Windows Zero-Days Leaked, Exchange Under Active Attack, and Vulnerability Exploits Overtake Credential Theft in Breaches

BWH Hotels, Parent of Best Western, Confirms Major Data Breach After Six-Month Intrusion

BWH Hotels, the parent company of major brands like Best Western, WorldHotels, and SureStay, has confirmed a significant data breach involving sensitive guest reservation information. The breach was discovered on April 22, but investigations revealed that attackers had unauthorized access to a web application for over six months prior to detection. The compromised data includes thousands of guest reservations, putting affected customers at high risk of sophisticated phishing attacks. BWH Hotels, which operates over 4,500 hotels globally, is in the process of notifying affected guests and has warned them to be vigilant for fraudulent communications, such as fake booking pages or urgent payment requests that leverage their stolen data.

Data BreachHospitalityBWH HotelsBest WesternPhishing +1 more

BWH Hotels Breach: Attackers Had Access for Six Months, Exposing Guest Data

Ransomware Attack on West Pharmaceutical Services Disrupts Global Operations

West Pharmaceutical Services Shuts Down Infrastructure Following Ransomware Attack

West Pharmaceutical Services, a leading global manufacturer of pharmaceutical packaging and drug delivery systems, has suffered a ransomware attack that disrupted its global business operations. The company detected unusual network activity on May 4 and proactively shut down portions of its on-premise infrastructure to contain the threat. This decisive action, while causing temporary operational disruptions, was necessary to prevent the attack's spread. The incident highlights the significant threat ransomware poses to the healthcare supply chain, where any disruption can have cascading effects on patient care and drug availability. The specific ransomware group responsible has not been disclosed.

RansomwareHealthcareManufacturingSupply ChainWest Pharmaceutical Services

Ransomware Attack on West Pharmaceutical Services Disrupts Global Operations

NYC Health + Hospitals Breach May Affect 1.8 Million Patients and Employees

Massive Data Breach at NYC Health + Hospitals Exposes Data of 1.8 Million Individuals

NYC Health + Hospitals Corporation, the largest public health system in the United States, has reported a massive data breach that may have compromised the personal and protected health information (PHI) of approximately 1.8 million people. The breach, which occurred in late March, affects both current and former patients and employees. The compromised data puts a vast number of individuals at risk of identity theft, medical fraud, and other malicious activities. The incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights. Details on how the attackers breached the system have not yet been disclosed, but the scale of the incident underscores the immense value of healthcare data to cybercriminals and the persistent challenges faced by healthcare organizations in protecting it.

Data BreachHealthcareHIPAAProtected Health InformationNYC

NYC Health + Hospitals Breach May Affect 1.8 Million Patients and Employees

Global Consulting Services Breach Exposes PII of 1,320 Individuals

MEDIUM

Data Breach at Global Consulting Services Exposes Names and Social Security Numbers

Global Consulting Services & Software Development, a California-based IT firm, has disclosed a data breach that exposed the personally identifiable information (PII) of 1,320 individuals. The breach occurred in early January 2026 when an unauthorized third party accessed personal information, including names and Social Security numbers, stored on the company's network. The company began notifying affected individuals on May 18, 2026, more than four months after the incident. In response, Global Consulting Services is offering 24 months of free identity monitoring and restoration services through Kroll to the affected individuals.

Data BreachPIISocial Security NumberIT Services

Global Consulting Services Breach Exposes PII of 1,320 Individuals

Six Windows Zero-Day Exploits Leaked by Threat Actor 'Nightmare-Eclipse'

CRITICAL

'Nightmare-Eclipse' Threat Actor Leaks Six Windows Zero-Days in Retaliation Against Microsoft

A threat actor operating under the alias 'Nightmare-Eclipse' has released a series of six zero-day exploits targeting Microsoft Windows. The campaign, which appears to be a personal vendetta against Microsoft rather than financially motivated, includes critical vulnerabilities that can lead to privilege escalation. One patched flaw, 'BlueHammer' (CVE-2026-33825), allows a standard user to gain SYSTEM-level privileges through a vulnerability in Windows Defender. The actor has also released exploits for unpatched vulnerabilities, including 'RedSun' for privilege escalation and 'MiniPlasma', which reportedly works on fully patched Windows 11 systems. Microsoft is investigating the claims, which pose a significant risk to the entire Windows ecosystem by providing attackers with powerful tools to escalate privileges on compromised machines.

Zero-DayVulnerabilityWindowsMicrosoftPrivilege Escalation +1 more

Six Windows Zero-Day Exploits Leaked by Threat Actor 'Nightmare-Eclipse'

Chinese APT 'Webworm' Uses Discord and MS Graph API for C2 in New Backdoor Attacks

'Webworm' APT Group Deploys 'EchoCreep' and 'GraphWorm' Backdoors Targeting Government and Enterprise

The China-aligned threat actor known as 'Webworm' has been observed deploying two new, sophisticated backdoors named 'EchoCreep' and 'GraphWorm'. These tools represent an evolution in the group's tactics, using legitimate and widely-used services for command-and-control (C2) to evade detection. EchoCreep uses Discord for its C2 communications, while GraphWorm leverages the Microsoft Graph API. This 'living off the land' technique allows the malware's traffic to blend in with normal network activity. Webworm, active since at least 2022, has historically targeted government, IT, aerospace, and energy sectors in Asia and Russia, but has recently expanded its targeting to Europe and Africa. The new backdoors demonstrate the group's continuous development and adaptation of its malware arsenal.

APTWebwormThreat ActorChinaDiscord +2 more

Chinese APT 'Webworm' Uses Discord and MS Graph API for C2 in New Backdoor Attacks

TamperedChef Malware: Trojanized Apps Masquerade as Productivity Tools to Deploy Stealthy Payloads

Unit 42 Tracks TamperedChef Malware Clusters Using Certificate and Code Reuse Analysis

Unit 42 has identified and analyzed several clusters of malware activity collectively known as TamperedChef. This threat involves trojanized productivity applications, such as PDF editors and file converters, distributed through malicious advertising (malvertising). While appearing as legitimate software, and often including deceptive End-User License Agreements (EULAs), these applications are designed to remain dormant for extended periods before executing malicious actions. Once activated, they establish command and control (C2) to download and execute secondary payloads, including information stealers, proxy tools, and remote access trojans (RATs). The research highlights three distinct clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110) encompassing over 4,000 unique samples, indicating a widespread and persistent campaign. This activity blurs the line between aggressive adware and outright malware, posing a significant threat due to its stealth and ability to grant attackers arbitrary code execution on victim systems.

TamperedChefMalvertisingAdwareTrojanRAT +4 more

21 min read

TamperedChef Malware: Trojanized Apps Masquerade as Productivity Tools to Deploy Stealthy Payloads

Updated Articles (5)

Verizon DBIR 2026: Vulnerability Exploitation Now the #1 Cause of Breaches, Surpassing Stolen Credentials

INFORMATIONAL

Verizon's 2026 DBIR Reveals Vulnerability Exploitation as the Leading Initial Access Vector in Data Breaches

The 2026 Verizon DBIR provides further insights into the alarming trend of vulnerability exploitation. New data indicates that the remediation rate for critical vulnerabilities in CISA's KEV catalog plummeted from 38% in 2024 to just 26% in 2025. Concurrently, the median time to patch these critical flaws has increased from 32 to 43 days, widening the window for attackers. While ransomware remains prevalent, a positive development shows that 69% of victims in the dataset chose not to pay the ransom, suggesting improved organizational resilience and a refusal to fund criminal enterprises. These details reinforce the urgent need for enhanced vulnerability management and patching strategies.

May 19, 2026

DBIRVerizonVulnerability ManagementPatch ManagementSupply Chain Security +5 more

Verizon DBIR 2026: Vulnerability Exploitation Now the #1 Cause of Breaches, Surpassing Stolen Credentials

Microsoft Takes Down 'Fox Tempest' Cybercrime Service That Sold Forged Code-Signing Certificates

Microsoft Disrupts Fox Tempest's Malware-Signing-as-a-Service Operation Used by Ransomware Gangs

Further analysis of the 'Fox Tempest' takedown reveals the malware-signing-as-a-service (MSaaS) was internally codenamed 'OpFauxSign'. Beyond Rhysida ransomware, the service was extensively utilized by operators of infostealers like Lumma and Vidar. Attackers leveraged the service to sign malware that impersonated legitimate applications such as AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex, enhancing their ability to bypass security controls and deceive users. The new report also provides additional MITRE ATT&CK mappings and specific hunting hints for detecting such signed malware.

May 19, 2026

Fox TempestMicrosoftCode SigningMSaaSRansomware +4 more

Microsoft Takes Down 'Fox Tempest' Cybercrime Service That Sold Forged Code-Signing Certificates

Virginia Man with Cybercrime History Convicted for Deleting 96 Government Databases

Former Database Administrator Found Guilty of Intentionally Deleting 96 U.S. Government Databases

Further information regarding the insider threat incident involving Akhter has been released. The attack occurred at Opexus, a software company serving federal agencies, and involved twin brothers, Muneeb and Suhaib Akhter. They are accused of deleting over 30 databases and 1,800 project files, causing outages in critical government software systems. Affected agencies include the IRS and GSA. The FBI has launched a federal investigation into the breach, highlighting the profound risk posed by trusted insiders. This update clarifies the scope and specific entities impacted by the data destruction.

May 9, 2026

Insider ThreatCybercrimeData DestructionDatabaseGovernment +1 more

Virginia Man with Cybercrime History Convicted for Deleting 96 Government Databases

Microsoft Scrambles to Mitigate Actively Exploited Exchange Server Zero-Day

CRITICAL

Microsoft Confirms Active Exploitation of Critical Spoofing Zero-Day (CVE-2026-42897) in Exchange Server

The latest report on CVE-2026-42897 provides additional technical context, including CVSS scores of 8.1 (Microsoft) and 6.1 (NIST). It further details potential impacts such as Business Email Compromise (BEC) and ransomware deployment. New hunting hints include monitoring mailbox auditing for forwarding rules and analyzing OWA sessions for unusual access patterns. Detection methods are expanded to suggest Web Application Firewalls (WAFs) and utilizing Microsoft's `Test-ExchangeServerHealth.ps1` script for identifying misconfigurations. The active exploitation status and lack of a patch remain unchanged.

May 17, 2026

Zero-DayXSSSpoofingOWAKEV +1 more

Microsoft Scrambles to Mitigate Actively Exploited Exchange Server Zero-Day

New 'WantToCry' Ransomware Uses Exposed SMB Services for Novel Remote Encryption Attacks

SophosLabs Details 'WantToCry' Ransomware Targeting Exposed SMB Ports for Remote File Encryption

The updated report provides a more structured technical analysis, mapping the attack to specific MITRE ATT&CK techniques including T1021.002 (SMB/Windows Admin Shares) and T1048 (Exfiltration Over Alternative Protocol). It explicitly highlights the data breach risk associated with file exfiltration prior to remote encryption. New mitigation recommendations include Multi-factor Authentication (M1032) and Privileged Account Management (M1026). The IOC list has been refined, focusing on the `WIN-LIVFRVQFMKO` attacker computer name.

May 19, 2026