Security & IT News

p CISA has added one new vulnerability to its a href= /known-exploited-vulnerabilities-catalog data-entity-type= node data-entity-uuid= 79453b83-86b9-4e2f-b1ec-abf73c6eb291 data-entity-substitution= canonical title= Known Exploited Vulnerabilities Catalog Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href= https://www.cve.org/CVERecord?id=CVE-2026-5281 target= _blank CVE-2026-5281 /a Google Dawn Use-After-Free Vulnerability /li /ul p This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. /p p a href= https://www.cisa.gov/binding-operational-directive-22-01 Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href= https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href= /known-exploited-vulnerabilities-catalog data-entity-type= node data-entity-uuid= 79453b83-86b9-4e2f-b1ec-abf73c6eb291 data-entity-substitution= canonical title= Known Exploited Vulnerabilities Catalog KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href= /known-exploited-vulnerabilities data-entity-type= node data-entity-uuid= f2adba9a-0404-494c-a90c-4363a4a5c934 data-entity-substitution= canonical title= Reducing the Significant Risk of Known Exploited Vulnerabilities specified criteria /a . nbsp; /p

The U.S. Federal Bureau of Investigation (FBI) warned Americans against using foreign-developed mobile applications, particularly those created by Chinese developers. [...]

For years, cybersecurity has followed a familiar model: block malware, stop the attack. Now, attackers are moving on to what’s next. Threat actors now use malware less frequently in favor of what’s already inside your environment, including abusing trusted tools, native binaries, and legitimate admin utilities to move laterally, escalate privileges, and persist without raising alarms. Most

Today, most malware are called fileless because they try to reduce their footprint on the infected computer filesystem to the bare minimum. But they need to write something think about persistence. They can use the registry as an alternative storage location. But some scripts still rely on files that are executed at boot time. For example, via a Run key: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v csgh4Pbzclmp /t REG_SZ /d \ %APPDATA%\Microsoft\Windows\Templates\dwm.cmd\ /f nul 2 1 The file located in %APPDATA% will be executed at boot time. From the attacker s point of view, there is a problem: The original script copies itself: copy /Y %~f0 %APPDATA%\Microsoft\Windows\Templates\dwm.cmd nul 2 1 Just after the copy operation, a PowerShell one-liner is executed: powershell -w h -c try{Remove-Item -Path '%APPDATA%\Microsoft\Windows\Templates\dwm.cmd :Zone.Identifier ' -Force -ErrorAction SilentlyContinue}catch{} nul 2 1 PowerShell will try to remove the alternate-data-stream (ADS) :Zone.Identifier that Windows adds during file operations. The :Zone.Identifier indicates the source of the file (1 = My Computer, 2 = Local intranet, 3 = Trusted sites, 4 = Internet, 5 = Restricted sites). It's not clear if a copy will drop or conserver the ADS. I did not find an official Microsoft documentation but, if you ask to a LLM, it will tell you that they are not preserved. They are wrong! In my Windows 10 lab, I downloaded a copy of BinaryNinja. An ADS was added to the file. After a copy to test.ext , the new file has still the ADS! By removing the ADS, the malicious script makes the file look less suspicious if the system is scanned to search for downloaded files (a classic operation performed in DFIR investigations). For the story, the script will later invoke another PowerShell that will drop a DonutLoader on the victim's computer. Xavier Mertens (@xme) Xameco Senior ISC Handler - Freelance Cyber Security Consultant PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement. "North Korean

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company's systems.

Google is rolling out a new feature in the U.S. that allows users to change their @gmail address or create a new alias. [...]

The GIGABYTE Control Center is vulnerable to an arbitrary file-write flaw that could allow a remote, unauthenticated attacker to access files on vulnerable hosts. [...]

Vulnerabilities in the Vim and GNU Emacs text editors, discovered using simple prompts with the Claude assistant, allow remote code execution simply by opening a file. [...]

Google on Monday said it's officially rolling out Android developer verification to all developers to combat the problem of bad actors distributing harmful apps while "hiding behind anonymity." The development comes ahead of a planned verification mandate that goes into effect in Brazil, Indonesia, Singapore, and Thailand this September, before it expands globally next year. As part of this

Critical infrastructure (CI) organizations underpin national security, public safety, and the economy. In 2026, the cyber threat landscape facing these sectors is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure environments right now is not a forecast. It is already happening. Threat actors are no longer focused solely on data theft or opportunistic disruption. They are establishing persistent access, footholds they can sit in quietly, undetected, and activate at the moment of maximum disruption. That is the threat CI leaders need to be preparing for today. Not someday. Now. Given these rising threats, governments worldwide are advancing policies and regulations to require critical infrastructure organizations to prioritize continuous readiness and proactive defense. The regulatory trajectory is clear. The U.S. National Cybersecurity Strategy published in March 2023 explicitly frames cybersecurity of critical infrastructure as a national security imperative. Japan issued a basic policy to implement the Active Cyber Defense legislation in 2025 . Europe continues to implement the NIS2 Directive across the essential sectors. And Canada is advancing a more prescriptive approach to critical infrastructure security through Bill C8 . What Microsoft Threat Intelligence hears from law enforcement agencies reinforces what we observe in our own telemetry. For example, Operation Winter SHIELD is a joint initiative led by the FBI Cyber Division focused on helping CI organizations move from awareness to verified readiness. Implementation not just awareness, not just policy. It is what closes the gap between knowing you are a target and being ready when it matters. The water sector offers a clear illustration of what that implementation gap looks like in practice and what it takes to close it. The findings from Microsoft, released on March 19, 2026, in collaboration with the Cyber Readiness Institute and the Center on Cyber Technology and Innovation show that hands-on coaching paired with practical training materially improves cyber readiness in water and wastewater utilities in ways that guidance alone does not. When attacks succeed, communities face safety concerns, loss of trust, and service disruptions. That is not an abstraction. That is what is at stake across every CI sector. To say that environments CI organizations are defending today were not designed for the threat they are facing is an understatement. Legacy systems now operate within hybrid IT–OT environments connected by cloud-based identity, remote access, and complex vendor ecosystems that did not exist when those systems were built. Identity has become the central control layer across all of it. Microsoft Threat Intelligence and Incident Response investigations show a convergence of identity-driven intrusion, living-off-the-land (LOTL) persistence, and nation-state prepositioning across CI. Against this backdr

AI agent risk isn't equal, it scales with access to systems and level of autonomy. Token Security explains how CISOs should categorize agents and prioritize what to secure first. [...]

Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence (AI) agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment. According to Palo Alto Networks Unit 42, the issue relates to how the Vertex AI permission model can be misused

Initial Access Brokers (IABs) are a key component of the cybercrime ecosystem, offering hassle-free building blocks for ransomware, data theft, and extortion. Rapid7’s analysis of H2 2025 activity across five major forums grants fresh insight into a power balance shift toward initial access sales from newer marketplaces, such as RAMP and DarkForums. Higher asking prices and more focus on high-value sectors and large organizations, such as Government, Retail, and IT, reveal a mature and profit-focused IAB market. This blog highlights key access trends and pricing, pinpoints the most targeted industries and regions, and gives actionable recommendations for identifying and isolating potential breaches via popular IAB offerings. Key findings Our detailed analysis of six months of data from Exploit, XSS, BreachForums, DarkForums, and RAMP reveals the following key findings: Access prices and target organization size increased dramatically: The average alleged victim revenue and offering base price have increased significantly compared to the previous year, indicating that IABs are targeting larger, higher-value enterprises and charging premium prices for quality access. Primary access vectors haven’t changed: RDP, VPN, and RDWeb remain the top access vectors being offered for sale, which means that remote access infrastructure is still the primary attack surface for initial access sales. High-privilege access is increasingly prioritized: Most common privilege levels being offered by IABs are Domain User (42.9%), Domain Admin (32.1%), and Local Admin (12.5%), with a visible decline in lower-privilege offerings, such as Local User privileges. It seems the market is shifting from volume to high-impact access that enables faster and more efficient malicious operations, such as ransomware and extortion attacks. Certain underground marketplaces have become favored over others: DarkForums (221 threads) and RAMP (208 threads) were the most active forums for initial access sales in H2 2025, accounting together for 81% of the observed threads. At the same time, older, historically dominant forums such as XSS and Exploit saw significant declines in IAB activity. IABs target specific industries: IAB activity is primarily concentrated on sectors offering the highest potential for financial gain or intelligence acquisition: Government, Retail, and Information Technology (IT). Focus on government access: The Government sector is the most frequently targeted industry vertical, at 14.2% (Retail and Information Technology follow with 13.1% and 10.8%, respectively). 'Admin panel' access is the most commonly observed type offered for this sector, with DarkForums serving as the principal platform for its sale. IAB and cybercrime forum landscape in 2026 Just as in 2025, cybercriminal forums continue to serve as the primary marketplaces for the promotion and sale of pirated network access. Platforms such as Exploit, BreachForums, XSS, DarkForums, and RAMP have remained cent

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-01.json strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow attackers with network access to alter operational settings, obtain sensitive signal data, or disrupt device availability. /strong /p p The following versions of Anritsu Remote Spectrum Monitor are affected: /p ul li Remote Spectrum Monitor MS27100A vers:all/* (CVE-2026-3356) /li li Remote Spectrum Monitor MS27101A vers:all/* (CVE-2026-3356) /li li Remote Spectrum Monitor MS27102A vers:all/* (CVE-2026-3356) /li li Remote Spectrum Monitor MS27103A vers:all/* (CVE-2026-3356) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 9.8 /td td Anritsu /td td Anritsu Remote Spectrum Monitor /td td Missing Authentication for Critical Function /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Communications, Defense Industrial Base, Emergency Services, Transportation Systems /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Japan /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2026-3356 /a /h3 div class= csaf-accordion-content p The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error. /p p a href= https://www.cve.org/CVERecord?id=CVE-2026-3356 View CVE Details /a /p hr h4 Affected Products /h4 h5 Anritsu Remote Spectrum Monitor /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br Anritsu /div div class= ics-version strong Product Version: /strong br Anritsu Remote Spectrum Monitor MS27100A: vers:all/*, Anritsu Remote Spectrum Monitor MS27101A: vers:all/*, Anritsu Remote Spectrum Monitor MS27102A: vers:all/*, Anritsu Remote Spectrum Monitor MS27103A: vers:all/* /div div class= ics-status strong Product Status: /strong br known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Mitigation /strong br Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks. /p p strong Mitigation /strong br Users can contact Anritsu Technical Support (1-800-267-4878) for more information. /p /div p strong Relevant CWE: /strong a hre

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication. /strong /p p The following versions of PX4 Autopilot are affected: /p ul li Autopilot v1.16.0_SITL_latest_stable (CVE-2026-1579) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 9.8 /td td PX4 /td td PX4 Autopilot /td td Missing Authentication for Critical Function /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Transportation Systems, Emergency Services, Defense Industrial Base /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2026-1579 /a /h3 div class= csaf-accordion-content p The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level. /p p a href= https://www.cve.org/CVERecord?id=CVE-2026-1579 View CVE Details /a /p hr h4 Affected Products /h4 h5 PX4 Autopilot /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br PX4 /div div class= ics-version strong Product Version: /strong br PX4 Autopilot: v1.16.0_SITL_latest_stable /div div class= ics-status strong Product Status: /strong br known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Mitigation /strong br PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non‑USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening. br a href= https://docs.px4.io/main/en/mavlink/security_hardening https://docs.px4.io/main/en/mavlink/security_hardening /a /p p strong Mitigation /strong br Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing. br a href= https://docs.px4.io/main/en/mavlink/message_si

The cybersecurity landscape is accelerating at an unprecedented rate. What is emerging is not simply a rise in the number of vulnerabilities or tools, but a dramatic increase in speed. Speed of attack, speed of exploitation, and speed of change across modern environments. This is the defining challenge of the new era of digital warfare: the weaponization of Artificial Intelligence. Threat actors

Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT. "The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating

F5 BIG-IP APM flaw CVE-2025-53521 escalates to critical 9.8 RCE, actively exploited. Patch now, check IoCs, and secure vulnerable systems immediately.