Security Round-Up

Tuesday

2026-07-14
Your source for daily security alerts from some of the best experts in the world.
Find the problems, secure your systems now!

Scripts and tools to help manage your network found, managed and
happily shared with documentation on usage at the IP WORk eXchange.
https://www.ipworx.com

Get these alerts in your inbox every morning. Coming Soon

CONTENTS

Check Point Research ( 2 )
Cisco Talos ( 2 )
CISA ( 2 )
DataBreaches.net ( 10 )
Huntress Blog ( 2 )
CVEMon Intruder ( 10 )
Hacker News ( 17 )
Publications | Hacking Lab ( 2 )


Check Point Research

07/13 TOC AI Security Report 2026

For years, the cyber security industry tracked AI as a force multiplier: something that made existing attack techniques faster, cheaper, and more accessible. That framing was accurate. But the Annual AI Security Report 2026 from Check Point Research documents a transition that goes further. AI has crossed from assistant to operator. Where it once helped attackers prepare, it now runs the […]

The post AI Security Report 2026 appeared first on Check Point Research.

07/13 TOC 13th July Threat Intelligence Report

For the latest discoveries in cyber research for the week of 13th July, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES U.S. auto insurer AssuranceAmerica has disclosed a data breach affecting approximately 7 million people. Attackers targeted an employee and used compromised credentials to access company systems, stealing names, contact information, driver’s license […]

The post 13th July – Threat Intelligence Report appeared first on Check Point Research.


Cisco Talos

07/14 TOC [Video] Where protection starts: Cisco Talos Intelligence Integrations…
Every day, defenders make high-consequence decisions with incomplete information. Learn how Cisco Talos Intelligence Integrations help reduce uncertainty by turning the latest threat intelligence into proactive protections across Cisco technologies.
07/14 TOC The serpents tongue: Luring the Python out of its den
This blog examines the full lifecycle of a Python package, from hosting on repositories such as PyPI or custom web servers, through source and wheel distribution formats, to the final installation into virtual or system-wide Python environments.

CISA

07/13 TOC CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.

While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance. 

07/13 TOC Improve Router Hygiene to Protect Against Russian State-Sponsored Targ…

Russian Government-Sponsored Activity Targets Poorly Configured and Vulnerable Devices Across Critical Sectors

Executive summary

Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decade-plus FSB Center 16 cyber activity by providing additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat. [1] 

This CSA is being released by the following authoring and co-sealing agencies: 

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States Federal Bureau of Investigation (FBI)
  • United States Department of Defense Cyber Crime Center (DC3)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Czech Republic National Cyber and Information Security Agency (NÚKIB)1 
  • Danish Defence Intelligence Service (DDIS)2 
  • Estonian Foreign Intelligence Service (EFIS)3 
  • Estonian Information System Authority (RIA)4
  • Finnish Defence Intelligence (FDI)5
  • Finnish Security and Intelligence Service (SUPO)6
  • French National Cybersecurity Agency (ANSSI)7
  • Italian External Intelligence and Security Agency (AISE)8 
  • Italian Internal Intelligence and Security Agency (AISI)9
  • The Military Counterintelligence Service of Poland (SKW)10 
  • Sweden National Cyber Security Centre (NCSC-SE)11 

The authoring and co-sealing agencies strongly urge device owners and network defenders to take mitigation and remediation actions against Russian government-sponsored exploitation of vulnerable routers.

Adversary Techniques and corresponding Mitigation Actions as described in the Technical details and Mitigation actions sections.
Figure 1: FSB Center 16 activity and recommended mitigation actions

Download the PDF version of this report:

Cybersecurity industry tracking 

The cybersecurity industry provides overlapping cyber threat intelligence, indicators of compromise (IOCs), and mitigation recommendations related to this activity. Although not all encompassing, the following list contains the most notable threat group names commonly used within the cybersecurity community related to this activity: 

  • Berserk Bear 
  • Energetic Bear
  • Crouching Yeti 
  • Dragonfly
  • Ghost Blizzard
  • Static Tundra

Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this list may not provide a 1:1 correlation to the authoring agencies’ understanding for all activity related to these groupings.

Targeting details

Critical infrastructure sectors most at risk from the Russian Federal Security Service (FSB) Center 16 cyber actors’ targeting include:

  • Communications,
  • Defense Industrial Base,
  • Energy,
  • Financial Services,
  • Government Services and Facilities, especially organizations at the state and local level, and
  • Healthcare and Public Health.

Technical details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise12 framework, version 19. See Appendix A for tables of the activity mapped to MITRE ATT&CK tactics and techniques. This advisory also uses MITRE DEFENDTM version 1.4.0.

The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation. The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication [T1595.001, T1595.002]. These scans, run via proxies, consist of SNMP Set-Requests from a spoofed IP address [T1027] containing Object Identifiers (OIDs) that instruct the SNMP agent on poorly configured networking devices to [T1569, T1602.001, T1090]:

  • Copy its configuration to a file, often called “config.bkp” or “output.txt” [T1003, T1602.002].
  • Transfer the file, typically using Trivial File Transfer Protocol (TFTP), to an actor-controlled leased virtual private server (VPS) or compromised FTP server [T1583.003, T1090, T1071, T1048].

While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices. The actors previously exploited at least the following CVEs [T1584.008, T1588.005, T1190, T1068]: 

Many of these TTPs overlap with activity by other malicious cyber actors, such as Salt Typhoon. Even though this CSA focuses on Russian FSB Center 16 cyber activity, the mitigations below should detect and counter these and similar TTPs used by other actors.

Mitigation actions

The authoring agencies highly recommend network defenders implement the following mitigations to harden networks against this exploitation:

  • Disable Cisco Smart Install on all devices [D3-ACH]. [2]
  • Use SNMPv3 with “authPriv” configured to the most modern encryption standard that is supported by the device instead of SNMPv1 or SNMPv2 [D3-ACH]. [3]
    • Disable SNMPv1 and SNMPv2. These are legacy protocols and should no longer be needed on current devices. If they are necessary, change all community strings from defaults and only allow read-only community strings rather than read-write access.
    • SNMPv3 adds strong authentication and data encryption that are unavailable in SNMPv1 and v2. SNMPv3 replaces clear text shared passwords, known as community strings, with more securely encoded parameters, and authenticates and encrypts data [D3-MAN, D3-MENCR].
  • Use strong, unique passwords for local accounts on network devices and configure credentials to be stored securely to prevent reuse of compromised passwords [D3-CH].
    • Cisco devices protect passwords in the configuration file using different hashing types. Use hashing type 8 for user credentials. Avoid using hashing type 0, 4, and 7 as they are insecure or store passwords in plaintext in the configuration file. [4]
    • Monitor for unusual credentials that do not conform to standard organizational naming conventions [D3-PM]. 
    •  Monitor for and alert on logins using local accounts. Local accounts should only be used in emergency situations when accounts supported by centralized authentication servers are unavailable. Centralized authentication to network devices should support multi-factor authentication where feasible. [3]
  • Monitor and restrict access to SNMP OIDs using a Management Information Base (MIB) allow list [D3-ACH]. [5] Reference the vendor-specific MIB for the network devices and monitor OIDs for indications of reconnaissance or misconfiguration in logs or intrusion detection systems (IDS). IDS rules should be written for inbound SNMP Set-Requests that contain OIDs targeting sensitive device data [D3-PM].
    • Example OIDs include:
      • 1.3.6.1.4.1.9.9.96.1.1 (Cisco Config Copy)
      • 1.3.6.1.4.1.9.9.96.1.1.1.1.5 (Config Copy Server Address, value for this OID is where the configuration file is being sent to) 
  • Restrict management protocols [D3-NTF].
    • Use Access Control Lists (ACLs) to only allow management protocols, such as SNMP, from management devices, preferably on an out-of-band network. [3]
    • On edge firewalls and devices deny all external communications on the following ports unless mission critical, with strict monitoring if blocking is not feasible:
      • User Datagram Protocol (UDP) port 69 (TFTP) 
      • Transmission Control Protocol (TCP) port 4786 (SMI)
      • UDP ports 161 and 162 (SNMP)
      • TCP/UDP ports 10161 and 10162 (SNMPv3)
  • Update network device software and firmware images, especially to patch known vulnerabilities, and upgrade end-of-life devices to supported ones. 
    • Use an attack surface management service to identify and secure Internet-facing systems with weak configurations and known vulnerabilities [D3-NVA].
      • U.S.-based federal, state, local, tribal, and territorial governments and U.S. critical infrastructure organiztions should consider signing up for CISA’s no-cost Cyber Hygiene services.
      • U.S. Defense Industrial Base organizations should consider signing up for NSA’s DIB Cybersecurity Services.

Resources

United States:

Canada:

Works cited

[1] FBI. Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure. Alert Number: I-082025-PSA. 2025. https://www.ic3.gov/PSA/2025/PSA250820

[2] NSA. Cisco Smart Install Protocol Misuse. 2017. https://media.defense.gov/2019/Jul/16/2002157833/-1/-1/0/CSA-CISCO-SMART-INSTALL-PROTOCOL-MISUSE.PDF

[3] NSA. Network Infrastructure Security Guide. 2023. https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF

[4] NSA. Cybersecurity Information Sheet Cisco Password Types: Best Practices. 2022. https://media.defense.gov/2022/Feb/17/2002940795/-1/-1/0/CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF

[5] NSA. Cybersecurity Information Sheet: Reducing the Risk of Simple Network Management Protocol (SNMP) Abuse. 2026. https://media.defense.gov/2026/Jul/09/2003959459/-1/-1/0/CSI_REDUCING_RISK_OF_SNMP_ABUSE.PDF

Footnotes

1  Národní úřad pro kybernetickou a informační bezpečnost

2  Forsvarets Efterretningstjeneste

3 Välisluureamet

4 Riigi Infosüsteem Amet

5 Sotilastiedustelu

6 Suojelupoliisi

7 Agence nationale de la sécurité des systèmes d’information

8 Agenzia Informazioni e Sicurezza Esterna

9 Agenzia Informazioni e Sicurezza Interna

10 Służba Kontrwywiadu Wojskowego

11 Nationellt Cybersäkerhetscenter

12 MITRE and ATT&CK are registered trademarks of The MITRE Corporation. MITRE DEFEND is a trademark of the MITRE Corporation.

13 CVE-2008-4128 only affects end-of-life Cisco devices.

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

United States organizations

  • National Security Agency (NSA)
  • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
    •  U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment user for the activity; the name of the submitting company or organization; and a designated point of contact. 
  • United States Department of Defense Cyber Crime Center (DC3)  
    • Defense Industrial Base Inquiries and Cybersecurity Services: DC3.DCISE@us.af.mil 
    • Defense Industrial Base mandatory cyber incident reporting as required by 10 U.S. Code Sections 391 and 393 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 is submitted at https://dibnet.dod.mil.
    •  Media Inquiries / Press Desk: DC3.Information@us.af.mil

Australian organizations

  • Australian Signals Directorate
    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations

  • The Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment, encourages Canadian organizations to report cyber incidents and to strengthen the security of their networking devices. 

New Zealand organizations

United Kingdom organizations

Estonia organizations

Finnish organizations

French organizations

  • French organizations are encouraged to report suspicious activity or incident related information found in this advisory by contacting ANSSI/CERT-FR at: cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.

Italian Organizations

Appendix A: MITRE ATT&CK tactics and techniques

See Table 1 through Table 10 for all the threat actor tactics and techniques referenced in this advisory.

Table 1: Reconnaissance

Technique Title

ID

Use

Active Scanning: Scanning IP Blocks T1595.001 Scan range of IP addresses
Active Scanning: Vulnerability Scanning T1595.002 Scan victims for vulnerabilities that can be used during targeting
Table 2: Resource Development

Technique Title

ID

Use

Acquire Infrastructure: Virtual Private Servers  T1583.003  Leverage VPS as infrastructure 
Compromise Infrastructure: Network Devices  T1584.008  Compromise intermediate routers 
Obtain Capabilities: Exploits  T1588.005  Use publicly available code to exploit vulnerable devices 
Table 3: Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application  T1190  Exploit publicly known CVEs 
Proxy T1090 Use a connection proxy to direct network traffic 
Table 4: Execution

Technique Title

ID

Use

System Services T1569 Executing commands via SNMP
Table 5: Privilege Escalation

Technique Title

ID

Use

Exploitation for Privilege Escalation T1068 Exploit publicly known CVEs for escalated privileges
Table 6: Stealth

Technique Title

ID

Use

Obfuscated Files or Information T1027 Obfuscate source IP addresses in system logs, as actions may be recorded as originating from local IP addresses
Table 7: Credential Access

Technique Title

ID

Use

OS Credential Dumping T1003 Collect router configuration with weak Cisco Type 7 passwords and Type 0
Table 8: Collection

Technique Title

ID

Use

Data from Configuration Repository: SNMP (MIB Dump)  T1602.001  Target MIB to collect network information via SNMP 
Data from Configuration Repository: Network Device Configuration Dump T1602.002 Acquire credentials by collecting network device configurations
Table 9: Command and Control

Technique Title

ID

Use

Proxy  T1090  Use VPS for C2 
Application Layer Protocol  T1071  Open and expose a variety of different services, including TFTP and FTP
Table 10: Exfiltration

Technique Title

ID

Use

Exfiltration Over Alternative Protocol T1048 Exfiltrating over a different protocol than that of the existing command and control channel. 

Appendix B: MITRE D3FEND countermeasures

See Table 11 for a mapping of several of the cybersecurity countermeasures mentioned in this advisory.

Table 11: MITRE D3FEND Countermeasures

Countermeasure Title

ID

Description

Application Configuration Hardening D3-ACH
  • Use SNMPv3 and disable SNMPv1 and SNMPv2. 
  • Use SNMP allowlisting to restrict access to OIDs and MIBs. 
  • Disable Cisco Smart Install.
Message Authentication D3-MAN
  • Use SNMPv3 with strong authentication.
Message Encryption D3-MENCR
  • Use SNMPv3 to encrypt payloads.
Credential Hardening D3-CH
  • Use strong, unique passwords and store them securely.
Platform Monitoring D3-PM
  • Monitor for unusual credentials. 
  • Monitor SNMP Set-Requests for OIDs targeting sensitive device data.
Network Traffic Filtering D3-NTF
  • Use ACLs to only allow management protocols from management devices. 
  • Block TFTP, SMI, and SNMP at edge firewalls.
Network Vulnerability Assessment D3-NVA
  • Use an attack surface management service.

DataBreaches.net

07/13 TOC VPN service favored by ransomware groups is sanctioned by US
Suzanne Smalley reports: The U.S. government on Monday sanctioned a VPN provider and its Ukrainian administrator for abetting ransomware gangs behind attacks on American municipalities, hospitals, schools and businesses. First VPN Service (1VPNS) provided ransomware groups with tools to “hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions…

Source

07/13 TOC NG: Zenith Bank, Others To Be Arraigned Over Alleged Data Breach
Fatima Abdullahi reports: The Federal High Court in Abuja has fixed July 21, 2026, for the arraignment of Zenith Bank Plc and three other defendants over allegations of illegally accessing and disclosing the confidential financial records of Makers Island Company Limited. The other defendants are Oluwaseyi Famousa, Paul Oku and Yesu-Felix Abosede Alice. Justice Hauwa…

Source

07/13 TOC EU and UK hit Russia with joint sanctions over cyberattacks
BGNES News reports: The European Union and the United Kingdom have imposed coordinated sanctions against Russia in connection with cyberattacks in Europe. Brussels and London have accused the Federal Security Service of the Russian Federation (FSB) of recent malicious activities. This move comes amid warnings from Western officials that Russia has intensified its “hybrid” campaign…

Source

07/13 TOC A cyberattack in March resulted in ZEGO filing for insolvency
A statement on ZEGO Textilveredelungszentrum GmbH’s website explains why they are filing for insolvency: Insolvency proceedings have been initiated – and why we are still looking ahead Ladies and gentlemen,  dear business partners, Today we are contacting you with a message that is very difficult for us personally. ZEGO Textilveredelungszentrum GmbH has filed for insolvency….

Source

07/13 TOC Progress urges ShareFile admins to shut down servers over credible thr…
Lawrence Abrams reports: Progress Software is emailing ShareFile customers who use Storage Zone Controllers to immediately shut down their servers after identifying what it describes as a “credible external security threat” targeting the on-premises secure file-sharing software. ShareFile is Progress Software’s enterprise secure file sharing and collaboration platform that allows customers to host their files…

Source

07/12 TOC KR: Military targeted in nearly 19,000 cyberattack attempts in 2025: l…
Chae Yun-hwan reports: Cyberattack attempts against the South Korean military reached nearly 19,000 last year, marking the highest figure in five years, a lawmaker said Sunday. The military was targeted in 18,951 cyberattack attempts in 2025, compared with 11,700 in 2021, 9,115 in 2022, 13,599 in 2023 and 14,419 in 2024, according to Rep. Yu…

Source

07/11 TOC Armenian National Extradited to the United States Pleads Guilty to Ran…
PORTLAND, Ore.— An Armenian national extradited from Ukraine to the United States pleaded guilty yesterday for his role in Ryuk ransomware attacks and an extortion conspiracy targeting companies throughout the United States, including a technology company operating in Oregon. Karen Serobovich Vardanyan, 34, pleaded guilty to conspiracy and computer fraud. According to court documents, between…

Source

07/11 TOC Ransomware negotiator who conspired with BlackCat threat actors senten…
Jon Brodkin reports that a third co-conspirator who helped BlackCat attackers by giving them inside information on victims’ defense strategies has now been sentenced. A former ransomware negotiator was sentenced to 70 months in prison yesterday after colluding with BlackCat scammers to extort the victims he was hired to protect. As a ransomware negotiator for the company DigitalMint,…

Source

07/11 TOC TikTok class action alleges data breach affected 2.4B users
Brandon Richards reports: California resident Sean Mortazi filed a class action lawsuit against TikTok Inc. on June 11, 2026, alleging a data breach exposed the personal data of more than 2.4 billion users worldwide. The complaint, filed in the U.S. District Court for the Central District of California, claims TikTok stored unencrypted data and skipped basic…

Source

07/11 TOC Dutch police trace Odido telco cyberattack to suspected local accompli…
Daryna Antoniuk reports: Dutch police said Thursday they had uncovered evidence suggesting that Dutch criminals were involved in the cyberattack on telecom provider Odido that exposed the personal data of more than 6 million customers earlier this year. Authorities said a Dutch-speaking man posing as an Odido IT employee called the company’s customer service department before the…

Source


Huntress Blog

07/13 TOC Effective Patch Management Strategies: 7 Best Practices | Huntress
Stop letting bad actors exploit old bugs. Build a practical patch management strategy to keep them out and learn to stay secure without all the fluff.
07/13 TOC Threat Actors Achieve Persistence After SQL Injection
See how a threat actor used SQL injection and BadIIS to gain persistence, disable Windows Defender, and quietly install a cryptominer.

CVEMon Intruder

07/14 TOC CVE-2024-21338
Currently trending CVE – Hype Score: 32 – Windows Kernel Elevation of Privilege Vulnerability
07/14 TOC CVE-2026-33557
Currently trending CVE – Hype Score: 3 – A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, …
07/14 TOC CVE-2026-13753
Currently trending CVE – Hype Score: 3 – A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version <=TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve ...
07/14 TOC CVE-2026-4670
Currently trending CVE – Hype Score: 2 – Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
07/14 TOC CVE-2026-55255
Currently trending CVE – Hype Score: 2 – Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the …
07/14 TOC CVE-2026-5174
Currently trending CVE – Hype Score: 2 – Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
07/14 TOC CVE-2026-59939
Currently trending CVE – Hype Score: 1 – httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP …

Hacker News

07/14 TOC Grok Build Uploads Entire Git Repositories to xAI Storage, Not Just Fi…
xAI’s Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not
07/14 TOC U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ranso…
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors’ and other cybercriminals’ malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service (1VPNS), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian
07/14 TOC 148 npm Packages Disguised as Student Proxies Turned Browsers Into a D…
A campaign of 148 npm packages disguised as student web proxies turned visitors’ browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog. The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge
07/14 TOC Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHu…
Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it. In
07/13 TOC CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper C…
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that’s capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. “It validates the victim’s login password locally before
07/13 TOC Google and Microsoft Pull ModHeader With 1.6 Million Installs After Do…
Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The
07/13 TOC Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding A…
Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That’s supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don’t file tickets. That’s the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too
07/13 TOC New MemGhost Attack Plants Persistent False Memories in AI Agents Thro…
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false “fact” about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The
07/13 TOC Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session …
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing
07/13 TOC Meta Files Patent for AI That Can Listen All Day and Track How You’re …
Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would
07/13 TOC Thinking Fast and Slow in the SOC: The Case for Combining Autonomous A…
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building
07/13 TOC Attacker Uses Suspected AI-Generated PowerShell Script to Map Active D…
Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. “The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the
07/13 TOC Misconfigured Server Reveals Three Evilginx Phishing Operations Target…
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history. From that one lapse, French security firm Lexfo lifted the operator’s entire toolkit and pivoted through it to two more
07/13 TOC iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-D…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below – CVE-2026-48939 – A vulnerability in the
07/11 TOC Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer Durin…
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published. If you or one of your
07/11 TOC Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage C…
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. “At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and
07/11 TOC Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in Us…
Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user’s session. It has yet to be assigned a CVE identifier. “The

Publications | Hacking Lab

09/30 TOC Prism: A Multi-Team Orchestration of LLM Agents for Automatic Program …
08/31 TOC QueryHouse: Cross-DBMS Differential Testing with LLM and Query Transpi…

Content on this page is collected from remote sources by IPWorx but is not created by IPWorx. The contents belong to the creators and should be considered theirs for all legal purposes, we have no editorial control or responsibility over them. IPWorx does not represent or endorse the accuracy or reliability of any opinion, statement, or other information provided by any third party.

This page contains links to third-party websites. These links are provided solely for your convenience. IPWorx does not control, maintain, or endorse the content, accuracy, or reliability of any third-party resources, and you access them at your own risk.