Let's talk about the Iran-US cyber front: Handala vs Stryker

It has been a while since I could find the time to update this blog and, given the events that have shaped and are still shaping security in recent weeks, I am reopening with a post on Iran. On March 11, 2026 Stryker, one of the world's giants of medical technology, discovered what it means to have its entire Microsoft environment turned into a remote kill switch, triggered by a pro-Iranian hacktivist group that signs itself Handala Hack and that the intelligence […]

https://insicurezzadigitale.com/parliamo-del-fonte-cyber-iran-usa-handala-contro-stryker/

The Stryker outage confirms a shift in Handala’s tactics: moving from regional hacktivism to destructive global operations. By abusing Microsoft Intune, they bypassed traditional EDR to wipe 200k devices. Identity, not malware, was the vector.

Read More: https://www.security.land/stryker-cyberattack-handala-wiper/

#SecurityLand #News #Stryker #Handala #Wiper #MicrosoftIntune #Cybersecurity

Stryker Cyberattack: 200,000 Devices Wiped by Handala Group

On March 11, Stryker employees in 79 countries watched their laptops and phones factory-reset in real-time. This wasn't a ransom demand—it was a message.

Security Land | Decoding the Cyber Threat Landscape

Iran-linked hackers claim wiper attack on Stryker—200K systems wiped across 79 countries. No ransom, just destruction. Medical tech firm targeted over Israeli acquisition. Infrastructure warfare, not cybercrime. 🏥💥

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

#cybersecurity #wiper #iran

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker – Krebs on Security

Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

From the story:

"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."

"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

#stryker #handala #intune #wiper #cybersecurity
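A defender-side check for the management-plane pattern described in the posts above, added here as an example and not code from the posts, from Stryker or from Microsoft: the remote wipe is issued by a legitimate admin identity through the MDM console, so endpoint tooling sees nothing unusual, but the MDM audit trail does. The script scans constructed audit records (field names and actions are assumptions for illustration, not Intune's real audit schema) and flags any actor issuing an abnormal burst of destructive device commands within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records for this example. The field names and action
# values are assumptions, not the real Intune audit-log schema.
SAMPLE_AUDIT = """\
{"ts":"2026-03-11T05:40:00Z","actor":"it-admin@example.com","action":"Retire","device":"LAPTOP-0001"}
{"ts":"2026-03-11T06:58:02Z","actor":"svc-helpdesk@example.com","action":"Wipe","device":"LAPTOP-0002"}
{"ts":"2026-03-11T06:58:05Z","actor":"svc-helpdesk@example.com","action":"Wipe","device":"LAPTOP-0003"}
{"ts":"2026-03-11T06:58:09Z","actor":"svc-helpdesk@example.com","action":"Wipe","device":"PHONE-0104"}
{"ts":"2026-03-11T06:58:12Z","actor":"svc-helpdesk@example.com","action":"Wipe","device":"LAPTOP-0005"}
{"ts":"2026-03-11T06:58:15Z","actor":"svc-helpdesk@example.com","action":"Wipe","device":"LAPTOP-0006"}
{"ts":"2026-03-11T06:58:20Z","actor":"svc-helpdesk@example.com","action":"Wipe","device":"PHONE-0107"}
{"ts":"2026-03-11T07:30:00Z","actor":"it-admin@example.com","action":"Sync","device":"LAPTOP-0001"}
"""

# Actions that destroy data or remove management; "Sync" and similar are benign.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete", "FreshStart"}
BULK_THRESHOLD = 5           # destructive actions by one actor inside WINDOW
WINDOW = timedelta(minutes=10)

def parse_records(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def find_bulk_wipes(records, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return {actor: peak_count} for every actor that issued at least
    `threshold` destructive actions inside any sliding window of `window`."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[rec["actor"]].append(rec["ts"])   # already time-ordered
    alerts = {}
    for actor, times in by_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts

if __name__ == "__main__":
    print(find_bulk_wipes(parse_records(SAMPLE_AUDIT)))
```

In practice the same logic belongs in a SIEM rule fed by the MDM audit export, paired with an allowlist of accounts that are ever permitted to issue bulk wipes.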

It's been a busy 24 hours in the cyber world with significant updates on actively exploited zero-days, nation-state attacks on critical infrastructure, sophisticated vishing campaigns, and the evolving threat landscape of AI. Let's dive in:

Ivanti EPMM Zero-Days Under Active Exploitation ⚠️

- Ivanti has patched two critical zero-day vulnerabilities (CVE-2026-1281, CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) product, both rated CVSS 9.8 for unauthenticated remote code execution (RCE).
- These flaws are actively being exploited in a limited number of customer environments, allowing threat actors to gain administrative access, move laterally, and potentially access sensitive data like phone numbers and GPS locations.
- While specific IOCs are scarce, defenders should scrutinise Apache access logs for unusual GET requests with bash commands in In-House Application Distribution and Android File Transfer Configuration features, and look for unexpected web shells or WAR/JAR files. If compromised, a full restore from backup or migration to a new EPMM instance is recommended.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/30/ivanti_epmm_zero_days/

Coordinated Cyber Attacks on Polish Critical Infrastructure 🚨

- CERT Polska has detailed coordinated destructive cyber attacks on over 30 wind and solar farms, a manufacturing company, and a combined heat and power (CHP) plant in Poland on December 29, 2025.
- The attacks, attributed to Russia's FSB-linked Static Tundra (aka Berserk Bear, Ghost Blizzard), involved reconnaissance, firmware damage, file deletion, and deployment of custom wiper malware like DynoWiper and LazyWiper.
- Initial access was gained via vulnerable Fortinet perimeter devices and statically defined accounts lacking two-factor authentication, with attackers also exfiltrating data related to OT network modernisation and SCADA systems from M365 services.

📰 The Hacker News | https://thehackernews.com/2026/01/poland-attributes-december-cyber.html

ShinyHunters-Style Vishing Bypasses MFA for SaaS Data Theft 🔒

- Mandiant has observed an expansion of financially motivated ShinyHunters-style (UNC6240) activity, tracked as UNC6661 and UNC6671, using advanced vishing and fake credential harvesting sites.
- These groups impersonate IT staff to trick employees into providing SSO credentials and MFA codes, then register their own devices for MFA to access cloud SaaS platforms, exfiltrate sensitive data, and extort victims.
- Organisations should enhance help desk verification processes, enforce strong passwords, remove SMS/phone/email as MFA options, restrict management access, and implement robust logging and detection for MFA lifecycle changes and SaaS export behaviours, moving towards phishing-resistant MFA like FIDO2.

📰 The Hacker News | https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html

Iran-Linked RedKitten Uses AI for Human Rights NGO Targeting 🐱

- A Farsi-speaking threat actor, RedKitten, linked to Iranian state interests, is targeting human rights NGOs and activists, likely leveraging large language models (LLMs) for tooling development.
- The campaign uses macro-laced Excel documents (fabricated protestor death details) in 7-Zip archives as lures, dropping a C#-based SloppyMIO implant via AppDomainManager injection.
- SloppyMIO uses GitHub as a dead drop resolver for Google Drive URLs, steganographically retrieving configuration for its Telegram Bot API-based command-and-control, enabling command execution, file exfiltration, and persistence.

📰 The Hacker News | https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html

Agentic AI: The Next Big Attack Surface 🤖

- A Dark Reading poll indicates that agentic AI is widely expected to become the top attack vector by the end of 2026, due to the expanded attack surface from agents' high access and autonomy, especially with insecure code and "shadow AI."
- Experts highlight that the primary vulnerability lies in what compromised AI agents can access, stressing that authentication and access control, rather than AI safety features, are the critical battleground for securing autonomous systems.
- Deepfakes are also rising as a major social engineering vector for high-value targets, while the adoption of phishing-resistant passkeys is lagging, leaving organisations vulnerable as agentic systems proliferate.

🕶️ Dark Reading | https://www.darkreading.com/threat-intelligence/2026-agentic-ai-attack-surface-poster-child

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #Ivanti #NationState #APT #CriticalInfrastructure #Poland #Russia #Wiper #ShinyHunters #Vishing #MFA #SaaS #Extortion #Iran #RedKitten #LLM #AI #Deepfakes #ThreatLandscape #InfoSec #CyberAttack #Malware #IncidentResponse

January blues return as Ivanti coughs up exploited EPMM zero-days: Consider yourselves compromised, experts warn

The Register

Russia is Trying To Destroy National Infrastructure... and not their own.

#News #TechNews #Cyberwarfare #Russia #Poland #Ukraine #Malware #Wiper

https://youtu.be/adnnCeNzaqU


Daily podcast: Russia is Trying To Destroy National Infrastructure... and not their own.

#News #TechNews #Cyberwarfare #Russia #Poland #Ukraine #Malware #Wiper #podcast

https://soundcloud.com/nickaesp/rdp

Wiper malware targeted Poland energy grid, but failed to knock out electricity

Destructive payload unleashed on 10-year anniversary of Russia's attack on Ukraine's grid.

Ars Technica

📰 Sandworm Deploys New 'DynoWiper' Malware in Failed Attack on Polish Power Grid

Russia's Sandworm group deployed new 'DynoWiper' malware in a failed cyberattack on Poland's power grid. ⚡️ The attack, described as the largest in years, highlights the ongoing threat to critical infrastructure. #Sandworm #CyberAttack #Wiper #Poland

🔗 https://cyber.netsecops.io/articles/sandworm-deploys-new-dynowiper-malware-in-attack-on-polish-power-grid/?utm_source=mastodon&utm_medium=…

Sandworm Deploys New 'DynoWiper' Malware in Failed Attack on Polish Power Grid

The Russian state-sponsored group Sandworm is linked to a major cyberattack on Poland's energy infrastructure using a new destructive malware called 'DynoWiper'. Learn about the threat actor and the implications for critical infrastructure security.

CyberNetSec.io

It's been a bit light on news over the last 24 hours, but we've got a couple of noteworthy updates: a failed nation-state attack on critical infrastructure and a new feature from a popular password manager to help combat phishing. Let's dive in:

Sandworm's Failed Wiper Attack on Poland's Energy Grid ⚠️

- The Russian state-sponsored group Sandworm (also known as APT44, UAC-0113, or Seashell Blizzard) has been linked to a failed cyberattack on Poland's energy infrastructure in late December 2025.
- The group attempted to deploy a new destructive data-wiping malware, dubbed DynoWiper (detected as Win32/KillFiles.NMO), targeting combined heat and power plants and renewable energy management systems.
- Polish officials confirmed the attacks were stopped, highlighting the ongoing threat from nation-state actors to critical infrastructure and the importance of robust defensive measures.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/

1Password Boosts Phishing Protection 🔒

- 1Password has rolled out new pop-up warnings for suspected phishing sites, aiming to prevent users from manually entering credentials on malicious or typosquatted domains.
- This feature adds an extra layer of defence beyond the existing URL matching, which prevents auto-filling, by explicitly alerting users who might otherwise overlook subtle domain discrepancies.
- Available automatically for individual and family plans, and configurable for enterprise admins, this update addresses the growing threat of sophisticated, AI-enhanced phishing scams.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/1password-adds-pop-pup-warnings-for-suspected-phishing-sites/

#CyberSecurity #ThreatIntelligence #NationState #Sandworm #CriticalInfrastructure #Wiper #Phishing #PasswordManager #InfoSec #CyberAttack #IncidentResponse

Sandworm hackers linked to failed wiper attack on Poland’s energy systems

A cyberattack targeting Poland's power grid in late December 2025 has been linked to the Russian state-sponsored hacking group Sandworm, which attempted to deploy a new destructive data-wiping malware dubbed DynoWiper during the attack.

BleepingComputer