
Ransomware recovery is widely misunderstood as a simple technical restoration exercise. Five common misconceptions are examined: that backups alone equal cyber resilience, that the latest backup is the safest restore point, that absence of malware or IoCs means a snapshot is clean, that fast recovery is always good recovery, and that recovery is purely an IT problem. The core argument is that true recovery means restoring to a trusted state — addressing identity, persistence, attack pathways, and control gaps — not just getting systems back online quickly. A governance-driven model with defined recovery conditions, cross-team decision rights, and evidence-led confidence criteria is advocated over speed-first approaches.
Source: https://securityboulevard.com/2026/07/the-top-5-misconceptions-about-ransomware-recovery. 8sync News only summarizes and links to the article; copyright of the content belongs to the author and the original source.
RSK has forked IdentityServer4 into Open.IdentityServer, a free and open-source OpenID Connect and OAuth 2.0 implementation for .NET intended to replace the commercial version from Duende Software. Open.IdentityServer 1.0.0 was released in June 2025 under the Apache 2.0 license and supports easy migration from Duende by simply swapping the NuGet package.
If you are building .NET applications that use OAuth 2.0/OpenID Connect and want an open-source, long-term supported solution that does not depend on commercial products, Open.IdentityServer is a reliable alternative that is easy to deploy today.
Vercel Flags now authenticates automatically through short-lived OIDC tokens, with no SDK Keys or FLAGS environment variable required for deployments on Vercel. For local development, vercel link and vercel env pull are enough, while older projects keep the SDK Key requirement for special cases.
Developers should read this article to understand how to streamline feature-flag management in current Vercel projects, reduce the security risk of handling SDK Keys, and explore automation for development and deployment.
A large-scale password-spraying campaign targeted Microsoft 365 environments, generating over 81 million login attempts across a two-week period. Attackers used previously breached credentials and authenticated via Azure CLI using the ROPC OAuth flow, which bypasses MFA because it sends passwords directly to the token endpoint without triggering interactive MFA prompts. Huntress observed the campaign between June 12 and 26, confirming 78 compromised accounts across 64 organizations. Key weaknesses exploited included MFA Conditional Access Policies scoped only to specific apps or user groups, location-based MFA exclusions, and policies left in report-only mode. Huntress recorded a 155-fold increase in password-spraying activity, with organizations averaging nearly 2,000 failed login attempts per tenant monthly. The attack traffic originates from an IPv6 range owned by LSHIY LLC.
CISA has updated its Known Exploited Vulnerabilities catalog to confirm that CVE-2026-33825, a Microsoft Defender privilege escalation flaw dubbed BlueHammer, has been actively exploited in ransomware attacks. The vulnerability was publicly disclosed on April 2 before Microsoft released patches on April 14, and security firm Huntress observed zero-day exploitation in the wild. CISOs are advised to verify patch deployment, monitor KEV catalog updates for ransomware-use designations (not just new entries), and hunt for post-compromise privilege escalation activity in endpoint telemetry.
Huntress research on the EvilTokens phishing-as-a-service (PhaaS) campaign reveals a 1,380% surge in device code phishing between H2 2025 and early 2026. The campaign abuses legitimate Microsoft 365 authentication flows via Railway.com PaaS to steal tokens at scale, with no malware or fake login pages involved. AI is central to the threat: across 344 victim organizations, no two phishing lures were identical, breaking pattern-based defenses. Security experts warn that AI has collapsed attacker timelines from weeks to hours and that MFA alone is insufficient when legitimate auth flows are exploited. Recommended defenses include restricting device code authentication, monitoring for suspicious sign-ins, revoking tokens quickly, and treating non-human identity management as a growing priority.
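Both the ROPC spraying item and the EvilTokens device-code item above share one detection signal: the grant type itself, which never produces an interactive MFA prompt. The following triage script is an added example (not code from Huntress or either article); it assumes sign-in records shaped like the Microsoft Graph signIn fields authenticationProtocol and isInteractive, and all sample records, tenants and addresses are constructed.

```python
"""Triage Entra-style sign-in records for MFA-less grant types and spraying.

Two checks from the items above:
  1. flag any non-interactive sign-in that used the ROPC or device-code grant;
  2. group failed attempts per tenant and source address, since many distinct
     users with a handful of failures each is the password-spray shape.
Field names follow Microsoft Graph signIn objects; the records are constructed.
"""
from collections import defaultdict

# Constructed sample telemetry (not real tenants, users or addresses).
# errorCode 0 is success; 50126 is Entra's invalid-credentials code.
SAMPLE_SIGNINS = [
    {"tenant": "contoso", "user": "ana@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "isInteractive": False, "errorCode": 50126, "ip": "2001:db8::1"},
    {"tenant": "contoso", "user": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "isInteractive": False, "errorCode": 50126, "ip": "2001:db8::1"},
    {"tenant": "contoso", "user": "cy@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "isInteractive": False, "errorCode": 0, "ip": "2001:db8::1"},
    {"tenant": "fabrikam", "user": "dee@fabrikam.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "isInteractive": False, "errorCode": 0, "ip": "2001:db8::2"},
    {"tenant": "contoso", "user": "ana@contoso.example", "appDisplayName": "Browser",
     "authenticationProtocol": "oAuth2", "isInteractive": True, "errorCode": 0, "ip": "203.0.113.9"},
    {"tenant": "contoso", "user": "ed@contoso.example", "appDisplayName": "Browser",
     "authenticationProtocol": "oAuth2", "isInteractive": True, "errorCode": 50126, "ip": "203.0.113.9"},
]

# Grants that hand over a token without an interactive MFA challenge.
RISKY_PROTOCOLS = {"ropc", "deviceCode"}


def flag_risky_signins(records):
    """Return every non-interactive sign-in that used an MFA-less grant type."""
    return [r for r in records
            if r.get("authenticationProtocol") in RISKY_PROTOCOLS
            and not r.get("isInteractive", True)]


def spray_summary(records, min_users=3):
    """Map (tenant, ip) -> number of distinct users with failed attempts.

    Only buckets reaching min_users are returned: a single user failing a few
    times is noise, many different users from one source is a spray.
    """
    failed_users = defaultdict(set)
    for r in records:
        if r.get("errorCode", 0) != 0:
            failed_users[(r["tenant"], r["ip"])].add(r["user"])
    return {key: len(users) for key, users in failed_users.items()
            if len(users) >= min_users}
```

Successful ROPC or device-code sign-ins in the flagged list are the ones worth immediate token revocation; a matching Conditional Access policy still in report-only mode will show these as "would have blocked" rather than blocked.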

Check Point Research discovered a browser-native ransomware technique in a DeepSeek-attributed malicious sample. The attack abuses the File System Access API — a legitimate browser feature — to enumerate, exfiltrate, and encrypt local files entirely within the browser, requiring no native payload, no exploit, and no installation. The original sample was AI-generated and incomplete, but researchers confirmed that a working proof-of-concept could be built with minimal effort using modern LLMs. The technique is especially dangerous on Android (Chrome 132+), where a fake AI photo-enhancer lure can trick users into granting write access to their DCIM/photo directory. The research highlights how LLM hallucinations can inadvertently surface practical attack techniques by mapping malicious goals to real browser APIs, lowering the expertise barrier for operationalizing novel attack chains.

A ransomware campaign is targeting small and medium-sized businesses (SMBs) globally using phishing emails impersonating Interpol's cybercrime unit. The emails create urgency by claiming the recipient's company is under investigation, then direct victims to a Proton Drive link containing a password-protected archive. Inside is an executable disguised as a video file that, when opened, encrypts files on available drives. The malware appears custom-built rather than from a known ransomware-as-a-service operation, lacking sophisticated features like hardcoded encryption passwords and dedicated dark web negotiation portals. Victims are directed to contact attackers via Tox messaging. Researchers from Bitdefender note the campaign's strength lies in its social engineering rather than technical sophistication, exploiting fear and authority to trick victims into launching the malware themselves. SMBs are particularly vulnerable due to limited IT staff, security budgets, and lack of formal verification processes.
A ransomware group called World Leaks has published files stolen from Tata Electronics, Apple's manufacturing partner in India, exposing iPhone 18 Pro component lists, supplier names, and photographs from drop tests. The leaked bill of materials reveals Apple's supplier architecture — including where it sources from multiple vendors for bargaining leverage and where single-source dependencies create supply chain vulnerabilities. The breach is the second ransomware incident involving Tata, following an earlier claim of stolen Apple and Tesla trade secrets. Apple is investigating alongside Tata, but the supplier maps are already public, posing competitive and strategic risks beyond a typical privacy incident.