SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
NGINX CVE-2026-42945 Under Active Exploitation

A critical vulnerability in NGINX is being actively exploited in the wild, causing worker process crashes and potentially enabling remote code execution. The flaw, designated CVE-2026-42945, poses significant risk to web servers running vulnerable versions of the widely-deployed software.

The exploitation pattern suggests threat actors are probing for vulnerable instances to achieve service disruption or establish footholds. Organizations running NGINX should prioritize patching immediately, as security researchers have confirmed active targeting of this vector in production environments.

🛰️ Open sources - closed narratives
@sitreports
🔍 Grafana Discloses GitHub Token Compromise and Extortion Attempt

Grafana Labs confirmed a security incident involving a compromised GitHub token that allowed unauthorized actors to download source code repositories. The breach, disclosed by Grafana, was followed by an extortion attempt. The token provided read access to private repositories but no write permissions or production infrastructure access.

The incident highlights supply chain risks through developer credential exposure. While no code modification or customer data access occurred, downloaded proprietary codebases create potential for future exploitation through vulnerability discovery or IP theft. The extortion component indicates threat actors increasingly monetize repository access beyond direct system compromise.

🎭 Samsung Weather App Triggers Diplomatic Incident Over Disputed Islands

Samsung issued an emergency update to its pre-installed weather application after it incorrectly labeled Dokdo—a group of volcanic islets disputed by South Korea, North Korea, and Japan—as North Korean territory. The tech giant blamed The Weather Channel for the mapping error, but according to The Register, the incident sparked outrage among South Korean netizens who viewed it as a national champion surrendering territory to adversaries.

The rapid response underscores how seemingly minor data errors in consumer applications can trigger significant diplomatic sensitivities in regions with active territorial disputes. The incident highlights supply chain risks in third-party geospatial data integration.

🤖 Linux Security List Overwhelmed by Duplicate AI Bug Reports

Linus Torvalds declared the Linux kernel security mailing list "almost entirely unmanageable" due to multiple researchers deploying identical AI tools to find vulnerabilities, creating massive report duplication. Maintainers now spend time forwarding duplicates and noting previously patched issues rather than addressing actual security work, according to his weekly kernel update.

Torvalds urged researchers to add value beyond automated detection by creating patches and understanding code context, noting AI-detected bugs are inherently non-secret and treating them on private lists creates counterproductive churn.

📡 Iran threatens submarine cable disruption in Strait of Hormuz

Iranian military-linked social media accounts have threatened to impose unspecified "fees" on submarine internet cables passing through the Strait of Hormuz. Iran operates torpedo-capable submarines in the strategically shallow waterway, through which multiple subsea cables pass before terminating in Gulf nations. According to reporting, some cables have dual paths with landing points in Oman east of the Strait, providing redundancy.

While kinetic action could reduce bandwidth between the Gulf and global networks, complete disruption remains unlikely given existing redundancies. The threat coincides with a new maritime insurance scheme requiring cryptocurrency payment, as traditional insurers refuse coverage for Strait transit.

🔫 Reaper Infostealer Targets macOS via Script Editor Bypass

A new macOS infostealer named Reaper exploits Apple's Script Editor to steal credentials, cryptocurrency wallets, and business documents while bypassing Terminal-based defenses in macOS Tahoe 26.4. The malware spreads via fake WeChat and Miro installers on typosquatted Microsoft domains, according to SentinelOne research, and uses persistence mechanisms disguised as Google Software Update components.

Reaper adds document theft and wallet injection capabilities, establishing a 60-second beacon for remote code execution and persistent access to enable continued data exfiltration and secondary payload deployment.

🔫 INTERPOL Operation Ramz: 201 Arrests, 53 Servers Seized Across MENA Region

INTERPOL's first regional cybercrime operation in the Middle East and North Africa resulted in 201 arrests and identification of 382 additional suspects across 13 countries. Authorities seized 53 servers hosting phishing, malware, and fraud infrastructure affecting at least 3,867 confirmed victims, with nearly 8,000 intelligence packages recovered from seized equipment.

The operation dismantled multiple criminal networks including a Jordan-based investment scam using trafficked Asian workers, a phishing-as-a-service platform in Algeria, and compromised infrastructure across Qatar, Oman, and Morocco.

🔫 SHub Reaper Targets macOS Users With Fake Apple Security Updates

A new SHub infostealer variant dubbed Reaper exploits macOS Script Editor via applescript:// URL schemes to bypass Terminal protections Apple introduced in March. The malware uses fake WeChat and Miro installers on spoofed domains, displays bogus security update prompts, and steals browser data, crypto wallets, password managers, and Telegram sessions while avoiding Russian-language systems.

Reaper hijacks wallet applications by replacing legitimate core files and establishes persistence through fake Google update scripts executing every 60 seconds. SentinelOne's analysis reveals the malware exfiltrates up to 150MB of targeted files and maintains backdoor access via LaunchAgent registration.

🤖 SOCOM flags lag in cross-platform autonomous integration

U.S. Special Operations Command's deputy acquisition director stated that development of collaborative autonomy—enabling multiple autonomous systems to operate and share data across domains without platform-specific software—is moving too slowly. Speaking at SOF Week, David Breede cited the need for rapid integration of autonomous behaviors across different platforms, noting current efforts remain hindered by manual, bespoke integrations.

The concern mirrors broader DOD struggles with interoperability. The Army recently launched a hackathon to connect legacy equipment with new systems under common architecture, acknowledging Ukraine's integrated counter-drone networks as a model for shared sensor-weapon communication that U.S. forces lack at scale.

📄 Pentagon's FY27 Cyber Budget Falls 92% Short of Internal Requirements

The Pentagon's FY2027 budget allocates under $75 million to U.S. Cyber Command for its CYBERCOM 2.0 force generation plan—just 8% of the $956 million officials requested in March 2025. The initiative, approved in November, aims to create three new organizations for talent management, training, and capability development, with total projected costs of $3.7 billion.

📡 FBI Seeks Nationwide License Plate Surveillance Access

The FBI is pursuing procurement of nationwide automated license plate reader (ALPR) access, which would enable warrantless tracking of vehicle movements across the United States, according to procurement records reviewed by 404 Media. Only two vendors—Flock and Motorola—are positioned to fulfill the requirement.

The procurement signals federal expansion of ALPR capabilities beyond local police deployments, coming amid growing civil liberties concerns and public resistance to mass vehicle surveillance systems in multiple jurisdictions nationwide.

🔫 TanStack Considers Invitation-Only PRs After Supply Chain Breach

The TanStack team is weighing drastic measures including invitation-only pull requests following a supply chain attack that exploited a GitHub Actions misconfiguration. The Shai-Hulud worm extracted secrets from memory during automated workflows triggered by pull_request_target, poisoning a shared cache across the repository. TanStack has removed all use of pull_request_target, disabled caches, and pinned actions to commit SHA hashes.

The proposal to close external contributions represents a potential break from open-source norms, highlighting tensions between supply chain security and contribution models.
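As an added example (not TanStack's own tooling), a small Python check that scans a workflow file for the weaknesses the post names: a pull_request_target trigger (and a checkout of the PR head under it), a shared cache step, and actions referenced by mutable tags rather than commit SHAs. The two embedded workflows and the SHA are constructed placeholders, and the scan is line-based rather than a full YAML parser.

```python
import re

# Constructed sample (not TanStack's CI): pull_request_target + PR-head checkout + shared cache + tag-pinned actions.
WEAK_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm test
"""
# Hardened counterpart: pull_request trigger, no cache step, action pinned to a full SHA (placeholder digits, not a real commit).
HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - run: pnpm test
"""
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Line-based scan (not a YAML parser); returns (line_no, rule, detail) tuples."""
    findings = []
    has_prt = "pull_request_target" in text
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(r"\bpull_request_target\b", line):
            findings.append((n, "pull_request_target", "privileged trigger runs with repository secrets"))
        if has_prt and "github.event.pull_request.head" in line:
            findings.append((n, "untrusted-checkout", "PR head code executes with privileged token"))
        m = USES_RE.search(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                findings.append((n, "unpinned-action", f"{action}@{ref} is a mutable ref, pin to a commit SHA"))
            if action.startswith("actions/cache"):
                findings.append((n, "shared-cache", "cache entries can be poisoned from PR-triggered runs"))
    return findings
```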

18-Year-Old NGINX Flaw Under Active Exploitation Days After Disclosure

CVE-2026-42945, dubbed "NGINX Rift," is already being exploited in the wild just days after researchers disclosed the vulnerability. The heap buffer overflow, dormant in the rewrite module since 2008, affects both NGINX Open Source and NGINX Plus. VulnCheck observed exploitation attempts on canary systems shortly after the CVE publication, with a public PoC appearing the same day patches dropped.

While rated CVSS 9.2, practical RCE requires specific server configurations and disabled ASLR—unlikely on modern Linux systems. Censys scans identified roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, creating significant patching burden despite limited real-world exploitation risk.

🔫 UK F-35s to carry US glide bombs amid software delays

The UK Ministry of Defence has approved procurement of the US-made GBU-53/B StormBreaker glide bomb as an interim stand-off weapon for its F-35 fleet. The move follows continued delays to Lockheed Martin's Block 4 software update, now expected in 2031—five years behind schedule—which is required to integrate the domestically developed SPEAR 3 mini-cruise missile. The Register reports the SPEAR 3 passed test firings in 2024 but remains unusable on F-35s.

The decision highlights critical capability gaps in the UK's stealth fighter program. During Operation Highmast, HMS Prince of Wales deployed with 24 F-35s but lacked adequate spare parts, forcing the MoD to cannibalize land-based stocks.

🔍 GitHub Investigating TeamPCP Breach Claim Targeting Internal Repositories

GitHub is investigating claims by threat actor TeamPCP of unauthorized access to approximately 4,000 internal repositories. The alleged breach surfaced on May 20, 2026, with the actor claiming to have accessed proprietary code and internal project data, according to reporting from cybersecurity sources.

If verified, the incident would represent significant supply chain exposure, potentially affecting downstream users of GitHub-hosted code and enterprise dependencies. The scope and authentication vector remain under investigation, with no official breach confirmation from GitHub at this time.

🔫 ChromaDB Zero-Day Enables Pre-Auth RCE on AI Vector Databases

CVE-2026-45829, a maximum-severity flaw in ChromaDB's Python FastAPI server, allows unauthenticated attackers to execute arbitrary code by exploiting misplaced authentication checks. Attackers can inject malicious Hugging Face models that execute before credentials are validated. Affecting versions 1.0.0 through 1.5.8 of the open-source vector database with 14 million monthly PyPI downloads, the flaw remains unpatched despite February disclosure.

Shodan data shows 73% of internet-exposed instances run vulnerable versions. Maintainers have not responded to HiddenLayer researchers. Mitigation requires switching to Rust frontends, restricting HTTP exposure, or implementing network-level API port controls.

🔫 Pentagon Awards $500M Counter-Drone Contract to Ukraine-Tested Developer

The Department of Defense's Joint Interagency Task Force 401 awarded a three-year, $500 million contract to Perennial Autonomy for AI-enabled counter-UAS systems. The company's Merops interceptor has downed over 4,000 Russian drones in Ukraine since mid-2024 and is currently deployed with U.S. forces in Central Command during the Iran conflict, according to Defense Scoop reporting.

The award reflects accelerated procurement of cost-effective interception against mass-produced Shahed variants. The Army previously purchased 13,000 Merops units at approximately $15,000 each, addressing the economic asymmetry of engaging cheap drones with expensive traditional systems.

🔫 Microsoft Disrupts Malware-Signing Service Used by Ransomware Groups

Microsoft's Digital Crimes Unit seized infrastructure linked to Fox Tempest, a malware-signing operation that sold fraudulent code-signing certificates to ransomware gangs since May 2025. The service abused Microsoft's Artifact Signing platform through 580+ fake accounts, enabling criminals to digitally sign malware—including Rhysida ransomware and Lumma infostealer—making it appear legitimate to Windows systems. Thousands of US machines were compromised, including over a dozen owned by Microsoft itself.

The operation charged $5,000-$9,500 per certificate and supplied groups like Vanilla Tempest, INC, Qilin, and Akira.

🔍 Microsoft Disrupts Malware Signing Service Abusing Internal Platform

Microsoft has shut down a malware-signing-as-a-service operation that exploited the company's Artifact Signing service to generate fraudulent code-signing certificates. The service enabled ransomware gangs and cybercriminals to sign malicious payloads with legitimate certificates, bypassing security controls that trust Microsoft-signed code.

The disruption highlights ongoing vulnerabilities in certificate authority ecosystems where attackers exploit trusted infrastructure to weaponize supply chain trust. While Microsoft's intervention removes one avenue for threat actors, the incident underscores the need for enhanced verification processes within internal signing platforms used by major technology providers.

🔫 Storm-2949 exploits Microsoft SSPR to hijack Azure environments

Microsoft reports threat actor Storm-2949 is targeting Microsoft 365 and Azure environments by impersonating IT support to trick privileged users into approving MFA prompts during password resets. Attackers then remove existing MFA controls, enroll their own devices, and use custom Python scripts via Graph API to enumerate environments and exfiltrate data from OneDrive, SharePoint, Key Vaults, and Azure SQL databases.

The campaign demonstrates advanced cloud persistence through Azure RBAC abuse, FTP and Kudu console deployment, and firewall manipulation. Defenders should implement phishing-resistant MFA for privileged roles and apply least-privilege principles.

🔫 Microsoft Disrupts Malware-Signing Service Fox Tempest

Microsoft's Digital Crimes Unit dismantled Fox Tempest, a malware-signing-as-a-service operation that issued over 1,000 fraudulent certificates to cybercriminals. The service charged $5,000–$9,000 for plans allowing threat actors to sign malware with legitimate-looking Microsoft certificates, supporting ransomware families including Rhysida, INC, Qilin, and Akira across healthcare, education, and government sectors globally.

The operation abused Microsoft Artifact Signing through Azure tenants and ran customer portals via Telegram. Microsoft filed legal action enabling infrastructure seizure and certificate revocation, while collaborating with Resecurity, Europol's EC3, and the FBI to counter downstream attacks.
