An unknown hacker used Anthropic’s LLM to hack the Mexican government:
The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday.
[…]
Claude initially warned the unknown user of malicious intent during their conversation about the Mexican government, but eventually complied with the attacker’s requests and executed thousands of commands on government computer networks, the researchers said.
Anthropic investigated Gambit’s claims, disrupted the activity and banned the accounts involved, a representative said. The company feeds examples of malicious activity back into Claude to learn from it, and one of its latest AI models, Claude Opus 4.6, includes probes that can disrupt misuse, the representative said.
Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store.
The messages arrived in quick succession over a period of 30 minutes, starting with the phrase ‘Help has arrived’ at 9:52 am Tehran time, shortly after the first set of explosions. No party has claimed responsibility for the hacks.
It happened so fast that this is most likely a government operation. I can easily envision both the US and Israel having hacked the app previously, and then deciding that this is a good use of that access.
Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create new security risks. In this paper, we introduce CHAI (Command Hijacking against embodied AI), a new class of prompt-based attacks that exploit the multimodal language interpretation abilities of Large Visual-Language Models (LVLMs). CHAI embeds deceptive natural language instructions, such as misleading signs, in visual input, systematically searches the token space, builds a dictionary of prompts, and guides an attacker model to generate Visual Attack Prompts. We evaluate CHAI on four LVLM agents; drone emergency landing, autonomous driving, and aerial object tracking, and on a real robotic vehicle. Our experiments show that CHAI consistently outperforms state-of-the-art attacks. By exploiting the semantic and multimodal reasoning strengths of next-generation embodied AI systems, CHAI underscores the urgent need for defenses that extend beyond traditional adversarial robustness.
Michael suspects personal information he submitted to rent application platforms was leaked online. And analysis shows millions of documents may also be at risk
Michael* has spent the past two months trying to get his digital identity back.
The 47-year-old Victorian schoolteacher was in the process of moving to a new town and applying for rental properties online. Around this time – and unbeknown to him – his mobile phone number was transferred to someone else.
Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users.
Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.” Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed.
Starmer’s team is wary of spies but such fears are not new – with Theresa May once warned to get dressed under a duvet
When prime ministers travel to China, heightened security arrangements are a given – as is the quiet game of cat and mouse that takes place behind the scenes as each country tests out each other’s tradecraft and capabilities.
Keir Starmer’s team has been issued with burner phones and fresh sim cards, and is using temporary email addresses, to prevent devices being loaded with spyware or UK government servers being hacked into.
Researchers have demonstrated remotely controlling a wheelchair over Bluetooth. CISA has issued an advisory.
CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted device to pair with it. The attacker could then control the wheelchair’s movements, override speed restrictions, and manipulate configuration profiles, all without requiring credentials or user interaction.
You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
Barristers report going unpaid and cases being turned away amid fears firms will desert legal aid work altogether
Lawyers have warned that a cyber-attack on the Legal Aid Agency has pushed the sector into chaos, with barristers going unpaid, cases being turned away and fears a growing number of firms could desert legal aid work altogether.
In May, the legal aid agency announced that the personal data of hundreds of thousands of legal aid applicants in England and Wales dating back to 2010 had been accessed and downloaded in a significant cyber-attack.
Your Facebook or Instagram account can be your link to friends, a profile for your work or a key to other services, so losing access can be very worrying. Here’s what to do if the worst happens.
If you have access to the phone number or email account associated with your Facebook or Instagram account, try to reset your password by clicking on the “Forgot password?” link on the main Facebook or Instagram login screen. Follow the instructions in the email or text message you receive.
If you no longer have access to the email account linked to your Facebook account, use a device with which you have previously logged into Facebook and go to facebook.com/login/identify. Enter any email address or phone number you might have associated with your account, or find your username which is the string of characters after Facebook.com/ on your page. Click on “No longer have access to these?”, “Forgotten account?” or “Recover” and follow the instructions to prove your identity and reset your password.
If your account was hacked, visit facebook.com/hacked or instagram.com/hacked/ on a device you have previously used to log in and follow the instructions. Visit the help with a hacked accountpage for Facebook or Instagram.
Turn on two-step verification in the “password and security” section of the Accounts Centre. Use an authentication app or security key for this, not SMS codes. Save your recovery codes somewhere safe in case you lose access to your two-step authentication method.
Turn on “unrecognised login” alerts in the “password and security” section of the Accounts Centre, which will alert you to any suspicious login activity.
Remove any suspicious “friends” from your account – these could be fake accounts or scammers.
If you are eligible, turn on “advanced protection for Facebook” in the “password and security” section of the Accounts Centre.
You may have read some of our previous blog posts on Artificial Intelligence (AI). We discussed things like using PyRIT to help automate attacks. We also covered the dangers of […]
In the world of cybersecurity, it’s important to understand what attack surfaces exist. The best way to understand something is by first doing it. Whether you’re an aspiring penetration tester, […]
by Austin Kaiser // Intern Hacking a satellite is not a new thing. Satellites have been around since 1957. The first satellite launched was called Sputnik 1 and was launched […]
Hey guys, my name is Connor. I am a web developer here at BHIS who also loves hacking phones. Particularly, Android phones! Today, I am going to show you the basics […]
This is part three of the blog series, Offensive IoT for Red Team Implants. We will be building off from where we left off in the last post, which can […]
Login
