
Security & IT News

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

753 results in Vulnerability

Vulnerability · The Hacker News · 59d ago
Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed

Vulnerability · The Hacker News · 59d ago
[Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk

In the rapid evolution of the 2026 threat landscape, a frustrating paradox has emerged for CISOs and security leaders: Identity programs are maturing, yet the risk is actually increasing. According to new research from the Ponemon Institute, hundreds of applications within the typical enterprise remain disconnected from centralized identity systems. These "dark

Vulnerability · The Hacker News · 59d ago
Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access

A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024. "

Vulnerability · Rapid7 · 59d ago
A First Look at Our Speaker Lineup and Agenda for the Rapid7 2026 Global Cybersecurity Summit

The agenda for the Rapid7 2026 Global Cybersecurity Summit is starting to take shape, and with it, a clearer picture of the conversations security teams need to be having right now. Taking place May 12–13, this year’s summit brings together a mix of security leaders, practitioners, analysts, and industry voices to explore how organizations are moving from reactive defense to preemptive security operations. The focus is practical. What is changing, what is not working, and what teams need to do differently.

Voices from across the industry

This year’s lineup reflects that shift. Alongside Rapid7 experts and customer speakers, the summit will feature well-known voices from across the security community. Rachel Tobac, CEO of SocialProof Security, joins the keynote panel The Reality of Running a SOC in 2026, bringing a perspective grounded in how modern attacks actually begin and how attackers adapt in real time. She is joined by cybersecurity speaker and “Smashing Security” podcast host Graham Cluley, whose work has long focused on translating complex threats into practical understanding for security teams.

From an analyst perspective, Craig Robinson of IDC and Dave Gruber of Omdia add an external view on how the market is evolving, where organizations are investing, and how security programs are being measured. Their contributions help ground the discussion in broader industry trends, not just individual experiences.

Customer voices also play a central role. Leaders from organizations such as Netscout Systems, Target RWE, and Miltenyi Biotec will share how they are navigating complexity, validating decisions around MDR and platform consolidation, and focusing on outcomes rather than activity.

What to expect during the show

Across two days, the summit is structured to reflect how security teams actually operate. Day one focuses on shared context with sessions like Defense Starts Earlier Than You Think and The Reality of Running a SOC in 2026 examining how the threat landscape has shifted and why traditional approaches are struggling to keep pace. From there, sessions such as Inside the Modern SOC and Using Red Teaming to Power Preemptive MDR move into how detection, response, and validation work in practice. The goal is to connect the full picture: how attacks begin, how they progress, and how teams respond when it matters.

Day two is more focused on the unique needs of particular security roles. The two dedicated tracks allow attendees to go deeper into the implications of modern security evolution based on their daily realities. For security leaders, sessions such as The CISO’s Role in Enterprise Transformation and A CISO’s Guide to MDR Accountability and Outcomes explore governance, accountability, and ways to measure effectiveness that reflect real business risk. For practitioners, sessions like Hunt or Be Hunted and IR in Practice focus on the mechanics of investigation, detection and response. These sessions look closely at how analysts triage

Vulnerability · CISA · 59d ago
Mitsubishi Electric GENESIS64 and ICONICS Suite products

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-097-01.json

Summary

Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system.

The following versions of Mitsubishi Electric GENESIS64 and ICONICS Suite products are affected:

- GENESIS64 <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- ICONICS Suite <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- MobileHMI <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- Hyper Historian <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- AnalytiX <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- MC Works 64 vers:all/* (CVE-2025-14815, CVE-2025-14816)
- GENESIS <=11.02 (CVE-2025-14815, CVE-2025-14816)

CVSS: v3 8.8
Vendor: Mitsubishi Electric
Equipment: Mitsubishi Electric GENESIS64 and ICONICS Suite products
Vulnerabilities: Cleartext Storage of Sensitive Information, Cleartext Storage of Sensitive Information in GUI

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Mitsubishi Electric Iconics Digital Solutions is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

Vulnerabilities

CVE-2025-14815

When the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication, the SQL Server credentials are stored in plaintext within the local SQLite file. This results in a vulnerability due to Cleartext Storage of Sensitive Information (CWE 312), which may lead to information disclosure, tampering, or denial of service (DoS).

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-14815

Affected Products

Mitsubishi Electric GENESIS64 and ICONICS Suite products

Vendor: Mitsubishi Electric
Product Version: Mitsubishi Electric GENESIS64: <=10.97.3, Mitsubishi Electric ICONICS Suite: <=10.97.3, Mitsubishi Electric MobileHMI: <=10.97.3, Mitsubishi Elec

Vulnerability · CISA · 59d ago
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Advisory at a Glance

Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Original Publication: April 7, 2026

Executive Summary: Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

Affected Products:

- Rockwell Automation/Allen-Bradley manufactured PLCs
- Potentially other branded PLCs

Key Actions:

- Remove PLCs from direct internet exposure via secure gateway and firewall.
- Query available logs for the provided IOCs in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
- For Rockwell Automation devices, place the physical mode switch on the controller into run position. Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.

Indicators of Compromise: For a downloadable copy of IOCs, see:

- AA26-097A STIX XML (35KB): https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml
- AA26-097A STIX JSON (12 KB): https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.json

Intended Audience:

Organizations: Critical Infrastructure

Sectors: Government Services and Facilities (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/government-services-facilities-sector), Water and Wastewater Systems (WWS) (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector), and

Vulnerability · The Hacker News · 59d ago
The Hidden Cost of Recurring Credential Incidents

When talking about credential security, the focus usually lands on breach prevention. This makes sense when IBM’s 2025 Cost of a Data Breach Report puts the average cost of a breach at $4.4 million. Avoiding even one major incident is enough to justify most security investments, but that headline figure obscures the more persistent problems caused by recurring credential

Vulnerability · Schneier on Security · 59d ago
Hong Kong Police Can Force You to Reveal Your Encryption Keys

According to a new law, the Hong Kong police can demand that you reveal the encryption keys protecting your computer, phone, hard drives, etc.—even if you are just transiting the airport. In a security alert dated March 26, the U.S. Consulate General said that, on March 23, 2026, Hong Kong authorities changed the rules governing enforcement of the National Security Law. Under the revised framework, police can require individuals to provide passwords or other assistance to access personal electronic devices, including cellphones and laptops. The consulate warned that refusal to comply is now a criminal offense. It also said authorities have expanded powers to take and keep personal electronic devices as evidence if they claim the devices are linked to national security offenses.

Vulnerability · The Hacker News · 60d ago
Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily