Firmware Backdoors: The Hidden Threat to Your Online Security


Firmware Backdoors: A Growing Concern in Android Tablets

A newly discovered firmware backdoor, known as Keenadu, has been found in several Android tablet brands, targeting users in Russia, Germany, and Japan. This multi-stage backdoor is embedded in the Android firmware itself and gains near-total control over every app and its data. Keenadu hijacks the libandroid_runtime.so library, injects into the Zygote process (the process from which every Android app process is forked, so code placed there is inherited by all apps), and sets up a client-server architecture to communicate with the attacker’s server.

The backdoor breaks Android’s sandbox and permission model, exposing all app data and providing interfaces to grant or revoke any permission, access geolocation, and exfiltrate device information. The backdoor has strong links to other major Android botnets, and its discovery highlights the risk posed by software that ships in device firmware, which users cannot easily audit or remove.

New BeyondTrust RCE Vulnerability Sparks Reconnaissance

A new remote code execution (RCE) vulnerability, tracked as CVE-2026-1731, has been discovered in BeyondTrust’s software. It is a variant of an earlier WebSocket RCE vulnerability (CVE-2024-12356) that was used in the 2024 U.S. Treasury breach. Attackers are actively scanning for the new flaw, and GreyNoise’s sensor network has seen a significant spike in probes starting on February 11.

The vulnerability affects self-hosted customers, who must upgrade manually to RS v25.3.2 or later, or PRA v25.1.1 or later, to remediate. The scanning activity suggests that attackers know many organizations hide BeyondTrust behind non-standard ports as a form of “security by obscurity”; moving the service to another port does not stop a scanner that probes every port.

Lenovo Vantage Vulnerability: A Reminder of the Risks of Pre-Installed Software

A vulnerability has been discovered in Lenovo Vantage, software pre-installed on Lenovo devices. It allows a local attacker to turn a folder-deletion primitive into administrator-level access. The incident highlights the risk that pre-installed software adds to a machine and the value of removing components that are not needed, which reduces the attack surface.

Texas Sues TP-Link over Security Vulnerabilities and Deceptive Marketing

The state of Texas has sued TP-Link, alleging deceptive marketing practices and security vulnerabilities in its routers and smart home devices. The lawsuit claims that TP-Link falsely marketed its products as “Made in Vietnam” although most of the manufacturing, development, and components are China-based. The suit also alleges that TP-Link’s products have numerous, dangerous firmware vulnerabilities that have been publicly reported for years and exploited by Chinese state-sponsored actors.

20-Year-Old Vulnerability in Munge Allows Attackers to Compromise Supercomputers

A 20-year-old heap buffer overflow vulnerability has been discovered in Munge’s authentication daemon. It allows a local attacker on a single HPC node to leak the cluster-wide Munge secret and then forge credentials for any user on any node in the cluster. The impact is broad because modern HPC systems are essentially large, homogeneous Linux clusters managed by a scheduler such as Slurm, which relies on Munge to authenticate users and jobs, and every node shares the same Munge key.
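To make the consequence of the leaked secret concrete, here is a simplified model of a shared-key credential scheme of the kind Munge implements. This is an added example, not Munge’s own code or wire format: it uses HMAC-SHA256 over a JSON identity rather than Munge’s real encoding, and the function names are invented for the illustration. What it shows is that a credential proves only possession of the cluster key, so once that key leaks, a forged credential for uid 0 is indistinguishable from a genuine one on every node.

```python
import base64
import hashlib
import hmac
import json
import os


def mint_credential(cluster_key, uid, gid):
    """Build a credential as base64(payload) + "." + base64(HMAC-SHA256(cluster_key, payload)).

    Simplified model of a shared-secret credential; not Munge's real format.
    """
    payload = json.dumps({"uid": uid, "gid": gid}, sort_keys=True).encode()
    tag = hmac.new(cluster_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload) + b"." + base64.b64encode(tag)


def verify_credential(cluster_key, credential):
    """Return the decoded identity if the tag verifies under cluster_key, else None."""
    try:
        payload_b64, tag_b64 = credential.split(b".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:  # missing separator or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(cluster_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def rewrite_identity_without_key(credential, uid, gid):
    """Attacker who does NOT hold the key: swap the identity but reuse the old tag."""
    _old_payload_b64, tag_b64 = credential.split(b".", 1)
    payload = json.dumps({"uid": uid, "gid": gid}, sort_keys=True).encode()
    return base64.b64encode(payload) + b"." + tag_b64


def demo():
    """Walk through the three cases: legitimate use, tampering, and forgery with the leaked key."""
    cluster_key = os.urandom(32)  # what every munged daemon in the cluster holds

    # 1. A normal user on a compute node mints a credential; the daemon accepts it.
    cred = mint_credential(cluster_key, uid=1000, gid=1000)
    assert verify_credential(cluster_key, cred) == {"gid": 1000, "uid": 1000}

    # 2. Without the key, changing the identity breaks the MAC and is rejected.
    tampered = rewrite_identity_without_key(cred, uid=0, gid=0)
    assert verify_credential(cluster_key, tampered) is None

    # 3. With the key leaked from one daemon, a root credential verifies on every node.
    leaked_key = cluster_key
    forged = mint_credential(leaked_key, uid=0, gid=0)
    assert verify_credential(cluster_key, forged) == {"gid": 0, "uid": 0}
    return True


if __name__ == "__main__":
    print("demo passed:", demo())
```

The practical takeaway is that patching the daemon is not sufficient on its own: a key that may already have been read out of a vulnerable daemon’s memory must be replaced on every node in the cluster, because nothing in the credential distinguishes the legitimate holder from anyone else who obtained it.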

AI Coding Tools: A New Risk for Sensitive Data Exposure

AI coding tools, such as those integrating Claude and similar models, create per-project or global configuration directories on disk that silently accumulate sensitive data: API keys, tokens, passwords, SSH keys, cloud credentials, and other secrets that pass through settings files and saved sessions. A recent scan of public GitHub repositories found that roughly 2.4% of repositories containing AI tool configuration directories have sensitive information in their history, so a directory that is committed once can leak secrets long after the file itself is deleted.
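The check a practitioner wants here is a scan of a working tree for AI-tool configuration directories and the secrets inside them, run before the directory is ever committed. The following is an added example, not code from the page or from any of the tools mentioned. The set of directory names and the secret patterns are assumptions chosen for the illustration (the AWS access key ID format is documented; the other detectors are heuristics), and the sample repository it scans is constructed inline. It inspects files on disk only; secrets already in git history need a history scan on top of this.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory names that AI coding assistants create per project or per user.
# This set is an assumption for the example; extend it for the tools you use.
AI_CONFIG_DIRS = {".claude", ".cursor", ".aider", ".continue", ".copilot"}

# Secret detectors. The AWS access key ID format is documented; the rest are
# conservative heuristics and will produce some false positives by design.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-./+]{16,}"
    ),
}


def find_ai_config_dirs(root):
    """Yield each AI-tool config directory below root; os.walk is pruned at each hit."""
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            if name in AI_CONFIG_DIRS:
                yield Path(dirpath) / name
                dirnames.remove(name)  # scan_config_dir walks its contents itself


def scan_config_dir(config_dir, max_bytes=1_000_000):
    """Return (path relative to the repo, detector name, line number) for every hit."""
    findings = []
    for path in sorted(config_dir.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="replace")  # tolerate binary junk in logs
        except OSError:
            continue
        rel = str(path.relative_to(config_dir.parent))
        for lineno, line in enumerate(text.splitlines(), start=1):
            for detector, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel, detector, lineno))
    return findings


def scan_repo(root):
    """Scan every AI-tool config directory under root and return all findings."""
    findings = []
    for config_dir in find_ai_config_dirs(root):
        findings.extend(scan_config_dir(config_dir))
    return findings


def build_sample_repo():
    """Constructed sample data: a throwaway repo whose .claude directory leaks two secrets."""
    root = Path(tempfile.mkdtemp(prefix="ai-config-scan-"))
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    cfg = root / ".claude"
    cfg.mkdir()
    # A settings file that exports a cloud key into the tool's environment
    # (the key value is AWS's documented example key, not a real one).
    (cfg / "settings.local.json").write_text(
        '{"env": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}}\n'
    )
    # A saved transcript in which a credential was pasted into the chat.
    (cfg / "session.log").write_text(
        "user: deploy the service\n"
        "assistant: run  export API_KEY=sk_live_0123456789abcdef0123  first\n"
    )
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, detector, lineno in scan_repo(repo):
        print(f"{rel}:{lineno}: {detector}")
```

Run against the sample repo it reports two hits, one in each file under .claude, and nothing for the application source. Wired into a pre-commit hook, the same scan stops the directory from entering history in the first place, which is cheaper than rotating every key that was ever pasted into a session.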

UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day

UNC6201, a suspected PRC-nexus cluster, has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to gain root on the appliances, maintain persistence, and pivot into the VMware environments they protect. The attackers use a custom backdoor called GRIMBOLT, which provides a remote shell and shares command-and-control infrastructure with another backdoor, BRICKSTORM.

FBI Launches Operation Winter SHIELD to Boost Cyber Resilience

The FBI has launched Operation Winter SHIELD, a nationwide initiative to encourage public and private sector stakeholders to adopt proactive cybersecurity measures and close the gaps most frequently exploited by attackers. The operation provides a set of 10 high-impact actions essential for reducing an organization’s exposure to cyber threats.

Discord Implements Mandatory Age Verification

Discord has voluntarily implemented mandatory age verification, despite a recent data breach that raises questions about how the verification data will be protected. The move aims to keep minors away from sensitive content.

Asia Struggles with Telnet Traffic Throttling

Asia is struggling to throttle back Telnet traffic: about half of all Internet addresses that expose Telnet are in the region. Telnet is an outdated protocol that transmits credentials and session data in cleartext, and exposed Telnet services are a long-standing entry point for IoT botnets.

Microsoft Introduces Mobile-Style Windows Security Controls

Microsoft has announced new mobile-style Windows security controls, which will introduce smartphone-style app permission prompts in Windows 11. The new controls will request user consent before apps can access sensitive resources such as files, cameras, and microphones.

Chatbots Fail to Impress in Medical Diagnosis

A recent study has found that chatbots make poor doctors, with an accuracy rate under 35% when diagnosing diseases from real patients’ symptoms. Although chatbots can pass medical exams, they fail to ask the follow-up questions needed to draw out the important symptoms from real patients.

Zero-Knowledge Encryption: A Comparative Security Analysis

A comparative security analysis of three cloud-based password managers, Bitwarden, LastPass, and Dashlane, has found that each has features that break its “zero-knowledge” encryption promise, meaning the vendor can, in some circumstances, learn more about the vault than the model claims. The vendors have been notified, and mitigation is underway.

Claude Makes 5% of All Open-Source Git Commits

Claude, an AI coding tool, has made 5

