Cybersecurity News and Magazine

The Cyber Express Weekly Roundup: Supply Chain Breaches, AI Content Enforcement, And Event Disruption Attacks

Ashish Khaitan — Fri, 22 May 2026 11:44:22 +0000

The global cybersecurity landscape continues to evolve rapidly as attackers expand their focus on developer ecosystems, public-facing institutions, and anonymization infrastructure. At the same time, regulators and law enforcement agencies are stepping up enforcement efforts around AI misuse and cybercrime-enabling services. This week’s weekly roundup developments highlight how cyber threats are becoming increasingly distributed across platforms and industries, with supply chain compromises, operational disruptions, and policy enforcement actions shaping the broader risk environment.

The Cyber Express Weekly Roundup

Austria Blocks Hundreds of Cyberattacks During Eurovision Week in Vienna

Austria successfully prevented nearly 500 cyberattack attempts targeting systems connected to Eurovision operations during the contest week in Vienna. Officials stated that the attacks were intended to disrupt event infrastructure and associated services, but no major operational failures were recorded. Read more...

Massive npm Supply Chain Attack Hits AntV Ecosystem

A large-scale software supply chain compromise has impacted more than 300 npm packages within the AntV ecosystem following the hijacking of a trusted maintainer account. The compromised packages were reportedly modified as part of the “Mini Shai-Hulud” malware campaign, which targeted developer environments and widely used JavaScript libraries. Read more...

Chanhassen Dinner Theatres Cyberattack Disrupts Operations and Ticketing Systems

A cyberattack targeting Chanhassen Dinner Theatres disrupted key operational systems, including ticketing, payment processing, and customer communications, forcing additional cancellations of scheduled performances of “Guys and Dolls.” The disruption comes amid concurrent operational challenges, including an illness outbreak affecting performers and attendees, further complicating recovery efforts. Read more...

FTC Targets AI “Nudify” Platforms Over TAKE IT DOWN Act Violations

The U.S. Federal Trade Commission has issued formal warnings to multiple AI-powered “nudify” platforms over alleged violations of the TAKE IT DOWN Act, which requires rapid removal of nonconsensual intimate content upon valid request. According to regulators, several platforms failed to implement compliant removal workflows, including the mandated 48-hour takedown requirement. Read more...

GitHub Confirms Internal Repository Breach via Malicious VS Code Extension

GitHub has confirmed a security incident in which attackers accessed thousands of internal repositories after compromising an employee's device through a malicious Visual Studio Code extension. The company stated that there is no evidence of customer repository compromise or enterprise data exposure, and that the incident was contained following detection. Read more...

European Authorities Shut Down VPN Service Used in Ransomware Operations

European law enforcement agencies have seized the infrastructure of a VPN service known as First VPN during “Operation Saffron,” targeting its alleged use in supporting ransomware and cybercriminal operations. Authorities dismantled 33 servers and detained the suspected administrator in Ukraine. Read more...

Weekly Cybersecurity Takeaway

This week’s weekly roundup reflects a cybersecurity landscape defined by ecosystem-level compromise rather than isolated incidents. Supply chain attacks continue to target developer tooling and open-source ecosystems, while AI-related enforcement actions signal growing regulatory pressure around synthetic content abuse. At the same time, law enforcement actions against anonymization infrastructure demonstrate a stronger focus on disrupting the operational backbone of cybercriminal networks. Taken together, these events highlight a shifting threat environment where compromise of platforms, dependencies, and infrastructure can cascade across multiple industries simultaneously.

AI-Powered Marketing Service “Active Listening” Deceived Customers: FTC

Mihir Bagwe — Fri, 22 May 2026 11:27:11 +0000

The pitch for "Active Listening," an AI-powered advertising service that listened to consumers' real-world conversations through their smartphones and smart speakers and delivered targeted ads to those people within precise geographic areas, with consumers consent, was extremely compelling, but until it wasn't really what it claimed.

The Federal Trade Commission will require Cox Media Group and two smaller marketing firms to pay a total of $930,000 to settle allegations they deceived customers by falsely claiming to offer an AI-powered service that could target localized ads based on conversations captured from consumers' smart devices and that consumers had opted into such targeting.

"Not only did the product these companies marketed not do what they claimed it did, but they also misled potential customers by claiming consumers had opted into this service when it's clear they did not," said Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection.

Every material element of that pitch was false.

Also read: FTC Probes AI Chatbots Designed as “Companions” for Children’s Safety

Was 'Active Listening' Actually Being Sold

The case centers on a marketing product introduced in 2023 that CMG sold to local businesses. Through presentations, website materials and sales pitches, the company promoted "Active Listening" as a way for advertisers to identify potential customers at the precise moment they were discussing products or services around smart devices.

According to the complaints, this service did not, in fact, listen in on consumers' conversations or use voice data at all and neither did the service accurately place ads in customers' desired locations. Instead, the service the companies provided consisted of reselling — at a significant markup — email lists obtained from other data brokers.

FTC investigators say the service was pitched as a breakthrough tool powered by "voice data" and AI. According to the government, CMG told clients its technology partner could aggregate and analyze voice data from smartphones, tablets and other devices to determine when consumers were in the market for particular products. When prospective clients pressed sales representatives on how exactly the technology worked, FTC filings say sales presentations became increasingly specific when potential customers questioned how the technology worked.

The Consent Fabrication

The fraudulent capability claim was compounded by a fraudulent consent claim. The companies told prospective clients that consumers had "opted in" to the Active Listening service. In fact, no consent was ever sought or obtained. The companies characterized routine click-through acceptance of app terms of service as affirmative opt-in consent to the collection of voice data — a characterization the FTC flatly rejected.

This consent fabrication mattered legally in both directions. It deceived the businesses buying the service into believing they were running a legally compliant targeted advertising campaign. And it obscured from consumers that their conversations were purportedly being harvested and monetized — which those consumers had never agreed to.

Also read: FTC Sues Adobe for ‘Trapping’ Users in Deceptive Subscription Practices

The FTC's Bluntest Finding

The most pointed element of the FTC's action is not the settlement amount. It is the Commission's explicit statement that the illegality ran deeper than the fraud itself.

The Commission noted that, had the service actually functioned as advertised, collecting voice data from consumers' homes without genuine consent would itself have violated Section 5 of the FTC Act. In other words, CMG and its partners were not just selling a fake product. They were selling a fake version of something that would have been illegal to sell as real.

Who Pays and Who Supplied the Deception

Under the proposed consent orders, CMG must pay $880,000, while MindSift and 1010 Digital Works will each pay $25,000. The funds will be used to provide redress to CMG customers harmed by the practices. MindSift and 1010 Digital Works also face a second count for providing CMG with the "means and instrumentalities" to deceive customers through misleading marketing materials and sales presentations.

The Active Listening enforcement action arrives at a moment when AI capability claims are proliferating faster than any regulator can evaluate them. Aattaching the phrase "AI-powered" to a product does not immunize that product from consumer protection law, and fabricating both technical capability and consumer consent simultaneously creates compounding liability — not just for the company selling the product but for the partners who built the sales materials that made the deception work.

Vulnerability Exploitation Overtakes Stolen Credentials in AI-Driven Cyberattacks

Samiksha Jain — Fri, 22 May 2026 10:54:21 +0000

Vulnerability exploitation has officially become the leading cause of cybersecurity breaches for the first time in nearly two decades, according to the latest Data Breach Investigations Report (DBIR) released by Verizon. The findings highlight how artificial intelligence is rapidly reshaping the threat landscape, enabling attackers to weaponize software flaws faster than security teams can respond. The 19th edition of the DBIR revealed that 31% of all recorded breaches now begin with vulnerability exploitation, surpassing stolen credentials as the most common attack entry point. Researchers warned that AI-driven automation is dramatically reducing the time between vulnerability disclosure and active exploitation, shrinking defensive response windows from months to just hours. The report paints a broader picture of an evolving cybersecurity environment where AI-powered attacks, mobile-focused social engineering, shadow AI usage, and supply chain compromises are all expanding organizational risk.

Vulnerability Exploitation Surpasses Stolen Credentials

For years, stolen usernames and passwords remained the primary method used by cybercriminals to breach corporate systems. However, the latest DBIR findings show a major shift in attacker behavior. Researchers found that threat actors are increasingly prioritizing vulnerability exploitation because AI tools can quickly identify weak systems, automate reconnaissance, and accelerate exploit development. According to the report, attackers are now moving much faster after vulnerabilities become public. Organizations that previously had weeks or months to deploy security patches are now facing exploitation attempts within hours of disclosure. Security experts said this trend is creating significant pressure on security operations teams already struggling to manage patching priorities across complex environments. Daniel Lawson, Senior Vice President of Global Solutions at Verizon Business, said the growing speed of cyberattacks reinforces the importance of strong cybersecurity fundamentals. “While the velocity of cyber threats driven by AI and faster vulnerability exploitation is increasing, the foundational principles of security and strong risk management remain the most effective defense,” Lawson said.

AI Reshaping the Cyber Threat Landscape

The report repeatedly emphasized the growing influence of artificial intelligence on cybercrime operations. Researchers noted that AI is not only helping defenders identify vulnerabilities more efficiently, but also allowing attackers to automate exploitation at unprecedented scale and speed. The DBIR warned that AI-assisted attack workflows are creating what researchers described as a “capacity crisis” for many security teams. Organizations are being forced to process increasing numbers of vulnerabilities while facing shorter remediation timelines. The report recommended that enterprises:

Strengthen patch management programs
Reduce overall attack surface exposure
Integrate AI into secure-by-design frameworks
Expand defense-in-depth strategies
Improve visibility into internet-facing assets

Researchers also highlighted rapid growth in AI bot activity across the internet. According to the report, AI bot crawler traffic is increasing by 21% month over month, while human-driven traffic growth remains almost flat at just 0.3%.

Mobile Social Engineering Attacks Rising

Beyond vulnerability exploitation, the DBIR identified major changes in social engineering tactics. As users become more cautious about traditional phishing emails, attackers are increasingly shifting toward mobile-based scams involving text messages and voice calls. The report found that conversational and interactive mobile attacks now achieve success rates roughly 40% higher than traditional email phishing campaigns. Researchers said attackers are leveraging:

Fake SMS messages
Voice phishing calls
Messaging app impersonation
Mobile account verification scams

Cybersecurity analysts warned that mobile devices continue to represent a major blind spot for many organizations because security monitoring on smartphones often remains less mature than on corporate desktops and servers.

Shadow AI Creates New Data Leakage Risks

Another major concern highlighted in the DBIR involves the rapid rise of “shadow AI” usage inside organizations. The term refers to employees using unapproved artificial intelligence tools without formal oversight from security or compliance teams. According to Verizon’s findings, frequent use of AI platforms by employees surged from 15% to 45% within a single year. Researchers said shadow AI has now become the third most common cause of non-malicious data leakage incidents. Security experts warned that employees may unknowingly expose:

Confidential corporate data
Customer information
Source code
Internal business documents
Sensitive communications

The report stressed that organizations need clearer governance policies around AI usage as adoption continues accelerating across workplaces.

Supply Chain Breaches Continue to Grow

The DBIR also documented a significant rise in third-party and supply chain compromises. Researchers found that breaches involving external vendors increased by 60% compared to previous reporting periods. Third-party involvement now accounts for 48% of all recorded breaches. As organizations rely more heavily on cloud providers, software vendors, and outsourced services, attackers are increasingly targeting weaker links within interconnected supply chains. The report concluded that the cybersecurity industry is entering a period where resilience, rapid response capabilities, and basic security hygiene remain critical despite rapid advances in AI-powered attack techniques. While artificial intelligence is changing the speed and scale of cyber threats, researchers stressed that organizations must continue focusing on foundational cybersecurity practices to defend against the growing wave of vulnerability exploitation and AI-driven attacks.

Microsoft Patches Actively Exploited Defender Vulnerabilities Affecting Enterprise Systems

Ashish Khaitan — Fri, 22 May 2026 09:01:46 +0000

Microsoft has confirmed active exploitation of two security vulnerabilities in its security ecosystem, identified as CVE-2026-41091 and CVE-2026-45498, both evaluated under the CVSS scoring system. The issues affect Microsoft Defender and have raised concerns due to confirmed in-the-wild exploitation and potential impact on enterprise systems. The first issue, CVE-2026-41091 (CVSS 7.8), is a privilege escalation vulnerability affecting Microsoft Defender. If successfully exploited, it could allow a local attacker to obtain SYSTEM-level privileges. The flaw is rooted in improper link resolution before file access, commonly described as a “link following” issue. Microsoft stated in its advisory: "Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally," The second vulnerability, CVE-2026-45498 (CVSS 4.0), is a denial-of-service flaw impacting Microsoft Defender. While rated lower in severity under the CVSS framework, it has still been confirmed as actively exploited in real-world environments alongside CVE-2026-41091. Both vulnerabilities have been addressed in updated releases of the Microsoft Defender Antimalware Platform, specifically versions 1.1.26040.8 and 4.18.26040.7, respectively.

CVE-2026-41091, CVE-2026-45498, and CVSS Context

Although Microsoft has not explicitly confirmed the link, the behavior associated with CVE-2026-41091 and CVE-2026-45498 overlaps with earlier publicly discussed issues named RedSun and UnDefend, which were disclosed by the threat research group Chaotic Eclipse (also known as Nightmare-Eclipse). Security researchers from Huntress have reported active exploitation of both CVE-2026-41091 and CVE-2026-45498 in the wild. These observations also include exploitation activity related to BlueHammer (CVE-2026-33825), suggesting a broader campaign targeting Microsoft Defender components and adjacent security mechanisms.

Additional Security Findings

Alongside the two actively exploited vulnerabilities CVE-2026-41091 and CVE-2026-45498, Microsoft also patched another flaw in the same Defender update cycle: CVE-2026-45584 (CVSS 8.1). This vulnerability is a heap-based buffer overflow that could allow remote code execution if exploited. Unlike CVE-2026-41091 and CVE-2026-45498, there is currently no evidence that CVE-2026-45584 has been used in active attacks. Microsoft Defender systems that have been disabled are not affected by these vulnerabilities, according to the company. Microsoft also noted that no manual intervention is required for most users, as updates are delivered automatically through malware definition updates and the Microsoft Malware Protection Engine.

CVSS Updates and Security Guidance

To verify protection status against CVE-2026-41091 and CVE-2026-45498, Microsoft recommends users check their Microsoft Defender configuration using the Windows Security interface (Microsoft Windows Security). The recommended steps include navigating to Virus & threat protection, checking protection updates, and verifying the Antimalware Client Version. Microsoft credited five researchers for identifying CVE-2026-41091, including Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanov, and an anonymous contributor.

CISA KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) (Cybersecurity and Infrastructure Security Agency) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply mitigations by June 3, 2026, reflecting the urgency of addressing CVSS-rated threats that are already being exploited. With this addition, three Microsoft vulnerabilities have been flagged as actively exploited within a single week, highlighting a concentrated wave of CVE-based attacks targeting Microsoft products.

Legacy Vulnerabilities

CISA’s KEV catalog update also included several older but still relevant vulnerabilities:

CVE-2010-0806: Internet Explorer use-after-free flaw enabling remote code execution
CVE-2010-0249: Another Internet Explorer use-after-free vulnerability allowing arbitrary code execution
CVE-2009-1537: DirectX issue in QuickTime Movie Parser Filter via crafted media files
CVE-2008-4250: Windows Server Service buffer overflow via crafted RPC request
CVE-2009-3459: Adobe Acrobat and Reader heap-based buffer overflow via malicious PDF files

These legacy issues demonstrate that exploitation of older software remains relevant in modern threat landscapes, especially when combined with newer vulnerabilities like CVE-2026-41091 and CVE-2026-45498, both evaluated using CVSS metrics.

European Agencies Shutter VPN Service Used for Ransomware Attacks

Mihir Bagwe — Fri, 22 May 2026 08:17:08 +0000

The French and Dutch law enforcement seized a large-scale virtual private network (VPN) service catering to cybercriminals, offering services to mask their illicit activities of scanning, botnets, denial of service attacks, scams, hacking and ransomware attacks. Under the banner name "Operation Saffron," the authorities shuttered 33 critical servers of the First VPN service provider during the seizure and detained the alleged administrator of the service in Ukraine, in a coordinated operation. First VPN advertised itself as a provider of anonymity, assuring its users non-cooperation with any law enforcement authorities, zero data storage, and no jurisdiction issues. The VPN Service was almost exclusively promoted in known Russian-language dark web forums such as Exploit[.]in and XSS[.]is, which provide marketplaces for cybercriminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband. The U.S. Federal Bureau of Investigation in its Flash Alert confirmed the service to be active since at least 2014 and provided exit node servers in 27 countries. It also concurred that an upwards of 25 ransomware groups, including Avaddon Ransomware, used First VPN Service infrastructure to perform network reconnaissance and intrusions.

Also read: Ransomware Attacks Have Soared 30% in Recent Months

Criminals used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offences," Europol said. "For years, cybercriminals saw this VPN service as a gateway to anonymity," added Edvardas Šileris, Head of Europol’s European Cybercrime Centre. "They believed it would keep them beyond the reach of law enforcement." However, the First VPN service came up in almost every major cybercrime that the law enforcement authorities investigated in recent years, eventually leading to its take down. The domain names seized during Operation Saffron includes:

1vpns[.]com
1vpns[.]net
1vpns[.]org
and associated onion domains

The users coming to these domains are now greeted with a seizure banner that displays the names of all the agencies across Europe who worked actively in this operation. [caption id="attachment_112259" align="aligncenter" width="500"] Seizure banner on First VPN domains (Source: Eurojust)[/caption] Europol said, that before it turned off the lights on First VPN, investigators gained access to the service and that led them to the user database, which also helped identify VPN connections used by several other cybercriminals.

Also read: Stolen VPN Credentials Most Common Ransomware Attack Vector

"The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide," Europol said. The agency shared 83 intelligence packages since it initially began the operation, which also included information on 506 international users. Investigators in multiple jurisdictions are now using this intelligence to support further investigations, the Agency confirmed.

Cisco Secure Workload Flaw CVE-2026-20223 Gets Maximum CVSS 10 Rating

Ashish Khaitan — Fri, 22 May 2026 07:36:24 +0000

Cisco has released security updates to fix a critical vulnerability, tracked as CVE-2026-20223, affecting its Cisco Secure Workload platform. The flaw, which received the maximum CVSS score of 10.0, could allow an unauthenticated remote attacker to access sensitive information and make unauthorized configuration changes through vulnerable REST API endpoints. The company said the issue originates from insufficient validation and authentication checks in internal REST API functions used by Secure Workload. The vulnerability has also been classified under CWE-306, a category associated with missing authentication protections for critical operations. According to Cisco, “an attacker could exploit this vulnerability if they can send a crafted API request to an affected endpoint.” The company added that a successful exploitation of CVE-2026-20223 could allow attackers to “read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”

CVE-2026-20223 Impacts Internal Secure Workload REST API Functions

Cisco stated in its advisory that the vulnerability affects internal REST API endpoints within Cisco Secure Workload Cluster Software. The issue impacts both SaaS and on-premises deployments regardless of device configuration. However, the company clarified that the flaw does not affect the web-based management interface. Instead, the exposure is limited to internal API functions associated with Secure Workload infrastructure. The advisory, identified as “cisco-sa-csw-pnbsa-g8WEnuy,” was first published on May 20, 2026, at 16:00 GMT. Cisco assigned the flaw a base CVSS score of 10.0 due to the severity of the potential impact and the lack of authentication requirements needed for exploitation. The issue is internally tracked under Cisco Bug ID CSCwt99942. Cisco explained that the root cause behind CVE-2026-20223 is “insufficient validation and authentication when accessing REST API endpoints.” Because of these missing protections, attackers may be able to bypass authorization boundaries and gain access to site resources with Site Admin-level privileges.

Cisco Warns of Cross-Tenant Data Exposure Risks

The company warned that exploitation of CVE-2026-20223 could allow unauthorized access to sensitive information across tenant environments. Attackers could also modify configurations across tenant boundaries while operating with elevated Site Admin permissions. The nature of the vulnerability makes it particularly severe in multi-tenant Secure Workload environments where administrative controls and segmentation are critical for protecting customer data. Cisco also confirmed that there are currently no workarounds available to mitigate the REST API vulnerability. As a result, organizations using affected Secure Workload releases are being advised to install fixed software versions as quickly as possible. The company stated that temporary mitigations are not enough to fully remediate the issue and strongly recommended upgrading to patched releases to avoid future exposure related to CVE-2026-20223.

Fixed Secure Workload Versions for CVE-2026-20223

Cisco released patches for affected Secure Workload versions and outlined the following fixed releases:

Cisco Secure Workload Release 3.10 — fixed in version 3.10.8.3
Cisco Secure Workload Release 4.0 — fixed in version 4.0.3.17
Cisco Secure Workload Release 3.9 and earlier — customers are advised to migrate to a fixed release

The company also noted that the cloud-based Cisco Secure Workload SaaS deployment has already been secured against CVE-2026-20223. Cisco said no user action is required for SaaS customers because the fixes have already been applied to the hosted environment. Customers requiring additional support were advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers for guidance regarding patch deployment and remediation.

Cisco Says No Active Exploitation Has Been Detected

Despite the maximum severity rating assigned to CVE-2026-20223, Cisco stated that its Product Security Incident Response Team (PSIRT) is “not aware of any public announcements or malicious use of the vulnerability” at the time of disclosure. The company added that the vulnerability was identified during internal security testing rather than through reports of active attacks in the wild. The disclosure highlights the increasing risks associated with insecure REST API implementations in enterprise infrastructure products. Vulnerabilities tied to CWE-306 can become especially dangerous when authentication checks are absent from critical administrative functions. As more organizations rely on APIs to manage workloads, automate infrastructure, and support cloud-native environments, flaws like CVE-2026-20223 demonstrate how authentication weaknesses in Secure Workload platforms can expose sensitive systems and tenant data to unauthorized access. Cisco published version 1.0 of the advisory as a final release on May 20, 2026, and has not indicated whether additional revisions related to the Secure Workload REST API vulnerability are expected.

EMEA Emerges as Global Hotspot for Financial Services DDoS Attacks

Samiksha Jain — Fri, 22 May 2026 07:28:46 +0000

The global financial sector is facing a sharp rise in Financial Services DDoS Attacks, with cybercriminals increasingly targeting banks, payment systems, and online financial platforms through larger, longer, and more attacks, according to new research from Akamai. In its latest State of the Internet (SOTI) Security report titled AI-Empowered Botnets and API Visibility Gaps: Attack Trends in Financial Services, research warned that AI-powered botnets and politically motivated hacktivist groups are intensifying the cyber threat landscape for the banking and financial services industry. Researchers found that Financial Services DDoS Attacks have become more persistent and operationally disruptive, particularly across Layers 3 and 4 web and API infrastructure.

Financial Services DDoS Attacks Top the Chart

According to the report, financial services organizations are now the most targeted industry for web and API distributed denial-of-service attacks. Akamai revealed that the median duration of global Layers 3 and 4 Financial Services DDoS Attacks has increased by 738% since 2024. The company attributed the surge to AI-powered attack infrastructure and growing hacktivist activity, including campaigns linked to pro-Iran cyber groups. Security researchers said attackers are increasingly focusing on:

Online banking systems
Real-time payment platforms
API infrastructure
Customer-facing financial applications

The report noted that while financial institutions continue expanding digital banking and payment services, the growing reliance on APIs and cloud-connected infrastructure has also expanded the attack surface available to threat actors.

API-Related Cyber Risks Emerging as Major Security Weakness

One of the strongest findings in the report involved API-related cyber risks. According to reserach’s 2026 API Security Impact Study, 96% of financial service leaders surveyed reported at least one API security incident within the past year. That figure was the highest recorded among all industries included in the research. The report also found that:

60% of all web attacks in 2025 targeted banking institutions
83% of attacks against API endpoints focused on financial organizations

Researchers warned that APIs are increasingly becoming high-value targets because they support critical services such as digital payments, account management, authentication systems, and mobile banking applications. Steve Winterfeld, Advisory Chief Information Security Officer at Akamai, said APIs are now central to modern cyberattacks against financial institutions. “Cybercriminals and hacktivists continue to escalate DDoS from nuisance attacks to a sustained siege encompassing both hacktivism and cybercrime, and financial services are in the crosshairs,” Winterfeld said. He added that artificial intelligence is accelerating existing cybersecurity threats rather than replacing them.

AI Botnets Driving DDoS Campaigns

The report highlighted how AI-driven infrastructure is helping attackers automate and scale malicious operations more effectively. Researchers observed a 147% surge in advanced bot activity during late 2025. In one case study referenced by Akamai, nearly 96% of all traffic reaching a targeted website was identified as malicious scraping bot activity. The company warned that AI-powered botnets are making Financial Services DDoS Attacks more difficult to detect and mitigate because attackers can dynamically adapt attack patterns and traffic behavior. These botnets are also being used to:

Overwhelm infrastructure
Disrupt payment systems
Target APIs
Scrape sensitive data
Launch credential abuse campaigns

Cybersecurity experts have increasingly warned that AI-enabled automation allows threat actors to launch large-scale attacks with fewer technical resources.

Attack Patterns Differ Across Global Regions

Research also identified major regional differences in cyberattack patterns targeting financial institutions. The report found:

Europe, the Middle East, and Africa accounted for 62% of Layers 3 and 4 DDoS attacks
Asia-Pacific experienced 52% of Layer 7 DDoS attacks
North America recorded the highest volume of web attacks at 44%

Researchers said these differences reflect varying attacker strategies, infrastructure deployment patterns, and regional cybersecurity maturity levels. The report also revealed that nearly 80% of financial institutions experienced ransomware attacks during the past two years. However, fewer than half of surveyed organizations reported adopting advanced cybersecurity technologies capable of handling modern attack methods.

Growing Pressure on Financial Sector Cybersecurity

The latest findings add to growing concerns around operational resilience within the global financial industry. As banks and financial institutions continue accelerating digital transformation initiatives, cybersecurity teams are being forced to defend increasingly complex environments that rely heavily on APIs, cloud platforms, automated infrastructure, and third-party integrations. Research said organizations must improve visibility into APIs, strengthen DDoS mitigation strategies, and modernize threat detection capabilities to address the evolving threat landscape. The SOTI report also includes guidance on DNS security, DDoS mitigation practices, AI architecture security considerations, and insights from financial sector cybersecurity experts, including contributions from the FS-ISAC.

INJ3CTOR3 Deploys JOMANGY Webshell in Advanced FreePBX Attacks

Ashish Khaitan — Fri, 22 May 2026 07:20:35 +0000

Researchers at Cyble Research & Intelligence Labs (CRIL) have uncovered an advanced cyber campaign targeting FreePBX systems and, with high confidence, linked the activity to the threat actor INJ3CTOR3. The operation introduces a previously undocumented PHP webshell family named JOMANGY and deploys the ZenharR malware toolkit, which has previously been associated with the same actor. Unlike conventional malware campaigns centered on ransomware or data theft, this operation is designed to hijack telephony infrastructure and abuse victims’ SIP trunks to generate fraudulent outbound calls billed directly to affected organizations. Researchers said the campaign demonstrates an unusually persistent architecture capable of surviving cleanup attempts and restoring infections within minutes.

INJ3CTOR3 Builds a Self-Healing Persistence Framework

At the center of the operation is a multi-stage Bash-based infection chain that installs six separate persistence mechanisms across compromised FreePBX systems. These mechanisms continuously reinforce one another, creating what researchers described as a “self-healing” malware ecosystem. The persistence channels include cron-based command-and-control polling every one to three minutes, shell profile injections triggered during reboots and root logins, immutable crontab backups protected with chattr +i, watchdog processes that automatically relaunch malware components, multiple immutable copies of JOMANGY webshells scattered across the server, and a self-reinstalling PHP executor embedded into the environment. [caption id="" align="alignnone" width="1024"] Image source: Cyble[/caption] Researchers noted that partial remediation efforts are ineffective because any surviving component can rapidly rebuild the full compromise. Even if administrators remove several malicious files or cron jobs, remaining persistence layers can silently restore the infection.

Attackers Create 18 Backdoor Accounts Across FreePBX Systems

The campaign also establishes extensive unauthorized access using 18 separate backdoor accounts spread across multiple privilege levels. Nine of these accounts possess UID-0 privileges, effectively granting root-level access to the attackers. Another eight accounts imitate legitimate service accounts commonly found in FreePBX systems, while one additional account is inserted directly into the FreePBX MySQL database to provide administrative web-panel access. To avoid suspicion, the attackers used names such as “asterisk,” “freepbxuser,” “spamfilter,” and “sangoma,” allowing the malicious accounts to blend into ordinary PBX administrative environments. Researchers believe this approach significantly reduces the chances of casual detection during routine inspections.

JOMANGY Introduces a New PHP Webshell Family

CRIL researchers identified JOMANGY as a previously undocumented malware family, making this investigation the first publicly known analysis of the toolset. Every recovered sample used a double-obfuscation technique involving Base64 encoding layered over ROT13 transformations. All identified payloads also contained the watermark string trace_e1ebf9066a951be519a24140711839ea, linking the malware samples to a common development source. Beyond persistence and remote command execution, JOMANGY contains active toll fraud functionality capable of initiating outbound calls through compromised PBX infrastructure. Researchers observed commands such as: asterisk -rx "channel originate Local/@" This capability allows attackers to abuse victims’ telephony infrastructure directly for financial gain.

Large-Scale Reconnaissance Suggests Mass Exploitation

Researchers also discovered a command-and-control-hosted inventory file named people2.txt containing 3,080 IP addresses believed to represent automated reconnaissance results. Approximately 39 percent of the listed systems were hosted on Alibaba Cloud infrastructure located in China, Hong Kong, and Singapore, suggesting a geographically broad scanning operation. The findings indicate that INJ3CTOR3 is pursuing mass exploitation rather than highly selective targeting. Additional evidence recovered from stolen Elastix databases and references to Issabel and Sangoma environments suggests the campaign targets a wide range of PBX deployments across Latin America, Southeast Asia, and the Middle East.

Infrastructure Overlaps Tie the Campaign to INJ3CTOR3

The malware infrastructure demonstrated strong operational continuity with earlier INJ3CTOR3 campaigns. The Stage 1 dropper aggressively removed competing malware families and defensive tooling before deploying its own payloads. Researchers found that more than 50 webshell signatures were deleted from infected systems, while firewall rules blocked 11 rival command-and-control IP addresses. Interestingly, the malware also removed artifacts associated with the actor’s own January 2026 campaign. Researchers believe this indicates that the operators migrated infrastructure from Brazilian-hosted systems to Dutch-hosted servers while attempting to erase remnants of older compromises. Attribution to INJ3CTOR3 is supported by several overlapping indicators. Researchers identified the marker string bm2cjjnRXac1WW3KT7k6MKTR, previously documented by Fortinet during analysis of the encystPHP campaign in January 2026. [caption id="" align="alignnone" width="1024"] Source: Cyble[/caption] Additional overlaps involving command-and-control infrastructure, file paths, credential implantation patterns, and binary names matched prior reporting from Palo Alto Networks Unit 42, Check Point Research, and SANS Internet Storm Center.

Stage 1 Establishes Initial Control and Persistence

The infection chain unfolds in multiple stages. Stage 1 begins with a large Bash dropper that removes competing implants, creates unauthorized accounts, deploys persistence mechanisms, and wipes evidence from system logs. The malware modifies .bash_profile, .bashrc, and /etc/rc.local to ensure execution during reboots and root logins. It also installs recurring cron jobs that continuously retrieve additional payloads from the command-and-control infrastructure. Researchers said the malware additionally creates immutable crontab backups and deploys watchdog processes capable of restoring deleted components automatically.

Stage 2 Deploys JOMANGY Across Legitimate FreePBX Directories

Stage 2 is delivered through k.php, which introduces the JOMANGY webshell family into compromised FreePBX systems. The payload first re-executes portions of Stage 1 to reinforce persistence before writing obfuscated PHP backdoors into legitimate FreePBX web directories. One major target is /var/www/html/admin/views/ajax.php, a legitimate administrative file frequently accessed in FreePBX environments. Additional JOMANGY copies are deployed into locations such as rest_phones/ajax.php, admin/modules/h/, and several PBX management directories. The attackers also implement .htaccess rewrite rules that redirect arbitrary requests toward hidden webshell copies, improving accessibility and survivability. Researchers observed that k.php actively reinstalls malicious MySQL backdoor accounts whenever the payload executes, ensuring administrative access is recreated even if defenders remove compromised accounts.

Possible Exploitation Paths Remain Under Investigation

Researchers could not conclusively identify the initial exploitation vector because relevant web logs and exploit payloads were unavailable during analysis. However, two vulnerabilities emerged as likely candidates. The first is CVE-2025-64328, a post-authentication command injection flaw affecting the FreePBX filestore module. The vulnerability had previously been exploited during earlier INJ3CTOR3 operations. The second is CVE-2025-57819, a pre-authentication SQL injection vulnerability in the FreePBX Endpoint module capable of inserting malicious cron jobs into the scheduler. CRIL researchers believe CVE-2025-57819 may be particularly relevant because the campaign’s persistence architecture closely mirrors the scheduling abuse associated with the flaw. Earlier malware variants reportedly disabled the Endpoint module after exploitation, while the latest campaign leaves it active.

ZenharR Malware Toolkit Expands the Infection

Stage 3 of the campaign is delivered through wr.php, a Bash-based dropper associated with the ZenharR malware toolkit. Like earlier stages, the payload reruns portions of the infection chain before deploying additional malware components. ZenharR webshells are written into key FreePBX directories, including /var/www/html/digium_phones/ajax.php and /var/www/html/admin/views/some.php. However, researchers noted that the propagation logic also replicated the already-installed JOMANGY webshell into 15 additional locations across the web root. As a result, both JOMANGY and the ZenharR malware toolkit operate side by side on infected systems. Another payload named wor.php was also discovered on the command-and-control server, although researchers could not identify an active trigger mechanism during analysis.

license.php Functions as a Privileged Persistence Mechanism

The license.php component acts as a highly privileged PHP command executor embedded within the FreePBX HA infrastructure. Unlike browser-accessible JOMANGY and ZenharR webshells, license.php contains no authentication controls and relies on remotely supplied format-string placeholders before activation. Once triggered, the component enables arbitrary command execution with elevated privileges. Researchers observed that it could delete competing accounts, reset passwords for service users and even the root account, promote accounts to UID-0 privileges, modify SSH settings to preserve root access, and install dual-track cron persistence for both k.php and wr.php. The malware also repeatedly scrubbed Apache logs and communicated with root.php on the command-and-control infrastructure.

Obfuscation and Evasion Techniques Reduce Detection Rates

The campaign’s evasion methods were carefully optimized rather than excessively complex. In Stage 1, Base64 encoding was selectively applied only to highly suspicious commands, including useradd instructions responsible for creating UID-0 accounts. [caption id="" align="alignnone" width="919"] Source: Cyble[/caption] Cron payloads were hidden inside encoded variables, causing malicious crontab entries to appear relatively benign during casual inspection. JOMANGY’s double-obfuscation design represents a notable evolution over earlier malware associated with INJ3CTOR3. Many automated analysis tools decode only the outer Base64 layer, leaving unreadable ROT13 output rather than functional PHP code. [caption id="" align="alignnone" width="1024"] Source: Cyble[/caption] Combined with dead-code anti-analysis logic, these techniques contributed to extremely low antivirus detection rates. Researchers reported that both k.php and wr.php showed zero detections on VirusTotal during analysis, while the Stage 1 dropper was detected by only four out of 76 antivirus engines.

VoIP Toll Fraud Continues to Grow Globally

The broader implications of the campaign are substantial. Industry estimates place global telecom fraud losses at more than $41 billion annually, with VoIP toll fraud representing a major segment of the underground economy. Unlike ransomware campaigns that generate immediate visibility, toll fraud operations provide cybercriminals with a quieter and more sustainable revenue stream by routing calls through premium-rate numbers or third-party fraud networks. FreePBX systems remain particularly attractive targets because many organizations expose management interfaces directly to the internet while running outdated or poorly secured deployments. According to data from the Shadowserver Foundation collected in early 2026, more than 900 FreePBX systems were actively compromised by related campaigns, while over 700 remained infected months after public disclosure and remediation guidance. Researchers concluded that INJ3CTOR3 continues to evolve its tooling, infrastructure, and persistence techniques. The introduction of JOMANGY alongside the ZenharR malware toolkit demonstrates a highly mature threat operation specifically engineered for resilience, monetization, and long-term control over vulnerable FreePBX systems.

UK Cybersecurity Innovation SilentGlass Goes Global After Licensing Deal

Samiksha Jain — Fri, 22 May 2026 06:21:07 +0000

The UK government has officially licensed SilentGlass, a government-developed cyber security device, for global commercial use, marking a major step in expanding public sector cybersecurity innovation into international markets. Developed by the National Cyber Security Centre, a part of Government Communications Headquarters, SilentGlass was originally designed to protect sensitive government systems from cyber threats linked to smart display connections. The technology is now being commercialized with support from the Government Office for Technology Transfer through a global intellectual property licensing agreement with a UK-based company. The launch highlights growing concerns around hardware-based cyber risks in modern workplaces, especially as organizations increasingly adopt hybrid work environments, shared office spaces, and connected devices.

SilentGlass Designed to Block Video Connection Cyber Threats

According to the NCSC, the cyber security device was created to address risks associated with modern smart monitors and digital video connections. Security experts have warned that video connections between laptops and monitors can potentially be exploited by attackers to compromise connected systems. The threat becomes more serious in environments where devices with different security levels are connected to shared displays. SilentGlass works as a small plug-and-play hardware device positioned between a laptop and monitor. Its primary role is to prevent the physical video connection from being used as a pathway for cyberattacks. By blocking that attack route, the cyber security device helps organizations reduce exposure to hardware-level threats while enabling safer flexible working arrangements, including hot desking and remote work setups. The NCSC stated that the technology was initially developed for internal government operations before demonstrating broader commercial potential across multiple sectors.

UK Government Expands Cyber Security Innovation to Global Market

Following a competitive commercial process, the UK government approved a global intellectual property licensing agreement for SilentGlass with a UK-based company. The agreement allows the cyber security device to be distributed internationally, expanding access to technology that was originally built for high-security government environments. Officials said the move reflects a wider effort to commercialize public sector innovation while ensuring strong governance and protection of government-developed intellectual property. The NCSC noted that SilentGlass could support:

Government departments
Public sector organizations
Critical national infrastructure operators
Businesses with advanced cybersecurity requirements
Employers supporting hybrid work environments

The technology is expected to benefit sectors where device trust, network security, and hardware protection are considered critical operational requirements.

GOTT Supported Commercialization of SilentGlass

The Government Office for Technology Transfer played a key role in helping the NCSC bring the cyber security device to market. According to officials, GOTT supported the project by advising on intellectual property licensing strategies, funding commercialization initiatives, and connecting the NCSC with technology transfer and investment experts. The organization also provided mentoring support for knowledge asset management and helped guide the licensing process through market engagement and competitive partner selection. The UK government has increasingly focused on turning public sector-developed technologies into commercially viable products that can deliver broader economic and security benefits.

Growing Focus on Hardware-Level Cybersecurity

The release of SilentGlass comes as cybersecurity experts continue raising concerns about hardware-level attack vectors that are often overlooked in traditional cybersecurity strategies. Modern monitors, docking stations, USB-connected devices, and display interfaces are increasingly viewed as potential entry points for attackers targeting enterprise and government systems. As hybrid work models expand globally, organizations are under pressure to secure not only software environments but also physical device connections used in day-to-day operations. The NCSC said SilentGlass was specifically designed to address these emerging risks without requiring complex deployment or major infrastructure changes.

NCSC Highlights Future Commercialization Plans

Ollie Whitehouse, Chief Technology Officer at the NCSC, described the commercialization of SilentGlass as an example of how government-developed innovation can support both national cybersecurity and economic growth. According to Whitehouse, the partnership demonstrates how UK government departments can derive greater value from intellectual property while making advanced security technologies more widely available. The NCSC also indicated that additional government-developed cybersecurity technologies could be commercialized in the future following the success of the SilentGlass initiative.

Hackers Exploit Butter Network Bridge to Mint Massive MAPO Supply

Ashish Khaitan — Thu, 21 May 2026 09:25:50 +0000

The cryptocurrency market witnessed another major security breach this week after the MAPO token collapsed by 96% following an exploit tied to the Butter Network cross-chain bridge. The incident resulted in the unauthorized minting of a quadrillion MAPO tokens, flooding the market with a supply vastly larger than the legitimate circulating amount and causing severe disruption across decentralized finance ecosystems connected to ETH and other blockchains. According to blockchain security researchers, the exploit enabled the attacker to generate tens of thousands of times more MAPO tokens than the official supply. As panic selling intensified, the price of the Map Protocol token dropped from nearly $0.003 to around $0.0001 within hours, based on market tracking data from CoinGecko.

Attacker Drains ETH From Liquidity Pools

The attack primarily targeted the Butter Network bridge infrastructure, a cross-chain protocol associated with Map Protocol. Security platform Blockaid reported that the exploiter used a newly created externally-owned account (EOA) to offload approximately one billion MAPO tokens into decentralized exchanges. During the process, the attacker reportedly drained nearly 52 ETH from Uniswap liquidity pools, an amount valued at roughly $180,000 at the time of the incident. Despite the liquidation of a portion of tokens, blockchain analysts noted that the attacker still retained close to a trillion MAPO tokens. Those remaining holdings continue to create risks for additional liquidity pools and potential exchange listings linked to the Map Protocol token ecosystem. The sudden flood of tokens severely impacted market confidence and highlighted ongoing vulnerabilities within cross-chain bridge infrastructure.

MAPO Exploit Adds to Growing List of DeFi Attacks

The exploit comes during an already damaging month for decentralized finance projects. Reports indicate that at least 18 DeFi and blockchain protocols have been compromised in recent weeks. Among the affected projects are THORChain, Verus Protocol, Transit Finance, TrustedVolumes, Ekubo, Echo Protocol, and RetoSwap. The repeated attacks have intensified concerns surrounding interoperability protocols, especially those handling assets across ETH, Bitcoin, and other blockchain ecosystems. Cross-chain bridges remain frequent targets because of the complexity involved in validating transactions between multiple networks.

Map Protocol Pauses Mainnet Operations

In response to the breach, Map Protocol confirmed that the vulnerability originated in the Solidity contract layer. The project announced that it had paused its mainnet and initiated a migration process while the investigation continues. Butter Network also suspended ButterSwap operations, although the team stated that user funds were not directly at risk. In its latest statement, the Map Protocol team said it would announce a new contract address and later conduct an asset snapshot. The project added that “any remaining tokens held by attacker-controlled addresses will be fully invalidated and will not be included in any future snapshot or conversion process.” Blockchain data further revealed that approximately one billion MAPO tokens were transferred to Uniswap shortly after the quadrillion-token mint occurred.

How the MAPO Mint Exploit Happened

Security researchers later outlined how the attack unfolded. According to Blockaid, the attacker initially submitted a legitimate oracle multisig-signed message before deploying a malicious smart contract at a carefully chosen address. The exploiter then resent a modified “retry” message that appeared identical in transaction hash but had actually been manipulated. Because the cross-chain bridge incorrectly verified the altered message as authentic, the system approved the minting of the massive MAPO supply. Researchers stressed that no private keys were stolen and no light clients were compromised during the attack. Instead, the incident was described as a “classic Solidity vulnerability involving multiple dynamic fields.” The exploit once again demonstrated how weaknesses in smart contract validation can place both MAPO and ETH liquidity ecosystems at risk.