https://security-feed.tooling.k8s.neterium.cloud/ Merged security feed https://ccb.belgium.be/fr/news/nis2-echeance-du-18-avril-2026-ce-que-les-entites-essentielles-doivent-avoir-mis-en-place Cette échéance marque une étape cruciale pour les entités essentielles opérant dans le cadre de la directive NIS2 en Belgique https://ccb.belgium.be/fr/news/nis2-echeance-du-18-avril-2026-ce-que-les-entites-essentielles-doivent-avoir-mis-en-place 16 Apr 26 13:44 +0000 https://www.welivesecurity.com/en/business-security/supply-chain-dependencies-have-you-checked-your-blind-spot/ Your biggest risk may be a vendor you trust. How can SMBs map their third-party blind spots and build operational resilience? https://www.welivesecurity.com/en/business-security/supply-chain-dependencies-have-you-checked-your-blind-spot/ 16 Apr 26 12:00 +0000 https://www.welivesecurity.com/en/scams/recovery-scammers-hit-when-down-avoid-second-strike/ If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse. https://www.welivesecurity.com/en/scams/recovery-scammers-hit-when-down-avoid-second-strike/ 10 Apr 26 09:00 +0000 https://www.welivesecurity.com/en/business-security/breakout-time-accelerates-prevention-first-cybersecurity-center-stage/ Threat actors are using AI to supercharge tried-and-tested TTPs. When attacks move this fast, cyber-defenders need to rethink their own strategy. https://www.welivesecurity.com/en/business-security/breakout-time-accelerates-prevention-first-cybersecurity-center-stage/ 07 Apr 26 09:00 +0000 https://ccb.belgium.be/fr/news/dans-quelle-mesure-votre-organisation-est-elle-prete-face-aux-cybermenaces-faites-entendre Partagez votre expérience. Renforcez la cyber‑résilience de la Belgique.  https://ccb.belgium.be/fr/news/dans-quelle-mesure-votre-organisation-est-elle-prete-face-aux-cybermenaces-faites-entendre 02 Apr 26 16:19 +0000 https://www.welivesecurity.com/en/cybersecurity/digital-assets-death-managing-risks-your-loved-ones-digital-estate/ Fraudsters often target the accounts of the deceased or their grieving relatives. Here’s how to keep the scammers at bay. https://www.welivesecurity.com/en/cybersecurity/digital-assets-death-managing-risks-your-loved-ones-digital-estate/ 01 Apr 26 09:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-march-2026/ The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience plan https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-march-2026/ 31 Mar 26 08:27 +0000 https://threats.wiz.io/all-incidents/axios-supply-chain-attack The malicious versions of axios differed from legitimate releases by including a dependency on plain-crypto-js, a trojanized package. These versions were published directly via a compromised maintainer account and later removed from npm following disclosure. Due to the short e... https://threats.wiz.io/all-incidents/axios-supply-chain-attack 31 Mar 26 00:00 +0000 https://ccb.belgium.be/fr/news/le-cyber-security-challenge-belgium-attire-plus-de-1000-jeunes-talents-en-cybersecurite Cette année encore, le CSCBE a rassemblé plus de 1000 étudiants et de jeunes talents venus de tout le pays https://ccb.belgium.be/fr/news/le-cyber-security-challenge-belgium-attire-plus-de-1000-jeunes-talents-en-cybersecurite 30 Mar 26 11:00 +0000 https://www.welivesecurity.com/en/videos/rsac-2026-wrap-up-week-security-tony-anscombe/ This year, AI agents took the center stage – as a defensive capability, but more pressingly as a risk many organizations haven't caught up with https://www.welivesecurity.com/en/videos/rsac-2026-wrap-up-week-security-tony-anscombe/ 27 Mar 26 10:38 +0000 https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/ Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when no one thinks twice about opening them https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/ 27 Mar 26 07:00 +0000 https://threats.wiz.io/all-incidents/apifox-supply-chain-attack The Apifox incident is a client-side supply chain attack in which attackers compromised an official CDN-hosted JavaScript resource (apifox-app-event-tracking.min.js) and injected heavily obfuscated malicious code into a trusted analytics script. Because the Apifox desktop clie... https://threats.wiz.io/all-incidents/apifox-supply-chain-attack 26 Mar 26 00:00 +0000 https://www.welivesecurity.com/en/business-security/virtual-machines-virtually-everywhere-real-security-gaps/ Cloud VMs offer unmatched speed, scale and flexibility – all of which could eventually count for little if they’re left to fend for themselves https://www.welivesecurity.com/en/business-security/virtual-machines-virtually-everywhere-real-security-gaps/ 25 Mar 26 10:00 +0000 https://threats.wiz.io/all-incidents/buddyboss-supply-chain-attack The BuddyBoss campaign (Parts 1 & 2) represents a full-spectrum software supply chain attack against the WordPress ecosystem, where the threat actor compromised the BuddyBoss plugin/theme distribution pipeline and leveraged it to infect hundreds of downstream websites. The ini... https://threats.wiz.io/all-incidents/buddyboss-supply-chain-attack 25 Mar 26 00:00 +0000 https://www.welivesecurity.com/en/business-security/cloud-workload-security-mind-gaps/ As IT infrastructure expands, visibility and control often lag behind – until an incident forces a reckoning https://www.welivesecurity.com/en/business-security/cloud-workload-security-mind-gaps/ 24 Mar 26 10:00 +0000 https://threats.wiz.io/all-incidents/litellm-supply-chain-attack Malicious versions of the LiteLLM python package (1.82.7 and 1.82.8) were published on the morning of 24 March 2026. The compromised packages employed two different methods to deliver their payload. The packages were published at approximately 8:30 UTC and quarantined by PyPI ... https://threats.wiz.io/all-incidents/litellm-supply-chain-attack 24 Mar 26 00:00 +0000 https://threats.wiz.io/all-incidents/kics-supply-chain-attack The Checkmarx KICS GitHub Action was compromised by TeamPCP between 12:58 and 16:50 UTC on March 23, during which users pinning to affected tags were served credential-stealing malware before the repository was taken down. This marks the second major open source security scann... https://threats.wiz.io/all-incidents/kics-supply-chain-attack 23 Mar 26 00:00 +0000 https://www.welivesecurity.com/en/cybersecurity/move-fast-save-things-quick-guide-recovering-hacked-account/ What you do – and how fast – after an account is compromised often matters more than it may seem https://www.welivesecurity.com/en/cybersecurity/move-fast-save-things-quick-guide-recovering-hacked-account/ 20 Mar 26 10:00 +0000 https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/ ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/ 19 Mar 26 09:55 +0000 https://ccb.belgium.be/fr/news/une-collaboration-accrue-avec-la-police-judiciaire-federale-pour-lutter-contre-le-phishing Ce modèle est unique en Europe et il a permis en 2025 de prévenir près de 200 millions de clics vers des sites malveillants et de nombreuses victimes grâce à une redirection vers une page d'avertissement. https://ccb.belgium.be/fr/news/une-collaboration-accrue-avec-la-police-judiciaire-federale-pour-lutter-contre-le-phishing 18 Mar 26 09:42 +0000 https://www.welivesecurity.com/en/privacy/face-value-what-takes-fool-facial-recognition/ ESET’s Jake Moore used smart glasses, deepfakes and face swaps to ‘hack’ widely-used facial recognition systems – and he'll demo it all at RSAC 2026 https://www.welivesecurity.com/en/privacy/face-value-what-takes-fool-facial-recognition/ 13 Mar 26 10:00 +0000 https://www.welivesecurity.com/en/business-security/cyber-fallout-iran-war-what-have-radar/ The cybersecurity implications of the war in the Middle East extend far beyond the region. Here’s where to focus your defenses. https://www.welivesecurity.com/en/business-security/cyber-fallout-iran-war-what-have-radar/ 12 Mar 26 14:17 +0000 https://threats.wiz.io/all-incidents/exploitation-of-s1ngularity-exposed-cloud-keys-for-lateral-movement The UNC6426 campaign demonstrates a multi-stage supply chain intrusion that transitioned from developer environment compromise to full cloud takeover within ~72 hours. The attack originated from a prior compromise of the nx npm package, where a malicious postinstall script dep... https://threats.wiz.io/all-incidents/exploitation-of-s1ngularity-exposed-cloud-keys-for-lateral-movement 11 Mar 26 00:00 +0000 https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/ The resurgence of one of Russia’s most notorious APT groups https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/ 10 Mar 26 09:58 +0000 https://threats.wiz.io/all-incidents/xygeni-action-repository-hijack The compromise of the xygeni-action represents a CI/CD supply chain attack in which a threat actor leveraged tag poisoning to distribute a backdoored GitHub Action at scale. The attacker first gained access to the repository via compromised maintainer credentials and a GitHub ... https://threats.wiz.io/all-incidents/xygeni-action-repository-hijack 09 Mar 26 00:00 +0000 https://threats.wiz.io/all-incidents/polinrider-supply-chain-attack The PolinRider campaign represents a highly automated software supply chain attack in which a threat actor—assessed to be DPRK-linked—leveraged a compromised developer environment to achieve large-scale propagation across GitHub repositories. The initial access vector was a tr... https://threats.wiz.io/all-incidents/polinrider-supply-chain-attack 08 Mar 26 00:00 +0000 https://www.welivesecurity.com/en/business-security/what-cybersecurity-actually-does-for-your-business/ The ability to continue operating safely in an unsafe environment where competitors cannot is a competitive advantage that is rarely measured or discussed https://www.welivesecurity.com/en/business-security/what-cybersecurity-actually-does-for-your-business/ 06 Mar 26 10:00 +0000 https://www.welivesecurity.com/en/business-security/how-smbs-use-threat-research-mdr-build-defensive-edge/ We speak to Director of ESET Threat Research Jean-Ian Boutin about where solutions that blend advanced technology with human expertise provide the most practical value for businesses https://www.welivesecurity.com/en/business-security/how-smbs-use-threat-research-mdr-build-defensive-edge/ 05 Mar 26 10:00 +0000 https://www.welivesecurity.com/en/business-security/protecting-education-how-mdr-can-tip-balance-favor-schools/ The education sector is notoriously short on cash, but rich in assets for threat actors to target. How can managed detection and response (MDR) help learning institutions regain the initiative? https://www.welivesecurity.com/en/business-security/protecting-education-how-mdr-can-tip-balance-favor-schools/ 04 Mar 26 10:00 +0000 https://threats.wiz.io/all-incidents/lexisnexis-breach LexisNexis confirmed a cloud-based data breach after threat actor FulcrumSec leaked ~2GB of stolen data. The attacker exploited an unpatched React2Shell vulnerability in a frontend application to gain access to the company’s AWS environment, leading to large-scale data exfiltr... https://threats.wiz.io/all-incidents/lexisnexis-breach 03 Mar 26 00:00 +0000 https://threats.wiz.io/all-incidents/trivy-supply-chain-attack On March 19, 2026, Aqua Security’s Trivy was compromised in a follow-on incident attributed to unrotated credentials from a prior breach. Attackers pushed spoofed commits to both actions/checkout and aquasecurity/trivy, triggering the release of a malicious v0.69.4 version tha... https://threats.wiz.io/all-incidents/trivy-supply-chain-attack 01 Mar 26 00:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-february-2026/ In this roundup, Tony looks at how opportunistic threat actors are taking advantage of weak authentication, unmanaged exposure, and popular AI tools https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-february-2026/ 28 Feb 26 10:00 +0000 https://www.welivesecurity.com/en/mobile-security/mobile-app-permissions-still-matter-more-think/ Start using a new app and you’ll often be asked to grant it permissions. But blindly accepting them could expose you to serious privacy and security risks. https://www.welivesecurity.com/en/mobile-security/mobile-app-permissions-still-matter-more-think/ 27 Feb 26 10:00 +0000 https://ccb.belgium.be/fr/news/chiffres-cles-2025 En 2025, le CCB a joué de nouveau un rôle central dans la protection des citoyens, des organisations et des autorités publiques contre les cybermenaces https://ccb.belgium.be/fr/news/chiffres-cles-2025 25 Feb 26 08:27 +0000 https://ccb.belgium.be/fr/news/quarterly-cyber-threat-report-qctr-event-ce-que-le-4eme-trimestre-revele-sur-2026 La session a réuni des experts des secteurs public et privé afin d’analyser les tendances qui façonnent le paysage des cybermenaces en Belgique https://ccb.belgium.be/fr/news/quarterly-cyber-threat-report-qctr-event-ce-que-le-4eme-trimestre-revele-sur-2026 24 Feb 26 14:28 +0000 https://ccb.belgium.be/fr/news/enquete-de-leccc-sur-la-communaute-europeenne-de-cybersecurite-contribution-demandee CCB News https://ccb.belgium.be/fr/news/enquete-de-leccc-sur-la-communaute-europeenne-de-cybersecurite-contribution-demandee 23 Feb 26 14:30 +0000 https://www.welivesecurity.com/en/business-security/faking-it-phone-how-tell-voice-call-ai/ Can you believe your ears? Increasingly, the answer is no. Here’s what’s at stake for your business, and how to beat the deepfakers. https://www.welivesecurity.com/en/business-security/faking-it-phone-how-tell-voice-call-ai/ 23 Feb 26 10:00 +0000 https://threats.wiz.io/all-incidents/sandwormmode-typosquatted-npm-packages-used-to-hijack-ci-workflows According to Socket, the campaign operates as a typosquatting worm: the attacker publishes malicious packages that mimic trusted names (e.g., look-alikes of common utilities and AI coding tools). When one of these malicious packages is installed and imported, it executes a sta... https://threats.wiz.io/all-incidents/sandwormmode-typosquatted-npm-packages-used-to-hijack-ci-workflows 20 Feb 26 00:00 +0000 https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/ ESET researchers discover PromptSpy, the first known Android malware to abuse generative AI in its execution flow https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/ 19 Feb 26 10:30 +0000 https://www.welivesecurity.com/en/scams/poshmark-safe-buy-sell-scammed/ Like any other marketplace, the social commerce platform has its share of red flags. It pays to know what to look for so you can shop or sell without headaches. https://www.welivesecurity.com/en/scams/poshmark-safe-buy-sell-scammed/ 19 Feb 26 07:21 +0000 https://www.welivesecurity.com/en/kids-online/children-selfies-online/ When it comes to our children’s digital lives, prohibition rarely works. It’s our responsibility to help them build a healthy relationship with tech. https://www.welivesecurity.com/en/kids-online/children-selfies-online/ 17 Feb 26 10:00 +0000 https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-groups-tighten-screws-victims/ When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-groups-tighten-screws-victims/ 12 Feb 26 10:00 +0000 https://www.welivesecurity.com/en/scams/taxing-times-top-irs-scams-look-out-2026/ It’s time to file your tax return. And cybercriminals are lurking to make an already stressful period even more edgy. https://www.welivesecurity.com/en/scams/taxing-times-top-irs-scams-look-out-2026/ 10 Feb 26 10:00 +0000 https://threats.wiz.io/all-incidents/sshstalker-linux-botnet-campaign On 2026-02-09, a campaign was reported, involving SSHStalker, gaining initial access via Password attack, to achieve Resource hijacking, Data exfiltration. https://threats.wiz.io/all-incidents/sshstalker-linux-botnet-campaign 09 Feb 26 00:00 +0000 https://threats.wiz.io/all-incidents/teampcp-cloud-native-campaign-targeting-exposed-control-planes TeamPCP’s operations center on abusing unauthenticated or weakly protected orchestration and management interfaces rather than exploiting traditional endpoints. Initial access is achieved via exposed Docker and Kubernetes APIs, vulnerable React/Next.js applications (CVE-2025-2... https://threats.wiz.io/all-incidents/teampcp-cloud-native-campaign-targeting-exposed-control-planes 05 Feb 26 00:00 +0000 https://www.welivesecurity.com/en/scams/offerup-scammers-out-force-heres-what-you-should-know/ The mobile marketplace app has a growing number of users, but not all of them are genuine. Watch out for these common scams. https://www.welivesecurity.com/en/scams/offerup-scammers-out-force-heres-what-you-should-know/ 04 Feb 26 10:00 +0000 https://www.welivesecurity.com/en/cybersecurity/slippery-slope-winter-olympics-scams-cyberthreats/ It’s snow joke – sporting events are a big draw for cybercriminals. Make sure you’re not on the losing side by following these best practices. https://www.welivesecurity.com/en/cybersecurity/slippery-slope-winter-olympics-scams-cyberthreats/ 02 Feb 26 10:00 +0000 https://threats.wiz.io/all-incidents/supply-chain-hijacking-of-notepad-updates-via-hosting-provider-compromise Between June and late 2025, threat actors compromised the shared hosting infrastructure used by Notepad++ and selectively hijacked update traffic destined for notepad-plus-plus.org. Rather than exploiting a vulnerability in Notepad++ code, the attackers abused access at the ho... https://threats.wiz.io/all-incidents/supply-chain-hijacking-of-notepad-updates-via-hosting-provider-compromise 02 Feb 26 00:00 +0000 https://threats.wiz.io/all-incidents/supply-chain-attack-via-force-pushes-on-plone-github-repositories In January 2026, the Plone security team disclosed a security incident affecting the Plone GitHub organization, in which an attacker used force pushes to insert malicious JavaScript code into multiple repositories. The activity was traced back to a compromised contributor acco... https://threats.wiz.io/all-incidents/supply-chain-attack-via-force-pushes-on-plone-github-repositories 31 Jan 26 00:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-january-2026-edition/ The trends from January offer useful clues about the risks and priorities that security teams are likely to contend with throughout the year https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-january-2026-edition/ 30 Jan 26 15:20 +0000 https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/ ESET researchers present technical details on a recent data destruction incident affecting a company in Poland’s energy sector https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/ 30 Jan 26 10:28 +0000 https://ccb.belgium.be/fr/news/fraudes-linvestissement-des-pertes-toujours-plus-importantes-au-second-semestre-2025 La FSMA a récemment publié les chiffres relatifs aux fraudes à l’investissement pour le deuxième semestre 2025. Ceux-ci confirment une tendance préoccupante, tant par l’ampleur des pertes financières que par l’émergence de nouveaux modes opératoires… https://ccb.belgium.be/fr/news/fraudes-linvestissement-des-pertes-toujours-plus-importantes-au-second-semestre-2025 30 Jan 26 08:36 +0000 https://ccb.belgium.be/fr/news/la-commission-europeenne-propose-un-paquet-de-revision-du-cybersecurity-act La Commission européenne a publié le 20 janvier 2026 un paquet de révision du Cybersecurity Act https://ccb.belgium.be/fr/news/la-commission-europeenne-propose-un-paquet-de-revision-du-cybersecurity-act 28 Jan 26 16:14 +0000 https://ccb.belgium.be/fr/news/lancement-du-1er-appel-candidatures-secure-le-28-janvier-pour-soutenir-les-pme-dans-leur Le projet SECURE – Strengthening EU SMEs Cyber Resilience, financé par l’Union européenne et auquel le Centre pour la Cybersécurité Belgique participe en tant que partenaire du consortium, lancera son premier appel à candidatures le 28 janvier 2026… https://ccb.belgium.be/fr/news/lancement-du-1er-appel-candidatures-secure-le-28-janvier-pour-soutenir-les-pme-dans-leur 28 Jan 26 10:39 +0000 https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/ ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/ 28 Jan 26 09:59 +0000 https://threats.wiz.io/all-incidents/operation-bizarre-bazaar-commercialized-llmjacking Between December 2025 and January 2026, researchers uncovered a large-scale, systematic campaign targeting exposed large language model (LLM) and Model Context Protocol (MCP) infrastructure. Dubbed Operation Bizarre Bazaar, the activity represents the first publicly documented... https://threats.wiz.io/all-incidents/operation-bizarre-bazaar-commercialized-llmjacking 28 Jan 26 00:00 +0000 https://www.welivesecurity.com/en/cybersecurity/drowning-spam-scam-emails-why/ Has your inbox recently been deluged with unwanted and even outright malicious messages? Here are 10 possible reasons – and how to stem the tide. https://www.welivesecurity.com/en/cybersecurity/drowning-spam-scam-emails-why/ 27 Jan 26 10:00 +0000 https://threats.wiz.io/all-incidents/cloud-native-phishing-infrastructure-via-abused-aws-workmail Threat actors abused native AWS email services to build phishing and spam infrastructure inside a compromised cloud environment. After obtaining exposed long-term AWS credentials, the attackers conducted IAM and service reconnaissance to assess email-sending capabilities. Whil... https://threats.wiz.io/all-incidents/cloud-native-phishing-infrastructure-via-abused-aws-workmail 27 Jan 26 00:00 +0000 https://ccb.belgium.be/fr/news/alerte-escroqueries-utilisant-lidentite-de-sa-majeste-le-roi-et-dautres-personnalites Depuis début 2025, des dignitaires étrangers, des familles belges et des chefs d’entreprise sont contactés par téléphone, via WhatsApp ou par e-mail dans le but de leur soutirer de l’argent frauduleusement https://ccb.belgium.be/fr/news/alerte-escroqueries-utilisant-lidentite-de-sa-majeste-le-roi-et-dautres-personnalites 24 Jan 26 09:15 +0000 https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/ The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiper https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/ 23 Jan 26 16:58 +0000 https://www.welivesecurity.com/en/kids-online/children-chatbots-what-parents-should-know/ As children turn to AI chatbots for answers, advice, and companionship, questions emerge about their safety, privacy, and emotional development https://www.welivesecurity.com/en/kids-online/children-chatbots-what-parents-should-know/ 23 Jan 26 10:00 +0000 https://www.welivesecurity.com/en/scams/common-apple-pay-scams-how-stay-safe/ Here’s how the most common scams targeting Apple Pay users work and what you can do to stay one step ahead https://www.welivesecurity.com/en/scams/common-apple-pay-scams-how-stay-safe/ 22 Jan 26 10:00 +0000 https://ccb.belgium.be/fr/news/prolongation-des-mandats-du-directeur-general-et-de-la-directrice-generale-adjointe-du-ccb Le mandat de Miguel De Bruycker et celui de Phédra Clouner ont été prolongés pour une durée de cinq ans https://ccb.belgium.be/fr/news/prolongation-des-mandats-du-directeur-general-et-de-la-directrice-generale-adjointe-du-ccb 21 Jan 26 08:36 +0000 https://www.welivesecurity.com/en/cybersecurity/old-habits-die-hard-2025-most-common-passwords/ Once again, data shows an uncomfortable truth: the habit of choosing eminently hackable passwords is alive and well https://www.welivesecurity.com/en/cybersecurity/old-habits-die-hard-2025-most-common-passwords/ 20 Jan 26 10:00 +0000 https://threats.wiz.io/all-incidents/canonical-snap-store-hijacking-campaign On 2026-01-17, a campaign was reported, involving an unknown actor, gaining initial access via Dangling resource,. https://threats.wiz.io/all-incidents/canonical-snap-store-hijacking-campaign 17 Jan 26 00:00 +0000 https://www.welivesecurity.com/en/social-media/linkedin-hunting-ground-threat-actors-how-protect-yourself/ The business social networking site is a vast, publicly accessible database of corporate information. Don’t believe everyone on the site is who they say they are. https://www.welivesecurity.com/en/social-media/linkedin-hunting-ground-threat-actors-how-protect-yourself/ 16 Jan 26 10:00 +0000 https://www.welivesecurity.com/en/social-media/time-internet-services-adopt-identity-verification/ Should verified identities become the standard online? Australia’s social media ban for under-16s shows why the question matters. https://www.welivesecurity.com/en/social-media/time-internet-services-adopt-identity-verification/ 14 Jan 26 10:00 +0000 https://ccb.belgium.be/fr/news/10-ans-de-campagnes-de-prevention-safeonweb-la-loupe-take-back-internet CCB News https://ccb.belgium.be/fr/news/10-ans-de-campagnes-de-prevention-safeonweb-la-loupe-take-back-internet 13 Jan 26 14:54 +0000 https://www.welivesecurity.com/en/privacy/information-dark-web-what-happens-next/ If your data is on the dark web, it’s probably only a matter of time before it’s abused for fraud or account hijacking. Here’s what to do. https://www.welivesecurity.com/en/privacy/information-dark-web-what-happens-next/ 13 Jan 26 10:00 +0000 https://threats.wiz.io/all-incidents/voidlink-a-cloud-native-linux-malware-framework Researchers have uncovered VoidLink, a highly modular and cloud-native Linux malware framework featuring custom loaders, implants, kernel-level rootkits, and more than 30 in-memory plugins. Built in Zig and engineered for modern cloud and containerized environments, VoidLink a... https://threats.wiz.io/all-incidents/voidlink-a-cloud-native-linux-malware-framework 13 Jan 26 00:00 +0000 https://www.welivesecurity.com/en/cybersecurity/credential-stuffing-what-it-is-how-protect-yourself/ Reusing passwords may feel like a harmless shortcut – until a single breach opens the door to multiple accounts https://www.welivesecurity.com/en/cybersecurity/credential-stuffing-what-it-is-how-protect-yourself/ 08 Jan 26 10:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-december-2025/ As 2025 draws to a close, Tony looks back at the cybersecurity stories that stood out both in December and across the whole of this year https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-december-2025/ 29 Dec 25 10:00 +0000 https://threats.wiz.io/all-incidents/geoserver-rce-exploited-in-coinminer-campaigns The activity centers on CVE-2024-36401, a remote code execution vulnerability disclosed in 2024 that allows unauthenticated attackers to execute arbitrary commands on vulnerable GeoServer instances. Since disclosure, multiple threat actors have systematically scanned for expos... https://threats.wiz.io/all-incidents/geoserver-rce-exploited-in-coinminer-campaigns 26 Dec 25 00:00 +0000 https://ccb.belgium.be/fr/news/le-phishing-continue-daffecter-les-internautes-belges-pres-de-10-millions-de-messages-suspects Les Belges ont signalé près de 10 millions de messages suspects à suspect@safeonweb.be en 2025 https://ccb.belgium.be/fr/news/le-phishing-continue-daffecter-les-internautes-belges-pres-de-10-millions-de-messages-suspects 23 Dec 25 16:43 +0000 https://www.welivesecurity.com/en/scams/brush-online-fraud-what-are-brushing-scams-how-do-i-stay-safe/ Have you ever received a package you never ordered? It could be a warning sign that your data has been compromised, with more fraud to follow. https://www.welivesecurity.com/en/scams/brush-online-fraud-what-are-brushing-scams-how-do-i-stay-safe/ 23 Dec 25 10:00 +0000 https://ccb.belgium.be/fr/news/la-campagne-safeonweb-nest-pas-passee-inapercue Deux mois après son lancement, la campagne Safeonweb consacrée à la fraude à l’investissement démontre son succès.  https://ccb.belgium.be/fr/news/la-campagne-safeonweb-nest-pas-passee-inapercue 22 Dec 25 11:31 +0000 https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/ A comprehensive analysis and assessment of a critical severity vulnerability with low likelihood of mass exploitation https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/ 22 Dec 25 09:55 +0000 https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/ ESET researchers discovered a China-aligned APT group, LongNosedGoblin, which uses Group Policy to deploy cyberespionage tools across networks of governmental institutions https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/ 18 Dec 25 10:00 +0000 https://threats.wiz.io/all-incidents/amadey-loader-abuses-compromised-self-hosted-gitlab-to-deliver-stealc-infostealer Amadey, an established malware loader active since at least 2018, was observed downloading second-stage payloads from a hijacked self-hosted GitLab instance hosted on gitlab[.]bzctoons[.]net. The infrastructure appears to belong to a legitimate organization, with evidence sugg... https://threats.wiz.io/all-incidents/amadey-loader-abuses-compromised-self-hosted-gitlab-to-deliver-stealc-infostealer 18 Dec 25 00:00 +0000 https://threats.wiz.io/all-incidents/china-nexus-campaign-exploits-cve-2025-20393-in-cisco-email-security-devices On December 17, 2025 Cisco announced that they had detected a campaign exploiting a zero day in their email security devices. The vulnerability affects the physical and virtual versions of Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and ... https://threats.wiz.io/all-incidents/china-nexus-campaign-exploits-cve-2025-20393-in-cisco-email-security-devices 17 Dec 25 00:00 +0000 https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/ A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/ 16 Dec 25 09:50 +0000 https://www.welivesecurity.com/en/internet-of-things/black-hat-europe-2025-device-designed-internet/ Behind the polished exterior of many modern buildings sit outdated systems with vulnerabilities waiting to be found https://www.welivesecurity.com/en/internet-of-things/black-hat-europe-2025-device-designed-internet/ 12 Dec 25 15:22 +0000 https://www.welivesecurity.com/en/business-security/black-hat-europe-2025-reputation-ransomware/ Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victims https://www.welivesecurity.com/en/business-security/black-hat-europe-2025-reputation-ransomware/ 11 Dec 25 16:04 +0000 https://ccb.belgium.be/fr/news/le-ccb-celebre-10-ans-de-cybersecurite-en-belgique Le CCB fête son 10e anniversaire cette année, une décennie qui a vu la Belgique devenir l'un des pays européens les plus avancés en matière de protection numérique. https://ccb.belgium.be/fr/news/le-ccb-celebre-10-ans-de-cybersecurite-en-belgique 11 Dec 25 10:40 +0000 https://www.welivesecurity.com/en/business-security/locks-socs-cat-box-what-schrodinger-can-teach-us-about-cybersecurity/ If you don’t look inside your environment, you can’t know its true state – and attackers count on that https://www.welivesecurity.com/en/business-security/locks-socs-cat-box-what-schrodinger-can-teach-us-about-cybersecurity/ 11 Dec 25 10:00 +0000 https://www.welivesecurity.com/en/business-security/seeking-symmetry-attck-season-harness-todays-diverse-analyst-tester-landscape-paint-security-masterpiece/ Interpreting the vast cybersecurity vendor landscape through the lens of industry analysts and testing authorities can immensely enhance your cyber-resilience. https://www.welivesecurity.com/en/business-security/seeking-symmetry-attck-season-harness-todays-diverse-analyst-tester-landscape-paint-security-masterpiece/ 10 Dec 25 15:03 +0000 https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/ Is your organization’s senior leadership vulnerable to a cyber-harpooning? Learn how to keep them safe. https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/ 09 Dec 25 10:00 +0000 https://ccb.belgium.be/fr/news/le-projet-europeen-secure-renforce-la-cyber-resilience-des-pme En 2025, the CCB joined the EU-funded SECURE project, an initiative helping Small and Medium-sized Enterprises (SME) across Europe enhance their cybersecurity resilience. https://ccb.belgium.be/fr/news/le-projet-europeen-secure-renforce-la-cyber-resilience-des-pme 08 Dec 25 15:49 +0000 https://www.welivesecurity.com/en/business-security/phishing-privileges-passwords-identity-cybersecurity-posture/ Identity is effectively the new network boundary. It must be protected at all costs. https://www.welivesecurity.com/en/business-security/phishing-privileges-passwords-identity-cybersecurity-posture/ 04 Dec 25 10:00 +0000 https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ 02 Dec 25 10:00 +0000 https://ccb.belgium.be/fr/news/nis2-en-belgique-bilan-et-perspectives-apres-une-annee-de-mise-en-oeuvre En tant que premier pays de l'UE à avoir mis en place la directive dans sa loi nationale, la Belgique a montré l’exemple pour renforcer la résilience dans les secteurs clés et les chaînes d'approvisionnement numériques importantes https://ccb.belgium.be/fr/news/nis2-en-belgique-bilan-et-perspectives-apres-une-annee-de-mise-en-oeuvre 01 Dec 25 10:43 +0000 https://www.welivesecurity.com/en/business-security/oversharing-is-not-caring-stake-employees-post-too-much-online/ From LinkedIn to X, GitHub to Instagram, there are plenty of opportunities to share work-related information. But posting could also get your company into trouble. https://www.welivesecurity.com/en/business-security/oversharing-is-not-caring-stake-employees-post-too-much-online/ 01 Dec 25 10:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-november-2025/ Data exposure by top AI companies, the Akira ransomware haul, Operation Endgame against major malware families, and more of this month's cybersecurity news https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-november-2025/ 28 Nov 25 13:46 +0000 https://www.welivesecurity.com/en/kids-online/parents-protect-children-doxxing/ Online disagreements among young people can easily spiral out of control. Parents need to understand what’s at stake. https://www.welivesecurity.com/en/kids-online/parents-protect-children-doxxing/ 27 Nov 25 10:00 +0000 https://ccb.belgium.be/fr/news/mise-lhonneur-des-hackers-ethiques-belges-loccasion-de-htg2025 Le CCB organise aujourd’hui l'événement de clôture de #HackTheGovernment2025, une initiative nationale de hacking éthique https://ccb.belgium.be/fr/news/mise-lhonneur-des-hackers-ethiques-belges-loccasion-de-htg2025 26 Nov 25 09:28 +0000 https://www.welivesecurity.com/en/social-media/influencers-crosshairs-cybercriminals-targeting-content-creators/ Social media influencers can provide reach and trust for scams and malware distribution. Robust account protection is key to stopping the fraudsters. https://www.welivesecurity.com/en/social-media/influencers-crosshairs-cybercriminals-targeting-content-creators/ 25 Nov 25 10:00 +0000 https://ccb.belgium.be/fr/news/le-nouveau-paquet-digital-omnibus-de-lue-harmoniser-les-regles-sur-la-cybersecurite-lia-et-les Le paquet « Digital Omnibus » vise à simplifier et mettre à jour plusieurs réglementations européennes existantes dans les domaines de la cybersécurité, de l’IA et de la gouvernance des données https://ccb.belgium.be/fr/news/le-nouveau-paquet-digital-omnibus-de-lue-harmoniser-les-regles-sur-la-cybersecurite-lia-et-les 25 Nov 25 09:57 +0000 https://www.welivesecurity.com/en/business-security/mdr-answer-now-whats-question/ Why your business needs the best-of-breed combination of technology and human expertise https://www.welivesecurity.com/en/business-security/mdr-answer-now-whats-question/ 24 Nov 25 10:00 +0000 https://threats.wiz.io/all-incidents/shai-hulud-20-supply-chain-attack A new wave of the Shai-Hulud–style supply-chain attack has trojanized hundreds of npm packages—including widely used components from Zapier, ENS Domains, PostHog, and Postman—resulting in more than 25,000 GitHub repositories populated with stolen secrets. Beginning on November... https://threats.wiz.io/all-incidents/shai-hulud-20-supply-chain-attack 24 Nov 25 00:00 +0000 https://www.welivesecurity.com/en/privacy/osint-playbook-find-weak-spots-attackers-do/ Here’s how open-source intelligence helps trace your digital footprint and uncover your weak points, plus a few essential tools to connect the dots https://www.welivesecurity.com/en/privacy/osint-playbook-find-weak-spots-attackers-do/ 20 Nov 25 10:00 +0000 https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/ ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/ 19 Nov 25 09:55 +0000 https://threats.wiz.io/all-incidents/cryptomining-campaign-exploiting-exposed-ray-ai-infrastructure ShadowRay 2.0 targets Ray clusters whose dashboard / Jobs API is exposed without authentication. Attackers first use interact.sh (oast.fun) for out-of-band discovery, posting test jobs to /api/jobs/ that trigger HTTP/DNS callbacks to identify exploitable Ray dashboards. Once a... https://threats.wiz.io/all-incidents/cryptomining-campaign-exploiting-exposed-ray-ai-infrastructure 19 Nov 25 00:00 +0000 https://www.welivesecurity.com/en/privacy/romantic-ai-chatbot-keep-secret/ Does your chatbot know too much? Here's why you should think twice before you tell your AI companion everything. https://www.welivesecurity.com/en/privacy/romantic-ai-chatbot-keep-secret/ 17 Nov 25 10:00 +0000 https://ccb.belgium.be/fr/news/les-hackers-ethiques-belges-au-service-de-la-securite-numerique-publique La deuxième édition de HTG a été lancée hier. Les hackers éthiques contribuent à la protection de l’infrastructure informatique des services publics fédéraux belges. https://ccb.belgium.be/fr/news/les-hackers-ethiques-belges-au-service-de-la-securite-numerique-publique 13 Nov 25 12:58 +0000 https://www.welivesecurity.com/en/cybersecurity/password-managers-under-attack-what-you-should-know/ Look no further to learn how cybercriminals could try to crack your vault and how you can keep your logins safe https://www.welivesecurity.com/en/cybersecurity/password-managers-under-attack-what-you-should-know/ 13 Nov 25 10:00 +0000 https://threats.wiz.io/all-incidents/cisco-ise-vulnerability-exploited-as-0day-by-apt Researchers uncovered an advanced persistent threat (APT) exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems (CitrixBleed2). The vulnerabilities, tracked as CVE-2025-20337 and CVE-2025-5777, were leveraged by the attackers to deploy ... https://threats.wiz.io/all-incidents/cisco-ise-vulnerability-exploited-as-0day-by-apt 13 Nov 25 00:00 +0000 https://threats.wiz.io/all-incidents/unauthenticated-remote-access-via-triofox-vulnerability-exploited-by-unc6485 Researchers uncovered active exploitation of an unauthenticated access vulnerability (CVE-2025-12480) in Gladinet’s Triofox remote access platform by the threat cluster UNC6485. The flaw, present in versions before 16.7.10368.56560, allowed attackers to bypass authentication u... https://threats.wiz.io/all-incidents/unauthenticated-remote-access-via-triofox-vulnerability-exploited-by-unc6485 12 Nov 25 00:00 +0000 https://www.welivesecurity.com/en/business-security/shadow-ai-security-blind-spot/ From unintentional data leakage to buggy code, here’s why you should care about unsanctioned AI use in your company https://www.welivesecurity.com/en/business-security/shadow-ai-security-blind-spot/ 11 Nov 25 10:00 +0000 https://threats.wiz.io/all-incidents/gambling-network-exploits-abandoned-subdomains A routine asset scan for a major entertainment company uncovered a massive gambling operation hiding behind legitimate e-commerce infrastructure. The discovery began with a simple subdomain takeover on Shopify-an abandoned DNS mapping that had been left active after decommissi... https://threats.wiz.io/all-incidents/gambling-network-exploits-abandoned-subdomains 11 Nov 25 00:00 +0000 https://ccb.belgium.be/fr/news/la-campagne-safeonweb-contre-la-fraude-linvestissement-rencontre-un-franc-succes Protéger les citoyens contre les fraudes à l’investissement demeure une priorité du CCB. https://ccb.belgium.be/fr/news/la-campagne-safeonweb-contre-la-fraude-linvestissement-rencontre-un-franc-succes 10 Nov 25 15:03 +0000 https://www.welivesecurity.com/en/cybersecurity/in-memoriam-david-harley/ Former colleagues and friends remember the cybersecurity researcher, author, and mentor whose work bridged the human and technical sides of security https://www.welivesecurity.com/en/cybersecurity/in-memoriam-david-harley/ 07 Nov 25 13:46 +0000 https://www.welivesecurity.com/en/videos/who-where-how-apt-attacks-q2-2025-q3-2025/ ESET Chief Security Evangelist Tony Anscombe highlights some of the key findings from the latest issue of the ESET APT Activity Report https://www.welivesecurity.com/en/videos/who-where-how-apt-attacks-q2-2025-q3-2025/ 07 Nov 25 12:34 +0000 https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2025-q3-2025/ An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2025 and Q3 2025 https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2025-q3-2025/ 06 Nov 25 09:45 +0000 https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-sharing-scam/ How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-sharing-scam/ 05 Nov 25 10:00 +0000 https://threats.wiz.io/all-incidents/china-linked-actors-target-us-policy-oriented-non-profit-organisations A China-linked espionage campaign targeted a U.S. non-profit organization engaged in influencing government policy, maintaining weeks of access in April 2025. The intrusion leveraged legitimate binaries for DLL sideloading and persistence, consistent with techniques observed i... https://threats.wiz.io/all-incidents/china-linked-actors-target-us-policy-oriented-non-profit-organisations 05 Nov 25 00:00 +0000 https://www.welivesecurity.com/en/videos/how-social-engineering-works-unlocked-403-cybersecurity-podcast-s2e6/ Think you could never fall for an online scam? Think again. Here's how scammers could exploit psychology to deceive you – and what you can do to stay one step ahead https://www.welivesecurity.com/en/videos/how-social-engineering-works-unlocked-403-cybersecurity-podcast-s2e6/ 04 Nov 25 10:00 +0000 https://www.welivesecurity.com/en/business-security/ground-zero-5-things-discovering-cyberattack/ When every minute counts, preparation and precision can mean the difference between disruption and disaster https://www.welivesecurity.com/en/business-security/ground-zero-5-things-discovering-cyberattack/ 03 Nov 25 10:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-october-2025/ From the end of Windows 10 support to scams on TikTok and state-aligned hackers wielding AI, October's headlines offer a glimpse of what's shaping cybersecurity right now https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-october-2025/ 31 Oct 25 10:00 +0000 https://threats.wiz.io/all-incidents/trufflenet-campaign-exploits-aws-ses-for-large-scale-cloud-abuse-and-bec-fraud Researchers uncovered a coordinated campaign leveraging stolen AWS credentials to automate reconnaissance and abuse Amazon Simple Email Service (SES) for Business Email Compromise (BEC) operations. The attackers used a custom infrastructure dubbed TruffleNet, built around the ... https://threats.wiz.io/all-incidents/trufflenet-campaign-exploits-aws-ses-for-large-scale-cloud-abuse-and-bec-fraud 31 Oct 25 00:00 +0000 https://www.welivesecurity.com/en/scams/fraud-prevention-how-help-older-family-members-avoid-scams/ Families that combine open communication with effective behavioral and technical safeguards can cut the risk dramatically https://www.welivesecurity.com/en/scams/fraud-prevention-how-help-older-family-members-avoid-scams/ 30 Oct 25 10:00 +0000 https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-when-seeing-isnt-believing/ Deepfakes are blurring the line between real and fake and fraudsters are cashing in, using synthetic media for all manner of scams https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-when-seeing-isnt-believing/ 29 Oct 25 10:00 +0000 https://ccb.belgium.be/fr/news/votre-avis-compte-comment-simplifier-les-regles-cyber-de-lue CCB News https://ccb.belgium.be/fr/news/votre-avis-compte-comment-simplifier-les-regles-cyber-de-lue 29 Oct 25 09:14 +0000 https://www.welivesecurity.com/en/business-security/recruitment-spot-spy-job-seeker/ Here’s what to know about a recent spin on an insider threat – fake North Korean IT workers infiltrating western firms https://www.welivesecurity.com/en/business-security/recruitment-spot-spy-job-seeker/ 28 Oct 25 10:00 +0000 https://threats.wiz.io/all-incidents/tata-motors-hardcoded-aws-keys-and-api-tokens-exposed- Security researcher Eaton Zveare disclosed that in 2023 multiple public-facing Tata Motors applications (notably the E-Dukaan marketplace and the FleetEdge fleet product) contained hardcoded or client-recoverable cloud credentials and API tokens that allowed access to hundreds... https://threats.wiz.io/all-incidents/tata-motors-hardcoded-aws-keys-and-api-tokens-exposed- 28 Oct 25 00:00 +0000 https://ccb.belgium.be/fr/news/un-exercice-national-de-cybercrise-teste-la-cooperation-la-communication-et-la-reponse Le 23 octobre 2025, le Centre pour la cybersécurité Belgique (CCB) et le Centre national de crise (NCCN) ont organisé un exercice de cybercrise à grande échelle. Cet exercice avait pour objectif de tester et d'affiner le plan d'urgence national en… https://ccb.belgium.be/fr/news/un-exercice-national-de-cybercrise-teste-la-cooperation-la-communication-et-la-reponse 27 Oct 25 13:19 +0000 https://ccb.belgium.be/fr/news/lancement-de-cyfunr-2025 Découvrez CyFun® 2025, la dernière édition du CyberFundamentals Framework. Cette version marque une avancée significative dans le renforcement des pratiques de cybersécurité et leur harmonisation avec l'environnement numérique en constante évolution. https://ccb.belgium.be/fr/news/lancement-de-cyfunr-2025 27 Oct 25 13:10 +0000 https://www.welivesecurity.com/en/business-security/mdr-msps-edge-competitive-market/ With cybersecurity talent in short supply and threats evolving fast, managed detection and response is emerging as a strategic necessity for MSPs https://www.welivesecurity.com/en/business-security/mdr-msps-edge-competitive-market/ 27 Oct 25 10:00 +0000 https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-cyber-risk-thrives-shadows/ Shadow IT leaves organizations exposed to cyberattacks and raises the risk of data loss and compliance failures https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-cyber-risk-thrives-shadows/ 24 Oct 25 11:53 +0000 https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/ ESET research analyzes a recent instance of the Operation DreamJob cyberespionage campaign conducted by Lazarus, a North Korea-aligned APT group https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/ 23 Oct 25 04:00 +0000 https://www.welivesecurity.com/en/malware/snakestealer-personal-data-stay-safe/ Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts https://www.welivesecurity.com/en/malware/snakestealer-personal-data-stay-safe/ 22 Oct 25 09:00 +0000 https://threats.wiz.io/all-incidents/iis-backdoor-exploiting-exposed-aspnet-machine-keys Initial access leverages IIS apps configured with reused/public machineKey (ValidationKey/DecryptionKey) values, enabling __VIEWSTATE deserialization to run arbitrary commands. Following foothold, REF3927 deploys Godzilla-family webshells (e.g., 1.aspx) and GotoHTTP for GUI ac... https://threats.wiz.io/all-incidents/iis-backdoor-exploiting-exposed-aspnet-machine-keys 22 Oct 25 00:00 +0000 https://threats.wiz.io/all-incidents/passiveneuron-campaign-espionage-campaign-targeting-windows-server-environments Attackers obtain remote code execution through abuse of SQL-server environments (exploitation, SQL injection, or credential compromise) and attempt to install web shells. When detection (e.g., endpoint AV) blocks the web-shell stage they escalate to a multi-stage DLL loader ch... https://threats.wiz.io/all-incidents/passiveneuron-campaign-espionage-campaign-targeting-windows-server-environments 21 Oct 25 00:00 +0000 https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-resilience-ransomware/ Ransomware rages on and no organization is too small to be targeted by cyber-extortionists. How can your business protect itself against the threat? https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-resilience-ransomware/ 20 Oct 25 14:11 +0000 https://ccb.belgium.be/fr/news/appel-candidatures-funding-cyber-soutien-aux-solutions-de-cybersecurite-des-pme-belges CCB News https://ccb.belgium.be/fr/news/appel-candidatures-funding-cyber-soutien-aux-solutions-de-cybersecurite-des-pme-belges 20 Oct 25 06:49 +0000 https://www.welivesecurity.com/en/kids-online/minecraft-mods-minefield-risks/ Some Minecraft mods don’t help build worlds – they break them. Here’s how malware can masquerade as a Minecraft mod. https://www.welivesecurity.com/en/kids-online/minecraft-mods-minefield-risks/ 16 Oct 25 09:00 +0000 https://www.welivesecurity.com/en/business-security/it-service-desks-security-blind-spot-business/ Could a simple call to the helpdesk enable threat actors to bypass your security controls? Here’s how your team can close a growing security gap. https://www.welivesecurity.com/en/business-security/it-service-desks-security-blind-spot-business/ 15 Oct 25 09:00 +0000 https://threats.wiz.io/all-incidents/f5-incident F5 disclosed a security incident in which a nation-state threat actor maintained persistent access to the company’s internal systems, including its BIG-IP product development and engineering knowledge management environments. The actor exfiltrated source code and information a... https://threats.wiz.io/all-incidents/f5-incident 15 Oct 25 00:00 +0000 https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-software-patching-matters/ As the number of software vulnerabilities continues to increase, delaying or skipping security updates could cost your business dearly. https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-software-patching-matters/ 14 Oct 25 14:21 +0000 https://threats.wiz.io/all-incidents/ebpf-rootkit-targeting-aws-and-linux-environments The infection began with the exploitation of a vulnerable Jenkins server (CVE-2024-238976), which enabled lateral movement into AWS EKS clusters. The threat actor deployed a malicious Docker image (kvlnt/vv) containing a Rust-based downloader (vGet) that retrieved an encrypted... https://threats.wiz.io/all-incidents/ebpf-rootkit-targeting-aws-and-linux-environments 14 Oct 25 00:00 +0000 https://ccb.belgium.be/fr/news/la-ccb-met-en-garde-contre-une-campagne-visant-linstallation-dapplications-pdf-infectees-par Le CCB recommande vivement de prendre rapidement des mesures préventives https://ccb.belgium.be/fr/news/la-ccb-met-en-garde-contre-une-campagne-visant-linstallation-dapplications-pdf-infectees-par 13 Oct 25 14:00 +0000 https://www.welivesecurity.com/en/social-media/ai-aided-malvertising-chatbot-scams/ Cybercriminals have tricked X’s AI chatbot into promoting phishing scams in a technique that has been nicknamed “Grokking”. Here’s what to know about it. https://www.welivesecurity.com/en/social-media/ai-aided-malvertising-chatbot-scams/ 13 Oct 25 09:00 +0000 https://www.welivesecurity.com/en/privacy/how-uber-seems-know-where-you-are-restricted-location-permissions/ Is the ride-hailing app secretly tracking you? Not really, but this iOS feature may make it feel that way. https://www.welivesecurity.com/en/privacy/how-uber-seems-know-where-you-are-restricted-location-permissions/ 09 Oct 25 09:00 +0000 https://ccb.belgium.be/fr/news/se-preparer-lere-quantique-un-imperatif-strategique-pour-les-organisations-belges L’informatique quantique n’est plus une possibilité lointaine ; elle devient rapidement une réalité. Ce changement technologique représente un défi majeur pour les fondations cryptographiques qui sécurisent aujourd’hui les communications numériques… https://ccb.belgium.be/fr/news/se-preparer-lere-quantique-un-imperatif-strategique-pour-les-organisations-belges 08 Oct 25 15:06 +0000 https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-passwords-alone-are-not-enough/ Never rely on just a password, however strong it may be. Multi-factor authentication is essential for anyone who wants to protect their online accounts from intruders. https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-passwords-alone-are-not-enough/ 08 Oct 25 10:08 +0000 https://threats.wiz.io/all-incidents/supply-chain-risk-in-axis-autodesk-revit-plugin-due-to-exposed-azure-storage-credentials-and-revit-rce-vulnerabilities researchers uncovered exposed Azure Storage Account credentials embedded in Axis Communications’ Autodesk Revit plugin, enabling unauthorized read/write access to cloud-hosted installers and RFA model files. When combined with multiple remote-code-execution (RCE) vulnerabiliti... https://threats.wiz.io/all-incidents/supply-chain-risk-in-axis-autodesk-revit-plugin-due-to-exposed-azure-storage-credentials-and-revit-rce-vulnerabilities 08 Oct 25 00:00 +0000 https://www.welivesecurity.com/en/business-security/case-cybersecurity-successful-businesses-built-protection/ Company leaders need to recognize the gravity of cyber risk, turn awareness into action, and put security front and center https://www.welivesecurity.com/en/business-security/case-cybersecurity-successful-businesses-built-protection/ 07 Oct 25 09:00 +0000 https://ccb.belgium.be/fr/news/les-belgian-red-daemons-au-championnat-europeen-de-cybersecurite-de-jeunes-talents De 17 à 25 ans : l’équipe nationale belge de cybersécurité affronte l’élite européenne lors de l’ECSC, sous la direction d’experts du Centre pour la Cybersécurité Belgique. https://ccb.belgium.be/fr/news/les-belgian-red-daemons-au-championnat-europeen-de-cybersecurite-de-jeunes-talents 06 Oct 25 09:24 +0000 https://www.welivesecurity.com/en/malware/threats-lurking-pdf-files/ Looks can be deceiving, so much so that the familiar icon could mask malware designed to steal your data and money. https://www.welivesecurity.com/en/malware/threats-lurking-pdf-files/ 06 Oct 25 09:00 +0000 https://ccb.belgium.be/fr/news/safeonweb-lance-aujourdhui-une-campagne-nationale-de-prevention-contre-la-fraude Au cours du premier semestre 2025, la fraude en matière d'investissement en ligne a déjà coûté près de 15 millions d'euros aux Belges. C'est ce qui ressort des nouveaux chiffres publiés par la FSMA. Ce sont surtout les fausses plateformes de trading… https://ccb.belgium.be/fr/news/safeonweb-lance-aujourdhui-une-campagne-nationale-de-prevention-contre-la-fraude 03 Oct 25 10:24 +0000 https://www.welivesecurity.com/en/business-security/manufacturing-fire-strengthening-cyber-defenses-surging-threats/ Manufacturers operate in one of the most unforgiving threat environments and face a unique set of pressures that make attacks particularly damaging https://www.welivesecurity.com/en/business-security/manufacturing-fire-strengthening-cyber-defenses-surging-threats/ 03 Oct 25 09:00 +0000 https://ccb.belgium.be/fr/news/des-pirates-informatiques-crimson-collective-utilisent-des-tokens-dauthentification-fuites Red Hat confirme une violation de données qui présente un risque élevé pour les organisations belges. https://ccb.belgium.be/fr/news/des-pirates-informatiques-crimson-collective-utilisent-des-tokens-dauthentification-fuites 03 Oct 25 08:00 +0000 https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae/ ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae/ 02 Oct 25 08:55 +0000 https://threats.wiz.io/all-incidents/crimson-collective-claims-theft-of-customer-data-from-red-hat An extortion group calling themselves "Crimson Collective" has claimed to have stolen nearly 570 GB of data from Red Hat's private GitLab repositories. Red Hat confirmed a security incident to BleepingComputer, saying "Red Hat is aware of reports regarding a security incident ... https://threats.wiz.io/all-incidents/crimson-collective-claims-theft-of-customer-data-from-red-hat 02 Oct 25 00:00 +0000 https://threats.wiz.io/all-incidents/cl0p-extortion-campaign-claims-theft-via-oracle-e-business-suite In an October 1st Bloomberg article, Halcyon, a cybersecurity company responding to a related incident, has stated that the attackers gained access to the data by compromising user emails and abusing the default password-reset function. On October 2nd, Oracle posted a statemen... https://threats.wiz.io/all-incidents/cl0p-extortion-campaign-claims-theft-via-oracle-e-business-suite 02 Oct 25 00:00 +0000 https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-knowledge-power/ We're kicking off the month with a focus on the human element: the first line of defense, but also the path of least resistance for many cybercriminals https://www.welivesecurity.com/en/videos/cybersecurity-awareness-month-2025-knowledge-power/ 01 Oct 25 14:49 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-september-2025-edition/ The past 30 days have seen no shortage of new threats and incidents that brought into sharp relief the need for well-thought-out cyber-resilience plans https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-september-2025-edition/ 29 Sep 25 10:00 +0000 https://www.welivesecurity.com/en/kids-online/roblox-executors-fun-games-someone-gets-hacked/ You could be getting more than you bargained for when you download that cheat tool promising quick wins https://www.welivesecurity.com/en/kids-online/roblox-executors-fun-games-someone-gets-hacked/ 26 Sep 25 09:00 +0000 https://ccb.belgium.be/fr/news/le-ccb-envoie-un-message-fort-brucon-cette-annee Le CCB présente une nouvelle fois son « safe harbour » pour les chercheurs en cybersécurité https://ccb.belgium.be/fr/news/le-ccb-envoie-un-message-fort-brucon-cette-annee 26 Sep 25 08:36 +0000 https://threats.wiz.io/all-incidents/renewed-arcanedoor-campaign-targeting-0-day-vulnerabilities-in-cisco-asa Cisco has reported exploitation in the wild of two 0-day vulnerabilities affecting Cisco Adaptive Security Appliance (ASA), CVE-2025-20333 and CVE-2025-20362, allowing RCE and local privilege escalation, respectively. NCSC and CISA have corroborated these reports, noting the u... https://threats.wiz.io/all-incidents/renewed-arcanedoor-campaign-targeting-0-day-vulnerabilities-in-cisco-asa 26 Sep 25 00:00 +0000 https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/ Malware operators collaborate with covert North Korean IT workers, posing a threat to both headhunters and job seekers https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/ 25 Sep 25 08:59 +0000 https://threats.wiz.io/all-incidents/sonicwall-mysonicwall-cloud-backup-file-security-incident SonicWall has disclosed a security incident affecting its MySonicWall cloud backup service. Threat actors conducted brute force attacks on the MySonicWall.com portal and gained unauthorized access to a subset of firewall preference files. While fewer than 5% of firewall instal... https://threats.wiz.io/all-incidents/sonicwall-mysonicwall-cloud-backup-file-security-incident 25 Sep 25 00:00 +0000 https://threats.wiz.io/all-incidents/brickstorm-espionage-backdoor-targeting-us-tech-and-legal-sectors BRICKSTORM is a Go backdoor (with SOCKS proxying) deployed preferentially on Linux/BSD network and edge appliances that often lack EDR coverage. Attackers favor devices like VMware vCenter/ESXi as pivot points, using valid credentials harvested from appliances to move laterall... https://threats.wiz.io/all-incidents/brickstorm-espionage-backdoor-targeting-us-tech-and-legal-sectors 25 Sep 25 00:00 +0000 https://www.welivesecurity.com/en/malware/svg-files-spreading-malware/ What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware https://www.welivesecurity.com/en/malware/svg-files-spreading-malware/ 22 Sep 25 10:24 +0000 https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/ Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/ 19 Sep 25 08:55 +0000 https://www.welivesecurity.com/en/business-security/small-businesses-big-targets-protecting-business-ransomware/ Long known to be a sweet spot for cybercriminals, small businesses are more likely to be victimized by ransomware than large enterprises https://www.welivesecurity.com/en/business-security/small-businesses-big-targets-protecting-business-ransomware/ 18 Sep 25 09:00 +0000 https://www.welivesecurity.com/en/videos/hybridpetya-petya-notpetya-copycat-twist/ HybridPetya is the fourth publicly known real or proof-of-concept bootkit with UEFI Secure Boot bypass functionality https://www.welivesecurity.com/en/videos/hybridpetya-petya-notpetya-copycat-twist/ 16 Sep 25 11:33 +0000 https://threats.wiz.io/all-incidents/shai-hulud-ongoing-package-supply-chain-compromise-delivering-data-stealing-malware On September 15, 2025, malicious versions of multiple popular packages were published to npm with a post-install script that harvested sensitive developer assets and exfiltrated data to attacker-created public GitHub repos named Shai-Hulud. Wiz Research estimates that this act... https://threats.wiz.io/all-incidents/shai-hulud-ongoing-package-supply-chain-compromise-delivering-data-stealing-malware 15 Sep 25 00:00 +0000 https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/ UEFI copycat of Petya/NotPetya exploiting CVE-2024-7344 discovered on VirusTotal https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/ 12 Sep 25 09:00 +0000 https://www.welivesecurity.com/en/business-security/cybercriminals-hacking-systems-logging-in/ As bad actors often simply waltz through companies’ digital front doors with a key, here’s how to keep your own door locked tight https://www.welivesecurity.com/en/business-security/cybercriminals-hacking-systems-logging-in/ 11 Sep 25 08:55 +0000 https://www.welivesecurity.com/en/business-security/preventing-business-disruption-building-cyber-resilience-mdr/ Given the serious financial and reputational risks of incidents that grind business to a halt, organizations need to prioritize a prevention-first cybersecurity strategy https://www.welivesecurity.com/en/business-security/preventing-business-disruption-building-cyber-resilience-mdr/ 09 Sep 25 09:00 +0000 https://ccb.belgium.be/fr/news/le-ccb-et-le-spf-economie-unissent-leurs-forces-contre-la-fraude-en-ligne Cette approche a déjà été utilisée pour 30 sites web, ce qui a permis d’alerter près de 25.000 personnes à temps https://ccb.belgium.be/fr/news/le-ccb-et-le-spf-economie-unissent-leurs-forces-contre-la-fraude-en-ligne 09 Sep 25 04:27 +0000 https://threats.wiz.io/all-incidents/qix-npm-package-supply-chain-compromise On September 8, 2025, malicious new versions of 18 popular npm packages maintained by a developer known as Qix (incl. debug@4.4.2, chalk@5.6.1) were published to npm. If those versions were pulled into a frontend build and served to users, the injected code runs in the browser... https://threats.wiz.io/all-incidents/qix-npm-package-supply-chain-compromise 08 Sep 25 00:00 +0000 https://www.welivesecurity.com/en/business-security/under-lock-key-safeguarding-business-data-encryption/ As the attack surface expands and the threat landscape grows more complex, it’s time to consider whether your data protection strategy is fit for purpose https://www.welivesecurity.com/en/business-security/under-lock-key-safeguarding-business-data-encryption/ 05 Sep 25 08:53 +0000 https://threats.wiz.io/all-incidents/ghostaction-campaign On September 5, 2025, GitGuardian reported a campaign titled "GhostAction": attackers with write access to GitHub repositories - gained by an unknown initial access vector - added a malicious GitHub Actions workflow that exfiltrates CI/CD secrets via HTTP POST to an attacker-c... https://threats.wiz.io/all-incidents/ghostaction-campaign 05 Sep 25 00:00 +0000 https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/ ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/ 04 Sep 25 08:55 +0000 https://ccb.belgium.be/fr/news/dns-belgium-et-ccb-renforcent-leur-collaboration La CCB et DNS Belgium ont mis au point des guides techniques sur les protocoles de sécurité des e-mails https://ccb.belgium.be/fr/news/dns-belgium-et-ccb-renforcent-leur-collaboration 03 Sep 25 08:30 +0000 https://threats.wiz.io/all-incidents/compromised-salesloft-drift-tokens-enable-data-theft-across-integrations Google Threat Intelligence Group report a widespread data-theft campaign abusing OAuth tokens tied to Salesloft Drift. Initially observed against Salesforce orgs (Aug 8–18, 2025), the scope now includes other Drift integrations: on Aug 9, a small number of Google Workspace mai... https://threats.wiz.io/all-incidents/compromised-salesloft-drift-tokens-enable-data-theft-across-integrations 02 Sep 25 00:00 +0000 https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-august-2025/ From Meta shutting down millions of WhatsApp accounts linked to scam centers all the way to attacks at water facilities in Europe, August 2025 saw no shortage of impactful cybersecurity news https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-august-2025/ 28 Aug 25 09:00 +0000 https://ccb.belgium.be/fr/news/nouvelles-possibilites-de-financement-de-lue-dans-le-domaine-de-la-cybersecurite-les-appels CCB News https://ccb.belgium.be/fr/news/nouvelles-possibilites-de-financement-de-lue-dans-le-domaine-de-la-cybersecurite-les-appels 28 Aug 25 08:47 +0000 https://threats.wiz.io/all-incidents/storm-0501-deploys-cloud-based-ransomware After attaining domain admin on-prem, Storm-0501 evaded visibility gaps (checking Defender services), moved laterally with Evil-WinRM, and performed DCSync. They compromised Entra Connect Sync servers, used the Directory Synchronization Account (DSA) to enumerate identities/re... https://threats.wiz.io/all-incidents/storm-0501-deploys-cloud-based-ransomware 28 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/nx-package-supply-chain-compromise-delivers-data-stealing-malware The compromise introduced a malicious telemetry.js file triggered via a post-install script in the npm package. The payload executed only on Linux and macOS systems, systematically searching for sensitive files (wallets, keystores, .env, SSH keys) and extracting credentials (g... https://threats.wiz.io/all-incidents/nx-package-supply-chain-compromise-delivers-data-stealing-malware 27 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/genesis-pandas-cloud-intrusions-persistent-control-plane-exploitation-and-access-brokerage GENESIS PANDA begins attacks by exploiting exposed services (e.g., Jenkins) and querying Instance Metadata Services (IMDS) on compromised cloud-hosted VMs to harvest credentials. With this access, the actor pivots into the cloud control plane, enabling actions like SSH access ... https://threats.wiz.io/all-incidents/genesis-pandas-cloud-intrusions-persistent-control-plane-exploitation-and-access-brokerage 24 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/silk-typhoon-exploiting-trusted-relationships-for-cloud-environments-compromise Silk Typhoon (a.k.a Murky Panda) achieves initial access primarily through exploiting internet-facing appliances (e.g., Citrix NetScaler ADC, CVE-2023-3519) and has also been observed compromising SOHO devices to mask activity. Once inside, the adversary deploys web shells suc... https://threats.wiz.io/all-incidents/silk-typhoon-exploiting-trusted-relationships-for-cloud-environments-compromise 24 Aug 25 00:00 +0000 https://ccb.belgium.be/fr/news/moins-de-la-moitie-des-entreprises-belges-utilisent-les-mesures-de-securite-les-plus Une étude récente du CCB révèle que les entreprises belges n’utilisent pas suffisamment la double authentification (2FA)  https://ccb.belgium.be/fr/news/moins-de-la-moitie-des-entreprises-belges-utilisent-les-mesures-de-securite-les-plus 22 Aug 25 08:23 +0000 https://threats.wiz.io/all-incidents/salesloft-drift-supply-chain-compromise On 2025-08-21, an incident was reported, involving UNC6395, gaining initial access via Unknown, to achieve Supply chain attack. https://threats.wiz.io/all-incidents/salesloft-drift-supply-chain-compromise 21 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/warlock-ransomware-exploiting-sharepoint-vulnerabilities- Warlock ransomware is exploiting Microsoft SharePoint vulnerabilities to infiltrate enterprise environments. Attackers gain initial access by uploading web shells through targeted HTTP POST requests, then escalate privileges via Group Policy abuse and compromised accounts. The... https://threats.wiz.io/all-incidents/warlock-ransomware-exploiting-sharepoint-vulnerabilities- 20 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/dripdropper-malware-exploits-patched-apache-activemq-for-persistence-on-cloud-linux-systems The attack chain begins with exploitation of the Apache ActiveMQ RCE vulnerability (CVE-2023-46604) on cloud Linux hosts. Upon gaining access, the attacker installs the Sliver C2 implant and modifies sshd settings to permit root login over SSH, then downloads and executes the ... https://threats.wiz.io/all-incidents/dripdropper-malware-exploits-patched-apache-activemq-for-persistence-on-cloud-linux-systems 19 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/uat-7237-targets-taiwanese-web-infrastructure-using-customized-open-source-tools Researchers uncovered a sophisticated intrusion by UAT-7237, a Chinese-speaking APT group active since at least 2022 and likely a subgroup of UAT-5918. The group recently compromised a Taiwanese web hosting provider, targeting its VPN and cloud infrastructure. Unlike its paren... https://threats.wiz.io/all-incidents/uat-7237-targets-taiwanese-web-infrastructure-using-customized-open-source-tools 18 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/akira-ransomware-targeting-critical-vulnerability-in-sonicwall-sslvpn Researchers identified active exploitation of CVE-2024-40766 in SonicWall's seventh-generation firewalls, specifically impacting SSL VPN functionality. Threat actors are bypassing multi-factor authentication (MFA), gaining privileged access, and deploying Akira ransomware. The... https://threats.wiz.io/all-incidents/akira-ransomware-targeting-critical-vulnerability-in-sonicwall-sslvpn 06 Aug 25 00:00 +0000 https://threats.wiz.io/all-incidents/plague-pam-based-backdoor-for-linux A newly discovered Linux backdoor, dubbed Plague, was embedded as a malicious PAM (Pluggable Authentication Module) component. Designed to silently bypass system authentication, Plague grants attackers persistent SSH access while evading all known antivirus detection and leavi... https://threats.wiz.io/all-incidents/plague-pam-based-backdoor-for-linux 04 Aug 25 00:00 +0000 https://ccb.belgium.be/fr/news/vulnerabilite-critique-de-sharepoint-les-organisations-belges-sont-invitees-agir-immediatement Le Centre pour la Cybersécurité Belgique (CCB) met en garde les organisations contre de graves vulnérabilités dans Microsoft SharePoint Server. Cette vulnérabilité permet à des pirates d'exécuter du code à distance sur des serveurs SharePoint non… https://ccb.belgium.be/fr/news/vulnerabilite-critique-de-sharepoint-les-organisations-belges-sont-invitees-agir-immediatement 31 Jul 25 08:07 +0000 https://ccb.belgium.be/fr/news/vulnerabilite-critique-de-sharepoint-les-organisations-belges-ont-reagi-rapidement-et-de CCB News https://ccb.belgium.be/fr/news/vulnerabilite-critique-de-sharepoint-les-organisations-belges-ont-reagi-rapidement-et-de 31 Jul 25 08:07 +0000 https://threats.wiz.io/all-incidents/auto-color-malware-exploits-sap-vulnerability-for--linux-backdoor In April 2025, a threat actor exploited CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy the Auto-Color backdoor malware on a US-based chemical company's network. The intrusion began with suspicious ZIP file downloads and DNS tunneling to test exploitabilit... https://threats.wiz.io/all-incidents/auto-color-malware-exploits-sap-vulnerability-for--linux-backdoor 29 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/aws-codebuild-vulnerability-allows-build-process-secrets-extraction The vulnerability in AWS CodeBuild arises when a source code repository is configured to trigger builds based on pull requests or other actions from untrusted contributors. In such cases, an attacker can submit a pull request containing arbitrary code, which is then executed i... https://threats.wiz.io/all-incidents/aws-codebuild-vulnerability-allows-build-process-secrets-extraction 23 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/soco404-cryptomining-campaign-exploits-postgresql-and-cloud-misconfigurations Wiz Research has uncovered an ongoing, sophisticated cryptomining campaign dubbed Soco404, which targets both Linux and Windows systems in cloud environments. The campaign exploits exposed PostgreSQL instances and vulnerable Apache Tomcat servers to achieve initial access, the... https://threats.wiz.io/all-incidents/soco404-cryptomining-campaign-exploits-postgresql-and-cloud-misconfigurations 23 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/mimo-targets-magento-docker-and-cloud-environments The threat actor known as Mimo (or Mimo’lette) has expanded its intrusion operations from Craft CMS to the Magento ecommerce platform, Docker environments, and cloud instances. Mimo exploits PHP-FPM vulnerabilities in Magento to gain initial access, establishes persistence usi... https://threats.wiz.io/all-incidents/mimo-targets-magento-docker-and-cloud-environments 21 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/supply-chain-attack-on-npm-packages-via-maintainer-phishing A phishing attack targeting a popular npm maintainer led to the compromise of several widely used packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and others. The attacker stole the maintainer’s npm token via a spoofed email and used it ... https://threats.wiz.io/all-incidents/supply-chain-attack-on-npm-packages-via-maintainer-phishing 20 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/0day-vulnerability-in-microsoft-sharepoint-exploited-in-the-wild Microsoft has disclosed two actively exploited zero-day vulnerabilities in on-premises SharePoint Server—CVE-2025-53770 (RCE via unsafe deserialization) and CVE-2025-53771 (authentication bypass via Referer header spoofing). These flaws form a chained exploit known as ToolShel... https://threats.wiz.io/all-incidents/0day-vulnerability-in-microsoft-sharepoint-exploited-in-the-wild 20 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/linuxsys-cryptominer-campaign The Linuxsys cryptominer is part of a long-running campaign active since at least 2021, consistently exploiting multiple web application vulnerabilities to deploy the Linuxsys coinminer on compromised systems. The attacker utilizes a stable methodology: exploiting n-day vulner... https://threats.wiz.io/all-incidents/linuxsys-cryptominer-campaign 17 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/in-memory-iis-attacks-via-view-state-deserialization Unit 42 researchers uncovered a campaign by a threat actor they call TGR-CRI-0045—assessed with medium confidence to be part of the Gold Melody (UNC961/Prophet Spider) group—targeting ASP.NET IIS servers using compromised Machine Keys. This group, acting as an Initial Access B... https://threats.wiz.io/all-incidents/in-memory-iis-attacks-via-view-state-deserialization 08 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/aws-data-exfiltration-and-attempted-ransomware In February 2025, a UK-based AWS environment was infiltrated using compromised VPN credentials. The threat actor conducted internal reconnaissance with Nmap and staged data exfiltration using the Rclone tool, transferring sensitive files from AWS file servers, particularly fin... https://threats.wiz.io/all-incidents/aws-data-exfiltration-and-attempted-ransomware 08 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/aws-network-exploitation-and-ransomware-detonation AWS customer faced a compromise through a SonicWall SMA 500v EC2 instance that was improperly exposed to the internet. The attacker connected via multiple Vultr VPS endpoints, performed network scans, and moved laterally between EC2 instances using RDP. Over 700 GB of data was... https://threats.wiz.io/all-incidents/aws-network-exploitation-and-ransomware-detonation 08 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/azure-account-hijack-via-stolen-tokens In early 2024, a Darktrace customer’s Azure environment was compromised after attackers stole access tokens linked to an external consultant’s account, obtained via cracked software. Using these tokens, the attacker authenticated into the Azure environment, modified security r... https://threats.wiz.io/all-incidents/azure-account-hijack-via-stolen-tokens 08 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/unc5174-exploits-ivanti-csa-zero-days-in-houken-campaign The attacker chained Ivanti CSA zero-days to execute a base64-encoded Python script, which extracted the admin password from a local PostgreSQL database. Using this access, the attacker created or modified PHP scripts to serve as webshells and sometimes deployed a custom Linux... https://threats.wiz.io/all-incidents/unc5174-exploits-ivanti-csa-zero-days-in-houken-campaign 03 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/jdwp-exploited-in-the-wild On 2025-07-02, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, targeting JDWP, TeamCity to achieve Resource hijacking. The following tools were observed: XMRig. https://threats.wiz.io/all-incidents/jdwp-exploited-in-the-wild 02 Jul 25 00:00 +0000 https://threats.wiz.io/all-incidents/linux-ssh-servers-compromised-to-deploy-proxies In one attack chain, a Bash script retrieved from 0x0[.]st was used to install TinyProxy via common package managers like apt, yum, or dnf. The script then modified configuration files to allow unrestricted external access (Allow 0.0.0.0/0), exposing the proxy service on port ... https://threats.wiz.io/all-incidents/linux-ssh-servers-compromised-to-deploy-proxies 30 Jun 25 00:00 +0000 https://threats.wiz.io/all-incidents/attacks-on-korean-iis--linux-servers In June 2025 researchers documented a campaign that breaches vulnerable South-Korean IIS web servers—and sometimes adjacent Linux hosts—by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery ... https://threats.wiz.io/all-incidents/attacks-on-korean-iis--linux-servers 25 Jun 25 00:00 +0000 https://ccb.belgium.be/fr/news/cybersecurite-europeenne-donnez-votre-avis-sur-les-enjeux-de-demain CCB News https://ccb.belgium.be/fr/news/cybersecurite-europeenne-donnez-votre-avis-sur-les-enjeux-de-demain 19 Jun 25 09:44 +0000 https://threats.wiz.io/all-incidents/langflow-vulnerability-exploited-to-deliver-flodrix-botnet CVE-2025-3248 is an unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular Python-based framework for building AI applications. The flaw lies in the code validation endpoint, which fails to enforce authentication or sandboxing when parsing and executi... https://threats.wiz.io/all-incidents/langflow-vulnerability-exploited-to-deliver-flodrix-botnet 17 Jun 25 00:00 +0000 https://threats.wiz.io/all-incidents/sfiretruck-malicious-javascript-campaign-using-obfuscation Researchers uncovered a large-scale malvertising campaign, active primarily between March 26 and April 25, 2025, during which over 269,000 legitimate websites were compromised with highly obfuscated JavaScript code dubbed “JSFireTruck” (a euphemism for JSF*ck). Using only six ... https://threats.wiz.io/all-incidents/sfiretruck-malicious-javascript-campaign-using-obfuscation 12 Jun 25 00:00 +0000 https://threats.wiz.io/all-incidents/teamfiltration-account-takeover-campaign On 2025-06-11, a campaign was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Password spraying, Resource enumeration, targeting Microsoft OneDrive, Microsoft Outlook, Microsoft Teams to achieve Data exfiltration. The following tools were observed: TeamFiltration. https://threats.wiz.io/all-incidents/teamfiltration-account-takeover-campaign 11 Jun 25 00:00 +0000 https://threats.wiz.io/all-incidents/npm-supply-chain-attack-compromises-16-popular-react-native-and-gluestack-packages A threat actor compromised 16 highly popular React Native and GlueStack packages, collectively downloaded over a million times weekly. The attackers inserted a stealthy backdoor into these packages using whitespace obfuscation to hide malicious code. The payload is a Remote Ac... https://threats.wiz.io/all-incidents/npm-supply-chain-attack-compromises-16-popular-react-native-and-gluestack-packages 07 Jun 25 00:00 +0000 https://ccb.belgium.be/fr/news/le-conseil-de-lunion-europeenne-adopte-un-nouveau-plan-daction-en-matiere-de-cybersecurite Le 24 février 2025, sur proposition de la Commission européenne, le Conseil de l’Union européenne a entamé des discussions sur un nouveau plan d’action en matière de cybersécurité.  https://ccb.belgium.be/fr/news/le-conseil-de-lunion-europeenne-adopte-un-nouveau-plan-daction-en-matiere-de-cybersecurite 06 Jun 25 10:12 +0000 https://threats.wiz.io/all-incidents/open-webui-misconfiguration-exploited-for-cryptojacking Researchers discovered an active exploitation of a misconfigured Open WebUI instance—a self-hosted interface for large language models (LLMs)—that was exposed to the internet with administrator access enabled and no authentication. A threat actor leveraged this misconfiguratio... https://threats.wiz.io/all-incidents/open-webui-misconfiguration-exploited-for-cryptojacking 03 Jun 25 00:00 +0000 https://threats.wiz.io/all-incidents/cryptojacking-campaign-targets-misconfigured-devops-tools JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining remote code execution. These jobs download and run the XMRig miner from public GitHub releases, bypassing traditional IOC-based detection. Gitea in... https://threats.wiz.io/all-incidents/cryptojacking-campaign-targets-misconfigured-devops-tools 02 Jun 25 00:00 +0000 https://threats.wiz.io/all-incidents/earth-lamia-custom-toolkit-targets-multiple-sectors-via-web-vulnerabilities Earth Lamia, a suspected China-nexus APT group active since at least 2023, has expanded its cyber espionage campaigns across Brazil, India, and Southeast Asia. The group targets multiple industries — shifting from financial services to logistics, online retail, and currently I... https://threats.wiz.io/all-incidents/earth-lamia-custom-toolkit-targets-multiple-sectors-via-web-vulnerabilities 29 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/dragonforce-exploits-simplehelp-vulnerabilities-in-ransomware-campaign DragonForce gained access to an MSP’s SimpleHelp instance and weaponized its remote management capabilities to deliver a malicious installer to client environments. Once executed, the installer enabled credential harvesting, network reconnaissance, and ransomware deployment. T... https://threats.wiz.io/all-incidents/dragonforce-exploits-simplehelp-vulnerabilities-in-ransomware-campaign 28 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/coordinated-one-day-cloud-scanning-operation-targets-75-exposure-points On May 8, 2025, GreyNoise observed a tightly coordinated and large-scale reconnaissance campaign launched from 251 malicious IP addresses, all hosted on Amazon AWS and geolocated in Japan. These IPs were active for only one day and collectively triggered 75 distinct scanning b... https://threats.wiz.io/all-incidents/coordinated-one-day-cloud-scanning-operation-targets-75-exposure-points 28 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/mimo-exploits-craft-cms-rce-to-deploy-cryptominer-and-proxyware-in-coordinated-campaign Between February and May 2025, the intrusion set known as Mimo exploited CVE-2025-32432, a critical unauthenticated RCE in Craft CMS, to deploy a multi-stage infection chain observed via honeypots. The attack began by injecting a PHP webshell through a crafted GET request, fol... https://threats.wiz.io/all-incidents/mimo-exploits-craft-cms-rce-to-deploy-cryptominer-and-proxyware-in-coordinated-campaign 27 May 25 00:00 +0000 https://ccb.belgium.be/fr/news/locked-shields-le-plus-grand-et-complexe-exercice-cyber-en-conditions-reelles-au-monde Le CCB a été invité par le Cyber Command belge de la Défense à faire partie de l'équipe Locked Shields, un exercice à grande échelle organisé par l'OTAN. https://ccb.belgium.be/fr/news/locked-shields-le-plus-grand-et-complexe-exercice-cyber-en-conditions-reelles-au-monde 22 May 25 15:04 +0000 https://threats.wiz.io/all-incidents/ivanti-epmm-rce-vulnerability-chain-exploited-in-the-wild Wiz Threat Research has confirmed active in-the-wild exploitation of a vulnerability chain in Ivanti Endpoint Manager Mobile (EPMM), comprising CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (post-auth RCE). Exploited together, these flaws enable unauthenticated remot... https://threats.wiz.io/all-incidents/ivanti-epmm-rce-vulnerability-chain-exploited-in-the-wild 20 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/utg-q-015-exploits-0-days-for-espionage-in-asia UTG-Q-015, a Southeast Asia-based threat actor, escalated its operations in early 2025 by shifting to more aggressive tactics. Initially exposed in December 2024 for mounting attacks on Chinese developer forums, UTG-Q-015 evolved to exploit both 0-day and N-day vulnerabilities... https://threats.wiz.io/all-incidents/utg-q-015-exploits-0-days-for-espionage-in-asia 19 May 25 00:00 +0000 https://ccb.belgium.be/fr/news/wall-fame-les-autorites-belges-celebrent-lexcellence-des-hackers-ethiques Ce Belgian Wall of Fame est une initiative visant à mettre en valeur la contribution exceptionnelle des hackers éthiques pour la protection de l’infrastructure numérique nationale. https://ccb.belgium.be/fr/news/wall-fame-les-autorites-belges-celebrent-lexcellence-des-hackers-ethiques 16 May 25 10:29 +0000 https://ccb.belgium.be/fr/news/avertissement-exploitation-active-des-peripheriques-ivanti-connect-secure-eol La vulnérabilité Ivanti est actuellement exploitée activement, avec des conséquences très graves pour les organisations concernées. https://ccb.belgium.be/fr/news/avertissement-exploitation-active-des-peripheriques-ivanti-connect-secure-eol 16 May 25 09:54 +0000 https://ccb.belgium.be/fr/news/la-commission-lance-un-appel-candidatures-pour-la-selection-des-membres-du-nouveau-comite Appel à candidatures pour devenir membres du nouveau conseil consultatif sur la cybersécurité dans le domaine de la santé https://ccb.belgium.be/fr/news/la-commission-lance-un-appel-candidatures-pour-la-selection-des-membres-du-nouveau-comite 16 May 25 09:51 +0000 https://ccb.belgium.be/fr/news/reflexion-sur-2024-centre-pour-la-cybersecurite-belgique-etapes-importantes CCB News https://ccb.belgium.be/fr/news/reflexion-sur-2024-centre-pour-la-cybersecurite-belgique-etapes-importantes 13 May 25 09:21 +0000 https://threats.wiz.io/all-incidents/from-stolen-cloud-key-to-persistence-as-a-service A recent incident revealed attacker activity stemming from a leaked long-term AWS access key (AKIA*) belonging to a user in an organization’s AWS management account. Over a 150-minute period, five IP addresses abused the credentials to perform both well-known and novel cloud a... https://threats.wiz.io/all-incidents/from-stolen-cloud-key-to-persistence-as-a-service 13 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/redisraider-linux-cryptojacking-campaign-targets-redis-servers RedisRaider begins by indiscriminately scanning the IPv4 space for Redis servers open on port 6379. Upon identifying a target, the malware checks the server OS and uses Redis commands to inject a base64-encoded shell script as a cron job. It writes this payload to disk by reco... https://threats.wiz.io/all-incidents/redisraider-linux-cryptojacking-campaign-targets-redis-servers 08 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/comfyui-exploitation-campaign-- Baidu reports an exploitation campaign targeting publicly-exposed instances of ComfyUI. ComfyUI provides a GUI for AI image generation workflows. By default, it does not implement authentication. A popular extension, ComfyUI-Manager, allows an attacker to execute remote code v... https://threats.wiz.io/all-incidents/comfyui-exploitation-campaign-- 06 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/supply-chain-compromise-of- Researchers detected a malicious update to the popular npm package rand-user-agent, used for generating randomized user-agent strings. The attacker published multiple unauthorized versions (1.0.110, 2.0.83, 2.0.84) containing heavily obfuscated code designed to covertly instal... https://threats.wiz.io/all-incidents/supply-chain-compromise-of- 05 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/xai-leaked-api-key A security lapse at xAI, led to the exposure of a private API key on GitHub by a company employee. The leaked credential, discovered by Philippe Caturegli and validated by GitGuardian, provided access to at least 60 private and unreleased large language models (LLMs), includin... https://threats.wiz.io/all-incidents/xai-leaked-api-key 01 May 25 00:00 +0000 https://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks In early 2025, AhnLab Security Intelligence Center (ASEC) discovered a targeted attack campaign dubbed Larva-25003, believed to be operated by Chinese-speaking threat actors. The attackers gained access to poorly secured Microsoft IIS web servers in South Korea and deployed a ... https://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks 30 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/nodejs-repository-cicd-vulnerable-to-rce A security researcher uncovered a critical vulnerability in the Node.js CI/CD pipeline that allowed for remote code execution on internal Jenkins agents and posed a significant supply chain risk. The attack stemmed from how Node.js orchestrated workflows using GitHub Actions, ... https://threats.wiz.io/all-incidents/nodejs-repository-cicd-vulnerable-to-rce 30 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/grafana-github-action-attempted-supply-chain-attack Grafana Labs detected suspicious activity via a triggered canary token, leading to the discovery of unauthorized access enabled by a misconfigured GitHub Action. An attacker exploited the workflow by forking a Grafana repository, injecting a malicious curl command to extract e... https://threats.wiz.io/all-incidents/grafana-github-action-attempted-supply-chain-attack 27 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/apache-druid-cryptojacking ARMO’s research team uncovered two cryptojacking campaigns targeting a deliberately exposed Kubernetes honeypot running Apache Druid, leveraging the known CVE-2021-25646 vulnerability for unauthenticated remote code execution. The first campaign, linked to the RUDEDEVIL/LUCIFE... https://threats.wiz.io/all-incidents/apache-druid-cryptojacking 23 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/password-spray-attack-leads-to-containers-being-used-for-cryptomining In the past year Microsoft observed AzureChecker(Storm-1977) launching password spray attacks, against cloud tenants in the education sector. The actor used AzureChecker.exe (CLI tool that is being used by a wide range of actors) https://threats.wiz.io/all-incidents/password-spray-attack-leads-to-containers-being-used-for-cryptomining 23 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/hybrid-attack-discovered-by-mandiant During an investigation, Mandiant identified evidence that a threat actor had discovered cloud access keys stored in plain text on a compromised on-premises network. The threat actor was able to use the keys to access and steal data from the client’s cloud storage buckets. Whe... https://threats.wiz.io/all-incidents/hybrid-attack-discovered-by-mandiant 23 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/apache-druid-cryptojacking ARMO’s research team uncovered two cryptojacking campaigns targeting a deliberately exposed Kubernetes honeypot running Apache Druid, leveraging the known CVE-2021-25646 vulnerability for unauthenticated remote code execution. The first campaign, linked to the RUDEDEVIL/LUCIFE... https://threats.wiz.io/all-incidents/apache-druid-cryptojacking 23 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/sap-netweaver-visual-composer-exploitation-campaign CVE-2025-31324 is a critical zero-day vulnerability in the SAP NetWeaver Visual Composer component (CVSS 10.0) that enables unauthenticated remote code execution (RCE). The flaw, caused by missing authorization checks in the Metadata Uploader interface, allows attackers to upl... https://threats.wiz.io/all-incidents/sap-netweaver-visual-composer-exploitation-campaign 22 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/multi-layered-cryptojacking-via-docker A recent malware campaign targeting Docker showcases a novel form of cryptojacking that abuses legitimate Web3 services for profit while employing heavy layers of obfuscation to evade detection. By leveraging publicly hosted Docker images, the attackers deploy Python scripts t... https://threats.wiz.io/all-incidents/multi-layered-cryptojacking-via-docker 22 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/rspack-supply-chain-attack Researchers uncovered a supply chain attack carried out by a threat actor labeled MUT-1692. Initially detected via a suspicious npm package (argus3-test) mimicking a legitimate tool, the investigation revealed a postinstall script that attempted to connect to a remote C2 serve... https://threats.wiz.io/all-incidents/rspack-supply-chain-attack 17 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/unc5174-linux-espionage-campaign UNC5174, a suspected Chinese state-sponsored threat actor, has resurfaced in a stealthy espionage campaign targeting Linux systems across research institutions, government agencies, NGOs, and critical infrastructure sectors in Western and APAC countries. The campaign, active s... https://threats.wiz.io/all-incidents/unc5174-linux-espionage-campaign 16 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/crazyhunter-ransomware-group-targets-critical-sectors-in-taiwan CrazyHunter is a newly emerged ransomware group that has rapidly gained attention for its focused attacks on Taiwan’s critical sectors, particularly healthcare, education, and manufacturing. The group’s operations demonstrate a high level of sophistication, leveraging both adv... https://threats.wiz.io/all-incidents/crazyhunter-ransomware-group-targets-critical-sectors-in-taiwan 16 Apr 25 00:00 +0000 https://ccb.belgium.be/fr/news/lenregistrement-du-webinaire-cyber-tips-ransomware-insights-est-maintenant-disponible Nous avons mis en ligne l'enregistrement de l'événement. https://ccb.belgium.be/fr/news/lenregistrement-du-webinaire-cyber-tips-ransomware-insights-est-maintenant-disponible 15 Apr 25 19:31 +0000 https://threats.wiz.io/all-incidents/aws-breach-at-a-saas-company an AWS security breach that severely impacted a growing SaaS company. An attacker gained access to administrator-level credentials and exploited architectural flaws to compromise both staging and production environments. The incident led to data exfiltration, deletion of criti... https://threats.wiz.io/all-incidents/aws-breach-at-a-saas-company 15 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/bpfdoors-hidden-controller-targets-amea-sectors Trend Micro uncovered a previously unseen controller used in BPFDoor campaigns, attributing it to Earth Bluecrow (also known as Red Menshen), a state-sponsored APT group. BPFDoor is a stealthy Linux backdoor leveraging Berkeley Packet Filtering (BPF) to silently activate via "... https://threats.wiz.io/all-incidents/bpfdoors-hidden-controller-targets-amea-sectors 14 Apr 25 00:00 +0000 https://ccb.belgium.be/fr/news/renforcez-la-resilience-numerique-du-secteur-de-la-sante Le 15 janvier 2025, la Commission européenne a adopté le Plan d'action sur la cybersécurité des hôpitaux et des prestataires de soins de santé. Une consultation publique a été lancée auprès de toutes les parties prenantes dans ce domaine. https://ccb.belgium.be/fr/news/renforcez-la-resilience-numerique-du-secteur-de-la-sante 11 Apr 25 09:29 +0000 https://ccb.belgium.be/fr/news/un-nouveau-site-web-qui-trace-la-voie-vers-un-environnement-numerique-sur-ou-vivre-et Le Centre pour la Cybersécurité Belgique (CCB) fête cette année son 10e anniversaire et lance un tout nouveau site web. Il est conçu pour mieux informer et soutenir les citoyens, les entreprises, les écoles et les autorités dans leur lutte contre… https://ccb.belgium.be/fr/news/un-nouveau-site-web-qui-trace-la-voie-vers-un-environnement-numerique-sur-ou-vivre-et 10 Apr 25 13:36 +0000 https://threats.wiz.io/all-incidents/atlas-lion-campaign-exploits-device-enrollment-and-mfa-for-persistence The initial intrusion vector was an SMS phishing campaign that spoofed internal IT notifications to harvest user credentials and MFA codes. Atlas Lion then enrolled a VM from their Azure tenant into the organization’s domain by mimicking the legitimate Windows device setup pro... https://threats.wiz.io/all-incidents/atlas-lion-campaign-exploits-device-enrollment-and-mfa-for-persistence 10 Apr 25 00:00 +0000 https://ccb.belgium.be/fr/news/prochains-evenements-sur-le-financement-de-la-cybersecurite-par-lue CCB News https://ccb.belgium.be/fr/news/prochains-evenements-sur-le-financement-de-la-cybersecurite-par-lue 09 Apr 25 08:34 +0000 https://ccb.belgium.be/fr/news/la-belgique-est-le-premier-etat-membre-de-lunion-europeenne-mettre-completement-en-oeuvre-0 CCB News https://ccb.belgium.be/fr/news/la-belgique-est-le-premier-etat-membre-de-lunion-europeenne-mettre-completement-en-oeuvre-0 09 Apr 25 08:26 +0000 https://threats.wiz.io/all-incidents/long-term-email-breach-at-occ-exposes-sensitive-bank-oversight-data Hackers infiltrated the Office of the Comptroller of the Currency (OCC) and monitored email accounts of approximately 103 bank regulators for over a year, accessing around 150,000 sensitive messages. The attackers gained entry via an administrative account, allowing them to ob... https://threats.wiz.io/all-incidents/long-term-email-breach-at-occ-exposes-sensitive-bank-oversight-data 08 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/europecar-gitlab-breach A hacker breached the GitLab repositories of Europcar Mobility Group and stole source code for Android and iOS apps, along with SQL backups and configuration files that included personal data. The attacker, using Europcar’s name as an alias, claimed to have extracted over 9,00... https://threats.wiz.io/all-incidents/europecar-gitlab-breach 04 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/critical-ivanti-connect-secure-vulnerability-exploited-by-china-linked-actor On April 3, 2025, Ivanti disclosed a critical vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure (ICS) VPN appliances version 22.7R2.5 and earlier. The flaw, initially underestimated as a denial-of-service risk, was later found to be a buffer overflow that allows r... https://threats.wiz.io/all-incidents/critical-ivanti-connect-secure-vulnerability-exploited-by-china-linked-actor 03 Apr 25 00:00 +0000 https://threats.wiz.io/all-incidents/weaver-ant-data-exfiltration-campaign Sygnia uncovered a prolonged cyber-espionage campaign targeting a major Asian telecom provider, orchestrated by a China-nexus APT group dubbed Weaver Ant. The group maintained stealthy, long-term access to the network for over four years using advanced techniques centered arou... https://threats.wiz.io/all-incidents/weaver-ant-data-exfiltration-campaign 24 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/albabat-ransomware-targets-windows-linux-and-macos-using-github-infrastructure Researchers have uncovered new and evolving versions of the Albabat ransomware, which now target Windows, Linux, and macOS systems. These updated variants (v2.0.0 and v2.5) show a notable expansion from the ransomware’s initial Windows-only focus and use GitHub for storing and... https://threats.wiz.io/all-incidents/albabat-ransomware-targets-windows-linux-and-macos-using-github-infrastructure 21 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/oracle-cloud-potential-supply-chain-breach On March 21, 2025, CloudSEK reported that a threat actor using the alias "rose87168" is claiming to have exfiltrated over 6 million records from Oracle Cloud’s SSO and LDAP systems. According to CloudSEK’s assessment, the leaked data includes sensitive authentication materials... https://threats.wiz.io/all-incidents/oracle-cloud-potential-supply-chain-breach 21 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/exposed-jupyter-notebooks-targeted-for-cryptomining Cado Security Labs has uncovered a cryptomining campaign exploiting misconfigured Jupyter Notebooks, affecting both Windows and Linux environments. The attackers use Jupyter as an entry point to deploy a cryptominer through a series of evasive techniques. On Windows, the attac... https://threats.wiz.io/all-incidents/exposed-jupyter-notebooks-targeted-for-cryptomining 16 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/tj-actionschanged-files-supply-chain-attack The compromised version of tj-actions/changed-files injects malicious code into CI workflows, potentially capturing and exposing secrets from affected repositories. On public repositories, the secrets would then be visible to everyone as part of the workflow logs, though obfus... https://threats.wiz.io/all-incidents/tj-actionschanged-files-supply-chain-attack 15 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/cdc-dangling-domain-hijack Attackers exploited poor DNS hygiene at the U.S. Centers for Disease Control and Prevention (CDC) to deliver malicious content disguised under the CDC’s trusted domain. The attack was discovered when users searching for English Premier League match streams encountered links th... https://threats.wiz.io/all-incidents/cdc-dangling-domain-hijack 10 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/php-cgi-vulnerability-exploited-in-attacks-targeting-japan Researchers identified an ongoing attack campaign targeting organizations in Japan across sectors like technology, telecommunications, education, entertainment, and e-commerce. Active since at least January 2025, the attacker exploits CVE-2024-4577, a critical PHP-CGI remote c... https://threats.wiz.io/all-incidents/php-cgi-vulnerability-exploited-in-attacks-targeting-japan 06 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/silk-typhoon-targeting-it-and-cloud-applications Microsoft Threat Intelligence has identified an evolution in the tactics of Silk Typhoon, a Chinese state-sponsored espionage group, now increasingly focusing on compromising IT solutions, remote management tools, and cloud applications to gain initial access. By exploiting un... https://threats.wiz.io/all-incidents/silk-typhoon-targeting-it-and-cloud-applications 05 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/zapier-data-breach On February 27, 2025, Zapier detected that an unauthorized user had accessed some of its internal code repositories due to a two-factor authentication (2FA) misconfiguration on an employee’s account. While the breach did not affect production systems, databases, or payment inf... https://threats.wiz.io/all-incidents/zapier-data-breach 01 Mar 25 00:00 +0000 https://threats.wiz.io/all-incidents/javaghost-ses-abuse The threat group JavaGhost has evolved from website defacement to persistent phishing operations targeting cloud environments, particularly AWS. Between 2022 and 2024, JavaGhost leveraged exposed long-term AWS access keys due to customer misconfigurations. These keys allowed t... https://threats.wiz.io/all-incidents/javaghost-ses-abuse 28 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/cpuhu-malicious-campaign-targeting-misconfigured-postgresql-servers-for-cryptomining Wiz Threat Research identified a malicious campaign targeting weakly configured and publicly exposed PostgreSQL servers to deploy a XMRig-C3 cryptominer. In observed attacks, the threat actor exploited exposed PostgreSQL instances, abused the COPY FROM PROGRAM function to exec... https://threats.wiz.io/all-incidents/cpuhu-malicious-campaign-targeting-misconfigured-postgresql-servers-for-cryptomining 27 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/bybit-hack On February 21, 2025, Safe{Wallet} suffered a state-sponsored attack, attributed to TraderTraitor (UNC4899), a DPRK-affiliated group. The attackers compromised a developer’s laptop, hijacked AWS session tokens, and bypassed MFA to gain unauthorized access to Safe{Wallet} serve... https://threats.wiz.io/all-incidents/bybit-hack 26 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/krpano-xss-exploitation-campaign The "360XSS" campaign is a widespread exploitation of a reflected cross-site scripting (XSS) vulnerability in the popular virtual tour framework Krpano, which allows external XML content to be injected via the xml query parameter. The vulnerability, known as CVE-2020-24901, st... https://threats.wiz.io/all-incidents/krpano-xss-exploitation-campaign 26 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/teammate-app-exposed-mongodb A researcher discovered that Teammate App had an exposed database containing nearly 3 million records, including user credentials, employee details, and confidential documents, accessible without authentication. The researcher flagged this issue in December 2024 and formally n... https://threats.wiz.io/all-incidents/teammate-app-exposed-mongodb 24 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/revivalstone-campaign-by-winnti The China-linked APT group Winnti (APT41) has been linked to a new cyber espionage campaign, RevivalStone, targeting Japanese manufacturing, materials, and energy companies in March 2024. The attack, detailed by LAC, exploited an SQL injection vulnerability in an unspecified E... https://threats.wiz.io/all-incidents/revivalstone-campaign-by-winnti 18 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/earth-pretas-campaign-abusing-mavinject-to-bypass-detection Earth Preta (Mustang Panda), a known APT group targeting government entities in the Asia-Pacific region, has been observed using a new technique to evade detection and maintain persistence. Researchers from Trend Micro discovered that the group leverages Microsoft Application ... https://threats.wiz.io/all-incidents/earth-pretas-campaign-abusing-mavinject-to-bypass-detection 18 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/seashell-blizzard-subgroups-campaign-exploiting-vulnerabilities-for-data-exfiltration The BadPilot campaign operates as a horizontally scalable cyber operation, compromising a wide range of internet-facing systems using publicly available exploits. The subgroup conducts broad scanning for vulnerable systems and leverages commodity exploits to infiltrate network... https://threats.wiz.io/all-incidents/seashell-blizzard-subgroups-campaign-exploiting-vulnerabilities-for-data-exfiltration 13 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/code-injection-attacks-exploiting-publicly-disclosed-aspnet-keys Microsoft Threat Intelligence identified a threat actor exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks. This technique enables attackers to inject malicious code into web applications, leading to remote code execution on IIS serv... https://threats.wiz.io/all-incidents/code-injection-attacks-exploiting-publicly-disclosed-aspnet-keys 12 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/black-basta-exploiting-vulnerabilities-in-multiple-products A major leak of Black Basta’s internal chat logs on February 11, 2025, has exposed significant internal conflicts, leadership instability, and financial fraud within the ransomware group. The leak, allegedly triggered by their attacks on Russian banks, has led to a decline in ... https://threats.wiz.io/all-incidents/black-basta-exploiting-vulnerabilities-in-multiple-products 11 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/malicious-ai-models-bypass-picklescan-detection The nullifAI attack exploits Pickle file serialization, an insecure method for storing ML models, to distribute malware-laced PyTorch models on Hugging Face. Instead of using PyTorch’s default ZIP compression, the attackers compressed the models using 7z, preventing automatic ... https://threats.wiz.io/all-incidents/malicious-ai-models-bypass-picklescan-detection 09 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/from-social-engineering-to-lambda-modification Researchers discovered a sophisticated attack initiated through social engineering on LinkedIn and WhatsApp, leading to credential theft via seemingly benign code downloads. With stolen session tokens and cloud access keys, the attackers authenticated into Microsoft 365 and AW... https://threats.wiz.io/all-incidents/from-social-engineering-to-lambda-modification 03 Feb 25 00:00 +0000 https://threats.wiz.io/all-incidents/usaid-cryptojacking-incident The U.S. Agency for International Development (USAID) was hit by a cryptojacking attack. A global administrator account in a test environment within their Azure subscription was compromised as a result of a password spray attack. The attackers then leveraged the compromised ac... https://threats.wiz.io/all-incidents/usaid-cryptojacking-incident 31 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/dogwiftool-supply-chain-attack Hackers compromised the Windows version of DogWifTools, a platform for promoting meme coins on the Solana blockchain, through a supply-chain attack that led to the theft of users' cryptocurrency wallets.The attack occurred after a threat actor reverse-engineered the software a... https://threats.wiz.io/all-incidents/dogwiftool-supply-chain-attack 29 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/operation-longfang Operation LongFang is a cyber-espionage campaign, attributed to a Chinese threat actor, targeting Latin American government entities. First detected in December 2024, it has been active for at least two years. The campaign's initial access was achieved by exploiting vulnerabil... https://threats.wiz.io/all-incidents/operation-longfang 24 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/mastercard-fixes-five-year-old-dns-typo-misconfiguration MasterCard recently corrected a significant DNS misconfiguration that had persisted for nearly five years, potentially allowing cybercriminals to intercept or divert its Internet traffic. While all MasterCard's DNS server names were supposed to end with "akam.net," one contain... https://threats.wiz.io/all-incidents/mastercard-fixes-five-year-old-dns-typo-misconfiguration 22 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/triplestrength-cloud-account-hijacking-and-cryptocurrency-mining-via-stolen-credentials The threat actor TRIPLESTRENGTH uses stolen credentials and cookies, partially sourced from Racoon infostealer logs, to gain unauthorized access to victim cloud environments. Initially, they exploited legitimate compromised accounts to create compute resources for cryptocurren... https://threats.wiz.io/all-incidents/triplestrength-cloud-account-hijacking-and-cryptocurrency-mining-via-stolen-credentials 21 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/unc2165-targets-hybrid-environments-with-ransomware In 2024, UNC2165 exploited a victim's environment by a UNC1543 FAKEUPDATES infection to gain initial access. They deployed their Python tunneler, VIPERTUNNEL, for persistent access and used utility scripts for reconnaissance and disabling anti-virus protection. UNC2165 then ac... https://threats.wiz.io/all-incidents/unc2165-targets-hybrid-environments-with-ransomware 21 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/otelier-data-breach An Otelier employee's workstation was infected with an infostealer, leading to compromise of their Jira credentials. The threat actor abused these to gain access to the Jira server, which contained additional credentials granting access to S3 buckets, which contained various d... https://threats.wiz.io/all-incidents/otelier-data-breach 17 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/bapak-exploiting-stolen-cloud-access-keys Wiz Threat Research discovered a malicious campaign where attackers are using leaked or stolen cloud access keys to access cloud environments and deploy ECS clusters. The attacker was observed abusing accidentally exposed AWS access keys and trying to gain a permanent foothold... https://threats.wiz.io/all-incidents/bapak-exploiting-stolen-cloud-access-keys 15 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/codefinger-ransomware-campaign-targeting-s3-buckets Researchers discovered a ransomware campaign leveraging AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attack, orchestrated by the threat actor "Codefinger," uses compromised AWS credentials to encrypt files securely. V... https://threats.wiz.io/all-incidents/codefinger-ransomware-campaign-targeting-s3-buckets 13 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/exploitation-in-the-wild-of-aviatrix-controller-rce The vulnerability CVE-2024-50603 was disclosed on 2025-01-07, with a detailed blog and proof-of-concept exploit released by researchers soon after. Evidence of exploitation in cloud environments were observed by Wiz Research, targeting publicly exposed, vulnerable machines. At... https://threats.wiz.io/all-incidents/exploitation-in-the-wild-of-aviatrix-controller-rce 11 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/campaign-targeting-publicly-exposed-management-interfaces-on-fortinet-fortigate-firewalls Threat actors recently targeted Fortinet FortiGate firewall devices with exposed management interfaces in a suspected zero-day campaign. Arctic Wolf observed unauthorized admin logins via the jsconsole interface, new account creation, SSL VPN configurations, and other system c... https://threats.wiz.io/all-incidents/campaign-targeting-publicly-exposed-management-interfaces-on-fortinet-fortigate-firewalls 10 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/gravy-analytics-data-breach On 2025-01-10, an incident was reported, involving an unknown actor, gaining initial access via Exposed secret, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/gravy-analytics-data-breach 10 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/kong-image-compromise Kong Ingress Controller is a popular ingress controller for Kubernetes. The Kong Ingress Controller version 3.4 instances have been experiencing a significant performance regression causing excessive CPU utilization of approximately 4 cores, even with minimal Gateway API reso... https://threats.wiz.io/all-incidents/kong-image-compromise 02 Jan 25 00:00 +0000 https://threats.wiz.io/all-incidents/us-treasury-breach In December 2024, the U.S. Department of the Treasury experienced a cybersecurity breach due to a compromised API key from BeyondTrust’s Remote Support SaaS. A Chinese state-sponsored Advanced Persistent Threat (APT) actor exploited the stolen key to bypass security measures, ... https://threats.wiz.io/all-incidents/us-treasury-breach 31 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/volkswagen-massive-data-leak-through-spring-boot-actuator-misconfiguration Researchers found a data exposure issue within Volkswagen’s environment by leveraging tools such as Subfinder, GoBuster, and Spring. Using these tools, they found a Java Spring application exposing its Heap dump file. Heap dumps, which list various objects within a Java Virtua... https://threats.wiz.io/all-incidents/volkswagen-massive-data-leak-through-spring-boot-actuator-misconfiguration 30 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/ec2-grouper-campaign The "EC2 Grouper" threat actor is a prolific group frequently detected in cloud environments. They are known for using consistent user agents and a specific security group naming convention (e.g., ec2group, ec2group12345) during attacks, making them easier to identify. However... https://threats.wiz.io/all-incidents/ec2-grouper-campaign 30 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/zagg-customer-data-compromised-via-hijacked-freshclicks-bigcommerce-app On 2024-12-28, an incident was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/zagg-customer-data-compromised-via-hijacked-freshclicks-bigcommerce-app 28 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/phishing-campaign-leading-to-azure-account-takeover In June 2024, Unit 42 researchers identified a phishing campaign targeting approximately 20,000 users in European automotive, chemical, and industrial compound manufacturing sectors, particularly in Germany and the UK. The attackers employed fake forms created with HubSpot's F... https://threats.wiz.io/all-incidents/phishing-campaign-leading-to-azure-account-takeover 18 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/diicot-campaign-targeting-linux-environments Wiz Research uncovered a sophisticated malware campaign by the Romanian-speaking Diicot threat group targeting Linux systems, especially in cloud environments. This campaign demonstrates notable advancements over previous iterations, such as corrupted UPX headers, cloud-specif... https://threats.wiz.io/all-incidents/diicot-campaign-targeting-linux-environments 17 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/rce-vulnerability-in-apache-struts-targeted-by-attackers CVE-2024-53677 is a critical vulnerability in Apache Struts 2 with a CVSS score of 9.5. This flaw in the file upload logic allows path traversal and uploading of malicious files, enabling remote code execution (RCE). Exploitation has been observed in the wild using public proo... https://threats.wiz.io/all-incidents/rce-vulnerability-in-apache-struts-targeted-by-attackers 17 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/php-targeted-with-glutton-backdoor The Glutton backdoor, a modular PHP-based malware framework, has been observed targeting systems in China, the U.S., Cambodia, Pakistan, and South Africa. The malware, linked with moderate confidence to the Chinese nation-state group Winnti, showcases unique behavior by target... https://threats.wiz.io/all-incidents/php-targeted-with-glutton-backdoor 16 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/llm-hijacking-targeting-aws On November 26, 2024, Wiz Threat Research identified JINX-2401, a threat actor attempting to hijack LLM models in multiple AWS environments using compromised IAM credentials. The attackers leveraged compromised IAM user keys to gain access, perform privilege escalation, and es... https://threats.wiz.io/all-incidents/llm-hijacking-targeting-aws 15 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/cleo-vulnerabilities-targeted-by-cl0p-ransomware Two critical vulnerabilities in Cleo file transfer software—CVE-2024-50623 and CVE-2024-55956—have been actively exploited, leading to unauthorized data access and system compromise. The Clop ransomware gang has claimed responsibility for these attacks, leveraging zero-day exp... https://threats.wiz.io/all-incidents/cleo-vulnerabilities-targeted-by-cl0p-ransomware 15 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/byte-federal-data-breach-via-gitlab-vulnerability Byte Federal, the largest US Bitcoin ATM operator, experienced a data breach in November 2024, exposing the sensitive data of 58,000 customers. Hackers exploited an unspecified GitLab vulnerability to gain unauthorized access to Byte Federal's servers. The compromised informat... https://threats.wiz.io/all-incidents/byte-federal-data-breach-via-gitlab-vulnerability 12 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/attacks-abusing-amazon-ses Datadog researchers identified an intrusion targeting Amazon Simple Email Service (SES) in an AWS environment, where attackers employed advanced persistence techniques. The attack was notable for leveraging an external AWS account to assume roles within the victim's environmen... https://threats.wiz.io/all-incidents/attacks-abusing-amazon-ses 11 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/ultralytics-compromise Ultralytics is a popular AI image prediction library with over 33k stars on GitHub and a dependency for many packages. On December 5, 2024 security researchers have identified a supply chain attack targeting deployment versions of the Ultralytics Python package. The compromise... https://threats.wiz.io/all-incidents/ultralytics-compromise 05 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/state-sponsored-apt-abuse-visual-studio-code-in-attacks Operation Digital Eye, a suspected China-nexus cyberespionage campaign, targeted business-to-business IT service providers in Southern Europe from late June to mid-July 2024. The attacks aimed to establish strategic footholds for further compromise of downstream entities. Thre... https://threats.wiz.io/all-incidents/state-sponsored-apt-abuse-visual-studio-code-in-attacks 05 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/solana-web3js-supply-chain-attack On December 3, 2024, a critical supply chain attack was uncovered targeting versions 1.95.6 and 1.95.7 of the widely-used @solana/web3.js JavaScript library. The attack involved a malicious backdoor injected via a compromised npm publish account. Once deployed, the backdoor ca... https://threats.wiz.io/all-incidents/solana-web3js-supply-chain-attack 04 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/gafgyt-malware-targeting-misconfigured-docker-servers Researchers identified threat actors leveraging misconfigured Docker Remote API servers to deploy the Gafgyt malware, traditionally targeting IoT devices, to perform DDoS attacks. Attackers exploit these misconfigurations to create Docker containers, elevate privileges, and ex... https://threats.wiz.io/all-incidents/gafgyt-malware-targeting-misconfigured-docker-servers 03 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/mauri-ransomware-exploiting-apache-activemq CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability in Apache ActiveMQ. This vulnerability may allow a remote attacker with network access to a broker to run arbitrary commands due to an insecure deserialization in the OpenWire protocol.The vulnerability is ... https://threats.wiz.io/all-incidents/mauri-ransomware-exploiting-apache-activemq 02 Dec 24 00:00 +0000 https://threats.wiz.io/all-incidents/gelsemiums-shift-to-linux-malware-with-wolfsbane-and-firewood ESET researchers have identified two Linux backdoors, WolfsBane and FireWood, linked to the China-aligned Gelsemium APT group. WolfsBane is the Linux counterpart of Gelsevirine, a Windows backdoor, and is attributed to Gelsemium with high confidence due to shared features like... https://threats.wiz.io/all-incidents/gelsemiums-shift-to-linux-malware-with-wolfsbane-and-firewood 21 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/sports-piracy-exploiting-misconfigured-jupyter-servers Threat actors have developed an attack leveraging misconfigured JupyterLab and Jupyter Notebook servers to conduct illegal live streaming of sports events. By exploiting unauthenticated access to these environments, attackers deploy the open-source tool ffmpeg to capture and r... https://threats.wiz.io/all-incidents/sports-piracy-exploiting-misconfigured-jupyter-servers 19 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/earth-kashas-campaign-exploiting-fortinet-vulnerability Researchers discovered a new campaign by Earth Kasha, a threat group targeting Japan, Taiwan, and India since 2019, with connections to the broader APT10 umbrella. This recent campaign, beginning in 2023, employs updated TTPs, including exploiting vulnerabilities like CVE-2023... https://threats.wiz.io/all-incidents/earth-kashas-campaign-exploiting-fortinet-vulnerability 19 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-credentials A zero-day vulnerability in Fortinet's Windows VPN client, FortiClient, was discovered by Volexity, allowing user credentials to remain in process memory after authentication. This vulnerability was exploited by BrazenBamboo, a Chinese state-affiliated threat actor, using a pl... https://threats.wiz.io/all-incidents/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-credentials 15 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/rce-vulnerability-in-pan-os-exploited-in-the-wild Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability (CVE-2024-0012) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authen... https://threats.wiz.io/all-incidents/rce-vulnerability-in-pan-os-exploited-in-the-wild 08 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/silent-skimmer-attacks-exploiting-telerik-ui-to-steal-payment-data In May 2024, researchers observed an attack by the Silent Skimmer threat actor, targeting a multinational organization’s payment infrastructure. This attack exploited known vulnerabilities in Telerik UI to gain unauthorized access and deploy various malicious tools, including ... https://threats.wiz.io/all-incidents/silent-skimmer-attacks-exploiting-telerik-ui-to-steal-payment-data 07 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/mozi-botnet-using-androxgh0st-toolkit-to-target-cloud-environments Researchers at CloudSEK’s Threat Research team identified major developments in the Androxgh0st toolkit, expanding its arsenal of vulnerabilities, and noticed a potential operational integration with the Mozi botnet. First observed in early 2024, Androxgh0st integrates Mozi’s ... https://threats.wiz.io/all-incidents/mozi-botnet-using-androxgh0st-toolkit-to-target-cloud-environments 06 Nov 24 00:00 +0000 https://threats.wiz.io/all-incidents/supply-chain-attack-on-lottie-player On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platf... https://threats.wiz.io/all-incidents/supply-chain-attack-on-lottie-player 31 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/cyberoam-breach-2018 On 2024-10-31, an incident was reported, involving Volt Typhoon, APT31, APT41, gaining initial access via Unknown, while using SSM misconfiguration abuse, to achieve Data exfiltration. The following tools were observed: CloudSnooper, Onderon, Gh0st RAT. https://threats.wiz.io/all-incidents/cyberoam-breach-2018 31 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/sharepoint-vulnerability-exploited-in-the-wild Researchers observed an attacker exploiting CVE-2024-38094—a vulnerability in Microsoft SharePoint. The attacker gained unauthorized access, escalated privileges, and moved laterally across the network to gain control over the entire domain. Through various techniques, includi... https://threats.wiz.io/all-incidents/sharepoint-vulnerability-exploited-in-the-wild 30 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/emeraldwhale-attacks-targeting-exposed-git-config-files Research uncovered an operation named EMERALDWHALE that compromised over 15,000 cloud service credentials by exploiting exposed Git configurations and other misconfigured web services. The attack aimed to steal credentials from private Git repositories and cloud environments, ... https://threats.wiz.io/all-incidents/emeraldwhale-attacks-targeting-exposed-git-config-files 30 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/amazon-db-exposed-with-prime-video-viewing-habits Security researcher Anurag Sen discovered an unprotected Amazon Prime database containing pseudonymized viewing data, accessible from the internet without a password. Named "Sauron," the Elasticsearch database held approximately 215 million records, including information on st... https://threats.wiz.io/all-incidents/amazon-db-exposed-with-prime-video-viewing-habits 27 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/teamtnts-docker-gatling-gun-campaign Researchers observed TeamTNT, a threat group known to target cloud environments, in a campaign targeting cloud-native environments by compromising exposed Docker daemons. Using Docker Hub to distribute malware, the group employs cryptominers and the Sliver malware, enhancing t... https://threats.wiz.io/all-incidents/teamtnts-docker-gatling-gun-campaign 25 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/unc5820-exploiting-fortimanager-flaw Researchers identified a zero-day vulnerability, CVE-2024-47575, impacting FortiManager, exploited by the UNC5820 group. This flaw allows unauthorized access, enabling threat actors to exfiltrate critical configuration data. The vulnerability has been actively exploited, with ... https://threats.wiz.io/all-incidents/unc5820-exploiting-fortimanager-flaw 24 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/prometei-campaign The Prometei botnet attempted to infiltrate a company’s network using a brute-force attack. Researchers from Trend Micro identified and mitigated the threat by tracing Prometei’s stealthy, modular structure. Prometei, primarily aimed at cryptocurrency mining and credential the... https://threats.wiz.io/all-incidents/prometei-campaign 23 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/triad-nexus-funnull-malicious-campaign Silent Push’s investigation into FUNNULL, a Chinese CDN, reveals its role in hosting extensive malicious infrastructure dubbed "Triad Nexus." This includes over 200,000 algorithmically generated domains connected to gambling, investment scams, phishing, and a supply chain atta... https://threats.wiz.io/all-incidents/triad-nexus-funnull-malicious-campaign 22 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/perfctl-campaign-targeting-docker-api Attackers are exploiting exposed Docker Remote API servers to deploy a new malware strain named "perfctl." This malware is designed to mine cryptocurrency and can evade detection by disabling security features and establishing persistence on compromised systems. The attackers ... https://threats.wiz.io/all-incidents/perfctl-campaign-targeting-docker-api 21 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/ea-cross-user-access-via-api On 2024-10-18, a research was reported, involving , gaining initial access via API vulnerability, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/ea-cross-user-access-via-api 18 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/earth-simnavaz-apt34-targeting-uae-and-gulf-regions Researchers at Trend Micro identified cyberattacks by Earth Simnavaz (also known as APT34 or OilRig), targeting UAE and Gulf region entities. The group exploits vulnerabilities, including CVE-2024-30088, to escalate privileges and deploy backdoors via Microsoft Exchange server... https://threats.wiz.io/all-incidents/earth-simnavaz-apt34-targeting-uae-and-gulf-regions 11 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/veeam-vulnerability-exploited-by-akira-and-fog-ransomware CVE-2024-40711 arises from the deserialization of untrusted data in the Veeam Backup & Replication software. This vulnerability can be exploited with low-complexity attacks, making it a threat to organizations relying on Veeam’s platform for backup, disaster recovery, and data... https://threats.wiz.io/all-incidents/veeam-vulnerability-exploited-by-akira-and-fog-ransomware 10 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/game-freak-data-leak On 2024-10-10, an incident was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Exposed git config files abuse, targeting GitLab to achieve Data exfiltration. https://threats.wiz.io/all-incidents/game-freak-data-leak 10 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/apt29-targeting-zimbra-and-teamcity-servers The U.S. and U.K. cyber agencies have issued a joint advisory warning about Russian Foreign Intelligence Service (SVR)-linked attackers, tracked as APT29 (a.k.a Cozy Bear or Midnight Blizzard). These actors are exploiting vulnerabilities in Zimbra and JetBrains TeamCity server... https://threats.wiz.io/all-incidents/apt29-targeting-zimbra-and-teamcity-servers 10 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/llmjacking-for-roleplaying-campaign In September 2024, threat actors conducted a campaign exploiting exposed AWS access keys to hijack AWS Bedrock services for operating illicit AI-powered roleplay chatbots. The attackers leverage compromised long-lived credentials (AKIA keys) discovered primarily through GitHub... https://threats.wiz.io/all-incidents/llmjacking-for-roleplaying-campaign 03 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/perfctl-malware-targeting-linux Researchers investigated the "perfctl malware," a Linux malware targeting misconfigurations and vulnerabilities on Linux servers. Perfctl employs rootkits, privilege escalation exploits, and cryptomining activities. It also uses tactics such as process masquerading and deletin... https://threats.wiz.io/all-incidents/perfctl-malware-targeting-linux 03 Oct 24 00:00 +0000 https://threats.wiz.io/all-incidents/rackspace-incident-2024 On 2024-09-30, an incident was reported, involving an unknown actor, gaining initial access via 0-day vulnerability, targeting ScienceLogic SL1 to achieve Data exfiltration. https://threats.wiz.io/all-incidents/rackspace-incident-2024 30 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/ref6138-campaign Elastic Security Labs uncovered a Linux malware campaign that began in March 2024, targeting vulnerable servers via an Apache2 web server exploit. The attackers gained access and deployed a variety of tools and malware families, including KAIJI, known for its DDoS capabilities... https://threats.wiz.io/all-incidents/ref6138-campaign 27 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/storm-0501-targeting-hybrid-environments-with-ransomware Storm-0501 has been observed conducting multi-staged attacks targeting hybrid cloud environments across various U.S. sectors, including government and manufacturing. These attacks involve lateral movement from on-premises environments to the cloud, leading to data exfiltration... https://threats.wiz.io/all-incidents/storm-0501-targeting-hybrid-environments-with-ransomware 26 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/storm-0501-attacking-hybrid-environments-with-ransomware Microsoft sheds light on the activities of Storm-0501, a threat actor known for deploying ransomware attacks in hybrid cloud environments. The group has expanded its operations to target both on-premises and cloud resources, posing significant risks to organizations utilizing ... https://threats.wiz.io/all-incidents/storm-0501-attacking-hybrid-environments-with-ransomware 26 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/docker-swarm-and-k8s-cryptojacking-campaign Datadog Security Research has uncovered a sophisticated cryptojacking campaign targeting microservice technologies, specifically Docker and Kubernetes. The threat actors exploit exposed Docker Engine APIs to gain initial access, deploying cryptocurrency miners on compromised c... https://threats.wiz.io/all-incidents/docker-swarm-and-k8s-cryptojacking-campaign 23 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/unc1860-attacks-targeting-the-middle-east UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). This group specializes in gaining persistent access to high-priority networks, especially in the government and telecommunications sectors in the Mid... https://threats.wiz.io/all-incidents/unc1860-attacks-targeting-the-middle-east 20 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/github-pat-leakage-leading-to-rds-database-exfiltration On 2024-09-17, an incident was reported, involving an unknown actor, gaining initial access via Exposed secret, targeting GitHub to achieve Data exfiltration. https://threats.wiz.io/all-incidents/github-pat-leakage-leading-to-rds-database-exfiltration 17 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/scattered-spider-targeting-gcp-environment On 2024-09-17, an incident was reported, involving 0ktapus, gaining initial access via Unknown, while using Create or modify firewall or security group rules, OS password reset, Create SSH backdoor, Modify compute startup script, Launch new cloud resources, Delete compute snapshot, to achieve RansomOp. https://threats.wiz.io/all-incidents/scattered-spider-targeting-gcp-environment 17 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/scattered-spider-targeting-azure-environment On 2024-09-17, an incident was reported, involving 0ktapus, gaining initial access via End-user compromise, while using Vishing, MFA enrollment, Cloud API e, to achieve RansomOp. https://threats.wiz.io/all-incidents/scattered-spider-targeting-azure-environment 17 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/campaign-targeting-selenium-grid-for-cryptomining Cado Security Labs discovered two campaigns exploiting misconfigured Selenium Grid instances to deploy malware, including an exploit kit, cryptominer, and proxyjacker. Selenium Grid is widely used for browser automation and testing, but its default configuration lacks authenti... https://threats.wiz.io/all-incidents/campaign-targeting-selenium-grid-for-cryptomining 12 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/fortinet-sharepoint-data-leak Fortinet confirmed a data breach where a threat actor, "Fortibitch," claimed to have stolen 440GB of data from the company's Microsoft Sharepoint server. The threat actor reportedly shared access credentials to an S3 bucket containing the stolen data and attempted to extort Fo... https://threats.wiz.io/all-incidents/fortinet-sharepoint-data-leak 12 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/hadooken-malware-targeting-weblogic-servers Researchers discovered a new Linux malware named "Hadooken" that specifically targets Oracle WebLogic servers. The malware exploits weak passwords to gain access and then deploys both Tsunami malware and a cryptominer. The attack flow involves using a combination of shell and ... https://threats.wiz.io/all-incidents/hadooken-malware-targeting-weblogic-servers 12 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/dragonrank-targeting-iis-web-servers Researchers identified a "DragonRank" campaign targeting countries in Asia and Europe. This group exploits web application services to deploy web shells and malware like PlugX and BadIIS, primarily for manipulating search engine rankings. The campaign has affected more than 35... https://threats.wiz.io/all-incidents/dragonrank-targeting-iis-web-servers 10 Sep 24 00:00 +0000 https://threats.wiz.io/all-incidents/godzilla-backdoor-exploiting-confluence-vulnerability Researchers discovered a new attack exploiting the CVE-2023-22527. The attack uses an in-memory fileless backdoor, known as the Godzilla webshell. The Godzilla backdoor uses AES encryption for communication and remains in memory, making it difficult to identify. It is recommen... https://threats.wiz.io/all-incidents/godzilla-backdoor-exploiting-confluence-vulnerability 30 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/confluence-exploited-for-cryptojacking The critical vulnerability CVE-2023-22527 is being actively exploited for cryptojacking activities, turning affected Confluence Data Center and Server instances into cryptomining networks. Attackers exploit this vulnerability through methods like deploying shell scripts and XM... https://threats.wiz.io/all-incidents/confluence-exploited-for-cryptojacking 28 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/shinyhunters-ransomware-targeting-cloud-environments The threat actor group Bling Libra (behind ShinyHunters ransomware) has been observed infiltrating an organization's Amazon Web Services (AWS) environment, focusing on extortion rather than selling stolen data. Using legitimate credentials sourced from public repositories, the... https://threats.wiz.io/all-incidents/shinyhunters-ransomware-targeting-cloud-environments 23 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/msupedge-backdoor-targeting-taiwanese-university A newly discovered backdoor, dubbed Backdoor.Msupedge, was used in an attack on a Taiwanese university, leveraging an unusual communication method through DNS traffic to reach its command-and-control (C&C) server. While DNS-based communication is known among threat actors, its... https://threats.wiz.io/all-incidents/msupedge-backdoor-targeting-taiwanese-university 19 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/pgmem-malware-exploiting-misconfigured-postresql-instances Researchers have discovered a new PostgreSQL malware called PG_MEM, which uses brute force attacks to access databases, hide its operations, and mine cryptocurrency. The attack involves creating a superuser role, delivering two malware payloads, and evading detection while eli... https://threats.wiz.io/all-incidents/pgmem-malware-exploiting-misconfigured-postresql-instances 19 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/extortion-campaign-exploiting-exposed-environment-variable Researchers uncovered an extortion campaign that exploited exposed environment variable files (.env) in cloud environments. These files, which contained sensitive credentials, were accessed and leveraged by attackers to ransom data from victim organizations. The attackers used... https://threats.wiz.io/all-incidents/extortion-campaign-exploiting-exposed-environment-variable 15 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/gafgyt-malware-targeting-cloud-environments Researchers identified a new variant of the Gafgyt botnet targeting cloud-native environments by exploiting weak SSH passwords. This variant integrates cryptomining with traditional botnet activities, using GPU power to mine cryptocurrency. The attack flow includes brute-forci... https://threats.wiz.io/all-incidents/gafgyt-malware-targeting-cloud-environments 14 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/earth-baku-campaign Earth Baku, a threat actor linked to APT41, has extended its operations beyond the Indo-Pacific, targeting regions across Europe, the Middle East, and Africa, including countries such as Italy, Germany, the UAE, and Qatar, with suspected activities in Georgia and Romania. The ... https://threats.wiz.io/all-incidents/earth-baku-campaign 09 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/horde-panda-targeting-south-asian-telecommunications-provider- Between late June 2023 and early August 2023, CrowdStrike detected suspicious activity at a South Asian telecommunications provider linked to the China-based threat group Horde Panda. The adversary used multiple compromised identities to try to embed themselves deeper into the... https://threats.wiz.io/all-incidents/horde-panda-targeting-south-asian-telecommunications-provider- 09 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/scattered-spider-abuses-cloud-management-agent In May 2024, CrowdStrike observed the cyber threat group Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) using a cloud service VM management agent. The attackers compromised existing credentials through a phishing campaign to authenticate to the cl... https://threats.wiz.io/all-incidents/scattered-spider-abuses-cloud-management-agent 09 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/panamorfi-campaign On 2024-08-02, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Jupyter Notebook misconfig abuse, targeting Jupyter Notebook to achieve Denial of service. The following tools were observed: Mineping. https://threats.wiz.io/all-incidents/panamorfi-campaign 02 Aug 24 00:00 +0000 https://threats.wiz.io/all-incidents/mirai-botnet-exploiting-apache-ofbiz-vulnerability The Apache Foundation's OFBiz, an open-source Java-based ERP framework, addressed in May 2024 a critical security vulnerability (CVE-2024-32113) involving path traversal that could lead to remote command execution. Despite its lesser prevalence compared to commercial ERP syste... https://threats.wiz.io/all-incidents/mirai-botnet-exploiting-apache-ofbiz-vulnerability 31 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/ransomware-operators-exploit-esxi-vulnerability Microsoft researchers have discovered a vulnerability in ESXi hypervisors, identified as CVE-2024-37085. This flaw is being exploited by ransomware operators to gain full administrative access to domain-joined ESXi hypervisors, enabling them to encrypt file systems, access hos... https://threats.wiz.io/all-incidents/ransomware-operators-exploit-esxi-vulnerability 29 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/seleniumgreed-threat-actors-exploit-exposed-selenium-grid-services-for-cryptomining Wiz Research has detected an ongoing threat campaign dubbed “SeleniumGreed” that exploits exposed Selenium Grid services to deploy cryptominers. Selenium is a popular open-source suite used for testing web applications, allowing users to write tests that simulate user interact... https://threats.wiz.io/all-incidents/seleniumgreed-threat-actors-exploit-exposed-selenium-grid-services-for-cryptomining 25 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/born-group-supply-chain-attack On 2024-07-25, an incident was reported, involving IntelBroker, gaining initial access via 1-day vulnerability, while using Network lateral movement, SSH key compromise, Local privilege escalation via vulnerability exploitation, targeting Jenkins, GitHub to achieve Supply chain attack. https://threats.wiz.io/all-incidents/born-group-supply-chain-attack 25 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/disney-slack-breach On 2024-07-15, an incident was reported, involving NullBulge, gaining initial access via End-user compromise, targeting Slack to achieve Data exfiltration. https://threats.wiz.io/all-incidents/disney-slack-breach 15 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/crystalray The Sysdig Threat Research Team (TRT) identified a threat actor named CRYSTALRAY, who has significantly expanded its operations since its initial detection in February 2024. CRYSTALRAY exploits multiple vulnerabilities and uses various open source security tools, such as SSH-S... https://threats.wiz.io/all-incidents/crystalray 11 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/python-infrastructure-leaked-access-token On 2024-07-08, a research was reported, involving , gaining initial access via Exposed secret, while using Registry secret scanning, targeting GitHub to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/python-infrastructure-leaked-access-token 08 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/misconfigured-jenkins-servers-used-for-cryptomining Researchers discovered attackers targeting misconfigurations in the Jenkins Script Console to execute malicious Groovy scripts, leading to activities such as deploying cryptocurrency miners. By leveraging vulnerabilities and misconfigurations, such as improperly set authentica... https://threats.wiz.io/all-incidents/misconfigured-jenkins-servers-used-for-cryptomining 05 Jul 24 00:00 +0000 https://threats.wiz.io/all-incidents/8220-gang-exploiting-weblogic-vulnerabilities-for-cryptojacking Water Sigbin exploits CVE-2017-3506 to gain initial access, deploying a PowerShell script on the compromised machine. This script decodes and executes the first stage payload, named wireguard2-3.exe, in the temporary directory. The malware masquerades as a legitimate VPN appli... https://threats.wiz.io/all-incidents/8220-gang-exploiting-weblogic-vulnerabilities-for-cryptojacking 30 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/funnull-polyfill-supply-chain-attack A Chinese company named Funnull acquired the Polyfill domain and GitHub repo, and inserted malware into polyfill.js that redirected users to gambling websites. Further pivoting revealed that Funnull had exposed a CloudFlare API key that linked the company to several CDN provid... https://threats.wiz.io/all-incidents/funnull-polyfill-supply-chain-attack 25 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/rabbit-ai-exposed-keys-in-code Rabbit AI's codebase included several hardcoded API keys for ElevenLabs, Azure, Yelp, Google Maps, and SendGrid. According to the researchers who discovered this, this access would have allowed an attacker to read Rabbit customers' data, make customer devices inoperable, and t... https://threats.wiz.io/all-incidents/rabbit-ai-exposed-keys-in-code 25 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/chinese-threat-actor-redjuliett-exploiting-vpn-and-firewall-vulnerabilities Between November 2023 and April 2024, researchers observed RedJuliett, a likely Chinese state-sponsored cyber-espionage group, targeting entities primarily in Taiwan but also across Asia, Africa, and the US. The focus was on sectors such as government, education, technology, a... https://threats.wiz.io/all-incidents/chinese-threat-actor-redjuliett-exploiting-vpn-and-firewall-vulnerabilities 24 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/boolka-campaign On 2024-06-21, a campaign was reported, involving Boolka, gaining initial access via Web vulnerability, while using SQL injection, to achieve Resource hijacking. https://threats.wiz.io/all-incidents/boolka-campaign 21 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/scattered-spider-saas-targeting-2024 UNC3944, a financially motivated threat group linked to "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," has evolved its tactics to include data theft from SaaS applications, persistence mechanisms in virtualization platforms, and lateral movement via SaaS p... https://threats.wiz.io/all-incidents/scattered-spider-saas-targeting-2024 14 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/ncs-mass-server-deletion On 2024-06-13, an incident was reported, involving , gaining initial access via Insider threat, to achieve Data destruction. https://threats.wiz.io/all-incidents/ncs-mass-server-deletion 13 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/rce-vulnerability-in-php-cgi-exploited-by-tellyouthepass The TellYouThePass ransomware gang has been exploiting the recently patched vulnerability (CVE-2024-4577) in PHP to deploy webshells and execute their encryptor payload on target systems. Attacks started on June 8, just after the release of security updates, using publicly ava... https://threats.wiz.io/all-incidents/rce-vulnerability-in-php-cgi-exploited-by-tellyouthepass 10 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/nyt-source-code-theft On 2024-06-08, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, targeting GitHub to achieve Data exfiltration. https://threats.wiz.io/all-incidents/nyt-source-code-theft 08 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/dero-cryptojacking-campaign-2024 Wiz Threat Research discovered a new variant of a cryptojacking campaign targeting misconfigured Kubernetes clusters in cloud environments. The threat actor abuses cluster anonymous access to deploy malicious container images from Docker Hub that contain a DERO miner. The thre... https://threats.wiz.io/all-incidents/dero-cryptojacking-campaign-2024 07 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/scylla-llmjacking-campaign On 2024-06-06, a campaign was reported, involving an unknown actor, gaining initial access via End-user compromise, while using LLMjacking, Cloud key compromise, Cloud API e, targeting Amazon Bedrock to achieve Resource hijacking. https://threats.wiz.io/all-incidents/scylla-llmjacking-campaign 06 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/gitloker-campaign On 2024-06-05, a campaign was reported, involving Gitloker, gaining initial access via End-user compromise, while using Repo encryption for extortion, targeting GitHub to achieve RansomOp. https://threats.wiz.io/all-incidents/gitloker-campaign 05 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/club-penguin-data-theft-via-confluence Club Penguin fans hacked a Disney Confluence server to obtain information about their favorite game, but ended up with 2.5 GB of internal corporate data. Club Penguin, a popular MMO from 2005 to 2018, continues to exist on private servers run by fans, despite Disney shutting i... https://threats.wiz.io/all-incidents/club-penguin-data-theft-via-confluence 05 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/dama-webshell-deployment-via-thinkphp-exploitation On 2024-06-05, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting ThinkPHP to achieve Resource hijacking. The following tools were observed: Dama. https://threats.wiz.io/all-incidents/dama-webshell-deployment-via-thinkphp-exploitation 05 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/muhstik Researchers uncovered a new campaign using Muhstik malware to target Apache RocketMQ, a distributed messaging platform, exploiting a remote code execution vulnerability (CVE-2023-33246). Attackers use this vulnerability to download and execute Muhstik malware on compromised in... https://threats.wiz.io/all-incidents/muhstik 04 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/operation-veles On 2024-06-04, a campaign was reported, involving UTG-Q-008, gaining initial access via Password attack, while using SSH bruteforcing, to achieve Resource hijacking. https://threats.wiz.io/all-incidents/operation-veles 04 Jun 24 00:00 +0000 https://threats.wiz.io/all-incidents/bytedance-rspack-github-misconfiguration On 2024-05-31, a research was reported, involving , gaining initial access via Software misconfig, targeting GitHub to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/bytedance-rspack-github-misconfiguration 31 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/redtail-cryptomining-campaign- The RedTail cryptomining malware has been updated to exploit CVE-2024-3400, a vulnerability in PAN-OS. The attackers are using private cryptomining pools for greater control, and the malware now includes advanced antiresearch techniques. It spreads through multiple web exploit... https://threats.wiz.io/all-incidents/redtail-cryptomining-campaign- 30 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/snowflake-compromised-creds-abuse-campaign On May 30, 2024, researchers published a report concerning activity by a threat actor dubbed UNC5537, involving abuse of stolen credentials to gain illicit access to Snowflake accounts unprotected by MFA by using a toolkit known as rapeflake.On May 31, 2024, Snowflake publishe... https://threats.wiz.io/all-incidents/snowflake-compromised-creds-abuse-campaign 29 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/kinsing-targeting-cloud-servers Researchers observed recent activities surrounding the Kinsing malware, which primarily targets Linux-based cloud infrastructure. Kinsing exploits various vulnerabilities to gain unauthorized access and deploys backdoors and cryptominers. Recent findings show that Kinsing also... https://threats.wiz.io/all-incidents/kinsing-targeting-cloud-servers 16 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/mirai-campaign-targeting-ivanti-products On 2024-05-07, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Ivanti Connect Secure VPN to achieve Resource hijacking. The following tools were observed: Mirai. https://threats.wiz.io/all-incidents/mirai-campaign-targeting-ivanti-products 07 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/atlas-lion-phishing-campaign Microsoft has identified a Morocco-based cybercrime group, Storm-0539, known for sophisticated phishing attacks to steal and sell gift cards. Active since 2021, the group targets large retailers by compromising gift card services and bypassing multi-factor authentication. Thei... https://threats.wiz.io/all-incidents/atlas-lion-phishing-campaign 06 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/llmjacking-via-laravel-exploitation Threat actors are attempting to monetize their illicit access to LLMs while the cloud account owner bears the costs. The attackers target a variety of LLM services across AWS, Azure, and GCP. In some instances, they employ a script to automate checking the validity of the stol... https://threats.wiz.io/all-incidents/llmjacking-via-laravel-exploitation 06 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/utah-bathroom-bill-open-database On 2024-05-03, a research was reported, involving , gaining initial access via Cloud native misconfig, targeting Google Cloud Storage to achieve Data exfiltration. https://threats.wiz.io/all-incidents/utah-bathroom-bill-open-database 03 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/targetcompany-abusing-mssql-servers-for-ransomware Researchers investigated a series of ransomware attacks targeting poorly managed MS-SQL servers by the TargetCompany ransomware group. This group primarily installs Mallox ransomware, with recent analysis linking these incidents to earlier attacks involving Tor2Mine CoinMiner ... https://threats.wiz.io/all-incidents/targetcompany-abusing-mssql-servers-for-ransomware 02 May 24 00:00 +0000 https://threats.wiz.io/all-incidents/arcanedoor-campaign-targeting-cisco-adaptive-security-appliance-0day Cisco reported two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls that have been exploited by a state-backed hacking group known as UAT4356 or STORM-1849. These vulnerabilities have been under attack since Novembe... https://threats.wiz.io/all-incidents/arcanedoor-campaign-targeting-cisco-adaptive-security-appliance-0day 24 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/mitre-breach-via-ivanti-connect-secure On 2024-04-19, an incident was reported, involving UNC5221, gaining initial access via 1-day vulnerability, while using Session hijacking, Webshell deployment, targeting Ivanti Connect Secure VPN to achieve Data exfiltration. https://threats.wiz.io/all-incidents/mitre-breach-via-ivanti-connect-secure 19 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/kubernetes-clusters-targeted-in-openmetadata-exploits Researchers observed attackers exploiting critical vulnerabilities in the OpenMetadata platform to infiltrate Kubernetes environments for cryptomining. OpenMetadata, an open-source platform for managing data source metadata, was found to have several vulnerabilities (CVE-2024-... https://threats.wiz.io/all-incidents/kubernetes-clusters-targeted-in-openmetadata-exploits 17 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/delinea-breach On 2024-04-14, an incident was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, with unknown impact. https://threats.wiz.io/all-incidents/delinea-breach 14 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/from-password-reset-to-data-exfiltration On 2024-04-11, an incident was reported, involving an unknown actor, gaining initial access via Cloud native misconfig, while using Launch new cloud resources, Create or modify firewall or security group rules, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/from-password-reset-to-data-exfiltration 11 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/smishing-into-entra-onto-vmware-ransomware On 2024-04-11, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Password spraying, Launch new cloud resources, MFA enrollment, Credential theft, Cloud to on-prem lateral movement, Smishing (SMS phishing), EDR whitelisting, to achieve RansomOp. https://threats.wiz.io/all-incidents/smishing-into-entra-onto-vmware-ransomware 11 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/third-party-to-cloud-compromise On 2024-04-11, an incident was reported, involving an unknown actor, gaining initial access via Supply chain vector, while using Cloud key compromise, Cloud to on-prem lateral movement, to achieve RansomOp. https://threats.wiz.io/all-incidents/third-party-to-cloud-compromise 11 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/personal-local-drive-to-aws-ransomware On 2024-04-11, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Cloud key compromise, Phishing, to achieve RansomOp. https://threats.wiz.io/all-incidents/personal-local-drive-to-aws-ransomware 11 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/abusing-management-tooling-for-cloud-access On 2024-04-11, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Cloud key compromise, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/abusing-management-tooling-for-cloud-access 11 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/sisense-breach An unknown threat actor gained access to a self-hosted Gitlab instance used by Sisense, which stored credentials for an S3 bucket containing customer access tokens, passwords and SSL certificates. https://threats.wiz.io/all-incidents/sisense-breach 11 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/microsoft-exposed-storage-with-credentials On 2024-04-09, a research was reported, involving , gaining initial access via Cloud native misconfig, targeting Azure Storage to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/microsoft-exposed-storage-with-credentials 09 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/rubycarp-botnet-exploiting-vulnerabilities-for-crypto Researchers has uncovered a decade-long botnet operation by a Romanian group dubbed RUBYCARP. This group focuses on financial gain through cryptomining, phishing, and DDoS attacks, utilizing public exploits and brute force for deployment.Pinpointing their exact origin is chall... https://threats.wiz.io/all-incidents/rubycarp-botnet-exploiting-vulnerabilities-for-crypto 09 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/muddled-libra-campaigns-2024 On 2024-04-09, a campaign was reported, involving 0ktapus, gaining initial access via End-user compromise, while using Exfiltration via AWS Transfer, Exfiltration via AWS DataSync, Cloud API e, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/muddled-libra-campaigns-2024 09 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/hugging-face-cross-tenant-access Wiz found two critical security risks that were present in Hugging Face’s environment:Specifically, Wiz Research showed that an attacker targeting Hugging Face could have achieved the following:Wiz Research were able to achieve remote code execution through a specially-crafted... https://threats.wiz.io/all-incidents/hugging-face-cross-tenant-access 04 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/affirmed-networks-breach In April 2020, Microsoft acquired Affirmed Networks. Sometime prior to that, Storm-0558 likely gained access to a device used by one of the company’s engineer, and retained that access following the acquisition, which allowed the threat actor to move laterally into Microsoft’s... https://threats.wiz.io/all-incidents/affirmed-networks-breach 02 Apr 24 00:00 +0000 https://threats.wiz.io/all-incidents/xz-utils-backdoor-incident A backdoor has been identified in versions 5.6.0 and 5.6.1 of XZ Utils (assigned CVE-2024-3094), which under some conditions may allow SSH authentication bypass in specific versions of certain Linux distributions.According to Wiz data, while XZ Utils itself is highly prevalent... https://threats.wiz.io/all-incidents/xz-utils-backdoor-incident 29 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/agenda-ransomware-targets-esxi-and-vcenter-servers Researchers observed the Agenda Ransomware group, identified as Qilin or Water Galura, has been spreading through VMware vCenter and ESXi servers. The group has been actively evolving and targeting entities globally, particularly in the US, Argentina, Australia, and Thailand, ... https://threats.wiz.io/all-incidents/agenda-ransomware-targets-esxi-and-vcenter-servers 26 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/compromise-of-topgg-repo On 2024-03-25, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, targeting GitHub to achieve Supply chain attack. https://threats.wiz.io/all-incidents/compromise-of-topgg-repo 25 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/unc5174-screenconnect-and-f5-big-ip-exploitation On 2024-03-22, a campaign was reported, involving UNC5174, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting ConnectWise ScreenConnect, F5 BIG IP, Confluence Server to achieve Data exfiltration. The following tools were observed: SUPERSHELL, SNOWLIGHT, GOHEAVY. https://threats.wiz.io/all-incidents/unc5174-screenconnect-and-f5-big-ip-exploitation 22 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/fujitsu-exposed-bucket On 2024-03-21, a research was reported, involving , gaining initial access via Cloud native misconfig, targeting S3 Bucket to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/fujitsu-exposed-bucket 21 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/teamcity-exploitation On 2024-03-19, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using LOLBin abuse, targeting TeamCity to achieve Resource hijacking, RansomOp. The following tools were observed: Jasmin, XMRig, Cobalt Strike, SparkRAT. https://threats.wiz.io/all-incidents/teamcity-exploitation 19 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/vulnerability-in-aiohttp-targeted-by-shadowsyndicate Aiohttp is a widely used open-source library for handling concurrent HTTP requests in Python applications. The ransomware group ShadowSyndicate, has been scanning for servers vulnerable to CVE-2024-23334. The flaw means that improperly configuring static resource resolution in... https://threats.wiz.io/all-incidents/vulnerability-in-aiohttp-targeted-by-shadowsyndicate 15 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/meson-network-cryptojacking-campaign Researchers uncovered a malicious campaign targeting the Meson Network, a decentralized content delivery network (CDN) that leverages blockchain for bandwidth marketplace operations. This campaign aimed to exploit the crypto token unlock event around March 15th, attempting to ... https://threats.wiz.io/all-incidents/meson-network-cryptojacking-campaign 11 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/from-writable-bucket-to-credential-theft On 2024-03-08, a research was reported, involving , gaining initial access via Cloud native misconfig, targeting S3 Bucket to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/from-writable-bucket-to-credential-theft 08 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/magnet-goblin-campaign-2024 On 2024-03-08, a campaign was reported, involving Magnet Goblin, gaining initial access via 1-day vulnerability, targeting Ivanti Connect Secure VPN, Apache ActiveMQ, Magento, Qlink Sense with unknown impact. The following tools were observed: NerbianRAT, AnyDesk, WARPWIRE, MiniNerbian, ScreenConnect, Ligolo. https://threats.wiz.io/all-incidents/magnet-goblin-campaign-2024 08 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/malware-campaign-targeting-misconfigured-servers Researchers observed threat actors exploiting misconfiguration in servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware, which uses worm-like behavior to automate host discovery and compromise. After gaining access to misconfigured serv... https://threats.wiz.io/all-incidents/malware-campaign-targeting-misconfigured-servers 06 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/z0miner-targeting-weblogic-servers Researchers observed threat actor z0Miner targeting Korean WebLogic servers as download servers for distributing malware, including miners and network tools. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files... https://threats.wiz.io/all-incidents/z0miner-targeting-weblogic-servers 06 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/from-social-engineering-to-cryptocurrency-theft On 2024-03-06, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Cloud key compromise, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/from-social-engineering-to-cryptocurrency-theft 06 Mar 24 00:00 +0000 https://threats.wiz.io/all-incidents/cutoutpro-breach The Singapore-based company, which provides AI-powered tools for designing image and video content, has suffered a massive data breach that compromised the personal information of nearly 20 million users.Unauthorized access to Cutout.Pro’s user data-base was disclosed on the a... https://threats.wiz.io/all-incidents/cutoutpro-breach 28 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/pure-incubation-demandscience-breach Pure Incubation was founded in 2012, and the company later rebranded to DemandScience.Back in March 2024, an actor named KryptonZambie posted a thread on Breach Forums selling a database belonging to Pure Incubation.Furthermore, within their group of businesses, they reportedl... https://threats.wiz.io/all-incidents/pure-incubation-demandscience-breach 28 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/from-refresh-token-theft-to-global-admin On 2024-02-23, a research was reported, involving , gaining initial access via Unknown, while using Refresh token compromise, Attach administrative role to account, Create or modify cloud key, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/from-refresh-token-theft-to-global-admin 23 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/lucifer-botnet-targeting-apache-hadoop Researchers identified a malicious campaign focusing on Apache big-data solutions, particularly Apache Hadoop and Apache Druid. This campaign leverages the Lucifer DDoS botnet, infecting Linux machines to mine the Monero cryptocurrency.The attackers target misconfigurations an... https://threats.wiz.io/all-incidents/lucifer-botnet-targeting-apache-hadoop 22 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/us-doi-pii-exfiltration-pentest On 2024-02-21, a research was reported, involving , gaining initial access via Insider threat, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/us-doi-pii-exfiltration-pentest 21 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/s3-ransomware-scam On 2024-02-21, an incident was reported, involving an unknown actor, gaining initial access via Unknown, while using Data exfiltration from cloud storage, targeting S3 Bucket to achieve Data exfiltration, Data destruction. https://threats.wiz.io/all-incidents/s3-ransomware-scam 21 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/migo-cryptominer-targeting-redis A new campaign named Migo targeting Redis servers running on Linux hosts to mine cryptocurrency. The campaign was identified following suspicious activities on a Redis honeypot, where a malicious node disabled several Redis configuration options to weaken security and facilita... https://threats.wiz.io/all-incidents/migo-cryptominer-targeting-redis 20 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/ssh-snake-confluence-targeting-campaign On 2024-02-20, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using SSH propagation, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: SSH-Snake. https://threats.wiz.io/all-incidents/ssh-snake-confluence-targeting-campaign 20 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/winstar-exposed-app-database On 2024-02-18, a research was reported, involving , gaining initial access via Software misconfig, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/winstar-exposed-app-database 18 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/sliver-deployment-via-confluence--vulnerability On 2024-02-15, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: XMRig, Sliver. https://threats.wiz.io/all-incidents/sliver-deployment-via-confluence--vulnerability 15 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/bmw-exposed-cloud-storage On 2024-02-14, a research was reported, involving , gaining initial access via Cloud native misconfig, while using Cloud key compromise, targeting Azure Storage to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/bmw-exposed-cloud-storage 14 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/us-internet-exposed-email-server On 2024-02-14, a research was reported, involving , gaining initial access via Software misconfig, targeting Ansible, NGINX to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/us-internet-exposed-email-server 14 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/microsoft-smartscreen-vulnerability-exploited-by-water-hydra Water Hydra group (AKA DarkCasino), whose activity was first detected in 2021, is known for their cyberattacks targeting the financial industry globally, including banks, cryptocurrency platforms, and gambling sites. Initially confused with the Evilnum APT group, Water Hydra w... https://threats.wiz.io/all-incidents/microsoft-smartscreen-vulnerability-exploited-by-water-hydra 13 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/cgi-federal-incident On 2024-02-13, an incident was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Confluence Server to achieve Data exfiltration. https://threats.wiz.io/all-incidents/cgi-federal-incident 13 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/zenlayer-exposed-database On 2024-02-13, a research was reported, involving , gaining initial access via Software misconfig, while using Cloud key compromise, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/zenlayer-exposed-database 13 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/wrk-exposed-database On 2024-02-09, a research was reported, involving , gaining initial access via Software misconfig, targeting MongoDB to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/wrk-exposed-database 09 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/juniper-support-portal-exposure On 2024-02-09, a research was reported, involving , gaining initial access via Software misconfig, targeting Salesforce to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/juniper-support-portal-exposure 09 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/almerys-incident On 2024-02-08, an incident was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/almerys-incident 08 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/viamedis-incident On 2024-02-08, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/viamedis-incident 08 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/c3pool-mining-via-confluence-vulnerability On 2024-02-08, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: C3Pool. https://threats.wiz.io/all-incidents/c3pool-mining-via-confluence-vulnerability 08 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/cryptojacking-via-azure-batch On 2024-02-06, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Azure Batch abuse, targeting Azure Batch to achieve Resource hijacking. The following tools were observed: XMRig. https://threats.wiz.io/all-incidents/cryptojacking-via-azure-batch 06 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/windows-smartscreen-vulnerability-exploited-by-mispadu-trojan Mispadu Stealer, a banking Trojan first reported in November 2019, has been observed exploiting the Windows SmartScreen bypass vulnerability, CVE-2023-36025. This variant of Mispadu spreads through phishing emails and primarily affects victims in Latin America. The malware is ... https://threats.wiz.io/all-incidents/windows-smartscreen-vulnerability-exploited-by-mispadu-trojan 02 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/football-australia-exposed-cloud-key On 2024-02-01, a research was reported, involving , gaining initial access via Exposed secret, Cloud native misconfig, while using Cloud key compromise, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/football-australia-exposed-cloud-key 01 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/cloudflare-incident-following-okta-breach On November 23, 2023, Cloudflare detected activity in their network related to the Okta support system supply chain attack. https://threats.wiz.io/all-incidents/cloudflare-incident-following-okta-breach 01 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/commando-cat-campaign This campaign, active since the beginning of 2024, deploys a benign container through the Commando project, escaping it to run multiple payloads on the Docker host. Docker is used as an initial access vector to deliver payloads that register persistence, create backdoors, exfi... https://threats.wiz.io/all-incidents/commando-cat-campaign 01 Feb 24 00:00 +0000 https://threats.wiz.io/all-incidents/new-relic-incident-november-2023 On 2024-01-31, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Credential stuffing, VPN anonymization, Email C2, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/new-relic-incident-november-2023 31 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/dangerdev-ses-abuse-incident On 2024-01-31, an incident was reported, involving an unknown actor, gaining initial access via Exposed secret, while using Cloud API e, Create new cloud user, Create or modify firewall or security group rules, Launch new cloud resources, Evasive username patterns, Domain registration abuse, SES abuse for spam or phishing, Attach administrative role to account, Share compromised resources to an external account, Policy simulation, Modify existing IAM user or role, Cloud compute cryptojacking, targeting Amazon SES to achieve Resource hijacking. https://threats.wiz.io/all-incidents/dangerdev-ses-abuse-incident 31 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/trigona-ransomware-infecting-misconfigured-mssql-servers Trigona ransomware has been active since at least June 2022, targeting MSSQL servers. Mimic ransomware was first identified in June 2022, with a January 2024 attack by a Turkish-speaking threat actor on poorly managed MSSQL servers. Researchers believe the same Trigona threat ... https://threats.wiz.io/all-incidents/trigona-ransomware-infecting-misconfigured-mssql-servers 28 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/mercedes-benz-source-code-exposure In January 2024, researchers at RedHunt Labs discovered that Mercedes-Benz accidentally included an access token in a one of their public GitHub repositories that granted access to an internal GitHub Enterprise server. This server contained intellectual property as well as cre... https://threats.wiz.io/all-incidents/mercedes-benz-source-code-exposure 26 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/s3-data-exfiltration Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they checked SES quotes and enumerated cloud identities. The threat actor proceeded to create a new admin user. The above was quick and theref... https://threats.wiz.io/all-incidents/s3-data-exfiltration 19 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/ecs-fargate-cryptojacking Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they immediately began spinning up hundreds of ECS Fargate clusters, within which they created ECS task definitions to launch containers based... https://threats.wiz.io/all-incidents/ecs-fargate-cryptojacking 19 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/microsoft-email-exfiltration-by-nobelium On January 19, 2023, Microsoft disclosed that email accounts of multiple employees had been compromised by Nobelium (which overlaps with APT29).According to Microsoft, beginning in late November 2023, Nobelium used a Password spraying attack to compromise a "legacy non-product... https://threats.wiz.io/all-incidents/microsoft-email-exfiltration-by-nobelium 19 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/from-activemq-to-godzilla-webshell On 2024-01-18, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Apache ActiveMQ to achieve Resource hijacking. The following tools were observed: Godzilla. https://threats.wiz.io/all-incidents/from-activemq-to-godzilla-webshell 18 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/mimo-cryptomining-campaign On 2024-01-18, a campaign was reported, involving Mimo operator, gaining initial access via 1-day vulnerability, targeting VMware Horizon, Confluence Server, WSO2, Apache ActiveMQ, PaperCut to achieve Resource hijacking, RansomOp. The following tools were observed: Mimo, NHAS reverse_ssh, XMRig, Mimus, Peer2Profit. https://threats.wiz.io/all-incidents/mimo-cryptomining-campaign 18 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/9hits-docker-campaign On 2024-01-18, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using Proxyjacking, targeting Docker to achieve Resource hijacking. The following tools were observed: 9hits, XMRig. https://threats.wiz.io/all-incidents/9hits-docker-campaign 18 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/androxgh0st-usage-2024 On 2024-01-16, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, Software misconfig, while using Exposed environment config abuse, targeting PHP, Apache HTTP Server, Laravel to achieve Resource hijacking. The following tools were observed: AndroxGh0st. https://threats.wiz.io/all-incidents/androxgh0st-usage-2024 16 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/tensorflow-github-misconfiguration On 2024-01-15, a research was reported, involving , gaining initial access via Software misconfig, targeting GitHub to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/tensorflow-github-misconfiguration 15 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/pytorch-github-misconfiguration On 2024-01-11, a research was reported, involving , gaining initial access via Software misconfig, targeting GitHub to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/pytorch-github-misconfiguration 11 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/s3-ransomop-following-long-term-key-exposure On 2024-01-11, an incident was reported, involving an unknown actor, gaining initial access via Exposed secret, while using Cloud API e, Create new cloud user, targeting S3 Bucket to achieve RansomOp, Data exfiltration. https://threats.wiz.io/all-incidents/s3-ransomop-following-long-term-key-exposure 11 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/dreambus-campaign-2023 On 2024-01-11, a campaign was reported, involving Dreambus operator, gaining initial access via Software misconfig, 1-day vulnerability, targeting Apache RocketMQ, Metabase to achieve Resource hijacking. The following tools were observed: XMRig. https://threats.wiz.io/all-incidents/dreambus-campaign-2023 11 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/fbot-toolkit-targets-cloud-environments FBot is a Python-based hacking toolkit, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio. FBot's primary purpose is to enable actors to hijack cloud, SaaS, and web services, with a secondary focus on acquiring accounts... https://threats.wiz.io/all-incidents/fbot-toolkit-targets-cloud-environments 11 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/ivanti-connect-secure-targeting-campaign On 2024-01-10, a campaign was reported, involving UNC5221, gaining initial access via 0-day vulnerability, targeting Ivanti Connect Secure VPN with unknown impact. The following tools were observed: PySoxy, LIGHTWIRE, THINSPOOL, WARPWIRE, WIREFIRE, enum4Linux, ZIPLINE, BUSHWALK, CHAINLINE, FRAMESTING, Impacket, CrackMapExec, iodine, DSLog. https://threats.wiz.io/all-incidents/ivanti-connect-secure-targeting-campaign 10 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/returgence-campaign-targeting-mssql-servers-with-ransomware Researchers identified attacks targeting Microsoft SQL (MSSQL) servers to encrypt the victims' files with Mimic (N3ww4v3) ransomware. The attacks are tracked as RE#TURGENCE and have been observed targeting Europe, the United States, and Latin America.Threat actors targeted pub... https://threats.wiz.io/all-incidents/returgence-campaign-targeting-mssql-servers-with-ransomware 10 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/apache-app-cryptojacking-campaign On 2024-01-10, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, Software misconfig, targeting Apache Flink, Apache Hadoop, Spring Framework, Redis to achieve Resource hijacking. https://threats.wiz.io/all-incidents/apache-app-cryptojacking-campaign 10 Jan 24 00:00 +0000 https://threats.wiz.io/all-incidents/cyber-toufan-linux-destruction On 2023-12-28, a campaign was reported, involving Cyber Toufan, gaining initial access via Supply chain vector, while using TOR anonymization, Email server hijacking, to achieve Data exfiltration, Data destruction. https://threats.wiz.io/all-incidents/cyber-toufan-linux-destruction 28 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/cloud-lateral-movement-via-citrix-cookie On 2023-12-15, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Erase logs, Disable logging, Reverse shell, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/cloud-lateral-movement-via-citrix-cookie 15 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/gambleforce-sql-injection-campaign On 2023-12-14, a campaign was reported, involving GambleForce, gaining initial access via Web vulnerability, 1-day vulnerability, while using SQL injection, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/gambleforce-sql-injection-campaign 14 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/apt29-teamcity-campaign On 2023-12-13, a campaign was reported, involving APT29, gaining initial access via 1-day vulnerability, targeting TeamCity to achieve Data exfiltration. https://threats.wiz.io/all-incidents/apt29-teamcity-campaign 13 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/first-republic-bank-incident On 2023-12-12, an incident was reported, involving an unknown actor, gaining initial access via Insider threat, to achieve Data destruction. https://threats.wiz.io/all-incidents/first-republic-bank-incident 12 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/oauth-applications-to-deploy-vms-for-cryptomining On 2023-12-12, a campaign was reported, involving Storm-1283, gaining initial access via End-user compromise, while using OAuth app creation, OAuth app hijack, to achieve Resource hijacking. https://threats.wiz.io/all-incidents/oauth-applications-to-deploy-vms-for-cryptomining 12 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/krasue-thailand-campaign On 2023-12-07, a campaign was reported, involving Krasue operator, gaining initial access via Unknown, to achieve Data exfiltration. The following tools were observed: Krasue. https://threats.wiz.io/all-incidents/krasue-thailand-campaign 07 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/package-hijacking-redteam-op On 2023-12-06, a research was reported, involving , gaining initial access via End-user compromise, while using Package hijacking, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/package-hijacking-redteam-op 06 Dec 23 00:00 +0000 https://threats.wiz.io/all-incidents/gotitan-activemq-campaign Fortiguard Labs detected numerous threat actors exploiting CVE-2023-46604 to disseminate diverse strains of malware. Their analysis unveiled the emergence of a newly discovered Golang-based botnet named GoTitan and a .NET program called "PrCtrl Rat," equipped with remote contr... https://threats.wiz.io/all-incidents/gotitan-activemq-campaign 28 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/line-and-naver-cloud-incident On 2023-11-27, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/line-and-naver-cloud-incident 27 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/andariel-exploiting-apache-activemq On 2023-11-27, a campaign was reported, involving Andariel, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting Apache ActiveMQ with unknown impact. The following tools were observed: NukeSped, Metasploit. https://threats.wiz.io/all-incidents/andariel-exploiting-apache-activemq 27 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/cryptojacking-against-apache-servers-with-cobalt-strike Researchers detected a cyber attack campaign that installs the XMRig CoinMiner on Windows web servers operating Apache. The threat actor employed Cobalt Strike to manage the compromised system. Cobalt Strike, a commercial penetration testing tool, has recently become a common ... https://threats.wiz.io/all-incidents/cryptojacking-against-apache-servers-with-cobalt-strike 20 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/confluence-targeting-by-c3rb3r On 2023-11-14, a campaign was reported, involving C3RB3R operator, gaining initial access via 1-day vulnerability, targeting Confluence Server to achieve RansomOp. The following tools were observed: C3RB3R Ransomware. https://threats.wiz.io/all-incidents/confluence-targeting-by-c3rb3r 14 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/oracleiv-campaign On 2023-11-13, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Abusing exposed Docker socket, targeting Docker to achieve Resource hijacking. The following tools were observed: OracleIV. https://threats.wiz.io/all-incidents/oracleiv-campaign 13 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/sumologic-breach On 2023-11-07, an incident was reported, involving an unknown actor, gaining initial access via Unknown, with unknown impact. https://threats.wiz.io/all-incidents/sumologic-breach 07 Nov 23 00:00 +0000 https://threats.wiz.io/all-incidents/elektra-leak Unit 42 researchers identified a campaign dubbed EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories. https://threats.wiz.io/all-incidents/elektra-leak 30 Oct 23 00:00 +0000 https://threats.wiz.io/all-incidents/okta-support-system-supply-chain-attack The threat actor gained access to Okta’s environment, and figured out that Okta was storing unsanitized HAR files (recordings of browser activity) that customers were sharing with the Okta support team to help with troubleshooting. These HAR files sometimes contained customer ... https://threats.wiz.io/all-incidents/okta-support-system-supply-chain-attack 20 Oct 23 00:00 +0000 https://threats.wiz.io/all-incidents/qubitstrike-crypto-mining-and-rootkit-campaign Qubitstrike is a cryptojacking campaing targeting exposed Jupyter Notebooks, as they may allow to execute commands remotely. After obtaining a shell on the remote host, the shell script executes a cryptocurrency miner and establishes persistence using a cron job that inserts a... https://threats.wiz.io/all-incidents/qubitstrike-crypto-mining-and-rootkit-campaign 18 Oct 23 00:00 +0000 https://threats.wiz.io/all-incidents/cloud-tools-imitation-campaign On 2023-10-10, a campaign was reported, involving an unknown actor, gaining initial access via Supply chain vector, while using Package typosquatting, Package Starjacking, with unknown impact. https://threats.wiz.io/all-incidents/cloud-tools-imitation-campaign 10 Oct 23 00:00 +0000 https://threats.wiz.io/all-incidents/sql-server-to-cloud-lateral-movement On 2023-10-03, a campaign was reported, involving an unknown actor, gaining initial access via Web vulnerability, while using SQL injection, Use DNS for exfiltration, IMDS abuse, SQL commands, targeting Microsoft SQL Server to achieve Data exfiltration. https://threats.wiz.io/all-incidents/sql-server-to-cloud-lateral-movement 03 Oct 23 00:00 +0000 https://threats.wiz.io/all-incidents/darkbeam-data-exposure Cyber risk management company DarkBeam has leaked more than 3.8 billion records after it left an Elasticsearch server unprotected on the internet. The database contained information from older breaches that DarkBeam was using to send alerts to customers. While the leaked data ... https://threats.wiz.io/all-incidents/darkbeam-data-exposure 02 Oct 23 00:00 +0000 https://threats.wiz.io/all-incidents/scattered-spider-saas-targeting On 2023-09-20, a campaign was reported, involving 0ktapus, gaining initial access via End-user compromise, while using Smishing (SMS phishing), Serial port abuse, MFA enrollment, Create new cloud user, SIM swap scam, Phishing, to achieve Data exfiltration, RansomOp. https://threats.wiz.io/all-incidents/scattered-spider-saas-targeting 20 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/prophet-spider-campaign On 2023-09-20, a campaign was reported, involving Prophet Spider, gaining initial access via , while using Vulnerability exploitation,. https://threats.wiz.io/all-incidents/prophet-spider-campaign 20 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/microsoft-ai-data-exposure On 2023-09-18, a research was reported, involving , gaining initial access via Software misconfig, targeting Azure Storage to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/microsoft-ai-data-exposure 18 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/ambersquid-campaign Researchers uncovered a cryptojacking operation targeting AWS services such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. The timeline of this operation spans from May 2022 to March 2023. Initially, the attackers used Docker Hub accounts to distribu... https://threats.wiz.io/all-incidents/ambersquid-campaign 18 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/peach-sandstorm-cloud-activity According to Microsoft Threat Research, during a campaign by Iranian state-sponsored actor Peach Sandstorm, they were observed utilizing password spray attacks to gain unauthorized access to target environments. Active since February 2023, the campaign successfully targeted sa... https://threats.wiz.io/all-incidents/peach-sandstorm-cloud-activity 14 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/blackcat-azure-storage-account-ransomop The threat actors gained access to the customer's Azure portal, where they obtained the Azure key required to access the storage account programmatically. The adversary encoded the keys using base-64 and inserted them into the ransomware binary with execution command lines bel... https://threats.wiz.io/all-incidents/blackcat-azure-storage-account-ransomop 13 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/rollbar-hack The security breach was discovered by Rollbar on September 6 when reviewing data warehouse logs showing that a service account was used to log into the cloud-based bug monitoring platform.Once inside Rollbar's systems, the threat actors searched the company's data for cloud cr... https://threats.wiz.io/all-incidents/rollbar-hack 13 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/from-ssh-bruteforce-to-cryptojacking The researchers observed a malicious IP address, previously flagged for conducting SSH brute force attempts, communicating with a malicious shell script named hoze. This script downloads xrx.tar, an archive that contains more scripts that uninstall security software and enable... https://threats.wiz.io/all-incidents/from-ssh-bruteforce-to-cryptojacking 08 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/evilminio-campaign On 2023-09-04, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting MinIO with unknown impact. https://threats.wiz.io/all-incidents/evilminio-campaign 04 Sep 23 00:00 +0000 https://threats.wiz.io/all-incidents/unc4841-barracuda-esg-campaign On 2023-08-29, a campaign was reported, involving UNC4841, gaining initial access via 0-day vulnerability, targeting Barracuda ESG to achieve Data exfiltration. https://threats.wiz.io/all-incidents/unc4841-barracuda-esg-campaign 29 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/kinsing-campaigns-2023-2024 On 2023-08-29, a campaign was reported, involving Kinsing operator, gaining initial access via 1-day vulnerability, Software misconfig, while using Misconfigured PostgreSQL abuse, targeting Openfire, PostgreSQL, WebLogic, WordPress, Liferay, PHPUnit, Apache RocketMQ to achieve Resource hijacking. https://threats.wiz.io/all-incidents/kinsing-campaigns-2023-2024 29 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/retool-hack On 2023-08-29, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Spearphishing, to achieve Supply chain attack. https://threats.wiz.io/all-incidents/retool-hack 29 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/fatal-model-exposed-database A security researcher discovered an exposed cloud database that contained sensitive log records with references to Fatal Model, an escort service in Brazil. Additionally, the database contained access keys for an AWS storage account associated with Fatal Model, which wasn't pa... https://threats.wiz.io/all-incidents/fatal-model-exposed-database 25 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/labrat-gitlab-campaign On 2023-08-17, a campaign was reported, involving Labrat operator, gaining initial access via 1-day vulnerability, while using Proxyjacking, Cloud compute cryptojacking, targeting GitLab to achieve Resource hijacking. The following tools were observed: Gsocket, ProxyLite, IPRoyal. https://threats.wiz.io/all-incidents/labrat-gitlab-campaign 17 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/from-php-exploitation-to-aws-lateral-movement On 2023-08-15, an incident was reported, involving an unknown actor, gaining initial access via 0-day vulnerability, while using SSM orchestration abuse, Cron persistence, IMDS abuse, targeting PHP with unknown impact. The following tools were observed: Sliver. https://threats.wiz.io/all-incidents/from-php-exploitation-to-aws-lateral-movement 15 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/use-of-azure-run-commands On 2023-08-15, a campaign was reported, involving 0ktapus, gaining initial access via Unknown, while using Azure Run Commands abuse, with unknown impact. https://threats.wiz.io/all-incidents/use-of-azure-run-commands 15 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/use-of-linpeas-for-cloud-enumeration On 2023-08-15, an incident was reported, involving an unknown actor, gaining initial access via ,. The following tools were observed: linPEAS. https://threats.wiz.io/all-incidents/use-of-linpeas-for-cloud-enumeration 15 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/sugarcrm-as-initial-access-to-aws-envs On 2023-08-10, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting SugarCRM. The following tools were observed: Pacu, ScoutSuite. https://threats.wiz.io/all-incidents/sugarcrm-as-initial-access-to-aws-envs 10 Aug 23 00:00 +0000 https://threats.wiz.io/all-incidents/p2pinfect-campaign A campaign targeting misconfigured Redis servers with a peer-to-peer self-replicating worm named P2Pinfect. The campaign exploits a critical vulnerability and makes use of the SLAVEOF feature to install malware that acts as a botnet agent. P2Pinfect is written in Rust and empl... https://threats.wiz.io/all-incidents/p2pinfect-campaign 31 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/meow-jupyter-notebook-campaign On 2023-07-31, a campaign was reported, involving Meow, gaining initial access via Software misconfig, while using Jupyter Notebook misconfig abuse, targeting Jupyter Notebook to achieve Data destruction. https://threats.wiz.io/all-incidents/meow-jupyter-notebook-campaign 31 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/skidmap-targeting-redis On 2023-07-30, a campaign was reported, involving SkidMap operator, gaining initial access via Software misconfig, while using Misconfigured Redis abuse, targeting Redis with unknown impact. The following tools were observed: SkidMap. https://threats.wiz.io/all-incidents/skidmap-targeting-redis 30 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/depositfiles-exposed-config-file The Cybernews research team discovered DepositFiles’ publicly hosted environment configuration (config) file, which exposed: https://threats.wiz.io/all-incidents/depositfiles-exposed-config-file 27 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/jumpcloud-supply-chain-attack On 2023-07-14, an incident was reported, involving TraderTraitor, gaining initial access via End-user compromise, to achieve Supply chain attack. https://threats.wiz.io/all-incidents/jumpcloud-supply-chain-attack 14 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/silentbob-cryptomining-campaign A cloud attack campaign possibly orchestrated by the threat actor known as TeamTNT. The campaign primarily involves an aggressive cloud worm that targets JupyterLab and Docker APIs to deploy Tsunami malware, hijack cloud credentials, and execute resource hijacking.On July 13, ... https://threats.wiz.io/all-incidents/silentbob-cryptomining-campaign 13 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/storm-0558-phishing-campaigns On 2023-07-11, a campaign was reported, involving Storm-0558, gaining initial access via End-user compromise, while using Phishing, LSASS dumping, with unknown impact. The following tools were observed: Cigril, China Chopper. https://threats.wiz.io/all-incidents/storm-0558-phishing-campaigns 11 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/pyloose-campaign In mid-2023, an unknown financially-motivated threat actor began targeting publicly exposed Jupyter Notebook instances to hijack them for running cryptomining operations. The threat actor deployed a fileless Python tool (dubbed “PyLoose”) that loaded an XMRig miner directly in... https://threats.wiz.io/all-incidents/pyloose-campaign 11 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/apt31-rekoobe-campaign On 2023-07-11, a campaign was reported, involving APT31, gaining initial access via ,. The following tools were observed: Rekoobe. https://threats.wiz.io/all-incidents/apt31-rekoobe-campaign 11 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/storm-0558-signing-key-compromise In July 2023, Microsoft disclosed that Storm-0558, a threat actor attributed to China, managed to acquire a signing key that allowed them to gain illicit access to Exchange and Outlook accounts. The threat actor utilized this key in order to exfiltrate emails from multiple org... https://threats.wiz.io/all-incidents/storm-0558-signing-key-compromise 11 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/scarleteel20 In July 2023, details of recent activities related to ScarletEel were published, showing the advancement of the attacker over time. The threat actors expanded their arsenal to include new tools and a C2 infrastructure, making it more difficult to detect their activity. They ty... https://threats.wiz.io/all-incidents/scarleteel20 11 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/romcom-exploiting-word-vulnerability-in-campaign-targeting-government-entities In June 2023, Storm-0978 launched a campaign exploiting the CVE-2023-36884 vulnerability, a remote code execution flaw in Microsoft Word documents. This campaign targeted defense and government entities in Europe and North America, using phishing emails with lures related to t... https://threats.wiz.io/all-incidents/romcom-exploiting-word-vulnerability-in-campaign-targeting-government-entities 03 Jul 23 00:00 +0000 https://threats.wiz.io/all-incidents/diicot-campaign-targeting-exposed-ssh On 2023-06-15, a campaign was reported, involving Diicot, gaining initial access via Password attack, while using SSH bruteforcing, UPX packing, Cron persistence, to achieve Resource hijacking. The following tools were observed: XMRig, zmap. https://threats.wiz.io/all-incidents/diicot-campaign-targeting-exposed-ssh 15 Jun 23 00:00 +0000 https://threats.wiz.io/all-incidents/from-wso2-rce-to-ssh-lateral-movement According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting a vulnerability affecting an Internet-facing web app and gaining command shell access. The actor used Chisel for C2 purposes (specifica... https://threats.wiz.io/all-incidents/from-wso2-rce-to-ssh-lateral-movement 05 Jun 23 00:00 +0000 https://threats.wiz.io/all-incidents/from-php-vuln-to-silver-execution-via-cron According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment using an RCE vulnerability affecting PHP applications on multiple Linux machines. The actor enumerated the environment and attempted to query the IMD... https://threats.wiz.io/all-incidents/from-php-vuln-to-silver-execution-via-cron 05 Jun 23 00:00 +0000 https://threats.wiz.io/all-incidents/cosmic-wolf-cloud-activity According to CrowdStrike research, in a certain incident Cosmic Wolf compromised a target organization’s cloud environment using a stolen credential. They used this to authenticate using a CLI and modified security group settings to allow shell access to machines in the enviro... https://threats.wiz.io/all-incidents/cosmic-wolf-cloud-activity 05 Jun 23 00:00 +0000 https://threats.wiz.io/all-incidents/poisoned-image-to-k8s-to-cloud […] a real example of an AWS Kubernetes cluster infection through a software development supply chain compromise. The attackers were able to get AWS credentials from a DevOps workstation and use them to introduce a poisoned docker image into a Kubernetes cluster. It allowed th... https://threats.wiz.io/all-incidents/poisoned-image-to-k8s-to-cloud 25 May 23 00:00 +0000 https://threats.wiz.io/all-incidents/8820-gang-targeting-oracle-weblogic 8220 Gang, a financially-motivated Chinese threat actor known for their cryptojacking activity, has been observed by researchers to be exploiting CVE-2020-14883, a remote code execution (RCE) vulnerability in Oracle WebLogic Server. The attackers seem to be exploiting the vuln... https://threats.wiz.io/all-incidents/8820-gang-targeting-oracle-weblogic 16 May 23 00:00 +0000 https://threats.wiz.io/all-incidents/sim-swapping-to-serial-port-abuse In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote managem... https://threats.wiz.io/all-incidents/sim-swapping-to-serial-port-abuse 16 May 23 00:00 +0000 https://threats.wiz.io/all-incidents/optimeyes-data-leak Optimeyes's Jenkins instance was publicly exposed, albeit with few viewable workspaces and locked down admin permissions. However, the build information for each past build contained a link to the corrosponding git repository, including the bitbucket credentials in the url. Th... https://threats.wiz.io/all-incidents/optimeyes-data-leak 09 May 23 00:00 +0000 https://threats.wiz.io/all-incidents/capita-data-leak UK outsourcing company Capita exposed sensitive data in a public S3 bucket with no password protection for seven years (since 2016). The bucket contained approximately 3,000 files totaling 655GB - including documents, software, cleartext secrets, server images and more - and w... https://threats.wiz.io/all-incidents/capita-data-leak 05 May 23 00:00 +0000 https://threats.wiz.io/all-incidents/fsevents-supply-chain-attack The fsevents npm package previously pulled certain remote binaries from a public S3 bucket (fsevents-binaries.s3-us-west-2.amazonaws.com). At some point the bucket expired and the domain became dangling, and in April 2023 it was hijacked by an unknown actor (reportedly a secur... https://threats.wiz.io/all-incidents/fsevents-supply-chain-attack 27 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/8220-gang-exploiting-log4shell8220-gang-targeting-confluence On 2023-04-21, a campaign was reported, involving 8220 Gang, gaining initial access via 1-day vulnerability, to achieve Resource hijacking. https://threats.wiz.io/all-incidents/8220-gang-exploiting-log4shell8220-gang-targeting-confluence 21 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/misconfigured-fw-to-cryptojacking-botnet According to Unit42, a medium-sized e-commerce company was attacked by a threat actor with cryptojacking attack which performed large-scale crypto-mining and botnet operations in the company’s cloud environment. The attacked discovered by the cloud provider which alerted the c... https://threats.wiz.io/all-incidents/misconfigured-fw-to-cryptojacking-botnet 18 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/sim-swap-to-data-leak-on-dark-web According to Unit42, a financial firm was attacked by an adversary that manipulated, and compromised it’s cloud workloads. The threat actor was able to drop storage components such as buckets and tables, threatened the firm to leak data if ransom will not paid and eventually t... https://threats.wiz.io/all-incidents/sim-swap-to-data-leak-on-dark-web 18 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/trigona-targeting-mssql-servers Microsoft SQL servers were observed being attacked through brute-force or dictionary attacks that exploit weak account credentials. The servers were then used as entry points to deploy Trigona ransomware and encrypt all filesOnce the attackers gain access to a server, they dep... https://threats.wiz.io/all-incidents/trigona-targeting-mssql-servers 17 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/mexals-cryptojacking-campaign On 2023-04-12, a campaign was reported, involving Diicot, gaining initial access via Password attack, while using SSH bruteforcing, Cron persistence, UPX packing, to achieve Resource hijacking. The following tools were observed: XMRig. https://threats.wiz.io/all-incidents/mexals-cryptojacking-campaign 12 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/muddywater-cloud-destruction-operation Microsoft identified a destructive operation executed by MuddyWater (also known as MERCURY or Mango Sandstorm), a threat actor attributed to the Iranian government, in partnership with “DarkBit” (who gained notoriety for attacking the Technion, an Israeli university, in Februa... https://threats.wiz.io/all-incidents/muddywater-cloud-destruction-operation 07 Apr 23 00:00 +0000 https://threats.wiz.io/all-incidents/alienfox-campaign On 2023-03-30, a campaign was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Data exfiltration. The following tools were observed: AlienFox. https://threats.wiz.io/all-incidents/alienfox-campaign 30 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/3cx-and-trading-technologies-supply-chain-attack In March 2023, a North Korean threat actor (dubbed “SmoothOperator”) gained access to 3CX (VoIP vendor) and inserted a backdoor into their desktop product, which was used for targeting some of their customers - primarily crypto companies. Researchers later discovered 3CX thems... https://threats.wiz.io/all-incidents/3cx-and-trading-technologies-supply-chain-attack 29 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/chinaz-campaigns On 2023-03-24, a campaign was reported, involving ChinaZ, gaining initial access via , while using Misconfigured SSH abuse,. https://threats.wiz.io/all-incidents/chinaz-campaigns 24 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/javascript-injection-via-vulnerable-cms On 2023-03-23, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, to achieve Resource hijacking. https://threats.wiz.io/all-incidents/javascript-injection-via-vulnerable-cms 23 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/unc3886-campaigns On 2023-03-16, a campaign was reported, involving UNC3886, gaining initial access via 1-day vulnerability, targeting ESXi Server, Fortinet Fortigate to achieve Data exfiltration. The following tools were observed: Reptile. https://threats.wiz.io/all-incidents/unc3886-campaigns 16 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/dero-cryptojacking-targeting-k8s On 2023-03-15, a campaign was reported, involving an unknown actor, gaining initial access via Cloud native misconfig, while using Cloud compute cryptojacking, K8s anonymous auth abuse, targeting Kubernetes to achieve Resource hijacking. The following tools were observed: DERO miner. https://threats.wiz.io/all-incidents/dero-cryptojacking-targeting-k8s 15 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/gobruteforcer-campaign GoBruteforcer is a new kind of botnet malware that is written in Golang, and targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The following information is based on samples discovered by researchers in March 2023.The GoBruteforcer ma... https://threats.wiz.io/all-incidents/gobruteforcer-campaign 10 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/icefire-aspera-faspex-campaign On 2023-03-09, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Aspera Faspex to achieve RansomOp. The following tools were observed: IceFire. https://threats.wiz.io/all-incidents/icefire-aspera-faspex-campaign 09 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/stealing-the-lightshow On 2023-03-09, a campaign was reported, involving UNC2970, gaining initial access via , while using Azure AD abuse, Intune abuse,. https://threats.wiz.io/all-incidents/stealing-the-lightshow 09 Mar 23 00:00 +0000 https://threats.wiz.io/all-incidents/scarleteel In early 2023, Sysdig researchers discovered a cyber operation targeting public-facing containerized web apps running in a self-hosted K8s cluster, in order to mine for cryptocurrency and infiltrate the larger cloud environment. The operation, dubbed "SCARLETEEL", involved ret... https://threats.wiz.io/all-incidents/scarleteel 28 Feb 23 00:00 +0000 https://threats.wiz.io/all-incidents/fayvo-exposed-database Security researchers discovered a database containing sensitive data operated by Fayvo, a Saudi Arabia-based social media app. The server hosting the database also leaked its staging environment file, which led to another unprotected environment file with MySQL credentials, AW... https://threats.wiz.io/all-incidents/fayvo-exposed-database 23 Feb 23 00:00 +0000 https://threats.wiz.io/all-incidents/us-military-email-server-exposure On 2023-02-18, a research was reported, involving , gaining initial access via Software misconfig, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/us-military-email-server-exposure 18 Feb 23 00:00 +0000 https://threats.wiz.io/all-incidents/esxiargs-attack On 2023-02-03, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, to achieve RansomOp. The following tools were observed: Babuk. https://threats.wiz.io/all-incidents/esxiargs-attack 03 Feb 23 00:00 +0000 https://threats.wiz.io/all-incidents/headcrab-campaign On 2023-02-01, a campaign was reported, involving HeadCrab operator, gaining initial access via Software misconfig, while using Misconfigured Redis abuse, targeting Redis to achieve Resource hijacking. The following tools were observed: HeadCrab. https://threats.wiz.io/all-incidents/headcrab-campaign 01 Feb 23 00:00 +0000 https://threats.wiz.io/all-incidents/github-certificate-theft-incident On 2023-01-30, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Phishing, targeting GitHub to achieve Data exfiltration. https://threats.wiz.io/all-incidents/github-certificate-theft-incident 30 Jan 23 00:00 +0000 https://threats.wiz.io/all-incidents/commuteair-exposed-jenkins On 2023-01-19, a research was reported, involving , gaining initial access via Software misconfig, targeting Jenkins to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/commuteair-exposed-jenkins 19 Jan 23 00:00 +0000 https://threats.wiz.io/all-incidents/circleci-breach On December 29, 2022, CircleCI's security team were alerted to suspicious activity on one of their customer's GitHub OAuth tokens. The team then rotated all GitHub OAuth tokens on December 31, 2022 as a precautionary measure. By January 4, 2023, CircleCI's internal investigati... https://threats.wiz.io/all-incidents/circleci-breach 04 Jan 23 00:00 +0000 https://threats.wiz.io/all-incidents/pytorch-nightly-torchtriton-dependency-compromise PyTorch-nightly Linux packages installed via pip between December 25th and December 30th, 2022 ran a malicious binary. The malicious binary was introduced by a dependency, torchtriton, that was vulnerable to dependency confusion. The malicious payload gathered system informati... https://threats.wiz.io/all-incidents/pytorch-nightly-torchtriton-dependency-compromise 31 Dec 22 00:00 +0000 https://threats.wiz.io/all-incidents/jupyter-notebook-cred-harvesting-campaign Permiso identified a credential harvesting campaign targeting cloud infrastructure for the purpose of harvesting credentials. The majority of the victim system were running public facing Juptyer Notebooks. At the time of writing there were about 50 compromised systems. The ini... https://threats.wiz.io/all-incidents/jupyter-notebook-cred-harvesting-campaign 28 Dec 22 00:00 +0000 https://threats.wiz.io/all-incidents/okta-source-code-theft On 2022-12-21, an incident was reported, involving an unknown actor, gaining initial access via Unknown, targeting GitHub to achieve Data exfiltration. https://threats.wiz.io/all-incidents/okta-source-code-theft 21 Dec 22 00:00 +0000 https://threats.wiz.io/all-incidents/redigo-campaign On 2022-12-01, a campaign was reported, involving Redigo operator, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting Redis with unknown impact. The following tools were observed: Redigo. https://threats.wiz.io/all-incidents/redigo-campaign 01 Dec 22 00:00 +0000 https://threats.wiz.io/all-incidents/lastpass-goto-breach In November 2022, GoTo (formerly LogMeIn) disclosed a security breach of their development environment and a cloud storage service used by them and LastPass (their affiliate).The investigation determined that the threat actor gained access to the development environment using ... https://threats.wiz.io/all-incidents/lastpass-goto-breach 30 Nov 22 00:00 +0000 https://threats.wiz.io/all-incidents/watchdog-east-asian-csp-campaign On 2022-11-16, a campaign was reported, involving WatchDog, gaining initial access via ,. https://threats.wiz.io/all-incidents/watchdog-east-asian-csp-campaign 16 Nov 22 00:00 +0000 https://threats.wiz.io/all-incidents/dropbox-github-breach Dropbox disclosed a security breach where attackers stole 130 code repositories from one of its GitHub accounts by using credentials obtained from phishing Dropbox employees. The breach was discovered on October 14, following a GitHub alert. Attackers impersonated CircleCI in ... https://threats.wiz.io/all-incidents/dropbox-github-breach 01 Nov 22 00:00 +0000 https://threats.wiz.io/all-incidents/dropbox-breach On 2022-11-01, an incident was reported, involving an unknown actor, gaining initial access via End-user compromise, targeting GitHub to achieve Data exfiltration. https://threats.wiz.io/all-incidents/dropbox-breach 01 Nov 22 00:00 +0000 https://threats.wiz.io/all-incidents/backdooring-self-hosted-github-runner On 2022-10-26, a research was reported, involving , gaining initial access via Software misconfig, while using Misconfigured GitHub Runner abuse, targeting GitHub to achieve None. https://threats.wiz.io/all-incidents/backdooring-self-hosted-github-runner 26 Oct 22 00:00 +0000 https://threats.wiz.io/all-incidents/reuters-leaky-elasticsearch-dbs On 2022-10-26, a research was reported, involving , gaining initial access via Software misconfig, while using Public exposure abuse, targeting Elasticsearch to achieve Data exfiltration. https://threats.wiz.io/all-incidents/reuters-leaky-elasticsearch-dbs 26 Oct 22 00:00 +0000 https://threats.wiz.io/all-incidents/leaked-long-lived-aws-creds Impacted organization discovered that long-lived AWS creds had leaked. Initially alerted to the following suspicious activity:Follow-up investigation into CloudTrail logs showed compromise of multiple IAM accounts and evidence of leakage of long-lived access keys. https://threats.wiz.io/all-incidents/leaked-long-lived-aws-creds 07 Oct 22 00:00 +0000 https://threats.wiz.io/all-incidents/auth0-source-code-theft On 2022-09-26, an incident was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/auth0-source-code-theft 26 Sep 22 00:00 +0000 https://threats.wiz.io/all-incidents/fast-company-breach Fast Company took its website offline after its content management system (CMS) was hacked to display stories and push out Apple News notifications containing obscene and racist comments.A “Breached” hacking forum member named 'Thrax' published a database dump with 6,737 emplo... https://threats.wiz.io/all-incidents/fast-company-breach 25 Sep 22 00:00 +0000 https://threats.wiz.io/all-incidents/optus-breach A hacker reportedly stole ~11mil records of customer PII (dated 2017) from Optus, an Australian telco company. The data was disclosed and put on sale in late September 22’. According to information obtained by a reporter who claimed to be in contact with the hacker, the root c... https://threats.wiz.io/all-incidents/optus-breach 21 Sep 22 00:00 +0000 https://threats.wiz.io/all-incidents/redirection-roulette Beginning in early September 2022, an unknown threat actor successfully compromised tens of thousands of websites mainly aimed at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content. In several cases, the threat actor connected to the... https://threats.wiz.io/all-incidents/redirection-roulette 01 Sep 22 00:00 +0000 https://threats.wiz.io/all-incidents/kiss-a-dog-campaign CrowdStrike uncovered a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog”-themed mining pool domains.Nicknamed “Kiss-a-dog,” the campaign used multiple comman... https://threats.wiz.io/all-incidents/kiss-a-dog-campaign 01 Sep 22 00:00 +0000 https://threats.wiz.io/all-incidents/apt29-targeting-microsoft-365 On 2022-08-22, a campaign was reported, involving APT29, gaining initial access via , while using Add attacker-controlled IdP via ADFS access, Disable logging, MFA enrollment, Auth token signing via Golden SAML, Auth token signing via ADFS access,. https://threats.wiz.io/all-incidents/apt29-targeting-microsoft-365 22 Aug 22 00:00 +0000 https://threats.wiz.io/all-incidents/microsoft-credential-exposure-on-github On 2022-08-16, a research was reported, involving , gaining initial access via Exposed secret, targeting GitHub to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/microsoft-credential-exposure-on-github 16 Aug 22 00:00 +0000 https://threats.wiz.io/all-incidents/twilio-breach A threat actor dubbed “Oktapus” / “ScatterSwine” conducted a widespread SMishing campaign against 136 organizations, and in some cases (Such as MailChimp, DoorDash and Digital Ocean) was successful in gaining initial access to their systems and exfiltrating customer data. One ... https://threats.wiz.io/all-incidents/twilio-breach 08 Aug 22 00:00 +0000 https://threats.wiz.io/all-incidents/premint-hack On 2022-07-18, an incident was reported, involving an unknown actor, gaining initial access via Cloud native misconfig, to achieve Supply chain attack, Denial of wallet. https://threats.wiz.io/all-incidents/premint-hack 18 Jul 22 00:00 +0000 https://threats.wiz.io/all-incidents/bondnet-campaign-2022 On 2022-07-11, a campaign was reported, involving Bondnet, gaining initial access via Password attack, targeting Microsoft SQL Server to achieve Resource hijacking. https://threats.wiz.io/all-incidents/bondnet-campaign-2022 11 Jul 22 00:00 +0000 https://threats.wiz.io/all-incidents/8220-gang-targeting-confluence On 2022-07-07, a campaign was reported, involving 8220 Gang, gaining initial access via 1-day vulnerability, to achieve Resource hijacking. https://threats.wiz.io/all-incidents/8220-gang-targeting-confluence 07 Jul 22 00:00 +0000 https://threats.wiz.io/all-incidents/darkradiation-container-ransomwarewiper On 2022-06-21, a campaign was reported, involving DarkRadiation operator, gaining initial access via Unknown, while using Database ransomware, Disk Wipe, Remotely execute commands or scripts on a VM , Rootkit - LD_PRELOAD, targeting Docker to achieve RansomOp. https://threats.wiz.io/all-incidents/darkradiation-container-ransomwarewiper 21 Jun 22 00:00 +0000 https://threats.wiz.io/all-incidents/incident-report-spotting-an-attacker-in-gcp https://expel.com/blog/incident-report-spotting-an-attacker-in-gcp/ https://threats.wiz.io/all-incidents/incident-report-spotting-an-attacker-in-gcp 09 Jun 22 00:00 +0000 https://threats.wiz.io/all-incidents/javascript-injection-via-wordpress-exploitation On 2022-05-11, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting WordPress to achieve Resource hijacking. https://threats.wiz.io/all-incidents/javascript-injection-via-wordpress-exploitation 11 May 22 00:00 +0000 https://threats.wiz.io/all-incidents/unc2903-campaigns On 2022-05-04, a campaign was reported, involving UNC2903, gaining initial access via , while using IMDS abuse, SSRF,. https://threats.wiz.io/all-incidents/unc2903-campaigns 04 May 22 00:00 +0000 https://threats.wiz.io/all-incidents/lemonduck-docker-campaign On 2022-04-21, a campaign was reported, involving LemonDuck, gaining initial access via ,. https://threats.wiz.io/all-incidents/lemonduck-docker-campaign 21 Apr 22 00:00 +0000 https://threats.wiz.io/all-incidents/github-npm-breach On April 12, 2022, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.According to GitHu... https://threats.wiz.io/all-incidents/github-npm-breach 15 Apr 22 00:00 +0000 https://threats.wiz.io/all-incidents/denonia-campaign Denonia is a newly discovered type of malware targeting AWS Lambda environments. It was recently exposed by Cado Security, who named it after the domain it communicates with. Once the malware is executed on the victim's host, it launches XMRig cryptominer.Denonia's delivery an... https://threats.wiz.io/all-incidents/denonia-campaign 06 Apr 22 00:00 +0000 https://threats.wiz.io/all-incidents/incident-report-from-cli-to-console-chasing-an-attacker-in-aws Expel’s SOC detected unauthorized access into one of their customer’s Amazon Web Services (AWS) environments. The attacker used a long-term access key to gain initial access. Once they got in, they were able to abuse the AWS Identity and Access Management (IAM) service to esca... https://threats.wiz.io/all-incidents/incident-report-from-cli-to-console-chasing-an-attacker-in-aws 05 Apr 22 00:00 +0000 https://threats.wiz.io/all-incidents/muhstick-redis-campaign On 2022-03-28, a campaign was reported, involving Muhstik operator, gaining initial access via ,. https://threats.wiz.io/all-incidents/muhstick-redis-campaign 28 Mar 22 00:00 +0000 https://threats.wiz.io/all-incidents/lapsus-campaigns According to Microsoft Threat Research, as part of LAPSUS$’s large-scale social engineering and extortion campaigns, they also gained access to several of their targets’ cloud environments.LAPSUS$ initially targeted organizations in the UK and South America, and then expanded ... https://threats.wiz.io/all-incidents/lapsus-campaigns 22 Mar 22 00:00 +0000 https://threats.wiz.io/all-incidents/coinstomp-campaign On 2022-02-02, a campaign was reported, involving CoinStomp operator, gaining initial access via , while using Timestomping, Reverse shell, Cron persistence,. The following tools were observed: CoinStomp. https://threats.wiz.io/all-incidents/coinstomp-campaign 02 Feb 22 00:00 +0000 https://threats.wiz.io/all-incidents/from-code-commit-to-production-takeover NCC Group performed a pentest in which they had (notionally) compromised a developer's laptop who could commit code to a certain Java library. The researchers set a pre-requirement file to one that provided a Meterpreter shell from within the target build environment. They fou... https://threats.wiz.io/all-incidents/from-code-commit-to-production-takeover 13 Jan 22 00:00 +0000 https://threats.wiz.io/all-incidents/from-s3-bucket-to-jenkins-credential-dump NCC Group performed a pentest against a web application, in which they leveraged anonymous access to discover a sitemap folder that turned out to be an S3 bucket with directory listing enabled. NCC identified a bash script containing a hardcoded Git credential, which granted a... https://threats.wiz.io/all-incidents/from-s3-bucket-to-jenkins-credential-dump 13 Jan 22 00:00 +0000 https://threats.wiz.io/all-incidents/unc3379-npm-supply-chain-attacks Mandiant has attributed supply chain attacks which compromised ua-parser-js , coa, and rc to UNC3379. The malicious packages would download and execute both a Monero cryptocurrency miner, and the DANABOT banking trojan, depending on the OS. https://threats.wiz.io/all-incidents/unc3379-npm-supply-chain-attacks 15 Dec 21 00:00 +0000 https://threats.wiz.io/all-incidents/ivanti-supply-chain On 2021-12-02, an incident was reported, involving an unknown actor, gaining initial access via Supply chain vector, while using Package dependency confusion, to achieve Supply chain attack. https://threats.wiz.io/all-incidents/ivanti-supply-chain 02 Dec 21 00:00 +0000 https://threats.wiz.io/all-incidents/tsunami-targeting-jenkins-and-weblogic On 2021-10-26, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, 1-day vulnerability, targeting Jenkins, WebLogic to achieve Resource hijacking. The following tools were observed: Tsunami. https://threats.wiz.io/all-incidents/tsunami-targeting-jenkins-and-weblogic 26 Oct 21 00:00 +0000 https://threats.wiz.io/all-incidents/abcbot-huawei-cloud-targeting-campaign On 2021-10-08, a campaign was reported, involving Abcbot operator, gaining initial access via Cloud native misconfig, to achieve Resource hijacking. The following tools were observed: Kunpeng. https://threats.wiz.io/all-incidents/abcbot-huawei-cloud-targeting-campaign 08 Oct 21 00:00 +0000 https://threats.wiz.io/all-incidents/siloscape-campaign On 2021-06-07, a campaign was reported, involving Siloscape operator, gaining initial access via 1-day vulnerability, Web vulnerability, while using TOR anonymization, Thread impersonation to escape to host, targeting Kubernetes with unknown impact. The following tools were observed: Siloscape. https://threats.wiz.io/all-incidents/siloscape-campaign 07 Jun 21 00:00 +0000 https://threats.wiz.io/all-incidents/codecov-incident On April 2021, Codecov was compromised by an unknown threat actor who abused their access to the company's cloud environment to conduct a supply chain attack. The threat actor gained initial access to Codecov's GCP environment by extracting an HMAC key for a service account fr... https://threats.wiz.io/all-incidents/codecov-incident 15 Apr 21 00:00 +0000 https://threats.wiz.io/all-incidents/multiple-organizations-vulnerable-to-dependency-confusion On 2021-02-09, a research was reported, involving , gaining initial access via Supply chain vector, while using Package dependency confusion, to achieve None. https://threats.wiz.io/all-incidents/multiple-organizations-vulnerable-to-dependency-confusion 09 Feb 21 00:00 +0000 https://threats.wiz.io/all-incidents/gin-docker-cryptojacking-campaign On 2021-02-09, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Escape to host via cgroups release_agent, targeting Docker to achieve Resource hijacking. https://threats.wiz.io/all-incidents/gin-docker-cryptojacking-campaign 09 Feb 21 00:00 +0000 https://threats.wiz.io/all-incidents/teamtnt-campaigns On 2021-02-03, a campaign was reported, involving TeamTNT, gaining initial access via ,. The following tools were observed: Peirates, Hildegard. https://threats.wiz.io/all-incidents/teamtnt-campaigns 03 Feb 21 00:00 +0000 https://threats.wiz.io/all-incidents/dreambus-campaign See Dreambus operator for more information. https://threats.wiz.io/all-incidents/dreambus-campaign 22 Jan 21 00:00 +0000 https://threats.wiz.io/all-incidents/solarwinds-supply-chain-attack What seemed to be at first a targeted attack against FireEye, turned out to be a much worse espionage campaign associated with APT29 that the United State has suffered from.The SolarWinds attackers, linked to a Mimecast attack on Jan 13th, executed a sophisticated supply chain... https://threats.wiz.io/all-incidents/solarwinds-supply-chain-attack 13 Dec 20 00:00 +0000 https://threats.wiz.io/all-incidents/loggerminer-campaign On 2020-11-16, a campaign was reported, involving Abcbot operator, gaining initial access via , to achieve Resource hijacking. The following tools were observed: Loggerminer. https://threats.wiz.io/all-incidents/loggerminer-campaign 16 Nov 20 00:00 +0000 https://threats.wiz.io/all-incidents/apple-cloud-key-exposure Between July and October 2020, researchers discovered multiple web vulnerabilities affecting Apple’s network, some of which could have allowed exfiltration of AWS access keys. https://threats.wiz.io/all-incidents/apple-cloud-key-exposure 07 Oct 20 00:00 +0000 https://threats.wiz.io/all-incidents/cetus-campaign On 2020-08-27, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, targeting Docker to achieve Resource hijacking. The following tools were observed: Cetus. https://threats.wiz.io/all-incidents/cetus-campaign 27 Aug 20 00:00 +0000 https://threats.wiz.io/all-incidents/doki-cryptojacking-campaign On 2020-07-28, a campaign was reported, involving Doki operator, gaining initial access via Software misconfig, while using Exploiting host mount to escape to host, targeting Docker to achieve Resource hijacking. https://threats.wiz.io/all-incidents/doki-cryptojacking-campaign 28 Jul 20 00:00 +0000 https://threats.wiz.io/all-incidents/drizly-data-breach Drizly, an online alcohol delivery service, recently notified customers of a data breach in which a hacker accessed customer information. This breach reportedly affected up to 2.5 million accounts, exposing email addresses, dates of birth, and bcrypt-hashed passwords. In some ... https://threats.wiz.io/all-incidents/drizly-data-breach 28 Jul 20 00:00 +0000 https://threats.wiz.io/all-incidents/behind-the-scenes-in-the-expel-soc-alert-to-fix-in-aws Over the July 4th holiday weekend Expel’s SOC spotted a coin-mining attack in a customer’s Amazon Web Services (AWS) environment. The attacker compromised the root IAM user access key and used it to enumerate the environment and spin up ten (10) c5.4xlarge EC2s to mine Monero.... https://threats.wiz.io/all-incidents/behind-the-scenes-in-the-expel-soc-alert-to-fix-in-aws 28 Jul 20 00:00 +0000 https://threats.wiz.io/all-incidents/meow-database-server-campaign On 2020-07-25, a campaign was reported, involving Meow, gaining initial access via Software misconfig, while using FTP access, Misconfigured DB abuse, targeting MongoDB, Elasticsearch, Apache Cassandra, Apache CouchDB, Jenkins, Apache Hadoop to achieve Data destruction. https://threats.wiz.io/all-incidents/meow-database-server-campaign 25 Jul 20 00:00 +0000 https://threats.wiz.io/all-incidents/bluekai-exposed-database On 2020-06-19, a research was reported, involving , gaining initial access via Software misconfig, to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/bluekai-exposed-database 19 Jun 20 00:00 +0000 https://threats.wiz.io/all-incidents/exim-exploitation-by-sandworm On May 28, 2020, the NSA released a cybersecurity advisory on Russian APT group Sandworm exploiting CVE-2019-10149, a vulnerability in Exim Mail Transfer Agent (MTA) software. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to ex... https://threats.wiz.io/all-incidents/exim-exploitation-by-sandworm 28 May 20 00:00 +0000 https://threats.wiz.io/all-incidents/large-scale-cryptomining-attack-against-k8s-clusters-detected-by-azure On 2020-04-08, a campaign was reported, involving an unknown actor, gaining initial access via , targeting Kubernetes to achieve Resource hijacking. https://threats.wiz.io/all-incidents/large-scale-cryptomining-attack-against-k8s-clusters-detected-by-azure 08 Apr 20 00:00 +0000 https://threats.wiz.io/all-incidents/kinsing-campaign-2020 On 2020-01-16, a campaign was reported, involving Kinsing operator, gaining initial access via Software misconfig, 1-day vulnerability, while using Vulnerability exploitation, Misconfigured Docker abuse, targeting Redis, Confluence Server, Docker, Apache Hadoop, Solr, ThinkPHP to achieve Resource hijacking. The following tools were observed: Kinsing. https://threats.wiz.io/all-incidents/kinsing-campaign-2020 16 Jan 20 00:00 +0000 https://threats.wiz.io/all-incidents/ubiquiti-breach In 2020, Ubiquiti, a company that manufactures and sells wireless data communication and wired products, suffered a data breach and an extortion attempt of nearly $2 million at the hands of a senior developer working for the company. The attacker set a 1-day retention policy o... https://threats.wiz.io/all-incidents/ubiquiti-breach 01 Jan 20 00:00 +0000 https://threats.wiz.io/all-incidents/graboid-campaign On 2019-10-16, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, targeting Docker to achieve Resource hijacking. The following tools were observed: Graboid. https://threats.wiz.io/all-incidents/graboid-campaign 16 Oct 19 00:00 +0000 https://threats.wiz.io/all-incidents/imperva-data-leak Imperva identified an unknown threat actor using an administrative AWS API key in one of their production AWS accounts, which led to the exposure of an RDS database snapshot from September 2017 containing email addresses of Imperva Cloud WAF customers, hashed & salted password... https://threats.wiz.io/all-incidents/imperva-data-leak 10 Oct 19 00:00 +0000 https://threats.wiz.io/all-incidents/webmin-supply-chain-attack-2018 An unknown threat actor compromised the Webmin build server, and inserted a backdoor RCE vulnerability into the Webmin source code that anyone could exploit if they were aware of its existence. This backdoor persisted for over 15 months, likely being exploited as a 0day by the... https://threats.wiz.io/all-incidents/webmin-supply-chain-attack-2018 15 Aug 19 00:00 +0000 https://threats.wiz.io/all-incidents/capital-one-breach In 2019, Capital One had over 100 million consumer credit applications exfiltrated from their AWS environment. The root cause was a combination of two main factors: first, a Server Side Request Forgery (SSRF) vulnerability in a Web Application Firewall (WAF) named “ModSecurity... https://threats.wiz.io/all-incidents/capital-one-breach 19 Jul 19 00:00 +0000 https://threats.wiz.io/all-incidents/ngrok-cryptojacking-campaign On 2018-09-12, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Redis, Apache CouchDB, Docker, Jenkins, Drupal, MODX to achieve Resource hijacking. The following tools were observed: ngrok. https://threats.wiz.io/all-incidents/ngrok-cryptojacking-campaign 12 Sep 18 00:00 +0000 https://threats.wiz.io/all-incidents/us-dod-niprnet-access-via-atlassian-ssrf On 2018-04-09, a research was reported, involving , gaining initial access via 1-day vulnerability, while using SSRF, IMDS abuse, targeting Confluence Server, Jira Server to achieve Resp. disclosure. https://threats.wiz.io/all-incidents/us-dod-niprnet-access-via-atlassian-ssrf 09 Apr 18 00:00 +0000 https://threats.wiz.io/all-incidents/the-los-angeles-times-cryptomining-attack The Los Angeles Times website was covertly mining cryptocurrency on visitors' devices after hackers injected CoinHive's Monero-mining code. This happened due to an unprotected Amazon S3 storage bucket, which allowed unrestricted public access, letting hackers modify site files... https://threats.wiz.io/all-incidents/the-los-angeles-times-cryptomining-attack 22 Feb 18 00:00 +0000 https://threats.wiz.io/all-incidents/browserstack-data-breach On November 9, 2014, BrowserStack suffered a breach when a hacker accessed an old, unpatched prototype server via the shellshock vulnerability. The server contained AWS credentials, allowing the attacker to create an instance, access a backup, and partially copy user data (ema... https://threats.wiz.io/all-incidents/browserstack-data-breach 09 Nov 14 00:00 +0000 https://threats.wiz.io/all-incidents/operation-windigo On 2014-03-18, a campaign was reported, involving Windigo operator, gaining initial access via Supply chain vector, while using Create SSH backdoor, to achieve Resource hijacking. The following tools were observed: Ebury. https://threats.wiz.io/all-incidents/operation-windigo 18 Mar 14 00:00 +0000 https://threats.wiz.io/all-incidents/cdorked-campaign On 2013-05-07, a campaign was reported, involving an unknown actor, gaining initial access via Unknown, targeting Apache HTTP Server, NGINX, Lighttpd to achieve Resource hijacking. The following tools were observed: Cdorked. https://threats.wiz.io/all-incidents/cdorked-campaign 07 May 13 00:00 +0000 https://threats.wiz.io/all-incidents/kernelorg-supply-chain-attack On 2011-08-31, an incident was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Supply chain attack. https://threats.wiz.io/all-incidents/kernelorg-supply-chain-attack 31 Aug 11 00:00 +0000 https://threats.wiz.io/all-incidents/operation-aurora On 2010-01-12, an incident was reported, involving Storm-0558, gaining initial access via Unknown, to achieve Data exfiltration. https://threats.wiz.io/all-incidents/operation-aurora 12 Jan 10 00:00 +0000