Daily Digest

Cisco and Microsoft Grapple with Actively Exploited Zero-Days; Foxconn Hit by Major Ransomware Attack

Cisco and Microsoft Grapple with Actively Exploited Zero-Days; Foxconn Hit by Major Ransomware Attack

May 15, 2026
13 articles (9 new, 4 updated)
39 min read

Summary

This reporting period has been dominated by critical zero-day vulnerabilities, with both Cisco and Microsoft confirming active exploitation of flaws in Catalyst SD-WAN and on-premises Exchange Servers, respectively. Adding to the pressure, two unpatched Windows zero-days affecting BitLocker and privilege escalation were publicly disclosed. In the threat landscape, electronics giant Foxconn confirmed a significant ransomware attack by the Nitrogen group, while multiple Chinese and Belarusian state-sponsored APTs were observed launching new campaigns with updated toolsets. Regulators in the UK have also issued a stark warning about emerging cyber risks from frontier AI, signaling a new front in cybersecurity policy.

Filter by Category

New Articles (9)

Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack

CRITICAL

Cisco Warns of Actively Exploited Zero-Day in Catalyst SD-WAN (CVE-2026-20182)

Cisco has released emergency patches for a critical authentication bypass vulnerability (CVE-2026-20182) in its Catalyst SD-WAN products, which carries a maximum CVSS score of 10.0. The flaw is being actively exploited in targeted attacks by a sophisticated threat actor tracked as UAT-8616, allowing remote attackers to gain full administrative control over SD-WAN fabrics. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies.

May 15, 2026
4 min read
CVE-2026-20182Zero-DayCiscoSD-WANAuthentication Bypass +3 more
Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack

Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically

HIGH

Microsoft Confirms Actively Exploited Zero-Day in Exchange Server (CVE-2026-42897)

Microsoft has disclosed a new high-severity zero-day vulnerability (CVE-2026-42897) in on-premises Exchange Server 2016, 2019, and Subscription Edition. The flaw, a cross-site scripting (XSS) issue in Outlook Web Access (OWA), is being actively exploited for spoofing attacks. While a full security update is pending, Microsoft's Emergency Mitigation service has automatically deployed a fix to most servers, and manual scripts are available for others.

May 15, 2026
4 min read
CVE-2026-42897Microsoft ExchangeZero-DayXSSOWA +2 more
Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically

UK Financial Regulators Put Firms on Notice Over Frontier AI Cyber Risks

INFORMATIONAL

UK Financial Regulators Issue Joint Warning on Frontier AI Cyber Risks

The Bank of England, the Financial Conduct Authority (FCA), and HM Treasury have issued a joint statement warning UK financial firms about the escalating cyber threats posed by frontier AI. The regulators stressed that AI's ability to amplify attacks requires firms to urgently enhance their cyber defenses, improve vulnerability management, and potentially adopt AI-driven defensive tools to keep pace with the evolving threat landscape.

May 15, 2026
4 min read
AIArtificial IntelligenceRegulationPolicyUK +3 more
UK Financial Regulators Put Firms on Notice Over Frontier AI Cyber Risks

Belarus-Aligned APT 'FrostyNeighbor' Deploys New JavaScript Loader in Attacks on Poland & Ukraine

HIGH

Belarusian APT 'FrostyNeighbor' Targets Poland and Ukraine with New Toolkit

The Belarus-aligned cyber-espionage group 'FrostyNeighbor' (also known as Ghostwriter/UNC1151) has launched a new wave of attacks targeting government and military organizations in Poland and Ukraine. Active since at least March 2026, the campaign showcases an evolved toolset, including a new JavaScript-based version of its 'PicassoLoader' malware and a more deliberate, server-side victim validation process to evade analysis before deploying Cobalt Strike.

May 15, 2026
5 min read
FrostyNeighborGhostwriterAPTBelarusUkraine +4 more
Belarus-Aligned APT 'FrostyNeighbor' Deploys New JavaScript Loader in Attacks on Poland & Ukraine

Massive Phishing Blitz Targets 2026 FIFA World Cup Fans with 79+ Fake Sites

MEDIUM

Large-Scale Phishing Operation Targets 2026 FIFA World Cup Fans

Security researchers are warning of a massive phishing campaign targeting fans of the upcoming 2026 FIFA World Cup. Attackers have registered at least 79 fraudulent websites that are near-perfect clones of the official FIFA site. These scams aim to steal credentials, payment card information, and money through the sale of fake tickets and merchandise, leveraging typosquatting and lookalike domains to deceive victims.

May 15, 2026
4 min read
PhishingScamFIFAWorld Cup 2026Credential Theft +1 more
Massive Phishing Blitz Targets 2026 FIFA World Cup Fans with 79+ Fake Sites

New 'Rex' Ransomware Emerges, Using Double Extortion and .rex48 Extension

HIGH

New 'Rex' Ransomware Strain Emerges with Double Extortion Tactics

A new ransomware strain named "Rex" has been discovered by researchers at CYFIRMA. Targeting Windows enterprise environments, the malware encrypts files, appends a ".rex48" extension, and drops an HTML ransom note. Rex employs a double extortion strategy, threatening to leak confidential data stolen from the victim's network if the ransom is not paid within a 72-hour deadline.

May 15, 2026
4 min read
RansomwareRex RansomwareMalwareDouble ExtortionWindows +1 more
New 'Rex' Ransomware Emerges, Using Double Extortion and .rex48 Extension

Chinese APT FamousSparrow Hits Azerbaijan Energy Sector with Deed RAT

HIGH

Chinese APT FamousSparrow Targets Azerbaijan Energy Sector with Deed RAT

The China-linked APT group FamousSparrow has expanded its targeting to include the energy sector in Azerbaijan, likely driven by the country's growing importance as an energy supplier to Europe. A campaign running until February 2026 saw the group exploit Microsoft Exchange vulnerabilities to deploy an updated version of the Deed RAT malware. The attackers used advanced DLL sideloading techniques and mimicked legitimate software to achieve persistence and conduct cyber-espionage.

May 15, 2026
5 min read
FamousSparrowAPTChinaAzerbaijanEnergy Sector +3 more
Chinese APT FamousSparrow Hits Azerbaijan Energy Sector with Deed RAT

UK Announces Major Cyber Law Overhaul, Including Reforms to Computer Misuse Act

INFORMATIONAL

UK Government Announces Major Cyber and AI Regulatory Overhaul

The UK government has announced a significant legislative agenda to reform its digital and cyber regulatory framework. The plan includes a new Cyber Security and Resilience Bill, which will align the UK more closely with the EU's NIS 2 directive, and crucial reforms to the 1990 Computer Misuse Act (CMA). The CMA reforms aim to provide a legal defense for legitimate cybersecurity professionals, a move long awaited by the industry.

May 15, 2026
4 min read
UKRegulationPolicyComputer Misuse ActCMA +2 more
UK Announces Major Cyber Law Overhaul, Including Reforms to Computer Misuse Act

Gremlin Stealer Hides in Plain Sight, Using .NET Resources to Steal Crypto and Sessions

HIGH

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Unit 42 has analyzed a new, highly evolved variant of the Gremlin information stealer. This version marks a significant upgrade in stealth and capability, now embedding its malicious payload within the .NET resource section and using XOR encoding to bypass detection. The malware has expanded its targets beyond simple credential harvesting to include active session hijacking from Chromium-based browsers, a dedicated Discord token stealer, and a new clipboard hijacker that replaces cryptocurrency wallet addresses to commit financial fraud. The stealer exfiltrates stolen data in a ZIP archive to a command-and-control server, with recent samples showing zero initial detection on VirusTotal, highlighting its evasiveness.

May 15, 2026
7 min read
Gremlin StealerInfoStealerMalware AnalysisObfuscationCryptocurrency +4 more
Gremlin Stealer Hides in Plain Sight, Using .NET Resources to Steal Crypto and Sessions

Updated Articles (4)

Chinese APT Mustang Panda Targets Indian Banks, Korean Policy Experts in Espionage Campaign

HIGH

Mustang Panda APT Targets Indian Financial Sector and Korean Policy Circles with LotusLite Backdoor

Update:

The new report details Mustang Panda's (aka Twill Typhoon) continued espionage, now using fake CDN sites impersonating Apple and Yahoo for initial access. This campaign, active since September 2025, targets organizations in the Asia-Pacific and Japan, including the finance sector. Attackers leverage DLL sideloading to deploy an updated FDMTP modular backdoor (v3.2.5.1), which is heavily obfuscated and provides remote command execution and data theft capabilities. This represents an evolution in their initial access and malware toolset for ongoing intelligence gathering.

April 21, 2026
Updated: May 15, 2026
5 min read
Mustang PandaAPTTA416espionageDLL side-loading +4 more
Chinese APT Mustang Panda Targets Indian Banks, Korean Policy Experts in Espionage Campaign

Foxconn North America Hit by Nitrogen Ransomware; 8TB of Data Allegedly Stolen

CRITICAL

Nitrogen Ransomware Group Claims Attack on Foxconn, Threatens to Leak Data from Apple, Google, and Intel

Update:

The Nitrogen ransomware group has provided further evidence of the alleged 8TB data exfiltration from Foxconn's North American operations by posting screenshots of stolen files. These screenshots reportedly include hardware schematics and confidential project details from clients like Apple, Google, Intel, and Nvidia. Foxconn has confirmed the attack and operational disruption but has not yet verified the extent of the data theft claims. This development strengthens the credibility of the attackers' claims regarding intellectual property theft.

May 14, 2026
Updated: May 15, 2026
5 min read
RansomwareNitrogenFoxconnData BreachSupply Chain +3 more
Foxconn North America Hit by Nitrogen Ransomware; 8TB of Data Allegedly Stolen

Researcher Leaks Two Windows Zero-Day Exploits, 'YellowKey' and 'GreenPlasma', Amid Dispute with Microsoft

CRITICAL

Angry Researcher Drops Two Windows Zero-Day Exploits, Citing Frustration with Microsoft's MSRC

Update:

Further technical details have been released for the YellowKey and GreenPlasma Windows zero-days. YellowKey, a BitLocker bypass, is confirmed to affect Windows 11, Server 2022, and Server 2025, leveraging the Windows Recovery Environment (WinRE) with specially crafted FsTx files. GreenPlasma, a local privilege escalation, exploits the CTFMON service by manipulating memory-section objects to achieve SYSTEM-level privileges. Both vulnerabilities now include MITRE ATT&CK mappings (T1553 for YellowKey, T1068 for GreenPlasma), providing clearer context for detection and mitigation strategies. Updated hunting hints and remediation steps, such as monitoring WinRE reboots and enforcing BitLocker pre-boot authentication, have also been provided.

May 14, 2026
Updated: May 15, 2026
5 min read
Zero-DayWindowsVulnerabilityExploitYellowKey +4 more
Researcher Leaks Two Windows Zero-Day Exploits, 'YellowKey' and 'GreenPlasma', Amid Dispute with Microsoft

Industrial Sector Most Targeted by Ransomware, NCC Group Report Warns

HIGH

NCC Group Report: Industrial Sector Hit by Over 2,000 Ransomware Attacks in One Year

Update:

This update reinforces the NCC Group's findings on the industrial sector being the primary target for ransomware. It expands on the technical analysis of IT-to-OT lateral movement, explicitly mentioning initial access via VPN vulnerabilities (MITRE T1133) and network service scanning (MITRE T1046) for discovery. The mitigation recommendations are also further detailed, highlighting the critical importance of immutable backups for both IT systems and OT configurations to ensure recovery post-attack.

May 13, 2026
Updated: May 15, 2026
4 min read
OT SecurityICS SecurityIT-OT convergencecritical infrastructuremanufacturing +1 more
Industrial Sector Most Targeted by Ransomware, NCC Group Report Warns

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.