Cyber Dispatch™️
The definitive source for critical cybersecurity news. When a major threat breaks, we dispatch.

#CyberDispatch #CyberSecurity #InfoSec #ThreatIntelligence #ZeroDay #DataBreach #SecurityNews
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools.
A scan of 2M hosts found 1M exposed services, revealing widespread security gaps in self-hosted AI systems.

31% of 5,200 Ollama servers responded without authentication, and 90+ platforms were publicly accessible. Weak defaults and misconfigurations are driving exposure.
North Korea-linked ScarCruft breached sqgame[.]net in a supply chain attack, deploying BirdCall malware targeting ethnic Koreans in China.

Trojanized Android apps and earlier Windows updates enabled surveillance via cloud-based control systems.
A critical MetInfo CMS flaw (CVE-2026-29014, CVSS 9.8) is under active exploitation, allowing unauthenticated remote code execution.

Attacks began April 25 and surged by May 1, targeting exposed systems globally.
Critical RCE flaw (CVE-2026-22679, CVSS 9.8) in Weaver E-cology 10.0 is under active exploitation.

Attackers use unauthenticated requests to execute commands; activity observed since March 17–31, 2026, with failed payload drops and MSI attempts.
Microsoft says 35,000 users were targeted in an April 2026 phishing campaign across 13,000 organizations in 26 countries.

Attackers used AiTM phishing, CAPTCHA pages, and trusted email services to steal credentials and bypass MFA.
CRITICAL: Palo Alto Networks has disclosed CVE-2026-0300, a buffer overflow in PAN-OS that is already being exploited in the wild.

CVSS 4.0 score: 9.3.

Unauthenticated attackers can hit the User-ID Authentication Portal (the Captive Portal service) with crafted packets and pop a root shell on the firewall.
China plans to nearly double its data center capacity to around 60 GW by 2030, adding 28 GW of new projects to the existing 32 GW installed at the end of 2025, according to Rystad Energy analysis. This AI- and HPC-driven expansion will boost power consumption to 289 TWh annually, accounting for 2.3% of national electricity demand with a 19% CAGR.
CVE-2026-23918 (CVSS 8.8) in HTTP Server 2.4.66.

The HTTP/2 double-free flaw can trigger DoS and potentially enable remote code execution via crafted requests. Fixed in 2.4.67.
US Gov't AI Pre-Release Testing Pact

The US Commerce Department's Center for AI Standards and Innovation (CAISI) has new voluntary agreements with Microsoft, Google, and xAI to evaluate advanced AI models for security risks before public release. Building on prior deals with OpenAI and Anthropic, this covers all major US frontier labs and involves over 40 assessments to date. It expands military-industry AI collaborations amid growing national security concerns.
Phishing Surge via Amazon SES

Kaspersky reports a rise in phishing attacks abusing Amazon Simple Email Service (SES), enabled by exposed AWS IAM access keys found in public GitHub repos, .env files, Docker images, and S3 buckets. Attackers use tools like TruffleHog to harvest keys, then send high-volume, authenticated emails (passing SPF/DKIM/DMARC) mimicking DocuSign or BEC invoices. The SES infrastructure's credibility helps evade spam filters.
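The root cause in this item is leaked long-term credentials, so the defensive counterpart is scanning your own repositories, .env files and image layers for them before they are pushed. The following is an added example written for this digest; it is not Kaspersky's or TruffleHog's code. It relies on two documented facts about AWS credential formats (long-term access key IDs start with "AKIA", temporary STS ones with "ASIA", both 20 characters; secret access keys are 40 characters of base64-like text) and scans a constructed .env sample, reporting findings with redacted values so the scanner's own output does not re-leak the secret.

```python
import re
from dataclasses import dataclass

# Long-term AWS access key IDs begin with "AKIA", temporary (STS) ones with "ASIA";
# both are exactly 20 characters long, which keeps this pattern low-noise.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is 40 base64-like characters. On its own that is too generic
# to flag, so it is only matched when assigned to a variable whose name contains
# "secret" (AWS_SECRET_ACCESS_KEY, aws_secret_access_key, MY_SECRET, ...).
SECRET_ASSIGN_RE = re.compile(
    r"(?i)^\s*(?:export\s+)?(?P<name>[A-Z0-9_]*SECRET[A-Z0-9_]*)\s*[=:]\s*"
    r"[\"']?(?P<value>[A-Za-z0-9/+=]{40})[\"']?\s*$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    value: str      # the matched credential (keep this out of logs)
    redacted: str   # safe-to-print form


def redact(secret: str) -> str:
    """Keep the first and last four characters so a finding can be matched
    against an IAM console entry without printing the whole credential."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-looking token in `text`, ordered by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key = m.group(0)
            findings.append(Finding(line_no, "access_key_id", key, redact(key)))
        m = SECRET_ASSIGN_RE.match(line)
        if m:
            secret = m.group("value")
            findings.append(Finding(line_no, "secret_access_key", secret, redact(secret)))
    return findings


def severity(findings: list[Finding]) -> str:
    """An access key ID together with a secret is a usable credential pair
    (the situation in the SES abuse above); an ID alone still identifies the
    IAM principal and is worth rotating, but cannot sign requests by itself."""
    kinds = {f.kind for f in findings}
    if "access_key_id" in kinds and "secret_access_key" in kinds:
        return "critical"
    if kinds:
        return "high"
    return "none"


# Constructed sample .env for demonstration only. The secret value is the
# placeholder AWS uses in its own documentation; none of these are live credentials.
SAMPLE_ENV = """\
# constructed sample .env for demonstration; these are not real credentials
DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
IMAGE_TAG=AKIANOTAKEY
SESSION_KEY=ASIAEXAMPLEEXAMPLE02
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    print("severity:", severity(results))
```

Running the block on the sample reports the AKIA and ASIA key IDs on lines 3 and 6 and the secret on line 4 (the too-short `IMAGE_TAG` value is ignored), and rates the file "critical" because a full key pair is present. In practice you would run `scan_text` over each file in a pre-commit hook or CI job and fail the build on any finding, then rotate the key in IAM rather than merely deleting it from the repo, since the history still contains it.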
Cisco Acquires Astrix Security

Cisco has acquired Israeli startup Astrix Security (also referred to as Strix in some reports) for approximately $400 million to enhance protections against AI agent threats. The platform monitors non-human identities like API keys and OAuth tokens used by autonomous AI agents in enterprises, addressing unsupervised access risks by integrating with Cisco's Duo, Splunk, and Zero Trust tools. This bolsters security for "digital workforces" amid rising agentic AI adoption.
CloudZ RAT exploits Microsoft Phone Link to intercept SMS and OTPs without infecting phones.

Active since January 2026, the attack enables credential theft and 2FA bypass via synced data.
PAN-OS firewalls hit by active exploitation of CVE-2026-0300, enabling unauthenticated RCE with root access.

The unpatched flaw targets publicly exposed User-ID portals, affecting multiple versions.
Rapid7 Research: MuddyWater Group Uses Chaos Ransomware to Mask Its Activity

Rapid7's research notes that the attackers execute all stages of the attack, including encryption and ransom demands, but the main goal is espionage, not money.

The research also mentions the incident in which the Qilin group attacked Asaf HaRofeh Hospital—a case that channel members know well.
Widespread GPS Disruption in Strait of Hormuz Still Unresolved

Maritime tracking data shows that the widespread disruption in the GPS system in the Strait of Hormuz, which began two days ago, has caused confusion for many commercial vessels.

In maritime tracking images, some vessels are displayed as moving on land.

Notably, this disruption has continued for the third consecutive day in the Persian Gulf and Strait of Hormuz region.