Robinhood TOAD Campaign

The NJCCIC observed multiple Telephone-Oriented Attack Delivery (TOAD) emails targeting New Jersey State employees. Threat actors use email spoofing to make the email appear to come from the legitimate robinhood[.]com. The email header information reveals the sender’s hostname as v[number][.]megaserve[.]de, a domain used by netcup. This legitimate German web hosting provider assigns default names to its Virtual Private Servers (VPS). In this TOAD campaign, threat actors utilize an inexpensive VPS to spoof Robinhood in the “From” field and send thousands of emails. Although they successfully spoofed the Robinhood domain, the threat actors cannot hide the server that sent the emails. The threat actors rely on their targets to see “Robinhood” and not the megaserve[.]de server name hidden in the headers.
These urgent emails impersonate Robinhood and claim that a new login attempt has been detected on the target’s account. They include a phone number to call Customer Support if the login is not recognized. If called, threat actors trick their targets into divulging sensitive information or downloading remote access software to commit further malicious activity.
Legitimate Robinhood phone support is only available through a callback request made inside the official app or website. Robinhood will send a push notification when you are next in line, including the exact phone number a representative will call you from, so you can verify it on your caller ID. Robinhood will never ask you to call a phone number to “authorize” a new device, ask for your password or multi-factor authentication (MFA) code, or request that you download software or transfer funds.
Recommendations
Exercise caution with communications from known senders or legitimate platforms.

Navigate directly to legitimate apps or websites and verify before submitting account credentials, providing personal or financial information, or downloading files.

Enable MFA and keep systems and browsers up to date. If threat actors gain remote access, disconnect from the internet and run anti-virus/anti-malware scans.

If sensitive information was entered, change passwords for compromised accounts, use the “Log out of all other sessions” feature in the real Robinhood app, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.

Forward the entire email (including headers) to report this phishing scam to Robinhood (reportphishing@robinhood.com) and report abuse to the hosting provider (abuse@netcup.de).

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

Unusual Activity Detected

The NJCCIC observed a significant increase in phishing campaigns impersonating security alerts about unusual account activity, including warnings about credential loss and account access. These emails use a subject line of “No Reply” and spoofed addresses, which makes the message appear to be sent from the recipient’s email address. Two links are provided in the body of the email, prompting the user to either verify their identity or change their password.

When a link is clicked, users are directed to a phishing website that resembles a Microsoft support page and displays pop-up notifications mimicking a Microsoft Defender security alert. This “security alert” claims that infected files were found on the system and cannot be removed due to group policy permissions. The pop-up notification offers the option to scan the system now or call the provided phone number. Calling the number connects the user with the threat actors behind the campaign, who may attempt to persuade the user to install malicious software, provide their credentials, or grant remote access. The social engineering tactics used in this phishing campaign are a common way for attackers to gain their targets’ trust.
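The header indicators described in the Robinhood TOAD alert (a “From” domain that does not match the megaserve.de host that actually handed the mail in) and in the “Unusual Activity” alert (a “From” address equal to the recipient’s own) can be checked mechanically. The script below is an added example, not NJCCIC code; it also generalizes to a Reply-To domain that differs from the From domain. All hostnames, addresses and IPs in it are constructed placeholders, and its registered-domain logic is a deliberate simplification.

```python
"""Spoofing-indicator checks on raw email headers (added example, not NJCCIC code).

Checks drawn from the two alerts above: (1) From domain vs. the host that first
handed the message in, the earliest Received: hop, as in the robinhood.com vs.
megaserve.de mismatch; (2) From identical to the recipient, as in the "No Reply"
lure; (3) Reply-To domain differing from From (a generalization). Every
hostname, address and IP below is a constructed placeholder.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Simplification: multi-label public
    suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value: str) -> str:
    """Domain part of an address header value such as From or Reply-To."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def originating_host(msg) -> str:
    """Each relay prepends its own Received: header, so the LAST one is the
    hop that first accepted the message, i.e. the sender's real server."""
    for hop in reversed(msg.get_all("Received") or []):
        match = RECEIVED_FROM.match(str(hop))
        if match:
            return match.group(1).lower()
    return ""


def analyze_headers(raw: str) -> list[str]:
    """Return the spoofing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    from_dom = addr_domain(from_hdr)
    origin = originating_host(msg)
    # 1. Display domain vs. the server that really injected the message.
    if origin and from_dom and registered_domain(origin) != registered_domain(from_dom):
        findings.append(f"From domain {from_dom} but originating host is {origin}")
    # 2. Sender spoofed as the recipient's own address.
    _, from_addr = parseaddr(from_hdr)
    _, to_addr = parseaddr(str(msg.get("To", "")))
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append(f"From equals To ({from_addr}): sender spoofed as recipient")
    # 3. Replies routed to a different domain than the claimed sender.
    reply_dom = addr_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed sample modelled on the Robinhood TOAD lure: the From header
# claims robinhood.com, but the first hop is a netcup VPS default hostname.
TOAD_SAMPLE = """\
Received: from mx.example.gov (mx.example.gov [192.0.2.10])
 by inbox.example.gov with ESMTP; Mon, 2 Feb 2026 09:00:00 -0500
Received: from v99999.megaserve.de (v99999.megaserve.de [203.0.113.5])
 by mx.example.gov with ESMTP; Mon, 2 Feb 2026 08:59:58 -0500
From: Robinhood <no-reply@robinhood.com>
To: employee@example.gov
Subject: New login attempt detected

Call support if you do not recognize this login.
"""

# Constructed sample modelled on the "Unusual Activity" lure: From is the
# recipient's own address; the outside relay also fails check 1.
SELF_SPOOF_SAMPLE = """\
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
 by mx.example.gov with ESMTP; Mon, 2 Feb 2026 09:05:00 -0500
From: employee@example.gov
To: employee@example.gov
Subject: No Reply

Unusual sign-in activity. Verify your identity or change your password.
"""

if __name__ == "__main__":
    print(analyze_headers(TOAD_SAMPLE), analyze_headers(SELF_SPOOF_SAMPLE))
```

Run it against the raw source of a suspicious message (most mail clients offer “show original” or “view headers”); a single finding is a prompt to verify through official channels, not proof of fraud, since legitimate bulk senders also use third-party relays.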
Recommendations
Exercise caution with unsolicited communications from known senders.

Confirm requests from senders by verifying their contact information obtained from trusted and official sources before taking action, such as opening attachments or clicking links.

Hover over links in emails or attachments to view the actual destination URL before clicking.

Type official website URLs into browsers manually and only submit sensitive information on official websites.

If you suspect an account has been compromised, change the account’s password immediately and add a secondary authentication method.

Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.

Enable multi-factor authentication (MFA) and keep systems and browsers up to date.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

MS-ISAC CYBERSECURITY ADVISORY – A Vulnerability in Dell RecoverPoint for Virtual Machines Could Allow for Arbitrary Code Execution – PATCH: NOW

A vulnerability has been discovered in Dell RecoverPoint for Virtual Machines which could allow for arbitrary code execution. Dell RecoverPoint for Virtual Machines is an enterprise-grade solution for VMware Virtual Machines (VMs) enabling local, remote, and concurrent local and remote replication with continuous cyber resilience for on-premises recovery to any point-in-time (PiT).

Successful exploitation of the vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
Dell has received a report from Google/Mandiant of limited active exploitation of this vulnerability.

SYSTEMS AFFECTED:

  • RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in Dell RecoverPoint for Virtual Machines which could allow for arbitrary code execution. Details of the vulnerability are as follows:

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):

  • Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. (CVE-2026-22769)

Successful exploitation of the vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Dell to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

REFERENCES:
Dell:
https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079

Google/Mandiant:
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22769

There’s No Pot of Gold at the End of These Lures

The NJCCIC has observed a phishing campaign using multiple lures to capture Google credentials. These emails claim to be hotel reservations, job opportunities, or invitations to digital workspaces, and have subjects such as:
  • Reservation Confirmed
  • Mountain Time Vacation Rentals
  • You Have Been Granted Access to the CW Digital
  • Marketing Workspace Opportunity
  • Social Media Manager at Samsung Electronics
  • Confirmation of Your Reservation at Deep Creek Hotels

The messages include a link that, after completing a CAPTCHA, directs users to a Google Sites page displaying a fake Google login prompt. Credentials entered on this page are stolen, along with 2FA tokens and session cookies. The campaign uses the Adversary-in-the-Middle (AiTM) technique, leveraging the synchronous relay capabilities of the Tycoon Phishing-as-a-Service (PhaaS) platform to capture credentials in real time.

Recommendations
Exercise caution with communications from known senders or legitimate platforms.

Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.

Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.

Enable multi-factor authentication (MFA) and keep systems and browsers up to date.

If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

Increase in Malware-Enabled ATM Jackpotting Incidents Across United States

The Federal Bureau of Investigation (FBI) released this FBI Liaison Alert System (FLASH) to disseminate indicators of compromise (IOCs) and technical details associated with malware-enabled ATM jackpotting.
Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction. The FBI has observed an increase in ATM jackpotting incidents across the United States. Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them, with more than $20 million in losses, occurred in 2025 alone.
This FBI FLASH provides technical details, IOCs, and recommended mitigations. It is being provided to encourage organizations to implement the recommended mitigation steps, to outline the information requested from the public, and to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Administrative Note
The information in this document is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors. The FBI does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI.

Celebrating Two Years of CSF 2.0!

Today marks two years since the publication of the Cybersecurity Framework (CSF) 2.0!

Published in 2024, the CSF 2.0 included the addition of a Govern Function, increased emphasis on cybersecurity supply chain risk management, updated categories and subcategories to address current threat and technology shifts, and expansion into a suite of resources designed to make the CSF 2.0 easier to consume and put into practice—enabling organizations to better manage and reduce their cybersecurity risk.

The CSF 2.0 has been widely embraced by millions of organizations of all sizes and sectors around the globe and continues to be the most downloaded NIST technical publication (with over 3 million views and downloads, to date). The team has been hard at work the last two years…

Read the Blog

Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems

The Cybersecurity and Infrastructure Security Agency (CISA) issued an Alert and Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems in response to cyber threat actors’ observed exploitation of Cisco Software-Defined Wide-Area Networking (SD‑WAN) systems. While only federal agencies are required to implement CISA Emergency Directives (EDs), the risks extend to every organization and sector using these systems. All organizations are strongly urged to review and adopt the actions outlined in the ED and associated resources.
CISA and partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems of organizations, globally. These threat actors have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems. CISA has added both of these CVEs to its Known Exploited Vulnerabilities (KEV) Catalog.
In addition to the Alert and ED, CISA is also sharing additional resources to support mitigation efforts:
  • Cisco SD-WAN Threat Hunt Guide: Developed in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre, the US National Security Agency, and global partners, this guide supports network defenders in detecting and responding to malicious activity targeting SD-WAN systems.
  • Cisco Catalyst SD-WAN Hardening Guidance: This guidance, developed by Cisco, provides actionable mitigations for network defenders to strengthen and secure SD-WAN networks.
CISA and partners strongly urge network defenders to immediately:
  • inventory all in-scope Cisco SD-WAN systems;
  • collect artifacts, including virtual snapshots and logs, off of SD-WAN systems to support threat hunt activities;
  • fully patch Cisco SD-WAN systems with available updates;
  • hunt for evidence of compromise, and concurrently review Cisco’s latest security advisories, Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and Cisco Catalyst SD-WAN Vulnerabilities; and
  • implement Cisco’s SD-WAN Hardening Guidance.

Survey Says…Scam!

The NJCCIC observed a phishing campaign that impersonates several brands, claiming to be invitations to a feedback survey with an exclusive prize for completing it. These phishing emails contain links that use URL shorteners to obfuscate the true malicious destinations, and have subjects such as:
  • Marriott Luxury Pillows 2-piece set from Marriott
  • Car emergency kit Winner Announcement!
  • Claim Your Free Stanley Tool Set from Harbor Freight
  • Claim Your Free Nespresso Vertuo Next Deluxe with Aeroccino 3 and 32 Capsules
Upon clicking the provided link, users are redirected to a feedback survey. If completed, they are given the option to claim a reward for their time. The site alleges that a prize is available for free, provided shipping costs are paid. The page also includes comments that appear to be from others who have already claimed this deal. The campaign asks for address information and payment details to complete the order. It also states that there is limited stock available and that only a few minutes remain before the offer is gone, creating a sense of urgency to act.
Recommendations
Avoid clicking links and opening attachments in unsolicited emails.

Confirm requests from senders via contact information obtained from verified and official sources.

Users should only submit payment and personal information on official websites.

Maintain robust and up-to-date endpoint detection tools on every endpoint.

Consider leveraging behavior-based detection tools rather than signature-based tools.

Users who submitted payment information to these webpages are advised to contact their banking institutions to report the fraudulent purchases.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

The Great Remote Job Rip-Off

Threat actors continue to impersonate recruiters and employers to target potential job seekers with fake or unrealistic remote job offers. They often send unsolicited emails or text messages that promise high pay for little work, require payment to get a job or training, lure targets with bad checks to buy fake work equipment or supplies, involve repackaging or shipping items often purchased with stolen credit cards, or request personal data, leading to financial loss and identity theft. Over the past month, the NJCCIC has observed an increase in remote job scams targeting New Jersey State employees and residents.

Threat actors are targeting New Jersey State employees in this latest job scam. They claim to represent Human Resources for an organization that is not the same as the sender’s domain. Another red flag is that the reply-to email address is in the body of the email and does not match the sender’s email address. They offer an unrealistic part-time remote job opportunity targeting US and Canadian residents and use a generic “Dear Applicant” greeting.

In another campaign, threat actors impersonate an educational institution to encourage their targets to apply for a remote job. Instead of using the official educational institution’s domain, the emails are sent from a Gmail account to multiple New Jersey State employees in the BCC field and use a generic “Dear Students” greeting. Threat actors claim a quick turnaround to convince their targets to act quickly and apply by stating that applications will be reviewed within two to 24 hours. If the “CLICK HERE TO APPLY” link is clicked, targets are directed to a Microsoft Forms page to capture sensitive information. Additionally, the copyright symbol at the bottom of the email is hyperlinked to a Microsoft phishing page to steal account credentials.

In another campaign, threat actors claim to be recruiters expressing interest in the target’s resume for an interview for the purported remote position. The email is sent to multiple recipients and claims to be an Indeed interview invitation. Legitimate Indeed communications are more customized and formal and are sent directly through the Indeed account. The threat actors request that the target contact Human Resources for more information about the interview process via Signal by clicking on the link. Legitimate companies or recruiters typically do not conduct interviews through such instant messaging platforms.

Threat actors continue to target unsuspecting job seekers via text messages, initiating unsolicited conversations about potential job opportunities. The message outlines the position’s benefits, including flexible hours, competitive earnings, remote work opportunities, training, and requirements. If the target responds with “Yes,” the threat actors send a phishing link or attempt to persuade them to continue the conversation on a different platform to disclose their personal information, such as a Social Security number (SSN), a photo of their driver’s license, and banking information, supposedly to set up direct deposit.
The NJCCIC also received reports of threat actors impersonating a recruiter from hire-desk[.]com. The malicious email contains a Calendly scheduling link and a Google Meet invitation link. Calendly links are used in phishing campaigns to direct targets to malicious websites that request sensitive information or account credentials. Google Meet users can join meetings on mobile phones or tablets via the Google Meet app, or they can connect from their computer browser, as the software does not require installation. The red flag in this campaign is the Google Meet link that prompts the target to install a “GoogleMeetSetup[.]exe” file, disguised as a remote monitoring and management (RMM) tool. This trojanized installer is used for initial access and persistence to commit further malicious activity.
Recommendations
Exercise caution with unsolicited communications from unknown senders or legitimate organizations and platforms.

Confirm requests from senders using contact information obtained from verified and official sources before taking action, such as clicking links or opening attachments or files.

Consider contacting the company’s human resources department to verify if the job offer is legitimate and if the person is indeed employed there.

Type official website URLs into browsers manually and only submit sensitive information on official websites.

Be careful when posting your resume publicly, as this information can be misused to exploit you.

Refrain from job offers that do not involve a phone or video interview, lack specific duties and company information, and create a sense of urgency and pressure to provide personal information quickly.

Keep systems and browsers up to date. Ignore and block suspicious emails and phone numbers.

Report malicious cyber activity to the NJCCIC, the FBI’s IC3, and the FTC.

Webinar on 1/23 | Introduction to Draft NIST IR 8587

Public Webinar: NIST IR 8587, Protecting Tokens and Assertions from Forgery, Theft, and Misuse (Initial Public Draft)

Date: January 23, 2026
Time: 12:00 – 1:00 PM ET

This free live webinar, hosted by NIST and the Cybersecurity and Infrastructure Security Agency (CISA), introduces the recently released initial public draft of NIST Interagency Report 8587, “Protecting Tokens and Assertions from Forgery, Theft, and Misuse.” During the webinar, the Report’s authors will walk through key implementation guidance aimed at federal agencies and cloud service providers (CSPs) to secure identity tokens and assertions against forgery, theft, and misuse.

This information is especially relevant for identity and access management professionals, federal IT teams, and CSPs serving government clients, as it addresses critical vulnerabilities in modern cloud and federated identity systems.

Feedback Sought

During this event, we will familiarize the audience with the draft Report and encourage written feedback during the open comment period (closing on January 30, 2026). We encourage broad input from government and industry stakeholders and are specifically hoping for feedback on:

  • Signing Key Validity Periods
  • Token Validity Periods
  • Key Protection and Isolation
  • Key Scoping
  • Emerging Standards

Attending the webinar is a great opportunity to prepare informed comments before the deadline. We look forward to seeing you there!

Learn More & Register