Geek-Guy.com

Category: Endpoint

Auto Added by WPeMatico

How AI-Driven Governance Is Changing Enterprise Cybersecurity

In this post, I will talk about how AI-Driven governance is changing enterprise cybersecurity. Cybersecurity has traditionally focused on protecting networks from unauthorized access. Organizations deployed firewalls, monitoring tools, and endpoint protection systems to detect threats once attackers attempted to breach infrastructure. However, modern cyber threats have become far more sophisticated. Attackers now rely on…

CyberProof 2026 Report Warns of Rising Identity and AI Cyberattacks

The global cyber threat landscape shifted in 2025, as attackers increasingly abandoned complex malware in favor of faster, more scalable tactics centered on identity compromise, AI-driven automation, and SaaS ecosystem abuse.  According to the CyberProof 2026 Global Threat Intelligence Report, attackers are no longer focused on breaking through network perimeters.  Instead, they are logging in…

Channel M&A Roundup: February 2026 Consolidation Trends

During the month of February, the channel witnessed several key acquisitions and a couple of mergers aimed at increasing revenue and supporting partners. Among the moves are acquisitions by 11:11 Systems, Scale Computing, and Proofpoint, which continue to pursue strategic acquisitions to grow their businesses and expand their services. Proofpoint acquires Acuvity Cybersecurity and compliance…

Iran-nexus APT Dust Specter targets Iraq officials with new malware

A campaign by Iran-linked group Dust Specter is targeting Iraqi officials with phishing emails delivering new malware families. Zscaler ThreatLabz researchers linked the Iran-nexus group Dust Specter to a campaign targeting Iraqi government officials. Threat actors impersonated the country’s Ministry of Foreign Affairs in phishing messages that delivered previously unseen malware, including SPLITDROP, TWINTASK, TWINTALK,…

Challenges and projects for the CISO in 2026

Sophisticated attacks and the incorporation of AI tools, talent shortages, and tight budgets are some of the challenges commonly cited when it comes to managing cybersecurity in organizations. In a changing environment, the key is no longer to stay one step ahead, but to maintain a resilient infrastructure that ensures a rapid response when —…

Zero-day exploits hit enterprises faster and harder

Google tracked 90 vulnerabilities exploited as zero-days last year, with Chinese cyberespionage groups doubling their count from 2024 and commercial surveillance vendors overtaking state-sponsored hackers for the first time. Nearly half of the recorded zero-days targeted enterprise technologies such as security appliances, VPNs, networking devices, and enterprise software platforms. “Increased exploitation of security and networking…

Cisco SD-WAN Manager Vulnerabilities Actively Exploited

Cisco is warning customers that attackers are actively exploiting multiple vulnerabilities affecting its Catalyst SD-WAN Manager platform. The software serves as a centralized management console used to monitor and control large distributed SD-WAN deployments.  These vulnerabilities “… could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information,…

Cisco Firewall Management Flaw Enables Remote Code Execution

Cisco has reported a vulnerability in its Secure Firewall Management Center (FMC) software that could allow attackers to remotely execute code and take full control of affected systems.  The flaw does not require user interaction or authentication. “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface…

Coruna iOS Exploit Kit Compromises Thousands of iPhones

An iOS exploit framework has revealed how advanced mobile attack tools can move rapidly from surveillance operations to espionage and financial crime.  Google’s Threat Intelligence Group (GTIG) identified Coruna, a powerful exploit kit containing 23 vulnerabilities across five exploit chains that were used to compromise thousands of iPhones throughout 2025. “The core technical value of…

Forcepoint Revamps Partner Program, Data Security Platform

Forcepoint announced major updates to its AI-native Data Security Cloud platform and a revamped Global Partner Program designed to help partners deliver modern data security across cloud, endpoint, and AI-driven environments. The announcement comes as enterprises grapple with the security implications of artificial intelligence.  According to a recent World Economic Forum report cited by Forcepoint,…

SIEM vs Log Management: Observability, Telemetry, and Detection

Security teams are no longer short on data. They are drowning in it. Cloud control plane logs, endpoint telemetry, identity events, SaaS audit trails, application logs, and network signals keep expanding, while the SOC is still expected to deliver faster detection and cleaner investigations. That is why SIEM vs log management is not just a…

How a cybersecurity boss framed his own employee

When a top cybersecurity firm discovered it had a leak, you would expect the FBI to be called. Instead, the person put in charge of the investigation was the actual leaker… who promptly sent an innocent colleague into a career-ending ambush. In this episode, we unravel the jaw-dropping tale of a defence contractor caught selling…

Automate or orchestrate? Implementing a streamlined remediation program to shorten MTTR

Security teams want lower MTTR, but flaws persist. How to use automation vs. orchestration to reduce risk effectively? Almost all security teams want to reduce their Mean Time to Remediate (MTTR). And for good reason: research from 2024 found that it takes an average of 4.5 months to remediate critical vulnerabilities. The problem is that…

Iranian cyberattacks fail to materialize but threat remains acute

Five days into US and Israel’s war with Iran, the worst predictions for cyber-retaliation have yet to materialize. But Iran has built one of the world’s most active cyber operations, which means this is likely a temporary reprieve, experts warn. At the weekend, both the UK National Cyber Security Centre (NCSC) and the Canadian Centre…

Iranian cyberattacks fail to materialize but threat remains acute

Five days into US and Israel’s war with Iran, the worst predictions for cyber-retaliation have yet to materialize. But Iran has built one of the world’s most active cyber operations, which means this is likely a temporary reprieve, experts warn. At the weekend, both the UK National Cyber Security Centre (NCSC) and the Canadian Centre…

Google Workspace vs. Microsoft 365: What’s the best office suite for business?

Once upon a time, Microsoft Office ruled the business world. By the late ’90s and early 2000s, Microsoft’s office suite had brushed aside rivals such as WordPerfect Office and Lotus SmartSuite, and there was no competition on the horizon. Then in 2006 Google came along with Google Docs & Spreadsheets, a collaborative online word processing and…

Major Cyber Attacks in February 2026: BQTLock, Thread-Hijack Phishing, and MFA Bypass Evolution

February 2026 brought a surge of sophisticated cyber threats targeting businesses across industries. ANY.RUN’s analysts exposed and explored several major cyber threats this month, providing early visibility into emerging malware families and evolving attack techniques.  From new ransomware strains capable of encrypting entire environments in minutes, to fully undetected remote access trojans — the threat…

Alabama Sextortion Case Involved Hundreds of Victims

A 22-year-old Alabama man has pleaded guilty to federal charges after hijacking the social media accounts of hundreds of young women and extorting them with stolen intimate images.  Between 2022 and 2025, Jamarcus Mosley used impersonation tactics to seize control of victims’ Snapchat and Instagram accounts, then threatened to publish private photos unless they complied…

UK Warns of Heightened Iranian Cyber Risk as Middle East Conflict Intensifies

The United Kingdom’s National Cyber Security Centre (NCSC) is urging British organizations to brace for potential Iranian-linked cyber activity as tensions escalate in the Middle East.  While officials say there is no confirmed spike in direct attacks against the UK, they caution that the situation could shift rapidly.  “There is almost certainly a heightened risk…

$5M Microsoft Activation Key Fraud Ends in Prison Term

A Florida woman has been sentenced to 22 months in federal prison for running a years-long scheme that trafficked thousands of illicit Microsoft software activation keys.  Heidi Richards, who operated Trinity Software Distribution, was also ordered to pay a $50,000 fine after pleading guilty to charges tied to the resale of Microsoft Certificate of Authenticity…

OAuth phishers make ‘check where the link points’ advice ineffective

Microsoft has warned that phishers are exploiting a built-in behavior of the OAuth authentication protocol to redirect victims to malware, using links that point to legitimate identity provider domains such as Microsoft Entra ID and Google Workspace. The links look safe but ultimately lead somewhere that isn’t. “OAuth includes a legitimate feature that allows identity…

OAuth phishers make ‘check where the link points’ advice ineffective

Microsoft has warned that phishers are exploiting a built-in behavior of the OAuth authentication protocol to redirect victims to malware, using links that point to legitimate identity provider domains such as Microsoft Entra ID and Google Workspace. The links look safe but ultimately lead somewhere that isn’t. “OAuth includes a legitimate feature that allows identity…

What is digital employee experience — and why is it more important than ever?

On any given day, an organization’s employees might be using smartphones, laptops, desktop computers, tablets, a variety of cloud and networking services, a host of enterprise applications and mobile apps, and other digital tools. Many of them might be working remotely, and nearly all of them will be operating with tight security and data privacy…

New Defender deployment tool streamlines Windows device onboarding with single executable

Microsoft’s Defender deployment tool for Windows helps administrators manage device onboarding at scale with updated progress visibility and additional controls. Simplified deployment with added administrative controls The tool adapts to the operating system and supports endpoint security across a broad range of Windows devices. It eliminates the need for separate onboarding files for modern and…

Phishing campaign exploits OAuth redirection to bypass defenses

Microsoft researchers warn that threat actors abuse OAuth redirects to target government users and deliver malware. Microsoft has warned of phishing campaigns targeting government and public-sector organizations by abusing OAuth URL redirection. Instead of stealing credentials or exploiting software flaws, attackers leverage OAuth’s legitimate by-design behavior to bypass email and browser defenses. The tactic redirects…

Chrome Extension Hijacked to Push ClickFix Malware

A once-trusted Chrome extension with thousands of users was quietly transformed into a malware delivery vehicle, exposing how quickly browser add-ons can become security liabilities.  QuickLens – Search Screen with Google Lens was removed from the Chrome Web Store after researchers discovered it had been updated to deploy ClickFix attacks and steal cryptocurrency wallet data. …

BYOVD Turns Trusted Drivers Against Windows Security

A growing number of great actor groups are quietly abusing legitimate Windows drivers to turn endpoint defenses against themselves.  Known as Bring Your Own Vulnerable Driver (BYOVD), the technique allows attackers to load a digitally signed but flawed driver and exploit it to gain full kernel-level access.  Attackers “… load a legitimate, digitally signed, but…

Everyone Knows About Broken Authorization – So Why Does It Still Work for Attackers?

Broken authorization is one of the most widely known API vulnerabilities.  It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) account for hundreds of API vulnerabilities every quarter. According to the 2026 API ThreatStats report, authorization issues ranked ninth in…

APT37 combines cloud storage and USB implants to infiltrate air-gapped systems

North Korea-linked APT 37 used Zoho WorkDrive and USB malware to breach air-gapped networks in the Ruby Jumper campaign. North Korean group ScarCruft (aka APT37, Reaper, and Group123) deployed new tools in a campaign dubbed Ruby Jumper, using a backdoor that leverages Zoho WorkDrive for C2 and a USB-based implant to breach air-gapped systems. Zscaler ThreatLabz…

Innovation without exposure: A CISO’s secure-by-design framework for business outcomes

The brief for security leaders has changed. It used to be enough to reduce risk and keep the lights on. Now you are expected to enable AI adoption, connect more “things” to the network, modernize cloud at pace and still demonstrably reduce exposure, often without the comfort of ever-expanding budgets. In that environment, innovation is…

How ‘silent probing’ can make your security playbook a liability

For years, cyberattacks followed a familiar pattern: reconnaissance, exploitation, persistence, impact. Defenders built their strategies around that cycle, patching vulnerabilities, monitoring indicators, and working to reduce dwell time. But a quieter shift is underway. Today’s most sophisticated adversaries are using AI to study how organizations defend themselves. They run what we call “silent probing campaigns:”…

CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances

About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw. Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025. Sangoma FreePBX is an open-source, web-based platform for managing Asterisk-powered VoIP phone systems. Maintained by Sangoma Technologies, it allows businesses…

Who is the Kimwolf Botmaster “Dort”?

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks…

Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement

New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The findings come from Truffle Security, which discovered nearly 3,000 Google API keys (identified by the prefix “AIza”) embedded in client-side code to provide Google-related…

Aeternum botnet hides commands in Polygon smart contracts

Aeternum botnet uses Polygon blockchain smart contracts for C&C, making its infrastructure harder to detect and disrupt. Qrator Labs researchers uncovered Aeternum, a botnet that runs its command-and-control infrastructure through smart contracts on the Polygon blockchain. By decentralizing its C2, the malware avoids traditional server-based takedowns and becomes far harder to disrupt or shut down,…

Juniper PTX Flaw Could Allow Full Router Takeover

Juniper Networks has disclosed a critical vulnerability in Junos OS Evolved that could allow an unauthenticated attacker to gain root-level control of affected PTX Series routers.  These routers are widely used in service provider, telecom, and cloud environments. The vulnerability “… allows an unauthenticated, network-based attacker to execute code as root,” said the company in…

Trend Micro Patches Critical Apex One RCE Flaws

Trend Micro has released patches for two high-severity vulnerabilities in its Apex One endpoint security platform. The flaws impact the Apex One management console and could allow remote code execution on unpatched systems. One of the vulnerabilities, CVE-2025-71210, “… could allow a remote attacker to upload malicious code and execute commands on affected installations,” said…

Why application security must start at the load balancer

For a long time, I thought of the load balancer as a performance device. Its job was to distribute traffic, improve uptime, and make applications feel fast. Security was something that happened elsewhere, on firewalls, inside WAFs or deep in the application code. That perspective changed early in my consulting career. I worked with a…

Illumio Insights brings agentless visibility and breach containment to hybrid environments

Illumio unveiled its solution to deliver agentless visibility and breach containment across both data center and cloud environments. Illumio Insights ingests real-time telemetry and policy data from Check Point and Fortinet firewalls, converting existing firewall information into real-time traffic maps to provide agentless visibility across the hybrid environment. This extends Illumio Insights into data center…

How AI Aids Incident Response: Why Humans Alone Cannot Do IR Efficiently

AI accelerates incident response by correlating alerts and generating reports in minutes, helping teams scale beyond manual limits. Incident response has always been a race against the clock. It starts ticking the moment an alert is triggered, and each minute thereafter can lead to lost revenue, regulatory exposure, reputational damage, or customer churn. Traditionally, incident…

Ransomware groups switch to stealthy attacks and long-term access

Ransomware attackers are switching tactics in favor of more stealthy infiltration, as the threat of public exposure of sensitive corporate data is becoming the main mechanism of extortion. Picus Security’s annual red-teaming report shows attackers shifting away from loud disruption toward quiet, long-term access — or from “predatory” smash-and-grab tactics to “parasitic” silent residency. Four…

Backblaze launches two tools to automate endpoint backup management

Backblaze announced two new tools for Backblaze Computer Backup designed to give IT teams greater control, consistency, and automation across endpoint deployments: the Advanced Installer and the Backblaze Command Line Interface (bzcli). Backblaze Computer Backup has long been known for its simplicity. Install it, and it runs quietly in the background protecting data. While this…

Inside AWS Security Agent: A multi-agent architecture for automated penetration testing

AI agents have traditionally faced three core limitations: they can’t retain learned information or operate autonomously beyond short periods, and they require constant supervision. AWS addresses these limitations with frontier agents—a new category of AI that performs complex reasoning, multi-step planning, and autonomous execution for hours or days. Multi-agent collaboration has emerged as a powerful…

ServiceNow AI Platform Vulnerability Enables Unauthenticated RCE

ServiceNow has addressed a critical vulnerability in its AI Platform that could have allowed unauthenticated remote code execution in enterprise environments.  The flaw has a CVSS score of 9.8, reflecting its high severity and potential impact on workflow automation and AI-driven operations. “This vulnerability could potentially enable an unauthenticated user, in certain circumstances, to remotely…

Trend Micro fixes two critical flaws in Apex One

Trend Micro fixed two critical Apex One flaws enabling remote code execution on vulnerable Windows systems and urged immediate updates. Trend Micro has addressed two critical vulnerabilities in Apex One that could allow attackers to achieve remote code execution on affected Windows systems. The company released security updates and strongly urged customers to apply the…

Nearly 38 Million Impacted in ManoMano Third-Party Breach

European online DIY giant ManoMano is notifying roughly 38 million customers after threat actors compromised a third-party customer service provider, exposing personal data tied to user accounts and support interactions.  The incident, discovered in January 2026, underscores the persistent risk posed by supply chain and vendor-based breaches. “We can confirm that ManoMano has recently notified…

AWS Security Hub Extended brings enterprise security under one roof

AWS Security Hub Extended is a plan within Security Hub that simplifies how customers procure, deploy, and integrate a full-stack enterprise security solution across endpoint, identity, email, network, data, browser, cloud, AI, and security operations. The plan allows customers to expand their security coverage beyond AWS services and manage broader enterprise protection through a curated…

China-linked hackers used Google Sheets to spy on telecoms and governments across 42 countries

Google has disrupted a China-linked espionage group that used Google’s spreadsheet application as a covert spy tool to compromise telecom providers and government agencies across 42 countries, sending commands and receiving stolen data through it, Google’s Threat Intelligence Group (GTIG) said on Thursday. Working with Mandiant, GTIG confirmed intrusions at 53 organizations across 42 countries,…

The farmers and the mercenaries: Rethinking the ‘human layer’ in security

There’s a phrase that’s become gospel in cybersecurity: “Employees are the last line of defense.” We’ve built an entire industry around it. Billions of dollars in security awareness programs, mandatory simulations and user-reporting workflows across endpoints, applications and collaboration tools. All predicated on a premise that sounds reasonable until you examine what we’re actually asking.…

Google GTIG disrupted China-linked APT UNC2814 halting attacks on 53 orgs in 42 countries

Google and partners disrupted UNC2814, a suspected China-linked group that hacked 53 organizations across 42 countries. Google, with industry partners, disrupted the infrastructure of UNC2814, a suspected China-linked cyber espionage group that breached at least 53 organizations in 42 countries. The group has been active since at least 2017, and was spotted targeting governments and…

Five Eyes issue emergency directive on exploited Cisco SD-WAN zero-day

Cybersecurity agencies across the Five Eyes alliance have issued an emergency directive warning that a critical Cisco SD-WAN vulnerability is being actively exploited to gain unauthorized access to federal networks. Officials confirmed that threat actors are targeting core SD-WAN control systems —infrastructure that manages traffic across government and enterprise networks — and urged organizations to…

Zenarmor Debuts Global SASE Channel Partner Program

Zenarmor on Feb. 24 launched a global SASE Channel Partner Program aimed at MSPs, MSSPs, ISPs, and security-focused channel partners seeking to deliver distributed secure access services without relying on centralized cloud points of presence (PoPs). The Cupertino, Calif.-based vendor said its partner-first initiative formalizes a go-to-market strategy built around what it calls a single-app,…

Treasury Sanctions Russian Exploit Brokerage

The U.S. government has imposed sanctions on a foreign exploit brokerage accused of purchasing and reselling stolen government cyber tools under the Protecting American Intellectual Property Act (PAIPA).  This action targets Operation Zero, a Russia-linked exploit broker, and signals a tougher stance against markets that monetize zero-day vulnerabilities tied to national security systems.  “If you…

SentinelOne addresses identity risk across endpoints, browsers, and AI workflows

SentinelOne has unveiled its Singularity Identity portfolio designed to secure the growing population of non-human identities, including AI agents, service accounts, APIs, and workloads. Identity attacks have long been a go-to tactic for nation-state actors and cybercriminals. Most defenses focus on stopping them at authentication and permissions. Attackers continue adapting their tactics to bypass those…

Beachhead Solutions Unveils ComplianceEZ 2.0 for MSPs

Beachhead Solutions has launched ComplianceEZ 2.0, a major update to its compliance management tool built into the BeachheadSecure for MSPs platform.  The company says the new version moves beyond simple documentation and delivers full lifecycle management of cybersecurity compliance, with AI-driven guidance included at no extra cost. Beachhead positions ComplianceEZ 2.0 as MSP-focused GRC alternative…

Microsoft warns of job‑themed repo lures targeting developers with multi‑stage backdoors

Microsoft says it has uncovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessments. The campaign employs carefully crafted lures to blend into routine workflows, such as cloning repositories, opening projects, and running builds, thereby allowing the malicious code to execute undetected. Telemetry collected during an incident…

Turn Your SOC Into a Detection Engine: Rethinking Threat Monitoring

Threat monitoring is treated as one capability among many. Something that sits alongside incident response and threat hunting on an org chart. That framing undersells how central it actually is.  Monitoring is the connective tissue of the entire security operation. Every other SOC function depends on it working well.  For SOC and MSSP leaders, building effective threat monitoring is not about “more alerts.” It…

What are the types of ransomware attacks?

Ransomware isn’t an isolated, potential cyber threat—it’s like a living organism that can shapeshift with multiple strains, tactics, and targets. The cybercriminals behind ransomware attacks run these operations like a business and are motivated to keep up profits at any cost.  Their tactics range from quickly locking down an entire network to slowly leaking sensitive…

Take control: Locking down common endpoint vulnerabilities

Attackers are constantly on the prowl, scoping out vulnerabilities of network-connected devices in your systems. These devices—laptops, desktops, servers, IoT, and more—are like unlocked doors waiting for threat actors to stroll through. And here’s the kicker: many of these vulnerabilities are shockingly common and easily preventable. Let’s break down the weaknesses we most frequently track…

Know the red flags: Business email compromise signs to look out for

When it comes to cyber threats, business email compromise (BEC) is one of the sneakiest, most costly scams out there. These digital predators don’t rely on brute force, but are patient, tactical, and they exploit one weakness above all: human trust. If you’re in the cybersecurity game, spotting a BEC attack can mean the difference…

Cyber defense: From reactive to proactive

When systems are attacked, we should respond. But how much better would it be if we could anticipate attacks before they strike and stop them with a proactive defense? Faced with today’s cybersecurity challenges, that is no simple task. “It’s a cat-and-mouse situation. AI is changing the speed and sophistication of attacks, and AI is…

Google Patches Three High-Severity Chrome Flaws

Google has released a security update for its Chrome browser that addresses three high-severity vulnerabilities, which could pose risk to users. One of the vulnerabilities, CVE-2026-3061, allows “… a remote attacker to perform an out-of-bounds memory read via a crafted HTML page,” said NIST in its advisory. Inside the Chrome Vulnerabilities The security update addresses…

What Is a Security Data Pipeline Platform: Key Benefits for Modern SOC

Security teams are drowning in telemetry: cloud logs, endpoint events, SaaS audit trails, identity signals, and network data. Yet many programs still push everything into a SIEM, hoping detections will sort it out later. The problem is that “more data in the SIEM” doesn’t automatically translate into better detection. It often translates into chaos. Many…

Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences

Security professionals rely on early detection signals to prioritize and contain incidents. But what happens when a fully capable RAT generates none?  In a recent investigation, the ANY.RUN experts uncovered a new Go-based remote access trojan we named Moonrise. At the time of analysis, it wasn’t detected on VirusTotal and had no vendor signatures tied to it.  That’s the problem teams can’t ignore: credential theft, remote command execution, and persistence…

Operation MacroMaze: APT28 exploits webhooks for covert data exfiltration

Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze. Russia-linked APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) launched Operation MacroMaze, targeting select entities in Western and Central Europe from September 2025 to January 2026. The campaign used webhook-based macro malware, leveraging simple tools and legitimate services for infrastructure and data…

The rise of the evasive adversary

Since the earliest days of the internet, there has never been a let-up in adversarial activity. According to CrowdStrike’s just-released 12th annual Global Threat Report, malicious activity in cyberspace continues to not only accelerate but also expand its scale and increasingly abuse the trust of targeted organizations. The good news is that, despite discussion of…

Global Chip Supplier Advantest Discloses Cyber Incident 

Japanese semiconductor equipment company Advantest has confirmed it was hit by a ransomware attack after detecting unusual activity inside its corporate network on February 15.  The company says an unauthorized third party may have accessed internal systems and deployed ransomware, potentially affecting sensitive data tied to customers or employees. “Preliminary findings appear to indicate that…

How Exposed Endpoints Increase Risk Across LLM Infrastructure

As more organizations run their own Large Language Models (LLMs), they are also deploying more internal services and Application Programming Interfaces (APIs) to support those models. Modern security risks are being introduced less from the models themselves and more from the infrastructure that serves, connects and automates the model. Each new LLM endpoint expands the…

New Arkanix stealer blends rapid Python harvesting with stealthier C++ payloads

A newly uncovered infostealer, suspected to be built with the help of a large language model, is targeting victims with Python and C++ variants, each tailored for a different stage of data theft. Kaspersky researchers discovered a stealer dubbed “Arkanix,” which is capable of harvesting credentials, browser data, cryptocurrency, and banking assets from infected machines.…

Attackers exploit Ivanti EPMM zero-days to seize control of MDM servers

Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) to gain unauthenticated control of enterprise mobile device management infrastructure and install backdoors engineered to persist even after organizations apply available patches. “Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting…

Compromised npm package silently installs OpenClaw on developer machines

A new security bypass has users installing AI agent OpenClaw — whether they intended to or not. Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on…

University of Mississippi Medical Center Closes Clinics After Ransomware Attack

A ransomware attack has forced the University of Mississippi Medical Center (UMMC) to temporarily close most of its clinics, cancel elective procedures, and shift to manual documentation as IT systems remain offline.  The incident, detected in the early hours of Feb. 19, 2026, disrupted UMMC’s network, including its EPIC electronic medical record (EMR) platform. “We…

Barracuda: Firewall Exploits Drive 90% of Ransomware Incidents

Ninety percent of ransomware incidents in 2025 reportedly exploited firewalls via unpatched software or a vulnerable account, according to Barracuda Networks’ newly published Barracuda Managed XDR Global Threat Report. Outdated tools and remote access abuse heighten ransomware exposure According to the cybersecurity company, the findings show how attackers exploit legitimate IT tools such as remote…

Uptime Kuma: Open-source monitoring tool

Service availability monitoring remains a daily operational requirement across IT teams, SaaS providers, and internal infrastructure groups. Many environments rely on automated checks and alerting to track outages, latency issues, and service degradation across web applications and network endpoints. Uptime Kuma is an open-source uptime monitoring project that supports this type of operational monitoring through…

MCP Servers Expose a Hidden AI Attack Surface in Enterprise Environments

As enterprises rush to integrate AI assistants into daily workflows, a new and potentially overlooked attack surface is emerging: Model Context Protocol (MCP) servers.  Built to connect AI applications to external tools and data, MCP servers can be exploited to execute code, exfiltrate data and manipulate users — often without visible signs of compromise.  Attackers…

better-auth Flaw Allows Unauthenticated API Key Creation

A vulnerability in the better-auth library could allow attackers to take over user accounts without ever logging in.  The flaw affects the library’s API keys plugin and enables unauthenticated attackers to mint privileged API keys for arbitrary users. Exploitation of the vulnerability grants “… full authenticated access as the targeted user and, depending on the…

Ivanti EPMM Vulnerabilities Actively Exploited in the Wild

Two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, putting thousands of enterprise mobile management systems at risk.  The flaws allow unauthenticated attackers to remotely execute arbitrary code on vulnerable servers, potentially giving them full control over corporate mobile device management (MDM) environments. “Palo Alto Networks Cortex Xpanse has…

Bug in widely used VoIP phones allows stealthy network footholds, call interception (CVE-2026-2329)

A critical security vulnerability (CVE-2026-2329) in Grandstream VoIP phones could let hackers remotely take full control of the devices and even intercept calls, Rapid7 researchers discovered. “The vulnerability is present in the device’s web-based API service, and is accessible in a default configuration,” Rapid7 researcher Stephen Fewer noted. The risks related to CVE-2026-2329 exploitation CVE-2026-2329…

Six flaws found hiding in OpenClaw’s plumbing

Security researchers have uncovered six high-to-critical flaws affecting the open-source AI agent framework OpenClaw, popularly known as a “social media for AI agents.” The flaws were discovered by Endor Labs as its researchers ran the platform through an AI-driven static application security testing (SAST) engine designed to follow how data actually moves through the agentic…

CISA alerts to critical auth bypass CVE-2026-1670 in Honeywell CCTVs

CISA warns Honeywell CCTVs are affected by a critical auth bypass flaw (CVE-2026-1670) allowing unauthorized access or account hijacking. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that Honeywell CCTVs are affected by a critical authentication bypass flaw, tracked as CVE-2026-1670 (CVSS score of 9.8), that lets attackers change the recovery email without logging…

Hackers can turn Grok, Copilot into covert command-and-control channels, researchers warn

Enterprise security teams racing to enable generative AI tools may be overlooking a new risk: attackers can abuse web-based AI assistants such as Grok and Microsoft Copilot to quietly relay malware communications through domains that are often exempt from deeper inspection. The technique, outlined by Check Point Research (CPR), exploits the web-browsing and URL-fetch capabilities…

WatchGuard: New Malware Variants Surge 1,500% in H2 2025

A new report from WatchGuard Technologies reveals that unique malware detections on endpoints skyrocketed by 1,548% in the second half of 2025, even as overall malware volume dipped slightly.  Internet Security Report findings suggest threat actors are bypassing traditional defense The findings, published in the company’s H2 2025 Internet Security Report, highlight a sharp pivot…

Chinese hackers exploited zero-day Dell RecoverPoint flaw for 1.5 years

For the past 18 months, a Chinese cyberespionage group has been exploiting a prevously unknown vulnerability in Dell’s RecoverPoint for Virtual Machines, a VM disaster recovery solution. The flaw, patched by Dell this week, allows unauthenticated attackers to gain command execution on the underlying OS as root. The vulnerability, tracked as CVE-2026-22769, stems from hardcoded…

Zero-Day in Dell RecoverPoint Enables GRIMBOLT Backdoor 

A zero-day vulnerability in Dell RecoverPoint for Virtual Machines is being actively exploited to deploy backdoors and pivot deeper into enterprise networks.  The flaw has reportedly been abused since at least mid-2024 by a suspected China-linked threat cluster. “Beyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual…

XSS Bug in VS Code Extension Exposed Local Files

A widely used Microsoft Visual Studio Code (VS Code) extension quietly exposed millions of developers to potential local file exfiltration through a cross-site scripting (XSS) flaw.  The issue affected the official Live Preview extension — downloaded more than 11 million times — and allowed malicious websites to interact with a developer’s localhost environment.  An “……

CVE-2026-22769: Critical Dell RecoveryPoint Zero-Day Exploited in the Wild

SOC Prime has recently covered a wave of actively exploited zero-days across major ecosystems, including Apple’s CVE-2026-20700 and Microsoft’s CVE-2026-20805, alongside a fresh Chrome zero-day case. But the avalanche of threats keeps marching into 2026. Recently, researchers from Mandiant and Google Threat Intelligence Group (GTIG) detailed the active exploitation of CVE-2026-22769, a maximum-severity hardcoded-credential vulnerability…

Keenadu: Android malware that comes preinstalled and can’t be removed by users

There’s too little a user can do when hit with a complex Android malware that comes preinstalled on their new smartphone or tablet. Security researchers at Kaspersky have flagged a multifaceted Android malware dubbed Keenadu that can ship preinstalled via device firmware, compromising users before they even complete setup. “Keenadu serves as a reminder that…

From Shadow APIs to Shadow AI: How the API Threat Model Is Expanding Faster Than Most Defenses

The shadow technology problem is getting worse.  Over the past few years, organizations have scaled microservices, cloud-native apps, and partner integrations faster than corporate governance models could keep up, resulting in undocumented or shadow APIs.  We’re now seeing this pattern all over again with AI systems. And, even worse, AI introduces non-deterministic behavior, autonomous actions,…

One stolen credential is all it takes to compromise everything

Attackers often gain access through routine workflows like email logins, browser sessions, and SaaS integrations. A single stolen credential can give them a quick path to move across systems when access permissions are broad and visibility is fragmented. That pattern appears across more than 750 incident response engagements covered in Unit 42’s Global Incident Response…