Connect with us

CyberSecurity

The Verification Step Is the New ATO Battleground in 2026

Published

on

ATO battleground

The Old Playbook Is Dying

For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood.

That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in.

Passkeys are now mainstream. Major platforms like Apple, Google, and Microsoft have rolled out passwordless authentication at scale. The old credential-stuffing attack — hammering login forms with reused passwords — no longer works against passkey-protected accounts. So attackers adapted.

Where the ATO Battleground Shifted

The new ATO battleground in 2026 is the verification step itself. Attackers realized that even if they can’t steal a passkey, they can still intercept or bypass the verification process — the SMS code, the email link, the push notification, or the biometric check. That’s where the real action is now.

This isn’t theoretical. In early 2025, a coordinated campaign targeted SIM swapping at three major US carriers, netting access to thousands of accounts protected by SMS-based two-factor authentication. The attackers didn’t break the passkey; they intercepted the verification code sent to the compromised phone number.

Why Verification Became the Weak Link

Passkeys eliminate password theft, but they don’t eliminate the verification step. Every authentication flow still needs to confirm the user is who they claim to be. That confirmation — the one-time code, the biometric scan, the device prompt — is now the primary target.

  • SMS-based codes are vulnerable to SIM swapping and SS7 attacks.
  • Email-based verification is only as strong as the email account’s security.
  • Push notifications can be intercepted by malware on the device.
  • Biometric checks are harder to bypass but not impossible with deepfake technology or stolen biometric data.

Each method has its own weaknesses. Attackers are now specializing in exploiting those specific cracks rather than trying to crack the passkey itself.

Real-World Examples of the New Attack Pattern

In late 2025, researchers at Kaspersky documented a phishing campaign that didn’t target passwords at all. Instead, it tricked users into approving a fraudulent push notification on their authenticator app. The attackers sent a fake login alert, the user approved it thinking it was legitimate, and the attacker gained access — bypassing the passkey entirely.

Another case: a financial services firm in London saw a spike in ATO attempts in Q1 2026. The attackers had obtained phone numbers through a data broker breach and were systematically requesting password resets. The verification code went to the attacker’s SIM, not the user’s. The passkey never came into play.

These aren’t isolated incidents. They represent a structural shift in the threat landscape. The ATO battleground has moved from the password field to the verification step.

What This Means for Defenders in 2026

Organizations that invested heavily in passkey adoption may feel a false sense of security. Passkeys are excellent at preventing credential stuffing, but they don’t protect the verification channel. Defenders need to rethink their authentication architecture with this new reality in mind.

Here are three practical steps to harden the verification step:

  1. Eliminate SMS-based verification where possible. Move to app-based authenticators or hardware security keys. SMS is convenient but increasingly risky.
  2. Add behavioral signals to the verification flow. Check for unusual device fingerprints, location anomalies, or time-of-day mismatches before sending a verification code. If something feels off, require a second verification method.
  3. Implement step-up authentication for sensitive actions. A simple verification code might be fine for logging into a news site, but changing a password or initiating a money transfer should require a separate, stronger verification.

The verification step is the new front line. Treat it that way.

The Bigger Picture: Authentication in 2026

Passkeys solved one problem — password theft — but created a new one: the verification step became the single point of failure. Attackers follow the path of least resistance. When the front door gets harder, they check the side windows.

This doesn’t mean passkeys were a mistake. Far from it. They’ve eliminated the most common and cheapest attack vector. But cybersecurity is a game of whack-a-mole. Close one hole, and attackers find another.

The verification step is that next hole. It’s the ATO battleground in 2026, and defenders who ignore it will find themselves playing catch-up. The passkey era is here. The verification era is just beginning.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Fresh SharePoint Vulnerability Exploited Within Days of Disclosure – CISA Adds to KEV Catalog

Published

on

SharePoint vulnerability exploited

Attackers Waste No Time Exploiting Critical SharePoint Flaw

Threat actors have already started exploiting a freshly patched, critical-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, prompting urgent action from the US cybersecurity agency CISA. The flaw, tracked as CVE-2026-58644, carries a CVSS score of 9.8 and was fixed as part of Microsoft’s July 2026 Patch Tuesday updates.

Microsoft describes the issue as a deserialization of untrusted data vulnerability. In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server.

CISA Adds SharePoint Vulnerability to KEV Catalog

On Thursday, just two days after Microsoft warned about the risk, CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog. This move triggers a mandatory three-day patching deadline for all US federal agencies under Binding Operational Directive (BOD) 26-04.

Microsoft had not initially flagged the flaw as exploited. However, the company later updated its advisory to confirm that exploitation was detected in the wild and revised the CVSS score accordingly.

Other SharePoint Bugs and Fortinet Flaws Also Under Fire

The July 2026 Patch Tuesday release also addressed several other SharePoint defects. Among them was CVE-2026-56164, which Microsoft had previously marked as exploited as a zero-day. Another critical weakness, CVE-2026-55040, is a security bypass that could allow attackers to disclose files and modify data.

Alongside the SharePoint vulnerability, CISA added two OS command injection flaws in Fortinet FortiSandbox to the KEV list: CVE-2026-25089 and CVE-2026-39808. Both were patched in June and April, respectively. These bugs allow attackers to execute arbitrary code or commands on vulnerable appliances. Exploit intelligence company Defused flagged both as exploited in the wild in mid-June.

Federal Agencies on the Clock

Under BOD 26-04, federal agencies are required to patch all three exploited vulnerabilities within three days. The directive aims to reduce the attack surface of government networks by mandating rapid remediation of known exploited flaws.

What This Means for Enterprise Security Teams

The speed of exploitation — within days of disclosure — underscores a troubling trend. Attackers are increasingly scanning for and weaponizing newly patched vulnerabilities before many organizations can apply updates. For security teams, this means the window for patching critical flaws is shrinking.

Enterprises that use SharePoint Online may be less at risk if Microsoft applies patches automatically. However, organizations running on-premises SharePoint Server instances should prioritize testing and deploying the July 2026 security updates immediately.

Broader Context: A Busy Patch Cycle

Microsoft’s July 2026 Patch Tuesday was unusually heavy, addressing a record number of vulnerabilities. The company patched 622 flaws, including two exploited zero-days. The SharePoint RCE bug was one of several critical issues that demanded immediate attention.

Beyond SharePoint and Fortinet, other vendors also pushed critical fixes. Splunk and Zoom patched critical vulnerabilities in their products, while F5 addressed multiple flaws in NGINX and BIG-IP. The pace of disclosures and exploits shows no signs of slowing.

Recommendations for CISOs and IT Admins

  • Patch immediately: Apply the July 2026 SharePoint security update across all on-premises servers. Treat CVE-2026-58644 as an active threat.
  • Check FortiSandbox appliances: Ensure that firmware updates for CVE-2026-25089 and CVE-2026-39808 are installed. These flaws are already being exploited.
  • Monitor CISA’s KEV catalog: Bookmark the list and integrate it into your vulnerability management process. BOD 26-04 may not apply to your organization, but the catalog is a reliable indicator of active threats.
  • Review access controls: The SharePoint flaw requires Site Owner-level authentication. Review who holds such privileges and consider tightening them where possible.

As the gap between disclosure and exploitation narrows, proactive patching is no longer just best practice — it’s survival. The attackers are watching the same Patch Tuesday announcements you are. The difference is they act faster.

Continue Reading

CyberSecurity

Signed Microsoft Driver Weaponized: ‘GodDamn’ Ransomware Unleashes BYOVD Attacks on US Firms

Published

on

GodDamn ransomware BYOVD

A Signed Driver Turns Into a Weapon

A new ransomware strain dubbed GodDamn is making headlines for a particularly nasty trick: it leverages a Microsoft-signed kernel driver to disable endpoint security software before deploying its payload. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), isn’t new—but the use of a legitimately signed driver makes it far harder to detect.

Security researchers at Trend Micro first spotted the campaign in late February 2025. The attackers are zeroing in on US-based organizations, including manufacturing firms, healthcare providers, and logistics companies. The goal? Disable defenses, steal data, and demand ransoms in cryptocurrency.

How BYOVD Turns a Signed Driver Into a Liability

BYOVD attacks work by exploiting a legitimate, signed kernel driver that contains a known vulnerability. In this case, the attackers use a driver signed by Microsoft that has a flaw allowing arbitrary code execution in kernel mode. Once loaded, the driver grants the ransomware the highest level of system access—ring 0—which lets it kill antivirus processes, delete backup files, and disable monitoring tools without triggering alerts.

The signed driver bypasses many security checks because the operating system trusts it. The attackers don’t need to exploit a zero-day; they just repurpose a driver that Microsoft already approved. This is the core of the BYOVD threat: the very mechanism meant to ensure trust becomes the attack vector.

Why US Companies Are in the Crosshairs

Trend Micro’s telemetry shows that GodDamn ransomware has hit at least 12 US organizations in the past month. The attackers appear to prioritize firms with weak endpoint detection and response (EDR) deployments—often smaller manufacturers or mid-sized healthcare groups that can’t afford layered security. Ransom demands range from $50,000 to $500,000, with payments directed to Bitcoin wallets.

The ransomware doesn’t just encrypt files; it exfiltrates data first. If the victim doesn’t pay, the attackers threaten to leak sensitive information on dark web forums. This double-extortion tactic has become standard in the ransomware ecosystem, but the BYOVD component gives GodDamn an edge: it can disable even the most aggressive EDR tools before they react.

The Technical Breakdown: What Happens Inside

When GodDamn infects a system, it drops a legitimate signed driver (often a known utility like aswArPot.sys or a similar driver from a security vendor) along with a loader. The loader calls the Windows service control manager to load the driver, which then communicates with the kernel. From there, the ransomware enumerates running processes and terminates anything related to security software—including antivirus engines, firewalls, and backup agents.

After clearing the defenses, GodDamn downloads its encryption module from a remote server. It uses a hybrid encryption scheme: AES-256 for file encryption and RSA-2048 for key protection. The ransomware targets over 400 file extensions, including databases, documents, and virtual machine images. It also deletes Volume Shadow Copies to prevent recovery without the decryption key.

Microsoft’s Response: A Patch and a Warning

Microsoft has since revoked the certificate used to sign the vulnerable driver and pushed a Windows Defender update that blocks the specific driver hash. The company also updated its Driver Blocklist policy to prevent the driver from loading on fully patched systems. However, the broader issue remains: any signed driver with a known vulnerability can be weaponized.

Security experts at Mandiant have urged organizations to implement driver blocklist policies proactively. They recommend using tools like Microsoft’s Driver Blocklist Policy or third-party solutions that monitor for unauthorized kernel driver loads. The key is to treat kernel-level access as a critical threat surface—even if the driver comes with a Microsoft stamp of approval.

Defending Against BYOVD Ransomware

Protecting against attacks like GodDamn requires a multi-layered approach. Here are the most effective steps security teams can take right now:

  • Enable driver blocklisting: Use Microsoft’s recommended blocklist or a third-party tool to prevent known vulnerable drivers from loading. Update the list regularly as new vulnerabilities are disclosed.
  • Deploy EDR with behavioral detection: Traditional signature-based antivirus won’t catch BYOVD. Endpoint detection and response tools that monitor for abnormal kernel driver loading can flag the attack early.
  • Restrict driver installation: Configure Windows Group Policy to only allow signed drivers from approved publishers. This won’t stop the attack entirely, but it adds friction.
  • Implement the principle of least privilege: Limit administrative rights on endpoints. BYOVD attacks often require admin-level access to load the driver, so reducing the number of privileged users reduces the attack surface.
  • Use application control: Tools like Windows Defender Application Control (WDAC) can block unauthorized executables, including driver loaders, from running.

The Bigger Picture: Trust but Verify

The GodDamn ransomware campaign is a stark reminder that digital signatures are not a guarantee of safety. Attackers are increasingly weaponizing signed drivers, and the security community is playing catch-up. Microsoft has improved its driver submission process in recent years, but the sheer volume of signed drivers makes it impossible to vet every one for latent vulnerabilities.

For now, the best defense is a healthy dose of skepticism. Treat every kernel driver—signed or not—as a potential threat. Monitor for unusual driver loading, keep blocklists updated, and assume that a signed driver can be turned against you. The attackers certainly are.

Continue Reading

CyberSecurity

GitHub ‘Verified’ Commits Aren’t as Trustworthy as You Think — Here’s the Proof

Published

on

GitHub verified commits

The ‘Verified’ Badge You Trust May Be Fooling You

That little green “Verified” badge next to a GitHub commit? It’s supposed to mean the code came from a specific person and hasn’t been tampered with. New research shatters that assumption.

A security researcher has demonstrated that a signed Git commit’s hash — the unique fingerprint that identifies every commit — is not the one-of-a-kind name the software world assumes. Given any signed commit, someone without access to the signing key can mint a second commit with the same files, same author, same timestamp, and a valid signature. GitHub still stamps it “Verified.”

Everything a reviewer would check matches. The commit’s hash does not. And that matters a lot.

How the Attack Works: Colliding Commit Hashes

Git relies on SHA-1 hashes to uniquely identify each commit. The hash is computed from the commit’s contents: the tree (file structure), parent commits, author, date, and message. When you sign a commit with GPG or SSH, Git signs that hash.

Here’s the catch: the signature covers the hash, but the hash itself isn’t bound to the commit data in a cryptographically tamper-proof way. An attacker can craft a second commit that produces the same hash — a collision — with entirely different content. Because the signature validates the hash, not the content, the signature remains valid.

The researcher demonstrated this by taking a legitimate signed commit and creating a new commit with a completely different tree (different files, different code) that produces the exact same SHA-1 hash. The signature from the original commit still verifies. GitHub’s interface shows “Verified.” A human reviewing the commit sees a green checkmark and moves on.

What the Attacker Can (and Cannot) Do

This isn’t a theoretical paper exercise. The researcher published a working proof-of-concept tool. Here’s what the attack enables:

  • Swap code silently: An attacker can replace the files in a signed commit with malicious code while keeping the signature valid.
  • Impersonate trusted developers: If you’ve ever signed a commit, someone could take that signature and attach it to a different commit that looks like it came from you.
  • Bypass code review: A reviewer checks the signature badge, sees “Verified,” and approves the pull request. The actual code could be anything.

But there are limits. The attacker cannot change the commit author, date, or message — those are part of the hash computation. They can only swap the tree (the actual file contents). For many supply-chain attacks, that’s more than enough.

Why GitHub’s ‘Verified’ Badge Is Misleading

GitHub’s interface treats a valid signature as proof of integrity. The badge says “This commit was signed with a verified signature.” Most developers interpret that as: “This code is exactly what the author wrote and hasn’t been modified.”

That interpretation is wrong. The signature proves the hash is authentic. It does not prove the commit’s content matches what was signed. Git itself has no mechanism to bind the signature to the full commit data — only to the hash.

The researcher reported the issue to GitHub’s security team. GitHub acknowledged the behavior but classified it as working as designed, not a security vulnerability. The company noted that the attack requires an attacker to already have write access to the repository, and that repository administrators can enforce signed-commit requirements. But those mitigations don’t address the core problem: the signature badge is misleading.

What This Means for Software Supply Chain Security

This flaw matters most in automated supply-chain pipelines. Tools like Dependabot and Renovate check commit signatures as part of their trust model. A bot sees “Verified” and merges. An attacker with write access could inject malicious code through a signed commit that looks legitimate.

The same applies to CI/CD systems that validate signatures before deploying. If your pipeline trusts “Verified” as proof of integrity, you’re vulnerable.

How to Protect Yourself (Without Waiting for GitHub)

GitHub isn’t likely to change this behavior soon. In the meantime, here’s what you can do:

  • Don’t rely on the badge alone: Verify the actual commit content. Use git log --show-signature and compare the hash with the commit data.
  • Use signed tags instead of signed commits: Tags sign the full commit object, not just the hash. This attack doesn’t work against signed tags.
  • Pin exact commit hashes: In your dependency files, pin to specific commit hashes, not branches or tags. Verify the hash matches the expected content.
  • Audit your supply chain: Review which commits are signed and by whom. Look for commits with valid signatures but unexpected content.
  • Consider GitHub’s artifact attestations: GitHub’s newer attestation system binds signatures to the full repository state, not just the commit hash.

The green badge is convenient. It’s also a false sense of security. The hash is not the content, and a valid signature on a hash is not a valid signature on the code. Until Git or GitHub changes how signatures work, the “Verified” badge means less than you think.

Continue Reading

Trending