Windows Zero-Days Leaked, Exchange Under Active Attack, and Vulnerability Exploits Overtake Credential Theft in Breaches
Summary
A tumultuous day in cybersecurity for May 20, 2026, is marked by the active exploitation of a new Microsoft Exchange zero-day (CVE-2026-42897) and the public leak of six Windows zero-day exploits by a threat actor dubbed 'Nightmare-Eclipse'. Verizon's 2026 DBIR confirms a strategic shift in the threat landscape, with vulnerability exploitation now the top initial access vector in breaches, surpassing stolen credentials for the first time. Major data breaches continue to plague critical sectors, with NYC Health + Hospitals reporting a potential impact on 1.8 million individuals and BWH Hotels confirming a long-term intrusion. Ransomware activity also persists: West Pharmaceutical Services was hit, and a new 'WantToCry' variant abuses exposed SMB services for remote encryption.
Today New Articles
BWH Hotels Breach: Attackers Had Access for Six Months, Exposing Guest Data
BWH Hotels, the parent company of major brands like Best Western, WorldHotels, and SureStay, has confirmed a significant data breach involving sensitive guest reservation information. The breach was discovered on April 22, but investigations revealed that atta...
Ransomware Attack on West Pharmaceutical Services Disrupts Global Operations
West Pharmaceutical Services, a leading global manufacturer of pharmaceutical packaging and drug delivery systems, has suffered a ransomware attack that disrupted its global business operations. The company detected unusual network activity on May 4 and proact...
NYC Health + Hospitals Breach May Affect 1.8 Million Patients and Employees
NYC Health + Hospitals Corporation, the largest public health system in the United States, has reported a massive data breach that may have compromised the personal and protected health information (PHI) of approximately 1.8 million people. The breach, which o...
Global Consulting Services Breach Exposes PII of 1,320 Individuals
Global Consulting Services & Software Development, a California-based IT firm, has disclosed a data breach that exposed the personally identifiable information (PII) of 1,320 individuals. The breach occurred in early January 2026 when an unauthorized third par...
Six Windows Zero-Day Exploits Leaked by Threat Actor 'Nightmare-Eclipse'
A threat actor operating under the alias 'Nightmare-Eclipse' has released a series of six zero-day exploits targeting Microsoft Windows. The campaign, which appears to be a personal vendetta against Microsoft rather than financially motivated, includes critica...
Chinese APT 'Webworm' Uses Discord and MS Graph API for C2 in New Backdoor Attacks
The China-aligned threat actor known as 'Webworm' has been observed deploying two new, sophisticated backdoors named 'EchoCreep' and 'GraphWorm'. These tools represent an evolution in the group's tactics, using legitimate and widely used services for command-a...
TamperedChef Malware: Trojanized Apps Masquerade as Productivity Tools to Deploy Stealthy Payloads
Unit 42 has identified and analyzed several clusters of malware activity collectively known as TamperedChef. This threat involves trojanized productivity applications, such as PDF editors and file converters, distributed through malicious advertising (malverti...
Article Updates
Virginia Man with Cybercrime History Convicted for Deleting 96 Government Databases
Update: Further information regarding the insider threat incident involving Akhter has been released. The attack occurred at Opexus, a software company serving federal agencies, and involved twin brothers, Muneeb and Suhaib Akhter. They are accused of deleting over 30...
Microsoft Scrambles to Mitigate Actively Exploited Exchange Server Zero-Day
Update: The latest report on CVE-2026-42897 provides additional technical context, including CVSS scores of 8.1 (Microsoft) and 6.1 (NIST). It further details potential impacts such as Business Email Compromise (BEC) and ransomware deployment. New hunting hints includ...
Update: The 2026 Verizon DBIR provides further insights into the alarming trend of vulnerability exploitation. New data indicates that the remediation rate for critical vulnerabilities in CISA's KEV catalog plummeted from 38% in 2024 to just 26% in 2025. Concurrently,...
Microsoft Takes Down 'Fox Tempest' Cybercrime Service That Sold Forged Code-Signing Certificates
Update: Further analysis of the 'Fox Tempest' takedown reveals the malware-signing-as-a-service (MSaaS) was internally codenamed 'OpFauxSign'. Beyond Rhysida ransomware, the service was extensively utilized by operators of infostealers like Lumma and Vidar. Attackers...
New 'WantToCry' Ransomware Uses Exposed SMB Services for Novel Remote Encryption Attacks
Update: The updated report provides a more structured technical analysis, mapping the attack to specific MITRE ATT&CK techniques including T1021.002 (SMB/Windows Admin Shares) and T1048 (Exfiltration Over Alternative Protocol). It explicitly highlights the data breach...