
All news with #credential access tag

138 articles · page 2 of 7

Infinite Campus Warns of Salesforce Breach, Extortion

🔒 Infinite Campus warned customers of a data breach following an extortion claim from a threat actor who said they accessed an employee's Salesforce account. The company says the exposed information appears to be primarily public directory data for school staff and that no customer databases were accessed. Infinite Campus declined to engage with the attacker and has disabled certain customer-facing services while scanning potentially affected records and notifying impacted districts.

How CISOs Can Survive Geopolitical Cyberattacks Today

🛡️ Geopolitical tensions are driving a rise in destructive, non‑financial cyber campaigns that aim to disrupt operations rather than extort payment. Recent Iranian-linked wiper activity — exemplified by the March 2026 Handala attack on Stryker — shows attackers rely on stolen credentials and legitimate admin tools to move freely. Zero Networks recommends a five-step playbook focused on identity-aware access, default‑deny admin ports, scoped privileged access, detection of tunnels, and rapid automated containment to limit blast radius and preserve operations.

Identity Attacks Rise: Adversaries Seek Invitations

🧛 Cisco Talos highlights a growing trend in 2025: attackers increasingly seek to be authorised as legitimate users rather than relying solely on loud exploits. Telemetry shows nearly a third of MFA spray attacks targeted IAM applications and fraudulent device registrations surged 178%, indicating adversaries focus on the mechanisms that grant access. Talos urges organisations to harden authentication, prioritise patching, manage EOS/EOL devices, and adopt phishing-resistant controls as part of a broader defensive posture.

Bitrefill Attributes Early March Cyberattack to Lazarus

🛡️ Bitrefill says a cyberattack in early March was likely carried out by North Korea’s Lazarus/BlueNoroff cluster, citing reused IPs, emails, malware, and on-chain tracing as linking indicators. The company traced the intrusion to a compromised employee laptop and stolen legacy credentials that exposed a snapshot containing production secrets and some cryptocurrency wallets. Bitrefill reports about 18,500 exposed purchase records (including 1,000 with names), believes losses were limited and will be covered from capital, and is strengthening security controls and monitoring.

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.

Russian APT28 Exploits Zimbra Flaw Against Ukraine

🔒 APT28 actors are exploiting a Zimbra Collaboration Suite stored XSS (tracked as CVE-2025-66376) in targeted attacks against Ukrainian government entities. The campaign delivers obfuscated JavaScript in phishing emails that executes when messages are opened in vulnerable Zimbra webmail, enabling remote code execution and server compromise. Researchers report the script harvests credentials, session tokens, 2FA backup codes, and 90 days of mailbox content, exfiltrating data over DNS and HTTPS. CISA has added the flaw to its catalog and ordered federal agencies to remediate affected servers under BOD 22-01.

SpyCloud 2026 Report: Surge in Non-Human Identity Theft

🔒 SpyCloud's 2026 Identity Exposure Report details a structural shift in credential theft, reporting a 23% increase in its recaptured datalake to 65.7B distinct identity records. Attackers are increasingly targeting non-human identities — exposed API keys, session tokens and AI-linked credentials — which often lack MFA and rotate infrequently. The report also flags large volumes of phished records, session artifacts, and malware-exfiltrated data that enable persistent, scalable access across cloud and enterprise environments.

Adversary-in-the-Middle Phishing Is Defeating MFA Now

🔐 Modern phishing now uses adversary-in-the-middle proxies that capture entire authentication flows, including MFA prompts and session cookies. Employees can complete legitimate logins and still be compromised because attackers replay session tokens from a different machine. Organizations must move beyond traditional MFA and outdated awareness training and instead deploy phishing-resistant authentication, bind sessions to managed devices, and monitor post-authentication behavior.

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.

Storm-2561 Uses SEO Poisoning to Distribute Trojan VPNs

🔒 Microsoft disclosed a credential-theft campaign that uses SEO poisoning to push trojanized VPN clients impersonating legitimate enterprise software. Attackers hosted ZIPs on GitHub containing MSI installers that sideload malicious DLLs and deploy a Hyrax variant, presenting a fake sign-in dialog to harvest VPN credentials. Microsoft removed the repositories and revoked the signing certificate; organizations should enable MFA and verify software sources.

Fake Enterprise VPN Installers Steal Company Credentials

🔒 A threat actor tracked as Storm-2561 is distributing spoofed enterprise VPN clients impersonating vendors such as Ivanti, Cisco, and Fortinet to harvest corporate VPN credentials. The campaign uses SEO poisoning to push victims to convincing fake vendor pages that link to a GitHub-hosted ZIP containing a malicious MSI installer. When run, the installer places a fake Pulse.exe, drops a loader (dwmapi.dll) and a Hyrax infostealer variant (inspector.dll), captures credentials and configuration files, then displays an installation error and redirects victims to the legitimate vendor site to avoid immediate suspicion.

Storm-2561 Hijacks Search Results to Serve Trojan VPNs

🔍 Microsoft warns that the cybercriminal group Storm-2561 is poisoning search results to distribute trojanized VPN clients that harvest corporate credentials. The campaign redirects victims to digitally signed malware hosted on GitHub and then opens legitimate vendor sites to minimize detection. The installer side-loads malicious DLLs — including a variant of the Hyrax infostealer — to extract VPN credentials and achieve persistence via the RunOnce registry key. Microsoft recommends enforcing multifactor authentication, disabling browser password syncing on managed devices, and running endpoint detection and response in block mode with network and web protections enabled.

FortiGate Firewall Exploits Lead to Service Account Theft

🔒 Security researchers warn of a campaign abusing FortiGate Next-Generation Firewall appliances to extract service account credentials and network configuration files. Attackers exploited disclosed vulnerabilities (for example, CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or weak credentials to create persistent admin accounts and loosen firewall policies. Compromised service accounts were used to authenticate to Active Directory, enroll rogue workstations, and enable lateral movement prior to detection.

Why Password Audits Miss Accounts Attackers Actually Want

🔐 Password audits commonly validate complexity, length and rotation but frequently miss the accounts attackers prefer. Many organizations overlook reused or breached credentials, orphaned and dormant accounts, and high‑value service accounts with non‑expiring passwords. Point-in-time checks also fail to catch continuous threats like credential stuffing. Modern audits should add breached-password screening, risk-based prioritization, and continuous monitoring using tools such as Specops Password Policy.

Brute-Force Login Reveals Ransomware Infrastructure Network

🔎 The Huntress Tactical Response Team describes how a seemingly routine RDP brute-force alert exposed a larger ransomware-as-a-service ecosystem. Investigators found one successful login used from multiple geographically distributed IPs, domain enumeration activity, and unusual manual searches for credential files rather than typical credential dumping tools. Further pivots on TLS certificates and domains tied the activity to a privacy-focused VPN service and related infrastructure, and the report provides specific IOCs for defenders.

Browser-in-the-Browser Phishing Now Used Against Facebook

🔒 Browser-in-the-browser (BitB) phishing renders convincing fake login pop-ups inside malicious pages, and Kaspersky reports attackers are now using this technique in real campaigns to steal Facebook credentials. Threat actors create counterfeit authentication dialogs and even fake address bars so visual inspection is unreliable. Use a password manager — it checks the actual origin before auto-filling — and enable 2FA, adopt passkeys, and use unique passwords to reduce risk.

SLH Offers $500–$1,000 Per Call to Recruit Female Vishing

⚠️ Scattered LAPSUS$ Hunters (SLH) is reportedly paying $500–$1,000 upfront per call to recruit women for voice phishing campaigns against IT help desks, Dataminr says. The group provides pre-written scripts and leverages advanced social engineering techniques, including MFA prompt bombing and SIM swapping, to gain access. Actors then deploy tunneling tools, residential proxies and legitimate file-sharing services to move laterally, escalate privileges, and exfiltrate data, with some intrusions resulting in ransomware.

Locking Down Endpoint Vulnerabilities Across Laptops and IoT

🔒 Attackers frequently exploit common endpoint weaknesses—exposed Remote Desktop Protocol (RDP), sophisticated phishing, abused Remote Monitoring and Management (RMM) tools, and unpatched software—to gain access and persist. The article shows how brute-force RDP, AI-enhanced phishing, and misconfigured RMMs enable lateral movement and stealthy persistence. Implement MFA, regular patching, EDR, RMM audits, and user training to reduce risk.

Data Breach at French Bank Registry Exposes 1.2M Accounts

🔓 The French Ministry of Finance confirmed a cybersecurity incident in late January after a threat actor used credentials stolen from a civil servant to access the national bank account registry FICOBA. The attacker accessed and likely exfiltrated data for about 1.2 million accounts, including bank identifiers (RIBs/IBANs), account holder names, addresses and sometimes taxpayer identification numbers. Authorities restricted the intruder’s access once detected and say the tax authority DGFiP is working with ANSSI and CNIL to secure systems. Affected users and banking institutions will be notified and warned to remain vigilant against scams.

Infostealers: Turning Stolen Credentials into Identities

🔐 Modern infostealers harvest credentials, session data, cookies, and local files, turning a single compromise into a persistent identity asset. Specops researchers analyzed over 90,000 infostealer dumps and more than 800 million rows, showing how disparate signals tie accounts, employers, and roles to real people. By blocking known-compromised passwords across Active Directory, Specops Password Policy aims to reduce reuse and downstream enterprise risk.