LAPSUS$ Supergroup Paying Women $1,000 Per Vishing Call
Scattered Lapsus$ Hunters offers $500-$1,000 to recruit women for IT help desk social engineering attacks. The supergroup combines LAPSUS$, Scattered Spider, and ShinyHunters tactics.
Check Point found CVE-2025-59536 and CVE-2026-21852 in Anthropic's Claude Code. Opening a cloned repo could execute code and leak API credentials.
CVE-2026-27941 (CVSS 9.9) lets attackers execute code via pull requests to OpenLIT, stealing GITHUB_TOKEN and cloud secrets. Patch to 1.37.1 now.
CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.
Microsoft confirms Copilot bug bypassed DLP policies, reading confidential emails without authorization. European Parliament blocked Copilot over concerns.
Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.
Anthropic alleges DeepSeek, Moonshot AI, and MiniMax used 24,000 fake accounts to extract Claude capabilities through 16 million distillation queries.
CISA flags FileZen command injection flaw (CVE-2026-25108, CVSS 8.7) as actively exploited. Federal agencies must patch by March 17, 2026.
Serv-U 15.5.4 fixes four CVSS 9.1 bugs including type confusion and access control flaws. Admin access required, but file transfer platforms remain high-value targets.
A coding error in PayPal Working Capital exposed customer SSNs and business data since July 2025. Unauthorized transactions detected on some affected accounts.
Japanese semiconductor test equipment maker Advantest hit by ransomware on Feb 15. Investigation ongoing as company assesses potential data exposure.
Threat actors bypass ClawHub security by hiding Base64 payloads in fake troubleshooting comments. Atomic Stealer delivered to unsuspecting OpenClaw users.
CVE-2025-40540 is a critical type confusion vulnerability in SolarWinds Serv-U with CVSS 9.1. Attackers with admin access can execute arbitrary code.
Cloudflare's February 20 outage withdrew 25% of BYOIP customer prefixes after API query misinterpretation. 1,100 prefixes went offline for over six hours.
ShinyHunters claims 800,000+ Wynn Resorts employee records including SSNs, salaries, and personal details. The group demands 22 Bitcoin by February 23 and says it exploited Oracle PeopleSoft to obtain the data.
VIQ Solutions confirms sensitive Australian court data including domestic violence and national security cases accessed by unauthorized Indian subcontractor e24 Technologies.
Iranian APT MuddyWater launches Operation Olalampo against MENA organizations, deploying four new malware families including GhostFetch and CHAR, a Rust backdoor controlled via Telegram.
Kaspersky exposes Arkanix Stealer, a Python and C++ infostealer likely built with LLM assistance. After two months of targeting crypto wallets and VPNs, the operation vanished.
Attacker impersonating civil servant accessed French FICOBA registry containing 300M+ bank account records. 1.2 million accounts compromised in late January attack.
Banking trojan disguised as IPTV streaming apps targets users in Portugal and Greece, enabling device takeover and credential theft through overlay attacks.
New espionage campaign uses protest-themed lures and Chrome DLL side-loading to deploy RAT malware against Iranian diaspora, activists, and journalists.
Amazon threat intelligence exposes Russian-speaking actor using generative AI to breach 600+ FortiGate devices across 55 countries. Attack used ARXON tool with DeepSeek and Claude.
University of Mississippi Medical Center shuts 35 clinics statewide after ransomware attack disables Epic EHR access. FBI investigating as doctors resort to pen and paper for patient care.
ESET discovers PromptSpy, the first Android malware weaponizing Google's Gemini AI to maintain persistence by analyzing UI and generating real-time tap instructions to stay pinned in recent apps.
Elastic Security Labs uncovers ClickFix campaign abusing compromised bincheck.io to deliver MIMICRAT, a custom C++ RAT with SOCKS5 tunneling and token impersonation capabilities.
CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.
WormGPT database allegedly leaked on dark web forums, exposing emails, payment data, and subscription details of cybercriminals using the service.
Attackers exploiting CVE-2026-1731 deploy cross-platform backdoors across finance, healthcare, and tech. Over 10,600 instances remain exposed.
CVE-2026-26119 lets attackers escalate from standard user to domain admin via improper authentication. Microsoft rates exploitation 'more likely.'
CVE-2026-26030 in Microsoft's Semantic Kernel Python SDK enables unauthenticated RCE through InMemoryVectorStore. Upgrade to 1.39.4 immediately.
Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.
Cisco 360 Partner Program offers new AI specializations and certifications tied to NVIDIA partnership, with $267B in projected partner-delivered AI services by 2030.
Cisco's State of AI Security 2026 report reveals a dangerous gap between agentic AI adoption ambitions and enterprise security readiness. Here's what the threat landscape looks like.
SANS ISC analyzes DynoWiper's internals revealing Mersenne Twister seeding, 16-byte overwrite buffers, and directory exclusions. Technical breakdown of Sandworm's latest wiper.
Radware's 2026 threat report reveals network-layer DDoS attacks jumped 168% year-over-year. NoName057 claimed 4,693 attacks, setting a new hacktivist record.
Microsoft warns of ClickFix variant using nslookup commands to stage malware via DNS traffic. Delivers ModeloRAT through fileless attack chain.
CVE-2026-2329 (CVSS 9.3) enables unauthenticated RCE on Grandstream GXP1600 VoIP phones. Attackers can intercept calls and steal credentials. Patch to 1.0.7.81.
Critical CVE-2026-1490 (CVSS 9.8) in CleanTalk anti-spam plugin allows unauthenticated attackers to install malicious plugins via DNS spoofing. Update to 6.72 now.
Cisco AI Defense research finds OpenAI's safeguard models perform worse than standard versions under sustained attack. Multi-turn jailbreaks spike success rates up to 92%.
New catalog at developer.cisco.com/codeexchange/ai centralizes AI agents and MCP servers for network automation, with built-in testing tools.
Chinese threat group UNC6201 exploited a critical hardcoded credential flaw (CVE-2026-22769) in Dell RecoverPoint for 18 months before disclosure. Patch now.
Cisco Talos researcher uses 'good enough' emulation to fuzz Socomec DIRIS M-70 energy gateway, discovering CVE-2025-54848 through CVE-2025-55222 in Modbus protocol handling.
Microsoft Defender Experts track expanding infostealer campaigns hitting macOS via ClickFix prompts, malicious DMG installers, and Python-based stealers. DigitStealer, MacSync, and AMOS lead the wave.
Cloud-native worm campaign by TeamPCP has compromised 60,000+ servers by exploiting Docker APIs, Kubernetes, and React2Shell. Flare researchers detail the industrialized operation.
CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.
Xavier Mertens discovers 846 images reusing the same Base64 steganography technique to deliver .NET malware via Equation Editor exploits. Here's how defenders can hunt for copycats.
Wiz researchers found Moltbook's Supabase database exposed without authentication, leaking 1.5M API tokens, private messages, and plaintext OpenAI keys.
Public CAs will stop issuing TLS certificates with clientAuth EKU by June 2026. Cisco outlines the impact on CUBE, Expressway, and mTLS deployments.
ProbablyPwned delivers breaking hacking news and cybersecurity coverage for security professionals. Our team monitors global threat landscapes to bring you timely reporting on data breaches, vulnerability disclosures, and threat actor campaigns.
We cover the full spectrum of cyber threats including ransomware attacks, nation-state hacking operations, critical infrastructure incidents, and enterprise security breaches. Each story includes technical analysis, impact assessment, and actionable guidance.
Subscribe to our newsletter or follow our RSS feed to stay ahead of emerging threats. For in-depth security guidance, explore our Security Guides.