Google has confirmed that a corporate Salesforce database it used to manage small and medium business (SMB) contacts was compromised by a known cybercriminal group. The attackers, identified as ShinyHunters and tracked internally by Google as UNC6040, gained unauthorized access to the database in June 2025. In a blog post released Tuesday by Google’s Threat Intelligence Group (GTIG), the company stated that attackers were able to retrieve “basic and largely publicly available business information, such as business names and contact details,” before the breach was contained. The data was stored within one of Google’s internal Salesforce instances used for managing SMB engagement.

Attack Method: Voice Phishing and Data Loader Abuse

The breach did not stem from a technical vulnerability in the Salesforce platform but was enabled by voice phishing (vishing) tactics. The attackers impersonated IT personnel and called employees, persuading them to authorize a malicious connected application in their organization’s Salesforce environment. The malicious app, often a modified version of Salesforce’s official Data Loader tool, allowed the attackers to exfiltrate data. In several cases, the attackers disguised the application under misleading names like “My Ticket Portal” to align with the vishing pretext.

Once access was granted, the attackers used custom Python scripts, replacing earlier reliance on the official Data Loader, to automate the data collection process. These scripts mimicked legitimate Salesforce data tools and operated through TOR or VPN services such as Mullvad, making attribution more difficult.

UNC6040 and the Emergence of UNC6240

GTIG identified the actors behind this campaign as UNC6040, a financially motivated group focused on compromising Salesforce environments through social engineering. After the initial data theft, another threat cluster, UNC6240, has been observed initiating extortion attempts targeting affected organizations. These extortion efforts typically begin weeks or months after the original breach. Emails and calls from UNC6240 demand Bitcoin payments within 72 hours and threaten public disclosure of stolen data. These messages often claim affiliation with ShinyHunters, a name already linked to multiple high-profile data breaches over the past few years.

GTIG listed known extortion email addresses used by the group:
shinycorp@tuta[.]com
shinygroup@tuta[.]com

Additionally, evidence suggests the attackers are preparing a data leak site (DLS) to publish stolen information, a tactic commonly used by ransomware groups to pressure victims into paying.

Infrastructure and Tactics

The attackers used infrastructure that included phishing panels designed to mimic Okta login pages, which were used during the vishing calls. These panels targeted users' credentials and multi-factor authentication (MFA) codes in real time. There was also evidence of the attackers using compromised third-party accounts, not trial Salesforce accounts, to register their malicious applications, indicating an evolution in tactics and a higher level of operational security.

GTIG noted that the group appears to prioritize English-speaking employees at multinational companies and often targets IT staff, leveraging their elevated access levels. In some cases, only partial data was extracted before detection. One actor retrieved only about 10% of the targeted records using small data chunks, while in other incidents, the attackers increased extraction volumes after conducting test queries.

Conclusion

This breach highlights a growing trend of attacks on cloud-based Salesforce systems, with threat groups such as ShinyHunters employing voice-based social engineering and delayed extortion tactics. GTIG has observed links between these actors and broader collectives like The Com, known for phishing and hacking. The abuse of Salesforce integrations, particularly connected apps and OAuth tokens, demonstrates that technical defenses are insufficient without user vigilance. Organizations should tighten access controls, enhance MFA, and train staff to resist social engineering, while preparing for long-term risks even after initial breaches appear limited.
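The signals GTIG describes (consent to an oddly named connected app, bulk export soon after, a small test query followed by a large pull, and egress via Tor or a VPN) can be turned into a detection over the Salesforce audit trail. The sketch below is an added example, not Google's or Salesforce's code; the event field names and the approved-app list are assumptions and the events are constructed.

```python
"""Detection sketch for the connected-app abuse pattern described above.

Added example, not Google's or Salesforce's code. It runs over a constructed,
Salesforce-style audit trail (the field names are assumptions, not the real
Salesforce schema) and flags four signals taken from the article:
  1. user consent to a connected app that is not on the approved list
     ("My Ticket Portal" is the article's example of a misleading name);
  2. bulk export by an unapproved app shortly after it was authorised;
  3. the "test query, then ramp up" extraction profile;
  4. export traffic arriving from anonymising egress (Tor or a commercial VPN).
"""
from datetime import datetime, timedelta

APPROVED_APPS = {"Data Loader (corp-signed)", "Marketing Sync"}  # assumed allowlist
NEW_APP_WINDOW = timedelta(hours=24)
RAMP_FACTOR = 10          # a batch this many times the first batch counts as a ramp
ANONYMIZING_EGRESS = {"tor", "vpn"}

# Constructed sample events, not real logs. kind is "consent" or "export".
EVENTS = [
    {"ts": "2025-06-02T09:00:00", "user": "alice", "kind": "consent", "app": "Marketing Sync"},
    {"ts": "2025-06-02T09:05:00", "user": "alice", "kind": "export", "app": "Marketing Sync",
     "rows": 2000, "egress": "corporate"},
    {"ts": "2025-06-10T14:12:00", "user": "bob", "kind": "consent", "app": "My Ticket Portal"},
    {"ts": "2025-06-10T14:20:00", "user": "bob", "kind": "export", "app": "My Ticket Portal",
     "rows": 50, "egress": "corporate"},
    {"ts": "2025-06-10T14:25:00", "user": "bob", "kind": "export", "app": "My Ticket Portal",
     "rows": 200, "egress": "corporate"},
    {"ts": "2025-06-10T15:40:00", "user": "bob", "kind": "export", "app": "My Ticket Portal",
     "rows": 40000, "egress": "vpn"},
]


def analyse(events, approved=APPROVED_APPS):
    """Return unique (signal, user, app) findings in the order they first fire."""
    findings, seen = [], set()
    consented_at = {}        # (user, app) -> time of first consent
    first_batch = {}         # (user, app) -> row count of the first export

    def flag(signal, ev):
        key = (signal, ev["user"], ev["app"])
        if key not in seen:          # report each signal once per user/app pair
            seen.add(key)
            findings.append(key)

    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        key = (ev["user"], ev["app"])
        when = datetime.fromisoformat(ev["ts"])
        unapproved = ev["app"] not in approved
        if ev["kind"] == "consent":
            consented_at.setdefault(key, when)
            if unapproved:
                flag("unapproved_app_consent", ev)
        elif ev["kind"] == "export":
            first = consented_at.get(key)
            if unapproved and first is not None and when - first <= NEW_APP_WINDOW:
                flag("export_by_newly_consented_app", ev)
            base = first_batch.setdefault(key, ev["rows"])
            if base > 0 and ev["rows"] >= RAMP_FACTOR * base:
                flag("extraction_ramp", ev)
            if ev.get("egress") in ANONYMIZING_EGRESS:
                flag("export_via_anonymizing_egress", ev)
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

In the constructed data only bob's "My Ticket Portal" session trips the rules; alice's approved app with a single export is left alone.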
Organizations using Exchange hybrid deployments should prepare for new changes taking effect over the next few months. Microsoft has announced that beginning in August 2025, it will temporarily block Exchange Web Services (EWS) traffic that uses the Exchange Online shared service principal in certain hybrid environments.

The change primarily impacts organizations using "rich coexistence" features such as free/busy calendar lookups, MailTips, and profile picture sharing between on-premises Exchange Server and Exchange Online mailboxes. These features rely on EWS and have traditionally functioned through the shared service principal in Exchange Online. However, Microsoft will permanently disable this method starting October 31, 2025. In preparation, temporary disruptions will occur throughout August, September, and October 2025 to prompt customers to make the necessary updates. These blocks are designed to ensure that affected organizations don’t overlook the October deadline.

The company stresses the security benefits of this shift. Moving away from the shared service principal reduces exposure to known risks, including CVE-2025-53786, a post-exploitation vulnerability that highlights the need for stronger authentication controls.

Who Will Be Affected by Exchange Web Services (EWS) Discontinuation?

Not all hybrid Exchange environments will be impacted by these disruptions. Only organizations meeting all of the following criteria will experience feature breaks during the temporary blocks:
Mailboxes are hosted both in Exchange on-premises and Exchange Online.
Rich coexistence features (free/busy, MailTips, profile pictures) are in use between on-prem and cloud users.
On-premises Exchange servers are not updated to a version that supports the dedicated hybrid app.
The dedicated Exchange hybrid app has not been created or properly enabled.

Organizations meeting these conditions should act immediately to avoid functionality loss. Microsoft has also issued Message Center notification MC1085578 to affected tenants.

What Will Break and When?

The impact is limited but specific. During blocked periods, on-premises mailboxes will be unable to access rich coexistence features for Exchange Online mailboxes. These include:
Free/busy calendar lookups
MailTips
Profile picture sharing

It’s important to note that these disruptions are one-way only: they affect on-premises users accessing cloud data, not vice versa. All other hybrid features will continue to work. Support teams will not grant exceptions for these blocks. Organizations needing assistance should consult the documentation or reach out to Microsoft support.

What Organizations Need to Do

For organizations using rich coexistence features, Microsoft recommends two primary actions:
Update Exchange Server to a version that supports the dedicated hybrid app.
Create and enable the dedicated Exchange hybrid application using the new Hybrid Configuration Wizard (HCW) or a provided configuration script.

Supported minimum Exchange versions include:
Exchange Server 2016 CU23 – Version 15.1.2507.55 or newer (April 2025 HU)
Exchange Server 2019 CU14 – Version 15.2.1544.25 or newer (April 2025 HU)
Exchange Server 2019 CU15 – Version 15.2.1748.24 or newer
Exchange Subscription Edition (SE) – Version 15.2.2562.17 or newer

The updated Hybrid Configuration Wizard simplifies the setup of the dedicated app. When selected during the HCW process (Classic Full, Modern Full, or Choose Exchange Hybrid Configuration), the wizard:
Registers a new application in Entra ID with a unique identifier.
Adds EWS permissions (to be replaced with Microsoft Graph permissions in the future).
Uploads current and future authentication certificates.
Removes expired certificates.
Requests tenant-wide admin consent.

However, HCW does not automatically enable the dedicated app within the on-premises Exchange environment. A separate Setting Override must be created to fully activate the feature. Instructions are available in the Deploy dedicated Exchange hybrid app documentation.

Conclusion

Even for organizations not using rich coexistence features, it's important to perform a security cleanup. Running the Exchange Hybrid Configuration Wizard or configuring OAuth may have left custom certificates on the shared service principal, which should be removed using the provided script in Service Principal Clean-Up Mode. This process can be carried out from any Windows machine and does not require a specific Exchange version or server.

As Microsoft moves toward permanently blocking Exchange Web Services (EWS) traffic via the shared service principal after October 31, 2025, transitioning to the dedicated Exchange hybrid app is a critical step in securing hybrid Exchange deployments. Administrators should act now to ensure their environments are fully updated and aligned with the latest guidance, using the updated Hybrid Configuration Wizard and official documentation to avoid any disruption.
Today's cyberattackers are masters of disguise — working hard to make their malicious activities look like normal processes. They use legitimate tools, communicate with command-and-control servers through public services, and mask the launch of malicious code as regular user actions. This kind of activity is almost invisible to traditional security solutions; however, certain anomalies can be uncovered by analyzing the behavior of specific users, service accounts, or other entities. This is the core concept behind a threat detection method called UEBA, short for user and entity behavior analytics. And this is exactly what we've implemented in the latest version of our SIEM system — Kaspersky Unified Monitoring and Analysis Platform.

How UEBA works within an SIEM system

By definition, UEBA is a cybersecurity technology that identifies threats by analyzing the behavior of users, devices, applications, and other objects in an information system. While in principle this technology can be used with any security solution, we believe it's most effective when integrated in an SIEM platform. By using machine learning to establish a normal baseline for a user's or object's behavior (whether it's a computer, service, or another entity), an SIEM system equipped with UEBA detection rules can analyze deviations from typical behavior. This allows for the timely detection of APTs, targeted attacks, and insider threats.

This is why we've equipped our SIEM system with a UEBA rule package — designed specifically to detect anomalies in authentication processes, network activity, and the execution of processes on Windows-based workstations and servers. This makes our system smarter at finding novel attacks that are difficult to spot with regular correlation rules, signatures, or indicators of compromise.

Every rule in the UEBA package is based on profiling the behavior of users and objects. The rules fall into two main categories:
Statistical rules, which use the interquartile range to identify anomalies based on current behavior data.
Rules that detect deviations from normal behavior, which is determined by analyzing an account's or object's past activity.

When a deviation from a historical norm or statistical expectation is found, the system generates an alert and increases the risk score of the relevant object (user or host). (Read this article to learn more about how our SIEM solution uses AI for risk scoring.)

Structure of the UEBA rule package

For this rule package, we focused on the areas where UEBA technology works best — such as account protection, network activity monitoring, and secure authentication. Our UEBA rule package currently features the following sections:

Authentication and permission control. These rules detect unusual login methods, sudden spikes in authentication errors, accounts being added to local groups on different computers, and authentication attempts outside normal business hours. Each of these deviations is flagged and increases the user's risk score.

DNS profiling. Dedicated to analysis of DNS queries made by computers on the corporate network. The rules in this section collect historical data to identify anomalies like queries for unknown record types, excessively long domain names, unusual zones, or atypical query frequencies. It also monitors the volume of data returned via DNS. Any such deviations are considered potential threats, and thus increase the host's risk score.

Network activity profiling. Tracking connections between computers both within the network and to external resources. These rules flag first-time connections to new ports, contacts with previously unknown hosts, unusual volumes of outgoing traffic, and access to management services. All actions that deviate from normal behavior generate alerts and raise the risk score.

Process profiling. This section monitors programs launched from Windows system folders. If a new executable runs for the first time from the System32 or SysWOW64 directories on a specific computer, it's flagged as an anomaly. This raises the risk score for the user who initiated the process.

PowerShell profiling. This section tracks the source of PowerShell script executions. If a script runs for the first time from a non-standard directory — one that isn't Program Files, Windows, or another common location — the action is marked as suspicious and increases the user's risk score.

VPN monitoring. This flags a variety of events as risky — including logins from countries not previously associated with the user's profile, geographically impossible travel, unusual traffic volumes over a VPN, VPN client changes, and multiple failed login attempts. Each of these events results in a higher risk score for the user's account.

Using these UEBA rules helps us detect sophisticated attacks and reduce false positives by analyzing behavioral context. This significantly improves the accuracy of our analysis and lowers the workload of security analysts. Using UEBA and AI to assign a risk score to an object speeds up and improves each analyst's response time by allowing them to prioritize incidents more accurately. Combined with the automatic creation of typical behavioral baselines, this significantly boosts the overall efficiency of security teams. It frees them from routine tasks, and provides richer, more accurate behavioral context for threat detection and response.

We're constantly improving the usability of our SIEM system. Stay tuned for updates to the Kaspersky Unified Monitoring and Analysis Platform on its official product page.
As autonomous vehicles continue to evolve, this research highlights the importance of rigorous security testing to protect against both intentional attacks and unintentional unsafe commands in teleoperation systems.
Security startups of all stripes submitted applications for Black Hat USA's Startup Spotlight. Prime Security won with its AI security architect platform.
In 2024, it was Snowflake. In 2025, it's Salesforce. ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas.
While no sensitive financial data like credit card information was compromised, the threat actors were able to get away with names, email addresses, phone numbers, and more.
Citizen Lab director and founder Ron Deibert explained how civil society is locked in a "vicious cycle," and human rights are being abused as a result, covering Israeli spyware, the Khashoggi killing, and an erosion of democratic norms in the US.
With informed decision-making, organizations can strengthen their overall resilience and maintain the agility needed to adapt to emerging threats, without sacrificing innovation or productivity.
A software developer discovered a way to abuse an undocumented protocol in Amazon's Elastic Container Service to escalate privileges, cross boundaries and gain access to other cloud resources.
Organizations with on-premises Microsoft Exchange servers are being urged to take steps to reduce exposure to a vulnerability recently reported by a researcher.
The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.
Python is everywhere in modern software. From machine learning models to production microservices, chances are your code—and your business—depends on Python packages you didn’t write. But in 2025, that trust comes with a serious risk. Every few weeks, we’re seeing fresh headlines about malicious packages uploaded to the Python Package Index (PyPI)—many going undetected until after they’ve caused
Cybersecurity researchers have discovered a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems. "At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory," Socket security
Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden: Secure AI embedded in every part of the business. Use AI to defend faster and smarter. Fight AI-powered threats that execute in minutes—or seconds. Security
Microsoft has released an advisory for a high-severity security flaw affecting on-premise versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions. The vulnerability, tracked as CVE-2025-53786, carries a CVSS score of 8.0. Dirk-jan Mollema with Outsider Security has been acknowledged for reporting the bug. "In an Exchange hybrid deployment, an
Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks. "The attack results in pre-authentication remote code execution on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view
SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said. "Instead, there is a significant correlation with threat activity related to CVE-2024-40766."
The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. "The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations," Silent Push
Source: thehackernews.com. Cybersecurity researchers have demonstrated an “end-to-end privilege escalation chain” in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment. The attack technique has been codenamed ECScape by Sweet Security researcher Naor Haziz, who […] Full entry: Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft (first published on CISO2CISO.COM & CYBER SECURITY GROUP).
Source: thehackernews.com. The malicious ad tech purveyor known as VexTrio Viper has been observed developing several malicious apps that have been published on Apple and Google’s official app storefronts under the guise of seemingly useful applications. These apps masquerade as VPNs, device “monitoring” apps, RAM cleaners, dating services, and spam blockers, DNS […] Full entry: Fake VPN and Spam Blocker Apps Tied to VexTrio Used in Ad Fraud, Subscription Scams.
Source: socprime.com – Author: Veronika Telychko. The UAC-0099 hacking collective, active in cyber-espionage campaigns against Ukraine since mid-2022, has reemerged in the cyber threat arena. The CERT-UA team has recently investigated a series of cyber-attacks linked to the UAC-0099 group targeting government authorities, defense forces, and enterprises within Ukraine’s defense industry sector, leveraging the MATCHBOIL […] Full entry: UAC-0099 Attack Detection: Hackers Target Government and Defense Agencies in Ukraine Using MATCHBOIL, MATCHWOK, and DRAGSTARE Malware.
Source: securityboulevard.com – Author: Alan Shimel. From the floor at #BlackHat2025: Cybersecurity has the blinking lights, but this year it also has blood in the water, writes Alan. The post Has Cyber Been Infected With the Economic Malaise? appeared first on Security Boulevard. Original Post URL: https://securityboulevard.com/2025/08/has-cyber-been-infected-with-the-economic-malaise/?utm_source=rss&utm_medium=rss&utm_campaign=has-cyber-been-infected-with-the-economic-malaise […] Full entry: Has Cyber Been Infected With the Economic Malaise?
Source: securityboulevard.com – Author: cybernewswire. Austin, TX, Aug. 6, 2025, CyberNewswire: SpyCloud, the leader in identity threat protection, today announced a significant enhancement to its SaaS Investigations solution: the integration of advanced AI-powered insights that mirror the tradecraft of SpyCloud’s seasoned investigators. Building on … […] Full entry: News alert: SpyCloud’s AI-powered platform mimics veteran analysts, speeds threat detection.
Source: securityboulevard.com – Author: Gary Warner. Project Red Hook is a Homeland Security Investigations operation examining how Chinese Organized Crime is committing wholesale Gift Card Fraud by using Chinese illegal immigrants to steal gift cards, reveal their PIN, reseal the cards, and return them to store racks. When the card is later purchased and activated, […] Full entry: Project Red Hook: Chinese Gift Card Fraud at Scale.
Source: securityboulevard.com – Author: Michael Vizard. Palo Alto Networks this week revealed it is providing early access to an application security posture management (ASPM) module for its Cortex security platform as part of a larger effort to streamline cybersecurity workflows. The Cortex Cloud combines a cloud native application protection platform (CNAPP) and a set of […] Full entry: Palo Alto Networks Previews ASPM Module for Cortex Cloud Platform.
Source: securityboulevard.com – Author: Michael Vizard. This week at the Black Hat USA 2025 conference, Contrast Security added integrations with GitHub Copilot and the security information and event management (SIEM) platform from Sumo Logic to the Northstar edition of its application detection and response (ADR) platform. The ADR platform from Contrast Security maps live attack paths […] Full entry: Contrast Security Adds GitHub Copilot and Sumo Logic Integrations to ADR Platform.
Source: krebsonsecurity.com – Author: BrianKrebs. On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens […] Full entry: Who Got Arrested in the Raid on the XSS Crime Forum?
Source: www.csoonline.com. Guardrails just aren’t enough to lower risk for today’s AI systems, Black Hat attendees told. Many CSOs worry about their firm’s AI agents spitting out advice to users on how to build a bomb, or citing non-existent legal decisions. But those are the least of their worries, said a security expert […] Full entry: Beef up AI security with zero trust principles.
Source: www.csoonline.com. A career in cybersecurity promises a high salary and a relatively secure job. However, it also brings an enormous workload. A lot of money is no protection against burnout. Demand for cybersecurity specialists is about as high as their salaries. According to a recent, US-centric benchmark report from IANS […] Full entry: IT Security Jobs: 5 Bitter Truths.
Source: www.csoonline.com. A recent IBM report shows that, not least thanks to faster detection by AI systems, the costs of cyberattacks can be brought down. AI-assisted attacks such as phishing and deepfakes continue to increase, yet companies are equally hesitant to upgrade their defenses. The good news first: as IBM in its annually published Cost […] Full entry: Costs Caused by Data Breaches Have Fallen.
Source: thehackernews.com. Python is everywhere in modern software. From machine learning models to production microservices, chances are your code—and your business—depends on Python packages you didn’t write. But in 2025, that trust comes with a serious risk. Every few weeks, we’re seeing fresh headlines about malicious packages uploaded to the Python Package […] Full entry: Webinar: How to Stop Python Supply Chain Attacks—and the Expert Tools You Need.