Security Domain
Security Operations
Incident response, forensics, threat intelligence, SIEM, and operational security.
RSS feed →80 Articles · page 3 of 4
← All domainsChina-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state's foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch
A ransomware group tracking as 'Sorry' has leveraged the recently-patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.
VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi
VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.
Wazuh SIEM/XDR Platform CVE-2026-30893 — CVSS 9.0 Remote Code Execution in Enterprise SOC Infrastructure
CVE-2026-30893, rated CVSS 9.0, is a remote code execution vulnerability in the Wazuh open-source security platform affecting versions 4.x and later. Wazuh is widely deployed as a SIEM, XDR, and compliance platform in enterprise SOC environments. Compromising the Wazuh manager means compromising your security monitoring backbone — patch to 4.11.2 immediately.
CISA KEV Additions: Windows Shell Spoofing CVE-2026-32202 and Cisco SD-WAN Sensitive File Exposure CVE-2026-20133
CISA's late-April Known Exploited Vulnerabilities additions include a Windows Shell protection mechanism failure under active exploitation and a Cisco Catalyst SD-WAN Manager flaw allowing unauthenticated access to sensitive OS files. Federal agencies face a May 12 remediation deadline for CVE-2026-32202; enterprise organisations should treat both additions as confirmation of active threat actor interest and patch accordingly.
Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable
Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. The extradition marks the first successful prosecution of a Silk Typhoon operator and sends a direct signal to MSS-affiliated cyber operators.
Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected
Itron, the world's largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.
Microsoft Issues Emergency Patch KB5091157 After April Updates Crash Domain Controllers
Microsoft's April 2026 Patch Tuesday updates triggered LSASS crash-reboot loops on non-Global Catalogue domain controllers in PAM-enabled deployments and forced some Windows Server 2025 systems into BitLocker recovery mode. Emergency out-of-band updates were released April 19 for all affected Server versions. Immediate installation is required — affected DCs cause complete authentication outages across their domains.
FIRESTARTER Backdoor Persists on Cisco Firepower Devices After Patching — Federal Agency Confirmed Victim
A joint CISA and NCSC advisory reveals FIRESTARTER, a sophisticated backdoor implanted on Cisco FTD and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Defenders must verify device integrity rather than assume patching closed the access.
Tropic Trooper APT Delivers AdaptixC2 via Trojanised SumatraPDF Installer and GitHub C2 Relay
The Chinese APT group Tropic Trooper has been observed deploying the AdaptixC2 post-exploitation framework through a malicious SumatraPDF installer distributed from a convincing lookalike site. Command-and-control communications are routed through GitHub's REST API, blending malicious traffic with the high-volume legitimate developer activity that most enterprises whitelist.
UNC6692 Abuses Microsoft Teams to Deliver SNOW Malware via IT Help Desk Vishing
Threat actor UNC6692 is impersonating IT help desk staff via Microsoft Teams to socially engineer victims into installing SNOW malware. The campaign exploits trusted internal communication channels where detection tooling is typically absent — immediate Teams external access policy review is recommended.
Kyber Ransomware Deploys Dual Windows and VMware ESXi Variants — Claims Post-Quantum Encryption
A new ransomware operation named Kyber is targeting enterprise Windows servers and VMware ESXi infrastructure with two distinct variants analysed by Rapid7. The Windows variant written in Rust implements genuine Kyber1024 post-quantum key encapsulation; the ESXi variant falsely markets the same capability while using ChaCha8 and RSA-4096. Both variants share Tor-based ransom infrastructure and have been deployed simultaneously on the same networks.
Two Unpatched Windows Defender Zero-Days (RedSun + UnDefend) Actively Exploited — No Fix Available
A security researcher released two additional Windows Defender zero-days — RedSun and UnDefend — after Microsoft failed to patch them. RedSun exploits Defender's cloud file rollback mechanism to achieve SYSTEM privileges on all supported Windows versions. UnDefend silently prevents Defender from updating its threat signatures. Both are confirmed exploited in the wild, and neither has a patch or assigned CVE.
Payouts King Ransomware Deploys Hidden QEMU VMs to Blind Endpoint Security — New EDR Evasion Technique
The Payouts King ransomware operation, linked to former BlackBasta affiliates, has introduced a novel EDR bypass: deploying a legitimate QEMU virtual machine running Alpine Linux on compromised Windows hosts. Because endpoint security agents cannot inspect inside the VM, attackers operate the full intrusion — credential theft, lateral movement, and data exfiltration — completely invisible to host-level detection.
April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers — No Fix Yet
KB5082063, Microsoft's April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.
Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Use-After-Free in WebGPU
Google has patched CVE-2026-5281, a use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This is the fourth Chrome zero-day exploited in attacks in 2026. CISA added it to the KEV catalogue on 1 April with a deadline of 15 April for federal agencies. Update to Chrome 146.0.7680.177/178.
Microsoft April 2026 Patch Tuesday: 167 Flaws Patched Including Two Zero-Days
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including an actively exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly disclosed Defender elevation-of-privilege flaw. Eight Critical-rated vulnerabilities include a CVSS 9.8 IKE RCE and a Critical Active Directory RCE assessed as exploitation more likely.
North Korea's UNC4736 Spent Six Months Infiltrating Drift Protocol Before Stealing $285 Million
North Korean state hackers (UNC4736/AppleJeus) executed a meticulously planned six-month social engineering operation against Drift Protocol, culminating in a $285 million theft from the Solana DeFi platform on 1 April 2026. The attack leveraged fabricated tokens and pre-signed transactions to hand attackers admin control — the largest DeFi exploit of 2026 and the second-largest in Solana's history.
Adobe Acrobat Reader Zero-Day CVE-2026-34621 Exploited for Four Months Before Patch
Adobe has released an emergency patch for CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader that has been actively exploited since at least November 2025. Opening a crafted PDF triggers JavaScript execution that fingerprints the victim's system and can deploy RCE and sandbox escape payloads. CISA added the CVE to the KEV catalogue the same day, requiring federal agencies to patch by 27 April.
BlueHammer Windows LPE Zero-Day Gives Attackers SYSTEM Access — No Patch Available
A publicly disclosed zero-day local privilege escalation vulnerability in Windows Defender's signature-update mechanism allows any authenticated user to escalate to SYSTEM. Named BlueHammer by researchers at Cyderes, the flaw has a working public exploit and no Microsoft patch as of publication. Security teams should implement interim mitigations immediately.
DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation
North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.
Storm-1175 Deploys Medusa Ransomware Within 24 Hours Using Zero-Day Exploits
Microsoft has identified Storm-1175, a China-linked financially motivated threat group, as the affiliate behind a surge in Medusa ransomware deployments exploiting zero-day and n-day vulnerabilities in internet-facing systems. The group is exploiting vulnerabilities within days — sometimes within 24 hours — of public disclosure, with particular focus on healthcare, education, and finance sectors in the US, UK, and Australia.
Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances
A ransomware attack on Signature Healthcare's Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.
Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption
Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.