Miasma Worm Hits Microsoft, Cisco &amp; Android Zero-Days Exploited, and FBI Network Breached by State-Sponsored Hackers

FBI Declares 'Major Incident' After China-Linked Group Salt Typhoon Breaches Surveillance Data Network

The FBI has classified a breach of its Digital Collection Systems Network as a 'major incident,' attributing the attack to 'Salt Typhoon,' a threat actor linked to China's Ministry of State Security. The compromised network manages highly sensitive law enforcement data, including wiretap returns and information on individuals under investigation. This breach is an extension of a multi-year campaign by Salt Typhoon that previously targeted major U.S. telecom providers to access call records and wiretap infrastructure. The intrusion highlights a significant counterintelligence threat, providing a foreign adversary with visibility into active FBI operations.

FBISalt TyphoonChinaAPTData Breach +3 more

FBI 'Major Incident': China-Linked Hackers Breach Sensitive Surveillance Network

DentaQuest Data Breach Exposes PHI of 2.6 Million; ShinyHunters Claims Attack

DentaQuest Investigates Data Breach Affecting 2.6 Million After ShinyHunters Claims 234GB Data Theft

DentaQuest, a major U.S. dental and vision benefits administrator, is investigating a data breach that has compromised the personal and health information of approximately 2.6 million individuals. The cybercriminal group ShinyHunters has claimed responsibility, stating on its dark web leak site that it exfiltrated over 234 gigabytes of data. The compromised information includes names, dates of birth, government IDs, and health insurance details. The incident, which involved unauthorized access to DentaQuest's network, has prompted an investigation by a law firm over potential violations of data breach notification laws.

DentaQuestData BreachShinyHuntersHealthcarePHI +2 more

DentaQuest Data Breach Exposes PHI of 2.6 Million; ShinyHunters Claims Attack

Whistleblower Lawsuit: Former Exec Accuses IBM of Covering Up Chinese State-Sponsored Hacking

Former IBM VP Alleges Company Concealed 56,000 Breaches by Chinese Hackers in Whistleblower Lawsuit

A newly unsealed whistleblower lawsuit filed by a former IBM executive alleges that the technology giant knowingly concealed thousands of data breaches by a Chinese state-linked hacking group between 2013 and 2016. William Barlow, IBM's former VP of Threat Intelligence, claims the company was aware of over 56,000 intrusions into its network but deliberately failed to notify U.S. authorities. The lawsuit brings to light historical allegations of corporate malfeasance regarding breach disclosure, drawing parallels to other high-profile concealment cases and highlighting the importance of recent SEC regulations mandating timely incident reporting.

IBMWhistleblowerData BreachChinaAPT +2 more

Whistleblower Lawsuit: Former Exec Accuses IBM of Covering Up Chinese State-Sponsored Hacking

Dutch NCSC: Cloud Misconfigurations Are an 'Easy Ride' for Hackers

MEDIUM

Netherlands NCSC Warns of Growing Data Breaches from Cloud Misconfigurations

The Dutch National Cyber Security Centre (NCSC) has issued a warning about the rising threat of data breaches caused by simple cloud misconfigurations. The agency stated that cybercriminals are using automated tools to scan the internet for improperly configured cloud systems, such as those with incorrect permissions or exposed access. These misconfigurations allow attackers to access and steal sensitive data without needing to exploit a technical software vulnerability. The NCSC's alert highlights the critical need for organizations to adopt robust Cloud Security Posture Management (CSPM) as they migrate more data to the cloud.

Cloud SecurityMisconfigurationNCSCData BreachCSPM +3 more

4 min read

Dutch NCSC: Cloud Misconfigurations Are an 'Easy Ride' for Hackers

CISA KEV Alert: Two-Year-Old Oracle WebLogic Flaw Now Under Active Attack

Oracle WebLogic Vulnerability (CVE-2024-21182) from 2024 Sees Renewed, Active Exploitation

A two-year-old, high-severity vulnerability in Oracle WebLogic Server, CVE-2024-21182, is being actively exploited in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, originally patched in July 2024, allows an unauthenticated remote attacker to compromise a server via the T3 or IIOP protocols, potentially leading to complete system takeover. The renewed exploitation campaign, which began in mid-May 2026, highlights the persistent risk posed by unpatched legacy systems in critical sectors like banking, healthcare, and government.

CVE-2024-21182OracleWebLogicVulnerabilityKEV +3 more

CISA KEV Alert: Two-Year-Old Oracle WebLogic Flaw Now Under Active Attack

Strategic Education Data Breach Exposes SSNs, Passports of Over 100,000

Strategic Education, Inc. Discloses Data Breach Affecting Over 100,000 Students and Staff

Strategic Education, Inc., the parent company of Strayer University and Capella University, has disclosed a data breach that occurred in February 2026. The incident involved unauthorized access to its computer network, compromising the highly sensitive personal information of over 100,000 individuals. An investigation that concluded in May revealed that stolen data may include names, Social Security numbers, driver's license numbers, and passport numbers. The breach affects students and staff across its various educational institutions and has exposed a large number of people to a high risk of identity theft and fraud.

Data BreachStrategic EducationStrayer UniversityCapella UniversityEducation +2 more

Strategic Education Data Breach Exposes SSNs, Passports of Over 100,000

Active Exploitation of Critical PAN-OS Auth Bypass (CVE-2026-0257) Detected in the Wild

Unit 42 Reports Active Exploitation of PAN-OS CVE-2026-0257 Authentication Bypass Vulnerability

Palo Alto Networks' Unit 42 has issued a threat brief detailing the active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting PAN-OS software. Unidentified attackers are exploiting the flaw to gain unauthorized access to GlobalProtect VPN services. This vulnerability, which circumvents security controls on portal and gateway components, has been added to the CISA Known Exploited Vulnerability (KEV) catalog due to observed in-the-wild attacks. While no post-exploitation activity has been confirmed, the potential for network compromise is severe. Organizations are strongly urged to apply patches or mitigations immediately and hunt for indicators of compromise.

CVE-2026-0257PAN-OSGlobalProtectAuthentication BypassVPN +2 more

6 min read

Active Exploitation of Critical PAN-OS Auth Bypass (CVE-2026-0257) Detected in the Wild

Updated Articles (5)

Ransomware Market Consolidates in Q1 2026; Qilin Remains Top Threat as LockBit 5.0 Rebounds

Check Point Research: Qilin Dominates Ransomware Landscape in Q1 2026, Top 10 Groups Claim 71% of Victims

The new report covers May 2026, showing a 3% overall increase in ransomware attacks to 661 incidents. The education sector was severely impacted with a 54% surge. Qilin continues to be the most active group, responsible for 97 attacks, alongside The Gentlemen and DragonForce. Notably, 115 terabytes of data were exfiltrated. The US remains the top target. New groups like Play and Genesis showed significant activity increases. The article also provides new hunting hints and detection strategies, including specific command-line patterns and process names for data exfiltration.

May 12, 2026

RansomwareQilinLockBitThe GentlemenCheck Point Research +2 more

Ransomware Market Consolidates in Q1 2026; Qilin Remains Top Threat as LockBit 5.0 Rebounds

The Agentic Era: Frontier AI Models Fuel a Surge in Vulnerability Discovery

INFORMATIONAL

Cybersecurity Enters 'Agentic Era' as Frontier AI Models Like GPT-5.5-Cyber and Claude Mythos Dramatically Accelerate Vulnerability Discovery

An autonomous AI agent from depthfirst has discovered 21 zero-day vulnerabilities in the widely used FFmpeg multimedia library, some existing for nearly two decades. Nine of these flaws have been assigned CVEs, posing a significant supply chain risk. Concurrently, Google Chrome 149 released a record 429 security patches, including a critical sandbox escape (CVE-2026-10881, CVSS 9.6). These events provide concrete evidence of the accelerating pace of AI-driven vulnerability discovery, validating concerns about the 'Agentic Era' and increasing pressure on defenders to manage a growing influx of bugs.

May 14, 2026

AIArtificial IntelligenceVulnerability DiscoveryExploitationProject Glasswing +3 more

The Agentic Era: Frontier AI Models Fuel a Surge in Vulnerability Discovery

CISA Warns of Active Exploitation of Palo Alto GlobalProtect Auth Bypass Flaw (CVE-2026-0257)

Palo Alto GlobalProtect Vulnerability (CVE-2026-0257) Under Active Attack, CISA Issues Directive

Palo Alto Networks' Unit 42 has officially confirmed active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability in PAN-OS GlobalProtect. The new report highlights the increased threat level due to the public release of a Proof-of-Concept (PoC) exploit, which significantly raises the risk of widespread attacks. Unit 42 reiterates the critical impact of the flaw, even without observed lateral movement, as it provides an initial foothold for attackers. The update also provides enhanced guidance for detection, response, and threat hunting, including monitoring for suspicious host IDs and device names, and leveraging Cortex Xpanse for asset identification.

June 1, 2026

CVE-2026-0257Palo Alto NetworksGlobalProtectVPNAuthentication Bypass +2 more

4 min read

CISA Warns of Active Exploitation of Palo Alto GlobalProtect Auth Bypass Flaw (CVE-2026-0257)

Actively Exploited Zero-Day in Cisco SD-WAN Allows Root Access, No Patch Available

Cisco Warns of Actively Exploited Zero-Day Flaw in Catalyst SD-WAN Products

New information clarifies that CVE-2026-20245 affects 'Cisco Catalyst SD-WAN Manager' and requires an 'authenticated attacker with administrative privileges (netadmin)' to exploit, correcting the previous understanding of it being unauthenticated. The vulnerability was reported by Mandiant and impacts all deployment types. While no direct patch is available, Cisco recommends upgrading to a version that addresses CVE-2026-20182 (an authentication bypass) to make exploitation of CVE-2026-20245 more difficult. This is the seventh SD-WAN zero-day from Cisco in 2026.

June 5, 2026

Zero-DayCiscoSD-WANCVE-2026-20245Active Exploitation +2 more

Actively Exploited Zero-Day in Cisco SD-WAN Allows Root Access, No Patch Available

Android Zero-Day Under Attack: Google Issues Urgent Patch for Privilege Escalation Flaw

Google Patches Actively Exploited Android Zero-Day (CVE-2025-48595) in June Security Update

The actively exploited Android zero-day, CVE-2025-48595, is now confirmed to be an integer overflow vulnerability in the Android Framework, carrying a high CVSS score of 8.4. This flaw allows for local privilege escalation without user interaction, affecting Android versions 14, 15, 16, and 16 QPR2. A significant development is CISA's addition of this CVE to its Known Exploited Vulnerabilities (KEV) catalog, which mandates federal agencies to patch by June 5, 2026. This highlights the critical nature and active threat posed by the vulnerability, reinforcing the urgency for all users to apply the June 2026 security update.

June 2, 2026