Security Domain
Security Operations
Incident response, forensics, threat intelligence, SIEM, and operational security.
RSS feed →80 Articles · page 2 of 4
← All domainsGlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass
Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.
CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update
CISA's 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010 indicating re-exploitation of outdated systems in active campaigns.
Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance
Microsoft Exchange Server's OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft's Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.
Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy
Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.
Windows 11 Yielded Four Independent LPE Paths at Pwn2Own Berlin — Kernel Attack Surface Analysis
By the close of Pwn2Own Berlin 2026, researchers had demonstrated four separate, independently discovered privilege escalation paths from standard user to SYSTEM on fully patched Windows 11. Each exploited a different component and vulnerability class. The results indicate the Windows kernel and user/kernel boundary remain a consistently productive attack surface for skilled researchers.
Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs
With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.
REMUS Infostealer Deep-Dive: Session Token Theft Evolves into MaaS Platform Targeting Browser Credentials and SaaS Sessions
Security researchers published a technical analysis of REMUS, an infostealer-as-a-service platform that has rapidly evolved from simple credential harvesting to session token theft targeting enterprise SaaS applications. REMUS specifically targets Salesforce, Workday, ServiceNow, and Microsoft 365 session cookies to bypass MFA, and has been observed in initial access broker sales followed by ransomware deployments.
KongTuke Initial Access Broker Pivots to Microsoft Teams Social Engineering — Five-Minute Corporate Compromise via ModeloRAT
Initial access broker KongTuke has updated its tradecraft to use Microsoft Teams as the primary social engineering vector, impersonating IT helpdesk personas to deliver ModeloRAT via Teams file transfers to targeted employees. The group achieves credential theft and establishes persistence within five minutes of initial Teams contact, then sells access to ransomware affiliates within 24 hours.
Linux 'Fragnesia' Kernel Privilege Escalation CVE-2026-46300 — New Dirty Frag Class Bug Exploits XFRM ESP-in-TCP for Unprivileged Root
Security researchers disclosed 'Fragnesia,' a Linux kernel privilege escalation vulnerability (CVE-2026-46300) in the XFRM framework's ESP-in-TCP fragmentation handling. The flaw follows the Dirty Frag class of fragmentation-layer bugs and enables an unprivileged local user to gain root on any affected kernel version. A proof-of-concept exploit is available. Kernel patches are being distributed through Linux distribution channels.
Foxconn Confirms Nitrogen Ransomware Attack on North American Factories — 8 TB of Customer Data Stolen
Electronics manufacturing giant Foxconn confirmed a Nitrogen ransomware attack on its North American operations that encrypted factory systems and exfiltrated approximately 8 TB of data including Apple, NVIDIA, and Intel supply chain documentation. Production lines at multiple facilities were disrupted before recovery procedures were activated.
MuddyWater Spent a Week Undetected Inside South Korean Electronics Giant's Network — Nine Organisations Compromised
Iranian state-sponsored threat group MuddyWater (Seedworm) conducted a sustained intrusion campaign against a major South Korean electronics manufacturer, maintaining persistence for over a week before detection. Nine connected organisations were compromised through the electronics firm's supplier and partner network. Lateral movement used living-off-the-land techniques to evade endpoint detection.
Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities — No Zero-Days but Wormable RCEs Demand Immediate Action
Microsoft released 120 security fixes in May's Patch Tuesday update, including 17 Critical-rated vulnerabilities and no actively exploited zero-days. Among the most significant are a network-based Windows DNS Client RCE and an authenticated SharePoint Server RCE. Security teams should prioritise network-facing systems within 48 hours.
Australia ACSC Warns of ClickFix Campaign Delivering Vidar Infostealer — Fake CAPTCHA Bypass Technique Targeting Enterprise Users
The Australian Cyber Security Centre has issued a warning about an active ClickFix social engineering campaign delivering Vidar infostealer malware. ClickFix presents victims with fake CAPTCHA or browser-fix dialogs that instruct them to run PowerShell commands, bypassing standard malware delivery defences. The campaign has been observed across multiple Australian industry sectors.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration
ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.
Calendly-Themed AiTM Phishing Kits Rise with Real-Time Socket.IO and Telegram Exfiltration
urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the attack infrastructure highly operationally efficient while appearing to originate from legitimate Calendly sessions.
CallPhantom: 28 Fake Android Apps with 7.3M Play Store Downloads Charged for Fabricated Call Data
ESET researchers have identified 28 Android applications — collectively downloaded 7.3 million times from the Google Play Store — that charged users for access to fabricated call history, SMS logs, and WhatsApp message records that the apps could not actually retrieve. The CodedCallPhantom campaign, active primarily in India and South-East Asia, combines financial fraud (charging for non-existent data) with personal data collection used for follow-on targeting.
PamDOORa: Linux Post-Exploitation PAM Module Backdoor Sold on Dark Web for $1,600
Flare.io researchers have identified PamDOORa, a commercially sold Linux backdoor sold for $1,600 on a Russian-language underground forum. PamDOORa installs as a malicious PAM (Pluggable Authentication Module) on compromised Linux systems, creating a persistent hidden SSH access mechanism that activates via a magic password and a TCP port — while also harvesting the credentials of all legitimate users who authenticate to the system.
TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms
Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.
Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch
Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.
Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days
Microsoft Threat Intelligence has published analysis of a highly targeted adversary-in-the-middle phishing campaign that compromised 35,000 user accounts across healthcare and financial services organisations in 26 countries during a 48-hour window in April 2026. The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, bypassing standard MFA via real-time session token interception.
Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure
A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and Four Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.
MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users
A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager — a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet — a legitimate no-code application platform — to bypass spam filters and email security gateways. The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.