Tag: mandiant
-
Mandiant details how ShinyHunters abuse SSO to steal cloud data
Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
-
WinRAR vulnerability still a go-to tool for hackers, Mandiant warns
State-sponsored hackers and financially motivated attackers continue leveraging a critical WinRAR vulnerability (CVE-2025-8088) that’s been fixed over half a year ago. … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/
-
Mandiant pushes organizations to dump insecure NTLMv1 by releasing a way to crack it
Tags: attack, authentication, computer, credentials, crypto, cve, data, data-breach, email, encryption, group, Hardware, international, mandiant, microsoft, network, ntlm, phishing, risk, service, supply-chain, theft, threat, vulnerability, windowspass-the-hash. The benefit is time and money saved: Mandiant reckons its rainbow table allows the recovery of an NTLMv1 key in 12 hours using a computer costing $600, rather than relying on third party services or expensive hardware to brute-force the keys.None of this makes NTLMv1 less secure or easier to target than it already…
-
Mandiant Publishes Rainbow Tables That Crack NTLMv1 Admin Passwords
Mandiant haspublicly releasedcomprehensive rainbow tables designed to crack Net-NTLMv1 authentication hashes, addressing a critical security gap that has persisted for over two decades, despite the protocol being deprecated and widely recognized as fundamentally insecure. The decision to release these tables underscores the urgency of migrating away from this outdated authentication mechanism, whichremainsprevalent in active environments…
-
AuraInspector: Open-Source Misconfiguration Detection for Salesforce Aura
Mandiant has released AuraInspector, an open-source command-line tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework that could expose sensitive data, including credit card numbers, identity documents, and health information. The tool addresses a critical gap in Salesforce Experience Cloud security, where complex sharing rules and multi-level…
-
AuraInspector: Open-source tool to audit Salesforce Aura access control misconfigurations
Google and its Mandiant threat intelligence unit have released AuraInspector, an open-source tool aimed at auditing data access paths in Salesforce Experience Cloud … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/01/13/aurainspector-open-source-tool-salesforce-aura/
-
Mandiant open sources tool to prevent leaky Salesforce misconfigs
AuraInspector automates the most common abuses and generates fixes for customers First seen on theregister.com Jump to article: www.theregister.com/2026/01/13/mandiant_salesforce_tool/
-
2025 Year in Review at Cloud Security Podcast by Google
Tags: 2fa, ai, automation, breach, cloud, compliance, computing, control, cybersecurity, data, defense, detection, edr, finance, google, hacking, incident response, infrastructure, linux, mandiant, metric, mitigation, offense, phone, privacy, risk, security-incident, siem, soc, technology, threat, vulnerability, vulnerability-management, zero-trust(written jointly with Tim Peacock) Five years. It’s enough time to fully launch a cloud migration, deploy a new SIEM, or”Š”, “Šif you’re a very large enterprise”Š”, “Šjust start thinking about doing the first two. It’s also how long Tim and I have been subjecting the world to our thoughts on Cloud Security Podcast by Google. We…
-
Security Advisory Regarding BRICKSTORM
Tags: advisory, backdoor, crowdstrike, cyber, cybersecurity, infrastructure, malware, mandiant, threat, vmware, windowsExecutive Summary On December 5th, 2025 the US’s Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canada’s Cyber Security Centre released a joint malware report on BRICKSTORM, a backdoor targeting VMware vSphere and Windows environments. The suspected threat actor(s), tracked as UNC5221 by Mandiant and WARP PANDA by CrowdStrike, are identified as […]…
-
Security Advisory Regarding BRICKSTORM
Tags: advisory, backdoor, crowdstrike, cyber, cybersecurity, infrastructure, malware, mandiant, threat, vmware, windowsExecutive Summary On December 5th, 2025 the US’s Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canada’s Cyber Security Centre released a joint malware report on BRICKSTORM, a backdoor targeting VMware vSphere and Windows environments. The suspected threat actor(s), tracked as UNC5221 by Mandiant and WARP PANDA by CrowdStrike, are identified as […]…
-
Security Advisory Regarding BRICKSTORM
Tags: advisory, backdoor, crowdstrike, cyber, cybersecurity, infrastructure, malware, mandiant, threat, vmware, windowsExecutive Summary On December 5th, 2025 the US’s Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canada’s Cyber Security Centre released a joint malware report on BRICKSTORM, a backdoor targeting VMware vSphere and Windows environments. The suspected threat actor(s), tracked as UNC5221 by Mandiant and WARP PANDA by CrowdStrike, are identified as […]…
-
What keeps CISOs awake at night, and why Zurich might hold the cure
Tags: access, ai, api, attack, breach, ciso, conference, control, cve, cyber, cybersecurity, deep-fake, detection, endpoint, exploit, finance, firmware, framework, group, incident response, injection, LLM, malware, mandiant, microsoft, mitre, network, phishing, phone, ransomware, resilience, risk, soc, strategy, supply-chain, threat, tool, training, update, zero-dayA safe space in the Alps: Over two days at Zurich’s stunning Dolder Grand, hosted by the Swiss Cyber Institute, I witnessed something I’ve seldom seen at cybersecurity events: real vulnerability. In a closed, attribution-free environment, leaders shared not just strategies, but doubts. And that made this event stand out, not as another conference, but…
-
What keeps CISOs awake at night, and why Zurich might hold the cure
Tags: access, ai, api, attack, breach, ciso, conference, control, cve, cyber, cybersecurity, deep-fake, detection, endpoint, exploit, finance, firmware, framework, group, incident response, injection, LLM, malware, mandiant, microsoft, mitre, network, phishing, phone, ransomware, resilience, risk, soc, strategy, supply-chain, threat, tool, training, update, zero-dayA safe space in the Alps: Over two days at Zurich’s stunning Dolder Grand, hosted by the Swiss Cyber Institute, I witnessed something I’ve seldom seen at cybersecurity events: real vulnerability. In a closed, attribution-free environment, leaders shared not just strategies, but doubts. And that made this event stand out, not as another conference, but…
-
Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks
Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East.The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented…
-
Critical Triofox bug exploited to run malicious payloads via AV configuration
Hackers exploited Triofox flaw CVE-2025-12480 to bypass auth and install remote access tools via the platform’s antivirus feature. Google’s Mandiant researchers spotted threat actors exploiting a now-patched Triofox flaw, tracked as CVE-2025-12480 (CVSS score of 9.1) that allows them to bypass authentication to upload and run remote access tools via the platform’s antivirus feature. Mandiant…
-
Hackers Exploit Triofox 0-Day to Deploy Malicious Payloads Using Anti-Virus Feature
Tags: authentication, cyber, cybersecurity, defense, exploit, flaw, hacker, malicious, mandiant, threat, virus, vulnerability, zero-dayCybersecurity researchers from Mandiant Threat Defense have uncovered a critical zero-day vulnerability in Gladinet’s Triofox file-sharing platform that allowed attackers to bypass authentication and execute malicious code with system-level privileges. The vulnerability, tracked as CVE-2025-12480, was actively exploited by the threat actor group UNC6485 as early as August 24, 2025. The flaw affected Triofox version 16.4.10317.56372 and has…
-
Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature
Google’s Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet’s Triofox file-sharing and remote access platform.The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads. The First seen…
-
SonicWall cloud backup hack was the work of a state actor
Incident responders from Mandiant have wrapped up their investigation into the SonicWall cloud backup service hack, and the verdict is in: the culprit is a state-sponsored … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/11/06/sonicwall-cloud-backup-hack-was-the-work-of-a-state-actor/
-
Oracle issues second emergency patch for E-Business Suite in two weeks
Tags: attack, business, cve, cybersecurity, data, exploit, google, governance, group, identity, infrastructure, intelligence, kev, least-privilege, malicious, mandiant, monitoring, network, oracle, strategy, threat, update, vulnerability, zero-trustImmediate actions for CVE-2025-61884: Oracle has provided patches for CVE-2025-61884 for all affected versions covered under Premier Support or Extended Support. However, security experts warned that patching alone may not be sufficient. The lessons from the recent CVE-2025-61882 attacks show that organizations need to hunt for signs of prior compromise even after applying fixes.In a…
-
Google, Mandiant expose malware and zero-day behind Oracle EBS extortion
Google and Mandiant link Oracle EBS extortion emails to known July-patched flaws and a likely zero-day, CVE-2025-61882. Google Threat Intelligence and Mandiant analyzed the Oracle E-Business Suite extortion campaign, revealing the use of malware. Attackers exploited July-patched EBS flaws and likely a zero-day (CVE-2025-61882), sending extortion emails to company executives. In early October, Google Mandiant…
-
CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw
Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday.”We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” John…
-
CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw
Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday.”We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” John…
-
Google Issues Alert on CL0P Ransomware Actively Exploiting Oracle E-Business Suite Zero-Day
Organizations using Oracle E-Business Suite must apply the October 4 emergency patches immediately to mitigate active, in-the-wild exploitation by CL0P extortion actors and hunt for malicious templates in their databases. Beginning September 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant identified a massive email campaign targeting executives at dozens of organizations, alleging theft of…
-
Google Says Oracle EBS Extortion Campaign Possibly Targeted Thousands, Could Date Back To July
Google Threat Intelligence Group and Mandiant share new details on the Oracle E-Business Suite extortion campaign by a threat actor possibly tied to ShinyHunters. First seen on crn.com Jump to article: www.crn.com/news/security/2025/google-says-oracle-ebs-extortion-campaign-possibly-targeted-thousands-could-date-back-to-july