout state leaked valid-code signal, enabling OLX account takeover

I published a technical write-up on an old OLX account takeover issue.

The core bug was an OTP correctness leak inside the rate-limit state.

After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent.

Invalid codes during lockout still produced the invalid-code signal.

The valid code during lockout removed that signal while keeping the lockout message.

That made the lockout state act as an oracle for whether the OTP was correct.

The broader impact came from reuse of the verification flow across account paths, including recovery/reset-style flows, plus weak session revocation behavior after password change.

The write-up focuses on the response-difference behavior, why the validity window mattered, how the issue escalated to account takeover, and why lockout states must stop leaking success/failure information.

submitted by /u/TheReedemer69
[link] [comments]
  •  

Experts pour cold borscht on Farage's Russian hack claim

National security and digital forensics experts have called foul on Nigel Farage's "disturbing" and unsubstantiated claim that Russia was behind the leak of a story about the UK politician receiving a £5 million gift from a crypto billionaire. Sources inside Farage's right-wing Reform UK told the Mail on Sunday that the party leader believes Russian spies hacked his phone and relayed details about Christopher Harborne's gift, a matter of which only four people were aware. Farage was said to have engaged outside "counter-espionage experts" to perform a technical analysis of his device – analysis that was said to point to Russia. According to Peter Sommer, professor of digital forensics at Birmingham City University, whichever outfit was entrusted to carry out this work would have been looking for two different types of markers to prove Russia was involved. These would be either the phishing message Farage clicked on that allowed Russia to access his private communications or the malware code an attacker used to exfiltrate them. "It's obviously trivial to disguise the source of an email, so that doesn't help," Sommer told The Register. "And the second thing is if you're talking about looking for hacking codes, hackers, whether they are juveniles or people in major SIGINT systems, are likely to be stealing from each other, so there's nothing unique about a code that would say where it comes from." Sommer also highlighted that advanced intelligence powers have tools at their disposal to obfuscate the source of malicious code. The CIA's leaked Marble Framework supposedly had the ability to translate malicious code into any language, including those used by its chief adversaries. "Now, absent from that, how on Earth do you determine that this is a Russian hack?" Sommer asked. Neither Farage nor Reform UK has spoken officially on the alleged Russian phone hack. They have not specified which experts on whose conclusions they used to make the claims, they have not stated what evidence pointed to Russia's involvement, and they have not committed to making this forensic assessment available for public scrutiny. Opening up the data for verification was one of the core issues raised by Ciaran Martin, founding chief executive of the UK's National Cyber Security Centre (NCSC), who labeled Farage's claims "disturbing" and "without any merit." Speaking to The Guardian, Martin said that not only is the lack of clear evidence concerning, but also if Russia was behind the hack-and-leak operation, a deliberate attempt at destabilizing a foreign democracy, then it would have significant consequences for the UK's Russia policy. "An aspiring prime minister has essentially claimed that Russia has launched an unprecedentedly aggressive intervention – a malicious intervention – in British politics, and he's not produced a shred of evidence to support that claim," Martin said. "It is a very, very serious thing to allege. It would be a national security issue," he added. "If it is true, the government should be in emergency session in COBR right now, considering their response to the most serious Russian intervention in internal British affairs for years." He said the claims published by the Mail on Sunday, at present, are unsubstantiated, and if true, in normal circumstances, this would prompt a formal government response. The Reg understands that the NCSC has not been engaged by Farage or Reform UK over the matter. The National Crime Agency did not respond to questions regarding its involvement and the Metropolitan Police Service declined to comment. Reform UK did not respond to our requests for more information, nor did Nigel Farage's office. What exactly did Reform UK claim? According to sources who spoke to the Mail on Sunday, Russian spies hacked Farage's phone, ascertained details about Harborne's £5 million donation to the party leader, and leaked it to The Guardian, which first reported the story. The Guardian said at the weekend that Farage is now under "mounting pressure" to prove his claim about the Russian phone hack. There is no indication the Graun 's reporting was connected to any illegal activity or Russian spies, but Farage is implying so, telling the Mail on Sunday: "This shocking revelation brings into question The Guardian’s judgment and whether Reform can cooperate with them in future." According to the analysis of Farage's phone, carried out by the unidentified counter-espionage experts, the findings were "almost certainly linked to Moscow," the Reform UK source said. They also claimed that spear-phishing tactics were used to compromise his phone, email, and bank accounts. "It bore all the sophisticated hallmarks of a nation-state actor using destabilization techniques in the run-up to this month's local elections," the source added. Farage said: "These actions by Russia are deeply concerning and highlight the threat they pose to British security." Regarding the motive for such an attack, Reform UK believes its leader angered Russian president Vladimir Putin by previously expressing support for NATO. He has said in the past that UK forces should shoot down Russian aircraft if they enter NATO airspace, and joined controversial calls for Ukraine to be admitted to the military alliance. The party also said that Harborne may be a target for the Russian regime because he joined former prime minister Boris Johnson on a trip to Ukraine in 2022, designed to showcase the impact of Russia's invasion earlier that year. ®

  •  

The War Between Wars: How an IRGC Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire

The first sign wasn’t a security alert. It was a temperature reading.
A food plant’s cold rooms were warming up and the product was spoiling. The engineers expected a dead compressor. Instead, someone had been inside the controllers and rewritten them on purpose: setpoints, safety limits, valves pinned open, and the engineers’ own remote account locked out while the plant failed. Three compressors destroyed. No malware required, just an attacker who understood refrigerant physics.
On the same network, our team found a disk wiper hiding as a fake Microsoft update.
One IRGC-directed front. Two target sets, IT and OT. And it all ran under a ceasefire, when everyone had been told the fighting was over. That’s not a coincidence. It’s the doctrine.
Our IRT broke the whole thing down, with GRAT IOCs and a YARA rule:

submitted by /u/GelosSnake
[link] [comments]
  •  

Welcoming the Bhutanese Government to Have I Been Pwned

Welcoming the Bhutanese Government to Have I Been Pwned

Today, we welcome the 45th government onboarded to Have I Been Pwned’s free gov service: Bhutan. The Bhutan Computer Incident Response Team, BtCIRT, now has access to monitor Bhutanese government domains against the data in HIBP. As Bhutan’s national CIRT, BtCIRT is responsible for consuming threat intelligence and sharing relevant insights with its constituents, helping identify and respond to cyber risks affecting government services and the people who depend on them.

This is exactly the sort of organisation the HIBP government service was built to support: national cybersecurity teams using breach data to identify leaked credentials and compromised databases associated with their government domains.

BtCIRT now joins the growing list of national CIRTs and government cybersecurity teams using HIBP to better understand their exposure, respond quickly when new breaches appear, and reduce the risk posed by compromised credentials before attackers can take advantage.

  •  

CVE-2021-21735: ZTE H168N wizard whitelist exposed PPPoE and WLAN secrets pre-auth

Disclosure/write-up for CVE-2021-21735 affecting the ZTE ZXHN H168N V3.5.

The issue is cataloged as information disclosure, but the useful part is the authorization failure: wizard handlers under the setup surface exposed PPPoE and WLAN material that should have required authenticated configuration access. Firmware analysis points to a brittle whitelist decision around the QuickSetup flow, including routes such as wizard_pppoe_lua.lua and wizard_wlan_config_lua.lua.

The write-up keeps secrets redacted and focuses on the route behavior, firmware logic, deployment-dependent admin compromise path, disclosure timeline, and the ZTE Low vs NVD Medium severity split.

submitted by /u/TheReedemer69
[link] [comments]
  •  

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia’s intelligence agencies.

An investigator with the Tax Intelligence and Investigation Service (FIOD), the Dutch financial crimes agency, during the raid. Image: FIOD.

The Dutch daily news outlet de Volkskrant reports that the Dutch financial crime agency FIOD on May 18 arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague, charging them with violating sanctions law by directly or indirectly making economic resources available to EU-sanctioned entities.

The Dutch investigation focuses on Stark Industries, a sprawling hosting provider that materialized just two weeks before Russia invaded Ukraine. As detailed in this May 2024 deep-dive, Stark quickly became the source of massive distributed denial-of-service (DDoS) attacks against European targets, and emerged as a top supplier of proxy and anonymity services that showed up time and again in cyberattacks linked to Russia-backed hacking groups.

That report identified two Moldovan brothers — Ivan and Yuri Neculiti and their company PQHosting — who were providing one of Stark’s two main conduits to the larger Internet. In May 2025, the EU sanctioned PQHosting and the Neculiti brothers for aiding Russia’s hybrid warfare efforts. But as KrebsOnSecurity observed in September 2025, those sanctions failed to target Stark’s remaining connection to the Internet — an Internet service provider based in the Netherlands called MIRhosting.

MIRhosting is operated by Andrey Nesterenko, a 39-year-old Russian native who runs the business out of the Netherlands.  News that PQHosting and the Neculiti brothers were about to be sanctioned by the EU leaked in the media nearly two weeks before the sanctions were announced last year. During that time, the Stark network assets were transferred from PQHosting to a new entity called the[.]hosting, under the control of the Dutch entity WorkTitans BV.

And as our September 2025 report showed, WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad. On top of that, WorkTitans was getting connectivity to the larger Internet solely through MIRhosting, where Zinad had worked previously.

On May 18, Dutch financial crime investigators arrested Nesterenko and Zinad, and searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. A statement from the Dutch authorities said they also seized laptops, telephones and more than 800 servers.

A message to the-hosting customers immediately after 800 of its servers were seized by Dutch authorities. The message says that unfortunately data stored on the server has been lost and cannot be recovered.

De Volkskrant said it reviewed data showing WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies between November 13 and 19, 2025, the week of Denmark’s municipal elections.

The publication wrote that prior to Nesterenko’s arrest, the MIRhosting founder denied that he knew his servers had been misused by pro-Russian cybercriminals. “He said he had ended all services with the Neculiti brothers when the EU sanctions came into force in May 2025,” and the he “reserved all rights to take action against ‘harmful and incorrect publications,” de Volkskrant wrote.

MIRhosting released a statement saying it has initiated an internal investigation into the alleged facts concerning the elections in Denmark, and that it has temporarily paused services to WorkTitans as a precautionary measure while the matter is being reviewed further.

“Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections,” the statement reads. “No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident. Furthermore, prior to the media publication, we had not received any complaints, abuse reports, or official requests regarding suspicious activities or misuse of our network. Meanwhile, our regular operational activities continue, and our service to our other clients remains fully intact.”

Born in Nizhny Novgorod, Russia, Mr. Nesterenko grew up as a piano prodigy who performed publicly at a young age. In 2004, Nesterenko founded MIRhosting’s parent Innovation IT Solutions Corp., which has the notable distinction of being the company responsible for hosting stopgeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Responding to questions shared via email, Nesterenko said MIRhosting does not support cybercrime, sanctions evasion, or illegal activity, and that the allegations and arrest by Dutch authorities have been extremely harmful to him and his company.

“The transition to the.hosting was not intended to evade sanctions,” Nesterenko wrote. “The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong.”

Far less is public about the 57-year-old Zinad, who reportedly has been keeping a low profile since our story last year. De Volkskrant reported that Zinad blocked access to his LinkedIn account, had gone months without responding to emails, WhatsApp messages and phone calls, and told a colleague that illness was forcing him to lead a somewhat more reclusive life.

Mr. Zinad’s now-defunct LinkedIn profile. It was full of posts for MIRhosting’s services.

Mr. Nesterenko claims Zinad was never an employee of MIRhosting.

“He helped me and MIRhosting with certain business tasks under a normal business-to-business arrangement between companies,” Nesterenko explained.

However, in previous emails to KrebsOnSecurity, Nesterenko carbon copied Mr. Zinad (who had a @mirhosting.com email), explaining that he was part of the company’s legal team. Also, the Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s offices in Almere.

Mr. Zinad has never responded to requests for comment. Nor did de Volkskrant have any luck tracking him down. The publication said it repeatedly asked Mr. Zinad (referred to here as simply “Z”), but he reportedly avoided every form of contact.

“‘I am unavailable but will respond to your message as soon as possible,’ reads an automated reply on WhatsApp on 2 October 2025,” de Volkskrant reported. “It is the only response de Volkskrant would receive in months. He did not pick up his phone and did not call back. When an acquaintance asked him via LinkedIn to contact the reporter, he blocked access to his LinkedIn page. At an address in Almere where Z.’s personal limited company is registered, no one was present in April. The corner house’s blinds were drawn, and a pile of rubbish bags lay outside next to a container, as if someone had recently left. A neighbour said he knew the man but did not know where he was staying. Z. was later arrested at a residence in Amsterdam.”

  •  

Threat Intel: ShinyHunters Leaks 9.4GB Database of 7-Eleven Franchisee Systems Post-Extortion Refusal

Overview: On May 24, 2026, the data breach notification service Have I Been Pwned (HIBP) integrated a dataset originating from an April 2026 extortion campaign targeting 7-Eleven. The breach, attributed to the threat actor group ShinyHunters, compromised 185,300 unique accounts and resulted in a 9.4GB cleartext data dump following the organization's refusal to comply with ransom demands.

Attack Vector & Targeted Infrastructure

The initial compromise occurred on or around April 8, 2026. Forensic indicators and lateral movement tracking indicate the threat actors did not target point-of-sale (POS) networks or central customer-facing databases. Instead, the breach was localized to external cloud-managed systems - specifically infrastructure dedicated to corporate franchisee document management and onboarding portals.

The vector aligns with recent ShinyHunters operational methodology involving targeted credential harvesting, session hijacking, and the exploitation of permissive API keys within integrated third-party identity management providers.

Data Profile & Exfiltrated Schemas

Following a failed extortion deadline set by the actors between April 17 and April 21, the full 9.4GB archive was leaked to the public internet. The schema validation confirms that the compromised database contains:

  • Primary PII: Full names, verified email addresses, mobile and landline telephone numbers, and residential physical addresses.
  • Sensitive Administrative Records: Dates of birth and corporate filing metadata.
  • Vetting Documentation: A subset of the leaked files contains sensitive background check documentation, including Social Security Numbers (SSNs) and state-issued identification numbers submitted during the franchise application phase.

Operational Timeline

  • 2026-04-08: Detection of unauthorized access to the franchisee document storage cluster.
  • 2026-04-17: ShinyHunters list 7-Eleven on their public Tor leak site, establishing a 4-day payment window.
  • 2026-04-22: Following 7-Eleven's administrative refusal to negotiate or pay the extortion fee, the actors published the complete unencrypted archive.
  • 2026-05-24: Complete data ingestion, de-duplication, and formal verification completed by HIBP.

Technical Analysis & Core Metrics

The incident highlights a persistent trend where threat actors deliberately target non-production, administrative, or third-party adjacent business environments to bypass hardened perimeter controls protecting primary consumer data.

submitted by /u/technadu
[link] [comments]
  •  

Anthropic to release Mythos-class models to the public

Anthropic has revealed its intention to one day release models that match the performance of its Mythos bug-finding AI to the public, once it can make them safe. In case you came in late, in early April Anthropic announced it had developed a model called Mythos that is so good at finding security vulnerabilities in programming code that the company decided to offer it only to select entities because allowing unfettered access would mean cybercriminals could quickly discover and exploit software flaws. That access program is called “Project Glasswing” and participants report it quickly finds many bugs but few that humans couldn’t find given enough time and resources. Those with access to Mythos have also sometimes said the quantity of bugs it finds somewhat overwhelms their ability to patch them all. The mere existence of Mythos has sparked a little panic – Japan’s government ordered a sweeping security review and Indian authorities demanded a patching spree at financial institutions – plus a general realization that even lesser AI models are also decent bug-finders, meaning cyber-defenders must now expect attackers will weaponize more flaws, more often. No company—including Anthropic—has developed safeguards strong enough to prevent such models from being misused Anthropic last week published an “initial update” on Project Glasswing that in its second-to-last paragraph reveals the company’s next step will see it “… work with critical partners – including US and allied governments – to expand Project Glasswing to additional partners. And in the near future, once we’ve developed the far stronger safeguards we need, we look forward to making Mythos-class models available through a general release.” The company didn’t explain what it means by “near future” and admits that “At present, no company—including Anthropic—has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm.” Further illustration of that assertion can be found earlier in the company’s post, which reveals that Anthropic has used Mythos to scan more than 1,000 open-source projects that it says “collectively underpin much of the internet – and much of our own infrastructure.” To date, Mythos has found an estimated 6,202 high-or-critical-severity vulnerabilities in these projects – and 23,019 flaws in all. The post reveals that when Mythos finds a flaw, Anthropic and its pals in the security community reproduce the issue that Mythos has found and “re-assess its severity.” “Once we’ve confirmed that a vulnerability is real, we check for whether there are already fixes in place, and write a detailed report to the software’s maintainers,” Anthropic explains. “We take considerable care here: on top of the regular challenges of maintaining open-source software, maintainers have been facing a deluge of low-quality, AI-generated bug reports. Indeed, several maintainers have told us they’re currently severely capacity constrained, and some have even asked us to slow down our rate of disclosures because they need more time to design patches.” 1,752 of the high-or-critical-rated vulnerabilities Mythos found in FOSS have gone through that process and 90.6 percent (1,587) proved to be valid flaws. Of those, 62.4 percent (1,094) “were confirmed as either high-or-critical-severity,” the post states. One of the critical flaws impacted the wolfSSL cryptography library used by billions of devices worldwide. “Mythos Preview constructed an exploit that would let an attacker forge certificates that would (for instance) allow them to host a fake website for a bank or email provider,” Anthropic wrote. “The website would look perfectly legitimate to an end user, despite being controlled by the attacker.” Thankfully, developers have already patched wolfSSL, and Anthropic said it will deliver a full technical analysis “in the coming weeks.” Keep an eye out for CVE-2026-5194 to learn more about this one. Mythos is adding to an already overloaded security ecosystem “75 of the 530 high-or-critical-severity bugs we’ve reported have now been patched, and 65 of those have been given public advisories,” the post states, then explains that low fix rate by revealing Anthropic is “still early in the 90-day window that’s set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon.” The company thinks it is also “likely to be undercounting patches because some vulnerabilities are patched without a public advisory.” Lastly, the flood of bugs Mythos found “is adding to an already overloaded security ecosystem.” Anthropic’s suggestion for security teams struggling to develop fixes for bugs AI discovered is, unsurprisingly, more AI such as skills that improve its Claude model’s ability to help developers. ®

  •  
❌