Cyber Threat Intelligence 07 May 2026
Industrial Sector
- Johnson Controls CEM AC2000
"Successful exploitation of this vulnerability could allow a standard user to escalate privileges on the host machine."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-125-05
- Hitachi Energy PCM600
"Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-125-01
- ABB B&R PVI
"ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exploited this vulnerability could read sensitive information in the logging data of the PVI client application. Logging is deactivated by default in all PVI client versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-125-02
- ABB B&R Automation Runtime
"ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is available that resolves a vulnerability. An attacker who successfully exploited this vulnerability could cause the product to stop."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-125-03
- ABB B&R Automation Studio
"ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is available that resolves a vulnerability. Successful exploitation of this vulnerability may enable an attacker to masquerade as a trusted party when B&R Automation Studio establishes a connection with a server via the ANSL over TLS or OPC-UA protocol."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-125-04
Vulnerabilities
- Critical Vm2 Sandbox Bug Lets Attackers Execute Code On Hosts
"A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published. In the security advisory, the maintainer says that the issue only impacts environments with Node.js 25 (confirmed on Node.js 25.6.1) that have enabled WebAssembly exception handling and JSTag support."
https://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/
https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
- Palo Alto Networks Warns Of Firewall RCE Zero-Day Exploited In Attacks
"Palo Alto Networks warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks. Also known as the Captive Portal, the User-ID Authentication Portal is a PAN-OS security feature that authenticates users whose identities cannot be automatically mapped by the firewall. Tracked as CVE-2026-0300, this zero-day bug stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day/
https://unit42.paloaltonetworks.com/captive-portal-zero-day/
https://security.paloaltonetworks.com/CVE-2026-0300
https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
https://therecord.media/palo-alto-warns-of-critical-software-bug-firewalls
https://www.bankinfosecurity.com/palo-alto-firewalls-being-exploited-no-patch-yet-available-a-31612
https://cyberscoop.com/palo-alto-networks-pan-os-firewall-zero-day-vulnerability-exploited/
https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/
https://securityaffairs.com/191748/security/palo-alto-networks-pan-os-flaw-exploited-for-remote-code-execution.html
- Attackers Actively Exploiting Critical Vulnerability In Breeze Cache Plugin
"On April 22nd, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Breeze Cache, a WordPress plugin with an estimated 400,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to upload arbitrary files, including PHP backdoors, and achieve remote code execution. The vendor released the fully patched version on April 21st, 2026. Our records indicate that attackers started exploiting the issue the same day the vulnerability was disclosed in the Wordfence Intelligence vulnerability database – April 22nd, 2026. The Wordfence Firewall has already blocked over 30,000 exploit attempts targeting this vulnerability."
https://www.wordfence.com/blog/2026/05/attackers-actively-exploiting-critical-vulnerability-in-breeze-cache-plugin/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-0300 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog
- New Cisco DoS Flaw Requires Manual Reboot To Revive Devices
"Cisco released security updates to fix a Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) denial-of-service (DoS) vulnerability that requires manually rebooting targeted systems for recovery. Large enterprises and service providers leverage the CNC software suite to simplify multivendor network management and operations handling with automation, while the NSO orchestration platform helps them manage network devices and resources. Tracked as CVE-2026-20188, this high-severity security flaw stems from inadequate rate limiting on incoming network connections and can be exploited remotely by unauthenticated threat actors to crash unpatched Cisco CNC and Cisco NSO systems through low-complexity attacks."
https://www.bleepingcomputer.com/news/security/new-cisco-dos-flaw-requires-manual-reboot-to-revive-devices/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-dos-7Egqyc
Malware
- Hackers Abuse Google Ads For GoDaddy ManageWP Login Phishing
"A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy’s platform for managing fleets of WordPress websites. The threat actor is using an adversary-in-the-middle (AitM) approach where the fake login page acts as a real-time proxy between the victim and the legitimate ManageWP service. ManageWP is a centralized remote administration platform for WordPress websites, enabling users to manage multiple sites from a single panel instead of logging into separate dashboards. Common users include web developers, web agencies managing client sites, and enterprises. Researchers at Guardio Labs warn that the fake result is displayed above the real one for the 'managewp' query, luring users who rely on Google to find the URL for logging into ManageWP."
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-for-godaddy-managewp-login-phishing/
- DAEMON Tools Devs Confirm Breach, Release Malware-Free Version
"Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version. 'Within less than 12 hours of identifying the issue, we were able to implement a solution. Based on our current findings, the issue was limited to the free DAEMON Tools Lite version and did not affect any of our other products,' Disc Soft told BleepingComputer. 'We have not identified evidence supporting claims that all DAEMON Tools users were impacted, and at this stage, we are not in a position to confirm any impact on paid versions customers. Our current analysis indicates that DAEMON Tools Pro and DAEMON Tools Ultra were not affected and absolutely safe.'"
https://www.bleepingcomputer.com/news/security/daemon-tools-devs-confirm-breach-release-malware-free-version/
- Muddying The Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
"In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade. Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS)."
https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/
https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html
https://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks/
https://www.infosecurity-magazine.com/news/iran-linked-apt-chaos-ransomware/
https://securityaffairs.com/191765/breaking-news/iranian-cyber-espionage-disguised-as-a-chaos-ransomware-attack.html
https://www.securityweek.com/iranian-apt-intrusion-masquerades-as-chaos-ransomware-attack/
https://www.theregister.com/security/2026/05/06/iran-cyberspies-larping-as-ransomware-crims-in-espionage-ops/5230993
- Insights Into The Clustering And Reuse Of Phone Numbers In Scam Emails
"Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails. According to Talos’ observations, the ease of API-driven provisioning makes a few VoIP providers the preferred tool for attackers, allowing for high-volume, cost-effective scam operations that are difficult to trace. Attackers maintain operational continuity by rotating through sequential blocks of phone numbers and utilizing strategic cool-down periods, with a median phone number lifespan of 14 days, to effectively evade reputation-based security filters."
https://blog.talosintelligence.com/insights-into-the-clustering-and-reuse-of-phone-numbers-in-scam-emails/
- Steal Smarter, Not Harder: Malicious Use Of Vercel For Credential Phishing
"Threat actors are using the Artificial Intelligence (AI) web development tool, Vercel, to quickly create large numbers of realistic phishing websites that spoof well-known brands. With just a few text prompts, attackers can generate phishing pages that closely resemble legitimate sites in both appearance and functionality. This shift in tactic shows the full adoption of Generative Artificial Intelligence (GenAI) by threat actors. Although Vercel requires an account to use its Gen AI features, signing up is easy, and there is a free tier available that allows threat actors to make use of basic features."
https://cofense.com/blog/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing
- New VoidStealer Trojan Bypasses Chrome’s Stored Data Protection
"Malicious actors have developed a new way to steal data stored by Chrome for Windows. Researchers discovered the technique while analyzing a fresh build of an infostealer known as VoidStealer. The new method allows the malware to bypass Chrome’s Application-Bound (App-Bound) Encryption (ABE), a mechanism intended to protect session cookies and other valuable information stored in the browser. Google hoped this mechanism would secure the master key Chrome uses to encrypt all sensitive data. Unfortunately, this isn’t the first time malware authors have found a workaround for this defense — leaving secrets stored in Chrome vulnerable once again."
https://www.kaspersky.com/blog/chrome-application-bound-encryption-bypass-voidstealer/55735/
https://www.darkreading.com/endpoint-security/yet-another-way-bypass-google-chromes-encryption-protection
- The Architecture Of Deception: How a $187 Million Fraud Ecosystem Exploits Trust Across Australia And The United States
"In 2025, Australians lost $837.7 million to investment scams — the single highest-loss fraud category in the country, representing over a third of the $2.18 billion in total scam-related losses reported across all agencies. In the United States, the picture is even starker: consumers reported $7.9 billion in losses to investment scams, with a median individual loss exceeding $10,000. These figures, drawn from the Australian Competition and Consumer Commission (ACCC) and the U.S. Federal Trade Commission (FTC), point to a problem that is growing in both scale and sophistication."
https://www.group-ib.com/blog/architecture-deception-investment-crypto-fraud/
- How DataDome Stopped a 2.45B-Request DDoS Attack Against a High-Traffic Content Platform
"In mid-April 2026, a DDoS attack targeting a large-scale user-generated content platform made more than 2.45 billion requests in just five hours but never triggered traditional rate limits. Instead of overwhelming systems with brute force, the attack distributed traffic across more than 1.2 million unique IPs, exposing a structural weakness in how most defenses are designed. Systems like these are a prime target for DDoS attacks: their scale means availability is business-critical, their data richness makes them attractive to scrapers and aggregators, and their reliance on user-generated content creates multiple exploitable surfaces that a distributed attack can hit simultaneously. Disrupting one can cascade across all, giving attackers the opportunity to extort payment, disrupt operations at scale, or use the outage as cover for other malicious activity."
https://datadome.co/threat-research/how-datadome-stopped-a-2-billion-request-ddos-attack/
https://hackread.com/low-and-slow-ddos-attack-hits-2-45-billion-5-hours/
- Attackers Adopt JavaScript Runtime Bun To Spread NWHStealer
"In our previous research, we analyzed a Windows infostealer we track as NWHStealer. The attackers behind this stealer are continuously finding new methods to distribute the stealer. During our hunting activities, we noticed how attackers are using a JavaScript runtime called Bun to help distribute it. Bun is a legitimate, fast, all-in-one JavaScript and TypeScript toolkit designed as a modern, high-performance replacement for Node.js. It is built from the ground up to simplify modern web development by integrating several essential tools into a single executable."
https://www.malwarebytes.com/blog/threat-intel/2026/05/attackers-adopt-javascript-runtime-bun-to-spread-nwhstealer
- OceanLotus Suspected Of Using PyPI To Deliver ZiChatBot Malware
"Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI (the Python Package Index). We shared this information with the public security community, and the malware was removed from the repository. We submitted the samples to Kaspersky Threat Attribution Engine (KTAE) for analysis. Based on the results, we believe the packages may be linked to malware discussed in a Threat Intelligence report on OceanLotus. While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files. These files can be either .DLL or .SO (Linux shared library), indicating the packages’ ability to target both Windows and Linux platforms."
https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
- Iranian Proxy Networks In Latin America Post-Maduro: IRGC
"Following the arrest of Nicolás Maduro and the destabilization of Venezuela in early 2026, Iranian threat actors have experienced significant disruption in Latin America. Venezuela’s loss as a safe haven has forced these networks to adapt in Colombia and Ecuador. IRGC and Hezbollah operatives remain active in espionage, failed terrorist plots, and criminal collaboration with local groups. Across the region, these actors continue to exploit drugs trafficking routes, money laundering schemes, and new alliances."
https://www.resecurity.com/es/blog/article/iranian-proxy-networks-in-latin-america-post-maduro-irgc
- Someone Published Four Versions Of a Fake "tanstack" Package In 27 Minutes To Steal Your .env Files
"Someone registered the tanstack name on npm, built a video player SDK they called "TanStack Player," and today published four rapid-fire versions designed to exfiltrate your environment files the moment you run npm install. The real TanStack, the home of TanStack Query, TanStack Table, TanStack Router, all those @tanstack/* packages with millions of weekly downloads, has nothing to do with this. The attacker just grabbed the unscoped name, dressed it up convincingly, and waited. Today at 17:08 UTC, they deployed the payload."
https://www.aikido.dev/blog/fake-tanstack-packages-steal-env-files
General News
- Research Hub Bridges Cybersecurity Gap For Under-Resourced Organizations
"States, cities, and localities are struggling to stay ahead of devastating cyberattacks, but some under-resourced organizations are buckling under pressure. Recent cuts to federal initiatives and policy changes mean they can't expect help from that quarter, paving the way for independent organizations and initiatives to fill the ever-widening void. The Cybersecurity Infrastructure and Security Agency (CISA) has seen its budget slashed and its workforce dramatically downsized over the past two years. The US government has also pulled back help for the Multi-State Information Sharing and Analysis Center, a public-private information-sharing initiative for people, businesses, and governments at the state, local, and tribal levels. And the White House's Cyber Strategy for America encourages organizations to adopt a more offensive approach as part of their defense strategies, something that may be difficult, if not out of reach, for smaller-scale organizations lacking dedicated IT and cybersecurity teams."
https://www.darkreading.com/cyber-risk/research-hub-bridges-cybersecurity-gap-organizations
- Why Security Leadership Makes Or Breaks a Pen Test
"The effectiveness of a penetration test depends largely on the commitment of an organization's security leadership to the process. Leadership decisions that happen before testing begins — around scope, objectives, and stakeholder alignment — determine the quality of everything that follows. Decisions made after the test determine whether the exercise produces lasting security value or simply generates a document that gets filed away. Getting both right requires a level of organizational discipline that many companies still struggle to maintain, according to security experts."
https://www.darkreading.com/vulnerabilities-threats/security-leadership-makes-breaks-penetration-tests
- Middle East Cyber Battle Field Broadens — Especially In UAE
"In early February, prior to the start of the 2026 conflict in the Middle East, the United Arab Emirates saw anywhere from 90,000 to 200,000 breach attempts every day. Following the opening of military operations by Israel and the US against Iran, cyberattacks surged a few weeks later, with the current daily average ranging between 600,000 and 800,000 breach attempts, Mohammed Al Kuwaiti, chairman of the UAE Cyber Security Council, told various publications. In addition, the mix of cyberattacks has changed from denial-of-service boasts on Telegram by hacktivists to more serious claims of intrusions and compromise, according to CypherLeak, a cybersecurity services firm with offices in the UAE and Morocco. Several Gulf nations saw a big jump in their "cyber-relevant activity" — a proxy for attacker and defender activity. The UAE saw 15 times the normal volume of cyber-relevant activity, Saudi Arabia 25 times, and Qatar more than quadrupled."
https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyber-battle-field-broadens-uae
- One In Eight Workers Has Sold Their Corporate Logins
"A large share of UK employees have sold their corporate credentials over the past year, exposing their organization to cyber and financial crime, according to Cifas. The non-profit fraud prevention service revealed the findings in its latest Workplace Fraud Trends report, which is based on responses from 2000 UK employees working in companies with 1000+ staff. It found that 13% of respondents admitted selling their logins over the past 12 months, or knew someone who had. The same share (13%) claimed they thought the act of selling credentials was “justifiable” – rising even higher for senior managers (32%), directors (36%), C-suite executives (43%) and business owners (81%)."
https://www.infosecurity-magazine.com/news/one-eight-workers-sold-corporate/
- Websites With An Undefined Trust Level: Avoiding The Trap
"The online landscape is filled with various traps lying in wait for users. One such threat involves websites that can’t be strictly classified as phishing, yet whose activities are inherently unsafe. These sites often operate on the fringes of the law, even if they aren’t directly violating it. Sometimes they use a cleverly crafted Terms of Service document as a loophole. These agreements might include clauses such as no-refund policies or forced automatic subscription renewals."
https://securelist.com/suspicious-websites-undefined-trust-level/119675/
- Romanian National Appears In Federal Court Following Extradition From Romania On Bank Fraud Charges Stemming From “Vishing” Scheme
"A Romanian national appeared in court today to face bank fraud charges for his role in a “vishing” scheme, following his extradition from Romania, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina. On November 14, 2017, a federal grand jury in Charlotte returned a criminal indictment charging Gavril Sandu, 53, with one count of conspiracy to commit bank fraud and one count of bank fraud. Sandu was arrested in Romania on January 9, 2026. He was extradited to the United States on April 30, 2026."
https://www.justice.gov/usao-wdnc/pr/romanian-national-appears-federal-court-following-extradition-romania-bank-fraud
https://www.securityweek.com/romanian-extradited-to-us-for-role-in-hacking-scheme-17-years-ago/
https://securityaffairs.com/191771/cyber-crime/after-17-years-gavril-sandu-extradited-to-u-s-for-hacking-scheme.html
- Oracle Debuts Monthly Critical Security Patch Updates
"Starting this month, Oracle is supplementing the quarterly Critical Patch Update (CPU) fixes with monthly security releases focused on high-priority vulnerabilities. The first monthly Critical Security Patch Update (CSPU) will roll out on May 28, addressing critical-severity vulnerabilities in the company’s products. It will be followed by a second CSPU on June 16, and a third on August 18. In July, Oracle will release the usual quarterly CPU, which will contain both fixes for new security defects and the patches included in the prior CSPUs."
https://www.securityweek.com/oracle-debuts-monthly-critical-security-patch-updates/
References
Electronic Transactions Development Agency (ETDA)