Poland’s CERT reported a Russia-linked attack on the national power grid that compromised communication and control systems at about 30 sites, allowing attackers to access ICS, upload malicious firmware, deploy wipers, and permanently damage some devices without causing electrical outages. The initial vector was internet-exposed Fortinet FortiGate devices using default credentials,…
Tag: SSO
CEOs and other leaders are increasingly targeted through public profiles, travel disclosures, deepfakes, impersonation accounts, and leaked credentials—threats that can trigger multi‑million dollar losses and long‑lasting reputational damage. Executive monitoring solutions like Cyble deliver real‑time detection across surface, deep, and dark web sources, plus deepfake identification and contextualized alerts to protect…
NationStates confirmed a data breach after a player who reported a critical Dispatch Search vulnerability exceeded testing bounds, achieved remote code execution on the production server, and copied application code and user data. Exposed information likely includes email addresses, MD5 password hashes, IP addresses, UserAgent strings, and portions of telegrams; the site is rebuilding servers, upgrading security, and has reported the incident to authorities. #NationStates #DispatchSearch #MaxBarry #MD5 #RCE
Microsoft will disable NTLM by default in the next Windows Server and associated Windows client releases as part of a multi-phase plan to eliminate the legacy protocol. Organizations should use enhanced NTLM auditing in Windows Server 2025 and Windows 11 24H2+, map dependencies, migrate to Kerberos, and test NTLM-off configurations to…
Japan and Britain have agreed to expand cooperation through a new cyber strategic partnership aimed at strengthening cybersecurity and protecting critical mineral supply chains amid rising geopolitical and technological pressures. The agreement, confirmed during Keir Starmer’s visit to Tokyo with Prime Minister Sanae Takaichi, links digital resilience to economic and defense…
Mandiant describes an expansion of ShinyHunters-branded extortion operations that leverage vishing and victim-branded credential harvesting to compromise single sign‑on (SSO) credentials and enroll unauthorized devices into victim MFA, enabling access to cloud SaaS environments. Immediate containment (revoke sessions, pause MFA registration, restrict password resets) plus long‑term hardening (phishing‑resistant MFA, IdP/SaaS logging and detections) are recommended to stop exfiltration and persistence. #ShinyHunters #Okta
Qilin claims to have compromised Jcm Agricola and deployed ransomware across its network. The claim ties the operation to Spain. #Spain
Researchers disclosed a supply chain attack on the Open VSX Registry where attackers used a compromised developer account (oorzc) to publish four malicious extension updates that delivered the GlassWorm loader. The loader uses EtherHiding, runtime decryption, and Solana memos to fetch C2 and exfiltrate macOS credentials, browser data, and cryptocurrency wallet…
Ransomware operations are increasingly enabled by infostealers that harvest and sell credentials and session tokens to Initial Access Brokers, enabling validated enterprise access and rapid ransomware deployment often within 48 hours. This convergence compresses attacker dwell time, elevates credential-driven extortion risk, and demands stronger credential hygiene, endpoint visibility, and identity-focused defenses. #RedLine #Lumma
ESET researchers detailed DynoWiper, a new data-wiping malware deployed against an energy company in Poland that was prevented from fully executing by ESET PROTECT. The activity shows strong TTP overlap with previous Sandworm operations (including similarities to the ZOV wiper and AD/GPO deployment scripts), and ESET attributes DynoWiper to Sandworm with medium confidence. #DynoWiper #Sandworm
Daily Recap: a December 2025 campaign exploited default credentials on exposed FortiGate VPNs and misconfigured OT devices, compromising about 30 Polish wind and solar sites, exfiltrating credentials, and deploying wipers linked to Static Tundra and DynoWiper with ties to Electrum and Sandworm. The recap also covers Ivanti EPMM zero-days (including CVE-2026-1281) exploited in the wild, SolarWinds Web Help Desk patches, Windows 11 boot failures after the December 2025 update, exposure of Ollama hosts and Hugging Face abuse, and notable disruptions and breaches such as the IPIDEA takedown, the Match Group leak, the Marquis/SonicWall incident, and CNIL’s €5 million fine. #FortiGate #StaticTundra #DynoWiper #Electrum #Sandworm #Ivanti #CVE-2026-1281 #WebHelpDesk #Windows11 #Ollama #HuggingFace #IPIDEA #MatchGroup #SonicWall #Marquis #CNIL
Socket researchers identified a developer-account compromise in the Open VSX Registry that published malicious updates to four oorzc extensions embedding the GlassWorm loader, using staged AES-encrypted loaders and Solana transaction memos as a dynamic dead drop. The macOS-focused follow-on payload steals browser cookies, wallet files, keychain, AWS and SSH credentials and establishes persistence via a LaunchAgent; remove affected extensions, check for persistence, and rotate exposed tokens and keys. #GlassWorm #OpenVSX
Threat actors are automatically compromising exposed MongoDB instances and leaving ransom notes demanding roughly 0.005 BTC (about $500) to restore data. Flare researchers discovered over 208,500 publicly exposed MongoDB servers — 3,100 without authentication — and found nearly half of those had already been wiped and left with ransom notes. #MongoDB #Flare
Mandiant and Google Threat Intelligence report that ShinyHunters and affiliated clusters are running vishing campaigns that use company-branded phishing sites to steal SSO credentials and MFA codes, allowing attackers to enroll their own devices and maintain access. Compromised accounts provide attackers with centralized access to SaaS dashboards (Okta, Microsoft Entra, Google SSO) to exfiltrate data from services like Salesforce and enable extortion. #ShinyHunters #Okta
CERT Polska reported coordinated destructive cyber attacks on December 29, 2025 that targeted more than 30 wind and photovoltaic farms, a manufacturing company, and a large combined heat and power (CHP) plant serving nearly half a million customers. The intrusions involved wiper malware (notably DynoWiper and LazyWiper), exploitation of vulnerable Fortinet/FortiGate…