Normal view

Cyber Insights 2026: Social Engineering

16 January 2026 at 13:30

We've known that social engineering would get AI wings. Now, at the beginning of 2026, we are learning just how high those wings can soar.

The post Cyber Insights 2026: Social Engineering appeared first on SecurityWeek.

Bankrupt scooter startup left one private key to rule them all

16 January 2026 at 12:59

Owner reverse-engineered his ride, revealing authentication was never properly individualized

An Estonian e-scooter owner locked out of his own ride after the manufacturer went bust did what any determined engineer might do. He reverse-engineered it, and claims he ended up discovering the master key that unlocks every scooter the company ever sold.…

Probably not the best security in the world: Carlsberg wristbands spill visitor pics

16 January 2026 at 12:00

Researcher shows how anyone can access Copenhagen experience attendees' names, videos

Exclusive  The Carlsberg exhibition in Copenhagen offers a bunch of fun activities, like blending your own beer, and the Danish brewer lets you relive those memories by making images available to download after the tour is over.…

Dutch police sell fake tickets to show how easily scams work

16 January 2026 at 11:05

If you can’t beat them, copy them. That seems to be the thinking behind an unusual campaign by the Dutch police, who set up a fake ticket website selling tickets that don’t exist.

The website, TicketBewust.nl, invites people to order tickets for events like football matches and concerns. But the offers were never real. The entire site was a deliberate sting, designed to show people how easily ticket fraud works.

The Netherlands’ National Police created the site to warn people about ticket fraud. They worked with the Fraud Helpdesk and online marketplace Marktplaats to run ads promoting “exclusive tickets” for sold-out concerts. If anyone got far enough to try and buy a ticket, the fake site took them to a police webpage explaining that they’d just interacted with a fake online shop.

People fell for these too-good-to-be-true deals—and that’s the most interesting part of this story. Many of us assume we’re far too savvy to fall prey to such online shenanigans, but a surprisingly large number of people do.

More than 300,000 people saw the police ads on Marktplaats between October 30, 2025, and January 11, 2026. Over 30,000 people opened opened it to take a look. 7,402 of them clicked the link to the fake site that was in the ad, and 3,432 people tried to order tickets.

That’s a reminder that online crime works a lot like regular ecommerce. Whether you’re selling real tickets or fake ones, it’s just a numbers game. Only a small percentage of people who see an ad will ever convert—but even a tiny fraction can be lucrative.

In this case, around 1% of people that saw the ad took the bait, but that represents a big profit for scammers. Fake ticket sellers raked in an average of $672 per victim in the US between 2020 and 2024, according to data from the Better Business Bureau (BBB).

Why ticket fraud is so common

Dutch police get around 50,000 online fraud complaints annually, with 10% involving fake tickets. It’s a problem in other countries too, with UK losses to gig ticket scams doubling in 2024 to £1.6 million (around $2.1 million).

Part of the reason fake ticket scams are so effective is that many cases never get reported. Some victims don’t think the loss is significant enough, while others simply don’t want to admit they were tricked. But there’s another, more fundamental reason these scams work so well: the audience is already primed to buy.

People searching for tickets are usually doing so because they don’t want to miss out. Scammers lean hard into that fear of missing out (FOMO), pairing it with scarcity cues like “sold out,” “limited availability,” or time-limited offers. People under emotional pressure from urgency and scarcity tend to do irrational things and take risks they shouldn’t. It’s why people invest erratically or take gambles on dodgy online sales.

How to protect yourself from fake ticket sites

The advice for avoiding shady ticket sellers looks a lot like advice for avoiding scams in general:

  • Watch what you click on social media. Social media accounts for 52% of concert ticket fraud cases, according to the BBB data. Stick to official channels like Ticketmaster, AXS, or the venue’s box office—and double check the URL you’re accessing.
  • Don’t let emotions get the better of you. Ticket sellers target high-demand events because they know people are desperate to attend and might let their guard down. That’s why fake ticket scams spiked after Oasis announced their reunion tour.
  • Don’t be fooled by support lines. Just because they’re on the phone doesn’t mean they’re legit.
  • Never pay via Zelle, Venmo, Cash App, gift cards or crypto. Use credit cards or other payment methods that offer purchase protection.

A little skepticism can go a long way when looking for sought-after tickets. So if you see an online ad offering you the seats of a lifetime, take a minute to research the seller. It could save you hundreds of dollars and a heap of disappointment.


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Chinese spies used Maduro's capture as a lure to phish US govt agencies

15 January 2026 at 23:15

What's next for Venezuela? Click on the file and see

What policy wonk wouldn't want to click on an attachment promising to unveil US plans for Venezuela? Chinese cyberspies used just such a lure to target US government agencies and policy-related organizations in a phishing campaign that began just days after an American military operation captured Venezuelan President Nicolás Maduro.…

Flipping one bit leaves AMD CPUs open to VM vuln

15 January 2026 at 22:11

Fix landed in July, but OEM firmware updates are required

If you use virtual machines, there's reason to feel less-than-Zen about AMD's CPUs. Computer scientists affiliated with the CISPA Helmholtz Center for Information Security in Germany have found a vulnerability in AMD CPUs that exposes secrets in its secure virtualization environment.…

Report: ICE Using Palantir Tool That Feeds On Medicaid Data

15 January 2026 at 21:30

EFF last summer asked a federal judge to block the federal government from using Medicaid data to identify and deport immigrants.  

We also warned about the danger of the Trump administration consolidating all of the government’s information into a single searchable, AI-driven interface with help from Palantir, a company that has a shaky-at-best record on privacy and human rights. 

Now we have the first evidence that our concerns have become reality. 

“Palantir is working on a tool for Immigration and Customs Enforcement (ICE) that populates a map with potential deportation targets, brings up a dossier on each person, and provides a “confidence score” on the person’s current address,” 404 Media reports today. “ICE is using it to find locations where lots of people it might detain could be based.” 

The tool – dubbed Enhanced Leads Identification & Targeting for Enforcement (ELITE) – receives peoples’ addresses from the Department of Health and Human Services (which includes Medicaid) and other sources, 404 Media reports based on court testimony in Oregon by law enforcement agents, among other sources. 

This revelation comes as ICE – which has gone on a surveillance technology shopping spree – floods Minneapolis with agents, violently running roughshod over the civil rights of immigrants and U.S. citizens alike; President Trump has threatened to use the Insurrection Act of 1807 to deploy military troops against protestors there. Other localities are preparing for the possibility of similar surges. 

Different government agencies necessarily collect information to provide essential services or collect taxes, but the danger comes when the government begins pooling that data and using it for reasons unrelated to the purpose it was collected.

This kind of consolidation of government records provides enormous government power that can be abused. Different government agencies necessarily collect information to provide essential services or collect taxes, but the danger comes when the government begins pooling that data and using it for reasons unrelated to the purpose it was collected. 

As EFF Executive Director Cindy Cohn wrote in a Mercury News op-ed last August, “While couched in the benign language of eliminating government ‘data silos,’ this plan runs roughshod over your privacy and security. It’s a throwback to the rightly mocked ‘Total Information Awareness’ plans of the early 2000s that were, at least publicly, stopped after massive outcry from the public and from key members of Congress. It’s time to cry out again.” 

In addition to the amicus brief we co-authored challenging ICE’s grab for Medicaid data, EFF has successfully sued over DOGE agents grabbing personal data from the U.S. Office of Personnel Management, filed an amicus brief in a suit challenging ICE’s grab for taxpayer data, and sued the departments of State and Homeland Security to halt a mass surveillance program to monitor constitutionally protected speech by noncitizens lawfully present in the U.S. 

But litigation isn’t enough. People need to keep raising concerns via public discourse and Congress should act immediately to put brakes on this runaway train that threatens to crush the privacy and security of each and every person in America.  

Contagious Claude Code bug Anthropic ignored promptly spreads to Cowork

15 January 2026 at 20:15

Office workers without AI experience warned to watch for prompt injection attacks - good luck with that

Anthropic's tendency to wave off prompt-injection risks is rearing its head in the company's new Cowork productivity AI, which suffers from a Files API exfiltration attack chain first disclosed last October and acknowledged but not fixed by Anthropic.…

Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation

15 January 2026 at 15:00

Written by: Nic Losby


Introduction

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk.

By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD. This initiative highlights the amplified impact of combining Mandiant's frontline expertise with Google Cloud's resources to eliminate entire classes of attacks.

This post details the generation of the tables, provides access to the dataset for community use, and outlines critical remediation steps to disable Net-NTLMv1 and prevent authentication coercion attacks.

Background

Net-NTLMv1 has been widely known to be insecure since at least 2012, following presentations at DEFCON 20, with cryptanalysis of the underlying protocol dating back to at least 1999. On Aug. 30, 2016, Hashcat added support for cracking Data Encryption Standard (DES) keys using known plaintext, further democratizing the ability to attack this protocol. Rainbow tables are almost as old, with the initial paper on rainbow tables published in 2003 by Philippe Oechslin, citing an earlier iteration of a time-memory trade-off from 1980 by Martin Hellman.

Essentially, if an attacker can obtain a Net-NTLMv1 hash without Extended Session Security (ESS) for the known plaintext of 1122334455667788, a cryptographic attack, referred to as a known plaintext attack (KPA), can be applied. This guarantees recovery of the key material used. Since the key material is the password hash of the authenticating Active Directory (AD) object—user or computer—the attack results can quickly be used to compromise the object, often leading to privilege escalation.

A common chain attackers use is authentication coercion from a highly privileged object, such as a domain controller (DC). Recovering the password hash of the DC machine account allows for DCSync privileges to compromise any other account in AD.

Dataset Release

The unsorted dataset can be downloaded using gsutil -m cp -r gs://net-ntlmv1-tables/tables . or through the Google Cloud Research Dataset portal

The SHA512 hashes of the tables can be checked by first downloading the checksums gsutil -m cp gs://net-ntlmv1-tables/tables.sha512 . then checked by sha512sum -c tables.sha512. The password cracking community has already created derivative work and is also hosting the ready to use tables.

Use of the Tables

Once a Net-NTLMv1 hash has been obtained, the tables can be used with historical or modern reinventions of rainbow table searching software such as rainbowcrack (rcrack), or RainbowCrack-NG on central processing units (CPUs) or a fork of rainbowcrackalack on graphics processing units (GPUs). The Net-NTLMv1 hash needs to be preprocessed to the DES components using ntlmv1-multi as shown in the next section.

Obtaining a Net-NTLMv1 Hash

Most attackers will use Responder with the --lm and --disable-ess flags and set the authentication to a static value of 1122334455667788 to only allow for connections with Net-NTLMv1 as a possibility. Attackers can then wait for incoming connections or coerce authentication using a tool such as PetitPotam or DFSCoerce to generate incoming connections from DCs or lower privilege hosts that are useful for objective completion. Responses can be cracked to retrieve password hashes of either users or computer machine accounts. A sample workflow for an attacker is shown below in Figure 1, Figure 2, and Figure 3.

DFSCoerce against a DC

Figure 1: DFSCoerce against a DC

Net-NTLMv1 hash obtained for DC machine account

Figure 2: Net-NTLMv1 hash obtained for DC machine account

Parse Net-NTLMv1 hash to DES parts

Figure 3: Parse Net-NTLMv1 hash to DES parts

Figure 4 illustrates the processing of the Net-NTLMv1 hash to the DES ciphertexts.

Net-NTLMv1 hash to DES ciphertexts

Figure 4: Net-NTLMv1 hash to DES ciphertexts

An attacker then takes the split-out ciphertexts to crack the keys used based on the known plaintext of 1122334455667788 with the steps of loading the tables shown in Figure 5 and cracking results in Figure 6 and Figure 7.

Loading DES components for cracking

Figure 5: Loading DES components for cracking

First hash cracked

Figure 6: First hash cracked

Second hash cracked and run statistics

Figure 7: Second hash cracked and run statistics

An attacker can then calculate the last remaining key with ntlmv1-multi once again, or look it up with twobytes, to recreate the full NT hash for the DC account with the last key part shown in Figure 8.

Calculate remaining key

Figure 8: Calculate remaining key

The result can be checked with hashcat's NT hash shucking mode, -m 27000, as shown in Figure 9.

Keys checked with hash shucking

Figure 9: Keys checked with hash shucking

An attacker can then use the hash to perform a DCSync attack targeting a DC and authenticating as the now compromised machine account. The attack flow uses secretsdump.py from the Impacket toolsuite and is shown in Figure 10.

DCSync attack performed

Figure 10: DCSync attack performed

Remediation

Organizations should immediately disable the use of Net-NTLMv1. 

Local Computer Policy

"Local Security Settings" > "Local Policies" > "Security Options" > “Network security: LAN Manager authentication level" > "Send NTLMv2 response only".

Group Policy

"Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options" > "Network Security: LAN Manager authentication level" > "Send NTLMv2 response only"

As these are local to the computer configurations, attackers can and have set the configuration to a vulnerable state to then fix the configuration after their attacks have completed with local administrative access. Monitoring and alerting of when and where Net-NTLMv1 is used is needed in addition to catching these edge cases.

Filter Event Logs for Event ID 4624: "An Account was successfully logged on." > "Detailed Authentication Information" > "Authentication Package" > "Package Name (NTLM only)", if "LM" or "NTLMv1" is the value of this attribute, LAN Manager or Net-NTLMv1 was used.

Related Reading

This project was inspired by and referenced the following research published to blogs, social media, and code repositories.

Acknowledgements

Thank you to everyone who helped make this blog post possible, including but not limited to Chris King and Max Gruenberg.

❌