< ciso brief />

All news with #credential access tag

182 articles · page 3 of 10

UNC6692: Social Engineering and Custom SNOW Malware

🔒 UNC6692 used persistent social engineering to lure victims via Microsoft Teams, delivering a staged payload that installed an AutoHotkey loader and a malicious Chromium extension (SNOWBELT) from attacker-controlled AWS S3. The intruders deployed a modular suite — SNOWBELT, SNOWGLAZE, and SNOWBASIN — to establish WebSocket tunnels, local HTTP backdoors, and stealthy proxying for lateral movement. The campaign combined credential theft, LSASS and NTDS extraction, and exfiltration to cloud services, highlighting the need to monitor browser extensions and cloud egress.

No Exploit Needed: Identity-Based Attacks Remain Top Threat

🔐 Attackers increasingly rely on stolen credentials—via credential stuffing, password spraying and phishing—to gain immediate, low-noise access. Legitimate logins often evade detection, allowing adversaries to dump additional passwords, move laterally, and persist. The author warns that AI is accelerating these techniques and advocates a DAIR (Dynamic Approach to Incident Response) loop, plus clear communication and hands-on training to contain and remediate identity-based intrusions.

Designing Systems to Thwart Opportunistic Cyberattacks

🔐 Microsoft Deputy CISO Ilya Grebnov outlines practical steps to make opportunistic cyberattacks harder by design. He emphasizes credential elimination using managed identities and federated tokens, paired with endpoint reduction to move services off the public internet. The article further advocates platform engineering—paved paths, policy-as-code, and centralized core services—to enforce consistent secure defaults and reduce the attack surface at scale.

Weekly Recap - Third-Party Compromises and Evasion Trends

🔒 This weekly recap highlights a recurring attack pattern: compromise of trusted third-party tools and update paths to gain internal access and persist. Incidents include a Vercel breach originating from a compromised Context.ai account that led to takeover of a Google Workspace identity, hijacked download pages serving trojanized installers, malicious Chrome extensions, and plugin abuse. The report emphasizes multi-stage, in-memory payloads and attackers leveraging legitimate workflows to evade detection. Organizations should reassess trust boundaries, monitor OAuth tokens and environment variables, and prioritize patching of actively exploited CVEs.

UAC-0247 Campaign Targets Ukrainian Clinics, Hospitals

🛡️ CERT-UA has disclosed a campaign, dubbed UAC-0247, that between March and April 2026 targeted government and municipal healthcare organizations — primarily clinics and emergency hospitals — to deliver credential-stealing malware. Attacks begin with spear-phishing links leading to compromised or AI-generated sites that drop a Windows Shortcut (LNK) executing an HTA via mshta.exe, which loads multi-stage loaders and payloads such as RAVENSHELL, AGINGFLY, and the PowerShell-based SILENTLOOP. The intrusions enable reconnaissance, lateral movement, and theft of data from Chromium-based browsers and WhatsApp; CERT-UA advises restricting execution of LNK/HTA/JS, limiting use of abused utilities, and blocking suspicious connections.

AgingFly malware targets Ukrainian government and hospitals

⚠️ AgingFly is a newly observed C# remote-access malware used in targeted attacks against Ukrainian local governments, hospitals, and potentially Defense Forces that steals authentication data from Chromium-based browsers and WhatsApp for Windows. The campaign begins with phishing emails linking to a compromised site or an AI-generated fake page and delivers an archive with an LNK that launches an HTA; the HTA displays a decoy form while creating a scheduled task to download and run a staged EXE which injects shellcode. The actor uses open-source forensic utilities such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and relies on tools like RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA attributes the cluster to UAC-0247 and recommends blocking LNK, HTA, and JS execution to disrupt this attack chain.

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempts exceeding $20 million in fraud.

Booking.com Data Breach Prompts Reservation PIN Resets

🔒 Booking.com confirmed that unauthorized parties accessed booking information associated with some reservations. The company says it immediately forced PIN resets for affected current and past bookings and directly emailed impacted users with updated reservation PINs and guidance. Compromised fields may include full names, email and postal addresses, phone numbers, and communications with property providers. Booking.com warned customers to be vigilant for phishing and noted that app notifications were not sent, which has caused confusion.

Securing Manufacturing Operations Against Ransomware in 2026

🔒 Modern manufacturing is increasingly targeted by fast, high-impact cyberattacks: Clorox production lines went dark in 2023, and a global automaker halted factories across five countries in 2025 after attackers used stolen credentials. Ransomware incidents against manufacturers rose 56% in 2025, with average European demands exceeding $1.16 million. The analysis highlights structural weaknesses—legacy OT, credential sprawl, and inadequate segmentation—and recommends pragmatic, non-disruptive defenses that protect operations without causing downtime.

Hungarian government email passwords exposed before election

🔐 An analysis by Bellingcat found passwords for almost 800 Hungarian government email accounts circulating online, many tied to national-security roles. The exposure affected 12 of 13 government departments and involved weak, easily guessed credentials such as variations of "Password", sequences like "1234567", and simple surnames. The leaks reflect poor email hygiene rather than a sophisticated intrusion, and experts urge stronger credential practices including password managers and passkeys. Security teams are urged to deploy enterprise controls and regular training to prevent similar exposures.

Bitcoin Depot Reports $3.6M Theft After System Breach

🔒 Bitcoin Depot detected unauthorized access to parts of its corporate IT environment on March 23, which allowed attackers to use compromised credentials tied to digital asset settlement accounts. Threat actors transferred 50.903 Bitcoin (approximately $3.66m) out of company-controlled wallets before the activity was blocked. The company says customer-facing platforms and customer data were not affected, and operations have not been materially disrupted. External cybersecurity specialists and law enforcement are assisting the ongoing investigation.

Bitter-Linked Hack-for-Hire Targets MENA Journalists

🔎 Access Now, Lookout, and SMEX report a coordinated hack-for-hire campaign that targeted journalists, activists, and officials across the MENA region from 2023 to 2025. The operation used spear-phishing, OAuth consent-based pages, and messaging-platform lures to harvest credentials and two-factor codes. Observed domains impersonated Apple, Signal, Telegram, and Android services, and infrastructure overlaps link the activity to a cluster known as Bitter. One Apple account was compromised, while other intrusion attempts were blocked.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly MikroTik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

Hidden Costs of Recurring Credential Incidents

🛡️ The Hacker News highlights that while headline breaches attract investment, recurring credential incidents—account lockouts, reused or exposed passwords, and frequent resets—impose persistent operational costs. Forrester estimates resets can account for up to 30% of helpdesk tickets, at roughly $70 each, and IBM’s 2025 report cites a $4.4M average breach cost. Poorly designed password policies and mandatory periodic resets often make the problem worse by prompting insecure user behavior. Practical measures include user-friendly, robust policies, breached-password screening, and shifting away from arbitrary expiration windows; products such as Specops Password Policy are presented as tools that detect exposed credentials and reduce incident volume.

Modern Kubernetes Threats and Identity-focused Attacks

🔒 Unit 42 details how widespread Kubernetes attacks—driven by identity theft and exposed services—enable escalation from containers into cloud backends. The report highlights stolen service account tokens and the rapid exploitation of React2Shell (CVE-2025-55182), showing how attackers extract mounted tokens and cloud credentials. Practical mitigations include strict RBAC, short-lived projected tokens, runtime telemetry, and API audit logging. Unit 42 maps these behaviors to MITRE ATT&CK and provides detection examples.

Tax Season 2026: Cybercriminals Prepare Attacks Early

🔍 Check Point Research reports that cybercriminals systematically prepared for Tax Season 2026, registering hundreds of tax‑related domains each month from September 2025 through February 2026. This prebuilt infrastructure fueled phishing campaigns, fraudulent tax portals and malware designed to harvest credentials and financial data. Organizations and individuals should prioritize domain monitoring, DNS filtering, email authentication and targeted employee training to reduce exposure.

Storm infostealer exfiltrates browser and wallet data

🔒 Researchers at Varonis have uncovered Storm, a new infostealer that harvests browser credentials, session cookies and crypto wallets before exfiltrating encrypted data to attacker-controlled servers. Emerging on underground forums in early 2026 and detailed in an April 1 report by Daniel Kelley, Storm shifts decryption off-host to avoid detection and supports both Chromium and Gecko-based browsers. It operates in memory, automates session restoration using Google refresh tokens and SOCKS5 proxies, and is marketed to attackers for under $1,000 per month.

REF1695 Campaign: Fake Installers Deliver RATs and Miners

🔍 Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023, that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background, and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.