Security news aggregator

Latest cybersecurity reporting from selected sources.

Yasna brings together recent headlines from selected sources and makes them easier to sort with tags, filters, and search.

18 headlines in this view

Refine the feed

Search across headline titles and summaries.

Volume over time

Weekly headline count for the current query.

Showing 18 most recent headlines Filtered view
Bank Info Security 3 days, 21 hours ago

Phishing Toolkits Harvest Entra Tokens in Real Time

Jalisco Device Code Phishing Tool Use Also Tied to EvilTokens and Kali365 CustomersSophisticated phishing-as-a-service toolkits are driving a surge in phishing attack volume, experts warn, by giving users highly automated tools for personalizing lures and accessing previously niche tactics for generating valid authentication tokens for persistent access.

Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password

CISA published an advisory on endpoint management hardening after the Stryker wipe. Their Multi Admin Approval recommendation is a speed bump, not a wall. Here is what actually stops a Global Admin compromise: no standing privileges, PIM with Authentication Context, FIDO2 hardware keys, and automated session revocation.

Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. The ShinyHunters extortion group claims responsibility for these additional Salesforce attacks. [...]

Bank Info Security 1 year, 2 months ago

Zero Trust and Automation Crucial for Securing IoT Devices

Device Authority's Antill on Secure-by-Design and Continuous AuthenticationMany IoT devices were never designed with modern authentication - making them easy targets. Even when certificates are used for authentication, Darron Antill, CEO of Device Authority, points out that frequent expiration and limited visibility create operational and security risks over time.

Krebs on Security 1 year, 10 months ago

Owners of 1-Time Passcode Theft Service Plead Guilty

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords. Launched in November 2019, OTP Agency was a service for intercepting one-time passwords needed to log in to various websites. Scammers would enter the target’s phone number and name, and the service would initiate an automated phone call to the target that alerts them about unauthorized activity on their account.