< ciso brief />

All news with #credential access tag

138 articles

UAC-0247 Campaign Targets Ukrainian Clinics, Hospitals

🛡️ CERT-UA has disclosed a campaign, dubbed UAC-0247, that between March and April 2026 targeted government and municipal healthcare organizations — primarily clinics and emergency hospitals — to deliver credential-stealing malware. Attacks begin with spear-phishing links leading to compromised or AI-generated sites that drop a Windows Shortcut (LNK) executing an HTA via mshta.exe, which loads multi-stage loaders and payloads such as RAVENSHELL, AGINGFLY, and the PowerShell-based SILENTLOOP. The intrusions enable reconnaissance, lateral movement, and theft of data from Chromium-based browsers and WhatsApp; CERT-UA advises restricting execution of LNK/HTA/JS, limiting use of abused utilities, and blocking suspicious connections.

AgingFly malware targets Ukrainian government and hospitals

⚠️ AgingFly is a newly observed C# remote-access malware used in targeted attacks against Ukrainian local governments, hospitals, and potentially Defense Forces that steals authentication data from Chromium-based browsers and WhatsApp for Windows. The campaign begins with phishing emails linking to a compromised site or an AI-generated fake page and delivers an archive with an LNK that launches an HTA; the HTA displays a decoy form while creating a scheduled task to download and run a staged EXE which injects shellcode. The actor uses open-source forensic utilities such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and relies on tools like RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA attributes the cluster to UAC-0247 and recommends blocking LNK, HTA, and JS execution to disrupt this attack chain.

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempts exceeding $20 million in fraud.

Booking.com Data Breach Prompts Reservation PIN Resets

🔒 Booking.com confirmed that unauthorized parties accessed booking information associated with some reservations. The company says it immediately forced PIN resets for affected current and past bookings and directly emailed impacted users with updated reservation PINs and guidance. Compromised fields may include full names, email and postal addresses, phone numbers, and communications with property providers. Booking.com warned customers to be vigilant for phishing and noted that app notifications were not sent, which has caused confusion.

Securing Manufacturing Operations Against Ransomware in 2026

🔒 Modern manufacturing is increasingly targeted by fast, high-impact cyberattacks: Clorox production lines went dark in 2023, and in 2025 a global automaker halted factories across five countries after its credentials were stolen. Ransomware incidents against manufacturers rose 56% in 2025, with average European demands exceeding $1.16 million. The analysis highlights structural weaknesses—legacy OT, credential sprawl, and inadequate segmentation—and recommends pragmatic, non-disruptive defenses to protect operations without causing downtime.

Hungarian government email passwords exposed before election

🔐 An analysis by Bellingcat found passwords for almost 800 Hungarian government email accounts circulating online, many tied to national-security roles. The exposure affected 12 of 13 government departments and involved weak, easily guessed credentials such as variations of "Password", sequences like "1234567", and simple surnames. The leaks reflect poor email hygiene rather than a sophisticated intrusion, and experts urge stronger credential practices including password managers and passkeys. Security teams are urged to deploy enterprise controls and regular training to prevent similar exposures.

Bitcoin Depot Reports $3.6M Theft After System Breach

🔒 Bitcoin Depot detected unauthorized access to parts of its corporate IT environment on March 23, which allowed attackers to use compromised credentials tied to digital asset settlement accounts. Threat actors transferred 50.903 Bitcoin (approximately $3.66m) out of company-controlled wallets before the activity was blocked. The company says customer-facing platforms and customer data were not affected, and operations have not been materially disrupted. External cybersecurity specialists and law enforcement are assisting the ongoing investigation.

Bitter-Linked Hack-for-Hire Targets MENA Journalists

🔎 Access Now, Lookout, and SMEX report a coordinated hack-for-hire campaign that targeted journalists, activists, and officials across the MENA region from 2023–2025. The operation used spear-phishing, OAuth consent-based pages, and messaging-platform lures to harvest credentials and two-factor codes. Observed domains impersonated Apple, Signal, Telegram, and Android services, and infrastructure overlaps link activity to a cluster known as Bitter. One Apple account was compromised while other intrusion attempts were blocked.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly Mikrotik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

Hidden Cost of Recurring Credential Incidents

🛡️ The Hacker News highlights that while headline breaches attract investment, recurring credential incidents—account lockouts, reused or exposed passwords, and frequent resets—impose persistent operational costs. Forrester estimates resets can account for up to 30% of helpdesk tickets, at roughly $70 each, and IBM’s 2025 report cites a $4.4M average breach cost. Poorly designed password policies and mandatory periodic resets often make the problem worse by prompting insecure user behavior. Practical measures include user-friendly, robust policies, breached-password screening, and shifting away from arbitrary expiration windows; vendors such as Specops Password Policy are presented as tools that detect exposed credentials and reduce incident volume.

Modern Kubernetes Threats and Identity-focused Attacks

🔒 Unit 42 details how widespread Kubernetes attacks—driven by identity theft and exposed services—enable escalation from containers into cloud backends. The report highlights stolen service account tokens and the rapid exploitation of React2Shell (CVE-2025-55182), showing how attackers extract mounted tokens and cloud credentials. Practical mitigations include strict RBAC, short-lived projected tokens, runtime telemetry, and API audit logging. Unit 42 maps these behaviors to MITRE ATT&CK and provides detection examples.

Tax Season 2026: Cybercriminals Prepare Attacks Early

🔍 Check Point Research reports that cybercriminals systematically prepared for Tax Season 2026, registering hundreds of tax‑related domains each month from September 2025 through February 2026. This prebuilt infrastructure fueled phishing campaigns, fraudulent tax portals and malware designed to harvest credentials and financial data. Organizations and individuals should prioritize domain monitoring, DNS filtering, email authentication and targeted employee training to reduce exposure.

Storm infostealer exfiltrates browser and wallet data

🔒 Researchers at Varonis have uncovered Storm, a new infostealer that harvests browser credentials, session cookies and crypto wallets before exfiltrating encrypted data to attacker-controlled servers. Emerging on underground forums in early 2026 and detailed in an April 1 report by Daniel Kelley, Storm shifts decryption off-host to avoid detection and supports both Chromium and Gecko-based browsers. It operates in memory, automates session restoration using Google refresh tokens and SOCKS5 proxies, and is marketed to attackers for under $1,000 per month.

REF1695 Campaign: Fake Installers Deliver RATs and Miners

🔍 Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023 that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.

UAT-10608: Large-scale automated credential harvesting

🔍 Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.

Legitimate Access Drives Modern Intrusions, Report Says

🔐 Blackpoint Cyber's 2026 Annual Threat Report finds that routine, legitimate access paths — not software exploits — increasingly enable intrusions. Across thousands of 2025 investigations, SSL VPN abuse (32.8%) and misuse of legitimate RMM tools (30.3%) were dominant initial access vectors, with ScreenConnect implicated in most rogue RMM cases. Social-engineering campaigns such as fake CAPTCHA and ClickFix-style prompts drove 57.5% of incidents, while Adversary-in-the-Middle phishing facilitated session reuse after MFA in about 16% of cloud compromises. The report urges treating remote access as high-risk and strengthening inventories, installation controls, and conditional access to reduce these blended, legitimate-looking intrusions.

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.

APIs Are the New Perimeter: How Security Leaders Secure Them

🔒 APIs are increasingly the enterprise perimeter, and recent breaches show traditional protections often miss API-layer abuse. Security teams report attacks that exploit business logic or use stolen credentials, which EDR and WAF tools can treat as legitimate traffic. CISOs are adopting API governance, centralized inventories, identity-aware access controls, and API gateways integrated into CI/CD to enforce least-privilege and reduce misconfiguration risk. As agentic AI and automated agents proliferate, stronger token handling, credential rotation, and real-time behavioral monitoring are becoming essential.