Industrial Sector
- CI Fortify: Strengthening Resilience Across Critical Infrastructure
"U.S. critical infrastructure (CI) operators face constant intrusion attempts from nation-state cyber threat actors. These adversaries aim for more than espionage. To win a wider geopolitical conflict: They have successfully pre-positioned across critical infrastructure to disrupt and destroy the operational technology (OT) running the United States, and they could leverage access to telecommunications infrastructure to take out phone and internet services. CI owners and operators must fortify their systems to allow vital services in the United States to sustain essential operations during a geopolitical conflict. Investing in isolation and recovery capabilities today is essential to maintaining service delivery during a future crisis, when an adversary may disrupt communications and manipulate control systems."
https://www.cisa.gov/topics/industrial-control-systems/ci-fortify
https://cyberscoop.com/cisa-ci-fortify-critical-infrastructure-isolation-recovery-guidance-during-conflict/
Vulnerabilities
- MetInfo CMS CVE-2026-29014 Exploited For Remote Code Execution Attacks
"Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code," the NIST National Vulnerability Database (NVD) states."
https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html
https://www.securityweek.com/metinfo-weaver-e-cology-vulnerabilities-in-attackers-crosshairs/
- Critical Bug Could Expose 300,000 Ollama Deployments To Information Theft
"Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns. Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine. A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables, including API keys, tokens, and secrets, Cyera says. Tracked as CVE-2026-7482 (CVSS score of 9.3) and dubbed Bleeding Llama, the bug affects the GGUF model loader, which accepts an attacker-supplied GGUF file containing a declared tensor offset and size larger than the file’s length."
https://www.securityweek.com/critical-bug-could-expose-300000-ollama-deployments-to-information-theft/
- Critical, High-Severity Vulnerabilities Patched In Apache MINA, HTTP Server
"Apache on Monday released patches for over a dozen vulnerabilities in HTTP Server and MINA, including critical and high-severity issues that could be exploited for remote code execution (RCE). Apache HTTP Server 2.4.67 was released with fixes for 11 vulnerabilities, 10 of which affect all previous releases. The first is CVE-2026-23918, a double-free and possible RCE bug in the HTTP/2 protocol handling. By triggering an early reset, an attacker could cause a denial-of-service (DoS) condition and potentially execute arbitrary code. Next in line is CVE-2026-28780, a heap buffer overflow issue that could allow remote attackers to send crafted AJP messages to cause a DoS condition and execute code."
https://www.securityweek.com/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server/
https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
- Microsoft Edge Stores Passwords In Process Memory, Posing Enterprise Risk
"An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft. Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub."
https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk
- WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities
"Meta-owned WhatsApp has published two new security advisories describing vulnerabilities that were patched earlier this year in the popular messaging app. One of the vulnerabilities is CVE-2026-23863, a medium-impact attachment spoofing issue affecting WhatsApp for Windows prior to version 2.3000.1032164386.258709. An attacker could have exploited the flaw to create a maliciously formatted document with embedded NUL bytes in the file name. When sent as an attachment, the recipient would see it as a harmless file, but it would run as an executable when opened, WhatsApp’s advisory explains. The second vulnerability, CVE-2026-23866, has also been assigned a ‘medium impact’ rating. It affects WhatsApp for iOS (v2.25.8.0-v2.26.15.72) and WhatsApp for Android (v2.25.8.0-v2.26.7.10)."
https://www.securityweek.com/whatsapp-discloses-file-spoofing-arbitrary-url-scheme-vulnerabilities/
https://www.malwarebytes.com/blog/news/2026/05/update-whatsapp-now-two-new-flaws-could-expose-you-to-malicious-files
- Critical Remote Code Execution Vulnerability Patched In Android
"Google announced on Monday the release of an Android update patching a critical vulnerability that can be exploited for remote code execution. The flaw, tracked as CVE-2026-0073, affects Android’s System component, allowing an attacker to exploit it to execute code as the shell user without additional execution privileges. User interaction is not required for exploitation. The advisory reveals that the issue impacts ‘adbd’ (Android Debug Bridge daemon), a background process running on Android devices that manages communication between the device and a computer, facilitating debugging and shell access."
https://www.securityweek.com/critical-remote-code-execution-vulnerability-patched-in-android-2/
https://securityaffairs.com/191710/breaking-news/critical-android-vulnerability-cve-2026-0073-fixed-by-google.html
Malware
- DAEMON Tools Software Infected – Supply Chain Attack Ongoing Since April 8, 2026
"In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer company of DAEMON Tools, so that further actions could be taken to remediate the attack consequences."
https://securelist.com/tr/daemon-tools-backdoor/119654/
https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/
https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
- Student Hacked Taiwan High-Speed Rail To Trigger Emergency Brakes
"A 23-year-old university student in Taiwan was arrested for interfering with the TETRA communication system used by the country's high-speed railway network (THSR). According to local media reports, the student halted four trains for 48 minutes on April 5 by using software-defined radio (SDR) communications and handheld radios to transmit a high-priority “General Alarm” signal, triggering emergency braking procedures. THSR is a high-speed railway network in Taiwan that runs a single 350 km (217 miles) two-way line along the western coast of the country, with trains reaching speeds of up to 300 km/h (186 mph)."
https://www.bleepingcomputer.com/news/security/student-hacked-taiwan-high-speed-rail-to-trigger-emergency-brakes/
- CloudZ RAT Potentially Steals OTP Messages Using Pheno Plugin
"Windows Phone Link (formerly "Your Phone") is a synchronization tool developed by Microsoft and built directly into Windows 10 and 11 that bridges a PC and a smartphone (Android or iPhone). By establishing a secure connection via Wi-Fi and Bluetooth, the application mirrors essential phone activities (such as application notifications and SMS messages) onto the computer screen, reducing the user’s need to physically interact with the mobile device while working on the computer. The Phone Link application writes synchronized phone data such as SMS messages, call logs, and the application notification history to the Windows PC in the application’s SQLite database file."
https://blog.talosintelligence.com/cloudz-pheno-infostealer/
https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps/
- A Rigged Game: ScarCruft Compromises Gaming Platform In a Supply-Chain Attack
"ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor. The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was discovered as part of this supply-chain attack. In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor."
https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/
https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html
https://therecord.media/north-korean-hackers-target-ethnic-koreans-in-china
https://www.bankinfosecurity.com/north-koreans-spy-on-defectors-via-android-game-apps-a-31592
https://www.infosecurity-magazine.com/news/scarcruft-birdcall-android-yanbian/
- UAT-8302 And Its Box Full Of Malware
"Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world. Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware. Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least. Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports."
https://blog.talosintelligence.com/uat-8302/
https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
- Breaking The Code: Multi-Stage ‘Code Of Conduct’ Phishing Campaign Leads To AiTM Token Compromise
"Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls. A large-scale credential theft campaign observed by Microsoft Defender Research exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains. The campaign targeted tens of thousands of users, primarily in the United States, and directed them through several stages of CAPTCHA and intermediate staging pages designed to reinforce legitimacy while filtering out automated defenses. The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications."
https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
https://www.infosecurity-magazine.com/news/microsoft-phishing-fake-compliance/
https://www.securityweek.com/microsoft-warns-of-sophisticated-phishing-campaign-targeting-us-organizations/
https://securityaffairs.com/191695/security/microsoft-warns-of-global-campaign-stealing-auth-tokens-from-35k-users.html
- Malicious OpenClaw Skill Distributes Remcos RAT And GhostLoader
"OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular "skill" architecture has been weaponized as a significant attack vector. In March 2026, Zscaler ThreatLabz identified a campaign leveraging the framework to exploit the growing adoption of agentic AI workflows. The threat actor published a deceptive "DeepSeek-Claw" skill for the OpenClaw framework, embedding installation instructions designed to trick AI agents or unsuspecting developers into executing hidden malicious payloads under the guise of seemingly legitimate installation and configuration steps."
https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
- InstallFix And Claude Code: How Fake Install Pages Lead To Real Compromise
"In an era where artificial intelligence tools have become indispensable to modern workflows, threat actors are exploiting this dependency with alarming sophistication. The InstallFix campaign — also known as the Fake Claude Installer threat — represents a dangerous evolution in social engineering, weaponizing trust in legitimate AI platforms to deliver state-linked espionage malware. This report examines how adversaries are impersonating Anthropic's Claude AI assistant, leveraging its 290 million monthly users to distribute malware through meticulously crafted fake installation pages. As organizations rush to integrate AI capabilities, understanding these deceptive tactics is no longer optional, but critical to survival in today's threat landscape. As modern software installation often involves copying and running commands (for example, “curl-to-bash”), attackers take advantage of this behavior by creating fake but realistic installation pages. These pages trick users into executing malicious commands, leading to malware infections."
https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html
Breaches/Hacks/Leaks
- Instructure Hacker Claims Data Theft From 8,800 Schools, Universities
"The hacker behind a breach at education technology giant Instructure claims to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms. Instructure is a cloud-based education technology company best known for its Canvas learning management system, which schools and universities use to manage coursework, assignments, grading, and communication. Last Friday, Instructure disclosed that it was investigating a cyberattack and later revealed that it had suffered a data breach, during which users' names, email addresses, and private messages were exposed."
https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/
https://securityaffairs.com/191686/cyber-crime/educational-tech-firm-instructure-data-breach-may-have-impacted-9000-schools.html
- Vimeo Data Breach Exposes Personal Information Of 119,000 People
"The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. Vimeo is a video hosting and streaming platform publicly traded on the Nasdaq stock market, with over 300 million registered users and over 1,100 employees, and reported revenues of $417 million for FY2024. The company disclosed on April 27 that customer and user data had been accessed without authorization following a recent breach at Anodot, a data anomaly detection company."
https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/
https://securityaffairs.com/191715/data-breach/vimeo-confirms-breach-via-third-party-vendor-impacts-119k-users.html
https://www.theregister.com/2026/05/05/shinyhunters_dump_puts_119k_vimeo/
- Anti-ICE Site GTFO ICE Accused Of Exposing Data Of 17,000+ Activists
"Miles Taylor, a former Department of Homeland Security Chief of Staff and former Google security executive, is at the centre of a major data exposure-related controversy. His new project, GTFO ICE, was launched just a couple of weeks ago with a media appearance on The Rachel Maddow Show. The platform, found at GTFOICE.org, was meant to be a tool for people to organise against immigration detention centres. However, it allegedly failed to protect the personal details of every person who signed up. For context, GTFO ICE (“Get The Facilities Out”) is a rapid-response network and advocacy tool launched in April 2026. It enables users to identify, track, and protest proposed Immigration and Customs Enforcement (ICE) detention facilities in their communities, aiming to “crowd cancel” them."
https://hackread.com/anti-ice-site-gtfo-ice-expose-activists-data/
https://blog.hagerstownrapidresponse.com/p/breaking-news-apparent-data-breach-hits-miles-taylors-anti-ice-organizing-site-gtfoice-org
- Real Estate Giant Confirms Vishing Incident As ShinyHunters And Qilin Both Come Knocking
"Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company. A spokesperson told The Register the attack was "limited" in scope and stemmed from vishing (voice phishing), suggesting an employee was socially engineered. The representative said: "Cushman & Wakefield recently became aware of a limited data security incident due to vishing. We have activated our response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors to support a comprehensive response.""
https://www.theregister.com/2026/05/05/cushman_wakefield/
General News
- Member Of Prolific Russian Ransomware Group Sentenced To Prison
"A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies. “With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”"
https://www.justice.gov/opa/pr/member-prolific-russian-ransomware-group-sentenced-prison
https://www.bleepingcomputer.com/news/security/karakurt-extortion-gang-negotiator-sentenced-to-85-years-in-prison/
https://therecord.media/conti-akira-ransomware-affiliate-sentenced
https://cyberscoop.com/latvian-russia-ransomware-conti-sentenced/
https://www.securityweek.com/karakurt-ransomware-negotiator-sentenced-to-prison/
https://securityaffairs.com/191722/cyber-crime/u-s-court-sentences-karakurt-ransomware-negotiator-to-8-5-years.html
- Skills Gap Top CISO Concern, Says New SANS Survey
"Concerns about the skills and capabilities of cybersecurity teams have for the first time overtaken worries about headcount and unfilled vacancies among chief information security officers, according to a new survey. The shift highlights the challenges CISOs face in addressing new threats driven by emergent technologies like artificial intelligence and quantum computing - and the difficulty they confront identifying and quantifying skills among their existing staff. That's even more so the case for new recruits. "Not having the right staff" was picked by 60% compared to only 40% who chose "not enough staff," in the SANS/GIAC 2026 Cybersecurity Workforce Research Report, which surveyed 947 CISOs from a range of companies across the globe."
https://www.bankinfosecurity.com/skills-gap-top-ciso-concern-says-new-sans-survey-a-31603
- AI Adoption Outpaces Safety Policies, Leaving Organizations Exposed To Cyber Risk
"AI has become embedded in organizations, yet fewer than half have any form of AI safety or security policies in place, potentially leaving them exposed to data breaches, privacy failures and other cyber threats. According to new research published by ISACA on May 5, 90% of digital trust professionals believe that employees in their organization use AI tools. However, only 38% said their organization has a formal, comprehensive AI policy in place to manage use of AI tools, while 30% said they have a limited policy in place. Despite the rise of AI in the workplace, 25% of organizations said they don’t have any policies in place around AI at all."
https://www.infosecurity-magazine.com/news/ai-adoption-outpaces-safety-policy/
https://www.isaca.org/-/media/files/isacadp/project/isaca/resources/infographics/2026-taking-the-pulse-of-ai.pdf
- Targeting The Defense Industrial Base: What Network Telemetry Reveals About Nation-State Pre-Positioning
"Intelligence drives operations. It provides commanders with options across time and space and enables them to shape the battlefield on their terms. This concept is not new. What has changed is the domain. Nation states are applying the same intelligence playbook in cyberspace, with the Defense Industrial Base as a primary target. What is being observed is not limited to intrusion activity; it is reconnaissance and pre-positioning. Analysis of large-scale network telemetry reinforces this, showing sustained patterns of infrastructure mapping and access development long before disruptive activity occurs. In MITRE ATT&CK terms, this maps directly to reconnaissance and resource development. Adversaries are identifying targets, mapping infrastructure, and preparing access long before anything disruptive happens. Volt Typhoon is a clear example. They maintained access to US critical infrastructure for over five years before it was publicly disclosed. This is not an attack. It is intelligence preparation of the battlefield, carried out in cyberspace."
https://www.team-cymru.com/post/defense-industrial-base-nation-state-network-telemetry
https://www.infosecurity-magazine.com/news/small-defense-firms-lack-network/
- Romance Scammers Turn Sweet Talk Into £102M Payday
"Romance fraudsters scammed Britons out of £102 million ($138 million) last year, according to the latest police figures. That works out to roughly £280,000 ($379,000) a day, the City of London Police said Tuesday. The average victim loses around £9,500 ($12,866) per scam, though individual cases have reached £1 million ($1.35 million). The figures come from Report Fraud, a City of London Police service that logged 10,784 romance scam reports in 2025, a 29 percent year-on-year bump. "Romance fraud is particularly harmful because it targets trust and emotional connection," said Detective Superintendent Oliver Little at the City of London Police."
https://www.theregister.com/2026/05/05/romance_scam_figures/
References