Pressure is mounting on Instructure, the company behind Canvas, as cybercriminals threaten to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform.

Widespread outages left schools, students and teachers temporarily unable to access critical data late last week after the company took Canvas offline following additional malicious activity, including a defacement of the platform’s login page. By Friday, the company said Canvas — a central hub for K-12 and university coursework, exams, grades and communication — was back online and fully operational. 

ShinyHunters, a decentralized crew of prolific cybercriminals affiliated with The Com, claimed responsibility for the attack on its data leak site and is attempting to extort the company for an unknown ransom amount. Instructure hasn’t confirmed the existence of a ransom demand and declined to answer questions about its response.

The threat group initially set a deadline of May 6 — four days after Instructure previously said the incident was contained soon after it disclosed the attack — claiming it stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems. 

When that deadline passed without payment, ShinyHunters escalated its pressure on the company by “injecting an extortion message directly into the Canvas login pages of roughly 330 institutions, and pivoted to school-by-school extortion with a current deadline of May 12,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told CyberScoop.

“The scope makes this one of the largest single education-sector exposures we’ve tracked,” she added.

The additional public pressure prompted Infrastructure to take Canvas offline, disrupting schoolwork and access to critical systems nationwide. 

Instructure CEO Steve Daly apologized over the weekend for the company’s inconsistent communication and deficient public response to the cyberattack. 

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” he said in a statement.

Daly acknowledged that the attack, which remains under investigation aided by CrowdStrike, exposed usernames, email addresses, course names, enrollment information and messages. He insisted that course content, submissions and credentials were not compromised.

The temporary but widespread disruption caused has spurred broad concern across the education sector as ransomware experts and threat hunters continue to track developments. The cyberattack also caught the attention of lawmakers on Capitol Hill. 

The House Homeland Security Committee on Monday published a letter to Daly seeking a briefing with him or a senior leader at Instructure by May 21. 

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” House Homeland Security Chairman Andrew Garbarino, R-N.Y., wrote in the letter to Daly.

The committee wants to learn more about the “circumstances of both intrusions, the the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency,” he added. 

CISA did not describe the extent of its involvement in Instructure’s response. “CISA is aware of a potential cyber incident affecting Canvas. As the nation’s cyber defense agency, we provide voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” Chris Butera, the agency’s acting executive assistant director for cybersecurity, said in a statement.

Instructure’s timeline of the attack has changed and remains incomplete. The company said it first detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access and initiated an incident response. Researchers not directly involved with the formal investigation said ShinyHunters gained access to Canvas at least a few days earlier.

The follow-on malicious activity on May 7 — the defacement of public login pages — was tied to the same incident, the company said. 

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said in an updated post about the incident.

Instructure did not answer questions about the vulnerability or explain how attackers intruded its systems. The company said it also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.

Canvas is fully operational and safe to use, the company said, adding that CrowdStrike has reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.”

Access still remains spotty and unavailable for some Canvas users as school districts restore the platform in phases after conducting their own internal checks.

Halcyon published an alert about the attack Friday, including a screenshot of the message that some school staff, guardians and students encountered before Instructure took the learning management system offline.

ShinyHunters threatened Instructure and all affected schools to contact the threat group and reach a resolution by end of day Tuesday. The cybercrime group, which has a “known pattern of removing victim entries once communications and negotiations have started,” removed Instructure from its data leak site after it defaced the Canvas login pages, Halcyon said. 

ShinyHunters is a notorious data theft extortion group that previously hit major cloud platforms, including Salesforce and Snowflake, via voice phishing, credential theft and supply-chain attacks. 

“Historically, their claims of compromise typically hold up, but they often exaggerate the impact, scale, and type of data stolen,” Kaiser said.

Education is a recurring and consistent target for cybercriminals. Researchers at Halcyon tracked more than 250 ransomware attacks on education institutions globally last year. Yet, the attack on Canvas stands apart from most of these attacks because of its widespread use and downstream impact.

“This is student, parent, and staff data, including minors, which creates downstream phishing and impersonation risk that will outlast the immediate incident,” Kaiser said. 

“By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move, which is the same playbook Clop ran against Oracle EBS customers last fall,” she added. “Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact, and it highlights a trend of third-party software vendors now being part of an attack surface, and causing cascading effects across an entire sector.”

Cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims to not pay ransoms, but they also often acknowledge that companies have to make tough decisions based on their own interests and the security of their customers or users caught up in the aftermath.

Allison Nixon, chief research officer at Unit 221B, said the threat group claiming responsibility for the attack should not be trusted. 

“They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data,” she told CyberScoop. “This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past.”

Instructure hasn’t indicated what it plans to do as part of any effort to prevent the leak of stolen data. 

Daly — a longtime security executive who was previously CEO at Ivanti — ended his mea culpa with a pledge to improve communications and provide a summary of a forensics report soon.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward,” he said. 

“Rebuilding trust takes time,” Daly added. “We’re going to earn it back through consistent action and honest communication.”

The post Pressure mounts on Canvas as data leak extortion deadline looms appeared first on CyberScoop.

Google researchers found a zero-day exploit developed by artificial intelligence and alerted the susceptible vendor to the imminent threat before a well-known cybercrime group initiated a mass-exploitation campaign, the company said in a report released Monday.

The averted disaster probably isn’t the first time attackers used AI to build a zero-day, but it is the first time Google Threat Intelligence Group found compelling evidence that this long-predicted and worrying escalation in vulnerability-exploit development is underway.

“We finally uncovered some evidence this is happening,” John Hultquist, chief analyst at GTIG, told CyberScoop. “This is probably the tip of the iceberg and it’s certainly not going to be the last.”

Google declined to identify the specific vulnerability, which has been patched, or name the “popular open-source, web-based administration tool” it affected. It did, however, note that the defect impacted a Python script that allows attackers to bypass two-factor authentication for the service.

Researchers also withheld details about how they discovered the zero-day exploit or the cybercrime group that was preparing to use it for a large-scale attack spree.

The threat group has a “strong record of high-profile incidents and mass exploitation,” Hultquist said, suggesting the attackers are prominent and well-known among cybersecurity practitioners. 

GTIG is fairly confident the threat group was using AI in a meaningful way throughout the entire process, but it has yet to determine if the technology also discovered the vulnerability it ultimately developed into an exploit.

Whichever AI model the attackers used — Google is confident it wasn’t Gemini or Anthropic’s Mythos — left artifacts throughout the exploit code that are inconsistent with human developers. This evidence, which included documentation strings in Python, highly annotated code and a hallucinated but non-existent CVSS score, tipped Google off to the fact AI was heavily involved, Hultquist said. 

GTIG has been warning about and expecting AI-developed exploits to hit systems in the wild, especially after its Big Sleep AI agent found a zero-day vulnerability in late 2024.

“I think the watershed moment was two years ago when we proved this was possible,” Hultquist said, adding that there are probably several other AI developed zero-days in play now. 

Yet, to him, the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further.

“The game’s already begun and we expect the capability trajectory is pretty sharp,” Hultquist said. “We do expect that this will be a much bigger problem, that there will be more devastating zero-day attacks done over this, especially as capabilities grow.”

The post Google spotted an AI-developed zero-day before attackers could use it appeared first on CyberScoop.

Attackers are hitting Ivanti customers yet again — circling back to a common target and consistently susceptible vendor in the network edge space — by exploiting a zero-day vulnerability in one of the company’s most besieged products. 

Ivanti warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation defect in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company alerted customers to the threat in a security advisory Thursday while also disclosing four additional high-severity vulnerabilities in the same product.

“At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement,” a spokesperson for Ivanti said in a statement.

Ivanti did not say when the first instance of exploitation occurred, or precisely how many customers have already been impacted.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog within hours of Ivanti’s disclosure.

The company released patches for all five vulnerabilities Thursday, including the four additional defects — CVE-2026-5787, CVE-2026-5788, CVE-2026-6973 and CVE-2026-7821 — which it said haven’t been exploited in the wild.

“Ivanti discovered these vulnerabilities in recent weeks through internal detection processes which are supported by advanced AI, customer collaboration, and responsible disclosure,” the company spokesperson said. One of the defects was discovered and responsibly reported to Ivanti by a former employee.

The company suggested at least one of the root causes for the latest zero-day may be traced to lingering risk posed by a pair of separate, critical zero-days — CVE-2026-1281 and CVE-2026-1340 — that were exploited starting in late January. The fallout from those exploited vulnerabilities in Ivanti EPMM spread to nearly 100 victims, including The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary, by early February.

The latest Ivanti EPMM zero-day “requires authenticated administrative access to exploit, which is why customers who followed Ivanti’s recommendation in January to rotate EPMM credentials are at significantly reduced risk. Customers unaffected by the prior vulnerability are also at a much lower risk,” the company spokesperson said.

Caitlin Condon, vice president of security research at VulnCheck, said the administrative privileges required to exploit CVE-2026-6973 indicates it was possibly exploited as part of an attack chain relying on another method for initial access. 

“No attribution was shared on threat actor exploitation of CVE-2026-6973, but two other 2026 CVEs in Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340 — have been exploited by a range of threat actors, including China- and Iran-attributed groups,” Condon told CyberScoop. 

“Those vulnerabilities notably were code-injection vulnerabilities that were remotely exploitable without authentication, unlike CVE-2026-6973,” she added. “Both CVE-2026-1281 and CVE-2026-1340 appear to have been fixed in today’s Ivanti release. Comparatively, these earlier vulns were of higher initial concern than today’s fresh zero-day vulnerability, which requires admin authentication.”

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large, including many vulnerabilities that attackers exploited before the company caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 34 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 22 defects across Ivanti products have been exploited in the past two years, including five vulnerabilities in Ivanti EPMM in the last year.

During an interview with CyberScoop in March at the RSAC Conference, Ivanti Chief Security Officer Daniel Spicer said the company’s transparency partly explains the high number of vulnerabilities reported and disclosed in its products. 

“My position here at Ivanti is it doesn’t do our customers any good to be quiet about this,” he said, describing the company’s communication stance with the public, CISA and global partners as “very aggressive.”

That’s not always the case with other vendors, Spicer said. “I don’t know that transparency is a core tenant of all other organizations.”

The company, which serves many government agencies and critical infrastructure operators, also routinely notes that highly skilled and resourced attackers, including those backed by nation-states, are often responsible for these waves of attacks on its customers.

Ivanti maintains that it’s trying to consistently improve the security of its products. “Through continued investment in its product security program, including the use of advanced AI paired with human verification, Ivanti is strengthening its ability to identify, remediate, and disclose issues quickly, helping customers stay ahead of an increasingly compressed threat landscape,” the spokesperson said.

The way Spicer put it in March: “We want to make sure that people understand that we are trying to do the right thing.”

The post Ivanti customers confront yet another actively exploited zero-day appeared first on CyberScoop.

Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.

The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run  code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.

Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.

The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.

“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.

The company said firewalls exposed to the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, and it described the attack complexity as low.

Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.

“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.

Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.

Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.” 

Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon. 

“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”

Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators or compromise, nor disclose the type of organizations that have been targeted and impacted. 

Researchers are hunting for malicious activity and advise customers to apply patches upon release.

The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.

A federal judge sentenced a Latvian national to 102 months in prison for his involvement in a series of ransomware attacks for more than two years prior to his arrest in 2023, the Justice Department said Monday.

Deniss Zolotarjovs, a resident of Moscow at the time, helped an organization led by former leaders of the Conti ransomware group extort payments from more than 54 companies. 

The 35-year-old was mostly tasked with putting pressure on the crew’s victims. In one case, Zolotarjovs urged co-conspirators to leak or sell children’s health records stolen from a pediatric healthcare company and ultimately sent a collection of sensitive data to “hundreds of patients,” according to court records. 

The ransomware crew identified itself in ransom notes under multiple names during Zolotarjovs’ involvement, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, Akira and others. 

Zolotarjov and his co-conspirators extorted nearly $16 million in confirmed ransom payments from their victims. Officials estimate the group’s crimes resulted in hundreds of millions of dollars in losses, not including the psychological and future financial exposure confronting tens of thousands of people whose personal data was stolen.

“Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline,” A. Tysen Duva, assistant attorney general of the Justice Department’s Criminal Division, said in a statement. 

Officials said Zolotarjovs searched for points of leverage after researching victim companies and analyzing stolen data. Many of the victims impacted during his active participation between June 2021 and August 2023 were based in the United States.

Zolotarjov was arrested in the country of Georgia in December 2023 and extradited to the United States in August 2024. He pleaded guilty to money laundering and wire fraud in July 2025. 

“Cybercriminals might think they are invulnerable by hiding behind anonymizing tools and complex cryptocurrency patterns while they attack American victims from non-extradition countries,” Dominick S. Gerace II, U.S. attorney for the Southern District of Ohio, said in a statement. “But Zolotarjovs’s prosecution shows that federal law enforcement also has a global reach, and we will hold accountable bad actors like Zolotarjovs, who will now spend significant time in prison.”

The Russian ransomware crew was prolific and spread across multiple teams, relying on companies registered in Russia, Europe and the United States to conceal its operations. Authorities said the group included former Russian law enforcement officers whose connections allowed members to access Russian government databases to harass detractors and identify potential new recruits.

Conti was among the most prolific ransomware groups globally for a time, impacting hundreds of critical infrastructure providers, Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022.

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

The post Latvian national sentenced for ransomware attacks run by former Conti leaders appeared first on CyberScoop.

Attackers are actively exploiting a Linux vulnerability in the wild, and researchers warn that the fallout could be broad — anyone with authenticated local access can leverage it to gain total control of a system. 

But the story behind CVE-2026-31431 is almost as interesting as the bug itself. Theori, the company that discovered the bug, leaned heavily on AI to find and initially disclose it. The result is a case study that  underscores the challenges that occur when the relentless hunt for defects collides with marketing impulses and inflated AI-generated language that was long on bluster but lacked technical details. 

Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content, and warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation resulting in root access. 

Theori’s AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team March 23. Major Linux distributions affected by the vulnerability had issued patches prior to Theori’s disclosure, which it published alongside a proof-of-concept exploit. 

The Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its known exploited vulnerabilities catalog Friday.

Researchers have yet to determine how many organizations have been impacted by the flaw, but they noted that critical requirements for exploitation, specifically local access achieved through a separate exploit or pathway to unauthorized access, should limit potential exposure.

“The attacker would need to have already established a foothold on the target system either through some means of legitimate access or another exploit,” Spencer McIntyre, secure researcher at Rapid7, told CyberScoop. “That’s a large limiting factor since this vulnerability would therefore need to be paired with another.”

Theori’s disclosure turned heads among other vulnerability researchers who noted the defect’s broad potential impact, but also for lacking details about the proof-of-concept exploit. 

“The exploit is real, there is something to worry about, but understandably, teams now have to do additional validation to know how to parse the extreme AI FUD (fear, uncertainty and doubt) from [Theori’s] blog post,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“It’s not helpful that the blog is AI slop, because it detracts from technical reality,” she added. 

Theori acknowledges it used AI to discover and describe the vulnerability, explaining that it’s focusing on finding and fixing a large amount of defects. 

“We used AI to help craft the disclosure site and the blog post to help speed things up, but all material was thoroughly reviewed by our internal teams for accuracy,” said Tim Becker, senior security researcher at Theori. 

Theori is intentionally withholding additional details until the patch is broadly applied, he added.

“We stand by our technical description of the vulnerability. Helping downstream users to understand the impact of a security bug has always been a challenge for security researchers,” Becker said. “Copy Fail allows for trivial privilege escalation on most desktop and server Linux distributions. It also has implications for containerization including Kubernetes.”

Other researchers have drawn similar conclusions, noting that exploitation can be automated and doesn’t require specialization. 

Meanwhile, hundreds of additional proof-of-concept exploits have surfaced since the vulnerability was disclosed five days ago. “As expected, the majority of these appear to be copycat AI PoCs that do nothing but add banners or different colors to the command-line interface. Many new PoCs are simply ports of the original AI PoC to a different programming language,” Condon said. 

“Organizations should exercise caution when running untested research artifacts, including AI-generated exploit code that isn’t fully explained,” she added. 

Becker said Theori is aware of the burden defenders confront, and insists the company’s reports contain enough information for organizations to quickly triage and validate its findings.

The post ‘Copy Fail’ is a real Linux security crisis wrapped in AI slop appeared first on CyberScoop.

Two former cybersecurity professionals who moonlighted as cybercriminals, committing a series of ransomware attacks in 2023, were each sentenced to four years in prison, the Justice Department said Thursday.

Ryan Clifford Goldberg and Kevin Tyler Martin previously pleaded guilty to one of three charges brought against them in December and faced up to 20 years behind bars. 

Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with Angelo John Martino III to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.

“These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement. “They used ransomware to lock down critical systems, steal sensitive data, and pressure American businesses into paying to regain access to their own information.”

Victims impacted by the attacks Goldberg and Martin participated in over a six-month period in 2023 included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor’s office, an engineering company based in California and a drone manufacturer in Virginia. 

“They harmed important firms who were providing medical and engineering services. They played hardball with them, going so far as to cause the leak of patient data from a doctor’s office victim,” A. Tysen Duva, assistant attorney general of the Justice Department’s criminal division, said in a statement.

“These were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed. Ransomware attackers like this should be punished and removed from society to serve their lawful sentences so they cannot harm others,” Duva added.

Goldberg and Martin received identical sentences for their crimes, despite significant differences surrounding their initial arrests. Martin was arrested without incident in October and freed on bond later that month.

Goldberg fled the country in June, 10 days after he was interviewed by the FBI. He was arrested Sept. 22 and ordered to remain in custody pending trial due to flight risk. 

Goldberg and his wife boarded a one-way flight to Paris from Atlanta on June 27 and remained in Europe until Sept. 21. When Goldberg flew directly from Amsterdam to Mexico City, he was arrested upon landing and deported to the United States.

“When Goldberg sought to flee abroad and escape prosecution, the FBI tracked him through 10 countries, demonstrating the lengths we will go to hold cyber criminals accountable and protect victims,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.

The cases against Golberg, Martin and their co-conspirator Martino showcase an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons.

Goldberg, 40, and Martin, 36, extorted a $1.3 million ransom payment from the medical company with Martino in May 2023, but did not receive ransom payments from their other victims.

Martino’s ransomware scheme went much further and caused significantly more damage, helping accomplices extort a combined $75.3 million in ransom payments. Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides.

He pleaded guilty earlier this month to sharing confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates.

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

Sygnia and DigitalMint are not accused of any knowledge or involvement in the crimes, and both previously said they fired their former employees once federal authorities alerted the companies to their alleged crimes. 

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

The post Former incident responders sentenced to 4 years in prison for committing ransomware attacks appeared first on CyberScoop.

A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.

The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release. 

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.

This “new wave of ecrime threat actors” are closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said. 

Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns. 

CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others. 

Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeting employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said. 

These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims’ entire SaaS ecosystems.

Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. 

The data theft for extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures for each subgroup are distinct. These variances include hours of operation, different phishing domain providers, preferred operating systems, data leak sites, and the tools or devices they used to register for multi-factor authentication. 

The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.

CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.

Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said. 

CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic. 

Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. 

“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

A Chinese national allegedly involved in a massive, pandemic-era attack spree that compromised nearly 13,000 U.S. organizations was extradited from Italy to the United States and formally charged in federal court, the Justice Department said Monday.

Xu Zewei and his co-conspirators are accused of exploiting a string of zero-day vulnerabilities in Microsoft Exchange Server to steal research on COVID-19 vaccines, treatment and testing during the initial wave and subsequent height of the pandemic.

His alleged crimes, directed by China’s intelligence services, were part of a broader espionage campaign known as HAFNIUM, which targeted infectious disease experts, law firms, universities, defense contractors and policy think tanks, according to an indictment filed against Xu and Zhang Yu, who remains at large. 

The China state-sponsored threat group behind those attacks against Microsoft customers, and many other vendors’ customers since, is now more widely known as Silk Typhoon.

“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.

“He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk,” he added.

Xu allegedly committed the attacks while working for Shanghai Powerock Network, one of many companies that conducted attacks for China’s various intelligence services, according to court records.

Italian authorities arrested Xu at the United States’ request in Milan in July. His capture underscores a window of opportunity U.S. officials and allies can take when nation-state attackers travel to countries that cooperate with the United States.

Italy extradited Xu to the United States Saturday but didn’t release his extradition orders until Monday, Simona Candido, his attorney in Italy, told CyberScoop.

Officials said Monday marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.

“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” John G.E. Marck, acting U.S. attorney for the Southern District of Texas, said in a statement.

Xu allegedly worked under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau to break into U.S. organizations’ networks, steal data and implant webshells for persistent remote access. Officials also accuse Xu of stealing information regarding U.S. policymakers and government agencies from a global law firm with offices in Washington. 

Microsoft first warned customers about the HAFNIUM campaign in March 2021. The FBI and Cybersecurity and Infrastructure Security Agency followed soon after with a joint advisory about the widespread compromise of Microsoft Exchange Server. 

“Today’s law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government,” Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop.

“Extraditing these individuals from countries in coordination with international law enforcement demonstrates a united stance on these actions, and the importance of bringing real-world consequences to China’s notorious targeting of not just the American people and their businesses, but individuals globally as well,” Shraberg added.

Xu is charged with conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft; two counts of obtaining information by unauthorized access to protected computers; two counts of intentional damage to a protected computer; and aggravated identity theft. 

The 34-year-old faces up to 62 years in prison for his alleged crimes.

The post Chinese national extradited to US for pandemic-era Silk Typhoon attacks appeared first on CyberScoop.

Researchers warn that BlackFile, an extortion group likely associated with The Com, continues to impersonate IT support in voice-phishing and social engineering attacks that have impacted organizations in multiple industries, including healthcare, technology, transportation, logistics, wholesale and retail.

Attackers have been actively targeting organizations in the retail and hospitality industry since February, according to Unit 42’s latest intelligence on the campaign, which the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) released alongside indicators of compromise Thursday.

The threat group, which is also tracked as CL-CRI-1116, UNC6671 and Cordial Spider, appears to be targeting victims opportunistically in a campaign that remains active and ongoing, Matt Brady, senior principal researcher at Palo Alto Networks’ Unit 42, told CyberScoop. 

“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range,” Brady said.

Unit 42 declined to say how many organizations have been impacted thus far, and RH-ISAC did not respond to a request for comment.

BlackFile’s attacks against companies in the retail and hospitality sector are part of a broader wave of voice-phishing attacks initiated by multiple cybercrime groups, which Google Threat Intelligence Group and Okta warned about in January. 

Unit 42 also noted that BlackFile’s activities overlap with an ongoing data theft and extortion campaign CrowdStrike has been tracking as Cordial Spider since at least October 2025.

Yet, the threat group’s tactics have been far from cordial. RH-ISAC said some attackers have swatted company personnel, including executives, to increase leverage and pressure victims to pay their ransom demands. 

The threat group lures victims via voice-phishing attacks and phishing pages mimicking corporate single-sign on services to steal credentials before moving into privileged accounts. 

“They scrape internal employee directories to obtain contact lists for executives,” RH-ISAC wrote in a blog post. “By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”

The group’s unauthorized access and data theft for extortion activity spans SaaS environments, Microsoft Graph API permissions, Salesforce API access, internal repositories, SharePoint sites and datasets containing employee’s phone numbers and business records. 

BlackFile also created a data-leak site to extort victims that it claims ignored or failed to agree to its demands, according to researchers. 

Brady said Unit 42 has observed relatively consistent activity from the threat group since February. 

RH-ISAC advises organizations to manage multi-factor identity verification for callers and limit the IT support actions that can be completed in a single call without escalation to management.

The post BlackFile actively extorting data-theft victims in retail and hospitality sector appeared first on CyberScoop.

Vercel said the fallout from an attack on its internal systems hit more customers than previously known, as ongoing analysis uncovered additional evidence of compromise. 

The company, which makes tools and hosts cloud infrastructure for developers, maintains a “small number” of accounts were impacted, but it has yet to share a number or range of known incidents linked to the attack. Vercel created and maintains Next.js, a platform supporting AI agents that’s downloaded more than 9 million times per week, and other popular open-source projects. 

Vercel CEO Guillermo Rauch said the company and partners have analyzed nearly a petabyte of logs across the Vercel network and API, and learned malicious activity targeting the company and its customers extends beyond an initial attack that originated at Context.ai. 

“Threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers,” Rauch said in a post on X. 

“Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables,” he added.

The attack exemplifies the widespread and compounded risk posed by interconnected systems that rely on OAuth tokens, trusted relationships and overly privileged permissions linking multiple services together.

“The real vulnerability was trust, not technology,” Munish Walther-Puri, head of critical digital infrastructure at TPO Group, told CyberScoop. “OAuth turned a productivity app into a backdoor. Every AI tool an employee connects to their work account is now a potential attack surface.”

An attacker traversed Vercel’s internal systems to steal and decrypt customer data, including environment variables it stored, posing significant downstream risk. 

The company insists the breach originated at Context.ai, a third-party AI tool used by one of its employees. Researchers at Hudson Rock previously said the seeds of that attack were planted in February when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments. 

Vercel has not specified the systems and customers data compromised, nor has it described the threat eradicated or contained. The company said it’s found no evidence of tampering across the software packages it publishes, concluding “we believe the supply chain remains safe.” 

The company fueled further intrigue in its updated security bulletin, noting that it also identified a separate “small number of customers” that were compromised in attacks unrelated to the breach of its systems. 

“These compromises do not appear to have originated on Vercel systems,” the company said. “This activity does not appear to be a continuation or expansion of the April incident, nor does it appear to be evidence of an earlier Vercel security incident.”

It’s unclear how Vercel became aware of those attacks and why it’s disclosing them publicly. 

Vercel declined to answer questions, and Mandiant, which is running incident response and an investigation into the attack, referred questions back to Vercel. 

Vercel has not attributed the breach to any named threat group or described the attackers’ objectives. 

An online persona identifying themselves as ShinyHunters took responsibility for the attack and is attempting to sell the stolen data, which they claim includes access keys, source code and databases. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said the attacker is “likely an imposter,” but emphasized the risk of exposure is real.

Walther-Puri warned that the downstream blast radius from the attack on its systems remains undefined. “Stolen API keys and source code snippets from internal views are potentially keys to customer production environments,” he said.

The stolen data attackers claim to have “sounds almost boring … but it’s infrastructure intelligence,” Walther-Puri added. “The right environment variable doesn’t just unlock a system — it lets adversaries become that system, silently, from the inside.”

The post Vercel attack fallout expands to more customers and third-party systems appeared first on CyberScoop.

A South Florida man pleaded guilty to conspiring with multiple ransomware affiliates to commit attacks against and extort payments from the same U.S. companies he represented as a ransomware negotiator for DigitalMint in 2023, the Justice Department said Monday.

Angelo John Martino III shared confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates, according to his plea agreement.

Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides. DigitalMint, which is not accused of any knowledge or involvement in the crimes, fired Martino the day after the Justice Department informed the company they were investigating him in April 2025. 

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Prosecutors previously said Martino helped accomplices extort a combined $75.3 million in ransom payments, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company. 

Martino also admitted to conspiring with Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia, to deploy BlackCat ransomware, also known as ALPHV, against five additional U.S. companies between April and November 2023. 

Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” A. Tysen Duva, assistant attorney general at the Justice Department’s Criminal Division, said in a statement. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons. 

Officials shared a series of chats Martino held with co-conspirators and his victims that exemplify the lengths he went to betray DigitalMint’s clients and empower his accomplices with crucial tips for a successful negotiation strategy.

DigitalMint did not respond to a request for comment on Martino’s guilty plea.

Negotiation chats exemplify Martino’s crimes

During an incident response with one of his victims, Martino told a BlackCat affiliate the company’s insurance carrier “was only approving small accounts,” according to his plea agreement. “Keep denying our offers and I will let you know once I find out the max the[y] want to pay,” he added.

“We don’t know how you came up with your demand but we are losing money operationally and all of our loans are going to turnover on us this year at double the interest rates,” Martino said in a negotiation chat visible to DigitalMint and the victim organization in the hospitality industry. “We are able to give you $1 million now, which is a very serious offer.”

Following Martino’s instructions, the BlackCat accomplice responded: “Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you. Time is ticking — we know how much you can pay. Contact your insurance. We know about them also. Stop wasting time.”

That victim company ultimately paid a ransom worth nearly $16.5 million at the time to receive a decryptor and the BlackCat affiliate’s commitment to not publish stolen data. The two other victims Martino represented via DigitalMint at the time paid $6.1 million and $213,000 ransoms for similar commitments.

“Ransomware victims turned to this defendant for help, and he sold them out from the inside,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement.

Martino received a portion of the ransomware payments for his involvement in the conspiracy.

Authorities have seized $10 million in assets and cryptocurrency wallets controlled by Martino. Law enforcement seized multiple vehicles, a food truck and a 29-foot luxury fishing boat that he obtained using proceeds from his crimes.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. 

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond.

“The FBI works every day to dismantle the ransomware ecosystem,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “That includes apprehending key facilitators like Angelo Martino, who abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals.”

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Martino pleaded guilty to conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

You can read Martino’s plea agreement below.

The post Former DigitalMint ransomware negotiator pleads guilty to extortion scheme appeared first on CyberScoop.

A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 

Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 

Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 

The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.

Victims included high net worth individuals and businesses in the entertainment, telecom, technology, business process outsourcing, IT, cloud and virtual currency sectors, officials said.

Buchanan and his co-conspirators were part of an aggressive subset of The Com coined Scattered Spider. While The Com and its offshoots don’t operate with formal leaders in the traditional sense, Buchanan played a crucial role in the operation, according to Allison Nixon, chief research officer at Unit 221B.

“[Buchanan] was the glue that held this gang together. His success at wiping out victims’ savings made him a target for both law enforcement and rival Com gangs,” Nixon told CyberScoop.

“[Buchanan] is part of an older generation that came from certain toxic gaming servers before the pandemic. People from this generation learned hacking in order to steal vanity usernames and bully kids before using it to steal peoples’ savings,” she added.

Federal authorities filed charges against five individuals with links to the Scattered Spider cybercrime outfit in 2024. Buchanan and Urban’s alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo and Joel Martin Evans — still face charges in the case, officials said. 

Nixon lauded law enforcement for acting decisively to arrest Buchanan during a brief window of opportunity while he was traveling internationally. 

“Com members are obsessed with private jets and foreign vacations, and the feds took that dream away with one arrest,” she said. 

The tactic, which U.S. officials also use against Russian cybercriminals, works because most countries are willing to support in the arrest of foreign criminals, thereby keeping them out of their respective jurisdictions, Nixon said. 

“As a foreigner, he was caught in a weaker legal position than if he was arrested at home, and cases following this tactic tend to have very long sentences,” she added. “The takeaway for Com members watching this case is that criminal foreigners associated with violence are the lowest class in every country. And that’s what Com members are when they travel.”

The Justice Department said Buchanan and his co-conspirators defrauded at least a dozen companies and their employees throughout the United States. A digital device police found at his residence in April 2023 contained personal data on numerous individuals and victim companies, according to his plea agreement.

It’s unclear what transpired between that search in April 2023 in Scotland and his June 2024 arrest at a resort city on the Spanish island of Mallorca. Moreover, his plea agreement doesn’t include the entirety of his alleged crimes. 

Buchanan attracted a lot of attention and successfully coordinated many attacks before a rival Com gang allegedly broke into his home and used a blowtorch on him to extract crypto keys in his possession, according to Nixon. 

Following his arrest, Spanish police said Buchanan had gained control of bitcoin worth more than $27 million at that time. 

While early leaders of Scattered Spider have been arrested or sentenced for their crimes, others have filled those roles with even more exceptional impact. 

The Com has grown to thousands of members, typically between 11 and 25 years old, splintered into three primary subsets the FBI describes as Hacker Com, In Real Life Com and Extortion Com.

Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes. 

You can read the indictment against Buchanan and some of his co-conspirators below.

The post Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety appeared first on CyberScoop.

Vercel customers are at risk of compromise after an attacker hopped through multiple internal systems to steal credentials and other sensitive data, the company said in a security bulletin Sunday. 

The attack, which didn’t originate at Vercel, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions. 

An attacker traversed third-party systems and connections left exposed by employees before it hit the San Francisco-based company that created and maintains Next.js and other popular open-source libraries. 

Researchers at Hudson Rock said the seeds of the attack were planted in February when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments.

Each of the companies are pinning at least some blame for the attack on the other vendor.

Context.ai on Sunday said that breach allowed the attacker to access its AWS environment and OAuth tokens for some users, including a token for a Vercel employee’s Google Workspace account. Vercel is not a Context customer, but the Vercel employee was using Context AI Office Suite and granted it full access, the artificial intelligence agent company said. 

“The attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as sensitive,” Vercel said in its bulletin. 

The company said a limited number of its customers are impacted and were immediately advised to rotate credentials. Vercel, which declined to answer questions, did not specify which internal systems were accessed or fully explain how the attacker gained access to Vercel customers’ credentials. 

Vercel CEO Guillermo Rauch said customer data stored by the company is fully encrypted, yet the attacker got further access through enumeration, or by counting and inventorying specific variables. 

“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI,” he said in a post on X. “They moved with surprising velocity and in-depth understanding of Vercel.”

A threat group identifying itself as ShinyHunters took responsibility for the attack in a post on Telegram and is attempting to sell the stolen data, which they claim includes access keys, source code and databases.

The attacker “is likely an imposter attempting to use an established name to inflate their notoriety,” Austin Larsen, principal threat analyst at Google Threat Intelligence, wrote in a LinkedIn post. “Regardless of the threat actor involved, the exposure risk is real.”

Vercel also warned that the attack on Context’s Google Workspace OAuth app “was the subject of a broader compromise, potentially affecting its hundreds of users across many organizations.” It published indicators of compromise and encouraged customers to review activity logs, review and rotate variables containing secrets.

Context and Vercel said their separate and coordinated investigations into the attack aided by CrowdStrike and Mandiant remain underway.

The post Vercel’s security breach started with malware disguised as Roblox cheats appeared first on CyberScoop.

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 

Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MicroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 

The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia.

The elaborate scheme involved shell companies posing as software development firms, money laundering, and espionage with national security implications. Operatives involved in the conspiracy stole sensitive files from a California-based defense contractor related to U.S. military technology controlled under International Traffic in Arms Regulations (ITAR), officials said.

“Democratic People’s Republic of Korea (DPRK) IT workers are not limited to revenue generation. When tasked, they can operationalize their placement and access to support strategic intelligence requirements, including intellectual property theft, network disruption or extortion,” Michael Barnhart, nation state investigator at DTEX, told CyberScoop.

While most of North Korea’s scheme is focused on revenue, it sometimes applies a dual-use approach, tasking certain privileged IT workers with malicious activity aiding other state-backed hacking groups, Barnhart added.

“Not all IT workers can be hackers but every North Korean hacker can or has been an IT worker,” he said. “This distinction matters for insider‑threat analysis because unlike typical fraudulent hires motivated by personal financial gain, IT workers can inflict national‑security‑level damage.”

Kejia Wang, 42, Zhenzing Wang, 39, and their co-conspirators stole the identities of at least 80 U.S. residents to facilitate the hiring of North Korean operatives and collected at least $696,000 in fees combined, officials said. U.S. victim companies also incurred legal fees, remediation costs and other damages and losses exceeding $3 million. 

Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 

The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.

The conspiracy, which ran from at least 2021 through October 2024, relied in part on shell companies — Hopana Tech, Tony WKJ and Independent Lab — the men set up to create the appearance of legitimate businesses. 

“Pairing a U.S. person, a U.S. address, and a front company such as Independent Lab, the facilitators created the illusion of a legitimate domestic effort allowing the IT workers to present themselves as U.S.-based without triggering suspicion during onboarding or daily workflows,” Barnhart said. 

“Front companies can act as that middle financial flow from victim companies back to DPRK units, which then pushes funds upward through the Workers’ Party of Korea to support whichever program the unit was aligned with, whether weapons development or domestic priorities,” he added. 

These front companies reflect a higher level of tradecraft that exploits a weak spot in insider risk assessments because threats aren’t always a malicious person trying to break into a network, Barnhart said. “Sometimes it looks like an entire company appearing clean on paper.”

Authorities have responded to North Korea’s scheme by targeting U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and seizing cryptocurrency linked to theft. 

Law enforcement wins are stacking up, but researchers warn that North Korea’s operation is massive and consistently evolving. 

The sentencing of Kejia Wang and Zhenxing Wang comes less than a month after a trio of American men were sentenced for similar crimes, including the operation of laptop farms, wire fraud and identity theft. 

The Justice and Treasury Departments have also issued indictments and sanctioned people and entities allegedly involved in North Korea’s effort to send thousands of specialized technical professionals outside of the country to secure jobs under false pretenses and funnel their wages back to Pyongyang.

You can read the full indictments against Kejia Wang and Zhenxing Wang below.

The post US nationals sentenced for aiding North Korea’s tech worker scheme appeared first on CyberScoop.

Authorities from 21 countries took down 53 domains and arrested four people allegedly involved in distributed denial-of-service operations used by more than 75,000 cybercriminals, Europol said Thursday. 

The globally coordinated effort dubbed “Operation PowerOFF” disrupted booter services and seized and dismantled infrastructure, including servers and databases, that supported the DDoS-for-hire services, officials said.

Law enforcement agencies obtained data on more than 3 million alleged criminal user accounts from the seized databases, and ultimately sent more than 75,000 emails and letters to participants, warning them to halt their activities.

Officials from the countries involved in the operation also served 25 search warrants, removed more than 100 URLs advertising DDoS-for-hire services in search engine results and created search engine ads to target young people searching for DDoS-for-hire tools.

The operation, which is ongoing, primarily targets IP stressors or DDoS booters that cybercriminals use to inundate websites, servers and networks with junk traffic, rendering legitimate services inaccessible. 

Officials described DDoS-for-hire tools as prolific and easily accessible, often including tutorials that allow non-tech savvy people to initiate attacks on various organizations.

“Attacks are often regionally focused, with users targeting servers and websites within their continent, and directed at a wide range of targets including online marketplaces, telecommunications providers and other web-based services,” Europol said in a news release. “Motivations vary from curiosity to ideological purposes linked to hacktivism, as well as financial gain through extortion or the disruption of competitors’ services.”

Operation PowerOFF is supported by multiple law enforcement agencies from the United States, United Kingdom, Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Norway, Poland, Portugal, Sweden and Thailand.

The international crackdown disrupted other popular DDoS-for-hire services in late 2024, netting three arrests and 27 domain takedowns. Authorities in Poland in May arrested four alleged administrators of DDoS-for-hire tools that cybercriminals used to launch thousands of attacks from 2022 to 2025.

The post Officials seize 53 DDoS-for-hire domains in ongoing crackdown appeared first on CyberScoop.

The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database.

NIST said it will only prioritize analysis for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, software used in the federal government and critical software defined under Executive Order 14028.

The federal agency’s goal with the change is to achieve long-term sustainability and stabilize the NVD program, which has encountered previous challenges, notably a funding lapse in early 2024 that forced NIST to temporarily stop providing key metadata for many vulnerabilities in the database.

The agency still hasn’t cleared a backlog of unenriched CVEs that built up during that pause and grew since then. 

NIST said it analyzed nearly 42,000 vulnerabilities last year, adding that CVE submissions surged 263% from 2020 to 2025. “We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” the agency said in a blog post announcing the change. 

Indeed, vulnerabilities are increasing across the board. For instance, Microsoft addressed 165 vulnerabilities Tuesday, its second-largest monthly batch of defects on record.

NIST said CVEs that don’t fit its more narrow criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. 

“This will allow us to focus on CVEs with the greatest potential for widespread impact,” the agency said. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”

Researchers and threat hunters who analyze vulnerabilities for CVE Numbering Authorities (CNA) and vendors that publish their own assessments view NIST’s new approach as inevitable.

“They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.

“I’m not sure if it was a herculean task or a sisyphean one, but either way, they were set up for failure under their previous system. This change allows them to prioritize their work,” he added.

NIST’s new approach will impact the vulnerability research community at large, but also put more private companies and organizations in a position to gain more authority as defenders seek out more alternative sources.

Caitlin Condon, vice president of security research at VulnCheck, previously told CyberScoop that prioritization remains a problem, with too many defenders paying attention to vulnerabilities that aren’t worth their time. 

Of the more than 40,000 newly published vulnerabilities that VulnCheck cataloged last year, only 1% of those defects, just 422, were exploited in the wild. 

NIST is also trying to reduce other duplicitous efforts with its new approach, effectively leaning even more on CNAs. CVEs that are submitted with a severity rating will no longer receive a separate CVSS score from NIST, the agency said. 

While the agency remains the ultimate authority providing a government-backed catalog of vulnerability assessments, it acknowledged these changes will affect its users.

“This risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community,” the agency said. “By evolving the NVD to meet today’s challenges, we can ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities.”

The post NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities appeared first on CyberScoop.

Microsoft addressed 165 vulnerabilities affecting its various products and underlying systems, including one actively exploited vulnerability in Microsoft Office SharePoint, in this month’s Patch Tuesday update. 

“By my count, this is the second-largest monthly release in Microsoft’s history,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Microsoft didn’t explain why its monthly batch of patches grew so large this month, but Childs noted that many vulnerability programs are experiencing a significant increase in submissions found by artificial intelligence tools. “For us, our incoming rate has essentially tripled, making triage a challenge, to say the least,” he added. 

The zero-day vulnerability — CVE-2026-32201 — has a CVSS rating of 6.5 and allows attackers to view sensitive information and make changes to disclosed information. Microsoft said the improper input validation defect in Microsoft Office SharePoint allows unauthenticated attackers to perform spoofing over a network.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog shortly after Microsoft’s disclosure. 

Microsoft also addressed a high-severity vulnerability — CVE-2026-33825 — that was publicly known at the time of release. The vendor said the defect in Microsoft Defender is more likely to be exploited and could allow unauthorized attackers to elevate privileges locally.

“What starts as a foothold can quickly become full system domination,” Jack Bicer, director of vulnerability research at Action1, said in a blog post about the vulnerability. 

“Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools and lateral movement across networks,” Bicer said.

Proof-of-concept exploit code for the defect is publicly available, which increases the likelihood of exploitation in the wild, he added.

Microsoft disclosed two critical vulnerabilities this month — CVE-2026-33824 affecting Windows IKE Extension and CVE-2026-26149 affecting Microsoft Power Apps — but designated both of the defects as less likely to be exploited.

More than three-quarters of the vulnerabilities disclosed this month are less likely to be exploited, according to Microsoft. Meanwhile, the company designated 19 vulnerabilities as more likely to be exploited.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft drops its second-largest monthly batch of defects on record appeared first on CyberScoop.

A small group of former Black Basta affiliates have targeted more than 100 employees across dozens of organizations to intrude network systems for potential data theft, ransomware deployment and extortion, according to ReliaQuest.

The social engineering campaign, which involves mass email bombing and Microsoft Teams help desk impersonation, surged last month and dates back to at least May 2025, ReliaQuest said in a report Tuesday. 

Attackers have primarily targeted senior leadership to gain highly privileged access. “Roughly three-quarters of targeted users were executives, directors, managers or similarly high-value roles,” researchers who worked on the report told CyberScoop via email. 

Cybercriminals involved in Black Basta, an offshoot of Conti, scattered after the threat group’s internal chat logs leaked online in February 2025, providing threat researchers and authorities key details about the group’s operations. 

German police publicly identified Oleg Evgenievich Nefedov, a Russian national, as Black Basta’s alleged leader in January. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 other countries globally.

ReliaQuest said the recently observed campaign shares many similarities with previous Black Basta activity and follows the same playbook — tooling, targeting and execution style — associated with the once-prolific ransomware group. 

“That includes the repeated use of remote access tools, a strong concentration in sectors Black Basta historically favored, and a level of speed and coordination that suggests experienced operators are building on a playbook they already know works,” researchers said. 

“We’re careful not to treat any one artifact as definitive proof, but taken together, the similarities are strong enough that we assess it is highly likely former affiliates or closely aligned operators are involved,” ReliaQuest researchers added. 

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment. Threat hunters warned that former members were still actively targeting additional victims earlier this year. 

ReliaQuest released its report, including indicators of compromise, after it observed a particularly sharp spike in activity in March, noting that the group’s targeting was more focused on senior employees.

“The operators are moving very quickly, with parts of the workflow becoming more automated or highly streamlined, which makes the campaign easier to scale and harder for defenders to interrupt before remote access is established,” researchers said.

The top-five sectors targeted in recent Black Basta-style attacks include manufacturing, professional services, finance and insurance, construction and technology, according to ReliaQuest.

Attackers typically bombard targeted employees with hundreds of emails within minutes and then contact targeted users, posing at IT support via direct messages on Microsoft Teams or a phone call. ReliaQuest said it’s observed some attackers achieve remote access minutes after the first sign of an email bomb.

Researchers did not say how many organizations have been successfully intruded as a result of this campaign thus far. 

While extortion appears to be the most likely objective, ReliaQuest cautioned against assuming every attack results in ransomware encryption.

“Based on what we’ve observed, the intrusion chain is built to gain access quickly, understand the environment, and create options for follow-on monetization,” researchers said. “That could lead to data theft, extortion without encryption, or ransomware deployment, depending on the victim and the opportunity.”

The post Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign appeared first on CyberScoop.