- Home
- Cybercrime and Ransomware
- Emerging Tech
- Threat Intelligence
- Expert Insights
- Careers and Learning
- Compliance
Subscribe to Updates
Subscribe to our newsletter and never miss our latest news
Subscribe my Newsletter for New Posts & tips Let's stay updated!
Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Fast Facts Modern ransomware attacks strategically leverage legitimate Windows tools—originally meant for system management—to silently disable antivirus and endpoint detection, making detection difficult and enhancing their destructive potential. Attackers utilize a two-stage process: first, they neutralize security defenses by terminating antivirus processes and deleting related registry entries; second, they escalate privileges, steal credentials, and deploy ransomware at the kernel level. These campaigns target organizations of all sizes, exploiting trusted tools that appear as normal administrative activity, thereby creating a silent window for large-scale, unobstructed file encryption. To defend against these threats, organizations must implement multi-factor authentication, application whitelisting, monitor for…
Quick Takeaways Iranian state-sponsored cyber actors have evolved from traditional espionage to embedded roles within the criminal ecosystem, often acting as initial access brokers and collaborators with ransomware groups, blurring the lines between nation-state operations and cybercrime. The reemergence of Pay2Key as a professional RaaS platform operating on the I2P network exemplifies Iran’s shift toward scalable, politically motivated ransomware operations that target US and Israeli entities, risking legal penalties due to sanctions violations. Iranian groups like Pioneer Kitten exploit vulnerabilities in internet-facing devices and collaborate with ransomware affiliates to extract revenue while masking destructive intent, often disguising sabotage as extortion.…
Summary Points CareCloud experienced a cybersecurity breach on March 16, 2026, leading to unauthorized access and temporary disruption of its EHR systems, primarily involving patient health records. The company swiftly contained the incident within eight hours, restoring systems and data access, and notified law enforcement and cybersecurity insurers. A forensic investigation by external experts is ongoing to determine if sensitive patient data was accessed or exfiltrated during the breach. Despite no material financial impact so far, CareCloud has classified the incident as material, citing potential costs, regulatory obligations, and reputational risks. What’s the Problem? In March 2026, CareCloud, a healthcare…
Fast Facts EvilTokens is a new, AI-generated Phishing-as-a-Service platform exploiting Microsoft’s device code authentication flow to covertly steal Microsoft 365 accounts, impacting organizations worldwide. It hijacks the legitimate OAuth 2.0 device code process, tricking victims into authenticating on phishing pages that grant attackers long-term access via tokens, some lasting up to 90 days or more. The platform operates through Telegram bots, offering templates, AI automation, and is suspected to expand support to Gmail and Okta phishing schemes, targeting roles vulnerable to Business Email Compromise (BEC). Organizations should disable device code authentication flows, monitor suspicious sign-ins, and employ detection tools like…
Essential Insights The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about CVE-2026-3055, a critical vulnerability in Citrix NetScaler products, actively exploited in the wild. This flaw involves an out-of-bounds read (CWE-125) that allows attackers to access sensitive memory data, compromising authentication tokens and user credentials when configured as a SAML IdP. CISA demands immediate action, with federal agencies facing a deadline of April 2, 2026, to secure their systems; private entities are equally urged to patch or disconnect vulnerable systems without delay. The vulnerability’s active exploitation underscores the need for organizations to prioritize updates via the…
Summary Points Zwei führende Verdächtige wurden nach jahrelangen Cyberattacken auf über 130 deutsche Unternehmen und Einrichtungen identifiziert, mit internationaler Fahndung eingeleitet. Die Hackergruppen forderten in 25 Fällen Lösegeld, was zu einem Gesamtschaden von etwa 1,8 Mio. Euro führte, während der wirtschaftliche Gesamtschaden auf rund 35 Mio. Euro geschätzt wird. Bei Ransomware-Angriffen verschlüsseln Täter Daten und fordern Zahlungen in Kryptowährungen, oft eingegangen auf Drohungen, öffentlich gestohlene Daten zu veröffentlichen. Bereits im Januar wurde ein Mitglied der “GandCrab”-Gruppe zu sieben Jahren Haft verurteilt, weil er Netzwerke von 22 deutschen Unternehmen und öffentlichen Einrichtungen lahmgelegt hatte. The Issue Following years of relentless cyberattacks,…
Summary Points GhostSocks is a stealthy malware that hijacks devices to act as residential proxies, enabling malicious traffic to appear as legitimate household activity and evade detection. It is marketed as Malware-as-a-Service on underground forums and uses TLS-encrypted SOCKS5 proxies with relay-based C2 architecture to maintain covert communication. Since 2024, GhostSocks has significantly increased in use, often partnered with Lumma Stealer, facilitating persistent, long-term access for cybercriminal groups like Black Basta. Detection requires monitoring rare SSL certificate connections and external endpoints, with emphasis on automated response and updated IOC data to quickly contain its evasive, proxy-based reinfections. What’s the Problem?…
Top Highlights A sophisticated supply chain attack targeted Axios, a widely used JavaScript HTTP client, by secretly injecting malicious dependencies via unauthorized npm package releases. Attackers published malicious Axios versions outside normal release channels, automatically including a harmful package, plain-crypto-js@4.2.1, detected by security tools shortly after release. The malicious package was associated with the npm user account jasonsaayman, suggesting a possible account compromise or credential hijack, enabling unauthorized publishing. Immediate action is required for users and maintainers to audit, remove, or rollback affected dependencies to contain the breach, with ongoing monitoring essential due to the incident’s active status. Underlying Problem…
Summary Points Fortinet’s management server (FortiClient EMS) is vulnerable to a critical SQL injection flaw (CVE-2026-21643), allowing unauthenticated attackers to execute arbitrary code and access sensitive data, with active exploitation reported as recently as four days ago. The vulnerability impacts FortiClient EMS version 7.4.4 when multi-tenant mode is enabled; organizations are urged to upgrade to version 7.4.5 or later immediately. Attackers exploit this flaw via crafted HTTP requests, gaining access to administrator credentials, endpoint inventories, security policies, and certificates, with the potential for remote code execution and data exfiltration. Despite ongoing breaches, Fortinet’s patching approach is criticized as reactive (“bug…
Fast Facts Cisco released security updates fixing six high-severity vulnerabilities in IOS and IOS XE to prevent DoS attacks, privilege escalation, and secure boot bypass. Medium-severity flaws, especially in Cisco Catalyst 9300 Switches, can be chained to escalate privileges and cause persistent DoS conditions. The updates address vulnerabilities allowing API manipulation, CLI exploits, cross-site scripting, log injection, and secure boot bypass, protecting device integrity. Despite no active exploits reported, prompt patching is crucial to safeguard enterprise networks, prevent disruptions, and maintain operational security. Addressing Critical Vulnerabilities in Cisco Devices Cisco has introduced new security patches to fix serious flaws in…