Password Spraying | Breaking Cybersecurity News | The Hacker News

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.," the Israeli cybersecurity company said . "Activity associated with the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia." The campaign is assessed to have targeted the cloud environments of government entities, municipalities, technology, transportation, energy sector organizations, and private-sector companies in the region. Password spraying is a form of brute-force attack where a...

Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 ( AS211736 ), per French cybersecurity company Intrinsec. "We believe with a high level of confidence that FDN3 is part of a wider abusive infrastructure composed of two other Ukrainian networks, VAIZ-AS ( AS61432 ) and ERISHENNYA-ASN ( AS210950 ), and a Seychelles-based autonomous system named TK-NET ( AS210848 )," according to a report published last week. "Those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities." AS61432 currently announces a single prefix 185.156.72[.]0/24, while AS210950 has announced two prefixes 45.143.201[.]0/24 and 185.193.89[.]0/24. The two autonomous systems were allocated in May an...

Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts. The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations' cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers. "Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts," the enterprise security company said . "Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others." TeamFiltration, publicly released by researcher Melvin "Flangvik" Langvik in August 2022 at the DEF CON security conference...

A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. " TheMoon , which  emerged  in  2014 , has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen Technologies  said . Faceless,  detailed  by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that's offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day. In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins. The Faceless-backed infrastructure has been assessed to be used by operators of malware such as  SolarMarker  and  Ic...

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as  APT29 . The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation. Previously attributed to the  supply chain compromise  of SolarWinds software, the cyber espionage group  attracted attention  in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives. "As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment," according to the  security bulletin . These include - Obtaining access to cloud infrastructure via service a...