
Latest
- ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958 (Thu, Jun 4th) · SANS ISC · 3h ago
- Chinese hackers use new Atlas RAT malware in European cyberattacks · BleepingComputer · 7h ago
- How to Recover Data from iCloud Backup Without Resetting Your iPhone · HackRead · 8h ago
- The U.S. sanctions Nobitex crypto exchange used by ransomware · BleepingComputer · 8h ago
- CISA warns of cyberattacks targeting fuel tank monitoring systems · BleepingComputer · 9h ago
- WhatsApp, Slack Notifications Could Hijack Google Gemini on Android · The Hacker News · 10h ago
- New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute · BleepingComputer · 10h ago
- Ultrahuman says hackers accessed customers' wellness data via internal tool · TechCrunch Security · 12h ago
- Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT · The Hacker News · 13h ago
- A Day in the Life of an MDR Analyst: Inside the Modern SOC · Rapid7 · 13h ago
- Instagram is alerting users who were targeted by hackers during AI chatbot attacks · TechCrunch Security · 13h ago
- CISA warns of active attacks exploiting Android, Linux bugs · BleepingComputer · 13h ago
- Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag · The Hacker News · 14h ago
- The worst hacks and breaches of 2026 (so far) · TechCrunch Security · 15h ago
- What 345 Days of Untested Exposure Looks Like at a Bank · BleepingComputer · 15h ago

Security & IT News (Live)

Real-time news from 13+ trusted sources: BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

Vulnerability · CISA · 6d ago
XCharge C6

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-08.json

Summary
Successful exploitation of these vulnerabilities could allow an attacker to gain administrator rights or execute code on the affected device.

The following versions of XCharge C6 are affected:
- C6

CVSS: v3 9.8 | Vendor: XCharge | Equipment: XCharge C6 | Vulnerabilities: Download of Code Without Integrity Check, Stack-based Buffer Overflow, Initialization of a Resource with an Insecure Default

Background
- Critical Infrastructure Sectors: Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-9037
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker able to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This could allow execution of unauthorized code with high privileges on the device.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-9037

Affected Products: XCharge C6
- Vendor: XCharge
- Product Version: XCharge C6: <May_22_2026
- Product Status: known_affected

Remediations
Mitigation: XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details: https://www.xcharge.com/contact

Relevant CWE: CWE-494 Download of Code Without Integrity Check (https://cwe.mitre.org/data/definitions/494.html)
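The check CVE-2026-9037 says is missing, as an added example that is not XCharge's code: the device authenticates the whole package before it parses or flashes anything. The package layout, the key and the "flash" step are assumptions. A fielded device should verify an asymmetric signature (Ed25519 or RSA) with a public key baked into the bootloader, so no signing secret lives on the charger; HMAC-SHA256 is used here only because it is in the Python standard library. The shape of the check is the same either way: verify first, parse second, compare in constant time.

```python
"""Firmware package verification: the step CWE-494 describes as absent.

Added example, not XCharge's code. Package format and key are assumptions;
HMAC stands in for an asymmetric signature (see lead-in).
"""
import hashlib
import hmac
import struct

MAGIC = b"XFW1"                 # assumed package magic (constructed)
HEADER = struct.Struct(">4sI")  # magic, payload length (big-endian)
TAG_LEN = 32                    # HMAC-SHA256 output size


def build_package(payload: bytes, key: bytes) -> bytes:
    """Producer side: header || payload || MAC(header || payload)."""
    body = HEADER.pack(MAGIC, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def install_unverified(package: bytes) -> bytes:
    """Vulnerable flow: trusts whatever arrives on the management channel.

    Only the framing is checked; anyone who can write to the channel can
    push code that will run with the updater's privileges.
    """
    magic, length = HEADER.unpack_from(package)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return package[HEADER.size:HEADER.size + length]  # the "flashed" payload


def install_verified(package: bytes, key: bytes) -> bytes:
    """Hardened flow: authenticate the whole package before touching it."""
    if len(package) < HEADER.size + TAG_LEN:
        raise ValueError("truncated package")
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    # Verify first, parse later: nothing in the body is trusted until the
    # MAC over header+payload checks out. compare_digest is constant-time.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("firmware authentication failed")
    magic, length = HEADER.unpack_from(body)
    if magic != MAGIC or HEADER.size + length != len(body):
        raise ValueError("malformed header")
    return body[HEADER.size:]


def tamper(package: bytes, new_payload: bytes) -> bytes:
    """Attacker on the management channel swaps the payload, keeps the framing."""
    return HEADER.pack(MAGIC, len(new_payload)) + new_payload + package[-TAG_LEN:]


def demo() -> dict:
    key = b"device-provisioned-key-(assumed)"  # constructed secret
    good = build_package(b"legit firmware v2", key)
    evil = tamper(good, b"attacker firmware")
    result = {
        "unverified_accepts_evil": install_unverified(evil) == b"attacker firmware",
        "verified_accepts_good": install_verified(good, key) == b"legit firmware v2",
    }
    try:
        install_verified(evil, key)
        result["verified_rejects_evil"] = False
    except ValueError:
        result["verified_rejects_evil"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The tampered package still carries a valid-looking header, which is all `install_unverified` ever checks; `install_verified` refuses it before the header is even read.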

Vulnerability · CISA · 6d ago
CP Plus 8 Ch. Network Video Recorder

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json

Summary
Successful exploitation of this vulnerability allows an attacker's malicious script to execute in the browser of any authenticated user or administrator who accesses the affected interface. This could lead to compromise of user sessions, execution of unauthorized actions with the victim's privileges, exposure or manipulation of sensitive data, and degradation of overall system integrity.

The following versions of CP Plus 8 Ch. Network Video Recorder are affected:
- CP-UNR-108F1 Hardware V1.0
- CP-UNR-108F1 Web V3.2.7.128806
- CP-UNR-108F1 System V4.001.00AT009.0.R

CVSS: v3 8.4 | Vendor: CP Plus | Equipment: CP Plus 8 Ch. Network Video Recorder | Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Emergency Services
- Countries/Areas Deployed: India, Nepal, United Arab Emirates, Gambia
- Company Headquarters Location: India

Vulnerabilities

CVE-2026-6824
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts execute in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-6824

Affected Products: CP Plus 8 Ch. Network Video Recorder
- Vendor: CP Plus
- Product Version: CP Plus CP-UNR-108F1 Hardware: V1.0, CP Plus CP-UNR-108F1 Web: V3.2.7.128806, CP Plus CP-UNR-108F1 System: V4.001.00AT009.0.R
- Product Status: known_affected

Remediations
Mitigation: CP Plus recommends updating the firmware on the device to the latest firmware version.

Vulnerability · CISA · 6d ago
Fourth Frontier Frontier X Mobile Application, Frontier X2

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-148-01.json

Summary
Successful exploitation of this vulnerability could allow an attacker to read and write arbitrary handle values and change clinical readings, which could result in taking control of the device and lead to patient harm.

The following versions of Fourth Frontier Frontier X Mobile Application, Frontier X2 are affected:
- Frontier X Android application: versions <v15.0.0
- Frontier X iOS application: versions <v25.0.0
- Frontier X2: all versions

CVSS: v3 8.8 | Vendor: Fourth Frontier | Equipment: Fourth Frontier Frontier X Mobile Application, Frontier X2 | Vulnerabilities: Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Healthcare and Public Health
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-5768
The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing the expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-5768

Affected Products: Fourth Frontier Frontier X Mobile Application, Frontier X2
- Vendor: Fourth Frontier
- Product Version: Frontier X Android application: <v15.0.0, Frontier X iOS application: <v25.0.0, Frontier X2: all versions

Vulnerability · CISA · 6d ago
ABB Busch-Welcome 2 Wire Door Opener Actuator

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-04.json

Summary
ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could gain physical, unauthorized access to a building where the product is installed.

The following versions of ABB Busch-Welcome 2 Wire Door Opener Actuator are affected:
- Switch Actuator 4 DU: all versions
- Switch actuator, door/light 4 DU: all versions

CVSS: v3 6.8 | Vendor: ABB | Equipment: ABB Busch-Welcome 2 Wire Door Opener Actuator | Vulnerabilities: Active Debug Code

Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-7705
Authentication bypass due to compatibility mode being enabled by default.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-7705

Affected Products: ABB Busch-Welcome 2 Wire Door Opener Actuator
- Vendor: ABB
- Product Version: Switch Actuator 4 DU -83330 - All Versions, Switch actuator, door/light 4 DU -83330-500 - All Versions
- Product Status: known_affected

Remediations
Mitigation: The following actions need to be executed on the premises where the respective Busch-Welcome® System is installed:
- While the Busch-Welcome® System is in operation, toggle the mode switch on the product from "Door-Open" mode to "Light" mode, wait one second, and switch back to "Door-Open" mode.
- Restart the Busch-Welcome® System with a power reset (mains power off and on again).
By executing the above steps, the system recalibrates itself during boot-up and corrects the misconfiguration automatically. ABB recommends that customers apply the above actions at the earliest convenience.

Relevant CWE: CWE-489 Active Debug Code (https://cwe.mitre.org/data/definitions/489.html)

Vulnerability · CISA · 6d ago
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-02.json

Summary
Successful exploitation of this vulnerability could result in an attacker gaining administrator access to the device.

The following versions of Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter are affected:
- USR-W610 RS232/485 to Wi-Fi/Ethernet Converter 7.03T.07

CVSS: v3 9.8 | Vendor: Jinan USR IOT Technology Limited (PUSR) | Equipment: Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter | Vulnerabilities: Use of Hard-coded Credentials

Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China

Vulnerabilities

CVE-2026-7786
The device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-7786

Affected Products: Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
- Vendor: Jinan USR IOT Technology Limited (PUSR)
- Product Version: Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter: 7.03T.07
- Product Status: known_affected

Remediations
Mitigation: Jinan USR IOT Technology Limited (PUSR) did not respond to CISA's attempts at coordination. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.

Relevant CWE: CWE-798 Use of Hard-coded Credentials (https://cwe.mitre.org/data/definitions/798.html)
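CWE-798 findings of this kind are usually confirmed the same way the researcher found them: carve printable strings out of the image and look for credential-shaped ones. The block below is an added example, not PUSR's firmware or any tool named in the advisory. The image bytes are constructed to resemble a stripped filesystem blob, and the three credential patterns (shadow-style hash entries, password parameters in query strings, uppercase KEY=value secrets) are assumptions about common formats rather than what this device stores.

```python
"""Hunting hard-coded credentials in a firmware image (CWE-798).

Added example, not PUSR's firmware or tooling. SAMPLE_IMAGE is constructed;
the credential patterns are assumptions about common formats.
"""
import re
from typing import List, NamedTuple

# Constructed sample "firmware image": binary noise with a few embedded strings.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x00" * 3
    + b"\x00usr/bin/httpd\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"admin:$1$abcdefgh$QyH1tyzD2ubHTshkPmdXw1\x00"   # shadow-style entry
    + b"\x00\x01\x02"
    + b"WIFI_DEFAULT_PSK=uSr-w610-setup\x00"           # KEY=value secret
    + b"\xff" * 8
    + b"Content-Type: text/html\x00"                   # benign string
    + b"user=root&password=Passw0rd!\x00"              # query-string credential
    + b"\x00" * 16
)


class Hit(NamedTuple):
    offset: int   # byte offset in the image, like `strings -t d`
    kind: str
    text: str


# Printable ASCII runs of at least 6 bytes, the same rule `strings` applies.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Credential-shaped patterns; the first that matches labels the string.
CRED_PATTERNS = [
    ("shadow-hash", re.compile(rb"^[A-Za-z0-9_]+:\$[0-9a-z]+\$[^:\x00]+")),
    ("query-cred", re.compile(rb"(?:^|[&?])(?:pass(?:word|wd)?|pwd)=([^&\x00]+)", re.I)),
    ("env-secret", re.compile(rb"\b[A-Z0-9_]*(?:PSK|PASS(?:WORD)?|SECRET|TOKEN)[A-Z0-9_]*=(\S+)")),
]


def extract_strings(image: bytes):
    """Yield (offset, bytes) for each printable run in the image."""
    for m in STRINGS_RE.finditer(image):
        yield m.start(), m.group()


def find_credentials(image: bytes) -> List[Hit]:
    """Return credential-looking strings with their byte offset in the image."""
    hits = []
    for off, s in extract_strings(image):
        for kind, pat in CRED_PATTERNS:
            if pat.search(s):
                hits.append(Hit(off, kind, s.decode("ascii")))
                break
    return hits


if __name__ == "__main__":
    for h in find_credentials(SAMPLE_IMAGE):
        print(f"0x{h.offset:08x} {h.kind:12} {h.text}")
```

The offset is the useful part: it tells you which file system or partition the string lives in once you carve the image with a tool like binwalk, and whether the credential sits in a config blob the vendor could patch or in the binary itself.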

Vulnerability · CISA · 6d ago
Schneider Electric EcoStruxure Machine Expert HVAC

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-07.json

Summary
Schneider Electric is aware of a vulnerability in its EcoStruxure™ Machine Expert HVAC product. EcoStruxure™ Machine Expert HVAC (https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC/) is programming software for Modicon M171 and M172 logic controllers. Failure to apply the remediation provided below may result in revealing sensitive information, which could disclose protected source code and lead to loss of confidentiality.

The following versions of Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) are affected:
- EcoStruxure™ Machine Expert HVAC: versions <1.10.0

CVSS: v3 5.5 | Vendor: Schneider Electric | Equipment: Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) | Vulnerabilities: Cleartext Storage of Sensitive Information

Background
- Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities

CVE-2026-6332
A CWE-312 Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, revealing protected source code and resulting in loss of confidentiality, when an authorized attacker accesses the source code for editing or compiling it.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-6332

Affected Products: Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01)
- Vendor: Schneider Electric
- Product Version: EcoStruxure™ Machine Expert HVAC versions prior to 1.10.0
- Product Status: fixed, known_affected

Remediations
Vendor fix: Version 1.10.0 of EcoStruxure™ Machine Expert HVAC includes a fix for this vulnerability and is available for download at https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC_1_10_0/

Vulnerability · CISA · 6d ago
ABB EIBPORT

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-03.json

Summary
ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. A firmware update is available that resolves these privately reported vulnerabilities in the product versions listed as affected. An attacker who successfully exploited these vulnerabilities could access sensitive information stored inside the device and change the configuration of the device.

The following versions of ABB EIBPORT are affected:
- EIBPORT V3 KNX (2CLA963710W1001): <3.9.2
- EIBPORT V3 KNX (2CSM256242R2001): <3.9.2
- EIBPORT V3 KNX GSM (2CLA963720W1001): <3.9.2

CVSS: v3 8.0 | Vendor: ABB | Equipment: ABB EIBPORT | Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
- Critical Infrastructure Sectors: Critical Manufacturing, Information Technology
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2021-22291
The vulnerability allows a successful attacker to receive a copy of the session ID.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2021-22291

Affected Products: ABB EIBPORT
- Vendor: ABB
- Product Version: EIBPORT V3 KNX (2CLA963710W1001) version <3.9.2, EIBPORT V3 KNX (2CSM256242R2001) version <3.9.2, EIBPORT V3 KNX GSM (2CLA963720W1001) version <3.9.2
- Product Status: fixed, known_affected

Remediations
Vendor fix: ABB recommends that customers apply the update at the earliest convenience.

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (https://cwe.mitre.org/data/definitions/79.html)

🩹 Patch · Rapid7 · 6d ago
Authenticated RCE via Argument Injection in Gogs (NOT FIXED)

Overview
Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch.

The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and a repository on any default-configured instance. Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user. Alternatively, any user with write access to a repository where rebase is already enabled can exploit it directly. On instances where repository creation is restricted, an attacker still only needs write access to any repository that has (or can have) rebase merging enabled.

The result is arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code. The latest release versions at the time of research, Gogs 0.14.2 and 0.15.0+dev (commit b53d3162), were confirmed to be affected. All prior versions supporting the "Rebase before merging" style are likely vulnerable as well.

Product description
Gogs is a lightweight, self-hosted Git service written in Go. With ~50,000 GitHub stars and over 5,000 forks, it is one of the more popular self-hosted alternatives to GitHub, commonly deployed by companies, universities, and open-source projects. A Shodan search for http.title:"Gogs" http.title:"Sign In" returns 1,141 internet-facing instances at the time of publication. The real install base is much larger, since most deployments sit behind VPNs or internal networks.

Credit
This vulnerability was discovered by Jonah Burgess (CryptoCat), Senior Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Impact
Any Gogs instance with more than one user account is effectively "multi-tenant", meaning each user has their own repositories, credentials, and data on a shared server. This is the default for organizations, universities, and teams that use Gogs as a shared Git hosting platform. On any such
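The shape of the Gogs bug, as an added example that is neither Gogs' code nor Rapid7's exploit. Gogs is written in Go; the Python below shows the same command-construction mistake beside its fix: a user-controlled branch name spliced into `git rebase` argv where git's option parser will read it, versus a validated name placed after `--` so it can only be an operand. The argv layouts, the ref-name policy and the branch name are assumptions, and no git process is run; `injected_options` models getopt-style parsing so the two builders can be compared in a unit test.

```python
"""Argument injection (CWE-88) into `git rebase`: a branch name that parses as a flag.

Added example, not Gogs' code. Argv shapes and the SAFE_REF policy are
assumptions; nothing here executes git.
"""
import re
from typing import List

# Conservative ref-name policy (assumed): no leading '-', only [A-Za-z0-9_./+-],
# and none of git's forbidden sequences ("..", "@{", "//", trailing "/" or ".lock").
SAFE_REF = re.compile(r"^(?!-)(?!.*\.\.)(?!.*@\{)(?!.*//)[\w./+-]+(?<!/)(?<!\.lock)$")


def rebase_argv_vulnerable(head_branch: str, base_branch: str) -> List[str]:
    """Vulnerable: user-controlled branch names go straight into argv.

    git's option parser treats anything starting with '-' as an option until
    it sees a bare '--', so a head branch named "--exec=..." is an --exec flag.
    """
    return ["git", "rebase", base_branch, head_branch]


def rebase_argv_hardened(head_branch: str, base_branch: str) -> List[str]:
    """Hardened: validate both names, then end option parsing with '--'."""
    for name in (head_branch, base_branch):
        if not SAFE_REF.match(name):
            raise ValueError(f"refusing unsafe ref name: {name!r}")
    # Even a validated name goes after '--' so it can only ever be an operand.
    return ["git", "rebase", "--", base_branch, head_branch]


def injected_options(argv: List[str]) -> List[str]:
    """Elements git would parse as options: those starting with '-' before a bare '--'.

    A test oracle for the two builders above, not a reimplementation of git.
    """
    opts = []
    for arg in argv[2:]:  # skip "git", "rebase"
        if arg == "--":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts


def demo() -> dict:
    # Constructed attacker-chosen branch name, modelled on the finding above;
    # the command after --exec is a harmless marker here.
    evil = "--exec=echo pwned"
    result = {"vulnerable_options": injected_options(rebase_argv_vulnerable(evil, "main"))}
    try:
        rebase_argv_hardened(evil, "main")
        result["hardened_rejects"] = False
    except ValueError:
        result["hardened_rejects"] = True
    result["hardened_normal"] = rebase_argv_hardened("feature/x-1", "main")
    return result


if __name__ == "__main__":
    print(demo())
```

Both halves of the fix matter: `--` stops the injection even if validation is bypassed elsewhere, and the name check stops a hostile ref from ever reaching a code path that forgets the `--`.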

Vulnerability · The Hacker News · 6d ago
New AI Usage Report: Enterprise AI Risk Is Heavily Concentrated Among a Small Group of AI "Power users"

State of AI Usage Report 2026 (full report here) by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don't understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a

🦠 Malware · The Hacker News · 6d ago
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal,

🦠 Malware · SANS ISC · 7d ago
Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th)

Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up, the interesting forensic work is over. The questions that matter to defenders sit earlier: how did they get in, when did they get domain admin, and what did they touch before the binary fired. Those answers live in the days before impact, in two log sources that almost never get joined: the perimeter firewall and the Windows event channel.

This diary walks through a recent Akira-attributed intrusion at a mid-sized organization. The reconstruction used only SSLVPN syslog and Windows EVTX exports. No EDR. No memory captures. Every identifier in the post has been anonymized. The event types and sequencing are preserved exactly as observed.

The setup
The environment was a single-site Active Directory forest behind a perimeter NGFW. SSLVPN gave remote access to a small workforce. We started the engagement with the following sources available:
- Firewall syslog covering roughly seven days before the encryption event. Authentication, IPS and traffic categories were retained.
- EVTX exports from both domain controllers and three member servers. Channels covered were Security, System and Microsoft-Windows-PowerShell/Operational.
- The ransom note text file and a sample of encrypted files. Used only to confirm attribution.
No EDR. No PCAP. No proxy logs. This is a representative starting point for many small and mid-sized organizations. It is also why the joinable signal between the firewall and the Windows event channels matters so much.

Stage 1: Initial access
The first useful signal came from the firewall authentication log. We filtered SSLVPN events for the 72 hours before the encryption event. An unambiguous brute-force pattern jumped out. It targeted a single local SSLVPN account. The customer confirmed later that the account had been disabled in Active Directory but remained provisioned as a local firewall user. Two details from Figure 1 deserve a closer look.

The brute force was not distributed. Every failure came from a single source IP in a hosting-provider range. One IPS rule or a geo-block would have stopped it. The successful authentication landed inside the ramp. There was no pause to test the credential. The attacker walked straight in once one matched. That is the behavioral fingerprint of credential stuffing against a known target. Mapping this to the firewall vendor's known SSLVPN credential exposure issue is plausible, but it is not strictly provable from the logs we had. What is provable is this: the local account had no MFA, it had been deprovisioned in AD but not in the firewall, and its password survived a six-hour online attack.

Stages 2 and 3: Discovery and credential access
Once on the VPN the attacker had a layer-3 path into the user VLAN. The pivot point to internal evidence was the firewall NAT log. It gave us the post-VPN source IP and the relevant time window. We joined that window against the Windows Security channel. The first internal e
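The join the diary describes, as an added example that is not the diary's or the engagement's tooling: detect the single-source failure burst that ends in a success on the SSLVPN auth log, pivot through the tunnel record to the address the VPN assigned, then pull the Windows 4624 logons sourced from that address in the window that follows. Log lines and events are constructed; the vendor-neutral key=value syslog format, the `assigned=` tunnel field and the event dictionary fields are assumptions. The brute-force key is (account, source IP), which is the non-distributed pattern the post calls out.

```python
"""Joining SSLVPN syslog with Windows Security events.

Added example, not SANS ISC tooling. VPN_LOG and WIN_EVENTS are constructed;
the syslog field names and event fields are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed SSLVPN syslog: a failure burst from one hosting-range IP, a
# success inside the burst, then the address the tunnel was assigned.
VPN_LOG = [
    "2026-05-19T22:01:05Z vpn auth user=svc_legacy src=203.0.113.45 result=fail",
    "2026-05-19T22:01:09Z vpn auth user=svc_legacy src=203.0.113.45 result=fail",
    "2026-05-19T22:01:14Z vpn auth user=svc_legacy src=203.0.113.45 result=fail",
    "2026-05-19T22:01:20Z vpn auth user=svc_legacy src=203.0.113.45 result=fail",
    "2026-05-19T22:01:27Z vpn auth user=svc_legacy src=203.0.113.45 result=success",
    "2026-05-19T22:01:28Z vpn tunnel user=svc_legacy src=203.0.113.45 assigned=10.10.20.57",
    "2026-05-19T22:01:33Z vpn auth user=svc_legacy src=203.0.113.45 result=fail",
    "2026-05-19T22:05:00Z vpn auth user=jdoe src=198.51.100.7 result=success",
]

# Constructed Windows Security 4624 (logon) events exported from a DC.
WIN_EVENTS = [
    {"time": "2026-05-19T22:03:41Z", "id": 4624, "user": "svc_legacy", "ip": "10.10.20.57", "type": 3},
    {"time": "2026-05-19T22:04:10Z", "id": 4624, "user": "jdoe", "ip": "10.10.30.12", "type": 3},
    {"time": "2026-05-19T22:09:55Z", "id": 4624, "user": "Administrator", "ip": "10.10.20.57", "type": 3},
    {"time": "2026-05-20T09:00:00Z", "id": 4624, "user": "svc_legacy", "ip": "10.10.20.57", "type": 3},
]

TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_kv(line: str) -> Dict[str, str]:
    """'<ts> vpn <msgtype> k=v k=v ...' -> dict with parsed ts and msgtype."""
    ts, _, msgtype, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, TS), "type": msgtype}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def find_bruteforce_success(lines: List[str], min_fails: int = 3,
                            window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Accounts where one source IP failed >= min_fails times inside `window`
    and then succeeded from that same IP. Keyed on (user, src): a distributed
    spray would not trip this, which is the point of the fingerprint."""
    fails = defaultdict(list)
    findings = []
    for rec in (parse_kv(l) for l in lines):
        if rec["type"] != "auth":
            continue
        key = (rec["user"], rec["src"])
        if rec["result"] == "fail":
            fails[key].append(rec["ts"])
        elif rec["result"] == "success":
            recent = [t for t in fails[key] if rec["ts"] - t <= window]
            if len(recent) >= min_fails:
                findings.append({"user": rec["user"], "src": rec["src"],
                                 "fails": len(recent), "success_at": rec["ts"]})
    return findings


def assigned_ip(lines: List[str], user: str, src: str, after: datetime) -> str:
    """Pivot: the internal address the VPN handed the successful session."""
    for rec in (parse_kv(l) for l in lines):
        if (rec["type"] == "tunnel" and rec["user"] == user
                and rec["src"] == src and rec["ts"] >= after):
            return rec["assigned"]
    raise LookupError("no tunnel record")


def internal_logons(events: List[dict], ip: str, start: datetime,
                    span: timedelta = timedelta(hours=2)) -> List[dict]:
    """4624 events whose source address is the tunnel IP, inside the window."""
    end = start + span
    return [e for e in events if e["id"] == 4624 and e["ip"] == ip
            and start <= datetime.strptime(e["time"], TS) <= end]


def reconstruct(vpn_lines: List[str] = VPN_LOG, events: List[dict] = WIN_EVENTS) -> List[dict]:
    """Brute-force success -> tunnel address -> first internal logons."""
    out = []
    for f in find_bruteforce_success(vpn_lines):
        ip = assigned_ip(vpn_lines, f["user"], f["src"], f["success_at"])
        logons = internal_logons(events, ip, f["success_at"])
        out.append({**f, "tunnel_ip": ip,
                    "first_internal_logons": [(e["time"], e["user"]) for e in logons]})
    return out


if __name__ == "__main__":
    for finding in reconstruct():
        print(finding)
```

The second logon in the window, a different account from the same tunnel address, is exactly the kind of row that answers "when did they get domain admin" and is invisible if the two sources are never joined.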