Federal cyber authorities issued an emergency directive Wednesday requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.

The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.

F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.

CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.

Many federal agencies and private organizations could be impacted. CISA said there are thousands of F5 product types in use across executive branch agencies. 

These attacks on widely used vendors and their customers are part of a broader campaign targeting key elements of America’s technology supply chain, extending the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at CISA, said during a media briefing. 

CISA declined to name the country or specific threat groups behind the attack on F5’s systems. Generally, the broader goal of nation-state attackers is to maintain persistent access within the targeted victim’s network to hold those systems hostage, launch a future attack,  or gather sensitive information, Andersen said.

CISA’s order requires federal agencies to apply security patches F5 released in response to the attack, disconnect non-supported devices or services, and provide CISA a report including a detailed inventory of all instances of F5 products within scope of the directive.

Officials referred questions about the effectiveness of F5’s security patches back to the vendor and declined to independently verify if the software updates have fixed the vulnerabilities attackers gained information on during the breach. 

Neither CISA nor F5 have explained how the attackers gained access to F5’s internal systems. 

Officials repeatedly insisted that the government shutdown and multiple waves of reductions to CISA’s workforce did not negatively affect or delay the government’s ability to coordinate with partners, respond to this threat and issue the emergency directive. Andersen declined to say how many CISA employees have been dismissed with reduction-in-force orders since the federal government shut down two weeks ago. 

“This is really part of getting CISA back on mission,” Andersen said.

“While, yes, this may be the third emergency directive that’s been issued since the beginning of the Trump administration, this is the core operational mission for CISA,” Andersen said. “That’s really what we should be doing, and we’re able to continue to perform that mission in collaboration with our asset partners right now.”

The post CISA warns of imminent risk posed by thousands of F5 products in federal agencies appeared first on CyberScoop.

GreyNoise has discovered that attacks exploiting Cisco, Fortinet, and Palo Alto Networks vulnerabilities are launched from the same infrastructure.

The post Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign appeared first on SecurityWeek.

An elusive, persistent, newly confirmed China espionage group has hit almost 10 victims of geopolitical importance in the Middle East, Africa and Asia using specific tactics and extreme stealth to avoid detection, according to Palo Alto Networks’ Unit 42. 

Phantom Taurus uses tools and a distinct homegrown set of malware and backdoors that sets them apart from other China threat groups, said Assaf Dahan, who’s led an investigation into the group since 2022 as director of threat research at Palo Alto Networks’ Cortex unit. 

The discovery of an undocumented threat group conducting long-term intelligence-gathering operations aligned with Beijing’s interests underscores the spread of China’s offensive espionage operations globally. Roughly 3 in 4 nation-state threats originate from or are operating on behalf of the Chinese government’s interests, Dahan told CyberScoop.

Unit 42 did not name Phantom Taurus’ victims but said the group has infiltrated networks operated by ministries of foreign affairs, embassies, diplomats and telecom networks to steal sensitive and timely data around major summits between government leaders or political and economic events.

Phantom Taurus seeks sustained access to highly targeted networks so it can periodically and opportunistically steal data they want at any time. Unit 42 researchers responded to one case involving access going back almost two years, Dahan said. 

The threat group remains active and has expanded its scope over time by targeting more organizations. “The latest activity was just a couple of months ago when we saw them highly active in at least two regions of the world,” Dahan said.

Unit 42 expects more victims to be identified as a result of its report, which includes details about the group’s specialized malware, indicators of compromise and tactics, techniques and procedures. 

Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors. These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads, and the loading and execution of .NET payloads with evasive capabilities designed to avoid detection in more heavily monitored environments, according to Unit 42.

“These pieces of malware are designed for extreme stealth, allowing them to operate clandestinely, under the radar, and infiltrate into really sensitive organizations,” Dahan said. While Phantom Taurus uses some infrastructure and tools that are commonly shared among multiple Chinese espionage groups, Unit 42 isn’t aware of any other groups using the suite of specialized malware.

The group most often breaks into networks by locating internet-facing devices that can be exploited via known vulnerabilities, Dahan said. “The level of sophistication that we’ve seen from this group is really off the charts. But when it comes to how they actually put a foot in the door, it’s as basic as exploiting an unpatched server most of the time,” he added.

Phantom Taurus’ tools, capabilities, targets and other fingerprints left behind by its activities gives Unit 42 confidence the group is unique and does not overlap with a group previously identified by other research firms. 

“Their entire playbook seems distinct and quite apart from other Chinese threat actors,” Dahan said. “It’s not something that you can mistake for another group.”

The post Palo Alto Networks spots new China espionage group showcasing advanced skills appeared first on CyberScoop.

Federal cyber authorities sounded a rare alarm Thursday, issuing an emergency directive about an ongoing and widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls. 

Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 

Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances  — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.” 

The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action. 

Federal agencies are required to hunt for evidence of compromise, report findings and disconnect compromised devices by the end of Friday. Agencies running Cisco ASA firewalls are also required to apply Cisco’s patches or permanently disconnect end-of-life devices by the end of Friday.

“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” CISA Acting Director Madhu Gottumukkala said in a statement.

Cisco did not fully explain why it waited four months from its initial response to the attacks on federal agencies to disclose the malicious activity and patch the zero-day vulnerabilities. 

The attackers “employed advanced evasion techniques such as disabling logging, intercepting command-line interface commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said. 

CISA did not immediately respond to questions about why it waited four months to issue an emergency directive.

The agency described the campaign as widespread, resulting in remote-code execution and manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this emergency directive,” Gottumukkala said.

Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said it found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign last year. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.

The latest attacks initiated by the espionage group, tracked as UAT4356 by Cisco Talos and Storm-1849 by Microsoft Threat Intelligence, are a continuation or resurgence of that previous campaign involving new zero-days. 

Cisco said remote attackers can “gain full control of an affected device” by chaining together the vulnerabilities, two of which are designated as critical. 

When Storm-1849 was first identified in early 2024, the espionage group was targeting international entities, according to Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42. Unit 42 also considers Storm-1849 to be affiliated with China.

“Over the past year, Unit 42 has observed them evolve their toolkit and in recent months their focus has shifted towards entities in the United States,” he said. “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”

The post CISA alerts federal agencies of widespread attacks using Cisco zero-days appeared first on CyberScoop.

F5, a Seattle-based application delivery and security company, announced Thursday it will acquire Dublin-based CalypsoAI for $180 million in cash, highlighting the mounting security challenges enterprises face as they rapidly integrate artificial intelligence into their operations.

The acquisition comes as companies across industries rush to deploy generative AI systems while grappling with new categories of cybersecurity threats that traditional security tools struggle to address. CalypsoAI, founded in 2018, specializes in protecting AI systems against emerging attack methods, including prompt injection and jailbreak attacks.

“AI is redefining enterprise architecture and the attack surface companies must defend,” said François Locoh-Donou, F5’s president and CEO. The company plans to integrate CalypsoAI’s capabilities into its Application Delivery and Security Platform to create what it describes as a comprehensive AI security solution.

Companies are embedding AI into products and operations at an unprecedented pace, but this rapid adoption has created compliance gaps and heightened regulatory scrutiny. CalypsoAI addresses these challenges through what the company calls “model-agnostic” security, providing protection regardless of which AI models or cloud providers enterprises use. 

The platform conducts automated red-team testing against thousands of attack scenarios monthly, generating risk assessments and implementing real-time guardrails to prevent data leakage and policy violations.

“Enterprises want to move fast with AI while reducing the risk of data leaks, unsafe outputs, or compliance failures,” said CalypsoAI CEO Donnchadh Casey. The company’s approach focuses on the inference layer where AI models process requests, rather than securing the models themselves.

The acquisition comes during a flurry of similar moves by established companies in the cybersecurity space that are looking to add AI-powered offerings to their customers. 

F5 has also been active this year with what it considers strategic purchases. The company acquired San Francisco-based Fletch in June and observability firm MantisNet in August, demonstrating a pattern of building capabilities through acquisition rather than internal development.

The deal is expected to close by Sept. 30. 

The post F5 to acquire AI security firm CalypsoAI for $180 million appeared first on CyberScoop.

Industrial conglomerate Mitsubishi Electric has agreed to acquire OT and IoT cybersecurity specialist Nozomi Networks in a transaction that values the San Francisco-based firm near the $1 billion mark. The deal, slated to close in the fourth quarter of 2025, will see Nozomi Networks become a wholly owned subsidiary while continuing to operate independently.

The acquisition represents Mitsubishi Electric’s largest to date, with the company set to purchase the 93% of Nozomi shares it does not already own for $883 million in cash. Mitsubishi Electric previously acquired a 7% stake through Nozomi’s $100 million Series E funding round in early 2024, a relationship that laid the foundation for the takeover.

Following the transaction’s closure, Nozomi Networks will retain its brand, leadership, and personnel, maintaining its headquarters in San Francisco and its research and development hub in Switzerland. Both parties have indicated there will be no disruption to operations, roadmaps, or external partnerships.

Nozomi Networks focuses on security in operational technology (OT), Internet of Things (IoT), and cyber-physical systems (CPS). Its platform, designed for critical infrastructure and industrial organizations, focuses on asset discovery, continuous monitoring, anomaly detection, and vulnerability management. The company generated $75 million in revenue in 2024, an increase from $62 million the previous year.

The integration of Nozomi’s cloud-first, AI-powered solutions into Mitsubishi Electric’s portfolio grants the Japanese industrial giant a stake in advanced industrial cybersecurity at a time when OT and IoT environments are seeing increased attention due to rising threats of cyberattacks and operational disruptions. 

“By becoming part of Mitsubishi Electric, we will combine our strengths to drive the next generation of industrial security and innovation to bring additional value for customers around the world,” said Edgard Capdevielle, president and CEO of Nozomi Networks. “With the combined global reach and resources of both companies, we can supercharge our innovation engine, helping industrial organizations secure and accelerate their own digital transformations.”

Mitsubishi Electric, which brings more than a century of experience in industrial technology, sees the purchase as a way to accelerate the digital transformation of critical infrastructure clients globally. Combining its operational expertise with Nozomi’s technology is expected to result in the development of new AI-powered solutions tailored for OT and IoT use cases.

“This acquisition will enable us to co-create valuable new services while supporting Nozomi’s commitment to innovation and customer flexibility,” said Satoshi Takeda, Mitsubishi Electric’s senior vice president. “Together, we can help our customers achieve their digital transformation goals while enhancing security, efficiency, and resilience.”

The transaction is expected to receive all necessary regulatory approvals and is anticipated to close by the end of 2025. 

The post Mitsubishi Electric to acquire Nozomi Networks in $1 billion deal appeared first on CyberScoop.

The industrial cybersecurity firm will become a wholly owned subsidiary of Mitsubishi Electric.

The post Mitsubishi Electric to Acquire Nozomi Networks for Nearly $1 Billion appeared first on SecurityWeek.

Israeli cybersecurity company Cato Networks has acquired AI security startup Aim Security in its first ever acquisition, reflecting the broader industry rush to address security challenges posed by artificial intelligence adoption.

The deal combines Cato’s Secure Access Service Edge (SASE) networking platform with Aim’s AI security capabilities, allowing the company to protect customers from threats associated with generative AI tools and applications. Financial terms were not disclosed. 

The acquisition underscores how cybersecurity companies are scrambling to develop solutions for AI-related risks as enterprises rapidly adopt AI tools without fully understanding potential vulnerabilities. Aim’s technology addresses three key areas: securing employee use of public AI applications, protecting private AI systems, and managing security throughout AI development lifecycles.

“AI transformation will eclipse digital transformation as the main force that will shape enterprises over the next decade,” said Shlomo Kramer, CEO and co-founder of Cato Networks. “With the acquisition of Aim Security, we’re turbo-charging our SASE platform with advanced AI security capabilities to secure our customers’ journey into the new and exciting AI era.”  

Cato’s move comes as the company also extended its Series G funding round with an additional $50 million from Acrew Capital, bringing the total round to $409 million.

The acquisition reflects broader consolidation in the cybersecurity sector as companies seek to expand their capabilities to address evolving threats. Palo Alto Networks agreed in June to acquire CyberArk Software for approximately $25 billion, primarily to gain identity security tools that can be integrated with AI programs. Earlier this week, Varonis announced it has acquired SlashNext, an AI-driven email security company, for $150 million.

Aim Security, founded in 2022 and backed by YL Ventures and Canaan Partners, has positioned itself at the forefront of enterprise AI security. The company’s research team recently identified the first reported zero-click AI vulnerability in Microsoft 365 Copilot, dubbed “EchoLeak,” demonstrating the emerging nature of AI-specific security threats.

Cato plans to offer Aim’s capabilities as part of its SASE platform beginning in early 2026, providing existing customers with a migration path from standalone AI security solutions to integrated platform capabilities.

The post Cato Networks acquires AI security startup Aim Security appeared first on CyberScoop.

Multiple security and technology companies have been swept up in a far-reaching attack spree originating at Salesloft Drift, including Cloudflare, PagerDuty, Palo Alto Networks, SpyCloud and Zscaler. 

Victim organizations continue to come forward as customers of the third-party AI chat agent hunt for evidence of compromise or receive notices from Salesloft and other companies involved in response, recovery and ongoing attack investigations. 

Salesloft initially claimed exposure was limited to customers integrated with Salesforce. Yet, Google Threat Intelligence Group and Mandiant Consulting — Google’s incident response firm which is now working with Salesloft — said any platform integrated with Drift is potentially compromised. 

The root cause of the attacks, specifically how the threat group that Google tracks as UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. “There is no evidence of any unusual or malicious activity with the Salesloft platform,” Salesloft said in an update Saturday.

On Monday, the company said “Drift will be taken offline in the very near future,” rendering the platform inaccessible and the Drift chatbot unavailable on customer websites. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company added.

Salesloft, which acquired Drift in February 2024, has not responded to requests for comment since news of the attacks first surfaced last week. 

The company announced an agreement to merge with Clari, a competitor in the customer-relationship management space, one day before the attacks started Aug. 8. In the merger announcement, the combined companies said they will serve more than 5,000 organizations globally across all industries.

The exposure caused by the attacks has cast widespread concern, as customers seek clarity about the unfolding disaster. Salesloft customers are assessing if they were impacted, and then sifting through data to determine the extent to which they or their customers were compromised. 

The attacks did not hit every Salesloft Drift customer. Some Salesloft Drift customers, when contacted by CyberScoop, confirmed they were not implicated by the attacks and found no evidence that corporate or customer data was compromised. 

Okta said it was not impacted by the incident, but confirmed it was a target based on indicators of compromise Google Threat Intelligence Group shared last week. “The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said in a blog post Tuesday.

Many other businesses were less fortunate.

Sam Curry, chief information security officer at Zscaler, said the company’s Salesloft Drift integration with Salesforce was the point of unauthorized access. The company was using Salesloft Drift integrated with other platforms, but they were not impacted, he added. 

Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

“No product, service, or infrastructure was affected,” Curry said. “We are looking to hear from Salesloft Drift and from Salesforce if there are any other findings since this happened in their infrastructure.”

Curry said Zscaler was already in the process of ending its relationship with Salesloft Drift for unrelated reasons. 

Palo Alto Networks on Tuesday confirmed that it, too, was one of hundreds of organizations impacted by the supply chain attack. The company’s incident response business Unit 42 confirmed the incident was limited to its Salesforce environment, adding that no Palo Alto Networks products or services were impacted. 

“Most of the exfiltrated data was business contact information,” a Palo Alto Networks spokesperson told CyberScoop in an email. “However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised.”

Cloudflare said any information customers shared with the company’s support system — including logs, tokens or passwords — should be considered compromised. The company said it found 104 Cloudflare API tokens in the compromised data and, while it found no evidence of abuse, rotated the tokens out of an abundance of caution.

The company also maintained that no Cloudflare services or infrastructure were compromised. 

“We are responsible for the choice of tools we use in support of our business,” a group of Cloudflare security leaders said in a blog post Tuesday. “This breach has let our customers down. For that, we sincerely apologize.”

Former Salesloft Drift customers were impacted as well. In a blog post announcing some data contained in its Salesforce environment was exposed, SpyCloud said it was previously a customer of Salesloft and Drift, but not currently.

Google previously said the data theft campaign occurred over a 10-day period last month, potentially impacting more than 700 organizations.

The post Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler appeared first on CyberScoop.

Social engineering — an expanding variety of methods that attackers use to trick professionals to gain access to their organizations’ core data and systems — is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups. 

More than one-third (36%) of the incident response cases Palo Alto Networks’ Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its global incident response report. 

Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as Scattered Spider and nation-state operatives, including North Korean technical specialists that have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data. 

Scattered Spider, a threat group Unit 42 tracks as Muddled Libra, has infiltrated more than 100 businesses since 2022 — including more than a dozen this year — to extort victims for ransom payments. “We’re constantly engaged with them. It’s just been one after another is what it feels like to us,” Michael Sikorski, chief technology officer and VP of engineering at Unit 42, told CyberScoop.

Attacks and intrusions linked to Scattered Spider and the vast North Korean tech worker scheme composed a high percentage of the incident response cases Unit 42 worked on last year, accounting for roughly an equal number of attacks, Sikorski said.

North Korean nationals have gained employment at hundreds of Fortune 500 companies, earning money to send their salaries back to Pyongyang.

While the North Korean insider threat is linked to a nation state, it is a financially motivated social engineering attack, he said. This forked attribution and objective underscores how boundaries between geopolitical and financial motivations are blurring.

Other nation-state threat groups are using social engineering, too, but a financial payout was the primary driver in 93% of social engineering attacks in the past year, Unit 42 said in the report.

Social engineering attacks are also the most likely to put data at risk. These attacks exposed data in 60% of Unit 42 incident response cases, 16 percentage points higher than other initial access vectors, the report found.

Attackers are focused on accessing the data they want, and oftentimes this makes help desk staff, administrators and employees with system-wide access a key target. “Those people often have the privileges to everything that the attacker wants — the cloud environment, the data, the ability to reset someone’s multifactor so they can reset it and register a new phone,” Sikorski said.

Scattered Spider has consistently engaged in “high-touch social engineering attacks against those specific individuals,” he said.

Unit 42’s annual study includes data from more than 700 attacks that the incident response firm responded to in the one-year period ending in May, spanning small organizations and Fortune 500 companies. Nearly three-quarters of the attacks targeted organizations in North America.

The post Social engineering attacks surged this past year, Palo Alto Networks report finds appeared first on CyberScoop.

A Russian nation-state threat group has been spying on foreign diplomats, managing continuous access to their  communications and data in Moscow since at least 2024, according to Microsoft Threat Intelligence.

Secret Blizzard is gaining “adversary-in-the-middle” positions on Russian internet service providers and telecom networks by likely leveraging surveillance tools and deploying malware on targeted devices, researchers said in a report released Thursday. 

Microsoft’s discovery marks the first time its researchers have confirmed with high confidence that Secret Blizzard has capabilities at the ISP level, a degree of access that combines passive surveillance and an active intrusion. 

“It’s a shift, or a kind of movement, toward the evolution of simply watching traffic to actively modifying network traffic in order to get into those targeted systems,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop. 

Secret Blizzard — also known as Turla, Pensive Ursa or Waterbug — is affiliated with Center 16 of Russia’s Federal Security Service (FSB) and has been active for decades.

The Russian nation-state group is “the classic definition of what you think of when you think of advanced persistent threat: creative, persistent, well resourced, highly organized, able to execute projects, able to execute actions on objectives,” DeGrippo said. “Ultimately, I think that the key word is creative.”

Secret Blizzard is gaining initial access to embassy employee devices by redirecting them to a malicious domain that displays a certificate validation error after targeted victims access a state-aligned network through a captive portal, according to Microsoft.

The error prompts and tricks embassy employees into downloading root certificates falsely branded as Kaspersky Anti-Virus software, which deploy ApolloShadow malware. The custom malware turns off traffic encryption, tricks the devices to recognize malicious sites as legitimate and enables Secret Blizzard to maintain persistent access to diplomatic devices for espionage. 

“This is an excellent piece of social engineering because it plays on habit, it plays on urgency, it plays on emotions, which are the three holy trinity of social engineering,” DeGrippo said. 

“You see this pop-up that’s telling you you have a security issue, and it’s branded as a security vendor. We’ve been seeing that capability for decades,” she said. “Simply clicking through and not examining and thinking about that, especially when on a state-aligned, state-owned network in one of these surveillance-heavy countries where the government has deep technical and legal controls over those ISPs — that infrastructure is now part of your attack surface.”

Microsoft declined to say how many embassies have been impacted, but noted the group is active. Intrusions linked to this politically motivated espionage campaign allow Secret Blizzard to view the majority of the target’s browsing in plain text, including certain tokens and credentials, researchers said in the report.

“This seems relatively simple, but it’s only made so simple by the likely leveraging of a lawful intercept capability,” DeGrippo said. “Relying on local infrastructure in these high-risk environments — China, Russia, North Korea, Iran — in these surveillance-heavy countries, is of concern.” 

Microsoft previously observed Secret Blizzard using tools from other cybercriminal groups to compromise targets in Ukraine, showing how the group uses various attack vectors and means to infiltrate networks of geopolitical interest to Russia.

The post Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow appeared first on CyberScoop.

Palo Alto Networks has agreed to acquire identity security firm CyberArk for approximately $25 billion, marking the cybersecurity giant’s largest acquisition and its formal entry into the identity security market as the industry continues consolidating amid rising cyber threats.

The transaction ranks among the largest technology acquisitions this year and underscores the market’s focus on identity security in an era of increasing artificial intelligence adoption.

CyberArk, founded over two decades ago, specializes in privileged access management technology that helps organizations control and monitor access to critical systems and accounts. The company’s customers include major corporations such as Carnival Corp., Panasonic, and Aflac. Its technology addresses what security experts consider one of the most vulnerable aspects of enterprise security: managing privileged credentials for both human users and machine identities.

The acquisition comes as cybersecurity companies face pressure to offer comprehensive solutions rather than point products, with customers seeking to streamline their vendor relationships following high-profile breaches. Recent cyberattacks, including Microsoft’s SharePoint vulnerabilities that affected over 100 organizations including U.S. government agencies, have heightened focus on identity protection and privileged access management.

For Palo Alto Networks, the acquisition represents a strategic expansion beyond its traditional network security roots. The company has evolved from a next-generation firewall provider into a multi-platform cybersecurity leader, and identity security represents what CEO Nikesh Arora describes as an inflection point in the market.

“The rise of AI and the explosion of machine identities have made it clear that the future of security must be built on the vision that every identity requires the right level of privilege controls,” Arora stated in a release.

The timing reflects broader industry dynamics driven by artificial intelligence adoption. As organizations deploy autonomous AI agents and systems, these technologies require sophisticated privileged access controls similar to human users, but at machine scale. The combined companies position themselves to address what they term “agentic AI” security, applying just-in-time access and least privilege principles to AI systems.

Industry analysts view the acquisition as addressing a gap in Palo Alto Networks’ portfolio while potentially accelerating growth in areas where the company has seen some deceleration. 

“Over the past several years, Palo Alto Networks has been on a mission to become a huge platform player in the security market,” said Allie Mellen, a principal analyst with Forrester. “Given its product portfolio as it stands today, identity security capabilities are a missing piece of that puzzle. This acquisition rounds out its approach, given its existing cloud, network, and endpoint security products.” 

The transaction follows other major cybersecurity consolidations, including Google’s $32 billion acquisition of Israeli startup Wiz earlier this year. This consolidation trend reflects customer preferences for integrated security platforms over managing multiple specialized vendors, particularly as cyber threats have grown more sophisticated and frequent.

Both companies’ boards have unanimously approved the transaction, which remains subject to regulatory clearances and CyberArk shareholder approval. The deal is expected to close during the second half of Palo Alto Networks’ fiscal 2026.

The post Palo Alto Networks to acquire CyberArk for $25 billion appeared first on CyberScoop.

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive’s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company’s customers and partners.

Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer’s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive’s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.

The reader also shared that the email addresses in the registration records for the imposter domain — roomservice801@gmail.com — is tied to many such phishing domains. Indeed, a search on this email address at DomainTools.com finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.

An Internet search for this email address reveals a humorous blog post from 2020 on the Russian forum hackware[.]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. We’ll come back to this research in a moment.

JUSTY JOHN

DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for alhhomaidhicentre[.]biz reference the technical contact of “Justy John” and the email address justyjohn50@yahoo.com.

A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn’t yet have enough information to draw any solid conclusions.

DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain axisupdate[.]net — 7902 Pelleaux Road in Knoxville, TN — also appears in the registration records for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one point included the email address rsmith60646@gmail.com.

That Rsmith Gmail address is connected to the 2012 phishing domain alibala[.]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). A search in DomainTools on the phone number in those domain records — 1.7736491613 — reveals even more phishing domains as well as the Nigerian phone number “2348062918302” and the email address michsmith59@gmail.com.

DomainTools shows michsmith59@gmail.com appears in the registration records for the domain seltrock[.]com, which was used in the phishing attack documented in the 2020 Russian blog post mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.

The same Nigerian phone number shows up in dozens of domain registrations that reference the email address sebastinekelly69@gmail.com, including 26i3[.]net, costamere[.]com, danagruop[.]us, and dividrilling[.]com. A Web search on any of those domains finds they were indexed in an “indicator of compromise” list on GitHub maintained by Palo Alto Networks‘ Unit 42 research team.

SILVERTERRIER

According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “SilverTerrier” back in 2014. In an October 2021 report, Palo Alto said SilverTerrier excels at so-called “business e-mail compromise” or BEC scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by Interpol. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.

BEC scams were the 7th most reported crime tracked by the FBI’s Internet Crime Complaint Center (IC3) in 2024, generating more than 21,000 complaints. However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with nearly $2.8 billion in claimed losses. In its 2025 Fraud and Control Survey Report, the Association for Financial Professionals found 63 percent of organizations experienced a BEC last year.

Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto’s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.

Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.

“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.

FINANCIAL FRAUD KILL CHAIN

Palo Alto has published a useful list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.

But one recommendation — getting familiar with a process known as the “financial fraud kill chain” or FFKC — bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don’t know it exists until it is too late.

As explained in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. According to the FBI, viable victim complaints filed with ic3.gov promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the Financial Crimes Enforcement Network (FinCEN).

The FBI noted in its IC3 annual report (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.

Attackers are actively exploiting a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, prompting industry heavyweights to sound the alarm over the weekend. 

Researchers discovered the active, ongoing attack spree Friday afternoon and warnings were issued en masse by Saturday evening. Microsoft released urgent guidance Saturday, advising on-premises SharePoint customers to turn on and properly configure Antimalware Scan Interface in SharePoint or disconnect servers from the internet until an emergency patch is available. The company released patches for two of the three versions of SharePoint affected by the defect Sunday, but has not issued a patch for SharePoint Server 2016 as of Monday morning. 

Researchers warn that attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The Cybersecurity and Infrastructure Security Agency issued an alert about active attacks and added the defect to its known exploited vulnerabilities catalog Saturday.

“This is a high-severity, high-urgency threat,” Michael Sikorski, chief technology officer and head of threat intelligence at Palo Alto Networks Unit 42, said in a statement. 

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said hundreds of organizations across government, education and critical infrastructure have been impacted across the United States, Germany, France and Australia. “This is going global, fast,” he said, adding that initial scans for the exploit started Wednesday, and exploitation was in full swing through Thursday and Friday.

The critical remote-code execution vulnerability, CVE-2025-53770, has an initial CVSS score of 9.8 and allows attackers to intrude unauthenticated systems with full access to files, internal configurations and code execution. The defect is a variant of CVE-2025-49706, which was patched in Microsoft’s security update earlier this month. 

The new widely exploited defect “reflects a bypass around Microsoft’s original patch” for CVE-2025-49706, Dewhurst said. Microsoft confirmed attacks are targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed in the company’s July security update.

“Attackers are bypassing identity controls, including multi-factor authentication and single sign-on, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Sikorski added. 

“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he said. “Patching alone is insufficient to fully evict the threat.”

Palo Alto Networks Unit 42 said attackers are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing SharePoint servers’ internal cryptographic machine keys to maintain persistent access. 

“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a LinkedIn post Saturday. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”

Researchers at Eye Security said they’ve observed at least two waves of attacks as part of the mass exploitation campaign, and upon scanning more than 8,000 public-facing SharePoint servers determined the exploit is systemic. 

“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access,” Eye Security said in a blog post Saturday.

Attribution efforts are ongoing, but early signs point to nation-state attackers focused on persistence, Dewhurst said. “As always, when there is mass attention to a vulnerability, crime gangs and other threat actor groups will follow, which is what we’re seeing now.”

Shadowserver, which is working with Eye Security and watchTowr to notify impacted organizations, said its scans found about 9,300 SharePoint servers exposed to the internet daily.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Chris Butera, acting executive assistant director at CISA, said in a statement. “CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

Microsoft declined to answer questions, as its top security executives issued updates on social media throughout the weekend, noting that the company is working urgently to release patches for all impacted versions of SharePoint. The cloud-based version of SharePoint in Microsoft 365 is not impacted.

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario. We spent the weekend trying to alert organizations to their exposure and, in some cases, were forced to watch them get compromised in real-time,” Dewhurst said.

“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys, as has been seen heavily in activity this weekend,” he said.

Sikorski noted that SharePoint’s deep integration with Microsoft’s platform, which contains all the information valuable to an attacker, makes this especially concerning. “A compromise doesn’t stay contained — it opens the door to the entire network,” he said.

“An immediate, Band-Aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

The post Mass attack spree hits Microsoft SharePoint zero-day defect appeared first on CyberScoop.

John talked about how we’d attack, here’s how you can defend against those attacks. Grab the slides here: https://blackhillsinformationsecurity.shootproof.com/gallery/6843799/

The post PODCAST: Attack Tactics Part 2 appeared first on Black Hills Information Security, Inc..

💾

Jordan Drysdale & Kent Ickler// Jordan and Kent are back with more blue team madness! The shameless duo continue their efforts to wrangle decades old attacks against wireless networks. The […]

The post WEBCAST: Stop Sucking at Wireless appeared first on Black Hills Information Security, Inc..

Ethan Robish // In this series of posts, I’ll discuss how I segmented my home network using VLANs and how I moved away from using a risky consumer-grade router at […]

The post Home Network Design – Part 1 appeared first on Black Hills Information Security, Inc..

Christine Sorensen // Let’s talk about Mary. Mary Watson is a girl in her twenties and just graduated from Midtown University with her bachelors in Fashion Merchandising. Mary is now […]

The post Mining Mary’s Social Media Antics for Social Engineering appeared first on Black Hills Information Security, Inc..

John Strand // AV is Dead Long Live Whitelisting. We have been discovering more and more of our tests bypass AV controls with ease.  We have yet to see any iteration or […]

The post The New Security Fundamentals – Kill Your AV appeared first on Black Hills Information Security, Inc..