All news with #mfa tag

108 articles · page 3 of 6

Why Security's Future Depends on Identity, Not Perimeter

🔒 Modern security must treat identity as the perimeter rather than the network. As remote work and cloud adoption dissolved traditional edges, attackers increasingly target credentials — a trend underscored by reports from Verizon, Microsoft and Okta — making identity the primary attack surface. Organizations must adopt Zero Trust identity controls such as MFA, SSO, RBAC, PAM, device trust and continuous, adaptive monitoring, and treat identity lifecycle and privilege management as core infrastructure.

LinkedIn: Why Threat Actors Target Professionals Now

🔒 LinkedIn's vast professional network provides abundant intelligence that threat actors exploit to support spear-phishing, business email compromise and direct recruitment efforts. Profiles and connections help attackers craft highly credible lures, while messages sent within the platform can bypass corporate email controls. To reduce risk, users should limit public detail, enable MFA, maintain patched devices and complete targeted security awareness training focused on fake profiles and malicious DMs.

Phishing Uses Browser-in-the-Browser to Steal Facebook

🔒 Cybercriminals are increasingly using browser-in-the-browser (BitB) attacks to harvest Facebook credentials, researchers at Trellix report. Attackers distribute phishing emails with spoofed, shortened links and present a fake in-browser pop-up that mimics the Facebook login — even hardcoding the real Facebook URL and displaying a bogus CAPTCHA to boost credibility. Victims are prompted for personal details and then asked to confirm their password; enabling two-factor authentication and avoiding embedded links can mitigate these scams.

When Your Personal Data Appears on the Dark Web - What to Do

🔒 If you learn your personal or financial data is on the dark web, act quickly: cybercriminals use stolen PII, credentials, session cookies and payment details to commit account takeover, identity theft and fraud. Immediately change compromised passwords, enable MFA (prefer authenticator apps or hardware keys), sign out of all devices, scan for infostealer malware and contact your bank to freeze or reissue cards. For longer-term protection, freeze credit, tighten privacy settings, use email aliasing and a password manager, and enroll in monitoring services such as HaveIBeenPwned.

Instagram Denies Breach After 17M Account Data Leak Claims

🔐 Meta says it patched a bug that allowed an external party to mass-request Instagram password reset emails and denies any systems breach after claims that data from more than 17 million accounts was posted online. Malwarebytes warned customers of a 17.5M-account dump containing phone numbers, emails, addresses and Instagram IDs, though not every record includes all fields. Meta told reporters it is not aware of an API incident in 2022 or 2024, and Instagram accounts remain secure. Users should ignore unsolicited reset emails, enable two-factor authentication, and stay alert to phishing and smishing attempts.

Phishing attackers exploit email routing and spoofing gaps

📧 Microsoft Threat Intelligence warns attackers are increasingly abusing complex email routing and misconfigured DMARC and SPF policies to make phishing messages appear internal. Campaigns exploit MX records that do not point directly to Microsoft 365, allowing messages with the recipient's address in both To and From fields to bypass filters. Lures include password resets and shared-document notices, and some attacks use Phishing-as-a-Service platforms such as Tycoon 2FA to perform Adversary-in-the-Middle attacks that can defeat MFA. Microsoft recommends strict DMARC reject policies, SPF hard-fails, correct connector configuration, and phishing-resistant MFA like FIDO2.

Phishing Exploits Misconfigured MX Records in M365 Now

📧 Microsoft Threat Intelligence warns of a surge in phishing campaigns that exploit misconfigured mail routing and domain spoofing protections to make malicious messages appear internal to Microsoft 365 tenants. Attackers target users with HR- and IT-themed lures to steal credentials, often pairing the technique with phishing-as-a-service kits like Tycoon 2FA. The vector depends on tenants whose MX records are not pointed directly at Office 365, bypassing built-in spoof detection. Organizations should correct MX configuration, enforce DMARC and deploy phishing-resistant MFA for privileged roles.

ThreatsDay: Weekly roundup — hacks, vulnerabilities, trends

🛡️ This week's ThreatsDay highlights a critical RustFS gRPC authentication flaw with a hard-coded token (CVSS 9.8) that allowed network attackers to perform privileged operations and was patched in 1.0.0-alpha.78. Other notable stories include GeoServer-based XMRig miners, an evolution in Iran-linked MuddyWater custom backdoors, a surge in Taiwanese infrastructure attacks, and CISA's KEV catalog expansion. Organizations should apply patches, enable MFA, and monitor credentials and exposed services.

Microsoft Enforces MFA for Microsoft 365 Admin Center Access

🔐 Microsoft will require MFA for all users signing into the Microsoft 365 admin center and will block accounts that do not have MFA enabled starting February 9, 2026. The enforcement covers portal.office.com/adminportal/home, admin.cloud.microsoft, and admin.microsoft.com and follows an initial rollout that began in February 2025. Administrators are urged to enable MFA using Microsoft's setup wizard or official documentation to avoid service interruptions; Microsoft notes that MFA significantly reduces the risk of account compromise.

Credential stuffing: risks and protection advice today

🔐 Credential stuffing exploits reused login credentials harvested from breaches or captured by infostealer malware, then systematically automates login attempts across services. Attackers increasingly use bots, IP rotation and AI-assisted scripts to mimic human behavior and evade basic defenses, enabling stealthier and larger-scale attacks. Because it uses valid credentials, it often bypasses alarms that detect brute-force failures. Protect yourself with a password manager, enable 2FA/MFA, and monitor for exposed credentials.

ownCloud Urges MFA after Credential Theft Reports Globally

🔒 ownCloud has urged users to enable multi-factor authentication (MFA) after reports that threat actors used credentials stolen via infostealer malware to access self-hosted file-sharing instances. The company said the platform was not breached via a zero-day or vulnerability; attackers reused credentials harvested by malware such as RedLine, Lumma, and Vidar. ownCloud recommends enabling MFA, resetting passwords, invalidating sessions, and reviewing access logs to protect data.

Infostealer Exploits Lack of MFA to Breach Cloud Accounts

🔒 A recent Hudson Rock report reveals a threat actor known as Zestix (aka Sentap) harvested credentials from infostealer logs and accessed cloud file-sharing services such as ShareFile, Nextcloud and ownCloud because affected organizations did not enforce multi-factor authentication. The actor exfiltrated and auctioned highly sensitive corporate and customer data. The incidents underscore persistent failures in credential hygiene, long-lived stolen credentials and the necessity of MFA and session invalidation.

Cloud file-sharing breaches selling corporate data

🔐 A threat actor known as Zestix is offering corporate data reportedly stolen from dozens of companies after breaching ShareFile, Nextcloud, and ownCloud instances. Hudson Rock links initial access to credentials harvested by infostealers such as RedLine, Lumma, and Vidar, often delivered via malvertising or ClickFix campaigns. Many affected accounts lacked multi-factor authentication, enabling unauthorized access and large-scale data exfiltration.

Fortinet: Active Exploitation of SSL VPN Auth Bypass

⚠️ Fortinet warned on December 24, 2025 that attackers are actively abusing a five‑year‑old FortiOS SSL VPN flaw, CVE-2020-12812 (CVSS 5.2), to bypass two‑factor authentication under specific configurations. The issue stems from inconsistent case sensitivity between FortiGate local users and LDAP directories: if a username's case does not exactly match the local entry, FortiGate may fall back to LDAP and accept credentials without 2FA. Fortinet reiterated prior patches and published configuration mitigations and commands to disable username case sensitivity, and advised customers to contact support and reset credentials if unauthorized 2FA bypass is detected.

CERN Risk Management: Balancing Security and Science

🔒 CERN manages cybersecurity across a globally distributed research community by prioritizing risk adaptation over one-size-fits-all controls. CISO Stefan Lüders frames security as a sociological challenge—measures must be explained and adapted so academic freedom and research workflows remain viable while defending against threats from script kiddies to ransomware and espionage. With roughly 200,000 devices and extensive BYOD, CERN relies on defense-in-depth, network monitoring, segmentation for legacy and IoT systems, and mandated protections such as MFA. Governance is being formalized through audits and standards while preserving operational flexibility.

Attacks Evolve: Three Practical Protections for 2026

🔐 Small and medium-sized businesses became the primary target of data breaches in 2025, as attackers shifted focus from well-defended large enterprises to higher-volume attacks against smaller organizations. High-profile incidents at Tracelo, PhoneMondo, and SkilloVilla exposed millions of customer records—predominantly names and contact information—raising the risk of follow-on phishing and fraud. To reduce breach risk in 2026, adopt two-factor authentication, enforce the principle of least privilege for access control, and centralize credentials with a secure password manager. These steps are practical, cost-effective, and scalable for SMBs.

Observed Abuse of FG-IR-19-283: LDAP Username Case Issue

🔐 Fortinet has observed active abuse of FG-IR-19-283 (CVE-2020-12812) in environments where FortiGate and LDAP username case handling differ. In these configurations, a username entered with any case variation that does not exactly match the local FortiGate entry can bypass local 2FA and instead authenticate via an LDAP group fallback. Administrators should enable the appropriate username sensitivity setting or remove unnecessary secondary LDAP groups to block this bypass.

Amazon WorkSpaces Secure Browser Adds WebAuthn Redirection

🔒 Amazon WorkSpaces Secure Browser now supports Web Authentication (WebAuthn) redirection, enabling users to authenticate to websites from within remote browser sessions using local FIDO2 security keys, passkeys, and platform authenticators like Windows Hello or Touch ID. This capability works with Chromium‑based local browsers such as Google Chrome 136+ and Microsoft Edge 137+, but not with Safari or Firefox. Administrators must enable WebAuthn redirection in the Secure Browser portal and configure the WebAuthenticationRemoteDesktopAllowedOrigins policy on local browsers to allow secure token forwarding. The feature is available at no additional cost in all supported regions.

Credential-based attacks target Cisco and Palo Alto VPNs

🔒 Security researchers observed a coordinated credential-stuffing campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect portals over a two-day span in mid-December. GreyNoise reported millions of automated login sessions from more than 10,000 unique IPs, using a consistent TCP fingerprint and a Firefox-like user agent. The activity did not exploit software flaws but instead relied on large-scale username/password probes. Analysts urged enforcing strong passwords and MFA, auditing exposed edge devices, and leveraging threat-intel blocklists to filter malicious traffic.

Large Password-Spraying Campaign Targets Cisco, PAN VPNs

🔐 An automated password-spraying campaign is targeting multiple VPN platforms, with credential-based attacks observed against Palo Alto Networks GlobalProtect portals and Cisco SSL VPN gateways. GreyNoise recorded login attempts peaking at 1.7 million over 16 hours from more than 10,000 unique IPs, largely originating from the 3xK GmbH hosting space. The actor reused common username/password combinations and used an unusual Firefox user agent, indicating scripted credential probing rather than exploitation. Administrators are advised to enforce strong passwords, enable MFA, audit appliances, and block known malicious IPs.