Construction
Breach intelligence, attack campaigns, and threat reports targeting the Construction sector.
Construction Threat Reports
NetSPI's Social Engineering Assessment: Reporter Impersonation Phishing Attack
In a recent social engineering assessment, NetSPI's team simulated a targeted phishing attack against a client's executive leadership. By impersonating a journalist inquiring about alleged environmental violations, the team crafted a compelling pretext that led an executive to engage with a malicious link. This engagement not only compromised the executive but also extended to external contractors, highlighting the cascading risks of such attacks. The incident underscores the effectiveness of sophisticated social engineering tactics in bypassing traditional security measures and the critical need for comprehensive employee training and clear protocols for handling unsolicited inquiries. As social engineering attacks become increasingly sophisticated, organizations must prioritize regular security awareness training and establish clear procedures for verifying external communications to mitigate the risk of such breaches.
1 week ago
'Lorem Ipsum' Malware Shifts to ClickFix Delivery in 2026
In May 2026, the operators of the 'Lorem Ipsum' malware campaign transitioned from using Trojanized Microsoft Teams installers to employing ClickFix lures hosted on compromised WordPress sites. This shift followed Microsoft's takedown of the Fox Tempest infrastructure, which had previously supplied the attackers with fraudulent Microsoft Trusted Signing certificates. The new delivery method involves fake browser update notifications that prompt users to execute malicious PowerShell commands, leading to the silent installation of the malware. This change significantly broadens the potential victim pool, as any visitor to the compromised sites is now at risk. The 'Lorem Ipsum' campaign is now believed to be linked to the Vice Society ransomware group, also known as Rapid Brigantine or Vanilla Tempest. Vice Society has a history of targeting sectors such as education, healthcare, and manufacturing, employing double extortion tactics by encrypting data and threatening to leak it unless a ransom is paid. The group's ability to rapidly adapt its delivery methods in response to disruptions underscores the evolving nature of cyber threats and the importance of robust, adaptive cybersecurity measures.
1 week ago
Yarbo Mobile App Vulnerabilities Expose Robot Fleet to Remote Control
In June 2026, critical vulnerabilities were identified in Yarbo's Android and iOS mobile applications and cloud infrastructure. These flaws included hard-coded MQTT broker credentials and inadequate authorization controls, allowing unauthorized access to telemetry data and remote command execution on Yarbo's robotic devices. Exploitation of these vulnerabilities could lead to unauthorized control over the robot fleet and exposure of sensitive user information. Yarbo has since released updates to address these issues, urging users to update their applications to version 3.17.4 or later. This incident underscores the persistent risks associated with hard-coded credentials and misconfigured cloud services in IoT devices. As the adoption of connected devices continues to rise, ensuring robust security measures and regular updates is crucial to prevent unauthorized access and potential exploitation.
1 week ago
OceanLotus Targets Vietnamese Investors via FireAnt Metakit Supply Chain Attack
Between mid-2024 and March 2026, the Vietnam-aligned threat actor OceanLotus (APT32) conducted cyber espionage campaigns targeting domestic entities. Notably, from October 2025 to March 2026, they executed a supply chain attack by compromising the update mechanism of FireAnt Metakit, a widely used stock investment platform in Vietnam. This allowed them to distribute the SPECTRALVIPER backdoor to a select group of investors, facilitating unauthorized access and data exfiltration. This incident underscores a strategic shift by OceanLotus towards domestic targets, highlighting the evolving threat landscape where nation-state actors exploit trusted software supply chains to infiltrate critical sectors. Organizations must enhance their software supply chain security and implement robust monitoring to detect such sophisticated attacks.
2 weeks ago
Critical Vulnerability in ABB EIBPORT Devices Disclosed
In May 2026, ABB disclosed a critical vulnerability in its EIBPORT V3 KNX and KNX GSM devices, versions prior to 3.9.2. The flaw, identified as CVE-2021-22291, is a cross-site scripting (XSS) vulnerability that could allow attackers to access sensitive information and alter device configurations. ABB has released firmware updates to address this issue and recommends immediate application to mitigate potential risks. This incident underscores the persistent threat of web-based vulnerabilities in industrial control systems, emphasizing the need for continuous monitoring and timely patch management to protect critical infrastructure from evolving cyber threats.
3 weeks ago
Anodot Data Breach 2026: A Case Study in Supply Chain Vulnerabilities
In April 2026, Anodot, a business monitoring software provider, experienced a significant data breach when attackers exploited authentication tokens to access customer cloud data. The cybercriminal group ShinyHunters claimed responsibility, leading to data theft from at least a dozen companies, including Rockstar Games. This incident underscores the vulnerabilities in third-party service providers and the cascading risks to their clients. The breach highlights a growing trend where threat actors target software vendors to gain access to multiple organizations simultaneously. Such supply chain attacks necessitate enhanced security measures and vigilance among businesses relying on external service providers.
4 weeks ago
Cybercriminals Exploit Government Data in Latin America: The 2026 Antel Breach
In May 2026, the cybercriminal group La Pampa Leaks claimed to have breached Uruguay's government-sponsored identity service, TuID, managed by the state-owned telecommunications company Antel. The attackers alleged prolonged access to the platform's infrastructure, potentially exposing sensitive personal data of Uruguayan citizens, including identification numbers, full names, birth dates, email addresses, phone numbers, residential addresses, biometric information, and digital signature data. Antel confirmed the cyberattack but stated that authentication credentials and highly sensitive data remained uncompromised. Immediate containment measures were implemented, and the incident was reported to the relevant authorities. This incident underscores a growing trend in Latin America, where cybercriminals increasingly target government agencies to monetize citizen data. The public-administration sector in the region has become the most-breached industry in the past year, highlighting the urgent need for enhanced cybersecurity measures and regulatory compliance to protect sensitive information.
4 weeks ago
Critical Vulnerability in Carlson VASCO-B GNSS Receiver (CVE-2026-3893)
In April 2026, a critical vulnerability (CVE-2026-3893) was identified in Carlson Software's VASCO-B GNSS Receiver versions prior to 1.4.0. This flaw, due to missing authentication mechanisms, allows remote attackers to alter system configurations and disrupt device operations without requiring credentials. The vulnerability has a CVSS score of 9.4, indicating its severity, and primarily affects the Critical Manufacturing sector globally. ([socdefenders.ai](https://www.socdefenders.ai/item/3f9fa938-de90-494a-99b5-bc0ba05499a8?utm_source=openai)) The incident underscores the importance of securing GNSS receivers, which are integral to infrastructure operations. Organizations are advised to update to version 1.4.0 or later, minimize network exposure of control systems, implement firewalls, and use secure remote access methods like VPNs to mitigate potential risks. ([socdefenders.ai](https://www.socdefenders.ai/item/3f9fa938-de90-494a-99b5-bc0ba05499a8?utm_source=openai))
2 months ago
Unveiling 'fast16': The Earliest Known Cyber Sabotage Tool
In April 2026, SentinelOne researchers uncovered 'fast16,' a previously undocumented malware framework dating back to 2005. This sophisticated tool was designed to subtly corrupt high-precision mathematical computations in engineering and scientific software by introducing near-imperceptible errors. The malware employed a 'cluster munition' delivery mechanism, deploying multiple 'wormlets' to propagate the main payload across target environments by exploiting vulnerabilities. This discovery predates the infamous Stuxnet by at least five years, marking 'fast16' as the earliest known cyber weapon aimed at sabotaging critical infrastructure through data integrity manipulation. The revelation of 'fast16' underscores the longstanding and evolving nature of state-sponsored cyber sabotage. It highlights the necessity for organizations, especially those handling sensitive and high-precision computations, to implement robust security measures and maintain vigilance against sophisticated threats that may have been active undetected for extended periods.
1 month ago
Black Basta Affiliates Resurface with Targeted Social Engineering Attacks in 2026
In April 2026, a group of former Black Basta affiliates initiated a sophisticated social engineering campaign targeting over 100 employees across multiple organizations. The attackers employed mass email bombing and impersonated IT support via Microsoft Teams to gain unauthorized access to networks, aiming for data theft, ransomware deployment, and extortion. Notably, approximately 75% of the targets were senior executives, directors, and managers, indicating a strategic focus on high-privilege accounts. ([cyberscoop.com](https://cyberscoop.com/black-basta-affiliates-senior-executives-reliaquest/?utm_source=openai)) This resurgence underscores the persistent threat posed by disbanded cybercriminal groups reassembling or reusing effective tactics. The campaign's rapid execution and automation highlight the evolving sophistication of social engineering attacks, emphasizing the need for organizations to bolster their cybersecurity defenses and employee awareness programs. ([cyberscoop.com](https://cyberscoop.com/black-basta-affiliates-senior-executives-reliaquest/?utm_source=openai))
2 months ago
FBI Issues Warning on Phishing Attacks Impersonating Local Government Officials
In March 2026, the FBI issued a warning about a phishing campaign where criminals impersonated U.S. city and county officials to target individuals and businesses applying for land-use permits. The attackers used publicly available information to craft convincing emails, instructing victims to pay fraudulent fees via wire transfer, peer-to-peer payment, or cryptocurrency. This scheme exploited the victims' trust in official communications, leading to financial losses and potential exposure of sensitive information. This incident underscores a growing trend of cybercriminals leveraging publicly accessible data to enhance the credibility of their phishing attacks. The increasing sophistication of such schemes highlights the urgent need for heightened vigilance and robust verification processes in all interactions involving sensitive transactions.
3 months ago
ManoMano Data Breach 2026: Lessons in Third-Party Risk Management
In January 2026, French DIY e-commerce giant ManoMano experienced a significant data breach affecting approximately 38 million customers. The breach occurred when hackers compromised a third-party customer service provider, leading to unauthorized access to personal data, including full names, email addresses, phone numbers, and customer service communications. Notably, account passwords and financial information remained secure, as they were not stored with the subcontractor. Upon discovery, ManoMano promptly disabled the compromised account, initiated an internal investigation, and notified relevant authorities, including CNIL and ANSSI. The company also established a dedicated helpline for affected customers and issued warnings about potential phishing attempts leveraging the stolen data. This incident underscores the critical importance of securing third-party service providers, as supply chain vulnerabilities can lead to substantial data breaches. Organizations must rigorously assess and monitor the security practices of their subcontractors to prevent similar incidents. Additionally, customers are advised to remain vigilant against phishing attempts and verify the authenticity of communications purportedly from ManoMano or its partners.
3 months ago