r/SecOpsDaily

CISA adds Linux kernel zero-day CVE-2026-43456 to KEV after active exploitation
▲ 209 r/SecOpsDaily+8 crossposts

CISA adds Linux kernel zero-day CVE-2026-43456 to KEV after active exploitation

CISA has added CVE-2026-43456, a Linux kernel local privilege escalation vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation. Here's everything covering the affected kernel versions, the vulnerability itself, which distributions have shipped fixes, and the available mitigations. If you're maintaining Linux systems, it may be worth checking whether your kernel has already been updated by your distro. Patch Now.

thecybersecguru.com
u/KingdomOfAngel — 12 hours ago
▲ 95 r/SecOpsDaily+4 crossposts

India investigating Tata data leak that exposed Apple iPhone secrets

India is investigating a data breach at Tata Electronics that exposed documents linked to Apple's unreleased iPhone ‌18 Pro, the country's IT secretary said on Thursday in the government's first public comments on the incident.

Sensitive lists of components and suppliers as well as photos of iPhone 18 Pro models are among files that were ⁠posted on the dark web by a ransomware group that stole data from Tata Electronics, Apple's Indian supplier, Reuters reported.

reuters.com
u/chota-kaka — 2 days ago
▲ 7 r/SecOpsDaily+1 crossposts

Klue OAuth supply-chain breach hits LastPass, Huntress, Recorded Future, and others

The Icarus threat group exploited a compromise of Klue's Salesforce integration, stealing OAuth tokens that were then used to access customer Salesforce environments. Victims disclosed so far include LastPass, Huntress, Recorded Future, Tanium, Jamf, and others. Exposed data primarily consists of CRM information, customer contacts, support records, and sales communications—not passwords or production systems. The incident is another reminder that OAuth tokens and third-party SaaS integrations are high-value attack paths that often outlive the integrations they're meant to support.

thecybersecguru.com
u/NapierPalm — 1 day ago

European Parliament Member Investigating Spyware Was Hacked With Pegasus

A former Member of the European Parliament, Stelios Kouloglou, was repeatedly hacked with Pegasus spyware while serving on a committee investigating the abuse of commercial surveillance tools. This compromise, confirmed by Citizen Lab's forensic analysis, highlights the persistent threat posed by sophisticated state-grade malware against high-value targets, even those directly engaged in anti-surveillance efforts.

  • Threat: Sophisticated mobile device compromise via Pegasus spyware (likely zero-click exploits).
  • Target: High-value individual (Member of the European Parliament) with sensitive roles.
  • TTPs: Persistent and repeated compromise of the target's mobile device, indicating a determined adversary and the use of advanced initial access vectors. Attackers potentially gained full access to the device's data and communications.
  • Attribution (Implied): Commercial spyware typically sold to government agencies, suggesting state-sponsored or a powerful entity behind the attack.

Defense: Organizations with high-risk individuals should deploy robust Mobile Threat Defense (MTD) solutions and emphasize regular device security audits and strong operational security practices.

Source: https://thehackernews.com/2026/07/european-parliament-member.html

u/falconupkid — 3 days ago

Hackers target Microsoft 365 accounts with 81 million login attempts

An aggressive password-spraying campaign has targeted Microsoft 365 environments, generating over 81 million login attempts in a two-week period.

Technical Breakdown

  • TTPs: This campaign employs password spraying (MITRE T1110.003), leveraging common passwords against a vast number of Microsoft 365 accounts. This tactic is designed to evade typical brute-force protections that lock accounts after several failed attempts by distributing attempts across many accounts.
  • Scope: The observed activity involved millions of distinct user accounts, indicating a broad targeting approach rather than a focused attack on a few organizations. Attackers are aiming for "low-hanging fruit" — accounts without strong protections.
  • Affected: Any organization using Microsoft 365 without robust preventative controls is vulnerable to credential compromise via this method.

Defense

Enforce Multi-Factor Authentication (MFA) for all accounts. Implement Conditional Access policies to block or challenge suspicious login attempts, and actively monitor for unusual login patterns or high failed login rates from specific IPs or geographies.

Source: https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-365-accounts-with-81-million-login-attempts/

u/falconupkid — 4 days ago
▲ 14 r/SecOpsDaily+5 crossposts

Introducing FortiBleed!

The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.

Here is the damage report:

🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.

🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.

🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.

⚠️ Status: STILL active as of this publication.

Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.

Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/

#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar

u/socradario — 6 days ago
▲ 84 r/SecOpsDaily+2 crossposts

FortiBleed Update

86,644 Fortinet firewalls hit across 194 countries. Active campaign, verified credentials, victims spanning critical infrastructure globally: banks, hospitals, governments. India and the US account for nearly a third of affected assets. Russian-speaking operators, NATO-focused targeting. Critical severity.

Fortinet users: rotate creds, enable 2FA, audit logins, restrict admin access, patch firmware now.

u/No-Suggestion-4083 — 13 days ago

Clean GitHub repo tricks AI coding agents into running malware

AI Coding Agents Vulnerable to Stealthy GitHub Repo Malware

Security researchers have demonstrated a novel method where AI coding agents can be tricked into executing malware from seemingly benign GitHub repositories, with the malicious payload remaining invisible to security scanners and human reviewers.

Technical Breakdown:

  • TTPs: The attack leverages standard Git features, specifically:
    • git config url.<base>.insteadOf rewrites: These can trick Git into fetching content from a malicious server when a legitimate URL is requested, effectively performing a supply chain attack.
    • git submodule functionality combined with post-checkout hooks: Malicious commands are embedded within Git hooks that are automatically triggered during submodule initialization (git submodule update --init --recursive) or after a checkout.
  • Execution Flow: An AI agent tasked with cloning and setting up a repo executes these Git commands, inadvertently triggering the hidden malicious code within the .git/config or hook scripts.
  • Evasion: The malicious logic is contained within Git's configuration and hooks, not in typical executable files, allowing it to bypass most static analysis and security scanning tools.
  • Impact: This technique enables remote code execution on the system hosting the AI agent or developer environment, establishing persistence or further exploiting the environment.

Defense: Exercise extreme caution when cloning and initializing GitHub repositories, especially with automated tooling or AI agents. Manually inspect all Git configuration (.git/config) and hook scripts (.git/hooks/*) before allowing automatic execution. Consider disabling Git hooks in untrusted environments.

Source: https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/

u/falconupkid — 9 days ago

Embedding Forbidden Text in Spyware to Discourage AI Analysis

A novel malware evasion technique is emerging: threat actors are embedding "forbidden" text within spyware payloads to disrupt AI-driven analysis. This strategy aims to confuse security tools and analyst copilots that rely on language models.

Technical Breakdown:

  • TTPs:
    • Malware payloads, often observed in _index.js files, start with a large JavaScript block comment.
    • This comment contains fake system instructions and policy-triggering content, such as keywords related to nuclear or biological weapons.
    • While the JavaScript runtime ignores these comments, they are specifically designed to be ingested by AI-mediated analysis pipelines.
    • The intent is to cause refusal behavior, prompt confusion, context pollution, or premature classification within AI scanners or LLM-powered security tools, preventing them from reaching the actual malware.
    • The real malware code typically follows this comment block, often obfuscated within a try{eval(...)} wrapper around character-code arrays and ROT-style substitution functions.

Defense: Security teams should ensure AI analysis pipelines are designed to clearly isolate untrusted input and implement robust prompt engineering to prevent contextual hijacking or misclassification from such evasion tactics.

Source: https://www.schneier.com/blog/archives/2026/06/embedding-forbidden-text-in-spyware-to-discourage-ai-analysis-2.html

reddit.com
u/falconupkid — 12 days ago
▲ 17 r/SecOpsDaily+7 crossposts

Dismantling FortiBleed: We found the Russian operation turning FortiGate firewalls into passive credential vacuums (110M+ creds harvested) 🚨

If you manage Fortinet gear, grab a coffee. You're going to need it. ☕

Our Threat Research team just published a massive teardown of a Russian compromise operation we’re tracking as FortiBleed. Active since at least February 2026, these threat actors aren't just doing simple smash-and-grabs—they’ve built a highly automated, industrialized credential-harvesting machine.

There is a special kind of irony when your firewall is the exact thing stealing your data. Here is the TL;DR of what we found under the hood:

  1. The Weapon: A custom Golang tool called "FortigateSniffer". It literally turns compromised firewalls into passive collectors, sniffing traffic across 24 different authentication protocols.
  2. The Scale: Over 430,000 FortiGate firewalls targeted. They ran 659+ harvest cycles, exposing over 110 million credentials (including RADIUS, NTLM, and Kerberos material).
  3. The Infrastructure:They aren't playing around. We mapped an isolated Kali VM lab, Hashtopolis and Hashcat GPU clusters, and rented vast(.)ai capacity used to crack hashes at scale.
  4. The Victims: The dominant profile is IT services and SMBs (under 200 employees), but they also successfully breached and exfiltrated DFS data from a NATO-aligned defense contractor.

We’ve broken down the complete 5-stage attack chain—from initial recon and brute-force to harvesting, cracking, and exfiltration.

We also dropped all the IoCs and defensive recommendations so you can set up timely alerts and mitigate risks before your network becomes a statistic.

Dive into the full teardown to help strengthen your security posture: https://hubs.la/Q04mc0fJ0

Stay sharp out there. Let us know what you think of the attack chain in the comments. 👇

reddit.com
u/socradario — 13 days ago