Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Voice Phishing Attack
Cloud Security Incident Data Breach Identity Access Attacks Optimizely Data Breach ShinyHunters Cyberattack Voice Phishing Attack

Optimizely Reports Data Breach Linked to Sophisticated Vishing Incident


 

In addition to serving as a crossroads of technology, marketing intelligence, and vast networks of corporate data, digital advertising platforms are becoming increasingly attractive targets for cybercriminals seeking an entry point into enterprise infrastructure.

Optimizely recently revealed that a security incident was initiated not by sophisticated malware, but rather by a social engineering scheme that was carefully orchestrated. A voice-phishing tactic was utilized by attackers linked to the threat group ShinyHunters to deceive a company employee earlier in February 2026 and gain access to some parts of the company's internal environment without authorization. 

Investigators determined that the attackers were able to extract limited business contact information from internal resources even though the intrusion was contained before it could reach sensitive customer databases or critical operational systems. 

Throughout this episode, we learn that even mature technology companies remain vulnerable to manipulation-based attacks aimed at bypassing technical defenses and targeting the human layer of security. 

Optimizely, a leading provider of digital experience infrastructure, develops tools that assist organizations in managing web properties, conducting marketing experiments, and refining online customer journeys based on data. 

Among its many capabilities are A/B experimentation frameworks, enterprise-grade content management systems, and integrated ecommerce tools that are designed to assist businesses in improving conversion performance and audience engagement across a variety of digital channels. 

Over 10,000 organizations worldwide use the company's technology stack, including H&M, PayPal, Toyota, Nike, and Salesforce, among others. A number of customers have recently received notifications detailing this incident. According to the company, the attackers gained access through what it described as a "sophisticated voice-phishing attack" on February 11. 

The internal investigation indicates that although the threat actors were able to penetrate a limited segment of the corporate environment, the intrusion did not result in privilege escalation and no malicious payloads or malware were deployed within the network during the intrusion. 

Therefore, the breach remained constrained within a narrow scope, confirming our assessment that the attackers were limited in their access and were not permitted to reach sensitive customer and operational data. Researchers have identified the intrusion as the work of the threat actor collective ShinyHunters, a financially motivated group involved in cybercrime since at least 2020. 

It is well known for orchestrating high-visibility data theft operations and subsequently distributing or monetizing compromised databases through dark web forums and underground marketplaces. A great deal of its campaign effort has been directed toward technology and telecommunications organizations, areas where internal access to corporate databases and partner information can prove to be very useful. 

According to analysts, this group has demonstrated a high degree of flexibility in its intrusion techniques, combining credential-based attacks, such as credential stuffing, with increasingly persuasive social engineering techniques, such as voice-based deception schemes, to achieve their objectives. 

Despite the fact that the precise geographical origins of the actors remain unknown, their operational footprint spans multiple regions, reflecting their focus on monetizing corporate information or using stolen data to exert reputational and financial pressure on targeted organizations through exploitation of stolen data. In the immediate case, organizations connected to the affected environment appear to be only exposed to basic business contact information, not sensitive customer information. 

Cybersecurity specialists caution, however, that even seemingly routine information can provide a foothold for follow-on attacks. By using contact directories, email addresses, and professional identifiers, attackers may be able to craft convincing phishing emails or conduct additional social engineering attempts in order to gather credentials or financial information. 

In addition to facilitating spam operations, this type of data can also facilitate fraudulent outreach that impersonates trusted partners or internal employees. A precautionary measure, security experts recommend that employees and partners be aware of unexpected communications, independently verify the legitimacy of telephone calls or e-mail requests, and maintain multi-factor authentication on all corporate accounts as a precautionary measure. 

A proactive approach to security hygiene and maintaining open communication with affected stakeholders are widely regarded as essential measures in order to minimize the impact of incidents of this nature on organizational operations and reputations. 

Optimizely did not disclose the exact number of customers whose information may have been exposed; however, it indicated in its breach notification that the activity closely resembles that of a network of attackers known for persistent social engineering campaigns involving loosely connected attackers. 

According to the firm, during the incident, communications were received that reflected patterns commonly associated with groups that utilize voice phishing to manipulate employees into providing access to corporate systems. 

As stated in the description, the operational style of ShinyHunters is commonly attributed to those responsible for a series of breaches affecting major online platforms and consumer brands recently, such as Canada Goose, Panera Bread, Betterment, SoundCloud, Pornhub, Figure, and Match Group, which operates Tinder, Hinge, Meetic, Match.com, and OkCupid, among others. 

It should be noted that not every incident has been related to a single coordinated campaign; however, numerous victims have reported a successful intrusion attempt related to voice phishing operations designed to compromise enterprise single sign-on environments. 

It has been reported that attackers have impersonated internal IT support staff and contacted employees directly, leading them to counterfeit authentication portals that mimic legitimate corporate logins. These interactions led to the attackers bypassing standard access controls by obtaining account credentials and one-time multi-factor authentication codes from victims. These techniques have also been observed to evolve, with threat actors using device-code phishing methods to obtain authentication tokens tied to enterprise identity services by exploiting the legitimate OAuth device authorization flow. 

Once a single sign-on account has been compromised, attackers can pivot among integrated corporate applications and cloud-based platforms using compromised employee accounts. The same access may be extended to enterprise tools such as Microsoft Entra ID, Microsoft 365, Google Workspace, Salesforce, Zendesk, Dropbox, SAP, Slack, Adobe, and Atlassian, enabling an intruder to move laterally across connected services and collect additional corporate information once an initial foothold has been established. 

Ultimately, this incident serves as a reminder that technical safeguards alone are rarely sufficient to prevent determined social engineering campaigns from gaining traction. It is not uncommon for attackers to exploit human trust and routine operational processes to breach the security architecture of organizations with mature security architectures. 

Identify-verification procedures should be strengthened for internal support interactions, voice-based fraud should be regularly discussed with employees and strong monitoring should be implemented around single sign-on activity and unusual authentication requests, according to security professionals. 

Taking measures such as implementing conditional access policies, enforcing multi-factor authentication strictly, and implementing rapid incident response protocols can greatly reduce an attacker's ability to attack after the initial attempt has been made. 

The development of voice-driven deception tactics is continuing to prompt companies across the technology sector to prioritize social engineering resilience as a core component of enterprise cybersecurity strategy, rather than as a peripheral issue.
Read more »
Vulnerabilities and Exploits
Artificial Intelligence ChatGPT Codex Security Open AI Vulnerabilities and Exploits

OpenAI’s Codex Security Flags Over 10,000 High-Risk Vulnerabilities in Code Scan

 



Artificial intelligence is increasingly being used to help developers identify security weaknesses in software, and a new tool from OpenAI reflects that shift.

The company has introduced Codex Security, an automated security assistant designed to examine software projects, detect vulnerabilities, confirm whether they can actually be exploited, and recommend ways to fix them.

The feature is currently being released as a research preview and can be accessed through the Codex interface by users subscribed to ChatGPT Pro, Enterprise, Business, and Edu plans. OpenAI said customers will be able to use the capability without cost during its first month of availability.

According to the company, the system studies how a codebase functions as a whole before attempting to locate security flaws. By building a detailed understanding of how the software operates, the tool aims to detect complicated vulnerabilities that may escape conventional automated scanners while filtering out minor or irrelevant issues that can overwhelm security teams.

The technology is an advancement of Aardvark, an internal project that entered private testing in October 2025 to help development and security teams locate and resolve weaknesses across large collections of source code.

During the last month of beta testing, Codex Security examined more than 1.2 million individual code commits across publicly accessible repositories. The analysis produced 792 critical vulnerabilities and 10,561 issues classified as high severity.

Several well-known open-source projects were affected, including OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium.

Some of the identified weaknesses were assigned official vulnerability identifiers. These included CVE-2026-24881 and CVE-2026-24882 linked to GnuPG, CVE-2025-32988 and CVE-2025-32989 affecting GnuTLS, and CVE-2025-64175 along with CVE-2026-25242 associated with GOGS. In the Thorium browser project, researchers also reported seven separate issues ranging from CVE-2025-35430 through CVE-2025-35436.

OpenAI explained that the system relies on advanced reasoning capabilities from its latest AI models together with automated verification techniques. This combination is intended to reduce the number of incorrect alerts while producing remediation guidance that developers can apply directly.

Repeated scans of the same repositories during testing also showed measurable improvements in accuracy. The company reported that the number of false alarms declined by more than 50 percent while the precision of vulnerability detection increased.

The platform operates through a multi-step process. It begins by examining a repository in order to understand the structure of the application and map areas where security risks are most likely to appear. From this analysis, the system produces an editable threat model describing the software’s behavior and potential attack surfaces.

Using that model as a reference point, the tool searches for weaknesses and evaluates how serious they could be in real-world scenarios. Suspected vulnerabilities are then executed in a sandbox environment to determine whether they can actually be exploited.

When configured with a project-specific runtime environment, the system can test potential vulnerabilities directly against a functioning version of the software. In some cases it can also generate proof-of-concept exploits, allowing security teams to confirm the problem before deploying a fix.

Once validation is complete, the tool suggests code changes designed to address the weakness while preserving the original behavior of the application. This approach is intended to reduce the risk that security patches introduce new software defects.

The launch of Codex Security follows the introduction of Claude Code Security by Anthropic, another system that analyzes software repositories to uncover vulnerabilities and propose remediation steps.

The emergence of these tools reflects a broader trend within cybersecurity: using artificial intelligence to review vast amounts of software code, detect vulnerabilities earlier in the development cycle, and assist developers in securing critical digital infrastructure.

Read more »
Technlogy
AI Cloud Data GenAI Microsoft phishing Technlogy

Microsoft Report Reveals Hackers Exploit AI In Cyberattacks


According to Microsoft, hackers are increasingly using AI in their work to increase attacks, scale cyberattack activity, and limit technical barriers throughout all aspects of a cyberattack. 

Microsoft’s new Threat Intelligence report reveals that threat actors are using genAI tools for various tasks, such as phishing, surveillance, malware building, infrastructure development, and post-hack activity. 

About the report

In various incidents, AI helps to create phishing emails, summarize stolen information, debug malware, translate content, and configure infrastructure. “Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” the report said. 

"For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions,’ warns Microsoft.

AI in cyberattacks 

Microsoft found different hacking gangs using AI in their cyberattacks, such as North Korean hackers known as Coral Sleet (Storm-1877) and Jasper Sleet (Storm-0287), who use the AI in their remote IT worker scams. 

The AI helps to make realistic identities, communications, and resumes to get a job in Western companies and have access once hired. Microsoft also explained how AI is being exploited in malware development and infrastructure creation. Threat actors are using AI coding tools to create and refine malicious code, fix errors, and send malware components to different programming languages. 

The impact

A few malware experiments showed traces of AI-enabled malware that create scripts or configure behaviour at runtime. Microsoft found Coral Sleet using AI to make fake company sites, manage infrastructure, and troubleshoot their installations. 

When security analysts try to stop the use of AI in these attacks, Microsoft says hackers are using jailbreaking techniques to trick AI into creating malicious code or content. 

Besides generative AI use, the report revealed that hackers experiment with agentic AI to do tasks autonomously. The AI is mainly used for decision-making currently. As IT worker campaigns depend on the exploitation of authentic access, experts have advised organizations to address these attacks as insider risks. 

Read more »
malware
Android Anthropic Artificial Inteligence Firefox malware

Anthropic AI Model Finds 22 Security Flaws in Firefox

 

Anthropic said its artificial intelligence model Claude Opus 4.6 helped uncover 22 previously unknown security vulnerabilities in the Firefox web browser as part of a collaboration with the Mozilla. 

The company said the issues were discovered during a two week analysis conducted in January 2026. 

The findings include 14 vulnerabilities rated as high severity, seven categorized as moderate and one considered low severity. 

Most of the flaws were addressed in Firefox version 148, which was released late last month, while the remaining fixes are expected in upcoming updates. 

Anthropic said the number of high severity bugs discovered by its AI model represents a notable share of the browser’s serious vulnerabilities reported over the past year. 

During the research, Claude Opus 4.6 scanned roughly 6,000 C++ files in the Firefox codebase and generated 112 unique vulnerability reports. 

Human researchers reviewed the results to confirm the findings and rule out false positives before reporting them. One issue identified by the model involved a use-after-free vulnerability in Firefox’s JavaScript engine. 

According to Anthropic, the AI located the flaw within about 20 minutes of examining the code, after which a security researcher validated the finding in a controlled testing environment. 

Researchers also tested whether the AI model could go beyond identifying flaws and attempt to build exploits from them. Anthropic said it provided Claude access to the list of vulnerabilities reported to Mozilla and asked it to develop working exploits. 

After hundreds of test runs and about $4,000 worth of API usage, the model succeeded in producing a working exploit in only two cases. 

Anthropic said the results suggest that finding vulnerabilities may be easier for AI systems than turning those flaws into functioning exploits. 

“However, the fact that Claude could succeed at automatically developing a crude browser exploit, even if only in a few cases, is concerning,” the company said. 

It added that the exploit tests were performed in a restricted research environment where some protections, such as sandboxing, were deliberately removed. 

One exploit generated by the model targeted a vulnerability tracked as CVE-2026-2796, which involves a miscompilation issue in the JavaScript WebAssembly component of Firefox’s just-in-time compilation system. 

Anthropic said the testing process included a verification system designed to check whether the AI-generated exploit actually worked. 

The system provided real-time feedback, allowing the model to refine its attempts until it produced a functioning proof of concept. The research comes shortly after Anthropic introduced Claude Code Security in a limited preview. 

The tool is designed to help developers identify and fix software vulnerabilities with the assistance of AI agents. Mozilla said in a separate statement that the collaboration produced additional findings beyond the 22 vulnerabilities. 

According to the company, the AI-assisted analysis uncovered about 90 other bugs, including assertion failures typically identified through fuzzing as well as logic errors that traditional testing tools had missed. 

“The scale of findings reflects the power of combining rigorous engineering with new analysis tools for continuous improvement,” Mozilla said. 

“We view this as clear evidence that large-scale, AI-assisted analysis is a powerful new addition to security engineers’ toolbox.”
Read more »
Threat Intelligence
AI Summit AI Threat Cyber Security DeepMind Threat Intelligence

DeepMind Chief Sounds Alarm on AI's Dual Threats

 

Google DeepMind CEO Sir Demis Hassabis has issued a stark warning on the escalating threats posed by artificial intelligence, urging immediate action from governments and tech firms. In an exclusive BBC interview at the AI Impact Summit in Delhi, he emphasized that more research into AI risks "needs to be done urgently," rather than waiting years. Hassabis highlighted the industry's push for "smart regulation" targeting genuine dangers from increasingly autonomous systems.

The AI pioneer identified two primary threats: malicious exploitation by bad actors and the potential loss of human control over super-capable AI systems. He stressed that current fragmented efforts in safety research are insufficient, with massive investments in AI development far outpacing those in oversight and evaluation. As AI models grow more powerful, Hassabis warned of a "narrow window" to implement robust safeguards before existing institutions are overwhelmed.

Speaking at the summit, which concluded recently in India's capital, Hassabis called for scaled-up funding and talent in AI safety science. He compared the challenge to nuclear safety protocols, arguing that advanced AI now demands societal-level treatment with rigorous testing before widespread deployment. The event brought together global leaders to discuss AI's societal impacts amid rapid advancements.

Hassabis advocated for international cooperation, noting AI's borderless nature means it affects everyone worldwide. He praised forums like those in the UK, Paris, and Seoul for uniting technologists and policymakers, while pushing for minimum global standards on AI deployment.However, tensions exist, as the US delegation at the Delhi summit rejected global AI governance outright.

This comes as AI capabilities surge, with systems learning physical realities and approaching artificial general intelligence (AGI) in 5-10 years. Hassabis acknowledged natural constraints like hardware shortages may slow progress, providing time for safeguards, but stressed proactive measures are essential. Industry leaders must balance innovation with risk mitigation to harness AI's potential safely.

Safety recommendations 

To counter AI threats, organizations should prioritize independent safety evaluations and red-teaming exercises before deploying models. Governments must fund public AI safety research grants and enforce "smart regulations" focused on real risks like misuse and loss of control. Individuals can stay vigilant by verifying AI-generated content, using tools like watermark detectors, limiting data shared with AI systems, and supporting ethical AI policies through advocacy.
Read more »
Malware attacks
Airport WiFi Security Cyber Attacks cybersecurity threats FBI FBI FBI warning Hacker attack Internet Routers Malware attacks

FBI Warns Outdated Wi-Fi Routers Are Being Targeted in Malware and Botnet Attacks

 

Cybersecurity risks could rise when outdated home routers stop getting manufacturer support, federal agents say. Devices from the late 2000s into the early 2010s often fall out of update cycles, leaving networks open. Without patches, vulnerabilities stay unaddressed - making intrusion more likely over time. Older models reaching end-of-life lack protection upgrades once available. This gap draws attention from officials tracking digital threats to household systems. 

Older network equipment often loses support as makers discontinue update releases. Once patching ends, weaknesses found earlier stay open indefinitely. Such gaps let hackers break in more easily. Devices like obsolete routers now attract criminals who deploy malicious code. Access at admin level gets seized without owners noticing. Infected machines may join hidden networks controlled remotely. Evidence shows law enforcement warning about these risks repeatedly. 

Built from hijacked devices, botnets answer to remote operators. These collections of infected machines frequently enable massive digital assaults. Instead of serving legitimate users, they route harmful data across the web. Criminals rely on them to mask where attacks originate. Through hidden channels, wrongdoers stay anonymous during operations. 

Back in 2011, Linksys made several routers later flagged as weak by the FBI. Devices like the E1200, E2500, and E4200 came under scrutiny due to security flaws. Earlier models also appear on the list - take the WRT320N, launched in 2009. Then there is the M10, hitting shelves a year after that one. Some routers come equipped with remote setup options, letting people adjust settings using web-connected interfaces. 

Though useful, such access may lead to problems if flaws are left unfixed. Hackers regularly search online for devices running open management ports, particularly ones stuck on old software versions. Hackers start by spotting weak routers, then slip through software gaps to plant harmful programs straight onto the machine. Once inside, that hidden code opens the door wide - giving intruders complete control while setting up secret talks with remote hubs. 

Sometimes, these taken devices ping those distant centers each minute, just to say they’re still online and waiting. Opened network ports on routers might let malware turn devices into proxies. With such access, attackers send harmful data across infected networks instead of launching attacks directly. Some even trade entry rights to third parties wanting to mask where they operate from. What makes router-based infections tricky is how hard they are to spot for most people. 

Since standard antivirus tools target laptops and phones, routers often fall outside their scope. Running within the router's own software, the malware stays hidden even when everything seems to work fine. The network keeps running smoothly, masking the presence of harmful code tucked deep inside. Older routers without regular updates become weak spots over time. 

Because of this, specialists suggest swapping them out. A modern replacement brings continued protection through active maintenance. This shift lowers chances of intrusions via obsolete equipment found in personal setups.
Read more »
VR Protection
Browser VPN Security ExpressVPN Hybrid VPN Extension Meta Quest Security Post Quantum Security Privacy Smart Routing Technology VR Protection

ExpressVPN Expands Privacy Tools with Launch of Hybrid Browser Extension


 

Increasingly, immersive technologies are moving from being novel to being part of everyday digital infrastructure, which raises questions regarding privacy within virtual environments. Activities previously conducted on conventional screens now occur within headsets that process vast streams of personal data, such as browsing behavior, location signals, and device interactions, as well as process vast streams of personal data.

It has been announced that ExpressVPN has partnered with Meta in recognition of this emerging privacy frontier, which will allow its security tools to be integrated directly into Meta Quest. An application will be introduced by Meta through the Meta App Store, which will enable headset users to activate full-device VPN protection within the virtual reality environment. 

Additionally, ExpressVPN has released a hybrid browser extension that combines VPN and proxy functionality into an effective privacy tool, signaling an ongoing effort to adapt traditional internet security models to the increasingly complex environment of immersive computing. An integral part of the newly introduced extension is Smart Routing, which enables users to control how browser traffic interacts with the VPN network with granularity. 

By using the system, specific websites can be automatically linked to predefined VPN endpoints or routing preferences rather than requiring users to switch server locations multiple times when navigating between services hosted in various regions. In addition to streamlining the management of geographically sensitive connections, this approach also maintains a consistent level of privacy protection.

Additionally, additional safeguards have been implemented in order to increase protections at the browser-level. WebRTC leaks are a well-known method by which IP addresses can be uncovered despite the use of VPNs, and the extension incorporates mechanisms to block them. HTML5 geolocation data transmission is also restricted by controls in the extension. These measures are designed to prevent websites from inferring a user's physical location through browser-based signals by limiting the ability of websites to do so. 

In light of the fact that most digital activity now takes place within web environments, browser-centric protection has been focused as a way to address this reality. In order to facilitate streaming media, electronic commerce transactions, and collaborative work platforms, browser interfaces are increasingly replacing standalone software applications. 

It appears as though the company is positioning the hybrid extension as a flexible bridge between lightweight web privacy and comprehensive network protection by concentrating security controls at this layer while still providing a primary VPN application that can fully encrypt devices at the device level. At the same time, the company is expanding its privacy infrastructure beyond traditional computing devices to include immersive technology, which is rapidly gaining in popularity.

In addition to the Meta Quest platform support, we are introducing a dedicated VPN application which can be downloaded directly from the Meta App Store, enabling encrypted connectivity across the headset's system environment. Additionally, the hybrid extension is expected to be available on the platform in a browser-specific version, providing an additional level of security for virtual reality activities. 

It has historically been difficult to deploy conventional VPNs in VR ecosystems, requiring complex network workarounds or external device configuration. Native integration therefore indicates a significant change in how privacy tools are adapting to these environments. It is important to note that this development is part of a broader change that is occurring within the VPN industry as internet usage gradually expands into a variety of connected hardware categories. 

Increasingly, browsing occurs within headsets and other immersive devices, rather than just laptops or smartphones. The use of flexible routing and layered protection to safeguard user data across emerging digital interfaces may become more prominent as a result of the emergence of this technology. 

In addition to providing an encrypted connection directly to the Meta Quest headset through a dedicated application distributed through the Meta App Store as part of the company's collaboration with Meta, the company is introducing hybrid browser technology as well. As a result of this development, virtual reality headsets are increasingly regarded as more than entertainment devices; they are becoming full-featured computing platforms that facilitate various digital activities, including communication, content consumption, and collaboration. 

ExpressVPN utilizes a native VPN application that is deployed within the device environment to ensure that network traffic generated by the entire headset is routed through encrypted channels rather than limiting protection only to individual applications or browsing sessions. This type of system-wide coverage is especially useful for applications that consume large amounts of bandwidth, such as VR streaming and multiplayer gaming, where unprotected traffic can be subjected to network throttling. 

In addition, the company stated that its newly introduced hybrid extension will shortly be extended to the headset's native browsing environment in the near future. VR browser users will be able to secure web traffic via a streamlined protection mode once it is implemented, which will not require the user to remain active through a background VPN. 

In addition to providing additional privacy for browser-based activity, this lighter configuration also ensures that system resources are preserved during performance-sensitive applications, such as those that affect the immersive experience directly due to computational overhead and frame stability. 

As part of the extension architecture, the provider's proprietary Lightway Protocol has been updated to incorporate post-quantum cryptographic protections, as well as support for the extension architecture. By strengthening the protocol, we hope to address emerging concerns that future developments in quantum computing may undermine conventional encryption algorithms, positioning it as a forward-looking safeguard against decryption capabilities of the future.

It is currently available for popular browsers including Google Chrome and Mozilla Firefox, however it is expected that integration with Meta Quest in the near future will be available as soon as possible. Combined, the developments demonstrate how privacy infrastructure is gradually evolving in order to accommodate new digital interfaces, extending encrypted connectivity beyond traditional desktop and mobile ecosystems into immersive computing environments. 

The combination of these developments illustrates how privacy architectures are gradually being revised to accommodate the changing boundaries of the internet as digital interaction is increasingly centered on browsers, applications, and immersive devices. Security strategies that once focused on a single device or network layer are becoming more adaptable to meet changing requirements. 

Organizations and individual users should examine how data flows through emerging platforms and ensure that encryption and routing controls evolve simultaneously. With the internet continuing to extend beyond conventional computing interfaces, solutions that integrate flexible browser-level safeguards with device-wide encryption may represent a practical solution for maintaining consistent privacy standards.
Read more »
San Francisco
cyber attack Cyber Attacks Cybersecurity San Francisco

San Francisco Children’s Council Breach Exposes SSNs of 12,000+ People

 

The Children’s Council of San Francisco has notified more than 12,000 individuals that their personal information was compromised in a cyberattack discovered last year. 

According to breach notification letters, the incident occurred on August 3, 2025, when the organization experienced what it described as a network disruption. An investigation later found that an unauthorized actor had accessed and obtained certain data. 

“On August 3, 2025, ChCo experienced a network disruption,” the Council said in its notice to affected individuals. 

“The investigation determined that an unknown actor accessed and acquired certain data without authorization.” 

The compromised information includes names and Social Security numbers belonging to 12,655 people. 

The notice did not specify whether the affected data included information related to children served by the organization. About two weeks after the breach occurred, a ransomware group known as SafePay claimed responsibility for the attack on its data leak website. 

The group reportedly demanded payment within 24 hours in exchange for deleting the stolen data. The Children’s Council has not confirmed the claim made by SafePay, and it remains unclear how attackers gained access to the organization’s systems. 

The nonprofit has not disclosed whether a ransom demand was paid. The organization said it is offering individuals affected by the breach free identity protection services. 

Victims can enroll in 12 months of credit monitoring and receive identity theft insurance coverage of up to one million dollars through TransUnion. The offer is available for 90 days from the date of the notification letter. 

SafePay is a ransomware operation that began publicly listing its victims on a leak site in November 2024. The group uses ransomware based on the LockBit strain and typically employs a double extortion strategy, demanding payment both to restore encrypted systems and to prevent the release of stolen data. 

In 2025, SafePay claimed responsibility for 374 ransomware attacks. Of those, 46 organizations confirmed the incidents and reported data breaches affecting about 17 million people. One of the largest involved Conduent Business Services, which notified approximately 16.7 million individuals that their data had been exposed. 

 
The group continues to be active in 2026 and has already taken credit for more than a dozen additional attacks, although only one of those has been confirmed so far. Ransomware incidents targeting organizations in the United States remain widespread. 

Researchers tracked 653 confirmed ransomware attacks against U.S. organizations in 2025, exposing roughly 43.3 million personal records. 

Several nonprofit and social service organizations have been among the victims. Recent incidents have affected groups such as Bucks County Opportunity Council in Pennsylvania, Catholic Charities of the Diocese of Albany in New York, North American Family Institute in Massachusetts, Elmcrest Children’s Center in New York and Family and Community Services in Ohio.

The Children’s Council of San Francisco is a nonprofit that works with government agencies to support childcare and early education services. The organization helps families locate and pay for childcare while distributing public funding to childcare providers that serve infants and children up to age 13. 

According to its website, the nonprofit administers an annual budget of nearly 250 million dollars and partners with the California Department of Social Services as well as local government agencies in San Francisco.
Read more »
Pakistan threat group
AI cyber espionage Hackers malware Malware Campaign Pakistan threat group

Pakistan-Linked Hackers Use AI to Flood Targets With Malware in India Campaign

 

A Pakistan-aligned hacking group known as Transparent Tribe is using artificial intelligence coding tools to produce large numbers of malware implants in a campaign primarily targeting India, according to new research from cybersecurity firm Bitdefender. 

Security researchers say the activity reflects a shift in how some threat actors are developing malicious software. Instead of focusing on highly advanced malware, the group appears to be generating a large volume of implants written in multiple programming languages and distributed across different infrastructure. 

Researchers said the operation is designed to create a “high-volume, mediocre mass of implants” using less common languages such as Nim, Zig and Crystal while relying on legitimate platforms including Slack, Discord, Supabase and Google Sheets to help evade detection. 

“Rather than a breakthrough in technical sophistication, we are seeing a transition toward AI-assisted malware industrialization that allows the actor to flood target environments with disposable, polyglot binaries,” Bitdefender researchers said in a technical analysis of the campaign. 

The strategy involves creating numerous variations of malware rather than relying on a single sophisticated tool. Bitdefender described the approach as a form of “Distributed Denial of Detection,” where attackers overwhelm security systems with large volumes of different binaries that use various communication protocols and programming languages. 

Researchers say large language models have lowered the barrier for threat actors by allowing them to generate working code in unfamiliar languages or convert existing code into different formats. 

That capability makes it easier to produce large numbers of malware samples with minimal expertise. 

The campaign has primarily targeted Indian government organizations and diplomatic missions abroad. 

Investigators said the attackers also showed interest in Afghan government entities and some private businesses. According to the analysis, the attackers use LinkedIn to identify potential targets before launching phishing campaigns. 

Victims may receive emails containing ZIP archives or ISO images that include malicious Windows shortcut files. In other cases, victims are sent PDF documents that include a “Download Document” button directing them to attacker-controlled websites. 

These websites trigger the download of malicious archives. Once opened, the shortcut file launches PowerShell scripts that run in memory. 

The scripts download a backdoor and enable additional actions inside the compromised system. Researchers said attackers sometimes deploy well-known adversary simulation tools such as Cobalt Strike and Havoc to maintain access. 

Bitdefender identified a wide range of custom tools used in the campaign. These include Warcode, a shellcode loader written in Crystal designed to load a Havoc agent into memory, and NimShellcodeLoader, which deploys a Cobalt Strike beacon. 

Another tool called CreepDropper installs additional malware, including SHEETCREEP, a Go-based information stealer that communicates with command servers through Microsoft Graph API, and MAILCREEP, a backdoor written in C# that uses Google Sheets for command and control. 

Researchers also identified SupaServ, a Rust-based backdoor that communicates through the Supabase platform with Firebase acting as a fallback channel. The code includes Unicode emojis, which researchers said suggests it may have been generated with the help of AI. 

Additional malware used in the campaign includes CrystalShell and ZigShell, backdoors written in Crystal and Zig that can run commands, collect host information and communicate with command servers through platforms such as Slack or Discord. 

Other tools observed in the operation include LuminousStealer, a Rust-based information stealer that exfiltrates files to Firebase and Google Drive, and LuminousCookies, which extracts cookies, passwords and payment information from Chromium-based browsers. 

Bitdefender said the attackers are also using utilities such as BackupSpy to monitor file systems for sensitive data and ZigLoader to decrypt and execute shellcode directly in memory. Despite the large number of tools involved, researchers say the overall quality of the malware is often inconsistent. 

“The transition of APT36 toward vibeware represents a technical regression,” Bitdefender said, referring to the Transparent Tribe group. “While AI-assisted development increases sample volume, the resulting tools are often unstable and riddled with logical errors.” 

Still, the researchers warned that the broader trend could make cyberattacks easier to scale. By combining AI-generated code with trusted cloud services, attackers can hide malicious activity within normal network traffic. 

“We are seeing a convergence of two trends that have been developing for some time the adoption of exotic programming languages and the abuse of trusted services to hide in legitimate traffic,” the researchers said. 

They added that this combination allows even relatively simple malware to succeed by overwhelming traditional detection systems with sheer volume.
Read more »
regulatory policies
AI Risk Management Cyber Security MSP cybersecurity organizations regulatory policies

AI-Driven Risk Management Is Becoming a Key Growth Strategy for MSPs

 



Expanding cybersecurity services as a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) requires more than strong technical capabilities. Providers also need a sustainable business approach that can deliver clear and measurable value to clients while supporting growth at scale.

One approach gaining attention across the cybersecurity industry is risk-based security management. When implemented effectively, this model can strengthen trust with customers, create opportunities to offer additional services, and establish stable recurring revenue streams. However, maintaining such a strategy consistently requires structured workflows and the right supporting technologies.

To help providers adopt this approach, a new resource titled “The MSP Growth Guide: How MSPs Use AI-Powered Risk Management to Scale Their Cybersecurity Business” outlines how organizations can transition toward scalable cybersecurity services centered on risk management. The guide provides insights into the operational difficulties many MSPs encounter, offers recommendations from industry experts, and explains how AI-driven risk management platforms can help build a more scalable and profitable service model.


Why Risk-Focused Security Enables Service Expansion

Many MSPs already deliver essential cybersecurity capabilities such as endpoint protection, regulatory compliance assistance, and other defensive tools. While these services remain critical, they are often delivered as separate engagements rather than as part of a unified strategy. As a result, the long-term strategic value of these services may remain limited, and opportunities to generate consistent recurring revenue may be reduced.

Adopting a risk-centered cybersecurity framework can shift this dynamic. Instead of addressing isolated technical issues, providers evaluate the complete threat environment facing a client organization. Security risks are then prioritized according to their potential impact on business operations.

This broader perspective allows MSPs to move away from reactive fixes and instead deliver continuous, proactive security management.

Organizations that implement this risk-first model can gain several advantages:

• Security teams can detect and address threats before they escalate into damaging incidents.

• Defensive measures can be continuously updated as the cyber threat landscape evolves.

• Critical assets, daily operations, and organizational reputation can be protected even when compliance regulations do not explicitly require certain safeguards.

Another major benefit is alignment with modern cybersecurity frameworks. Many current standards require companies to conduct formal and ongoing risk evaluations. By integrating risk management into their core service offerings, MSPs can position themselves to pursue higher-value contracts and offer additional services driven by regulatory compliance requirements.


Common Obstacles That Limit Risk Management Services

Although risk-focused security delivers substantial value, MSPs often encounter operational barriers that make these services difficult to scale or demonstrate clearly to clients.

Several recurring challenges affect service delivery and growth:

Manual assessment processes

Traditional risk evaluations often rely heavily on manual work. This approach can consume a vast majority of time, introduce inconsistencies, and make it difficult to expand services efficiently.

Lack of actionable remediation plans

Risk reports sometimes underline security weaknesses but fail to outline clear steps for resolving them. Without defined guidance, clients may struggle to understand how to address the issues that have been identified.

Complex regulatory alignment

Organizations frequently need to comply with multiple cybersecurity standards and regulatory frameworks. Managing these requirements manually can create inefficiencies and inconsistencies.

Limited business context in security reports

Many security assessments are written in highly technical language. As a result, business leaders and non-technical stakeholders may find it difficult to interpret the results or understand the real impact on their organization.

Shortage of specialized cybersecurity professionals

Skilled risk management experts remain in high demand across the industry, making it difficult for service providers to recruit and retain qualified personnel.

Third-party risk visibility gaps

Many cybersecurity platforms focus only on internal infrastructure and overlook risks introduced by external vendors and service providers.

These challenges can make it difficult for MSPs to transform risk management into a scalable and profitable cybersecurity offering.


How AI-Powered Platforms Help Address These Barriers

To overcome these operational difficulties, many providers are turning to artificial intelligence-driven risk management tools.

AI-based platforms can automate large portions of the risk management process. Tasks that previously required extensive manual effort, such as risk assessment, prioritization, and reporting, can be completed more quickly and consistently.

These systems are designed to streamline the entire risk management lifecycle while incorporating advanced security expertise into service delivery.


What Modern Risk Management Platforms Should Deliver

A well-designed AI-enabled risk management solution should do more than simply detect potential threats. It should also accelerate service delivery and support business growth for service providers.

Organizations adopting these platforms can expect several operational benefits:

• Faster onboarding and service deployment through automated and easy-to-use risk assessment tools

• More efficient compliance management supported by built-in mappings to cybersecurity frameworks and continuous monitoring capabilities

• Clearer reporting that presents cybersecurity risks in language business leaders can understand

• Demonstrable return on investment by reducing manual workloads and enabling more efficient service delivery

• Additional revenue opportunities by identifying new cybersecurity services clients may require based on their risk profile


Key Capabilities to Evaluate When Selecting a Platform

Selecting the right technology platform is critical for service providers that want to scale cybersecurity operations effectively.

Several capabilities are considered essential in modern risk management tools:

Automated risk assessment systems

Automation allows providers to generate assessment results within days rather than months, while minimizing human error and ensuring consistent outcomes.


Dynamic risk registers and visual risk mapping

Visualization tools such as heatmaps help security teams quickly identify which risks pose the greatest threat and should be addressed first.


Action-oriented remediation planning

Effective platforms convert risk findings into structured and prioritized tasks aligned with both compliance obligations and business objectives.


Customizable risk tolerance frameworks

Organizations can adapt risk scoring models to match each client’s specific operational priorities and appetite for risk.

The MSP Growth Guide provides additional details on the features providers should consider when evaluating potential solutions.


Building Long-Term Strategic Value with AI-Driven Risk Management

For MSPs and MSSPs seeking to expand their cybersecurity practices, AI-powered risk management offers a way to deliver consistent value while improving operational efficiency.

By automating risk assessments, prioritizing security issues based on business impact, and standardizing reporting processes, these platforms enable providers to deliver reliable cybersecurity services to a growing client base.

The guide “The MSP Growth Guide: How MSPs Use AI-Powered Risk Management to Scale Their Cybersecurity Business” explains how service providers can integrate AI-driven risk management into their offerings to support long-term growth.

Organizations interested in strengthening customer relationships, expanding cybersecurity services, and building a competitive advantage may benefit from adopting risk-focused security strategies supported by AI-enabled platforms.


Read more »
Tropic Trooper
cyber attack malware Salt Typhoon Telco Tropic Trooper

China Based Hackers Attack Telco With New Malware


A China-based advanced persistent cyber criminal tracked as UAT-9244 has been attacking telecommunication service providers in South America since 2024. Threat actor attacks Linux, Windows, and network-edge devices. 

Cisco Talos researchers said that the hacker is related to the Tropic Trooper and FamousSparrow hacker groups, but it is tracked as a different activity cluster.

According to the experts, UAT-9244 shares the same victim profile as Salt Typhoon, but they are failing to find a link between the two security clusters.

New malware attacking telco networks

The experts found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that employs BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that makes proxy infrastructure (ORBs).

About TernDoor

TernDoor is installed via DLL side-loading through the authentic executable wsprint.exe to deploy malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory (inserted inside msiexec.exe).

The malware consists of a WSPrint.sys, an embedded Windows driver, which is used for terminating, suspending, and resuming processes.

Persistence is gained through Windows Registry modifications and scheduled tasks, which also hide the scheduled task. Besides this, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system data, reads/writes files, and self-deletes.

About PeerTime

PeerTime is an ELF Linux backdoor that attacks various architectures (MIPS, ARM, AARCH, PPC), hinting that it was made to attack a wide range of embedded systems and network devices.

Cisco Talos found the variants for PeerTime. The first variant is written in C/C++, and the second is based on Rust. The experts also found a Simplified Chinese debug string inside the instrumentor binary, which may be its source. The payload is decoded and installed in memory, and its process is renamed to look real.

About BruteEntry

Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to transform compromised devices into Operational Relay Boxes (ORBs), which are scanning nodes.

The attacker brute-forces SSH, PostgreSQL, and Tomcat by using workstations running BruteEntry to search for new targets. The C2 receives the results of the login attempt along with the task status and notes.

Read more »
Malware Attack
AI Risks APT36 APT36 Cyber Espionage APT36 hackers Cloud Security cyber espionage Cyber Espionage Campaign Cyber Security Google Sheets API abuse Malware Attack

APT36 Uses AI-Generated “Vibeware” Malware and Google Sheets to Target Indian Government Networks

 

Researchers at Bitdefender have uncovered a new cyber campaign linked to the Pakistan-aligned threat group APT36, also known as Transparent Tribe. Unlike earlier operations that relied on carefully developed tools, this campaign focuses on mass-produced AI-generated malware. Instead of sophisticated code, the attackers are pushing large volumes of disposable malicious programs, suggesting a shift from precision attacks to broad, high-volume activity powered by artificial intelligence. Bitdefender describes the malware as “vibeware,” referring to cheap, short-lived tools generated rapidly with AI assistance. 

The strategy prioritizes quantity over accuracy, with attackers constantly releasing new variants to increase the chances that at least some will bypass security systems. Rather than targeting specific weaknesses, the campaign overwhelms defenses through continuous waves of new samples. To help evade detection, many of the programs are written in lesser-known programming languages such as Nim, Zig, and Crystal. Because most security tools are optimized to analyze malware written in more common languages, these alternatives can make detection more difficult. 

Despite the rapid development pace, researchers found that several tools were poorly built. In one case, a browser data-stealing script lacked the server address needed to send stolen information, leaving the malware effectively useless. Bitdefender’s analysis also revealed signs of deliberate misdirection. Some malicious files contained the common Indian name “Kumar” embedded within file paths, which researchers believe may have been placed to mislead investigators toward a domestic source. In addition, a Discord server named “Jinwoo’s Server,” referencing a popular anime character, was used as part of the infrastructure, likely to blend malicious activity into normal online environments. 

Although some tools appear sloppy, others demonstrate more advanced capabilities. One component known as LuminousCookies attempts to bypass App-Bound Encryption, the protection used by Google Chrome and Microsoft Edge to secure stored credentials. Instead of breaking the encryption externally, the malware injects itself into the browser’s memory and impersonates legitimate processes to access protected data. The campaign often begins with social engineering. Victims receive what appears to be a job application or resume in PDF format. Opening the document prompts them to click a download button, which silently installs malware on the system. 

Another tactic involves modifying desktop shortcuts for Chrome or Edge. When the browser is launched through the altered shortcut, malicious code runs in the background while normal browsing continues. To hide command-and-control activity, the attackers rely on trusted cloud platforms. Instructions for infected machines are stored in Google Sheets, while stolen data is transmitted through services such as Slack and Discord. Because these services are widely used in workplaces, the malicious traffic often blends in with routine network activity. 

Once inside a network, attackers deploy monitoring tools including BackupSpy. The program scans internal drives and USB storage for specific file types such as Word documents, spreadsheets, PDFs, images, and web files. It also creates a manifest listing every file that has been collected and exfiltrated. Bitdefender describes the overall strategy as a “Distributed Denial of Detection.” Instead of relying on a single advanced tool, the attackers release large numbers of AI-generated malware samples, many of which are flawed. However, the constant stream of variants increases the likelihood that some will evade security defenses. 

The campaign highlights how artificial intelligence may enable cyber groups to produce malware at scale. For defenders, the challenge is no longer limited to identifying sophisticated attacks, but also managing an ongoing flood of low-quality yet constantly evolving threats.
Read more »
Passaic County
IT Systems malware New Jersey Passaic County

Malware Attack Cripples Passaic County Phones and IT Systems

 

A malware attack has disrupted government services in Passaic County, New Jersey, knocking out key IT systems and phone lines that serve nearly 600,000 residents across the region. Officials say they are working with state and federal partners to investigate the incident and restore critical communications as quickly as possible.

The disruption began midweek, when county phones suddenly stopped working and a service alert warned that all lines were “currently down,” leaving residents unable to reach many government offices by telephone. The outage has extended beyond a brief glitch, with phone issues lingering into the following day as technical teams assess the scope of the compromise. In public statements, the county has confirmed that a malware attack is affecting its IT infrastructure and impacting phone lines but has released few technical details about the nature of the malicious software involved. 

Passaic County leaders emphasize that they are collaborating closely with both federal and state authorities to investigate and contain the attack, reflecting growing concern over cyber threats to local government systems. Agencies are working to determine how attackers gained access, what systems were affected, and whether any data was stolen, altered, or encrypted.Officials have not yet said whether emergency services such as 911 or dispatch operations were impacted, nor have they confirmed if any personal information of residents has been compromised.

This incident comes amid a broader wave of cyberattacks targeting smaller municipalities and public institutions, as criminals shift focus away from the larger metropolitan governments and corporations that hardened their defenses in recent years. Experts note that local governments often rely on aging infrastructure and limited cybersecurity resources, making them appealing targets for malware campaigns that can disrupt daily operations for thousands of residents. Recent attacks on other New Jersey jurisdictions and hospitals across the country have led to extended outages, raising alarms about the resilience of public services in the face of persistent digital threats.

For Passaic County residents, the immediate impact is practical and personal: difficulty reaching county offices, confusion about service availability, and uncertainty over potential exposure of sensitive data. Authorities have urged patience as investigations continue and pledged to share updates once systems are fully restored and more is known about the attack’s origin and impact.The episode underscores the need for stronger cybersecurity investments at the local level, from securing phone and network infrastructure to training staff against phishing and other common malware entry points.
Read more »
Wordpress Vulnerability
Cyber Security cyber threat Plugin Privilege Escalation Website Takeover Risk WordPress Security Flaw Wordpress Vulnerability

Newly Discovered WordPress Plugin Bug Enables Privilege Escalation to Admin


 

With WordPress, millions of websites depend on its convenience, but it also includes a complex web of extensions, which quietly handle everything from user onboarding to payment-based membership. In addition to simplifying site management and extending functionality, these plugins often work with deep integration into the platform's authentication and permission systems.

If any minor mistake is made within this layer, the consequences can extend far beyond a routine software malfunction. Having recently discovered a security flaw in a widely deployed membership management plugin, attention has been drawn to this fragile intersection between functionality and security, showing how external parties could bypass normal security safeguards by bypassing the user registration process and achieving the highest level of administrative privileges. 

An issue that affects affected sites is not simply one of technical misconfiguration, but also one that may allow unauthorized actors to take complete control of the website. In the past few years, WordPress has been powered by a robust ecosystem of plugins, enabling everything from membership portals to subscription-based services with minimal technical effort. 

Nevertheless, when input validation and access controls are not carefully applied, this same flexibility can pose subtle security risks. Recent disclosures of a vulnerability in a widely used membership plugin highlight this fragile balance, which opens the door to a possible takeover of tens of thousands of WordPress installations. 

It has been confirmed that malicious actors have already exploited the vulnerability, tracked as CVE-2026-1492, by manipulating account roles during the sign-up process, granting them administrator-level privileges without authentication and effectively gaining full control over affected sites through exploiting a flaw in the plugin's registration process.

It is estimated that the vulnerability affects more than 60,000 websites using WPEverest's User Registration & Membership plugin. As a result, the plugin fails to properly validate role parameters entered during registration, which leads to the issue. 

Unauthenticated attackers can tamper with this input to assign elevated privileges to newly created accounts, bypassing the intended permission restrictions, allowing them to register directly as site administrators. By obtaining such access, attackers can install malicious plugins, alter site content, extract sensitive information, such as user databases, embed hidden malware within the website infrastructure, or alter site content after obtaining such access.

Consequently, the consequences of privilege escalation are particularly severe within the WordPress permission framework, in which administrator accounts are granted unrestricted access to virtually all website functionality. Those who gain access to this level of the system can modify themes and plugins, modify PHP code, alter security settings, and even remove legitimate administrators.

In practical terms, a compromised website can become a controlled asset that can be used for further malicious activities, such as malware distribution or unauthorized data harvesting from registered users or visitors. After the vulnerability was publicly disclosed, Defiant researchers, the company behind the widely used Wordfence security plugin, reported observing attempts to exploit the vulnerability. 

Over two hundred malicious requests attempting to exploit CVE-2026-1492 were blocked within a 24-hour period by monitoring across protected environments, indicating that the flaw has been rapidly incorporated into automated attacks. As a result of the vulnerability, all versions of the plugin up to version 5.1.2. are vulnerable. 

Developers have since released a fix to address the issue, first in version 5.1.3 and then in version 5.1.4. This version also has additional stability and security improvements. Consequently, administrators are strongly advised to upgrade as soon as possible to the latest version, or temporarily disable the plugin if patch deployment cannot be completed promptly. 

It has been reported by Wordfence that CVE-2026-1492 is the most severe vulnerability to date in the plugin. Additionally, this incident reflects an ongoing trend in which attackers systematically scan the WordPress ecosystem for exploitable plugin vulnerabilities. In addition to distributing malware and hosting phishing campaigns, compromised websites are frequently used to operate command-and-control infrastructure, proxy malicious traffic, or store data stolen from others. 

Similar patterns were observed earlier in January 2026 when threat actors exploited another critical vulnerability, CVE-2026-23550, affecting the Modular DS WordPress plugin and allowing remote authentication bypass with administrator access. 

In incidents such as these, security risks remain prevalent in platforms powered by plugins such as WordPress, where a single mistake in access control can result in the compromise of thousands of websites. Since the vulnerability is so severe and exploitation attempts have already surfaced so quickly, security experts emphasize the importance of taking immediate defensive action.

Website operators are advised to review installed plugins, apply available security updates as soon as possible, and implement monitoring mechanisms that will detect any suspicious administrative activity or unauthorized account creation. By conducting regular security audits, following the principle of least privilege, and employing reputable security plugins, similar threats can be significantly reduced. 

In general, the incident illustrates the importance of maintaining continuous vigilance, timely patch management, and disciplined configuration practices to ensure that widely used plugins do not become entry points into large-scale attacks. It is crucial that the operational convenience offered by extensible platforms like WordPress is balanced with continuous vigilance and timely patch management.
Read more »
Vulnerabilities and Exploits
Cisco breach firewall management Security Flaws Vulnerabilities and Exploits

Hackers Exploit Two Vulnerabilities in Cisco SD-WAN Manager

 



Cisco Systems has confirmed that attackers are actively exploiting two security flaws affecting its Catalyst SD-WAN Manager platform, previously known as SD-WAN vManage. The company disclosed that both weaknesses are currently being abused in real-world attacks.

The vulnerabilities are tracked as CVE-2026-20122 and CVE-2026-20128, each presenting different security risks for organizations operating Cisco’s software-defined networking infrastructure.

The first flaw, CVE-2026-20122, carries a CVSS score of 7.1 and is described as an arbitrary file overwrite vulnerability. If successfully exploited, a remote attacker with authenticated access could overwrite files stored on the system’s local file structure. Exploitation requires the attacker to already possess valid read-only credentials with API access on the affected device.

The second vulnerability, CVE-2026-20128, has a CVSS score of 5.5 and involves an information disclosure issue. This flaw could allow an authenticated local user to escalate privileges and obtain Data Collection Agent (DCA) user permissions on a targeted system. To exploit the vulnerability, the attacker must already have legitimate vManage credentials.

Cisco released fixes for these issues late last month. The patches also addressed additional vulnerabilities identified as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.

The company provided updates across multiple software releases. Systems running versions earlier than 20.9.1 should migrate to a patched release. Fixes are available in the following versions:

  • Version 20.9 → fixed in 20.9.8.2
  • Version 20.11 → fixed in 20.12.6.1
  • Version 20.12 → fixed in 20.12.5.3 and 20.12.6.1
  • Version 20.13 → fixed in 20.15.4.2
  • Version 20.14 → fixed in 20.15.4.2
  • Version 20.15 → fixed in 20.15.4.2
  • Version 20.16 → fixed in 20.18.2.1
  • Version 20.18 → fixed in 20.18.2.1

According to Cisco’s Product Security Incident Response Team, the company became aware in March 2026 that CVE-2026-20122 and CVE-2026-20128 were being actively exploited. Cisco did not disclose how widespread the attacks are or who may be responsible.

Additional insights were shared by researchers at watchTowr. Ryan Dewhurst, the firm’s head of proactive threat intelligence, reported that the company observed exploitation attempts originating from numerous unique IP addresses. Investigators also identified attackers deploying web shells, malicious scripts that allow remote command execution on compromised systems.

Dewhurst noted that the most significant surge in attack activity occurred on March 4, with attempts recorded across multiple global regions. Systems located in the United States experienced slightly higher levels of activity than other areas.

He also warned that exploitation attempts are likely to continue as additional threat actors begin targeting the vulnerabilities. Because both opportunistic and coordinated attacks appear to be occurring, Dewhurst said any exposed system should be treated as potentially compromised until proven otherwise.

Security experts emphasize that SD-WAN management platforms function as centralized control hubs for enterprise networks. As a result, vulnerabilities affecting these systems can carry heightened risk because they may allow attackers to manipulate network configurations or maintain persistent access across multiple connected sites.

In response to the ongoing attacks, Cisco advises organizations to update affected systems immediately and implement additional security precautions. Recommended actions include restricting administrative access from untrusted networks, placing devices behind properly configured firewalls, disabling the HTTP interface for the Catalyst SD-WAN Manager administrator portal, turning off unused services such as HTTP or FTP, changing default administrator passwords, and monitoring system logs for suspicious activity.

The disclosure follows a separate advisory issued a week earlier in which Cisco reported that another flaw affecting Catalyst SD-WAN Controller and SD-WAN Manager — CVE-2026-20127, rated 10.0 on the CVSS scale had been exploited by a sophisticated threat actor identified as UAT-8616 to establish persistent access within high-value organizations.

This week the company also released updates addressing two additional maximum-severity vulnerabilities in Secure Firewall Management Center. The flaws, tracked as CVE-2026-20079 and CVE-2026-20131, could allow an unauthenticated remote attacker to bypass authentication protections and execute arbitrary Java code with root-level privileges on affected systems.

Read more »
Subscribe to: Comments (Atom)