#0135
Socket | 17 days ago | LLM report | info
The European Union Agency for Cybersecurity (ENISA) has released a technical advisory on the secure use of package managers ahead of the Cyber Resilience Act's (CRA) strict reporting deadlines in 2026. The advisory highlights critical software supply chain risks, such as typosquatting, compromised maintainers, and dependency confusion, mandating a shift toward continuous dependency monitoring, SBOM generation, and reachability analysis to avoid severe regulatory penalties.
#0134
Canadian Centre for Cyber Security | 17 days ago | LLM report | critical
The Canadian Centre for Cyber Security issued an advisory regarding a critical vulnerability (CVE-2026-21992) affecting Oracle Identity Manager and Oracle Web Services Manager. Organizations utilizing these products are advised to review Oracle's security alerts and apply necessary patches or mitigations.
#0133
CrowdStrike | 17 days ago | LLM report | high
The CrowdStrike 2026 Global Threat Report highlights a shift toward highly evasive, malware-free attacks leveraging valid credentials, AI tools, and supply chain compromises. Adversaries are operating with unprecedented speed, with average breakout times dropping to 29 minutes, while increasingly targeting AI infrastructure, cloud environments, and network edge devices.
#0132
CISA | 17 days ago | LLM report | high
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with five new actively exploited vulnerabilities affecting Apple products, Craft CMS, and Laravel Livewire. Organizations are strongly urged to prioritize timely remediation of these flaws to reduce exposure to cyberattacks.
#0131
Microsoft | 17 days ago | LLM report | high
Microsoft Threat Intelligence observed a significant increase in tax-themed phishing and malware campaigns targeting individuals and accounting professionals. These campaigns utilize sophisticated social engineering, Phishing-as-a-Service (PhaaS) platforms for credential theft, and abused legitimate Remote Monitoring and Management (RMM) tools to establish persistent remote access.
#0130
Huntress | 17 days ago | LLM report | critical
Threat actors breached a network via compromised SonicWall SSLVPN credentials and deployed a sophisticated EDR killer to blind endpoint security prior to a planned ransomware deployment. The malware utilizes a Bring Your Own Vulnerable Driver (BYOVD) technique, dropping a revoked EnCase forensic driver encoded with a novel wordlist substitution cipher to terminate 59 different security processes directly from kernel mode.
#0129
CERT-EU | 17 days ago | LLM report | critical
Cisco has disclosed multiple critical and high-severity vulnerabilities affecting Catalyst SD-WAN Controller and Manager, including CVE-2026-20127, a CVSS 10 authentication bypass exploited in the wild since 2023. Successful exploitation allows unauthenticated remote attackers to gain administrative privileges, manipulate network configurations, and establish persistent access, sometimes by downgrading software to exploit older vulnerabilities.
#0128
CERT-EU | 17 days ago | LLM report | critical
Ivanti has released a security advisory addressing two critical code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile (EPMM) that allow unauthenticated remote code execution. At least one of these flaws is currently being exploited in the wild, prompting urgent recommendations to secure forensic evidence and apply available hotfixes.
#0127
CERT-EU | 17 days ago | LLM report | critical
Cisco has disclosed a critical, unpatched vulnerability (CVE-2025-20393) affecting its Secure Email Gateway and Secure Email and Web Manager appliances. The flaw allows attackers to execute arbitrary commands with root privileges if the Spam Quarantine feature is enabled and exposed to the internet. Organizations are urged to immediately restrict internet access to this feature and contact Cisco TAC to check for indicators of compromise.
#0126
CrowdStrike | 17 days ago | LLM report | low
CrowdStrike has announced the integration of Falcon AI Detection and Response (AIDR) with NVIDIA NeMo Guardrails to secure enterprise AI agents against runtime attacks. The solution provides programmable guardrails to prevent prompt injection, data exposure, and unauthorized actions by applying over 75 built-in classification rules to LLM interactions.
#0125
Projectzero | 17 days ago | LLM report | low
The article details the limitations of mutational coverage-guided grammar fuzzing, specifically its tendency to produce similar samples and struggle with complex function chaining. To mitigate this, the author introduces a methodology using the Jackalope fuzzer that periodically restarts workers to combine generative and mutational fuzzing, significantly improving the discovery rate of unique crashes in targets like libxslt.
#0124
Elastic Security Labs | 17 days ago | LLM report | info
Elastic has introduced Defend for Containers (D4C) in version 9.3.0, providing runtime visibility and detection capabilities for Linux container workloads in Kubernetes environments. The integration captures process and file activity enriched with orchestration metadata, enabling detection engineers to build robust, behavior-based security policies.
#0123
Cisco Talos | 17 days ago | LLM report | high
Threat actors increasingly abuse legitimate native utilities, third-party tools, and cloud service clients for data exfiltration, bypassing traditional static detections. The Exfiltration Framework models the behavioral and forensic characteristics of these tools to enable detection based on execution context, network patterns, and artifact persistence rather than tool presence.
#0122
Infoblox | 17 days ago | LLM report | high
Threat actors are extensively abusing the legitimate Keitaro Tracker platform to conduct domain cloaking, facilitating large-scale, AI-driven investment and tech support scams. By combining traffic distribution systems with AI-generated deepfakes and localized lures, attackers effectively evade automated security scanners while maximizing victim engagement and conversion rates.
#0121
Socket | 17 days ago | LLM report | high
The GlassWorm malware campaign has evolved to deploy 'sleeper' extensions on Open VSX that are subsequently weaponized to download malicious VSIX payloads hosted on GitHub. The malware employs sophisticated evasion techniques, including Russian geofencing, source-to-compiled code mismatches, and utilizing the Solana blockchain as a dead-drop resolver for command and control, ultimately leading to arbitrary Node.js code execution across multiple developer IDEs.
#0120
Huntress | 17 days ago | LLM report | info
Huntress has introduced a new Incident Report Timeline feature for its Managed ITDR platform to combat rapid, identity-driven data exfiltration in cloud environments. This feature provides a chronological narrative of attacker actions and response efforts, enabling faster decision-making and better communication for security teams and MSPs.
#0119
Elastic Security Labs | 17 days ago | LLM report | high
Elastic Security Labs identified a new .NET loader dubbed SILENTCONNECT, which is distributed via phishing emails and Cloudflare Turnstile CAPTCHA pages. The loader utilizes living-off-the-land binaries, PEB masquerading, and UAC bypass techniques to silently install remote monitoring and management (RMM) tools like ScreenConnect for persistent access.
#0118
Huntress | 17 days ago | LLM report | high
Attackers are utilizing the SOAPHound enumeration tool to map Active Directory environments by querying non-existent LDAP attributes. Due to Active Directory's query optimization logic, these queries are transformed into a generic '(! (FALSE))' pattern in Event ID 1644 logs, effectively hiding the tool's signature and bypassing traditional string-based detection mechanisms.
#0117
CrowdStrike | 17 days ago | LLM report | low
CrowdStrike has expanded its FedRAMP High authorized Falcon Platform for Government to include Falcon for XIoT, providing federal agencies with unified visibility, AI-powered risk prioritization, and threat detection across converged IT and OT environments.
#0116
ESET | 17 days ago | LLM report | critical
Ransomware affiliates increasingly rely on EDR killers—ranging from BYOVD exploits and abused anti-rootkits to driverless tools—to disrupt security solutions prior to deploying encryptors. This approach allows encryptors to remain simple while the EDR killers handle complex defense evasion, complicating attribution and defense strategies.