
All news with #credential access tag

182 articles · page 4 of 10

UAT-10608: Large-scale automated credential harvesting

🔍 Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.

Legitimate Access Drives Modern Intrusions, Report Says

🔐 Blackpoint Cyber's 2026 Annual Threat Report finds that routine, legitimate access paths — not software exploits — increasingly enable intrusions. Across thousands of 2025 investigations, SSL VPN abuse (32.8%) and misuse of legitimate RMM tools (30.3%) were dominant initial access vectors, with ScreenConnect implicated in most rogue RMM cases. Social-engineering campaigns such as fake CAPTCHA and ClickFix-style prompts drove 57.5% of incidents, while Adversary-in-the-Middle phishing facilitated session reuse after MFA in about 16% of cloud compromises. The report urges treating remote access as high-risk and strengthening inventories, installation controls, and conditional access to reduce these blended, legitimate-looking intrusions.

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid-2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.

APIs Are the New Perimeter: How Security Leaders Secure Them

🔒 APIs are increasingly the enterprise perimeter, and recent breaches show traditional protections often miss API-layer abuse. Security teams report attacks that exploit business logic or use stolen credentials, which EDR and WAF tools can treat as legitimate traffic. CISOs are adopting API governance, centralized inventories, identity-aware access controls, and API gateways integrated into CI/CD to enforce least-privilege and reduce misconfiguration risk. As agentic AI and automated agents proliferate, stronger token handling, credential rotation, and real-time behavioral monitoring are becoming essential.

Infinite Campus Warns of Salesforce Breach, Extortion

🔒 Infinite Campus warned customers of a data breach following an extortion claim from a threat actor who said they accessed an employee's Salesforce account. The company says the exposed information appears to be primarily public directory data for school staff and that no customer databases were accessed. Infinite Campus declined to engage with the attacker and has disabled certain customer-facing services while scanning potentially affected records and notifying impacted districts.

How CISOs Can Survive Geopolitical Cyberattacks Today

🛡️ Geopolitical tensions are driving a rise in destructive, non-financial cyber campaigns that aim to disrupt operations rather than extort payment. Recent Iranian-linked wiper activity — exemplified by the March 2026 Handala attack on Stryker — shows attackers rely on stolen credentials and legitimate admin tools to move freely. Zero Networks recommends a five-step playbook focused on identity-aware access, default-deny admin ports, scoped privileged access, detection of tunnels, and rapid automated containment to limit blast radius and preserve operations.

Identity Attacks Rise: Adversaries Seek Invitations

🧛 Cisco Talos highlights a growing trend in 2025: attackers increasingly seek to be authorised as legitimate users rather than relying solely on loud exploits. Telemetry shows nearly a third of MFA spray attacks targeted IAM applications and fraudulent device registrations surged 178%, indicating adversaries focus on the mechanisms that grant access. Talos urges organisations to harden authentication, prioritise patching, manage EOS/EOL devices, and adopt phishing-resistant controls as part of a broader defensive posture.

Bitrefill Attributes Early March Cyberattack to Lazarus

🛡️ Bitrefill says a cyberattack in early March was likely carried out by North Korea’s Lazarus/BlueNoroff cluster, citing reused IPs, emails, malware, and on-chain tracing as linking indicators. The company traced the intrusion to a compromised employee laptop and stolen legacy credentials that exposed a snapshot containing production secrets and some cryptocurrency wallets. Bitrefill reports about 18,500 exposed purchase records (including 1,000 with names), believes losses were limited and will be covered from capital, and is strengthening security controls and monitoring.

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.

Russian APT28 Exploits Zimbra Flaw Against Ukraine

🔒 APT28 actors are exploiting a Zimbra Collaboration Suite stored XSS (tracked as CVE-2025-66376) in targeted attacks against Ukrainian government entities. The campaign delivers obfuscated JavaScript in phishing emails that executes when messages are opened in vulnerable Zimbra webmail, enabling remote code execution and server compromise. Researchers report the script harvests credentials, session tokens, 2FA backup codes, and 90 days of mailbox content, exfiltrating data over DNS and HTTPS. CISA has added the flaw to its catalog and ordered federal agencies to remediate affected servers under BOD 22-01.

SpyCloud 2026 Report: Surge in Non-Human Identity Theft

🔒 SpyCloud's 2026 Identity Exposure Report details a structural shift in credential theft, reporting a 23% increase in its recaptured datalake to 65.7B distinct identity records. Attackers are increasingly targeting non-human identities — exposed API keys, session tokens and AI-linked credentials — which often lack MFA and rotate infrequently. The report also flags large volumes of phished records, session artifacts, and malware-exfiltrated data that enable persistent, scalable access across cloud and enterprise environments.

Adversary-in-the-Middle Phishing Is Defeating MFA Now

🔐 Modern phishing now uses adversary-in-the-middle proxies that capture entire authentication flows, including MFA prompts and session cookies. Employees can complete legitimate logins and still be compromised because attackers replay session tokens from a different machine. Organizations must move beyond traditional MFA and outdated awareness training and instead deploy phishing-resistant authentication, bind sessions to managed devices, and monitor post-authentication behavior.

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.

Storm-2561 Uses SEO Poisoning to Distribute Trojan VPNs

🔒 Microsoft disclosed a credential-theft campaign that uses SEO poisoning to push trojanized VPN clients impersonating legitimate enterprise software. Attackers hosted ZIPs on GitHub containing MSI installers that sideload malicious DLLs and deploy a Hyrax variant, presenting a fake sign-in dialog to harvest VPN credentials. Microsoft removed the repositories and revoked the signing certificate; organizations should enable MFA and verify software sources.

Fake Enterprise VPN Installers Steal Company Credentials

🔒 A threat actor tracked as Storm-2561 is distributing spoofed enterprise VPN clients impersonating vendors such as Ivanti, Cisco, and Fortinet to harvest corporate VPN credentials. The campaign uses SEO poisoning to push victims to convincing fake vendor pages that link to a GitHub-hosted ZIP containing a malicious MSI installer. When run, the installer places a fake Pulse.exe, drops a loader (dwmapi.dll) and a Hyrax infostealer variant (inspector.dll), captures credentials and configuration files, then displays an installation error and redirects victims to the legitimate vendor site to avoid immediate suspicion.

Storm-2561 Hijacks Search Results to Serve Trojan VPNs

🔍 Microsoft warns that the cybercriminal group Storm-2561 is poisoning search results to distribute trojanized VPN clients that harvest corporate credentials. The campaign redirects victims to digitally signed malware hosted on GitHub and then opens legitimate vendor sites to minimize detection. The installer side-loads malicious DLLs — including a variant of the Hyrax infostealer — to extract VPN credentials and achieve persistence via the RunOnce registry key. Microsoft recommends enforcing multifactor authentication, disabling browser password syncing on managed devices, and running endpoint detection and response in block mode with network and web protections enabled.

FortiGate Firewall Exploits Lead to Service Account Theft

🔒 Security researchers warn of a campaign abusing FortiGate Next-Generation Firewall appliances to extract service account credentials and network configuration files. Attackers exploited disclosed vulnerabilities (for example, CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or weak credentials to create persistent admin accounts and loosen firewall policies. Compromised service accounts were used to authenticate to Active Directory, enroll rogue workstations, and enable lateral movement prior to detection.

Why Password Audits Miss Accounts Attackers Actually Want

🔐 Password audits commonly validate complexity, length and rotation but frequently miss the accounts attackers prefer. Many organizations overlook reused or breached credentials, orphaned and dormant accounts, and high-value service accounts with non-expiring passwords. Point-in-time checks also fail to catch continuous threats like credential stuffing. Modern audits should add breached-password screening, risk-based prioritization, and continuous monitoring using tools such as Specops Password Policy.

Brute-Force Login Reveals Ransomware Infrastructure Network

🔎 The Huntress Tactical Response Team describes how a seemingly routine RDP brute-force alert exposed a larger ransomware-as-a-service ecosystem. Investigators found one successful login used from multiple geographically distributed IPs, domain enumeration activity, and unusual manual searches for credential files rather than typical credential dumping tools. Further pivots on TLS certificates and domains tied the activity to a privacy-focused VPN service and related infrastructure, and the report provides specific IOCs for defenders.

Browser-in-the-Browser Phishing Now Used Against Facebook

🔒 Browser-in-the-browser (BitB) phishing renders convincing fake login pop-ups inside malicious pages, and Kaspersky reports attackers are now using this technique in real campaigns to steal Facebook credentials. Threat actors create counterfeit authentication dialogs and even fake address bars so visual inspection is unreliable. Use a password manager — it checks the actual origin before auto-filling — and enable 2FA, adopt passkeys, and use unique passwords to reduce risk.