All news with #credential stuffing wave tag

Pro-Russia Hacktivists Exploit OT Exposures in US Now

🚨 A joint advisory from CISA, the FBI, the NSA and partners warns of a surge in pro‑Russia hacktivist activity exploiting exposed VNC and other internet-facing OT interfaces to breach systems across US water, food production and energy sectors. Low-skilled groups such as CARR, NoName057(16), Z-Pentest and Sector16 employ port scans, brute-force password guessing and simple reconnaissance tools to capture screenshots, alter parameters, disable alarms and force costly manual recoveries.

Preparing Retailers for Holiday Credential Threats

🔒 Retailers face concentrated credential risk during holiday peaks as bot-driven fraud, credential stuffing and pre-staged automated attacks target logins, payment tokens and loyalty balances. Effective defenses combine adaptive MFA, bot management, rate limiting and credential-stuffing detection to stop automation without harming checkout conversion. Strong controls for staff and third parties, plus tested failovers and tools like Specops Password Policy to block compromised passwords, reduce blast radius and protect revenue.

New Wave of VPN Login Attempts Targets GlobalProtect

🔐 Beginning December 2, a campaign using more than 7,000 IPs from German host 3xK GmbH (AS200373) carried out brute-force login attempts against Palo Alto GlobalProtect portals and soon pivoted to scanning SonicWall SonicOS API endpoints. GreyNoise links the activity to three recurring client fingerprints seen in prior scans and to earlier campaigns that generated millions of HTTP sessions. Organizations should monitor authentication velocity and failures, block implicated IPs and fingerprints, and enforce MFA to reduce credential abuse.

FBI: $262M Lost to ATO Fraud as AI Phishing Escalates

🔐 The FBI warns that cybercriminals impersonating banks and payment services have caused over $262 million in losses this year through account takeover (ATO) fraud and more than 5,100 complaints. Attackers use phishing, SEO poisoning, calls and SMS to harvest credentials and MFA/OTP codes, then transfer funds to intermediary accounts and convert proceeds to cryptocurrency. The advisory highlights growing use of AI-generated phishing and holiday-themed scams and urges vigilance, unique passwords, URL checks and stronger authentication.

Holiday Cyberthreat Surge 2025: What CISOs Must Know

🛡️ FortiGuard Labs' 2025 holiday analysis documents a marked increase in malicious infrastructure, credential theft, and targeted exploitation of e-commerce systems during the pre-holiday period. Attackers registered tens of thousands of holiday- and retail-themed domains and sold over 1.57 million account records from stealer logs, fueling credential stuffing and account takeover. The report highlights active exploitation of critical flaws in platforms such as Magento, Oracle EBS, and WooCommerce, and emphasizes urgent mitigations: patching, MFA, bot management, domain monitoring, and payment-page integrity checks to reduce fraud and protect customers.

Influencers Targeted by Cybercriminals: Account Risks

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.

Superbox Android TV Boxes Found Relaying Malicious Traffic

⚠️ Superbox media streaming boxes sold through retailers like BestBuy and Walmart have been found running intrusive, unofficial apps that can enlist buyers' Internet connections into distributed residential proxy networks and botnets. Censys researchers observed devices phoning home to Tencent QQ and a proxy service called Grass IO, and installing tools such as tcpdump and netcat while performing DNS hijacking and ARP spoofing. The boxes require removing Google Play and installing a third-party app store, increasing the risk of unauthorized relays, advertising fraud, and account takeovers. Consumers are advised to avoid uncertified Android TV devices and follow FBI and EFF guidance on suspicious app marketplaces.

Hijacked VPN Credentials Drive Half of Ransomware Access

🔐 Beazley's Q3 2025 analysis shows ransomware activity rose, with three groups — Akira, Qilin and INC Ransomware — responsible for 65% of leak posts and an 11% increase in leaks versus the prior quarter. Initial access increasingly relied on valid VPN credentials (48% of incidents, up from 38%), with external service exploits accounting for 23%. The report highlights an Akira campaign abusing SonicWall SSLVPNs via credential stuffing where MFA and lockout controls were absent, and warns that stolen credentials and new infostealer variants like Rhadamanthys are fuelling the underground market. Beazley urges adoption of comprehensive MFA, conditional access and continuous vulnerability management to mitigate risk.

Half a Million FTSE 100 Credentials Discovered Online

🔒 Security researchers from Socura and Flare found around 460,000 compromised credentials tied to FTSE 100 domains across clear- and dark-web crime communities, including 28,000 entries from infostealer logs. The report notes many companies had thousands of leaks and that password hygiene remains poor, with 59% having at least one user using 'password'. It recommends MFA, passkeys, password managers, conditional access and proactive leak monitoring.

Password managers under attack: risks, examples, defenses

🔐 Password managers centralize credentials but are attractive targets for attackers who exploit phishing, malware, vendor breaches, fake apps and software vulnerabilities. Recent incidents — including a 2022 LastPass compromise and an ESET‑reported North Korean campaign — demonstrate how adversaries can exfiltrate vault data or trick users into surrendering master passwords. To reduce risk, use a long unique master passphrase, enable 2FA, keep software and browsers updated, install reputable endpoint security, and only download official apps from trusted stores.

5 Reasons Attackers Prefer Phishing via LinkedIn Channels

🔒 Phishing is moving beyond email to platforms like LinkedIn, where direct messages sidestep traditional email defenses and evade many web-based controls. Attackers exploit account takeovers, weak MFA adoption, and AI-driven outreach to scale targeted campaigns against executives and cloud identity services. Because LinkedIn messages are accessed on corporate devices but outside email channels, organizations often rely on user reporting and URL blocking—measures that are slow and ineffective. Vendor Push Security recommends browser-level protections that analyze page code and behavior in real time to block in-browser phishing and SSO-based compromises.

Defending Digital Identity from Computer-Using Agents (CUAs)

🔐 Computer-using agents (CUAs) — AI systems that perceive screens and act like humans — are poised to scale phishing and credential-stuffing attacks by automating UI interactions, adapting to layout changes, and bypassing anti-bot defenses. Organizations should move beyond passwords and shared-secret MFA to device-bound, cryptographic authentication such as FIDO2 passkeys and PKI-based certificates to reduce large-scale compromise. SaaS vendors must integrate with identity platforms that support phishing-resistant credentials to strengthen overall security.

Enterprise Credentials at Risk: Same Old Compromise Cycle

🔐 The article outlines how everyday credential reuse and phishing feed a persistent compromise lifecycle: credentials are created, stolen, aggregated, tested, and ultimately exploited. It details common vectors — phishing, credential stuffing, third-party breaches, and leaked API keys — and describes criminal marketplaces, botnets, opportunistic fraudsters, and organized crime as distinct actors. Consequences include account takeover, lateral movement, data theft, resource abuse, and ransomware, and the piece urges immediate action such as scanning for leaked credentials with tools like Outpost24's Credential Checker.

Stolen Credentials and Remote Access Abuse in 2025

🔒 FortiGuard Incident Response observed that in H1 2025 financially motivated actors frequently used stolen credentials and legitimate remote-access software to gain and extend access across environments. Adversaries relied on compromised VPN logins, password reuse, or purchased credentials, deploying tools like AnyDesk, Splashtop, Atera and ScreenConnect to move laterally and exfiltrate data manually. These intrusions often bypass endpoint-focused defenses because activity mimics normal user behavior, so FortiGuard emphasizes identity- and behavior-driven detection, broad MFA enforcement, and monitoring of remote access tooling.

Spike in Automated Botnet Attacks Targeting PHP, IoT

🔍 Cybersecurity researchers warn of a sharp rise in automated botnet campaigns targeting PHP servers, IoT devices, and cloud gateways. The Qualys Threat Research Unit says Mirai, Gafgyt, Mozi and similar botnets are exploiting known CVEs, misconfigurations and exposed secrets to recruit vulnerable systems. Attackers leverage active debug interfaces (for example using '/?XDEBUG_SESSION_START=phpstorm'), scan from cloud providers to mask origin, and turn compromised routers and DVRs into residential proxies. Recommended mitigations include prompt patching, removing development tools from production, securing secrets with AWS Secrets Manager or HashiCorp Vault, and restricting public cloud access.

Rise in Attacks on PHP Servers, IoT and Cloud Gateways

🔒 Qualys' Threat Research Unit reports a sharp rise in attacks targeting PHP servers, IoT devices and cloud gateways, driven by botnets such as Mirai, Gafgyt and Mozi exploiting known CVEs and misconfigurations. Researchers highlight active exploitation of flaws like CVE-2022-47945 (ThinkPHP RCE), CVE-2021-3129 (Laravel Ignition) and aging test/debug artifacts such as CVE-2017-9841, while attackers also harvest exposed AWS credentials. Qualys urges continuous visibility, timely patching, removal of debugging tools in production and managed secret stores to reduce risk.

Google Refutes False Claims of Massive Gmail Breach

🔒 Google says reports of a massive Gmail data breach are false and that the coverage mischaracterizes a large compilation of exposed credentials. The 183 million-account figure reflects aggregated infostealer databases and credential dumps compiled over years, not a single Gmail compromise. Troy Hunt added the dataset to Have I Been Pwned, which found 91% of entries were previously seen; 16.4 million addresses were newly observed. Users should check their accounts, run antivirus scans, and change any compromised passwords.

Passwordless Authentication: Clearing Common Myths

🔐 Passwordless authentication reduces reliance on passwords by using device-bound keys and local verification. The post explains that passwordless is inherently multi-factor: a device factor plus a local secret such as a PIN or biometric. Biometrics and PINs unlock a private key stored on the device and are not transmitted or centralized, reducing theft and replay risks. It also describes protections that make this approach highly phishing-resistant.

AI-Enhanced Reconnaissance: Risks for Web Applications

🛡️ Alex Spivakovsky (VP of Research & Cybersecurity at Pentera) argues that AI is accelerating reconnaissance by extracting actionable insight from external-facing artifacts—site content, JavaScript, error messages, APIs, and public repos. AI enhances credential guessing, context-aware fuzzing, and payload adaptation while reducing false positives by evaluating surrounding context. Defenders must treat exposure as what can be inferred, not just what is directly reachable.

New SonicWall SSLVPN Compromises Linked to Credentials

🔒 Huntress reports a fresh wave of compromises targeting SonicWall SSLVPN appliances in early October, affecting at least 16 organizations and more than 100 accounts. Attackers are authenticating with valid credentials rather than brute forcing, often from recurring attacker-controlled IPs. Some sessions involved internal reconnaissance and attempts against Windows administrative accounts, but Huntress says it has no evidence linking the activity to September’s MySonicWall cloud backup disclosure. It urges administrators to reset credentials, restrict remote management, review SSLVPN logs, and enable MFA.