Vulnerabilities – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.
- The Cyber Express Weekly Roundup: Crypto Breaches, State-Linked Schemes, and Platform Exploits by Ashish Khaitan on April 17, 2026 at 12:47 pm

In this week’s roundup, The Cyber Express reviews major developments across the cybersecurity domain, highlighting incidents involving crypto ecosystem attacks, state-linked fraud operations, regulatory scrutiny, and underground cybercrime activity. The broader threat landscape continues to show attackers targeting infrastructure weaknesses, social engineering pathways, and third-party dependencies rather than isolated technical flaws. Across multiple cases, state-aligned and financially motivated actors are focusing on routers, DNS layers, and decentralized systems to intercept data and manipulate transactions. At the same time, gaps in regulation and enforcement continue to complicate platform accountability, particularly in online safety and digital content governance.

The Cyber Express Weekly Roundup

$15M Grinex Hack Halts Trading After Wallet Breach

Grinex suspended trading and withdrawals following a coordinated attack that compromised its wallet infrastructure, resulting in the theft of more than $15 million in USDT. The attackers rapidly moved assets across Ethereum and Tron networks, using chain-hopping and layering techniques to obscure transaction trails and avoid detection.

Two U.S. Nationals Sentenced in $5M North Korea IT Worker Scheme

Two U.S. nationals, Kejia Wang and Zhenxing Wang, received prison sentences of 108 and 92 months for their roles in a North Korea-linked remote employment scheme that generated over $5 million. The operation used stolen identities, domestic “laptop farms,” and shell companies to present overseas workers as U.S.-based employees across more than 100 companies.

Australia Social Media Ban Faces Enforcement Questions

Australia’s under-16 social media restriction is facing renewed scrutiny after a study of 1,050 children found that over 60% of previously active users aged 12–15 continue accessing platforms such as TikTok, YouTube, and Instagram. Many accounts remained active without intervention from providers, and in some cases, users created new profiles after restrictions were applied.

TierOne Dark Web Contest Offers $10K for Exploit Writeups

A dark web forum known as TierOne has launched a $10,000 contest encouraging detailed technical write-ups on vulnerability exploitation techniques. Running from April 13 to May 14, 2026, and reportedly sponsored by a ransomware group, the contest focuses on topics such as remote code execution, IDOR, SSTI, firmware attacks, and EDR bypass methods.

Rockstar Cyberattack Confirmed Amid Extortion Threat

Rockstar Games confirmed a cyberattack involving unauthorized access through a third-party service, though it stated that core operations and player systems were unaffected. The threat actor group ShinyHunters claimed responsibility, alleging access to internal company data and demanding payment by April 14, 2026, under threat of public release.

Weekly Takeaway

The Cyber Express weekly roundup reflects a threat landscape that is fragmented yet interconnected. From multimillion-dollar crypto thefts and criminal employment schemes to underground exploit markets and extortion-driven breaches, attackers are consistently blending technical exploitation with deception and supply chain targeting. Regulatory uncertainty and weak enforcement mechanisms further amplify these risks, allowing both state-linked and financially motivated actors to operate with greater flexibility across digital environments.
- Russian GRU Cyber Campaign Targets Western Logistics Firms Supporting Ukraine by Samiksha Jain on April 17, 2026 at 5:45 am

A new joint cybersecurity advisory has revealed an ongoing Russian GRU cyber campaign targeting Western logistics entities and technology companies, particularly those involved in coordinating and delivering aid to Ukraine. The activity has been linked to the Russian General Staff Main Intelligence Directorate’s Unit 26165, widely tracked in the cybersecurity community as APT28 or Fancy Bear.

According to the advisory, the Russian GRU cyber campaign has been active since early 2022 and continues to evolve, posing a sustained risk to organizations across multiple sectors. Security agencies warn that companies involved in transportation, IT services, and defense supply chains should assume they are potential targets and strengthen monitoring and threat detection efforts.

GRU Unit 26165 Expands Logistics Cyber Targeting

The campaign, attributed to GRU Unit 26165, has focused on entities supporting Ukraine through logistics and infrastructure. This includes companies operating across air, sea, and rail transport, as well as IT service providers connected to these operations. Targets span multiple countries, including the United States, Germany, Poland, France, and Ukraine. The attackers have also exploited trust relationships between organizations, moving from one compromised entity to another to expand access.

Image source: https://www.cyber.gov.au/

Officials noted that the Russian GRU cyber campaign is not limited to direct targets. Organizations with business ties to logistics providers have also been drawn into the attack chain, increasing the overall risk surface.

APT28 Attacks Use Known but Effective Techniques

The advisory highlights that APT28 attacks rely heavily on established tactics, techniques, and procedures. These include credential guessing, brute-force attacks, and spearphishing campaigns designed to steal login details or deploy malware.

Spearphishing remains a key component of the Russian GRU cyber campaign, with emails crafted in the target’s native language and often impersonating government or trusted services. Many of these emails direct victims to fake login pages hosted on compromised devices or free web platforms. The attackers have also used multi-stage redirect systems to filter victims based on location and device characteristics, making detection more difficult.

CVE Exploitation and Malware Deployment Observed

A significant aspect of the campaign involves the exploitation of known vulnerabilities. The actors have weaponized multiple CVEs, including:

  - CVE-2023-23397 in Microsoft Outlook to harvest credentials
  - Roundcube vulnerabilities for email server access
  - CVE-2023-38831 in WinRAR for remote code execution

These vulnerabilities have enabled attackers to gain initial access and move deeper into targeted networks. The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.

Post-Compromise Activity Focuses on Sensitive Data

Once inside a network, attackers conduct extensive reconnaissance to identify high-value targets, including employees managing transport operations and cybersecurity teams. The Russian GRU cyber campaign places particular emphasis on accessing sensitive logistics data. This includes shipment details such as routes, cargo contents, sender and recipient information, and transport schedules.

Attackers use tools like Remote Desktop Protocol and open-source frameworks to move laterally within networks. They also manipulate email permissions to maintain long-term access and collect communications from compromised accounts.

IP Cameras Targeted to Track Aid Movement

In addition to corporate networks, the campaign has extended to internet-connected cameras. The advisory reports that GRU actors have targeted IP cameras located near border crossings, rail stations, and military facilities. By exploiting weak credentials and unsecured Real Time Streaming Protocol servers, attackers have been able to access live feeds and monitor the movement of aid into Ukraine. A large portion of these attempts has focused on cameras in Ukraine and neighboring countries. This tactic adds a physical surveillance dimension to the Russian GRU cyber campaign, enabling real-time tracking of logistics operations.

Organizations Urged to Strengthen Defenses

Cybersecurity agencies are urging organizations to take immediate steps to mitigate risks associated with the Russian GRU cyber campaign. Recommended measures include:

  - Enforcing multi-factor authentication and strong access controls
  - Monitoring for unusual login activity and lateral movement
  - Patching known vulnerabilities and securing internet-facing systems
  - Limiting access to critical infrastructure and sensitive data
  - Auditing logs and deploying endpoint detection tools

Companies are also advised to review their relationships with partners and suppliers, as attackers frequently exploit these connections to expand their reach.

Persistent Threat Expected to Continue

The advisory concludes that the Russian GRU cyber campaign is likely to persist, with continued use of similar tactics and targeting patterns. As geopolitical tensions remain high, logistics and technology sectors are expected to stay at the forefront of cyber espionage activity. Organizations operating in these sectors are being encouraged to adopt a proactive security posture, recognizing that the threat is ongoing and highly targeted.
- Ivanti Neurons ITSM Vulnerabilities Could Allow Session Persistence by Ashish Khaitan on April 15, 2026 at 8:38 am

A newly disclosed set of ITSM vulnerabilities in Ivanti Neurons has been reported. The flaws could allow attackers to retain access to enterprise systems under certain conditions. The issues, tracked as CVE-2026-4913 and CVE-2026-4914, affect Ivanti’s Neurons for IT Service Management (ITSM) platform. Ivanti recently published a security advisory outlining these two vulnerabilities.

These flaws could enable remote authenticated attackers to hijack or persist in user sessions, potentially maintaining unauthorized access even after administrative actions such as account deactivation. The vulnerabilities affect both on-premises and cloud deployments running version 2025.3 and earlier.

While the risks are notable, Ivanti stated that, at the time of disclosure on April 14, 2026, there is no evidence to suggest active exploitation in real-world attacks. In its advisory, the company noted: “We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.” The vulnerabilities were identified and reported through a responsible disclosure program.

Technical Breakdown of ITSM Vulnerabilities

The two vulnerabilities, CVE-2026-4913 and CVE-2026-4914, have distinct behaviors but share a reliance on some level of authenticated access or user interaction.

CVE-2026-4913: Session Persistence After Account Deactivation

The first flaw, CVE-2026-4913, is classified as an “improper protection of an alternate path” vulnerability (CWE-424). It affects Ivanti Neurons for ITSM versions prior to 2025.4 and carries a CVSS score of 5.7 (Medium), with the vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.

This vulnerability allows a remote authenticated attacker to retain access to the system even after their account has been disabled. In practice, this could enable a user with previously valid credentials to continue interacting with the platform through an alternate access path, bypassing expected session termination controls.

CVE-2026-4914: Stored XSS and Session Data Exposure

The second issue, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability (CWE-79) with a CVSS score of 5.4 (Medium). Its vector is: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

This flaw allows a remote authenticated attacker to inject malicious scripts that may execute in another user’s session, provided user interaction occurs. Successful exploitation could result in limited information disclosure from other sessions, posing a risk to sensitive operational data within the ITSM environment.

Affected Versions and Fix Timeline

Both vulnerabilities impact Ivanti Neurons for ITSM version 2025.3 and earlier across deployment models:

  - On-premise deployments: Versions 2025.3 and prior are affected, with fixes available in version 2025.4 via the Ivanti License System (ILS).
  - Cloud deployments: Versions 2025.3 and earlier were also impacted; however, Ivanti applied fixes automatically to all cloud environments on December 12, 2025.

The patched release, version 2025.4, addresses both CVE-2026-4913 and CVE-2026-4914.

Mitigation Guidance for Ivanti Neurons Users

To reduce exposure to these vulnerabilities, Ivanti recommends that organizations update their systems to version 2025.4 as soon as possible. The mitigation steps differ depending on the deployment type.

For cloud customers using Ivanti Neurons, no action is required, as the company has already implemented the necessary fixes across hosted environments. This proactive update ensures that cloud users are protected against both CVE-2026-4913 and CVE-2026-4914.

In contrast, organizations running on-premises deployments must take manual action. Administrators and security teams are advised to log into the Ivanti License System and apply the 2025.4 update without delay.

Detection and Support Considerations

At present, Ivanti has not identified any indicators of compromise associated with these vulnerabilities, largely due to the absence of known exploitation. As a result, organizations may not have specific forensic markers to determine whether their systems were targeted.

For organizations requiring assistance, Ivanti recommends submitting a support request through its Success Portal to address any concerns related to Ivanti Neurons, CVE-2026-4913, or CVE-2026-4914.
- Hackers Exploit Kali Forms Vulnerability to Take Over WordPress Sites by Ashish Khaitan on April 14, 2026 at 7:36 am

A recently disclosed Kali Forms vulnerability affecting a widely used WordPress plugin has escalated into an active security threat, enabling unauthenticated attackers to achieve Remote Code Execution on affected websites. The flaw impacts Kali Forms, a drag-and-drop form builder with more than 10,000 active installations, and has already been exploited in the wild shortly after public disclosure.

Security researchers reported that the vulnerability was first submitted on March 2, 2026, through a bug bounty program, identifying a critical Remote Code Execution issue in the Kali Forms vulnerability chain. The vendor released a patched version on March 20, 2026, and the issue was simultaneously added to the Wordfence Intelligence database. On the same day, attackers began actively exploiting it at scale.

Timeline of the Kali Forms Vulnerability in the WordPress Plugin Ecosystem

The Kali Forms vulnerability followed a rapid disclosure-to-exploitation cycle:

  - March 2, 2026: Initial submission of the Remote Code Execution flaw via bug bounty reporting.
  - March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection.
  - March 20, 2026: Patched version released; vulnerability publicly disclosed; attackers began exploiting the same day.
  - April 4, 2026: Free Wordfence users received delayed firewall protection.
  - April 4–10, 2026: Peak exploitation activity observed against the Kali Forms vulnerability.

The patched release addressed the issue in version 2.4.10 of the WordPress plugin, while all versions up to and including 2.4.9 remained vulnerable.

Technical Root Cause Behind the Kali Forms Vulnerability

The core of this WordPress plugin flaw lies in how user-supplied form data is processed and stored internally. The vulnerability resides in the form_process flow and the prepare_post_data() function, which incorrectly maps attacker-controlled input into internal placeholder storage without proper validation or allow-list restrictions. These placeholders are later used in the _save_data() method, where unsafe execution occurs through call_user_func(). A simplified excerpt of the vulnerable logic:

    if (isset($this->placeholdered_data['{entryCounter}'])) {
        $this->placeholdered_data['{entryCounter}'] = call_user_func($this->placeholdered_data['{entryCounter}'], $this->post->ID);
    }

Because the Kali Forms vulnerability allows attackers to fully control values like {entryCounter} and {thisPermalink}, an unauthenticated user can inject arbitrary PHP function names. These are then executed directly, resulting in Remote Code Execution (RCE) attacks.

Researchers noted that the lack of input restrictions in prepare_post_data() enables overwriting internal placeholders. As a result, attacker-controlled values flow directly into call_user_func(), making exploitation trivial once the request is submitted.

One observed abuse pattern demonstrates authentication bypass attempts using built-in WordPress functions. For example, attackers can assign:

    {entryCounter} = wp_set_auth_cookie
    formId = 1

This leads to execution of wp_set_auth_cookie(1), which may log attackers in as the default administrator account if it exists, effectively turning the Kali Forms vulnerability into a full account takeover vector.

Active Exploitation of the Kali Vulnerability in Real-world Attacks

Telemetry from security monitoring shows that exploitation began immediately after disclosure. Attackers have been systematically targeting the WordPress plugin using automated requests to admin-ajax.php. A representative exploit request includes:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    action=kaliforms_form_process&
    data[formId]=1&
    data[nonce]=66ddddb2b7&
    data[entryCounter]=wp_set_auth_cookie

This confirms how the Remote Code Execution flaw is triggered through manipulated form submission data.

Security systems recorded significant attack volume:

  - Over 312,200 exploit attempts were blocked targeting the Kali Forms vulnerability.
  - Heavy targeting was observed immediately after the March 20, 2026 disclosure.
  - A further spike in activity was observed between April 4 and April 10, 2026.

Top Attacking IP Addresses Observed

Threat intelligence identified several IPs responsible for large-scale exploitation attempts:

  - 209.146.60.26 – over 152,000 blocked requests
  - 49.156.40.126 – over 50,000
  - 124.248.183.139 – over 26,000
  - 202.56.2.126 – over 14,000
  - 130.12.182.154 – over 11,000
  - 104.28.160.197 – over 9,000
  - 1.53.114.181 – over 5,700
  - 157.15.40.74 – over 3,000
  - 114.10.99.126 – over 2,500
  - 83.147.12.83 – over 1,300

These sources were repeatedly associated with exploitation attempts targeting the Kali Forms vulnerability in the affected WordPress plugin.
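As an added example that is not part of the original article, nor code from Wordfence or the Kali Forms plugin: a small Python detector that scans a request log for kaliforms_form_process submissions that set the entryCounter or thisPermalink placeholders, the pattern shown in the exploit request above. The log format (one request per line, tab-separated client IP, method, path and POST body) and the sample lines are assumptions constructed for this example; it presumes a WAF or reverse proxy that records request bodies.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Placeholder names the write-up identifies as attacker-controllable in a
# kaliforms_form_process submission and later passed to call_user_func().
CALLABLE_PLACEHOLDERS = ("entryCounter", "thisPermalink")

# A value that looks like a PHP callable name: function or Class::method,
# optionally namespace-qualified with backslashes.
PHP_CALLABLE = re.compile(
    r"^\\?[A-Za-z_][A-Za-z0-9_\\]*(::[A-Za-z_][A-Za-z0-9_]*)?$"
)

# Constructed sample log, not real telemetry. Assumed format: one request per
# line, tab-separated fields client_ip, method, path, raw POST body.
# The first line reproduces the exploit request quoted in the article.
SAMPLE_LOG = "\n".join([
    "203.0.113.10\tPOST\t/wp-admin/admin-ajax.php\t"
    "action=kaliforms_form_process&data[formId]=1&data[nonce]=66ddddb2b7"
    "&data[entryCounter]=wp_set_auth_cookie",
    # ordinary form submission: only real form fields, no placeholders
    "203.0.113.11\tPOST\t/wp-admin/admin-ajax.php\t"
    "action=kaliforms_form_process&data[formId]=3&data[nonce]=0123456789"
    "&data[name]=Alice&data[email]=alice%40example.com",
    # unrelated admin-ajax action
    "198.51.100.7\tPOST\t/wp-admin/admin-ajax.php\taction=heartbeat&_nonce=abc",
    # placeholder supplied by the client but not a callable name
    "203.0.113.10\tPOST\t/wp-admin/admin-ajax.php\t"
    "action=kaliforms_form_process&data[formId]=1&data[entryCounter]=12",
    # same abuse through the other placeholder named in the article
    "198.51.100.7\tPOST\t/wp-admin/admin-ajax.php\t"
    "action=kaliforms_form_process&data[formId]=2"
    "&data[thisPermalink]=wp_set_auth_cookie",
    # GET with an empty body is ignored
    "203.0.113.12\tGET\t/wp-admin/admin-ajax.php\t",
])


def parse_request_log_line(line):
    """Split one log line into its four fields; return None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ip, method, path, body = parts
    return {"ip": ip, "method": method, "path": path, "body": body}


def classify_request(req):
    """Return a finding for a suspicious Kali Forms submission, else None.

    Severity is "high" when a client-supplied placeholder value looks like a
    PHP callable name (the RCE / account-takeover pattern) and "medium" when
    the placeholder is merely present, since a legitimate submission never
    sets these internal placeholders at all.
    """
    if req["method"] != "POST" or not req["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(req["body"], keep_blank_values=True)
    if params.get("action") != ["kaliforms_form_process"]:
        return None
    supplied = {}
    for name in CALLABLE_PLACEHOLDERS:
        values = params.get(f"data[{name}]")
        if values:
            supplied[name] = values[0]
    if not supplied:
        return None
    looks_callable = any(PHP_CALLABLE.match(v) for v in supplied.values())
    return {
        "ip": req["ip"],
        "severity": "high" if looks_callable else "medium",
        "placeholders": supplied,
    }


def scan_log(text):
    """Run the classifier over every line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        req = parse_request_log_line(line)
        if req is None:
            continue
        finding = classify_request(req)
        if finding is not None:
            findings.append(finding)
    return findings


def top_sources(findings, limit=3):
    """Rank client IPs by number of findings, like the blocked-request tally."""
    return Counter(f["ip"] for f in findings).most_common(limit)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["severity"], f["ip"], f["placeholders"])
    print(top_sources(results))
```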
- Dark Web Article Contest Offers $10,000 for Exploit Writing on TierOne Forum by Ashish Khaitan on April 14, 2026 at 5:55 am

In an unusual development within the underground cyber world, a dark web article contest has been announced on a well-known dark web forum, TierOne forum. The initiative is backed by a $10,000 prize pool. The contest places a spotlight on technical writing centered around vulnerability exploitation, offering insight into how knowledge is shared and rewarded in these spaces.

Traditionally, dark web forums have been linked to illicit activities such as trading stolen data, coordinating ransomware attacks, and distributing malware. However, this contest introduces a different dynamic, one that mirrors legitimate cybersecurity ecosystems, where researchers document findings and share exploit techniques.

The Dark Web Article Contest Overview and Prize Structure

According to an official announcement shared by an administrator on the forum, the post states: “Hello everyone! We are pleased to announce the T1erone [ARTICLE CONTEST #1 – 2026]. Contest winners receive prizes: 1st place $5,000, 2nd place – $3,000, 3rd place – $2,000 [Prize fund $10,000]. Article submissions open on 13.04.2026 and close on 14.05.2026.”

The announcement indicates that the dark web article contest will run from April 13, 2026, to May 14, 2026, with prize amounts set at $5,000 for first place, $3,000 for second place, and $2,000 for third place, making up a total prize pool of $10,000, reportedly sponsored by the ransomware group cry0.

Topics Focused on Vulnerability Exploitation

The contest invites submissions covering a wide range of advanced topics related to vulnerability exploitation with real-world applicability. These include:

  - Remote Code Execution (RCE) through deserialization flaws in React and Node.js frameworks.
  - Command injection attacks in APIs and backend systems.
  - Insecure Direct Object Reference (IDOR) vulnerabilities in SaaS platforms.
  - Server-Side Template Injection (SSTI) in modern templating engines.
  - Exploitation of insecure deserialization in PHP and Java.
  - Client-side RCE via Markdown or Office file rendering.
  - Firmware attacks targeting routers and cameras.
  - Privilege escalation techniques in RouterOS and similar systems.
  - Exploitation methods for products from Cisco, MikroTik, Oracle, and Ubiquiti.
  - Zero-day discovery in browser components like WebGPU and Blink.
  - AI-assisted vulnerability discovery and reverse engineering.
  - Techniques for bypassing AV and EDR security systems.
  - Exploitation of Remote Procedure Call (RPC) mechanisms.

For context, vulnerabilities such as RCE, IDOR, and SSTI allow attackers to execute arbitrary code or access restricted data, while firmware attacks enable persistent control over hardware devices. Similarly, AV/EDR bypass techniques are designed to evade detection by modern security solutions.

Participation Rules and Requirements

The TierOne forum has outlined strict guidelines for participants. Articles must be published within the forum’s designated section and include a specific prefix to qualify:

  - Submissions must be posted under the Articles section with the prefix “[Contest]”.
  - A link to the article must be shared in the contest thread with a participation note.
  - All users are eligible, regardless of registration date or activity level.
  - The use of multiple accounts is strictly prohibited.

In addition, the contest enforces content quality standards:

  - Articles must be original and based on the author’s own experience.
  - Copy-pasted or reposted material is not allowed.
  - Submissions should comprehensively cover the chosen topic, including tools, techniques, and methodologies.
  - Minimum length requirement is at least one A4 page.
  - Excessive filler content is discouraged.
  - Including video demonstrations may improve chances of winning.

A Glimpse into Dark Web Knowledge Sharing

While the existence of such a contest may seem surprising, it points to a broader trend within dark web forums. Beyond illegal marketplaces and data trading, these platforms also function as hubs for technical exchange, where members document and refine vulnerability exploitation techniques.

In many ways, the structure resembles legitimate bug bounty programs and penetration testing workflows, where cybersecurity professionals publish detailed reports on discovered flaws. The key difference lies in the intent and environment in which this knowledge is applied.

It is important to note that this article does not endorse participation in such activities. Instead, it aims to shed light on how these underground ecosystems operate. The TierOne forum contest highlights that even within the dark web, there are organized efforts to produce structured, experience-based technical content, albeit in a context that raises ethical and legal concerns.
- Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 by Ashish Khaitan on April 13, 2026 at 8:16 am

Adobe has issued emergency security updates addressing a severe Acrobat Reader flaw tracked as CVE-2026-34621, a high-impact Adobe vulnerability that has already been observed being exploited in real-world attacks. The issue, rated with a CVSS score of 8.6 out of 10.0, affects multiple Acrobat and Reader products across Windows and macOS platforms. According to Adobe, the vulnerability could enable attackers to execute arbitrary code on targeted systems if successfully exploited.

Acrobat Reader Flaw and CVSS Severity Assessment

The Acrobat Reader flaw CVE-2026-34621 has been classified as a critical security defect with a CVSS base score of 8.6. The score reflects high impact across confidentiality, integrity, and availability. The CVSS vector associated with the flaw is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating that local access and user interaction are required for exploitation, while the scope change increases the severity.

Initially, the Adobe vulnerability was assessed with a higher score, but later revisions adjusted the attack vector from network-based (AV:N) to local (AV:L). This change reduced the overall CVSS rating from 9.6 to 8.6, as noted in Adobe’s revision history dated April 12, 2026.

Adobe Vulnerability Impact and Affected Acrobat Products

The Adobe vulnerability affects several widely deployed versions of Acrobat and Acrobat Reader. The impacted software includes:

  - Acrobat DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
  - Acrobat Reader DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
  - Acrobat 2024 versions 24.001.30356 and earlier (fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)

These versions are used across both Windows and macOS environments, increasing the exposure range of the Acrobat Reader flaw CVE-2026-34621 in enterprise and consumer settings.

Adobe classified the update under bulletin APSB26-43, published on April 11, 2026, with a priority rating of 1, indicating the highest urgency level for patch deployment. The bulletin confirms that the Adobe vulnerability can result in arbitrary code execution if exploited successfully.

Exploitation of Acrobat Reader flaw CVE-2026-34621 in the Wild

Adobe has confirmed that it is “aware of CVE-2026-34621 being exploited in the wild.” This statement indicates active exploitation attempts against unpatched systems, elevating the urgency of the Acrobat Reader flaw CVE-2026-34621 beyond theoretical risk.

The exploitation activity suggests that threat actors may already be leveraging the Adobe vulnerability in targeted attacks. While specific campaigns have not been fully detailed publicly, the confirmed exploitation status places the flaw in a high-risk category, particularly for organizations that have not yet applied the latest updates.

Prototype Pollution Behind the Adobe Vulnerability

The root cause of the Acrobat Reader flaw CVE-2026-34621 is identified as a prototype pollution issue. Prototype pollution is a JavaScript-based vulnerability class that allows attackers to manipulate object prototypes within an application. In this case, the Adobe vulnerability is categorized under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).

Successful exploitation could allow an attacker to manipulate internal object structures, potentially leading to arbitrary code execution within Acrobat environments. Because prototype pollution affects how objects inherit properties, attackers may be able to inject malicious attributes into running applications, escalating the severity of the Acrobat Reader flaw CVE-2026-34621 when combined with user interaction.

CVSS-rated fix and APSB26-43 remediation guidance

Adobe addressed the Adobe vulnerability through security updates released under bulletin APSB26-43. Fixed versions include:

  - Acrobat DC and Acrobat Reader DC: 26.001.21411
  - Acrobat 2024: 24.001.30362 (Windows), 24.001.30360 (macOS)

Adobe recommends immediate updating via built-in update mechanisms (Help > Check for Updates) or through managed deployment systems in enterprise environments such as AIP-GPO, SCUP/SCCM, Apple Remote Desktop, or SSH-based workflows on macOS. Full installers are also available through Adobe’s official download channels.

The CVSS scoring for the Adobe vulnerability CVE-2026-34621 was revised on April 12, 2026. The adjustment reduced the attack vector classification from network (AV:N) to local (AV:L), resulting in a revised CVSS score of 8.6. Adobe credited researcher Haifei Li of EXPMON for reporting the issue and coordinating disclosure efforts.
- The Cyber Express Weekly Roundup: Major State Threats, Crypto Attacks, and Legal Gaps by Ashish Khaitan on April 10, 2026 at 12:09 pm

In this week’s roundup, The Cyber Express summarizes key cybersecurity news across state-sponsored attacks, crypto ecosystem breaches, regulatory gaps, and mobile data exposure risks. State-linked groups are focusing on internet infrastructure like routers and DNS for interception and credential theft, while crypto-related actors are exploiting weaknesses in decentralized finance systems and governance layers. Regulatory uncertainty in areas such as online content detection further complicates response efforts. The Cyber Express weekly roundup also notes that even secure messaging systems can leave residual data on devices through OS-level features like notification storage.

The Cyber Express Weekly Roundup

APT28 DNS Hijacking Campaign Disrupted

APT28, a Russian-linked threat group, has been exploiting vulnerable routers to carry out DNS hijacking and adversary-in-the-middle (AITM) attacks. These operations were primarily aimed at intercepting traffic and stealing credentials, with a particular focus on email platforms such as Microsoft Outlook.

EU CSAM Legal Gap Raises New Concerns

The expiration of the EU’s temporary 2021 regulatory framework on April 3, 2026, has created uncertainty around how technology companies can detect and report Child Sexual Abuse Material (CSAM). The framework previously allowed platforms to voluntarily scan private communications using techniques such as hash-matching, a method widely considered essential by investigators for identifying illegal content and tracking offenders.

$285M Drift Protocol Hack Shakes Cybersecurity Landscape

In a major cryptocurrency-related incident, attackers successfully stole $285 million from Drift Protocol on April 1, 2026. Drift Protocol, the largest decentralized perpetual futures exchange on Solana, reportedly lost over half of its total value within just 12 minutes of the breach.

FBI Finds Deleted Signal Data Can Persist in iPhone Systems

A notable finding in this weekly roundup comes from an FBI investigation related to the Prairieland ICE Detention Facility case in Texas. Investigators discovered that deleted Signal messages may still be partially recoverable from iPhones. Importantly, this is not a failure of Signal’s encryption. Instead, the issue stems from how iOS handles notification previews.

Treasury Launches Digital Asset Cybersecurity Initiative

The U.S. Department of the Treasury has launched a Digital Asset Cybersecurity Initiative through its Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). The initiative is designed to strengthen cybersecurity defenses across the cryptocurrency ecosystem.

Weekly Takeaway

This weekly roundup highlights a rapidly diversifying threat landscape, ranging from state-sponsored DNS hijacking campaigns and multimillion-dollar crypto thefts to regulatory uncertainty and mobile data persistence risks. Across all incidents, a consistent pattern emerges: attackers are blending technical exploitation with social engineering, infrastructure compromise, and long-term strategic planning.
- Microsoft Recall Flaw Exposes Decrypted User Data, Researchers Findby Ashish Khaitan on April 10, 2026 at 7:44 am
When Microsoft reintroduced its redesigned Recall feature, security took center stage. The architecture was built around hardened components, including Virtualization-Based Security (VBS) enclaves, AES-256-GCM encryption, Windows Hello authentication, and a Protected Process Light (PPL) host. On paper, this layered approach suggested a tightly sealed system where sensitive data, screenshots, OCR text, and metadata would remain protected at every stage. However, findings from TotalRecall Reloaded reveal that, while the vault itself is secure, the path data that results from decryption raises serious concerns. A Strong Core with a Fragile Edge Recall’s encryption model is technically sound. Data resides inside a secure enclave, with cryptographic keys never leaving its boundary. The use of AES-256-GCM encryption ensures both confidentiality and integrity. But the weakness does not lie in storage; it lies in how decrypted data is handled once it exits the enclave. The process responsible for rendering Recall’s timeline, AIXHost.exe, lacks the protections applied elsewhere. Unlike aihost.exe, which runs under PPL, AIXHost.exe operates without PPL enforcement, AppContainer isolation, or strict code integrity checks. This creates a critical gap where other processes running under the same user account can interact with it. Once a user authenticates through Windows Hello, decrypted Recall data begins flowing through AIXHost.exe. At that moment, the system implicitly trusts everything inside that process, whether legitimate or malicious. How TotalRecall Exploits the Gap TotalRecall Reloaded takes advantage of this trust boundary issue. It uses a classic DLL injection technique to embed itself into AIXHost.exe. The tool consists of two parts: an injector (totalrecall.exe) and a payload DLL (totalrecall_payload.dll). Using standard Windows APIs like CreateToolhelp32Snapshot, VirtualAllocEx, WriteProcessMemory, and LoadLibraryW, injects code into the target process. 
No administrative privileges or kernel exploits are required. The attack relies entirely on user-level permissions and legitimate system functionality. This matters because Windows, by default, allows processes running under the same user to interact freely.

Authentication: Timing Instead of Bypassing

Importantly, TotalRecall Reloaded does not bypass Windows Hello. Instead, it waits for authentication to occur naturally or triggers it indirectly. In “launch” mode, it simulates the Win+J shortcut, prompting the user to authenticate; once the user has authenticated, decrypted data becomes accessible. In “stealth” mode, the tool modifies the DiscardDataAccess function so that access is never revoked after Recall closes; it then waits for normal user activity and begins extraction silently, without triggering another authentication prompt. A third mode, “wait,” simply monitors for Recall activity and acts once authentication occurs.

What Data Gets Extracted

Once embedded, the payload uses Recall’s own internal COM interfaces to extract data. This includes:
- Full-resolution screenshots (PNG format)
- OCR text, including lines and individual words with pixel-level bounding boxes
- Metadata such as application names, URLs, timestamps, and window dimensions
- Named entities such as people, locations, and email addresses
- AI-generated activity descriptions

Recall captures data every few seconds, building a detailed behavioral profile. It stores this in an encrypted SQLite database (ukg.db) protected by AES-256-GCM encryption. Default retention is 90 days with a 75 GB storage limit. The dataset includes everything from browser activity and document edits to terminal commands and messaging conversations, fully indexed and searchable.

Pre-Authentication Concerns

Some functions exposed by Recall do not require Windows Hello authentication at all. For example, GetRecentCaptureThumbnail can return a full-resolution screenshot simply by requesting a large size.
Similarly, IDataStoreManager::DeleteEvents allows complete deletion of the Recall history without authorization checks. Additional metadata, such as storage paths, database size, and capture counts, can also be accessed without authentication.

Microsoft’s design assumes that data remains safe within the enclave and PPL-protected processes. Once decrypted data reaches AIXHost.exe, however, that assumption no longer holds. There is no verification of which code is making requests inside AIXHost.exe: whether it is legitimate UI logic or injected malware, the system treats all requests equally. This effectively ends the trust boundary too early, leaving decrypted data exposed.

Inconsistent Access Controls

Further issues arise from inconsistent COM interface protections. Some methods enforce access restrictions properly, returning errors when accessed without authorization. Others, such as alternate interface versions, allow access to the same data without checks. This inconsistency enables attackers to bypass intended safeguards simply by calling a different interface.

Once Windows Hello authentication is completed, the authenticated state is cached in the PPL-protected aihost.exe for the entire Windows session. Restarting AIXHost.exe does not reset this state. By patching the DiscardDataAccess function, TotalRecall Reloaded ensures that access persists indefinitely. Even after Recall is closed, the tool can reinject itself and continue extracting data without further prompts or user awareness.

The Bigger Picture

Recall’s underlying technologies (VBS enclaves, AES-256-GCM encryption, TPM-backed keys, and Windows Hello) are implemented correctly. The issue is not cryptographic weakness or flawed authentication; it is the decision to pass decrypted data into a process that lacks equivalent protections. In simple terms, the vault is secure, but once opened, its contents are left unguarded.
This research was submitted to the Microsoft Security Response Center (MSRC) on March 6, 2026. After review, the case (109586) was closed on April 3, 2026, as “Not a Vulnerability.” Microsoft stated that the observed behavior aligns with the system’s documented security design.

Tested Environment
- OS: Windows 11 25H2 (Build 26300.8155)
- Architecture: ARM64
- AIXHost.exe version: 2126.7602.0.0
- Privilege level: Standard user (medium integrity, no elevation)
- GitLab Security Update Fixes High-Severity CVE-2026-5173, 11 Other Flaws, by Ashish Khaitan on April 10, 2026 at 6:29 am
GitLab has rolled out a major security update to address a series of vulnerabilities affecting both its Community Edition (CE) and Enterprise Edition (EE). The update resolves multiple flaws, including high-severity issues that could be exploited to disrupt services or gain unintended access to system functionality.

This update is particularly critical for organizations running self-managed GitLab environments, where administrators are responsible for applying patches and maintaining system security. Delaying deployment could leave systems exposed to known threats, including CVE-2026-5173. The patch release not only strengthens access controls but also mitigates risks tied to denial-of-service attacks, data exposure, and improper authorization checks. GitLab is therefore strongly urging all affected users to upgrade to the latest versions immediately.

Critical GitLab Security Update Targets High-Severity Flaws

The GitLab security update covers a high-severity vulnerability tracked as CVE-2026-5173, which affects websocket connections. The flaw could allow an authenticated attacker to bypass access controls and invoke unintended server-side methods. With a CVSS score of 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), the issue represents a serious risk to affected environments. The vulnerability was discovered internally by GitLab team member Simon Tomlinson. It affects GitLab CE/EE versions from 16.9.6 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. The latest security patch resolves this issue along with several others.

Patch Releases and Affected Versions

The GitLab security update includes patched versions 18.10.3, 18.9.5, and 18.8.9.
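The affected ranges stated above, turned into a check an administrator can run over an inventory of self-managed instances. This is an added example, not GitLab's own tooling: it parses a version string (including the -ce/-ee suffix GitLab packages carry), tests it against the three ranges from the advisory, and names the patched release to move to. The version strings it is run against are constructed input.

```python
"""Affected-version check for CVE-2026-5173 on self-managed GitLab.

Added example, not GitLab's own tooling.  The affected ranges and fixed
releases are the ones the advisory text above states; every version string
fed to it is constructed test input.
"""
from __future__ import annotations

import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as half-open intervals [lower, upper):
#   16.9.6 <= v < 18.8.9,  18.9.0 <= v < 18.9.5,  18.10.0 <= v < 18.10.3
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((16, 9, 6), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
]

# Patched releases named in the advisory.
FIXED_VERSIONS: List[Version] = [(18, 8, 9), (18, 9, 5), (18, 10, 3)]

# Accepts "18.10.2", "v18.9.4" and "18.8.8-ee" (GitLab's own version field
# carries a -ce/-ee suffix); anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> Optional[str]:
    """Smallest fixed release newer than the given version, or None when the
    version is outside the affected ranges (already patched or never affected)."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    # An affected version is always below 18.10.3, so this never runs empty.
    target = min(f for f in FIXED_VERSIONS if f > v)
    return ".".join(str(part) for part in target)


def report(text: str) -> str:
    """One-line verdict suitable for a fleet inventory script."""
    upgrade = recommended_upgrade(text)
    if upgrade is None:
        return f"{text}: not in the affected ranges for CVE-2026-5173"
    return f"{text}: AFFECTED by CVE-2026-5173, upgrade to {upgrade}"


if __name__ == "__main__":
    # Constructed inventory of version strings, not real hosts.
    for candidate in ["18.10.2", "18.9.5", "17.4.1-ee", "v16.9.5", "18.11.0"]:
        print(report(candidate))
```

The version string of a self-managed instance can be read from its `/api/v4/version` endpoint (the `version` field, which includes the `-ee` suffix on Enterprise Edition) and passed straight to `report()`. Note that the ranges are half-open: 18.9.5 itself is a fixed release and is reported as not affected, while 18.10.2, a version number GitLab skipped, still falls inside the 18.10 range.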
According to the official release statement: “Today, we are releasing versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.” GitLab confirmed that users of GitLab.com and GitLab Dedicated are already protected and do not need to take action.

Twelve Vulnerabilities Addressed

This GitLab security update resolves a total of twelve vulnerabilities, ranging from high to low severity. Alongside CVE-2026-5173, several denial-of-service (DoS) vulnerabilities were identified:
- CVE-2026-1092: A DoS issue in the Terraform state lock API caused by improper JSON validation (CVSS 7.5).
- CVE-2025-12664: A DoS vulnerability in the GraphQL API that could be triggered through repeated queries (CVSS 7.5).
- CVE-2026-1403: A CSV import flaw allowing authenticated users to disrupt Sidekiq workers (CVSS 6.5).
- CVE-2026-1101: A GraphQL SBOM API issue affecting GitLab EE, also enabling DoS attacks (CVSS 6.5).

In addition, multiple medium-severity flaws were patched:
- CVE-2026-1516: A code injection issue in Code Quality reports that could expose user IP addresses (CVSS 5.7).
- CVE-2026-4332: A cross-site scripting vulnerability in analytics dashboards (CVSS 5.4).
- CVE-2026-2619: Incorrect authorization in the vulnerability flags AI detection API (CVSS 4.3).
- CVE-2025-9484: Information disclosure via GraphQL queries (CVSS 4.3).
- CVE-2026-1752: Improper access control in the Environments API (CVSS 4.3).
- CVE-2026-2104: Information disclosure through CSV export (CVSS 4.3).

A low-severity issue, CVE-2026-4916, was also addressed, involving missing authorization checks in custom role permissions (CVSS 2.7).
Many of these vulnerabilities were reported through GitLab’s HackerOne bug bounty program, with contributions from researchers including a92847865, foxribeye, sim4n6, maksyche, go7f0, and others.

Bug Fixes and Stability Improvements

Beyond the security fixes, the update includes a wide range of bug fixes across all three versions. These address issues such as failed Git operations for deploy keys on Geo sites, performance optimizations in migration helpers, and compatibility fixes for Amazon Linux 2023. Other fixes resolve flaky test cases, improve dependency proxy access, and address regressions in project archiving and deletion workflows. Together, they aim to improve overall platform stability alongside the security patch.

Upgrade Guidance and Deployment Notes

GitLab emphasized that no new migrations are included in these releases, so multi-node deployments should not require downtime. However, by default, Omnibus packages will stop services, run migrations, and restart during upgrades unless configured otherwise via the /etc/gitlab/skip-auto-reconfigure file. The company also noted that certain package builds, such as SLES 12.5 for versions 18.10.3 and 18.9.5, are not included in this release. Additionally, GitLab confirmed that version numbers 18.10.2, 18.9.4, and 18.8.8 were skipped, with no patches issued under those versions.
- Russian Hackers Exploit SOHO Routers for DNS Hijacking Campaign, by Ashish Khaitan on April 9, 2026 at 11:55 am
The rise of SOHO router compromise campaigns has exposed a critical weakness in global network security, particularly as threat actors such as Forest Blizzard continue to exploit poorly secured home and small-office devices. According to security researchers, this Russia-linked group has been systematically targeting vulnerable routers since at least August 2025, turning them into covert infrastructure for surveillance and follow-on cyberattacks.

Forest Blizzard and the Expanding SOHO Router Compromise Campaign

Forest Blizzard, a threat actor associated with Russian military intelligence and tracked in part as Storm-2754, has conducted widespread exploitation of SOHO devices. By compromising SOHO routers, the group has hijacked Domain Name System (DNS) requests, allowing it to passively monitor and collect network traffic at scale. Microsoft identified more than 200 organizations and over 5,000 consumer devices affected by this malicious DNS infrastructure. Notably, telemetry showed no compromise of Microsoft-owned systems. However, the breadth of affected networks highlights the campaign’s reach and the effectiveness of targeting edge devices that often lack strong monitoring or security controls.

For actors like Forest Blizzard, DNS hijacking provides persistent, low-visibility access to sensitive data flows. By positioning themselves upstream of enterprise environments, attackers can observe and potentially manipulate traffic without directly breaching corporate systems.

How SOHO Router Compromise Leads to DNS Hijacking

After gaining access to vulnerable routers, Forest Blizzard alters their default configurations to use attacker-controlled DNS resolvers. This causes connected devices to unknowingly send DNS queries to malicious servers. Most endpoint devices rely on routers for network configuration via the Dynamic Host Configuration Protocol (DHCP).
Once a router is compromised, all connected devices inherit the malicious DNS settings. This makes SOHO router compromise an efficient and scalable attack vector. The group is believed to use the legitimate dnsmasq utility to handle DNS queries. While dnsmasq is commonly used in home networking for DNS forwarding and DHCP services, in this context it lets attackers intercept, log, and respond to DNS requests while maintaining the appearance of normal operation.

Forest Blizzard’s Use of Adversary-in-the-Middle Attacks

Beyond passive surveillance, Forest Blizzard has extended its SOHO router compromise operations to support adversary-in-the-middle (AiTM) attacks. These attacks specifically target Transport Layer Security (TLS) connections, enabling interception of sensitive communications. In most cases, DNS traffic is transparently proxied, allowing users to connect to legitimate services without disruption. However, in select high-value scenarios, the attackers spoof DNS responses for targeted domains, redirecting victims to infrastructure controlled by Forest Blizzard. Once redirected, victims may encounter invalid TLS certificates mimicking legitimate services such as Outlook on the web. If users ignore the certificate warnings, attackers can intercept plaintext data from within the encrypted session, which may include emails and other sensitive cloud-hosted content.

Researchers observed two notable AiTM scenarios:
- Attacks on Microsoft 365 domains, particularly Outlook on the web.
- Targeted operations against government servers in at least three African countries, where DNS interception enabled further data collection.

Mitigation Strategies Against Forest Blizzard Threats

To counter risks associated with SOHO router compromise, researchers recommend several defensive measures.
For DNS protection, organizations should enforce domain-based access controls using Zero Trust DNS (ZTDNS), block malicious domains, and maintain detailed DNS logs to detect anomalies. Enabling network and web protection features in Microsoft Defender for Endpoint further strengthens defenses.

Equally critical is identity security. Centralizing identity management, enforcing multifactor authentication (MFA), and applying Conditional Access policies can reduce the impact of credential theft from AiTM attacks. Adopting passwordless solutions such as passkeys and restricting authentication to trusted devices and locations is also advised.
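The recommendation above to keep detailed DNS logs and look for anomalies, worked through as an added example that is not part of the original report or any vendor product. It applies two checks to a resolver log: a client answered by a resolver outside the approved set (what a router handing out attacker resolvers over DHCP looks like from the enterprise side), and an A record for a watched domain falling outside its expected address ranges (what a spoofed response for a targeted domain looks like). The log format, the resolver addresses, the watched-domain ranges, and the sample lines are all constructed placeholders, not real infrastructure.

```python
"""Detect the two DNS-hijacking symptoms described above in resolver logs.

Added example for illustration, not Microsoft's or any vendor's detection
logic.  The log format, the approved resolvers and every address below are
constructed for this example (RFC 5737 documentation ranges), so nothing here
refers to real infrastructure.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Resolvers managed clients are supposed to use (constructed).  A compromised
# router pushing a different resolver over DHCP shows up as a mismatch here.
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

# Watched names and the ranges their A-record answers must fall in.
# Placeholder ranges: a real deployment would load the provider's published
# address ranges for a service such as Outlook on the web.
EXPECTED_RANGES: Dict[str, List[ipaddress.IPv4Network]] = {
    "outlook.office.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# One record per line, in a simplified key=value format constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+resolver=(?P<resolver>\S+)\s+"
    r"qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)\s+answer=(?P<answer>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None for blank or malformed lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: the client was answered by a resolver the organisation does not run.
        if rec["resolver"] not in APPROVED_RESOLVERS:
            findings.append(Finding(rec["ts"], rec["client"], "UNAPPROVED_RESOLVER",
                                    f"{rec['qname']} answered by {rec['resolver']}"))
        # Rule 2: a watched name resolved outside its expected ranges, the
        # signature of a spoofed response for a targeted domain.
        qname = rec["qname"].rstrip(".").lower()
        ranges = EXPECTED_RANGES.get(qname)
        if ranges and rec["qtype"].upper() == "A":
            try:
                addr = ipaddress.ip_address(rec["answer"])
            except ValueError:
                continue  # answer is not an address (e.g. NXDOMAIN); nothing to compare
            if not any(addr in net for net in ranges):
                findings.append(Finding(rec["ts"], rec["client"], "ANSWER_OUT_OF_RANGE",
                                        f"{qname} -> {addr} not in expected ranges"))
    return findings


def affected_clients(findings: Iterable[Finding]) -> Set[str]:
    """Clients worth isolating or inspecting, one entry per address."""
    return {f.client for f in findings}


# Constructed sample log: the first two lines are a healthy client; the next two
# are a client whose router now points it at 192.168.1.1 and which receives a
# spoofed answer for the watched name; the last line is noise to be skipped.
SAMPLE_LOG = """\
2026-04-09T10:00:01Z client=10.0.0.12 resolver=10.0.0.53 qname=outlook.office.com qtype=A answer=198.51.100.25
2026-04-09T10:00:02Z client=10.0.0.12 resolver=10.0.0.53 qname=www.example.com qtype=A answer=198.51.100.80
2026-04-09T10:05:10Z client=10.0.0.40 resolver=192.168.1.1 qname=outlook.office.com qtype=A answer=203.0.113.7
2026-04-09T10:05:11Z client=10.0.0.40 resolver=192.168.1.1 qname=www.example.com qtype=A answer=198.51.100.80
malformed line that the parser must skip
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.client} {f.rule}: {f.detail}")
```

Rule 1 on its own catches the transparent-proxy case the article describes, where answers still look correct but arrive from the wrong place; rule 2 only fires on the selective spoofing, which is why both are kept. In practice the approved-resolver set comes from the DHCP configuration the organisation controls, and the expected ranges from the provider's published address lists rather than the placeholders used here.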