Feed aggregator

COLUMBUS, Ohio (WCMH) – A newly obtained 2023 Ohio State University investigative report documented hundreds of instances of sexual misconduct and fondling at the hands of a former employee.  The Ohio State University Office of Institutional Equity found there was “sufficient evidence” of sexual misconduct, exploitation and harassment after two employees of security systems vendor [...]

COLUMBUS, Ohio (WCMH) — One person is dead and two were hospitalized in critical condition after a two-vehicle crash on the west side of Franklin County Tuesday night. According to the Franklin County Sheriff's Office, deputies are investigating a crash that occurred at 9:18 p.m., near the intersection of U.S. Route 40 and Darby Creek [...]

COLUMBUS, Ohio (WCMH) – The Blendon Township Board of Trustees is set to decide whether to reinstate police officer Connor Grubb, who fatally shot Ta’Kiya Young in 2023.  Earlier this month, Blendon Township Chief of Police John Belford revealed an internal policy investigation found that Grubb, 31, did not violate department policies during the shooting [...]

Soaring RAM prices are about to hit your security gear where it hurts, and the fallout could change what's protecting your network. Find out who's about to pay and why the AI gold rush is reshaping more than just your server specs.

• RAM pricing to affect enterprise firewall equipment.
• Anthropic provides sizeable support to Python Foundation.
• The FTC clamps down on GM's secret sale of driving data.
• "ANCHOR" replaces "CIPAC" for industry-government sharing.
• Germany planning to legislate total access to global data.
• Grubhub becomes the latest ShinyHunters extortion victim.
• Let's Encrypt's 6-Day certs are available to everyone.
• Iran planning to permanently take itself off the Internet.
• HD Tune before and after a SpinRite Level 3 refresh.
• Some great listener feedback, and
• More trouble from GhostPoster malicious browser extensions

Show Notes - https://www.grc.com/sn/SN-1061-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• bitwarden.com/twit
• canary.tools/twit - use code: TWIT
• threatlocker.com/twit
• meter.com/securitynow
• joindeleteme.com/twit promo code TWIT

COLUMBUS, Ohio (WCMH) -- Have you asked yourself where you want your body to go when you die? There is a growing interest in donating bodies to science. Medical schools, like the one at Ohio State, benefit as does the family of the person donating.   Ohio State medical students regularly in the anatomy lab said nothing can replicate the learning [...]

COLUMBUS, Ohio (WCMH) -- On extremely cold days like Tuesday, school districts across central Ohio had to decide what is best for their students: closing school, delaying or staying open. Decisions depend on the district, but safety is the number one priority for every superintendent. Whitehall City Schools and Marysville Schools made different decisions Tuesday. [...]

COLUMBUS, Ohio (WCMH) -- Public schools in Ohio have new health and attendance rules with a new law taking effect this week. House Bill 57, sponsored by Rep. Dontavius Jarrells (D-Columbus) and Rep. Josh Williams (R-Sylvania Twp.), makes two major changes to school policy. The first requires schools that keep overdose reversal drugs such as Narcan [...]

COLUMBUS, Ohio (WCMH) — The Mid-Ohio Market at Norton Road is set to reopen on Wednesday after a fire damaged part of the building around 1:30 a.m. Tuesday. "This damage could have been much, much worse; this fire could have taken the whole building, we could be not open at all because the whole building [...]

COLUMBUS, Ohio (WCMH) -- Dr. Michael McKee, accused of killing his ex-wife and her husband in north Columbus in December, is back in Ohio to face murder charges, according to online booking records. McKee, 39, of Chicago, was extradited from Illinois and was booked into the James A. Karnes Corrections Center on Tuesday. He had [...]

ASHVILLE, Ohio (WCMH) -- The state is investigating an "officer-involved" incident in Pickaway County on Tuesday afternoon. According to the Ohio Attorney General's Bureau of Criminal Investigation, it was requested at the scene of an "officer-involved critical incident" near Duvall Road in Ashville. No officers were injured in the incident, BCI said in a statement. [...]

A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.

Image: Shutterstock, @Elzicon.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints. Residential proxies are sold as a way to anonymize and localize one’s Web traffic to a specific region, and the biggest of these services allow customers to route their Internet activity through devices in virtually any country or city around the globe.

The malware that turns one’s Internet connection into a proxy node is often quietly bundled with various mobile apps and games, and it typically forces the infected device to relay malicious and abusive traffic — including ad fraud, account takeover attempts, and mass content-scraping.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week. The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Most of the systems compromised through Kimwolf’s local network scanning have been unofficial Android TV streaming boxes. These are typically Android Open Source Project devices — not Android TV OS devices or Play Protect certified Android devices — and they are generally marketed as a way to watch unlimited (read:pirated) video content from popular subscription streaming services for a one-time fee.

However, a great many of these TV boxes ship to consumers with residential proxy software pre-installed. What’s more, they have no real security or authentication built-in: If you can communicate directly with the TV box, you can also easily compromise it with malware.

While IPIDEA and other affected proxy providers recently have taken steps to block threats like Kimwolf from going upstream into their endpoints (reportedly with varying degrees of success), the Kimwolf malware remains on millions of infected devices.

A screenshot of IPIDEA’s proxy service.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corporate networks. However, the security firm Infoblox said a recent review of its customer traffic found nearly 25 percent of them made a query to a Kimwolf-related domain name since October 1, 2025, when the botnet first showed signs of life.

Infoblox found the affected customers are based all over the world and in a wide range of industry verticals, from education and healthcare to government and finance.

“To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” Infoblox explained. “Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices. A query means a scan was made, not that new devices were compromised. Lateral movement would fail if there were no vulnerable devices to be found or if the DNS resolution was blocked.”

Synthient, a startup that tracks proxy services and was the first to disclose on January 2 the unique methods Kimwolf uses to spread, found proxy endpoints from IPIDEA were present in alarming numbers at government and academic institutions worldwide. Synthient said it spied at least 33,000 affected Internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.

The top 50 domain names sought out by users of IPIDEA’s residential proxy service, according to Synthient.

In a webinar on January 16, experts at the proxy tracking service Spur profiled Internet addresses associated with IPIDEA and 10 other proxy services that were thought to be vulnerable to Kimwolf’s tricks. Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 companies in banking and finance.

“I looked at the 298 [government] owned and operated [networks], and so many of them were DoD [U.S. Department of Defense], which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it,” Spur Co-Founder Riley Kilmer said. “I don’t know how these enterprises have these networks set up. It could be that [infected devices] are segregated on the network, that even if you had local access it doesn’t really mean much. However, it’s something to be aware of. If a device goes in, anything that device has access to the proxy would have access to.”

Kilmer said Kimwolf demonstrates how a single residential proxy infection can quickly lead to bigger problems for organizations that are harboring unsecured devices behind their firewalls, noting that proxy services present a potentially simple way for attackers to probe other devices on the local network of a targeted organization.

“If you know you have [proxy] infections that are located in a company, you can chose that [network] to come out of and then locally pivot,” Kilmer said. “If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that.”

This is the third story in our series on the Kimwolf botnet. Next week, we’ll shed light on the myriad China-based individuals and companies connected to the Badbox 2.0 botnet, the collective name given to a vast number of Android TV streaming box models that ship with no discernible security or authentication built-in, and with residential proxy malware pre-installed.

Further reading:

The Kimwolf Botnet is Stalking Your Local Network

Who Benefitted from the Aisuru and Kimwolf Botnets?

A Broken System Fueling Botnets (Synthient).

COLUMBUS, Ohio (WCMH) -- Rishi Sushi Kitchen and Bar, a Downtown restaurant known for its traditional Asian fare and cocktail specials, announced last week that it has closed. The announcement came in a Jan. 13 post on the restaurant's social media accounts, where the business thanked employees and customers while hinting that it's story may [...]

WHITEHALL, Ohio (WCMH) -- Whitehall City Council will consider removing a councilmember accused of underage sexual misconduct at its meeting Tuesday night. Councilmember Gerald Dixon was arrested Dec. 8 and accused of decades of sexual misconduct toward underage boys. Dixon, 64, was charged with gross sexual imposition and compelling prostitution. He was released on his [...]

BEXLEY, Ohio (WCMH) -- Bexley golf enthusiasts will soon be able to hit the green year-round, even when skies are gray. Bexley Links, an indoor golf simulator with year-round access, will open near Bexley in February. Although the spot is advertising primarily toward Bexley residents, the location is just east of the city limits at [...]

COLUMBUS, Ohio (WCMH) — A second murder trial of a former Franklin County sheriff's deputy who fatally shot a Black man six times while on an unrelated assignment has been postponed once again. The trial of Jason Meade, which has been in limbo since the fall of 2024, awaits a new date after opposing counsel [...]

COLUMBUS, Ohio (WCMH) – A north Columbus business known for its Vietnamese desserts and drinks has closed. Bambu Dessert Drinks, located at 827 Bethel Road in the Olentangy Commons neighborhood, announced in an Instagram post on Dec. 30 that it would shut down the next day. The post did not provide a reason for the [...]