New Tooling
- Introducing EvidenceForge: Synthetic Security Logs That Don’t Look (as) Fake
"A lot of important work in security depends on having realistic log data to work with, and a lot of that work gets blocked, watered down, or quietly skipped because the data just isn’t available. The use cases come up constantly: teaching threat hunters, incident responders, and detection engineers with datasets that have known ground truth; validating that a detection fires on the right activity without drowning in false positives; and training ML models that need labeled, balanced, multi-source telemetry at scale. These are different problems with the same root cause. You need realistic, labeled security logs and you can’t get them easily."
https://blog.talosintelligence.com/introducing-evidenceforge-synthetic-security-logs-that-dont-look-as-fake/
https://github.com/Cisco-Talos/EvidenceForge
- Vigolium: Open-Source Vulnerability Scanner
"Vigolium, an open-source vulnerability scanner that combines deterministic scanning with AI-driven auditing, launched its initial open-source release this month. The project ships 235+ scanner modules and an in-process agent runtime called olium that handles autonomous endpoint discovery, attack planning, and finding triage. The tool exposes two scanning paths. vigolium scan runs a multi-phase deterministic pipeline covering content discovery, browser-based spidering, and active and passive auditing. vigolium agent hands control to an LLM-driven harness that selects modules, generates custom JavaScript extensions, and runs source-code audits alongside dynamic scans."
https://www.helpnetsecurity.com/2026/05/27/vigolium-open-source-vulnerability-scanner/
https://github.com/vigolium/vigolium
- Ebpf101
"Liz Rice's Learning eBPF — via the Isovalent tutorial — was our starting point, one chapter per directory. The repo has since gone well beyond it. The opening chapters retrace the tutorial's arc (BCC → libbpf/CO-RE → kprobes/uprobes); from there it keeps going — the verifier as a gate, the bpftool workflow, the XDP and tc datapath, tail calls, LSM BPF (policy enforcement), BPF iterators, and two applied capstones the tutorial never reaches: an XDP firewall and a rule-based intrusion-detection system, drawn respectively from a Columbia EECS6891 lecture (Yannis Zarkadas, Spring 2024) and a research paper (arXiv:2102.09980). All 23 chapters are built and run live on this machine; every program is written to be read."
https://github.com/douglasmun/ebpf101
Vulnerabilities
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability
CVE-2026-45321 TanStack Unspecified Vulnerability
CVE-2026-48027 Nx Console Embedded Malicious Code Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/27/cisa-adds-three-known-exploited-vulnerabilities-catalog
- MediaArea Heap-Based Buffer Overflow Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed four vulnerabilities in MediaArea MediaInfoLib library. The vulnerabilities mentioned in this blog post have been patched by their respective vendor, in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/mediaarea-heap-based-buffer-overflow-vulnerabilities/
- All Major LLMs Exposed To Multi-Turn Manipulation, Warn Researchers
"The safety guardrails of several prominent large language models (LLM) can be bypassed if a user tricks the LLM into having a multi-pronged, ongoing conversation, researchers at Cisco have warned. The researchers examined commonly used LLMs and frontier AI models including OpenAI’s ChatGPT, Anthropic’s Claude, Google Gemini, Amazon Nova, xAI’s Grok and others to test how their built-in safety guardrails held up against potential threats from real-world attackers. They found that many of the models could be tricked into performing actions they should not be able to."
https://www.infosecurity-magazine.com/news/all-major-llms-exposed-to-multi/
- How To Get a 100% Conference Acceptance Rate, The Novee Way: A High-Severity CVE In Leading Call-For-Papers Software
"As a founding engineer and security researcher at Novee, my job is to think like an attacker – and to train Novee’s AI agents to do the same. When I discovered this particular exploit, however, I was doing something ordinary: preparing conference submissions. Different events, different review committees, different deadlines, but I noticed the same submission form kept appearing under different logos. Much of the technical conference world runs its CFPs on pretalx, an open-source platform behind everything from hacker camps to academic symposiums. From the outside, each event looks independent. Underneath, it is one codebase serving them all."
https://novee.security/blog/pretalx-stored-xss-vulnerability-account-takeover/
https://www.securityweek.com/vulnerability-in-popular-conference-software-granted-attackers-a-100-talk-acceptance-rate/
https://www.theregister.com/security/2026/05/27/pretalx-xss-flaw-exposed-conference-cfp-systems/5246598
- CVE-2026-27771: NoScope Discovered 30,000+ Gitea Instances Exposing Private Container Images For 4 Years
"CVE-2026-27771 allowed unauthenticated access to private container images on Gitea instances. 30,000+ deployments were affected. The flaw went undetected for 4 years. NoScope discovered and responsibly disclosed it. If you run Gitea, update to v1.26.2 immediately. If you can't update right now, set [service].REQUIRE_SIGNIN_VIEW=true in your Gitea configuration as a temporary stopgap. Note this stopgap isn't suitable if you intentionally expose some containers publicly."
https://www.noscope.com/blog/gitea-instances-exposing-private-container
https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html
Malware
- Don’t Trust ‘secure Mail’! Malicious Files Impersonating Credit Card Companies Are Being Distributed
"AhnLab recently confirmed the distribution of malicious files disguised as security emails from a major credit card company in Korea. This attack has a similar flow to the Kimsuky group’s past malicious LNK distribution case of disguising password files, but it is characterized by a change in the command execution of the initial LNK file. In particular, the execution of additional files and malicious files and the behavior of the malicious files changed depending on whether the security service of the infected environment was enabled or disabled. Let’s take a look at the main behavior of this case and user precautions."
https://asec.ahnlab.com/en/93855/
- From Poisoned Search Results To GPU Mining: A Cryptojacking Campaign Abusing ScreenConnect And Microsoft .NET Utilities
"Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations. The campaign impersonates trusted system utilities including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear to target users likely to own high-performance GPUs. Rather than maximizing infection volume, the threat actor appears focused on compromising systems with higher mining value."
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html
https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/
https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/
- Disrupting Glassworm: Inside CrowdStrike’s Takedown Of a Developer-Targeting Botnet
"On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads. This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they're targeting the developers who build them."
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/
https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html
https://www.bankinfosecurity.com/glassworm-group-software-supply-chain-attackers-disrupted-a-31792
https://www.infosecurity-magazine.com/news/crowdstrike-google-takedown/
https://cyberscoop.com/crowdstrike-glassworm-botnet-takedown/
https://www.securityweek.com/glassworm-botnet-disrupted/
https://securityaffairs.com/192749/cyber-crime/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html
https://www.theregister.com/cyber-crime/2026/05/27/crowdstrike-google-shatter-glassworm-botnet/5247337
- FBI Warns Of In-Person Data Theft Attacks From Extortion Gang
"The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. "As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI warned in a Tuesday flash alert. "While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer.""
https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/
https://www.ic3.gov/CSA/2026/260526.pdf
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-actors-steal-law-firm-data
https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data
https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/
https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/
https://www.theregister.com/security/2026/05/27/fbi-crooks-enter-legal-offices-and-steal-data-via-usb-drive/5247212
https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/
- OverlayPhantom: The Android Banking Trojan Hiding In Plain Sight
"Cyble Research and Intelligence Labs (CRIL) has identified a novel Android banking trojan, dubbed OverlayPhantom, actively distributed in the wild via malicious URLs. The malware employs a two-stage infection chain, using a dropper application that impersonates trusted platforms, including the official Austrian government identity application, ID Austria, and the widely used consumer platform TikTok, to deceive victims into installing it. Once deployed, OverlayPhantom masquerades as “Google Play Services” and abuses Android’s Accessibility Service to gain persistent, elevated control of the infected device."
https://cyble.com/blog/overlayphantom-android-banking-trojan/
- The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
"The 2026 FIFA World Cup is set to be the largest sporting event in history. Hosted across three nations — the United States, Canada, and Mexico — the tournament will take place from June 11 to July 19, 2026, featuring 104 matches played in 16 cities. The scale is unprecedented: FIFA estimates that more than six million fans will fill stadiums, with an average of 450,000 visitors per city. More than 150 million tickets were requested within the first 15 days of the sales window alone, making this edition approximately 30 times oversubscribed compared to previous tournaments. For context, the 2022 Qatar World Cup drew over 3.4 million in-stadium fans with an average attendance capacity of 96.3 per cent. The 2026 edition is expected to nearly double that figure."
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
https://www.infosecurity-magazine.com/news/ghost-stadium-fifa-world-cup-fraud/
- Fake LinkedIn Emails Abuse Adobe To Track Victims
"Cybercriminals are abusing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. The phishing email masquerades as a business inquiry designed to look like it’s come via LinkedIn and includes a fake “contract” attachment. But it contains a number of red flags:"
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-linkedin-emails-abuse-adobe-to-track-victims
- ‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems
"Trust and automation are key to many attacks; and trust with automation is inherent in the use of AI coding agents. Malicious repositories are a frequent factor in many supply chain attacks, estimated at between 20% and 40%. Such repositories can be used to fool a developer using an AI coding agent into generating bad code that can silently slip into the CI pipeline. That is just one possibility of the SymJack attack described by Adversa AI. The attack requires three elements: attacker control of the coding agent repo, a ready-made malicious MCP server, and a developer’s use of an AI coding tool."
https://www.securityweek.com/symjack-attack-turns-ai-coding-agents-into-supply-chain-attack-delivery-systems/
https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build
- Grandoreiro Malware Campaign Targets Europe And Latin America
"WatchGuard telemetry identified a campaign associated with Grandoreiro that uses the DLL Side-Loading technique abusing four different software programs, targeting banks in Portugal. Also, cases were identified of a known campaign that uses a malicious VBS to deliver the malware, targeting companies in Spain, Portugal, Mexico and Latin America. Grandoreiro has been active since at least 2016 and is now one of the most widespread banking trojans globally. Despite the disruption of some operators and the joint operations with INTERPOL and local law enforcement resulting in the arrest of gang members in Spain, Brazil, and Argentina, that occurred in 2021 and 2024, they’re still active because only part of the gang was arrested and the ones that were not arrested are continuing the operations."
https://www.watchguard.com/wgrd-security-hub/secplicity-blog/grandoreiro-malware-campaign-targets-europe-and-latin-america
- Malware-Slop: New Malicious Npm Package Leaks Its Own GitHub Private Token
"A malicious npm package that reads and uploads files from “/mnt/user-data” was uploaded to GitHub. OX Security observed around 7 active exfiltrations in the threat actor’s GitHub repository before it was taken down; most of them are probably tests conducted by the threat actor itself. The malware reached 676 downloads, and is still live on npm (at time of publishing)."
https://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/
https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html
- Ababil Of Minab: How An Iran-Linked Crew Exfiltrated Data From Four Countries And Destroyed IT, Backups, And Recovery At a Subset Of Victims
"Gambit Security Threat Intelligence team investigated an intrusion campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey: exfiltration across all of them, with destructive operations at a subset. The activity surfaced publicly in late March and early April 2026, after a pro-Iranian persona calling itself Ababil of Minab claimed to have compromised the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro), destroyed systems, and exfiltrated data. Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew as they claim."
https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign
https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system
https://www.securityweek.com/la-metro-cyberattack-linked-to-iranian-state-sponsored-hackers/
https://securityaffairs.com/192764/hacktivism/the-la-metro-attack-wasnt-hacktivism-it-was-a-state-operation-with-a-costume-on.html
- Attackers Disguising Phishing As Google AppSheet Notifications
"Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address? Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims’ accounts and sensitive data."
https://www.kaspersky.com/blog/appsheet-phishing-emails/55827/
Breaches/Hacks/Leaks
- Latin American Cybercriminals Hoover Up Government Data
"Cyber threat groups in Latin and South America have increasingly targeted government agencies and contractors, stealing and monetizing citizen data at a rate that has made the public-administration sector in the region the most-breached in the past year. In mid-May, a group known as La Pampa Leaks claimed to have compromised Uruguay's government-sponsored identity service managed by telecommunications provider Antel, reportedly monetizing the information as a citizen-data lookup service. In February, a hacking collective known as the Chronus Group claimed to have stolen data from 25 different Mexican government agencies and groups. And, in Colombia, cyberattackers targeted the nation's health ministry with more than 23 million attempted attacks during the month of March."
https://www.darkreading.com/cyberattacks-data-breaches/latin-american-cybercriminals-government-data
- UK Visa Portal Exposed Thousands Of Applicants’ Passports And Selfies — Then Called The Lawyers On Us
"A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned. An anonymous person notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process. The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website."
https://techcrunch.com/2026/05/27/uk-visa-portal-spilled-thousands-of-applicants-passports-and-selfies-online-and-hasnt-fixed-the-leak/
General News
- Dutch Police Arrests Suspect Linked To Ajax Football Club Hack
"The Dutch National Police arrested a 35-year-old man suspected of hacking the professional football club Ajax Amsterdam (AFC Ajax) earlier this year. The suspect was arrested in Buren and, according to a Tuesday press release, he is believed to have hacked into the football club's systems multiple times. "On the morning of Tuesday, May 26, the police arrested a 35-year-old man from the municipality of Buren for computer trespassing at the Amsterdam football club Ajax. The man is suspected of deliberately unlawful intrusion into Ajax's computer systems several times," the police said."
https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-linked-to-ajax-football-club-hack/
https://therecord.media/dutch-police-arrest-man-over-cyber-breach-ajax-football
- UK Spy Chief Labels AI ‘unstoppable Force’ With Offensive, Defensive Ramifications For Cyberspace
"Artificial intelligence is an “unstoppable force” that allows tech to be “weaponized just below the threshold of traditional warfare,” including in cyberspace, the head of a U.K. intelligence, security and cybersecurity agency said Wednesday. We live in a world “where the latest frontier AI is rapidly unearthing fault lines in technologies our society relies on every single day,” said Anne Keast-Butler, director of the Government Communications Headquarters (GCHQ) spy agency. “The ground beneath our feet is shifting, and shifting fast. Which means cybersecurity has never been more important.”"
https://cyberscoop.com/gchq-warns-ai-cyber-warfare-threats/
https://www.securityweek.com/uk-cyberspying-chief-calls-ai-an-unstoppable-force-and-warns-about-russia/
- 62% Of Critical Vulnerabilities Have Exploits Circulating Before Scanners Can Detect Them
"Eighteen months ago, security teams had roughly four months between a new CVE and a working exploit. As of April 2026, that window is ten hours. We wanted to understand what that compression means for the detection tools most organizations depend on: vulnerability scanners. So the Cogent Research team analyzed 69,159 CVEs published between January 2025 and April 2026, tracking three timestamps for each one: when the CVE was published, when a working exploit became available, and when the major scanner vendors (Tenable, Qualys, and Rapid7) shipped detection signatures. The findings are not encouraging for teams that rely on scanner output as their primary visibility into new threats."
https://www.cogent.com/blog/2026-q2-detection-gap-report-findings
https://www.darkreading.com/threat-intelligence/ai-assisted-exploit-development-scanner-detection
- Coinflow CISO On Crypto Payments Security Under AI Pressure
"Crypto payment firms sit near the top of the target list for advanced persistent threat groups, and the workload on their security leaders keeps growing. Malcolm Portelli, CISO at Coinflow, runs the company’s security program from Malta. Coinflow is headquartered in the United States and operates across multiple jurisdictions. Portelli sat down for this interview at the Span Cyber Security Arena conference. Portelli says the sector drives his threat model more than the location. “It’s more the industry which we operate in. So, financial services, Web3, and crypto and all that comes with that. Crypto is a big target, especially for the big APTs. They’re always looking at how they can get into crypto firms because that’s their chosen money.”"
https://www.helpnetsecurity.com/2026/05/27/malcolm-portelli-coinflow-crypto-payments-security/
- 68% Of UK Firms Plan To Increase Cyber Spending As AI Risks Rise
"More than two-thirds of UK businesses have said they plan to increase cybersecurity spending over the next 12 months as AI adoption and geopolitical uncertainty reshape technology budgets. According to the Q1 2026 Barclays Business Prosperity Index, 68% of UK business leaders expect to increase cybersecurity investment, while 46% believe new technologies are increasing their exposure to cybersecurity risks."
https://www.infosecurity-magazine.com/news/uk-firms-cyber-spending-ai-risks/
- More CVEs, Same Playbook: 2026 Vulnerability Exploitation In The Wild
"Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a global network sensor array that generated over 3 million alerts and identified four undisclosed CVEs in 2026 to date — present a consistent picture: attackers are opportunistic. They grab newly published CVEs when public proof-of-concept code appears, chain them with established techniques, and move on. What has changed is the volume of vulnerabilities feeding that pipeline. NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year, and that the National Vulnerability Database still cannot keep pace with enrichment. The widely-cited driver is AI-assisted vulnerability discovery: frontier models are enabling both defenders and researchers — and, increasingly, anyone with access to an open-weights model — to surface bugs at machine speed. The exploit window is narrowing, but the exploitation pattern remains recognizable."
https://www.proofpoint.com/us/blog/threat-insight/more-cves-same-playbook-2026-vulnerability-exploitation-wild
- The Credential Crisis: How Stolen Credentials Defeat Modern Security
"The modern cyber use of the word ‘credentials’ stems from the Latin ‘creder’: to believe. As society evolved into the Middle Ages, the early notion of ‘Believe me. I am Socrates’ became, ‘Believe this physical letter that proves I am Socrates.’ Those physical letters became known as ‘credentialis’, or a paper that authenticated the bearer. In today’s cyber world, we call that paper ‘credentials’. It is no longer physical, but virtual, and the meaning has expanded to ‘you can trust in the belief that I am who I say I am and you can treat me as such: I am Socrates.’ Socrates is the identity, and the credentials prove it."
https://www.securityweek.com/the-credential-crisis-how-stolen-credentials-defeat-modern-security/
- Expecting The Unexpected: Monitoring For Drift In ML Systems
"Imagine the following scenario: you and a team of cyber experts have been tasked with protecting your organization from cyberattacks. You’ve developed a machine learning (ML) model to screen incoming and outgoing traffic. You feel you can rest easy, as your model achieves near-perfect performance during test and evaluation. One day, you are awakened by a frantic call from your CEO—your customers’ private data have been leaked. How could this happen? you think to yourself, as you begin investigating why your model failed to stop this attack."
https://www.sei.cmu.edu/blog/expecting-the-unexpected-monitoring-for-drift-in-ml-systems/
- SOC Threat Radar — May 2026
"Attackers are successfully signing in to Microsoft 365 accounts using IP addresses that look more like legitimate users. To do this, attackers are using VPNs or frequently changing IP addresses. This helps their activity to blend in with everyday employee logins. Researchers noted that in April there was an increase of around 25% in malicious logins coming from low-risk countries such as the UK and the U.S., rather than regions that are more usually associated with suspicious logins."
https://blog.barracuda.com/2026/05/27/soc-threat-radar-may-2026
- Romanian National Sentenced For Selling Access To Networks Of Oregon State Government Office And Other U.S. Victims
"A Romanian national was sentenced yesterday to 56 months in prison in connection with an online intrusion into an Oregon state government office in 2021 and other cyber-attacks on U.S. victims. According to court documents, Catalin Dragomir, 46, formerly of Constanta, Romania, sold access to a computer on the network of an Oregon state government office after obtaining unauthorized access to it in June of 2021. During the sale, Dragomir provided the prospective buyer with samples of personal identifying information from the computer. He also sold access to the computer networks of numerous other victims in the United States, causing losses of at least $250,000."
https://www.justice.gov/opa/pr/romanian-national-sentenced-selling-access-networks-oregon-state-government-office-and-other
https://therecord.media/romanian-national-sentenced-to-over-4-years-oregon-hack
https://www.securityweek.com/romanian-hacker-sentenced-to-prison-in-us-for-selling-access-to-state-network/
https://securityaffairs.com/192770/cyber-crime/romanian-hacker-gets-nearly-5-years-in-us-prison-over-network-intrusion.html
- Out Of The Crypt: The Evolving Cyber Extortion Economy
"This blog dives into the growing trend of data theft and extortion activities which no longer require the use of ransomware to pressure victims into paying a demand. We examine the financially-motivated threat actors using both single and double extortion techniques and what this means for organizations going forward, especially with the arrival of frontier AI models."
https://unit42.paloaltonetworks.com/cyber-extortion-economy/
References
Electronic Transactions Development Agency (ETDA) 













