Author: Curated

FBI warns of Kali Oauth stealers

Source: FBI warns of Kali Oauth stealers | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4176464/fbi-warns-of-kali-oauth-stealers.html

ONE SENTENCE SUMMARY:

The FBI warns that Kali365 phishing steals Microsoft 365 OAuth tokens and bypasses MFA via the device authorization flow, urging conditional access blocks and authentication transfer restrictions.

MAIN POINTS:

  1. FBI alerted organizations about a new Kali365-enabled phishing wave targeting Microsoft 365 accounts.
  2. Kali365 captures OAuth access tokens rather than stealing usernames or passwords.
  3. Multi-factor authentication is bypassed because a valid token authenticates the attacker without any credential interception.
  4. Attackers impersonate trusted cloud document-sharing services in convincing phishing emails.
  5. Victims are instructed to enter a specific code on a legitimate Microsoft website.
  6. The entered code authorizes the attacker’s device to access the victim’s Microsoft account.
  7. Mitigation includes conditional access policies blocking device code flow for most users.
  8. Exceptions should be narrowly granted only for essential business processes needing code flow.
  9. Policies that block authentication transfer prevent sign-in rights from being handed off from corporate PCs to mobile devices.
  10. World Economic Forum data shows phishing is CEOs’ top concern and growing across organizations.

TAKEAWAYS:

  1. Token-based phishing can defeat MFA without ever capturing user credentials.
  2. Legitimate login pages don’t guarantee safety when attackers abuse device authorization workflows.
  3. Conditional access controls are central to reducing exposure to device code phishing.
  4. Preventing authentication transfers limits attackers’ ability to persist across devices.
  5. Rising phishing volume makes rapid policy hardening and user awareness critical.

Varonis Announces Integration with the Claude Compliance API

Source: Varonis Blog

Author: Nolan Necoechea

URL: https://www.varonis.com/blog/claude-compliance-api-integration

ONE SENTENCE SUMMARY:

Varonis Atlas integrates Claude Compliance API to monitor enterprise AI use, investigate sessions, detect threats, and govern data-driven risk.

MAIN POINTS:

  1. Integration brings Claude Enterprise and Claude Platform activity into Varonis Atlas AI Security.
  2. Claude Enterprise supports knowledge work across legal, engineering, marketing, finance, and support.
  3. Claude Platform enables building, deploying, and operating AI applications, tools, and agents.
  4. Compliance API integration strengthens monitoring, misuse investigation, and AI risk assessment with context.
  5. Continuous monitoring covers chats, uploaded files, and projects for centralized oversight.
  6. Detection identifies sensitive data exposure, jailbreak attempts, and suspicious prompts during sessions.
  7. Session-level investigations replay full chronological chats to understand intent and context.
  8. Atlas captures Claude Platform admin, configuration, and resource activity, plus audit events, for investigation.
  9. Real-time alerts surface risky behavior linked to policy violations and session activity.
  10. Proactive AI pen testing stress-tests assistants and agents for prompt injection and jailbreak vulnerabilities.

TAKEAWAYS:

  1. Centralizing Claude activity in Atlas improves security team visibility and governance across AI usage.
  2. Session-context monitoring helps distinguish benign mistakes from intentional misuse.
  3. Administrative observability on Claude Platform supports auditing and incident investigations.
  4. Linking AI interactions to data sensitivity and permissions enables better risk prioritization and remediation.
  5. Atlas aims for end-to-end AI security across inventory, testing, runtime guardrails, and compliance reporting.

Tenable One deepens third-party integrations with new Open Connector for unified risk visibility

Source: Tenable Blog

Author: Nathan Dyer

URL: https://www.tenable.com/blog/new-tenable-one-open-connector-extends-third-party-integrations-unified-risk-visibility

ONE SENTENCE SUMMARY:

Tenable One Open Connector ingests unsupported security data, automates mapping and correlation, eliminates silos, and improves exposure visibility.

MAIN POINTS:

  1. Security data fragmentation across many tools prevents unified organizational risk visibility.
  2. Tenable One aims to centralize exposure management across on-prem, cloud, IoT, OT, identity, and AI.
  3. Over 300 validated Tenable One Connectors already integrate many third-party security products.
  4. Open Connector extends ingestion to unsupported tools, spreadsheets, and internal homegrown systems.
  5. Unified visibility reveals contextual relationships, enabling identification of dangerous attack paths.
  6. Broader ingestion supports holistic risk analysis and more accurate exposure prioritization.
  7. Platform flexibility reduces vendor lock-in and supports evolving heterogeneous security stacks.
  8. Automated ingestion keeps risk decisions based on continuously current data, reducing manual updates.
  9. Customizable field mapping allows combining, splitting, and organizing data for tailored insights.
  10. Ingested data is normalized, deduplicated, and correlated for consistent cross-source comparisons.

TAKEAWAYS:

  1. Eliminating silos improves detection of cross-domain attacker pathways and true business risk.
  2. Integrating niche tools and internal databases expands coverage beyond official vendor integrations.
  3. Continuous automated uploads prevent stale data from distorting exposure management decisions.
  4. User-controlled mapping enables analytics aligned to business context rather than vendor templates.
  5. An open connector strategy helps teams keep preferred tools without sacrificing unified visibility.

Microsoft releases open-source tools to operationalize AI agent safety

Source: Microsoft releases open-source tools to operationalize AI agent safety | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4175592/microsoft-releases-open-source-tools-to-operationalize-ai-agent-safety-2.html

ONE SENTENCE SUMMARY:

Microsoft open-sourced Rampart and Clarity to shift AI agent safety into continuous testing and documented design validation workflows.

MAIN POINTS:

  1. Microsoft announced two open-source tools to operationalize safety engineering for agentic AI.
  2. Ram Shankar Siva Kumar argued AI safety must be continuous, not periodic checkpoints.
  3. Agents now have operational privileges, increasing impact of failures and security incidents.
  4. New agent risks include prompt injection, unsafe tool use, privilege escalation, and autonomy mishaps.
  5. Rampart converts red-team findings into repeatable tests executed throughout development and deployment.
  6. Built atop PyRIT, Rampart supports structured adversarial and benign scenario automation.
  7. CI/CD integration aims to catch regressions as agents evolve and configurations change.
  8. Rampart targets cross-prompt injection, unsafe data handling, and insecure tool execution paths.
  9. Clarity validates pre-code assumptions about behavior, permissions, tool interactions, and trust boundaries.
  10. Clarity outputs markdown decision logs in .clarity-protocol/ for PR review and diffable governance.

TAKEAWAYS:

  1. Continuous, automated safety checks are becoming essential as agents gain real-world privileges.
  2. Repeatable red-team tests reduce “one-and-done” reviews and help prevent security regressions.
  3. Capturing design assumptions early strengthens trust boundaries and permission scoping decisions.
  4. Treating safety artifacts like code enables collaboration, review, and accountability in repositories.
  5. Rampart and Clarity align with Microsoft’s broader agent governance strategy, including OWASP-oriented controls.

Microsoft patches two zero-day flaws in Defender

Source: Microsoft patches two zero-day flaws in Defender | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4175970/microsoft-patches-two-zero-day-flaws-in-defender.html

ONE SENTENCE SUMMARY:

Microsoft patched two exploited Microsoft Defender zero-days enabling privilege escalation or protection disruption, urging updates to specific engine/platform versions.

MAIN POINTS:

  1. Emergency fixes address two zero-day flaws in Microsoft Defender malware protection components.
  2. Local attackers can obtain SYSTEM privileges or break antimalware service functionality.
  3. Either outcome helps malware evade detection and increases attacker control.
  4. CISA added CVE-2026-41091 and CVE-2026-45498 to the KEV catalog.
  5. Inclusion in KEV indicates exploitation was observed in the wild.
  6. Researchers link issues to RedSun and UnDefend GitHub exploits by “Nightmare Eclipse.”
  7. CVE-2026-41091 resides in mpengine.dll within the Microsoft Malware Protection Engine.
  8. Improper link resolution before file access underlies CVE-2026-41091; CVSS 7.8 high severity.
  9. CVE-2026-45498 affects MsMpEng.exe, central to real-time monitoring with kernel drivers.
  10. Recommended minimum versions: MPE 1.1.26040.8+ and platform 4.18.26040.7+.

TAKEAWAYS:

  1. Rapid patching is critical because active exploitation against endpoints has been detected.
  2. Verifying component versions matters since platform binaries update less frequently than signatures.
  3. Endpoint fleets using Defender or related products share exposure due to common code components.
  4. Local privilege escalation plus defense disruption creates a powerful combination for malware operations.
  5. Deploying the engine update also remediates an additional RCE, CVE-2026-45584.

Critical vulnerability in Cisco Secure Workload rated at maximum severity

Source: Critical vulnerability in Cisco Secure Workload rated at maximum severity | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4175913/critical-vulnerability-in-cisco-secure-workload-rated-at-maximum-severity.html

ONE SENTENCE SUMMARY:

Cisco Secure Workload on-prem has a CVSS 10 auth-bypass REST API flaw granting site-admin control, requiring immediate patching.

MAIN POINTS:

  1. Vulnerability enables attackers to gain site admin privileges and compromise endpoints.
  2. Cisco Secure Workload controls zero trust, micro-segmentation, and network visibility across enterprises.
  3. Threat actors likely will scan aggressively for exposed, unpatched internal API endpoints.
  4. Site-admin access could modify or dismantle security policies, opening previously restricted pathways.
  5. Multi-tenant deployments face cross-tenant impact, expanding potential exposure across business units or customers.
  6. CVE-2026-20223 has CVSS 10.0, allowing unauthenticated remote authentication bypass.
  7. Crafted HTTP requests to internal REST APIs instantly confer site admin privileges.
  8. Root cause is insufficient validation and authentication on REST API endpoint access.
  9. No workarounds exist; only software updates remediate the issue.
  10. SaaS is already patched, while on-prem customers must upgrade to fixed releases.

TAKEAWAYS:

  1. Prioritize emergency patching for on-prem Secure Workload as if responding to an active incident.
  2. Upgrade targets: 4.0→4.0.3.17, 3.10→3.10.8.3, 3.9 and earlier→migrate forward.
  3. Focus assessment on internal REST API exposure rather than the web management interface.
  4. Treat multi-tenant environments as higher-risk due to potential cross-tenant “blast radius.”
  5. Verify patch status promptly despite no known exploitation reported at disclosure time.

Microsoft shares mitigation for YellowKey Windows zero-day

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/

ONE SENTENCE SUMMARY:

Microsoft issued mitigations for the YellowKey BitLocker zero-day, detailing registry, WinRE, and TPM+PIN changes to reduce exploitation risk.

MAIN POINTS:

  1. YellowKey is a Windows BitLocker zero-day enabling access to protected drives.
  2. Anonymous researcher “Nightmare Eclipse” disclosed it and released a proof-of-concept exploit.
  3. Exploitation uses crafted FsTx files on USB/EFI, booting into WinRE.
  4. Holding CTRL reportedly triggers an unrestricted shell against BitLocker-protected volumes.
  5. Microsoft tracks YellowKey as CVE-2026-45585 and published interim mitigations.
  6. Guidance includes removing autofstx.exe from Session Manager BootExecute registry value.
  7. Mitigation requires reestablishing BitLocker trust for WinRE using CVE-2026-33825 procedures.
  8. Analyst explanation: blocking autofstx.exe stops NTFS replay deleting winpeshl.ini.
  9. Microsoft recommends switching encrypted devices from TPM-only to TPM+PIN pre-boot authentication.
  10. For unencrypted devices, enforce additional startup authentication via Intune/Group Policy settings.

TAKEAWAYS:

  1. Treat WinRE and boot-time paths as critical attack surfaces for BitLocker bypasses.
  2. Implement registry and WinRE trust hardening immediately while awaiting a security update.
  3. Enforcing TPM+PIN materially raises the bar against pre-boot local bypass techniques.
  4. Public PoCs increase likelihood of real-world exploitation, demanding rapid configuration changes.
  5. Validate security controls beyond pentest “reachability,” including detection and configuration effectiveness.

Varonis: The Platform Advantage for Security

Source: Varonis Blog

Author: efeldman@varonis.com (Eugene Feldman)

URL: https://www.varonis.com/blog/platform-advantage

ONE SENTENCE SUMMARY:

Varonis argues that a unified data, AI, and email security platform reduces risk, stops cross-system attacks, and lowers costs versus siloed tools.

MAIN POINTS:

  1. Board-level data security is essential to sustain AI initiatives, innovation, and competitive advantage.
  2. Stitched-together point tools are costly, inefficient, and ineffective against modern multi-system attacks.
  3. Varonis offers one platform spanning data security, AI security, and email security capabilities.
  4. DSPM continuously finds sensitive data, access permissions, and usage across the data estate.
  5. DAM provides agentless database threat and policy-violation monitoring with fast deployment.
  6. DAG enforces least-privilege at scale to reduce overprivileged, exploitable access.
  7. DLP and DDR prevent exfiltration and detect ransomware/insiders using behavioral baselines.
  8. AI SPM, runtime guardrails, and AI governance secure agents/models, prompts, and compliance evidence.
  9. Email Social Engineering Defense blocks phishing/BEC and ties attempts to recipient blast radius.
  10. Unified telemetry, identity graph, and automated remediation improve outcomes and reduce MTTR and TCO.

TAKEAWAYS:

  1. Consolidating security into a single platform improves cross-domain visibility and actionable context.
  2. Correlation across SaaS, cloud, databases, and identities is critical for detecting OAuth abuse.
  3. Preventing AI-driven data exposure requires native sensitivity and permission awareness.
  4. Automated containment actions can minimize blast radius while supporting rollback and dependency checks.
  5. Replacing 5–8 tools can cut integration debt, analyst workload, and compliance reporting effort.

Cybercrime service disrupted for abusing Microsoft platform to sign malware

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/cybercrime-service-disrupted-for-abusing-microsoft-platform-to-sign-malware/

ONE SENTENCE SUMMARY:

Microsoft disrupted Fox Tempest’s malware-signing service, which abused Azure Artifact Signing and supported ransomware campaigns worldwide, by revoking certificates and seizing infrastructure.

MAIN POINTS:

  1. Azure Artifact Signing lets developers obtain Microsoft-backed signatures for released software.
  2. Fox Tempest exploited the service to issue short-lived code-signing certificates for malware.
  3. Over 1,000 certificates and hundreds of Azure tenants/subscriptions supported the MSaaS business.
  4. A U.S. Southern District of New York lawsuit underpinned the disruption action.
  5. Microsoft seized signspace[.]cloud, blocked hosting, and took hundreds of related VMs offline.
  6. Signed binaries impersonated Teams, AnyDesk, PuTTY, and Webex to appear legitimate.
  7. Oyster loaders installed signed malware that enabled Rhysida ransomware deployment on victims.
  8. Threat actors including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 used the service.
  9. Operators likely used stolen U.S./Canada identities to pass Artifact Signing verification.
  10. Telegram marketing offered access for 5,000–9,000 USD-equivalent bitcoin, generating millions in profit.

TAKEAWAYS:

  1. Code-signing trust can be operationalized as a criminal “service” when onboarding controls are bypassed.
  2. Short validity certificates still meaningfully increase malware success by suppressing OS and user suspicion.
  3. Rapid revocation and infrastructure takedowns reduce blast radius, but abuse can scale quickly in cloud ecosystems.
  4. Defenders should treat “signed” as a signal, not proof of safety, and validate publisher reputation.
  5. Cross-industry coordination plus legal action can effectively dismantle enabling platforms for ransomware affiliates.

Inside the 2026 Verizon DBIR: What One Billion Records Revealed About Vulnerability Remediation

Source: Vulnerabilities and Threat Research – Qualys Security Blog

Author: Saeed Abbasi

URL: https://blog.qualys.com/vulnerabilities-threat-research/2026/05/19/inside-the-2026-verizon-dbir-what-one-billion-records-revealed-about-vulnerability-remediation

ONE SENTENCE SUMMARY:

Verizon’s 2026 DBIR shows remediation capacity hitting a human-speed limit as KEV workload explodes, demanding autonomous, machine-speed risk operations.

MAIN POINTS:

  1. Qualys contributed analysis of over one billion anonymized vulnerability remediation records to DBIR.
  2. DBIR uses survival analysis to track KEV remediation over time, not year-end snapshots.
  3. Remediation performance improved across 2022–2024 DBIR cycles at multiple curve milestones.
  4. The 2025 cycle reversed gains: 35% open at Day 28 versus 27% prior.
  5. Long-tail exposure hardened at 9%, equating to roughly 47 million lingering instances.
  6. Median detection-to-closure stayed at nine days, indicating defender effort didn’t decline.
  7. KEV-linked instances increased 7.7x in four years, from 68.7M to 527.3M.
  8. Day-28 open backlog surged from 31M to 184M instances, overwhelming built capacity.
  9. Top performers patch before KEV listing using risk prioritization and threat-context scoring.
  10. Proposed solution shifts to autonomous remediation via machine-speed “Risk Operations Center” pipelines.

TAKEAWAYS:

  1. Measuring vulnerability lifecycles with survival curves reveals systemic backlog dynamics obscured by snapshots.
  2. Growing volume, not weaker execution, is pushing defenders behind despite stable closure speed.
  3. Proactive remediation improved in output but fell in rate because workload grew faster.
  4. Human-gated remediation appears capped by a practical “speed of light” limit.
  5. Closing the structural gap requires architectural automation, not incremental staffing or tooling.

Lyrie: Open-source autonomous pentesting agent

Source: Help Net Security

Author: Sinisa Markovic

URL: https://www.helpnetsecurity.com/2026/05/18/lyrie-ai-autonomous-pentesting-agent/

ONE SENTENCE SUMMARY:

Lyrie is an open-source autonomous pentesting agent paired with the ATP identity protocol, accelerating security workflows with encryption, scanners, and PoC generation.

MAIN POINTS:

  1. Weeks of manual pentesting effort are compressed into a single CLI-driven autonomous workflow.
  2. Lyrie 3.1.0 adds XChaCha20-Poly1305 memory encryption for sensitive threat data.
  3. Seven new PoC generators cover prompt injection, auth bypass, CSRF, open redirect, races.
  4. Additional PoCs address secret exposure and cross-site execution attack scenarios.
  5. Three deep scanners introduced: Rust analysis, taint engine processing, AI code review.
  6. Repository now includes 25 tested commands across security ops, binary analysis, governance.
  7. Packaging splits into lyrie-omega Python CLI and @lyrie/atp TypeScript Node SDK.
  8. Installation supports one-line script or separate pip and npm methods.
  9. The lyrie hack command runs phases from recon through exploitation, PoC generation, and reporting.
  10. Agent Trust Protocol uses Ed25519, delegation, revocation, multisig, with IETF submission planned.

TAKEAWAYS:

  1. Autonomous agents can meaningfully reduce pentest time and required specialized staffing.
  2. Memory encryption and tested command coverage improve operational safety and reliability.
  3. Built-in PoC generation broadens validation for web and LLM-specific vulnerabilities.
  4. SARIF output enables straightforward integration with GitHub Code Scanning pipelines.
  5. ATP provides a practical standard for agent identity, authorization scope, and tamper detection.

Why the best security investment a board can make in 2026 isn’t another tool

Source: Why the best security investment a board can make in 2026 isn’t another tool | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4171883/why-the-best-security-investment-a-board-can-make-in-2026-isnt-another-tool.html

ONE SENTENCE SUMMARY:

Security programs overinvest in tools while lacking unified visibility, leaving credential and system relationship blind spots attackers exploit.

MAIN POINTS:

  1. Boardroom cycles repeatedly approve new tools without closing underlying security gaps.
  2. Enterprises struggle answering basic questions about assets, access, and current activity.
  3. Risk reduction depends more on visibility than detection, prevention, or response tools.
  4. Tool stacks lack unified coverage mapping, creating dangerous unmonitored seams.
  5. Attackers exploit legitimate credentials and trust relationships to move between tool boundaries.
  6. Incident reconstruction often takes days because information exists but isn’t connected.
  7. Security marketing confuses data volume with true visibility and fast, trusted answers.
  8. Effective visibility requires pre-incident understanding of assets and cross-system relationships.
  9. Machine credentials now outnumber tracked assets, often unreviewed and unmonitored.
  10. Boards should prioritize inventory, gap ownership, and rapid end-to-end tracing over new tools.

TAKEAWAYS:

  1. Prioritize an accurate, current “map” of the environment before buying additional controls.
  2. Measure security maturity by speed and confidence answering access-and-activity questions.
  3. Treat gaps between tools as explicit risk areas with defined monitoring responsibility.
  4. Inventory and govern service accounts, API keys, integrations, and AI agents aggressively.
  5. Reframe board oversight from “Are we protected?” to “What can we see?”

19 Cloud Security Challenges and How to Mitigate Risk | Huntress

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/cloud-security-challenges

ONE SENTENCE SUMMARY:

Modern businesses face cloud security challenges, including misconfigurations, identity risks, data exposure, compliance gaps, and shared-responsibility confusion, that significantly affect employees and operations every day.

MAIN POINTS:

  1. Misconfigured storage, networks, and permissions are leading causes of cloud breaches.
  2. Weak identity and access management enables account takeover and privilege escalation.
  3. Insufficient visibility across multi-cloud and SaaS environments hampers threat detection.
  4. Data leakage occurs through insecure APIs, exposed secrets, and improper sharing.
  5. Compliance requirements demand continuous controls, logging, and evidence for audits.
  6. Shared responsibility confusion leaves gaps between provider controls and customer obligations.
  7. Insecure endpoints and remote work devices expand attack surface into cloud resources.
  8. Supply-chain and third-party integrations introduce vulnerabilities and risky permissions.
  9. Ransomware and destructive attacks target cloud backups, snapshots, and management consoles.
  10. Cost and speed pressures can bypass security reviews, increasing technical debt.

TAKEAWAYS:

  1. Prioritize strong IAM: MFA, least privilege, conditional access, and periodic access reviews.
  2. Automate configuration management with guardrails, policy-as-code, and continuous monitoring.
  3. Encrypt sensitive data in transit and at rest; manage keys and secrets securely.
  4. Train employees on phishing, safe sharing, and reporting incidents promptly.
  5. Establish incident response and backup strategies aligned to shared responsibility and compliance.

Upscale vs. Upskill: The Real Cybersecurity Gap

Source: BankInfoSecurity.com RSS Syndication

Author: unknown

URL: https://www.bankinfosecurity.com/blogs/upscale-vs-upskill-real-cybersecurity-gap-p-4119

ONE SENTENCE SUMMARY:

AI is rapidly upscaling enterprise technology, but insufficient upskilling and a weak security mindset create widening gaps, increasing incidents, breaches, and unmet capability needs.

MAIN POINTS:

  1. Cybersecurity faces a divide between inevitable technology scaling and urgent capability building.
  2. AI embeds across enterprises, expanding attack surfaces regardless of organizational readiness.
  3. Competitive pressure drives AI adoption, often sidelining foundational security principles.
  4. “Need to know” and “need to do” access controls are eroding amid rapid deployments.
  5. Generative AI experimentation frequently outpaces governance, risk evaluation, and data-flow understanding.
  6. Stanford’s 2025 AI Index reports 56.4% incident growth, totaling 233 cases in 2024.
  7. Global cybersecurity workforce gap hit 4.8 million unfilled roles, up 19% year-over-year.
  8. SANS/GIAC found 52% of leaders see skill mismatch, not headcount shortage, as primary issue.
  9. In-demand skills increasingly include communication, collaboration, problem solving, and strategic thinking.
  10. Over 58% of organizations attribute breaches to insufficient skills and poor security awareness.

TAKEAWAYS:

  1. Prioritize capability-building to match AI-driven expansion of tools, platforms, and attack surfaces.
  2. Reinforce least-privilege principles before deploying AI systems and integrating new tools.
  3. Establish governance and risk assessment ahead of generative AI pilots and data sharing.
  4. Develop non-technical competencies to translate technical work into business risk decisions.
  5. Start security mindset formation early and sustain it organization-wide, not role-by-role.

AI Agent Security Starts with Scope Control

Source: Cloud Security Alliance

Author: unknown

URL: https://cloudsecurityalliance.org/blog/2026/05/12/ai-agent-security-starts-with-scope-control

ONE SENTENCE SUMMARY:

Enterprise AI agents increasingly cause operational scope violations, demanding runtime behavioral security controls, visibility, ownership, and traceability to prevent incidents.

MAIN POINTS:

  1. AI agents are moving from pilots into production across enterprise workflows.
  2. Scope violations occur when agents exceed intended tasks, authority, or access boundaries.
  3. Over-permissioned integrations and ambiguous prompts frequently drive unintended agent actions.
  4. Autonomy, task chaining, and context drift make agent behavior non-deterministic.
  5. Only 8% report agents never exceeding permissions; 53% see occasional overruns.
  6. Behavior becomes the primary security boundary, not just infrastructure or model protection.
  7. Risks mirror classic threats: privilege escalation, data exposure, unauthorized changes, insider-like activity.
  8. Cascading actions across connected systems amplify blast radius from a single mistake.
  9. 47% experienced an agent-related security incident; 58% needed five hours or longer to respond.
  10. Gaps in inventory, identity/ownership, runtime controls, and forensics hinder effective containment.

TAKEAWAYS:

  1. Treat scope violations as expected operational conditions requiring engineered controls.
  2. Establish complete agent discovery and inventory, including shadow AI deployments.
  3. Assign explicit owners and model agents as governed identities with defined permissions.
  4. Implement runtime authorization, least privilege, and Zero Trust-style continuous verification.
  5. Improve audit logging, session recording, and behavioral monitoring to enable faster investigations.

Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review

Source: Vulnerabilities and Threat Research – Qualys Security Blog

Author: Diksha Ojha

URL: https://blog.qualys.com/vulnerabilities-threat-research/2026/05/12/microsoft-patch-tuesday-may-2026-security-update-review

ONE SENTENCE SUMMARY:

May 2026 Patch Tuesday fixes 137 Microsoft flaws plus 52 Adobe issues, emphasizing deployment, prioritization, and mitigations to reduce risk.

MAIN POINTS:

  1. Microsoft addressed 137 vulnerabilities: 30 critical and 103 important across its ecosystem.
  2. No publicly disclosed zero-day vulnerabilities were included in this month’s Microsoft fixes.
  3. Edge (Chromium-based) accounted for 128 vulnerabilities, patched earlier in the month.
  4. Updates span Hyper-V, .NET, M365 Copilot, Windows Kernel, RDP, MQ, Azure agents, and more.
  5. High-severity impacts include remote code execution, elevation of privilege, and denial-of-service.
  6. Category totals: 61 EoP, 31 RCE, 15 spoofing, 15 disclosure, 8 DoS, 6 bypass.
  7. Notable critical RCEs affect Word/Office, DNS Client, GDI, Netlogon, SharePoint, and WiFi driver.
  8. Azure and identity-related issues include spoofing, disclosure, SSRF, and privilege escalation paths.
  9. Adobe issued 10 advisories fixing 52 vulnerabilities, including 27 critical across creative products.
  10. Qualys guidance provides VMDR detection QQLs, one-click patching via QIDs, and TruRisk mitigations.

TAKEAWAYS:

  1. Prioritize patching RCE and SYSTEM-level EoP bugs to minimize compromise likelihood.
  2. Protect domain controllers by urgently addressing Windows Netlogon network-reachable overflow risk.
  3. Reduce document-based attack surface by accelerating Office/Word updates across endpoints and servers.
  4. Treat Azure, Entra ID, and Copilot-related fixes as critical for cloud identity and data exposure.
  5. When patching is delayed, apply compensating controls and mitigations to immediately lower risk.

Why patching SLAs should be the floor, not the strategy

Source: CISOs step into the AI spotlight | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4169623/why-patching-slas-should-be-the-floor-not-the-strategy.html

ONE SENTENCE SUMMARY:

Patching SLAs create compliance theater by rewarding easy fixes, while true cyber risk persists in hard-to-remediate legacy, architecture, and control gaps.

MAIN POINTS:

  1. CISOs often recite green SLA metrics while significant unresolved vulnerabilities remain.
  2. Quickly closed criticals are typically inexpensive, low-friction remediation tasks.
  3. Difficult issues linger: legacy systems, architectural flaws, identity misconfigurations, and unsupported platforms.
  4. Governance and reporting overemphasize SLA compliance, masking concentrated high-impact exposures.
  5. SLA performance indicates ticketing discipline, not actual security risk reduction.
  6. Fire-drill analogy: repeated success doesn’t prove resilience against unscripted incidents.
  7. Boards can be misled when the riskiest failures live inside the “small” noncompliant percentage.
  8. Expressing cyber risk in dollar terms changes executive prioritization and funding discussions.
  9. Exception processes often become paperwork, letting exposure disappear from dashboards without mitigation.
  10. Meaningful remediation needs capital/opex investment justified by quantified risk reduction.

TAKEAWAYS:

  1. Reframe SLAs as minimum hygiene requirements, not primary vulnerability program success metrics.
  2. Prioritize trending quantified residual risk by business service over raw closure percentages.
  3. Require risk acceptances to include loss exposure, review cadence, and funded remediation plans.
  4. Use attacker-speed evidence (e.g., DBIR, KEV) to challenge long patch timelines for hard changes.
  5. Accept imprecision in CRQ estimates because actionable dollars beat misleading green scorecards.

Your Purple Team Isn’t Purple — It’s Just Red and Blue in the Same Room

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/05/your-purple-team-isnt-purple-its-just.html

ONE SENTENCE SUMMARY:

Autonomous purple teaming uses AI agents to close red-blue validation loops at machine speed, outpacing shrinking exploit windows.

MAIN POINTS:

  1. Night-shift defense suffers from manual handoffs like copying hashes, rewriting scripts, awaiting approvals.
  2. Exploit availability time dropped from 56 days in 2024 to roughly 10 hours.
  3. Defender processes improved to hours, but attacker operations now execute in seconds.
  4. Purple teaming aims to iteratively convert red findings into blue validations continuously.
  5. Traditional execution fails because human coordination introduces meetings, delays, and missed communications.
  6. Tool outputs become artifacts that require reinterpretation, creating fragile “spaghetti” workflows between teams.
  7. Approval and ticketing cycles often exceed exploitation windows, making fixes arrive too late.
  8. AI-assisted adversaries can compromise systems in about 73 seconds, widening operational asymmetry.
  9. Autonomous purple teaming replaces handoffs with auditable agents running end-to-end iterative loops.
  10. Effective autonomy combines automated pentesting, BAS validation, and AI-driven mobilization into one queue.

TAKEAWAYS:

  1. Speed gaps are primarily workflow problems, not analyst competence or tool capability.
  2. Exploit windows now demand validation and remediation cycles measured in minutes, not days.
  3. Operationalizing purple teaming requires eliminating manual knowledge-transfer bottlenecks.
  4. End-to-end autonomous loops must remain transparent, controllable, and reversible for defenders.
  5. Unified action queues based on real exploitability beat CVSS-based prioritization for timely defense.

Why Changing Passwords Doesn’t End an Active Directory Breach

Source: BleepingComputer

Author: Sponsored by Specops Software

URL: https://www.bleepingcomputer.com/news/security/why-changing-passwords-doesnt-end-an-active-directory-breach/

ONE SENTENCE SUMMARY:

Password resets alone may not evict attackers in AD/hybrid Entra ID due to caching, sync delays, tickets, sessions, permissions.

MAIN POINTS:

  1. Changing a password doesn’t instantly invalidate old credentials across all authentication paths.
  2. Windows cached password hashes can allow offline logon using pre-reset credentials.
  3. Hybrid setups add Entra ID synchronization delays where old passwords may still work.
  4. Post-reset states vary depending on device reconnection and successful new logons.
  5. Pass-the-hash attacks reuse captured hashes even after passwords are changed.
  6. Kerberos tickets keep sessions alive without re-entering passwords after resets.
  7. Service accounts’ long-lived, privileged credentials provide resilient attacker fallback access.
  8. Golden and Silver Ticket attacks bypass password checks by forging Kerberos tickets.
  9. ACL abuse and AdminSDHolder modifications can persist privileges despite password changes.
  10. Effective eviction needs session termination, ticket purging, KRBTGT resets, rotations, and directory auditing.

TAKEAWAYS:

  1. Treat password resets as one control within broader incident response, not final remediation.
  2. Reduce reset-gap exposure by forcing sync and updating endpoint cached credentials.
  3. Kick attackers out by terminating sessions and clearing Kerberos tickets on affected systems.
  4. Rotate privileged and service-account credentials to remove reliable persistence mechanisms.
  5. Audit AD changes—memberships, delegated rights, ACLs, privileged roles—to eliminate hidden backdoors.

TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html

ONE SENTENCE SUMMARY:

Checkmarx confirmed a tampered Jenkins AST plugin publication, linked to TeamPCP, highlighting repeated supply-chain compromises and likely incomplete remediation.

MAIN POINTS:

  1. Checkmarx acknowledged a modified Jenkins AST plugin appeared in the Jenkins Marketplace.
  2. Users were told to keep versions 2.0.13-829.vc72453fa_1c16 or earlier.
  3. Checkmarx released version 2.0.13-848.v76e89de8a_053 on GitHub and Marketplace.
  4. Incident updates still suggested a new plugin version was being published.
  5. The company did not explain how the malicious version reached the Marketplace.
  6. TeamPCP was identified as the attacker targeting Checkmarx again.
  7. Earlier compromises included KICS Docker image, VS Code extensions, and GitHub Actions workflow.
  8. Bitwarden CLI npm package was briefly compromised to distribute credential-stealing malware.
  9. Researchers reported unauthorized access to the plugin’s GitHub repo and defacement/renaming.
  10. SOCRadar inferred unrotated credentials or an undetected foothold enabled rapid re-entry.

TAKEAWAYS:

  1. Verify Jenkins plugin versions immediately and roll back if beyond the known-safe build.
  2. Supply-chain trust is being exploited to distribute credential stealers through developer tooling.
  3. Secret rotation and credential hygiene appear central to preventing repeated intrusions.
  4. Monitor code repositories for defacement, renames, and unauthorized administrative actions.
  5. Treat rapid repeat incidents as evidence of incomplete remediation or persistent access.

Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

Source: Unit 42

Author: Stav Setty, Tom Fakterman and Shachar Roitman

URL: https://origin-unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/

ONE SENTENCE SUMMARY:

AD CS misconfigurations enable stealthy certificate-based privilege escalation and persistence, detectable through correlated telemetry, behavioral analytics, and targeted Windows event monitoring.

MAIN POINTS:

  1. AD CS underpins PKI authentication and encryption but often ships with insecure defaults.
  2. Misconfigured certificate templates can grant unintended, long-lived privileged authentication capabilities.
  3. Adversaries exploit native issuance workflows rather than zero-days or malware.
  4. Under-monitoring and configuration complexity create persistent blind spots for defenders.
  5. Attack lifecycle spans initial access, discovery, exploitation, escalation, lateral movement, and persistence.
  6. ESC1 abuses templates allowing low-privileged enrollment with SAN control and auth EKUs.
  7. Shadow credentials persist by adding attacker keys to msDS-KeyCredentialLink for passwordless access.
  8. PKINIT enables Kerberos ticket requests using certificates, facilitating impersonation and lateral movement.
  9. Tools like Certify, Certipy, Whisker, and PKINITtools industrialize AD CS exploitation.
  10. Detection requires correlating certificate events, LDAP reconnaissance, directory changes, and Kerberos activity.

TAKEAWAYS:

  1. Harden templates by removing broad enrollment rights and disabling ENROLLEE_SUPPLIES_SUBJECT where unnecessary.
  2. Investigate mismatches between requester identity and issued certificate subject as strong abuse indicators.
  3. Monitor Event IDs 4886/4887/4898/5136/4768/4769 plus LDAP client/server query logs.
  4. Treat unusual LDAP enumeration of pKICertificateTemplate and msDS-KeyCredentialLink as early warning.
  5. Combine posture management with behavior-based detection to catch stealthy, certificate-driven persistence.

Active attack: Dirty Frag Linux vulnerability expands post-compromise risk

Source: Microsoft Security Blog

Author: Microsoft Defender Security Research Team

URL: https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/

ONE SENTENCE SUMMARY:

Dirty Frag is a Linux local privilege escalation exploiting esp4/esp6 and rxrpc kernel components, enabling reliable root escalation post-compromise.

MAIN POINTS:

  1. Newly disclosed LPE “Dirty Frag” targets Linux kernel networking and memory-fragment handling.
  2. Affected components include esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500).
  3. Public PoCs suggest higher reliability than timing-sensitive race-condition Linux escalation techniques.
  4. Attacks typically follow initial access via SSH, web-shells, container escape, or low-privileged accounts.
  5. Impacted ecosystems include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift.
  6. Microsoft Defender is monitoring related activity and developing detections and protections.
  7. Root access enables disabling security tools, credential theft, log tampering, lateral movement, and persistence.
  8. Multiple kernel attack paths improve consistency across vulnerable environments.
  9. Exploit behavior resembles CopyFail (CVE-2026-31431) via page cache manipulation, with added paths.
  10. Exposure increases where IPsec/VPN and xfrm-related functionality keeps vulnerable modules enabled.

TAKEAWAYS:

  1. Treat any foothold on vulnerable Linux hosts as potentially becoming root quickly.
  2. Reduce attack surface by disabling unused rxrpc and, if feasible, esp/xfrm functionality.
  3. Limit unnecessary local shell availability and harden container boundaries to slow post-compromise escalation.
  4. Monitor aggressively for anomalous privilege changes and kernel-module load/unload activity.
  5. Prepare rapid kernel patch deployment once vendor advisories and fixed builds are available.

Day Zero Readiness: The Operational Gaps That Break Incident Response

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/05/day-zero-readiness-operational-gaps.html

ONE SENTENCE SUMMARY:

Incident response readiness requires pre-provisioned access, tested workflows, clear authority, resilient communications, and adequate logging to act immediately.

MAIN POINTS:

  1. Retainers ensure availability, but operational readiness enables immediate, meaningful incident work.
  2. Early response delays increase attacker dwell time, impact breadth, and recovery costs.
  3. Paper plans don’t equal readiness; speed depends on practiced, executable procedures.
  4. Day Zero priorities are visibility first, then authority for containment actions.
  5. Identity access is most urgent to map blast radius and compromised credentials.
  6. Cloud/SaaS visibility must be immediate because audit telemetry can be ephemeral.
  7. EDR investigator access enables fast host-wide querying and reliable containment decisions.
  8. Centralized logging needs sufficient retention; ninety days minimum supports reconstruction.
  9. Breach conditions require out-of-band communications and a designated incident manager.
  10. Pre-approved access policies must specify triggers, roles, approvals, time-boxing, and revocation.

TAKEAWAYS:

  1. Pre-create dormant IR accounts with MFA across IdP, cloud, EDR, and SIEM.
  2. Eliminate Day Zero legal/procurement friction through pre-cleared external responder access.
  3. Test activation end-to-end via tabletop exercises, timing visibility and containment steps.
  4. Ensure backups are isolated and restorations are validated against attacker reach.
  5. Maintain asset inventory and network maps to reduce investigative blind spots.

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html

ONE SENTENCE SUMMARY:

Palo Alto Networks warns CVE-2026-0300 enables unauthenticated root RCE via PAN-OS Captive Portal, exploited, unpatched until May 13, 2026.

MAIN POINTS:

  1. Palo Alto Networks issued an advisory for a critical PAN-OS buffer overflow vulnerability.
  2. CVE-2026-0300 allows unauthenticated remote code execution with root privileges.
  3. Exploitation occurs through specially crafted packets targeting the User-ID Authentication Portal.
  4. CVSS is 9.3 when the portal is internet/untrusted-network accessible.
  5. Severity drops to 8.7 if access is restricted to trusted internal IPs.
  6. Palo Alto observed limited in-the-wild exploitation against publicly exposed portals.
  7. Affected platforms include PA-Series and VM-Series firewalls using the portal.
  8. Impacted PAN-OS branches span 10.2, 11.1, 11.2, and 12.1 before listed fixed builds.
  9. No patch is currently available; fixes are planned starting May 13, 2026.
  10. Recommended mitigations are restricting portal access to trusted zones or disabling it.

TAKEAWAYS:

  1. Internet-exposed Captive Portal configurations materially increase risk of full device compromise.
  2. Unauthenticated root-level RCE demands immediate defensive configuration changes, not waiting for patches.
  3. Validate whether User-ID Authentication Portal is enabled across PA/VM fleets and identify exposures.
  4. Prioritize upgrading to upcoming fixed releases once available across all impacted PAN-OS versions.
  5. Enforcing least-exposure best practices for management/sensitive portals reduces exploitability significantly.

Before the Breach, There Was a Test Environment

Source: Qualys Security Blog

Author: Amit Patil

URL: https://blog.qualys.com/qualys-insights/2026/05/06/before-the-breach-there-was-a-test-environment-qa-cloud-security

ONE SENTENCE SUMMARY:

Cloud risk often originates in QA environments, where temporary infrastructure, misconfigurations, and excessive entitlements persist, requiring integrated security controls.

MAIN POINTS:

  1. Breaches surface in production, but enabling decisions typically occur earlier in QA.
  2. Temporary test infrastructure frequently becomes permanent, creating shadow assets and exposure.
  3. Internet-facing QA tools like Jenkins attract attackers because they look non-eventful.
  4. QA teams now shape enterprise security via provisioning, CI/CD, and automation frameworks.
  5. Cloud accelerates template reuse, causing risky configurations to propagate across environments.
  6. Four primary QA risk areas include configuration, identity, workloads, and Infrastructure as Code.
  7. CSPM reduces exposure by enforcing benchmarks and detecting drifted or insecure configurations.
  8. CIEM reveals entitlement sprawl where deployment privileges quietly become lasting permissions.
  9. CWP finds vulnerable dependencies, exposed secrets, and runtime compromise within test workloads.
  10. Combined prevention and detection improve outcomes through IaC security and behavioral CDR monitoring.

TAKEAWAYS:

  1. Treat QA as a strategic security control point, not a lower-risk “non-production” zone.
  2. Eliminate public exposure and weak access controls in test infrastructure before attackers find them.
  3. Enforce least privilege for pipelines and service accounts to minimize blast radius.
  4. Scan containers and automation dependencies continuously as production-grade workloads.
  5. Unify posture, entitlement, workload, IaC, and runtime signals to prioritize true business risk.