Aggregator
11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot
Attackers Distribute Password Attacks Across Fictional OAuth Apps to Evade SOC Alerts
Attackers are increasingly abusing spoofed OAuth application identifiers to enumerate Microsoft Entra ID accounts, test credentials, and fragment authentication activity across hundreds of thousands or millions of fictional applications. The technique exploits how Entra ID processes the client_id parameter in OAuth authentication requests. Every registered OAuth application is assigned a globally unique application identifier, and […]
The post Attackers Distribute Password Attacks Across Fictional OAuth Apps to Evade SOC Alerts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Один трюк с алгеброй может ускорить все вычисления в мире: от шифрования до искусственного интеллекта
DragonForce
You must login to view this content
DragonForce
You must login to view this content
Cybercriminals Target Turkish Banks With 8,400 Phishing Domains and 6,600 Scam Ads
Cybercriminals are operating an industrial-scale fraud ecosystem targeting Turkey’s financial sector, using more than 8,400 phishing domains, thousands of social media advertisements, fake loan offers, illicit gambling services, and money-mule recruitment to steal credentials. Group-IB’s investigation links these operations into five interconnected schemes targeting dozens of Turkish banking brands. Group-IB recorded more than 6,600 scam […]
The post Cybercriminals Target Turkish Banks With 8,400 Phishing Domains and 6,600 Scam Ads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
两道初二分式方程练习题
Telegram’s t.me Links Go Offline After Registry Places Domain on serverHold
Почему 90% людей — правши, а не 50 на 50? Учёные подобрались к разгадке ближе, чем когда-либо
CISA Adds Four Known Exploited Vulnerabilities to Catalog
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2026-15409 SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
- CVE-2026-15410 SonicWall SMA1000 Appliances Code Injection Vulnerability
- CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
- CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.
While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.
CISA Urges SharePoint Hardening After New Exploitations
Update July 16, 2026:
CISA has updated this Alert to reflect the addition of CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) Catalog on July 16, 2026.
CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware. Organizations should monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity.
Additionally, the following newly disclosed CVE is not yet known to have been exploited, but Microsoft has identified it as posing a potential risk if left unpatched:
CISA urges organizations to detect and remediate a potential compromise by implementing the following recommendations:
- Apply the latest patches and security updates from Microsoft, verify that installation completes successfully, and shorten patching cycles when possible.
- Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. Follow Microsoft’s Configure AMSI integration with SharePoint Server guidance to ensure proper configuration and select the “Full Mode” option for the Request Body Scan Mode, where feasible. When compromise is expected, use the following AMSI and Microsoft Defender Antivirus (MDAV) detections, and implement your organization’s incident response plan for any positive detections:
- AMSI: Exploit:Script/SuspSignoutReqBody.A – request body scanning; SharePoint Server Subscription only; Microsoft has blocked observed attempts.
- AMSI: Exploit:Script/ToolPaneAuthBypass.A – request header scanning; SharePoint Server 2016, 2019, and Subscription Edition.
- AMSI: Exploit:Script/ToolPaneAuthBypass.C – RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition.
- MDAV: Backdoor:MSIL/LeakFang.A!dha – post-exploitation activity alert involving IIS-protected secrets.
In addition, CISA recommends that organizations implement the following SharePoint Server hardening measures:
- Before rotating IIS machine keys, hunt for and remediate any intrusion artifacts, including machine-key harvesters, that could allow for the keys to be stolen again. Review Microsoft’s Improved ASP.NET view state security and key management for best practices.
- Establish tailored logging mechanisms to detect and monitor exploitation activities. Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
- Avoid exposing SharePoint Servers directly to the internet unless necessary; and if necessary, only configure a SharePoint Server behind a Layer 7 reverse proxy or equivalent application-layer security control that requires authentication and can inspect and filter requests.
- Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft’s SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings.
CISA urges users and administrators to review the Alert UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities and apply necessary updates.
CISA added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-32201 on April 14, 2026; CVE-2026-45659 on July 1, 2026; CVE-2026-56164 on July 14, 2026; and CVE-2026-58644 on July 16, 2026.
Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties.
Organizations should report incidents or anomalous activity to CISA via CISA’s 24/7 Operations Center at [email protected] or 1-844-Say-CISA (1-844-729-2472).
DisclaimerThe information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
AcknowledgementsMicrosoft contributed to this Alert.
New MacOS Malware Exploits Legitimate Developer ID to Pose as Apple Crash Reporter
NIST Receives New Patent for Microbe-Killing Water Heater
Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks
A Guide to the Convergence of Electronic Warfare and Cyber Operations
SAP warns of critical flaws in NetWeaver and Commerce Cloud
How Pentera Turns AI Security Workflows into Validation Engines
Шесть недель без работы — и 37 лет истории коту под хвост. Кибератака обанкротила немецкую текстильную компанию
ANY.RUN Integrates Threat Intelligence and Interactive Sandbox to Streamline SOC Workflows
Security Operations Centers (SOCs) often encounter challenges that go beyond just managing alert volume. Each alert necessitates that analysts validate indicators, investigate behaviors, assess scope, decide on escalation paths, and create detections to prevent future occurrences. When these tasks rely on separate tools, crucial evidence can be lost during transitions, leading analysts to enrich the […]
The post ANY.RUN Integrates Threat Intelligence and Interactive Sandbox to Streamline SOC Workflows appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.