Watch out, as Microsoft has uncovered a Storm-2561 campaign using SEO poisoning to push fake Fortinet and Ivanti VPN sites that deliver #Hyrax infostealer malware.

Read: https://hackread.com/storm-2561-fake-fortinet-ivanti-vpn-sites-hyrax-infostealer/

#CyberSecurity #Malware #Infostealer #VPN #Fortinet #Ivanti

Storm-2561 Uses Fake Fortinet, Ivanti VPN Sites to Drop Hyrax Infostealer

Microsoft warns of a new campaign by Storm-2561 using SEO poisoning and fake VPN installers to steal user credentials via the Hyrax infostealer.

Hackread - Cybersecurity News, Data Breaches, AI and More

CISA: Recently patched Ivanti EPM flaw now actively exploited

CISA flagged a high-severity Ivanti Endpoint Manager (EPM) vulnerability as actively exploited in attacks and ordered U.S. federal agencies to patch systems within three weeks.

BleepingComputer

For the month of #March 2026, #Ivanti is disclosing #vulnerabilities in Ivanti Desktop and Server Management (#DSM).

https://www.ivanti.com/blog/march-2026-security-update

March 2026 Security Update

For the month of March 2026, Ivanti is disclosing vulnerabilities in Ivanti Desktop and Server Management (DSM).

CISA flips the switch: Ivanti EPM (CVE-2026-1603) is under active exploit. A low-complexity XSS allows total authentication bypass with zero user interaction. If your EPM is internet-facing, the "Master Key" is compromised. Get the Strategic Arsenal now. #CyberSecurity #Ivanti #KEV

https://thecybermind.co/2026/03/11/deconstructing-ivanti-epm-authentication-bypass/?utm_source=mastodon&utm_medium=jetpack_social

Deconstructing Ivanti EPM Authentication Bypass: Shocking Fallout 2026

See how we deal with deconstructing Ivanti EPM Authentication Bypass Fallout 2026. Read about the horrific Breach and Fallout here with TheCyberMind™

The Cyber Mind

U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.

Security Affairs

CVE Alert: CVE-2026-1603 - Ivanti - Endpoint Manager - RedPacket Security

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

RedPacket Security

Nice... sitting in a customer meeting and hunting IOCs. If you are using #Ivanti EPMM, you might want to take a look at this:

Mass exploitation of #CVE-2026-1281 and #CVE-2026-1340 in Ivanti EPMM

https://github.security.telekom.com/2026/03/ivanti-CVE-2026-1281-exploitation.html

#ivanti_backdoors

Mass exploitation of CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM

In early 2026, two critical zero-day vulnerabilities in Ivanti’s mobile device management platform - CVE-2026-1281 and CVE-2026-1340 - emerged as significant...

Telekom Security

CISA warns that RESURGE malware can be dormant on Ivanti devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.

BleepingComputer

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, new malware and APT activity, critical vulnerabilities, and shifts in the threat landscape. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- Dutch telco Odido is facing a second wave of leaks from ShinyHunters, who claim to have stolen 21 million records. The latest leak added another 1 million records, including bank account numbers, PII, passport numbers, and driving licenses. Odido, backed by Dutch police, is refusing to pay the ransom, advising other organisations to do the same.
- French online marketplace ManoMano confirmed a data breach via a compromised customer support subcontractor (unconfirmed reports suggest Zendesk), exposing names, emails, phone numbers, and customer service exchanges. An actor named "Indra" on BreachForums claims responsibility for 37.8 million user accounts across multiple European markets.
- Europol's "Project Compass" has made significant strides against "The Com," a network of thousands of minors and young adults involved in cybercrime, violence, and extortion. The operation, supported by 28 countries, has led to 30 arrests and the identification of 179 perpetrators, with The Com previously linked to high-profile attacks against Marks & Spencer, Harrods, and Las Vegas casinos.
- Meta is taking legal action against deceptive advertisers in Brazil, China, and Vietnam for "celeb-bait" scams and cloaking techniques, which misuse celebrity images for fraudulent healthcare products, fake investments, and subscription fraud. This highlights the industrial scale of scam operations, often originating from China and Hong Kong, and the rise of "pig butchering-as-a-service."
- Fintech company Marquis is suing its firewall vendor, SonicWall, for damages following a ransomware attack that impacted over 780,000 people. Marquis alleges the breach was a direct result of SonicWall's own compromise, where customer firewall configuration backups were stolen, raising critical questions about vendor liability in third-party breaches.
- A former US Air Force officer, Gerald Eddie Brown, has been arrested for conspiring with a convicted Chinese hacker, Stephen Su Bin, to provide combat aircraft training to Chinese military pilots. This highlights ongoing efforts by foreign adversaries to exploit the expertise of former US military personnel, violating International Traffic in Arms Regulations.
- Yurii Nazarenko, a Ukrainian man, pleaded guilty to operating OnlyFake, an AI-powered website that generated and sold over 10,000 fake identification documents, including passports and driving licenses for 50+ countries. These fake IDs were primarily used to bypass Know Your Customer (KYC) verification at banks and cryptocurrency exchanges, with Nazarenko agreeing to forfeit $1.2 million.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/27/odido_shinyhunters_leaks/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/27/manomano_breach/
🤫 CyberScoop | https://cyberscoop.com/project-compass-the-com-europol/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/police-crackdown-on-the-com-cybercrime-gang-leads-to-30-arrests/
📰 The Hacker News | https://thehackernews.com/2026/02/meta-files-lawsuits-against-brazil.html
⚫ Dark Reading | https://www.darkreading.com/cloud-security/marquis-sonicwall-lawsuit-breach-blame-game
🗞️ The Record | https://therecord.media/former-air-force-officer-arrested-for-working-with-hacker-flight-training-china
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ukrainian-man-pleads-guilty-to-running-ai-powered-fake-id-site/

New Threat Research on Threat Actors, Malware, and Tradecraft 🛡️

- North Korean APT ScarCruft (APT37) is employing a new toolkit in its "Ruby Jumper" campaign to breach air-gapped networks. This includes a backdoor (RESTLEAF) using Zoho WorkDrive for C2 and USB-based malware (THUMBSBD, VIRUSTASK) that turns removable media into a covert C2 relay for data exfiltration and command delivery. Other tools like FOOTWINE provide keylogging and audio/video capture.
- Cisco Talos has identified a new backdoor, "Dohdoor," used by a group tracked as UAT-10027 (with low confidence linked to North Korea's Lazarus Group) targeting US healthcare and education sectors. The multi-stage infection uses social engineering, PowerShell downloaders, DLL sideloading, Cloudflare DNS-over-HTTPS for C2, process hollowing, and EDR bypass techniques by unhooking system calls in ntdll.dll.
- Threat actors are distributing a Java-based Remote Access Trojan (RAT) via trojanised gaming utilities spread through browsers and chat platforms. The attack chain uses PowerShell and LOLBins (cmstp.exe) for stealth, deletes initial downloaders, and configures Microsoft Defender exclusions. Persistence is achieved via scheduled tasks and startup scripts.
- Chainalysis' 2026 Crypto Crime Report reveals that while ransomware payments decreased by 8% in 2025 to $820 million, and the percentage of victims paying dropped to 28%, the number of claimed ransomware attacks surged by 50% year-over-year. The median ransom demand also jumped significantly to $59,556, indicating a shift towards more frequent, smaller-scale attacks and a thriving market for Initial Access Brokers (IABs).

📰 The Hacker News | https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/27/suspected_nork_digital_intruders_caught/
📰 The Hacker News | https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/27/ransomware_chainalysis/

Vulnerabilities Under Active Exploitation 🚨

- CISA has issued an updated warning about RESURGE, a malicious implant found on Ivanti Connect Secure devices, which can remain dormant and undetected after zero-day exploitation of CVE-2025-0282. RESURGE is a passive C2 implant that uses sophisticated network-level evasion, hooking the `accept()` function to inspect TLS packets for a specific CRC32 fingerprint and employing a fake Ivanti certificate for authentication.
- Over 900 Sangoma FreePBX instances remain infected with web shells following attacks exploiting CVE-2025-64328 (CVSS 8.6), a post-authentication command injection vulnerability. This flaw allows attackers to execute arbitrary shell commands as the 'asterisk' user. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, with the INJ3CTOR3 threat actor actively leveraging it to deploy the EncystPHP web shell.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/
📰 The Hacker News | https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html

Threat Landscape Commentary 🌍

- With the FIFA World Cup 2026 approaching, cybersecurity experts are warning host cities about rising risks from drones and wireless surveillance. Major events create complex radio-frequency environments, making them prime targets for threat actors to hijack/jam C2 signals, compromise OT systems via wireless, and conduct surveillance using drones. Effective defence requires layered detection (RF, radar, acoustic, optical) and trained personnel.
- Anthropic's new Claude Code Security, an AI coding tool designed to scan for vulnerabilities and suggest fixes, has generated significant market reaction. While it shows promise in identifying complex bugs and generating patches, it's still early days, with issues like false positives and the importance of securing the AI tools themselves being highlighted. It's not yet a comprehensive application security solution, and ongoing scanning costs could be a factor.

⚫ Dark Reading | https://www.darkreading.com/mobile-security/cities-major-events-wireless-drone-defense
⚫ Dark Reading | https://www.darkreading.com/application-security/claude-code-security-shows-promise-not-perfection

Data Privacy 🔒

- Samsung has agreed to update its Automated Content Recognition (ACR) privacy practices after a lawsuit from the Texas Attorney General, Ken Paxton. Samsung will now implement clear and conspicuous disclosure and consent screens on its smart TVs before collecting and processing ACR viewing data, which captures real-time viewing habits for advertisers. Lawsuits against other smart TV manufacturers (Sony, LG, Hisense, TCL) are ongoing.

🗞️ The Record | https://therecord.media/samsung-updates-acr-privacy-practices-texas

Government Staffing and Program Changes 🏛️

- Senator Ron Wyden has pledged to block the confirmation of Lt. Gen. Joshua Rudd as the new head of both U.S. Cyber Command and the National Security Agency. Wyden cited Rudd's lack of digital warfare and intelligence experience, as well as vague answers regarding NSA's surveillance authorities, stating that the urgent threat landscape leaves no room for "on-the-job learning."
- Madhu Gottumukkala has been replaced by Nick Andersen as the acting director of the Cybersecurity and Infrastructure Security Agency (CISA). Gottumukkala's departure follows widespread dismay and criticism regarding CISA's performance during the first year of the Trump administration, while Andersen has received more favourable reviews from industry professionals.

🗞️ The Record | https://therecord.media/wyden-blocks-rudd-confirmation-nsa-cyber-command
🤫 CyberScoop | https://cyberscoop.com/cisa-leadership-change-madhu-gottumukkala-nick-andersen/

#CyberSecurity #ThreatIntelligence #Ransomware #APT #Malware #Vulnerability #ZeroDay #Ivanti #FreePBX #DataBreach #Privacy #AI #Drones #Cybercrime #InfoSec #IncidentResponse

Cops back Dutch telco Odido after second wave of ShinyHunters leaks

Company refuses to pay ransom as attackers threaten larger daily dumps

The Register

CISA updates analysis report on RESURGE malware on Ivanti devices

The updated version of 26 February 2026 gives network administrators more detailed technical insight as well as expanded tools for detecting and defending against this threat.

https://www.all-about-security.de/cisa-aktualisiert-analysebericht-zu-resurge-malware-auf-ivanti-geraeten/

#malware #ivanti

CISA updates analysis report on RESURGE malware on Ivanti devices

CISA has updated its malware analysis report on RESURGE and provides new findings on evasion techniques used on Ivanti Connect Secure devices.

All About Security - The online magazine for cybersecurity. Ransomware, phishing, IT security, network security, AI, threats, DDoS, identity & access, platform security