
FortigateSniffer Malware Harvests User Credentials From Infected Firewalls


The perimeter firewall has been used as a primary line of defense against external intrusions for years, but the newly uncovered campaign illustrates how these same security appliances can be weaponized against the organizations they are intended to safeguard. 

Researchers have discovered a large-scale attack involving a custom Golang-based tool known as FortigateSniffer that has been deployed systematically on compromised FortiGate firewalls since February 2026. Over 430,000 internet-facing devices have been impacted by the campaign, which is linked to an initial access broker (IAB) believed to be a financially motivated threat actor.

The attackers have covertly collected over 110 million credentials. By transforming trusted network gateways into silent credential-harvesting platforms, the operation illustrates one of the most significant paradigm shifts in attacker tradecraft, where compromised security infrastructure itself serves as a source of intelligence and access.

The scale, persistence, and operational sophistication observed throughout the campaign, tracked as FortiBleed, have raised concerns across the cybersecurity community, particularly as evidence emerges of the exfiltration of sensitive data involving a NATO-aligned defense contractor and of the potential use of stolen credentials for ransomware, espionage, and post-compromise activities.

Further analysis shows that the operation extends well beyond credential theft from FortiGate appliances and demonstrates a highly automated initial-access ecosystem that can be scaled across multiple technology platforms.

CyberStrike, an open-source, artificial intelligence-native offensive security framework, could have been utilized by the threat actors to streamline portions of the attack workflow, emphasizing how automation has become increasingly important in large-scale intrusion campaigns. As part of the activity, a substantial emphasis was placed on small and medium-sized businesses, especially companies with fewer than 200 employees, with the United States and India emerging as the most heavily targeted regions. 

IT service providers likely drew particular attention because they can serve as entry points into broader customer networks. Moreover, researchers observed parallel brute-force attacks on NAS systems, Sophos firewalls, RDWeb portals, Citrix SSL VPN gateways, and Microsoft SQL servers, which suggests that the campaign was designed to acquire access opportunities across diverse enterprise environments.

On May 31 and June 15, 2026 alone, the operators executed at least 659 automated credential-harvesting pipelines, which resulted in the discovery of more than 110 million authentication items. A total of 14.8 million RADIUS credentials were recovered, along with approximately 924,000 NTLM password hashes, 130,000 Kerberos hashes, and approximately 89 million MySQL authentication tokens, indicating the scale of the operation and the significant downstream risks associated with the reuse and monetization of stolen enterprise credentials. 

FortigateSniffer is a purpose-built credential interception utility that is suited to Linux and Windows environments and was designed to leverage legitimate FortiOS functionality rather than rely on conventional malware. Researchers have shown that, by using FortiGate appliances' native packet diagnostic capabilities, the tool passively monitors authentication traffic moving through compromised devices and collects credentials and authentication artifacts across a wide range of enterprise protocols.

The captured traffic is then converted into a packet-capture format and processed by a specially designed analysis framework that extracts cleartext usernames, passwords, NTLMv2 hashes, Kerberos tickets, and session cookies, in addition to other authentication data. The operation follows a structured, multi-stage attack chain, beginning with large-scale internet reconnaissance that uses scanning utilities and customized filtering tools to detect FortiGate systems and categorize them by location.

To obtain privileged access to administrative interfaces and SSL-VPN services, the attackers use credential validation, password spraying, and credential stuffing techniques. Using persistent SSH access, FortigateSniffer harvests authentication data, while recovered password hashes are transferred to a dedicated cracking platform that uses distributed processing and automated task orchestration.

Once credentials are successfully recovered, they can be weaponized for lateral movement, Active Directory reconnaissance, Kerberos verification, SMB authentication, and further network expansion, as well as for obtaining sensitive information from file shares accessible to the attacker and maintaining authenticated sessions using stolen cookies.

A number of significant operational security measures, such as geofencing controls and time-based execution windows aligned with standard Moscow business hours, were incorporated to reduce detection risk. These measures appear highly deliberate, with targets prioritized based on perceived economic value before operational resources are committed.

Separate telemetry also revealed an automated validation pipeline that is deployed in recurring five-hour cycles with up to 1,000 simultaneous verification threads, leading to exceptionally high early-stage success rates. Researchers also observed identical usernames and passwords recurring across thousands of different IP addresses, a phenomenon that has raised concerns about the possibility of some credentials being strategically seeded for covert re-entry into compromised environments. 

Throughout the course of the investigation, researchers began to gain a deeper understanding of the extent of credential exploitation enabled by the campaign. Analysis showed that once FortiGate appliances were compromised, attackers deployed FortigateSniffer to covertly collect authentication traffic traversing the devices, allowing them to acquire both cleartext credentials and password hashes that were subsequently cracked, validated, and reused against Active Directory environments, VPN gateways, and other externally accessible enterprise services. 

As a result of reviewing intelligence data collected by Hunt Intelligence on June 12, 2026, cybersecurity researcher Volodymyr "Bob" Diachenko identified indicators of this activity, which immediately sparked widespread interest in the operation. Upon examination of the stolen dataset, it was found that credentials were associated with approximately 74,000 firewall URLs covering 194 countries and impacting over 21,000 unique domains. 

In response, data from the incident was shared with national computer emergency response teams to facilitate coordination and dedicated exposure-checking portals were launched to assist organizations in determining whether their Fortinet infrastructure had been compromised. According to researchers, by mid-June, the attackers' database had grown to contain more than 86,000 authenticated and active credentials related to corporate firewalls and VPN services worldwide.

The largest concentration of exposed organizations is found in India and the United States. These findings are of significance not only due to the high volume of compromised accounts, but also due to their validity; investigators noted that the credentials were systematically tested and verified through an automated validation infrastructure rather than speculative password guessing. 

The information gathered from underground marketplaces confirmed suspicions that the campaign is linked to an initial access brokering operation, as the same threat actor previously advertised network access on darknet forums for substantial sums to organizations across a variety of industries, including healthcare, technology, and telecommunications. 

Although it is not yet confirmed that these sales are directly related to the FortiGate harvesting campaign, the overlap indicates that the access being collected has potential commercial value. In response, Fortinet has initiated outreach to potentially affected customers and advised organizations to immediately terminate active administrative and VPN sessions, rotate credentials, enforce multifactor authentication, and review logs and configuration changes in detail. It has also encouraged customers to upgrade to the latest versions of FortiOS, which replace legacy SHA256-based password storage with Password-Based Key Derivation Function 2 (PBKDF2).

Security teams, however, are cautioned that firmware upgrades alone cannot eliminate this risk, as legacy SHA256 password entries must be manually removed from the system. If credentials or configuration files were previously exposed, attackers may still be able to recover administrative passwords through offline cracking techniques, preserving an opportunity for unauthorized access even after modernization efforts have been completed.
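
Because legacy entries survive an upgrade, a configuration backup can be checked for administrator accounts that still carry one. This added example is not Fortinet's or the article's code; it assumes the usual `config system admin` layout of a FortiOS backup, that legacy hashes follow `ENC` with an `SH2` (SHA256) or `AK1` (SHA-1) prefix, and that an absent `set two-factor` line means MFA is off. The sample configuration is constructed.

```python
import shlex

# Assumption: prefix of the blob after "ENC" identifies the storage scheme.
LEGACY_PREFIXES = {"SH2": "sha256 (legacy)", "AK1": "sha1 (legacy)"}

# Constructed sample backup; the password blobs are placeholders, not real hashes.
SAMPLE_CONFIG = """
config system global
    set hostname "fw-sample"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "ops"
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC ZZ9CONSTRUCTED-PLACEHOLDER-NON-LEGACY
    next
end
"""


def _tokens(line):
    """Split a config line, tolerating unbalanced quotes."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def audit_admins(config_text):
    """Return {admin_name: {"scheme": ..., "two_factor": ...}} from a backup."""
    admins, current, depth, in_admin = {}, None, 0, False
    for raw in config_text.splitlines():
        tok = _tokens(raw.strip())
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # only top-level blocks select the admin table
                in_admin = tok[1:] == ["system", "admin"]
        elif tok[0] == "end":
            depth -= 1
            if depth == 0:
                in_admin = False
        elif in_admin and depth == 1:  # ignore nested per-admin sub-tables
            if tok[0] == "edit" and len(tok) > 1:
                current = admins.setdefault(
                    tok[1], {"scheme": "none", "two_factor": "disable"})
            elif tok[0] == "next":
                current = None
            elif tok[0] == "set" and current is not None and len(tok) > 2:
                if tok[1] == "password" and len(tok) > 3 and tok[2] == "ENC":
                    current["scheme"] = LEGACY_PREFIXES.get(tok[3][:3], "other")
                elif tok[1] == "two-factor":
                    current["two_factor"] = tok[2]
    return admins


def findings(admins):
    """List (admin, issue) pairs that need follow-up."""
    out = []
    for name, info in sorted(admins.items()):
        if info["scheme"].endswith("(legacy)"):
            out.append((name, f"{info['scheme']} entry still present: "
                              "remove it manually and rotate the credential"))
        if info["two_factor"] == "disable":
            out.append((name, "no two-factor authentication configured"))
    return out


if __name__ == "__main__":
    for name, issue in findings(audit_admins(SAMPLE_CONFIG)):
        print(f"{name}: {issue}")
```
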

An increasingly common practice in cyber operations is to harvest access information from security infrastructure and gather credential information in large quantities. The FortiBleed campaign highlights this reality. In addition to the immediate impact on affected organizations, the operation illustrates how automated tools, credential validation pipelines, and access brokerage activities can be combined in a highly efficient ecosystem that drives downstream intrusions.

Defenders should remember that perimeter devices require the same level of continuous monitoring, credential hygiene, and security review as any other critical asset. For organizations that rely on internet-facing authentication services, this campaign is an opportunity to reevaluate access control measures, identify security weaknesses, and proactively investigate unauthorized activity before harvested credentials are used to compromise the broader organization.

Europol Dismantles AudiA6 Crypto Laundering Network Used by Ransomware Gangs

 

Europol has disrupted a major cryptocurrency laundering operation known as AudiA6, which investigators say acted as a financial backbone for ransomware gangs and other cybercriminal networks. According to the agency, the service laundered more than EUR 336 million between 2022 and 2025 by helping criminals hide stolen digital assets and break the money trail. The takedown is significant because it targets not just attackers, but the payment infrastructure that allows cybercrime to stay profitable. 

The operation was carried out by law enforcement partners including the United States Secret Service, IRS Criminal Investigation, Polish Police, Europol, Eurojust, and other international agencies. During the coordinated action on 10 June, authorities arrested two alleged administrators in Georgia, searched three properties, seized more than 30 servers, and took down 25 domains connected to the laundering network. Investigators also froze EUR 692,000 in cryptocurrency and seized more than EUR 86,000, while Telegram accounts used by the group were blocked. 

Europol describes AudiA6 as an industrial-scale laundering service built around thousands of fraudulent exchange accounts created with stolen or purchased identities. The platform allegedly offered criminals fast “cleaning” of stolen crypto, returning funds in about an hour after charging commissions of 3% to 10%. The network was also linked to the dark web forum Dark2Web, which prosecutors say was used to advertise illegal services and connect cybercriminals worldwide. 

One of the most important findings in the investigation was the scale of identity abuse behind the scheme. Europol says more than 6,000 Know Your Customer records tied to money-mule accounts were identified, showing how criminals exploited exchange verification systems to move funds across borders. Many of those accounts were reportedly linked to Russian-speaking intermediaries recruited specifically to move proceeds through cryptocurrency exchanges. Europol also linked the service to more than 15 investigations worldwide involving ransomware attacks and major crypto thefts. 

The AudiA6 case highlights how professionalized crypto laundering has become a core part of the cybercrime economy. Europol warns that criminal groups increasingly rely on mixing services, chain-hopping, and mule networks to move money quickly and avoid detection. By striking this service, law enforcement has not ended ransomware, but it has made it harder for criminals to turn stolen data and extortion into usable cash.

Opendoor Shuts India Operations as AI Reshapes Offshore Work Economics

 

Surprisingly quiet since its launch, Opendoor's Indian venture now halts - barely twenty-four months after setting up hubs in Bengaluru and Chennai. Though framed as a digital frontier play, the retreat fuels debate: could smarter machines quietly reshape rules once favorable to offshoring? While cost gaps drove past expansions, algorithmic progress may erode those advantages faster than expected. Some argue efficiency gains from automation make remote labor pools less compelling over time. 

Notably, this shift does not unfold through sudden rupture, but by gradual recalibration behind corporate doors. Outlining the move, CEO Kaz Nejatian explained efforts to align operations more closely with customers across the United States, using compact teams powered by artificial intelligence. While details remain limited on staff numbers or exactly how AI influenced choices, reactions followed fast from tech executives and investors alike.

Seen by some as hinting at wider shifts, the news sparked discussion despite minimal data being shared. Nowhere else on Earth does such scale of operational support unfold quite like it does across India. Starting as a hub for routine administrative work, its role gradually shifted toward something far broader. 

Today, sprawling networks of Global Capability Centers operate within its cities, serving international firms through tech solutions, financial oversight, product innovation, while also shaping career paths for countless professionals. Revenue streams run deep each year, woven into the fabric of worldwide service delivery. Far from just an outsourcing destination, the nation holds a central position in how modern enterprises function abroad. 

Early in 2024, Opendoor moved into India by forming groups focused on handling daily operations through various platforms. Around then, close to 250 workers were on payroll at its local offices there. Despite that early growth, pulling out of India aligns with wider job cuts happening throughout the business. Records show a sharp drop in staff worldwide during the last twelve months, along with a steep decline in employees outside the home market. 

Even with broad internal reductions, experts warn it might be misleading to see the shutdown just as a move tied to shifting work overseas. Facing strain from downturns in American real estate, which hit those who buy houses digitally hard, Opendoor needed ways to spend less. Still, its push toward artificial intelligence for smoother operations has sparked questions about what comes next for jobs handled abroad.

One reason some investors saw for the move was that artificial intelligence might lower the need for jobs requiring heavy human effort. As machines take on repetitive tasks, companies could downsize, not due to location but ability. The shift suggests staffing needs may shrink when automation steps in. What stands out now isn’t a shift of roles from India to the U.S., but a broader drop in workforce needs across operations.

Because intelligent systems blend deeper into daily workflows, firms often rely on tighter groups supported by tools instead of people. Efficiency reshapes staffing - software handles tasks once managed by many. Structures shrink not due to location changes, but because technology reduces demand. Outcomes stay steady while headcount falls, driven by smart integration behind the scenes. 

Some researchers view this new framework as movement into "services-as-software," where firms lean on AI-driven processes rather than growing teams indefinitely. In practice, results follow more from blending tools with niche skills than cutting costs through workforce choices. Though Opendoor shut down operations in India, drawing attention amid talks on AI and jobs, experts stress it's not a straightforward story. 

Long before smart algorithms gained ground, job cuts were already underway at the firm. Market forces beyond technology played a role too. Still, the move sparked sharper conversation - what part might automation play in moving service tasks overseas? Could entire sectors shift as machines learn faster?

WhatsApp Malware Campaign Targets Global Users Through Fake Financial Documents and Remote Access Tools

 

A widespread malware campaign is targeting WhatsApp users across several countries by sending deceptive messages containing malicious VBScript files that can ultimately grant attackers remote access to victims' systems.

According to cybersecurity researchers at Kaspersky, the threat actors behind the campaign are disguising the malicious files as legitimate business and financial documents. These files are distributed through WhatsApp accounts that have already been compromised, making the messages appear trustworthy to recipients.

Once a victim downloads and executes the attachment, a multi-stage infection process begins. The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.

Kaspersky’s telemetry data indicates that the campaign has impacted users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.

To increase the likelihood of users opening the attachment, the files are named to resemble invoices, financial reports, billing records, account notifications, and other business-related documents. Researchers also observed that the filenames are adapted to different languages, highlighting the global nature of the operation.

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers. These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The software is then installed silently in the background and configured to connect with servers controlled by the attackers. This setup provides cybercriminals with remote administration capabilities over the compromised machine.

Researchers noted a difference in execution behavior depending on the WhatsApp platform being used. When the file is received through WhatsApp Web, it must first be downloaded before execution. However, in the WhatsApp Desktop application, the file can be launched directly through Windows Script Host (wscript.exe).
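
The chain described above (a script-host launch of a `.vbs` attachment followed by registry changes that disable UAC) can be hunted for in endpoint telemetry. The following is an added example, not code from Kaspersky or the original article; the Sysmon-style field names, the `WhatsApp.exe` parent process name, the UAC value names and the ten-minute window are assumptions, and the events are constructed.

```python
import json
import re
from datetime import datetime, timedelta

# Standard Windows UAC policy values; writing 0 to any of them weakens UAC.
# The article does not name the values the scripts change, so this set is an assumption.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed telemetry, one JSON object per line (Sysmon-style fields:
# EventID 1 = process creation, EventID 13 = registry value set).
SAMPLE_EVENTS = r'''
{"host":"PC-03","EventID":1,"UtcTime":"2026-06-01 08:00:00","Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript.exe \"C:\\Scripts\\logon.vbs\""}
{"host":"PC-01","EventID":1,"UtcTime":"2026-06-01 09:14:02","Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Program Files\\WhatsApp\\WhatsApp.exe","CommandLine":"wscript.exe \"C:\\Users\\a\\Downloads\\Invoice_0601.vbs\""}
{"host":"PC-01","EventID":13,"UtcTime":"2026-06-01 09:14:40","Image":"C:\\Windows\\System32\\wscript.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA","Details":"DWORD (0x00000000)"}
{"host":"PC-02","EventID":13,"UtcTime":"2026-06-01 10:00:00","Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA","Details":"DWORD (0x00000001)"}
{"host":"PC-04","EventID":1,"UtcTime":"2026-06-01 10:05:00","Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript.exe \"C:\\Tools\\report.vbs\""}
{"host":"PC-03","EventID":13,"UtcTime":"2026-06-01 11:30:00","Image":"C:\\Windows\\regedit.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin","Details":"DWORD (0x00000000)"}
'''


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def is_script_launch(event):
    """Process creation where Windows Script Host runs a VBScript file."""
    return (event.get("EventID") == 1
            and _basename(event.get("Image", "")) in SCRIPT_HOSTS
            and re.search(r"\.(vbs|vbe)\b", event.get("CommandLine", ""), re.I) is not None)


def is_uac_weakening(event):
    """Registry write that sets one of the UAC policy values to 0."""
    if event.get("EventID") != 13:
        return False
    key, _, value = event.get("TargetObject", "").lower().rpartition("\\")
    data = re.search(r"0x([0-9a-f]+)", event.get("Details", ""), re.I)
    return (key == UAC_KEY and value in UAC_VALUES
            and data is not None and int(data.group(1), 16) == 0)


def detect(lines):
    """Alert on UAC weakening; raise severity when a script launch preceded it."""
    events = sorted((json.loads(l) for l in lines.splitlines() if l.strip()), key=_ts)
    launches, alerts = {}, []
    for event in events:
        host = event["host"]
        if is_script_launch(event):
            launches.setdefault(host, []).append(event)
        elif is_uac_weakening(event):
            recent = [l for l in launches.get(host, [])
                      if timedelta(0) <= _ts(event) - _ts(l) <= WINDOW]
            alerts.append({
                "host": host,
                "time": event["UtcTime"],
                "value": event["TargetObject"].rsplit("\\", 1)[-1],
                "severity": "high" if recent else "medium",
                "script": recent[-1]["CommandLine"] if recent else None,
                # True when the script host was started directly by WhatsApp Desktop
                "from_whatsapp": any(
                    _basename(l.get("ParentImage", "")) == "whatsapp.exe" for l in recent),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
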

Although Kaspersky has not attributed the campaign to a specific threat actor, investigators identified indicators suggesting the use of the Chinese language and found overlaps between the campaign’s infrastructure and IP addresses previously linked to ValleyRAT and Gh0st RAT operations.

Despite these findings, researchers emphasized that the available evidence is not sufficient to confidently identify the group responsible for the attacks.

Security experts advise WhatsApp users to exercise caution when receiving files, even from known contacts, as compromised accounts can be used to spread malware.

Users should verify unexpected attachments through an alternative communication channel before opening them. Additionally, all downloaded files should be scanned with an updated antivirus solution to help detect and block potential threats before execution.

Crypto Heist Uses Fake Reputation Campaign to Spread Malware

 

Cybercriminals are increasingly borrowing the language and tactics of public relations, and a new campaign shows how effective that can be. According to researchers, attackers promoted malicious crypto-related tools by creating a polished online presence across GitHub, YouTube, VirusTotal, and other channels. The goal was not only to spread malware, but also to build an illusion of trust that would lower suspicion among users and researchers.

At the center of the operation was a Rust-based clipboard hijacker, a type of malware that watches for cryptocurrency wallet addresses copied into a victim’s clipboard. When it detects one, it swaps the address with one controlled by the attackers, causing funds to be sent to the wrong destination. This simple trick can be highly profitable because it targets users at the exact moment they think they are making a legitimate transfer. 

What makes the campaign notable is its layered distribution strategy. Researchers found dedicated phishing pages, fake GitHub and SourceForge projects, and even a YouTube channel designed to make the software look popular and credible. The channel reportedly used AI-generated narrators, suspicious view spikes, and enthusiastic comments that were likely coordinated to reinforce the appearance of real demand. Instead of relying on one channel, the attackers created a network of signals that seemed to validate one another. 

The operation also extended into reputation manipulation on security platforms. By using large numbers of fake accounts, sometimes described as “Ghost Networks,” the attackers attempted to influence systems such as VirusTotal and make their tools appear harmless or merely falsely flagged. That tactic matters because many users and even defenders glance at reputation data before deciding whether a file is safe. If the data is polluted, the warning signs become harder to trust. 

This campaign shows how malware distribution is evolving beyond obvious spam and sketchy downloads. Attackers now understand that credibility itself can be weaponized, especially when users rely on social proof, star ratings, comments, and public scans to judge safety. The result is a more convincing, more scalable deception that blends technical abuse with marketing-style manipulation. 

For users, the lesson is to treat polished packaging as a warning sign rather than reassurance. Check the source of any crypto tool carefully, verify wallet addresses before sending money, and avoid downloading software because it looks popular or well reviewed. For defenders, the case is a reminder that reputation systems can be gamed, so detection must look beyond surface-level trust signals.

Five Eyes Agencies Say AI-Powered Cyber Threats Are Closer Than Expected

 




Intelligence and cybersecurity agencies from five allied nations have issued a warning that advanced artificial intelligence systems capable of performing meticulously executed cybersecurity tasks may become widely accessible much sooner than many organizations expect.

In a joint statement, representatives from the Five Eyes intelligence alliance, comprising the United States, Canada, the United Kingdom, Australia, and New Zealand, cautioned that frontier AI models are progressing at a pace that could reshape how cyber operations are conducted on both sides of the security landscape. According to the agencies, capabilities that are currently associated with a small number of highly advanced AI systems may reach broader availability within months rather than years.

The warning instills a sense of concern among governments, security practitioners, and AI researchers who have spent the past year examining how rapidly improving language models can influence vulnerability discovery, exploit development, system reconnaissance, and defensive security operations.

Officials stated that frontier AI systems are expected to outperform current industry assumptions regarding cybersecurity-related tasks. As these systems continue to improve, they may alter how organizations identify weaknesses, respond to incidents, and defend critical infrastructure. At the same time, the same technological advances could provide malicious actors with new opportunities to automate portions of cyberattacks that previously required substantial technical expertise.

Notably, the agencies emphasized that their concern is not based solely on future developments. Many of the building blocks needed for AI-assisted cyber operations already exist today.

Security-focused AI models can currently be accessed through a variety of channels, including older commercial systems, open-source releases, and models developed outside Western technology companies. While some frontier AI developers have restricted access to their most capable systems, cybersecurity experts have repeatedly noted that advanced capabilities often spread beyond their original environments as newer generations of models are released.

The agencies argued that one of the most immediate concerns is not the creation of entirely new attack techniques, but the ability of AI systems to exploit weaknesses that organizations have failed to address for years.

Among the issues highlighted were aging technology environments, delayed software patching, unnecessary exposure of internal systems to the public internet, weak identity verification practices, inadequate access controls, and insufficient preparation for responding to security incidents. These weaknesses have contributed to countless breaches over the past decade, and officials believe increasingly capable AI systems could allow attackers to identify and exploit such gaps more efficiently and at greater scale.

The statement suggests that organizations should reassess assumptions about how much time they have to prepare. Traditional planning cycles often operate on the expectation that technological shifts unfold gradually. However, intelligence officials warned that AI-related cyber risks may evolve quickly enough to render existing security assumptions obsolete within a matter of months.

"The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years," the agencies wrote, urging organizations to prepare for changing threat conditions before they become operational realities.

The warning also comes amid growing debate surrounding the release and control of advanced AI systems. The statement references frontier models such as Anthropic's Fable 5 and the cybersecurity-focused Mythos model family, which have attracted attention because of their reported performance on security-related tasks.

While companies have attempted to limit access to some of their most advanced systems, researchers have repeatedly observed that the gap between proprietary frontier models and publicly available alternatives continues to narrow. Historically, open-source models have often trailed leading commercial systems by only several months. As a result, capabilities that are initially restricted to a limited group of users can eventually become available through other channels.

This pattern has intensified concerns among policymakers who worry that highly capable cyber-oriented AI tools may become accessible to a broader range of actors, including criminal groups and nation-state operators seeking to automate parts of their operations.

Government officials and AI developers have already begun exploring ways to use these technologies defensively before they become commonplace in offensive campaigns. Programs such as Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber Program are designed to provide vetted organizations with access to advanced AI systems for security testing, vulnerability identification, and defensive research.

The objective is straightforward: allow defenders to discover and remediate weaknesses before increasingly capable AI systems can routinely identify and exploit them.

Recent research has reinforced the view that AI is becoming increasingly effective at cybersecurity tasks. Studies conducted in controlled environments have shown that advanced models can assist with vulnerability analysis, code review, system enumeration, and portions of attack-chain development. Although these systems still require human oversight and are far from replacing experienced security professionals, their capabilities continue to improve with each generation.

Despite the attention surrounding frontier AI, the recommendations issued by the Five Eyes agencies are remarkably familiar. Rather than advocating entirely new security frameworks, officials argue that organizations should focus on practices that have long formed the foundation of effective cybersecurity programs.

These include maintaining timely patch management processes, reducing unnecessary internet-facing exposure, strengthening identity and access management controls, developing incident response plans, and treating cybersecurity as a strategic business responsibility rather than a compliance exercise delegated solely to technical teams.

For business leaders, the warning serves as a reminder that advances in artificial intelligence are unlikely to eliminate longstanding cybersecurity challenges. Instead, they may increase the speed at which those challenges can be exploited.

As frontier AI systems continue to advance, organizations that maintain strong operational discipline, address known weaknesses promptly, and integrate cybersecurity considerations into decision-making processes will be better positioned to withstand a rapidly changing threat environment. Those that fail to do so may find that vulnerabilities once considered manageable can be identified, analyzed, and exploited far faster than before.
