Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines, from threat intelligence to application security.
8
Security Domains
Daily
Updates
CVEs
Tracked Live
Latest Intelligence
Recent Articles
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet, a legitimate no-code application platform, to bypass spam filters and email security gateways. The technique rides on the trusted sender reputation of Google infrastructure and shows how hard phishing delivered through legitimate SaaS platforms has become to filter: reputation-based controls see a Google sender, not the attacker behind it.
Two Former Cybersecurity Professionals Sentenced to Four Years for BlackCat/ALPHV Ransomware Operations
A US federal court has sentenced two individuals with professional cybersecurity backgrounds to four-year prison terms for their roles in the BlackCat/ALPHV ransomware-as-a-service operation, marking a notable law enforcement outcome that demonstrates insider security knowledge is not a prosecution shield. The sentences follow guilty pleas and cooperation with investigators.
Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks
Two newly designated threat actor clusters, Cordial Spider (UNC6671) and Snarky Spider (UNC6661), are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across the finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. Organisations should review SSO conditional access policies and verify the identity-verification procedures their help desks follow before resetting credentials or MFA factors.
EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel: Campaign Targeting Government and Finance
Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions. Because the transactions are immutable and replicated across the network, the channel cannot be taken down, domain-blocked, or sinkholed; the implant does, however, still have to reach an Ethereum node or RPC endpoint to read them, and that outbound traffic is where defenders can observe it. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.
Three Critical Buffer Overflow Vulnerabilities Disclosed in Hashcat: Penetration Testing Toolchain at Risk
Security researchers have disclosed three buffer overflow vulnerabilities (CVE-2026-42482, CVE-2026-42483, CVE-2026-42484) in Hashcat, the widely used open-source password recovery and penetration testing tool. The flaws can be triggered via maliciously crafted hash files or wordlists and may allow code execution in environments where Hashcat processes untrusted input, including shared red team infrastructure and automated password auditing pipelines that ingest hashes or wordlists from outside the team.
Instructure (Canvas LMS) Discloses Cybersecurity Incident: Scope of Student and Faculty Data Exposure Under Investigation
Instructure, the company behind the Canvas Learning Management System used by thousands of universities and K-12 school districts globally, has disclosed a cybersecurity incident affecting an internal infrastructure component. The scope of student, faculty, and institutional data potentially exposed is under forensic investigation. Institutions running Canvas should activate their incident response contact with Instructure and review what data they share with the platform.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia, and one NATO member state's foreign affairs ministry, to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
ConsentFix v3 Automates Azure OAuth Abuse at Scale: MFA-Bypassing Phishing Platform Circulating on Forums
The third iteration of the ConsentFix Azure OAuth phishing toolkit has been observed circulating on cybercriminal forums, adding Pipedream-powered automation to the consent flow abuse technique, which gives attackers persistent access to Microsoft 365 tenants through OAuth tokens that are not subject to the user's MFA. Enterprise security teams should review the conditional access policies governing OAuth app registrations and user consent, and restrict which users may consent to third-party applications.
Opinion & Analysis
Commentary
Defenders Can't Block Google. That's Why Attackers Are Routing Through It.
AccountDumpling abuses Google AppSheet to deliver phishing. EtherRAT uses Cloudflare and Ethereum nodes for C2. DEEP#DOOR tunnels over Cloudflare. The pattern is consistent: sophisticated attackers have discovered that the fastest route past enterprise security controls is through infrastructure defenders cannot block. The defence posture that assumes blocking bad infrastructure will stop bad traffic is being systematically rendered obsolete.
CipherWatch Editorial
Security Intelligence Platform
The Patch-to-Exploit Window Has Collapsed: cPanel in 48 Hours Is Not an Anomaly, It's the New Baseline
The 'Sorry' ransomware group compromised 44,000 cPanel servers within 48 hours of a critical patch release. The industry still plans patch cycles in weeks. These two realities are incompatible, and the gap between them is where organisations keep getting destroyed.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language: financial exposure, regulatory obligations, and board-ready summaries.
New Multi-Sector Identity Attack Campaign Bypasses MFA via Vishing and SSO Hijacking: Finance, Technology, Logistics Targeted
Two coordinated threat actor clusters are conducting large-scale campaigns combining voice phishing against IT help desks and adversary-in-the-middle SSO attacks to gain persistent, MFA-bypassing access to enterprise Microsoft 365, Okta, and Entra ID environments. Active campaigns span the finance, technology, and logistics sectors. One-time-code and push-based MFA provide no protection, because the proxy simply forwards the second factor along with the password; only phishing-resistant authentication (FIDO2/passkeys), whose assertions are cryptographically bound to the legitimate login origin, stops the SSO interception technique.
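The mechanism behind that last sentence, and behind the Cordial Spider and Snarky Spider item above, is worth seeing in code. The following is an added simulation written for this page, not code from the campaigns, the researchers, or any vendor. It models an AiTM proxy relaying a victim's password and TOTP code (which succeeds, because the identity provider cannot tell who typed them) against the same proxy relaying a WebAuthn assertion (which fails, because the browser writes the page origin into clientDataJSON and the authenticator signs over it). The TOTP seed, authenticator key, password, origins and challenge are all constructed, and HMAC-SHA256 stands in for the authenticator's real ECDSA key pair.

```python
"""Constructed simulation: why AiTM relays defeat OTP MFA but not FIDO2/WebAuthn."""
import base64
import hashlib
import hmac
import json
import struct

# Constructed sample data (not from any real tenant).
TOTP_SEED = b"constructed-totp-seed-1234567890"
AUTHENTICATOR_KEY = b"constructed-authenticator-key"   # stand-in for an ECDSA key pair
LEGIT_ORIGIN = "https://login.example.com"            # the real IdP
PHISH_ORIGIN = "https://login-example.com.evil"       # the attacker's AiTM proxy
PASSWORD = "correct horse battery staple"             # constructed victim password
CHALLENGE = b"constructed-challenge-from-idp"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(key: bytes, client_data_json: bytes) -> bytes:
    # Real authenticators sign authenticatorData || SHA-256(clientDataJSON) with a private key;
    # HMAC over the hash is a simplification that preserves the property we care about:
    # the origin field is covered by the signature and cannot be rewritten in transit.
    return hmac.new(key, hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()


def get_assertion(challenge: bytes, page_origin: str) -> dict:
    """The victim's browser + authenticator. The BROWSER fills in `origin` from the page
    that called navigator.credentials.get(); the victim cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    return {"clientDataJSON": client_data, "signature": sign(AUTHENTICATOR_KEY, client_data)}


class IdP:
    """Identity provider (relying party) offering both login paths."""

    def __init__(self, origin: str = LEGIT_ORIGIN) -> None:
        self.origin = origin

    def login_totp(self, password: str, code: str, unix_time: int) -> bool:
        # Nothing here reveals whether the user or a proxy submitted the values.
        return password == PASSWORD and hmac.compare_digest(code, totp(TOTP_SEED, unix_time))

    def login_webauthn(self, challenge: bytes, assertion: dict) -> bool:
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("challenge") != b64url(challenge):
            return False
        if client_data.get("origin") != self.origin:   # the check the AiTM proxy cannot satisfy
            return False
        expected = sign(AUTHENTICATOR_KEY, assertion["clientDataJSON"])
        return hmac.compare_digest(expected, assertion["signature"])


def aitm_relay_totp(idp: IdP, now: int) -> bool:
    """Victim types password and OTP into the proxy page; the proxy forwards them verbatim
    within the 30 s window. The IdP accepts."""
    typed_password, typed_code = PASSWORD, totp(TOTP_SEED, now)   # read off the phone app
    return idp.login_totp(typed_password, typed_code, now)


def aitm_relay_webauthn(idp: IdP) -> bool:
    """Proxy forwards the IdP's challenge; the victim's browser runs WebAuthn on the
    PHISHING origin, so the signed clientDataJSON names the wrong site."""
    return idp.login_webauthn(CHALLENGE, get_assertion(CHALLENGE, PHISH_ORIGIN))


def aitm_rewrite_origin(idp: IdP) -> bool:
    """Proxy tries to patch the origin field before forwarding; the signature no longer matches."""
    assertion = get_assertion(CHALLENGE, PHISH_ORIGIN)
    patched = json.loads(assertion["clientDataJSON"])
    patched["origin"] = idp.origin
    assertion["clientDataJSON"] = json.dumps(patched).encode()
    return idp.login_webauthn(CHALLENGE, assertion)


def legitimate_webauthn(idp: IdP) -> bool:
    """Victim signs in on the real site: origin matches and the signature verifies."""
    return idp.login_webauthn(CHALLENGE, get_assertion(CHALLENGE, idp.origin))


if __name__ == "__main__":
    idp, now = IdP(), 1_700_000_000
    print("AiTM relay of password+TOTP accepted:", aitm_relay_totp(idp, now))     # True
    print("AiTM relay of WebAuthn accepted:      ", aitm_relay_webauthn(idp))     # False
    print("AiTM with patched origin accepted:    ", aitm_rewrite_origin(idp))     # False
    print("Legitimate WebAuthn accepted:         ", legitimate_webauthn(idp))     # True
```

In a real browser the attack fails even earlier: WebAuthn refuses to exercise a credential whose relying-party ID is not a registrable suffix of the current page's domain, so the victim on the phishing origin is never prompted at all. The origin check modelled here is the relying-party-side backstop that the AiTM proxy cannot forge, and it is the reason the CIO briefing names FIDO2/passkeys rather than stronger OTPs as the fix.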
'Sorry' Ransomware Mass-Exploits Patched Hosting Control Panel Vulnerability: 44,000 Servers Compromised in 48 Hours
A ransomware group called 'Sorry' has compromised at least 44,000 web hosting servers globally by exploiting a recently patched critical vulnerability in cPanel/WHM, the web hosting control panel software. The attack began within hours of the official patch release, encrypting customer websites, databases, and email systems. Organisations running cPanel should confirm patch status immediately; unpatched servers face near-certain compromise.
Trellix Security Vendor Source Code Breached: Enterprise Customers Face Elevated Risk of Targeted Zero-Days
Trellix, a major enterprise cybersecurity vendor protecting thousands of organisations' endpoints, networks, and email systems, has confirmed that an attacker accessed and exfiltrated code from an internal source code repository. Security vendor breaches create a distinct risk profile: attackers who know how a security product works can use that knowledge to bypass its detections or to identify undisclosed vulnerabilities in it. Customers should activate secondary detection controls that do not depend on the affected product while the investigation is ongoing.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more, so you stay ahead of the threat curve.
Learn how it works