
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 16:45 12/03/2026 UTC
  • Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858, CVE-2026-25049, CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch n8n instances by March 25, 2026, due to active exploitation of this critical remote code execution (RCE) flaw. Meanwhile, Pillar Security has disclosed two new critical vulnerabilities (CVE-2026-27577 and CVE-2026-27493), with the latter being a zero-click, unauthenticated flaw that allows full server compromise via public form endpoints (e.g., a "Contact Us" form) without requiring authentication or user interaction. Over 40,000 unpatched instances remain exposed globally, with 18,000+ in North America and 14,000+ in Europe, per Shadowserver data. This development follows a series of critical n8n vulnerabilities disclosed since late 2025, including CVE-2026-21877 (CVSS 10.0), CVE-2026-21858 (unauthenticated RCE), and four March 2026 flaws (CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497) enabling sandbox escapes, credential theft, and unauthenticated expression injection. Affected versions span <1.123.22, >=2.0.0 <2.9.3, and >=2.10.0 <2.10.1, with patches available in 1.123.22, 2.9.3, and 2.10.1. The platform’s widespread use in AI orchestration and enterprise automation—coupled with its storage of API keys, database credentials, and cloud secrets—makes it a prime target for attackers seeking full server compromise or lateral movement into connected systems.
  • Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack: The UNC6426 threat actor has weaponized credentials stolen during the August 2025 nx npm supply-chain attack to execute a rapid cloud breach, escalating from a compromised GitHub token to full AWS administrator access in under 72 hours. By abusing GitHub-to-AWS OpenID Connect (OIDC) trust, the attacker deployed a new IAM role with `AdministratorAccess`, exfiltrated S3 bucket data, terminated production EC2/RDS instances, and publicly exposed the victim’s private repositories under the `/s1ngularity-repository-[randomcharacters]` naming scheme. This follows the broader Shai-Hulud and SANDWORM_MODE campaigns, which collectively compromised over 400,000 secrets via trojanized npm packages, GitHub Actions abuse, and AI-assisted credential harvesting (e.g., QUIETVAULT malware leveraging LLM tools). The attack chain began with the Pwn Request exploitation of a vulnerable `pull_request_target` workflow in nx, leading to trojanized package publication and theft of GitHub Personal Access Tokens (PATs). UNC6426 later used tools like Nord Stream to extract CI/CD secrets, highlighting the risks of overprivileged OIDC roles and standing cloud permissions. Researchers warn of escalating supply chain risks, including self-propagating worms (Shai-Hulud), PackageGate vulnerabilities bypassing npm defenses, and AI-assisted prompt injection targeting developer workflows. Mitigations include disabling postinstall scripts, enforcing least-privilege access, and rotating all credentials tied to npm, GitHub, and cloud providers.
  • Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 84 Flaws: Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution flaws and information disclosure flaws. The patches cover a range of vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business. Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update.
  • SocksEscort Proxy Network Disrupted by Law Enforcement: Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business.
  • Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets: Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real-time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.
  • Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage: Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns. Additionally, the INC ransomware operation has been targeting healthcare organizations in Oceania, including Australia, New Zealand, and Tonga. The Australian Cyber Security Centre (ACSC), CERT Tonga, and New Zealand's National Cyber Security Centre (NCSC) issued a joint advisory on March 6, 2026, about INC's targeting of critical networks in the region. INC initially focused on the US and the UK but expanded to Australia in the summer of 2024, targeting professional services and healthcare industries. The ACSC responded to 11 INC ransomware attacks in Australia between July 2024 and December 2025, predominantly affecting healthcare or professional services companies.
  • Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports: FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.
Last updated: 16:15 12/03/2026 UTC
  • Windows 11 KB5070311 Update Addresses File Explorer and Search Issues: Microsoft has released the KB5070311 optional preview cumulative update for Windows 11, addressing File Explorer freezes, search issues, and other bugs. The update includes 49 changes and is part of the monthly preview updates that precede Patch Tuesday releases. It fixes issues with explorer.exe process responsiveness, SMB share search problems, and LSASS instability. However, the update also introduced a new bug causing bright white flashes when launching File Explorer in dark mode. Microsoft has since fixed this issue with the December KB5072033 Patch Tuesday cumulative update. The update is available for manual installation and updates Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309, respectively. Additionally, Microsoft announced there will be no preview update in December 2025 due to minimal operations during the Western holidays, with normal updates resuming in January 2026. Microsoft is still working to fully address the File Explorer white flash issue in dark mode, with the bug fix rolling out to all Windows Insiders in the Beta and Dev channels who install the Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385) preview builds. The latest Windows 11 preview builds also add support for voice typing (Windows key plus H) when renaming files in File Explorer and improve reliability when unblocking files downloaded from the internet to preview them in File Explorer. Starting in November, Microsoft began testing an optional Windows 11 feature that preloads File Explorer in the background to improve performance and speed up launch times.
  • U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly: The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024. The FBI began investigating abnormal log information related to a system on its network on February 17, 2026, and the affected system contains law enforcement sensitive information, including returns from legal process such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.
  • Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data: Salesforce is warning customers of an escalating mass-scanning campaign targeting misconfigured Experience Cloud instances, now linked to ShinyHunters (UNC6240), which claims to have breached hundreds of companies—including 100 high-profile organizations—by exploiting overly permissive guest user permissions. The attackers are using a modified AuraInspector tool to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to Private, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the August 2025 Salesloft Drift OAuth breach, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a shift to exploiting misconfigured guest access—though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for follow-on vishing and social engineering, aligning with broader identity-based targeting trends.
  • QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials: The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.
  • OpenAI's Aardvark agent for automated code vulnerability detection and patching: OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5, designed to automatically detect, assess, and patch security vulnerabilities in code repositories. The agent integrates into the software development pipeline to continuously monitor code changes and propose fixes. Aardvark has already identified at least 10 CVEs in open-source projects during its beta testing phase. The agent uses GPT-5's advanced reasoning capabilities and a sandboxed environment to validate and patch vulnerabilities. OpenAI envisions Aardvark as a tool to enhance security without hindering innovation. OpenAI has rolled out Codex Security, an evolution of Aardvark, which is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers. Codex Security has scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings. The tool leverages advanced models and automated validation to minimize false positives and propose actionable fixes.

Latest updates


VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

Updated: · First: 12.03.2026 19:31 · 📰 1 src / 1 articles

A new Rust-based malware, codenamed VENON, targets 33 Brazilian banks and digital asset platforms. The malware uses credential-stealing overlays and shares behaviors with known Latin American banking trojans. It employs sophisticated evasion techniques and is distributed via social engineering ploys, including DLL side-loading and a complex infection chain. The malware's developer appears to have used generative AI to rewrite and expand functionalities in Rust, indicating significant technical expertise.

Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access

Updated: · First: 12.03.2026 19:02 · 📰 1 src / 1 articles

Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools like NodeSnake, Interlock RAT, and JunkFiction loader in their operations.

Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication

Updated: 12.03.2026 18:59 · First: 07.01.2026 12:41 · 📰 3 src / 5 articles

Veeam has released security updates to address multiple vulnerabilities in its Backup & Replication software, including critical remote code execution (RCE) flaws. The latest updates patch four new RCE vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.

SocksEscort Proxy Network Disrupted by Law Enforcement

Updated: · First: 12.03.2026 18:19 · 📰 1 src / 1 articles

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business.

Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets

Updated: 12.03.2026 18:00 · First: 12.03.2026 09:56 · 📰 2 src / 2 articles

Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real-time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858, CVE-2026-25049, CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)

Updated: 12.03.2026 17:28 · First: 23.12.2025 09:34 · 📰 15 src / 26 articles

The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added **CVE-2025-68613** to its **Known Exploited Vulnerabilities (KEV) catalog**, mandating federal agencies to patch n8n instances by **March 25, 2026**, due to **active exploitation** of this critical remote code execution (RCE) flaw. Meanwhile, **Pillar Security** has disclosed two new critical vulnerabilities (**CVE-2026-27577** and **CVE-2026-27493**), with the latter being a **zero-click, unauthenticated flaw** that allows **full server compromise** via public form endpoints (e.g., a "Contact Us" form) without requiring authentication or user interaction. Over **40,000 unpatched instances** remain exposed globally, with **18,000+ in North America and 14,000+ in Europe**, per Shadowserver data. This development follows a series of **critical n8n vulnerabilities** disclosed since late 2025, including **CVE-2026-21877 (CVSS 10.0)**, **CVE-2026-21858 (unauthenticated RCE)**, and **four March 2026 flaws (CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)** enabling **sandbox escapes, credential theft, and unauthenticated expression injection**. Affected versions span **<1.123.22, >=2.0.0 <2.9.3, and >=2.10.0 <2.10.1**, with patches available in **1.123.22, 2.9.3, and 2.10.1**. The platform’s widespread use in **AI orchestration and enterprise automation**—coupled with its storage of **API keys, database credentials, and cloud secrets**—makes it a prime target for attackers seeking **full server compromise** or **lateral movement into connected systems**.

Google's 2025 Vulnerability Reward Program Payouts Reach Record $17.1 Million

Updated: · First: 12.03.2026 17:22 · 📰 1 src / 1 articles

Google paid $17.1 million to 747 security researchers in 2025 through its Vulnerability Reward Program (VRP), marking the highest payout in the program's history. The total payouts since 2010 have surpassed $81.6 million. The program expanded in 2025 with new initiatives, including the AI Vulnerability Rewards Program and rewards for OSV-SCALIBR, an open-source tool for finding security flaws in software dependencies. The highest reward in 2025 was $250,000, while the highest reward in 2024 was $100,115 for a MiraclePtr Bypass.

Telus Digital Breach by ShinyHunters

Updated: · First: 12.03.2026 16:40 · 📰 1 src / 1 articles

Telus Digital, the business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, has confirmed a security breach after threat actors known as ShinyHunters claimed to have stolen nearly 1 petabyte of data. The breach, which involved unauthorized access to a limited number of Telus Digital's systems, is currently under investigation. ShinyHunters claims to have accessed a wide range of customer data related to Telus' BPO operations and call records for Telus' consumer telecommunications division. The threat actors reportedly used Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach to gain initial access. Telus has engaged cyber forensics experts and is working with law enforcement to manage the situation.

Underground Trade in Compromised Travel Rewards

Updated: · First: 12.03.2026 16:05 · 📰 1 src / 1 articles

Cybercriminals are actively trading compromised airline and hotel loyalty accounts in underground markets, converting stolen miles into real-world travel commodities. The process involves credential compromise, inventory listing, redemption, and resale at discounted rates. This fraudulent activity is structured, with repeated sellers and a focus on major brands like United, American Airlines, Delta, Marriott, and Hilton. The monetization model follows four stages: gaining control over loyalty accounts, identifying valid miles, redeeming miles for travel, and reselling the bookings. The fraud is challenging to detect and recover from due to the conversion of points into tangible assets.

Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Updated: 12.03.2026 15:43 · First: 04.03.2026 15:28 · 📰 6 src / 6 articles

Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft attacks. The kit includes a stager loader called PlasmaGrid, which targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The exploit kit was used in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025. The exploit kit includes a binary loader that deploys the final stage of the attack after the initial browser exploit succeeds. It uses custom encryption and compression methods to deliver payloads and is ineffective against the latest iOS versions. CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering federal agencies to patch the vulnerabilities by March 26, 2026. CISA also urged all organizations to prioritize patching these flaws to secure their devices against attacks. Apple has backported fixes for CVE-2023-43010 to older iOS versions to address vulnerabilities used in the Coruna exploit kit. The vulnerability relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The fix was originally shipped in iOS 17.2 on December 11th, 2023, and the latest round of fixes brings the patch to older versions of iOS and iPadOS, including iOS 15.8.7 and iPadOS 15.8.7, and iOS 16.7.15 and iPadOS 16.7.15. Additionally, iOS 15.8.7 and iPadOS 15.8.7 incorporate patches for three more vulnerabilities associated with the Coruna exploit: CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222. Coruna may have been designed by U.S. military contractor L3Harris and passed to Russian exploit broker Operation Zero by Peter Williams. The exploit kit uses two exploits (CVE-2023-32434 and CVE-2023-38606) that were weaponized as zero-days in a campaign dubbed Operation Triangulation targeting users in Russia in 2023. Apple has released security updates to patch older iPhones and iPads against vulnerabilities targeted by the Coruna exploit kit. The patches address vulnerabilities CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010. The affected devices include a wide range of older models running iOS 15.8.7/16.7.15 and iPadOS 15.8.7/16.7.15. CISA added three of the 23 vulnerabilities targeted by Coruna to its catalog of Known Exploited Vulnerabilities, including CVE-2023-43010. CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch their iOS devices by March 26, 2026, as mandated by the Binding Operational Directive (BOD) 22-01. Apple has also fixed a zero-day vulnerability (CVE-2026-20700) exploited in an "extremely sophisticated attack" targeting specific individuals and allowing threat actors to execute arbitrary code on compromised devices.

Scaling Phishing Detection in SOCs

Updated: · First: 12.03.2026 15:30 · 📰 1 src / 1 articles

Modern phishing attacks increasingly use trusted infrastructure, legitimate-looking authentication flows, and encrypted traffic to evade traditional detection methods. This poses significant challenges for Security Operations Centers (SOCs), as they struggle to handle the volume and sophistication of these attacks. The consequences include stolen corporate identities, account takeovers, lateral movement through SaaS and cloud platforms, delayed incident detection, operational disruption, financial impact, and regulatory consequences. To address these issues, CISOs are prioritizing the scaling of phishing detection to operate at the same speed and scale as the attacks themselves.

Meta Enhances Scam Protection for Messenger and WhatsApp

Updated: 12.03.2026 15:17 · First: 21.10.2025 18:03 · 📰 4 src / 6 articles

Meta has introduced new tools to protect users of Messenger and WhatsApp from scams. The tools include warnings for screen sharing during video calls on WhatsApp, a scam detection feature on Messenger, and a new security feature to help users spot potential scams when being added to a group chat by unknown contacts. Meta also reported actions taken against fraudulent accounts and scam centers. Meta's efforts are part of ongoing measures to combat scams, including romance baiting schemes operated by cybercrime syndicates in Southeast Asia. These scams often involve psychological manipulation and financial fraud. In 2025, Meta removed over 159 million scam ads and took down over 10.9 million accounts on Facebook and Instagram linked to criminal scam operations. Meta also participated in a global law enforcement operation that led to the arrest of 21 suspects and the shutdown of more than 150,000 accounts linked to scam networks in Southeast Asia. Meta collaborated with the FBI, the DOJ Scam Center Strike Force, and Thai police to disrupt scam centers in Southeast Asia. The operation targeted scam centers that targeted users in the US, UK, and the APAC region. Thai Police arrested 21 suspects and Meta shut down more than 150,000 accounts linked to the scam centers. In a similar operation conducted in December, Meta removed 59,000 accounts, pages, and groups across its platforms.

OAuth Consent Abuse Campaign Targets Multiple Organizations

Updated: · First: 12.03.2026 15:14 · 📰 1 src / 1 articles

A large-scale OAuth consent abuse campaign, active in early 2025, involved 19 malicious applications impersonating well-known brands like Adobe, DocuSign, and OneDrive. The campaign targeted multiple organizations, exploiting 'consent fatigue' to gain access to users' sensitive data without needing their passwords. The access token obtained through this method was sent to the attacker's redirect URL, granting them unauthorized access to files or emails. The campaign was documented by Proofpoint in August 2025, highlighting the ongoing threat posed by malicious OAuth applications.

CISA Issues Emergency Directive for Cisco SD-WAN Vulnerabilities

Updated: 12.03.2026 14:45 · First: 25.02.2026 14:00 · 📰 2 src / 2 articles

CISA has issued Emergency Directive (ED) 26-03 to mitigate vulnerabilities in Cisco SD-WAN systems, which pose an unacceptable risk to federal networks. The directive requires immediate action from Federal Civilian Executive Branch (FCEB) agencies to inventory, collect artifacts, patch, hunt for evidence of compromise, and implement hardening measures. The directive follows collaborative efforts with international partners and emphasizes the critical need for immediate response due to the ease of exploitation of these vulnerabilities. Attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure, with a critical authentication bypass vulnerability (CVE-2026-20127) allowing unauthenticated attackers to obtain administrative access.

Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports

Updated: 12.03.2026 13:31 · First: 08.12.2025 23:07 · 📰 2 src / 3 articles

FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.

Adversarial Phishing Campaigns Exploit SOC Workloads

Updated: · First: 12.03.2026 13:30 · 📰 1 src / 1 articles

Attackers are increasingly designing phishing campaigns to overwhelm Security Operations Centers (SOCs) by flooding them with low-sophistication emails, creating an informational denial-of-service (IDoS) condition. This tactic exploits the predictable failure modes of SOCs under high workload, leading to degraded investigation quality and increased risk of missing targeted spear-phishing attacks. The asymmetry in cost between attacker and defender favors attackers, as they can generate thousands of decoy emails at near-zero cost, while defenders incur significant analyst time and cognitive bandwidth. Organizations are now focusing on decision-ready AI triage to maintain investigation quality and speed regardless of volume, flipping the strategic advantage back to defenders.

Police Scotland Fined for Unauthorized Disclosure of Victim's Sensitive Data

Updated: · First: 12.03.2026 12:30 · 📰 1 src / 1 articles

Police Scotland was fined £66,000 after sharing the entire contents of a female officer's phone with a colleague she accused of rape. The incident, which occurred in early 2021, involved the unauthorized disclosure of medical records, intimate photos, and personal contact details. The Information Commissioner’s Office (ICO) found that the force failed to implement appropriate security measures, minimize data sharing, and report the breach within the required 72-hour timeframe. The victim, a detective constable, was diagnosed with PTSD as a result of the incident.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

Updated: 12.03.2026 11:30 · First: 11.03.2026 18:20 · 📰 3 src / 3 articles

The Iranian hacktivist group Handala (a.k.a. Handala Hack Team) has claimed responsibility for a data-wiping attack against Stryker, a global medical technology company. The attack reportedly affected over 200,000 systems, servers, and mobile devices across Stryker’s offices in 79 countries. Handala claims to have stolen 50 terabytes of data before wiping tens of thousands of systems and servers. The group cited retaliation for a U.S. missile strike that killed 175 people, including children, as the motive. Stryker’s operations, particularly in Ireland, have been severely disrupted, with over 5,000 workers sent home. The attack utilized Microsoft Intune to issue remote wipe commands, causing significant operational downtime. Stryker confirmed the attack in an 8-K filing with the SEC, noting global disruption to the company’s Microsoft environment. The timeline for a full restoration of affected functions and systems access is not yet known, but Stryker has business continuity measures in place to support its customers and partners. Experts suggest Handala is more than a hacktivist group, with tactics and targeting consistent with Iranian state actors.

Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage

Updated: 12.03.2026 00:00 · First: 20.08.2025 18:59 · 📰 4 src / 5 articles

Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns. Additionally, the INC ransomware operation has been targeting healthcare organizations in Oceania, including Australia, New Zealand, and Tonga. The Australian Cyber Security Centre (ACSC), CERT Tonga, and New Zealand's National Cyber Security Centre (NCSC) issued a joint advisory on March 6, 2026, about INC's targeting of critical networks in the region. INC initially focused on the US and the UK but expanded to Australia in the summer of 2024, targeting professional services and healthcare industries. 
The ACSC responded to 11 INC ransomware attacks in Australia between July 2024 and December 2025, predominantly affecting healthcare or professional services companies.

WhatsApp Launches Parent-Managed Accounts for Pre-Teens

Updated: · First: 11.03.2026 22:06 · 📰 1 src / 1 articles

WhatsApp has introduced parent-managed accounts for pre-teens, allowing parents to control who can contact their children and which groups they can join. These accounts are restricted to messaging and calling, with end-to-end encryption ensuring privacy. Parents must set up the account by verifying the child's phone number and linking devices via a QR code. Parents can manage privacy settings and activity alerts with a 6-digit PIN. The child can transition to a standard account upon turning 13.

SQL Injection Vulnerability in Elementor Ally Plugin

Updated: · First: 11.03.2026 21:38 · 📰 1 src / 1 articles

An SQL injection vulnerability (CVE-2026-2313) in the Elementor Ally WordPress plugin, with over 400,000 installations, allows unauthenticated attackers to inject SQL queries via the URL path. The flaw affects versions up to 4.0.3 and can be exploited to steal sensitive data. Only 36% of users have updated to the patched version 4.1.0, leaving over 250,000 sites vulnerable. The vulnerability arises from insufficient escaping of user-supplied URL parameters in the `get_global_remediations()` method, enabling time-based blind SQL injection attacks. Exploitation requires the plugin to be connected to an Elementor account with the Remediation module active. WordPress 6.9.2, released recently, addresses multiple vulnerabilities, including XSS, authorization bypass, and SSRF flaws, and is recommended for immediate installation.

PhantomRaven npm credential harvesting campaign leverages invisible dependencies

Updated: 11.03.2026 19:09 · First: 29.10.2025 16:00 · 📰 5 src / 5 articles

An ongoing npm credential harvesting campaign dubbed PhantomRaven has been active since August 2025. The malware steals npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. New attack waves occurred between November 2025 and February 2026, distributing 88 packages via 50 disposable accounts. At least 126 npm packages have been infected, resulting in over 86,000 downloads. The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code in externally hosted packages, evading npm security scans. The campaign exploits AI hallucinations to create plausible-sounding package names, a technique known as slopsquatting. As of October 30, 2025, the attacker-controlled URL can serve any kind of malware, initially serving harmless code before pushing a malicious version. The malware scans the developer environment for email addresses and gathers information about the CI/CD environment. The npm ecosystem allows easy publishing and low friction for packages, with lifecycle scripts executing arbitrary code at install time. As of October 29, 2025, at least 80 of the infected packages remain active. Researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories. The package incorporated a post-install hook to download and run malware in versions 4.0.12 to 4.0.17, and has been downloaded 47,405 times. The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub.
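The two npm features the PhantomRaven summary above relies on, dependency specs that resolve to an attacker-controlled URL instead of the registry ("Remote Dynamic Dependencies") and lifecycle scripts that run at install time, can both be spotted by reading a project's package.json before installing. The following audit is an added example written for this page; it is not code from the researchers who documented the campaign or from npm itself. The package names, hostnames and script contents in the sample manifest are constructed placeholders, not indicators from the campaign, and the function names are this example's own.

```javascript
// Added example (not from the article or any vendor tool): audit a package.json
// for dependency specs that bypass the npm registry (URL, git host or GitHub
// shorthand) and for lifecycle hooks that execute code at install time.

// Spec prefixes that make npm fetch the package from somewhere other than the registry.
const REMOTE_PREFIXES = ['http://', 'https://', 'git://', 'git+', 'github:', 'gitlab:', 'bitbucket:', 'gist:'];
// Hooks npm runs automatically during `npm install` (prepare runs for git deps and local installs).
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
// GitHub shorthand "owner/repo" with an optional "#ref"; a semver range never contains "/".
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;

function isRemoteSpec(spec) {
  if (typeof spec !== 'string') return false;
  const s = spec.trim();
  if (REMOTE_PREFIXES.some((prefix) => s.startsWith(prefix))) return true;
  return GITHUB_SHORTHAND.test(s);
}

// Returns one finding per remote dependency and per install-time script, in manifest order.
function auditPackageManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (isRemoteSpec(spec)) {
        findings.push({ kind: 'remote-dependency', field, name, spec });
      }
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_SCRIPTS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'lifecycle-script', field: 'scripts', name: hook, spec: scripts[hook] });
    }
  }
  return findings;
}

// Constructed sample manifest: names and hosts are placeholders, not campaign indicators.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    lodash: '^4.17.21',
    'some-helper': 'http://example.invalid/some-helper-1.0.0.tgz', // fetched from a URL, not the registry
    '@scope/pkg': '~2.0.0',
    'gh-dep': 'exampleuser/examplerepo#main', // GitHub shorthand, also outside the registry
  },
  devDependencies: { mocha: '^10.0.0' },
  scripts: {
    test: 'mocha',
    postinstall: 'node setup.js', // runs arbitrary code during `npm install`
  },
};

// Audit a package.json on disk; only called when a path is passed on the command line.
function auditFile(path) {
  const fs = require('node:fs');
  return auditPackageManifest(JSON.parse(fs.readFileSync(path, 'utf8')));
}

const targetPath = typeof process !== 'undefined' ? process.argv[2] : undefined;
const results = targetPath ? auditFile(targetPath) : auditPackageManifest(SAMPLE_MANIFEST);
for (const f of results) {
  console.log(`${f.kind}: ${f.field}.${f.name} = ${f.spec}`);
}
```

Run it as `node audit.js path/to/package.json`; with no argument it audits the embedded sample and reports two remote dependencies and one postinstall hook. A finding is a prompt to review, not proof of compromise: legitimate projects do pin git dependencies and use `prepare` for builds. Note that the remote URL can change what it serves between scans, which is exactly why the summary above says the same dependency can be harmless one day and malicious the next; the mitigation that removes the install-time execution path regardless of what the URL serves is installing with `--ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and allow-listing the few packages that genuinely need a build step.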

Ransomware Attacks Decline in France in 2025, ANSSI Reports

Updated: · First: 11.03.2026 18:50 · 📰 1 src / 1 articles

France's National Cybersecurity Agency (ANSSI) reported a decline in ransomware attacks in 2025, attributing the drop to successful preventive interventions and law enforcement operations. Despite the decrease, ransomware remains a significant threat, particularly targeting SMBs, healthcare, and education sectors. The most prevalent ransomware strains observed were Qilin, Akira, and LockBit 3.0/LockBit Black. ANSSI also noted a rise in data exfiltration incidents and a drop in DDoS attacks. The agency highlighted the increasing overlap between nation-state groups and cybercriminals, complicating attribution efforts. Vincent Strubel, ANSSI’s director general, warned of potential hybrid attacks on critical infrastructure by 2030.

AI Browsers Vulnerable to PromptFix Exploit for Malicious Prompts

Updated: 11.03.2026 18:38 · First: 20.08.2025 16:01 · 📰 4 src / 4 articles

AI-driven browsers are vulnerable to a new prompt injection technique called PromptFix, which tricks them into executing malicious actions. The exploit embeds harmful instructions within fake CAPTCHA checks on web pages, leading AI browsers to interact with phishing sites or fraudulent storefronts without user intervention. This vulnerability affects AI browsers like Perplexity's Comet, which can be manipulated into performing actions such as purchasing items on fake websites or entering credentials on phishing pages. Researchers have demonstrated that AI browsers can be tricked into phishing scams in under four minutes by exploiting agentic blabbering. The attack leverages the AI browser's tendency to reason aloud about its actions and turns that reasoning against the model to lower its security guardrails. By intercepting traffic between the browser and AI services and feeding it to a Generative Adversarial Network (GAN), researchers made Perplexity's Comet AI browser fall victim to a phishing scam. The technique builds on prior methods like VibeScamming and Scamlexity, which exploit hidden prompt injections to carry out malicious actions. The attack involves building a 'scamming machine' that iteratively optimizes and regenerates a phishing page until the AI browser stops complaining and proceeds with the threat actor's actions. Once a fraudster iterates on a web page until it works against a specific AI browser, it works on all users relying on the same agent. The disclosure comes as Trail of Bits demonstrated four prompt injection techniques against the Comet browser to extract users' private information. Zenity Labs detailed two zero-click attacks affecting Perplexity's Comet, using indirect prompt injection to exfiltrate local files or hijack a user's 1Password account. Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and their integration into organizational workflows.
OpenAI noted that prompt injection vulnerabilities in agentic browsers are unlikely to be fully resolved, but risks can be reduced through automated attack discovery and adversarial training.

Infosecurity Europe 2026 Keynote Lineup Announced

Updated: · First: 11.03.2026 18:20 · 📰 1 src / 1 articles

Infosecurity Europe 2026 has announced its keynote lineup, featuring industry leaders and experts in cybersecurity. The event will include keynotes from Shlomo Kramer, Cynthia Kaiser, Maggie Alphonsi, and Jason Fox, covering topics such as technology trends, ransomware tactics, leadership, and cyber resilience. Additionally, technical sessions will delve into AI-driven cloud threats and post-quantum security. The conference is scheduled for June 2-4, 2026, with free registration available until May 5.

LeakyLooker Vulnerabilities in Google Looker Studio

Updated: 11.03.2026 18:00 · First: 10.03.2026 15:20 · 📰 2 src / 2 articles

Nine cross-tenant vulnerabilities, collectively named LeakyLooker, were discovered in Google Looker Studio. These flaws could allow attackers to execute arbitrary SQL queries on victims' databases and exfiltrate sensitive data within Google Cloud environments. The vulnerabilities affected connectors to multiple cloud services, including BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage. Two distinct attack paths were identified: 0-click attacks targeting owner credentials and 1-click attacks targeting viewer credentials. The vulnerabilities were disclosed responsibly and have been addressed by Google. No evidence of exploitation in the wild has been found.

Global Infostealer Campaign Exploits Compromised WordPress Sites

Updated: · First: 11.03.2026 16:45 · 📰 1 src / 1 articles

A widespread cybercriminal campaign has compromised over 250 legitimate WordPress websites across 12 countries to deliver infostealer malware. The attackers exploit user trust in these sites to infect visitors with malware such as Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut. The campaign, active since December 2025, uses fake Cloudflare Captcha pages and ClickFix social engineering techniques to trick users into running malicious code, ultimately stealing sensitive data including login credentials and financial information.

BlackSanta EDR Killer Targets HR Departments with Stealthy Malware Campaign

Updated: 11.03.2026 16:30 · First: 11.03.2026 00:57 · 📰 2 src / 2 articles

A Russian-speaking threat actor has been targeting HR departments with a sophisticated malware campaign that delivers a new EDR killer named BlackSanta. The campaign employs social engineering and advanced evasion techniques to steal sensitive information from compromised systems. The malware is suspected to be distributed via spear-phishing emails containing ISO image files disguised as resumes, hosted on cloud storage services like Dropbox. The attack chain involves steganography, DLL sideloading, and process hollowing to execute malicious payloads while evading detection. BlackSanta specifically targets and disables endpoint security solutions, including antivirus, EDR, SIEM, and forensic tools, by terminating their processes at the kernel level. The campaign has been active for over a year, utilizing Bring Your Own Driver (BYOD) components to gain elevated privileges and suppress security tools. The malware performs checks on system language, hostnames, and running processes before carrying out further actions. The campaign's ability to exfiltrate sensitive information while maintaining encrypted communications underscores both its persistence and the risk posed to targeted organizations.

Security vulnerabilities in LLM guardrails exploited via prompt injection

Updated: · First: 11.03.2026 15:35 · 📰 1 src / 1 articles

Researchers at Unit 42, Palo Alto Networks’ research lab, discovered that security guardrails in generative AI tools can be bypassed through prompt injection attacks. These guardrails, implemented as 'AI Judges' to enforce safety policies and evaluate output quality, can be manipulated into authorizing policy violations using stealthy input sequences. The attack method, demonstrated in a report published on March 10, 2026, involves an automated fuzzer called AdvJudge-Zero, which identifies trigger sequences that exploit the LLM’s decision-making logic to bypass security controls. The technique achieves a 99% success rate in bypassing controls across various widely used architectures, including open-weight enterprise LLMs and specialized reward models.

Meta Disables 150K Accounts Linked to Southeast Asian Scam Centers

Updated: · First: 11.03.2026 15:15 · 📰 1 src / 1 articles

Meta has disabled over 150,000 accounts linked to scam centers in Southeast Asia, in collaboration with authorities from multiple countries. This action follows a pilot initiative in December 2025 and includes new tools to detect and prevent scams. The U.K. government has also launched an Online Crime Centre to combat cybercrime, including scam operations across various regions. The coordinated effort resulted in 21 arrests by the Royal Thai Police. Meta highlighted the sophistication and industrialization of online scams, which often operate as full-scale business operations in countries like Cambodia, Myanmar, and Laos. The company introduced new tools to warn users about suspicious activities on Facebook, WhatsApp, and Messenger. In 2025, Meta removed 159 million scam ads and 10.9 million accounts associated with criminal scam centers. The U.K.'s new Online Crime Centre aims to disrupt scam operations using AI and specialized teams.