Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.
- The Cyber Express Weekly Roundup: Schools, Hacktivists, and National Cyber Overhauls by Ashish Khaitan on January 9, 2026 at 10:46 am
The opening week of 2026 has already highlighted the complexity of global cyber threats, with incidents affecting governments, educational institutions, and corporations alike. From school closures to corporate breaches and international policy shifts, this week's cybersecurity news demonstrates that attacks are no longer confined to technical systems; they have real-world consequences for operations, public trust, and the protection of sensitive data.

This week, digital risks have shown their reach across multiple sectors: schools are grappling with ransomware and system outages that disrupt learning, corporations face data breaches due to human error and weak authentication practices, and governments are reevaluating international cooperation in cybersecurity. The early events of 2026 underline that managing cyber risk requires not just technology, but coordinated response, regulatory oversight, and awareness at every level, from individual users to global policymakers.

The Cyber Express Weekly Roundup

Higham Lane School Cyberattack Forces Temporary Closure

Higham Lane School in Nuneaton, England, closed temporarily after a cyberattack disrupted IT systems, affecting 1,500 students. Staff and students must avoid platforms like Google Classroom while cybersecurity experts and the Department for Education investigate.

Hacktivist Takes Down White Supremacist Websites Live at Conference

Hacktivist Martha Root gained attention by deleting white supremacist websites live at the Chaos Communication Congress in Hamburg. Targeted platforms included WhiteDate, WhiteChild, and WhiteDeal. Root also exposed partial data from over 6,000 WhiteDate profiles, sharing it with the controlled-access platforms DDoSecrets and HaveIBeenPwned.

UK Announces £210 Million Cybersecurity Overhaul

The UK government announced a £210 million cybersecurity initiative to address “critically high” risks across public sector systems, many of which rely on vulnerable legacy platforms. The plan includes creating a Government Cyber Unit for cross-department coordination and accountability, establishing the Government Cyber Coordination Centre (GC3) for strategic defense, and launching the first Government Cyber Profession to tackle skills shortages, supported by a Cyber Resourcing Hub.

Australian Insurer Prosura Suffers Cyber Incident

In Australia, Prosura temporarily shut down its online policy management and claim portals following unauthorized access to internal systems on January 3, 2026. Customer names, emails, phone numbers, and policy details may have been exposed, though payment information remained secure.

U.S. Withdraws from International Cyber Coalitions

The United States announced its withdrawal from 66 international organizations related to cybersecurity, digital rights, and hybrid threat cooperation, including the Hybrid CoE, GFCE, and Freedom Online Coalition. Officials cited misalignment with U.S. interests, raising concerns over reduced intelligence sharing and potential gaps in global cyber defense.

Weekly Takeaway

This week’s cybersecurity news from The Cyber Express shows that 2026 is already marked by complex threats. From school closures and corporate breaches to government reforms and international policy shifts, data breaches affect education, public services, and businesses. Protecting digital systems now requires vigilance, technical skill, and proactive governance, making strong cybersecurity strategies essential to protecting operations, trust, and public safety worldwide.
- European Space Agency Confirms Cybersecurity Breach on External Servers by Samiksha Jain on January 5, 2026 at 6:19 am
The European Space Agency (ESA) has confirmed a cybersecurity breach involving servers located outside its corporate network. The confirmation follows a threat actor's claim to have compromised ESA systems and stolen a large volume of internal data, though ESA maintains that only unclassified information was affected.

In an official statement shared on social media, ESA said it is aware of the cybersecurity issue and has already launched a forensic security investigation, which remains ongoing. According to ESA, preliminary findings indicate that only a very small number of external servers were impacted. “These servers support unclassified collaborative engineering activities within the scientific community,” ESA stated, emphasizing that the affected infrastructure does not belong to its internal corporate network. The agency added that containment measures have been implemented to secure potentially affected devices and that all relevant stakeholders have been informed.

Source: ESA Twitter Handle

ESA said it will provide further updates as additional details become available.

Threat Actor Claims Data Theft

The confirmation follows claims posted on BreachForums and DarkForums, where a hacker using the alias “888” alleges responsibility for the breach. According to the posts, the attack occurred on December 18, 2025, and resulted in the full exfiltration of internal ESA development assets. The threat actor claims to have stolen over 200 GB of data, including private Bitbucket repositories, source code, CI/CD pipelines, API tokens, access tokens, configuration files, Terraform files, SQL files, confidential documents, and hardcoded credentials.

“I’ve been connecting to some of their services for about a week now and have stolen over 200GB of data, including dumping all their private Bitbucket repositories,” the actor wrote in one forum post.

The stolen data is reportedly being offered as a one-time sale, with payment requested exclusively in Monero (XMR), a cryptocurrency commonly associated with underground cybercrime marketplaces.

Source: Data Breach Forum

ESA has not verified the authenticity or scope of the threat actor's claims. So far, ESA has not disclosed which specific external servers were compromised or whether any credentials or development assets referenced by the threat actor were confirmed to be exposed.

Founded 50 years ago and headquartered in Paris, the European Space Agency is an intergovernmental organization that coordinates space activities across 23 member states. Given ESA’s role in space exploration, satellite systems, and scientific research, cybersecurity incidents involving the agency carry heightened strategic and reputational significance.

Previous European Space Agency Cybersecurity Incidents

This is not the first cybersecurity breach involving ESA in recent years. In December 2024, the agency’s official web shop was compromised after attackers injected malicious JavaScript code designed to steal customer information and payment card data during checkout. That incident raised concerns around third-party systems and external-facing infrastructure, an issue that appears relevant again in the current breach involving non-corporate servers.

What Happens Next

While ESA insists the compromised systems hosted only unclassified data, the ongoing forensic investigation will be critical in determining the true scope and impact of the breach. As threat actors continue to publish claims on hacking forums, the incident highlights the growing cybersecurity risks facing large scientific and governmental organizations that rely heavily on collaborative and distributed digital environments. ESA has said further updates will be shared once more information becomes available.
- 59,000 Servers Breached: Operation PCPcat Targets React and Next.js at Internet Scale by Ashish Khaitan on December 24, 2025 at 12:19 pm
A large-scale cyber espionage operation known as Operation PCPcat has shaken modern web infrastructure, compromising more than 59,000 servers in just 48 hours. The campaign targets systems built on React frameworks, including the widely deployed Next.js and React Servers, and has already resulted in the theft of hundreds of thousands of credentials.

Security researchers uncovered the campaign after observing unusual activity across multiple honeypot environments. Further investigation revealed a highly automated attack chain linked to a centralized command-and-control (C2) server hosted in Singapore. The attackers appear to be exploiting previously undocumented or recently disclosed vulnerabilities to achieve remote code execution (RCE) at scale.

According to the data observed, Operation PCPcat has scanned 91,505 IP addresses globally and successfully compromised 59,128 servers, a 64.6% success rate. At its peak, the campaign was compromising approximately 41,000 servers per day, making it one of the fastest-moving attacks ever observed against React-based deployments.

Exploited Vulnerabilities and Initial Access

The attackers behind PCPcat are exploiting two critical vulnerabilities identified as CVE-2025-29927 and CVE-2025-66478. Both flaws reportedly affect Next.js deployments and allow attackers to execute arbitrary code remotely.

The attack begins with mass scanning of publicly exposed domains running vulnerable React frameworks. Once a susceptible server is identified, the attackers use prototype pollution, a well-known JavaScript vulnerability class. By injecting malicious payloads through crafted JSON data, the attackers manipulate JavaScript object prototypes, ultimately tricking the server into executing unauthorized commands. This approach allows the attackers to bypass traditional authentication mechanisms and gain full control of the affected React Servers without needing valid credentials.

Credential Theft and Post-Exploitation Activity

Once access is achieved, the malware deployed by Operation PCPcat behaves as a highly efficient credential stealer. It immediately searches for sensitive data stored on the system, including:
- .env configuration files
- SSH private keys
- Cloud service credentials
- System environment variables

The stolen data potentially grants attackers access to broader infrastructure components, such as AWS accounts, Docker environments, and internal networks. Researchers estimate that the campaign has already exfiltrated between 300,000 and 590,000 credential sets, increasing the risk of follow-on attacks.

Centralized Command-and-Control Infrastructure

The compromised servers are managed through a centralized C2 server at 67.217.57.240, hosted in Singapore. This server coordinates the operation by assigning new scanning targets and collecting stolen data from infected machines. Notably, the attackers left an internal statistics dashboard publicly accessible, allowing researchers to observe the scope of the operation directly and in real time. The dashboard confirmed the scale of the campaign and revealed how efficiently PCPcat was spreading across vulnerable React Servers.

Persistence and Self-Sustaining Propagation

To maintain long-term access, the malware installs proxy tools such as GOST and Fast Reverse Proxy on infected systems. These tools are configured as systemd services, ensuring that the malware automatically restarts whenever the server reboots. Each compromised machine is also programmed to request 2,000 new target IPs from the C2 server every 45 minutes. This design creates a self-sustaining infection loop, allowing Operation PCPcat to expand rapidly without direct operator involvement. This level of automation suggests a highly organized and well-resourced threat actor rather than an opportunistic attack.

Detection and Defensive Measures

As Operation PCPcat evolves, organizations running React frameworks and React Servers should assume potential exposure and act quickly: audit .env files, rotate credentials, review logs for suspicious activity, monitor outbound traffic to known C2 infrastructure, and use YARA signatures to detect the PCPcat credential stealer. The campaign highlights the growing risk to modern JavaScript ecosystems, where widespread React and Next.js adoption, combined with misconfigurations or unpatched flaws, enables large-scale compromise, with possible long-term impacts on cloud and enterprise environments.

To stay ahead as attackers adapt their tactics, security teams can strengthen detection and response with Cyble’s AI-powered threat intelligence and book a free demo with Cyble to gain real-time visibility into new cyber threats and protect their infrastructure proactively.
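An added example, not code from The Cyber Express or from the researchers who tracked PCPcat, showing what the log review and C2 monitoring recommended above can look like in practice: it scans constructed flow-log lines for connections to the reported C2 address, flags hosts that contact it on the 45-minute cadence the article describes, and inspects systemd unit text for the GOST and Fast Reverse Proxy services used for persistence. The flow-log format, the unit-file names and the binary names frpc/frps are assumptions.

```python
"""Triage helpers for the Operation PCPcat indicators described above.
Added example, not the article's or the researchers' code; the flow-log
format and the systemd unit text are constructed, not captured data."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# C2 address reported in the article (keep such lists in a shared blocklist).
PCPCAT_C2 = {"67.217.57.240"}

# The article names GOST and Fast Reverse Proxy; matching the binaries as
# "gost", "frpc" or "frps" (FRP's client/server names) is an assumption.
PROXY_TOOL_RE = re.compile(r"(?:^|[/\s])(?:gost|frpc|frps)(?:\s|$)")

# Assumed flow-log line format:
#   <ISO-8601 timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def find_c2_connections(lines: list[str]) -> list[dict]:
    """Return flows whose destination is a known PCPcat C2 address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["dst"] in PCPCAT_C2:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "dst": m["dst"], "dport": int(m["dport"])})
    return hits


def find_periodic_beacons(hits: list[dict],
                          period: timedelta = timedelta(minutes=45),
                          tolerance: timedelta = timedelta(minutes=2)) -> list[str]:
    """Return source IPs whose C2 contacts recur every `period` (+/- tolerance).
    The article reports that each bot polls the C2 for new targets every
    45 minutes; two consecutive matching gaps are required, so a single pair
    of hits is not reported as a beacon."""
    by_src: dict[str, list[datetime]] = {}
    for h in hits:
        ts = datetime.fromisoformat(h["ts"].replace("Z", "+00:00"))
        by_src.setdefault(h["src"], []).append(ts)
    beacons = []
    for src, times in by_src.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps):
            beacons.append(src)
    return beacons


def find_proxy_services(units: dict[str, str]) -> list[str]:
    """Return systemd unit names whose ExecStart launches GOST or FRP.
    `units` maps a unit-file name to its text (e.g. from /etc/systemd/system)."""
    flagged = []
    for name, text in units.items():
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "ExecStart" and PROXY_TOOL_RE.search(value):
                flagged.append(name)
                break
    return sorted(flagged)


# Constructed sample data; non-C2 addresses use the RFC 5737 documentation range.
SAMPLE_LOG = """\
2025-12-22T10:01:03Z 10.0.4.21:51234 -> 67.217.57.240:443 ALLOW
2025-12-22T10:01:09Z 10.0.4.21:51240 -> 203.0.113.7:443 ALLOW
this line is deliberately unparseable
2025-12-22T10:12:00Z 10.0.4.33:40111 -> 67.217.57.240:8080 ALLOW
2025-12-22T10:46:03Z 10.0.4.21:51301 -> 67.217.57.240:443 ALLOW
2025-12-22T11:31:03Z 10.0.4.21:51377 -> 67.217.57.240:443 ALLOW
""".splitlines()

SAMPLE_UNITS = {
    "gost-tunnel.service": "[Service]\nExecStart=/usr/local/bin/gost -L socks5://:1080\nRestart=always\n",
    "nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n",
    "frpc.service": "[Service]\nExecStart=/opt/frp/frpc -c /opt/frp/frpc.ini\nRestart=always\n",
}

if __name__ == "__main__":
    c2_hits = find_c2_connections(SAMPLE_LOG)
    print(f"{len(c2_hits)} flows to PCPcat C2; beaconing hosts: {find_periodic_beacons(c2_hits)}")
    print("proxy persistence units:", find_proxy_services(SAMPLE_UNITS))
```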
- Indian Vehicle Owners Warned as Browser-Based e-Challan Phishing Gains Momentum by Ashish Khaitan on December 24, 2025 at 7:44 am
A renewed RTO scam campaign targeting Indian vehicle owners is gaining momentum, following a sharp rise in browser-based e-challan phishing operations that rely on shared and reusable fraud infrastructure. The latest findings indicate that attackers are exploiting trust in government transport services, continuing a pattern of RTO-themed threats that has persisted over recent years.

Unlike earlier campaigns that depended heavily on Android malware delivery, this new e-challan phishing campaign has shifted entirely to the web browser. This change lowers the technical barrier for attackers while increasing the pool of potential victims: any user with a smartphone and a web browser can now be targeted, without the installation of a malicious app. The Cyble Research and Intelligence Labs (CRIL) investigation also aligns with coverage from mainstream Indian media outlets, including Hindustan Times, which have highlighted similar fake e-challan scams.

How the e-Challan Phishing Campaign Operates

e-Challan Phishing Chain (Source: Cyble)

The e-challan phishing campaign primarily targets Indian vehicle owners through unsolicited SMS messages. These messages claim that a traffic violation fine is overdue and must be paid immediately to avoid legal consequences. The SMS typically contains threatening language referencing court action, license suspension, or additional penalties. A shortened or deceptive URL, crafted to resemble an official e-challan domain, is embedded in the message.

Notably, the messages lack personalization, allowing attackers to distribute them at scale. The sender appears as a regular mobile number rather than an identifiable shortcode, which increases delivery success and reduces immediate suspicion.

Deceptive traffic fine SMS carrying a malicious e-Challan payment link (Source: Cyble)

Clicking the link redirects the victim to a fraudulent e-challan portal hosted on the IP address 101[.]33[.]78[.]145. The phishing page closely mimics the branding and structure of legitimate government services, visually replicating official insignia, references to the Ministry of Road Transport and Highways (MoRTH), and National Informatics Centre (NIC) branding.

Fake e-Challan landing page (Source: Cyble)

Technical analysis revealed that the page content was originally authored in Spanish and later translated into English via browser prompts, suggesting that attackers are reusing phishing templates across regions.

Fabricated Challans and Psychological Manipulation

Once on the fake portal, users are prompted to enter basic details such as a vehicle number, challan number, or driving license number. Regardless of what information is entered, the system generates a convincing-looking challan record.

Fraudulent e-Challan record generated (Source: Cyble)

The fabricated record typically displays a modest fine amount, such as INR 590, along with a near-term expiration date. Prominent warnings about license suspension, court summons, or legal proceedings are displayed to heighten urgency. This step is purely psychological; no real backend verification occurs. The goal is to convince victims that the challan is legitimate and time-sensitive, a hallmark of effective e-challan phishing and other RTO-themed threats.

Card Data Harvesting and Payment Abuse

When victims click “Pay Now,” they are taken to a payment page that claims to offer secure processing through an Indian bank.

Fake e-Challan payment page limited to credit and debit card payments (Source: Cyble)

However, the page only accepts credit or debit card payments, deliberately excluding UPI or net banking options that might leave clearer transaction trails. No redirection to an official payment gateway occurs. Instead, victims are asked to enter full card details, including card number, expiry date, CVV, and cardholder name.

Testing showed that the page accepts repeated card submissions without error, regardless of transaction outcome. This behavior indicates that all entered card data is transmitted directly to attacker-controlled servers, confirming the campaign’s focus on financial theft rather than legitimate payment processing.

Shared Infrastructure and Campaign Expansion

CRIL’s infrastructure analysis revealed that the same hosting environment is being used to support multiple phishing lures beyond e-challan scams. Another attacker-controlled IP address, 43[.]130[.]12[.]41, was found hosting domains impersonating India’s e-Challan and Parivahan services.

Additional phishing infrastructure backing fraudulent e-Challan portals (Source: Cyble)

Several domains closely resemble legitimate branding, including lookalikes such as parizvaihen[.]icu. These domains appear to be automatically generated and rotated, suggesting the use of domain generation techniques to evade takedowns and blocklists.

Further investigation into IP address 101[.]33[.]78[.]145 uncovered more than 36 phishing domains impersonating e-challan services alone. The same infrastructure also hosted phishing pages targeting the BFSI sector, including HSBC-themed payment lures, as well as logistics companies such as DTDC and Delhivery.

Phishing page mimicking a DTDC failed delivery alert (Source: Cyble)

Consistent user interface patterns and identical payment-harvesting logic across these campaigns confirm the existence of a shared phishing backend supporting multiple fraud verticals.

SMS Origin and Localized Credibility

The localized nature of this RTO scam, using Indian mobile numbers on domestic telecom networks and links to a State Bank of India account, shows how attackers deliberately exploit trust in familiar institutions to increase the success of e-challan phishing. Combined with realistic portal cloning, fabricated challan data, and urgency-driven messaging, this campaign reflects a mature and scalable fraud operation rather than an isolated activity.

The shift from malware-based attacks to browser-driven financial theft reflects a digital world where awareness alone is not enough. As highlighted by Cyble and its research arm, CRIL, effective mitigation now depends on continuous threat intelligence, infrastructure tracking, rapid takedowns, and coordinated action across telecoms, banks, and security teams.

To stay protected from such RTO-themed threats and other large-scale fraud campaigns, organizations can leverage Cyble’s AI-powered threat intelligence capabilities. Book a free demo to see how Cyble helps detect, disrupt, and prevent cybercrime at scale.
- DoorDash Confirms Cybersecurity Incident After Social Engineering Attack by Samiksha Jain on November 19, 2025 at 7:10 am
American food delivery platform DoorDash has disclosed a cybersecurity incident after an unauthorized third party accessed certain user information through a targeted social engineering attack. The company confirmed that the data breach affected an unspecified number of users but clarified that no sensitive or financial information was accessed.

According to DoorDash’s public statement, the incident began when a company employee was manipulated into granting access through a social engineering scam. This reflects a rising trend in which attackers exploit human behavior rather than system weaknesses, posing significant risks even to companies with mature cybersecurity programs.

DoorDash Cybersecurity Incident: Social Engineering Identified as the Root Cause

The company revealed that the threat actors did not rely on malware or exploit software vulnerabilities. Instead, they used deceptive tactics to influence an employee and gain initial access. This form of attack continues to challenge organizations, as technical security controls often cannot prevent human error. DoorDash stated that its response team quickly identified the breach, shut down the unauthorized access, and initiated an internal investigation. The company has also referred the matter to law enforcement.

What Information Was Accessed in the DoorDash Data Breach

DoorDash confirmed that some users, spanning consumers, Dashers, and merchants, were impacted. The type of user information accessed varied and may have included:
- First and last name
- Phone number
- Email address
- Physical address

The company emphasized that no sensitive information such as Social Security numbers, government-issued IDs, driver’s license details, bank information, or payment card data was compromised in the incident. DoorDash added that it has no evidence of fraud, identity theft, or misuse of the accessed information.

DoorDash Response and Security Enhancements

Following the incident, the company implemented several measures to strengthen its cybersecurity posture. These steps include:
- Deploying new security system enhancements to detect and block similar malicious activity
- Increasing employee security awareness training focused on social engineering threats
- Engaging an external cybersecurity firm to assist in the investigation and provide expert guidance
- Coordinating with law enforcement for the ongoing inquiry

DoorDash reiterated its commitment to improving user security, stating that it strives to “get 1% better every day” and protect user privacy through continuous improvements.

User Notifications and Support

The company noted that affected users have been notified where required under applicable laws. To address concerns and questions, DoorDash has set up a dedicated call center available in English and French for users in the U.S., Canada, and international regions. Users seeking more information can contact the hotline using reference code B155060. DoorDash also clarified that customers of Wolt or Deliveroo were not impacted by this incident, as the breach was limited exclusively to DoorDash systems and data.

Guidance for Users

While no sensitive data was compromised, DoorDash advised users to remain cautious of unsolicited communications requesting personal information. The company warned users to avoid clicking suspicious links or downloading unexpected attachments, as such tactics are commonly used in social engineering attacks. DoorDash stated that users do not need to take any immediate action to protect their accounts, as the compromised information was limited to basic contact details and there is no evidence of misuse.
- U.S. Prosecutors Indict Cybersecurity Insiders in BlackCat Ransomware Attacks by Ashish Khaitan on November 4, 2025 at 2:39 pm
Federal prosecutors in the United States have charged three individuals with allegedly carrying out a series of ransomware attacks on five U.S. companies using BlackCat ransomware, also known as ALPHV, between May and November 2023. The attacks reportedly aimed to extort large sums from the victims, which included medical, engineering, pharmaceutical, and technology organizations.

Insiders Accused of Orchestrating Ransomware Attacks

Kevin Tyler Martin and another accomplice, referred to in court documents as “Co-Conspirator 1,” were employed at the time as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks. Ryan Clifford Goldberg, an incident response manager at Sygnia Cybersecurity Services, was also indicted in the scheme.

The Chicago Sun-Times first reported the charges, highlighting the unusual circumstances in which employees of a firm tasked with resolving ransomware attacks allegedly engaged in their own cybercrimes. “Employees of DigitalMint, a company that specializes in negotiating ransoms in cyberattacks, were part of a small crew, the feds say conducted five hacks that scored more than $1 million,” the outlet reported.

Timeline and Targets of BlackCat Ransomware Attacks

Prosecutors claim the group began deploying BlackCat ransomware in May 2023. The first target was a medical company in Florida, whose servers were locked with a ransom demand of $10 million. Court records indicate that the attack ultimately netted $1.2 million, which was routed through cryptocurrency mixers to conceal the transaction. Subsequent targets included a Maryland-based pharmaceutical company, a California doctor’s office with a $5 million demand, an engineering company in California with a $1 million demand, and a Virginia drone manufacturer with a $300,000 demand.

According to FBI documents, Goldberg initially denied involvement when interviewed in June 2025 but later admitted that the unnamed co-conspirator had recruited him. He stated that his motivation stemmed from personal debt and fear of federal prison, and he described how the illicit funds were transferred through multiple cryptocurrency wallets to hide the digital trail.

Both DigitalMint and Sygnia have publicly stated that they were not targets of the investigation and have cooperated fully with law enforcement. DigitalMint confirmed it terminated the employees involved, emphasizing that the alleged attacks occurred outside its systems and did not compromise client data. Sygnia noted that Goldberg was no longer employed by the firm.

Legal Proceedings and Potential Consequences

Martin and Goldberg were indicted on October 2, 2025, on multiple charges, including conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to protected computers. Goldberg has been taken into custody, while Martin was released on a $400,000 bond. Both face a potential maximum sentence of 50 years in federal prison.

The timeline of attacks, according to court documents, includes:
- May 13, 2023: Attack on the Florida medical device company; $1.274 million paid in cryptocurrency.
- May 2023: Attack on an unspecified firm; ransom demand unknown.
- July 2023: Attack on the California doctor’s office; $5 million ransom demand.
- October 2023: Attack on the California engineering company; $1 million ransom demand.
- November 2023: Attack on the Virginia drone manufacturer; $300,000 ransom demand.

While Martin has pleaded not guilty, Goldberg allegedly admitted to participating in the attacks in coordination with the co-conspirator to “ransom some companies.” The third individual involved has not been indicted.
The FBI warns that malicious software like BlackCat ransomware can encrypt files on local drives, networked computers, and attached devices, with victims often coerced into paying ransoms to regain access to critical systems.
- Cyble Detects Advanced Backdoor Targeting Defense Systems via Belarus Military Lure by Ashish Khaitan on November 3, 2025 at 9:19 am
Cyble Research and Intelligence Labs (CRIL) has uncovered a cyber-espionage operation that used a weaponized ZIP archive to infiltrate defense-sector systems. The malicious file—disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (“TLG for departure for retraining.pdf”)—delivered a highly advanced backdoor capable of establishing covert access through SSH and Tor.

The campaign specifically leveraged the Belarusian military theme to deceive personnel linked to Special Operations Command and those specializing in UAV or drone operations. CRIL’s findings suggest the attack aimed to gather intelligence about the region’s unmanned aerial capabilities or possibly to mask the attacker’s true identity through a false-flag narrative.

This operation builds on methods first observed in the December 2024 “Army+” campaign, previously attributed to the Sandworm group (APT44/UAC-0125). The October 2025 version shows notable technical evolution, employing improved obfuscation, operational security, and anonymization measures.

Infection Chain and Anti-Detection Measures

The malicious ZIP archive was carefully constructed to evade both human suspicion and automated detection. Inside the archive, the victim would find an LNK shortcut masquerading as a PDF file and a hidden folder named “FOUND.000” containing another compressed file, persistentHandlerHashingEncodingScalable.zip. When executed, the LNK shortcut launched an obfuscated PowerShell script instead of opening a legitimate document.

The PowerShell payload extracted files to the %appdata%\logicpro directory and ran additional code that maintained stealth through obfuscation and environmental awareness. Before executing, it checked that the infected system contained at least ten recent shortcut files and fifty or more running processes—conditions typical of real user environments but not of sandboxes. If these checks fail, the script terminates, effectively bypassing automated malware analysis systems. While the decoy PDF was opened to distract the victim, the malware silently proceeded to install persistent services in the background.

Scheduled Tasks, Persistence, and Backdoor Setup

Persistence was achieved through scheduled tasks created using XML templates extracted from the ZIP archive. Two tasks were registered: one to deploy OpenSSH for Windows (renamed as githubdesktop.exe) and another to run a modified Tor client (renamed as pinterest.exe). The OpenSSH binary established a local SSH service on port 20321 using only RSA key-based authentication, disabling passwords entirely. The authorized keys and configuration files were stored in hidden directories under AppData\Roaming\logicpro.

In parallel, the Tor service created a hidden .onion address and forwarded several critical ports:
- SSH (20322 → 127.0.0.1:20321)
- SMB (11435 → 127.0.0.1:445)
- RDP (13893 → 127.0.0.1:3389)

To conceal traffic, the malware employed the obfs4 protocol, disguising Tor communications as legitimate network traffic. Two bridge relays—77.20.116.133:8080 and 156.67.24.239:33333—served as entry points into the Tor network. Once connected, the malware generated a unique .onion hostname and sent it to the attacker’s command-and-control server via a curl command routed through the Tor SOCKS5 proxy. The command used 1,000 retries with three-second intervals to ensure successful data delivery. This process gave the attacker continuous, anonymous access to the compromised host.

Attribution, Impact, and Defensive Measures

CRIL’s analysis confirmed that the backdoor allowed full remote access through SSH, RDP, SFTP, and SMB channels, all tunneled through Tor for anonymity. Analysts verified the backdoor’s functionality by establishing a controlled SSH session using the embedded RSA keys and proxy configuration. No secondary payloads or lateral movement were detected, suggesting the attackers were in the reconnaissance phase.

The October 2025 sample closely resembles techniques used in the December 2024 Army+ campaign attributed to Sandworm (APT44). The overlap includes double-extension lures, scheduled task persistence, and the integration of OpenSSH and Tor for covert tunneling. Sandworm, associated with Russia’s GRU Unit 74455, has a long history of targeting Ukraine’s infrastructure, including the BlackEnergy attacks in 2015, the NotPetya outbreak in 2017, and a 2023 breach of Kyivstar. Despite these similarities, CRIL maintains moderate confidence in linking this operation directly to Sandworm. The Belarusian military focus could reflect either an intelligence-gathering mission or a deliberate misdirection tactic.

To mitigate such threats, CRIL recommends that defense organizations:
- Strengthen email filtering to detect nested or double-extension ZIP archives.
- Train personnel to verify document authenticity through secondary channels.
- Deploy behavioral endpoint detection capable of flagging suspicious PowerShell activity and unauthorized scheduled tasks.
- Block or monitor Tor and obfs4 traffic at the network level.
- Audit SSH key usage and identify any OpenSSH instances running on non-standard ports.
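As an added example tied to the last two recommendations above (it is not CRIL's tooling and not part of the original article), the following Python parses exported Windows Task Scheduler XML and an sshd_config of the kind the article describes: it flags task actions that run from %APPDATA%\logicpro or use the renamed binary names githubdesktop.exe and pinterest.exe, and an sshd that listens on a non-standard port with its authorized keys under a user profile. The XML and config samples are constructed; the task names are assumptions.

```python
"""Offline triage of scheduled-task XML and sshd_config for the SSH/Tor
backdoor described above. Added example, not CRIL's code; samples are
constructed. Real task exports (schtasks /query /xml, or the files under
C:\\Windows\\System32\\Tasks) are UTF-16: load those with ET.parse(path)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binary names the article reports for the renamed OpenSSH and Tor clients.
RENAMED_BINARIES = {"githubdesktop.exe", "pinterest.exe"}

# User-writable locations a scheduled task should rarely execute from.
USER_WRITABLE_MARKERS = ("%appdata%", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

SSH_DEFAULT_PORT = "22"


def audit_task_xml(task_name: str, xml_text: str) -> list[str]:
    """Return human-readable findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        base = PureWindowsPath(cmd).name.lower()
        if base in RENAMED_BINARIES:
            findings.append(f"{task_name}: executes reported renamed binary {base}")
        if any(marker in cmd.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append(f"{task_name}: action runs from user-writable path {cmd}")
    return findings


def parse_sshd_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines of an sshd_config, applying OpenSSH defaults
    for the keywords this audit cares about (keywords are matched as written)."""
    cfg = {"Port": SSH_DEFAULT_PORT, "PasswordAuthentication": "yes",
           "PubkeyAuthentication": "yes"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def audit_sshd_config(source: str, text: str) -> list[str]:
    """Flag an sshd listening off-port and keyed from a user profile, the
    combination the article reports for the backdoor's OpenSSH service."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["Port"] != SSH_DEFAULT_PORT:
        findings.append(f"{source}: sshd listens on non-standard port {cfg['Port']}")
    keys_file = cfg.get("AuthorizedKeysFile", "").lower()
    if any(marker in keys_file for marker in USER_WRITABLE_MARKERS):
        findings.append(f"{source}: AuthorizedKeysFile under user profile ({keys_file})")
    return findings


# Constructed samples (no XML declaration, so ET.fromstring accepts the str).
SUSPICIOUS_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%APPDATA%\\logicpro\\githubdesktop.exe</Command>
      <Arguments>-f %APPDATA%\\logicpro\\sshd_config</Arguments>
    </Exec>
  </Actions>
</Task>
"""

BENIGN_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

SUSPICIOUS_SSHD_CONFIG = """\
# constructed sample resembling the configuration described in the article
Port 20321
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile C:\\Users\\victim\\AppData\\Roaming\\logicpro\\.ssh\\authorized_keys
"""

if __name__ == "__main__":
    for name, xml in (("GitHubDesktopUpdate", SUSPICIOUS_TASK_XML), ("VendorUpdate", BENIGN_TASK_XML)):
        print(name, audit_task_xml(name, xml) or ["no findings"])
    print(audit_sshd_config("sshd_config", SUSPICIOUS_SSHD_CONFIG))
```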
- Ransomware Attacks Escalate in APAC Targeting VPN Flaws, Microsoft 365 Logins, Python Scripts by Ashish Khaitan on October 22, 2025 at 6:28 am
The Asia-Pacific (APAC) region is seeing a rapid surge in the number of cyberattacks aimed at its enterprises, a new report suggests. According to Barracuda’s SOC Threat Radar report, threat actors are intensifying their efforts against vulnerable VPN infrastructure and Microsoft 365 accounts, and using Python scripts to launch attacks stealthily. The Akira ransomware group, in particular, has accelerated its growth, exploiting outdated or improperly patched systems with speed and precision.

Akira Exploits SonicWall VPN Vulnerability

The Akira group is reportedly leveraging a known vulnerability, CVE-2024-40766, in SonicWall VPN devices. Though this security flaw was patched months ago, many organizations have failed to apply the update or to reset credentials after patching. This oversight is proving costly. In several incidents, attackers have used stolen credentials (likely harvested before patches were applied) to intercept one-time passwords (OTPs), enabling them to bypass multi-factor authentication (MFA), even on patched systems. The attackers generate valid login tokens, which allow them to sidestep MFA protections entirely.

Barracuda first issued a security advisory regarding this threat in August 2020. Despite awareness, attacks continue at a steady pace, particularly in Australia and other APAC nations. Researchers stress that Akira can quickly escalate from initial infection to file encryption. They have also observed Akira using legitimate remote monitoring and management (RMM) tools to disable security software and backup systems, effectively sabotaging recovery efforts.
Conditions That Increase Risk

Organizations are particularly vulnerable if they:

- Have not applied the latest SonicWall VPN patch
- Failed to reset passwords after patching
- Maintain old, unused, or legacy accounts
- Use high-access service accounts with non-rotated credentials

Recommended countermeasures include:

- Running vulnerability scans to detect unpatched VPNs
- Upgrading to SonicOS 7.3.0 or later
- Resetting all VPN-related credentials
- Removing unused or legacy accounts
- Restricting VPN access by IP address
- Monitoring for unusual login activity, particularly from unfamiliar countries or service providers

“If you think there is any chance that your credentials or OTPs have been exposed, act fast,” the report warns. “Reset all passwords, switch to phishing-resistant MFA like FIDO2 security keys, and check VPN logs for irregular access patterns.”

Malicious Python Scripts Evade Detection

Another worrying trend highlighted in the report is the growing use of Python scripts to deploy hacking tools under the radar. Barracuda’s security operations center (SOC) analysts have seen attackers automate credential stuffing, use Mimikatz (a tool to steal passwords), and abuse PowerShell, all orchestrated via Python programs. The use of Python allows threat actors to:

- Automate attacks, increasing their speed and efficiency
- Disguise malicious processes as legitimate activity
- Execute multiple operations simultaneously, such as data exfiltration while scanning for vulnerabilities

This level of automation reduces the need for manual execution, making it harder for conventional security tools to detect malicious actions in time.
Recommendations to Mitigate Script-Based Attacks

Organizations are urged to:

- Deploy endpoint protection tools capable of detecting Python-based threats
- Regularly update software and operating systems
- Enforce strict password policies and consistent MFA usage
- Provide ongoing cybersecurity awareness training to staff

Microsoft 365 Accounts Targeted

A third major concern identified is the spike in unusual login activity targeting Microsoft 365 accounts, particularly in Australia, where nearly 150,000 organizations use the platform. These suspicious logins typically originate from unexpected locations, devices, or time zones, clear indicators of compromised credentials. The appeal of Microsoft 365 lies in its widespread use and deep integration into business workflows. Once attackers gain access to a user account, they can:

- Sell credentials to other cybercriminals (e.g., initial access brokers)
- Move laterally within the organization’s network
- Steal sensitive data such as emails, files, and communications
- Send malicious emails from compromised accounts to carry out further attacks

Signs of Vulnerability and Mitigation Steps

Organizations face heightened risk if they:

- Publicly list staff from finance, HR, or IT on websites
- Don’t enforce strong password policies or MFA
- Lack monitoring for anomalous login behavior
- Fail to educate employees about phishing and credential theft

To defend against Microsoft 365 account compromises, Barracuda recommends:

- Enabling MFA for all users
- Limiting permissions and access levels
- Blocking access from high-risk locations or unknown devices
- Installing cloud security monitoring tools
- Conducting regular security training and login pattern analysis
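A baseline-and-deviation check for the "unusual login activity" that both the VPN and the Microsoft 365 sections recommend monitoring, added here as an example and not part of the Barracuda report: it learns each user's countries, devices and sign-in hours from earlier successful sign-ins, then flags later successful sign-ins from an unseen country or device or at an hour far from the user's pattern. The sign-in records, the example.com users and the field names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records shaped like an audit export (not real telemetry).
SIGN_INS = [
    {"user": "a.lee@example.com", "time": "2025-10-01T08:05:00Z", "country": "AU", "device": "LAPTOP-A1", "ok": True},
    {"user": "a.lee@example.com", "time": "2025-10-02T09:12:00Z", "country": "AU", "device": "LAPTOP-A1", "ok": True},
    {"user": "a.lee@example.com", "time": "2025-10-03T17:40:00Z", "country": "AU", "device": "IPHONE-A1", "ok": True},
    {"user": "a.lee@example.com", "time": "2025-10-15T03:21:00Z", "country": "NL", "device": "UNKNOWN-7F", "ok": False},
    {"user": "a.lee@example.com", "time": "2025-10-15T03:22:00Z", "country": "NL", "device": "UNKNOWN-7F", "ok": True},
    {"user": "b.ng@example.com", "time": "2025-10-01T10:00:00Z", "country": "SG", "device": "DESK-B2", "ok": True},
    {"user": "b.ng@example.com", "time": "2025-10-16T11:30:00Z", "country": "SG", "device": "DESK-B2", "ok": True},
]
HOUR_SLACK = 2  # a sign-in this many hours from any baseline hour still counts as usual

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def build_baseline(records, cutoff):
    """Countries, devices and UTC hours seen per user in successful sign-ins before cutoff."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for r in records:
        t = parse_time(r["time"])
        if r["ok"] and t < cutoff:
            base[r["user"]]["countries"].add(r["country"])
            base[r["user"]]["devices"].add(r["device"])
            base[r["user"]]["hours"].add(t.hour)
    return base

def flag_sign_ins(records, cutoff):
    """(user, time, reasons) for successful sign-ins at or after cutoff that break the baseline."""
    base = build_baseline(records, cutoff)
    flagged = []
    for r in records:
        t = parse_time(r["time"])
        if not r["ok"] or t < cutoff:
            continue
        b = base[r["user"]]  # a user with no baseline gets every reason, which is intended
        reasons = []
        if r["country"] not in b["countries"]:
            reasons.append(f"new country {r['country']}")
        if r["device"] not in b["devices"]:
            reasons.append(f"new device {r['device']}")
        # hour distance wraps around midnight so 23:00 and 01:00 count as close
        if all(min(abs(t.hour - h), 24 - abs(t.hour - h)) > HOUR_SLACK for h in b["hours"]):
            reasons.append(f"unusual hour {t.hour:02d}:00 UTC")
        if reasons:
            flagged.append((r["user"], r["time"], reasons))
    return flagged
```

With a cutoff of 10 October, only the successful NL sign-in is reported, with all three reasons; the failed attempt one minute earlier is left for a separate failed-login count, and b.ng's in-pattern sign-in is not flagged.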