Last updated: July 5, 2026 at 9:01 AM UTC
Tag: fbi (7 articles)

FBI warns TeamPCP poisons trusted developer tools to steal cloud credentials

The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.

Check
Check whether your build pipelines pulled trojanized versions of tools like Trivy, KICS, or LiteLLM, review the FBI's indicators, and audit whether any package maintainer accounts use expired recovery email domains.
Affected
Organizations whose CI/CD pipelines automatically pull developer and security tools, and maintainers whose npm recovery email domains have lapsed; TeamPCP uses these paths to steal cloud, Kubernetes, and registry credentials.
Fix
Pin GitHub Actions to commit hashes, rotate CI/CD secrets and cloud credentials, scope publishing tokens and enforce least privilege, require phishing-resistant MFA on publishing accounts, and delay installing brand-new package versions.
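The pinning advice above can be checked mechanically. The script below is an added example written for this page, not code from the FBI alert or from any of the projects it names: it scans the `uses:` lines of a GitHub Actions workflow and reports every action that is not pinned to a full 40-character commit SHA, the one reference form a trojanized update cannot silently replace. The workflow it scans is constructed for the example (the action names are real, the 40-hex value is a placeholder, not a real commit).

```python
import re

# A full 40-hex commit SHA is immutable. Tags (v4), branches (master) and
# short SHAs can be moved or reused, which is how a trojanized update of an
# action rides into a pipeline that pulls it automatically.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def classify_ref(ref):
    """Classify one `uses:` value as 'sha', 'mutable', 'local' or 'docker'."""
    if ref.startswith("./"):
        return "local"        # action in this repo, reviewed with the code
    if ref.startswith("docker://"):
        return "docker"       # pin by image digest; not checked here
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "mutable"      # no ref at all resolves to the default branch
    return "sha" if FULL_SHA.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for every action not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((n, m.group(1)))
    return findings


# Constructed workflow for this example (not from any real repository). The
# action names are real; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: ./.github/actions/notify
      - name: pinned step
        uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Run it over `.github/workflows/*.yml` as a CI gate and fail the build on findings. Two caveats: an action pinned by SHA can still download a tool binary at run time, so pin that version too where the action supports it (trivy-action takes a `version` input); and for the "delay brand-new versions" advice, npm's `--before=<date>` option installs only versions published on or before that date, which gives the waiting window the Fix describes.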

FBI warns Russian hackers now steal Signal backup recovery keys to hijack accounts

The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting that the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key an attacker can restore the account's backup, read its private and group message history, and take over the account, and because the key remains valid afterward the access persists until it is regenerated. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.

Check
High-risk users should review who could have prompted them to share a Signal backup or recovery key, and check Signal for unexpected linked devices or signs their account history was restored elsewhere.
Affected
Signal users targeted by Russian intelligence, especially officials, military personnel, journalists, and activists; a stolen backup recovery key exposes full message history and grants lasting account takeover.
Fix
Never share your Signal backup or recovery key, store it offline, regenerate it if you suspect exposure, verify linked devices, and distrust anyone guiding you through backup steps.

FBI warns of fake FIFA World Cup 2026 sites (fiffa.com, alt-TLDs) collecting payment data ahead of June 11 kickoff

The FBI has issued a public service announcement warning of hundreds of fake FIFA-themed phishing and fraud sites ahead of the 2026 World Cup running June 11 to July 19 in the US, Canada, and Mexico. Domains include fiffa[.]com and alternative TLDs (.org, .xyz, .live, .sale) plus fake employment portals like jobs-fifa[.]com and fifa-hiring[.]com. The fraudulent sites collect names, addresses, phone numbers, and banking/payment details; the data is used for fake-ticket sales, hospitality-package scams, identity theft, and fraudulent account creation. Group-IB and Bitdefender confirmed parallel malvertising via Google Search, Facebook, Telegram, and WhatsApp, with one major operation attributed to a Chinese-speaking gang.

Check
Add FIFA-themed lookalike domains (fiffa.com, fifa-*[.]com, fifa on alternative TLDs) to email and web filters. Brief staff that the official site is fifa.com, including its subdomains; treat any other FIFA-branded domain as suspicious.
Affected
Anyone considering buying World Cup tickets, hospitality packages, or FIFA-related employment ahead of June 11. Chinese-speaking gangs and Russian-speaking operations target English, Spanish, and Portuguese speakers.
Fix
Source tickets only via fifa.com or authorized partner sites. Pay via credit card or escrow for chargeback protection. Report fake FIFA sites to FBI IC3. Apply Group-IB and Bitdefender IoCs.
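The filter entries in the Check above can be generated rather than hand-listed. The classifier below is an added example for this page, not code from the FBI PSA or from Group-IB or Bitdefender: it sorts a hostname into the lookalike patterns the PSA describes (typosquat, brand on an alternative TLD, brand embedded in a label, the official name used as a subdomain) and leaves fifa.com and its subdomains alone. Domains from the PSA appear undefanged; `evil.example` is a constructed placeholder, not a real registration. The registrable-domain logic assumes the last two labels and ignores the public-suffix list, which is the first thing to add before production use.

```python
BRAND = "fifa"
OFFICIAL = "fifa.com"


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats such as fiffa."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return None for fifa.com and its subdomains, otherwise a reason string.

    Assumes the registrable domain is the last two labels; names under
    multi-part suffixes such as .co.uk need a public-suffix list instead.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    if registrable == OFFICIAL:
        return None                                            # fifa.com, tickets.fifa.com
    sld = labels[-2]
    if sld == BRAND:
        return f"brand on alternative TLD ({host})"            # fifa.xyz, fifa.live
    if f".{OFFICIAL}." in f".{host}.":
        return f"official name as subdomain of {registrable} ({host})"
    if any(BRAND in label for label in labels[:-1]):
        return f"brand embedded in label ({host})"             # jobs-fifa, fifa-hiring
    if edit_distance(sld, BRAND) <= 1:
        return f"typosquat of {BRAND} at distance 1 ({host})"  # fiffa
    return None


def flag_hosts(hosts):
    """Map each suspicious host to its reason, for a blocklist or filter review."""
    flagged = {}
    for h in hosts:
        reason = classify_host(h)
        if reason:
            flagged[h] = reason
    return flagged


# Domains named in the PSA plus constructed ones; evil.example is a placeholder.
SAMPLE_HOSTS = [
    "fifa.com", "tickets.fifa.com", "fiffa.com", "fifa.xyz", "fifa.live",
    "jobs-fifa.com", "fifa-hiring.com", "fifa.com.evil.example", "example.org",
]

if __name__ == "__main__":
    for host, reason in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: {reason}")
```

The first three tiers are safe to block outright. The typosquat tier is review material: with a four-letter brand, distance-1 matches include benign words, so feed those to an analyst rather than straight into the denylist.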

FBI flash alert: Silent Ransom Group (Luna Moth/UNC3753) sends operatives in person to plug USB drives into US law firm computers

The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.

Check
Brief reception and staff at law/finance firms: verify any in-person 'IT support' visit through a known internal channel before granting access. Alert SOC to unexpected USB-storage mounts.
Affected
US law firms and financial-services organizations. SRG poses as internal IT via phone/phishing, escalating to physical USB-drive theft if remote-access social engineering fails.
Fix
Enforce device-control policy blocking unauthorized USB mass storage. Require multi-channel verification for IT-support remote-access requests. Lock workstations and restrict physical access. Run callback-phishing awareness training.
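The "alert SOC to unexpected USB-storage mounts" item above needs detection logic somewhere. The script below is an added example for this page, not code from the FBI flash alert: it reads Windows Kernel-PnP device events exported as XML, keeps only USB mass-storage device instance IDs (the `USBSTOR\` prefix), and reports any drive whose serial is not on a corporate allowlist. The event IDs (400 device configured, 410 device started) and the `DeviceInstanceId` field are the ones the Microsoft-Windows-Kernel-PnP/Configuration log carries; the events below are constructed for the example, as is the allowlist serial.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PNP_DEVICE_EVENTS = {"400", "410"}     # Kernel-PnP: device configured / device started

# Serials of corporate-issued encrypted drives. Placeholder value for the example.
ALLOWED_SERIALS = {"CORP0001ENC"}


def usbstor_events(xml_text):
    """Yield (event_id, device_instance_id) for USB mass-storage devices.

    Assumes Microsoft-Windows-Kernel-PnP/Configuration events exported as XML
    (for example with wevtutil qe ... /f:xml) and wrapped in one root element,
    with the DeviceInstanceId field in EventData.
    """
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        dev = ev.findtext("e:EventData/e:Data[@Name='DeviceInstanceId']", namespaces=NS)
        if eid in PNP_DEVICE_EVENTS and dev and dev.upper().startswith("USBSTOR\\"):
            yield int(eid), dev


def serial_of(device_instance_id):
    """USBSTOR\\Disk&Ven_x&Prod_y&Rev_z\\<serial>&0  ->  <serial>"""
    return device_instance_id.split("\\")[-1].split("&")[0]


def unauthorized_mounts(xml_text):
    """Distinct USB storage devices seen that are not on the corporate allowlist."""
    return sorted({dev for _, dev in usbstor_events(xml_text)
                   if serial_of(dev) not in ALLOWED_SERIALS})


# Constructed events for the example: an unknown flash drive, an allowed
# encrypted drive, and a USB mouse that must not be reported.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-PnP"/><EventID>400</EventID>
  <TimeCreated SystemTime="2026-07-01T13:02:11Z"/><Computer>LAW-WS-17</Computer></System>
  <EventData><Data Name="DeviceInstanceId">USBSTOR\Disk&amp;Ven_Generic&amp;Prod_Flash_Disk&amp;Rev_8.07\AA12345678&amp;0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-PnP"/><EventID>410</EventID>
  <TimeCreated SystemTime="2026-07-01T13:05:40Z"/><Computer>LAW-WS-17</Computer></System>
  <EventData><Data Name="DeviceInstanceId">USBSTOR\Disk&amp;Ven_Vendor&amp;Prod_Encrypted_Drive&amp;Rev_1.00\CORP0001ENC&amp;0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-PnP"/><EventID>400</EventID>
  <TimeCreated SystemTime="2026-07-01T13:06:02Z"/><Computer>LAW-WS-17</Computer></System>
  <EventData><Data Name="DeviceInstanceId">USB\VID_046D&amp;PID_C52B\5&amp;1a2b3c4d&amp;0&amp;2</Data></EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for dev in unauthorized_mounts(SAMPLE_EVENTS):
        print("unauthorized USB storage:", dev)
```

Detection is the backstop; the control itself is the Removable Storage Access policy under Computer Configuration > Administrative Templates > System, which can deny all removable disks and is what the "device-control policy" in the Fix refers to. Ship the same serial allowlist to both.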

FBI warns of Kali365 phishing-as-a-service: OAuth device-code flow abuse against Microsoft 365 since April, $250-$2,000/year

The FBI has issued a warning about Kali365, a phishing-as-a-service platform that fueled large Microsoft 365 attacks in April. Instead of stealing passwords, Kali365 customers trigger Microsoft device-login requests and trick victims into completing the authorization, capturing OAuth access and refresh tokens that grant immediate mailbox access. Arctic Wolf, which infiltrated the system, says Kali365 sells in three tiers from $250 for 30 days to $2,000 for the year and generates branded phishing lures impersonating Adobe, DocuSign, and SharePoint in dozens of languages. Threat actors set malicious inbox rules to suppress security notifications and extend dwell time.

Check
Search Entra ID sign-in logs for device-code sign-ins since April 1 that users do not recognize (each sign-in record names the authentication protocol used), and hunt for inbox rules that delete, move, or mark as read mail from security-team addresses or with security-related subjects.
Affected
Any Microsoft 365 tenant where users can complete device-login flows initiated by an attacker. Adobe, DocuSign, and SharePoint-themed lures are the primary social engineering vector.
Fix
Block device-code flow in Conditional Access for non-mobile platforms. Enforce phishing-resistant FIDO2 MFA. Train users never to enter a device-login code they did not generate themselves on a device they control. Audit OAuth-granted apps quarterly.

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

Check
Review your Microsoft 365 security configuration. W3LL's kit was built specifically to bypass standard MFA on M365, and organizations relying solely on push-notification or SMS-based MFA were the primary targets.
Affected
Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix
Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.
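The Kali365 and W3LL entries both end in the same post-compromise hunt: device-code sign-ins the user never initiated, and inbox rules that hide security mail or forward it out. The script below is an added example for this page, not code from the FBI, Arctic Wolf or Group-IB: it runs both checks over Microsoft Graph JSON. The sign-in records are the shape returned by `GET /auditLogs/signIns`, where `authenticationProtocol` is `deviceCode` for that flow; the rules are the shape returned by `GET /users/{id}/mailFolders/inbox/messageRules` (Exchange Online's `Get-InboxRule` exposes the same conditions and actions). All records below are constructed for the example; the users, IPs and the folder id are placeholders.

```python
import json

# Terms that security notifications typically carry; attackers hide matching mail.
SECURITY_TERMS = ("security", "phish", "suspicious", "alert", "password",
                  "mfa", "unusual", "sign-in", "soc@")


def device_code_signins(signins):
    """Return (user, ip, os) for sign-ins completed with the device code protocol.

    Expects signIn objects from Graph GET /auditLogs/signIns. Every hit is
    worth a look: the Fix above blocks the flow for non-mobile platforms, so
    a deviceCode sign-in from a desktop OS or an unknown IP is the first triage cut.
    """
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        os_name = (s.get("deviceDetail") or {}).get("operatingSystem")
        hits.append((s.get("userPrincipalName"), s.get("ipAddress"), os_name))
    return hits


def suspicious_rules(rules):
    """Return (rule name, reason) for inbox rules that hide security mail or divert mail.

    Expects messageRule objects from Graph GET /users/{id}/mailFolders/inbox/messageRules.
    """
    hits = []
    for r in rules:
        cond = r.get("conditions") or {}
        acts = r.get("actions") or {}
        terms = [t.lower() for key in ("subjectContains", "bodyContains", "senderContains")
                 for t in cond.get(key, [])]
        terms += [(a.get("emailAddress") or {}).get("address", "").lower()
                  for a in cond.get("fromAddresses", [])]
        hides = bool(acts.get("delete") or acts.get("markAsRead") or acts.get("moveToFolder"))
        diverts = bool(acts.get("forwardTo") or acts.get("redirectTo"))
        if hides and any(s in t for t in terms for s in SECURITY_TERMS):
            hits.append((r.get("displayName"), "hides security-related mail"))
        elif diverts:
            hits.append((r.get("displayName"), "forwards or redirects mail"))
    return hits


# Constructed Graph responses for the example (documentation IP ranges, placeholder ids).
SAMPLE_SIGNINS = json.loads("""[
  {"userPrincipalName": "a.user@example.com", "ipAddress": "203.0.113.7",
   "authenticationProtocol": "deviceCode",
   "deviceDetail": {"operatingSystem": "Linux", "browser": ""}},
  {"userPrincipalName": "b.user@example.com", "ipAddress": "198.51.100.20",
   "authenticationProtocol": "oAuth2",
   "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 126.0.0"}}
]""")

SAMPLE_RULES = json.loads("""[
  {"displayName": "Housekeeping", "isEnabled": true,
   "conditions": {"subjectContains": ["suspicious sign-in", "security alert"]},
   "actions": {"delete": true, "stopProcessingRules": true}},
  {"displayName": "Newsletter", "isEnabled": true,
   "conditions": {"subjectContains": ["newsletter"]},
   "actions": {"moveToFolder": "folder-id-placeholder", "markAsRead": true}},
  {"displayName": "Sync", "isEnabled": true,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "archive@mailbox.example.net"}}]}}
]""")

if __name__ == "__main__":
    for user, ip, os_name in device_code_signins(SAMPLE_SIGNINS):
        print(f"device-code sign-in: {user} from {ip} ({os_name})")
    for name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"inbox rule '{name}': {reason}")
```

Run the rule check per mailbox, not just for the user who reported the lure, since both kits target whole tenants. On the prevention side, Conditional Access exposes device code flow under its Authentication flows condition, which is where the "block for non-mobile platforms" policy in the Kali365 Fix is expressed.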

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.
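The Check above asks one concrete question: does any Rockwell/Allen-Bradley controller answer from the internet? The script below is an added example for this page, not code from the advisory or from Rockwell: it builds an EtherNet/IP ListIdentity request, parses the identity item a device returns (the public ODVA encapsulation format, the same fields nmap's enip-info script prints), and flags replies whose ODVA vendor ID is 1 (Rockwell Automation/Allen-Bradley) with the PLC device profile. The reply it parses is constructed in code; the product name is a placeholder modelled on a ControlLogix name, not a capture. The `probe` function sends the request for real and is only for addresses you own and have cleared with the OT team.

```python
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C
ROCKWELL_VENDOR_ID = 1          # ODVA vendor ID 1: Rockwell Automation/Allen-Bradley
DEVICE_TYPES = {0x0E: "Programmable Logic Controller", 0x0C: "Communications Adapter"}


def build_list_identity():
    """24-byte EtherNet/IP encapsulation header with no payload:
    command, length, session handle, status, 8-byte sender context, options."""
    return struct.pack("<HHIIQI", CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(data):
    """Parse a ListIdentity reply into a dict, or None if it is not one."""
    if len(data) < 26:
        return None
    cmd, length = struct.unpack_from("<HH", data, 0)
    if cmd != CMD_LIST_IDENTITY or len(data) < 24 + length:
        return None
    (item_count,) = struct.unpack_from("<H", data, 24)
    if item_count < 1:
        return None
    item_type, _item_len = struct.unpack_from("<HH", data, 26)
    if item_type != ITEM_CIP_IDENTITY:
        return None
    off = 30
    (proto_ver,) = struct.unpack_from("<H", data, off)
    # sockaddr_in is the one big-endian field in an otherwise little-endian protocol
    _family, port, addr = struct.unpack_from(">HH4s", data, off + 2)
    off += 18
    (vendor, dev_type, product_code, rev_major, rev_minor,
     status, serial, name_len) = struct.unpack_from("<HHHBBHIB", data, off)
    off += 15
    if len(data) < off + name_len + 1:
        return None
    name = data[off:off + name_len].decode("ascii", "replace")
    state = data[off + name_len]
    return {
        "encap_version": proto_ver,
        "ip": socket.inet_ntoa(addr), "port": port,
        "vendor_id": vendor, "device_type": dev_type,
        "device_type_name": DEVICE_TYPES.get(dev_type, f"0x{dev_type:02X}"),
        "product_code": product_code, "revision": f"{rev_major}.{rev_minor}",
        "status": status, "serial": serial, "product_name": name, "state": state,
    }


def is_rockwell_plc(info):
    return info["vendor_id"] == ROCKWELL_VENDOR_ID and info["device_type"] == 0x0E


def probe(host, timeout=2.0):
    """Send ListIdentity over UDP/44818 to one host and parse the reply.
    Only for addresses you are authorized to test; sent from an external
    vantage point, an answer means the controller is reachable from the internet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity(), (host, ENIP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_list_identity(data)


def build_sample_reply(vendor=ROCKWELL_VENDOR_ID, dev_type=0x0E, product="1756-L7x sample",
                       serial=0x00C0FFEE, ip="192.0.2.10"):
    """Constructed reply in the wire format above; not a capture from any real device."""
    sockaddr = struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton(ip), b"\x00" * 8)
    name = product.encode("ascii")
    item = (struct.pack("<H", 1) + sockaddr
            + struct.pack("<HHHBBHIB", vendor, dev_type, 0x5A, 20, 11, 0x0060, serial, len(name))
            + name + b"\x03")                                   # state 3: Operational
    body = struct.pack("<H", 1) + struct.pack("<HH", ITEM_CIP_IDENTITY, len(item)) + item
    return struct.pack("<HHIIQI", CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


if __name__ == "__main__":
    info = parse_list_identity(build_sample_reply())
    print(info["product_name"], info["ip"], info["revision"], "Rockwell PLC:", is_rockwell_plc(info))
```

Use the parser on your own external scan results or on an inventory export before sending anything to a production controller; even a benign ListIdentity to a PLC should go through OT change control. A reply from a public address is the finding the Check asks for, whatever the vendor: the same parser identifies other ODVA vendors, and any controller answering on 44818 from the internet belongs behind the OT network or VPN the Fix describes.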