A botnet made up of more than 130,000 compromised devices is conducting large-scale password-spraying attacks against M365 accounts, exploiting non-interactive sign-ins with Basic Authentication. This method lets malicious actors bypass modern login protections, evade multi-factor authentication (MFA) enforcement, and remain undetected by security teams.
Leveraging Purloined Credentials
Malefactors are leveraging stolen credentials from infostealer logs to systematically target M365 accounts on a global scale. These attacks are recorded in Non-Interactive Sign-In logs, an area frequently overlooked by security teams. They exploit this gap to launch high-volume password spraying attempts without triggering security alerts. Non-interactive sign-ins are often used for service-to-service…
Kirsten Doyle
The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a joint Cybersecurity Advisory on Ghost (Cring) ransomware. The advisory, titled #StopRansomware: Ghost (Cring) Ransomware, provides network defenders with key indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods identified through FBI investigations. Ghost ransomware actors target firms with outdated software and firmware in their internet-facing services. The advisory warns that these bad actors exploit known vulnerabilities where patches have not been applied to gain unauthorized access. The identified Common…
Cisco Talos has been actively tracking reports of extensive intrusion attempts targeting multiple major U.S. telecommunications companies. First identified in late 2024 and subsequently confirmed by the US government, this activity is attributed to a highly advanced threat actor known as Salt Typhoon. According to public reports, Salt Typhoon successfully infiltrated core networking infrastructure in multiple instances, leveraging these systems to collect sensitive information. While one case suggested exploitation of a known Cisco vulnerability (CVE-2018-0171), Cisco Talos’ investigations indicate that most incidents stemmed from the use of legitimate victim login credentials rather than newly discovered vulnerabilities. The findings reveal that…
In a newly seen phishing campaign, malicious actors have exploited URL manipulation techniques to obfuscate their malicious links, compromising businesses and individuals worldwide. Check Point researchers identified a whopping 200,000 phishing emails abusing URL information to hide phishing links, with the first instance recorded on 21 January. The campaign is still active but has shown a gradual decline in the volume of daily threats.
Who’s in the Crosshairs?
The US has been the favored target of these attacks, making up three-quarters (75%) of the email distribution. The EMEA region follows with 17%, and Canada accounts for 5% of the total attack volume. …
A recent analysis by cybersecurity firm Hudson Rock on its Infostealers site has uncovered alarming vulnerabilities within the US military and its defense contractors due to widespread info stealer malware infections. According to the company, these infections have compromised sensitive data across several high-profile entities, including Lockheed Martin, Boeing, Honeywell, the US Army, Navy, FBI, and the Government Accountability Office (GAO). The compromised data encompasses VPN credentials, email systems, and access to classified procurement portals, raising significant concerns about national security.
Oops, I Did It Again
“Each one of these infected employees is a real person — it could be an engineer working…
Cybercrime-as-a-Service (CaaS) is more than just a trend—it’s here to stay. As sophisticated attack tools become widely (and easily) available, even less experienced cybercriminals can now carry out highly disruptive campaigns. In fact, Malware-as-a-Service (MaaS) now makes up 57% of detected threats—a 17% increase from the first half of last year. This surge makes it clear that CaaS models, particularly Ransomware-as-a-Service (RaaS) and MaaS, continue to fuel cybercrime at scale, arming adversaries with the tools they need to launch more frequent and complex attacks with minimal effort. This was one of the findings of Darktrace’s 2024 Annual Threat Report, which…
Researchers from Trend Micro’s Threat Hunting team have uncovered a new technique employed by the advanced persistent threat (APT) group dubbed Mustang Panda or Earth Preta. The cyberespionage group has been abusing the Microsoft Application Virtualization Injector (MAVInject.exe) to stealthily inject malicious payloads into waitfor.exe when it detects an ESET antivirus application running. This discovery is a sign of the group’s evolving tactics to bypass security defenses and maintain a foothold in compromised systems.
Sophisticated Evasion Tactics
Earth Preta’s latest campaign uses Setup Factory, an installer builder, to drop and execute malicious payloads while evading detection. The attack chain starts…
The Qualys Threat Research Unit (TRU) has uncovered two significant vulnerabilities in OpenSSH, a widely used open-source implementation of the Secure Shell (SSH) protocol. These flaws, tracked as CVE-2025-26465 and CVE-2025-26466, pose substantial security risks to enterprise infrastructure and encrypted communications.
Details of the Vulnerabilities
CVE-2025-26465: The researchers said the OpenSSH client is vulnerable to an active machine-in-the-middle (MITM) attack if the VerifyHostKeyDNS option is enabled (it is disabled by default): when a vulnerable client connects to a server, an active machine-in-the-middle can mimic the server by fully bypassing the client’s checks of the server’s identity. The issue was introduced…
South Korea has formally suspended new downloads of the Chinese AI chatbot DeepSeek, citing concerns over data privacy and compliance with domestic regulations. The suspension took effect on 15 February, according to the Personal Information Protection Commission (PIPC). While downloads are currently restricted in domestic app marketplaces, the web-based service remains accessible. The decision follows PIPC’s analysis of DeepSeek’s data handling practices, which revealed deficiencies in communication functions and personal information processing procedures with third-party service providers. Shortly after its launch, DeepSeek was found to have inadequately addressed South Korea’s data protection laws, which saw regulators issue a formal order…
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects. While the latest variant has only been observed in limited attacks, security researchers warn that its enhanced capabilities make it a significant threat to macOS users and developers.
A Persistent Threat Since 2020
First identified by Trend Micro in 2020, XCSSET initially gained infamy as it was able to compromise Xcode projects, which allowed it to execute malicious code whenever a developer built an infected project. The malware leveraged zero-day vulnerabilities to slip past macOS security protections, steal…
