
The extremes of tech

TAME YOUR TECH By Susan Bradley Data centers are in the headlines these days, from the number being built to the energy and water they consume and to the noise they produce. But because neither you nor I will ever own a data center, I’m going to discuss some of the extremes that impact our […]

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

Malicious streaming devices sold online that enroll the user's home Internet address in a residential proxy service. Image: Synthient. Pictured are 8 different TV boxes, including the X96 Mini Box, stick, and other no-name brands.

Malicious streaming devices sold online that enroll the user’s home Internet address in a residential proxy service. Image: HUMAN Security.

Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.

Experts say Popa is a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes. These devices, which are marketed under thousands of brand names and model numbers and broadly available for purchase at top e-commerce destinations, all advertise the ability to stream hundreds of subscription video services for an upfront one-time fee.

But as the FBI and security industry experts have warned repeatedly, these streaming boxes typically bundle or come pre-installed with software that turns the user’s TV into a “residential proxy” — allowing anyone to route their Internet traffic through that device for as long as it remains plugged into a wall socket and connected to a local network. More concerning, some of these proxy networks do little to stop malicious customers from communicating with and even compromising systems on the local network of the unsuspecting device owner.

The first clues about Popa’s origins came in a 2025 report from the Chinese security company XLAB, which flagged at least nine domain names that were used to register and direct the activities of compromised devices. In a report released today, the security firm Qurium described how it stumbled on some of those same domains while investigating a series of disruptive and expensive data scraping events targeting the company’s hosted organizations in May 2026, in which the scraping activity was scattered evenly across more than 1.4 million Internet addresses.

Qurium said it found several dozen domains used to control Popa that were all hosted in lockstep across multiple Internet addresses over time, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io. Digging deeper, Qurium discovered gmslb[.]net was referenced in dozens of pirated or modded video content streaming apps, such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob and HD/OceanStreams.

Qurium’s report notes that most of the domains long used to control the Popa botnet were seized or dismantled in July 2025, after Google, HUMAN Security and Trend Micro teamed up to disrupt Badbox 2.0, a botnet that is closely associated with Vo1d. Qurium said that immediately after that disruption, several dozen new domains were registered to serve as controllers for the Popa botnet, but that one of those control domains was not new: ninjatech[.]io.

Ninjatech is a company founded by Moishi Kramer, whose LinkedIn profile says he is vice president of research and development at NetNut. That resume credits Kramer for helping NetNut to build from the “ground up,” “designing the architecture,” and “scaling the NetNut” before the company was acquired by Alarum Technologies. A self-created listing at the job board F6S references Kramer as the sole owner of the Ninjatech domain (a screen capture of it is pictured below).

Image: F6S.com.

Responding via email, Mr. Kramer said Ninjatech ceased operations approximately five years ago, when the company sold a software development kit (SDK) called Popa that was designed to use a small portion of a device’s bandwidth and to run only after the host application obtained user consent.

“That code was sold and licensed to third parties including resellers years ago,” Kramer said. “Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it.”

Kramer said neither he nor NetNut builds, operates or maintains the infrastructure being described as Popa, nor does he control the Ninjatech domain.

“I didn’t register the June 2025 domains you mention, and I don’t know who did,” he continued. “I have no control over, or visibility into, that infrastructure. I can only tell you it isn’t operated by me or by NetNut.”

But in a separate Popa research report released today, the proxy-tracking company Synthient said a recent analysis of the Popa SDK revealed outbound traffic clearly associated with NetNut.

“The research team assesses with high confidence that devices running Popa forward traffic from Netnut clients,” Synthient wrote. “This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool.”

Synthient’s platform receiving outbound traffic from Popa. Image: Synthient.com.

Alarum Technologies, NetNut’s Tel Aviv-based parent company, said the reports by Synthient and Qurium contained “demonstrably inaccurate assertions and flawed deductions rather than verified facts.” Alarum shared a statement saying they reject the basic characterization of the SDKs and technologies discussed in the reports as a “botnet.”

“The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate,” the statement reads. “Netnut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services.”

Alarum said NetNut places “significant emphasis on appropriate notice and consent mechanisms, conducts customer due diligence, monitors for potential misuse, and takes steps intended to detect and mitigate suspicious or unauthorized activity.”

“This method of operation is supported both by internal procedures and policies, including performing KYC checks and additional due diligence of NetNut’s customers, as well as employing various technological measures, designed to assist in identifying and addressing suspected misuse of the network,” their statement continued.

However, in a report released on June 8, the proxy tracking service Spur asserted that NetNut does not require corporate verification or meaningful “know your customer” procedures before allowing customers to purchase proxy access.

“An individual can sign up, pay, and route traffic through partner address space, including space belonging to institutions whose users never opted in,” Spur wrote. “The ‘verified corporations only’ claim is simply marketing for bandwidth sellers, not an access control on who actually uses the proxies.”

“Nor is NetNut the only front door,” Spur continued. “A number of downstream white labelers and resellers repackage the same ISP proxy pool under their own brands. These outlets typically perform no KYC at all, less scrutiny than NetNut itself, who at the very least might assign an account manager to potential users. Anyone who knows where to look can buy access through a reseller with nothing more than a burner email address and $5 in crypto.”

Synthient found that although the most recent builds of Popa (as of three months ago) have added the ability to ask the user for consent before installing proxy components, not all variants or previous versions of Popa contain this functionality.

“Of the over 20 genuine Popa publishers analyzed, none of them were observed asking for user consent,” Synthient wrote.

THE PREVALENCE OF POPA

Chris Formosa is senior lead information security engineer for Black Lotus Labs, a division of the Internet backbone carrier Lumen Technologies.

“What especially makes Popa dangerous is just how widely used NetNut is for reselling and sharing,” Formosa said, explaining that many other proxy services simply resell NetNut proxies rather than building out their own far-flung proxy networks. “So these Popa IPs appear in tons of different services all over the ecosystem, which makes it one of the most problematic and dangerous proxy botnets on the market currently.”

Formosa said the Popa botnet averages between 1.5 million and 2.5 million distinct IP addresses each day, relying on between 250 and 300 Internet addresses that are used to direct its activities.

“That’s why Popa is so dangerous,” Formosa said. “It may not be the largest botnet we have seen, but it is spread all over the industry, making its power very amplified.”

Formosa said while that makes Popa one of the larger botnets out there today, its numbers pale in comparison to those previously boasted by IPIDEA, a China-based proxy provider that until recently operated a daily pool of nearly 10 million devices that they resold as proxies to anyone. In January 2026, Synthient published research showing that multiple new large DDoS botnets had grown rapidly by tunneling through IPIDEA proxies into the local networks of unsuspecting TV box owners and infecting other Android-based devices behind the user’s firewall.

IPIDEA is based largely on SDKs used to view pirated streaming content on a vast number of TV box devices, but the service’s numbers have dwindled since January, when Google and industry partners took legal action to seize domain names that IPIDEA used to control devices and proxy traffic through them.

Jérôme Meyer, a security researcher at Nokia Deepfield, said the total population of devices participating in the Popa botnet may be far higher than Lumen’s estimates. Meyer told KrebsOnSecurity that Nokia is monitoring 26 of at least 359 known relay nodes for the botnet, and estimates that each relay node handles between 35,000 and 60,000 clients simultaneously.

“On the relay node subset I am looking at (26 of them), 750,000 unique sources in 24 hours,” Meyer wrote in response to questions.

Nokia Deepfield released its own report today on RoboVPN, a VPN app tied to the Vo1d botnet’s Popa plugin that Qurium attributes to NetNut/Alarum Technologies.

THE SYMBIOSIS OF PROXIES AND DATA SCRAPING

Experts say many of the world’s largest proxy providers have updated their public-facing branding to highlight their utility for training AI platforms, implying it is a primary use case for their residential proxies. That’s because AI services tend to rely on constantly mass-scraping the Internet for new text, images and video content that can be used to train large language models (LLMs).

NetNut and other proxy services have recast themselves as critical infrastructure for the AI scraping economy. Image: Synthient.com.

“AI companies depend on web-scraped content: for pre-training, for retrieval, for agent grounding, for search,” reads a report this month from Include Security that examines the prevalence of proxy SDKs in smart TV apps. “But the modern web isn’t scrapeable from a datacenter. Cloudflare, DataDome, HUMAN, among others throttle or block requests from known cloud IPs. The workaround is residential proxies. A scraping job routed through a Comcast or T-Mobile subscriber’s connection arrives at the target site from an IP that belongs to a paying residential customer.”

This non-stop content scraping has spawned more than 70 copyright infringement lawsuits against major tech companies that have acknowledged large-scale data scraping as a major source of the “brains” behind their commercial AI offerings. Ironically, much of that scraping is being aided by proxy services that are intimately tied to unofficial Android TV boxes and associated SDKs whose stated purpose is streaming pirated content.

The scraping activity has become so aggressive that it often overwhelms the targeted websites, preventing them from being reachable by legitimate visitors. In many reported cases, nonprofit organizations, libraries and universities have complained of constantly battling to keep their services online in the face of relentless data-scraping firms hiding behind residential proxy services.

A survey conducted last year by the Confederation of Open Access Repositories (COAR) found that while some content scraping bots are rather innocuous, “others are sufficiently aggressive that they are increasingly causing service disruptions in repositories and other scholarly communications infrastructures.” More than 90 percent of survey respondents indicated their repository is encountering aggressive bots, usually more than once a week, and often leading to slowdowns and service outages.

“Automated web scraping is nothing new, and has been the key technology underlying search engines such as Google for over 30 years,” wrote Brendan O’Connell, platform manager at the Directory of Open Access Journals (DOAJ), a free, community-curated index of peer-reviewed academic journals. “However, the current investor-fueled AI startup craze means there are now thousands of well-funded companies developing and deploying their own scraping tools to train AI models, alongside existing major players like OpenAI and Google.”

DON’T TOUCH THAT DIAL!

Across the United States, local communities are pushing back against the proliferation of new data centers aimed primarily at improving the capabilities of AI. But security experts say the general public remains largely unaware that using one of these unsanctioned Android TV boxes means their “smart TV” is almost certainly using a significant amount of bandwidth each month to help train modern AI models.

Even households without these sketchy TV boxes can still have their smart TVs turned into residential proxy nodes, just by downloading one of thousands of apps made available on Samsung and LG smart TVs. Spur said it recently scraped the LG and Samsung app stores and found that each had approximately 3,000 apps available for download. Many of these apps are simple games or utilities that state in the fine print that the user’s Internet connection will be used to download data and that they can opt out at any time.

Spur said it found that more than 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one’s television into an always-on residential proxy node. More than a quarter of the apps made for Samsung’s Tizen operating system had similar residential proxy components, Spur found.

Image: Spur.us.

Experts say it’s questionable whether TV apps with proxy SDKs can obtain meaningful consent from users for installing an always-on proxy connection, particularly when anyone in a household — including children — can effectively opt the family TV into a residential proxy network just by installing a simple game or app.

“Privacy-policy disclosure is the wrong control surface for a TV,” Include Security wrote. “It is hard to scroll through a legal document navigated by arrow keys on a remote, and the in-app consent dialog doesn’t convey that a paying customer is about to route their scraping traffic through the user’s home internet.”

Spur’s head of research Sean Simmons told KrebsOnSecurity that most people do not have a working mental model for what it means to sell access to their residential IP address, no matter what device they are using.

“And on a TV, the gap is even wider,” Simmons said. “A one-time prompt navigated with a remote can disappear into the setup flow, while the app keeps monetizing the connection long after anyone remembers what they accepted.”

Simmons said LG and Samsung should follow the lead of other TV platforms that have already drawn a line against residential proxy providers, pointing to policies by Amazon that prohibit apps facilitating proxy services for third parties. Likewise the TV streaming device maker Roku reportedly now bars developers from using proxy SDKs and has removed apps that bundled them.

Piracy-related apps pushing proxy SDKs onto unconsenting users. Image: Synthient.

Apps that turn one’s device into a residential proxy node are not limited to smart TVs and no-name streaming boxes, of course. As noted by the security firm Infoblox, mobile app developers can embed SDKs provided by the residential proxy networks into their products to monetize their software, allowing them to receive a small amount of money on each installation.

The result, Infoblox said, is that devices are frequently enrolled without the owner’s knowledge, typically through free applications such as VPNs, streaming apps, screensavers and “productivity” apps such as PDF viewers and break reminders.

All too often, these proxy services are beaconing out from employee devices brought into the workplace, Infoblox found. In a blog post earlier this month, Infoblox said it discovered that fully 65% of its customer base was querying one or more residential proxy-related domains.

“We saw steady growth in these queries in 2025, with a 25% increase over the year to over 500 billion per month,” Infoblox wrote. “Over 90% of our pharmaceutical and food & beverage customers have queried residential proxy indicators. Perhaps even more concerning is that over 60% of government and banking customers have as well.”

Infoblox researchers Nick Sundvall and David Brunsdon warned that with residential proxies in the corporate environment, external access is granted to an organization’s IP space.

“If threat actors were to abuse the residential proxy to attack a third party, the third party’s incident response would, correctly, identify your residential proxy as the source,” they wrote. “Untangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation. The stunning prevalence of these services within customer environments warrants attention from both network defenders and policy makers who should consider how the risks posed by residential proxies could be impacting their security posture.”
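The control domains Qurium names earlier in the article (gmslb[.]net, safernetwork[.]io, tera-home[.]com, ninjatech[.]io) and the Infoblox finding that customer resolvers query residential-proxy domains point to the same defensive check: watching DNS logs for those zones. The following added example, which is not code from the article or from any vendor it cites, runs that check over a few constructed log lines; the log layout, client addresses and the hypothetical "cdn."/"api." hostnames are assumptions, not observed indicators.

```python
"""Flag DNS clients that resolve names under known residential-proxy
control zones.  The watchlist is the set of Popa control domains named in
the article, kept in the defanged form reports publish them in; every log
line below is a constructed sample, not real telemetry."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Defanged exactly as a report would print them; refang() normalises them.
DEFANGED_WATCHLIST = [
    "gmslb[.]net",
    "safernetwork[.]io",
    "tera-home[.]com",
    "ninjatech[.]io",
]


def refang(domain: str) -> str:
    """'example[.]com' -> 'example.com', lower-cased, trailing dot removed."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def build_watchlist(defanged: List[str]) -> frozenset:
    return frozenset(refang(d) for d in defanged)


def matches_watchlist(qname: str, watchlist: frozenset) -> Optional[str]:
    """Return the watchlisted zone that qname equals or sits under, else None.

    Matching is done on label boundaries, so 'notgmslb.net' is not a hit
    while 'cdn.gmslb.net' is (a substring check would get both wrong).
    """
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Constructed log layout (assumption): '<timestamp> <client_ip> <qname>'."""
    parts = line.split()
    if len(parts) != 3:
        return None  # skip malformed lines rather than crash the sweep
    timestamp, client, qname = parts
    return timestamp, client, qname


def find_proxy_beacons(log_lines: List[str], watchlist: frozenset) -> Dict[str, List[str]]:
    """Map each client IP to the sorted list of watchlisted zones it queried."""
    hits = defaultdict(set)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, qname = parsed
        zone = matches_watchlist(qname, watchlist)
        if zone is not None:
            hits[client].add(zone)
    return {client: sorted(zones) for client, zones in hits.items()}


# Constructed sample log: mixed case, a trailing dot, a look-alike name that
# must NOT match, and one malformed line.
SAMPLE_LOG = """\
2026-06-10T08:01:12Z 10.20.30.41 cdn.gmslb.net
2026-06-10T08:01:15Z 10.20.30.41 www.example.org
2026-06-10T08:02:03Z 10.20.30.77 api.safernetwork.io.
2026-06-10T08:02:44Z 10.20.30.77 notgmslb.net
2026-06-10T08:03:09Z 10.20.30.99 updates.example.net
2026-06-10T08:03:31Z 10.20.30.41 TERA-HOME.COM
malformed-line
""".splitlines()


if __name__ == "__main__":
    watch = build_watchlist(DEFANGED_WATCHLIST)
    for client, zones in sorted(find_proxy_beacons(SAMPLE_LOG, watch).items()):
        print(f"{client}: {', '.join(zones)}")
```

A hit only says a device on that address resolved a proxy control zone; the next step is identifying the device (a TV box, a smart-TV app or a phone) rather than treating the address owner as the operator.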

Apple’s iOS 27 goes all agentic on compromised passwords, promises to change them with one tap

Apple says that its next-gen operating system will allow users to update their weak and compromised passwords with a single tap.

Upgrades coming to iOS 27, announced at Tim Cook’s last Worldwide Developers Conference (WWDC) this week, introduce a significant change to the way users manage their passwords.

“Building on its ability to alert users about weak and compromised passwords, Passwords can now automatically fix these for users with just a tap,” Apple said on Monday. “Using Apple Intelligence and Safari to agentically take action on a user’s behalf, Passwords securely navigates through websites to sign in and upgrade their accounts to strong passwords.”

The iGadget-maker’s existing password manager already flags passwords that are known to be included in prior data breaches, checking whether they appear in known data leaks. However, current Passwords still requires users to update affected accounts themselves and does not offer a way to change multiple compromised credentials at once. Selecting one of those alerts typically takes users to the relevant account page, where they must complete the password change manually.

The new update is designed to remove much of that legwork, with iOS 27 automatically navigating supported websites and updating eligible accounts to stronger passwords after user approval.

Of course, in the very brief section of the video in which the new capability was announced, the feature worked flawlessly. In practice, however, it remains to be seen how effective Passwords is at agentically navigating different websites’ login processes on behalf of users, especially if MFA is also set up on the account.

And for those of you who remember a story The Register covered earlier this year about the (in)security of AI-generated passwords, fret not. Apple’s Passwords app generates solid passwords by default – strings that, according to NordPass’ online password checker, are “strong” and would take centuries to crack.

Security company Irregular’s research from February looked at scenarios where users were querying LLM chatbots for password ideas, rather than looking at those generated by purpose-built password managers.

Siri state of affairs

As predicted by many, this year’s WWDC put Siri, now known as Siri AI, front and center as Apple looks to deliver on its promises made two years ago. It announced Apple Intelligence in 2024, but the offering has underdelivered on pretty much every count.

Analysts who spoke to The Register after the event on Monday were optimistic about what they saw on the AI front, but described Apple’s ability to deliver value for developers and users on its second roll of the dice as a credibility test.

The company announced a wide range of small AI-enabled upgrades coming soon to iOS 27, powered by Apple's Foundation Models, developed in collaboration with Google and its Gemini technology, in addition to the agentic password-fixing tease.

Individually, these features, such as enabling users to create shortcuts or Safari extensions by prompting Apple Intelligence using natural language, and Safari’s Notify Me, which allows users to monitor specific web pages for updates, are not revolutionary. They’re also not the type of features that are poised to set the AI industry alight. But for some, winning the AI race is less about being first to market with the biggest, baddest model; it’s about using AI in the most useful way.

"Rebuilt from the ground up, Apple is trying to make AI feel native, useful, and invisible across the devices people already use every day," said Francisco Jeronimo, IDC VP of client devices. "This matters because the winning AI experience for consumers will not be the loudest or most technically complex. It will be the one that understands context, respects privacy, works reliably across apps, and reduces friction without forcing users to change behaviour."

Apple’s iOS 27 will launch to the wider public in the fall, while devs can get their hands on the beta version now. This won’t come with the new dedicated Siri AI app, though. You’ll have to join a waiting list for that one. ®

Jeff Bezos Is Funding a Wild Hunt for the Brain's 'Core Algorithm'

Jeff Bezos is backing Flourish, a new "neuro AI" startup with $500 million in funding and a reported $2.5 billion valuation that aims to reinvent AI by studying the brain's architecture and building systems that learn continuously while using far less power than today's large language models. The company's long-term bet is that neuroscientists and AI researchers working together can uncover the brain's "core algorithm" and eventually create brain-inspired AI that runs on a tiny fraction of current compute. Wired reports:

Rob Williams knows how to pitch Jeff Bezos: You write a press release as if your product has already been built. Bezos reads it and gives a thumbs up or down. Williams went through this process a lot as an executive on Amazon's "S-team," in charge of software products such as Alexa, until his departure last fall. But the pitch he made a few weeks later -- in December 2025 -- was different. Now he was collaborating with Thomas Reardon, a neuroscientist and repeat startup founder, and approaching Bezos as a funder, not a boss.

Here's what Bezos, sitting on his yacht somewhere, read while Williams anxiously watched on Zoom: "Flourish is a neuro AI company that is solving the two most difficult problems facing AI today: power efficiency and continuous learning. We are building Cortex AI, the first synthetic intelligence system designed to match the computational capacity, learning efficiency, and power budget of the human brain."

A month later, I'm lunching with Reardon and Williams in the Flatiron neighborhood in New York City. Reardon gets right to the point. AI has dug itself into a hole, he says. Though increasingly powerful, large language models are greedy consumers of computer power and data. Though the inspiration for LLMs was rooted in biology, current frontier models have little in common with the human brain. A person uses about 20 watts of energy to process information; a single chip in an AI training cluster uses more than 30 times that amount. The hyperscalers require thousands of chips and gigawatts of energy, enough to power small cities. And those models need to suck up virtually all of what humans have written. Each new model requires more, more, more. For all of that, the models don't learn. Once you train them, they're stuck.

The goal, Reardon tells me, is to build "a synthetic artificial intelligence brain that runs on 50 watts or less." It should adapt to its conditions, be as nimble as a human mind, and burn a tiny fraction of an LLM's compute power and energy. The proof of concept is thriving inside our skulls. "There's something fundamentally wrong with saying, 'I need to basically read every book ever written 20 times over in order to learn English,'" Reardon says. "A human baby does it with a couple hundred thousand utterances."

Reardon and Williams haven't figured out yet how to build systems that match the magic of a human brain. What they have is a belief that an expert, well-resourced team -- of AI researchers and neuroscientists working essentially side by side -- can find the answer. The neuroscientists will conduct original wet lab experiments with some of the most advanced lab equipment available, to hunt for usable intel on the brain's architecture. They plan to release the models they're currently developing as near-term products on the path to a full reinvention of AI.

The fuzziness of the proposal didn't bother Jeff Bezos. After reading Williams' two-pager, he chipped in $50 million. Other funding came from Lux Capital, Google Ventures, and Catalio, among others. Bezos then almost doubled his initial stake and told Reardon he'd have given more if they'd asked. Now with a war chest of $500 million and a reported valuation of $2.5 billion, Flourish just needs to invent a new way to do AI.

Read more of this story at Slashdot.

Scientists Edited Human Embryo Genes. But Questions Remain

"A DNA-editing feat involving editing the genes of early stage embryos was announced this week," reports the Wall Street Journal. They describe the feat as "a far cry from designer babies, but nevertheless a step in that direction." Dieter Egli, an associate professor of developmental cell biology at Columbia University and his co-authors, including Nathan Treff of Nucleus Genomics, a New York-based DNA-testing startup, say the technology could help fix disease-causing mutations in embryos. "We're not throwing the final 'OK, you will have gene-edited babies tomorrow' at the public," said Egli. "That is a process that can occur through discussion matched with scientific progress...." Previous gene-editing efforts have often used Crispr, which can cut out parts of the DNA sequence, but the technology can also cause damage if the wrong DNA is targeted or cut out. In 2018, Chinese scientist He Jianku said he used Crispr to tweak DNA in human embryos and was imprisoned for the work. The technology Egli's group used, called base editing, allows them to target individual DNA letters in sequences more precisely with fewer adverse effects... Egli's group focused on altering two genes, one that can raise the risk of heart disease and one that is tied to blood disorders like sickle cell disease, and the research showed they were sometimes able to do so successfully, in the same embryo, without damage. "I am generally supportive of the concept of embryo editing to prevent genetic disease," said Dr. Paula Amato, a fertility expert at Oregon Health & Science University who wasn't involved in the research... Base editing has been used in human embryos before, according to peer-reviewed studies. The technology was used to correct a disease-causing mutation and an Alzheimer's disease-risk gene variant, said Alexis Komor, associate professor of biochemistry and molecular biophysics at the University of California, San Diego, who wasn't involved in the work. 
"There really is not any unmet medical or clinical need for this, especially from an in vitro fertilization perspective," Komor said. "Usually what you'll hear is that they're doing it just so that you know we can prevent genetic diseases, but there are so many other better ways to do that." Using embryo editing to create babies is illegal in the U.S. and many other countries. Scientists have long worried that it is a slippery slope and that the technology could ultimately be used to promote eugenics. Her worry is that "they're basically building a blueprint" for more ethically problematic forms of embryo editing. "In my opinion, I think this is a huge no-no," Komor said. "There's just no ethical way to use this...." Nucleus Genomics Chief Executive Kian Sadeghi said his company plans to fund Egli's further research, building on the new findings. His company sells a polygenic embryo-screening product, which screens prospective parents' embryos and produces risk scores for their likelihood of developing disease, as well as factors like height, IQ and eye color. The company has said the IQ predictions are limited in accuracy. The research was published online Monday on a preprint server.


Early Research Suggests a Path to Predict and Prevent Lung Cancer

Scientists "have made a discovery that may help prevent some people from developing lung cancer," reports the New York Times, noting that lung cancer "kills more people worldwide than any other cancer." A team of more than 80 researchers working across four continents have identified a set of proteins in the blood that accurately predict lung cancers more than five years before diagnosis. The scientists also found early evidence that an existing anti-inflammatory drug could significantly reduce lung cancer risk in people with elevated concentrations of these proteins, which they linked to inflammation. More research is needed before a test based on these proteins could be ready for use in patients. And scientists would still need to run a randomized trial to determine whether the drug prevents lung cancers. Still, outside experts said the findings, which were published on Thursday in the journal Cell, offer a promising starting point toward a long-held public health goal... Led by Dr. Swanton, Dr. Tej Pandya, a Ph.D. student, and other researchers took a set of 48,000 blood samples from the UK Biobank and used machine learning to identify 14 proteins associated with the development of lung cancer. When the researchers looked at the presence of those proteins and also took into account a patient's age, smoking status and history of lung disease, they were able to predict who would develop lung cancer more accurately than the best risk assessment models currently in use... Using mouse and cell models, the scientists showed that these proteins increased when a specific inflammatory pathway was activated. Smoking and air pollution can activate that pathway. This adds to the evidence that it isn't just genetic mutations caused by smoking, pollution or other factors that are driving lung cancers. Rather, Dr. Swanton said, the findings suggest that "smoke causes mutations and inflammation, which together cause cancer." 
They also found that the signature was increased in people who later developed chronic obstructive pulmonary disease and pulmonary fibrosis, pointing to a common inflammatory environment upstream of all three diseases.

Read more of this story at Slashdot.

PowerSchool’s $17.25 Million Settlement Exposes Years of Student Data Tracking

If you ask most people what breach PowerSchool experienced, their first response might be the 2024 hacking incident that affected tens of millions of students. But even before that breach, there was another significant breach involving PowerSchool that began in 2021. Colin Lee and Koji Edmunds report: In early April, many students across the world...

NYC Public Schools Lack Central Inventory to Track Vendors Used By Schools — NYS Auditor

Audit conducted by NYS Comptroller’s Office between 2020-2025 found multiple concerns leaving students and employees at risk of privacy and data security breaches. The auditor also criticized the city for failing to cooperate in a timely manner with the auditor’s requests for information. In June 2014, a decade after the NYC Education Department had been...

Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict

A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict.

But even that may have been a happy accident for Iranian hackers in what has been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than on purpose.

Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.

“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.

“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”

Signs of activity

In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.

In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.

“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information and sharing analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”

The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.

But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets.

Notably, Stryker is also the class of a military vehicle used by U.S. forces. That military connection, even if confused with the medical device manufacturer, could possibly explain why the company was a target.

Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”

There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. There was the targeting of cameras from Iran-linked infrastructure in countries that Iran then launched missiles into. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.

Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.

There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.

How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.

But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.

Even low-level defacement or distributed denial-of-service attacks can play a role.

“Coming into work and finding an Iranian flag on your workstation would be a little bit disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.

Possible follow-up impacts

While primarily known as a medical supply company, Stryker has received sizable contracts with the military for hospital equipment and surgical supplies, for example. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.

The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies — with disparate levels of cybersecurity — that the military relies on for advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.

While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.

He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.

“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”

Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.

“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”

Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.

“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.

“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”

The post Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict appeared first on CyberScoop.

The Simplest and Last Internet-Only ACL You’ll Ever Need

tl;dr Implement this ACL using whatever network gear, cloud ACL config, or uncomplicated firewall you use to protect your networks. Our IoT devices are on 10.99.99.0/24 for this example. Also, […]

The post The Simplest and Last Internet-Only ACL You’ll Ever Need appeared first on Black Hills Information Security, Inc.