Articles
CISA Supplemental Direction ED 26-03: How to Hunt for Compromise in Cisco Catalyst SD-WAN
CISA has issued supplemental hunt-and-hardening guidance for Cisco Catalyst SD-WAN systems under Emergency Directive 26-03, providing defenders with specific indicators to look for in environments exposed to CVE-2026-20127 — a CVSS 10.0 authentication bypass exploited since 2023. Organisations running Cisco SD-WAN infrastructure should treat this guidance as a mandatory compromise assessment checklist.
NSA's January 2027 PQC Deadline Is Nine Months Away — Enterprise Migration Is Now Mandatory
With NIST's post-quantum cryptography standards finalised and the NSA's CNSA 2.0 deadline requiring all new National Security System acquisitions to be quantum-resistant by January 2027, the migration window for enterprise and federal contractor environments is closing fast. Most organisations have yet to inventory their cryptographic assets, let alone begin migration.
AI-Powered Device Code Phishing Bypasses MFA at Hundreds of Organisations
A sophisticated phishing campaign is abusing the OAuth device authorisation flow to hijack Microsoft 365 access tokens while victims complete entirely genuine MFA challenges. Hundreds of organisations have been compromised. FIDO2 passkeys block this attack; push notifications, TOTP, and SMS codes do not. Organisations should block the device code grant in Conditional Access immediately.
DPRK's Contagious Interview Campaign Spreads 1,700+ Malicious Packages Across Five Ecosystems
North Korea's UNC1069 (BlueNoroff) threat group has expanded its Contagious Interview supply chain operation to five package registries — npm, PyPI, Go Modules, crates.io, and Packagist — publishing more than 1,700 malicious packages that deliver a cross-platform infostealer and RAT. The operation is the largest coordinated open-source supply chain attack attributed to a nation-state actor.
World Leaks Exposes 7.7TB of LAPD Records After City Attorney's Discovery Tool Breach
Extortion group World Leaks has published more than 337,000 sensitive LAPD files — including officer personnel records, Internal Affairs investigations, and witness medical information — after breaching a third-party legal discovery transfer tool used by the Los Angeles City Attorney's Office. The incident illustrates how legal and compliance workflows that touch sensitive data are increasingly targeted as a softer entry point than agency systems themselves.
Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors
A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. CISA has added it to the KEV catalogue.
Secure Boot Certificates Expire June 2026 — Enterprise Action Window Is Now
Microsoft's 2011 Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. Organisations that fail to apply firmware and OS updates before these deadlines lose the ability to receive boot-level security fixes and risk UEFI bootkit exposure. Microsoft began displaying warnings in the Windows Security app in April 2026, but the update process requires OEM firmware coordination that takes weeks.
ShinyHunters Breach Anodot SaaS Integrator, Steal Snowflake Customer Data via Harvested Tokens
The ShinyHunters threat group breached Anodot, an AI analytics platform used to integrate with Snowflake cloud data warehouses, and stole authentication tokens that enabled downstream data theft from over a dozen Snowflake customer environments. The attack is a textbook fourth-party risk incident: the direct target was not the victim organisations' systems but a trusted third-party integration layer.
Citrix NetScaler CVE-2026-3055 Actively Exploited — CISA Orders Patch by 2 April
A critical unauthenticated memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalogue. Appliances configured as SAML Identity Providers are leaking sensitive memory contents including session tokens via a crafted SAML request.
DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation
North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now
A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.
Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs
A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.
Progress ShareFile Pre-Auth RCE Chain Puts 30,000 Exposed Servers at Risk — Patch to 5.12.4
Researchers at watchTowr Labs have disclosed a two-vulnerability chain in Progress ShareFile Storage Zones Controller that enables unauthenticated remote code execution via webshell upload. Approximately 30,000 Storage Zone Controller instances are internet-exposed and remain at risk if not patched to version 5.12.4, which was released on 10 March 2026 before full public disclosure of the attack path.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Plugin Pushed to 800,000 Sites
Attackers breached Nextend's update servers and distributed a fully weaponised backdoor through the official Smart Slider 3 Pro update channel, affecting WordPress and Joomla sites that auto-updated between 7 and 8 April 2026. The compromised version 3.5.1.35 creates rogue admin accounts, drops persistent remote access tools, and exfiltrates credentials — all delivered through the trusted plugin update mechanism.
April Windows Update Enforces AES-Only Kerberos — RC4 Fallback Blocked Across Active Directory
Microsoft's April 2026 cumulative update moves Windows domain controllers into AES-only Kerberos enforcement mode, permanently blocking RC4-HMAC as an authentication fallback under CVE-2026-20833. Organisations with legacy service accounts or unmanaged devices that have not set the msDS-SupportedEncryptionTypes attribute will begin seeing Kerberos authentication failures when the update is deployed.
ChipSoft Ransomware Attack Takes Down Patient Records Across 80% of Dutch Hospitals
Dutch healthcare IT vendor ChipSoft, whose HiX electronic patient record system is used by approximately 80% of hospitals in the Netherlands, was struck by a ransomware attack on 7 April. Eleven hospitals have disconnected from ChipSoft systems and reverted to emergency paper procedures. ChipSoft has confirmed a 'data incident' with possible unauthorised access to patient records, and Z-CERT has advised all connected healthcare institutions to disconnect VPN links to the vendor.
Storm-1175 Deploys Medusa Ransomware Within 24 Hours Using Zero-Day Exploits
Microsoft has identified Storm-1175, a China-linked financially motivated threat group, as the affiliate behind a surge in Medusa ransomware deployments exploiting zero-day and n-day vulnerabilities in internet-facing systems. The group is exploiting vulnerabilities within days — sometimes within 24 hours — of public disclosure, with particular focus on healthcare, education, and finance sectors in the US, UK, and Australia.
CVSS 10.0 Flowise RCE Actively Exploited Across 12,000 Exposed Instances
CVE-2025-59528, a maximum-severity remote code execution vulnerability in the Flowise AI workflow platform, is being actively exploited in the wild. Over 12,000 internet-exposed instances remain unpatched, allowing attackers to execute arbitrary JavaScript on host machines and extract API keys, credentials, and configuration secrets.
Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances
A ransomware attack on Signature Healthcare's Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.
Handala Ransomware Surges to 23 Victims in March — Geopolitically Motivated Wiper Threat Expands Beyond Israel
Handala ransomware claimed 23 victims in March 2026 — the group's most active month, accounting for more than half of its total 2026 activity to date. While predominantly targeting Israeli organisations with suspected IRGC ties, Handala has begun extending its reach into European financial services, healthcare, and utilities. The group deploys wiper functionality alongside ransomware, meaning recovery from an attack is frequently impossible even without a ransom payment.
Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption
Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.
Linux Kernel AP VLAN Flaw CVE-2026-31394 Allows Privilege Escalation in Virtualised and Cloud Environments
CVE-2026-31394 is a privilege escalation vulnerability in the Linux kernel's AP VLAN (access point virtual LAN) network driver. Highlighted in Microsoft's Windows Update security reference guide and tracked by multiple Linux distributions, the flaw allows a local user with network namespace access to escalate privileges. Virtual machine hosts, Kubernetes nodes, and container infrastructure are the highest-risk deployment contexts.
March 2026 Patch Cycle: The Governance and Risk Metrics That CISOs Should Be Reporting
March 2026 has been an unusually demanding patch cycle — 83 Microsoft CVEs, three new CISA KEV additions across F5, Citrix, and Active Directory, and concurrent exploitable vulnerabilities across Linux, PAN-OS, and Dell hardware. CISOs face board-level questions about patching velocity and exposure windows. This analysis provides the governance framework and risk metrics to answer those questions accurately.
Windows Kerberos Security Feature Bypass CVE-2026-24297 — Race Condition Enables Unauthenticated Network Attack
CVE-2026-24297 is a security feature bypass in the Windows Kerberos implementation caused by a race condition that can be triggered remotely without credentials or user interaction. Patched in the March 2026 Patch Tuesday, the vulnerability allows an attacker with network access to a Kerberos-speaking service to bypass security validation in the authentication flow. No active exploitation has been confirmed but the attack vector requires no credentials, increasing urgency.