Connect with us

CyberSecurity

Critical Google Dialogflow CX Flaw Could Have Let Attackers Hijack Chatbots

Published

on

Google Dialogflow CX flaw

How a Single Agent Could Compromise an Entire Project

Security researchers at Varonis uncovered a critical vulnerability in Google Dialogflow CX that could have allowed attackers to hijack chatbots and steal sensitive user data. The flaw, now patched by Google, centered on a rogue agent with edit permissions on one Code Block-enabled agent. From there, an attacker could compromise other Code Block-enabled agents within the same Google Cloud project.

The implications were severe. An attacker with edit rights could read live conversations, extract data users shared, and even make bots send attacker-crafted messages—including requests for users to re-enter passwords. That’s a phishing goldmine, wrapped in a trusted chatbot interface.

The Technical Breakdown: What Was at Risk

Dialogflow CX is Google’s conversational AI platform for building sophisticated chatbots. It supports Code Blocks, which let developers run custom code for tasks like calling external APIs or processing user input. The vulnerability exploited a gap in how these Code Blocks handled permissions.

Varonis discovered that an agent with edit access to a Code Block could inject malicious code. That code could then interact with other agents in the same project, reading their conversation logs, modifying responses, and potentially exfiltrating data. The attack didn’t require elevated privileges—just edit rights on one agent.

What an Attacker Could Do

  • Read live conversations: Access real-time chat logs from other agents, capturing sensitive data like credit card numbers, addresses, or login credentials.
  • Steal user data: Extract information users shared with the chatbot, including personal details and payment info.
  • Send attacker-written messages: Impersonate the bot to ask users for passwords or other sensitive information, enabling phishing attacks.

This wasn’t just a theoretical risk. Varonis demonstrated the exploit in a controlled environment, showing how a single compromised agent could cascade into a full project takeover.

Google’s Response: A Patch, But Questions Remain

Google patched the vulnerability after Varonis reported it through its bug bounty program. The fix restricts how Code Blocks interact with other agents, preventing unauthorized access. But the incident raises broader questions about Google Cloud security for AI-powered services.

Enterprises using Dialogflow CX should review their agent permissions. Ensure only trusted users have edit access to Code Blocks. Monitor for unusual activity—like unexpected changes to agent responses or spikes in data access. And consider implementing additional logging for Code Block executions.

Broader Implications for AI Chatbot Security

This flaw isn’t unique to Dialogflow CX. As more companies deploy AI chatbots for customer service, the attack surface grows. Chatbots handle sensitive data—financial details, health information, personal IDs—making them prime targets.

Security researchers have warned that many chatbot platforms lack proper isolation between agents. A vulnerability in one agent can spill over into others, especially when they share the same project or environment. The Dialogflow CX case is a textbook example: a single edit permission became a backdoor to the entire system.

What Developers Should Do Now

If you’re building chatbots on Dialogflow CX or similar platforms, take these steps:

  • Audit permissions: Limit edit access to Code Blocks to a small group of trusted developers. Use Google Cloud IAM roles to enforce least privilege.
  • Enable logging: Turn on audit logs for Code Block executions. Monitor for anomalies like code that reads data from other agents.
  • Review agent isolation: Check if your platform isolates agents properly. If not, consider running high-risk agents in separate projects.
  • Test for injection: Run regular security tests to catch code injection vulnerabilities before attackers do.

The Takeaway: Trust, but Verify

Google’s quick patch is reassuring, but the vulnerability underscores a hard truth: AI platforms are still maturing in their security practices. A flaw that lets a single agent hijack an entire project is a reminder that even cloud giants can miss edge cases.

For enterprises, the lesson is clear. Don’t assume your chatbot platform is secure out of the box. Audit permissions, monitor behavior, and treat every agent as a potential entry point. Because in the world of AI security, it’s not if you’ll find a flaw—it’s when.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

Published

on

RedWing Android malware

RedWing Android malware: A new Telegram rental for bank fraud

A fresh Android malware operation, dubbed RedWing, is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.

Security researchers at Zimperium‘s zLabs unit, which discovered the operation, say it appears to be a new variant of Oblivion — a $300-a-month rent-a-malware tool that’s been circulating in underground forums since late 2023.

The rise of Malware-as-a-Service (MaaS) on messaging platforms like Telegram is lowering the barrier to entry for cybercrime. RedWing is the latest example, packaging sophisticated Android bank fraud into a subscription model anyone can buy.

How RedWing works: Remote access and OTP theft

RedWing is a Remote Access Trojan (RAT) specifically designed for Android devices. Once installed — often through malicious apps sideloaded from third-party stores or phishing links — it can:

  • Take over the victim’s screen in real time, allowing the attacker to see everything the user does.
  • Steal banking credentials by overlaying fake login pages on top of legitimate banking apps.
  • Intercept one-time passwords (OTPs) sent via SMS, defeating two-factor authentication.
  • Log keystrokes and capture screenshots, giving the attacker full visibility into the device.

The malware communicates with its command-and-control (C2) server over encrypted channels, making detection harder for traditional antivirus tools. Zimperium’s zLabs says RedWing targets over 100 banking apps globally, with a particular focus on European and Latin American financial institutions.

Oblivion connection: A $300-a-month malware family

Zimperium’s analysis reveals strong code similarities between RedWing and the Oblivion malware family. Oblivion, first documented in early 2024, was sold as a subscription service for $300 per month on Telegram and dark web forums. It offered similar capabilities — screen recording, keylogging, and SMS interception — but RedWing appears to be an upgraded version.

Key differences include:

  • Improved obfuscation to evade Google Play Protect and other security scanners.
  • New anti-analysis tricks, such as detecting if it’s running in an emulator or sandbox environment.
  • Expanded target list with more banking apps and cryptocurrency wallets.

The pricing for RedWing hasn’t been disclosed publicly, but Zimperium suspects it follows a similar subscription model. The Telegram channel advertising the service boasts features like “24/7 support” and “regular updates” — a sign that the operators are treating it as a professional business.

Telegram as a marketplace for cybercrime tools

Telegram has become a hub for cybercriminal activity, from selling stolen data to renting out malware. The platform’s encrypted messaging, large file sharing, and channel features make it ideal for underground marketplaces. RedWing’s operators use Telegram channels to advertise their product, provide customer support, and distribute updates.

This isn’t new. Researchers have documented dozens of MaaS operations on Telegram, including ransomware builders, DDoS-for-hire services, and phishing kits. What makes RedWing notable is its focus on Android bank fraud — a lucrative niche where even low-skill attackers can drain accounts if they have the right tools.

For victims, the consequences can be severe: emptied bank accounts, stolen identities, and months of financial recovery. For banks, it means constantly updating fraud detection systems to catch new variants of malware.

How to protect against RedWing and similar threats

Android users can take several steps to reduce their risk:

  • Only install apps from the Google Play Store. Sideloading apps from unknown sources is the primary infection vector for RedWing.
  • Review app permissions carefully. If a flashlight app asks for SMS access or screen overlay permissions, that’s a red flag.
  • Enable Google Play Protect and keep it updated. It won’t catch everything, but it blocks many known malware samples.
  • Use a reputable mobile security app that can detect malicious behavior in real time.
  • Never click on links in unsolicited SMS or email messages claiming to be from your bank. Instead, open your banking app directly.

For security teams, Zimperium recommends monitoring for traffic patterns associated with RedWing’s C2 servers and integrating mobile threat detection into their existing security stack.

The bigger picture: MaaS is here to stay

RedWing is just the latest in a growing wave of Malware-as-a-Service offerings. As long as there’s demand for easy-to-use cybercrime tools, developers will build them and market them on platforms like Telegram. The barrier to entry for digital bank fraud has never been lower.

For consumers, the takeaway is clear: treat your phone like a wallet, because that’s exactly what attackers see it as. And for the security industry, the challenge is keeping up with an ever-evolving threat landscape where a new variant can appear on Telegram overnight.

Zimperium’s full technical report on RedWing is available on their blog, with indicators of compromise (IOCs) for security teams to use. The company says it’s sharing its findings with Google and affected financial institutions to help mitigate the threat.

Continue Reading

CyberSecurity

A Cybersecurity Startup Promising Millions for Zero-Day Exploits Is Run by Convicted Felons

Published

on

offensive cybersecurity startup

The Pitch: Million-Dollar Bounties for Hacker Talent

An aggressive new player has entered the high-stakes world of zero-day acquisitions. IRIS C2, a self-described cybersecurity firm based in McLean, Virginia, is publicly dangling payouts of up to $7 million for previously unknown software vulnerabilities. Its X/Twitter account, launched in January 2025, has already amassed over 4,000 followers by posting about exploits, AI, and security bugs. The company’s website claims it buys “zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms.”

But the pitch is not what it seems. A deeper look reveals that the people behind IRIS C2 are not your typical security researchers. They are Jack Burkman, 60, and Jacob Wohl, 28 — a duo with a long rap sheet of fraud, felony convictions, and fabricated conspiracy theories.

The Men Behind the Curtain: Burkman and Wohl

Burkman and Wohl have spent years building a reputation for deception. In 2019, they held press conferences falsely accusing then-presidential candidates Elizabeth Warren and Kamala Harris of extramarital affairs. They fabricated sexual assault claims against former FBI Director Robert Mueller and Pete Buttigieg. Their specialty? Creating fake intelligence companies to spread disinformation.

After the 2020 election, the pair orchestrated a massive robocall campaign targeting Black voters in battleground states with false claims about mail-in ballots. They were indicted in Cleveland on 15 felony counts of voter suppression. In late 2025, after exhausting appeals, they were sentenced to probation. Earlier, in 2022, both pleaded guilty to telecommunications fraud in Ohio. In March 2023, a New York civil court ordered them to pay a $1 million settlement for violating federal and state civil rights laws. The FCC followed with a $5.1 million fine — the largest ever under the Telephone Consumer Protection Act.

Wohl’s history of financial crimes goes back even further. At 17, he started multiple investment firms and earned the nickname “Wohl of Wall Street” after appearing on Fox News in 2015. In 2017, the Arizona Corporation Commission charged him with 14 counts of securities fraud. In 2019, he pleaded guilty in California to four felony counts of selling unregistered securities.

How IRIS C2 Connects to the Duo

The IRIS C2 website is registered to Calvexa Group LLC, a Virginia-based federal contractor. The contact page on Calvexa Group’s site redirects visitors to IRIS C2’s domain. Incorporation records list an Arlington, Virginia address — which turns out to be the office of Burkman’s lobbying firm, Burkman & Associates.

When approached by KrebsOnSecurity, Burkman referred questions to Wohl. Wohl admitted that Burkman is not involved in day-to-day operations but confirmed his own role. He claimed IRIS C2 started as a penetration testing company before pivoting to selling phone-hacking services to the government. He said the firm has about 40 employees, though none are allowed to list their jobs on LinkedIn for “operational security reasons.”

A History of Pseudonyms and Shell Companies

This is not the first time Burkman and Wohl have hidden behind fake identities. In September 2024, Politico reported that the pair ran a now-defunct AI lobbying platform called LobbyMatic under the assumed names “Jay Klein” (Wohl) and “Bill Sanders” (Burkman). Two employees quit after learning their bosses’ real identities. Others only found out after leaving the company.

The Oddity of an Open Zero-Day Market

The market for zero-day exploits has always attracted a motley crew: academics, hobbyists, criminals, and legitimate government contractors. But most firms that sell offensive capabilities to the U.S. government operate with discretion. IRIS C2 is an exception. Its public bravado — posting about million-dollar payouts and recruiting “junior engineers with raw talent/extremely high IQ” — is unusual in a field that prizes anonymity.

Wohl, who has no formal training in computer science, told KrebsOnSecurity: “I know more about tech than anyone. My background has always been extremely technical.” He claimed researchers bring him “spectacularly exquisite capabilities that would make your head spin.” But when pressed on federal contracts, he clammed up, citing national security.

What This Means for the Cybersecurity Community

For vulnerability researchers, the warning is clear: not every buyer is who they claim to be. A company offering life-changing money for exploits might be run by convicted felons with a history of fraud. The offensive cybersecurity startup IRIS C2 may have legitimate aspirations, but its founders’ track record raises serious red flags.

Researchers considering selling their work should vet buyers thoroughly. Check incorporation records. Search for legal judgments. Ask for references. The zero-day market is lucrative, but it’s also a playground for fraudsters. Burkman and Wohl have proven they can reinvent themselves — but their past keeps catching up.

As one conference attendee told KrebsOnSecurity, Wohl and Calvexa Group were aggressively soliciting vulnerability researchers at a recent cybersecurity event. The message was simple: they wanted to buy exploits. The subtext, now clear, is that the sellers should have asked more questions.

Continue Reading

CyberSecurity

North Korean Hackers Poison Open Source Repos to Steal Developer Credentials

Published

on

North Korean hackers

More Than 100 Open Source Packages Weaponized in Ongoing Campaign

Since December 2025, a threat group linked to North Korea has been systematically compromising open source repositories and package registries. Security firm Socket calls the operation PolinRider, and it’s already hit more than 100 legitimate packages across NPM, Packagist, Go modules, and Chrome extensions.

The attackers aren’t just sneaking in a single malicious library. They’re deploying a two-stage infection: a JavaScript loader that pulls down the DEV#POPPER remote access trojan (RAT) and a separate information stealer called OmniStealer. The goal is to grab credentials, source code, and CI/CD secrets from developer machines.

Socket has identified 162 malicious release artifacts across 108 unique packages so far. And they expect more to surface.

How PolinRider Works: Compromised Accounts and Rewritten Git History

The attack chain starts with the threat actor taking over legitimate maintainer accounts on GitHub. Once inside, they tamper with repositories and push infected package versions. To cover their tracks, they rewrite Git history — making the malicious changes look like they were made months earlier.

The compromised repos contain obfuscated JavaScript loaders. Those loaders connect to blockchain and public RPC infrastructure to fetch encrypted payloads. It’s a clever way to host command-and-control data on decentralized networks, making takedowns harder.

One example Socket flagged: a GitHub account called Xpos587, which maintains several repositories. All of them were modified on June 23 within a short window. That pattern — a burst of changes to unrelated repos — is a red flag.

Packagist Compromise: Malware Hidden in Configuration Files

The campaign recently expanded to Packagist, the main package repository for PHP. Multiple packages under the sevenspan namespace were compromised. The attackers stashed the malicious loaders inside configuration files — the kind of files most developers wouldn’t think to inspect closely.

Socket notes that even a cleanup operation missed some of these hidden loaders. That means teams that installed any affected package version should treat the entire development environment as potentially compromised.

Why Developer Machines Are Prime Targets

Developers’ workstations often hold a treasure trove of credentials: package registry tokens, cloud API keys, source code repositories, and CI/CD pipeline secrets. A single compromised machine can give attackers access to an entire organization’s software supply chain.

“Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host,” Socket warns.

Part of a Broader North Korean Hacking Ecosystem

PolinRider isn’t an isolated incident. Socket connects it to a larger operation called Contagious Interview, which overlaps with several known North Korean campaigns: DeceptiveDevelopment, Operation Dream Job, and ClickFake Interview.

These campaigns share a common playbook. Attackers pose as recruiters, contact developers on LinkedIn or other platforms, and lure them into installing malicious packages or running fake coding tests. The goal is always the same — get a foothold in the developer’s machine and pivot into the corporate network.

Earlier this year, North Korean hackers were blamed for the Mastra NPM supply chain attack and for targeting high-profile Node.js maintainers. They’ve also been spotted using AppleScript and ClickFix tricks in fresh macOS attacks.

What Developers Should Do Right Now

If your team uses open source packages from NPM, Packagist, or Go modules, here’s what Socket recommends:

  • Audit your dependencies against the list of known compromised packages (Socket maintains an updated inventory).
  • Check your GitHub repositories for unusual activity — especially sudden bursts of changes to multiple repos from the same account.
  • Review Git history for rewritten commits. If a commit timestamp looks suspiciously old but the content seems recent, investigate.
  • Rotate all credentials stored on any machine that might have installed an affected package. Do this from a clean, isolated system.
  • Enable two-factor authentication on all package registry and GitHub accounts. Use hardware security keys where possible.

The PolinRider campaign is a stark reminder that open source isn’t just about convenience. It’s an attack surface. And North Korean hackers are exploiting it with increasing sophistication.

Continue Reading

Trending