Arctic Wolf Labs details the tools and techniques used by Anubis ransomware affiliates across multiple 2026 intrusions. Initial access involved exploitation of CitrixBleed 2 (CVE-2025-5777), a pre-authentication memory disclosure vulnerability in Citrix NetScaler, as well as valid VPN credential abuse. Post-access tradecraft included lateral movement via RDP and PsExec, deployment of legitimate RMM tools (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC) to blend with normal IT activity, credential theft via Mimikatz and browser password exports, ntds.dit extraction, and data exfiltration using S3 Browser, rclone, and s5cmd. Threat actors also attempted to establish covert egress paths using cloudflared tunnels, authenticated HTTP proxies, and SSH-based SOCKS tunneling. Defense evasion included disabling Windows Defender, uninstalling endpoint protection, and clearing event logs. The report provides IOCs, MITRE ATT&CK mappings, and defensive guidance including patching CVE-2025-5777, auditing RMM installations, and segmenting hypervisor and NAS infrastructure.
Source: https://arcticwolf.com/resources/blog/citrixbleed-2-to-cloudflared-the-tools-and-techniques-behind-anubis-ransomware-attacks. 8sync News only summarizes and links to the article; the content is copyright of its author and original source.
CISA has updated its Known Exploited Vulnerabilities catalog to confirm that CVE-2026-33825, a Microsoft Defender privilege escalation flaw dubbed BlueHammer, has been actively exploited in ransomware attacks. The vulnerability was publicly disclosed on April 2 before Microsoft released patches on April 14, and security firm Huntress observed zero-day exploitation in the wild. CISOs are advised to verify patch deployment, monitor KEV catalog updates for ransomware-use designations (not just new entries), and hunt for post-compromise privilege escalation activity in endpoint telemetry.

Check Point Research discovered a browser-native ransomware technique in a DeepSeek-attributed malicious sample. The attack abuses the File System Access API — a legitimate browser feature — to enumerate, exfiltrate, and encrypt local files entirely within the browser, requiring no native payload, no exploit, and no installation. The original sample was AI-generated and incomplete, but researchers confirmed that a working proof-of-concept could be built with minimal effort using modern LLMs. The technique is especially dangerous on Android (Chrome 132+), where a fake AI photo-enhancer lure can trick users into granting write access to their DCIM/photo directory. The research highlights how LLM hallucinations can inadvertently surface practical attack techniques by mapping malicious goals to real browser APIs, lowering the expertise barrier for operationalizing novel attack chains.
Sysdig's Threat Research Team has documented JADEPUFFER, assessed to be the first known agentic ransomware operation driven end-to-end by an LLM. The attacker exploited CVE-2025-3248, an unauthenticated RCE in Langflow, to gain initial access, then autonomously performed reconnaissance, credential harvesting from MinIO and Postgres, lateral movement to a production MySQL/Nacos server, and finally encrypted 1,342 Nacos configuration items and dropped entire database schemas. Key evidence of LLM autonomy includes self-narrating payloads with natural-language reasoning, machine-speed failure diagnosis and correction (a 31-second fix cycle), and adaptive behavior across 600+ distinct payloads. The AES encryption key was ephemeral and never stored, making victim data unrecoverable even with payment. Defenders are advised to patch Langflow, harden Nacos defaults, restrict database admin access, and apply egress controls.
CISA has just updated its Known Exploited Vulnerabilities (KEV) catalog with CVE-2026-33825 (BlueHammer), a serious local privilege escalation vulnerability in Microsoft Defender that is currently being abused by ransomware groups. Microsoft fixed the vulnerability in its April 2026 patch release, but it had already been exploited as a zero-day before that.
As a security-minded developer, you should read this article to understand how ransomware exploits the BlueHammer vulnerability (CVE-2026-33825) to attack Windows systems, and from there learn how to protect your own applications against new privilege escalation attacks.
A ransomware group has leaked sensitive Apple iPhone 18 Pro files on the dark web after stealing data from Tata Electronics, Apple's Indian manufacturing partner. The leaked files include component lists, supplier mappings, and drop-test photos of unreleased iPhone 18 Pro models marked 'confidential.' The breach exposes Apple's supplier relationships and bargaining vulnerabilities, coming at a sensitive time as India now accounts for 26% of global iPhone production and Apple is expected to raise iPhone prices. Tata has restricted internal system access and hired a forensic auditor in response.
The Blackfield ransomware gang has claimed a ransomware attack on Nidec Chaun Choung Technology, a Taiwanese subsidiary of Japanese electronics giant Nidec Corporation, and is demanding $2 million to delete stolen data. The attack was confirmed on June 22, 2026, prompting Nidec to shut down affected servers and networks. Blackfield has given Nidec over 15 days to negotiate, with options to extend the deadline for $5,000/day or purchase the stolen data outright for $400,000. This is Nidec's second ransomware incident in under two years, following a 2024 breach of its Vietnam-based Nidec Precision division by the 8Base and Everest gangs.
A profile of five CISOs leading cybersecurity programs at major retail and consumer brands including Levi Strauss, Topgolf Callaway, Burlington Stores, Family Dollar, and New Balance. Each leader brings cross-sector experience spanning healthcare, financial services, and hospitality. Key themes include protecting payment card data, loyalty program records, e-commerce platforms, and supply chain data. The piece frames retail security as fundamentally a consumer trust problem, where breaches damage brand relationships beyond just regulatory exposure.
A ransomware group called World Leaks has published files stolen from Tata Electronics, Apple's manufacturing partner in India, exposing iPhone 18 Pro component lists, supplier names, and photographs from drop tests. The leaked bill of materials reveals Apple's supplier architecture — including where it sources from multiple vendors for bargaining leverage and where single-source dependencies create supply chain vulnerabilities. The breach is the second ransomware incident involving Tata, following an earlier claim of stolen Apple and Tesla trade secrets. Apple is investigating alongside Tata, but the supplier maps are already public, posing competitive and strategic risks beyond a typical privacy incident.