
Google Threat Intelligence Group (GTIG) and DomainTools researchers warn that Russian state-sponsored threat actors and pro-Kremlin hacktivists are pivoting their cyber operations back toward the U.S., EU, and NATO after four years focused on Ukraine. Tactics include Signal Backup Recovery Key phishing campaigns targeting government officials and journalists, expanded use of generative AI for influence operations, and infrastructure attacks on water systems. The State Department has offered $10 million for information on two FSB-linked groups, UNC5792 and UNC4221. Russia's approach combines low-cost disruptive access, public fear generation, and covert influence operations at unprecedented scale.
Source: https://securityboulevard.com/2026/07/russia-pivots-its-cyberthreats-back-to-the-u-s-and-the-west. 8sync News only summarizes and links to the original; copyright of the content belongs to the author and the original source.
Manufacturing has been the most-attacked industry globally for five consecutive years, accounting for 27.7% of incidents per IBM's 2026 X-Force report. The three dominant attack types are credential harvesting, vendor email compromise/supplier impersonation, and invoice fraud. A key delivery technique is Microsoft 365 Direct Send abuse, which lets attackers send spoofed email from a target's own domain without compromising any account — and without triggering content-based filters. Critically, many of these attacks pass SPF, DKIM, and DMARC checks because they originate from legitimate ESP accounts or compromised vendor mailboxes. Recommended defenses include enabling Microsoft's RejectDirectSend setting, enforcing DMARC on owned and supplier domains, and evaluating security tools against authenticated, payload-free mail.

Fragmented security tooling creates dangerous blind spots that sophisticated threat actors exploit. Using a realistic Scattered Spider scenario, the post illustrates how three separate teams — Brand, SecOps, and Fraud — each close their own tickets without realizing they are all responding to the same coordinated multi-channel attack. The root cause is siloed tools that cannot share intelligence across channels. The proposed solution is a unified intelligence layer that automatically correlates signals across brand monitoring, email security, and fraud detection, enabling compound defense that disrupts entire campaigns rather than isolated symptoms. The post concludes with a pitch for Doppel's AI-native social engineering defense platform.
The FBI and CISA warn that Russian intelligence hackers (UNC5792, UNC4221) are phishing Signal users to steal their recovery keys, which grant access to all messages even after a device change. Messages impersonating Signal support lure victims into revealing the key through social engineering.
Developers should read this article to understand how hacker groups exploit social weaknesses in popular messaging apps to steal critical data, and to apply that security knowledge to their own web and mobile applications.
Huntress research on the EvilTokens phishing-as-a-service (PhaaS) campaign reveals a 1,380% surge in device code phishing between H2 2025 and early 2026. The campaign abuses legitimate Microsoft 365 authentication flows via Railway.com PaaS to steal tokens at scale, with no malware or fake login pages involved. AI is central to the threat: across 344 victim organizations, no two phishing lures were identical, breaking pattern-based defenses. Security experts warn that AI has collapsed attacker timelines from weeks to hours and that MFA alone is insufficient when legitimate auth flows are exploited. Recommended defenses include restricting device code authentication, monitoring for suspicious sign-ins, revoking tokens quickly, and treating non-human identity management as a growing priority.
Security awareness training as a phishing defense is obsolete in the AI era, where attacks are fluent and surface-level tells no longer exist. Drawing on Kahneman's System 1/2 framework applied at the organizational level, the argument is that companies should stop relying on human vigilance and instead audit their operational 'fast lanes' — processes where trust was granted and friction removed. Using the analogy of trusted-traveler programs like Nexus, the piece advocates for risk-tiered process design: identifying which fast paths were built on outdated assumptions and re-tiering them. It also calls out the trust inversion where employees face constant authentication while suppliers receive long-lived access based on a SOC 2 report, a gap attackers routinely exploit.

A ransomware campaign is targeting small and medium-sized businesses (SMBs) globally using phishing emails impersonating Interpol's cybercrime unit. The emails create urgency by claiming the recipient's company is under investigation, then direct victims to a Proton Drive link containing a password-protected archive. Inside is an executable disguised as a video file that, when opened, encrypts files on available drives. The malware appears custom-built rather than from a known ransomware-as-a-service operation, lacking sophisticated features like hardcoded encryption passwords and dedicated dark web negotiation portals. Victims are directed to contact attackers via Tox messaging. Researchers from Bitdefender note the campaign's strength lies in its social engineering rather than technical sophistication, exploiting fear and authority to trick victims into launching the malware themselves. SMBs are particularly vulnerable due to limited IT staff, security budgets, and lack of formal verification processes.
FortiGuard Labs details an active Ousaban banking Trojan campaign targeting users in Spain and Portugal. The attack chain begins with a phishing PDF disguised as a corrupted file, directing victims to a geofenced malicious webpage that performs server-side environment checks (IP, language, timezone, VPN detection, browser fingerprinting) before delivering a VBS downloader. The VBS script retrieves a steganographic image containing a hidden ZIP archive with the Ousaban payload. Once executed, Ousaban establishes persistence via a registry Run key, monitors browser access to specific banks, and resolves its C2 address through daily-rotating DDNS hostnames derived from an MD5 hash of a hard-coded string and the current date — using Google's Automated Queries page to obtain the date. A Pastebin link containing a private IP serves as a decoy. The malware supports screenshot capture, keylogging, clipboard injection, and remote control. The post includes full IOCs (domains, IPs, file hashes) and details the custom XOR-based encryption algorithm shared with other Latin American banking Trojans like Casbaneiro.
A weekly security roundup covering: LG smart TV app store apps secretly enrolling TVs into proxy botnets; Microsoft extending Windows 10 security updates to October 2027; Russian hacker groups phishing Signal users to steal backup authentication tokens; a researcher demonstrating payload injection via WiFi SSIDs, TLS certificates, and LoRa node names leading to RCE and XSS on RIPE NCC; a new CitrixBleed memory leak vulnerability (CVE-2026-8451) in Citrix Netscaler; a LastPass marketing partner breach exposing customer contact data; a PeerTube emergency security update; and denial-of-service vulnerabilities in Apple AirDrop and Google Quick Share.