RSS Feeds
Microsoft Intune is used by many organisation as a security/admin tool to manage endpoints, ensure they have the correct security controls, the right level of patches, only certain authorised applications, etc.
And, as well, when an endpoint/device may get lost, it allows the company/an admin, to remotely wipe the device for security reason.
So what could go wrong?
In March 2026, Stryker Corporation learned a hard lesson: attackers don't always need malware.
By compromising admin credentials, the threat actors leveraged Microsoft Intune to remotely wipe tens of thousands of devices across the organization: laptops, servers, and mobile endpoints.
The attack caused widespread disruption to operations, from order processing to shipping.
Who would ever need to mass wipe out all endpoints in an organisation besides a hacker?
It looks like Microsoft never asked themselves that question...
Because not only is that option there by defau...
>>[READ MORE]
{elysiumsecurity} 
Cyber Protection & Response
-
News Links
Hacking News (34 Posts)
When Microsoft Turns Against You: Hackers Wipe Thousands of Devices
Notepad++ and the joy of shadow IT application procurement
Last month the maintainer of Notepad++ published a disclosure that will make any developer or sysadmin uncomfortable.
For about six months, from June through December 2025, the software's update mechanism had been hijacked by a Chinese state-sponsored threat actor.
Every time a targeted user hit "Check for Updates", they were potentially downloading malware instead of a legitimate new version, and the installer looked and behaved exactly like the real thing.
Notepad++ is not a niche tool. It is one of the most widely installed text editors in the world, used daily by developers, system administrators, network engineers, and security professionals.
That demographic is precisely why it was targeted. In enterprise environments, these are often the most privileged users on the network. Compromise their workstation through a trusted update and you have bypassed the perimeter entirely.
The attackers did not touch a single line of Notepad++ source code. They...
>>[READ MORE]
Apple's Spyware Alerts and 2025 closing thoughts!
On 2 December 2025, Apple sent threat notifications to users in 84 countries - one of the largest single waves since the programme launched.
Not a security tip.
A direct, personal warning: your device may have been targeted by state-sponsored attackers. Apple reserves these alerts for situations where it believes a user is being hunted by well-resourced, sophisticated operators. Custom operations. Expensive. Almost always government-connected.
The alerts landed in the middle of a coordinated disclosure by Google, Amnesty International, and a consortium of investigative journalists focused on Intellexa - the company behind the Predator spyware platform. Already sanctioned twice by the US government, Intellexa had simply adapted: setting up shell companies to infiltrate advertising networks, and deploying a new infection method called "Aladdin" that silently compromises a device through a targeted banner ad.
There was no link to click, no file to open. Just an...
>>[READ MORE]
What the Salesfoce breach can teach us on Cloud/SaaS Security?
What Happened?
The attack ran on two front simultaneously.
- On the first, attackers quietly compromised Salesloft's GitHub repositories between March and June 2025, stealing Drift OAuth refresh tokens. Those tokens gave them persistent, legitimate-looking API access to the Salesforce environments of every company using their integration. Thousands of database queries were run in the background, pulling contact records, case data, and critically embedded credentials like AWS keys and tokens that had been pasted into support tickets.
- On the second, attackers impersonated Salesforce support staff in targeted phone calls, tricking employees into installing a malicious app that granted OAuth access and bypassed MFA entirely. This campaign hit consumer brands directly.
Once they had accumulated enough data, the group went public. On 3 October 2025, they launched a dark web site called: Trinity of Chaos, published samples of...
>>[READ MORE]
Oracle in Denial
On 20 March 2025, a previously unknown threat actor posting under the handle "rose87168" listed six million records for sale on BreachForums, claiming they had been stolen directly from Oracle Cloud's authentication infrastructure.
The data included Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) passwords, LDAP credentials, OAuth2 keys, and Enterprise Manager JPS keys - the kind of data that sits at the very core of how cloud environments authenticate users and systems.
Oracle's initial response was a flat denial. The company told BleepingComputer: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
That statement did not hold.
Within days, independent researchers confirmed the breach. By early April 2025, Oracle had quietly begun notifying affected customers directly. The incident is estimated to impact over 140,000 cloud tenants acros...
>>[READ MORE]
How to secure your mobile phone and check for spyware?
To effectively detect if your mobile phone has been compromised or infected with spyware, as well as to secure it from potential future attacks, it is important to follow some security best practices.
Below, we will cover a thorough guide aimed at personal and work phones, which are often unprotected compared to corporate laptops with more advanced security tools (EDR/XDR) which are not often found on mobile phones.
- Detecting potential compromise on your Mobile device
- Review device configuration: Regularly inspect your phone's system settings and installed apps. Look for any configurations or applications that seem unfamiliar or that you did not intentionally set up.
- Installed Apps: Unrecognized applications, especially those in foreign languages or from unknown developers, could indicate potential spyware. If you discover suspicious apps, consider a full device reset.
>>[READ MORE]
Can a pen and paper really save you from a Cyber Incident?
We all know the adage:
It is not a question of "IF" you will be hacked, but "WHEN".
This is true for all companies in all industries.
The ultimate answer to this problem is, to quote a famous French film:
"What is important is not the fall, but the landing." (*)
However, when speaking to upper management about cyber risks and the cost to implement remediation or prevention security controls, the answer we often get is a "Don't worry, we will be fine. We can just operate manually with pen and paper until we fix everything again”.
It might be true for (very few) companies, but the reality is unfortunately often much more complicated than that.
A recent example is a cyber-attack that occurred in the Indian Ocean region this week:
Leal Réunion, a car dealership on the Réunion island, got attacked by a hacker group.
This attack is impacting their ability to use their IT systems and some sensitive financial informati...
>>[READ MORE]
HOW TO PROTECT AGAINST THE NEW PHISHING ATTACKS GETTING AROUND MFA (CONSENT PHISHING)
There is a growing type of phishing attack which has been quite successful since the beginning of 2020, it is called a "Consent Phishing"
Traditional email phishing attacks will try to get the victim's credentials through a dangerous URL with a fake login webpage, a malware attachment or some other clever social engineering tactics.
Hopefully companies have some anti-phishing tools/technology to detect and protect them against most of those type of emails (some always manage to get through, no matter what technology you use and what vendors promise you!)
However, there is a new type of phishing attacks that leverages the OAuth authorisation framework used by some applications to access your account. Basically, there are a lot of legitimate applications that will request access to your O365 account (it could also be another type of Cloud app provider) through the generation of an OAuth token, so they don't need to know (and store) your O365 password.
...
>>[READ MORE]
How to build a Red Team and Why?
I recently gave a talk at the Rant Forum in London on the topic of
"RedTeam, why this is more than a buzz word?".
It was an interesting experience and whilst different from traditional security events, as the crowd can and will interrupt you at any time, it was very enjoyable.
Many attendees asked if I could produce some "slides" after the talk. As no slides were used, below is a collection of notes from wich the talk was based on.
In this post we will explain what RedTeam is, how does it fit with other similar security services and what advantages does it bring to an organisation.
We will also look into what works? what doesn’t? And where is this “new” type of service going?
1. DEFINITION
A Red Team is part of a trio of services which increases in sophistication: Vulnerability Assessment, Penetration Testing and then Red Teaming.
We will d...
>>[READ MORE]
RANT FORUM - Red Team Recipes Presentation
I will be giving a talk tomorrow evening, the 28th of November at around 6pm, in London at the Risk and Network Threat (RANT) Forum .
The topic is:
Why RedTeam is more than just a buzz word? What works? What doesn't? And where is this "new" type of service might be going? All those questions answered by someone who is actually delivering Red Team activities.
Registration is free, you get free drinks and food... plus you get to hear me talk, so what is not to like?! :)
You can register HERE
The RANT Forum is quite different from your typical free security briefing, for a start it is not a sales forum. However, the company behind it is a recruitment agency, so they are still interested in taping the UK Security professional community!
...
>>[READ MORE]