
Coverage: Last 24 hours
Today’s Highlights
Active exploitation, abuse of cloud and SaaS platforms, and a surge in AI-enabled threats underscore an attack landscape where attacker speed and tool diversity are accelerating. Defenders must prioritize rapid patching, third-party risk monitoring, and hardened credential hygiene to minimize both technical and human factors that attackers now target. Ongoing themes include the exploitation of high-severity vulnerabilities, cloud service misuse for command and control, proliferation of phishing scams using low-cost frameworks, and the future impact of quantum computing on sensitive data security.
Table of Contents
- New Controller Flaws Expose Highway Signs and Billboards to Remote Hacking
- WhatsApp Rolling Out Username Feature to Bolster Phone Number Privacy
- Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
- Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input
- WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private
- Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
- Why Post-Quantum Cryptography Starts With Credentials
Top Stories
New Controller Flaws Expose Highway Signs and Billboards to Remote Hacking
Source: SecurityWeek | Risk: High | Impacted: DOTs and municipal transit authorities, Daktronics controller operators, Critical infrastructure with networked signage
Summary: CISA has published an advisory to inform organizations about three vulnerabilities found by a researcher in Daktronics controllers.
Why it matters: Flaws in digital sign controllers may allow attackers to manipulate operational technology, disrupt public messaging, or stage social engineering attacks through altered highway infrastructure.
Practitioner Perspective
Municipal and transportation operators with Daktronics hardware must regard any externally exposed controller as a high-value target. Attacker control of highway signs poses both safety and reputational risk, particularly in concert with physical or hybrid campaigns. While CISA advisories offer mitigation guidance, most environments lack dedicated OT patch management processes. Failing to isolate or patch these controllers exposes organizations to adversarial messaging, traffic disruptions, or incident response resource drain. OT and IT must coordinate closely given rising convergence.
Recommended Actions
- Apply patches or mitigations recommended by CISA for affected Daktronics sign and billboard controllers
- Segment controller networks from IT or internet-facing subnets using firewall or air-gap architectures
WhatsApp Rolling Out Username Feature to Bolster Phone Number Privacy
Source: SecurityWeek | Risk: Medium | Impacted: Organizations using WhatsApp as official or customer communication, Individuals with high-risk or public relationships tied to WhatsApp, IT/security teams overseeing messaging compliance
Summary: An optional ‘username key’ adds another layer by requiring a secondary credential before someone can message users.
Why it matters: The shift to username-based authentication changes the vector landscape for contact discovery and user profiling, with important implications for the exposure of organization-linked accounts.
Practitioner Perspective
Organizations leveraging WhatsApp in regulated or public-facing roles need to monitor for evolving impersonation scenarios enabled by the new username system. Adoption of secondary credentials adds security but introduces a fresh layer for verification and possible social engineering. Any automated onboarding or communication workflows that rely on phone numbers must be refactored. Security awareness content should explain the limits and caveats of the privacy provided by usernames. Defensive controls around messaging channels must be updated to reflect this fundamental change in identity anchoring.
Recommended Actions
- Revise contact discovery and vetting processes to accommodate username-based messaging in WhatsApp
- Instruct staff to enable and secure username feature upon availability
Emerging Signals
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input
Source: The Hacker News | Risk: High | Impacted: Organizations allowing unmanaged Chrome extensions, Users of Perplexity or similar AI browser add-ons, Chrome browser fleets in enterprise
Summary: Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Microsoft says Google removed it from the store after responsible disclosure. The extension was called “
Why it matters: Malicious browser extensions masquerading as legitimate AI tools can silently siphon corporate search and browsing data, increasing the risk of credential leakage and business intelligence loss.
Practitioner Perspective
Organizations permitting unsanctioned Chrome extensions face elevated risk as attackers now mimic trusted AI brands to exfiltrate sensitive data through the browser. Enterprise traffic, passwords, and cloud app credentials can all be exposed when extension vetting is weak. This event underscores the need for strict extension allow/disallow lists, particularly for tools claiming AI integration where risk appetite is not justified by business need. Even after removal from the Chrome Web Store, pre-existing installs may persist inside organizations and require explicit cleaning. Monitor for data egress to unfamiliar domains, especially from AI-themed browser add-ons.
Recommended Actions
- Audit Chrome extension inventory for the Perplexity-branded malicious extension and remove it from all endpoints
- Enforce enterprise extension allowlisting in managed Chrome environments
WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private
Source: The Hacker News | Risk: Medium | Impacted: WhatsApp enterprise users, High-profile or public-facing employees, Organizations with WhatsApp-driven alerting
Summary: WhatsApp on Monday officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three billion users on the messaging platform. The optional feature is designed to help users connect with someone on the service through usernames, as opposed to directly sharing their phone numbers. Username reservations will start rolling out starting
Why it matters: Alternative identity features in major messaging platforms can alter the risk surface for social engineering, impersonation, and user privacy, depending on how identities are managed and discovered.
Practitioner Perspective
WhatsApp’s move away from using phone numbers as the primary identifier addresses bulk harvesting and narrows some phishing lures dependent on exposed numbers. However, the adoption of usernames could enable new enumeration or targeted attack vectors unless directory access is properly governed. Organizations using WhatsApp for business or executive communications should adapt user privacy awareness training to emphasize username security, not just phone number hygiene. Monitoring for anomalous invite or contact requests remains important. User provisioning and HR onboarding should refresh any use of WhatsApp as an official channel.
Recommended Actions
- Review WhatsApp username reservation policies for organizational accounts
- Update training materials to cover username privacy and new impersonation risks
Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
Source: The Hacker News | Risk: High | Impacted: Government endpoints using Zoho SaaS, Organizations with open cloud storage policies, Critical infrastructure with SaaS integration
Summary: The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with
Why it matters: Espionage groups co-opting trusted SaaS cloud storage like Zoho WorkDrive for C2 operations complicate network visibility and increase dwell time for targeted organizations, making detection far less straightforward.
Practitioner Perspective
Targeted organizations in government or critical infrastructure are facing campaigns where legitimate SaaS tools are subverted as covert command channels, undermining perimeter controls and traffic analytics. Blocking by domain or broad SaaS restriction is no longer viable when platforms like Zoho WorkDrive remain business-critical. Defenders need context-aware monitoring of cloud API and storage usage, focusing on abnormal access or file workflow. MITRE ATT&CK T1567 (Exfiltration Over Web Service) is a growing pattern in sophisticated campaigns. Assume that attacker C2 may now blend perfectly with sanctioned productivity traffic.
Recommended Actions
- Monitor Zoho WorkDrive API logs for unauthorized or anomalous access and file transfer events
- Restrict third-party OAuth and API token creation for Zoho cloud services
Why Post-Quantum Cryptography Starts With Credentials
Source: The Hacker News | Risk: Medium | Impacted: Industries requiring long-term data confidentiality, Credential management teams, Organizations using RSA or ECC public key cryptography
Summary: Today’s encrypted data, such as credentials, may no longer remain confidential in the future because the public-key cryptography protecting it will soon be broken by quantum computers. Although no machine today can break elliptic curve cryptography or RSA, quantum hardware is advancing rapidly and will inevitably change how organizations protect their data. Ciphertext and credentials captured by
Why it matters: Data and credentials being stolen now may be decrypted in the future with quantum advances, making forward secrecy and quantum-resilient credential strategies a necessity for sensitive data holders.
Practitioner Perspective
Organizations holding sensitive, regulatory, or long-lifetime data face a future decryption risk from attackers who stockpile encrypted material today. Post-quantum cryptography is not an academic concern but an operational planning gap, especially for industries obliged to keep secrets safe for years to come. Inventory of algorithms in use and mapping of exposed secrets should be started ahead of regulatory compulsion. Insider risk grows as tools for quantum decryption develop outside state control. Proactivity now is cheaper than existential risk later.
Recommended Actions
- Initiate a review of all credential types and storage mechanisms for quantum vulnerability
- Prioritize post-quantum cryptography pilots for critical secrets and future-proof root of trust
Exploits & CVEs
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
Source: The Hacker News | Risk: Critical | Impacted: Oracle E-Business Suite customers, Payment integrations with Oracle, ERP backends using Oracle Payments
Summary: A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be abused to take over susceptible instances. “Easily exploitable vulnerability allows
Why it matters: Actively exploited privilege escalation flaws in Oracle E-Business Suite create direct financial fraud risk and business continuity threats where Oracle Payments modules are internet-accessible or integrated with critical backend systems.
Practitioner Perspective
Organizations running Oracle E-Business Suite, especially those exposing Oracle Payments to external networks or lacking strong segmentation, are directly exposed to takeover. Exploitation of CVE-2026-46817 could enable unauthorized wire transfers, data exfiltration, or further lateral movement. The exploitation in the wild should reshape patch management priorities and trigger urgent detection and response planning. Network controls and application hardening for Oracle modules are non-optional for any system processing sensitive financial or HR data. The window for cleanup is slim once active exploitation is observed.
Recommended Actions
- Immediately apply the Oracle patch for CVE-2026-46817 to all E-Business Suite and Oracle Payments deployments
- Isolate internet-facing Oracle Payments modules until patching is validated
Defensive Actions
- Patch and validate all Oracle E-Business Suite instances for CVE-2026-46817
- Detect and cleanse malicious Chrome extensions imitating Perplexity or similar AI tools
- Monitor and restrict uploads and API use for Zoho WorkDrive and similar SaaS platforms
- Prepare for quantum-resistant credential management
- Apply patches or mitigations recommended by CISA for affected Daktronics sign and billboard controllers
- Audit Chrome extension inventory for the Perplexity-branded malicious extension and remove it from all endpoints
- Review WhatsApp username reservation policies for organizational accounts
- Monitor Zoho WorkDrive API logs for unauthorized or anomalous access and file transfer events
- Initiate a review of all credential types and storage mechanisms for quantum vulnerability
- Revise contact discovery and vetting processes to accommodate username-based messaging in WhatsApp
What We’re Watching
Ongoing attacker innovation with AI-discovered vulnerabilities, large-scale abuse of cloud and SaaS platforms, and the rapid shift toward identity-independent contact and authentication continue to redefine the risk calculus for every organization. The convergence of OT and IT threats, post-quantum preparedness gaps, and the challenge of spotting malicious activity within legitimate-looking SaaS traffic all warrant close attention in the coming weeks.