Massive Canvas LMS Breach, Unpatched Linux Zero-Day, and Palo Alto Firewall Exploits Rattle Global Organizations

A BlackFog report for Q1 2026 indicates a severe underreporting crisis in ransomware, with 2,160 undisclosed attacks tracked via dark-web leak sites compared to only 264 public disclosures. This 10-to-1 ratio suggests the true scale of the ransomware epidemic is far greater than publicly known. The US remains the most targeted, while manufacturing is the top victim in undisclosed attacks (20%) and healthcare in disclosed ones (27%). Qilin is confirmed as the most prolific group overall. This underreporting skews the threat landscape, hindering effective risk management and collective defense efforts, allowing groups like Qilin, The Gentlemen, and Akira to operate with greater impunity.

Further analysis of the Microsoft AiTM phishing campaign suggests the use of Phishing-as-a-Service (PhaaS) kits, enabling rapid deployment. The attack chain is further mapped to MITRE ATT&CK techniques including T1480.001 (CAPTCHA Evasion), T1003 (OS Credential Dumping), and T1185 (Browser Session Hijacking). New hunting hints include monitoring for connections to newly registered domains (NRDs) and specific email subject lines related to 'code of conduct' or 'internal case' policies. Mitigation advice now explicitly includes browser isolation technology to render untrusted links safely.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates that all federal agencies apply mitigations or patches for the critical Palo Alto Networks zero-day by May 9, 2026. CISA's inclusion in the KEV catalog signifies the high confidence in active exploitation and elevates the urgency for all organizations to address the vulnerability immediately. The article also suggests the limited exploitation pattern points to sophisticated threat actors, possibly state-sponsored.

The new report reiterates CISA's consideration of a 72-hour patching deadline, expanding on the AI models driving this concern by explicitly mentioning OpenAI's GPT-5.4-Cyber alongside Anthropic's Mythos. It also offers a more detailed breakdown of compliance requirements for federal agencies and outlines potential enforcement mechanisms and penalties for non-compliance. The article confirms that no official timeline for the policy change has been announced, indicating it remains under internal debate at CISA.

New intelligence confirms that the Russian state-sponsored group APT28 (Fancy Bear) is actively exploiting CVE-2026-32202. The campaign specifically targets government and defense entities in Europe, Ukraine, and NATO member states. Attackers are delivering malicious .LNK shortcut files via email, which trigger the zero-click vulnerability when viewed in Windows Explorer, leading to NTLM hash theft. CISA has set a May 12 deadline for federal agencies to patch, highlighting the increased urgency and threat level posed by this sophisticated actor.