Tag: identity
All items tagged identity.
- FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory
- Klue / Icarus — one dormant integration credential cascades into multi-tenant Salesforce CRM theft
- The third-party breach as the week's dominant entry vector
- UPDATE: Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed
- UPDATE: FortiBleed reaches 86,644 compromised FortiGate devices; CISA issues emergency hardening guidance
- Icarus extortion group turns a dormant Klue credential into bulk Salesforce CRM theft across customers
- FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory
- 15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys on "Apply"
- Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation
- Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption
- UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale
- PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule
- WordPress supply-chain compromise via Awesome Motive's CDN backdoors ~1.2M sites
- Varonis "SearchLeak" (CVE-2026-42824): one-click M365 Copilot data exfiltration, now patched
- UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign
- Public administration — the week's centre of gravity
- France's Tchap government messenger — account-takeover scrapes 73,467 civil servants' metadata
- Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion
- Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key held by a former employee
- ServiceNow unauthenticated REST endpoint queried customer instance tables before a silent 5 June patch
- UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007
- France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified
- "Ghost-Sender": Exchange Online accepts spoofed inbound mail bypassing SPF/DKIM/DMARC when a third-party MX fronts the tenant — no vendor patch
- NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery
- Meta discloses 20,225 Instagram account takeovers via an AI support-tool logic flaw; Maine AG notification filed 8 June
- CVE-2026-44748 — SAP June Patch Day: SAML XML Signature Wrapping in NetWeaver AS ABAP (CVSS 9.9) plus an unauth RFC kernel memory-corruption (CVSS 9.8)
- Unit 42 catalogues cloud-logging defense-evasion across AWS CloudTrail and Google Cloud Logging — with concrete detection mappings [SINGLE-SOURCE]
- Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender [SINGLE-SOURCE]
- Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692
- Miasma / TeamPCP supply-chain worm: from npm credential theft to AI coding-agent config injection across the week
- Keycloak 26.6.3 — 16 CVEs in the EU public sector's reference IAM, led by token-exchange privilege escalation and SSRF [SINGLE-SOURCE vendor advisory]
- CVE-2026-10868 — MISP: mass-assignment account-takeover (CVSS 9.0) in the EU threat-sharing platform
- Technology / software supply chain — four concurrent worm/supply-chain threats in one week
- Sophos 2026 Active Adversary Report — identity the dominant intrusion root cause; Impacket and AnyDesk most-observed post-exploitation [SINGLE-SOURCE]
- CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform
- NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
- CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
- Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch
- Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft
- One-click GitHub OAuth-token theft via github.dev, fully disclosed with PoC; Microsoft patched 3 June
- Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange
- Dashlane discloses TOTP brute-force that downloaded encrypted vaults of fewer than 20 users
- ANNUAL REPORT — Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause [SINGLE-SOURCE]
- "Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse
- Attackers social-engineer Meta's AI support chatbot into resetting Instagram passwords
- CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client
- UPDATE: ShinyHunters publishes the Charter Communications dataset after ransom refusal
- "Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users
- California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences
- [SINGLE-SOURCE] Red Canary: detecting Entra Agent ID privilege escalation — credential injection into agent blueprints enables lateral movement across the entire tenant
- Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654
- Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands
- TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike
- CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration
- Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
- UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
- Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records
- SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]
- Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected
- UPDATE: ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected
- CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government
- Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]
- UPDATE: ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign
- ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure
- AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole
- Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure
- AFC Ajax — 300,000+ fan accounts exposed via misconfigured API access control; Dutch suspect arrested
- UK Visa Portal — ~100,000 passport scans and selfies on a public-read S3 bucket behind a government-lookalike site
- The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle
- Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit
- ShinyHunters Salesforce campaign — 40+ listed victims; Canada Life and Pitney Bowes confirm; the BreachForums extortion channel was previously seized
- UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable
- Deleted Google Cloud API keys keep authenticating for up to 23 minutes
- UPDATE: npm ships 2FA-gated "staged publishing" GA in response to the 2026 supply-chain worm waves
- Megalodon mass-poisons 5,561 GitHub repos in a 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials and OIDC tokens
- FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture
- Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration
- Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims
- SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions
- Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)
- UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause
- Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations
- Nx Console VS Code extension (2.2 M installs) compromised via stolen publisher credentials — 11-minute window 2026-05-18 12:36–12:47 UTC
- CISA contractor (Nightwing) exposed AWS GovCloud admin keys and internal credentials in public GitHub repo for ~6 months
- 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic
- TeamPCP / Mini Shai-Hulud supply-chain worm — CI/CD credential theft running all week; GitHub itself among claimed victims
- SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware
- TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week
- CVE-2026-7507 (+15) — Keycloak 26.6.2: identity-provider cluster including OIDC session fixation and cross-realm IDOR
- Technology / developer toolchain — CI/CD supply chain remains the week's highest-volume attack surface
- 7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records
- Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed
- Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets
- Midnight Blizzard and others operationalise ROADtools for Entra ID abuse
- Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira
- npm ships 2FA-gated "staged publishing" GA — platform-governance response to the worm waves
- Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture
- Microsoft Exchange CVE-2026-42897 OWA-XSS — same-week compounding with the DEVCORE Pwn2Own chain
- CVE-2026-44088 — CERT-PL SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- Public administration and government
- Sophos 2026 State of Identity Security — 71% of orgs breached via identity, 41% root-caused to non-human-identity mismanagement, Switzerland records highest incidence
- SentinelOne — Living Off the Pipeline: CI/CD subversion taxonomy
- CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]
- GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]
- `node-ipc` npm package backdoored via expired-domain account takeover — 90+ credential categories exfiltrated, three malicious versions, ~3-minute window to detection
- Unit 42: Gremlin Stealer evolved with .NET-resource XOR obfuscation, real-time crypto-clipper, and WebSocket browser-process session-hijack module [SINGLE-SOURCE]
- SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview) [SINGLE-SOURCE]
- CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse
- Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]
- UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub
- BWH Hotels (Best Western, WorldHotels, Sure Hotels) — 181-day unauthorised access to a guest-reservation web application, six EU brands in scope
- CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE
- CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days)
- UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom
- UPDATE: Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today
- Audit Jenkins pipelines for Checkmarx AST plugin auto-update window 2026-05-09 → 2026-05-10 and treat any match as full secrets compromise
- Treat the Instructure Canvas "shred logs" as legally unverifiable; align with EU university IR teams on per-institution deadline today
- Implement egress controls on LLM API endpoints for production server workloads
- ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas
- DigiCert support portal compromise — Salesforce-based support-chat social engineering yielded 60 fraudulent EV code-signing certificates
- German LG Berlin II ruling — Apobank liable for €218,000+ phishing loss; PSD2 IP-analytics obligation clarified
- MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC
- German LG Berlin II — Apobank ruling sets PSD2 IP-analytics obligation as case law
- EDPB Coordinated Enforcement Framework 2026 — 25 DPAs target GDPR transparency obligations (Articles 12–14)
- PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum
- German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams