Marquis Software Solutions says the August 2025 ransomware attack that affected dozens of U.S. banks and credit unions was enabled by firewall configuration data stolen from SonicWall’s MySonicWall cloud backup rather than by exploiting an unpatched firewall. SonicWall later confirmed all cloud backup customers were impacted, Mandiant linked the breach to state-sponsored actors, and Marquis is evaluating options to seek recoupment for response costs. #MarquisSoftwareSolutions #SonicWall
Match Group confirmed a cybersecurity incident after the ShinyHunters threat group leaked 1.7 GB of files allegedly containing user records and internal documents from Hinge, Match, and OkCupid. The company says a limited amount of user data was accessed via a compromised Okta SSO account but that there is no indication of stolen log-in credentials, financial information, or private communications. #ShinyHunters #MatchGroup
Google Threat Intelligence Group (GTIG), together with industry partners, disrupted IPIDEA by taking down domains and sharing intelligence on its proxy SDKs, infected-device management, and traffic routing infrastructure. IPIDEA covertly enrolled millions of devices through trojanized Android apps and Windows binaries to sell proxy access to over 550 threat groups and support botnets like Aisuru and Kimwolf. #IPIDEA #BadBox2_0
SolarWinds released patches for six vulnerabilities in its Web Help Desk product, including four critical flaws that could enable unauthenticated remote code execution via untrusted data deserialization and AjaxProxy bypasses. The defects, discovered by Horizon3.ai and WatchTowr, are fixed in Web Help Desk version 2026.1 and organizations are urged to update…
Pillar Security reports Operation Bizarre Bazaar, a large-scale LLMjacking campaign that scans for and hijacks exposed LLM and MCP endpoints to monetize resources, resell API access, exfiltrate data, and move laterally. The operation uses a scanner, a validator tied to silver.inc, and a marketplace called The Unified LLM API Gateway, with…
A DLA Piper report finds EU data breach notifications rose 22% year‑on‑year, averaging 443 notifications per day, while GDPR fines remained high at about €1.2 billion in 2025. The report warns that the EU Digital Omnibus proposals to raise the incident‑notification threshold, alongside laws like NIS2 and DORA, could reshape enforcement…
IClickFix is a widespread malicious JavaScript framework that has been injected into over 3,800 compromised WordPress sites since at least December 2024 to display a fake Cloudflare Turnstile (ClickFix) lure and deliver downstream payloads. The framework uses a YOURLS-based Traffic Distribution System, multi-stage obfuscated JavaScript, and clipboard-based social engineering to install NetSupport RAT via a PowerShell dropper. #IClickFix #NetSupportRAT
This report analyzes a cross‑platform Python‑based Remote Access Trojan (RAT) packaged as an ELF that performs system fingerprinting, generates a semi‑persistent UID, communicates with an unencrypted HTTP C2 (/api/{uid}/hello), supports threaded remote command execution, unrestricted file transfer, screenshot capture, ZIP bundling, and persistence via XDG autostart and the Windows Run key. K7 Labs observed high detection rates for the sample (MD5: 0fed60850aa38127095f21182cc2c85d) and recommends keeping protections like K7 Total Security up to date. #PythonRAT #K7Labs
FortiGuard Labs discovered a Base64-encoded PHP web shell named EncystPHP deployed by exploiting FreePBX Endpoint Manager vulnerability CVE-2025-64328, enabling remote command execution, persistence, and telephony abuse. The campaign, attributed to INJ3CTOR3, delivered droppers from 45[.]234[.]176[.]202 (crm[.]razatelefonia[.]pro), created a root-level user and SSH backdoor, and maintained persistence via cron jobs and widespread web shell copies. #EncystPHP #FreePBX
RedKitten is a January 2026 campaign targeting Iranian interests that uses weaponized XLSM documents to deploy a C# implant (SloppyMIO) which retrieves configuration via steganographic images on GitHub, modules on Google Drive, and communicates with operators via Telegram. The campaign demonstrates AppDomainManager injection for execution, scheduled-task persistence, and likely AI-assisted development;…
ESET researchers uncovered an Android spyware campaign called GhostChat that uses fake dating/chat profiles and romance-scam tactics to trick users in Pakistan into installing a malicious app disguised as a chat service. The app runs silent surveillance—exfiltrating images and documents—while the wider infrastructure uses ClickFix social engineering and WhatsApp QR device-linking…
SecurityWeek’s Cyber Insights 2026 aggregates dozens of expert perspectives that frame zero trust as an ongoing, identity-first journey complicated by AI, non-human identities, OT/IT convergence, and legacy perimeters. Experts emphasize continuous verification, microsegmentation, and measured incremental progress—while warning that AI, regulation, and insurance will both accelerate adoption and introduce new risks…
Russian and Chinese state-backed groups and financially motivated actors have been exploiting CVE-2025-8088 in WinRAR to drop malware into Windows Startup folders using a path traversal vulnerability combined with Alternate Data Streams. The flaw remained widely abused months after RARLAB released WinRAR 7.13, with actors like UNC4895 (RomCom), APT44 (FROZENBARENTS), Turla,…
Google dismantled a global IPIDEA residential proxy network that had covertly enrolled millions of consumer devices as proxy exit nodes, seizing domains and coordinating with providers and law enforcement to disrupt the infrastructure. The network enabled large-scale espionage and cybercrime through SDKs embedded in benign apps and a two-tier command-and-control system…
A wave of cyberattacks hit Bumble, Panera Bread, Match Group, and CrunchBase, with companies reporting limited data exposure and some contractor account compromises. The hacking group ShinyHunters has claimed responsibility and reportedly used vishing and extortion techniques while law enforcement and investigators continue to examine the incidents. #ShinyHunters #Bumble…