
Coverage: Last 24 hours
Today’s Highlights
Signs of increasingly effective exploitation of identity, critical flaws in endpoint and kernel infrastructure, and supply chain attacks should compel defenders to revisit their patch management, CI/CD secrets handling, and zero trust controls. This cycle included confirmed real-world impact from credential abuse, incomplete vendor patching, and attackers using commodity anonymization services. Supply chain hygiene and access revocation discipline remain recurring weak points, while defenders must also track old kernel flaws that resurface. Prioritize patching, audit MFA bypass scenarios, and review all unrotated credentials in CI/CD and cloud environments.
Table of Contents
- Police seize “First VPN” service used in ransomware, data theft attacks
- Flipper One project needs community help to build open Linux platform
- Hackers bypass SonicWall VPN MFA due to incomplete patching
- Grafana breach caused by missed token rotation after TanStack attack
- Identity Alone Isn’t Enough: Why Device Security Has to Share the Load
- Microsoft warns of new Defender zero-days exploited in attacks
- ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
- When Identity is the Attack Path
- 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Top Stories
Police seize “First VPN” service used in ransomware, data theft attacks
Source: BleepingComputer | Risk: Medium | Impacted: SOC teams responding to ransomware, Network defenders monitoring VPN traffic, Investigators tracking historical attack infrastructure
Summary: International law enforcement agencies, coordinated by Europol, seized the servers and infrastructure of a VPN service known as “First VPN” that was being used by ransomware groups and other cybercriminals to anonymize attacks, including ransomware and data theft, effectively shutting down the service.
Why it matters: Removal of this anonymization service raises the barrier for financially motivated intrusions, decreasing attacker operational security and potentially exposing past activity and infrastructure.
Practitioner Perspective
Threat groups leveraging VPN services like First VPN undermine investigation, attribution, and timely blocking. The takedown may disrupt some active threat actor campaigns, but expect adversaries to rapidly pivot to alternative infrastructure or double up on evasion. Use any law enforcement-provided indicators or sinkholed addresses to retrospectively hunt for related C2 traffic and login attempts. The most pragmatic action is to monitor for a surge in new VPN endpoints and proactively update blocklists and detection logic.
Recommended Actions
- Ingest IP and domain IoCs released via Europol or local law enforcement tied to First VPN
- Retrospectively analyze perimeter traffic for beaconing or credential use to First VPN infrastructure
Flipper One project needs community help to build open Linux platform
Source: BleepingComputer | Risk: Medium | Impacted: OT and IoT operators, Wireless network admins, Red and blue teams monitoring physical ingress, MSSPs watching for asset enumeration attempts
Summary: Flipper Devices has launched the Flipper One project, a Linux-based ARM platform built around a Rockchip RK3576 CPU and RP2350 microcontroller, designed for networking, SDR, AI and hardware experimentation. Development remains early-stage with various technical challenges, and the company is asking engineers and enthusiasts to contribute to hardware, software, firmware and documentation.
Why it matters: Open, extensible hardware platforms lower the barrier to hands-on hardware hacking and may accelerate proliferation of affordable, customizable attack tools.
Practitioner Perspective
Security teams should anticipate Flipper One democratizing the development and distribution of offensive tooling that can interact with networking, wireless, SDR, and embedded targets. While it’s not inherently malicious, attackers will likely exploit its flexibility for both local and remote access attacks. Evaluate the threat this poses to physical and wireless assets, and ensure security awareness addresses social engineering and hardware-based intrusions. Consider threat modeling for environments where rogue or modifiable devices can bypass controls.
Recommended Actions
- Develop and deliver security awareness training on the risks posed by Flipper One and similar open platforms
- Implement asset detection and rogue device discovery on wireless and local networks
Hackers bypass SonicWall VPN MFA due to incomplete patching
Source: BleepingComputer | Risk: High | Impacted: Organizations relying on SonicWall Gen6 SSL-VPN, Remote access admins, Incident response teams handling VPN breach alerts
Summary: Threat actors exploited SonicWall Gen6 SSL‑VPN appliances by brute‑forcing credentials and bypassing multi‑factor authentication due to incomplete patching, enabling rapid internal access despite firmware being updated.
Why it matters: Even after patching, VPN appliances with inconsistently applied updates can be bypassed by attackers targeting authentication workflows, exposing internal assets to credential stuffing and brute force.
Practitioner Perspective
Enterprises using SonicWall Gen6 SSL-VPN remain at significant risk if patch management workflows do not account for firmware update gaps or partially applied fixes. Attackers are specifically targeting authentication flows to bypass MFA and enable lateral movement. Security teams cannot rely on patch status indicators alone and must validate end-to-end MFA enforcement. Periodic credential rotation and brute force monitoring are essential for these devices. The most critical step is to independently verify successful update rollout and authentication resilience.
Recommended Actions
- Validate firmware version and MFA state on all SonicWall Gen6 SSL-VPN appliances, not just patch management consoles
- Test for successful MFA enforcement post-update using real-world attack scenarios (credential stuffing, replay)
Grafana breach caused by missed token rotation after TanStack attack
Source: BleepingComputer | Risk: Medium | Impacted: DevOps and CI/CD pipeline operators, Teams consuming npm dependencies, Organizations automating via GitHub Actions
Summary: Grafana’s breach stemmed from a failure to rotate a GitHub workflow token following the TanStack ‘Mini Shai‑Hulud’ npm supply‑chain attack. When Grafana’s CI/CD pipeline consumed a compromised TanStack package, malware exfiltrated tokens, one of which wasn’t rotated and allowed attackers to access private repositories and download source code. No customer or production systems were affected.
Why it matters: Unrotated secrets following supply chain incidents can give attackers prolonged access to sensitive development resources, bypassing traditional network controls.
Practitioner Perspective
Grafana’s failure to rotate workflow tokens after the TanStack npm compromise is proof that organizations must treat third-party dependency events as credential breach scenarios. CI/CD pipeline tokens, especially those consumed by GitHub workflows, are high-value targets and often overlooked in the incident response process. Security teams must establish strict protocols for immediate secret rotation after any upstream compromise. The most important takeaway: never trust that supply chain remediation is complete until all access tokens are confirmed replaced.
Recommended Actions
- Inventory and rotate all GitHub workflow tokens following upstream npm or TanStack package compromises
- Audit access logs to GitHub private repositories for anomalous downloads after secret leakage events
Identity Alone Isn’t Enough: Why Device Security Has to Share the Load
Source: BleepingComputer | Risk: Medium | Impacted: Hybrid and remote workforces, SaaS environment admins, Identity and access management teams
Summary: The article, published May 20, 2026, argues that relying solely on identity verification is insufficient for cybersecurity, especially in environments with SaaS, BYOD, and hybrid work. It explains how attackers can bypass multi-factor authentication and session tokens via phishing kits, and advocates for continuous device posture checks alongside identity to ensure access is granted only from trusted, healthy endpoints.
Why it matters: Attackers routinely defeat identity-based defenses by targeting session tokens and phishing for MFA codes, making device trust and posture checks critical for preventing unauthorized access.
Practitioner Perspective
Identity-first approaches are exploitable due to frequent abuse of token theft and MFA-bypass phishing kits, especially in distributed, hybrid, and BYOD-heavy organizations. Without validated device security, even strong credentials mean little, adversaries leverage compromised endpoints to inherit trust. Defenders must extend risk analysis beyond the identity to the posture and health of every accessing device. The primary focus should be real-time assessment of device hygiene, not just who the user claims to be.
Recommended Actions
- Enable and enforce device posture and compliance checks in Zero Trust and conditional access policies (Azure AD, Okta, Google Workspace)
- Audit authentication logs for active session token reuse and suspicious device fingerprints
Emerging Signals
When Identity is the Attack Path
Source: The Hacker News | Risk: Medium | Impacted: Cloud administrators, IAM engineers, Incident response teams
Summary: A cached AWS access key stored on a standard Windows machine, configured normally and without policy violations, could have allowed an attacker to access approximately 98 percent of a company’s cloud resources. The article underscores how identity, via credentials and permissions, has become a primary attack vector, with chains of privileges across hybrid environments enabling attackers to progress from minor footholds to critical assets.
Why it matters: Theft and lateral movement via cloud credentials challenge assumptions that well-formed device images and standard roles are sufficiently secure.
Practitioner Perspective
Security teams must adopt least-privilege and rapid credential revocation, treating every local credential as a potential pathway to enterprise-wide compromise. Prioritize risk assessments on cloud connected desktops and servers, routinely scanning for stored secrets that would allow privilege chains to materialize after initial access.
Recommended Actions
- Scan Windows and endpoint machines for unencrypted or mismanaged cloud credentials (focused on AWS, Azure, GCP)
- Implement automated detection and alerting on anomalous cloud role assumption events
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Source: The Hacker News | Risk: High | Impacted: Linux systems (Debian, Fedora, Ubuntu), Cloud server operators, OT/ICS deployments relying on Linux
Summary: Cybersecurity researchers revealed a nine‑year‑old logic flaw in the Linux kernel’s __ptrace_may_access() function (CVE‑2026‑46333) that allows unprivileged local users to disclose sensitive files and execute arbitrary root commands on major distributions such as Debian, Fedora, and Ubuntu. The vulnerability, nicknamed ssh‑keysign‑pwn, was introduced in November 2016, and patches are being released.
Why it matters: Unpatched Linux systems remain vulnerable for years due to legacy flaws, enabling attackers to escalate privileges and compromise critical assets in both enterprise and OT environments.
Practitioner Perspective
CVE-2026-46333, an old but only recently revealed vulnerability in __ptrace_may_access(), puts major Linux distributions at risk of local root compromise. These flaws persist mainly because older images are not updated or due to inertia in patching ‘stable’ systems. Attackers can use even limited access on a host to exploit this for root control. The primary concern is rapid patch deployment and restricting local access to production and OT/ICS systems where kernel upgrades are less routine.
Recommended Actions
- Apply vendor patches for CVE-2026-46333 on all affected Linux systems, including containers and VMs
- Audit for local user or service accounts with shell access who could leverage ptrace-related exploits
Exploits & CVEs
Microsoft warns of new Defender zero-days exploited in attacks
Source: BleepingComputer | Risk: High | Impacted: Windows environments using Microsoft Defender, SOC teams monitoring EDR logs, Organizations with compliance baselines around Defender
Summary: Microsoft has released security updates for two actively exploited Defender zero-day flaws: CVE‑2026‑41091, a privilege escalation bug in the Malware Protection Engine that allows attackers to gain SYSTEM access, and CVE‑2026‑45498, which enables denial-of-service on vulnerable systems. CISA has added both to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 3, 2026.
Why it matters: Active exploitation of endpoint security software vulnerabilities can neutralize core detection capabilities, increasing the likelihood that attackers gain persistence and privilege on managed endpoints.
Practitioner Perspective
CVE-2026-41091 and CVE-2026-45498 are being exploited in the wild; these flaws allow privilege escalation and service denial against the Microsoft Defender Malware Protection Engine. Organizations running Defender must respond urgently, failure to patch could let malware bypass or disable defenses at scale. The security risk is especially acute on systems where Defender is relied upon as the sole anti-malware tool. Immediate remediation is non-negotiable to prevent systemic bypass of endpoint controls.
Recommended Actions
- Deploy Microsoft’s emergency patches for CVE-2026-41091 and CVE-2026-45498 to all endpoints running Defender Malware Protection Engine
- Query EDR/XDR telemetry for SYSTEM-level process activity tied to Defender binaries as potential exploitation evidence
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
Source: The Hacker News | Risk: Medium | Impacted: Security Operations Centers, Telecom providers, Latin American organizations, Web developers, Financial institutions
Summary: The article provides a weekly cybersecurity roundup highlighting 30 notable events, including the resurgence of the Linux OrBit rootkit, an unpatched Huawei router zero‑day causing a telecom outage in Luxembourg, rising AI‑driven intrusions against Latin American targets, a Composer token leak, and new scams involving scam kits, fake apps, phishing, and a massive dump of stolen credit cards.
Why it matters: A range of threat vectors are increasing, including legacy Linux malware, telecom router zero-days, and commodity scam kits, requiring defenders to maintain broad visibility and prioritize based on exposure.
Practitioner Perspective
SOC analysts and defenders should incorporate legacy Linux malware and router zero-day monitoring into threat models, prioritize patching exposed telecom infrastructure, and watch for surges in phishing and scam kits tied to financial fraud.
Recommended Actions
- Monitor for Linux OrBit rootkit activity on high-risk servers
- Track IoCs related to Huawei router vulnerability if used in regional infrastructure
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Source: The Hacker News | Risk: High | Impacted: Windows Defender users, EDR/SOC defenders, Federal agencies
Summary: Microsoft disclosed that two vulnerabilities in Defender, a privilege‑escalation flaw (CVE‑2026‑41091, CVSS 7.8) allowing SYSTEM access and a denial‑of‑service flaw (CVE‑2026‑45498, CVSS 4.0), are being actively exploited. Both issues have been fixed in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, and are listed in CISA’s Known Exploited Vulnerabilities catalog with a June 3, 2026 patch deadline for federal agencies.
Why it matters: These vulnerabilities in security products themselves open up opportunities for attackers who can bypass or disable endpoint protection altogether.
Practitioner Perspective
EDR/SOC teams must move quickly to verify Defender patch levels everywhere in fleet, as these vulnerabilities could allow attackers to fully control endpoint response and security monitoring, increasing blast radius in incident scenarios.
Recommended Actions
- Confirm Defender Antimalware Platform is updated to at least version 1.1.26040.8 or 4.18.26040.7 on all assets
- Use vulnerability scanning to close gaps against CISA’s Known Exploited Vulnerabilities list
Defensive Actions
- Apply Microsoft’s emergency patches for CVE-2026-41091 and CVE-2026-45498 to all Defender endpoints and validate via CISA’s KEV catalog.
- Audit, inventory, and rotate all CI/CD and GitHub workflow tokens downstream of npm/Supply chain incidents like TanStack and Grafana.
- Scan for stored, unencrypted cloud access credentials on endpoints and revoke any found; automate alerts for suspicious role assumptions.
- Enable device posture checks in Zero Trust/conditional access policies (Azure AD, Okta, Google Workspace), and monitor session token activity for compromise.
- Independently verify successful firmware update and enforce full MFA on all SonicWall Gen6 SSL-VPN appliances; simulate credential-stuffing and brute force post-update.
- Deploy asset discovery/rogue device detection to identify unauthorized Flipper One and similar platforms on your networks.
- Monitor for IoCs, domains, and traffic linked to First VPN infrastructure released by Europol; block and hunt accordingly.
- Prioritize urgent patching for CVE-2026-46333 across all Linux systems, especially in OT/ICS and cloud deployments.
- Educate staff and users about MFA-bypass phishing kits and token theft risks in SaaS, hybrid, and remote work settings.
- Review access logs and rotate secrets or passwords for any systems or services impacted by supply-chain attacks or that lack post-event credential rotation.
What We’re Watching
- Ongoing patch adoption for Defender zero-days and old Linux kernel flaws across enterprise fleets
- Adjustments in attacker infrastructure after the takedown of First VPN
- New exploit modules for emerging platforms like Flipper One
- Organizational follow-through on token rotation and identity/device parity in security policies
- Trends in MFA bypass and privilege escalation attacks against VPNs and cloud infrastructure
Categories: Cybersecurity Blog, Cybersecurity News
Leave a comment