< ciso
brief />
Tag Banner

All news with #credential access tag

204 articles

ACR Stealer campaigns use ClickFix lures and fileless tradecraft

🔍 Microsoft Defender Experts observed heightened ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering to lure users into running commands that ultimately harvest browser credentials, tokens, and sensitive documents. Two prevalent campaigns were detailed: one using WebDAV-delivered DLLs, staged PowerShell, Python loaders, and optional blockchain-backed dead-drop C2 resolution; the other using fileless MSHTA, obfuscated PowerShell, and steganography-assisted in-memory execution. Both aim to exfiltrate credentials and enterprise data, and Microsoft recommends monitoring for ClickFix lures, suspicious WebDAV/MSHTA activity, obfuscated PowerShell, and attempts to access browser credential stores while leveraging Defender capabilities to detect and respond.
read more →

Amazon Cognito adds password hash import support

🔐 Amazon Cognito now supports importing users with password hashes in CSV imports, allowing migrated users to sign in immediately with existing credentials. Administrators specify the source system's hashing algorithm during import, and Cognito verifies passwords against the imported hash on first sign-in. Supported algorithms include bcrypt, scrypt, Argon2id, and PBKDF2 with SHA-256; all imported hashes receive additional cryptographic protection before storage. The feature is available in all AWS Regions where Cognito is offered and can be used via the Console, CLI, or SDKs.
read more →

Compromised Logins Drive Most Ransomware Intrusions

🛡️ New Sophos analysis shows identity-based attacks and stolen credentials are now the leading initial access vector in ransomware incidents, responsible for 79% of cases. Malicious email and phishing remain significant contributors, while exploitation of known vulnerabilities has decreased. The report urges stronger identity controls, widespread MFA, and adoption of ITDR to reduce risk.
read more →

OAuth client ID spoofing exposes cloud sign‑in blind spot

🔒 Proofpoint has identified at least two threat clusters weaponizing a technique called OAuth client ID spoofing to enumerate accounts and validate stolen credentials in Microsoft Entra ID environments while avoiding successful sign‑in telemetry. By supplying spoofed or manipulated client_id values in OAuth token requests—often using the ROPC flow—attackers can cause different AADSTS error responses that reveal whether an account exists and whether a password is correct without recording a successful login. Campaigns such as UNK_pyreq2323 and UNK_OutFlareAZ have used millions of randomized or modified client IDs across thousands of tenants to probe and lock out users, undermining per‑application detections and Conditional Access policies.
read more →

AI-assisted PowerShell used for noisy AD reconnaissance

🛡️ Huntress investigators reported an early-June 2026 intrusion where an unknown actor used a vibe-coded PowerShell script to enumerate Active Directory. The attacker gained RDP access with pre-compromised credentials, staged tools under C:\ProgramData\, and executed an AI-suspected payload that mapped DCs, users, groups, OUs, trusts, and produced an AD_Report.html. After harvesting data into CSVs and archiving them, files were exfiltrated to a remote server, with additional enumeration using s5cmd and SharpShares.
read more →

Australia alerts on global CMS exploitation campaign

⚠️ The Australian Cyber Security Centre (ACSC) warned of a global campaign exploiting vulnerabilities in multiple content management systems and plugins, with many Australian small and medium businesses affected. Threat actors are deploying webshells to maintain persistence, steal credentials, and escalate access. The campaign targets several CMS platforms and specific plugins, and the ACSC cautions that AI may be used to accelerate attacks. Administrators are urged to apply patches, remove unused components, and tighten web-server protections.
read more →

AI coding agents trigger endpoint behavioral detections

🛡️ Sophos analyzed a week of June 2026 telemetry and found AI coding agents like Claude Code, Cursor, and OpenAI Codex frequently trigger behavioral detection rules designed to catch human attackers. The agents perform actions—decrypting browser credentials, enumerating Windows Credential Manager, downloading files via LOLBins, and writing startup scripts—that look like malicious behavior to endpoint engines. While often benign developer automation, these behaviors overlap precisely with attacker techniques and can generate false positives. Sophos recommends scoping rules to agent parents, workspaces, and download reputations while keeping credential access tightly controlled.
read more →

China‑Aligned Cluster Exploits Roundcube Mail Servers

🔒 New research from Proofpoint identified a suspected China-aligned cluster, tracked as UNK_MassTraction, exploiting vulnerable Roundcube webmail instances at US and Canadian universities. The attackers targeted physics and engineering departments using known Roundcube vulnerabilities to steal credentials, deploy webshells and establish persistent access. The campaign leveraged malicious JavaScript (IceCube) and exploited CVE-2025-49113 to load the VShell backdoor in memory, enabling lateral movement and espionage-focused intrusions.
read more →

Recovering active ADFS signing keys via Machine DPAPI

🛡️ This post examines how ADFS token-signing private keys persisted in the machine-scoped key store and protected by Machine DPAPI can be recovered by a sufficiently privileged local context. It describes a red team finding where manual certificate rotations with AutoCertificateRollover disabled created configuration drift, leaving active signing keys exposed in Machine DPAPI and enabling forged SAML assertions. The article outlines extraction details, detection guidance, and mitigation measures including HSM use and configuration validation.
read more →

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.
read more →

FortiBleed ties stolen Fortinet credentials to ransomware

🛡️ SOCRadar links the FortiBleed credential-theft campaign to the INC and Lynx ransomware operations after finding a Windows server used by FortiBleed that contained access to ransomware negotiation panels. Investigators discovered FortiGate configuration files, harvested credentials, and a custom "FortiGate Sniffer" tool that intercepted VPN and authentication data. The operation targeted hundreds of thousands of devices and deployed sniffers on thousands, with ongoing investigation into additional servers, a suspected Nextcloud zero-day, and overlapping victim data.
read more →

Kubota reports month-long network intrusion affecting employees

🔒 Kubota North America disclosed that a threat actor accessed parts of its network from March 16 to April 20, exposing personal data for employees and dependents. The company says exposed information may include names, Social Security numbers, dates of birth, tax IDs, driver’s license numbers, bank account and corporate card details, and limited benefits claims. Notifications were sent starting June 30 with instructions to enroll in Kroll identity protection and guidance to monitor accounts; Kubota has enacted additional security measures and has not reported business disruptions.
read more →

Gamaredon expands malware and exfiltration tactics

🛡️ ESET observed 35 spear-phishing campaigns by the Russian APT group Gamaredon across 2025, primarily targeting Ukrainian government and military entities. Campaigns used HTML smuggling, archive attachments and a patched WinRAR flaw (CVE-2025-8088) to deploy HTA downloaders that drop payloads like PteroSand. The group enhanced persistence and lateral movement via PteroLNK, PteroPaste and PteroSetup while increasingly abusing tunnel and serverless services to hide infrastructure.
read more →

Three real-world incident case studies from GERT

🔍 Over the past year, Kaspersky’s Global Emergency Response Team and MDR service investigated diverse security incidents that informed the Anatomy of a Cyber World Global Report 2026. The post presents three real case studies illustrating how adversaries use credential theft, known vulnerabilities, and lateral movement to achieve persistence, escalate privileges, and deploy ransomware or wipers. It highlights recurring misconfigurations, delayed patching, and blind spots in monitoring as root causes of successful attacks.
read more →

FBI warns Russian actors stealing Signal backup keys

🔐 The FBI and CISA warn that Russian-linked threat actors have shifted phishing tactics to steal Signal Backup Recovery Keys, enabling access to users' historical messages. The campaign, tracked as UNC5792 and UNC4221, targets high-value individuals including officials, journalists, and military personnel. Attackers impersonate Signal support, trick users into enabling backups and then request the recovery key to restore data to attacker-controlled devices. Authorities advise that official support never asks for codes or recovery keys and recommend reporting incidents to the FBI or CISA.
read more →

Poland Busts SIM-Swapping Gang Linked to Crypto Theft

🔎 Polish authorities arrested four suspects accused of orchestrating SIM-swapping attacks after breaching telecommunications partners and hijacking email accounts. The operation, led by the Polish Cybercrime Bureau (CBZC) with assistance from the FBI and HSI, uncovered sophisticated intrusions used to intercept SMS and email communications and seize crypto exchange accounts. Investigators estimate the group laundered millions via distributed financial networks and multiple bank accounts. The suspects face charges including organized crime, hacking, and money laundering, with potential sentences up to 25 years.
read more →

Mistic backdoor tied to initial access broker activity

🔍 Researchers have uncovered a backdoor named Mistic used in enterprise intrusions since April, linked to an initial access broker that sells footholds to ransomware gangs. The Windows DLL-sideloading malware executes in memory, reaches out to C2 servers, and can move, delete, and transfer files while also enabling credential theft. Symantec observed Mistic alongside ModeloRAT and social engineering chains using fake CAPTCHAs and malicious paste-and-run guidance.
read more →

StealC and Amadey: Infostealer Ecosystem Disruption

🔍 Microsoft analyzes how infostealers like StealC and loaders such as Amadey fuel a commodified cybercrime economy by harvesting credentials, cookies, and tokens from unmanaged devices. The post details methods of delivery (SEO poisoning, malicious ads, ClickFix, phishing), StealC’s data collection and C2 behaviors, and how stolen logs are monetized. It also describes a coordinated takedown on June 24, 2026, by Microsoft DCU and partners that disrupted hundreds of domains and C2 servers.
read more →

Scattered Spider members plead guilty in TfL hack

🛡️ Two members of the Scattered Spider group, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to breaching Transport for London systems between August 31 and September 3, 2024. The intrusion disrupted Oyster refund services and forced 28,000 staff to reset passwords, contributing to an estimated £29 million in losses. Both suspects were arrested in 2025 after investigators recovered incriminating evidence and devices linking them to the attack and other intrusions.
read more →

Operation Escaneo exposes Latin American intrusions

🔍 New research from CloudSEK reveals Operation Escaneo, a coordinated campaign targeting government and financial entities across Latin America after attackers left a staging server exposed. The group exploited internet-facing appliances and known vulnerabilities in Fortinet and Ivanti devices, plus Apache Tomcat, Windows, and Log4Shell flaws. Attackers used custom reconnaissance (Kimera), webshells, reverse tunnels and a compromised Cisco router to exfiltrate large volumes of sensitive data.
read more →