Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials. [...]
Security & IT News
A California man was sentenced to more than 26 years in federal prison for trafficking fentanyl and methamphetamine through Nemesis Market, one of the world's largest dark web marketplaces. [...]
Phishing, shadow AI, malicious extensions, and credential theft increasingly happen inside the browser. Keep Aware explains what the 2026 Verizon DBIR reveals about browser-layer security gaps and modern attacks. [...]
Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. "OP-512 was highly likely conducting espionage through a
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

CVE-2026-28318 (https://www.cve.org/CVERecord?id=CVE-2026-28318): SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/reducing_the_significant_risk_of_known_exploited_vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).
Eighteen months ago, the AI SOC was a marketing line. Today it's a budget item. The category has crossed over from interesting to inevitable, with billions of dollars now flowing into AI-powered security operations platforms, agentic SOC tools, and AI co-pilots built into every layer of the security stack. The data shows SOCs are buying, deploying, and standing up AI capabilities at the fastest
A few months ago, I wrote a diary about a payload embedded in a JPEG picture, an MSI-branded background [1]. Yesterday, I spotted another one! It seems that the technique is getting more and more popular. This time, it started with an email containing a WeTransfer link. The WeTransfer brand is often abused in phishing emails; here, it was an official link: hxxps://we[.]tl/t-R4Wv1JkvFfC4Awus. The threat actor shared the initial file via this platform. The file is a piece of JavaScript called Remittance Advice.js (SHA256: 8a83de81fbac4eb0961f3d58982f299664a5fa4c874c7469e69f85f3fc5bd33f). It contains a lot of junk code that does nothing: every for-loop just moves on to the next line. In the middle of the file (2MB), we find the interesting code, which performs the following tasks.

It decodes the next payload into an environment variable:

[Environment]::SetEnvironmentVariable("INTERNAL_DB_CACHE", encoded_payload)

The obfuscation technique used is ROT13, old but still very efficient:

cbjrefuryy.rkr -RkrphgvbaCbyvpl Olcnff -AbCebsvyr -JvaqbjFglyr Uvqqra -Pbzznaq

Decoded, it becomes:

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command

PowerShell is executed through WMI:
winmgmts:root\cimv2: connect to WMI
Win32_ProcessStartup: configure process startup (hidden window)
Win32_Process.Create(): spawn the process

The full command is:

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command [ScriptBlock]::Create(${env:INTERNAL_DB_CACHE})

This code fetches an MSI background JPEG file from this location: hxxp://icy-lab-0431[.]guilherme-telecomunicacoes2024[.]workers[.]dev/mCSlB

Note that the threat actor likes to use well-known services to store his/her payloads. workers.dev is the default, free subdomain provided by Cloudflare for deploying serverless applications [2]. The technique used to hide the next payload is the same as in my previous diary.

The Base64-encoded payload is delimited with "IN-" and "-in1". To defeat simple Base64 lookups, all "A" characters have been replaced by "#". Once decoded, the payload is a .NET DLL (SHA256: 184a3008adff54cb345a599b4f3ca0c7bde29d8ac8379783ff40cd4e7ecc931b). It is a modified version of Microsoft.Win32.TaskScheduler, an open-source .NET library for managing the Windows Task Scheduler [3]. The PowerShell payload also fetches another file, which is passed to the loaded malicious DLL: hxxps://pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev/snake.png

Here again, a legitimate online service is used. r2.dev is the default domain used by Cloudflare R2 to serve files and assets stored in public cloud-native buckets; R2 is a globally distributed, S3-compatible object storage service that lets developers store large amounts of unstructured data [4]. The file looks like another background and probably contains another payload protected by steganography (very common with .NET loaders). I'm now reversing the .NET loader. Stay tuned for
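The two decoding steps the diary walks through (ROT13 on the launcher string, then carving the Base64 blob whose "A" characters were swapped for "#" out of the JPEG) are small enough to script. The code below is an added analyst helper, not part of the ISC diary or the malware; it reproduces the diary's ROT13 string verbatim, but the JPEG-shaped sample and the fake "DLL" inside it are constructed here so the block runs offline (the real image and hashes are not embedded).

```python
import base64
import codecs
import re

# ROT13-obfuscated launcher string exactly as quoted in the diary.
OBFUSCATED_CMD = "cbjrefuryy.rkr -RkrphgvbaCbyvpl Olcnff -AbCebsvyr -JvaqbjFglyr Uvqqra -Pbzznaq"

# Delimiters the diary reports around the hidden Base64 blob inside the JPEG.
START_MARK, END_MARK = b"IN-", b"-in1"


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so decoding is the same rotation."""
    return codecs.decode(text, "rot_13")


def extract_hidden_payload(image: bytes) -> bytes:
    """Carve the blob between IN- and -in1, put back the 'A's the actor
    replaced with '#', and Base64-decode it. validate=True makes a blob that
    is not clean Base64 raise instead of silently producing garbage."""
    pattern = re.escape(START_MARK) + rb"(.*?)" + re.escape(END_MARK)
    m = re.search(pattern, image, re.DOTALL)
    if m is None:
        raise ValueError("no IN-/-in1 delimited blob found in image")
    b64 = m.group(1).replace(b"#", b"A")   # '#' never occurs in Base64, so this is unambiguous
    return base64.b64decode(b64, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Quick sanity check: a .NET DLL is a PE file and starts with the MZ header."""
    return data[:2] == b"MZ"


# --- constructed sample, not the real malware ---------------------------------
FAKE_DLL = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24 + b"hypothetical .NET stub"


def embed_like_actor(payload: bytes) -> bytes:
    """Build a JPEG-shaped blob the way the diary describes the real one:
    Base64, 'A' -> '#', wrapped in IN- ... -in1, surrounded by image bytes."""
    enc = base64.b64encode(payload).replace(b"A", b"#")
    return b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32 + START_MARK + enc + END_MARK + b"\xff\xd9"


SAMPLE_IMAGE = embed_like_actor(FAKE_DLL)

if __name__ == "__main__":
    print(rot13(OBFUSCATED_CMD))
    carved = extract_hidden_payload(SAMPLE_IMAGE)
    print(f"carved {len(carved)} bytes, PE header: {looks_like_pe(carved)}")
```

Pointing extract_hidden_payload at the real downloaded image (read as bytes) is the only change needed for a live sample; the MZ check is just a first triage step before handing the DLL to a .NET decompiler.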
The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network. "Compromised business servers across the U.S., Europe, and Asia were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes," Hunt.io said in
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Critical Everest Forms Pro RCE flaw exploited to create rogue WordPress admin accounts
A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO
Over the past several weeks, the cybersecurity community has been reminded how quickly frontier and agentic AI in defense networks can challenge our assumptions. When Anthropic's Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was
Not all managed detection and response (MDR) solutions are equal. Finding the differences between vendors can be quite hard, and understanding how those differences impact your business can be even harder. For instance, you may come across an MDR provider whose pricing is based on how much data you ingest rather than on the number of assets you protect. Ingestion-based solutions can be more cost effective if you're selective about which security telemetry you ingest, but then who analyzes the impact of the logs you're leaving out, until they're needed? Or consider an MDR solution that is really EDR with a few additional log sources. For some organizations this is a perfectly good fit. But how often are the resulting logging blind spots reviewed and accepted as a risk? In my experience, very rarely. I like to spend time educating customers on the importance of defense in depth, and partners on how to clearly demonstrate that importance when it comes to catching and stopping attacks.

The Swiss Cheese model

One of my favorite ways of explaining defense in depth is the "Swiss Cheese model."

Figure 1: The Swiss Cheese model

It's a risk model used successfully across industries like aviation safety and engineering. Its guiding principle is that no single safeguard is fool-proof at preventing accidents, and that true resilience depends on multiple layers of monitoring and control. The great thing about this model is that it translates very well to security operations and the technologies (SIEM) and services (MDR) that underpin it. In these solutions, each slice of "cheese" is a combination of a log source and detection rules within an attack surface domain (endpoint, identity, cloud, network), with each domain reinforced by multiple log sources and detection rules. The log source is half of the cheese layer, providing the raw information.

The detection rules that help us spot attackers' actions are the other half. Logs and detection rules working in combination make up the whole slice. For example, say you have an agent capturing activity on all of your servers and endpoints, but an attacker has stolen VPN credentials and logs in to your corporate environment like a normal user. There is no agent on the attacker's machine, only on corporate users' machines. Their next step is to enumerate the environment, through a combination of passive monitoring and active scanning, looking for the next stepping stone on the way to domain admin credentials or data exfiltration. There are plenty of ways the attacker can do this without triggering any agent. But what if we have log sources monitoring Active Directory, firewall/VPN access, and even a network-based sensor monito
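The stolen-VPN-credential scenario above is a good illustration of why the "other half of the slice" matters: the endpoint agent never sees the attacker's machine, but a VPN login followed by connections to many internal hosts is visible in the VPN gateway and firewall logs. The correlation below is an added example, not code from the article or its author; the log format, field names, thresholds and the log lines themselves are constructed for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed key=value log format: "<ISO8601 timestamp> <source> k=v k=v ..."
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    ts, _source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_post_login_enumeration(vpn_lines, fw_lines,
                                window=timedelta(minutes=10), min_hosts=5):
    """Join VPN session logins to firewall flows by the VPN-assigned address and
    flag sessions that touch at least min_hosts distinct internal hosts inside
    the window. Thresholds are illustrative; tune them to your estate."""
    logins = [parse_line(l) for l in vpn_lines if "event=login" in l]
    flows = [parse_line(l) for l in fw_lines]
    alerts = []
    for s in logins:
        start, end = s["ts"], s["ts"] + window
        mine = [f for f in flows
                if f["src"] == s["assigned_ip"] and start <= f["ts"] <= end]
        hosts = {f["dst"] for f in mine}
        if len(hosts) >= min_hosts:
            alerts.append({
                "user": s["user"],
                "assigned_ip": s["assigned_ip"],
                "distinct_hosts": len(hosts),
                "ports": sorted({int(f["dport"]) for f in mine}),
            })
    return alerts


# --- constructed sample logs: jdoe's session fans out across the server VLAN,
# --- asmith's looks like normal use.
VPN_LOG = [
    "2026-05-12T08:00:05Z vpn-gw user=jdoe event=login assigned_ip=10.8.0.23 src=203.0.113.45",
    "2026-05-12T08:01:10Z vpn-gw user=asmith event=login assigned_ip=10.8.0.24 src=198.51.100.9",
]
FW_LOG = [
    f"2026-05-12T08:02:{i:02d}Z fw src=10.8.0.23 dst=10.1.0.{10 + i} dport=445 action=allow"
    for i in range(8)
] + [
    "2026-05-12T08:03:00Z fw src=10.8.0.23 dst=10.1.0.5 dport=389 action=allow",
    "2026-05-12T08:02:30Z fw src=10.8.0.24 dst=10.1.0.50 dport=443 action=allow",
    "2026-05-12T08:05:12Z fw src=10.8.0.24 dst=10.1.0.51 dport=443 action=allow",
]

if __name__ == "__main__":
    for a in find_post_login_enumeration(VPN_LOG, FW_LOG):
        print(a)
```

Neither log source is a detection on its own: the VPN log only says that a valid account logged in, and the firewall log only shows allowed SMB and LDAP flows. The join across the two is the detection rule, and removing either source from the ingestion budget removes the whole slice.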
A Bugcrowd researcher has unveiled ExploitBench, an independent benchmark of AI models for vulnerability exploitation
French and Spanish authorities took down an online marketplace selling fake identity documents to migrant smuggling rings operating within the European Union. [...]
A new China-linked cybercrime group known as TA4922 has expanded its targeting to European organizations in the U.K., Germany, and Italy, as well as South Africa. These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-03.json

Summary
B&R is aware of a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploits this vulnerability could make the OPC-UA server of the product inaccessible.

The following versions of B&R PPT30 Operating System are affected:
PPT30 Operating System <1.8.0 (CVE-2025-11482); 1.8.0 is the fixed release

CVSS: v3 7.5
Vendor: B&R Industrial Automation GmbH
Equipment: B&R PPT30 Operating System
Vulnerabilities: Allocation of Resources Without Limits or Throttling

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2025-11482
An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA Server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated network-based attacker to permanently prevent legitimate users from interacting with the service.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-11482

Affected Products
B&R PPT30 Operating System
Vendor: B&R Industrial Automation GmbH
Product Version: B&R Industrial Automation GmbH PPT30 Operating System <1.8.0
Product Status: fixed, known_affected

Remediations
Vendor fix: The problem is corrected in the following product versions: PPT30 Operating System 1.8.0. The OPC-UA server is not activated by default. B&R recommends that customers with the OPC-UA server enabled install the update at their earliest opportunity. The process to install updates, and the step to identify the installed product version, are described in the user manual.
Mitigation: The optional OPC-UA server is not activated by default. The OPC-UA server shall only be activated if required. PPT30 products are i
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-02.json

Summary
Hitachi Energy is aware of vulnerabilities that affect the ITT600 Explorer product versions listed in this document. These vulnerabilities can be exploited to carry out a Denial of Service (DoS) attack on the product. The vulnerabilities only affect the Hitachi Energy Integrated Testing Tool ITT600 SA Explorer and do not affect IEC 61850 system endpoints. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy ITT600 Explorer are affected:
ITT600 Explorer versions up to and including 2.1 SP6 (CVE-2024-8176, CVE-2025-59375)

CVSS: v3 7.5
Vendor: Hitachi Energy
Equipment: Hitachi Energy ITT600 Explorer
Vulnerabilities: Uncontrolled Recursion, Allocation of Resources Without Limits or Throttling

Background
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2024-8176
A stack overflow vulnerability exists in the libexpat library used by the IEC61850 functionality supported by the product. A malicious user with local access could use a crafted IEC61850 message to exploit the vulnerability in the libexpat library. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. The product is only affected if IEC61850 server simulation is used.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2024-8176

Affected Products
Hitachi Energy ITT600 Explorer
Vendor: Hitachi Energy
Product Version: ITT600 Explorer before version 2.1 SP6
Product Status: fixed, known_affected

Remediations
Vendor fix: Update to version 2.1 SP6 HF1
Vendor fix: Upgrade to version 2.2 when available

Relevant CWE: CWE-674 Uncontrolled Recursion (https://cwe.mitre.org/data/definitions/674.html)
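The advisory classifies CVE-2024-8176 as CWE-674 (uncontrolled recursion) and the remediation is simply to update; the upstream libexpat release that fixed it (2.7.0) describes the bug as a stack overflow on deeply nested entity references. As an added example, not code from the advisory, Hitachi Energy or libexpat, the guard below screens an XML document's internal DTD subset for deep or cyclic entity reference chains before the document reaches a native parser. The depth limit, the entity names and the sample documents are constructed for the demo, and the guard only looks at literal-valued general entities declared in the internal subset; it is a defensive pre-check, not a substitute for the vendor patch.

```python
import re

# Internal-subset entity declarations with a literal value, e.g. <!ENTITY a "&b;">.
# External (SYSTEM/PUBLIC) and parameter (%) entities are not matched and so not modelled.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&(\w+);")


def entity_graph(xml_text: str) -> dict:
    """Map each declared general entity to the entity names its value references."""
    graph = {}
    for m in ENTITY_DECL.finditer(xml_text):
        name, dq, sq = m.groups()
        value = dq if dq is not None else sq
        graph[name] = set(ENTITY_REF.findall(value))
    return graph


def max_entity_depth(graph: dict):
    """Longest chain of nested entity references. Computed iteratively (Kahn's
    algorithm over the reference graph) so the guard itself cannot be driven
    into deep recursion by the input. Returns None if the references form a cycle."""
    children = {n: [c for c in refs if c in graph] for n, refs in graph.items()}
    indeg = {n: 0 for n in graph}
    for refs in children.values():
        for c in refs:
            indeg[c] += 1
    stack = [n for n in graph if indeg[n] == 0]   # entities nothing else references
    topo = []
    while stack:
        n = stack.pop()
        topo.append(n)
        for c in children[n]:
            indeg[c] -= 1
            if indeg[c] == 0:
                stack.append(c)
    if len(topo) != len(graph):
        return None                                # some entity never reached a root: cycle
    depth = {}
    for n in reversed(topo):                       # children are settled before their parents
        depth[n] = 1 + max((depth[c] for c in children[n]), default=0)
    return max(depth.values(), default=0)


def safe_to_parse(xml_text: str, limit: int = 32) -> bool:
    """Reject documents whose entity nesting exceeds the limit or is cyclic."""
    d = max_entity_depth(entity_graph(xml_text))
    return d is not None and d <= limit


# --- constructed sample inputs -------------------------------------------------
def nested_entity_doc(n: int) -> str:
    """A chain e0 -> e1 -> ... -> en of nested entity references (depth n + 1)."""
    decls = "".join(f'<!ENTITY e{i} "&e{i + 1};">' for i in range(n)) + f'<!ENTITY e{n} "x">'
    return f'<?xml version="1.0"?><!DOCTYPE r [{decls}]><r>&e0;</r>'


BENIGN = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY vendor "Example">]><r>&vendor; &amp; co</r>'
CYCLIC = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("cyclic", CYCLIC), ("deep", nested_entity_doc(5000))]:
        print(label, "depth:", max_entity_depth(entity_graph(doc)), "safe:", safe_to_parse(doc))
```

Placing a check like this in front of a parser only helps where the untrusted XML arrives as text you can inspect first; for a binary protocol handler that feeds libexpat directly, as the advisory describes for the IEC61850 simulation, updating the library is the real fix.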
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-05.json

Summary
Hitachi Energy is aware of a buffer overflow vulnerability that affects the MACH HiDraw product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflow condition, potentially resulting in application outages (denial of service) and possible arbitrary code execution. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy MACH HiDraw are affected:
MACH HiDraw <=9.22 (CVE-2026-7310)

CVSS: v3 5.5
Vendor: Hitachi Energy
Equipment: Hitachi Energy MACH HiDraw
Vulnerabilities: Heap-based Buffer Overflow

Background
Critical Infrastructure Sectors: Dams, Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2026-7310
A heap-based buffer overflow vulnerability exists in the XML parser functionality of HiDraw. An authenticated malicious user with local access can exploit this vulnerability using a specially crafted XML file, which may lead to memory corruption and potential arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-7310

Affected Products
Hitachi Energy MACH HiDraw
Vendor: Hitachi Energy
Product Version: MACH HiDraw version 9.22 and prior
Product Status: known_affected

Remediations
Vendor fix: Fixed in version 9.23. Due to the complexity of individual project implementations, contact your local account team for further information on possible upgrades.
Mitigation: Hitachi's General Mitigation Factors/Workarounds: Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from o
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-01.json

Summary
Successful exploitation of this vulnerability could allow a local attacker to gain unauthorized access to SOAP methods, resulting in a disruption of operations.

The following versions of NAVTOR NavBox are affected:
NavBox 4.16.1.20 (CVE-2026-21404)

CVSS: v3 6.3
Vendor: NAVTOR
Equipment: NAVTOR NavBox
Vulnerabilities: Use of Hard-coded Credentials

Background
Critical Infrastructure Sectors: Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Norway

Vulnerabilities
CVE-2026-21404
NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract the credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-21404

Affected Products
NAVTOR NavBox
Vendor: NAVTOR
Product Version: NAVTOR NavBox: 4.16.1.20
Product Status: known_affected

Remediations
Vendor fix: NAVTOR released a patch for NavBox in April 2026. Version 4.17.2.6 and later includes the fix. Users with an active NavBox connection are automatically kept up to date with the latest version; no user action is required.

Relevant CWE: CWE-798 Use of Hard-coded Credentials (https://cwe.mitre.org/data/definitions/798.html)

Metrics
CVSS Version / Base Score / Base Severity / Vector String: