Cybersecurity News and Magazine

Critical Flowise RCE Vulnerability Actively Exploited, Thousands of Systems at Risk

Ashish Khaitan — Wed, 08 Apr 2026 09:19:18 +0000

A critical Flowise RCE vulnerability is now being actively exploited. The flaw, tracked as CVE-2025-59528, carries a maximum severity rating and enables attackers to execute arbitrary code on affected systems, potentially leading to full system compromise. Security researchers have confirmed that threat actors are taking advantage of the Flowise RCE vulnerability to infiltrate vulnerable deployments. This issue, identified as CVE-2025-59528, allows malicious actors to inject and execute arbitrary code through unsafe handling of user input within the platform. The vulnerability was first publicly disclosed in September of last year, accompanied by warnings that successful exploitation could result in command execution and unauthorized access to the file system. Despite the availability of a patch, exploitation attempts have now been observed in real-world environments.

Unsafe JavaScript Execution

The issue arises in the Flowise CustomMCP node, a component designed to connect with external Model Context Protocol (MCP) servers. The vulnerability arises because the node unsafely evaluates user-supplied input in the mcpServerConfig setting. This design flaw allows attackers to inject malicious JavaScript code without undergoing proper validation or security checks. As a result, attackers can leverage the Flowise RCE vulnerability (CVE-2025-59528) to execute arbitrary code, potentially gaining control over the affected system. The developers addressed the vulnerability in Flowise version 3.0.6. The latest available version, 3.1.1, was released two weeks ago and includes the necessary fixes. Flowise itself is a low-code, open-source platform used to build AI agents and large language model (LLM) workflows. It features a drag-and-drop interface that enables users to design pipelines for chatbots, automation tools, and other AI-driven systems.

Evidence of Flowise RCE Vulnerability

According to Caitlin Condon, VP of Security Research at VulnCheck, exploitation activity has already begun. She stated: “New hashtag#KEV: Early this morning, VulnCheck's Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform. The vulnerability resides in the CustomMCP server logic in multiple versions of Flowise and allows for code execution.” She further noted: “Observed activity so far originates from a single Starlink IP. Our team's ASM queries show 12,000 - 15,000 instances of Flowise on the public internet as of today. CVE-2025-59528 is patched in version 3.0.6 of Flowise.” This suggests that while exploitation is currently limited, the attack surface remains significant due to the large number of exposed instances.

Additional Vulnerabilities Increase Risk

The Flowise RCE vulnerability (CVE-2025-59528) is not the only security concern affecting the platform. Researchers have also observed active exploitation of two other vulnerabilities: CVE-2025-8943 and CVE-2025-26319. Condon emphasized that both of these flaws are included in VulnCheck’s Known Exploited Vulnerabilities (KEV) catalog and have been detected through their monitoring systems. This indicates a broader pattern of attackers targeting Flowise deployments to execute arbitrary code and gain unauthorized access. Although estimates suggest that between 12,000 and 15,000 Flowise instances are accessible on the public internet, it remains unclear how many of these are vulnerable to CVE-2025-59528. Even so, the presence of such a large number of exposed systems increases the likelihood of further attacks, especially as exploit techniques become more widely available.

Recommendations for Users

Users of Flowise are strongly advised to take immediate action to mitigate the risks associated with CVE-2025-59528. Upgrading to version 3.1.1, or at a minimum version 3.0.6, is critical to patch the Flowise RCE vulnerability and prevent attackers from exploiting it to execute arbitrary code. Additionally, organizations should evaluate whether their Flowise instances need to be publicly accessible. If external access is not required, removing these systems from the public internet can significantly reduce exposure to attacks.

Gov. Tim Walz Deploys National Guard After Winona Cyberattack Disrupts Services

Samiksha Jain — Wed, 08 Apr 2026 07:37:30 +0000

A Winona County cyberattack has disrupted critical systems and forced Minnesota to step in with emergency support. The cyberattack on Winona County began on April 6 and continued overnight into April 7, affecting key digital infrastructure used to run emergency and municipal services. County officials said the disruption significantly impaired their ability to deliver essential services, including core administrative and public-facing operations. Governor Tim Walz signed an executive order authorizing the Minnesota National Guard to assist with the response. “Cyberattacks are an evolving threat that can strike anywhere, at any time,” said Governor Walz. “Swift coordination between state and local experts matters in these moments. That's why I am authorizing the National Guard to support Winona County as they work to protect critical systems and maintain essential services.”

Winona County Cyberattack Strains Local Response

The Winona County cyberattack quickly overwhelmed local response efforts. Officials said teams have been working around the clock since the incident was detected. The county is coordinating with Minnesota Information Technology Services, the Minnesota Bureau of Criminal Apprehension, the League of Minnesota Cities, the Federal Bureau of Investigation, and external cybersecurity specialists. Despite this multi-agency response, officials confirmed that the scale and complexity of the incident exceeded both internal and commercial response capabilities. This led to a formal request for cyber protection support from the Minnesota National Guard. The incident highlights how even smaller jurisdictions are now facing large-scale cyber disruptions that require state-level intervention.

National Guard Activated Under Emergency Order

Under the emergency order, the Adjutant General is authorized to deploy personnel, equipment, and other resources to support the response to the Winona County cyberattack. The order also allows the state to procure services needed to manage the incident and confirms that costs will be covered through the state’s general fund. It is already in effect and will remain active until the emergency conditions subside or the order is formally rescinded. Officials say the priority is to stabilize affected systems, prevent further damage, and restore full functionality as quickly as possible.

Essential Services Continue Amid Disruption

Even as systems remain impacted, officials stressed that emergency services are still operational. 911 services, fire response, and other emergency operations continue to function during the Winona County cyberattack, ensuring that urgent public safety needs are not affected. However, the disruption has slowed other county services, and officials have warned that some delays are expected as systems are brought back online. Residents have been asked for patience while recovery efforts continue.

Investigation Underway

Authorities have not disclosed the nature of the Winona County cyberattack or whether it involves ransomware or another type of cyber intrusion. The FBI is actively involved in the investigation, along with state agencies and external cybersecurity experts. Investigators are working to determine how the attack occurred, what systems were impacted, and whether any sensitive data was accessed. For now, the focus remains on containment, system recovery, and strengthening defenses to prevent further intrusion.

Earlier Ransomware Incident Raises Concerns

The latest Winona County cyberattack comes as an update to a ransomware incident the county first reported in January 2026. At the time, officials said, “We recently identified and responded to a ransomware incident affecting our computer network. Upon discovery, we immediately initiated an investigation to assess the scope and impact of the incident.” A local emergency was declared during that event by County Board Chair Commissioner Meyer, as officials worked to maintain continuity of services. Emergency operations, including 911 and fire response, remained active while systems were analyzed and restored. The recurrence of cyber incidents in such a short period has raised concerns about ongoing vulnerabilities and the growing threat landscape facing local governments.

Growing Cyber Pressure on Local Governments

The Winona County cyberattack highlight a broader trend, local governments are increasingly targeted but often lack the resources to respond to complex cyber incidents on their own. When systems go down, the impact is immediate. Public services are disrupted, and recovery can take time. State support is now helping Winona County stabilize operations. But the incident highlights a larger issue: cyberattacks are becoming more frequent, more disruptive, and harder for local agencies to handle without outside assistance.

FBI Takes Down APT28 Network Behind Global DNS Hijacking Attacks

Ashish Khaitan — Wed, 08 Apr 2026 07:00:10 +0000

The Russian-linked threat group APT28 has continued to leverage vulnerable network devices to carry out large-scale DNS hijacking campaigns, enabling adversary-in-the-middle attacks. Recent developments show that these operations have drawn direct intervention from U.S. authorities. The U.S. Department of Justice and the FBI announced a court-authorized operation to disrupt a network of compromised routers controlled by Russia’s military intelligence unit, widely known as APT28. According to findings aligned with prior reporting from the NCSC, the group has been exploiting routers to intercept communications, harvest credentials, and target individuals and organizations of intelligence interest.

DNS Hijacking and Adversary-in-the-Middle Tactics

APT28’s operations include DNS hijacking, a technique that manipulates how domain names are resolved into IP addresses. By altering DNS settings, often at the router level, attackers redirect legitimate traffic through malicious infrastructure. This enables adversary-in-the-middle (AitM) attacks, where victims unknowingly connect to spoofed services. These malicious endpoints are designed to imitate legitimate platforms, allowing attackers to intercept login sessions and extract sensitive data, including passwords, OAuth tokens, and emails. Both the FBI and the NCSC have noted that these attacks can impact browser sessions and desktop applications alike, increasing the scale and effectiveness of credential harvesting.

U.S. Operation Targets APT28 Infrastructure

The disruption effort, publicly disclosed by the Department of Justice, targeted a network of small office/home office (SOHO) routers compromised by APT28, also known as Fancy Bear, Sofacy, Sednit, STRONTIUM, Forest Blizzard, and Pawn Storm. The group is widely attributed to Russia’s GRU Unit 26165. Since at least 2024, APT28 actors have exploited known vulnerabilities to gain access to thousands of TP-Link routers globally. After stealing credentials, they modified router configurations to redirect DNS traffic to malicious servers under their control. These operations were initially indiscriminate. However, the attackers implemented automated filtering mechanisms to identify DNS queries of intelligence value. For selected targets, the malicious DNS resolvers returned fraudulent records for domains, particularly those mimicking Microsoft Outlook services, to facilitate adversary-in-the-middle attacks against encrypted traffic. Through this approach, APT28 was able to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to compromised routers.

Official Statements on the Threat

U.S. officials described the campaign as both persistent and dangerous. Assistant Attorney General John A. Eisenberg stated, “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.” U.S. Attorney David Metcalf added, “Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” emphasizing that the government would continue to respond aggressively to nation-state cyber threats. FBI officials also stressed the scale of the campaign. Assistant Director Brett Leatherman noted that compromised routers were used globally for espionage, while Special Agent Ted E. Docks highlighted that devices across more than 23 U.S. states had been weaponized.

How the FBI Disrupted the DNS Hijacking Network

As part of the court-authorized operation, referred to as Operation Masquerade, the FBI deployed technical measures to neutralize the U.S. portion of APT28’s infrastructure. According to court documents:

The FBI sent commands to compromised routers to collect evidence of APT28 activity.
Reset DNS settings, removing malicious resolvers and restoring legitimate ISP configurations.
Blocked the actors’ ability to regain unauthorized access.

The operation was carefully tested on affected TP-Link devices to ensure that it did not disrupt normal functionality or collect user content. Importantly, the remediation steps can be reversed by users through factory resets or manual configuration changes.

Continued Router Exploitation and Infrastructure Tactics

These developments align closely with earlier findings from the NCSC, which documented how APT28 used Virtual Private Servers (VPSs) as malicious DNS infrastructure. Two main clusters were identified:

Cluster One: Focused on modifying DHCP DNS settings in SOHO routers, enabling selective DNS hijacking and adversary-in-the-middle attacks.
Cluster Two: Involved forwarding DNS traffic through a layered infrastructure, with some operations targeting high-value devices, including those in Ukraine.

APT28’s activity has also included exploitation of vulnerabilities such as CVE-2023-50224 in TP-Link routers, allowing attackers to extract credentials and reconfigure DNS settings via crafted HTTP requests.

Targeted Services and Indicators

APT28’s DNS hijacking campaigns have frequently targeted Microsoft Outlook-related domains, including:

autodiscover-s.outlook[.]com
imap-mail.outlook[.]com
outlook.live[.]com
outlook.office[.]com
outlook.office365[.]com

These targets reflect a clear focus on email-based intelligence gathering. Supporting infrastructure includes numerous malicious IP ranges and identifiable server configurations, such as unusual SSH ports and “dnsmasq-2.85” DNS services.

Mitigation and Security Recommendations

Both the FBI and the NCSC recommend immediate steps to mitigate risks associated with DNS hijacking and adversary-in-the-middle attacks:

Replace end-of-life or unsupported routers
Update firmware to the latest available versions
Verify DNS settings to ensure they point to legitimate resolvers
Disable or secure remote management interfaces
Implement firewall rules to limit exposure
Enable multi-factor authentication (MFA) to reduce credential abuse
Users are also encouraged to monitor their networks and report suspected compromises to appropriate authorities.

Researchers Find a Zero-Day Attack Targeting Adobe Reader Users

Mihir Bagwe — Wed, 08 Apr 2026 05:47:47 +0000

A newly uncovered zero-day attack targeting Adobe Reader has raised alarms across enterprise security teams, as researchers identified an exploit chain that bypasses traditional detection controls and executes malicious code through seemingly benign PDF files.

Security analysts tracking the campaign report that the vulnerability enables attackers to trigger remote code execution, a method that allows hackers to run commands on a victim’s system without authorization. In this case, the exploit requires no user interaction beyond opening the file, which significantly increases its success rate in enterprise environments.

The attack surfaced through independent research published and has since circulated among threat intelligence communities monitoring advanced persistent threats.

Researchers noted that the exploit leverages a memory corruption flaw inside Adobe Reader. Memory corruption occurs when a program mishandles data in memory, allowing attackers to overwrite critical areas and execute arbitrary code. This class of vulnerability remains a preferred entry point for threat actors due to its reliability and stealth.

The exploit chain shows signs of deliberate engineering. Analysts observed multiple layers of obfuscation designed to evade both static and behavioral detection systems. Threat actors embedded the payload inside a crafted PDF structure that appears legitimate under standard inspection. Once opened, the file initiates a sequence that bypasses sandbox protections and proceeds to execute shellcode directly in memory.

The campaign reflects a broader shift toward file-based initial access vectors, especially in environments where email filtering and endpoint detection have matured. Attackers increasingly rely on trusted file formats such as PDFs to deliver payloads that blend into everyday business workflows.

Also read: Adobe Issues Urgent Patch for ‘SessionReaper’ Vulnerability in Commerce and Magento

Early indicators suggest that traditional antivirus engines fail to flag the malicious file, while endpoint detection and response systems show limited visibility into the exploit’s initial execution phase. This gap stems from the exploit’s use of in-memory execution. Unlike traditional malware that writes files to disk, in-memory attacks operate entirely within a system’s RAM, leaving fewer artifacts for security tools to detect.

Researchers also identified potential links to nation-state-level tradecraft. While attribution remains inconclusive, the sophistication of the exploit chain — combined with its targeted delivery method — suggests involvement from a well-resourced threat actor. The use of zero-day vulnerabilities further supports this assessment.

Organizations continue to rely heavily on PDF workflows for documentation, legal processes and internal communications, making Adobe Reader a high-value target across industries. Security practitioners have begun analyzing the exploit’s behavior to develop detection signatures. Early recommendations include monitoring abnormal memory allocations, unusual process spawning from PDF readers and deviations in application behavior patterns.

Network-level detection also plays a critical role. Analysts advise organizations to inspect outbound connections initiated by PDF reader processes, especially those attempting to communicate with unfamiliar or suspicious domains.

Despite regular patching cycles, complex applications like Adobe Reader maintain large attack surfaces that adversaries continue to probe for weaknesses. Cloud-based document handling systems may also face indirect exposure. Organizations that process PDFs through cloud storage or collaboration platforms must evaluate whether infected files could propagate across shared environments.

Incident response teams must prepare for potential exploitation scenarios. Organizations should review logging capabilities, ensure visibility into endpoint activity and validate response playbooks for file-based attacks.

From a strategic perspective, the campaign aligns with trends observed in cyber espionage operations. Threat actors increasingly deploy stealthy, targeted exploits to gain initial access and maintain persistence within high-value networks.

Persistence mechanisms — methods that allow attackers to remain within a system over time — often follow initial exploitation. While researchers have not fully mapped this stage of the attack, they expect additional payloads to establish long-term access.

For now, the Adobe Reader zero-day serves as a stark reminder of the persistent risks embedded within everyday tools. Even widely trusted applications can become vectors for advanced attacks when adversaries uncover hidden weaknesses.

Iran-Linked Hackers Breach U.S. Industrial Systems, Trigger Disruptions

Samiksha Jain — Wed, 08 Apr 2026 05:47:24 +0000

A new U.S. government advisory has raised fresh concerns over Iranian-affiliated APT targeting PLCs, warning that cyberattacks are now moving beyond data theft into direct disruption of industrial systems. Issued on April 7, 2026, the joint alert from the FBI, CISA, NSA and other agencies confirms that Iran-linked threat actors are actively exploiting internet-facing programmable logic controllers (PLCs), with incidents already impacting multiple critical infrastructure sectors. This is not a theoretical threat. According to the advisory, several organizations have experienced operational disruptions and even financial losses after attackers interfered with industrial processes.

From Network Access to Operational Disruption

What makes this campaign stand out is its intent. The Iranian-affiliated APT targeting PLCs activity is not focused on espionage, it is designed to disrupt. Attackers have been manipulating PLC project files and altering data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. In practice, this means operators could be relying on inaccurate data while underlying processes are being changed in real time. The affected sectors include government services, water and wastewater systems, and energy, areas where even minor disruptions can have significant downstream impact. [caption id="attachment_111119" align="aligncenter" width="600"] Image Source: FBI[/caption]

How the Attacks Are Carried Out

The entry point is often simple: internet exposure. The advisory notes that attackers are scanning for publicly accessible PLCs, particularly models such as CompactLogix and Micro850—and connecting to them using legitimate engineering tools like Studio 5000 Logix Designer. Once inside, the activity becomes more deliberate. Threat actors extract configuration files, modify logic, and establish persistence. In some cases, they deploy tools like Dropbear SSH to maintain remote access through port 22. The attacks rely on commonly used industrial communication ports, including 44818, 2222, 102, 22, and 502, allowing malicious traffic to blend in with normal OT operations. Investigators also observed the use of overseas IP addresses and leased third-party infrastructure, suggesting a coordinated and sustained effort rather than opportunistic scanning.

A Campaign That Has Been Building Over Time

The current activity is not happening in isolation. U.S. agencies link it to earlier Iran-aligned operations, including campaigns attributed to the CyberAv3ngers group that targeted PLCs in 2023. What has changed is the persistence. The latest advisory tracks activity spanning from at least January 2025 through March 2026, with ongoing incidents reported as recently as March. Officials suggest the escalation may be tied to broader geopolitical tensions, but the technical pattern is clear: industrial control systems are becoming a repeated target.

Exposure and Weak OT Security

The Iranian-affiliated APT targeting PLCs campaign exposes a long-standing weakness in critical infrastructure, too many industrial devices remain directly accessible from the internet. In many cases, attackers did not need sophisticated exploits. They gained access because systems lacked basic protections like network segmentation, strong authentication, or restricted remote access. The result is a dangerous scenario where adversaries can move from initial access to operational control with relatively little resistance.

What Organizations Are Being Urged to Do

The advisory calls for immediate action, starting with visibility. Organizations are urged to review logs for suspicious traffic, especially connections originating from overseas infrastructure, and check for unusual activity on key OT ports. More broadly, the guidance reinforces a set of practical steps: removing PLCs from direct internet exposure, routing access through secure gateways, enabling stronger authentication controls, and maintaining offline backups of PLC logic and configurations. In some cases, even operational settings matter, such as ensuring controllers remain in “run” mode to prevent unauthorized remote changes.

A Shift in Cyber Threat Priorities

The bigger takeaway is the shift in attacker focus. By targeting PLCs, threat actors are going straight to the systems that control physical processes. This marks a move from cyber intrusion to potential real-world disruption. The advisory also highlight the role of manufacturers, urging a stronger push toward “secure-by-design” systems that are not exposed by default. For now, the warning is clear: as long as industrial systems remain exposed, campaigns like Iranian-affiliated APT targeting PLCs are likely to continue, and could become more disruptive over time.

Child Safety at Risk as EU CSAM Detection Law Lapses, Reporting Concerns Rise

Ashish Khaitan — Tue, 07 Apr 2026 08:07:47 +0000

A growing surge in CSAM (Child Sexual Abuse Material) circulating online has become an urgent concern for authorities and child protection organizations across the EU. As digital platforms continue to play a central role in communication, the challenge of tackling child sexual exploitation has intensified. The main issue lies in the expiration of a temporary EU legal framework that allowed online service providers to scan private communications for CSAM voluntarily. This legislation, originally introduced as a derogation under ePrivacy rules in 2021, officially lapsed on April 3, 2026. With lawmakers failing to agree on an extension, technology companies now face an uncertain legal environment that could undermine years of progress in combating child sexual exploitation online.

Expiry of EU Law Leaves CSAM Detection in Limbo

The now-expired framework had enabled major technology firms to proactively identify and report Child Sexual Abuse Material using tools such as hash-matching technology. This method relies on digital fingerprints to detect known abusive content with high accuracy, while still maintaining user privacy. Law enforcement agencies have consistently described such detection systems as “vital” in identifying perpetrators and rescuing victims. Without a clear legal basis, however, companies risk operating in a grey area where continuing these practices may expose them to legal challenges. Despite this uncertainty, several major firms, including Google, Meta, Microsoft, and Snap, have stated they will continue voluntary efforts to detect CSAM. In a joint statement, they emphasized the urgency for EU institutions to establish a stable regulatory framework, noting that child safety cannot be compromised due to political delays.

Sharp Decline in CSAM Reports Expected

Authorities warn that the absence of legal clarity could lead to a dramatic drop in reports related to child sexual exploitation. Data from previous years highlights the scale of the issue. In 2025 alone, Europol processed approximately 1.1 million CyberTips received from the U.S.-based National Center for Missing & Exploited Children (NCMEC). These reports included files, videos, and images linked to Child Sexual Abuse Material, and were relevant to investigations across 24 European countries. Officials have warned that this scenario is not hypothetical. A similar lapse in legal provisions in 2021 led to a noticeable decline in reporting, demonstrating how dependent investigations are on cooperation from digital platforms.

Widespread Criticism of EU Inaction

The failure of EU lawmakers to renew the legislation has sparked strong reactions from policymakers, advocacy groups, and industry leaders alike. European Home Affairs Commissioner Magnus Brunner described the situation as “hard to understand,” while child protection organizations labeled it an “abject political failure.” A coalition of 247 organizations dedicated to children’s rights issued a joint statement condemning the lapse. They argued that the inability to maintain detection mechanisms creates a “deeply alarming and irresponsible gap” in efforts to combat Child Sexual Abuse Material. According to the coalition, detection at scale is foundational in addressing child sexual exploitation. It enables companies to remove harmful content, report cases to authorities, and prevent the redistribution of abusive material. Without it, millions of illegal files could continue circulating unchecked, prolonging the suffering of victims.

Real-World Consequences for Victims

Behind every instance of CSAM is a real child subjected to abuse. The continued circulation of such material forces victims to relive their trauma repeatedly. Advocacy groups stress that failing to detect and remove this content effectively denies children their fundamental rights, including privacy and protection. The absence of robust detection tools also means that many victims may remain unidentified and trapped in abusive environments. Law enforcement agencies rely heavily on digital evidence to locate and rescue affected individuals. Any disruption in this process directly impacts their ability to intervene.

Commitment Amid Uncertainty

Despite the legal ambiguity, technology companies have reaffirmed their commitment to tackling Child Sexual Abuse Material. They argue that voluntary detection practices have been in place for nearly two decades and remain a cornerstone of online safety. These companies maintain that tools like hash-matching are essential for identifying known CSAM and preventing its spread. They also emphasize that such systems are designed to balance safety with privacy, countering concerns about overreach. However, industry leaders have made it clear that a long-term solution must come from policymakers. Without a consistent legal framework in the EU, even well-intentioned efforts at risk are becoming unsustainable.

Germany Names Suspected Leader of REvil and GandCrab Ransomware Gangs

Samiksha Jain — Tue, 07 Apr 2026 07:14:03 +0000

German authorities have named a key figure behind some of the most notorious ransomware operations in recent years, linking a real identity to the REvil ransomware gang and its predecessor, the GandCrab ransomware network. According to Germany’s Federal Criminal Police (BKA), a 31-year-old Russian national, Daniil Maksimovich Shchukin, has been identified as the individual operating under the alias “UNKN” or “UNKNOWN.” Investigators say he led both ransomware gangs and was directly involved in at least 130 cyberattacks targeting victims in Germany between 2019 and 2021. The identification marks a significant development in the long-running investigation into the REvil ransomware gang, which at its peak was one of the most aggressive and financially successful cybercrime operations globally.

Inside the REvil Ransomware Gang’s Operations

Authorities allege that Shchukin, along with another suspect, Anatoly Sergeevitsch Kravchuk, carried out coordinated attacks that extorted nearly €2 million, while causing more than €35 million in economic damage. The REvil ransomware gang and GandCrab ransomware group were among the first to popularize “double extortion”, a tactic that changed the ransomware landscape. Victims were not only asked to pay for decryption keys but also pressured to pay again to prevent stolen data from being published. This model has since become standard across ransomware gangs, making attacks more damaging and recovery more difficult for victims.

From GandCrab to REvil: Evolution of a Cybercrime Enterprise

The GandCrab ransomware operation first appeared in 2018 and quickly gained traction through an affiliate model. Hackers were offered a share of profits in exchange for breaching corporate systems, while the core operators maintained and improved the malware. Over time, GandCrab released multiple versions of its ransomware, each designed to evade detection and improve effectiveness. By May 2019, the group claimed to have earned over $2 billion before announcing its shutdown. Soon after, the REvil ransomware gang emerged. Many cybersecurity experts viewed it as a direct continuation or rebranding of GandCrab. Operating under the same alias “UNKNOWN,” the group expanded its reach and began targeting larger organizations with deeper pockets. REvil became known for “big-game hunting”—focusing on enterprises with significant revenues and cyber insurance coverage, increasing the likelihood of large payouts.

Industrialization of Ransomware Gangs

What makes the REvil ransomware gang particularly significant is how it operated more like a business than a traditional cybercriminal group. Ransomware developers outsourced tasks such as gaining initial access, encrypting systems, and laundering payments. Specialized actors—like access brokers and crypto laundering services—formed an entire underground ecosystem supporting these attacks. This structure allowed ransomware gangs to scale operations quickly, reinvest profits, and continuously improve their tools. As a result, attacks became more targeted, more sophisticated, and more difficult to stop.

High-Profile Attacks and Law Enforcement Response

One of the most notable incidents linked to the REvil ransomware gang was the 2021 attack on Kaseya, which impacted over 1,500 businesses worldwide. The scale of the breach demonstrated how ransomware could disrupt entire supply chains. However, the same attack also marked the beginning of REvil’s decline. The FBI later revealed it had gained access to the group’s infrastructure before the incident but could not act immediately without compromising its investigation. Subsequent actions, including the release of a free decryption key, weakened the group’s operations significantly.

Following the Money and Identity Trail

Shchukin’s name had previously surfaced in a 2023 U.S. Department of Justice filing related to cryptocurrency seizures tied to REvil activities. Authorities linked him to digital wallets holding over $317,000 in illicit funds. Despite the identification, German authorities believe Shchukin remains in Russia, beyond immediate reach. “Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA noted.

What This Means for the Ransomware Landscape

The exposure of a suspected leader behind the REvil ransomware gang is a rare win for law enforcement in a space where attribution is often difficult. But the broader issue remains. The structure pioneered by GandCrab ransomware and refined by REvil continues to influence modern ransomware gangs. The tools, tactics, and business models are still widely used. Even as individual operators are identified, the ecosystem they helped build continues to operate. The takeaway is clear: ransomware is no longer just a technical threat—it is an organized, evolving industry.

FortiClientEMS Vulnerabilities Under Active Exploitation, Expose Systems to RCE

Ashish Khaitan — Tue, 07 Apr 2026 06:26:21 +0000

A newly disclosed set of vulnerabilities affecting Fortinet’s endpoint management platform has raised serious concerns among cybersecurity professionals, particularly as both flaws are already being actively exploited. The issues, tracked as CVE-2026-35616 and CVE-2026-21643, impact FortiClientEMS and expose systems to unauthenticated remote code execution (RCE), with attackers requiring no prior access to compromise affected servers. One of the vulnerabilities, CVE-2026-21643, stems from an improper neutralization of special elements in SQL commands, commonly referred to as a SQL Injection flaw (CWE-89). This weakness exists within the administrative interface of FortiClientEMS, allowing unauthenticated attackers to send specially crafted HTTP requests and execute unauthorized code or commands.

Critical SQL Injection Flaw in FortiClientEMS (CVE-2026-21643)

Security researchers have confirmed that this SQL Injection issue is not just theoretical. It has already been observed being exploited in real-world attacks, increasing the urgency for mitigation. Because the flaw does not require authentication, attackers can directly target exposed systems, making it a particularly dangerous entry point. In terms of affected versions, FortiClientEMS 7.4.4 is vulnerable and requires an upgrade to version 7.4.5 or later. Versions 8.0 and 7.2 are not affected by this issue. The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet’s Product Security team. The initial advisory was published on February 6, 2026, with a subsequent clarification removing FortiEMS Cloud from the affected products list.

Improper Access Control Vulnerability (CVE-2026-35616)

The second major flaw, CVE-2026-35616, involves improper access control (CWE-284) in FortiClientEMS. This vulnerability enables attackers to bypass API authentication and authorization mechanisms, again allowing unauthenticated execution of arbitrary code or commands through crafted requests. Like the SQL Injection flaw, CVE-2026-35616 has also been confirmed to be actively exploited in the wild. The potential impact is severe, as successful exploitation could lead to a complete compromise of the FortiClientEMS server. The vulnerability was officially published on April 4, 2026, and later added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) Catalog on April 6, 2026. CISA noted that such vulnerabilities are frequently used by malicious actors and pose significant risks, particularly to federal enterprise environments.

Government and Industry Response

The Cyber Security Agency of Singapore (CSA) issued an alert on April 6, 2026, warning of the active exploitation of CVE-2026-35616 in FortiClientEMS deployments. The advisory noted the critical nature of the vulnerability and urged organizations to take immediate action. According to the alert, “successful exploitation of this vulnerability could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests, potentially resulting in a full compromise of the FortiClient EMS server.” The agency also reiterated that exploitation activity has already been observed in the wild.

Affected Versions and Mitigation Steps

The improper access control vulnerability CVE-2026-35616 affects FortiClientEMS versions 7.4.5 through 7.4.6. Organizations using these versions are advised to apply the available hotfix immediately and upgrade to version 7.4.7 or later once it becomes available. Fortinet has provided specific guidance for applying fixes through its official release notes for versions 7.4.5 and 7.4.6. The company has indicated that the upcoming FortiClientEMS 7.4.7 release will include a permanent fix, while the currently available hotfix is sufficient to fully mitigate the issue in the interim. For CVE-2026-21643, upgrading from version 7.4.4 to 7.4.5 or above resolves the SQL Injection vulnerability.

$20 Billion Lost to Cybercrime as AI and Investment Scams Surge: FBI Report

Samiksha Jain — Tue, 07 Apr 2026 05:37:26 +0000

The FBI Internet Crime Report 2025 shows just how expensive cybercrime has become. In 2025, the FBI’s Internet Crime Complaint Center (IC3) received over one million complaints, with reported losses touching $20.8 billion, the highest ever recorded. That figure is not just a statistic. It reflects everyday incidents, individuals losing life savings to investment scams, businesses wiring money to fraudulent accounts, and organizations dealing with disruptions from ransomware attacks. What used to be isolated cases are now happening at scale. The FBI Internet Crime Report 2025 also shows how the nature of cybercrime is changing. Fraud is no longer limited to suspicious emails or obvious scams. Criminals are using social platforms, messaging apps, and now even artificial intelligence to make their operations look legitimate. In many cases, victims don’t realize they are being targeted until the money is already gone. At the same time, the report highlights that law enforcement is trying to keep pace. Operations targeting crypto scams and international fraud networks are making an impact, but the overall trend shows that cybercrime is expanding faster than it is being contained.

Cyber-Enabled Fraud Remains the Biggest Driver

A large share of these losses comes from cyber-enabled fraud, which alone accounts for nearly 85% of the total financial damage, or about $17.7 billion. Investment fraud continues to cause the most damage. In 2025, it led to $8.6 billion in losses, followed by business email compromise (BEC) and tech support scams. Within this, cryptocurrency investment fraud stands out. Losses linked to crypto scams reached $7.2 billion, making it the biggest single category. [caption id="attachment_111088" align="aligncenter" width="577"] Image Source: FBI Report[/caption] These scams are no longer basic phishing attempts. Attackers spend time building trust, approaching victims through social media, messaging apps, or even dating platforms. Once trust is established, victims are guided toward fake investment platforms that show fabricated profits. By the time withdrawals are attempted, the money is gone.

AI-Enabled Scams Are Growing Fast

The FBI Internet Crime Report 2025 includes a separate section on AI-enabled scams for the first time, and the early numbers are already concerning.

More than 22,000 complaints linked to AI
Around $893 million in losses

AI is making scams more convincing. Fake profiles, cloned voices, and realistic conversations can now be created quickly and at scale. This allows attackers to run highly targeted campaigns without much effort. The challenge is that these scams often look legitimate, making it harder for individuals and even businesses to identify red flags in time.

Ransomware Continues to Target Critical Sectors

Ransomware remains a steady threat, especially for critical infrastructure.

Over 3,600 complaints reported in 2025
Losses crossed $32 million

The actual impact is likely much higher. Many organizations do not report full losses, especially indirect costs like downtime or recovery expenses. The report also notes 63 new ransomware variants identified during the year, showing how quickly these attacks continue to evolve. Sectors such as healthcare, manufacturing, and government facilities remain frequent targets, where even short disruptions can have serious consequences.

FBI Operations Are Preventing Some Losses

The report also highlights efforts by law enforcement to limit the damage. One example is Operation Level Up, focused on cryptocurrency investment scams. Since its launch in 2024, the initiative has helped reduce potential losses by more than $500 million. In many cases, victims did not realize they were being scammed until they were contacted. This reflects a larger issue, many cyber fraud cases go unnoticed until significant financial damage has already occurred.

Cybercrime Is Becoming More Structured

The report also points to broader trends. Cybercriminal groups are operating more like organized businesses. At the same time, state-linked actors are becoming more active, targeting infrastructure and sensitive data. One example highlighted is the DPRK IT worker scam, where individuals posing as remote IT workers gain access to company systems and use that access for data theft or further attacks. These developments show that cybercrime is no longer limited to isolated incidents. It is part of a larger, global ecosystem.

A Growing Gap Between Threats and Preparedness

The FBI Internet Crime Report 2025 shows a clear pattern—cybercrime is scaling faster than awareness and response.

Fraud tactics are becoming more personal and long-term
AI is helping attackers improve success rates
Cryptocurrency is making transactions harder to trace

While recovery efforts and law enforcement actions are improving, most interventions still happen after the damage is done.

Final Take on FBI Internet Crime Report 2025

The FBI Internet Crime Report 2025 highlights a shift in how cybercrime operates today. The scale—over $20 billion in losses—is significant, but the methods behind these numbers are just as important. From cyber-enabled fraud to AI-enabled scams and cryptocurrency investment fraud, attackers are using a mix of technology and human psychology to succeed. For individuals and organizations, the risk is no longer occasional—it is constant, and it is evolving.

75% of Cyberattacks Start with Phishing Emails, UAE Cyber Council Says

Samiksha Jain — Mon, 06 Apr 2026 11:02:06 +0000

The scale of phishing emails cyberattacks is growing, and the UAE Cyber Security Council is making it clear that the threat is far from under control. In a recent warning, the Council told Emirates News Agency (WAM) that more than 75% of cyberattacks now begin with phishing emails or fraudulent messages, underlining how attackers continue to rely on simple, deceptive tactics to gain access to sensitive systems. The advisory, shared with WAM, points to email fraud as a primary entry point for breaches involving personal accounts, financial data, and institutional systems. These messages are often designed to look legitimate, making them difficult to detect at a glance and easy to act on without verification.

Phishing Emails Cyberattacks Continue at Massive Scale

The numbers behind phishing emails cyberattacks highlight why the problem persists. According to the Council, more than 3.4 billion phishing messages are sent globally every day, targeting individuals across sectors and regions. These messages are not limited to basic scams. Many are crafted to steal login credentials, distribute malware, or collect personal information that can later be used in identity theft, extortion, or broader cyber campaigns. The volume ensures that even a small success rate can lead to significant impact. The Council noted that this type of fraud continues to spread widely, often taking advantage of gaps in user awareness and digital behaviour rather than weaknesses in technology alone.

How Phishing Emails Cyberattacks Trick Users

The UAE Cyber Security Council outlined how phishing emails cyberattacks are typically structured to push users into quick action. Messages may request urgent payments, prompt users to verify accounts, or direct them to login pages through embedded links. In many cases, these emails imitate trusted entities such as banks or service providers. Others rely on offers that appear unusually attractive, drawing users into clicking links or sharing information without proper checks. The Council also pointed to common red flags, including emails with spelling or grammatical errors, unclear sender identities, and requests for personal data without valid justification. Despite being widely recognised indicators, such tactics continue to be used because they still manage to bypass user caution.

User Awareness Remains Central to Prevention

The phishing emails cyberattacks trend places significant responsibility on users, particularly as attackers continue to refine how these messages are presented. The Council stressed that individuals and employees remain a primary target, making awareness a critical part of any defence strategy. To reduce exposure, the Council advised users to avoid interacting with suspicious links or messages and to refrain from scanning QR codes in untrusted environments. It also emphasised the importance of keeping login credentials private and enabling multi-factor authentication across accounts. Regular system updates and application patches were also highlighted as necessary steps to limit vulnerabilities that may be exploited following a phishing attempt.

Reporting Plays a Key Role in Limiting Damage

Beyond prevention, the UAE Cyber Security Council underlined the importance of timely reporting in addressing phishing emails cyberattacks. Users who identify suspicious messages are encouraged to report them immediately rather than ignore or delete them. Early reporting allows security teams to analyse patterns, identify ongoing campaigns, and take steps to block further attacks. In large-scale phishing operations, even a single reported message can help trace and disrupt wider activity. The Council reiterated that quick action at the user level can significantly reduce the overall impact of these attacks.

Phishing Emails Cyberattacks Remain a Persistent Threat

The continued dominance of phishing emails cyberattacks reflects a broader trend in the cybersecurity landscape. While organisations invest in advanced tools and systems, attackers continue to rely on methods that require minimal technical effort but deliver consistent results. The Council noted that safety in cyberspace has become an ongoing challenge, particularly as digital communication channels expand. Email remains one of the most widely used platforms, making it a reliable target for threat actors. The warning serves as a reminder that phishing is not a declining threat. It remains active, widespread, and closely tied to how users interact with everyday digital tools.