All news with #mfa tag

108 articles · page 2 of 6

Cyber Fallout After the Strikes: Signal, Noise, Next Steps

⚠️ FortiGuard Labs reports a surge of regional cyber activity in the 24–48 hours following U.S.-Israeli strikes on Iranian targets, including defacements, broadcast intrusions, Telegram claims, and internet disruptions, but no confirmed large-scale destructive campaign tied directly to the strikes. Many observed events appear to be psychological operations, hacktivist signaling, or opportunistic exploitation of geopolitical noise rather than coordinated state-level retaliation. The report warns that access is often pre-positioned and that activations can be delayed, so organizations should harden basic controls and preparedness now. Recommended actions include enabling MFA, automating patching, maintaining isolated backups, segmenting networks, monitoring actively, and exercising incident response playbooks.

Cloudflare adds mandatory authentication and independent MFA

🔒 Cloudflare announced mandatory authentication for the Cloudflare One Client and a new independent multi-factor authentication (MFA) capability to strengthen remote access. When enabled via MDM, the client blocks all Internet traffic until the user authenticates, allowing only the authentication flow and prompting users to sign in. The separate MFA acts as a network-edge, step-up second root of trust, supporting biometrics, WebAuthn/FIDO2 keys, PIV for SSH, and TOTP. Mandatory authentication starts on Windows, and the independent MFA is available in closed beta.

Starkiller phishing suite proxies real sites to bypass MFA

🔒 Cybersecurity researchers disclosed Starkiller, a commercial phishing suite marketed by a group calling itself Jinkusu that proxies legitimate login pages to bypass multi-factor authentication. The platform launches a headless Chrome instance inside a Docker container and acts as an AitM reverse proxy, relaying keystrokes, form submissions and session tokens. Abnormal warns the toolkit centralizes deployment, URL masking and session monitoring to give low-skill criminals effective MFA-bypass capabilities at scale.

CrowdStrike FalconID Adds Phishing-Resistant MFA Support

🔐 FalconID is now generally available, delivering phishing-resistant, FIDO2-based authentication built into the Falcon sensor and delivered via the Falcon for Mobile app. It replaces passwords, push notifications and one-time codes with biometric, device-bound verification and cryptographic domain binding. Authentication decisions are driven by real-time identity, endpoint and SaaS telemetry to minimize friction while blocking credential abuse. For legacy apps, FalconID offers secure indirect authentication, and when paired with SGNL it enables continuous, risk-based authorization across environments.

Preventing Business Email Compromise: Practical Steps

🔒 Business email compromise (BEC) is a high-impact social engineering threat that targets organizations' financial and identity workflows. The article outlines pragmatic defenses: enforce MFA, validate DMARC/DKIM/SPF, deploy advanced phishing and spoofing filters, and maintain continuous security awareness training with simulated attacks. It also recommends dual-approval for large transfers, stricter help-desk verification, and monitoring for anomalies such as mailbox forwarding rules, impossible-travel logins, and last-minute bank-detail changes to accelerate detection and response.

PayPal's Hesitant Move Away From SMS for MFA, Operational Friction

🔐 PayPal announced it will begin removing unencrypted SMS for login MFA starting March 2026 but provided no firm timeline and said SMS will remain in use for fraud-related security checks. The company urged customers to adopt authenticator apps or FIDO2 security keys, though its email contained confusing setup instructions and account pages initially lacked direct update flows. Analysts say the move reflects security pressure, potential cost savings, and adoption friction between business and security teams.

npm's Token Overhaul Reduces but Doesn't Eliminate Risk

🔒 In December 2025 npm completed a major credential overhaul, revoking long-lived classic tokens and moving to short-lived session tokens and OIDC Trusted Publishing to reduce supply-chain risk. While MFA by default and ephemeral per-run CI credentials limit exposure, optional 90-day tokens that bypass MFA and successful MFA phishing still permit rapid malicious publishes. Developers should favor OIDC, avoid long-lived bypassable tokens, and enforce MFA-on-publish where possible to further harden the ecosystem.

Netherlands Police Arrest Seller of JokerOTP MFA Tool

🔒 The Netherlands Police arrested a 21-year-old man from Dordrecht accused of selling access to the JokerOTP phishing-as-a-service platform that captures one-time passwords to enable account takeover. Investigators say this is the third arrest after a three-year probe that dismantled the operation in April 2025 and previously identified a developer and a co-developer. The seller advertised license keys on Telegram, allowing subscribers to automate calls that tricked victims into revealing OTPs, PINs, and card data, leading to fraud and unauthorized transfers.

NCSC Warns CNI Operators of Severe Cyber-Attacks Now

⚠️ The NCSC has issued an urgent alert to critical national infrastructure (CNI) providers after December's coordinated malware attacks against Poland's energy sector, urging operators to act now to defend UK assets. Director Jonathan Ellison stressed the need to follow recent NCSC guidance on monitoring, situational awareness and hardening network defences. Recommended measures include patching, access controls and MFA, secure-by-design management and robust resilience and recovery plans.

Taxing times: Top IRS scams to watch for in 2026 season

🔍 Tax season 2026 brings a renewed surge in IRS-related scams as fraudsters exploit email, text and phone channels to steal refunds and personal data. Scammers impersonate the IRS, tax preparers or software vendors with spoofed logos, domains and caller IDs, and may demand unusual payments or coax victims into filing fraudulent returns. Watch for phishing/smishing/vishing, W-2 fraud, fake tax credits and dishonest preparers. Protect accounts with MFA, consider an IP PIN, file early and report suspicious messages to phishing@irs.gov.

Microsoft supports Operation Winter SHIELD to close gaps

🔒 Microsoft is supporting Operation Winter SHIELD, a nine-week FBI-led effort beginning February 2, 2026, that shifts focus from guidance to practical implementation so organizations can operationalize controls that actually reduce risk. Microsoft will provide technical resources and platform-backed guardrails — including Baseline Security Mode — to enforce phish-resistant MFA, block legacy authentication, and surface unsupported systems. The initiative emphasizes secure-by-default configurations and automation to turn recommendations into enforceable protections and narrow the execution gap attackers exploit.

AWS Multi-Party Approval Adds One-Time Password Voting

🔐 AWS announced that AWS Multi-Party Approval now requires approvers to verify voting actions with a one-time password sent to their registered AWS Identity Center email address. The OTP is a six-digit code that must be entered within 10 minutes of receipt, with up to three attempts allowed. Verification occurs when the approver submits their vote, after they have reviewed request details. Administrators cannot bypass this control via credential resets or authentication endpoint changes.

Mandiant: Vishing Campaign Steals MFA to Breach SaaS

📞 Google-owned Mandiant reported an expansion of ShinyHunters-style extortion activity that combines advanced voice phishing with fake credential-harvesting sites to capture SSO credentials and MFA codes to access cloud SaaS environments. The team is tracking multiple clusters (UNC6661, UNC6671, UNC6240) and observed attackers impersonating IT staff, registering attacker-controlled MFA devices, and exfiltrating data from services such as SharePoint and OneDrive. Mandiant recommends strengthening help-desk verification, improving logging and detection, restricting weak authentication methods, and adopting phishing-resistant options like FIDO2 or passkeys.

Threat Source: Resilience, trends, and hard truths

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.

FBI Launches Winter SHIELD to Strengthen Cyber Defenses

🔐 The FBI has launched Operation Winter SHIELD, a ten-week campaign outlining ten concrete actions organisations should adopt to improve cyber resilience across IT and OT environments. Developed with domestic and international partners and informed by recent investigations, the initiative connects observed adversary behaviour to practical defenses such as phish-resistant authentication, immutable offline backups, vulnerability management and reduced administrator privileges. Aligned with the US National Cyber Strategy and the FBI Cyber Strategy, the effort aims to harden critical infrastructure and reduce the attack surface.

NHS Calls for Stronger Supplier Cybersecurity Measures

🏥 The NHS has issued an open letter (22 January) signaling more proactive engagement with suppliers to bolster cyber resilience across health and social care. The initiative builds on last year’s voluntary cybersecurity supply chain charter and responds to persistent ransomware and supply-chain threats. NHS England stresses this is not an audit but a partnership to identify risks and agree proportionate remediation. Expectations include MFA, patched systems, effective logging and immutable backups with tested recovery plans.

Okta SSO Accounts Targeted by Vishing Phishing Kits

🔔 Okta warns of bespoke vishing phishing kits sold as a service that enable live adversary-in-the-middle attacks to steal Okta SSO credentials. These kits include a C2 panel that lets callers control the victim's authentication flow in real time and synchronize fraudulent MFA dialogs to bypass push-based protections. Okta urges adoption of phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys and recommends user education and vendor notifications.

GitLab 2FA Bypass Vulnerability Requires Immediate Patch

🔒 A critical two-factor authentication bypass (CVE-2026-0723) in GitLab Community and Enterprise editions allows an attacker who knows a user’s credentials to submit forged device responses and bypass MFA. GitLab released patches in versions 18.8.2, 18.7.2 and 18.6.4 and strongly recommends that all self-managed instances upgrade immediately. Additional fixes address several denial-of-service and authorization flaws; GitLab.com and Dedicated tenants are already protected.

GitLab warns of 2FA bypass and multiple DoS vulnerabilities

🔒 GitLab has patched a high-severity two-factor authentication bypass (CVE-2026-0723) that could allow attackers who know a target's account ID to submit forged device responses and bypass 2FA. The release also addresses two high-severity denial-of-service flaws (CVE-2025-13927, CVE-2025-13928) and two medium-severity DoS issues affecting Wiki rendering and SSH authentication. Administrators should upgrade to 18.8.2, 18.7.2, or 18.6.4 immediately; GitLab.com is already patched.

Regular Cyber Risk Assessments Improve Data Security

🔍 Regular cyber risk assessments are essential for identifying vulnerabilities, prioritizing remediation, and documenting security progress for leadership. CISOs receive actionable insights about exposed data, authentication gaps, and compliance obligations (for example, GDPR and PCI DSS). Analyses show one in ten cloud datasets is broadly accessible and more than 99% of compromised accounts lacked MFA. Typical assessments take two to four hours and deliver prioritized, immediately actionable recommendations.