Fortinet confirmed an actively exploited critical FortiCloud single sign-on (SSO) authentication bypass tracked as CVE-2026-24858 and mitigated attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware. Attackers abused FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices—creating rogue local admin accounts from accounts such as [email protected] and exfiltrating firewall configurations—while Fortinet disabled abusive FortiCloud accounts, globally restricted SSO, and is developing patches. #FortiCloud #FortiGate
New Chainalysis research finds Chinese-language money laundering networks processed roughly 20% of illicit cryptocurrency in 2025, averaging $44 million laundered per day (about $16.1 billion) and contributing to an estimated $82 billion laundered on-chain last year. These professionalized operations advertise on Telegram, use “guarantee” marketplaces, money mules, swapping and “Black U”…
Proofpoint tracked state-sponsored and financially motivated clusters using SquarePhish2 and Graphish to bypass the OAuth device code authorization process and gain access to victims’ Microsoft 365 accounts, leading to account takeover and data exfiltration. Researchers collated and analyzed 46 IoCs (21 subdomains including four variations, 22 domains, one IP, and two email addresses) and uncovered additional connected artifacts such as 91 email-connected domains and 23 more IPs. #SquarePhish2 #Graphish
Zscaler ThreatLabz analyzed the Sheet Attack campaign and identified three new backdoors—SHEETCREEP, FIREPOWER, and MAILCREEP—that abuse Google Sheets, Firebase, and Microsoft Graph API for C2 while using PDF and LNK lures to target Indian government entities. The report also documents signs of generative AI use in malware development and assesses with medium confidence a Pakistan-linked origin or connection to APT36. #SHEETCREEP #APT36
North Korea–aligned cyber spies are abusing Visual Studio Code tunnels to hide command-and-control traffic and maintain prolonged access to South Korean systems. The campaign uses spear-phishing JSE scripts disguised as Hangul documents that impersonate the Ministry of Personnel Management and coordinates via a compromised site (yespp[.]co[.]kr). #DPRK #VisualStudioCode…
Koi disclosed six “PackageGate” vulnerabilities in NPM, PNPM, VLT, and Bun that can bypass supply-chain protections and enable remote code execution via malicious dependencies. PNPM, VLT, and Bun have issued fixes while NPM/GitHub considers some behavior intentional, even as Koi warns threat actors are discussing PoC abuse of malicious .npmrc files….
Many major organizations appear to have been targeted in an Okta SSO vishing campaign tied to ShinyHunters that involved fake domains and leaked data listings. Security firms warn attackers used real-time client-side phishing kits to intercept credentials and bypass MFA, urging adoption of phishing-resistant methods like FIDO2 and tighter app and…
CloudSEK identified interconnected phishing campaigns impersonating Canadian government bodies and national brands (traffic-ticket portals, CRA, Canada Post, Air Canada) to harvest PII and financial data using SMS lures, typosquatted domains, and fake payment gateways. The activity aligns with the PayTool ecosystem and is being commoditized on underground forums by a seller advertising specialized phishing kits. #PayTool #theghostorder01
Socket’s Threat Research Team found that the Chrome extension “Amazon Ads Blocker” hides sponsored listings as advertised but secretly injects and replaces affiliate tags with the developer’s tag (10xprofit-20) on every Amazon product link. The extension’s Chrome Web Store disclosure is misleading and violates Google’s June 2025 affiliate policy by performing automatic, non-consensual tag replacement without providing direct user benefit or required user action. #AmazonAdsBlocker #10xprofit-20
Security research found multiple malicious or deceptive Chrome extensions that collectively reach over 100,000 users and perform undisclosed actions such as clipboard access, cookie exfiltration, command-and-control communication with a DGA fallback, search hijacking, ad injection, and an exploitable XSS vulnerability. Users are advised to uninstall affected extensions and the report highlights specific offenders like Good Tab and Children Protection for immediate action. #GoodTab #ChildrenProtection
Threat actor tengu claims to have compromised KSP TLM Indonesia, a large cooperative savings and loan association in Indonesia that focuses on empowering the community economy—especially small and medium-sized female entrepreneurs. The claim frames this as ransomware activity against the victim in Indonesia. #Indonesia
Darktrace analysts identified a DPRK-aligned campaign targeting users in South Korea that delivered a JSE script disguised as a Hangul (HWPX) document to deploy a Visual Studio Code tunnel for prolonged remote access. The attacker downloaded legitimate VS Code binaries, launched a tunnel named “bizeugene”, authorized it via a GitHub device code, and exfiltrated the tunnel token to a compromised South Korean site. #VSCodeTunnel #DPRK
SecurityWeek’s Cyber Insights 2026 gathers expert views warning that powerful quantum computers threaten current public-key encryption and that AI could accelerate quantum development and automate its use. The report urges urgent migration to post-quantum cryptography and preparation for a potential convergence of quantum computing and AGI that could enable fast, autonomous…
The ransomware claim alleges that the threat actor ‘pear’ compromised MMD Insurance Law Advocates in the United States, targeting the firm that represents homeowners, business owners, and condominium associations in insurance disputes. The incident is described as impacting clients nationwide and highlighting ransomware risks facing US-based insurance defense practices. #UnitedStates
Researchers at SEC Consult discovered more than 20 vulnerabilities in Dormakaba’s Exos central management software and related access hardware that could have allowed attackers to remotely open doors and obtain access PINs. Dormakaba has issued patches and hardening guidance while working with affected customers, though SEC Consult found a few dozen…