Article Details

Scrape Timestamp (UTC): 2026-02-08 22:27:53.392

Source: https://www.theregister.com/2026/02/08/infosec_news_in_brief/

Original Article Text

Telcos aren't saying how they fought back against China's Salt Typhoon attacks. PLUS: OpenClaw teams with VirusTotal; crypto kidnappings in France; critical vulns at SmarterMail; and more.

Infosec In Brief

So-hot-right-now AI assistant OpenClaw, which is very much not secure right now, has teamed up with security scanning service VirusTotal. The tie-up means "skills" in the ClawHub (custom plugins for the OpenClaw assistant) will be scanned by over 70 antivirus scanners and URL/domain blocklisting services.

"OpenClaw skills are powerful. They extend what your AI agent can do—from controlling smart home devices to managing finances to automating workflows. But with that power comes risk," the assistant's developers wrote in a Saturday post that explains the decision to work with VirusTotal.

The post points out that working with the scanning service won't totally secure OpenClaw. "Let's be clear: this is not a silver bullet," the developers wrote. "VirusTotal scanning won't catch everything. A skill that uses natural language to instruct an agent to do something malicious won't trigger a virus signature. A carefully crafted prompt injection payload won't show up in a threat database."

Senator fears telcos haven't built good defenses against Salt Typhoon

Fallout from the Salt Typhoon hack of leading American telcos continues, and one US Senator isn't convinced that victim companies are being honest. Senator Maria Cantwell (D-WA), the ranking member of the Senate Committee on Commerce, Science, and Transportation, last week sent a letter to her Republican counterpart demanding the CEOs of AT&T and Verizon appear before the committee to explain why they keep withholding security assessments performed in the wake of the 2024 revelations of what's been called the worst telecom hack in US history.

Chinese-linked hackers with Salt Typhoon reportedly had extensive access to the three carriers' networks, plus others they used to spy on customers, including officials at US government agencies. Telcos supposedly reinforced their network perimeters and ejected Salt Typhoon after the intrusions were made public, but Cantwell has her doubts.

"The FBI and other federal agencies … detailed guidance on how to mitigate the risk from Advanced Persistent Threat actors like Salt Typhoon," Cantwell wrote to Senator Ted Cruz (R-TX). "However, reports indicate the telecommunications providers have taken few protective actions thus far due to the costs."

AT&T and Verizon have refused to release security assessments conducted by Mandiant in the wake of the attacks. Cantwell said the documents detail the steps the telcos took to secure their networks and eject Salt Typhoon. Not only have the pair declined to make the reports public after acknowledging they had been conducted, but Cantwell said both stymied her efforts to get copies from Mandiant, too.

"Both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk," Cantwell argued. "I believe we must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications."

Newly discovered Chinese APT targets fresh vulns

Check Point researchers have spotted a previously unknown Chinese cyber espionage group they rate as "active and capable." Check Point named the group Amaranth-Dragon and believes it is targeting countries in Southeast Asia with narrow, focused attacks that suggest a desire to collect intelligence on government institutions and law enforcement agencies. The group is quick to exploit recently disclosed vulnerabilities, and its campaigns reference recent newsworthy events that it hopes will lure victims into interacting with dangerous content.

Check Point noted the group was particularly quick to make use of a compression vulnerability in WinRAR that was first reported in September 2025, incorporating it into campaigns within days of its disclosure. Check Point believes Amaranth-Dragon is likely affiliated with APT-41, a well-known Chinese cyber espionage group that typically targets foreign nations for intel-gathering purposes.

Ukrainian crooks nabbed for POS scheme

Ukrainian authorities last week arrested four people for stealing more than ₴13M ($302,000) from banks between 2023 and 2024 using a rather convoluted scheme involving fake businesses, point of sale (POS) terminals, and bogus refunds.

The scheme started, according to Ukrainian cyber police, with the registration of businesses that acquired POS terminals from banks for use in their supposedly legitimate operations. Terminals were installed at "previously prepared premises" that served as fake business locations, and the gang made purchases of nonexistent goods from the businesses they had registered. At that point, the crooks would trigger refunds for the things they didn't buy, which is where the crime comes in.

"Given the peculiarities of automatic transaction processing, such refunds were compensated at the expense of banking institutions, which allowed the perpetrators to illegally obtain funds," Ukrainian law enforcement explained. "The stolen money was legalized by converting it into cryptocurrency and then exchanging it for cash, in particular using P2P trading on crypto exchanges."

The gang members each face 12 years in prison if convicted.

SmarterMail not looking so sharp after third KEV in two weeks

Microsoft Exchange alternative SmarterMail isn't living up to its name after several vulnerabilities in the product were revealed in recent weeks.

It started on January 26th, with two CVEs in SmarterTools' SmarterMail software, CVE-2026-23760 (CVSS 9.3) and CVE-2025-52691 (CVSS 10.0), both added to CISA's catalog of known exploited vulnerabilities on the same day. The first, 23760, allows an attacker to gain administrator privileges on SmarterMail instances through an authentication bypass in the platform's password reset API, while 52691 offers the chance of remote code execution by abusing an unrestricted file upload issue.

Fast forward to last week, and CISA added a third issue (CVE-2026-24423, CVSS 9.3) to its KEV catalog. This flaw is an authentication problem in SmarterMail's ConnectToHub API, which could allow an attacker to gain command execution on an affected server by redirecting it to a malicious HTTP server used to deliver malicious commands. CISA is aware of the vulnerability being used in ransomware campaigns, so get those security updates deployed.

Crypto kidnappings in France

A woman and her mother were abducted in France on Wednesday last week by criminals hoping to ransom the pair to the woman's partner, an executive at a cryptocurrency company. The criminals got nothing, as a man freed the kidnapped pair after hearing their cries for help.

According to French outlet Le Dauphiné, this is the third such abduction and cryptocurrency ransom demand of late, with an elderly couple abducted in mid-January and an elderly man kidnapped late last month. In the other cases, children of the abductees were involved in the cryptocurrency space.

Daily Brief Summary

NATION STATE ACTIVITY // Senator Demands Telcos Explain Response to Salt Typhoon Hack

U.S. Senator Maria Cantwell is pressing AT&T and Verizon to disclose their security measures following the Salt Typhoon hack, considered the most severe telecom breach in U.S. history.

Salt Typhoon, linked to Chinese cyber actors, gained extensive access to major U.S. telecom networks, potentially compromising sensitive communications, including those of government officials.

Despite public assurances of improved defenses, the telecom giants have withheld detailed security assessments conducted by Mandiant, raising concerns about transparency and ongoing risks.

The FBI and federal agencies provided mitigation guidance, yet reports suggest telecoms have been slow to implement protective measures due to cost concerns.

Senator Cantwell seeks direct testimony from the CEOs of AT&T and Verizon to clarify their actions and reassure the public about the security of their communications infrastructure.

The lack of cooperation from the telecoms in sharing security assessments has led to questions about the current exposure of American users to potential threats.

This situation emphasizes the critical need for transparency and accountability in cybersecurity practices within essential communication infrastructures.