A history of credentials at rest

I've been hard at work on a NEW phishing technique I'm excited to share. I'm calling it "Vaultjacking" and the impact is honestly a bit sobering.

In my blog I demonstrate how a single AiTM landing page can spoof your Google passkey/password manager PIN and use that to access ALL of a victim's third-party credentials (yes, including passkeys). A simple phish on one site can lead to a total compromise of all Chrome-saved credentials.

After FIOD seized 800+ servers and arrested two operators on May 18, the ELLIO research team reports that scanning from the network's ASN ranges has continued largely uninterrupted - and that while roughly a third of the recently-active ranges (including the legacy Stark blocks 94.131.105.0/24 and 92.118.232.0/24) have since been withdrawn from global routing, the surviving ranges under AS209847 (WorkTitans / THE.Hosting) are still announced and still scanning, at the network's normal daily rate.

The sibling ASNs (AS213999 and the Moscow-based AS33993) remain routed and idle.

The recent activity skews toward database and ICS/SCADA discovery = MongoDB, Redis, PostgreSQL, Oracle, LDAP, plus DNP3 and EtherNet/IP - alongside known-exploit probes like CVE-2017-17215 and WinRM.

The Lithuanian Prosecutor General’s Office and the Criminal Police Bureau have initiated a joint investigation into a large-scale data exfiltration incident targeting the State Enterprise Centre of Registers. The incident involved the unauthorized copying of over 600,000 records from the country's national Real Estate and Legal Entities Registers.

Rather than exploiting an unpatched software vulnerability, the attack mechanics rely on a classic trust-boundary compromise.

The Entry Vector: Cross-Agency Credential Misuse (MITRE T1078)

Forensic tracking indicates that the threat actors executed a series of unauthorized connections originating from foreign infrastructure. The entry vector relied on valid, high-privilege B2B institutional login credentials assigned to external state departments authorized to query the central registry database.

Independent statements from legislative and defense officials suggest the specific access pathway was carved out by compromising authenticated accounts belonging to the Department of Migration under the Ministry of the Interior. By hijacking these valid inter-agency connection points, the threat actors bypassed perimeter barriers, allowing them to issue massive queries to the backend database without triggering immediate anomaly blocks.

Exfiltration Scope & Impact Profile

The breach was initially identified by internal monitoring in early April 2026, but public disclosure was delayed due to the ongoing criminal inquiry. The exfiltrated data schemas consist of:

• Full legal names, dates of birth, and unique national identification numbers.
• Registered physical addresses, corporate entity structures, and detailed cadastral/property registry extracts.

The Centre of Registers has confirmed that primary consumer-facing vectors - such as telephone contact details, email addresses, bank account numbers, or raw cadastral measurement files - were not part of the exfiltrated datasets.

The primary operational risk is tactical intelligence gathering. Security analysts have pointed out that bulk access to unlisted residential addresses linked to legal entities can be leveraged by foreign intelligence services for target profiling, spear-phishing orchestration, or coercion of state personnel, diplomats, and military figures.

Incident Response & Remediation

Following the identification of the unauthorized bulk queries, the Centre of Registers implemented the following controls:

1. Immediate revocation and blocking of all compromised inter-agency institutional accounts.
2. Mandatory credential rotation and strict query-volume throttling across all API and web self-service gateways linked to external state dependencies.
3. The director of the Centre of Registers, Adrijus Jusas, formally stepped down on May 25 following administrative scrutiny regarding legacy IT infrastructure and monitoring gaps.

While independent defense officials note the incident matches the operational signatures of state-aligned hybrid surveillance operations, official attribution from the Prosecutor General's Office remains open.

The security angle on encrypted DNS is often oversimplified. DoH prevents ISP-level snooping and basic DNS hijacking, but doesn't protect against a compromised resolver. DoT is easier to detect and block, which has real implications for threat actors trying to exfiltrate via DNS. DoQ is interesting from a security perspective because QUIC's connection ID migration makes traffic correlation harder. Article includes benchmark data and practical server config — but mostly written for the "which threat model does each protocol address" question.

I published a technical write-up on an old OLX account takeover issue.

The core bug was an OTP correctness leak inside the rate-limit state.

After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent.

Invalid codes during lockout still produced the invalid-code signal.

The valid code during lockout removed that signal while keeping the lockout message.

That made the lockout state act as an oracle for whether the OTP was correct.

The broader impact came from reuse of the verification flow across account paths, including recovery/reset-style flows, plus weak session revocation behavior after password change.

The write-up focuses on the response-difference behavior, why the validity window mattered, how the issue escalated to account takeover, and why lockout states must stop leaking success/failure information.

The first sign wasn’t a security alert. It was a temperature reading.
A food plant’s cold rooms were warming up and the product was spoiling. The engineers expected a dead compressor. Instead, someone had been inside the controllers and rewritten them on purpose: setpoints, safety limits, valves pinned open, and the engineers’ own remote account locked out while the plant failed. Three compressors destroyed. No malware required, just an attacker who understood refrigerant physics.
On the same network, our team found a disk wiper hiding as a fake Microsoft update.
One IRGC-directed front. Two target sets, IT and OT. And it all ran under a ceasefire, when everyone had been told the fighting was over. That’s not a coincidence. It’s the doctrine.
Our IRT broke the whole thing down, with GRAT IOCs and a YARA rule:

Disclosure/write-up for CVE-2021-21735 affecting the ZTE ZXHN H168N V3.5.

The issue is cataloged as information disclosure, but the useful part is the authorization failure: wizard handlers under the setup surface exposed PPPoE and WLAN material that should have required authenticated configuration access. Firmware analysis points to a brittle whitelist decision around the QuickSetup flow, including routes such as wizard_pppoe_lua.lua and wizard_wlan_config_lua.lua.

The write-up keeps secrets redacted and focuses on the route behavior, firmware logic, deployment-dependent admin compromise path, disclosure timeline, and the ZTE Low vs NVD Medium severity split.

Overview: On May 24, 2026, the data breach notification service Have I Been Pwned (HIBP) integrated a dataset originating from an April 2026 extortion campaign targeting 7-Eleven. The breach, attributed to the threat actor group ShinyHunters, compromised 185,300 unique accounts and resulted in a 9.4GB cleartext data dump following the organization's refusal to comply with ransom demands.

Attack Vector & Targeted Infrastructure

The initial compromise occurred on or around April 8, 2026. Forensic indicators and lateral movement tracking indicate the threat actors did not target point-of-sale (POS) networks or central customer-facing databases. Instead, the breach was localized to external cloud-managed systems - specifically infrastructure dedicated to corporate franchisee document management and onboarding portals.

The vector aligns with recent ShinyHunters operational methodology involving targeted credential harvesting, session hijacking, and the exploitation of permissive API keys within integrated third-party identity management providers.

Data Profile & Exfiltrated Schemas

Following a failed extortion deadline set by the actors between April 17 and April 21, the full 9.4GB archive was leaked to the public internet. The schema validation confirms that the compromised database contains:

• Primary PII: Full names, verified email addresses, mobile and landline telephone numbers, and residential physical addresses.
• Sensitive Administrative Records: Dates of birth and corporate filing metadata.
• Vetting Documentation: A subset of the leaked files contains sensitive background check documentation, including Social Security Numbers (SSNs) and state-issued identification numbers submitted during the franchise application phase.

Operational Timeline

• 2026-04-08: Detection of unauthorized access to the franchisee document storage cluster.
• 2026-04-17: ShinyHunters list 7-Eleven on their public Tor leak site, establishing a 4-day payment window.
• 2026-04-22: Following 7-Eleven's administrative refusal to negotiate or pay the extortion fee, the actors published the complete unencrypted archive.
• 2026-05-24: Complete data ingestion, de-duplication, and formal verification completed by HIBP.

Technical Analysis & Core Metrics

The incident highlights a persistent trend where threat actors deliberately target non-production, administrative, or third-party adjacent business environments to bypass hardened perimeter controls protecting primary consumer data.