<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>CipherWatch — Security Operations</title><description>Security intelligence covering Security Operations: Incident response, forensics, threat intelligence, SIEM, and operational security.</description><link>https://cipherwatch.io/</link><language>en-gb</language><item><title>Velvet Ant&apos;s Operation Highland: China-Nexus APT Spent a Decade Inside an Air-Gapped Network via Auth Stack Hijack</title><link>https://cipherwatch.io/articles/2026-06-16-velvet-ant-operation-highland-air-gap-decade-persistence/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-16-velvet-ant-operation-highland-air-gap-decade-persistence/</guid><description>Sygnia researchers disclosed Operation Highland, a China-nexus espionage campaign in which the Velvet Ant threat group maintained persistent, undetected access to an air-gapped enterprise network from 2016 to 2026 by hijacking authentication infrastructure and bridging the isolation via a modified Nginx binary and GS-Netcat reverse shell. 
The case fundamentally challenges the security model of air-gapping as an isolation control.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><category>apt</category><category>china-nexus</category><category>velvet-ant</category><category>air-gap</category><category>espionage</category><category>persistence</category><category>threat-intelligence</category></item><item><title>The Gentlemen Ransomware Hits Mackay Sugar — Mill Operations Shut Down as OT Systems Disrupted</title><link>https://cipherwatch.io/articles/2026-06-15-mackay-sugar-gentlemen-ransomware-ot-shutdown/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-15-mackay-sugar-gentlemen-ransomware-ot-shutdown/</guid><description>The Gentlemen ransomware group has claimed an attack on Mackay Sugar, Australia&apos;s second-largest sugar producer, causing the shutdown of mill crushing operations during the critical harvest season. The attack disrupted operational technology systems controlling sugar processing at two mills in Queensland, representing a significant escalation of The Gentlemen group&apos;s targeting of OT-dependent industrial operations.</description><pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>operational-technology</category><category>ot-security</category><category>mackay-sugar</category><category>gentlemen-ransomware</category><category>australia</category><category>food-manufacturing</category><category>ics</category></item><item><title>ShinyHunters Claims Council of Europe Breach: 297 GB of HR and Payroll Data Exposed</title><link>https://cipherwatch.io/articles/2026-06-14-shinyhunters-council-of-europe-297gb-hr-breach/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-14-shinyhunters-council-of-europe-297gb-hr-breach/</guid><description>The ShinyHunters threat group has claimed responsibility for breaching the Council of Europe, exfiltrating 297 GB of internal HR and payroll records covering 
more than 10,000 employees. The breach raises significant concerns around diplomatic personnel data protection and the security posture of intergovernmental bodies operating outside EU regulatory oversight.</description><pubDate>Sun, 14 Jun 2026 00:00:00 GMT</pubDate><category>shinyhunters</category><category>data-breach</category><category>government</category><category>hr-data</category><category>european-institutions</category><category>threat-actor</category></item><item><title>Splunk Enterprise CVE-2026-20253 (CVSS 9.8): No-Authentication RCE Exposes SIEM Servers via PostgreSQL Sidecar</title><link>https://cipherwatch.io/articles/2026-06-14-splunk-enterprise-cve-2026-20253-unauthenticated-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-14-splunk-enterprise-cve-2026-20253-unauthenticated-rce/</guid><description>A critical remote code execution vulnerability in Splunk Enterprise allows unauthenticated attackers to run arbitrary commands on SIEM servers by targeting an exposed PostgreSQL sidecar service that bypasses all application-level authentication. 
CVE-2026-20253, rated CVSS 9.8, affects Splunk Enterprise 9.2.x and earlier on both Windows and Linux — a particularly damaging target given SIEM&apos;s visibility across the entire security estate.</description><pubDate>Sun, 14 Jun 2026 00:00:00 GMT</pubDate><category>splunk</category><category>siem</category><category>cve-2026-20253</category><category>unauthenticated-rce</category><category>postgresql</category><category>siem-compromise</category><category>critical-infrastructure</category></item><item><title>Why Ransomware Groups Target Veeam First: Backup Infrastructure as the Strategic Priority</title><link>https://cipherwatch.io/articles/2026-06-12-veeam-backup-infrastructure-ransomware-target/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-12-veeam-backup-infrastructure-ransomware-target/</guid><description>CVE-2026-44963 in Veeam Backup &amp; Replication is the third critical Veeam RCE vulnerability in three years, each exploited by ransomware operators to neutralise backup infrastructure before deploying encryption payloads. 
This article examines why backup systems have become the primary strategic target in ransomware operations and what structural security controls reduce exposure.</description><pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate><category>veeam</category><category>ransomware</category><category>backup-security</category><category>cve-2026-44963</category><category>incident-response</category><category>ransomware-prevention</category><category>backup-strategy</category><category>active-directory</category></item><item><title>Gentlemen Ransomware Claims 478 Victims in 66 Countries as Worm-Like Lateral Movement Capability Confirmed</title><link>https://cipherwatch.io/articles/2026-06-11-gentlemen-ransomware-478-victims-worm-propagation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-11-gentlemen-ransomware-478-victims-worm-propagation/</guid><description>New analysis of the Gentlemen ransomware operation reveals the group has compromised 478 organisations across 66 countries, significantly exceeding initial healthcare-focused estimates. 
Researchers have confirmed the ransomware includes a worm module that leverages SMB vulnerabilities and credential reuse to spread autonomously across enterprise networks without human operator intervention.</description><pubDate>Thu, 11 Jun 2026 00:00:00 GMT</pubDate><category>gentlemen-ransomware</category><category>ransomware</category><category>worm</category><category>lateral-movement</category><category>smb</category><category>healthcare</category><category>threat-intelligence</category><category>incident-response</category><category>2026</category></item><item><title>Ivanti Sentry CVE-2026-10520: CVSS 10.0 Pre-Authentication RCE Exploited After PoC Release</title><link>https://cipherwatch.io/articles/2026-06-10-ivanti-sentry-cve-2026-10520-cvss-10-pre-auth-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-10-ivanti-sentry-cve-2026-10520-cvss-10-pre-auth-rce/</guid><description>Ivanti has disclosed CVE-2026-10520, a CVSS 10.0 pre-authentication remote code execution vulnerability in Ivanti Sentry (formerly MobileIron Sentry) that is being actively exploited following public proof-of-concept release. A companion OS command injection flaw CVE-2026-10523 (CVSS 9.4) affects the same platform. 
Both require immediate action for all organisations running Ivanti Sentry in their mobile device management infrastructure.</description><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate><category>ivanti</category><category>sentry</category><category>mobileiron</category><category>cve-2026-10520</category><category>cve-2026-10523</category><category>cvss-10</category><category>pre-auth-rce</category><category>mdm</category><category>actively-exploited</category><category>cisa-kev</category></item><item><title>Google Chrome Zero-Day CVE-2026-11645: V8 Out-of-Bounds Write Actively Exploited Before Patch</title><link>https://cipherwatch.io/articles/2026-06-09-chrome-v8-zero-day-cve-2026-11645-actively-exploited/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-09-chrome-v8-zero-day-cve-2026-11645-actively-exploited/</guid><description>Google has released Chrome 149.0.7762.95 patching CVE-2026-11645, an out-of-bounds write in the V8 JavaScript engine that was actively exploited before disclosure. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue. 
All users and enterprise deployments should update immediately — CISA&apos;s federal deadline is 30 June.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>chrome</category><category>google</category><category>v8</category><category>cve-2026-11645</category><category>zero-day</category><category>browser-security</category><category>cisa-kev</category><category>actively-exploited</category><category>javascript-engine</category></item><item><title>Microsoft June 2026 Patch Tuesday: 198 CVEs and Six Zero-Days Including Wormable CVSS 9.8 HTTP.sys Flaw</title><link>https://cipherwatch.io/articles/2026-06-09-microsoft-june-2026-patch-tuesday-198-cves-six-zero-days/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-09-microsoft-june-2026-patch-tuesday-198-cves-six-zero-days/</guid><description>Microsoft&apos;s June 2026 Patch Tuesday addresses 198 vulnerabilities across Windows, Office, Azure, and server components — including three CVSS 9.8 critical remote code execution flaws and six publicly disclosed zero-days. 
HTTP.sys CVE-2026-47291 is wormable, requiring no authentication or user interaction against any Windows Server with IIS or HTTP API exposed.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>microsoft</category><category>patch-tuesday</category><category>windows</category><category>http-sys</category><category>zero-day</category><category>cve-2026-47291</category><category>cve-2026-45657</category><category>cve-2026-44815</category><category>actively-exploited</category><category>wormable</category></item><item><title>Meta Files Contempt Motion Against NSO Group Over WhatsApp Spear-Phishing Attack on Journalists</title><link>https://cipherwatch.io/articles/2026-06-08-meta-nso-group-whatsapp-contempt-spear-phishing/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-08-meta-nso-group-whatsapp-contempt-spear-phishing/</guid><description>Meta has filed a federal contempt motion against NSO Group alleging the Israeli spyware vendor violated a 2021 court order by deploying new WhatsApp-based spear-phishing infrastructure targeting journalists and human rights defenders. The case highlights the persistent challenge of enforcement against commercial spyware vendors whose products operate outside regulatory frameworks.</description><pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate><category>nso-group</category><category>pegasus</category><category>whatsapp</category><category>spear-phishing</category><category>commercial-spyware</category><category>meta</category><category>zero-click</category><category>journalists</category><category>court-order</category></item><item><title>UNC3753: Vishing Calls Combined With Physical Office Intrusions in U.S. 
Data Theft Extortion Campaign</title><link>https://cipherwatch.io/articles/2026-06-08-unc3753-vishing-physical-intrusion-data-theft/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-08-unc3753-vishing-physical-intrusion-data-theft/</guid><description>Threat group UNC3753 has been documented combining voice phishing (vishing) with physical office intrusions to conduct data theft and extortion against U.S. organisations. The group uses vishing to gather employee credentials and facility access information, then deploys operatives physically to compromise targets. The hybrid TTPs represent a significant escalation in social engineering attack sophistication.</description><pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate><category>unc3753</category><category>vishing</category><category>social-engineering</category><category>physical-security</category><category>insider-threat</category><category>extortion</category><category>data-theft</category><category>hybrid-attack</category></item><item><title>VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances</title><link>https://cipherwatch.io/articles/2026-06-08-verdantbamboo-brickstorm-bsd-linux-appliance-backdoor/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-08-verdantbamboo-brickstorm-bsd-linux-appliance-backdoor/</guid><description>China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant capability beyond Linux ESXi hosts to commercial network appliances running FreeBSD-derived operating systems. 
The implant uses HTTPS command and control via legitimate TLS certificates, survives reboots, and operates below enterprise EDR visibility.</description><pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate><category>verdantbamboo</category><category>brickstorm</category><category>china-nexus</category><category>apt</category><category>bsd</category><category>linux</category><category>network-appliances</category><category>backdoor</category><category>threat-intelligence</category></item><item><title>China-Nexus Threat Groups and the Shift to Linux and BSD Appliance Targeting</title><link>https://cipherwatch.io/articles/2026-06-07-china-nexus-linux-bsd-appliance-targeting-threat-landscape/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-07-china-nexus-linux-bsd-appliance-targeting-threat-landscape/</guid><description>A pattern documented across multiple China-nexus threat actors in 2025–2026 shows a deliberate move from Windows endpoint compromise toward Linux-based network appliances and BSD-running security devices. 
Network devices running proprietary Linux/BSD derivatives sit at the network edge with high-privilege routing access — and typically outside the enterprise&apos;s EDR coverage.</description><pubDate>Sun, 07 Jun 2026 00:00:00 GMT</pubDate><category>china-nexus</category><category>apt</category><category>linux</category><category>bsd</category><category>network-appliances</category><category>threat-intelligence</category><category>verdantbamboo</category><category>brickstorm</category><category>unc3886</category></item><item><title>Gentelman Ransomware Surges: 9 Healthcare and Professional Services Victims in 72 Hours</title><link>https://cipherwatch.io/articles/2026-06-03-gentelman-ransomware-healthcare-professional-services-surge/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-03-gentelman-ransomware-healthcare-professional-services-surge/</guid><description>The Gentelman ransomware group (tracked as Storm-2697) claimed 15 victims between 1–3 June with a heavy focus on healthcare providers and professional services firms in North America. The surge appears linked to exploitation of known vulnerabilities in remote management software. 
Healthcare organisations should review internet-exposed remote access and RMM tool exposure immediately.</description><pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>gentelman</category><category>storm-2697</category><category>healthcare</category><category>professional-services</category><category>incident-response</category><category>rmm</category><category>connectwise</category></item><item><title>Android June 2026 Security Update: Zero-Day CVE-2025-48595 Patched Alongside 124 Vulnerabilities</title><link>https://cipherwatch.io/articles/2026-06-02-android-june-2026-cve-2025-48595-zero-day-patch/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-02-android-june-2026-cve-2025-48595-zero-day-patch/</guid><description>Google&apos;s June 2026 Android Security Bulletin patches 124 vulnerabilities including CVE-2025-48595, an integer overflow in the Android Framework with confirmed limited exploitation consistent with nation-state spyware deployment. 
Enterprise Android fleets should prioritise this update given the zero-day&apos;s targeted exploitation pattern.</description><pubDate>Tue, 02 Jun 2026 00:00:00 GMT</pubDate><category>android</category><category>cve-2025-48595</category><category>mobile-security</category><category>zero-day</category><category>google</category><category>june-patch</category><category>enterprise-mobility</category><category>spyware</category></item><item><title>ServiceNow Zero-Auth API Exploitation: Customer Instance Data Exposed Through Unauthenticated Endpoint</title><link>https://cipherwatch.io/articles/2026-06-02-servicenow-zero-auth-api-breach-customer-data-exposed/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-02-servicenow-zero-auth-api-breach-customer-data-exposed/</guid><description>ServiceNow disclosed an active security incident beginning 2 June in which an unauthenticated API endpoint allowed attackers to query customer instance data including IT ticket contents, asset inventories, and stored credentials. Exploitation began 2 June; ServiceNow patched the endpoint by 5 June. No CVE was assigned at time of disclosure. 
Organisations should review ServiceNow access logs for the incident window.</description><pubDate>Tue, 02 Jun 2026 00:00:00 GMT</pubDate><category>servicenow</category><category>api-security</category><category>itsm</category><category>data-breach</category><category>zero-auth</category><category>saas-security</category><category>incident-response</category></item><item><title>Oracle WebLogic CVE-2024-21182 Added to CISA KEV — Federal Deadline June 4 as Ransomware Payloads Observed</title><link>https://cipherwatch.io/articles/2026-06-01-oracle-weblogic-cve-2024-21182-cisa-kev-active-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-01-oracle-weblogic-cve-2024-21182-cisa-kev-active-exploitation/</guid><description>CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.</description><pubDate>Mon, 01 Jun 2026 00:00:00 GMT</pubDate><category>oracle</category><category>weblogic</category><category>cve-2024-21182</category><category>cisa-kev</category><category>ransomware</category><category>t3-protocol</category><category>iiop</category><category>java-deserialization</category><category>active-exploitation</category></item><item><title>One Week After CVE-2026-41089: Taking Stock of the Netlogon Response Across Enterprise Environments</title><link>https://cipherwatch.io/articles/2026-05-31-netlogon-week-one-response-enterprise-lessons/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-31-netlogon-week-one-response-enterprise-lessons/</guid><description>Seven days after Belgium&apos;s CCB confirmed active exploitation of the Netlogon CVSS 9.8 vulnerability, the picture of enterprise response is mixed. 
Domain controllers in well-governed environments are patched; a significant population of legacy and unmanaged DCs remain exposed. This review covers the response pattern and what it reveals about enterprise patch discipline.</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>netlogon</category><category>cve-2026-41089</category><category>active-directory</category><category>patch-response</category><category>domain-controller</category><category>enterprise-security</category><category>lessons-learned</category></item><item><title>CISA KEV May 2026: Complete List of Known Exploited Vulnerabilities Added This Month and Enterprise Response Guidance</title><link>https://cipherwatch.io/articles/2026-05-30-cisa-kev-may-2026-enterprise-response-guide/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-30-cisa-kev-may-2026-enterprise-response-guide/</guid><description>CISA&apos;s Known Exploited Vulnerabilities catalogue received multiple additions in May 2026, including developer toolchain supply-chain compromises, network appliance vulnerabilities, and Microsoft Windows flaws. 
This guide consolidates the May 2026 KEV additions with enterprise response guidance for each category.</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>cisa-kev</category><category>vulnerability-management</category><category>may-2026</category><category>enterprise-response</category><category>patch-management</category><category>known-exploited</category></item><item><title>Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise</title><link>https://cipherwatch.io/articles/2026-05-29-netlogon-cve-2026-41089-domain-controller-detection/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-29-netlogon-cve-2026-41089-domain-controller-detection/</guid><description>With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation — the forensic indicators are specific and searchable.</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>netlogon</category><category>cve-2026-41089</category><category>active-directory</category><category>forensics</category><category>threat-hunting</category><category>golden-ticket</category><category>domain-controller</category><category>incident-response</category></item><item><title>Citrix NetScaler CVE-2026-3055 Forensics: Post-Exploitation Detection for SAML IDP Compromise</title><link>https://cipherwatch.io/articles/2026-05-28-citrix-netscaler-cve-2026-3055-post-exploitation-forensics/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-28-citrix-netscaler-cve-2026-3055-post-exploitation-forensics/</guid><description>With large-scale exploitation of CVE-2026-3055 confirmed as of 28 May, NetScaler ADC deployments that were internet-accessible while unpatched must be assessed for 
compromise. The SAML memory overread can leak session tokens and signing key material — understanding the forensic footprint helps determine whether compromise occurred.</description><pubDate>Thu, 28 May 2026 00:00:00 GMT</pubDate><category>citrix</category><category>netscaler</category><category>cve-2026-3055</category><category>forensics</category><category>incident-response</category><category>saml</category><category>compromise-detection</category><category>threat-hunting</category></item><item><title>Qilin Claims Sysco on Ransomware Leak Site — World&apos;s Largest Food Distributor Faces Deadline</title><link>https://cipherwatch.io/articles/2026-05-26-qilin-sysco-ransomware-food-supply-chain/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-26-qilin-sysco-ransomware-food-supply-chain/</guid><description>Qilin ransomware operators have listed Sysco Corporation — the world&apos;s largest foodservice distribution company — on their dark web extortion site, claiming to hold data extracted from the company&apos;s networks. Sysco has not confirmed a breach. 
The listing appears amid an 80 per cent rise in ransomware pressure against the food and beverage sector in Q2 2026.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>qilin</category><category>ransomware</category><category>sysco</category><category>food-sector</category><category>critical-infrastructure</category><category>data-extortion</category><category>supply-chain</category></item><item><title>Linux Kernel CVE-2026-46333: Nine-Year-Old ptrace Race Condition Leaks SSH Private Keys and Grants Root</title><link>https://cipherwatch.io/articles/2026-05-25-linux-kernel-cve-2026-46333-ptrace-ssh-key-disclosure-root/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-25-linux-kernel-cve-2026-46333-ptrace-ssh-key-disclosure-root/</guid><description>Qualys Threat Research Unit has disclosed CVE-2026-46333, a race condition in the Linux kernel ptrace subsystem affecting all major distributions since kernel 4.8 (2016). Four working privilege escalation exploits exist using SUID binaries; successful exploitation also discloses /etc/shadow and SSH host private keys. 
Patch immediately.</description><pubDate>Mon, 25 May 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>cve-2026-46333</category><category>ptrace</category><category>privilege-escalation</category><category>ssh</category><category>credential-disclosure</category><category>qualys</category></item><item><title>UniFi OS Bulletin 064 Post-Disclosure Forensics: Detecting Compromise on Ubiquiti Controllers</title><link>https://cipherwatch.io/articles/2026-05-24-unifi-os-bulletin-064-compromise-detection-forensics/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-24-unifi-os-bulletin-064-compromise-detection-forensics/</guid><description>Two days after Ubiquiti published Security Bulletin 064 with three CVSS 10.0 vulnerabilities, security teams should be confirming that patches have applied and hunting for indicators of pre-patch compromise. This guide covers the specific log sources, indicators, and commands available on UniFi OS devices for detecting exploitation activity.</description><pubDate>Sun, 24 May 2026 00:00:00 GMT</pubDate><category>ubiquiti</category><category>unifi</category><category>forensics</category><category>threat-hunting</category><category>incident-response</category><category>network-equipment</category><category>bulletin-064</category></item><item><title>GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass</title><link>https://cipherwatch.io/articles/2026-05-21-globalprotect-cve-2026-0257-compromise-forensics-threat-hunting/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-21-globalprotect-cve-2026-0257-compromise-forensics-threat-hunting/</guid><description>Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. 
This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.</description><pubDate>Thu, 21 May 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>pan-os</category><category>globalprotect</category><category>threat-hunting</category><category>forensics</category><category>cve-2026-0257</category><category>incident-response</category><category>vpn</category></item><item><title>CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update</title><link>https://cipherwatch.io/articles/2026-05-20-cisa-kev-microsoft-defender-zero-days-cve-2026-41091/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-20-cisa-kev-microsoft-defender-zero-days-cve-2026-41091/</guid><description>CISA&apos;s 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. 
The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010 indicating re-exploitation of outdated systems in active campaigns.</description><pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate><category>microsoft-defender</category><category>cisa-kev</category><category>zero-day</category><category>endpoint-security</category><category>privilege-escalation</category><category>cve-2026-41091</category><category>cve-2026-45498</category></item><item><title>Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance</title><link>https://cipherwatch.io/articles/2026-05-19-exchange-cve-2026-42897-week-one-exploitation-update/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-19-exchange-cve-2026-42897-week-one-exploitation-update/</guid><description>Microsoft Exchange Server&apos;s OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft&apos;s Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. 
Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.</description><pubDate>Tue, 19 May 2026 00:00:00 GMT</pubDate><category>exchange</category><category>cve-2026-42897</category><category>zero-day</category><category>incident-response</category><category>threat-hunting</category><category>session-hijacking</category></item><item><title>Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy</title><link>https://cipherwatch.io/articles/2026-05-18-rhel-enterprise-linux-lpe-pwn2own-response-guide/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-18-rhel-enterprise-linux-lpe-pwn2own-response-guide/</guid><description>Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.</description><pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate><category>rhel</category><category>red-hat</category><category>linux</category><category>lpe</category><category>privilege-escalation</category><category>pwn2own</category><category>enterprise-linux</category><category>patch-management</category></item><item><title>Windows 11 Yielded Four Independent LPE Paths at Pwn2Own Berlin — Kernel Attack Surface Analysis</title><link>https://cipherwatch.io/articles/2026-05-17-windows-11-four-lpe-paths-pwn2own-kernel-attack-surface/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-17-windows-11-four-lpe-paths-pwn2own-kernel-attack-surface/</guid><description>By the close of Pwn2Own Berlin 2026, researchers had demonstrated four separate, independently discovered privilege escalation paths from standard user to 
SYSTEM on fully patched Windows 11. Each exploited a different component and vulnerability class. The results indicate the Windows kernel and user/kernel boundary remain a consistently productive attack surface for skilled researchers.</description><pubDate>Sun, 17 May 2026 00:00:00 GMT</pubDate><category>windows-11</category><category>lpe</category><category>kernel</category><category>pwn2own</category><category>privilege-escalation</category><category>endpoint-security</category></item><item><title>Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs</title><link>https://cipherwatch.io/articles/2026-05-16-exchange-cve-2026-42897-threat-hunting-guide/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-16-exchange-cve-2026-42897-threat-hunting-guide/</guid><description>With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. 
This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.</description><pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate><category>exchange</category><category>cve-2026-42897</category><category>threat-hunting</category><category>incident-response</category><category>zero-day</category><category>session-hijacking</category><category>log-analysis</category></item><item><title>REMUS Infostealer Deep-Dive: Session Token Theft Evolves into MaaS Platform Targeting Browser Credentials and SaaS Sessions</title><link>https://cipherwatch.io/articles/2026-05-15-remus-infostealer-session-token-maas-platform/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-15-remus-infostealer-session-token-maas-platform/</guid><description>Security researchers published a technical analysis of REMUS, an infostealer-as-a-service platform that has rapidly evolved from simple credential harvesting to session token theft targeting enterprise SaaS applications. 
REMUS specifically targets Salesforce, Workday, ServiceNow, and Microsoft 365 session cookies to bypass MFA, and has been observed in initial access broker sales followed by ransomware deployments.</description><pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate><category>infostealer</category><category>session-hijacking</category><category>maas</category><category>browser-credentials</category><category>remus</category></item><item><title>KongTuke Initial Access Broker Pivots to Microsoft Teams Social Engineering — Five-Minute Corporate Compromise via ModeloRAT</title><link>https://cipherwatch.io/articles/2026-05-14-kongtuke-microsoft-teams-social-engineering-modelorat/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-14-kongtuke-microsoft-teams-social-engineering-modelorat/</guid><description>Initial access broker KongTuke has updated its tradecraft to use Microsoft Teams as the primary social engineering vector, impersonating IT helpdesk personas to deliver ModeloRAT via Teams file transfers to targeted employees. 
The group achieves credential theft and establishes persistence within five minutes of initial Teams contact, then sells access to ransomware affiliates within 24 hours.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>kongtuke</category><category>microsoft-teams</category><category>social-engineering</category><category>initial-access-broker</category><category>modelorat</category></item><item><title>Linux &apos;Fragnesia&apos; Kernel Privilege Escalation CVE-2026-46300 — New Dirty Frag Class Bug Exploits XFRM ESP-in-TCP for Unprivileged Root</title><link>https://cipherwatch.io/articles/2026-05-14-linux-fragnesia-kernel-lpe-cve-2026-46300/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-14-linux-fragnesia-kernel-lpe-cve-2026-46300/</guid><description>Security researchers disclosed &apos;Fragnesia,&apos; a Linux kernel privilege escalation vulnerability (CVE-2026-46300) in the XFRM framework&apos;s ESP-in-TCP fragmentation handling. The flaw follows the Dirty Frag class of fragmentation-layer bugs and enables an unprivileged local user to gain root on any affected kernel version. A proof-of-concept exploit is available. 
Kernel patches are being distributed through Linux distribution channels.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>privilege-escalation</category><category>cve-2026-46300</category><category>fragnesia</category></item><item><title>Foxconn Confirms Nitrogen Ransomware Attack on North American Factories — 8 TB of Customer Data Stolen</title><link>https://cipherwatch.io/articles/2026-05-13-foxconn-nitrogen-ransomware-north-america-8tb/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-13-foxconn-nitrogen-ransomware-north-america-8tb/</guid><description>Electronics manufacturing giant Foxconn confirmed a Nitrogen ransomware attack on its North American operations that encrypted factory systems and exfiltrated approximately 8 TB of data including Apple, NVIDIA, and Intel supply chain documentation. Production lines at multiple facilities were disrupted before recovery procedures were activated.</description><pubDate>Wed, 13 May 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>nitrogen</category><category>manufacturing</category><category>supply-chain</category><category>data-breach</category></item><item><title>MuddyWater Spent a Week Undetected Inside South Korean Electronics Giant&apos;s Network — Nine Organisations Compromised</title><link>https://cipherwatch.io/articles/2026-05-13-muddywater-iran-apt-south-korea-electronics/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-13-muddywater-iran-apt-south-korea-electronics/</guid><description>Iranian state-sponsored threat group MuddyWater (Seedworm) conducted a sustained intrusion campaign against a major South Korean electronics manufacturer, maintaining persistence for over a week before detection. Nine connected organisations were compromised through the electronics firm&apos;s supplier and partner network. 
Lateral movement used living-off-the-land techniques to evade endpoint detection.</description><pubDate>Wed, 13 May 2026 00:00:00 GMT</pubDate><category>muddywater</category><category>iran</category><category>apt</category><category>south-korea</category><category>supply-chain</category><category>lateral-movement</category></item><item><title>Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities — No Zero-Days but Wormable RCEs Demand Immediate Action</title><link>https://cipherwatch.io/articles/2026-05-12-microsoft-patch-tuesday-may-2026-120-vulnerabilities/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-12-microsoft-patch-tuesday-may-2026-120-vulnerabilities/</guid><description>Microsoft released 120 security fixes in May&apos;s Patch Tuesday update, including 17 Critical-rated vulnerabilities and no actively exploited zero-days. Among the most significant are a network-based Windows DNS Client RCE and an authenticated SharePoint Server RCE. Security teams should prioritise network-facing systems within 48 hours.</description><pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate><category>patch-tuesday</category><category>microsoft</category><category>rce</category><category>windows</category><category>cve</category></item><item><title>Australia ACSC Warns of ClickFix Campaign Delivering Vidar Infostealer — Fake CAPTCHA Bypass Technique Targeting Enterprise Users</title><link>https://cipherwatch.io/articles/2026-05-11-acsc-australia-clickfix-vidar-stealer-advisory/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-11-acsc-australia-clickfix-vidar-stealer-advisory/</guid><description>The Australian Cyber Security Centre has issued a warning about an active ClickFix social engineering campaign delivering Vidar infostealer malware. ClickFix presents victims with fake CAPTCHA or browser-fix dialogs that instruct them to run PowerShell commands, bypassing standard malware delivery defences. 
The campaign has been observed across multiple Australian industry sectors.</description><pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate><category>clickfix</category><category>vidar</category><category>infostealer</category><category>social-engineering</category><category>powershell</category><category>acsc</category><category>australia</category><category>enterprise-threat</category></item><item><title>Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery</title><link>https://cipherwatch.io/articles/2026-05-11-ai-developed-zero-day-2fa-bypass-google-gtig/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-11-ai-developed-zero-day-2fa-bypass-google-gtig/</guid><description>Google&apos;s Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.</description><pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate><category>ai-security</category><category>zero-day</category><category>threat-intelligence</category><category>exploitation</category><category>google-gtig</category><category>2fa-bypass</category></item><item><title>MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration</title><link>https://cipherwatch.io/articles/2026-05-10-microstealer-discord-exfil-education-telecom/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-10-microstealer-discord-exfil-education-telecom/</guid><description>ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. 
MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.</description><pubDate>Sun, 10 May 2026 00:00:00 GMT</pubDate><category>infostealer</category><category>microstealer</category><category>discord-abuse</category><category>credential-theft</category><category>education-sector</category><category>telecom</category><category>malware</category><category>low-detection</category></item><item><title>Calendly-Themed AiTM Phishing Kits Rise with Real-Time Socket.IO and Telegram Exfiltration</title><link>https://cipherwatch.io/articles/2026-05-09-calendly-phishing-kits-socketio-telegram-aitm/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-09-calendly-phishing-kits-socketio-telegram-aitm/</guid><description>urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. 
The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the attack infrastructure highly operationally efficient while appearing to originate from legitimate Calendly sessions.</description><pubDate>Sat, 09 May 2026 00:00:00 GMT</pubDate><category>phishing</category><category>aitm</category><category>calendly</category><category>social-engineering</category><category>credential-theft</category><category>socketio</category><category>telegram</category><category>mfa-bypass</category><category>enterprise</category></item><item><title>CallPhantom: 28 Fake Android Apps with 7.3M Play Store Downloads Charged for Fabricated Call Data</title><link>https://cipherwatch.io/articles/2026-05-09-callphantom-android-fake-call-history-7m-downloads/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-09-callphantom-android-fake-call-history-7m-downloads/</guid><description>ESET researchers have identified 28 Android applications — collectively downloaded 7.3 million times from the Google Play Store — that charged users for access to fabricated call history, SMS logs, and WhatsApp message records that the apps could not actually retrieve. 
The CallPhantom campaign, active primarily in India and South-East Asia, combines financial fraud (charging for non-existent data) with personal data collection used for follow-on targeting.</description><pubDate>Sat, 09 May 2026 00:00:00 GMT</pubDate><category>android</category><category>google-play</category><category>mobile-security</category><category>fraud</category><category>fake-apps</category><category>eset</category><category>india</category><category>apac</category><category>mobile-malware</category><category>financial-fraud</category></item><item><title>PamDOORa: Linux Post-Exploitation PAM Module Backdoor Sold on Dark Web for $1,600</title><link>https://cipherwatch.io/articles/2026-05-08-pamdoora-linux-backdoor-pam-module-darkweb/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-08-pamdoora-linux-backdoor-pam-module-darkweb/</guid><description>Flare.io researchers have identified PamDOORa, a commercially available Linux backdoor sold for $1,600 on a Russian-language underground forum. 
PamDOORa installs as a malicious PAM (Pluggable Authentication Module) on compromised Linux systems, creating a persistent hidden SSH access mechanism that activates via a magic password and a TCP port — while also harvesting the credentials of all legitimate users who authenticate to the system.</description><pubDate>Fri, 08 May 2026 00:00:00 GMT</pubDate><category>linux</category><category>backdoor</category><category>pam</category><category>ssh</category><category>post-exploitation</category><category>malware-as-a-service</category><category>credential-harvesting</category><category>dark-web</category><category>persistence</category></item><item><title>TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms</title><link>https://cipherwatch.io/articles/2026-05-08-tclbanker-banking-trojan-whatsapp-outlook-worm/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-08-tclbanker-banking-trojan-whatsapp-outlook-worm/</guid><description>Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. 
The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.</description><pubDate>Fri, 08 May 2026 00:00:00 GMT</pubDate><category>banking-trojan</category><category>malware</category><category>tclbanker</category><category>whatsapp</category><category>outlook</category><category>worm</category><category>credential-theft</category><category>financial-fraud</category><category>dll-sideloading</category></item><item><title>Linux &apos;Dirty Frag&apos; Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch</title><link>https://cipherwatch.io/articles/2026-05-06-linux-dirty-frag-kernel-lpe-zero-day-poc-public/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-06-linux-dirty-frag-kernel-lpe-zero-day-poc-public/</guid><description>Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. 
No CVE ID or kernel patch has been issued at time of disclosure.</description><pubDate>Wed, 06 May 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>lpe</category><category>zero-day</category><category>poc-public</category><category>ubuntu</category><category>rhel</category><category>local-privilege-escalation</category><category>unpatched</category></item><item><title>Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days</title><link>https://cipherwatch.io/articles/2026-05-05-microsoft-aitm-phishing-35000-users-26-countries/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-05-microsoft-aitm-phishing-35000-users-26-countries/</guid><description>Microsoft Threat Intelligence has published analysis of a highly targeted adversary-in-the-middle phishing campaign that compromised 35,000 user accounts across healthcare and financial services organisations in 26 countries during a 48-hour window in April 2026. 
The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, bypassing standard MFA via real-time session token interception.</description><pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate><category>phishing</category><category>aitm</category><category>microsoft-365</category><category>mfa-bypass</category><category>threat-intelligence</category><category>healthcare</category><category>financial-services</category><category>session-hijacking</category></item><item><title>Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure</title><link>https://cipherwatch.io/articles/2026-05-04-five-eyes-volt-flax-typhoon-soho-botnet-cni/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-04-five-eyes-volt-flax-typhoon-soho-botnet-cni/</guid><description>A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and Four Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. 
Organisations should audit edge device inventories and enforce firmware update policies.</description><pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate><category>volt-typhoon</category><category>flax-typhoon</category><category>china</category><category>soho-routers</category><category>botnet</category><category>critical-infrastructure</category><category>five-eyes</category><category>nation-state</category></item><item><title>MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users</title><link>https://cipherwatch.io/articles/2026-05-04-macsync-stealer-homebrew-malvertising-macos/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-04-macsync-stealer-homebrew-malvertising-macos/</guid><description>A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager — a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. 
macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.</description><pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate><category>macos</category><category>malvertising</category><category>infostealer</category><category>homebrew</category><category>developer-security</category><category>credential-theft</category><category>apple</category></item><item><title>AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts</title><link>https://cipherwatch.io/articles/2026-05-03-accountdumpling-google-appsheet-facebook-phishing/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-03-accountdumpling-google-appsheet-facebook-phishing/</guid><description>The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet — a legitimate no-code application platform — to bypass spam filters and email security gateways. 
The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.</description><pubDate>Sun, 03 May 2026 00:00:00 GMT</pubDate><category>phishing</category><category>facebook</category><category>google-appsheet</category><category>bec</category><category>saas-abuse</category><category>account-takeover</category><category>threat-intelligence</category></item><item><title>China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants</title><link>https://cipherwatch.io/articles/2026-05-03-shadow-earth-053-shadowpad-asian-governments/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-03-shadow-earth-053-shadowpad-asian-governments/</guid><description>Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state&apos;s foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. 
The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.</description><pubDate>Sun, 03 May 2026 00:00:00 GMT</pubDate><category>china</category><category>shadowpad</category><category>apt</category><category>government-targeting</category><category>exchange-server</category><category>threat-intelligence</category><category>espionage</category></item><item><title>&apos;Sorry&apos; Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch</title><link>https://cipherwatch.io/articles/2026-05-02-cpanel-sorry-ransomware-44k-hosts/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-02-cpanel-sorry-ransomware-44k-hosts/</guid><description>A ransomware group tracked as &apos;Sorry&apos; has leveraged the recently patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability&apos;s public patch release. 
The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.</description><pubDate>Sat, 02 May 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>actively-exploited</category><category>cpanel-whm</category><category>mass-exploitation</category><category>linux-ransomware</category><category>incident-response</category></item><item><title>VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi</title><link>https://cipherwatch.io/articles/2026-05-01-vect-ransomware-destructive-cross-platform/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-01-vect-ransomware-destructive-cross-platform/</guid><description>VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.</description><pubDate>Fri, 01 May 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>destructive-malware</category><category>vect</category><category>cross-platform</category><category>esxi</category><category>incident-response</category><category>business-continuity</category></item><item><title>Wazuh SIEM/XDR Platform CVE-2026-30893 — CVSS 9.0 Remote Code Execution in Enterprise SOC Infrastructure</title><link>https://cipherwatch.io/articles/2026-04-30-wazuh-cve-2026-30893-siem-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-30-wazuh-cve-2026-30893-siem-rce/</guid><description>CVE-2026-30893, rated CVSS 9.0, is a remote code execution vulnerability in the Wazuh open-source security platform affecting versions 4.x and later. 
Wazuh is widely deployed as a SIEM, XDR, and compliance platform in enterprise SOC environments. Compromising the Wazuh manager means compromising your security monitoring backbone — patch to 4.11.2 immediately.</description><pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate><category>wazuh</category><category>siem</category><category>xdr</category><category>cve-2026-30893</category><category>rce</category><category>soc-infrastructure</category><category>security-monitoring</category></item><item><title>CISA KEV Additions: Windows Shell Spoofing CVE-2026-32202 and Cisco SD-WAN Sensitive File Exposure CVE-2026-20133</title><link>https://cipherwatch.io/articles/2026-04-29-cisa-kev-windows-shell-cisco-sdwan-april-roundup/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-29-cisa-kev-windows-shell-cisco-sdwan-april-roundup/</guid><description>CISA&apos;s late-April Known Exploited Vulnerabilities additions include a Windows Shell protection mechanism failure under active exploitation and a Cisco Catalyst SD-WAN Manager flaw allowing unauthenticated access to sensitive OS files. 
Federal agencies face a May 12 remediation deadline for CVE-2026-32202; enterprise organisations should treat both additions as confirmation of active threat actor interest and patch accordingly.</description><pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate><category>cisa-kev</category><category>windows</category><category>cisco-sd-wan</category><category>actively-exploited</category><category>patch-management</category><category>cve-2026-32202</category><category>cve-2026-20133</category></item><item><title>Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable</title><link>https://cipherwatch.io/articles/2026-04-28-silk-typhoon-xu-zewei-extradition-mss-exchange/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-28-silk-typhoon-xu-zewei-extradition-mss-exchange/</guid><description>Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. 
The extradition marks the first successful prosecution of a Silk Typhoon operator and sends a direct signal to MSS-affiliated cyber operators.</description><pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate><category>apt</category><category>silk-typhoon</category><category>china</category><category>extradition</category><category>mss</category><category>exchange-server</category><category>threat-intelligence</category></item><item><title>Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected</title><link>https://cipherwatch.io/articles/2026-04-27-itron-smart-grid-breach-sec-filing/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-27-itron-smart-grid-breach-sec-filing/</guid><description>Itron, the world&apos;s largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.</description><pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate><category>breach</category><category>critical-infrastructure</category><category>sec-disclosure</category><category>smart-grid</category><category>third-party-risk</category></item><item><title>Microsoft Issues Emergency Patch KB5091157 After April Updates Crash Domain Controllers</title><link>https://cipherwatch.io/articles/2026-04-26-microsoft-oob-patch-kb5091157-domain-controller-crash/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-26-microsoft-oob-patch-kb5091157-domain-controller-crash/</guid><description>Microsoft&apos;s April 2026 Patch Tuesday updates triggered LSASS crash-reboot loops on non-Global Catalogue domain controllers in PAM-enabled deployments and forced some Windows Server 2025 systems into BitLocker recovery mode. 
Emergency out-of-band updates were released April 19 for all affected Server versions. Immediate installation is required — affected DCs cause complete authentication outages across their domains.</description><pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate><category>microsoft</category><category>windows-server</category><category>domain-controller</category><category>patch-management</category><category>active-directory</category><category>out-of-band</category></item><item><title>FIRESTARTER Backdoor Persists on Cisco Firepower Devices After Patching — Federal Agency Confirmed Victim</title><link>https://cipherwatch.io/articles/2026-04-25-firestarter-backdoor-cisco-firepower-ftd-asa/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-25-firestarter-backdoor-cisco-firepower-ftd-asa/</guid><description>A joint CISA and NCSC advisory reveals FIRESTARTER, a sophisticated backdoor implanted on Cisco FTD and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Defenders must verify device integrity rather than assume patching closed the access.</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>cisco</category><category>firepower</category><category>backdoor</category><category>nation-state</category><category>actively-exploited</category><category>cisa-advisory</category></item><item><title>Tropic Trooper APT Delivers AdaptixC2 via Trojanised SumatraPDF Installer and GitHub C2 Relay</title><link>https://cipherwatch.io/articles/2026-04-25-tropic-trooper-adaptixc2-sumatrapdf-github-c2/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-25-tropic-trooper-adaptixc2-sumatrapdf-github-c2/</guid><description>The Chinese APT group Tropic Trooper has been observed deploying the AdaptixC2 post-exploitation framework through a malicious SumatraPDF installer distributed from a convincing lookalike site. 
Command-and-control communications are routed through GitHub&apos;s REST API, blending malicious traffic with the high-volume legitimate developer activity that most enterprises whitelist.</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>tropic-trooper</category><category>apt</category><category>china-nexus</category><category>github-c2</category><category>adaptixc2</category><category>threat-intel</category></item><item><title>UNC6692 Abuses Microsoft Teams to Deliver SNOW Malware via IT Help Desk Vishing</title><link>https://cipherwatch.io/articles/2026-04-24-unc6692-microsoft-teams-vishing-snow-malware/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-unc6692-microsoft-teams-vishing-snow-malware/</guid><description>Threat actor UNC6692 is impersonating IT help desk staff via Microsoft Teams to socially engineer victims into installing SNOW malware. The campaign exploits trusted internal communication channels where detection tooling is typically absent — immediate Teams external access policy review is recommended.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>social-engineering</category><category>microsoft-teams</category><category>malware</category><category>vishing</category><category>threat-intelligence</category></item><item><title>Kyber Ransomware Deploys Dual Windows and VMware ESXi Variants — Claims Post-Quantum Encryption</title><link>https://cipherwatch.io/articles/2026-04-23-kyber-ransomware-windows-esxi-post-quantum/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-23-kyber-ransomware-windows-esxi-post-quantum/</guid><description>A new ransomware operation named Kyber is targeting enterprise Windows servers and VMware ESXi infrastructure with two distinct variants analysed by Rapid7. 
The Windows variant written in Rust implements genuine Kyber1024 post-quantum key encapsulation; the ESXi variant falsely markets the same capability while using ChaCha8 and RSA-4096. Both variants share Tor-based ransom infrastructure and have been deployed simultaneously on the same networks.</description><pubDate>Thu, 23 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>kyber</category><category>post-quantum</category><category>vmware-esxi</category><category>windows</category><category>hyper-v</category><category>rapid7</category></item><item><title>Two Unpatched Windows Defender Zero-Days (RedSun + UnDefend) Actively Exploited — No Fix Available</title><link>https://cipherwatch.io/articles/2026-04-20-redsun-undefend-windows-defender-zero-days-unpatched/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-20-redsun-undefend-windows-defender-zero-days-unpatched/</guid><description>A security researcher released two additional Windows Defender zero-days — RedSun and UnDefend — after Microsoft failed to patch them. RedSun exploits Defender&apos;s cloud file rollback mechanism to achieve SYSTEM privileges on all supported Windows versions. UnDefend silently prevents Defender from updating its threat signatures. 
Both are confirmed exploited in the wild, and neither has a patch or assigned CVE.</description><pubDate>Mon, 20 Apr 2026 00:00:00 GMT</pubDate><category>windows-defender</category><category>zero-day</category><category>privilege-escalation</category><category>unpatched</category><category>redsun</category><category>undefend</category><category>lpe</category><category>bluehammer</category><category>edr-bypass</category><category>actively-exploited</category></item><item><title>Payouts King Ransomware Deploys Hidden QEMU VMs to Blind Endpoint Security — New EDR Evasion Technique</title><link>https://cipherwatch.io/articles/2026-04-19-payouts-king-qemu-vm-edr-bypass-ransomware/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-19-payouts-king-qemu-vm-edr-bypass-ransomware/</guid><description>The Payouts King ransomware operation, linked to former BlackBasta affiliates, has introduced a novel EDR bypass: deploying a legitimate QEMU virtual machine running Alpine Linux on compromised Windows hosts. 
Because endpoint security agents cannot inspect inside the VM, attackers operate the full intrusion — credential theft, lateral movement, and data exfiltration — completely invisible to host-level detection.</description><pubDate>Sun, 19 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>edr-bypass</category><category>qemu</category><category>payouts-king</category><category>stac4713</category><category>gold-encounter</category><category>blackbasta</category><category>vm-evasion</category><category>credential-theft</category></item><item><title>April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers — No Fix Yet</title><link>https://cipherwatch.io/articles/2026-04-18-april-patch-kb5082063-dc-lsass-reboot-loop/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-18-april-patch-kb5082063-dc-lsass-reboot-loop/</guid><description>KB5082063, Microsoft&apos;s April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. 
Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.</description><pubDate>Sat, 18 Apr 2026 00:00:00 GMT</pubDate><category>patch-tuesday</category><category>windows-server</category><category>active-directory</category><category>lsass</category><category>incident-response</category><category>microsoft</category></item><item><title>Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Use-After-Free in WebGPU</title><link>https://cipherwatch.io/articles/2026-04-15-chrome-cve-2026-5281-fourth-zero-day-2026/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-15-chrome-cve-2026-5281-fourth-zero-day-2026/</guid><description>Google has patched CVE-2026-5281, a use-after-free vulnerability in Chrome&apos;s Dawn WebGPU implementation that is being actively exploited in the wild. This is the fourth Chrome zero-day exploited in attacks in 2026. CISA added it to the KEV catalogue on 1 April with a deadline of 15 April for federal agencies. Update to Chrome 146.0.7680.177/178.</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>chrome</category><category>zero-day</category><category>google</category><category>browser-security</category><category>cisa-kev</category><category>use-after-free</category><category>webgpu</category></item><item><title>Microsoft April 2026 Patch Tuesday: 167 Flaws Patched Including Two Zero-Days</title><link>https://cipherwatch.io/articles/2026-04-15-microsoft-april-patch-tuesday-167-flaws-two-zero-days/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-15-microsoft-april-patch-tuesday-167-flaws-two-zero-days/</guid><description>Microsoft&apos;s April 2026 Patch Tuesday addresses 167 vulnerabilities, including an actively exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly disclosed Defender elevation-of-privilege flaw. 
Eight Critical-rated vulnerabilities include a CVSS 9.8 IKE RCE and a Critical Active Directory RCE assessed as exploitation more likely.</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>patch-tuesday</category><category>microsoft</category><category>zero-day</category><category>sharepoint</category><category>windows</category><category>active-directory</category><category>rce</category></item><item><title>North Korea&apos;s UNC4736 Spent Six Months Infiltrating Drift Protocol Before Stealing $285 Million</title><link>https://cipherwatch.io/articles/2026-04-15-north-korea-unc4736-drift-protocol-285m-defi-heist/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-15-north-korea-unc4736-drift-protocol-285m-defi-heist/</guid><description>North Korean state hackers (UNC4736/AppleJeus) executed a meticulously planned six-month social engineering operation against Drift Protocol, culminating in a $285 million theft from the Solana DeFi platform on 1 April 2026. 
The attack leveraged fabricated tokens and pre-signed transactions to hand attackers admin control — the largest DeFi exploit of 2026 and the second-largest in Solana&apos;s history.</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>north-korea</category><category>unc4736</category><category>defi</category><category>crypto</category><category>social-engineering</category><category>solana</category><category>supply-chain</category><category>financial-crime</category></item><item><title>Adobe Acrobat Reader Zero-Day CVE-2026-34621 Exploited for Four Months Before Patch</title><link>https://cipherwatch.io/articles/2026-04-13-adobe-acrobat-cve-2026-34621-zero-day-pdf-exploit/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-13-adobe-acrobat-cve-2026-34621-zero-day-pdf-exploit/</guid><description>Adobe has released an emergency patch for CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader that has been actively exploited since at least November 2025. Opening a crafted PDF triggers JavaScript execution that fingerprints the victim&apos;s system and can deploy RCE and sandbox escape payloads. 
CISA added the CVE to the KEV catalogue the same day, requiring federal agencies to patch by 27 April.</description><pubDate>Mon, 13 Apr 2026 00:00:00 GMT</pubDate><category>adobe</category><category>acrobat</category><category>pdf</category><category>zero-day</category><category>prototype-pollution</category><category>rce</category><category>cisa-kev</category><category>endpoint</category></item><item><title>BlueHammer Windows LPE Zero-Day Gives Attackers SYSTEM Access — No Patch Available</title><link>https://cipherwatch.io/articles/2026-04-10-bluehammer-windows-lpe-zero-day/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-10-bluehammer-windows-lpe-zero-day/</guid><description>A publicly disclosed zero-day local privilege escalation vulnerability in Windows Defender&apos;s signature-update mechanism allows any authenticated user to escalate to SYSTEM. Named BlueHammer by researchers at Cyderes, the flaw has a working public exploit and no Microsoft patch as of publication. 
Security teams should implement interim mitigations immediately.</description><pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate><category>windows</category><category>zero-day</category><category>privilege-escalation</category><category>lpe</category><category>windows-defender</category><category>microsoft</category><category>toctou</category><category>unpatched</category><category>bluehammer</category></item><item><title>DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation</title><link>https://cipherwatch.io/articles/2026-04-09-drift-285m-dprk-social-engineering/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-09-drift-285m-dprk-social-engineering/</guid><description>North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. 
The incident reveals social engineering tactics directly transferable to enterprise environments.</description><pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate><category>north-korea</category><category>dprk</category><category>unc4736</category><category>citrine-sleet</category><category>social-engineering</category><category>defi</category><category>crypto</category><category>multisig</category><category>incident-response</category><category>threat-intelligence</category></item><item><title>Storm-1175 Deploys Medusa Ransomware Within 24 Hours Using Zero-Day Exploits</title><link>https://cipherwatch.io/articles/2026-04-08-storm-1175-medusa-zero-day-rapid-ransomware/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-08-storm-1175-medusa-zero-day-rapid-ransomware/</guid><description>Microsoft has identified Storm-1175, a China-linked financially motivated threat group, as the affiliate behind a surge in Medusa ransomware deployments exploiting zero-day and n-day vulnerabilities in internet-facing systems. 
The group is exploiting vulnerabilities within days — sometimes within 24 hours — of public disclosure, with particular focus on healthcare, education, and finance sectors in the US, UK, and Australia.</description><pubDate>Wed, 08 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>medusa</category><category>storm-1175</category><category>zero-day</category><category>threat-intel</category><category>healthcare</category><category>china</category><category>smartermail</category><category>mft</category></item><item><title>Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances</title><link>https://cipherwatch.io/articles/2026-04-07-signature-healthcare-anubis-ransomware/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-07-signature-healthcare-anubis-ransomware/</guid><description>A ransomware attack on Signature Healthcare&apos;s Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. 
The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.</description><pubDate>Tue, 07 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>healthcare</category><category>anubis</category><category>incident-response</category><category>operational-impact</category><category>hipaa</category></item><item><title>Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption</title><link>https://cipherwatch.io/articles/2026-04-06-qilin-warlock-byovd-edr-300-tools-disabled/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-06-qilin-warlock-byovd-edr-300-tools-disabled/</guid><description>Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. 
The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.</description><pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>qilin</category><category>warlock</category><category>byovd</category><category>edr</category><category>endpoint-security</category><category>kernel-driver</category><category>defense-evasion</category></item><item><title>Qilin Ransomware Posts Record 131 Victims in March — Third Consecutive Month Above 100</title><link>https://cipherwatch.io/articles/2026-04-01-qilin-ransomware-131-victims-march-record/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-01-qilin-ransomware-131-victims-march-record/</guid><description>Qilin ransomware posted 131 confirmed victims in March 2026, its highest monthly total since emerging as a major ransomware-as-a-service operation. This marks three consecutive months above 100 victims — a sustained tempo that no tracked ransomware group has previously achieved. 
Healthcare, manufacturing, and professional services bear the heaviest burden, with the US accounting for half of all March ransomware victims across all groups.</description><pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>qilin</category><category>threat-intelligence</category><category>healthcare</category><category>manufacturing</category><category>ras</category></item><item><title>CISA Publishes Dual ICS Advisories Covering Critical Flaws in Rockwell and Siemens OT Products</title><link>https://cipherwatch.io/articles/2026-03-31-cisa-ics-advisories-icsa-26-090-industrial-control/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-31-cisa-ics-advisories-icsa-26-090-industrial-control/</guid><description>CISA released two industrial control system advisories on 31 March — ICSA-26-090-01 and ICSA-26-090-02 — covering critical and high-severity vulnerabilities in Rockwell Automation ControlLogix and Siemens SIMATIC S7 products. 
The advisories follow a pattern of stepped-up CISA ICS disclosure activity in March and arrive against a backdrop of active Iranian-affiliated targeting of operational technology environments.</description><pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate><category>ics</category><category>ot</category><category>scada</category><category>rockwell</category><category>siemens</category><category>cisa</category><category>critical-infrastructure</category><category>plc</category></item><item><title>Cyberattack Hits European Commission Europa Web Platform — Data Taken From Hosted Websites</title><link>https://cipherwatch.io/articles/2026-03-28-european-commission-europa-platform-breach/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-28-european-commission-europa-platform-breach/</guid><description>The European Commission confirmed on 27 March that a cyberattack struck the cloud infrastructure hosting the Europa web platform on 24 March 2026, with early forensic findings indicating data was exfiltrated from affected websites. The Commission operates hundreds of websites across the europa.eu domain hosting EU policy documents, consultation portals, and public databases. 
The incident is under investigation.</description><pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate><category>european-commission</category><category>europa</category><category>breach</category><category>cloud</category><category>eu</category><category>government</category><category>data-exfiltration</category><category>web-platform</category></item><item><title>Qilin Claims ASB Saarland Attack — 72 GB Stolen From German Humanitarian Organisation</title><link>https://cipherwatch.io/articles/2026-03-27-qilin-asb-saarland-72gb-data-theft/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-27-qilin-asb-saarland-72gb-data-theft/</guid><description>Qilin ransomware claimed responsibility for a cyberattack against ASB Saarland, a German humanitarian and social services organisation, alleging theft of 72 GB of data including employee records, applicant data, health-related information, and client data. The attack continues Qilin&apos;s record-breaking March 2026 activity, during which the group claimed 131 victims — their highest monthly total — driven by wide deployment of BYOVD techniques to defeat endpoint detection.</description><pubDate>Fri, 27 Mar 2026 00:00:00 GMT</pubDate><category>qilin</category><category>ransomware</category><category>germany</category><category>data-theft</category><category>humanitarian</category><category>healthcare</category><category>byovd</category><category>edr-bypass</category><category>social-services</category></item><item><title>UAC-0255 Impersonates CERT-UA to Target Ukrainian Government, Healthcare, and Finance</title><link>https://cipherwatch.io/articles/2026-03-26-uac-0255-cert-ua-phishing-ukraine-orgs/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-26-uac-0255-cert-ua-phishing-ukraine-orgs/</guid><description>Russian-linked threat actor UAC-0255 launched a targeted phishing campaign on 26–27 March posing as CERT-UA, Ukraine&apos;s national computer emergency response team, to deliver 
malware to state organisations, medical centres, financial institutions, and software development companies. The campaign uses CERT-UA brand authority to lower recipient suspicion of archive attachments containing remote access implants.</description><pubDate>Thu, 26 Mar 2026 00:00:00 GMT</pubDate><category>ukraine</category><category>uac-0255</category><category>phishing</category><category>cert-ua</category><category>spear-phishing</category><category>russia</category><category>social-engineering</category><category>ot</category><category>government</category><category>healthcare</category></item><item><title>DarkSword Apple Exploit Chain Adds Three CVEs to CISA KEV — Federal Deadline April 3</title><link>https://cipherwatch.io/articles/2026-03-23-darksword-apple-exploit-chain-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-23-darksword-apple-exploit-chain-cisa-kev/</guid><description>CISA has added three vulnerabilities from the DarkSword iOS/macOS exploit chain to its Known Exploited Vulnerabilities catalogue, mandating federal agencies patch all Apple devices by 3 April. 
DarkSword is a multi-stage attack framework linking six chained vulnerabilities to achieve full kernel compromise across iOS, iPadOS, macOS, watchOS, and tvOS — with no user interaction required beyond visiting a malicious webpage.</description><pubDate>Mon, 23 Mar 2026 00:00:00 GMT</pubDate><category>apple</category><category>ios</category><category>macos</category><category>zero-day</category><category>darksword</category><category>cisa-kev</category><category>webkit</category><category>kernel</category><category>cve-2025-31277</category><category>cve-2025-43510</category><category>cve-2025-43520</category><category>supply-chain</category></item><item><title>China-Nexus UNC6201 Exploits Dell RecoverPoint CVSS 10.0 Flaw to Deploy BRICKSTORM Backdoors</title><link>https://cipherwatch.io/articles/2026-03-22-dell-recoverpoint-cve-2026-22769-unc6201-china-nexus/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-22-dell-recoverpoint-cve-2026-22769-unc6201-china-nexus/</guid><description>A hardcoded credentials vulnerability in Dell RecoverPoint data replication appliances (CVE-2026-22769, CVSS 10.0) has been exploited since mid-2024 by the China-nexus threat cluster UNC6201, who use access to deploy BRICKSTORM and GRIMBOLT backdoors via a SLAYSTYLE web shell. CISA added the vulnerability to the KEV catalogue in February. 
Organisations running Dell RecoverPoint should patch immediately and hunt for indicators of compromise.</description><pubDate>Sun, 22 Mar 2026 00:00:00 GMT</pubDate><category>dell</category><category>recoverpoint</category><category>hardcoded-credentials</category><category>china-nexus</category><category>unc6201</category><category>apt</category><category>brickstorm</category><category>espionage</category><category>cisa-kev</category><category>data-replication</category></item><item><title>Qualcomm Android Flaw CVE-2026-21385 Exploited in Targeted Attacks — Patch in March Android Security Update</title><link>https://cipherwatch.io/articles/2026-03-22-qualcomm-android-cve-2026-21385-targeted-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-22-qualcomm-android-cve-2026-21385-targeted-exploitation/</guid><description>A memory corruption vulnerability in Qualcomm mobile chipset firmware has been confirmed as exploited in limited, targeted attacks. The flaw is addressed in the March 2026 Android Security Bulletin, which patches 129 vulnerabilities across the Android ecosystem. CISA added CVE-2026-21385 to the Known Exploited Vulnerabilities catalogue on 3 March with a 24 March federal deadline.</description><pubDate>Sun, 22 Mar 2026 00:00:00 GMT</pubDate><category>android</category><category>qualcomm</category><category>mobile-security</category><category>cisa-kev</category><category>firmware</category><category>targeted-attack</category><category>memory-corruption</category></item></channel></rss>