General CTI Archives - Bulwark Black LLC

Virtual machine infrastructure being abused by ransomware operators

Ransomware Gangs Abuse ISPsystem VMmanager to Hide Malicious Infrastructure at Scale

acint18 hours ago03 mins

Ransomware operators are increasingly exploiting legitimate virtual infrastructure management platforms to host and deliver malicious payloads at scale, effectively hiding their command-and-control infrastructure among thousands of innocuous systems. The Discovery Researchers at cybersecurity firm Sophos uncovered this concerning trend while investigating recent WantToCry ransomware incidents. They discovered that attackers were using Windows virtual machines with…

EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach

acint2 days ago03 mins

Security researchers at Huntress have documented a sophisticated intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to deploy a custom EDR killer that abuses a legitimate forensic driver from Guidance Software’s EnCase to terminate security processes from kernel mode. Attack Overview The attack, disrupted in early February 2026 before ransomware deployment, demonstrates a growing…

AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions

acint3 days ago04 mins

In a stark demonstration of how artificial intelligence is transforming the cybersecurity threat landscape, the Sysdig Threat Research Team (TRT) has documented a sophisticated cloud intrusion where attackers achieved full administrative control of an AWS environment in less than 10 minutes — with strong evidence that large language models (LLMs) were used to automate the…

Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach

acint4 days ago4 days ago04 mins

Google-owned Wiz discovers 4.75 million exposed records in AI social network Moltbook, including 1.5M API tokens and plaintext OpenAI keys—all because Row Level Security was never enabled on the “vibe-coded” platform.

BreachForums Breach Exposes 324,000 Cybercriminal Identities in Unprecedented Dark Web Leak

acint5 days ago03 mins

The tables have turned: BreachForums, one of the largest dark web marketplaces for stolen data, has been breached. A disgruntled insider leaked the real identities of nearly 324,000 cybercriminals, including email addresses, IP addresses, and connections to notorious groups like ShinyHunters.

SonicWall Cloud Breach Enables Ransomware Attack on 74 US Banks and Credit Unions

acint5 days ago02 mins

State-sponsored hackers exploited SonicWall’s MySonicWall cloud breach to launch a ransomware attack affecting 74 US banks and credit unions, compromising data of over 400,000 individuals. The attack demonstrates how third-party security breaches can cascade into devastating downstream attacks.

Nike Investigates 1.4 TB Data Leak After World Leaks Ransomware Gang Posts Stolen Files

acint6 days ago02 mins

Nike confirms it is investigating a potential breach after the World Leaks ransomware gang claimed to have stolen 1.4 TB of corporate data. The group, a rebrand of Hunters International, has targeted major organizations including the U.S. Marshals Service and Tata Technologies.

WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw

acint7 days ago02 mins

Google Threat Intelligence reveals widespread exploitation of CVE-2025-8088 by Russian APT groups, Chinese actors, and cybercriminals. The WinRAR path traversal flaw enables payload delivery via the Windows Startup folder, with active campaigns targeting Ukraine, LATAM, and financial sectors.

Microsoft to Disable 30-Year-Old NTLM Authentication Protocol by Default

acint1 week ago1 week ago02 mins

Microsoft announces NTLM will be disabled by default in upcoming Windows releases, marking the end of the 30-year-old authentication protocol that has been a persistent security vulnerability.

Mobile device security concept with digital vulnerabilities

Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation

acint1 week ago02 mins

Two critical CVSS 9.8 vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281, CVE-2026-1340) are under active exploitation, allowing unauthenticated remote code execution. CISA has added them to the KEV catalog with a February 1 federal deadline.