All news with #credential access tag

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.

🐛 Researchers have found a renewed wave of the GlassWorm supply-chain worm targeting Visual Studio Code extensions and GitHub repositories after it was previously declared contained. The malware hides JavaScript payloads in undisplayable Unicode characters, making malicious code invisible in editors, and uses blockchain memos on Solana to publish remote C2 endpoints. Koi researchers identified three newly compromised OpenVSX extensions and observed credential theft and AI-styled commits used to propagate the worm.

🔒 Aleksey Olegovich Volkov, a Russian national who used aliases including chubaka.kor and nets, has agreed to plead guilty to acting as an initial access broker for the Yanluowang ransomware group. Between July 2021 and November 2022 he sold credentials that enabled intrusions at eight U.S. companies and facilitated ransom demands ranging from $300,000 to $15 million. FBI warrants seized server logs, stolen data, chat histories and iCloud records linking Volkov to the scheme and to partial Bitcoin payments. He faces up to 53 years in prison and must pay more than $9.1 million in restitution.

🔒 A Russian national has pleaded guilty to acting as an initial access broker for the Yanluowang ransomware group, admitting to selling corporate network access used in attacks on at least eight U.S. companies between July 2021 and November 2022. FBI searches of a server tied to the operation recovered chat logs, stolen files, and victim credentials that linked payments and access to the defendant. Investigators traced the suspect through Apple iCloud data, cryptocurrency exchange records, and social media accounts, and blockchain analysis tied portions of ransom payments to addresses he provided. He faces decades in prison and more than $9.1 million in restitution.

🔐 Nikkei confirmed a breach of employee Slack accounts that may have exposed names, email addresses and chat histories for 17,368 registered users. The company says malware on an employee’s personal computer stole Slack authentication credentials and session tokens, enabling unauthorized access. The incident was identified in September; Nikkei implemented password changes and voluntarily reported the matter to Japan’s Personal Information Protection Commission. No reporting-source leaks have been confirmed.

🔒 The University of Pennsylvania confirmed attackers used compromised credentials obtained via a sophisticated social engineering identity impersonation to access systems supporting development and alumni operations. The breach, discovered October 31, allowed exfiltration of approximately 1.71 GB of documents from SharePoint and Box and an alleged copy of a Salesforce donor marketing database of about 1.2 million records. Penn has engaged the FBI and CrowdStrike, revoked access, increased monitoring, and warned its community to be cautious of phishing and suspicious outreach while the investigation continues.

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.

🚚 Proofpoint warns of a spear‑phishing campaign targeting North American freight firms that installs remote monitoring and access tools to enable cargo theft. Actors compromise broker load boards, insert themselves into carrier email threads, or pose as brokers to deliver signed installers that harvest credentials and establish persistent access. The attackers have deployed a range of RMM/RAS solutions (for example ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N‑able, and LogMeIn Resolve) and use them to bid on or reroute high‑value loads; Proofpoint urges blocking unauthorized RMMs, enforcing endpoint/network detection and MFA, disallowing external executables, and expanding phishing awareness training.

🚚 Proofpoint researchers report that cybercriminals are compromising transportation firms to facilitate physical cargo theft by abusing remote management and access tools. Attackers use social engineering — including fake load-board listings, email thread hijacking and targeted phishing — to deliver installers that deploy RMM and RAS utilities. Once inside, they perform reconnaissance, harvest credentials with tools such as WebBrowserPassView, and expand access, enabling organized-crime partners to bid on and steal shipments.

🚚 Proofpoint warns that cybercriminals are increasingly deploying legitimate remote monitoring and management tools to compromise trucking and logistics firms, enabling cargo theft and financial gain. Working with organized crime, they target asset-based carriers, brokers and integrated providers—especially food and beverage shipments—using compromised emails, fraudulent load-board listings and booby-trapped MSI/EXE installers to deliver ScreenConnect, SimpleHelp and other RMMs. Once inside, attackers conduct reconnaissance, harvest credentials with tools like WebBrowserPassView, delete bookings, block dispatcher alerts and reassign loads to facilitate physical theft, often selling stolen cargo online or overseas.

🔐 A threat actor claims to have compromised University of Pennsylvania systems and exfiltrated data for roughly 1.2 million students, alumni, and donors, including names, dates of birth, contact details, estimated net worth, donation histories, and sensitive demographic data. The attacker said they gained access via a compromised PennKey SSO account and accessed VPN, Salesforce Marketing Cloud, Qlik, SAP, SharePoint, and Box. After access was revoked on October 31 the actor used Marketing Cloud to send offensive emails to about 700,000 recipients and published a 1.7-GB archive of files. Penn says it is investigating; donors should watch for targeted phishing and verify solicitations directly with the university.

🔒 A Ukrainian man long accused of building and operating components of the Jabber Zeus banking trojan has been arrested in Italy and is now in U.S. custody. Prosecutors say 41-year-old Yuriy Igorevich Rybtsov, previously identified only by the handle MrICQ, was charged in a 2012 Nebraska indictment as a developer and notification handler for the group. Investigators allege Jabber Zeus used a custom ZeuS variant and a Leprechaun component to intercept credentials and bypass multi-factor protections, enabling large payroll thefts via recruited money mules.

🔒 In January 2024, Russian attackers bypassed layered defenses at Microsoft, underscoring that passwords remain a primary attack vector in complex IT environments. The article identifies frequent failure points such as forgotten legacy accounts and predictable user patterns, and recommends adaptive controls: advanced banned password lists, nuanced rotation policies, long memorable passphrases, and risk-based authentication. It also advises a staged rollout with user education, clear KPIs, and practical self-service resets, and highlights Specops Password Policy as a tool that scans Active Directory against billions of compromised passwords.

🔒 Hackers are exploiting LinkedIn direct messages to phish finance executives with messages claiming to invite recipients to an executive board and leading to credential-harvesting pages. Push Security says victims are redirected — including via a Google open redirect — to a Firebase-hosted 'LinkedIn Cloud Share' page that urges users to click a 'View with Microsoft' button. That flow then presents a Cloudflare Turnstile and a fake Microsoft sign-in used as an adversary-in-the-middle to capture credentials and session cookies; organizations should verify senders, avoid unsolicited links, and enforce MFA and conditional access.

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

🔒 The Microsoft Digital Defense Report 2025 warns that cyber threats are accelerating in speed, scale, and sophistication, driven by AI and coordinated, cross-border operations. Attack windows have shrunk—compromises can occur within 48 hours in cloud containers—while AI-powered phishing and credential theft have grown markedly more effective. For CISOs this requires reframing security as a business enabler, prioritizing resilience, automation, and modern identity controls such as phishing-resistant MFA. The Secure Future Initiative provides practitioner-tested patterns to operationalize these priorities.

🛡️Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.

🔒 Scammers are impersonating Google’s Careers recruiting outreach to trick job seekers into a fake booking flow that ends on a spoofed Google login page, harvesting account credentials and cloud data. Researchers at Sublime Security documented HTML evasion techniques, abused delivery services, dynamic phishing kits and C2 servers. Organizations should enforce strong MFA, monitor anomalous logins, and train employees to treat unsolicited recruiter invitations with skepticism.

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

🛡️ Vidar Stealer 2.0 was released with a complete rewrite in C, multi-threaded data theft and stronger evasion, prompting warnings from security researchers about likely increased campaigns. The update reduces dependencies and footprint while spawning parallel worker threads to accelerate harvesting of browser, wallet, cloud and app credentials. It introduces extensive anti-analysis checks and a polymorphic builder to frustrate static detection. Notably, the malware injects into running browser processes to extract encryption keys from memory and bypass Chrome's App-Bound protections.