Latest
Infosecurity Europe: Raise Security Concerns with Procurement Now, Because Quantum Can’t Wait · Infosecurity Magazine · 1h ago
DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets · The Hacker News · 2h ago
ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958, (Thu, Jun 4th) · SANS ISC · 6h ago
Chinese hackers use new Atlas RAT malware in European cyberattacks · BleepingComputer · 11h ago
How to Recover Data from iCloud Backup Without Resetting Your iPhone · HackRead · 11h ago
The U.S. sanctions Nobitex crypto exchange used by ransomware · BleepingComputer · 12h ago
CISA warns of cyberattacks targeting fuel tank monitoring systems · BleepingComputer · 12h ago
WhatsApp, Slack Notifications Could Hijack Google Gemini on Android · The Hacker News · 13h ago
New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute · BleepingComputer · 13h ago
Ultrahuman says hackers accessed customers’ wellness data via internal tool · TechCrunch Security · 15h ago
Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT · The Hacker News · 16h ago
A Day in the Life of an MDR Analyst: Inside the Modern SOC · Rapid7 · 16h ago
Instagram is alerting users who were targeted by hackers during AI chatbot attacks · TechCrunch Security · 16h ago
CISA warns of active attacks exploiting Android, Linux bugs · BleepingComputer · 17h ago
Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag · The Hacker News · 17h ago

Security & IT News

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

728 results in Vulnerability

Vulnerability · Rapid7 · 57d ago
A First Look at Our Speaker Lineup and Agenda for the Rapid7 2026 Global Cybersecurity Summit

The agenda for the Rapid7 2026 Global Cybersecurity Summit is starting to take shape, and with it, a clearer picture of the conversations security teams need to be having right now. Taking place May 12–13, this year’s summit brings together a mix of security leaders, practitioners, analysts, and industry voices to explore how organizations are moving from reactive defense to preemptive security operations. The focus is practical. What is changing, what is not working, and what teams need to do differently.

Voices from across the industry

This year’s lineup reflects that shift. Alongside Rapid7 experts and customer speakers, the summit will feature well-known voices from across the security community. Rachel Tobac, CEO of SocialProof Security, joins the keynote panel The Reality of Running a SOC in 2026, bringing a perspective grounded in how modern attacks actually begin and how attackers adapt in real time. She is joined by cybersecurity speaker and “Smashing Security” podcast host Graham Cluley, whose work has long focused on translating complex threats into practical understanding for security teams.

From an analyst perspective, Craig Robinson of IDC and Dave Gruber of Omdia add an external view on how the market is evolving, where organizations are investing, and how security programs are being measured. Their contributions help ground the discussion in broader industry trends, not just individual experiences.

Customer voices also play a central role. Leaders from organizations such as Netscout Systems, Target RWE, and Miltenyi Biotec will share how they are navigating complexity, validating decisions around MDR and platform consolidation, and focusing on outcomes rather than activity.

What to expect during the show

Across two days, the summit is structured to reflect how security teams actually operate.

Day one focuses on shared context with sessions like Defense Starts Earlier Than You Think and The Reality of Running a SOC in 2026 examining how the threat landscape has shifted and why traditional approaches are struggling to keep pace. From there, sessions such as Inside the Modern SOC and Using Red Teaming to Power Preemptive MDR move into how detection, response, and validation work in practice. The goal is to connect the full picture: how attacks begin, how they progress, and how teams respond when it matters.

Day two is more focused on the unique needs of particular security roles. The two dedicated tracks allow attendees to go deeper into the implications of modern security evolution based on their daily realities. For security leaders, sessions such as The CISO’s Role in Enterprise Transformation and A CISO’s Guide to MDR Accountability and Outcomes explore governance, accountability, and ways to measure effectiveness that reflect real business risk. For practitioners, sessions like Hunt or Be Hunted and IR in Practice focus on the mechanics of investigation, detection and response. These sessions look closely at how analysts triage

Vulnerability · CISA · 57d ago
Mitsubishi Electric GENESIS64 and ICONICS Suite products

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-097-01.json

Summary

Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system.

The following versions of Mitsubishi Electric GENESIS64 and ICONICS Suite products are affected:

- GENESIS64 <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- ICONICS Suite <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- MobileHMI <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- Hyper Historian <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- AnalytiX <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
- MC Works 64 vers:all/* (CVE-2025-14815, CVE-2025-14816)
- GENESIS <=11.02 (CVE-2025-14815, CVE-2025-14816)

CVSS: v3 8.8
Vendor: Mitsubishi Electric
Equipment: Mitsubishi Electric GENESIS64 and ICONICS Suite products
Vulnerabilities: Cleartext Storage of Sensitive Information, Cleartext Storage of Sensitive Information in GUI

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Mitsubishi Electric Iconics Digital Solutions is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

Vulnerabilities

CVE-2025-14815

When the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication, the SQL Server credentials are stored in plaintext within the local SQLite file. This results in a vulnerability due to Cleartext Storage of Sensitive Information (CWE 312), which may lead to information disclosure, tampering, or denial of service (DoS).

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-14815

Affected Products

Mitsubishi Electric GENESIS64 and ICONICS Suite products

Vendor: Mitsubishi Electric
Product Version: Mitsubishi Electric GENESIS64: <=10.97.3, Mitsubishi Electric ICONICS Suite: <=10.97.3, Mitsubishi Electric MobileHMI: <=10.97.3, Mitsubishi Elec

Vulnerability · CISA · 57d ago
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Advisory at a Glance

Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Original Publication: April 7, 2026

Executive Summary:

Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

Affected Products:

- Rockwell Automation/Allen-Bradley manufactured PLCs
- Potentially other branded PLCs

Key Actions:

- Remove PLCs from direct internet exposure via secure gateway and firewall.
- Query available logs for the provided IOCs in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
- For Rockwell Automation devices, place the physical mode switch on the controller into run position. Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.

Indicators of Compromise:

For a downloadable copy of IOCs, see:

- AA26-097A STIX XML (35KB): https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml
- AA26-097A STIX JSON (12 KB): https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.json

Intended Audience:

Organizations: Critical Infrastructure

Sectors: Government Services and Facilities (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/government-services-facilities-sector), Water and Wastewater Systems (WWS) (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector), and

Vulnerability · The Hacker News · 57d ago
The Hidden Cost of Recurring Credential Incidents

When talking about credential security, the focus usually lands on breach prevention. This makes sense when IBM’s 2025 Cost of a Data Breach Report puts the average cost of a breach at $4.4 million. Avoiding even one major incident is enough to justify most security investments, but that headline figure obscures the more persistent problems caused by recurring credential

Vulnerability · Schneier on Security · 57d ago
Hong Kong Police Can Force You to Reveal Your Encryption Keys

According to a new law, the Hong Kong police can demand that you reveal the encryption keys protecting your computer, phone, hard drives, etc.—even if you are just transiting the airport. In a security alert dated March 26, the U.S. Consulate General said that, on March 23, 2026, Hong Kong authorities changed the rules governing enforcement of the National Security Law. Under the revised framework, police can require individuals to provide passwords or other assistance to access personal electronic devices, including cellphones and laptops. The consulate warned that refusal to comply is now a criminal offense. It also said authorities have expanded powers to take and keep personal electronic devices as evidence if they claim the devices are linked to national security offenses.

Vulnerability · The Hacker News · 58d ago
Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily

Vulnerability · The Hacker News · 58d ago
Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps

Your attack surface no longer lives on one operating system, and neither do the campaigns targeting it. In enterprise environments, attackers move across Windows endpoints, executive MacBooks, Linux infrastructure, and mobile devices, taking advantage of the fact that many SOC workflows are still fragmented by platform. For security leaders, this creates a

Vulnerability · CISA · 58d ago
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2026-35616 (https://www.cve.org/CVERecord?id=CVE-2026-35616) - Fortinet FortiClient EMS Improper Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).

Vulnerability · The Hacker News · 58d ago
How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers

The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In March 2026, the TeamPCP threat actor proved just how valuable developer machines are. Their supply chain attack on

Vulnerability · SANS ISC · 58d ago
How often are redirects used in phishing in 2026?, (Mon, Apr 6th)

In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors [1], which made me wonder about how commonly these mechanisms are actually misused.

Although open redirect is not generally considered a high-impact vulnerability on its own, it can have multiple negative implications. Johannes already covered one in connection with OAuth flows, but another important (mis)use case for them is phishing. The reason is quite straightforward: links pointing to legitimate domains (such as google.com) included in phishing messages may appear benign to recipients and can also evade simpler e-mail scanners and other detection mechanisms.

Even though open redirect has not been listed in OWASP Top 10 for quite some time, it is clear that attackers have never stopped looking for it or using it. If I look at traffic on almost any one of my own domains, hardly a month goes by when I don't see attempts to identify potentially vulnerable endpoints, such as:

/out.php?link=https://domain.tld/

While these attempts are not particularly frequent, they are generally consistent.

We also continue to see open redirect used in phishing campaigns. Last year, I wrote about a campaign using a half-open (i.e., easily abusable) redirect mechanism on Google [2], and similar cases still seem to appear regularly. But how regular are they, actually?

To find out, I reviewed phishing e-mails collected through my own filters and spam traps, as well as samples sent to us here at the ISC (either by our professional colleagues, or by threat actors themselves), over the first quarter of this year. Although the total sample only consisted of slightly more than 350 individual messages (and is therefore far from statistically representative), it still provided quite interesting results.

Redirect-based phishing accounted for a little over 21 % of all analyzed messages sent out over the first 3 months of 2026, specifically for 32 % in January, 18 % in February and 16.5 % in March.

It should be noted that if a message contained multiple malicious links and at least one of them used a redirect, the entire message was counted exclusively as a redirect sample, and that not all redirect cases were classic open redirects. In fact, the abused redirect mechanisms varied widely. Some behaved similarly to the aforementioned Google-style half-open redirects (see details below), while others were fully open. In some cases, the redirectors were part of tracking or advertising systems, while in others, they were implemented as logout endpoints or similar mechanisms. It should be noted that URL shorteners were also counted as redirectors (although these were not particularly common).

As we mentioned, the Google-style redirects are not fully open. They do require a specific valid token to work, however, since these tokens are typically reusable, have a very long lifetime, and are not tied to any specific context (such as IP address or session), they can be and