CISA Urges US Orgs to Secure Microsoft Intune Systems After Stryker Breach

Article Link: https://www.bleepingcomputer.com/news/security/cisa-warns-businesses-to-secure-microsoft-intune-systems-after-stryker-breach/

• CISA is warning organizations to improve Intune security, especially administrative accounts, after a recent attack on Stryker Corporation that wiped around 200,000 systems.
• A hacker group called Handala claimed to have used a compromised admin account to create a powerful Global Administrator account and carry out the attack.
• Weak administrative controls, such as poor privilege restrictions and lack of multifactor authentication allowed for attackers to create the account.
• Microsoft and CISA advise organizations to enforce least-privilege access on accounts, require MFA for all administrative and service accounts, implement conditional access policies, and require multi-admin approval for certain actions, such as device wipes.
• Additional information: https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization

The Industrialization of Identity Compromise: How Attackers Are Scaling Faster Than Defenders

Article Link: https://www.scworld.com/resource/the-industrialization-of-identity-compromise-how-attackers-are-scaling-faster-than-defenders

• Identity-based attacks have become more systematic, allowing for attackers to easily scale these attacks and perform them faster.
• Improvements in endpoint security have shifted attacker focus to easier targets, usually identity systems integrated with cloud or software-as-a-service applications.
• Stolen credentials, phishing-as-a-service, and social engineering allow low-skill attackers to bypass protections and gain access to systems. Instead of traditional hacking, many attacks now prefer a sign-in not break in approach.
• A single compromised account can allow creative attackers access to multiple systems, steal information, conduct financial fraud attacks, and establish a foothold to develop larger attacks.
• Organizations must adapt and strengthen their identity protections with means such as phish-resistant MFA, activity monitoring, and increase response capabilities to mitigate attacks when they occur.

‘Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft

Article Link: https://www.darkreading.com/vulnerabilities-threats/claudy-day-trio-flaws-claude-users-data-theft

• Researchers at Oasis Security identified an attack chain using 3 vulnerabilities in Claude that could allow attackers to send users malicious links, exfiltrate data, and potentially launch prompt injection attacks.
• Attackers create fake links that open Claude with a pre-filled prompt that contains hidden instructions. When the user begins their chat with Claude the hidden instructions and user instructions each execute.
• The vulnerability allows for chat history and sensitive data to be stolen. If Claude is integrated with other tools, it can also allow hackers to access additional files or systems.
• Additional information: https://pages.oasis.security/rs/106-PZV-596/images/claudyday-vulnerability.pdf?version=0

Aura Shows The Benefits of Defense in Depth Despite Data Breach

Article Link: https://cyberpress.org/aura-confirms-data-breach-impacting-900000-customer-records/

• Identity and privacy protection firm Aura has confirmed that a breach exposed about 900,000 records containing names and email addresses.
• The attacker used a vishing (voice phishing) attack to convince an employee to give them access to their account. The attacker maintained access for about an hour until their unusual behavior was detected by security teams.
• Most of the exposed data came from an older marketing database from a company Aura bought. About 35,000 current or past customers also had some of their information exposed.
• Aura’s defense-in-depth approach helped to minimize the impact of the event as the attacker was only able to access limited data due to strong role-based access controls, network segmentation, and encryption of highly sensitive data.
• Monitoring and alerting also allowed security teams to respond quickly and address the breach, further helping to reduce the damage.

Hundreds of Millions of iPhones Can Be Hacked with a New Tool Found in the Wild

Article Link: https://www.wired.com/story/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild/

• Researchers at Google, iVerify, and Lookout collaboratively identified a powerful iPhone exploit known as DarkSword that utilizes infected websites to discretely hack devices.
• DarkSword exploits legacy iOS versions, iOS 18 and older, using fileless malware to steal data such as passwords and photos, messages from iMessage, WhatsApp, and Telegram, and data from Apple Health.
• While linked to Russian espionage groups, the researchers suspected the malware was not developed by Russians and was likely purchased through an illicit exploit black market where hacking tools are sold to multiple buyers.
• Apple confirmed that about a quarter of iPhones in use operate on iOS 18, meaning a significant number of devices are vulnerable to this exploit.
• Additional information: https://www.lookout.com/threat-intelligence/article/darksword

Aisuru and Kimwolf DDoS Botnets Disrupted in International Operation

Article Link: https://www.securityweek.com/aisuru-and-kimwolf-ddos-botnets-disrupted-in-international-operation/

• The U.S. Justice Department, along with agencies in Canada and Germany, shut down servers, domains, and other systems used by the Aisuru, Kimwolf, JackSkid, and Mossad botnets.
• These botnets were used to launch large denial-of-service (DDoS) attacks by taking over more than 3 million devices. Cloudflare reported in February that Aisuru and Kimwolf were used as part of the largest DDoS attacks the company has recorded.
• The botnets leverage poorly secured IoT devices like cameras and routers along with proxy networks to grow rapidly. Aisuru alone controlled over 200,000 compromised systems.
• The operation significantly weakened global DDoS capabilities and shows the risk of insecure internet-connected devices for both organizations that deploy them and the wider internet.

FBI Links Signal Phishing Attacks to Russian Intelligence Services

Article Link: https://www.bleepingcomputer.com/news/security/fbi-links-signal-phishing-attacks-to-russian-intelligence-services/

• The Federal Bureau of Investigation (FBI) has linked large-scale phishing campaigns targeting messaging apps like Signal and WhatsApp to Russian Intelligence services.
• Instead of attempting to break the encryption of these messaging apps, the attackers impersonate application support staff to convince users to give them account access. They then link their accounts or use the stolen accounts for additional attacks.
• The phishing messages impersonate support accounts and convince users to give the attacker account access where they monitor chats, exploit contact information, and impersonate the user.
• The attacks focus on high-value accounts, such as government officials, military members, and political figures. The access can be difficult to detect as the accounts may just be used to monitor accounts, leaving few indicators of compromise.
• Users should be aware of the risks of unexpected messages, especially those requiring scanning QR codes or linking devices to accounts. Verification codes should also never be shared with anyone, including platform support personnel.

1 Billion Personal Records Exposed in Massive New Data Breach

Article Link: https://www.tomsguide.com/computing/online-security/1-billion-personal-records-from-26-countries-exposed-in-massive-new-data-leak-how-to-stay-safe

• Researchers found more than 1 billion personal records belonging to identity verification company IDMerit that were publicly accessible in an unsecured online database.
• This data leak was not tied to a breach, but to a database that was exposed to the internet without a password required for access.
• This database contained names, addresses, dates of birth, ID numbers, and contact details of customers from 26 counties, with over 200 million from the United States alone.
• The data puts customers at risk of phishing attacks, identity theft, SIM swaps, credit fraud, and compromised accounts.
• The unsecured database containing structured data, meaning that malicious actors could easily read or search for data, further increasing the ease of exploit.
• While use of the data for malicious activity has not been confirmed, the data could have been copied by malicious actors for later use, creating long term security risks for those exposed.