#mfa

hackmac (hackmac)
2026-02-03

"Change Your Password Day" needs an update! The BSI makes it clear: a routine password change does not automatically increase security; on the contrary, it often leads to weak and predictable passwords. What really protects you:
• Strong, unique passwords, one for each account.
• A password manager
• MFA
• Passkeys

2026-02-03

🔎 ShinyHunters abuses MFA trust ShinyHunters is using social engineering and MFA fatigue to trick employees into approving login requests, bypass multi-factor authentication, and steal data from targeted organizations. #ransomNews #MFA #ShinyHunters

2026-02-03

ShinyHunters is bypassing MFA with sharp social engineering — when humans are tricked, strong auth can still fall. Identity defense must cover people, not just tech. 🎭🔐 #MFA #SocialEngineering

helpnetsecurity.com/2026/02/02

Thomas Byern (thomas_byern@c.im)
2026-02-03

Security keeps getting framed as "add more MFA." That is necessary, but incomplete.

What actually breaks people is recovery. Device verification. Authenticator lock-in. The moment your phone is missing and you discover that your "secure" setup assumed permanent smartphone availability.

A secure system that you cannot operate under stress is not secure.
It is fragile, and fragility creates shortcuts.

#Security #MFA #Identity #Resilience #TechReality #SystemsThinking #ByernNotes

2026-02-02

Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data from various platforms. They employ aggressive extortion tactics, including harassment and DDoS attacks. The activity involves multiple threat clusters (UNC6661, UNC6671, UNC6240) and targets a growing number of cloud platforms. The attackers leverage social engineering to bypass MFA and use tools like ToogleBox Recall to cover their tracks. This activity highlights the effectiveness of social engineering and the importance of phishing-resistant MFA methods.

Pulse ID: 697dc01e979a31197f296e38
Pulse Link: otx.alienvault.com/pulse/697dc
Pulse Author: AlienVault
Created: 2026-01-31 08:41:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CyberSecurity #DDoS #DataTheft #DoS #Extortion #ICS #InfoSec #MFA #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #bot #AlienVault

2026-02-02

⚠️ Mandiant: vishing steals MFA to breach SaaS #ShinyHunters-style crews impersonate IT, harvest SSO+MFA, enroll their own devices, loot SaaS, then extort. #ransomNews #Vishing #MFA

Prof. Dr. Dennis-Kenji Kipker (kenji@chaos.social)
2026-02-01

Today is "Change Your #Password Day"! But which measures are actually effective at protecting online accounts from unauthorized access? To answer this question, I put together my recommendations for consumers for ProSiebenSat.1 this morning:

What matters is not so much changing your password regularly, but above all combining a strong password with #MFA, storing it securely, and using an individual password for each service.

2026-01-31

It's been a busy 24 hours in the cyber world with significant updates on actively exploited zero-days, nation-state attacks on critical infrastructure, sophisticated vishing campaigns, and the evolving threat landscape of AI. Let's dive in:

Ivanti EPMM Zero-Days Under Active Exploitation ⚠️

- Ivanti has patched two critical zero-day vulnerabilities (CVE-2026-1281, CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) product, both rated CVSS 9.8 for unauthenticated remote code execution (RCE).
- These flaws are actively being exploited in a limited number of customer environments, allowing threat actors to gain administrative access, move laterally, and potentially access sensitive data like phone numbers and GPS locations.
- While specific IOCs are scarce, defenders should scrutinise Apache access logs for unusual GET requests with bash commands in In-House Application Distribution and Android File Transfer Configuration features, and look for unexpected web shells or WAR/JAR files. If compromised, a full restore from backup or migration to a new EPMM instance is recommended.

🕵🏼 The Register | go.theregister.com/feed/www.th

Coordinated Cyber Attacks on Polish Critical Infrastructure 🚨

- CERT Polska has detailed coordinated destructive cyber attacks on over 30 wind and solar farms, a manufacturing company, and a combined heat and power (CHP) plant in Poland on December 29, 2025.
- The attacks, attributed to Russia's FSB-linked Static Tundra (aka Berserk Bear, Ghost Blizzard), involved reconnaissance, firmware damage, file deletion, and deployment of custom wiper malware like DynoWiper and LazyWiper.
- Initial access was gained via vulnerable Fortinet perimeter devices and statically defined accounts lacking two-factor authentication, with attackers also exfiltrating data related to OT network modernisation and SCADA systems from M365 services.

📰 The Hacker News | thehackernews.com/2026/01/pola

ShinyHunters-Style Vishing Bypasses MFA for SaaS Data Theft 🔒

- Mandiant has observed an expansion of financially motivated ShinyHunters-style (UNC6240) activity, tracked as UNC6661 and UNC6671, using advanced vishing and fake credential harvesting sites.
- These groups impersonate IT staff to trick employees into providing SSO credentials and MFA codes, then register their own devices for MFA to access cloud SaaS platforms, exfiltrate sensitive data, and extort victims.
- Organisations should enhance help desk verification processes, enforce strong passwords, remove SMS/phone/email as MFA options, restrict management access, and implement robust logging and detection for MFA lifecycle changes and SaaS export behaviours, moving towards phishing-resistant MFA like FIDO2.

📰 The Hacker News | thehackernews.com/2026/01/mand

Iran-Linked RedKitten Uses AI for Human Rights NGO Targeting 🐱

- A Farsi-speaking threat actor, RedKitten, linked to Iranian state interests, is targeting human rights NGOs and activists, likely leveraging large language models (LLMs) for tooling development.
- The campaign uses macro-laced Excel documents (fabricated protestor death details) in 7-Zip archives as lures, dropping a C#-based SloppyMIO implant via AppDomainManager injection.
- SloppyMIO uses GitHub as a dead drop resolver for Google Drive URLs, steganographically retrieving configuration for its Telegram Bot API-based command-and-control, enabling command execution, file exfiltration, and persistence.

📰 The Hacker News | thehackernews.com/2026/01/iran

Agentic AI: The Next Big Attack Surface 🤖

- A Dark Reading poll indicates that agentic AI is widely expected to become the top attack vector by the end of 2026, due to the expanded attack surface from agents' high access and autonomy, especially with insecure code and "shadow AI."
- Experts highlight that the primary vulnerability lies in what compromised AI agents can access, stressing that authentication and access control, rather than AI safety features, are the critical battleground for securing autonomous systems.
- Deepfakes are also rising as a major social engineering vector for high-value targets, while the adoption of phishing-resistant passkeys is lagging, leaving organisations vulnerable as agentic systems proliferate.

🕶️ Dark Reading | darkreading.com/threat-intelli

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #Ivanti #NationState #APT #CriticalInfrastructure #Poland #Russia #Wiper #ShinyHunters #Vishing #MFA #SaaS #Extortion #Iran #RedKitten #LLM #AI #Deepfakes #ThreatLandscape #InfoSec #CyberAttack #Malware #IncidentResponse

2026-01-31

Mandiant reports expanded vishing-led identity compromise targeting SaaS platforms, involving IT impersonation, MFA enrollment abuse, and post-access extortion.

No vendor vulnerability identified - reinforces the need for phishing-resistant MFA, stronger help desk verification, and improved identity telemetry.

What detection signals have proven most reliable for MFA abuse in cloud environments?

Source: thehackernews.com/2026/01/mand

Follow @technadu for threat research coverage.

#ThreatIntel #IdentitySecurity #MFA #SaaSRisk #SocialEngineering #TechNadu

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
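The detection question above, answered with an added example that is not from any post or vendor on this page: two rules in Python run over constructed identity-provider audit events, one flagging an MFA push approved only after repeated rejections (the MFA-fatigue pattern named earlier in this feed), the other flagging a new MFA factor enrolled from an unfamiliar IP shortly after a help-desk password reset (the enrollment abuse the Mandiant write-up describes). The event names and fields are assumptions; real IdP logs use their own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit events (invented sample data, not from
# any real tenant). The action names "mfa_push", "mfa_factor_enroll" and
# "helpdesk_password_reset" are assumptions; map them to your IdP's own names.
EVENTS = [
    {"ts": "2026-01-30T09:00:00", "user": "alice", "action": "login", "outcome": "success", "ip": "203.0.113.10"},
    {"ts": "2026-01-30T09:01:00", "user": "bob", "action": "login", "outcome": "success", "ip": "203.0.113.11"},
    {"ts": "2026-01-30T10:00:00", "user": "alice", "action": "mfa_factor_enroll", "outcome": "success", "ip": "203.0.113.10"},
    {"ts": "2026-01-30T13:40:00", "user": "bob", "action": "helpdesk_password_reset", "outcome": "success", "ip": "203.0.113.50"},
    {"ts": "2026-01-30T13:47:00", "user": "bob", "action": "mfa_factor_enroll", "outcome": "success", "ip": "198.51.100.7"},
    {"ts": "2026-01-30T22:10:00", "user": "alice", "action": "mfa_push", "outcome": "denied", "ip": "198.51.100.9"},
    {"ts": "2026-01-30T22:12:00", "user": "alice", "action": "mfa_push", "outcome": "timeout", "ip": "198.51.100.9"},
    {"ts": "2026-01-30T22:14:00", "user": "alice", "action": "mfa_push", "outcome": "denied", "ip": "198.51.100.9"},
    {"ts": "2026-01-30T22:16:00", "user": "alice", "action": "mfa_push", "outcome": "success", "ip": "198.51.100.9"},
    {"ts": "2026-01-30T23:00:00", "user": "bob", "action": "mfa_push", "outcome": "denied", "ip": "203.0.113.11"},
    {"ts": "2026-01-30T23:05:00", "user": "bob", "action": "mfa_push", "outcome": "success", "ip": "203.0.113.11"},
]


def parse(events):
    """Return the events sorted by time, with ts converted to datetime."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=15)):
    """Push-bombing: an approval that follows >= min_rejections denied or
    timed-out pushes for the same user inside the window."""
    alerts = []
    rejections = defaultdict(list)  # user -> timestamps of recent rejections
    for e in parse(events):
        if e["action"] != "mfa_push":
            continue
        user = e["user"]
        recent = [t for t in rejections[user] if e["ts"] - t <= window]
        if e["outcome"] in ("denied", "timeout"):
            recent.append(e["ts"])
        elif e["outcome"] == "success" and len(recent) >= min_rejections:
            alerts.append({"rule": "mfa_fatigue", "user": user,
                           "rejections": len(recent), "ts": e["ts"].isoformat()})
            recent = []  # the approval closes this burst
        rejections[user] = recent
    return alerts


def detect_suspicious_enrollment(events, window=timedelta(hours=1)):
    """Help-desk-assisted takeover: a new MFA factor enrolled shortly after a
    help-desk password reset, from an IP never seen in that user's earlier
    successful logins."""
    alerts = []
    known_ips = defaultdict(set)  # user -> IPs of earlier successful logins
    last_reset = {}               # user -> time of most recent help-desk reset
    for e in parse(events):
        user = e["user"]
        if e["action"] == "login" and e["outcome"] == "success":
            known_ips[user].add(e["ip"])
        elif e["action"] == "helpdesk_password_reset":
            last_reset[user] = e["ts"]
        elif e["action"] == "mfa_factor_enroll" and e["outcome"] == "success":
            reset = last_reset.get(user)
            if reset and e["ts"] - reset <= window and e["ip"] not in known_ips[user]:
                alerts.append({"rule": "enroll_after_reset", "user": user,
                               "ip": e["ip"], "ts": e["ts"].isoformat()})
    return alerts


def run_detections(events=EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_mfa_fatigue(events) + detect_suspicious_enrollment(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data the first rule fires for alice (three rejections before the approval) and the second for bob (enrollment from 198.51.100.7 seven minutes after the reset); bob's single denial followed by an approval stays below the threshold.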
2026-01-31

If you use Beszel's OAuth login, it is recommended to turn off MFA

After Google / GitHub authorization succeeds, Beszel detects that the account has MFA enabled and therefore asks for a verification code in the background; the OAuth login flow sometimes fails to redirect correctly to the "enter verification code" screen, leaving a black screen.

With MFA turned off and everything else left enabled, logging in via GitHub, Google, one-time password and email account works normally.
"Multi-factor authentication (MFA) requires users to complete any two different authentication methods (OTP, identity/password, OAuth2) before an authentication token is issued; the feature is still experimental and may be adjusted in the future."

#OAuth #Beszel #MFA #Google #Github

2026-01-30

Match Group confirmed a security incident involving limited user data exposure following unauthorized access via a compromised SSO account.

The company reports no evidence of credential theft, financial data exposure, or private message access. Researchers note this incident aligns with a broader trend of social-engineering-driven access rather than exploitation of technical vulnerabilities.

How are organizations hardening identity systems against vishing and phishing?

Source: bleepingcomputer.com/news/secu

Follow TechNadu for unbiased InfoSec reporting.

#InfoSec #IdentitySecurity #PhishingResistance #SSO #MFA #CyberRisk #DataProtection

Match Group breach exposes data from Hinge, Tinder, OkCupid, and Match
Headlines Africa (africa@journa.host)
2026-01-30

Morocco's Foreign Minister Nasser Bourita in Brussels for 15th EU Association Council meeting newsfeed.facilit8.network/TQfm #Morocco #EUAfricaRelations #ForeignAffairs #MFA #EUAssociationCouncil

Dawn Tåke 🌙 (Tourma@tech.lgbt)
2026-01-30

So, our library is adopting a #PasswordManager. Not only for our own stuff (though more and more of that is falling into our SSO), but also for system- or branch-wide things so we don't need them written in drawers. This will also (hopefully) end having to redo our passwords every 6 months. Between SSO and MFA, we're finally starting to modernize.

Maybe I'll be able to stop using Firefox Sync entirely!

I have my own password manager on my work computer that isn't web based for my own accounts, figuring that would be harder to get into than Firefox Sync. Still going to keep that.

They did say they'd also pay for personal accounts with the password manager company for us while we're employees. While a nice perk, the thought of having to change or pay after I quit/retire sounds like a pain in the butt, and also, I don't know if this gives them any privilege into looking at my personal logins. That's why I went away from everything in FfS.

#Libraries #TourmaLibrarian #Security #SSO #MFA #2FA

2026-01-28

Day 28: Aegis

As a complement to your password vault (see Day 6), go for Aegis, which generates your one-time passwords on your mobile phone. 🔒
GPL-3.0

#CalendrierDeLApresInfini #LibreJanuary #FOSS #Libre #Aegis #OTP #TOTP #MFA

Screenshot of the Aegis app showing the temporary passwords for 4 websites
2026-01-28

It's been a busy 24 hours in the cyber world with significant updates on active exploitation of zero-days, widespread cyberattacks from sophisticated threat actors, and important discussions around data privacy and government initiatives. Let's dive in:

Recent Cyber attacks or breaches

ShinyHunters' SSO Vishing Spree Continues ⚠️
- The ShinyHunters group is actively targeting around 100 organisations, including major players like Canva, Atlassian, Epic Games, and Panera Bread, using evolved voice-phishing (vishing) techniques to compromise Okta, Microsoft, and Google SSO credentials.
- These attacks involve real-time phishing kits that mimic legitimate login pages and MFA requests, tricking employees into providing credentials and enrolling threat actor-controlled devices into MFA solutions.
- The group has claimed data theft from SoundCloud (29.8 million accounts), Betterment, Crunchbase, Panera Bread (14 million records), CarMax (500k+), and Edmunds (millions), often followed by extortion demands.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/shinyhunters-vo

Russian Security Firm Delta Hit by Cyberattack 🚨
- Delta, a major Russian provider of alarm and security systems for homes, businesses, and vehicles, suffered a "large-scale, coordinated" cyberattack attributed to an unspecified "hostile foreign state."
- The attack caused widespread service outages, with customers reporting issues like car alarms not deactivating, vehicles locking unexpectedly, and home systems switching to emergency mode.
- While Delta denies personal data compromise, an unidentified Telegram channel claiming responsibility has published an archive of alleged stolen data, the authenticity of which is unverified.
🗞️ The Record | therecord.media/russia-delta-s

Nike Investigates 1.4TB Data Leak by WorldLeaks 👟
- Sportswear giant Nike is investigating a potential cyber incident after the WorldLeaks extortion group claimed to have leaked over 1.4 terabytes of internal company data.
- The alleged stolen data includes internal documents, archives from 2020-2026, R&D assets, product creation details (technical packs, prototypes), supply chain information, and internal business presentations.
- WorldLeaks, believed to be a rebrand of the Hunters International ransomware group, briefly listed Nike on its leak site before removing the entry, suggesting potential negotiations or payment.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/nike-probes-al
🕶️ Dark Reading | darkreading.com/cyberattacks-d

Ploutus ATM Jackpotting Ring Busted 💸
- US authorities have charged an additional 31 individuals, bringing the total to 87 members of the Venezuelan gang Tren de Aragua (TdA), for their involvement in a multi-million dollar ATM jackpotting scheme.
- The gang allegedly stole at least $5.4 million from 63 ATMs by physically accessing machines to replace hard drives or connect USBs, deploying Ploutus malware to force cash dispensing.
- TdA has been designated a Foreign Terrorist Organization by the U.S. Department of the Treasury, highlighting the increasing convergence of transnational organised crime and cyber-enabled financial fraud.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/dozens-more-ch

China-linked Hackers Accused of Years-Long UK Government Espionage 🇨🇳
- Chinese state-linked hackers, identified as Salt Typhoon, are accused of years-long access to the phones of senior Downing Street officials, potentially exposing private communications.
- The espionage focused on aides to former UK Prime Ministers and leveraged intrusions into telecommunications providers to skim metadata and communications without direct handset installation.
- This incident, discovered in 2024, underscores the persistent threat of nation-state espionage targeting critical government infrastructure and sensitive communications.
🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research on Threat Actors/Groups, Ransomware, Malware, or Techniques and Tradecraft

ClickFix Attacks Evolve with App-V and Steganography 🎣
- A new ClickFix campaign is using fake CAPTCHA prompts to trick users into executing a command that abuses the signed Microsoft App-V script, SyncAppvPublishingServer.vbs, as a living-off-the-land (LoL) binary.
- This method proxies PowerShell execution through a trusted Microsoft component, making detection harder, and delivers the Amatera infostealer, which retrieves configuration from a public Google Calendar file and uses steganography to hide payloads in PNG images.
- The campaign is highly evasive, with checks for sandbox environments and a focus on enterprise-managed systems, reflecting a broader trend of ClickFix evolution into variants like GlitchFix and ClearFake, leveraging trusted web infrastructure for malware delivery.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/01/clic

'Stanley' MaaS Guarantees Malicious Chrome Extensions 😈
- A new malware-as-a-service (MaaS) called 'Stanley' is being advertised, promising to bypass Google's review process and publish malicious phishing extensions to the Chrome Web Store.
- These extensions can overlay full-screen iframes with phishing content over legitimate webpages, silently auto-install on Chrome, Edge, and Brave, and support custom tweaks, C2 polling, and geographic targeting.
- This offering highlights the ongoing challenge of securing browser extension platforms and the commoditisation of sophisticated phishing techniques, urging users to be vigilant about extension installations and publishers.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Chinese Networks Dominate Illicit Crypto Laundering 💰
- Chinese money laundering networks processed an estimated $16.1 billion in illicit cryptocurrency in 2025, accounting for 20% of all laundered funds globally.
- These operations are highly professionalised, using Telegram groups, "guarantee" platforms for escrow protection, and offering services like "Black U" for hacking proceeds and crypto swapping.
- The continued resilience of these networks, despite crackdowns, underscores the global challenge of combating crypto-enabled financial crime and its links to transnational organised crime groups.
🗞️ The Record | therecord.media/chinese-money-

Vulnerabilities, especially any mentioning Remote Code Exploitation (RCE), Active Exploitation, or Zero-Days

Microsoft Office Zero-Day Under Active Exploitation (CVE-2026-21509) 🚨
- Microsoft has issued an emergency out-of-band patch for CVE-2026-21509, a high-severity security feature bypass zero-day in Microsoft Office that is actively being exploited in the wild.
- The flaw bypasses OLE mitigations, allowing attackers to execute arbitrary code by convincing a user to open a specially crafted Office file; the preview pane is not an attack vector.
- CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches or implement registry-based mitigations for older Office versions by February 16.
📰 The Hacker News | thehackernews.com/2026/01/micr
🕵🏼 The Register | go.theregister.com/feed/www.th

SmarterMail Servers Vulnerable to RCE via Auth Bypass (CVE-2026-23760) 🛡️
- Over 6,000 SmarterMail servers remain exposed online and are likely vulnerable to automated attacks exploiting CVE-2026-23760, a critical authentication bypass flaw.
- This vulnerability in the password reset API allows unauthenticated attackers to hijack admin accounts and achieve remote code execution (RCE) on affected servers.
- CISA has added CVE-2026-23760 to its KEV catalog, urging federal agencies to patch by February 16, as mass exploitation attempts have already been observed in the wild.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Critical Sandbox Escape in vm2 Node.js Library (CVE-2026-22709) 💻
- A critical sandbox escape vulnerability, CVE-2026-22709, has been discovered in the popular vm2 Node.js library, allowing arbitrary code execution on the host system.
- The flaw stems from improper sanitisation of Promise callbacks, enabling attackers to bypass the secure context designed to isolate untrusted JavaScript code.
- Despite the project being previously discontinued due to similar issues, vm2 remains widely used, and users are strongly advised to upgrade to version 3.10.3 immediately due to the trivial nature of exploitation.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

WinRAR Path Traversal Flaw Actively Exploited (CVE-2025-8088) 📦
- The high-severity WinRAR path traversal vulnerability, CVE-2025-8088, continues to be actively exploited by both state-sponsored and financially motivated threat actors since July 2025.
- Attackers leverage Alternate Data Streams (ADS) to conceal malicious files within decoy archives, dropping payloads like LNK, HTA, or script files into Windows Startup folders for persistence.
- Google Threat Intelligence reports observing groups like RomCom, APT44, TEMP.Armageddon, Turla, and China-linked actors using this flaw to deliver various malware, highlighting the commoditisation of such exploits.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Data Privacy

Google Settles Voice Recording Lawsuit for $68 Million 🎤
- Google has agreed to a $68 million settlement in a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared private conversations with third parties for targeted advertising.
- Plaintiffs claimed Google Assistant improperly triggered and recorded their words, leading to unwanted targeted ads, with the settlement funds to be distributed to Google device purchasers since May 2016.
- While Google settled without admitting wrongdoing, the case underscores ongoing concerns about privacy in voice-activated technologies and the use of personal data.
🗞️ The Record | therecord.media/google-settles

WhatsApp Introduces 'Strict Account Settings' for Spyware Protection 🔒
- WhatsApp is rolling out a new "Strict Account Settings" feature designed to combat sophisticated spyware attacks by allowing users to block attachments and media from non-contacts.
- This "lockdown-style" feature is specifically aimed at high-risk users like journalists and public figures, drawing parallels with similar protections offered by Apple and Google.
- The move follows WhatsApp's legal battles against NSO Group over Pegasus spyware, reinforcing the platform's commitment to user privacy and defence against advanced surveillance tools.
🤫 CyberScoop | cyberscoop.com/whatsapp-strict
🗞️ The Record | therecord.media/whatsapp-spywa

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #ActiveExploitation #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #SSO #MFA #Phishing #Vishing #PQC #DigitalSovereignty

knoppix (knoppix95)
2026-01-27

Bitwarden upgrades its Premium & Families plans with new tools for proactive security 🛡️
Vault health alerts flag weak or exposed passwords 🔍
Password coaching & more 2FA key options enhance protection 🔑

Prices rise slightly, but free plan remains unchanged 🌐

@bitwarden

🔗 bitwarden.com/blog/bitwarden-l

CyberNetsecIO (netsecio)
2026-01-26

📰 'SilentVoice' Phishing Campaign Weaponizes AI Deepfake Audio to Bypass MFA

New 'SilentVoice' phishing campaign uses AI deepfake audio of executives to trick employees into approving MFA prompts. This vishing attack bypasses common MFA methods, leading to account takeover. 🤖

🔗 cyber.netsecops.io/articles/si

2026-01-26

Hello Mastodon friends,

I received a message from monidenum.fr informing me that multi-factor authentication is being rolled out. They recommend using Microsoft Authenticator or Google Authenticator (!)

So I wrote to them, and while searching I realized that FreeOTP (which I use) is also based in the USA.

Do you know of any reliable European alternatives?

#MFA #2FA

Joris (DWizzy), Joris@hostux.social
2026-01-26

It's 2026, I'm using fourth-generation mobile phone technology, which still can't receive SMS during a phone call (at least with #Odido).
Though my real gripe is using SMS for #MFA.

Jesus Margar (jesusmargar)
2026-01-26

2FA/MFA are micro-aggressions to those with ADHD.

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst