Archive for SOCRadar

Over 676 Million U.S. Identity Records Including SSNs Exposed by Public Elasticsearch Instance 

Posted in Commentary with tags on March 3, 2026 by itnerd

The SOCRadar threat intelligence team over the weekend identified a publicly accessible Elasticsearch instance containing over 676 million indexed U.S. identity records, including full SSNs and complete identity profiles.

The dataset was exposed to the internet without authentication, enabling unrestricted access to full identity attributes, including SSNs, dates of birth, historical address records, and phone numbers.

The exposed instance contained highly sensitive personal data at a scale exceeding the current U.S. population. This finding represents an extreme-scale identity risk.

Even if duplicate or historical entries exist, the presence of searchable government-issued identifiers in an unauthenticated database places this case in the Critical severity category.

More details can be found here: https://socradar.io/blog/us-elasticsearch-leak-676m-identity-records-ssn-exposure

The U.S. Financial Industry at the Epicenter of the Global Cybercrime Economy 

Posted in Commentary with tags on February 27, 2026 by itnerd

According to new SOCRadar threat intel, the U.S. financial sector now stands squarely at the center of the global cybercrime economy, enduring roughly half of all financial phishing attacks and nearly a quarter of all dark web threat activity.

Adversaries are now pivoting from basic software exploits to highly sophisticated, AI-driven crime waves, relentless BEC campaigns, and stealthy third-party supply chain infiltrations. 

In an analysis that can be read here, the SOCRadar research team has broken down how the U.S. financial sector is uniquely in the crosshairs of cyber criminals, what the dominant attack vectors are, and some key steps that financial leaders should take to fortify their defenses.

Key findings include: 

  1. The U.S. financial sector accounts for 23.52% of all finance-related dark web threat activity and 48.02% of global phishing activity. 
  2. Over 80% of dark web threat types are centered on exposing data and databases, with 74.49% of dark web posts involving selling these assets. 
  3. Dominant attack vectors targeting U.S. financial institutions include social engineering, BEC, and increasingly AI-powered exploits.
  4. Third-party vendors remain critical vectors for systemic risk.

For full details, here is the analysis: https://socradar.io/blog/finance-industry-us-institutions-2026/

Elasticsearch Instances Expose 43M+ Records Including Credentials, Credit Cards, and Customer Data

Posted in Commentary with tags on February 17, 2026 by itnerd

SOCRadar researchers announced the identification of three publicly accessible and misconfigured Elasticsearch instances leaking highly sensitive data, including infostealer logs, credit card information, and millions of personal identity records.

The exposed databases contained more than 43 million records, including over 5 million valid credentials, thousands of credit cards, and large-scale PII and commercial transaction data. All three cases demonstrate how misconfigured Elasticsearch services continue to create immediate and exploitation-ready risks for organizations and individuals.

Key findings include: 

  1. Incident 1: 7.2 million infostealer logs and 24,000 credit cards exposed
  2. Incident 2: 35 million Italian PII records publicly accessible
  3. Incident 3: 1.5 million customer records and commercial data exposed

The security team analyzed the exposed instances, notified relevant parties, and assessed the potential impact. The full details of this can be read here: https://socradar.io/blog/elasticsearch-instances-43m-records-data/
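Both this post and the 676-million-record post above come down to the same root cause: an Elasticsearch node reachable from the internet with authentication turned off. The following is an added example (not SOCRadar's or this blog's code) that audits the flat `key: value` settings of an elasticsearch.yml for that condition. The setting names (`xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.authc.anonymous.roles`, `network.host`, `http.port`) are real Elasticsearch keys; the two configuration samples, the cluster name and the addresses are constructed for illustration.

```python
# Added example: audit elasticsearch.yml for the misconfiguration behind the
# exposures described above (unauthenticated node bound to a reachable interface).
# The two configs below are constructed samples; the keys are real Elasticsearch settings.

WEAK_CONFIG = """\
cluster.name: analytics-prod           # constructed sample
network.host: 0.0.0.0                  # listens on every interface
http.port: 9200
xpack.security.enabled: false          # no authentication at all
"""

HARDENED_CONFIG = """\
cluster.name: analytics-prod           # constructed sample
network.host: 10.20.0.15               # internal address only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Values of network.host that keep the REST API off the network.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.
    Comments are stripped; nested YAML is not needed for these settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(settings):
    """Return a list of (severity, message) tuples for weak settings."""
    findings = []
    security = settings.get("xpack.security.enabled")
    host = settings.get("network.host", "localhost")  # Elasticsearch defaults to loopback
    port = settings.get("http.port", "9200")
    reachable = host not in LOOPBACK

    if security is None:
        findings.append(("medium",
            "xpack.security.enabled is not set explicitly; set it rather than relying on version defaults"))
    elif security.lower() == "false":
        if reachable:
            # This is the condition that produced the 676M- and 43M-record exposures.
            findings.append(("critical",
                f"authentication disabled while bound to {host}: every index is readable "
                f"by anyone who can reach port {port}"))
        else:
            findings.append(("medium",
                "authentication disabled; only tolerable while bound to loopback"))
    else:
        ssl = settings.get("xpack.security.http.ssl.enabled", "false").lower()
        if reachable and ssl != "true":
            findings.append(("high",
                "HTTP TLS disabled on a network-reachable listener: credentials and data cross the wire in cleartext"))
        roles = settings.get("xpack.security.authc.anonymous.roles", "")
        if "superuser" in roles:
            findings.append(("critical", "anonymous requests are granted the superuser role"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config file's text and audit it."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_text(cfg) or [("ok", "no weak settings found")]:
            print(f"[{severity}] {message}")
```

The audit only reads the node's own configuration; an exposure like the ones above also depends on firewall and cloud security-group rules, so a clean result here should be paired with an external reachability check of port 9200 from outside the network.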

Operation DoppelBrand: Weaponizing Fortune 500 Brands for Credential Theft and Remote Access

Posted in Commentary with tags on February 16, 2026 by itnerd

SOCRadar threat researchers have published an in-depth analysis of an ongoing cyber campaign against Fortune 500 companies, including names such as Wells Fargo and USAA, by the threat actor known as GS7. 

GS7 has been active for years, rotating its infrastructure and impersonating legitimate portals, and has amassed hundreds of malicious domains tied to its modus operandi. Its campaigns include operations targeting banking institutions, technology companies, payment platforms, and other entities.

The elements that distinguish this actor and its campaigns are the creation of highly similar portals used in phishing operations to redirect victims toward credential theft.

The research dives into: 

  • How GS7 has quietly operated for years by rotating infrastructure and impersonating trusted Fortune 500 brands
  • Hundreds of malicious domains tied to GS7’s phishing ecosystem and how they’re deployed at scale
  • The use of near-identical, brand-spoofed portals designed to convincingly harvest credentials
  • Active campaigns targeting banks, financial institutions, technology companies, and payment platforms
  • The actor’s infrastructure rotation tactics and evasion techniques
  • Which industries, regions, and countries are being targeted most heavily
  • What makes this campaign distinct from typical phishing operations — and why it continues to succeed

You can read the research here: https://socradar.io/resources/whitepapers/operation-doppelbrand-fortune-500-access

The MSSP Threat Landscape Report Is Out From SOCRadar

Posted in Commentary with tags on February 11, 2026 by itnerd

In a threat landscape where 60% of underground discussions directly reference security vendors and their products, the question is no longer whether a company’s defenses are good enough; it’s whether they’re being actively monitored, adapted, and evolved.

A just-published MSSP Threat Landscape Report by threat intel company SOCRadar examines how threat actors systematically study, test, and bypass widely deployed security products, and why partnering with a Managed Security Service Provider is essential for true operational resilience. Have a look and consider what adjustments your organization needs to make to keep itself safe.

The SOCRadar U.S. Threat Landscape Report 2026 Is Out

Posted in Commentary with tags on January 26, 2026 by itnerd

SOCRadar has just released its U.S. Threat Landscape Report 2026, which highlights the most targeted industries, how threat actors monetize stolen data and access, and how ransomware, phishing, and DDoS attacks continue to pressure U.S. organizations.

Key highlights include: 

  • Top Targeted Sectors: Finance and Insurance leads dark web targeting at 14.39%, followed by Information Services (10.19%) and Public Administration (9.79%), showing sustained focus on high-trust and high-value data sectors.
  • U.S.-Only Targeting Dominates: 88.3% of threats focus exclusively on U.S. entities, while cross-border campaigns remain limited.
  • Monetization Drives Underground Activity: Selling accounts for 70.76% of posts and sharing adds 23.56%, confirming a strong underground market dynamic.
  • Data and Access Are the Main Commodities: Data-related threats represent 61.53%, while access sales reach 29.31%, reinforcing the role of initial access brokers.
  • Ransomware Remains Fragmented: Qilin, Akira, and PLAY together represent 33% of ransomware activity, while smaller groups make up the majority.
  • Phishing Hits High-Trust Targets: Public Administration accounts for 24.08% of phishing attacks, followed by Information Services at 19.45%.
  • HTTPS Makes Phishing Harder to Spot: 77.9% of phishing pages use HTTPS, reducing users’ ability to identify malicious sites.
  • DDoS Volume and Scale Are Severe: 1,036,378 DDoS attacks were recorded, with peak bandwidth reaching 1,475.67 Gbps and average attack duration around 59 minutes.

You can read the report here: https://socradar.io/resources/report/u-s-threat-landscape-report-2026/?utm_campaign=16185902-GatedContent_Country-Reports_Global_0725&utm_source=website&utm_medium=reportspage&utm_term=countryreports&utm_content=US26

THREAT RESEARCH: Czechia Under Coordinated DDoS Assault

Posted in Commentary with tags on January 26, 2026 by itnerd

Today, SOCRadar threat researchers published their findings on an intensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16). Between January 19 and 25, there were 5,095 recorded attack entries, overwhelmingly against Czech infrastructure. 

During the seven-day analysis period, the campaign demonstrated unprecedented scale and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s primary geographic focus on Czechia represents an escalation in NoName057(16)’s strategy of applying sustained pressure on NATO’s eastern flank members and key supporters of Ukraine.

Key findings include: 

  1. More than half of the attacks hit government services (53%).
  2. Critical infrastructure targeted included aviation, railways, and public transport (19.7% of attacks).
  3. Czechia saw 3,803 of the 5,095 attacks. 
  4. NoName057(16) deployed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks. 
  5. The findings indicate that there was a deliberate targeting of encrypted web services including government citizen portals. 
  6. The most targeted host domain was for the Czech National Police. 

For full details, the analysis can be found here: https://socradar.io/blog/ddos-threat-intelligence-czechia-26-jan26/

SOCRadar’s Dark Web Research into Major Underground Markets of 2025

Posted in Commentary with tags on January 15, 2026 by itnerd

The SOCRadar threat research team will publish its Annual Dark Web Report, a structured view of illicit activity observed across major underground markets during 2025.

This includes the most impacted industries, U.S. targeting trends, the economy behind the dark web, the scale of stealer impacts, as well as AI democratization. 

Some key findings include: 

  • The U.S. is the primary target across multiple threat types, accounting for 41.42% of ransomware attacks, a drop from 53.30% in 2024.
  • Public Administration is the most exposed industry on the Dark Web, indicating sustained pressure on government institutions through data leaks.
  • In 2025, Akira took the first place in terms of activity with 8.35% of ransomware attacks.
  • Deepfake, voice manipulation, and pentesting tools are now openly available without dark web access, eliminating the vetting barriers that previously limited access to well-resourced actors.

Furthermore, this research breaks down the value of regional credit cards, the market behind vulnerability exploits (the costs for low-end and mid-tier vulns increased, but high-end ones decreased), as well as the impact of stolen data (Facebook seeing 93.2M accounts among stolen logs). 

The report is here: SOCRadar Annual Dark Web Report 2025

2025 Saw New Highs for Credential Theft, Dark Web Centered on Commercial Exchange, Ransomware and Akira and More

Posted in Commentary with tags on January 8, 2026 by itnerd

According to a just-released report by threat intelligence company SOCRadar, 2025 saw:

  • New highs for credential theft: a total of 388 million credentials were stolen from the ten most affected platforms. Facebook accounted for 93 million records, followed by Google with 67 million and Roblox with 66 million.
    • Gaming platforms were hit especially hard. Roblox, Twitch, and Epic Games together accounted for around 100 million accounts.
  • Dark Web activity centered on commercial exchange, with sales accounting for 59% of observed activity, 33% involving the sharing of stolen data, and hack announcements at around 5%.
    • The US appeared in nearly 20% of all forum discussions, making it the most referenced country. Public Administration led sector discussions at 13%, followed by Information and Finance at around 10% each.
  • Ransomware Activity Spread Across Groups – Akira led with 8.4% of incidents, followed by Qilin at 7.3% and Cl0p at 5.8%. No group controlled a large share of the landscape.
    • The US saw 41% of all ransomware attacks, while the United Kingdom followed with 18%. Australia, Japan, and Canada completed the top five. English-speaking countries together accounted for more than 60% of reported cases.

What Do These Numbers Mean?

These developments form a connected chain. Credentials are stolen through malware. That access is sold on Dark Web forums. Ransomware groups purchase it and use it to launch attacks. This process creates various risks for organizations on multiple fronts. Employees are targeted first through personal or work accounts. Compromised credentials then become gateways to larger incidents.

The 388 million stolen credentials represent more than isolated breaches. They serve as entry points that enable broader and more damaging attacks.

The full report, the 2025 End of Year Report, expands on these findings, including:

  • Stealer log distribution
  • Dark Web activity
  • Ransomware threats
  • Global phishing activity
  • And a summary of the threat landscape in 2025

To view the full report, see this link: End of The Year 2025 Cyber Analysis

New Dark Web Findings: Credit Cards & Weapon Bot Malware 

Posted in Commentary with tags on December 9, 2025 by itnerd

In a fresh dark web sweep, SOCRadar researchers have discovered three new issues worth immediate attention:

First, there’s a major auction of roughly 413,000 stolen credit cards, mainly from the U.S. and Canada. The seller is bundling cards from multiple leaks and offering a validity-checking service, indicating an organized marketplace rather than a simple dump.

Second, analysts identified a new malware framework called Weapon Bot. It’s delivered via MSI installers, built on Node.js/Rust/PowerShell, and designed to evade detection. It steals browser data, wallet seeds and session tokens, while also functioning as a botnet platform.

Lastly, threat actors are actively seeking a working exploit for CVE-2024-38077 (“MadLicense”), a critical remote code execution vulnerability in Windows Remote Desktop Licensing Service. The demand suggests potential weaponization and real-world attacks.

For full details, the analysis can be found here: https://socradar.io/blog/weapon-bot-toolkit-madlicense-413k-credit-cards/