Google researchers found a zero-day exploit developed by artificial intelligence and alerted the susceptible vendor to the imminent threat before a well-known cybercrime group initiated a mass-exploitation campaign, the company said in a report released Monday.

The averted disaster probably isn’t the first time attackers used AI to build a zero-day, but it is the first time Google Threat Intelligence Group found compelling evidence that this long-predicted and worrying escalation in vulnerability-exploit development is underway.

“We finally uncovered some evidence this is happening,” John Hultquist, chief analyst at GTIG, told CyberScoop. “This is probably the tip of the iceberg and it’s certainly not going to be the last.”

Google declined to identify the specific vulnerability, which has been patched, or name the “popular open-source, web-based administration tool” it affected. It did, however, note that the defect impacted a Python script that allows attackers to bypass two-factor authentication for the service.

Researchers also withheld details about how they discovered the zero-day exploit or the cybercrime group that was preparing to use it for a large-scale attack spree.

The threat group has a “strong record of high-profile incidents and mass exploitation,” Hultquist said, suggesting the attackers are prominent and well-known among cybersecurity practitioners. 

GTIG is fairly confident the threat group was using AI in a meaningful way throughout the entire process, but it has yet to determine if the technology also discovered the vulnerability it ultimately developed into an exploit.

Whichever AI model the attackers used — Google is confident it wasn’t Gemini or Anthropic’s Mythos — left artifacts throughout the exploit code that are inconsistent with human developers. This evidence, which included documentation strings in Python, highly annotated code and a hallucinated but non-existent CVSS score, tipped Google off to the fact AI was heavily involved, Hultquist said. 

GTIG has been warning about and expecting AI-developed exploits to hit systems in the wild, especially after its Big Sleep AI agent found a zero-day vulnerability in late 2024.

“I think the watershed moment was two years ago when we proved this was possible,” Hultquist said, adding that there are probably several other AI developed zero-days in play now. 

Yet, to him, the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further.

“The game’s already begun and we expect the capability trajectory is pretty sharp,” Hultquist said. “We do expect that this will be a much bigger problem, that there will be more devastating zero-day attacks done over this, especially as capabilities grow.”

The post Google spotted an AI-developed zero-day before attackers could use it appeared first on CyberScoop.

The zero-day was designed to bypass 2FA and it was developed by a prominent cybercrime group.

The post Google Detects First AI-Generated Zero-Day Exploit appeared first on SecurityWeek.

Attackers are hitting Ivanti customers yet again — circling back to a common target and consistently susceptible vendor in the network edge space — by exploiting a zero-day vulnerability in one of the company’s most besieged products. 

Ivanti warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation defect in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company alerted customers to the threat in a security advisory Thursday while also disclosing four additional high-severity vulnerabilities in the same product.

“At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement,” a spokesperson for Ivanti said in a statement.

Ivanti did not say when the first instance of exploitation occurred, or precisely how many customers have already been impacted.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog within hours of Ivanti’s disclosure.

The company released patches for all five vulnerabilities Thursday, including the four additional defects — CVE-2026-5787, CVE-2026-5788, CVE-2026-6973 and CVE-2026-7821 — which it said haven’t been exploited in the wild.

“Ivanti discovered these vulnerabilities in recent weeks through internal detection processes which are supported by advanced AI, customer collaboration, and responsible disclosure,” the company spokesperson said. One of the defects was discovered and responsibly reported to Ivanti by a former employee.

The company suggested at least one of the root causes for the latest zero-day may be traced to lingering risk posed by a pair of separate, critical zero-days — CVE-2026-1281 and CVE-2026-1340 — that were exploited starting in late January. The fallout from those exploited vulnerabilities in Ivanti EPMM spread to nearly 100 victims, including The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary, by early February.

The latest Ivanti EPMM zero-day “requires authenticated administrative access to exploit, which is why customers who followed Ivanti’s recommendation in January to rotate EPMM credentials are at significantly reduced risk. Customers unaffected by the prior vulnerability are also at a much lower risk,” the company spokesperson said.

Caitlin Condon, vice president of security research at VulnCheck, said the administrative privileges required to exploit CVE-2026-6973 indicates it was possibly exploited as part of an attack chain relying on another method for initial access. 

“No attribution was shared on threat actor exploitation of CVE-2026-6973, but two other 2026 CVEs in Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340 — have been exploited by a range of threat actors, including China- and Iran-attributed groups,” Condon told CyberScoop. 

“Those vulnerabilities notably were code-injection vulnerabilities that were remotely exploitable without authentication, unlike CVE-2026-6973,” she added. “Both CVE-2026-1281 and CVE-2026-1340 appear to have been fixed in today’s Ivanti release. Comparatively, these earlier vulns were of higher initial concern than today’s fresh zero-day vulnerability, which requires admin authentication.”

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large, including many vulnerabilities that attackers exploited before the company caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 34 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 22 defects across Ivanti products have been exploited in the past two years, including five vulnerabilities in Ivanti EPMM in the last year.

During an interview with CyberScoop in March at the RSAC Conference, Ivanti Chief Security Officer Daniel Spicer said the company’s transparency partly explains the high number of vulnerabilities reported and disclosed in its products. 

“My position here at Ivanti is it doesn’t do our customers any good to be quiet about this,” he said, describing the company’s communication stance with the public, CISA and global partners as “very aggressive.”

That’s not always the case with other vendors, Spicer said. “I don’t know that transparency is a core tenant of all other organizations.”

The company, which serves many government agencies and critical infrastructure operators, also routinely notes that highly skilled and resourced attackers, including those backed by nation-states, are often responsible for these waves of attacks on its customers.

Ivanti maintains that it’s trying to consistently improve the security of its products. “Through continued investment in its product security program, including the use of advanced AI paired with human verification, Ivanti is strengthening its ability to identify, remediate, and disclose issues quickly, helping customers stay ahead of an increasingly compressed threat landscape,” the spokesperson said.

The way Spicer put it in March: “We want to make sure that people understand that we are trying to do the right thing.”

The post Ivanti customers confront yet another actively exploited zero-day appeared first on CyberScoop.

Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.

The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run  code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.

Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.

The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.

“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.

The company said firewalls exposed to the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, and it described the attack complexity as low.

Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.

“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.

Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.

Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.” 

Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon. 

“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”

Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators or compromise, nor disclose the type of organizations that have been targeted and impacted. 

Researchers are hunting for malicious activity and advise customers to apply patches upon release.

The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.

Attackers are actively exploiting a Linux vulnerability in the wild, and researchers warn that the fallout could be broad — anyone with authenticated local access can leverage it to gain total control of a system. 

But the story behind CVE-2026-31431 is almost as interesting as the bug itself. Theori, the company that discovered the bug, leaned heavily on AI to find and initially disclose it. The result is a case study that  underscores the challenges that occur when the relentless hunt for defects collides with marketing impulses and inflated AI-generated language that was long on bluster but lacked technical details. 

Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content, and warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation resulting in root access. 

Theori’s AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team March 23. Major Linux distributions affected by the vulnerability had issued patches prior to Theori’s disclosure, which it published alongside a proof-of-concept exploit. 

The Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its known exploited vulnerabilities catalog Friday.

Researchers have yet to determine how many organizations have been impacted by the flaw, but they noted that critical requirements for exploitation, specifically local access achieved through a separate exploit or pathway to unauthorized access, should limit potential exposure.

“The attacker would need to have already established a foothold on the target system either through some means of legitimate access or another exploit,” Spencer McIntyre, secure researcher at Rapid7, told CyberScoop. “That’s a large limiting factor since this vulnerability would therefore need to be paired with another.”

Theori’s disclosure turned heads among other vulnerability researchers who noted the defect’s broad potential impact, but also for lacking details about the proof-of-concept exploit. 

“The exploit is real, there is something to worry about, but understandably, teams now have to do additional validation to know how to parse the extreme AI FUD (fear, uncertainty and doubt) from [Theori’s] blog post,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“It’s not helpful that the blog is AI slop, because it detracts from technical reality,” she added. 

Theori acknowledges it used AI to discover and describe the vulnerability, explaining that it’s focusing on finding and fixing a large amount of defects. 

“We used AI to help craft the disclosure site and the blog post to help speed things up, but all material was thoroughly reviewed by our internal teams for accuracy,” said Tim Becker, senior security researcher at Theori. 

Theori is intentionally withholding additional details until the patch is broadly applied, he added.

“We stand by our technical description of the vulnerability. Helping downstream users to understand the impact of a security bug has always been a challenge for security researchers,” Becker said. “Copy Fail allows for trivial privilege escalation on most desktop and server Linux distributions. It also has implications for containerization including Kubernetes.”

Other researchers have drawn similar conclusions, noting that exploitation can be automated and doesn’t require specialization. 

Meanwhile, hundreds of additional proof-of-concept exploits have surfaced since the vulnerability was disclosed five days ago. “As expected, the majority of these appear to be copycat AI PoCs that do nothing but add banners or different colors to the command-line interface. Many new PoCs are simply ports of the original AI PoC to a different programming language,” Condon said. 

“Organizations should exercise caution when running untested research artifacts, including AI-generated exploit code that isn’t fully explained,” she added. 

Becker said Theori is aware of the burden defenders confront, and insists the company’s reports contain enough information for organizations to quickly triage and validate its findings.

The post ‘Copy Fail’ is a real Linux security crisis wrapped in AI slop appeared first on CyberScoop.

Many security leaders are still operating with frameworks built for a different era. For years, success was measured by fixed checkpoints, such as passing audits, closing vulnerabilities, and maintaining compliance. Those markers still have value, but they were designed for a threat landscape that moved in predictable, linear ways.

Today, that landscape is shifting in real time. AI is accelerating how attackers can identify and exploit weaknesses, while cloud environments and autonomous systems are constantly changing the terrain. The result is a gap between how risk is measured and how it actually unfolds, where static signals can’t keep up with dynamic threats.

CISOs are under pressure from two directions: risk is growing, and the tools meant to measure it are struggling to keep up. Traditional indicators often reflect yesterday’s threat landscape, leaving security leaders with an incomplete picture of where they actually stand.

The Mythos signal

Recent reports about Anthropic’s Claude Mythos Preview, described as so effective at vulnerability discovery that access has been restricted, offer a clear signal of where cybersecurity is headed. AI models like this one demonstrate that the speed and scale of exploitation have fundamentally changed. What once took skilled attackers days or weeks can now happen in minutes, and increasingly without human intervention.

That shift matters because attacker capabilities are accelerating faster than most organizations can measure them. The gap between how risk unfolds and how security teams track it is widening. A “passed” audit tells you where you’ve been, not where you are. A posture dashboard reflects a moment in time, not a continuously changing environment. And a pen test is a snapshot, in a world where conditions evolve constantly.

Sharpening the conversation this quarter

If your conversations haven’t evolved to match this new reality, your organization has a significant blind spot. Here are five questions CISOs should be using to turn the current shift into action:

What can we see at runtime without waiting for a report?
Configuration tools tell you what should be true. Runtime visibility tells you what is true right now. (Follow up: If an attacker starts moving laterally in our cloud environment today, how fast do we know, in minutes or days?)

Do we have a complete inventory of identities, including non-human?
Business environments are full of identities beyond employees. Vendors, contractors, service accounts, API keys, automations, machine identities, and cloud principals sprawl across systems. Attackers love that sprawl because stealing credentials is often easier than writing malware.
(Follow up: How many human and non-human identities do we have, and which ones can access sensitive data or modify critical infrastructure?)

Where are we over-permissioned, and how quickly can we reduce it?
Over-permissioned accounts act like master keys: convenient until they’re compromised. Least privilege must be measurable, not aspirational. (Follow up: Can you show me the highest-risk access paths and what we can remove or tighten in 30 days?)

Are we using AI to reduce noise and speed decisions or just adding another screen?
Many teams are drowning in alerts. AI can help by adding context (connecting a risky identity + vulnerable workload + exposed secret) so responders can act quickly, instead of chasing disconnected warnings. (Follow up: What’s our alert volume, what percentage is actionable, and what’s improved response time?)

Can you walk me through a realistic incident end to end, with decision points?
Prevention matters, but resilience is what separates organizations when something gets through. Incidents are inevitable. What matters is detection speed, containment, recovery, and communications. (Follow up: Pick a scenario — credential theft, ransomware, vendor compromise — What happens here, who decides what, and when does executive leadership need to know? What do customers need to know?)

What to do with the answers

If these questions surface gaps, the path forward is usually practical. Start by prioritizing runtime visibility on systems that support critical services and sensitive resident data. Treat identity like infrastructure — inventory it, right-size permissions, and monitor continuously. Shift measurement toward outcomes like time to detect, contain, and restore, rather than activity metrics like tickets closed or controls checked. And rehearse the hard day with both technical teams and leadership, including communications.

In an era where threats move at AI speed, the advantage belongs to teams that can see clearly and act immediately. The defining question now is how quickly you can identify a risk, understand its impact, and respond before it escalates.

Rinki Sethi is the chief security & strategy officer at Upwind Security, holding over two decades of cybersecurity leadership experience from roles at Twitter, Rubrik, BILL, Palo Alto Networks, IBM, and eBay. She is a founding partner at Lockstep Ventures, serves on the boards of ForgeRock and Vaultree, and is widely recognized for her contributions to the cybersecurity community, including developing the first national cybersecurity curriculum for the Girl Scouts of USA.

The post The AI era demands a different kind of CISO appeared first on CyberScoop.

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild.  The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

Voice-based phishing, a form of social engineering where attackers call employees or IT help desks under false pretenses in an attempt to gain access to victim networks, surged in 2025, Mandiant said Monday in its annual M-Trends report. 

These points of intrusion, which have been a hallmark of attacks attributed to members of the cybercrime collective The Com, including offshoots such as Scattered Spider, accounted for 11% of all incidents Mandiant investigated last year.

Exploited vulnerabilities remained the top initial access vector for the sixth-consecutive year, giving attackers footholds in 32% of all incidents last year, the company said. Yet, the rise of voice phishing marks a concerning shift in tactics, especially in large-scale attacks with sweeping impacts.

“This type of social engineering attack is extremely powerful. It is more time consuming, obviously it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk,” Jurgen Kutscher, vice president at Mandiant, told CyberScoop. “We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”

Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, including campaigns targeting Salesforce customers attributed to threat groups Google Threat Intelligence Group tracks as UNC6040 and UNC6240.

This global shift in attacks was most clearly seen in the sharp drop in email-based phishing., For years, phishing has been a popular method because it’s cheap and requires little technical skill. It works much like high-volume advertising — a spray-and-pray strategy focused on reaching as many people as possible rather than specific targeting.

Email phishing is no longer a top initial access vector, according to Mandiant. The incident response firm said it was only responsible for 6% of intrusions last year, down from 14% in 2024 and 22% in 2022.

“The higher the investment, the higher the payout needs to be,” Kutscher said. “[Interactive phishing] takes a significant amount of time and investment. So as an attacker, you’ve got to do that when you believe that there’s a significant return.”

These techniques are difficult to defend against because they’re designed to exploit human instincts and bypass many security controls. “We’ve always said, unfortunately the human tends to be the weakest link,” Kutscher said. 

Social engineering, of course, wasn’t the only way attackers gained access to victim networks last year. Exploited defects remain a persistent problem.

The top three vulnerabilities Mandiant observed as the initial access vector in 2025 include CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-53770 in Microsoft SharePoint.

Attackers of various origins and objectives exploited all three of the vulnerabilities en masse and as zero-days. 

Mandiant clocked 500,000 combined hours of incident response investigations globally last year, up from 450,000 hours in 2024.

Technology companies were the most frequently attacked in 2025, accounting for 17% of all incidents. The following most-targeted industries included finance at 14.6%, business and professional services at 13.3% and health care at 11.9%.

The post The phone call is the new phishing email appeared first on CyberScoop.

Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems include:

• SD-WAN vulnerabilities: CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129 and CVE-2026-20133
• Cisco Secure Firewall Management Center software vulnerabilities: CVE-2026-20079 and CVE-2026-20131

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance valuations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding exploits Cisco customers are combating on firewalls and SD-WANs is a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said. 

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.

Attackers have been exploiting a pair of zero-day vulnerabilities in Cisco’s network edge software for at least three years, and the global campaign is ongoing, authorities said across a series of warnings released Wednesday.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive about the global attacks and issued joint guidance with the Five Eyes to help defenders respond and hunt for evidence of compromise.

This marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. Both campaigns resulted in CISA emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were identified.

Authorities refrained from attributing the attacks to any nation state or threat group. Cisco Talos researchers assigned the exploits and post-compromise activity to UAT-8616, which they only described as a “highly sophisticated threat actor.”

The activity cluster’s “attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors to establish persistent footholds into high-value organizations including critical infrastructure sectors,” Cisco Talos said in a threat advisory.

Malicious activity linked to this campaign is far reaching and attackers have exploited vulnerabilities in targeted systems to access and potentially compromise federal networks, Nick Andersen, CISA’s executive assistant director for cybersecurity, said during a media briefing Wednesday. 

Andersen declined to say when CISA was first aware of this activity and did not provide details about potential victims, adding that officials are working through the beginning stages of mitigation.

In the jointly issued threat hunt guide, the Five Eyes said all members were aware that the most recent zero-day — CVE-2026-20127 — was identified and confirmed actively exploited in late 2025. Officials and Cisco did not explain why it took at least two months to disclose and patch the vulnerability, and share emergency mitigation guidance. 

Attackers are gaining full control of a system in a chain by exploiting CVE-2026-20127 to bypass authentication, then downgrading software to a version vulnerable to CVE-2022-20775 to escalate privileges, said Douglas McKee, director of vulnerability intelligence at Rapid7.

“That second step allows them to move from administrative control to root on the underlying operating system. That downgrade step shows deliberate knowledge of product versioning and patch history,” he told CyberScoop. “This is not opportunistic scanning. This is structured tradecraft.”

CISA added CVE-2022-20775 and CVE-2026-20127 to its known exploited vulnerabilities catalog Wednesday.

The three-year gap between known initial attacks and detected exploitation of the zero-days showcases the attackers’ surgical use of vulnerabilities and the highly targeted nature of their campaign, said Ben Harris, founder and CEO of watchTowr. 

The timeline and known attack path also indicates operational discipline that allowed attackers to maintain long-term access in critical network infrastructure without triggering alarms, McKee said. Those activities align “more closely with state-sponsored espionage tradecraft than financially motivated crime,” he added.

CISA’s emergency directive requires federal agencies to take inventory of all vulnerable Cisco SD-WAN systems, collect logs from those systems, apply Cisco’s security updates, hunt for evidence of compromise and follow Cisco’s guidance by Friday. 

The latest campaign targeting Cisco network edge technology shares many similarities with another string of attacks officials and Cisco warned about in September. Those attacks, which involved at least two actively exploited zero-days, were underway for at least a year before they were first discovered in May. 

Cisco did not answer questions about any potential connections between the campaigns. The vendor and officials have also thus far avoided sharing any details about what occurred behind the scenes during these sustained attacks.

A spokesperson for Cisco urged customers to upgrade software and follow guidance from its advisory. 

Unfortunately, it’s too late for some Cisco SD-WAN customers to patch, Harris said. “Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”

The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop.

An ex-L3 Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.

Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.

Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described it as serving multiple customers, including the Russian government. In court, the government referred to the buyer as “Company 3,” but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.

Additionally, Operation Zero was one of two zero-day brokerages sanctioned by the U.S. Treasury in a separate announcement made Tuesday.

Prosecutors said Williams used his access at Trenchant over roughly three years to obtain proprietary materials and entered into several deals with the broker, receiving payments in cryptocurrency. Officials said he used proceeds to buy luxury items. The Justice Department has estimated the theft caused $35 million in losses to the contractor, while prosecutors said Williams earned $1.3 million tied to the sales and should be ordered to pay that amount in restitution. 

Williams’ background added another layer noted in court. Prosecutors said he previously served in the Australian Signals Directorate, Australia’s foreign signals intelligence agency. Trenchant’s origins are also part of the record: it was formed after L3Harris acquired Azimuth Security and Linchpin Labs, Australian firms associated with exploit development.

Neither Trenchant nor L3Harris is accused of wrongdoing in the criminal case. 

A hearing for further restitution related to the $35 million in losses is scheduled for May.

The post Ex-L3Harris executive sentenced to 87 months in prison for selling zero-day exploits to Russian broker appeared first on CyberScoop.

Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.

The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.

“Threat actors are exploiting those cross-domain gaps to gain access to environments, so they’re wriggling in between the seams in cloud, identity, enterprise and unmanaged network devices,” Meyers said. 

Starting from an already disadvantaged position — made worse by faster attacks and living-off-the-land techniques — defenders face burnout, stress and other factors that can lead to mistakes, he added. 

The myriad sources of these problems are spreading, too. 

CrowdStrike tracked 281 threat groups at the end of 2025, including 24 new threats it named throughout the year. Researchers at the cybersecurity firm are also tracking 150 active malicious activity clusters and emerging threat groups.

Cybercriminals seeking a payout and nation states committing espionage or implanting footholds into critical infrastructure for prolonged access are increasingly seizing on security weaknesses in cloud-based environments to break into victim networks. 

These cloud-focused attacks have seen a reported 37% year-over-year increase, with a 266% surge in this activity from nation-state threat groups.

The vast majority of attacks detected last year, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials, CrowdStrike said in the report. More than 1 in 3 incident response cases involving cloud intrusions last year were linked back to a valid or abused credential that granted attackers access, according to CrowdStrike. 

Attacks originating from or sponsored by North Korea increased 130% last year, while incidents linked to China jumped 38% during the same period.

Chinese threat groups achieved immediate system access with two-thirds of the vulnerabilities they exploited last year, and 40% of those exploits targeted edge devices.

Zero-day exploits — especially defects in edge devices such as firewalls, routers and virtual private networks — allowed nation-state and cybercrime threat groups to break into systems, execute code and escalate privileges undetected.

CrowdStrike said it observed a 42% year-over-year increase in the number of zero-day vulnerabilities exploited prior to public disclosure last year. 

Meyers said he expects that number to grow further, predicting an explosion of activity from attackers using artificial intelligence to find and exploit zero-day vulnerabilities in various products during the next three to nine months.

CrowdStrike’s annual global threat report is full of figures moving in the wrong direction, yet the most worrying finding for Meyers comes down to attacker speed.

“The speed at which we’re seeing these breakout times accelerate is one of the markers,” he said, adding that it’s only a matter of time before the fastest attacks drop down to seconds, if not milliseconds.

The post CrowdStrike says attackers are moving through networks in under 30 minutes appeared first on CyberScoop.

Researchers uncovered more worrying details about a long-running cyber espionage campaign suspected to be backed by the Chinese government, exemplifying how such attacks often go undetected until they’ve already caused significant damage.

Google Threat Intelligence Group and Mandiant said the Chinese threat group UNC6201 has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The group overlaps with UNC5221, also known as Silk Typhoon, which has been burrowing into critical infrastructure and government agency networks undetected since at least 2022.

The zero-day exploitation marks an escalation from this particular cluster of actors.  State-sponsored attackers spent years implanting Brickstorm malware into networks before the campaign was finally detected last summer. By September, however, the attackers had replaced Brickstorm with Grimbolt, a more advanced malware that’s harder to detect, Google security researchers said Tuesday.

The zero-day vulnerability — CVE-2026-22769 — hinges on a hardcoded administrator password in Dell RecoverPoint for Virtual Machines that was pulled from Apache Tomcat. It carries a 10/10 CVSS rating. The Chinese threat group has been using the hardcoded password, which triggers the vulnerability and allows unauthenticated remote attackers to gain full system access with root-level persistence for at least 18 months, Google said. 

Dell Technologies disclosed and released a patch for the vulnerability Tuesday. A company spokesperson urged customers to follow guidance in its security advisory.

“We are aware of less than a dozen impacted organizations, but because the full scale of this campaign is unknown we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments,” Austin Larsen, principal analyst at GTIG, told CyberScoop.

When the Cybersecurity and Infrastructure Security Agency unveiled new details about the campaign in December, Google said dozens of U.S. organizations, not including downstream victims, had already been impacted by Brickstorm. 

“The actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage,” Larsen added.

The campaign — one of many concurrent efforts by China state-sponsored groups to embed themselves into networks for long-term access, disruptions and potential sabotage — remains a top area of concern for national security.

CISA, the National Security Agency and Canadian Centre for Cyber Security released new analysis on Brickstorm last week to share indicators and compromise that could help potential victims detect malicious activity on their networks.

Yet, the China-linked groups involved in this campaign have already moved on to Grimbolt, in some cases replacing older Brickstorm binaries with the new backdoor that’s more difficult to reverse engineer, according to Google.

Marci McCarthy, director of public affairs at CISA, told CyberScoop the agency will share further information on Wednesday.

Google’s fresh research on the China state-sponsored campaign demonstrates how the threat group’s tenacity, and ability to dwell undetected in networks longer than 400 days, keeps defenders and cyber authorities at a disadvantage.

The threat groups typically target edge applications and devices running on systems without endpoint detection and response, but researchers don’t know how attackers broke into the networks of the most recently discovered victims. 

Researchers only have a narrow view of the threat groups’ activities at large. 

“We suspect a significant portion of UNC5221 and UNC6201’s activity likely remains unknown, and there is a strong probability that they are developing or using undiscovered zero-days and malware,” Larsen said. “The most concerning aspect of this campaign is that additional organizations were likely compromised as part of this campaign and do not know it yet.”

The post Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed appeared first on CyberScoop.

Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed late January after in-the-wild attacks already occurred.

The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday.

The attacks were publicly disclosed as researchers and threat hunters scrambled to assess the fallout and observed consistent waves of attacks linked to the Ivanti defects. As of Monday afternoon, Shadowserver scans identified 86 compromised instances based on artifacts of exploitation, Piotr Kijewski, CEO of the nonprofit, told CyberScoop.

Researchers last week warned that attacks involving the Ivanti zero-days would spread, repeating a common pattern following the vendor’s disclosure and a third party’s release of exploit code. The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti EPMM.

Ivanti said a “very limited number of customers” were exploited before it disclosed the defects in a Jan. 29 security advisory, but has declined multiple requests to provide an updated victim count. 

The company released indicators of compromise and a detection script Friday to help customers hunt for potential impact, and thanked The Netherlands’ National Cyber Security Centre for contributing to the script’s development. “We are collaborating closely with our customers as well as trusted government and security partners,” a spokesperson for Ivanti said in a statement.

Attackers of various intents and origins are still compromising additional Ivanti EPMM instances, Kijewski said. Shadowserver is using initial artifacts provided by Saudi Arabia’s National Cybersecurity Authority to scan for webshells and other signs of exploitation, including system commands.

“These artifacts are likely not linked to the initial threat actor targeting the vulnerability. It is likely, however, these instances were compromised by multiple actors by now,” Kijewski said. “More is happening than what we are able to observe.”

Nearly 1,300 instances of Ivanti EPMM are still exposed to the internet, but it’s unknown how many of those are vulnerable or already compromised, according to Shadowserver.

Other researchers that have been tracking the vulnerabilities have also found evidence of heightened malicious activity targeting potential victims. 

During a 24-hour period, Rapid7’s Ivanti EPMM honeypot “recorded hundreds of inbound traffic connections from more than 130 unique IP addresses, with 58% directly attempting exploitation of the latest Ivanti EPMM vulnerabilities,” said Christiaan Beek, the company’s senior director of threat intelligence and analytics. 

Beek emphasized that the dominant payloads observed by Rapid7’s honeypot were not attributed to researchers, but rather built to gain rapid control via reverse shells, webshell deployment attempts and automated payload droppers. 

Ivanti has thus far declined to say when and how it first became aware of the vulnerabilities or when the first known date of exploitation occurred.

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large.

The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years.

The post Fallout from latest Ivanti zero-days spreads to nearly 100 victims appeared first on CyberScoop.

Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls. 

The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not say when the earliest known date of exploitation occurred but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday.

Ivanti’s post-attack warning marks a frequent occurrence for its customers, involving yet again highly destructive defects in its code that attackers exploited before the vendor caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years. 

The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.

The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025. 

Ivanti declined to say how many customers have been impacted by the recent zero-day attacks, but researchers warn a recurring pattern is emerging with mass exploitation observed shortly after public disclosure and the release of exploit code.

“This started as tightly scoped zero-day exploitation,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told CyberScoop. “It has since devolved into global mass exploitation by a wide mix of opportunistic actors. That arc is depressingly predictable.”

Shadowserver said it observed a spike in CVE-2026-1281 exploitation attempts from at least 13 source IPs by Saturday. More than 1,400 instances of Ivanti EPMM are still exposed to the internet, according to Shadowserver scans, but it’s unknown how many of those are vulnerable or already compromised. 

“It’s important to remember that exposure does not equal exploitation,” Dewhurst said. “But any organization exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes.”

Ivanti advised all on-premises EPMM customers to apply patches, but warned that the script is temporary and will be overridden when customers upgrade software to a new version. The software packages that address the defects “takes only seconds to apply, does not cause downtime and significantly increases adoption and protection rates for customers,” a company spokesperson said. 

Ivanti said it will issue a permanent fix for the vulnerability in a future update that it plans to release by April.

The new Ivanti zero-days share many similarities to previous EPMM vulnerabilities, said Ryan Emmons, staff security researcher at Rapid7. “The line between attacker input and trusted code is blurred, resulting in the ability to execute malicious payloads.”

Remotely exploitable vulnerabilities in network edge devices are an appealing and effective attack vector for hackers looking to break into targeted networks. Multiple threat groups last year, including some linked to China, exploited another zero-day defect in Ivanti EPMM — CVE-2025-4428 — and a string of vulnerabilities in other Ivanti products.

“State-sponsored adversaries have generally made strong use of remotely exploitable vulnerabilities in Ivanti kit, which isn’t surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

The latest actively exploited defects affecting Ivanti products reflect a continuation of a years-long battle between the vendor and threat groups that poses a consistent risk for customers. 

Some security researchers are more inclined to pin the blame for this sustained security problem on Ivanti itself, yet there is broad agreement these vulnerabilities were not easy for the company to discover prior to exploitation. 

Emmons described the defects as nuanced with an odd path to code injection. “With these vulnerable code patterns now known, the vendor’s security teams can more effectively hunt for these sorts of bugs in the future,” he added.

Dewhurst concurred the vulnerabilities were not easy to spot, but said that does not excuse the outcome. “Defensive engineering needs to assume attackers will find the non-obvious paths eventually, because they always do,” he said. 

Ivanti’s spokesperson said these types of vulnerabilities are difficult to find, and insisted the company’s security and engineering teams acted quickly to address the defects once they were identified.

The post Ivanti’s EPMM is under active attack, thanks to two critical zero-days appeared first on CyberScoop.

Attackers associated with Russia’s Main Intelligence Directorate (GRU) have targeted Western-based critical infrastructure with a special focus on the energy sector as part of an ongoing campaign dating back to 2021, Amazon Threat Intelligence said in a report Monday. 

The threat group simplified operations earlier this year by shifting away from vulnerability exploitation to focus on misconfigured network edge devices hosted on Amazon Web Services as the primary initial access vector, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post. 

Researchers said malicious infrastructure used by the attackers overlaps with operations linked to Sandworm, also known as APT44 and Seashell Blizzard, a detail that gives them confidence the activity is associated with Russia’s GRU. 

Amazon did not say how many attacks it’s attributed to the campaign, nor how the pace of activity has changed since the first wave of attacks occurred in 2021. The company said it has notified customers affected by the intrusions, remediated compromised EC2 instances and shared intelligence with partners and affected vendors to aid further investigations.

The Russia state-sponsored threat group has continued to target multiple Western-based organizations in the energy sector including electric utilities, energy providers and managed security service providers specializing in the industry, according to Amazon. 

Researchers said the threat group has also targeted collaboration platforms, source code repositories, organizations with cloud-based network infrastructure, critical infrastructure providers in North America and Europe, and telecom providers across multiple regions. 

Attacks typically begin with a compromised customer network edge device hosted on AWS, followed by attempts to capture data traversing the network in a bid to steal credentials and reuse those credentials against victim organizations’ other services and infrastructure to maintain access, according to Amazon.

Moses insists the compromise of network edge devices hosted on AWS is not due to a weakness in its  infrastructure, but rather improper device setup from customers. Attackers associated with Russia’s GRU have targeted enterprise routers and routing infrastructure, virtual private networks for large organizations, remote-access gateways and network-management appliances. 

The campaign initially relied on vulnerability exploitation from 2021 to 2024, including CVE-2022-26318 affecting WatchGuard, CVE-2021-26084 and CVE-2023-22518 affecting Confluence and CVE-2023-27532 affecting Veeam, researchers said.

Yet, targeting shifted to misconfigured network edge devices this year, which allowed attackers to achieve the same strategic goals at a lower cost. 

“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” Moses said in the blog post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”

Sandworm is one of the most notorious state-sponsored threat groups of the past decade. The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The post Amazon warns that Russia’s Sandworm has shifted its tactics appeared first on CyberScoop.

The University of Pennsylvania joined the steadily growing number of victim organizations impacted by the widespread data theft and extortion campaign involving a notorious ransomware group’s exploitation of a zero-day vulnerability and other defects in Oracle E-Business Suite earlier this year. 

The university filed a data breach notification in Maine Monday, confirming nearly 1,500 Maine residents were affected by an intrusion into its Oracle EBS environment over a three-day period in early August. 

The Ivy League school and dozens of other victims were not aware of the attack until Oracle acknowledged the critical vulnerability after members of the Clop ransomware group sent extortion emails to alleged victim organizations in late September. Attackers exploited multiple vulnerabilities to steal large amounts of data from several Oracle EBS customers in August, according to Mandiant.

The university said it determined some personal information was stolen from its Oracle EBS system on Nov. 11, but did not provide details about how many people were impacted and what type of data was stolen during the attack. 

“The University of Pennsylvania was one of nearly 100 already identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system,”a spokesperson for the university said in a statement.

“Penn has implemented the patches that Oracle issued to resolve the vulnerability,” the spokesperson added. “Penn has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes.”

Other Ivy League schools were impacted by the targeted attacks on Oracle EBS customers as well, including Dartmouth College and Harvard University. 

Dartmouth filed data breach disclosures in California and Maine last month confirming that its Oracle EBS environment was also compromised over a few days in August. Personal data exposed by the breach included names, Social Security numbers and financial account information, according to Dartmouth. 

Harvard University said it was investigating a data breach involving its Oracle EBS system in mid-October, noting at the time that a limited number of people in a small administrative unit were impacted. Harvard said it found no evidence of compromise to other systems. 

The pool of victim organizations impacted by the mass exploitation of vulnerabilities in Oracle EBS underscores the risk posed by interconnected and widely used systems.

Cox Enterprises last month said personal data on almost 10,000 people was exposed by an attack on its Oracle EBS environment, which it discovered in late September. The attack occurred during the same period as other victim organizations in August, the media and automotive company said in a data breach notification filed in California. 

Logitech said it, too, was impacted by the widespread attacks on Oracle EBS customers. “The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system,” the computer peripherals and software vendor said in a Nov. 20 regulatory filing.

Other previously confirmed victims include The Washington Post, Envoy Air and GlobalLogic. 

Clop specializes in exploiting vulnerabilities in file-transfer services and has successfully intruded multiple technology vendors’ systems to steal massive amounts of data for extortion efforts. These attacks typically flow downstream, ensnaring organizations and people multiple layers removed from the initial targeted victims.

Clop infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks appeared first on CyberScoop.

Amazon’s threat intelligence team said it observed an advanced persistent threat group exploiting zero-day vulnerabilities affecting Cisco Identity Service Engine and Citrix NetScaler products before the vendors disclosed and patched the defects last summer.

Amazon’s MadPot honeypot service detected active exploitation of the critical defects — CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco — and through further investigation determined a highly resourced threat actor was behind the attacks, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Wednesday.

“We assess with high confidence it was the same threat actor observed exploiting both vulnerabilities,” Moses told CyberScoop in an email.

Amazon said its discovery reinforced multiple trends afoot, including threat groups’ increased focus on identity and network edge infrastructure and their ability to quickly weaponize vulnerabilities as zero-days before vendors disclose or patch defects in their products.

The origins and identity of the threat group behind the attacks remains unknown, yet Moses said “prolonged access to the target for espionage is the most likely objective.”

Amazon threat researchers said the threat group used custom malware with a backdoor specifically designed for Cisco ISE environments that demonstrated advanced evasion techniques. “The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals and the specific architectural nuances of the Cisco ISE,” Moses said in the blog post.

Cisco disclosed CVE-2025-20337 on June 25, yet Amazon said exploitation was already underway in May. Amazon discovered the pre-disclosure exploits in early July and traced attacks back to May and June, Moses said.

Amazon disclosed active exploitation of the defect to Cisco, which informed its customers of the issue within hours, Moses added. He did not share information about how many organizations have been impacted by CVE-2025-20337 exploits.

Citrix disclosed CVE-2025-5777, also known as CitrixBleed 2 due to striking similarities with a 2023 defect in the same products, on June 17. The Cybersecurity and Infrastructure Security Agency added the exploit to its known exploited vulnerabilities catalog on July 10.

By mid-July, researchers had observed more than 11.5 million attack attempts, targeting thousands of sites since the exploit was disclosed.

Amazon declined to explain why it’s sharing information about active zero-day exploitation of the Cisco and Citrix defects months later, and the company said it doesn’t have additional information about more recent attacks linked to the vulnerabilities.

Moses noted the threat group’s use of multiple zero-day exploits indicates the attackers have advanced vulnerability research capabilities or access to undisclosed vulnerability information.

The post Amazon pins Cisco, Citrix zero-day attacks to APT group appeared first on CyberScoop.

GlobalLogic, a digital engineering and product design company, said it was impacted by a widespread data theft and extortion campaign linked to a zero-day vulnerability in Oracle E-Business Suite.

The company, which was acquired by Hitachi in 2021 and has a current customer base of nearly 600 clients, filed data breach notifications with authorities in California and Maine on Friday. GlobalLogic said the attack exposed human resources data on nearly 10,500 current and former employees. 

GlobalLogic is among many Oracle customers targeted by attackers aligned with the Clop ransomware group, which exploited a zero-day vulnerability affecting the enterprise platform to steal massive amounts of data as far back as July. John Hultquist, chief analyst at Google Threat Intelligence Group, previously told CyberScoop dozens of organizations were impacted. 

GlobalLogic said it discovered the data breach Oct. 9 and, upon investigation, determined the initial breach occurred July 10. The most recent malicious activity occurred Aug. 20, the company said.

“This incident did not target or impact GlobalLogic’s systems outside our Oracle platform, and, based on industry reports, we are one of many Oracle customers believed to be impacted,” the company said in the notification letter sent to people impacted. GlobalLogic did not immediately respond to a request for comment.

Data exposed by the attack includes names, addresses, phone numbers, emergency contact information, email addresses, dates of birth, nationality, passport information, internal employee numbers, tax identifiers such as Social Security numbers, salary information, bank account details and routing numbers, according to GlobalData.

Upon discovering it was impacted, GlobalLogic said it immediately activated incident response procedures, notified law enforcement and engaged with third-party firms to assist with an investigation. “We also promptly applied software patches upon their release from Oracle to address the vulnerability,” the company said. 

Oracle disclosed and issued a patch for the zero-day vulnerability —  CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. 

The zero-day wasn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims, according to Mandiant Consulting CTO Charles Carmakal. 

The significant lag time between when the attacks occurred and Oracle’s disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

Clop’s ransom demands reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop last month.

Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment. 

One of those named victims, Envoy Air, a subsidiary of American Airlines, confirmed it was impacted by the attack spree. 

“We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised,” a spokesperson for Envoy Air said in a statement. 

GlobalLogic said it implemented Oracle’s recommended mitigation steps in the wake of the attack and took additional steps to improve its security.

The post Hitachi subsidiary GlobalLogic impacted by Clop’s attack spree on Oracle customers appeared first on CyberScoop.

| Alyssa Snow In PART ONE and PART TWO of this blog series, we discussed common misconfigurations of Active Directory certificate templates. In this post, we will walk through exploitation […]

The post Abusing Active Directory Certificate Services (Part 3) appeared first on Black Hills Information Security, Inc..