PODCAST · technology
Cyber Threat Brief
by Carolina Clear Tech, LLC
Your daily cybersecurity briefing. Vulnerabilities, ransomware, threat actors, and patches that matter, explained for IT professionals and business leaders protecting small and mid-sized organizations. From Carolina Clear Tech.
2026-05-04: CVE-2026-41940, a critical authentication-bypass in cPanel/WHM
Show Notes - 2026-05-04
Stories Covered:
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation (CVE-2026-41940) (https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/)
- Microsoft Defender Wrongly Removes DigiCert Certificates from Windows Trust Store (https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/)
- Instructure (Canvas LMS) Breached, ShinyHunters Claims 275M Records Across 9,000 Institutions (https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/)
- DigiCert Breached via SCR Social Engineering, 27 Code-Signing Certificates Used to Distribute Zhong Stealer (https://news.risky.biz/risky-bulletin-digicert-hacked-with-a-malicious-screensaver-file/)
- Zhong Stealer (DigiCert certificate abuse)
- DigiCert Root Certificates Removed by Erroneous Defender Signature
- FEMITBOT Telegram Fraud Infrastructure
- FEMITBOT: Telegram Mini Apps Used for Crypto Scams and Android Malware Distribution (https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/)
- Pig Butchering Crackdown: 276 Arrested, 9 Scam Centers Shut, $701M Seized (https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html)
- Public Voter Records as Re-Identification Attack Surface (https://go.theregister.com/feed/www.theregister.com/2026/05/04/public_voter_records_weaponized_for_privacy_violation/)
- Microsoft Defender Removes DigiCert Root Certificates, Breaks Windows Trust Chains (https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/)
- Five Eyes Agencies Warn Against Rapid Agentic AI Deployment (https://go.theregister.com/feed/www.theregister.com/2026/05/04/five_eyes_agentic_ai_recommendations/)
- OpenAI Launches Advanced Account Security for High-Risk ChatGPT Users (https://www.securityweek.com/openai-rolls-out-advanced-security-for-chatgpt-accounts/)
- Wireshark 4.6.5 (38 CVEs Fixed) (https://isc.sans.edu/diary/rss/32944)
CVEs Referenced: CVE-2026-41940
Indicators of Compromise: IPs: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5
Full brief: https://carolinacleartech.com/brief/2026-05-04/
2026-05-01: CVE-2026-41940 in cPanel/WHM is a CVSS 9.8 authentication bypass that has been exploited in the
Show Notes - 2026-05-01
Stories Covered:
- CVE-2026-41940: cPanel & WHM / WP Squared Authentication Bypass - Actively Exploited Zero-Day, CISA KEV (https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-adds-one-known-exploited-vulnerability-catalog)
- CVE-2026-31431: Linux Kernel "Copy Fail" Local Privilege Escalation - 100% Reliable Public Exploit (https://www.bleepingcomputer.com/news/security/new-linux-copy-fail-flaw-gives-hackers-root-on-major-distros/)
- Former Incident Responders Sentenced to 4 Years for BlackCat/ALPHV Ransomware Attacks (https://www.bleepingcomputer.com/news/security/us-ransomware-negotiators-get-4-years-in-prison-over-blackcat-attacks/)
- Cordial Spider and Snarky Spider: Two New Scattered Spider Affiliates Targeting US Sectors (https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/)
- Multi-Ecosystem Supply Chain Attack Wave: SAP npm, PyTorch Lightning, Intercom, Ruby Gems, and Go Modules (https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html)
- SonicWall Patches Access Control Bypass and Two Other Firewall Vulnerabilities (https://www.securityweek.com/sonicwall-urges-immediate-patching-of-firewall-vulnerabilities/)
- Malicious AI Browser Extensions Surveilling Emails, Intercepting Credentials, and Exfiltrating Prompts (https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/)
- Gemini CLI Flaw Allowed Host Code Execution via Untrusted Workspace Config (https://www.securityweek.com/critical-gemini-cli-flaw-enabled-host-code-execution-supply-chain-attacks/)
- April KB5083769 Windows 11 Update Breaks VSS-Dependent Backup Software (https://www.bleepingcomputer.com/news/microsoft/april-kb5083769-windows-11-update-causes-backup-software-failures/)
- 86% of Phishing Campaigns Now Use AI; Teams and Calendar Invite Vectors Surge (https://go.theregister.com/feed/www.theregister.com/2026/04/30/modern_phishing_campaigns_ai/)
- DPRK IT Worker Fraud: Ongoing Insider Risk for Hiring Organizations (https://databreaches.net/2026/04/30/the-human-element-dprk-it-worker-fraud-and-insider-risk/)
- Versus Project Dark Web Marketplace Operator Extradited to US (https://databreaches.net/2026/04/30/versus-project-marketplace-creator-and-operator-extradited-from-colombia-to-the-united-states/)
- CVE-2026-0204 / CVE-2026-0205 / CVE-2026-0206: SonicWall SonicOS (https://www.securityweek.com/sonicwall-urges-immediate-patching-of-firewall-vulnerabilities/)
- CVE-2026-3087: Python shutil.unpack_archive() Windows Absolute Path Bypass (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3087)
- CVE-2023-5869 / CVE-2023-39417: ABB Ability Symphony Plus Engineering - PostgreSQL RCE (https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-06)
- CVE-2025-14510: ABB Ability OPTIMAX Azure AD SSO Authentication Bypass (https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-04)
- Chromium/Edge Security Update - Multiple CVEs (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7337)
CVEs Referenced: CVE-2023-39417, CVE-2023-5869, CVE-2025-14510, CVE-2026-0204, CVE-2026-0205, CVE-2026-0206, CVE-2026-3087, CVE-2026-31431, CVE-2026-41940, CVE-2026-7337, CVE-2026-7343, CVE-2026-7346, CVE-2026-7351, CVE-2026-7353, CVE-2026-7354, CVE-2026-7360
Indicators of Compromise: Domains: Webhook[.]site. IPs: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, 11.136.1.7, 6.5.5.1, 6.5.5.2
Full brief: https://carolinacleartech.com/brief/2026-05-01/
2026-04-30: A zero-click Windows NTLM credential theft vulnerability (CVE-2026-32202) is under active
Show Notes - 2026-04-30
Stories Covered:
- Windows Shell Zero-Click NTLM Hash Leak (CVE-2026-32202) - Actively Exploited, CISA KEV (https://go.theregister.com/feed/www.theregister.com/2026/04/29/microsoft_zero_click_exploit/)
- GitHub Enterprise Server Critical RCE (CVE-2026-3854) (https://www.bleepingcomputer.com/news/security/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos/)
- Linux "Copy Fail" LPE (CVE-2026-31431) - Root via Page Cache Write (https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html)
- Vect 2.0 Ransomware Functions as a Wiper - Do Not Pay (https://www.darkreading.com/threat-intelligence/vect-ransomware-wiper-design-error)
- Sandhills Medical Foundation Breach - 170,000 Affected, Inc Ransom (https://www.securityweek.com/sandhills-medical-says-ransomware-breach-affects-170000/)
- Japanese Ransomware Payment Study: 60% Fail to Recover Data (https://databreaches.net/2026/04/29/over-200-japanese-firms-have-paid-ransomware-attackers-60-fail-to-recover-data/)
- TeamPCP "Mini Shai-Hulud" - SAP npm Supply Chain Campaign
  - Compromised packages (remove immediately if installed):
  - IOC indicators: (https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html)
- Checkmarx Supply Chain Attack Confirmed: Bitwarden CLI npm Compromised (https://www.securityweek.com/checkmarx-confirms-data-stolen-in-supply-chain-attack/)
- Pine Bluff School District Loses $3.2M in Business Email Compromise (https://databreaches.net/2026/04/29/ar-pine-bluff-school-district-loses-3-2-million-in-business-email-compromise-attack/)
- Exchange Online Blocking TLS 1.0/1.1 for POP3/IMAP4 - July 2026 Deadline (https://go.theregister.com/feed/www.theregister.com/2026/04/29/exchange_online_blocks_old_versions/)
- Claude Mythos Finds 271 Zero-Days in Firefox, Anthropic Withholds Public Release (https://www.schneier.com/blog/archives/2026/04/claude-mythos-has-found-271-zero-days-in-firefox.html)
- AI Agent Identity: Credential Systems Not Built for Non-Human Actors (https://cyberscoop.com/ai-agent-identity-security-anthropic-mythos/)
- CISA Releases Zero Trust Guidance for Operational Technology (https://www.cisa.gov/resources-tools/resources/adapting-zero-trust-principles-operational-technology)
- CVE-2026-34477 - Apache Log4j Core TLS Hostname Verification Bypass (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34477)
- Apache Thrift - Multiple CVEs (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41603)
- CVE-2026-3298 - Windows asyncio Out-of-Bounds Write (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3298)
CVEs Referenced: CVE-2025-48431, CVE-2026-21510, CVE-2026-21513, CVE-2026-31431, CVE-2026-3220, CVE-2026-32202, CVE-2026-3298, CVE-2026-34477, CVE-2026-3854, CVE-2026-41602, CVE-2026-41603, CVE-2026-41607, CVE-2026-41636
Full brief: https://carolinacleartech.com/brief/2026-04-30/
2026-04-29: CISA added two actively exploited vulnerabilities to KEV with a May 12 remediation deadline
Show Notes - 2026-04-29
Stories Covered:
- CISA KEV: ConnectWise ScreenConnect Path Traversal + Windows Shell Spoofing (CVE-2024-1708, CVE-2026-32202) (https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html)
- LiteLLM SQL Injection Exploited in 36 Hours (CVE-2026-42208) (https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html)
- VECT 2.0: Ransomware-as-a-Service That Functions as a Wiper (https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html)
- Feuding RaaS Groups 0APT and KryBit Leak Each Other's Infrastructure (https://www.darkreading.com/threat-intelligence/feuding-ransomware-groups-leak-data)
- LiteLLM SQL Injection Campaign
- GlassWorm VS Code Extension Campaign Scales to 73 New Extensions (https://www.darkreading.com/application-security/fresh-glassworm-vs-code-extensions-supply-chain)
- Hugging Face LeRobot Unpatched RCE via Pickle Deserialization (CVE-2026-25874) (https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html)
- Microsoft Exchange Online Dropping TLS 1.0/1.1 for POP and IMAP Starting July 2026 (https://www.bleepingcomputer.com/news/microsoft/microsoft-to-deprecate-legacy-tls-in-exchange-online-starting-july/)
- Talos Year in Review: Five Defender Priorities (https://blog.talosintelligence.com/five-defender-priorities-from-the-talos-year-in-review/)
- Cyber Insurance Data: MFA Misconfiguration Accounts for 26% of Ransomware Losses (https://www.securityweek.com/cyber-insurance-data-gives-cisos-new-ammo-for-budget-talks/)
- GitHub CVE-2026-3854 - Critical RCE via git push (CVSS 8.7) (https://thehackernews.com/2026/04/researchers-discover-critical-github.html)
- Hugging Face LeRobot CVE-2026-25874 - Unpatched RCE via Pickle Deserialization (CVSS 9.3) (https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html)
- MSRC Advisory Batch - Low-Severity Linux Kernel and Dependency CVEs (https://msrc.microsoft.com/update-guide/)
CVEs Referenced: CVE-2024-1708, CVE-2024-1709, CVE-2026-21510, CVE-2026-21513, CVE-2026-22701, CVE-2026-24051, CVE-2026-25874, CVE-2026-27141, CVE-2026-31548, CVE-2026-31584, CVE-2026-31661, CVE-2026-31686, CVE-2026-32202, CVE-2026-33999, CVE-2026-3854, CVE-2026-41898, CVE-2026-42208
Indicators of Compromise: Domains: 27[.]132, 25[.]67., 25[.]67
Full brief: https://carolinacleartech.com/brief/2026-04-29/
2026-04-28: APT28's exploit chain targeting Windows Shell (CVE-2026-32202) is confirmed actively exploited
Show Notes - 2026-04-28
Stories Covered:
- Windows Shell Spoofing Actively Exploited by APT28 (CVE-2026-32202) (https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html)
- D-Link DIR-823X RCE Deployed for Mirai Botnet, No Patch Available (CVE-2025-29635) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- React2Shell Under AI-Assisted Mass Exploitation (CVE-2025-55182) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- OpenSSH Root Shell Flaw, 15 Years Old, No Log Trace (CVE-2026-35414) (https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/)
- Bitwarden CLI Supply Chain Compromise via TeamPCP/Checkmarx Cascade (CVE-2026-33634) (https://isc.sans.edu/diary/rss/32926)
- Akira Ransomware Now Drives 40%+ of Cyber Insurance Claims via SonicWall VPN Exploitation (https://databreaches.net/2026/04/27/one-ransomware-crew-now-drives-half-of-all-cyber-claims-at-bay/)
- ShinyHunters Breaches ADT (5.5M Records) and Medtronic (9M Claimed) via Vishing/Okta SSO (https://www.bleepingcomputer.com/news/security/home-security-giant-adt-data-breach-affects-55-million-people/)
- GlassWorm v2 Malicious VS Code Extensions in OpenVSX (https://www.bleepingcomputer.com/news/security/glassworm-malware-attacks-return-via-73-openvsx-sleeper-extensions/)
- UNC6692 Uses Microsoft Teams Help Desk Impersonation to Deploy "Snow" Malware Suite (https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html)
- FIRESTARTER Backdoor on Cisco ASA Survives Patches and Reboots (CVE-2025-20333, CVE-2025-20362) (https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html)
- PyPI elementary-data Backdoored via GitHub Actions PR Comment Injection (1.1M Monthly Downloads) (https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/)
- Fidelity Brokerage Fined $1.25M for 2024 IDOR Breach Affecting 77,000 Customers (https://databreaches.net/2026/04/27/regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach/)
- Microsoft Entra ID Agent ID Administrator Role Allowed Arbitrary Service Principal Takeover (Patched April 9) (https://thehackernews.com/2026/04/microsoft-patches-entra-id-role-flaw.html)
- Windows RDP Security Warnings Display Incorrectly on Multi-Monitor Setups (April 2026 Updates) (https://www.bleepingcomputer.com/news/microsoft/microsoft-new-remote-desktop-warnings-may-display-incorrectly/)
- Huntress EDR/ITDR Correlation: Infostealer on Endpoint Now Auto-Triggers Identity Lockdown (https://www.huntress.com/blog/edr-itdr-correlations)
- PhantomCore Exploiting TrueConf Server Chain for Lateral Movement Across Russian Networks (https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html)
- Deepfake Voice Attacks Up 680% in 2025, Finance Teams and IT Help Desks Primary Targets (https://www.bleepingcomputer.com/news/security/deepfake-voice-attacks-are-outpacing-defenses-what-security-leaders-should-know/)
- Silk Typhoon (Hafnium) Contractor Extradited to US from Italy (https://www.bleepingcomputer.com/news/security/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage/)
- Vercel Discloses Breach via Context.ai OAuth Token Theft
- ASP.NET Core Cookie Forgery Enables SYSTEM-Level Access (CVE-2026-40372) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- LMDeploy SSRF Exploited Within 13 Hours of Disclosure (CVE-2026-33626) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- Unpatched Windows RPC Privilege Escalation (PhantomRPC, Five Exploit Paths) (https://www.darkreading.com/vulnerabilities-threats/unpatched-phantomrpc-flaw-windows-privilege-escalation)
- Apple iOS/iPadOS Notification Services Flaw Retained Deleted Alerts (CVE-2026-28950) (https://research.checkpoint.com/2026/27th-ap ...
2026-04-27: Firefox and Tor Browser carry an active cross-session fingerprinting flaw (CVE-2026-6770) that
Show Notes - 2026-04-27
Stories Covered:
- Firefox and Tor Browser User Fingerprinting via IndexedDB (CVE-2026-6770) (https://www.securityweek.com/firefox-vulnerability-allows-tor-user-fingerprinting/)
- Hasbro Delays Q1 Financials After March Cyberattack (https://news.risky.biz/risky-bulletin-new-fingerprinting-technique-can-track-tor-users/)
- SafePay Leaks Favelle Favco Data; TridentLocker Posts RT Software (https://news.risky.biz/risky-bulletin-new-fingerprinting-technique-can-track-tor-users/)
- Itron Internal Network Breach (112 Million Utility Endpoints) (https://www.bleepingcomputer.com/news/security/american-utility-firm-itron-discloses-breach-of-internal-it-network/)
- Fake CAPTCHA IRSF Campaign Silently Sends 60 International SMS Messages Per Session (https://thehackernews.com/2026/04/fake-captcha-irsf-scam-and-120-keitaro.html)
- CVE-2018-0734: OpenSSL DSA Timing Side-Channel (MSRC Resurface) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0734)
- US Crackdown on Southeast Asia Cyberscam Operations; Cambodian Senator Sanctioned (https://www.securityweek.com/us-launches-sweeping-crackdown-on-southeast-asia-cyberscams-and-sanctions-cambodian-senator/)
- OneIndia Media Group Breached by Afghani Hacktivist Group (https://news.risky.biz/risky-bulletin-new-fingerprinting-technique-can-track-tor-users/)
- DeFi Platforms Lose $606M in 18 Days (https://news.risky.biz/risky-bulletin-new-fingerprinting-technique-can-track-tor-users/)
- CVE-2026-6770: Firefox IndexedDB Cross-Session Fingerprinting
- CVE-2018-0734: OpenSSL DSA Timing Side-Channel
CVEs Referenced: CVE-2018-0734, CVE-2026-6770
Full brief: https://carolinacleartech.com/brief/2026-04-27/
2026-04-26: UNC6692 is deploying a new multi-component malware suite called "Snow" through Microsoft Teams
Show Notes - 2026-04-26
Stories Covered:
- UNC6692 "Snow" Malware Suite Deployed via Microsoft Teams Social Engineering (https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/)
- Snow Malware Toolkit (UNC6692) (https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/)
- CVE-2022-2068 - OpenSSL c_rehash Script Command Injection (EPSS 95th Percentile) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2068)
- CVE-2026-41677 - rust-openssl Out-of-Bounds Read in PEM Password Callback (EPSS 25th Percentile) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41677)
- CVE-2026-41079 - OpenPrinting CUPS Heap Out-of-Bounds Read via SNMP (EPSS 2nd Percentile) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41079)
- Linux Kernel ksmbd and SMB Server/Client CVEs (Batch - MSRC Publication) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31610)
- Additional Linux Kernel CVEs (Low EPSS, Infrastructure Context)
CVEs Referenced: CVE-2022-2068, CVE-2026-23414, CVE-2026-23420, CVE-2026-23422, CVE-2026-31536, CVE-2026-31537, CVE-2026-31557, CVE-2026-31565, CVE-2026-31566, CVE-2026-31570, CVE-2026-31589, CVE-2026-31590, CVE-2026-31593, CVE-2026-31599, CVE-2026-31602, CVE-2026-31606, CVE-2026-31608, CVE-2026-31610, CVE-2026-31611, CVE-2026-31612, CVE-2026-31613, CVE-2026-31617, CVE-2026-31618, CVE-2026-31619, CVE-2026-31620, CVE-2026-31621, CVE-2026-31624, CVE-2026-31626, CVE-2026-31627, CVE-2026-31637, CVE-2026-31646, CVE-2026-31651, CVE-2026-31660, CVE-2026-31663, CVE-2026-31672, CVE-2026-41079, CVE-2026-41677
Full brief: https://carolinacleartech.com/brief/2026-04-26/
2026-04-25: Patched Cisco firewalls are not safe - the FIRESTARTER backdoor survives firmware updates and
Show Notes - 2026-04-25
Stories Covered:
- FIRESTARTER Backdoor on Cisco ASA/FTD Firewalls Survives Patching (CVE-2025-20333, CVE-2025-20362) (https://www.bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/)
- CISA Adds Four Exploited Vulnerabilities to KEV - Federal Deadline May 8, 2026 (CVE-2024-7399, CVE-2024-57726, CVE-2024-57728, CVE-2025-29635) (https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog)
- BlackFile Extortion Group Vishing Retail and Hospitality Organizations (https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/)
- HHS OCR Settles Four HIPAA Ransomware Investigations - $1.165M Total, 427K+ Individuals Affected (https://databreaches.net/2026/04/24/ocr-announces-settlements-of-four-ransomware-investigations-that-affected-over-427000-individuals/)
- ADT Confirms Data Breach via ShinyHunters Vishing/Okta SSO Compromise (https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/)
- FIRESTARTER / LINE VIPER (Cisco ASA/FTD - UAT-4356)
- Snow Malware Ecosystem (UNC6692 - Teams Vishing)
- npm Supply Chain - Shai-Hulud Campaign
- UNC6692 Using Microsoft Teams and Snow Malware to Steal Credentials (https://go.theregister.com/feed/www.theregister.com/2026/04/25/new_crime_crew_impersonates_help_desks/)
- npm Ecosystem Under Sustained Supply Chain Attack - Shai-Hulud Successor Campaign (https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/)
- Over 10,000 Zimbra Servers Vulnerable to Actively Exploited XSS (https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable/)
- Microsoft Entra Passkeys Rolling Out to Windows Devices Late April (https://www.bleepingcomputer.com/news/microsoft/microsoft-to-roll-out-entra-passkeys-on-windows-in-late-april/)
- Microsoft Releases Copilot Removal Policy for Enterprise Devices (https://www.bleepingcomputer.com/news/microsoft/microsoft-now-lets-admins-uninstall-copilot-on-enterprise-devices/)
- UNC3944 Leader and BlackCat Insider Plead Guilty (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-17-7/)
- China-Linked Groups Expanding Proxy Botnets to Mask Attack Origins (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-17-7/)
- 26 Fake Cryptocurrency Wallet Apps Found on Apple App Store (https://thehackernews.com/2026/04/26-fakewallet-apps-found-on-apple-app.html)
- NASA Chinese Spear-Phishing Campaign - Export Control Violations (https://thehackernews.com/2026/04/nasa-employees-duped-in-chinese.html)
- Pack2TheRoot - PackageKit Local Privilege Escalation (CVE-2026-41651) (https://www.bleepingcomputer.com/news/security/new-pack2theroot-flaw-gives-hackers-root-linux-access/)
- MSRC CVE Publications (April 25, 2026)
CVEs Referenced: CVE-2024-57726, CVE-2024-57728, CVE-2024-7399, CVE-2025-13763, CVE-2025-20333, CVE-2025-20362, CVE-2025-29635, CVE-2026-23428, CVE-2026-23434, CVE-2026-41080, CVE-2026-41205, CVE-2026-41651
Indicators of Compromise: Domains: checkmarx[.]cx
Full brief: https://carolinacleartech.com/brief/2026-04-25/
2026-04-24: Two actively exploited Windows privilege escalation zero-days have CISA deadlines bearing down
Show Notes - 2026-04-24
Stories Covered:
- CVE-2026-33825 (BlueHammer) and CVE-2025-60710 - Windows Zero-Days Actively Exploited, CISA KEV (https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-microsoft-defender-flaw-exploited-in-zero-day-attacks/)
- FIRESTARTER Backdoor on Cisco ASA/FTD - Persists Through Patches, State-Sponsored (https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/)
- CVE-2026-39987 - Marimo Remote Code Execution, CISA KEV (https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog)
- Trigona Ransomware Returns With Custom Exfiltration Tool (https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-use-custom-exfiltration-tool-to-steal-data/)
- Mile Bluff Medical Center Ransomware Incident (https://databreaches.net/2026/04/23/mile-bluff-medical-center-says-security-incident-that-involved-data-encryption-disrupted-phone-computer-systems/)
- RAMP Cybercrime Marketplace Leak Analysis (https://databreaches.net/2026/04/23/ramp-uncovered-anatomy-of-russias-ransomware-marketplace/)
- Kyber Ransomware Uses Post-Quantum Cryptography (https://arstechnica.com/security/2026/04/now-even-ransomware-is-using-post-quantum-cryptography/)
- FIRESTARTER (Cisco ASA/FTD Backdoor) (https://www.cisa.gov/news-events/analysis-reports/ar26-113a)
- Bitwarden CLI Supply Chain Attack (https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/)
- GopherWhisper APT (China-Linked) (https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/)
- LMDeploy SSRF Exploitation (CVE-2026-33626) (https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html)
- UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware (https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html)
- Bitwarden CLI NPM Package Compromised in Supply Chain Attack (https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/)
- Help Desk Password Reset Procedures Remain a Primary Attack Vector (https://www.bleepingcomputer.com/news/security/regular-password-resets-arent-as-safe-as-you-think/)
- PhantomRPC - Unpatched Windows RPC Privilege Escalation to SYSTEM (https://securelist.com/phantomrpc-rpc-vulnerability/119428/)
- CVE-2026-35431 - Microsoft Entra ID Entitlement Management SSRF/Spoofing (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431)
- CVE-2026-33102 - M365 Copilot Elevation of Privilege (Open Redirect) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33102)
- CVE-2026-33819 - Microsoft Bing Remote Code Execution (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819)
- CISA and 14 International Agencies Warn on China-Nexus Covert Device Networks (https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a)
- GopherWhisper APT Abuses Slack, Discord, and Outlook Graph API for C2 (https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/)
- LMDeploy CVE-2026-33626 SSRF Exploited in Under 13 Hours (https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html)
- Apple Patches iOS CVE-2026-28950 - Signal Notification Data Retained After Deletion (https://isc.sans.edu/diary/rss/32922)
- npm Supply Chain Malware Surge (https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html)
- Milesight IP Cameras - Multiple Critical CVEs (CVE-2026-28747, CVE-2026-32644, CVE-2026-20766, CVE-2026-32649, CVE-2026-2874, CVE-2026-27785) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03)
- Intrado 911 Emergency Gateway - Path Traversal (CVE-2026-6074) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-06)
- Xiongmai XM530 IP Camera - Authentication Bypass (CVE-2 ...
2026-04-23: Microsoft Defender is under active exploitation: CVE-2026-33825 lets attackers pull NTLM hashes
Show Notes - 2026-04-23
Stories Covered:
- Microsoft Defender Insufficient Granularity of Access Control (CVE-2026-33825) (https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog)
- Microsoft ASP.NET Core Privilege Escalation (CVE-2026-40372) (https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html)
- Kyber Ransomware: Dual-Platform Attacks with Post-Quantum Claims (https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/)
- 'The Gentlemen' Ransomware Group Scales Rapidly (https://www.darkreading.com/threat-intelligence/gentlemen-rapidly-rise-ransomware)
- Kyber Ransomware
- CanisterSprawl npm Worm
- Checkmarx Supply Chain Attack
- Checkmarx Developer Toolchain Supply Chain Compromise (https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html)
- CanisterSprawl npm/PyPI Self-Propagating Worm (https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html)
- Mirai Botnet Exploiting Command Injection in Discontinued D-Link Routers (https://www.securityweek.com/mirai-botnet-targets-flaw-in-discontinued-d-link-routers/)
- BlueLeaks 2.0: 8.3 Million Anonymous Tips Exposed in Navigate360/P3 Breach (https://databreaches.net/2026/04/22/blueleaks-2-0-7300-schools-referral-systems-reported-and-a-breach-navigate360-still-hasnt-publicly-confirmed/)
- NCSC Officially Endorses Passkeys as Default Authentication Standard (https://go.theregister.com/feed/www.theregister.com/2026/04/23/ncsc_passkey_tech_now_reliable/)
- Microsoft Teams Security Detection Report and External User Reporting Coming in June (https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-gets-efficiency-mode-for-hardware-constrained-devices/)
- CVE-2026-40372 - ASP.NET Core DataProtection Privilege Escalation (CVSS 9.1) (https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html)
- CVE-2026-6507 - Dnsmasq Out-of-Bounds Write in DHCP Processing (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6507)
- CVE-2026-3219 - pip Does Not Reject Concatenated ZIP/tar Archives (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3219)
- CVE-2026-31432, CVE-2026-31476, CVE-2026-31477, CVE-2026-31444 - Linux Kernel ksmbd (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432)
CVEs Referenced: CVE-2026-31432, CVE-2026-31444, CVE-2026-31476, CVE-2026-31477, CVE-2026-3219, CVE-2026-33825, CVE-2026-40372, CVE-2026-6507
Indicators of Compromise: Domains: api-monitor[.]com, icp0[.]io, checkmarx[.]cx
Full brief: https://carolinacleartech.com/brief/2026-04-23/
2026-04-22: Federal agencies have until Friday to patch Cisco SD-WAN Manager against four actively exploited
Show Notes - 2026-04-22
Stories Covered:
- CISA Adds Cisco SD-WAN Manager Flaws to KEV, April 23 Deadline (CVE-2026-20122, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128) (https://www.bleepingcomputer.com/news/security/cisa-flags-new-sd-wan-flaw-as-actively-exploited-in-attacks/)
- Apache ActiveMQ Actively Exploited, 6,400 Servers Still Exposed (CVE-2026-34197) (https://www.bleepingcomputer.com/news/security/actively-exploited-apache-activemq-flaw-impacts-6-400-servers/)
- Microsoft SharePoint Zero-Day Exploited, 1,300+ Servers Unpatched (CVE-2026-32201) (https://www.bleepingcomputer.com/news/security/over-1-300-microsoft-sharepoint-servers-vulnerable-to-ongoing-attacks/)
- Bomgar RMM Critical RCE Under Active Exploitation, Ransomware-Linked (CVE-2026-1731) (https://www.darkreading.com/cyberattacks-data-breaches/surge-bomgar-rmm-exploitation-demonstrates-supply-chain-risk)
- The Gentlemen Ransomware: 1,570+ Victims, Mostly Unreported (https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html)
- Ransomware Negotiator Pleads Guilty to Betraying Victims to BlackCat (ALPHV) (https://www.bleepingcomputer.com/news/security/former-ransomware-negotiator-pleads-guilty-to-blackcat-attacks/)
- Congress Considers Terrorism Labels, Homicide Charges for Healthcare Ransomware (https://go.theregister.com/feed/www.theregister.com/2026/04/21/exfbi_cyber_chief_urges_felony_charges_ransomware/)
- SystemBC (The Gentlemen affiliate)
- LOTUSLITE (Mustang Panda)
- Bomgar RMM Exploitation Enabling Ransomware and MSP Supply Chain Attacks
- North Korean IT Workers Infiltrating Hiring Pipelines via Workday API Abuse (https://www.microsoft.com/en-us/security/blog/2026/04/21/detection-strategies-cloud-identities-against-infiltrating-it-workers/)
- Phishing Responsible for 40% of Initial Access in 2025; MFA Spray Surging (https://blog.talosintelligence.com/phishing-and-mfa-exploitation-targeting-the-keys-to-the-kingdom/)
- Microsoft Out-of-Band Patch: ASP.NET Core Data Protection Auth Cookie Forgery (CVE-2026-40372) (https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/)
- Windows Defender Being Turned Against Users via PoC Exploits (https://www.darkreading.com/cyberattacks-data-breaches/exploits-turn-windows-defender-attacker-tool)
- Mustang Panda LOTUSLITE Targets Indian Banks, South Korean Policy Community (https://thehackernews.com/2026/04/mustang-pandas-new-lotuslite-variant.html)
- Scattered Spider Member "Tylerb" Pleads Guilty (https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/)
- Cohere AI Terrarium Sandbox Escape Enables Root Code Execution (CVE-2026-5752) (https://thehackernews.com/2026/04/cohere-ai-terrarium-sandbox-flaw.html)
- Progress Patches RCE, Command Injection Flaws in MOVEit WAF and LoadMaster (https://www.securityweek.com/progress-patches-multiple-vulnerabilities-in-moveit-waf-loadmaster/)
- Siemens ICS Advisory Batch (CISA ICS Advisories)
- SenseLive X3050 ICS Device (ICSA-26-111-12)
- Silex Technology SD-330AC and AMC Manager (ICSA-26-111-10)
- Hardy Barth Salia EV Charge Controller (ICSA-26-111-05)
CVEs Referenced: CVE-2015-5621, CVE-2022-0778, CVE-2023-44373, CVE-2023-46604, CVE-2025-10371, CVE-2025-2884, CVE-2025-40745, CVE-2025-5873, CVE-2025-6965, CVE-2026-1731, CVE-2026-20122, CVE-2026-20127, CVE-2026-20128, CVE-2026-20133, CVE-2026-24032, CVE-2026-27668, CVE-2026-32201, CVE-2026-32955, CVE-2026-32956, CVE-2026-33892, CVE-2026-34197, CVE-2026-40372, CVE-2026-5752
Indicators of Compromise: Domains: gleeze[.]com, cosmosmusic[.]com
Full brief: https://carolinacleartech.com/brief/2026-04-22/
2026-04-21: CISA added 8 CVEs to the KEV catalog including three Cisco Catalyst SD-WAN Manager flaws (federal
Show Notes - 2026-04-21
Stories Covered:
Today:
- CISA Adds 8 Exploited Vulnerabilities to KEV - Cisco SD-WAN Deadline April 23 (https://thehackernews.com/2026/04/cisa-adds-8-exploited-flaws-to-kev-sets.html)
- Apache ActiveMQ CVE-2026-34197 and Windows Task Host CVE-2025-60710 Actively Exploited (https://research.checkpoint.com/2026/20th-april-threat-intelligence-report/)
- Windows Server April Update KB5082063 Causing Domain Controller Restart Loops (https://go.theregister.com/feed/www.theregister.com/2026/04/20/microsoft_releases_a_windows_server_update_fix/)
- Gentlemen RaaS Deploys SystemBC Botnet; Adaptavist Breach Spawns Phishing Lures (https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/)
- Ransomware Negotiator Pleads Guilty to Feeding Client Intel to BlackCat (https://www.justice.gov/opa/pr/florida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and)
- Minidoka Memorial Hospital Cyberattack; New 'Blackwater' Group Claims Responsibility (https://databreaches.net/2026/04/20/minidoka-memorial-hospital-updates-easter-morning-cyberattack/)
- Axios npm Supply Chain Compromise - North Korea-Linked RAT (https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager)
- WAV File Used as Malware Container (https://isc.sans.edu/diary/rss/32910)
- Microsoft Teams Helpdesk Impersonation Attacks Targeting Enterprise Networks (https://www.bleepingcomputer.com/news/security/microsoft-teams-increasingly-abused-in-helpdesk-impersonation-attacks/)
- Anthropic MCP STDIO Architecture Flaw Enables RCE Across AI Frameworks (https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html)
- Microsoft Entra Managed Identities: Credential Elimination at Scale (https://www.microsoft.com/en-us/security/blog/2026/04/20/making-opportunistic-cyberattacks-harder-by-design/)
- Scattered Spider Leader Tyler Buchanan Pleads Guilty; Faces 22 Years (https://www.bleepingcomputer.com/news/security/british-scattered-spider-hacker-pleads-guilty-to-crypto-theft-charges/)
- Vercel Breach Traced to Compromised AI Tool OAuth Tokens (https://thehackernews.com/2026/04/weekly-recap-vercel-hack-push-fraud.html)
- Law Enforcement Takes Down 53 DDoS-for-Hire Domains (https://thehackernews.com/2026/04/weekly-recap-vercel-hack-push-fraud.html)
- SGLang CVE-2026-5760 (CVSS 9.8): RCE via Malicious GGUF Model Files (https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html)
- Splunk Enterprise CVE-2026-20204: Low-Privilege File Upload to RCE (https://research.checkpoint.com/2026/20th-april-threat-intelligence-report/)
- GitHub Copilot and Visual Studio Code CVE-2026-21523 (RCE) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21523)
CVEs Referenced: CVE-2023-27351, CVE-2024-27199, CVE-2024-34359, CVE-2025-2749, CVE-2025-32975, CVE-2025-48700, CVE-2025-60710, CVE-2025-61620, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, CVE-2026-20204, CVE-2026-21523, CVE-2026-30615, CVE-2026-30623, CVE-2026-30624, CVE-2026-33825, CVE-2026-34197, CVE-2026-40933, CVE-2026-5760
Indicators of Compromise:
- Domains: Sfrclak[.]com
Full brief: https://carolinacleartech.com/brief/2026-04-21/
2026-04-20: Microsoft's April Patch Tuesday broke domain controllers across all supported Windows Server
Show Notes - 2026-04-20
Stories Covered:
Today:
- Microsoft Emergency Out-of-Band Updates: Domain Controller LSASS Crash Loop (https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-updates-to-fix-windows-server-issues/)
- Qilin's 2024 NHS Synnovis Attack - Still Disrupting Patient Care in 2026 (https://databreaches.net/2026/04/19/qilins-2024-attack-on-nhs-vendor-continues-to-impact-patient-care-for-one-nhs-trust/)
- FakeWallet iOS Crypto Stealer - App Store Distribution (https://securelist.com/fakewallet-cryptostealer-ios-app-store/119482/)
- Vercel Breached via Third-Party AI Tool Supply Chain - ShinyHunters Selling Data for $2M (https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html)
- Apple Account Change Alerts Abused for Callback Phishing (https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/)
- Half of 6 Million Internet-Facing FTP Servers Lack Encryption (https://www.securityweek.com/half-of-the-6-million-internet-facing-ftp-servers-lack-encryption/)
- Microsoft Teams Launch Failures - Service Update Reverted (https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-teams-client-launch-failures-caused-by-service-update/)
- ZionSiphon OT Malware Targets Israeli Water and Desalination Infrastructure (https://thehackernews.com/2026/04/researchers-detect-zionsiphon-malware.html)
- NIST Stops Enriching Non-Priority CVEs - NVD Triage Impact (https://www.bleepingcomputer.com/news/security/nist-to-stop-rating-non-priority-flaws-due-to-volume-increase/)
- AI Agent Security: MCP Design Flaws and GitHub Actions Credential Theft (https://go.theregister.com/feed/www.theregister.com/2026/04/19/ai_vendors_response_to_security/)
- Windows Server Emergency OOB Updates (Multiple KB Articles)
- TP-Link Discontinued Router - In-the-Wild Exploitation Attempts (https://www.securityweek.com/hackers-fail-to-exploit-flaw-in-discontinued-tp-link-routers/)
Indicators of Compromise:
- IPs: 17.111.110.47, 2.52.0.0, 79.176.0.0, 212.150.0.0
Full brief: https://carolinacleartech.com/brief/2026-04-20/
2026-04-19: A PoC for a critical RCE in protobuf.js is now public
Show Notes - 2026-04-19
Stories Covered:
Today:
- Critical RCE in protobuf.js (GHSA-xq3m-2v4x-88gg) (https://www.bleepingcomputer.com/news/security/critical-flaw-in-protobuf-library-enables-javascript-code-execution/)
- LA County Office of Education Tax Document Theft, Rhysida Breach Connection (https://databreaches.net/2026/04/18/tax-documents-for-school-employees-potentially-stolen-across-los-angeles-county/)
- Blue Cross Blue Shield of Montana Breach Regulatory Investigation Proceeds (https://databreaches.net/2026/04/18/judge-lets-state-auditors-investigation-into-data-breach-affecting-blue-cross-blue-shield-members-move-forward/)
- AgingFly Malware (UAC-0247, Ukraine Campaign) (https://databreaches.net/2026/04/18/ukrainian-emergency-services-and-hospitals-hit-by-espionage-campaign-using-new-agingfly-malware/)
- Tycoon 2FA Phishing Tooling Spreading to Other Kits After Platform Disruption (https://www.securityweek.com/tycoon-2fa-loses-phishing-kit-crown-amid-surge-in-attacks/)
- Cross-Tenant Teams Helpdesk Impersonation to Domain Controller Access (Microsoft Intrusion Playbook) (https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/)
- RubyGems Infrastructure Governance at Risk (https://go.theregister.com/feed/www.theregister.com/2026/04/19/rubygems_nonprofit_in_real_financial/)
- CVE-2026-4786 / CVE-2026-4519 (Command Injection, webbrowser.open()) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4786)
- CVE-2026-5160 (MSRC, minimal detail) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5160)
- CVE-2026-6100 (Python Use-After-Free in Compression Libraries) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6100)
CVEs Referenced: CVE-2026-4519, CVE-2026-4786, CVE-2026-5160, CVE-2026-6100
Full brief: https://carolinacleartech.com/brief/2026-04-19/
2026-04-18: Three Microsoft Defender zero-days are being actively exploited in the wild; BlueHammer
Show Notes - 2026-04-18
Stories Covered:
Today:
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched (https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html)
- Apache ActiveMQ CVE-2026-34197 Added to CISA KEV -- Patch by April 30 (https://go.theregister.com/feed/www.theregister.com/2026/04/17/cisa_tells_feds_to_patch/)
- Payouts King Ransomware Deploys Hidden QEMU VMs to Evade Endpoint Detection (https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/)
- Former Black Basta Affiliates Automating Executive Targeting with 12-Minute Intrusion Window (https://databreaches.net/2026/04/17/are-former-black-basta-affiliates-automating-executive-targeting/)
- Nexcorium Mirai Botnet -- TBK DVR and TP-Link Router Exploitation (https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html)
- Oklahoma Tax Commission Failed to Detect Data Breach for 18 Months
- Tycoon 2FA Phishing Kit Operators Shift to Device Code Phishing (https://www.darkreading.com/threat-intelligence/tycoon-2fa-hackers-device-code-phishing)
- Grinex (Garantex Rebrand) Suffers $13.7M Hack (https://thehackernews.com/2026/04/1374m-hack-shuts-down-sanctioned-grinex.html)
- Windows Server 2025 Cumulative Update Resolves Rogue Upgrades, Introduces DC Boot Loop (https://go.theregister.com/feed/www.theregister.com/2026/04/17/microsoft_windows_server_2025/)
- Microsoft Defender Predictive Shielding Stops Lateral Movement at Domain Compromise (https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/)
- Multiple Chromium/Edge CVEs Patched (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6363)
- FBI Dismantles W3LL Phishing Platform; DPRK IT Worker Facilitators Sentenced (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-16-7/)
- Scattered Spider Member Tyler Buchanan Pleads Guilty (https://databreaches.net/2026/04/17/tyler-robert-buchanan-pleads-guilty-to-one-count-of-conspiracy-to-commit-wire-fraud-and-one-count-of-aggravated-identity-theft/)
- Anthropic Mythos: AI Model with Advanced Vulnerability Discovery Capabilities (https://www.schneier.com/blog/archives/2026/04/mythos-and-cybersecurity.html)
- NIST Cutting Back CVE Enrichment; Industry Filling the Gap (https://www.darkreading.com/threat-intelligence/nist-cutbacks-nvd-handling-impacts-cyber-teams)
- CVE-2026-33825 -- Microsoft Defender Local Privilege Escalation (BlueHammer)
- CVE-2026-34197 -- Apache ActiveMQ Remote Code Execution
- CVE-2026-33032 -- Nginx UI Authentication Bypass (Critical)
- CVE-2025-26399 -- SolarWinds Web Help Desk (CISA-KEV)
- Chromium CVEs (Edge/Chrome)
CVEs Referenced: CVE-2017-17215, CVE-2023-33538, CVE-2024-32114, CVE-2024-3721, CVE-2025-26399, CVE-2025-5777, CVE-2026-33032, CVE-2026-33825, CVE-2026-34197, CVE-2026-6296, CVE-2026-6311, CVE-2026-6313, CVE-2026-6359, CVE-2026-6363, CVE-2026-6364
Full brief: https://carolinacleartech.com/brief/2026-04-18/
2026-04-17: Two unpatched Windows Defender zero-days (RedSun and UnDefend) are now confirmed exploited in
Show Notes - 2026-04-17
Stories Covered:
Today:
- Windows Defender Zero-Days RedSun and UnDefend Actively Exploited in the Wild (CVE-2026-33825) (https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/)
- Apache ActiveMQ CVE-2026-34197 Under Active Exploitation, CISA KEV Deadline April 30 (https://www.bleepingcomputer.com/news/security/cisa-flags-apache-activemq-flaw-as-actively-exploited-in-attacks/)
- CVE-2009-0238: 17-Year-Old Microsoft Excel RCE Added to CISA KEV, Due April 28 (https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html)
- ShinyHunters Claims McGraw Hill Breach via Salesforce Misconfiguration; 13.5M Records Circulating (https://go.theregister.com/feed/www.theregister.com/2026/04/16/mcgraw_hill_salesforce/)
- Rhysida Breach at Cookeville Regional Medical Center Affects 337,000 (https://www.securityweek.com/data-breach-at-tennessee-hospital-affects-337000/)
- P3 Campus School Safety Platform Breached; 8.3M Anonymous Tips Exposed (https://databreaches.net/2026/04/16/p3-advertised-20-years-and-0-security-breaches-you-can-guess-what-happened-next/)
- Sapphire Sleet macOS Campaign (https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/)
- TP-Link EOL Routers Targeted by Mirai-Like Botnet (CVE-2023-33538, CISA KEV) (https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/)
- Cisco Patches Critical Webex and Identity Services Engine Flaws; Webex Requires Customer Action (https://www.bleepingcomputer.com/news/security/cisco-says-critical-webex-services-flaw-requires-customer-action/)
- Anviz Access Control Devices: 12 Unpatched CVEs, Vendor Unresponsive (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03)
- April KB5082063 Causes LSASS Crash Reboot Loops on Domain Controllers in PAM Environments (https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-reboot-loops-affecting-some-domain-controllers/)
- Microsoft Secure Boot Certificate Expiration Requires Attention (https://www.darkreading.com/endpoint-security/microsoftoriginal-windows-secure-boot-certificates-expire)
- AI-Powered Code Reviewers Bypassed via Git Author Spoofing (https://go.theregister.com/feed/www.theregister.com/2026/04/16/git_identity_spoof_claude/)
- AI-Generated Breach Narratives as a Threat Vector (https://cyberscoop.com/ai-generated-breach-narratives-ghost-threat-vector-op-ed/)
- AVEVA Pipeline Simulation CVE-2026-5387 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-04)
- Delta Electronics ASDA-Soft CVE-2026-5726 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-01)
- Horner Automation Cscape/XL4/XL7 PLCs CVE-2026-6284 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02)
- Microsoft MSRC Disclosures
CVEs Referenced: CVE-2009-0238, CVE-2023-33538, CVE-2024-32114, CVE-2025-14821, CVE-2025-64669, CVE-2026-20147, CVE-2026-20180, CVE-2026-20184, CVE-2026-20186, CVE-2026-32316, CVE-2026-32648, CVE-2026-33093, CVE-2026-33825, CVE-2026-33947, CVE-2026-33948, CVE-2026-34197, CVE-2026-35199, CVE-2026-35469, CVE-2026-35682, CVE-2026-39956, CVE-2026-39979, CVE-2026-40164, CVE-2026-40179, CVE-2026-40461, CVE-2026-5387, CVE-2026-5726, CVE-2026-6284
Indicators of Compromise:
- Domains: 137[.]113
Full brief: https://carolinacleartech.com/brief/2026-04-17/
2026-04-16: April Patch Tuesday dropped 169 Microsoft fixes alongside four CISA KEV additions demanding action
Show Notes - 2026-04-16
Stories Covered:
Today:
- Windows Task Host Privilege Escalation Added to CISA KEV (CVE-2025-60710) (https://www.bleepingcomputer.com/news/security/cisa-flags-windows-task-host-vulnerability-as-exploited-in-attacks/)
- 17-Year-Old Excel RCE Under Active Exploitation (CVE-2009-0238, CVSS 9.3) (https://go.theregister.com/feed/www.theregister.com/2026/04/15/excel_exploit/)
- SharePoint Server Spoofing Zero-Day Exploited Before Patch (CVE-2026-32201, CVSS 6.5) (https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html)
- Adobe Acrobat Reader RCE Under Active Exploitation (CVE-2026-34621, CVSS 8.6) (https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html)
- nginx-ui Authentication Bypass Under Active Exploitation (CVE-2026-33032, CVSS 9.8) (https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html)
- Automotive Data Firm Autovista Hit by Ransomware (https://go.theregister.com/feed/www.theregister.com/2026/04/15/automotive_data_biz_autovista_ransomware/)
- TeamPCP Supply Chain Attack: LiteLLM and Checkmarx Compromised (https://www.recordedfuture.com/blog/your-supply-chain-breach-is-someone-else-payday)
- Germany Sees 92% Growth in Ransomware Extortion Victims in 2025 (https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape/)
- AgingFly Malware (UAC-0247 Campaign Against Ukrainian Government and Healthcare) (https://thehackernews.com/2026/04/uac-0247-targets-ukrainian-clinics-and.html)
- Signed Adware Deploying AV-Killing Script at Scale (Dragon Boss Solutions) (https://www.bleepingcomputer.com/news/security/signed-software-abused-to-deploy-antivirus-killing-scripts/)
- n8n Webhook Platform Abused for Phishing and RMM Malware Delivery (https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html)
- 30+ WordPress Plugins Backdoored via EssentialPlugin Acquisition (https://www.bleepingcomputer.com/news/security/wordpress-plugin-suite-hacked-to-push-malware-to-thousands-of-sites/)
- DPRK IT Worker Laptop Farm Operators Sentenced (https://www.bleepingcomputer.com/news/security/us-nationals-behind-north-korean-it-worker-laptop-farm-sent-to-prison/)
- April 2026 Patch Tuesday: 169 Vulnerabilities Including Critical SAP, Adobe, and Fortinet Flaws (https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html)
- April KB5082063 May Trigger BitLocker Recovery or Fail to Install on Server 2025 (https://www.bleepingcomputer.com/news/microsoft/microsoft-some-windows-servers-ask-for-bitlocker-key-after-april-updates/)
- NIST Narrows NVD Analysis Scope Amid CVE Volume Surge (https://cyberscoop.com/nist-narrows-cve-analysis-nvd/)
- MCP Protocol Design Flaw Enables Unauthenticated AI Supply Chain Compromise (https://www.securityweek.com/by-design-flaw-in-mcp-could-enable-widespread-ai-supply-chain-attacks/)
- Windows 11 Recall Database Side Entrance Demonstrated (https://arstechnica.com/gadgets/2026/04/totalrecall-reloaded-tool-finds-a-side-entrance-to-windows-11s-recall-database/)
- Adobe ColdFusion Multiple Critical CVEs (2025 and 2023 Affected) (https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html)
- SAP BPC/BW SQL Injection (CVE-2026-27681, CVSS 9.9) (https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html)
- FortiClient EMS Bug Overdue for Federal Agencies (CVE-2026-35616, CISA KEV) (https://go.theregister.com/feed/www.theregister.com/2026/04/15/critical_fortinet_sandbox_bugs/)
CVEs Referenced: CVE-2009-0238, CVE-2025-60710, CVE-2026-27282, CVE-2026-27304, CVE-2026-27305, CVE-2026-27306, CVE-2026-27681, CVE-2026-27944, CVE-2026-32201, CVE-2026-33032, CVE-2026-34619, CVE-2026-34621, CVE-2026-35616, CVE-2026-39808, CVE-2026-39813
Indicators of Compromise:
- Domains: chromsterabrowser[.]com, worldwidewebframework3[.]com
- IPs: 0.0.0.0
Full brief: https://carolinacleartech.co ...
2026-04-15: Microsoft's April Patch Tuesday is the second-largest in history at 169 CVEs
Show Notes - 2026-04-15
Stories Covered:
Today:
- Microsoft SharePoint Server Spoofing Zero-Day (CVE-2026-32201) (https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html)
- Microsoft Defender Elevation of Privilege "BlueHammer" (CVE-2026-33825) (https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/)
- Windows IKE Extension Critical RCE (CVE-2026-33824) (https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html)
- Adobe Reader/Acrobat Zero-Day Actively Exploited (CVE-2026-34621) (https://krebsonsecurity.com/2026/04/patch-tuesday-april-2026-edition/)
- FortiClient EMS Critical Vulnerability - KEV Deadline Already Passed (CVE-2026-35616) (https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/)
- Google Chrome Zero-Day - KEV Deadline Today (CVE-2026-5281) (https://krebsonsecurity.com/2026/04/patch-tuesday-april-2026-edition/)
- Microsoft Office Legacy RCE Added to CISA KEV (CVE-2009-0238) (https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog)
- Rival Ransomware Gangs 0APT and Krybit in Public Conflict (https://go.theregister.com/feed/www.theregister.com/2026/04/14/0apt_krybit_spat/)
- CPU-Z Watering Hole Attack - Supply Chain Compromise (April 9, 2026) (https://www.sentinelone.com/blog/securing-the-software-supply-chain-how-sentinelones-ai-edr-autonomously-blocked-the-cpu-z-watering-hole-cyber-attack/)
- CPU-Z Official Download Served Malware for 19 Hours (https://www.sentinelone.com/blog/securing-the-software-supply-chain-how-sentinelones-ai-edr-autonomously-blocked-the-cpu-z-watering-hole-cyber-attack/)
- Apache ActiveMQ Classic 13-Year-Old RCE Patched (https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/)
- Cisco IMC Authentication Bypass - Admin Access (https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/)
- ICS Patch Tuesday: 8 Industrial Vendors Release Advisories (https://www.securityweek.com/ics-patch-tuesday-8-industrial-giants-publish-new-security-advisories/)
- April 2026 Patch Tuesday: Critical Windows Components (https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html)
- WSUS Tampering Vulnerability (CVE-2026-26154) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26154)
- Git for Windows NTLM Hash Leak (CVE-2026-32631) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32631)
- UEFI Secure Boot SFB and Cert Rotation (https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5082200-extended-security-update/)
- Windows Ancillary Function Driver (AFD/WinSock) EoP Trio (https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/)
- RDP Phishing Protection Added in Windows 10 Update (https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5082200-extended-security-update/)
- EDR-Killer BYOVD Ecosystem Expanding (https://www.darkreading.com/vulnerabilities-threats/edr-killer-ecosystem-expansion-requires-stronger-byovd-defenses)
- OpenAI Launches GPT-5.4-Cyber for Defenders (https://thehackernews.com/2026/04/openai-launches-gpt-54-cyber-with.html)
- AI Driving Increase in Vulnerability Submissions (https://go.theregister.com/feed/www.theregister.com/2026/04/14/microsofts_massive_patch_tuesday/)
- Additional April 2026 Patch Tuesday Noteworthy CVEs: CVE-2026-20945, CVE-2026-21637, CVE-2026-40175, wolfSSL bundle, zlib CPU consumption (CVE-2026-27171) (https://msrc.microsoft.com/update-guide/)
CVEs Referenced: CVE-2009-0238, CVE-2026-0390, CVE-2026-20945, CVE-2026-21637, CVE-2026-23666, CVE-2026-26151, CVE-2026-26154, CVE-2026-26169, CVE-2026-26173, CVE-2026-26177, CVE-2026-26182, C ...
2026-04-14: CISA added 7 vulnerabilities to the KEV catalog Monday
Show Notes - 2026-04-14
Stories Covered:
Today:
- CISA Adds 7 Known Exploited Vulnerabilities: Microsoft, Fortinet, and Adobe (CVE-2026-21643, CVE-2023-21529, CVE-2023-36424, CVE-2025-60710, CVE-2012-1854, CVE-2020-9715, CVE-2026-34621) (https://go.theregister.com/feed/www.theregister.com/2026/04/13/ransomware_gang_other_crims_attacking/)
- Adobe Acrobat and Reader Zero-Day Exploited Since December 2025 (CVE-2026-34621) (https://www.bleepingcomputer.com/news/security/adobe-rolls-out-emergency-fix-for-acrobat-reader-zero-day-flaw/)
- ShowDoc RCE Flaw Actively Exploited on Unpatched Servers (CVE-2025-0520) (https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html)
- Storm-1175 Exploiting Exchange Server Flaw to Deploy Medusa Ransomware (https://go.theregister.com/feed/www.theregister.com/2026/04/13/ransomware_gang_other_crims_attacking/)
- Interlock Ransomware Exploiting Cisco FMC Zero-Day (CVE-2026-20131) (https://www.recordedfuture.com/blog/march-2026-cve-landscape)
- Silent Ransom Group Hits Law Firms Hard (https://databreaches.net/2026/04/13/a-silent-threat-loud-consequences-ransom-group-hits-law-firms-hard/)
- Spring Lake Park Schools, MN Closed Due to Ransomware (https://databreaches.net/2026/04/13/mn-spring-lake-park-schools-closed-after-suspected-ransomware-attack/)
- Storm Infostealer - Server-Side Browser Credential Decryption (https://www.bleepingcomputer.com/news/security/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side/)
- ShinyHunters Leaks Rockstar Games Data via Anodot Third-Party Breach (https://go.theregister.com/feed/www.theregister.com/2026/04/13/shinyhunters_rockstar_breach/)
- wolfSSL Certificate Forgery Vulnerability Affects Billions of Devices (CVE-2026-5194) (https://www.bleepingcomputer.com/news/security/critical-flaw-in-wolfssl-library-enables-forged-certificate-use/)
- North Korean UNC1069 Compromises Axios npm Package; OpenAI Rotating macOS Certs (https://www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/)
- Anthropic Mythos Model Autonomously Discovers and Exploits Zero-Days (https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html)
- JanelaRAT Banking Trojan Active in Latin America (https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html)
- GNU Binutils Multiple Low-Severity CVEs
- Linux Kernel Network/Netfilter CVEs (CVE-2026-31414 through CVE-2026-31428 series) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1147)
CVEs Referenced: CVE-2012-1854, CVE-2017-7921, CVE-2020-9715, CVE-2023-21529, CVE-2023-36424, CVE-2025-0520, CVE-2025-1147, CVE-2025-1148, CVE-2025-11839, CVE-2025-60710, CVE-2025-69645, CVE-2025-69646, CVE-2025-69649, CVE-2025-69652, CVE-2026-20131, CVE-2026-21643, CVE-2026-31414, CVE-2026-31428, CVE-2026-34621, CVE-2026-5194
Full brief: https://carolinacleartech.com/brief/2026-04-14/
2026-04-13: Active exploitation is underway against CVE-2026-39987
Show Notes - 2026-04-13
Stories Covered:
Today:
- Critical Marimo Pre-Auth RCE Now Under Active Exploitation (CVE-2026-39987) (https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation/)
- Mailbox Rules in O365: Post-Exploitation Tactic in Cloud Account Takeover (https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato)
- Fake Claude Website Distributing PlugX RAT (https://www.securityweek.com/fake-claude-website-distributes-plugx-rat/)
- JanelaRAT Financial Trojan: Updated Infection Chain Targets Banking Credentials (https://securelist.com/janelarat-financial-threat-in-latin-america/119332/)
- OpenAI Revokes macOS App Certificate After Axios Supply Chain Incident (https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html)
- Gmail End-to-End Encryption Extended to Android and iOS for Enterprise Users (https://www.securityweek.com/gmail-brings-end-to-end-encryption-to-android-and-ios-for-enterprise-users/)
- France's DINUM Migrates from Windows to Linux in Sovereignty Push (https://go.theregister.com/feed/www.theregister.com/2026/04/13/france_tech_sovereignty_plan/)
- Anthropic's Mythos AI Model Targets Zero-Day Discovery (https://go.theregister.com/feed/www.theregister.com/2026/04/12/anthropic_mythos_kettle_podcast/)
- CVE-2026-39987 - Marimo Unauthenticated Remote Code Execution (https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation/)
CVEs Referenced: CVE-2026-39987
Indicators of Compromise:
- IPs: 0.0.0.0
Full brief: https://carolinacleartech.com/brief/2026-04-13/
2026-04-12: Adobe Acrobat Reader is under active exploitation via CVE-2026-34621 (CVSS 8.6)
Show Notes - 2026-04-12
Stories Covered:
Today:
- Adobe Acrobat Reader Zero-Day Actively Exploited (CVE-2026-34621) (https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html)
- Anubis Ransomware Continues Brockton Hospital Disruption (https://databreaches.net/2026/04/11/brockton-hospital-still-dealing-with-aftermath-of-ransomware-attack/)
- STX RAT from CPUID Watering Hole Attack (https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html)
- CPUID.com Watering Hole Serves STX RAT via CPU-Z and HWMonitor Trojanization (https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html)
- March Supply Chain Attacks on Trivy and Axios Still Playing Out (https://go.theregister.com/feed/www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/)
- Operation Atlantic: 20,000 Crypto Fraud Victims Identified, $12M Frozen (https://www.bleepingcomputer.com/news/security/police-identifies-20-000-victims-in-international-crypto-fraud-crackdown/)
- CVE-2026-34621 - Adobe Acrobat Reader (Critical, CVSS 8.6) (https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html)
- CVE-2026-39853, CVE-2026-39855, CVE-2026-39856 - osslsigncode (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39853)
- CVE-2026-34757 - LIBPNG Use-After-Free (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34757)
- CVE-2026-35206 - Helm Chart Path Traversal (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35206)
CVEs Referenced: CVE-2026-34621, CVE-2026-34757, CVE-2026-35206, CVE-2026-39853, CVE-2026-39855, CVE-2026-39856
Indicators of Compromise:
- Domains: web[.]id, r2[.]dev, transitopalermo[.]com, vatrobran[.]hr
Full brief: https://carolinacleartech.com/brief/2026-04-12/
2026-04-11: Marimo, the open-source Python notebook platform, has a CVSS 9.3 unauthenticated RCE flaw
Show Notes - 2026-04-11
Stories Covered:
Today:
- Marimo Python Notebook RCE Exploited in the Wild (CVE-2026-39987) (https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html)
- CPUID Supply Chain Attack: Trojanized CPU-Z and HWMonitor Downloads (https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/)
- Stryker Cyberattack; Jones Day and China Supercomputer Hack Roundup (https://www.securityweek.com/in-other-news-cyberattack-stings-stryker-windows-zero-day-china-supercomputer-hack/)
- FCC Foreign Router Ban Creates Security Paradox (https://go.theregister.com/feed/www.theregister.com/2026/04/10/gea_fcc_routers/)
- Silent Ransom Group Leaks Orrick Law Firm Data After Negotiation Failure (https://databreaches.net/2026/04/10/silent-ransom-group-leaked-another-big-law-firm-orrick-herrington-sutcliffe/)
- Azure Arc Elevation of Privilege (CVE-2026-24302) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24302)
- Chrome/Edge Security Update: 13 Chromium CVEs (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5871)
- Windows Zero-Day (Unspecified) (https://www.securityweek.com/in-other-news-cyberattack-stings-stryker-windows-zero-day-china-supercomputer-hack/)
- CISA KEV Analysis: 1 Billion Remediation Records Show Human-Scale Security Is Broken (https://www.bleepingcomputer.com/news/security/analysis-of-one-billion-cisa-kev-remediation-records-exposes-limits-of-human-scale-security/)
- Anthropic Mythos AI: Exploit-Writing Model and Project Glasswing (https://go.theregister.com/feed/www.theregister.com/2026/04/10/project_glasswing/)
- Lotte Card: $3M Penalty and Business Suspension Over Data Breach (https://databreaches.net/2026/04/09/lotte-card-given-notice-of-3m-penalty-business-suspension-over-massive-data-breach/)
- Go Runtime and Standard Library (Multiple CVEs) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-28810)
- OpenTelemetry-Go (CVE-2026-29181, CVE-2026-39882) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-29181)
- libcap TOCTOU Privilege Escalation (CVE-2026-4878) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4878)
- Go archive/tar Unbounded Allocation (CVE-2026-32288) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32288)
CVEs Referenced: CVE-2026-24302, CVE-2026-27143, CVE-2026-27144, CVE-2026-28810, CVE-2026-29181, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32288, CVE-2026-33119, CVE-2026-33810, CVE-2026-39882, CVE-2026-39987, CVE-2026-4878, CVE-2026-5869, CVE-2026-5871, CVE-2026-5883, CVE-2026-5886, CVE-2026-5888, CVE-2026-5889, CVE-2026-5893
Full brief: https://carolinacleartech.com/brief/2026-04-11/
2026-04-10: An unpatched Adobe Reader zero-day has been actively exploited in the wild since at least November
Show Notes - 2026-04-10
Stories Covered:
Today:
- Adobe Reader Zero-Day (No CVE, No Patch) - Active Exploitation Since November 2025 (https://go.theregister.com/feed/www.theregister.com/2026/04/09/monthsold_adobe_reader_zeroday_uses/)
- Apache ActiveMQ Classic Chained RCE (CVE-2026-34197 / CVE-2024-32114 / CVE-2022-41678) (https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html)
- BlueHammer Windows Zero-Day - Local Privilege Escalation PoC Released (https://www.darkreading.com/vulnerabilities-threats/bluehammer-windows-exploit-microsoft-bug-disclosure-issues)
- ChipSoft Healthcare EHR Provider Hit by Ransomware (https://www.bleepingcomputer.com/news/security/healthcare-it-solutions-provider-chipsoft-hit-by-ransomware-attack/)
- FBI 2025 IC3 Report: $20.87B in Internet Crime Losses, 63 New Ransomware Variants (https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html)
- Phorpiex/Twizt Botnet - Hybrid P2P C2, ~125K Daily Infections (https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html)
- Adobe Reader Zero-Day C2
- Storm-2755 AiTM Phishing Infrastructure
- Formbook Delivery Chain (SANS ISC, April 9) (https://isc.sans.edu/diary/rss/32884)
- Storm-2755 "Payroll Pirate" - AiTM Attacks on Canadian M365 Accounts (https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/)
- ICS Advisory: GPL Odorizers GPL750 - Unauthenticated Modbus Register Manipulation (CVE-2026-4436) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-02)
- ICS Advisory: Contemporary Controls BASC 20T - End-of-Life BACnet Controller (CVE-2025-13926) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01)
- Microsoft Locks Out VeraCrypt and WireGuard Developers - Kernel Driver Signing Risk (https://go.theregister.com/feed/www.theregister.com/2026/04/09/microsoft_dev_account_deactivations/)
- M365 Copilot Information Disclosure Update (CVE-2026-26133) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133)
- UAT-10362 Deploys LucidRook Malware Against Taiwanese NGOs (https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html)
- EngageLab Android SDK - Intent Redirection Flaw Exposed 50M+ Users (CVE Fixed in v5.2.1) (https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html)
- Apache ActiveMQ Classic - CVE-2026-34197 (CVSS 8.8)
- Linux AppArmor Kernel CVEs - CVE-2026-23403 through CVE-2026-23411
- Sleuth Kit CVEs - CVE-2026-40024 (Path Traversal), CVE-2026-40025, CVE-2026-40026 (OOB Read)
- Vim Ex Command Injection - CVE-2026-39881
- Microsoft Edge Android Spoofing - CVE-2026-0385
CVEs Referenced: CVE-2022-41678, CVE-2024-32114, CVE-2025-13926, CVE-2025-27152, CVE-2026-0385, CVE-2026-23403, CVE-2026-23411, CVE-2026-26133, CVE-2026-34197, CVE-2026-39881, CVE-2026-40024, CVE-2026-40025, CVE-2026-40026, CVE-2026-4436
Indicators of Compromise:
- Domains: 2[.]68, bluegraintours[.]com
- Hashes: a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285, 53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b
Full brief: https://carolinacleartech.com/brief/2026-04-10/
2026-04-09: Ivanti EPMM has an actively exploited code injection flaw (CVE-2026-1340) with a CISA KEV deadline
Show Notes - 2026-04-09
Stories Covered:
- Today:
  - CVE-2026-1340: Ivanti EPMM Code Injection (CISA KEV, Due 2026-04-11) (https://www.cisa.gov/news-events/alerts/2026/04/08/cisa-adds-one-known-exploited-vulnerability-catalog)
  - Adobe Reader Zero-Day Exploited Since December (No Patch Available) (https://www.bleepingcomputer.com/news/security/hackers-exploiting-acrobat-reader-zero-day-flaw-since-december/)
  - CVE-2026-33634: Trivy Supply Chain / TeamPCP Campaign (CISA KEV Due Today) (https://isc.sans.edu/diary/rss/32880)
  - ChipSoft Ransomware Attack Knocks Dutch Healthcare Software Vendor Offline (https://go.theregister.com/feed/www.theregister.com/2026/04/08/chipsoft_ransomware/)
  - Iran-Linked Pay2Key Targets US Healthcare with Destructive Ransomware (https://go.theregister.com/feed/www.theregister.com/2026/04/08/cynthia_kaiser_interview/)
  - FBI: US Cybercrime Losses Hit $21 Billion in 2025 (https://www.securityweek.com/fbi-cybercrime-losses-neared-21-billion-in-2025/)
  - APT28 PRISMEX Campaign
  - Adobe Reader Zero-Day
  - APT28 Router DNS Hijacking
  - TeamPCP/UNC6780: Cisco Breached, 300+ Repos and AWS Keys Stolen (https://isc.sans.edu/diary/rss/32880)
  - APT28 Exploiting SOHO Routers for DNS Hijacking and AitM Attacks (https://databreaches.net/2026/04/08/russians-hijacking-routers-for-cyber-spying/)
  - AWS Bedrock AgentCore Default IAM Roles Enable Cross-Agent Privilege Escalation (https://unit42.paloaltonetworks.com/exploit-of-aws-agentcore-iam-god-mode/)
  - APT28 PRISMEX Malware Exploits Patched CVEs in Active LNK Attack Chain (https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html)
  - Password Cracking Benchmarks: NTLM Still Falls Quickly, Length is the Only Reliable Defense (https://www.bleepingcomputer.com/news/security/is-a-30-000-gpu-good-at-password-cracking/)
  - LAPD Internal Documents Stolen and Publicly Leaked (https://databreaches.net/2026/04/08/hackers-steal-and-leak-sensitive-lapd-police-documents/)
  - Iowa AG Sues Change Healthcare Over 2024 Breach (https://databreaches.net/2026/04/08/iowa-ag-files-lawsuit-against-change-healthcare-over-2024-data-breach/)
  - Cyber Insurance War Exclusion Clauses Remain Untested Under Current Geopolitical Conditions (https://databreaches.net/2026/04/08/act-of-war-clauses-cloud-cyber-insurance-coverage/)
  - CVE-2026-34197: Apache ActiveMQ Classic RCE (13-Year-Old Bug) (https://www.bleepingcomputer.com/news/security/13-year-old-bug-in-activemq-lets-hackers-remotely-execute-commands/)
- MSRC Disclosures (Low Priority):
CVEs Referenced: CVE-2016-3088, CVE-2023-46604, CVE-2023-50224, CVE-2024-32114, CVE-2026-1340, CVE-2026-21509, CVE-2026-21513, CVE-2026-28387, CVE-2026-28388, CVE-2026-31789, CVE-2026-31790, CVE-2026-33634, CVE-2026-34197, CVE-2026-34445, CVE-2026-34446, CVE-2026-34933, CVE-2026-35093, CVE-2026-39314, CVE-2026-39316
Indicators of Compromise:
  Domains: wellnesscaremed[.]com
Full brief: https://carolinacleartech.com/brief/2026-04-09/
2026-04-08: A security researcher publicly dropped working exploit code for an unpatched Windows zero-day
Show Notes - 2026-04-08
Stories Covered:
- Today:
  - BlueHammer: Unpatched Windows Zero-Day Exploit Published on GitHub (https://databreaches.net/2026/04/07/1-billion-microsoft-users-warned-as-angry-hacker-drops-0-day-exploit/)
  - Flowise CVE-2025-59528 / CVE-2025-8943 / CVE-2025-26319: Three RCE Flaws Under Active Exploitation (https://www.bleepingcomputer.com/news/security/max-severity-flowise-rce-vulnerability-now-exploited-in-attacks/)
  - APT28 FrostArmada: SOHO Router DNS Hijacking Campaign Disrupted (CVE-2023-50224) (https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/)
  - Iranian Actors Exploiting Internet-Exposed PLCs Across U.S. Critical Infrastructure (CVE-2021-22681) (https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a)
  - NightSpire Ransomware: IOC Variability and Defender Implications (https://www.huntress.com/blog/nightspire-ransomware)
  - Storm-1175 Operating Medusa Ransomware at High Velocity (https://www.securityweek.com/medusa-ransomware-fast-to-exploit-vulnerabilities-breached-systems/)
  - Web Shell Scanning Activity from Azure IP Space (https://isc.sans.edu/diary/rss/32874)
  - Microsoft Device Code Phishing (EvilTokens Kit): Hundreds of Orgs Compromised Daily (https://go.theregister.com/feed/www.theregister.com/2026/04/07/microsoft_device_code_phishing/)
  - Snowflake Customers Hit in Data Theft After SaaS Integrator Breach (https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/)
  - Ninja Forms File Upload WordPress Plugin CVE-2026-0740: Critical RCE Under Active Exploitation (https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-flaw-in-ninja-forms-wordpress-plugin/)
  - Docker Engine CVE-2026-34040: AuthZ Bypass Grants Host File System Access (https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html)
  - ComfyUI Cryptomining Botnet Targeting 1,000+ Exposed Instances (https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html)
  - AWS AgentCore Sandbox Bypass via DNS Tunneling (https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/)
  - BlueHammer Unpatched Windows Zero-Day
  - APT28 Targeting Microsoft Outlook on the Web via DNS Hijacking (https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/)
  - Anthropic Claude Mythos and Project Glasswing: AI-Powered Vulnerability Discovery at Scale (https://go.theregister.com/feed/www.theregister.com/2026/04/07/anthropic_all_your_zerodays_are_belong_to_us/)
  - FBI IC3 Report: Americans Lost $21 Billion to Cybercrime in 2025 (https://www.bleepingcomputer.com/news/security/fbi-americans-lost-a-record-21-billion-to-cybercrime-last-year/)
  - Mitsubishi Electric GENESIS64/ICONICS Suite: SQL Credentials in Plaintext (CVE-2025-14815) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01)
  - CVE-2025-59528 / CVE-2025-8943 / CVE-2025-26319 - Flowise
  - CVE-2026-0740 - Ninja Forms File Upload (WordPress)
  - CVE-2026-34040 - Docker Engine
  - CVE-2025-14815 / CVE-2025-14816 - Mitsubishi Electric GENESIS64/ICONICS Suite
  - CVE-2021-22681 - Rockwell Automation Logix Controllers
  - CVE-2023-50224 - TP-Link Router
  - CVE-2026-34982 - Vim Modeline Bypass
  - CVE-2026-35177 - Vim zip.vim Path Traversal
CVEs Referenced: CVE-2021-22681, CVE-2023-50224, CVE-2024-41110, CVE-2025-14815, CVE-2025-14816, CVE-2025-26319, CVE-2025-59528, CVE-2025-8943, CVE-2026-0740, CVE-2026-34040, CVE-2026-34982, CVE-2026-35177
Indicators of Compromise:
  IPs: 20.48.232.178, 20.215.65.23, 51.12.84.116, 51.103.130.249
Full brief: https://carolinacleartech.com/brief/2026-04-08/
2026-04-07: Storm-1175, a China-linked ransomware affiliate, is actively exploiting zero-days and chaining
Show Notes - 2026-04-07
Stories Covered:
- Today:
  - Storm-1175 Exploits Zero-Days to Deploy Medusa Ransomware Within 24 Hours (https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html)
  - FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited; Federal Deadline April 9 (https://go.theregister.com/feed/www.theregister.com/2026/04/06/forticlient_ems_bug_exploited/)
  - BlueHammer Windows LPE Zero-Day Leaked with No Patch Available (https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/)
- Notable:
  - Germany Identifies REvil and GandCrab Leaders (https://www.bleepingcomputer.com/news/security/german-authorities-identify-revil-and-gangcrab-ransomware-bosses/)
  - Qilin and Warlock Use BYOVD to Kill 300+ EDR Tools (https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html)
  - Jones Day Law Firm Confirms Limited Breach by Silent Ransom Group (https://databreaches.net/2026/04/06/jones-day-confirms-limited-breach-after-phishing-attack-by-silent-ransom-group/)
  - Iran Revives Pay2Key Ransomware; M365 Password-Spraying Campaign Targets 300+ Organizations (https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html)
  - Gritman Medical Center Recovers from Cyber Incident (https://databreaches.net/2026/04/06/moscow-idaho-clinics-reopen-after-gritman-cyber-incident/)
- BYOVD Drivers (Qilin / Warlock):
- Qilin Post-Compromise Tools:
- Warlock Post-Compromise Tools:
- Flowise AI Agent Builder Under Active CVSS 10.0 Exploitation; 12,000+ Exposed Instances (https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html)
- AI-Enabled Device Code Phishing Campaign (EvilToken PhaaS) (https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/)
- Axios npm Package Compromised by North Korean Threat Actor (WAVESHAPER.V2) (https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html)
- Chrome Zero-Day CVE-2026-5281 Under Active Exploitation (CISA KEV Due April 15) (https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html)
- TrueConf Zero-Day CVE-2026-3502 Exploited Against Government Targets (https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html)
- GPUBreach: RowHammer Attacks Enable Full CPU Privilege Escalation via GDDR6 Bit-Flips (https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html)
- New Mexico Court Ruling Against Meta Has Encryption Implications (https://www.schneier.com/blog/archives/2026/04/new-mexicos-meta-ruling-and-encryption.html)
- Microsoft Security Update Guide - New CVEs Published:
CVEs Referenced: CVE-2023-46805, CVE-2024-1709, CVE-2024-21887, CVE-2024-27198, CVE-2024-57727, CVE-2025-10035, CVE-2025-26319, CVE-2025-52691, CVE-2025-59528, CVE-2025-8943, CVE-2026-1731, CVE-2026-21643, CVE-2026-23760, CVE-2026-31407, CVE-2026-31408, CVE-2026-31410, CVE-2026-3184, CVE-2026-34591, CVE-2026-34743, CVE-2026-3502, CVE-2026-35616, CVE-2026-5281
Full brief: https://carolinacleartech.com/brief/2026-04-07/
2026-04-06: FortiClient EMS has a zero-day under active exploitation with emergency hotfixes now available
Show Notes - 2026-04-06
Stories Covered:
- Today:
  - FortiClient EMS Zero-Day Actively Exploited (CVE-2026-35616, CVE-2026-21643) (https://www.bleepingcomputer.com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/)
  - React2Shell / Next.js Mass Credential Harvesting Campaign (CVE-2025-55182) (https://www.bleepingcomputer.com/news/security/hackers-exploit-react2shell-in-automated-credential-theft-campaign/)
  - Germany's BKA Unmasks REvil and GandCrab Leadership (https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html)
  - Ransom Payments and Data Deletion: What the Evidence Shows (https://databreaches.net/2026/04/05/how-often-do-threat-actors-default-on-promises-to-delete-data/)
  - UAT-10608 NEXUS Listener Infrastructure (CVE-2025-55182 Campaign) (https://www.bleepingcomputer.com/news/security/hackers-exploit-react2shell-in-automated-credential-theft-campaign/)
  - Traffic Violation QR Code Phishing Campaign Hits Multiple US States (https://www.bleepingcomputer.com/news/security/traffic-violation-scams-switch-to-qr-codes-in-new-phishing-texts/)
  - Open Redirects Remain Heavily Abused in Phishing (21% of Campaigns) (https://isc.sans.edu/diary/rss/32870)
  - CBP Facility Security Codes Potentially Exposed via Public Quizlet Flashcards (https://arstechnica.com/security/2026/04/cbp-facility-codes-sure-seem-to-have-leaked-via-online-flashcards/)
  - DPRK UNC4736 Behind $285M Drift Crypto Theft via Six-Month Social Engineering Operation (https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html)
  - Cambodia Passes Law Imposing Life Sentences for Scam Compound Operators (https://news.risky.biz/risky-bulletin-new-cambodian-law-will-put-scam-compound-operators-in-prison-for-life/)
  - Trellix "Dark Web Roast" Advocates for De-Glamorizing Threat Actors (https://go.theregister.com/feed/www.theregister.com/2026/04/05/trellix_john_fokker_roasting_crims/)
  - CVE-2026-35616 - FortiClient EMS Improper Access Control (Critical)
  - CVE-2026-21643 - FortiClient EMS (Critical, Prior Week)
  - CVE-2025-55182 - React2Shell in Next.js (Critical)
  - CVE-2026-20045 - Cisco RCE (High)
CVEs Referenced: CVE-2025-55182, CVE-2026-20045, CVE-2026-21643, CVE-2026-35616
Indicators of Compromise:
  Domains: gov-skd[.]org, ofkhv[.]life
Full brief: https://carolinacleartech.com/brief/2026-04-06/
2026-04-05: Two critical FortiClient EMS vulnerabilities (CVE-2026-35616 and CVE-2026-21643
Show Notes - 2026-04-05
Stories Covered:
- Today:
  - Fortinet FortiClient EMS Actively Exploited Zero-Day (CVE-2026-35616, CVE-2026-21643) (https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html)
  - North Korean Supply Chain Attack on Axios npm Package (UNC1069 / WAVESHAPER.V2) (https://www.bleepingcomputer.com/news/security/axios-npm-hack-used-fake-teams-error-fix-to-hijack-maintainer-account/)
  - Cyberattack Disrupts Public Safety Communications Across Four Massachusetts Towns (https://databreaches.net/2026/04/04/serious-cyberattack-impacts-phones-public-safety-systems-in-several-massachusetts-towns/)
  - UK Education Authority Hit Ahead of Exam Season (https://databreaches.net/2026/04/04/uk-school-it-system-targeted-in-cyber-attack-ahead-of-exam-season/)
  - Claude Code Source Leak Weaponized to Deliver Vidar Infostealer via Fake GitHub Repos (https://databreaches.net/2026/04/04/claude-code-leak-used-to-push-infostealer-malware-on-github/)
  - 36 Malicious npm Packages Deploying Persistent Implants (Strapi Plugin Campaign) (https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html)
  - Device Code Phishing Surges 37x; 11 PhaaS Kits Now Commoditizing the Attack (https://www.bleepingcomputer.com/news/security/device-code-phishing-attacks-surge-37x-as-new-kits-spread-online/)
  - European Commission Loses 300GB via Trivy Supply Chain Attack (https://www.securityweek.com/european-commission-confirms-data-breach-linked-to-trivy-supply-chain-attack/)
  - Meta Suspends AI Data Contractor Mercor After Breach Exposes Training Data Secrets (https://databreaches.net/2026/04/04/meta-pauses-work-with-mercor-after-data-breach-puts-ai-industry-secrets-at-risk/)
  - LinkedIn Confirmed to Fingerprint 6,236 Browser Extensions and Collect Device Data (https://www.bleepingcomputer.com/news/security/linkedin-secretly-scans-for-6-000-plus-chrome-extensions-collects-data/)
  - Auger & Auger Law Firm Breach: 5,102 Affected After 25-Minute Intrusion (https://databreaches.net/2026/04/04/the-breach-lasted-25-minutes-how-long-will-the-litigation-last/)
  - Hong Kong Hospital Authority: 56,000 Patient Records Leaked via Third-Party Platform (https://databreaches.net/2026/04/04/hong-kong-hospital-authority-apologises-for-data-breach-involving-56000-patients/)
  - OpenPrinting CUPS: Five New CVEs (CVE-2026-34978, CVE-2026-27447, CVE-2026-34979, CVE-2026-34980, CVE-2026-34990) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34978)
  - Linux Kernel CVEs: Six New MSRC Advisories (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23473)
  - util-linux TOCTOU Race in mount(8) Loop Device Setup (CVE-2026-27456) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27456)
CVEs Referenced: CVE-2026-21643, CVE-2026-23442, CVE-2026-23444, CVE-2026-23468, CVE-2026-23472, CVE-2026-23473, CVE-2026-27447, CVE-2026-27456, CVE-2026-31394, CVE-2026-34978, CVE-2026-34979, CVE-2026-34980, CVE-2026-34990, CVE-2026-35616
Full brief: https://carolinacleartech.com/brief/2026-04-05/
2026-04-04: The TeamPCP supply chain campaign reached its highest-profile disclosure yet: CERT-EU confirmed the
Show Notes - 2026-04-04
Stories Covered:
- Today:
  - TeamPCP Supply Chain / European Commission Cloud Breach (CVE-2026-33634) (https://isc.sans.edu/diary/rss/32864)
  - Axios npm Supply Chain Attack - UNC1069 (North Korea) (https://blog.talosintelligence.com/axois-npm-supply-chain-incident/)
  - Critical ShareFile Flaws - Unauthenticated RCE (https://www.securityweek.com/critical-sharefile-flaws-lead-to-unauthenticated-rce/)
- bqtlock - Metro Hospital USA (2026-04-03):
- Qilin Claims Die Linke Political Party Breach (https://www.bleepingcomputer.com/news/security/die-linke-german-political-party-confirms-data-stolen-by-qilin-ransomware/)
- Hasbro Cyberattack - SEC Disclosure, Weeks-Long Recovery (https://databreaches.net/2026/04/03/toymaker-hasbro-says-it-may-take-weeks-to-recover-from-cyberattack/)
- BakerHostetler 2026 Report: Extortion Economics Have Shifted (https://databreaches.net/2026/04/03/bakerhostetlers-2026-report-findings-from-1250-clients-breach-experiences-in-2025/)
- Axios WAVESHAPER.V2 / UNC1069 - Confidence: High (Talos confirmed) (https://blog.talosintelligence.com/axois-npm-supply-chain-incident/)
- Cookie-Controlled PHP Web Shells with Cron-Based Self-Healing Persistence (https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html)
- Hims & Hers Data Breach - Zendesk via Okta SSO Pivot (https://www.bleepingcomputer.com/news/security/hims-and-hers-warns-of-data-breach-after-zendesk-support-ticket-breach/)
- Nacogdoches Memorial Hospital - 257,073 Patients Notified (https://databreaches.net/2026/04/03/nacogdoches-memorial-hospital-notifies-257073-after-january-data-breach/)
- TA416 (China) - Entra ID OAuth Abuse + PlugX Targeting European Government/NATO Entities (https://thehackernews.com/2026/04/china-linked-ta416-targets-european.html)
- TrueConf Zero-Day Exploited in Asian Government Attacks (https://www.securityweek.com/trueconf-zero-day-exploited-in-asian-government-attacks/)
- CISA FY2027 Budget: $707M Cut Proposed (https://go.theregister.com/feed/www.theregister.com/2026/04/03/trump_cisa_budget/)
- North Korea - 18th Crypto Exploit of 2026, $285M from Drift Protocol (https://databreaches.net/2026/04/03/285-million-drift-protocol-exploit-shows-signs-of-north-korea-linked-hackers/)
- Infiniti Stealer - macOS ClickFix Distribution Campaign (https://databreaches.net/2026/04/03/everything-you-need-to-know-about-the-malware-stealing-data-from-mac-users/)
- CVE-2026-33634 - Trivy (Supply Chain RCE)
- CVE-2026-5281 - (CISA KEV, deadline 2026-04-15)
- Citrix ShareFile - Unauthenticated RCE (CVE pending)
- Apple iOS 18 - DarkSword Backport
CVEs Referenced: CVE-2026-33634, CVE-2026-5281
Indicators of Compromise:
  Domains: 142[.]11, 206[.]73., 206[.]73, Sfrclak[.]com
  Hashes: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09, fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf, 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101, 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a, ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
Full brief: https://carolinacleartech.com/brief/2026-04-04/
2026-04-03: CISA added TrueConf Client (CVE-2026-3502) to the Known Exploited Vulnerabilities catalog with an
Show Notes - 2026-04-03
Stories Covered:
- Today:
  - CVE-2026-3502 -- TrueConf Client Code Integrity Check Bypass (CISA KEV, Deadline April 16) (https://www.cisa.gov/news-events/alerts/2026/04/02/cisa-adds-one-known-exploited-vulnerability-catalog)
  - CVE-2025-55182 -- Next.js React Server Components RCE (CVSS 10.0, CISA KEV, 766 Hosts Compromised) (https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html)
  - CVE-2025-30208 -- Vite Dev Server Filesystem Access Bypass (EPSS 100th Percentile, Active Scanning) (https://isc.sans.edu/diary/rss/32860)
  - Akira Ransomware: Sub-Hour Encryption, $245M in Ransom Payments (https://cyberscoop.com/akira-ransomware-initial-access-to-encryption-in-hours/)
  - Qilin Ransomware Deploys EDR Killer Capable of Terminating 300+ EDR Drivers (https://blog.talosintelligence.com/qilin-edr-killer/)
  - Hasbro Cyberattack: Unauthorized Access, Systems Taken Offline, Weeks to Remediate (https://www.darkreading.com/cyberattacks-data-breaches/toying-around-hasbro-attack-remediate)
  - WAVESHAPER.V2 -- Axios npm Supply Chain Attack (North Korea UNC1069/Sapphire Sleet) (https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/)
  - North Korean State Actor Backdoors Axios npm Package (600,000 Downloads, 3-Hour Window) (https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/)
  - AI Democratizes Business Email Compromise: SMBs Now Primary Targets (https://blog.talosintelligence.com/the-democratisation-of-business-email-compromise-fraud/)
  - BRICKSTORM Malware Targets VMware vSphere Below the EDR Layer (https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/)
  - Cookie-Controlled PHP Webshells Evading Detection on Linux Hosting Environments (https://www.microsoft.com/en-us/security/blog/2026/04/02/cookie-controlled-php-webshells-tradecraft-linux-hosting-environments/)
  - Mercor Breached via LiteLLM Supply Chain Attack; Lapsus$ Claims 4TB Theft (https://www.securityweek.com/mercor-hit-by-litellm-supply-chain-attack/)
  - Windows 11 25H2 Force Upgrade Begins; Out-of-Band Patches for RRAS and Bluetooth (https://www.bleepingcomputer.com/news/microsoft/microsoft-now-force-upgrades-unmanaged-windows-11-24h2-pcs/)
  - Azure Patches: AI Foundry EoP, Custom Locations SSRF, and SRE Agent Info Disclosure (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32213)
  - Chromium/Edge: Five CVEs Patched (CVE-2026-5289, 5283, 5279, 5277, 5276) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5289)
  - Former IT Admin Pleads Guilty to Domain Controller Extortion; 3,284 Workstations Affected (https://www.bleepingcomputer.com/news/security/man-admits-to-extortion-plot-locking-coworkers-out-of-thousands-of-windows-devices/)
  - Cisco Source Code Stolen via Malicious GitHub Action, Extortion Underway (https://news.risky.biz/risky-bulletin-russia-will-revoke-licenses-for-unruly-isps/)
  - US Executive Order Bans Import of Foreign-Made Consumer Routers (https://www.schneier.com/blog/archives/2026/04/us-bans-all-foreign-made-consumer-routers.html)
  - Cisco IMC and SSM On-Prem Critical Authentication Bypass and RCE (CVE-2026-20093, CVE-2026-20160) (https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html)
  - Siemens SICAM 8 ICS Products -- Denial of Service (CVE-2026-27663, CVE-2026-27664) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-01)
  - Hitachi Energy Ellipse -- RCE via Java Deserialization in Jasper Report (CVE-2025-10492) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-03)
  - Yokogawa CENTUM VP -- Hardcoded Password for PROG Account (CVE-2025-7741) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02)
  - CVE-2026-34073 -- Python Cryptography Library: Incomplete DNS Name Constraint Enfor ...
2026-04-02: Chrome's fourth actively exploited zero-day of 2026 (CVE-2026-5281) landed with a CISA KEV deadline
Show Notes - 2026-04-02
Stories Covered:
- Today:
  - Chrome Zero-Day CVE-2026-5281 - Fourth Actively Exploited Bug of 2026 (https://thehackernews.com/2026/04/new-chrome-zero-day-cve-2026-5281-under.html)
  - Apple iOS 18.7.7 - DarkSword Exploit Kit Patches, CISA Deadline April 3 (https://www.bleepingcomputer.com/news/security/apple-expands-ios-18-updates-to-more-iphones-to-block-darksword-attacks/)
  - TrueConf CVE-2026-3502 - Zero-Day Exploited by Chinese-Nexus Actor in Government Campaign (https://www.bleepingcomputer.com/news/security/hackers-exploit-trueconf-zero-day-to-push-malicious-software-updates/)
  - Qilin Ransomware - 2025 Year in Review and 2026 Outlook (https://blog.talosintelligence.com/an-overview-of-ransomware-threats-in-japan-in-2025-and-early-detection-insights-from-qilin-cases/)
  - TrueChaos Campaign (Chinese-Nexus, TrueConf exploitation)
  - Axios Supply Chain / Sapphire Sleet (DPRK)
  - AGEWHEEZE RAT (UAC-0255 / Cyber Serp)
  - ADS Removal / DonutLoader Dropper (SANS ISC)
  - Axios npm Supply Chain Attack - Sapphire Sleet (DPRK), 70M+ Weekly Downloads Affected (https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/)
  - TeamPCP / LiteLLM Supply Chain - First Confirmed Victim, Active Cloud Credential Exploitation (https://isc.sans.edu/diary/rss/32856)
  - F5 BIG-IP APM - 14,000+ Instances Still Exposed to Critical RCE (https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/)
  - EvilTokens - New Service Commoditizing Microsoft Device Code Phishing (https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels-microsoft-device-code-phishing-attacks/)
  - Classic Outlook Email Delivery Failures - Known Issue Under Investigation (https://www.bleepingcomputer.com/news/microsoft/microsoft-links-classic-outlook-bug-to-email-delivery-issues/)
  - CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT to 1M Emails (https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html)
  - Casbaneiro Banking Trojan Targeting Spanish-Speaking Organizations via Horabot (https://thehackernews.com/2026/04/casbaneiro-phishing-targets-latin.html)
  - Talos 2025 Year in Review - Key Defender Takeaways (https://blog.talosintelligence.com/inside-the-talos-2025-year-in-review-a-discussion-on-what-the-data-means-for-defenders/)
  - CVE-2026-5121, CVE-2026-2436, CVE-2026-5119, CVE-2026-33216, CVE-2026-29785, CVE-2026-4897, CVE-2026-2739, CVE-2026-5107, CVE-2026-5201 (https://msrc.microsoft.com/update-guide/)
CVEs Referenced: CVE-2025-14174, CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2026-20700, CVE-2026-2436, CVE-2026-2441, CVE-2026-2739, CVE-2026-29785, CVE-2026-33216, CVE-2026-3502, CVE-2026-3909, CVE-2026-3910, CVE-2026-4897, CVE-2026-5107, CVE-2026-5119, CVE-2026-5121, CVE-2026-5201, CVE-2026-5281
Indicators of Compromise:
  Domains: sfrclak[.]com, npm[.]org, 237[.]92, cert-ua[.]tech
Full brief: https://carolinacleartech.com/brief/2026-04-02/
2026-04-01: Three converging supply chain attacks are dominating today's threat landscape
Show Notes - 2026-04-01
Stories Covered:
- Today:
  - TeamPCP Multi-Stage Supply Chain Attack on Security Infrastructure (CVE-2025-55182) (https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/)
  - Operation TrueChaos: TrueConf Zero-Day Exploited Against Government Networks (CVE-2026-3502) (https://thehackernews.com/2026/03/trueconf-zero-day-exploited-in-attacks.html)
  - Iran Deploys Pseudo-Ransomware, Revives Pay2Key Operations (https://www.darkreading.com/threat-intelligence/iran-pseudo-ransomware-pay2key-operations)
  - Statistics South Africa Extorted by XP95 (https://news.risky.biz/risky-bulletin-iranian-password-sprays-came-first-then-came-the-missiles/)
  - UNC1069 / WAVESHAPER.V2 (Axios npm Supply Chain)
  - TeamPCP / CanisterWorm (https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/)
  - North Korean UNC1069 Backdoors Axios npm Package (WAVESHAPER.V2) (https://go.theregister.com/feed/www.theregister.com/2026/03/31/axios_npm_backdoor_rat/)
  - WhatsApp Malware Campaign: VBScript and MSI Backdoors (https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/)
  - Venom Stealer: Continuous Credential Harvesting with Persistence (https://www.securityweek.com/venom-stealer-raises-stakes-with-continuous-credential-harvesting/)
  - UK Manufacturers: 80% Reporting Cyber Incidents (https://go.theregister.com/feed/www.theregister.com/2026/04/01/uk_manufacturer_cyberattacks/)
  - CVE-2026-20929: Kerberos Authentication Relay via DNS CNAME Abuse (https://www.crowdstrike.com/en-us/blog/detecting-kerberos-relay-attack-via-dns-cname-abuse/)
  - Windows 11 KB5086672 Emergency OOB Update (https://www.bleepingcomputer.com/news/microsoft/new-windows-11-kb5086672-emergency-update-fixes-install-issues/)
  - Iranian APT Password-Spraying Microsoft 365 (Gray Sandstorm) (https://news.risky.biz/risky-bulletin-iranian-password-sprays-came-first-then-came-the-missiles/)
  - Vim RCE on File Open; Emacs Flaw Remains Unpatched (https://www.bleepingcomputer.com/news/security/claude-ai-finds-vim-emacs-rce-bugs-that-trigger-on-file-open/)
  - Google Drive Ransomware Detection Now GA for Paid Users (https://www.bleepingcomputer.com/news/security/google-drive-ransomware-detection-now-on-by-default-for-paying-users/)
  - OpenSC Stack Buffer Overflows (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-66037)
  - Anritsu Remote Spectrum Monitor: No-Auth ICS Flaw (CVE-2026-3356, No Fix Planned) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-01)
  - PX4 Autopilot MAVLink Auth Bypass (CVE-2026-1579) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02)
  - Additional MSRC CVEs Published
CVEs Referenced: CVE-2023-52676, CVE-2024-35839, CVE-2024-41013, CVE-2025-49010, CVE-2025-55182, CVE-2025-66037, CVE-2025-66038, CVE-2026-1579, CVE-2026-20929, CVE-2026-3356, CVE-2026-34043, CVE-2026-34714, CVE-2026-3502, CVE-2026-4176
Indicators of Compromise:
  Domains: 15[.]197., sfrclak[.]com, 206[.]73
  Hashes: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
Full brief: https://carolinacleartech.com/brief/2026-04-01/
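The "Indicators of Compromise" entries in these notes are defanged (bluegraintours[.]com, sfrclak[.]com) and several are truncated fragments (2[.]68, 206[.]73., 15[.]197.) that can never match real traffic; the same domain also recurs across several days. Added example, not code from Carolina Clear Tech or from any linked brief: a Python parser for the notes' indicator format that refangs each entry, classifies it as a domain, an IP address or a SHA-256 hash, drops duplicates across days, and sets aside anything that passes none of the checks, so that only usable indicators reach a blocklist. The sample input is the 2026-04-10 indicator line from this page, as it appears there; the section names (Domains, IPs, Hashes) and the "Full brief:" terminator follow the notes' own layout; the function and class names are mine.

```python
"""Refang and validate the defanged indicators listed in these show notes."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the indicator line from the 2026-04-10 show notes on this page,
# as it appears there (duplicate domain and the "2[.]68" fragment included).
SAMPLE_2026_04_10 = (
    "Indicators of Compromise: Domains: 2[.]68, bluegraintours[.]com, bluegraintours[.]com. "
    "Hashes: a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285, "
    "53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b "
    "Full brief: https://carolinacleartech.com/brief/2026-04-10/"
)

MARKER = "Indicators of Compromise:"
# The notes use these section names; "Full brief:" closes the indicator block.
SECTION_RE = re.compile(
    r"(Domains|IPs|Hashes):\s*(.*?)(?=\s*(?:Domains|IPs|Hashes|Full brief):|$)"
)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


@dataclass
class IocSet:
    domains: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    hashes: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # raw tokens that passed no check


def refang(token: str) -> str:
    """Undo [.] / (.) / {.} defanging, drop list punctuation, normalise case."""
    t = token.strip().strip(".,;")
    for defanged in ("[.]", "(.)", "{.}"):
        t = t.replace(defanged, ".")
    return t.lower()


def classify(token: str) -> Optional[str]:
    """Return 'hash', 'ip' or 'domain'; None for anything that is not a usable indicator."""
    if SHA256_RE.match(token):
        return "hash"
    try:
        ipaddress.ip_address(token)  # rejects "2.68": not a complete address
        return "ip"
    except ValueError:
        pass
    labels = token.split(".")
    # A hostname needs at least two valid labels and an alphabetic TLD; "2.68" fails here too.
    if len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels) and labels[-1].isalpha():
        return "domain"
    return None


def _collect(text: str, out: IocSet, seen: set) -> None:
    if MARKER not in text:
        return
    body = text.split(MARKER, 1)[1]
    for _section, items in SECTION_RE.findall(body):
        for raw in items.split(","):
            tok = refang(raw)
            if not tok or tok in seen:
                continue
            seen.add(tok)
            kind = classify(tok)
            if kind == "domain":
                out.domains.append(tok)
            elif kind == "ip":
                out.ips.append(tok)
            elif kind == "hash":
                out.hashes.append(tok)
            else:
                out.rejected.append(raw.strip())


def parse_show_notes(text: str) -> IocSet:
    """Extract the indicators from one day's notes."""
    out = IocSet()
    _collect(text, out, set())
    return out


def parse_many(notes: list) -> IocSet:
    """Merge several days' notes; an indicator repeated across days appears once."""
    out, seen = IocSet(), set()
    for text in notes:
        _collect(text, out, seen)
    return out


if __name__ == "__main__":
    iocs = parse_show_notes(SAMPLE_2026_04_10)
    for kind in ("domains", "ips", "hashes", "rejected"):
        for value in getattr(iocs, kind):
            print(f"{kind:9}{value}")
```

Feed it every "Show Notes" entry above to get one merged, deduplicated list. Anything that lands in rejected should be checked against the linked full brief before it is used anywhere; the fragments on this page are extraction damage, not indicators.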
2026-03-31: Citrix NetScaler is under active exploitation via CVE-2026-3055 with a CISA-mandated federal patch
Show Notes - 2026-03-31
Stories Covered:
- Today:
  - Citrix NetScaler Out-of-Bounds Read Actively Exploited (CVE-2026-3055) (https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-citrix-flaw-by-thursday/)
  - F5 BIG-IP APM RCE Exploited in Wild, Webshells Deployed (CVE-2025-53521) (https://www.bleepingcomputer.com/news/security/hackers-now-exploit-critical-f5-big-ip-flaw-in-attacks-patch-now/)
  - Axios npm Supply Chain Attack: Cross-Platform RAT in 83M-Download Package (https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html)
  - TeamPCP Supply Chain Campaign Update: CipherForce RaaS, Databricks Investigation (https://isc.sans.edu/diary/rss/32846)
  - Talos 2025 Ransomware Year in Review: Qilin #1, Blending-In Tactics (https://blog.talosintelligence.com/ransomware-in-2025-blending-in-is-the-strategy/)
  - XP95 Targets Government Agency and Healthcare Software Provider (https://databreaches.net/2026/03/30/south-african-government-agency-and-spanish-psychological-software-provider-victims-of-cyberattacks-by-xp95/)
  - TeamPCP / CipherForce Campaign Indicators
  - Axios Supply Chain RAT C2 Indicators (https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html)
  - DeepLoad: ClickFix-Delivered Credential Stealer with WMI Persistence (https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html)
  - Secrets Sprawl 2026: 29 Million Hardcoded Secrets Leaked, 34% YoY Increase (https://thehackernews.com/2026/03/the-state-of-secrets-sprawl-2026-9.html)
  - NGFW App-ID Bypass for Sub-5KB Data Exfiltration (https://isc.sans.edu/diary/rss/32850)
  - Windows 11 Preview Update KB5079391 Pulled After Install Failures (https://go.theregister.com/feed/www.theregister.com/2026/03/30/microsoft_faulty_windows_update/)
  - ChatGPT DNS Exfiltration Side Channel Patched (February 20) (https://thehackernews.com/2026/03/openai-patches-chatgpt-data.html)
  - Red Menshen BPFDoor Implants Targeting Telecom Backbone Infrastructure (https://thehackernews.com/2026/03/weekly-recap-telecom-sleeper-cells-llm.html)
  - CVE-2026-3055 / CVE-2026-4368 - Citrix NetScaler ADC and Gateway (https://www.bleepingcomputer.com/news/security/critical-citrix-netscaler-memory-flaw-actively-exploited-in-attacks/)
  - CVE-2025-53521 - F5 BIG-IP APM Remote Code Execution (https://www.bleepingcomputer.com/news/security/hackers-now-exploit-critical-f5-big-ip-flaw-in-attacks-patch-now/)
  - Handlebars.js Multiple CVEs (CVE-2026-33938 / 33939 / 33941 / 33916) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33938)
  - node-forge CVE-2026-33895 / CVE-2026-33896 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33895)
  - libssh CVE-2026-0964 / 0965 / 0966 / 0967 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0964)
  - CVE-2026-4676 - Chromium Use-After-Free in Dawn (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4676)
CVEs Referenced: CVE-2025-53521, CVE-2026-0964, CVE-2026-0965, CVE-2026-0966, CVE-2026-0967, CVE-2026-3055, CVE-2026-33895, CVE-2026-33896, CVE-2026-33938, CVE-2026-4368, CVE-2026-4676
Full brief: https://carolinacleartech.com/brief/2026-03-31/
-
-33
2026-03-30: Three critical network appliance vulnerabilities are being actively exploited right now: Fortinet
Show Notes - 2026-03-30
Stories Covered:
Today:
- Critical Fortinet FortiClient EMS Flaw Actively Exploited (CVE-2026-21643) (https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/)
- Citrix NetScaler Vulnerability Under Active Exploitation (https://www.securityweek.com/exploitation-of-fresh-citrix-netscaler-vulnerability-begins/)
- F5 BIG-IP DoS Flaw Reclassified to Critical RCE, Now Exploited (https://www.securityweek.com/f5-big-ip-dos-flaw-upgraded-to-critical-rce-now-exploited-in-the-wild/)
- ShinyHunters Breaches European Commission, Claims 350 GB Stolen (https://www.bleepingcomputer.com/news/security/european-commission-confirms-data-breach-after-europaeu-hack/)
- CareCloud EHR Environment Breached, Patient Data Potentially Exposed (https://databreaches.net/2026/03/29/carecloud-notifies-the-sec-after-attack-on-one-of-its-ehr-environments/)
- Ransomware Attack Cripples Jackson County, Indiana Sheriff's Department (https://news.risky.biz/risky-bulletin-apple-adds-clickfix-warning-to-macos-terminal/)
- Tax Season RMM Campaigns Surge: Over 100 Campaigns in 2026 (https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers)
- White House Official App Has Serious Security Issues (https://databreaches.net/2026/03/29/did-you-sign-up-for-the-new-white-house-app-dont-use-it-until-you-read-this/)
- Microsoft Pulls KB5079391 Windows 11 Update Over 0x80073712 Install Errors (https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-windows-kb5079391-update-over-0x80073712-install-errors/)
- FBI Confirms Handala (Iran/MOIS) Hacked Director Kash Patel's Personal Gmail (https://www.bleepingcomputer.com/news/security/fbi-confirms-hack-of-director-patels-personal-email-inbox/)
- Apple Adds ClickFix Warning to macOS Terminal (https://news.risky.biz/risky-bulletin-apple-adds-clickfix-warning-to-macos-terminal/)
- AI-Assisted Malware Development Reaches Operational Maturity (https://research.checkpoint.com/2026/ai-threat-landscape-digest-january-february-2026/)
- Three China-Linked Clusters Jointly Target Southeast Asian Government (https://thehackernews.com/2026/03/three-china-linked-clusters-target.html)
- BreachForums v5 Hacked by ShinyHunters (https://news.risky.biz/risky-bulletin-apple-adds-clickfix-warning-to-macos-terminal/)
- File Read Vulnerability in Smart Slider 3 WordPress Plugin (CVE-2026-3098) (https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/)
CVEs Referenced: CVE-2026-21643, CVE-2026-24858, CVE-2026-3098
Indicators of Compromise: IPs: 3.5.1.34, 3.5.1.33
Full brief: https://carolinacleartech.com/brief/2026-03-30/
-
-34
2026-03-29: Active reconnaissance against Citrix NetScaler CVE-2026-3055 (CVSS 9.3) is confirmed in honeypots
Show Notes - 2026-03-29
Stories Covered:
Today:
- Citrix NetScaler CVE-2026-3055 (CVSS 9.3) Under Active Reconnaissance (https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html)
- TeamPCP Supply Chain Campaign: Monetization Phase, CISA KEV Deadline April 8 (CVE-2026-33634) (https://isc.sans.edu/diary/rss/32842)
- Woodfords Family Services Discloses 2024 Ransomware Attack Nearly Two Years Later (https://databreaches.net/2026/03/28/woodfords-family-services-notifying-patients-and-families-about-2024-ransomware-attack/)
- Infinite Campus Breach: ShinyHunters Leak Contains Limited Sensitive Student Data (https://databreaches.net/2026/03/28/thankfully-the-infinite-campus-incident-did-not-involve-a-lot-of-non-directory-student-information/)
- Infinity Stealer (macOS): ClickFix/Cloudflare CAPTCHA Lure (https://www.bleepingcomputer.com/news/security/new-infinity-stealer-malware-grabs-macos-data-via-clickfix-lures/)
- Handala (Iran/MOIS) Executes Destructive Wiper at Stryker, Breaches FBI Director's Email (https://thehackernews.com/2026/03/iran-linked-hackers-breach-fbi.html)
- Corewell Health: 19,000 Patients Exposed via Former Vendor Breach (https://databreaches.net/2026/03/28/thousands-of-corewell-health-patients-affected-by-security-breach/)
- Anthropic Claude Mythos Model Details Exposed via CMS Misconfiguration (https://databreaches.net/2026/03/28/meet-claude-mythos-leaked-anthropic-post-reveals-the-powerful-upcoming-model/)
- CVE-2026-32241: Flannel Cross-Node Remote Code Execution via BackendData Injection (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32241)
- MSRC Batch: BIND DNS, LIBPNG, Flannel, Python Libraries, nf_tables
- Handala's Kubernetes Wiper Analyzed by Cloud Security Alliance (https://isc.sans.edu/diary/rss/32842)
CVEs Referenced: CVE-2023-4966, CVE-2025-5777, CVE-2025-67030, CVE-2026-1519, CVE-2026-23399, CVE-2026-25645, CVE-2026-3055, CVE-2026-3104, CVE-2026-3119, CVE-2026-32241, CVE-2026-33416, CVE-2026-33634, CVE-2026-33636, CVE-2026-33671, CVE-2026-33672, CVE-2026-33936, CVE-2026-3591, CVE-2026-4833
Indicators of Compromise: Domains: update-check[.]com
Full brief: https://carolinacleartech.com/brief/2026-03-29/
-
-35
2026-03-28: F5 BIG-IP (CVE-2025-53521) is actively exploited with a CISA-KEV patch deadline of March 30
Show Notes - 2026-03-28
Stories Covered:
Today:
- CVE-2025-53521: F5 BIG-IP APM Remote Code Execution (CISA KEV, Patch Deadline March 30) (https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog)
- TeamPCP Supply Chain Escalation: Telnyx PyPI Compromise + Vect Ransomware Affiliate Program (https://isc.sans.edu/diary/rss/32838)
- Ransomware Attack Cripples Jackson County Sheriff's Office (Indiana) (https://databreaches.net/2026/03/27/ransomware-attack-totally-cripples-jackson-county-sheriffs-office-in-indiana/)
- Bearlyfy Deploys Custom GenieLocker Ransomware Against Russian Firms (https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html)
- Law Enforcement Actions: Yanluowang IAB Sentenced, RedLine Operator Extradited (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-13-7/)
- TeamPCP / Telnyx Malware Indicators
- F5 BIG-IP Compromise Indicators
- FAUX#ELEVATE Phishing Campaign
- AitM Phishing Domains (TikTok Business / Google Careers lures) (https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html)
- Fake VS Code Security Alerts on GitHub Spreading Malware to Developers (https://www.bleepingcomputer.com/news/security/fake-vs-code-alerts-on-github-spread-malware-to-developers/)
- Open VSX "Open Sesame" Bug Allowed Malicious Extensions to Bypass Security Scanning (Patched) (https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html)
- European Commission Investigating AWS Account Breach (https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/)
- CanisterWorm Wiper Targeting Iranian Systems via TeamPCP (https://databreaches.net/2026/03/27/canisterworm-springs-wiper-attack-targeting-iran-but-why/)
- Microsoft Defender High-Value Asset Protection for Domain Controllers and Identity Infrastructure (https://www.microsoft.com/en-us/security/blog/2026/03/27/microsoft-defender-protects-high-value-assets/)
- TA446 (COLDRIVER/Star Blizzard) Deploys DarkSword iOS Exploit Kit in Broader Campaign (https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html)
- China's Red Menshen Upgrades BPFdoor for Telco Espionage (https://www.darkreading.com/threat-intelligence/china-upgrades-backdoor-spy-telcos)
- Google Sets 2029 Deadline for Post-Quantum Cryptography Migration (https://www.darkreading.com/application-security/google-2029-deadline-quantum-safe-cryptography)
- Chromium CVEs (Microsoft Edge Chromium-based) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4673)
- etcd Authorization Bypass CVEs (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33343)
CVEs Referenced: CVE-2025-53521, CVE-2026-32187, CVE-2026-33343, CVE-2026-33413, CVE-2026-4673, CVE-2026-4677, CVE-2026-4680
Indicators of Compromise: Domains: 209[.]203, mail[.]ru, careerscrews[.]com, careerstaffer[.]com, careersworkflow[.]com, careerstransform[.]com, careersupskill[.]com, careerssuccess[.]com, careerstaffgrid[.]com, careersprogress[.]com, careersgrower[.]com, careersengage[.]com, drnatashachinn[.]com, escofiringbijou[.]com IPs: 17.5.1.3, 16.1.6.1, 15.1.10.8
Full brief: https://carolinacleartech.com/brief/2026-03-28/
-
-36
2026-03-27: CISA added two new entries to its KEV catalog today with tight remediation deadlines
Show Notes - 2026-03-27
Stories Covered:
March 27, 2026
Today:
- TeamPCP Supply Chain Campaign: All 91 Checkmarx ast-github-action Tags Compromised (CVE-2026-33634) (https://isc.sans.edu/diary/rss/32834)
- Langflow AI Framework Actively Exploited for RCE (CVE-2026-33017) (https://www.bleepingcomputer.com/news/security/cisa-new-langflow-flaw-actively-exploited-to-hijack-ai-workflows/)
- Iran-Linked Threat Actor Escalation: 27 Days of Internet Blackout, Wiper Attack Risk Elevated (https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/)
- TikTok for Business Phishing Infrastructure - Confidence: High (https://www.bleepingcomputer.com/news/security/tiktok-for-business-accounts-targeted-in-new-phishing-campaign/)
- PTC Windchill and FlexPLM Critical RCE via Deserialization (CVE-2026-4681) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-03)
- WAGO Industrial Managed Switches: Unauthenticated RCE via Hidden CLI Function (CVE-2026-3587) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01)
- Windows 11 KB5079391 Optional Preview Update - Smart App Control Improvements (https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5079391-update-rolls-out-smart-app-control-improvements/)
- MSRC: Curl Credential and Token Exposure CVEs (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3783)
- FCC Proposes Restrictions on Offshore Call Centers, Raising AI Automation Questions (https://go.theregister.com/feed/www.theregister.com/2026/03/26/ai_companies_lick_their_chops/)
- Squid Proxy: Two ICP Denial of Service CVEs (CVE-2026-33526, CVE-2026-33515) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33526)
- NGINX ngx_mail_proxy_module Vulnerability (CVE-2026-28753) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-28753)
- Additional MSRC CVE Batch - March 27, 2026 (https://msrc.microsoft.com/update-guide/)
CVEs Referenced: CVE-2025-3248, CVE-2025-70614, CVE-2025-71183, CVE-2025-71184, CVE-2026-1965, CVE-2026-23004, CVE-2026-23068, CVE-2026-23396, CVE-2026-23397, CVE-2026-23398, CVE-2026-28753, CVE-2026-33017, CVE-2026-33515, CVE-2026-33526, CVE-2026-33634, CVE-2026-3587, CVE-2026-3713, CVE-2026-3783, CVE-2026-3784, CVE-2026-4645, CVE-2026-4647, CVE-2026-4681, CVE-2026-4775
Indicators of Compromise: Domains: careerscrews[.]com, careerstaffer[.]com, careersworkflow[.]com, careerstransform[.]com, careersupskill[.]com, careerssuccess[.]com, careerstaffgrid[.]com, careersprogress[.]com, careersengage[.]com, careergrower[.]com IPs: 13.1.3.0
Full brief: https://carolinacleartech.com/brief/2026-03-27/
-
-37
2026-03-26: Citrix patched two NetScaler vulnerabilities closely resembling the infamous CitrixBleed flaws
Show Notes - 2026-03-26
Stories Covered:
Today:
- Citrix NetScaler CVE-2026-3055 / CVE-2026-4368 - CitrixBleed-Class Memory Overread and Session Mixup (https://www.bleepingcomputer.com/news/security/citrix-urges-admins-to-patch-netscaler-flaws-as-soon-as-possible/)
- CVE-2026-33017 Langflow Code Injection - CISA KEV Addition (https://www.cisa.gov/news-events/alerts/2026/03/25/cisa-adds-one-known-exploited-vulnerability-catalog)
- TA551 Operator Sentenced, IcedID/BitPaymer Botnet Operator Faces 2 Years (https://thehackernews.com/2026/03/russian-hacker-sentenced-to-2-years-for.html)
- Blackbaud Ransomware Breach - Delaware Supreme Court Reinstates Cyber Insurer Subrogation Claim (https://databreaches.net/2026/03/25/delaware-supreme-court-reverses-holds-cyber-insurers-sufficiently-pled-collective-subrogation-claim-resulting-from-blackbaud-data-breach/)
- Device Code Phishing Campaign - Railway.com Infrastructure (https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html)
- Device Code Phishing Hits 340+ Microsoft 365 Orgs via OAuth Token Abuse (https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html)
- TeamPCP Supply Chain Campaign Hits Trivy, Checkmarx, and LiteLLM (https://databreaches.net/2026/03/25/teampcp-hits-trivy-checkmarx-and-litellm-in-credential-theft-campaign/)
- AI Supply Chain Attack Vector: Poisoned Documentation via Context Hub (https://go.theregister.com/feed/www.theregister.com/2026/03/25/ai_agents_supply_chain_attack_context_hub/)
- Paid AI Platform Accounts Now Traded on Underground Markets (https://www.bleepingcomputer.com/news/security/paid-ai-accounts-are-now-a-hot-underground-commodity/)
- CVE-2025-66413 - Git for Windows NTLM Hash Leak on Clone (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-66413)
- CVE-2026-3805 - SMB Use-After-Free in Connection Reuse (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3805)
- Identity Fragmentation as a Root Cause for Lateral Movement (https://www.microsoft.com/en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/)
- Operation Triangulation Exploit Kit "Coruna" - Updated Framework Analysis (https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/)
- MSRC Kernel and System CVE Batch (https://msrc.microsoft.com/update-guide)
CVEs Referenced: CVE-2023-32434, CVE-2023-38606, CVE-2023-4966, CVE-2024-45336, CVE-2024-45341, CVE-2025-66413, CVE-2025-68357, CVE-2026-23303, CVE-2026-23364, CVE-2026-23370, CVE-2026-29111, CVE-2026-3055, CVE-2026-33017, CVE-2026-3805, CVE-2026-4368
Indicators of Compromise: Domains: 234[.]41, 234[.]66, 232[.]57, 232[.]99, 232[.]235
Full brief: https://carolinacleartech.com/brief/2026-03-26/
-
-38
2026-03-25: The Trivy supply chain attack (CVE-2026-33634, CVSS 9.4) has expanded beyond Aqua Security to
Show Notes - 2026-03-25
Stories Covered:
Today:
- Trivy Supply Chain Compromise Expands to Checkmarx (CVE-2026-33634) (https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/)
- EvilTokens PhaaS: Active M365 Device Code Phishing via Railway PaaS (https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign)
- Tax Malvertising Delivers ScreenConnect + BYOVD EDR Killer (HwAudKiller) (https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html)
- Two Russian Cybercriminals Sentenced in U.S. Courts (https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-access-broker-gets-81-months-in-prison/)
- TeamPCP Cloud Stealer (https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html)
- HwAudKiller / BYOVD Campaign (https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html)
- Schneider Electric Plant iT/Brewmaxx ICS Vulnerabilities (RCE) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-03)
- FCC Bans New Foreign-Made Routers (https://thehackernews.com/2026/03/fcc-bans-new-foreign-made-routers-over.html)
- Pharos Controls Mosaic Show Controller: Unauthenticated RCE (CVE-2026-2417) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-01)
- Palo Alto Networks Recruiter Impersonation Phishing (https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruiters/)
- Microsoft 365 Identity Threat: Device Code Phishing at Scale (https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign)
- Classic Outlook Gmail Sync Issue Resolved (https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-outlook-sync-issues-for-gmail-users/)
- Google Workspace as Identity Infrastructure: Huntress Launches ITDR (https://www.huntress.com/blog/managed-itdr-google-workspace)
- Healthcare, Pharma, Retail Are the Worst Windows Patching Offenders (https://go.theregister.com/feed/www.theregister.com/2026/03/25/omnissa_digital_workspace_report/)
- MSRC Published CVEs (March 25, 2026)
- Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650) (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01)
CVEs Referenced: CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844, CVE-2025-58160, CVE-2026-0716, CVE-2026-1005, CVE-2026-23669, CVE-2026-2369, CVE-2026-2417, CVE-2026-2443, CVE-2026-25075, CVE-2026-2645, CVE-2026-27623, CVE-2026-3099, CVE-2026-3229, CVE-2026-3230, CVE-2026-33055, CVE-2026-33056, CVE-2026-33634, CVE-2026-3549, CVE-2026-3650, CVE-2026-4395, CVE-2026-4424, CVE-2026-4426
Indicators of Compromise: Domains: checkmarx[.]zone, 209[.]11, bringetax[.]com, paloaltonetworks-careers[.]com
Full brief: https://carolinacleartech.com/brief/2026-03-25/
-
-39
2026-03-24: Citrix NetScaler has a critical CVSS 9.3 unauthenticated memory-read flaw (CVE-2026-3055) that
Show Notes - 2026-03-24
Stories Covered:
Today:
- Citrix NetScaler ADC/Gateway Unauthenticated Memory Read and Session Mixup (CVE-2026-3055, CVE-2026-4368) (https://thehackernews.com/2026/03/citrix-urges-patching-critical.html)
- Zimbra Collaboration Suite Stored XSS Actively Exploited (CVE-2025-66376) -- CISA KEV Due 2026-04-01 (https://research.checkpoint.com/2026/23rd-march-threat-intelligence-report/)
- Langflow AI Framework RCE Weaponized Within 20 Hours of Disclosure (CVE-2026-33017) (https://research.checkpoint.com/2026/23rd-march-threat-intelligence-report/)
- ConnectWise ScreenConnect Cryptographic Signature Bypass (CVE-2026-3564) (https://research.checkpoint.com/2026/23rd-march-threat-intelligence-report/)
- Ubiquiti UniFi Network Application Unauthenticated Path Traversal (CVE-2026-22557) (https://research.checkpoint.com/2026/23rd-march-threat-intelligence-report/)
- Trio-Tech International Semiconductor Firm Ransomware: "Immaterial" Assessment Reversed After Data Leak (https://go.theregister.com/feed/www.theregister.com/2026/03/23/us_chip_testing_firm_shrugged/)
- Woundtech Healthcare Breach: 928K Patients, FulcrumSec, Plaintext AWS Credentials (https://databreaches.net/2026/03/23/if-threat-actors-gave-you-a-chance-to-redact-the-patient-data-they-hacked-before-they-leak-it-would-you-take-them-up-on-the-offer-read-about-the-woundtech-incident/)
- 3.7 Million Telehealth Patient Records: OpenLoop Health and Zealthy (https://databreaches.net/2026/03/23/3-7-million-telehealth-patients-allegedly-affected-by-two-recent-breaches/)
- Russian IAB Sentenced 81 Months; BlackCat Negotiator Charged (https://thehackernews.com/2026/03/us-sentences-russian-hacker-to-675.html)
- IRS Tax Phishing Campaign IOCs
- Railway.com-Hosted OAuth Phishing Campaign
- IRS Tax Phishing Deploys RMM Tools Against 29,000+ Users (ScreenConnect, Datto, SimpleHelp) (https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html)
- AI-Generated Phishing via Railway.com Bypasses Email Filters, Hits Hundreds of Orgs (https://cyberscoop.com/huntress-railway-ai-phishing-campaign-compromised-hundreds-of-organizations/)
- Trivy Supply Chain Attack Spreads to Docker Hub, Aqua Security GitHub (https://www.bleepingcomputer.com/news/security/trivy-supply-chain-attack-spreads-to-docker-github-repos/)
- GPO-Based Ransomware: Defender Case Study Exposes Full Attack Chain (https://www.microsoft.com/en-us/security/blog/2026/03/23/case-study-predictive-shielding-defender-stopped-gpo-based-ransomware-before-started/)
- Exchange Online Outage and Out-of-Band Windows Patch (https://www.bleepingcomputer.com/news/microsoft/new-exchange-online-virtual-account-blocks-email-access-via-mobile-mac-apps/)
- M-Trends 2026: Vishing Is Now #2 Attack Vector, IAB Hand-offs Collapse to 22 Seconds (https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/)
- Major Breach Roundup: Navia Benefit Solutions (2.6M), Aura (900K), Puerto Rico Water Authority (https://research.checkpoint.com/2026/23rd-march-threat-intelligence-report/)
- GNU InetUtils Telnetd Remote Code Execution (CVE-2026-32746) (https://research.checkpoint.com/2026/23rd-march-threat-intelligence-report/)
- Microsoft DNS Resolution Functions (CVE-2026-4438, CVE-2026-4437) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4438)
CVEs Referenced: CVE-2023-4966, CVE-2025-5777, CVE-2025-66376, CVE-2026-22557, CVE-2026-3055, CVE-2026-32746, CVE-2026-33017, CVE-2026-3564, CVE-2026-4368, CVE-2026-4437, CVE-2026-4438
Indicators of Compromise: Domains: irs-doc[.]com, gov-irs216[.]net, smartvault[.]im
Full brief: https://carolinacleartech.com/brief/2026-03-24/
-
-40
2026-03-23: CISA has added three DarkSword iOS zero-days to KEV with a hard April 3 deadline for federal
Show Notes - 2026-03-23
Stories Covered:
Today:
- CISA Adds DarkSword iOS Exploit Kit CVEs to KEV (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) - April 3 Deadline (https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-darksword-ios-flaws-exploited-attacks/)
- Quest KACE SMA Authentication Bypass Exploited in the Wild (CVE-2025-32975, CVSS 10.0) (https://thehackernews.com/2026/03/hackers-exploit-cve-2025-32975-cvss-100.html)
- Oracle Identity Manager Unauthenticated RCE (CVE-2026-21992) - Emergency Patch Released (https://www.securityweek.com/oracle-releases-emergency-patch-for-critical-identity-manager-vulnerability/)
- Iranian Handala Group: Stryker Attack via Microsoft Intune, FBI Domain Seizures (https://www.bleepingcomputer.com/news/security/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/)
- Marquis Financial Services: 670,000 Notified of August 2025 Ransomware Breach
- Quest KACE SMA Active Exploitation
- DarkSword iOS Exploit Kit
- Iranian Handala / Homeland Justice (Seized)
- VoidStealer (Chrome ABE Bypass)
- Trivy Supply Chain Compromise Escalates to npm Worm and Kubernetes Wiper (TeamPCP) (https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html)
- GitHub Malware Distribution: Growing Systemic Problem (https://news.risky.biz/risky-bulletin-github-is-starting-to-have-a-real-malware-problem/)
- Russian Intelligence Targeting Signal and WhatsApp Accounts (https://go.theregister.com/feed/www.theregister.com/2026/03/22/russian_messaging_support_phishing_scam/)
- KB5085516 Emergency Update: Microsoft Account Sign-In Broken by March Patch Tuesday (https://www.bleepingcomputer.com/news/microsoft/new-kb5085516-emergency-update-fixes-microsoft-account-sign-in/)
- VoidStealer Chrome ABE Bypass: New Infostealer Extracts Master Key via Hardware Breakpoints (https://www.bleepingcomputer.com/news/security/voidstealer-malware-steals-chrome-master-key-via-debugger-trick/)
- Microsoft Acknowledges Windows 11 Quality Issues, Promises Improvements (https://go.theregister.com/feed/www.theregister.com/2026/03/23/windows_quality_commitment/)
- Chrome / Edge - Six New CVEs Patched (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4464)
CVEs Referenced: CVE-2025-14174, CVE-2025-31277, CVE-2025-32975, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2026-20700, CVE-2026-21992, CVE-2026-4451, CVE-2026-4456, CVE-2026-4457, CVE-2026-4461, CVE-2026-4462, CVE-2026-4464
Indicators of Compromise: Domains: 225[.]156, 225[.]156., handala-hack[.]to, handala-redwanted[.]to, justicehomeland[.]org, karmabelow80[.]org., karmabelow80[.]org
Full brief: https://carolinacleartech.com/brief/2026-03-23/
-
-41
2026-03-22: Microsoft Azure Monitor alerts exploited for callback phishing with legitimate Microsoft headers
Show Notes - 2026-03-22
Stories Covered:
Today:
- Trivy Vulnerability Scanner Supply Chain Compromise (https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/)
- Microsoft Azure Monitor Alert Abuse for Callback Phishing (https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/)
- Russian State Phishing Targeting Signal and WhatsApp Accounts (https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html)
- Google Announces Advanced Flow for Android APK Sideloading (https://www.bleepingcomputer.com/news/security/google-adds-advanced-flow-for-safe-apk-sideloading-on-android/)
Indicators of Compromise: Domains: aquasecurtiy[.]org, aquasecurtiy[.]org.
Full brief: https://carolinacleartech.com/brief/2026-03-22/
-
-42
2026-03-21: CISA adds five actively exploited CVEs to KEV with a two-week patching deadline
Show Notes - 2026-03-21
Stories Covered:
2026-03-21
Today:
- CISA Adds Five Known Exploited Vulnerabilities to Catalog (https://www.cisa.gov/news-events/alerts/2026/03/20/cisa-adds-five-known-exploited-vulnerabilities-catalog)
- CISA Orders Feds to Patch Max-Severity Cisco Flaw by Sunday (CVE-2026-20131) (https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-cisco-flaw-by-sunday/)
- Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure (https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html)
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager (https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html)
- Interlock Ransomware Targets Cisco Enterprise Firewalls (https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-cisco-flaw-by-sunday/)
- Beast Gang Exposes Ransomware Server (https://www.darkreading.com/threat-intelligence/opsec-beast-gang-exposes-ransomware-server)
- City of Hamilton Ransomware Highlights Insurance Gaps (https://databreaches.net/2026/03/20/strengthening-cybersecurity-in-canadas-municipal-sector-a-verified-analysis/)
- Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm (https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html)
- Russian Intelligence Services Target Commercial Messaging Applications (https://www.cisa.gov/resources-tools/resources/russian-intelligence-services-target-commercial-messaging-application-accounts)
- Justice Department Disrupts Botnet Networks Hijacking 3 Million Devices (https://cyberscoop.com/botnet-disruption-aisuru-kimwolf-jackskid-mossad/)
- Operation Alice Shuts Down 373,000 Dark Web Sites (https://databreaches.net/2026/03/20/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down/)
- Operation Synergia III Disrupts Global Cybercrime Infrastructure (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-12-7/)
- UK Cyber Watchdog Warns JLR Bailout Sets Worrying Precedent (https://go.theregister.com/feed/www.theregister.com/2026/03/20/jlr_bailout_cmc/)
- Microsoft Breaks Microsoft Account Sign-Ins in Windows 11 with Latest Update (https://go.theregister.com/feed/www.theregister.com/2026/03/20/microsoft_account_not_working_have/)
- Microsoft Publishes Multiple CVE Advisories (https://msrc.microsoft.com/)
- MuddyWater (Boggy Serpens) Increases Technological Capabilities (https://thehackernews.com/2026/03/cisa-flags-apple-craft-cms-laravel-bugs.html)
- DarkSword iOS Exploit Targeting iOS 18.4 to 18.7 (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-12-7/)
- CISA KEV Additions (Due April 3, 2026) (https://www.cisa.gov/news-events/alerts/2026/03/20/cisa-adds-five-known-exploited-vulnerabilities-catalog)
- Microsoft Security Update Guide Publications (https://msrc.microsoft.com/)
CVEs Referenced: CVE-2025-31277, CVE-2025-32432, CVE-2025-43510, CVE-2025-43520, CVE-2025-54068, CVE-2026-20131, CVE-2026-21992, CVE-2026-23204, CVE-2026-23271, CVE-2026-23272, CVE-2026-23274, CVE-2026-23276, CVE-2026-23277, CVE-2026-23278, CVE-2026-30922, CVE-2026-32766, CVE-2026-33017, CVE-2026-3479, CVE-2026-3632, CVE-2026-3633, CVE-2026-3634
Indicators of Compromise: Domains: 205[.]251 IPs: 12.2.1.4, 14.1.2.1
Full brief: https://carolinacleartech.com/brief/2026-03-21/
-
-43
2026-03-20: SharePoint CVE-2026-20963 under active exploitation with federal patch deadline Saturday
Show Notes - 2026-03-20
Stories Covered:
Today:
- SharePoint CVE-2026-20963 Under Active Exploitation (https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog)
- Cisco Firewall Management Deserialization Flaw (CVE-2026-20131) (https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog)
- Gentlemen RaaS Exploiting FortiGate at Scale (https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html)
- Medusa Ransomware Exfiltrated 1TB from University of Mississippi Medical Center (https://databreaches.net/2026/03/19/ummc-continues-investigating-cyberattack-and-recovering-from-impact/?pk_campaign=feed&pk_kwd=ummc-continues-investigating-cyberattack-and-recovering-from-impact)
- FBI Seizes Handala Domains After Stryker Attack (https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack/)
- BMC FootPrints Pre-Auth RCE Chain (https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html)
- Tax Season Phishing Campaigns Target Accountants (https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/)
- 54 EDR Killers Abuse 35 Vulnerable Drivers (https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html)
- Langflow Vulnerability Exploited Hours After Disclosure (https://www.securityweek.com/critical-langflow-vulnerability-exploited-hours-after-public-disclosure/)
- March Windows 11 Update Breaks Microsoft Account Sign-Ins (https://www.bleepingcomputer.com/news/microsoft/kb5079473-march-windows-11-update-breaks-microsoft-account-sign-ins/)
- CISA Urges Intune Hardening After Stryker Breach (https://www.bleepingcomputer.com/news/security/cisa-warns-businesses-to-secure-microsoft-intune-systems-after-stryker-breach/)
- Microsoft Bing Images RCE (CVE-2026-32191) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32191)
- Schneider Electric EcoStruxure Automation Expert (CVE-2026-2273) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-03)
- Linux Kernel CVEs in MSRC Feed (https://msrc.microsoft.com/update-guide/)
CVEs Referenced: CVE-2024-55591, CVE-2025-53770, CVE-2025-71221, CVE-2025-71225, CVE-2025-71227, CVE-2025-71233, CVE-2025-71236, CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, CVE-2025-71260, CVE-2026-20131, CVE-2026-20963, CVE-2026-2273, CVE-2026-23110, CVE-2026-23113, CVE-2026-23118, CVE-2026-23126, CVE-2026-23154, CVE-2026-23157, CVE-2026-23169, CVE-2026-23171, CVE-2026-23191, CVE-2026-23207, CVE-2026-23208, CVE-2026-23213, CVE-2026-23214, CVE-2026-23221, CVE-2026-23227, CVE-2026-23269, CVE-2026-32191
Indicators of Compromise: Domains: handala-redwanted[.]to, handala-hack[.]to, Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, Handala-Redwanted[.]to.
Full brief: https://carolinacleartech.com/brief/2026-03-20/
2026-03-19: Three CISA KEV additions demand immediate attention: a Cisco FMC zero-day (CVE-2026-20131
Show Notes - 2026-03-19
Stories Covered - Today:
- Cisco FMC / Security Cloud Control Zero-Day Exploited by Interlock Ransomware (CVE-2026-20131) (https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html)
- Microsoft SharePoint Deserialization RCE Actively Exploited (CVE-2026-20963), CISA Deadline March 21 (https://www.bleepingcomputer.com/news/microsoft/critical-microsoft-sharepoint-flaw-now-exploited-in-attacks/)
- Zimbra XSS Exploited by Russian APT, Operation GhostMail (CVE-2025-66376), CISA Deadline April 1 (https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html)
- "The Gentlemen" RaaS Maintains Database of 14,700 Exploited FortiGate Devices (CVE-2024-55591) (https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html)
- BYOVD EDR Killers: 54 Tools Exploiting 34 Vulnerable Signed Drivers (https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html)
- Ransomware Exfiltration Increasingly Uses Legitimate Tools (https://blog.talosintelligence.com/everyday-tools-extraordinary-crimes-the-ransomware-exfiltration-playbook/)
- SnappyClient C2 Framework via Hijack Loader (New, December 2025) (https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html)
- Handala Wipes 80,000 Stryker Devices via Microsoft Intune; FBI Seizes Hacktivist Domains (https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack/)
- BMC FootPrints ITSM Pre-Auth RCE Chain (CVE-2025-71257, -71258, -71259, -71260) (https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html)
- Tax Season Phishing Targeting Finance and Accounting Professionals (https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/)
- Privilege Escalation via Password Reset Paths (https://www.bleepingcomputer.com/news/security/7-ways-to-prevent-privilege-escalation-via-password-resets/)
- DarkSword iOS Exploit Kit: 6 CVEs, 3 Zero-Days, Full Device Takeover (https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html)
- BMC FootPrints ITSM (CVE-2025-71257, -71258, -71259, -71260)
- Schneider Electric EcoStruxure Automation Expert (CVE-2026-2273) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-03)
- Microsoft Azure and Bing (CVE-2026-32191, CVE-2026-32169, CVE-2026-26120, CVE-2026-23659)
- pyOpenSSL (CVE-2026-27448, CVE-2026-27459)
CVEs Referenced: CVE-2024-55591, CVE-2025-14174, CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2025-66376, CVE-2025-71257, CVE-2025-71258, CVE-2025-71260, CVE-2026-20131, CVE-2026-20700, CVE-2026-20963, CVE-2026-2273, CVE-2026-23659, CVE-2026-26120, CVE-2026-27448, CVE-2026-27459, CVE-2026-32169, CVE-2026-32191
Full brief: https://carolinacleartech.com/brief/2026-03-19/
2026-03-18: LeakNet ransomware adopts ClickFix social engineering to bypass traditional initial access methods
Show Notes - 2026-03-18
Stories Covered - Today:
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) (https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html)
- CISA Adds Wing FTP Vulnerability to KEV Catalog (https://www.securityweek.com/cisa-flags-year-old-wing-ftp-vulnerability-as-exploited/)
- Ubuntu Privilege Escalation (CVE-2026-3888) (https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html)
- LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader (https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html)
- Warlock Ransomware Group Augments Post-Exploitation Activities (https://www.darkreading.com/threat-intelligence/warlock-ransomware-post-exploitation-activities)
- Ransomware Market Shifts as Payment Rates Hit Record Lows (https://www.darkreading.com/threat-intelligence/less-lucrative-ransomware-market-makes-attackers-alter-methods)
- GlassWorm Malware Hits 400+ Code Repos on GitHub, npm, VSCode, OpenVSX (https://www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/)
- AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE (https://thehackernews.com/2026/03/ai-flaws-in-amazon-bedrock-langsmith.html)
- Europe Sanctions Chinese and Iranian Firms for Cyberattacks (https://www.bleepingcomputer.com/news/security/europe-sanctions-chinese-and-iranian-firms-for-cyberattacks/)
- Credential Theft Soared in H2 2025 (https://www.darkreading.com/identity-access-management-security/more-attackers-logging-in-not-breaking-in)
- Microsoft: Enabling Teams Meeting Add-in Breaks Outlook Classic (https://www.bleepingcomputer.com/news/microsoft/microsoft-enabling-teams-meeting-add-in-breaks-outlook-classic/)
- Microsoft Shares Fix for Windows C: Drive Access Issues on Samsung PCs (https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-fix-for-windows-c-drive-access-issues-on-samsung-pcs/)
- New Windows 11 Hotpatch Fixes Bluetooth Device Visibility Issue (https://www.bleepingcomputer.com/news/microsoft/new-windows-11-hotpatch-fixes-bluetooth-device-visibility-issue/)
- Microsoft Stops Force-Installing the Microsoft 365 Copilot App (https://www.bleepingcomputer.com/news/microsoft/microsoft-stops-force-installing-the-microsoft-365-copilot-app/)
- UK Companies House Portal Had Major Bug (https://news.risky.biz/risky-bulletin-eu-finally-imposes-more-cyber-sanctions/)
- Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass (CVE-2026-20643) (https://thehackernews.com/2026/03/apple-fixes-webkit-vulnerability.html)
- South Korean Police Accidentally Post Cryptocurrency Wallet Password (https://www.schneier.com/blog/archives/2026/03/south-korean-police-accidentally-post-cryptocurrency-wallet-password.html)
- Siemens SICAM SIAPP SDK (6 CVEs) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-04)
- Schneider Electric EcoStruxure Data Center Expert (CVE-2025-13957) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-03)
- Schneider Electric SCADAPack and RemoteConnect (CVE-2026-0667) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-02)
- CODESYS in Festo Automation Suite (CVE-2025-2595, CVE-2010-5250) (https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-01)
CVEs Referenced: CVE-2010-5250, CVE-2025-13957, CVE-2025-2595, CVE-2025-47813, CVE-2026-0667, CVE-2026-20643, CVE-2026-24061, CVE-2026-25569, CVE-2026-25570, CVE-2026-25571, CVE-2026-25572, CVE-2026-25573, CVE-2026-25605, CVE-2026-25750, CVE-2026-32746, CVE-2026-3888
Indicators of Compromise:
IPs: 2.8.0.138, 3.5.16.10, 3.5.21.20
Full brief: https://carolinacleartech.com/brief/2026-03-18/
2026-03-17: CISA adds actively exploited Wing FTP flaw to KEV catalog with March 30 deadline
Show Notes - 2026-03-17
Stories Covered - Today:
- Wing FTP Server Path Disclosure (CVE-2025-47813) (https://www.bleepingcomputer.com/news/security/cisa-flags-wing-ftp-server-flaw-as-actively-exploited-in-attacks/)
- Google Chrome Zero-Days (CVE-2026-3909, CVE-2026-3910) (https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html)
- Ransomware Profitability Declining Despite Record Victim Posts (https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/)
- Iranian Threat Actors Shift to Identity Weaponization (https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/)
- Microsoft Teams Vishing Campaign Enables Quick Assist Compromise (https://www.microsoft.com/en-us/security/blog/2026/03/16/help-on-the-line-how-a-microsoft-teams-support-call-led-to-compromise/)
- Infostealer Credential Exposure Accelerating Throughout 2025 (https://www.recordedfuture.com/blog/identity-trend-report-march-blog)
- Router Botnets Enslaved for Criminal Proxy Services (https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html)
- Storm-2561 Distributes Fake VPN Clients via SEO Poisoning (https://www.securityweek.com/threat-actor-targeting-vpn-users-in-new-credential-theft-campaign/)
- Samsung Galaxy Connect App Locks Users Out of C:\ Drive (https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-samsung-app-blocking-windows-c-drive-from-store/)
- Microsoft Exchange Online Outage Blocks Mailbox Access (https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-outage-blocks-access-to-mailboxes/)
- Meta Discontinuing Instagram End-to-End Encryption in May 2026 (https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html)
- UNC6426 Leverages nx npm Supply Chain Attack for AWS Admin Access (https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html)
- Commonwealth Bank Builds AI Threat Hunting Agents (https://go.theregister.com/feed/www.theregister.com/2026/03/17/commonwealth_bank_ai_defense/)
- Python pip (CVE-2026-1703) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-1703)
- Libarchive (CVE-2026-4111) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4111)
- Systemd (CVE-2026-4105) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4105)
- OpenSSL TLS 1.3 (CVE-2026-2673) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-2673)
- Erlang ssh_sftpd (CVE-2026-23942) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23942)
- Erlang SSH (CVE-2026-23943) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23943)
- Erlang inets httpd (CVE-2026-23941) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23941)
- Vim (CVE-2026-32249) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32249)
- Linux Kernel (CVE-2026-23066, CVE-2026-23069) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23066)
CVEs Referenced: CVE-2025-47812, CVE-2025-47813, CVE-2026-1703, CVE-2026-23066, CVE-2026-23069, CVE-2026-23941, CVE-2026-23942, CVE-2026-23943, CVE-2026-2673, CVE-2026-32249, CVE-2026-3909, CVE-2026-3910, CVE-2026-4105, CVE-2026-4111
Full brief: https://carolinacleartech.com/brief/2026-03-17/
2026-03-16: Telus Digital admits to breach with up to a petabyte stolen by ShinyHunters
Show Notes - 2026-03-16
Stories Covered - Today:
- Citrix CISO Issues Emergency Patch Warning (https://go.theregister.com/feed/www.theregister.com/2026/03/15/telus_breach_starbucks_attack/)
- Ransomware Negotiator Indicted for Aiding BlackCat Gang (https://databreaches.net/2026/03/15/ransomware-incident-responder-gave-info-to-blackcat-cybercriminals-during-negotiations-doj-alleges/?pk_campaign=feed&pk_kwd=ransomware-incident-responder-gave-info-to-blackcat-cybercriminals-during-negotiations-doj-alleges)
- Telus Digital Breach Leaks Up to One Petabyte (https://go.theregister.com/feed/www.theregister.com/2026/03/15/telus_breach_starbucks_attack/)
- Starbucks HR Portal Phishing Compromises 889 Employees (https://go.theregister.com/feed/www.theregister.com/2026/03/15/telus_breach_starbucks_attack/)
- AI Exploits Moving Faster Than Defenses Can Respond (https://cyberscoop.com/booz-allen-report-ai-helps-attackers-move-faster-than-current-defenses/)
- Poland Nuclear Research Center Targeted (https://www.securityweek.com/hack-attempt-reported-at-polands-nuclear-research-center/)
- Swedish E-Government Code Leaked (https://news.risky.biz/risky-bulletin-meta-disrupts-mexican-cartels/)
- Betterleaks Replaces Gitleaks for Secrets Scanning (https://www.bleepingcomputer.com/news/security/betterleaks-a-new-open-source-secrets-scanner-to-replace-gitleaks/)
- Meta Takes Down Mexican Cartel Accounts (https://news.risky.biz/risky-bulletin-meta-disrupts-mexican-cartels/)
- Former German Intelligence Official Falls for Signal Phishing (https://news.risky.biz/risky-bulletin-meta-disrupts-mexican-cartels/)
- Android 17 Blocks Non-Accessibility Apps from API (https://thehackernews.com/2026/03/android-17-blocks-non-accessibility.html)
- Trump Executive Order Labels Cybercrime as Transnational Organized Crime (https://cyberscoop.com/executive-order-cyber-enabled-fraud-transnational-criminal-organizations/)
Full brief: https://carolinacleartech.com/brief/2026-03-16/
2026-03-15: Microsoft released an out-of-band hotpatch fixing three RCE vulnerabilities in Windows 11 RRAS
Show Notes - 2026-03-15
Stories Covered - Today:
- Microsoft Windows 11 RRAS Remote Code Execution (CVE-2026-26111, CVE-2026-25173, CVE-2026-25172) (https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/)
- Critical HPE AOS-CX Authentication Bypass (https://www.securityweek.com/critical-hpe-aos-cx-vulnerability-allows-admin-password-resets/)
- AppsFlyer Web SDK Supply-Chain Attack (March 9-11) (https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-spread-crypto-stealer-javascript-code/)
- GlassWorm Supply-Chain Campaign Targets Developers (72+ Malicious VS Code Extensions) (https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html)
- OpenClaw AI Agent Security Risks (Prompt Injection, Data Exfiltration) (https://thehackernews.com/2026/03/openclaw-ai-agent-flaws-could-enable.html)
- Loblaw Data Breach Exposes Customer Information (https://www.securityweek.com/loblaw-data-breach-impacts-customer-information/)
- Microsoft Windows 11 RRAS Remote Code Execution (https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/)
- HPE AOS-CX Unauthenticated Admin Password Reset (https://www.securityweek.com/critical-hpe-aos-cx-vulnerability-allows-admin-password-resets/)
CVEs Referenced: CVE-2026-25172, CVE-2026-25173, CVE-2026-26111
Full brief: https://carolinacleartech.com/brief/2026-03-15/
2026-03-14: Threat actors are mass-distributing fake VPN clients via SEO poisoning to steal credentials
Show Notes - 2026-03-14
Stories Covered - Today:
- Google Chrome Vulnerabilities Added to CISA KEV (CVE-2026-3909, CVE-2026-3910) (https://www.cisa.gov/news-events/alerts/2026/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog)
- Microsoft Patch Tuesday (79 Vulnerabilities, 2 Zero-Days) (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-11-7/)
- FortiGate Next-Gen Firewalls Exploited for Network Access (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-11-7/)
- Storm-2561 Campaign: Fake VPN Clients Steal Credentials (https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/)
- New ClickFix Variant Uses WebDAV Mapping (https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html)
- INTERPOL Operation Synergia III: 45,000 Malicious IPs Sinkholed (https://www.bleepingcomputer.com/news/security/police-sinkholes-45-000-ip-addresses-in-cybercrime-crackdown/)
- SmartApeSG Campaign Pushes Remcos RAT via ClickFix (https://isc.sans.edu/diary/rss/32796)
- FBI Investigation: Malicious Steam Games Spread Crypto Drainers and Infostealers (https://www.bleepingcomputer.com/news/security/fbi-seeks-victims-of-steam-games-used-to-spread-malware/)
- Windows 11 February 2026 Updates Cause C:\ Drive Access Denial on Samsung PCs (https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-11-users-cant-access-c-drive-on-some-samsung-pcs/)
- BlackCat Insider Charged: Former DigitalMint Employee Conspired with Ransomware Group (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-11-7/)
- SocksEscort Cybercrime Proxy Network Dismantled (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-11-7/)
- Classic Outlook Bugs: Sync Issues, Connection Errors, Disappearing Mouse Pointer (https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-classic-outlook-sync-and-connection-issues/)
- Poland's Nuclear Research Centre Targeted by Cyberattack (https://www.bleepingcomputer.com/news/security/polands-nuclear-research-centre-targeted-by-cyberattack/)
- Meta to Discontinue Instagram End-to-End Encryption After May 2026 (https://thehackernews.com/2026/03/meta-to-shut-down-instagram-end-to-end.html)
- GitHub Removes Premium Models from Free Copilot Student Plan (https://go.theregister.com/feed/www.theregister.com/2026/03/13/microsoft_github_removes_models_student_plan/)
- CVE-2026-27171 (zlib CPU Consumption) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27171)
- CVE-2026-31802 (node-tar Symlink Path Traversal) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31802)
- CVE-2026-3381 (Perl Compress::Raw::Zlib) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3381)
- CVE-2026-0385 (Microsoft Edge for Android Spoofing) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385)
- Multiple Chromium Vulnerabilities (Microsoft Edge) (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3942)
CVEs Referenced: CVE-2025-59718, CVE-2025-59719, CVE-2026-0385, CVE-2026-21262, CVE-2026-24858, CVE-2026-26127, CVE-2026-26144, CVE-2026-27171, CVE-2026-31802, CVE-2026-3381, CVE-2026-3909, CVE-2026-3910, CVE-2026-3926, CVE-2026-3929, CVE-2026-3930, CVE-2026-3931, CVE-2026-3939, CVE-2026-3941, CVE-2026-3942
Indicators of Compromise:
Domains: 170[.]255, 170[.]155, 170[.]155.
Full brief: https://carolinacleartech.com/brief/2026-03-14/