It allows organisations to handle sensitive data confidentially directly from their smartphones or tablets. The feature ensures compliance with strict data sovereignty rules while keeping the workflow entirely mobile.

Users can now compose and read encrypted messages natively within the standard Gmail application. There is no longer a requirement to download third-party applications or log into separate secure email portals.

Client-side encryption means the data is scrambled before it ever reaches Google’s servers.

Google holds no keys to decrypt this information, preventing the company from reading your messages under any circumstances. Employees equipped with a proper license can seamlessly send these encrypted communications to anyone.

Seamless Cross-Platform Delivery

Google designed the delivery mechanism to be entirely frictionless for the person receiving the email. If the recipient uses the standard Gmail app, the encrypted message arrives and functions just like a typical email thread.

This creates a highly user-friendly experience that requires no technical knowledge from the receiver. The system also supports external communication, as outgoing encrypted messages are not restricted to Gmail users.

Guest recipients using alternative email services have a straightforward path to access the data. When a non-Gmail user receives the email, they can securely open, read, and reply using their default web browser.

This process authenticates their identity securely without requiring them to create a new account. Once verified, they can view the confidential text and download any encrypted attachments safely.

This eliminates the usual friction associated with sending protected documents to external vendors.

System administrators must take specific actions before employees can utilize these new mobile features. Admins need to log into the Workspace Admin Console and explicitly enable the mobile clients within the encryption interface.

Administrators maintain complete authority over the cryptographic keys and the identity providers used to authenticate users.

Once this backend configuration is complete, the process becomes effortless for end users. To secure a message, a user simply taps the lock icon while drafting an email and selects the additional encryption option.

Rollout and Availability Details

This security update is currently live for eligible organizational accounts requiring the highest levels of data protection. The table below outlines the specific workspace requirements needed to access mobile end-to-end encryption.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Google Launches Gmail End-to-End Encryption for Android and iOS appeared first on Cyber Security News.

According to the Google Account Security and Chrome teams, this major security update aims to eliminate session hijacking, a primary method for attackers to compromise user accounts.

The feature will also expand to macOS in an upcoming release, marking a critical industry shift from reactive threat detection to proactive prevention.

The Threat of Cookie Exfiltration

Session theft typically happens when a user accidentally downloads infostealing malware, such as the LummaC2 family. Once inside a system, the malware hunts for existing session cookies stored in the browser’s local files.

Because authentication cookies often stay valid for long periods, threat actors can steal them to bypass passwords entirely. Historically, stopping malware from reading browser memory using only software was nearly impossible, forcing security teams to rely on complex detection methods after a breach had already occurred.

DBSC fundamentally changes web security by tying an authentication session to a user’s physical device. The protocol relies on hardware-backed security modules, like the Trusted Platform Module (TPM) on Windows or the Secure Enclave on Apple devices.

When a user logs in, the hardware generates a unique public-private key pair. Crucially, the private key can never be exported from the machine. Websites that upgrade their backends to support DBSC issue short-lived cookies, and Chrome must constantly prove it holds the private key to refresh them.

If a hacker steals the session cookies, the credentials quickly expire and become useless because the attacker lacks the victim’s physical hardware key. Web developers can implement this seamlessly, as the browser handles the complex cryptography in the background.

Despite its strict device-binding capabilities, DBSC was built with rigorous privacy controls. The protocol uses a completely separate key for every session.

This ensures websites cannot use the technology to track users across different sites or correlate browsing activities. Furthermore, it only shares the minimum data required to prove possession, preventing the tool from being abused for device fingerprinting.

Google developed DBSC as an open web standard alongside the W3C Web Application Security Working Group, partnering closely with Microsoft and conducting trials on platforms such as Okta. Looking ahead, Google plans to expand DBSC capabilities to secure federated identity and Single Sign-On (SSO) environments for enterprises.

The team is also developing advanced registration options to bind sessions to existing hardware security keys, and exploring software-based key support to protect devices that lack physical security hardware.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Google Unveils Device-Bound Chrome Sessions in Anti-Cookie-Theft Move appeared first on Cyber Security News.

According to a comprehensive new report by ESET Research, the threat landscape has grown far beyond the well-known Bring Your Own Vulnerable Driver (BYOVD) technique.

Attackers are now heavily using driverless methods, custom command-line scripts, and legitimate anti-rootkit utilities to turn off security defenses.

Why Attackers Prefer EDR Killers

Instead of constantly rewriting and updating ransomware encryptors to avoid security detection, threat actors find it much easier to turn off the security software first.

EDR killers provide a highly reliable, low-cost solution that gives attackers a predictable window to run their inherently noisy encryption payloads.

Interestingly, ESET notes that ransomware affiliates, rather than the core ransomware-as-a-service operators, usually choose which EDR-killer to deploy in an attack.

This dynamic creates massive tooling diversity in the wild, as different affiliates mix and match various EDR killers to suit their specific intrusion needs and skill levels.

While exploiting vulnerable kernel drivers through BYOVD remains the dominant method, the technology behind EDR killers is rapidly expanding.

ESET researchers are currently tracking almost 90 EDR killers actively used in the wild, 54 of which rely on BYOVD to exploit 35 different vulnerable drivers.

Some low-skilled attackers rely on basic command scripts or rebooting the system into Windows Safe Mode to bypass security measures. More sophisticated affiliates weaponize legitimate anti-rootkit programs, such as GMER and PC Hunter.

These tools were originally built to remove deep-kernel malware, but their elevated privileges make them ideal weapons for terminating active security processes.

A growing and dangerous trend is the use of driverless EDR killers. Tools like EDRSilencer and EDR-Freeze do not need to interact with the system kernel at all.

Instead, they block network communication between the endpoint and the security backend, or they force the EDR software to freeze in place. Because these methods do not rely on traditional driver vulnerabilities, they are much harder for network defenders to detect.

The ESET investigation categorized the developers of these tools into three main groups. First, closed groups, such as Embargo, DeadLock, and Warlock, develop their own proprietary EDR killers from scratch.

Researchers strongly suspect that groups like Warlock are using Artificial Intelligence to assist with writing and updating their EDR killer code.

Second, many attackers modify publicly available proof-of-concept (PoC) code. Open repositories offer ready-to-use templates that attackers easily tweak by changing the programming language or adding simple code obfuscation.

Finally, a booming underground market now offers “EDR killer as a service”. Commercial tools are actively sold on dark web forums to affiliates of major ransomware gangs, complete with customer support.

Because these tools are heavily traded and shared, cybersecurity defenders face a major challenge. Analyzing a specific vulnerable driver is no longer enough to identify a specific ransomware gang.

Completely unrelated tools might abuse the same driver, and a single threat group might switch between multiple drivers in different attacks.

As the EDR killer market continues to mature and commercialize, organizations must focus on detecting the behavioral signs of security tampering rather than just tracking specific vulnerable drivers.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Ransomware Gangs Expand Use of EDR Killers Beyond Vulnerable Drivers, ESET Warns appeared first on Cyber Security News.

The campaign, which ran from late December 2025 through mid-February 2026, highlights a dangerous shift in the modern threat landscape.

Researchers at Gambit Security recently released a full technical report detailing how the attacker relied on two major commercial artificial intelligence platforms. The publication was initially delayed to allow the affected agencies time to complete their incident response efforts.

AI Models Power the Breach

The attacker used Anthropic’s Claude Code and OpenAI’s GPT-4.1 not just for planning, but as core operational tools that drastically accelerated the attack.

According to forensic evidence recovered, Claude Code generated and executed approximately 75% of all remote commands during the intrusion.

Across 34 active sessions on live victim infrastructure, the hacker logged 1,088 individual prompts. These prompts translated into 5,317 AI-executed commands, demonstrating how deeply the AI was integrated into the exploitation phase.

Simultaneously, the attacker leveraged OpenAI’s GPT-4.1 for rapid reconnaissance and data processing. The hacker developed a custom 17,550-line Python script designed to pipe raw data harvested from compromised servers directly through the OpenAI API.

This automated system analyzed information across 305 internal servers, rapidly producing 2,597 structured intelligence reports. By automating the data analysis phase, a single operator successfully processed an intelligence volume that would traditionally require an entire team.

The integration of artificial intelligence allowed the attacker to turn unfamiliar networks into mapped targets in hours rather than days. Recovered materials showed the attacker possessed over 400 custom attack scripts.

Furthermore, the hacker used AI to quickly develop 20 tailored exploits targeting 20 specific Common Vulnerabilities and Exposures (CVEs). This high-speed capability compressed the attack timeline, allowing the threat actor to operate well below standard detection and response windows.

Despite the advanced methods used in the campaign, the actual vulnerabilities exploited were highly conventional. The targeted government agencies had basic security gaps that enabled the attacker to gain initial access and move laterally.

The underlying issues were addressable through standard security controls, highlighting a severe accumulation of technical debt within mission-critical infrastructure.

While artificial intelligence has significantly lowered the cost and complexity of executing widespread cyberattacks, the defense strategy remains rooted in foundational security practices.

Organizations must urgently address unpatched software and implement strict credential rotation policies. Enforcing network segmentation is also critical to restrict lateral movement once a perimeter is breached.

Finally, deploying robust endpoint detection and response tools is necessary to identify these rapidly compressed attack timelines before data exfiltration occurs.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hacker Uses Claude and ChatGPT to Breach Multiple Government Agencies appeared first on Cyber Security News.

The integration marks a significant step in Anthropic’s push to embed Claude into everyday productivity workflows beyond chat-based interactions.

Claude for Word enables users to draft, edit, and revise .docx files directly from a persistent sidebar within Microsoft Word, eliminating the need to switch between applications.

Unlike basic clipboard-and-paste AI workflows, the integration preserves native document formatting and surfaces all AI-generated edits as Microsoft Word’s tracked changes, keeping the revision history intact and fully reviewable by human editors.

This “AI-powered redlining” approach means users can prompt Claude to rewrite a section or sharpen an argument, then accept or reject each suggestion just as they would with a human collaborator’s markup.

Claude Beta for Word

One of the standout architectural decisions in the beta is shared context across Anthropic’s Office add-in family. Claude for Word connects directly with Claude for Excel and Claude for PowerPoint, meaning a single conversation thread can span all three open documents simultaneously.

Users can ask Claude to check for data inconsistencies between a Word report and its accompanying Excel model, or align narrative language in a Word file with slide content in PowerPoint, all within a unified AI session. This cross-app continuity addresses a pain point common to multi-document workflows in finance, legal, and consulting environments.

The add-in handles a range of document-centric tasks, including rewriting selected text, responding to inline Word comments, summarizing sections, and auditing documents for factual or stylistic inconsistencies.

Claude can also interpret existing comment threads and deliver revisions that directly address each note, returning an updated document with tracked changes showing every edit made.

Access is currently gated to subscribers of the Claude Team and Enterprise plans, consistent with Anthropic’s broader strategy of rolling out advanced document automation features to professional and business users first.

The launch arrives amid intensifying competition in the AI productivity space. Microsoft’s own 365 Copilot already offers deep Word integration, but early users of Claude for Word have noted its smoother document-handling and more coherent multi-app context flow as differentiators.

Anthropic also recently expanded Microsoft 365 data connectivity to all Claude plan tiers, including free users, signaling an intent to deepen its presence across the Microsoft ecosystem rather than compete with it outright.

The beta is available now at claude.com/claude-for-word, with broader plan access expected in upcoming rollout phases.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Anthropic Launches Claude Beta for Word, Bringing AI-Powered Editing to Microsoft Docs appeared first on Cyber Security News.

The vulnerability, described as an intent redirection flaw, allowed malicious apps on the same device to break through Android’s built-in security sandbox and gain unauthorized access to private user data.

With crypto wallets holding real financial assets, a flaw of this nature carries consequences far beyond a standard privacy concern.​

EngageSDK is a third-party software development kit built by a company called EngageLab. It is designed to help developers add push notifications and real-time messaging features to their Android applications.

Developers include it as a code dependency, after which it becomes part of how the app runs. Since so many apps rely on the same SDK, a single flaw inside it does not stay confined to one application — it puts every app built on it at risk at the same time.​

During routine security research, the Microsoft Defender Security Research Team identified the vulnerability and noted that it resided inside an exported activity called MTCommonActivity.

This activity is silently added to an app’s merged Android manifest during the build process, meaning it does not appear in the original source code — only in the final compiled output. Because developers often overlook this, the activity goes unreviewed and unprotected. Once the app is installed on a device, that activity becomes reachable by any other app running on the same phone.

The extent of this exposure is what makes the vulnerability especially concerning. Crypto wallet apps alone represented over 30 million installations, and when other apps built on the same SDK were counted, total exposure climbed past 50 million installations.

All apps confirmed to be running vulnerable versions were removed from Google Play. At the time of this report, there is no confirmed evidence that the vulnerability was exploited in attacks.​

The flaw was first found in version 4.5.4 of the EngageLab SDK in April 2025. Microsoft reported it to EngageLab through Coordinated Vulnerability Disclosure (CVD) practices under Microsoft Security Vulnerability Research (MSVR).

The issue was then escalated to the Android Security Team in May 2025. EngageLab released a fix in version 5.2.1 on November 3, 2025, which resolved the exposure by setting the vulnerable activity to non-exported.​

How the Intent Redirection Attack Works

Intent redirection is a technique where an attacker manipulates the contents of a message — called an intent — that a trusted app sends, so it ends up doing something harmful instead.

On Android, intents are the primary way apps communicate with each other and with their own internal components. When a trusted app sends an intent, the Android system honors its permissions.

Attackers exploit this trust to run harmful operations while hiding behind a legitimate application’s identity.​

A malicious app begins the attack by sending a specially crafted URI to the exposed MTCommonActivity activity.

That activity passes the URI through a method called processIntent(), which forwards it to processPlatformMessage().

This method pulls out a field named n_intent_uri, constructs a new intent from it, and launches that intent using the trusted app’s own permissions.

Since the SDK applies the URI_ALLOW_UNSAFE flag, the malicious input can carry read and write permission flags that grant persistent access to the target app’s private storage.

As a result, wallet credentials, private keys, and sensitive financial data inside the app become silently exposed to the attacker.​

Developers using the EngageLab SDK should upgrade to version 5.2.1 or later without delay. After every project build, developers should carefully inspect the merged Android manifest for any exported activities or unexpected permissions introduced by third-party libraries.

Intent data arriving from outside the app should always be validated before it is used. Users who previously installed a vulnerable app are now protected, as Android has deployed automatic mitigations targeting this specific flaw while developers complete their updates.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post EngageSDK Vulnerability Exposes Millions of Crypto Wallet Users to Cyberattacks appeared first on Cyber Security News.

Targeting Canadian workers, the group uses adversary-in-the-middle (AiTM) techniques to hijack authenticated sessions and bypass multi-factor authentication (MFA), in what researchers have labeled “payroll pirate” attacks.​

The campaign starts with SEO poisoning and malvertising. Storm-2755 pushes a rogue domain, bluegraintours[.]com, to the top of search results for queries like “Office 365” or the common misspelling “Office 265.”

Employees who click these links land on a convincing fake Microsoft 365 sign-in page. The moment they type in their credentials, the attackers capture both the password and the live session token in real time, gaining full account access without triggering any MFA prompt.​

Microsoft researchers identified this emerging threat and noted something unusual about its targeting.

Unlike most threat groups that focus on specific industries, Storm-2755 broadly targets Canadian employees across all sectors, using industry-agnostic search terms to cast a wide net.

This approach makes the campaign harder to detect through vertical-specific threat intelligence alone.​

Once inside a compromised account, Storm-2755 silently searches mailboxes for payroll and HR-related keywords. The group then sends emails from the victim’s own inbox to HR staff, asking about direct deposit changes — a social engineering move that appears completely routine to the recipient.

When email manipulation alone is not enough, attackers manually log into HR platforms like Workday using the stolen session and update banking details directly, causing salary payments to flow into an attacker-held account.​

What makes this campaign especially dangerous is how carefully the group covers its tracks. Storm-2755 renews stolen sessions around 5:00 AM in the victim’s local time zone to avoid triggering reauthentication events.

Inbox rules are also created to immediately bury any HR responses about the fake bank change request, so victims often have no idea anything has changed until their paycheck simply does not arrive.​

Inside the AiTM Attack Chain

What separates Storm-2755 from older phishing groups is the technical depth of its AiTM method. Rather than simply stealing passwords, AiTM attacks proxy the full authentication flow between the victim and Microsoft’s real login service.

When the victim signs in, the attacker intercepts both the session cookie and the OAuth access token — and since these represent a fully authenticated session, they can be reused to access Microsoft services without any further credential check or MFA challenge.​

Storm-2755 uses version 1.7.9 of the Axios HTTP client to relay captured tokens to its own infrastructure. Sign-in logs show that Axios made non-interactive sign-ins to OfficeHome approximately every 30 minutes, keeping sessions alive without obvious detection.

A known vulnerability in this library, CVE-2025-27152, can lead to server-side request forgery risks, which the group appears to exploit within this relay flow.

After roughly 30 days of inactivity, stolen tokens expired naturally — but in some cases, attackers had already reset account passwords and MFA settings to sustain access long after the initial compromise.​

This illustrates the convincing message sent from a victim’s account to trick HR staff into executing the banking change.​

Organizations are strongly advised to revoke compromised tokens immediately, remove malicious inbox rules, and reset credentials and MFA methods for any affected accounts.

Phishing-resistant MFA — such as FIDO2 security keys — should be enforced wherever possible, as these are specifically designed to block AiTM-style token theft.

Conditional Access policies should be configured to limit session lifetimes and require reauthentication when risk signals change. Continuous Access Evaluation (CAE) should be enabled so that stolen tokens lose their value quickly after a risk condition is detected.

Security teams should also set up alerts for suspicious inbox rule creation and regularly audit HR SaaS platforms such as Workday for any unauthorized changes to banking or payment information.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use AiTM Session Hijacking to Redirect Employee Salaries in New Storm-2755 Campaign appeared first on Cyber Security News.

The move was formally declared during an interministerial seminar held on April 8, 2026, organized by the Interministerial Directorate for Digital Affairs (DINUM), the National Cybersecurity Agency of France (ANSSI), the Directorate General for Enterprises (DGE), and the State Procurement Directorate (DAE).

The seminar, convened at the initiative of the Prime Minister and the Minister Delegate for Artificial Intelligence and Digital Affairs, brought together ministers, government departments, public operators, and private sector stakeholders. Its central objective is to accelerate France’s strategy to reduce its digital dependencies on non-European technology vendors.

The Windows-to-Linux Transition

DINUM officially announced its exit from Windows, signaling a full migration to Linux-based workstations across state infrastructure. While a specific Linux distribution and rollout timeline were not disclosed in the seminar’s initial announcements, ministries will be required to formalize individual transition plans by fall 2026.

The migration scope spans workstations, collaborative tools, antivirus software, artificial intelligence platforms, databases, virtualization environments, and network equipment.

This shift carries significant cybersecurity implications. Moving away from a proprietary, closed-source OS reduces the government’s exposure to vendor-specific vulnerabilities and foreign intelligence risks, a concern that ANSSI has long emphasized in national cyber defense guidance.

The Windows migration is part of a wider push toward European digital tools. The National Health Insurance Fund recently announced the migration of its 80,000 agents to interministerial digital platform tools Tchap (secure messaging), Visio (video conferencing), and FranceTransfert (document transfer).

Additionally, the French government confirmed last month that its national health data platform will migrate to a trusted sovereign cloud solution by the end of 2026.

These moves follow Prime Minister directives, including circulars on digital public procurement and mandatory adoption of the “Visio” video conferencing tool as a Windows-independent collaboration standard.

Rather than a purely top-down mandate, France is forming public-private ministerial coalitions to execute the transition. DINUM will coordinate an interministerial dependency-reduction plan, leveraging digital commons and interoperability standards such as the Open-Interop and OpenBuro initiatives.

The State Procurement Department (DAE) is simultaneously mapping existing technology dependencies to establish quantified reduction targets with clear timelines.

The first “Industrial Digital Meetings” are scheduled for June 2026, where DINUM plans to formalize a public-private alliance for European digital sovereignty.

This migration represents one of the most significant government-level OS transitions in recent European history, setting a potential precedent for other EU member states prioritizing technological independence.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post France to Replace Windows with Linux on Government Desktops appeared first on Cyber Security News.

The campaign has already reached fans across nine countries, making it one of the most geographically widespread concert ticket scams seen in recent years.​

BTS, one of the biggest K-pop groups in music history, recently announced their ARIRANG world tour after a near four-year break, during which group members completed mandatory military service in South Korea.

The announcement generated an enormous wave of anticipation, and demand for concert tickets reached extraordinary levels almost immediately.

Events like this, where a globally loved group returns after years away, naturally draw the attention of cybercriminals who see a ready-made opportunity.​

Kaspersky researchers identified at least 10 fraudulent domains created in early April 2026, each designed to mimic official pre-sale pages for BTS concerts in Argentina, Brazil, Chile, Colombia, France, Mexico, Peru, Portugal, and Spain.

The analysts noted that these fake websites replicate the original layout, design, and the full purchasing journey so closely that ordinary users have very little chance of spotting the difference.

The scale and timing of the operation point to a well-coordinated effort rather than a simple or isolated attempt at fraud.​

These fake pages primarily spread through Instagram, where links circulate quickly inside fan communities.

Since BTS’s fanbase is deeply engaged and emotionally invested, many fans act fast the moment they spot what looks like a genuine chance to secure tickets before they sell out. That impulsive reaction, driven by fear of missing out, is exactly what the attackers are counting on.​

How the Scam Manipulates Victims at the Payment Stage

The payment process is where the deception becomes most effective, particularly in Brazil. Brazilian ticketing services adopted a pre-booking format for the ARIRANG tour, requiring fans to reserve seats online and then pay in person at the box office.

While this format was designed to reduce scalping, it created public confusion, and scammers used that confusion to their advantage.​

Fraudulent Brazilian ticketing pages direct victims to pay through PIX, an instant payment system operated by the Central Bank of Brazil.

Some fake sites display a card payment option first but then generate error messages or cite high demand to push users toward PIX instead. Once the payment goes through, the money is routed to money mule accounts, making recovery nearly impossible for victims.​

The scam depends heavily on manufactured urgency. Fake error notifications during checkout push fans to act immediately out of fear that their reservation will be lost.

The attackers clearly understand how fast BTS concert tickets disappear on legitimate platforms and have built the entire fake experience around that anxiety.

Brazil’s new pre-booking system added another layer of believability, causing many victims to trust the process without questioning it.​

Anyone buying event tickets online should take these precautions. Always navigate to ticketing platforms by typing the official web address directly into the browser, rather than clicking links received through social media, email, or messages.

Check domain names carefully, since scammers often use extra dashes, unusual country codes, or subtle character swaps to imitate real sites.

Confirm that websites include a Privacy Policy and Terms of Use page, though their presence alone does not guarantee legitimacy. In Brazil, any request for online payment during the BTS pre-sale is a clear warning sign, since genuine transactions happen in person.

Anyone who has already made a payment on a suspicious site should contact their bank immediately and request a card reissue if payment details were entered.

Enabling real-time banking alerts is also a smart step, as it helps suspicious activity get spotted quickly. Avoid any offer of free or heavily discounted tickets from outside official channels.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake BTS World Tour Ticket Sites to Scam Fans Across Multiple Countries appeared first on Cyber Security News.

These industrial devices are widely used in critical infrastructure, including water treatment plants, energy facilities, and government operations.

The advisory, labeled AA26-097A, confirmed that this threat is ongoing and poses a serious risk to operational technology (OT) environments across the United States and beyond.​

The threat actors behind this campaign are linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and have been tracked under multiple aliases, including CyberAv3ngers, Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691.

Beginning in November 2023, the same group compromised at least 75 Unitronics PLCs across U.S. water and wastewater facilities, as documented in CISA advisory AA23-335A.

The current campaign, active since at least March 2026, marks a significant escalation now targeting Rockwell devices.​

Censys researchers identified 5,219 internet-exposed hosts globally that respond to EtherNet/IP (EIP) on port 44818 and self-identify as Rockwell Automation/Allen-Bradley devices — representing the full attack surface tied to this advisory.

The United States alone accounts for 74.6% of that exposure, with 3,891 hosts at risk. Countries like Spain (110 hosts), Taiwan (78), and Italy (73) also showed notable exposure.

Figure 1: Global Distribution of Internet-Exposed Rockwell/Allen-Bradley PLC Hosts.​

What makes this campaign particularly concerning is that the threat actors are not using zero-day exploits. Instead, they are using Rockwell’s own legitimate engineering software — Studio 5000 Logix Designer — to access internet-facing PLCs directly.

This allows them to read and modify project files and manipulate HMI/SCADA display screens, making the activity harder to detect.

Confirmed targeted device families include CompactLogix and Micro850, while additional OT protocols such as Modbus (port 502) and S7 (port 102) are also being actively probed, suggesting the group may be extending its targeting across multiple vendor platforms.​

A large share of exposed devices — nearly 49.1% of the global total — sit behind Verizon Business cellular modems, with AT&T Mobility accounting for another 13.3%.

Many of these PLCs are field-deployed at pump stations, electrical substations, and municipal facilities, connected to the internet through cellular modems rather than secure network links.

The heavy presence of consumer and mobile carrier networks over industrial ASNs highlights a widespread and often overlooked deployment risk that demands attention.​

Expanded Attack Surface: Co-Exposed Services and IOC Analysis

Beyond EIP exposure, Censys protocol enumeration across the 5,219 hosts revealed significant co-exposed services that widen the attack surface.

VNC services were found on 771 instances — giving attackers direct remote desktop access to HMI workstations.

Telnet appeared on 280 hosts and Modbus on 292, both adding further unprotected entry points that are directly consistent with the attack behaviors described in AA26-097A.​

On the IOC front, Censys pivoting of the published indicators revealed that CISA’s seven 185.82.73.x IP addresses actually represent a single multi-homed Windows engineering workstation running the full Rockwell toolchain — not seven separate machines.

Four additional operator IPs on that same host were absent from the advisory. A separate staging box at 135.136.1.133 was provisioned in February 2026, activated for a carefully timed four-day window in mid-March, then completely abandoned.

Organizations running Rockwell/Allen-Bradley PLCs should immediately remove these devices from direct internet exposure.

For CompactLogix and MicroLogix devices, placing the physical mode switch in RUN position is the single most effective control that cannot be overridden remotely.

Administrators should disable VNC, Telnet, and FTP on any host co-located with a PLC, implement multi-factor authentication for all remote OT access, and audit MicroLogix 1400 deployments running end-of-sale firmware versions C/21.02 and C/21.07.

All inbound traffic on TCP ports 44818, 2222, 102, 502, and 22 from known operator IPs — including the newly identified addresses 185.82.73.160, .161, .163, and .166 — should be reviewed immediately.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Censys Warns 5,219 Rockwell/Allen-Bradley PLCs Are Exposed Amid Iranian APT Activity appeared first on Cyber Security News.