Cybersecurity and Infrastructure Security Agency

Cybersecurity and Infrastructure Security Agency Vendor Cyber Rating & Cyber Score

cisa.gov

We lead the National effort to understand, manage, and reduce risk to our cyber and physical infrastructure. Our multi-faceted mission is home to more than 15 career fields including business administration, cybersecurity, program management, communications, and data science. We play a vital role in protecting the homeland. Please visit our official website (cisa.gov) to learn how you can contribute to our mission. Review our full Comment Policy: cisa.gov/comment-policy. Review the DHS LinkedIn Privacy Policy: dhs.gov/linkedin-privacy-policy-and-notice


CISA A.I CyberSecurity Scoring

CISA
Company Information
Website: http://www.cisa.gov
Employees number: 1,729
Number of followers: 598,835
NAICS: 92
Industry Type: Government Administration
Homepage: cisa.gov
CISA Risk Score (AI oriented)
Between 0 and 549
CISA, Government Administration
Updated: 10/06/2026
Score: 165/1000
Critical (C)
CISA: Critical
Current Score: 165 C (CRITICAL), on a scale of 0 to 1000
34 incidents
-19.88 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
167 Before Incident
Vulnerability
05 Jun 2026, CISA
SolarWinds: CISA Warns of Exploited SolarWinds Serv-U Vulnerability

SolarWinds Serv-U Vulnerability Under Active Exploitation (CVE-2026-28318)

163 After Incident
CRITICAL, -4
SOL1780734225
SolarWinds Serv-U Vulnerability Under Active Exploitation, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog after confirming that threat actors are actively exploiting a high-severity flaw in SolarWinds Serv-U, a widely used file transfer software for Windows and Linux. The vulnerability, classified as an uncontrolled resource consumption (CWE-400) issue, allows unauthenticated attackers to remotely crash Serv-U servers by sending a maliciously crafted HTTP POST request with a `Content-Encoding: deflate` header. The exploit triggers a denial-of-service (DoS) condition, forcing the Serv-U service to exhaust system resources during decompression, leading to a crash without requiring user interaction or elevated privileges. While the flaw does not directly compromise confidentiality or integrity, its impact on availability can disrupt critical operations, including payroll processing, compliance workflows, partner data exchanges, and automated file transfers. SolarWinds released Serv-U 15.5.4 Hotfix 1 to address the vulnerability, but all versions prior to 15.5.4, and even patched 15.5.4 instances without the hotfix, remain vulnerable. Shodan data indicates over 12,000 Serv-U servers exposed online, with Shadowserver tracking approximately 3,100, though the number of unpatched systems is unclear. CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, mandating federal agencies under Binding Operational Directive (BOD) 22-01 to remediate the flaw by June 19, 2026. While the directive applies only to federal entities, CISA urged private-sector organizations to prioritize patching, citing the vulnerability as a frequent attack vector for malicious actors. Serv-U has been a persistent target for cybercriminals and nation-state groups.
The Clop ransomware gang previously exploited CVE-2021-35211 (a remote code execution flaw) in 2021, while Chinese state-sponsored threat group DEV-0322 weaponized the same vulnerability in zero-day attacks. In June 2024, GreyNoise and Rapid7 reported active exploitation of CVE-2024-28995, a Serv-U path traversal bug. With 11 SolarWinds vulnerabilities now listed in CISA’s KEV catalog, the platform remains a prime target for both cybercrime and espionage operations.
INCIDENT DETAILS
TYPE
Denial-of-Service (DoS)
MOTIVATION
Disruption of operations
Espionage
IMPACT
Systems Affected: SolarWinds Serv-U servers (versions prior to 15.5.4 Hotfix 1)
Downtime: Service crash leading to unavailability
Disruption of payroll processing
Disruption of compliance workflows
Disruption of partner data exchanges
Disruption of automated file transfers
MAY 2026
167 Before Incident
Vulnerability
26 May 2026, CISA
LiteSpeed and U.S. Cybersecurity and Infrastructure Security Agency: CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks

CISA Warns of Actively Exploited LiteSpeed cPanel Plugin Vulnerability (CVE-2026-48172)

163 After Incident
CRITICAL, -4
CISLIT1779899124
CISA Warns of Actively Exploited LiteSpeed cPanel Plugin Vulnerability (CVE-2026-48172)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding CVE-2026-48172, a critical privilege escalation vulnerability in the LiteSpeed cPanel Plugin that is being actively exploited in the wild. The flaw, classified under CWE-266 (Improper Privilege Management), allows attackers with basic cPanel access to execute arbitrary scripts with root-level privileges, enabling full administrative control over affected servers. The vulnerability poses a severe risk to shared hosting environments and cloud-based infrastructures, where multiple users operate on the same system. Even a low-privileged or compromised account can serve as an entry point for attackers to execute commands, alter configurations, implant backdoors, or access sensitive data belonging to other users on the server. While no direct links to ransomware campaigns have been confirmed, the flaw’s potential for lateral movement makes it a prime target for threat actors. CVE-2026-48172 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026, with federal agencies and organizations required to remediate the issue by May 29, 2026. CISA has urged immediate patching or mitigation, including restricting user permissions and monitoring for suspicious activity such as unauthorized script execution or privilege escalation. In cases where patches are unavailable, discontinuing use of the plugin may be necessary to mitigate exposure. Given LiteSpeed’s widespread adoption in web hosting, the vulnerability threatens service providers and enterprises, with potential consequences including server compromise, service disruption, or unauthorized data access. Security teams are advised to prioritize remediation, enforce strict access controls, and enhance monitoring to prevent exploitation.
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Data Compromised: Sensitive data access
Systems Affected: Servers running LiteSpeed cPanel Plugin
Operational Impact: Service disruption
DATA BREACH
Type Of Data Compromised: Sensitive data
MAY 2026
224 Before Incident
Breach
15 May 2026, CISA
Nightwing and Cybersecurity and Infrastructure Security Agency: CISA Admin Leaked AWS GovCloud Keys on Github – Krebs on Security

CISA Contractor Exposes Highly Sensitive Credentials in Public GitHub Repository

163 After Incident
CRITICAL, -61
CISNIG1779150346
CISA Contractor Exposes Highly Sensitive Credentials in Public GitHub Repository

A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly privileged credentials and internal system details in a public GitHub repository, marking one of the most severe government data leaks in recent history. The repository, named "Private-CISA," was flagged on May 15 by security researcher Guillaume Valadon of GitGuardian after the account owner failed to respond to automated alerts about exposed secrets. The leaked files included administrative credentials for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems such as the agency’s secure code development environment (Landing Zone DevSecOps), and access tokens for CISA’s internal artifactory, a repository of software packages. Security experts confirmed the exposed credentials were valid and could have allowed attackers to move laterally within CISA’s infrastructure, potentially embedding backdoors in software builds. The repository, maintained by a Nightwing contractor, reflected poor security practices, including plaintext passwords in CSV files, disabled GitHub secret detection, and easily guessable credentials (e.g., platform names followed by the current year). Metadata suggested the account was used as a personal synchronization tool between work and home devices, with commits dating back to November 2025. The GitHub account was created in September 2018 but was taken offline shortly after CISA was notified. CISA acknowledged the incident, stating there was no evidence of sensitive data compromise but confirming an ongoing investigation. The exposed AWS keys remained active for 48 hours after the repository was removed. The agency, already operating with reduced staffing and budget, faces heightened scrutiny over its internal security controls following the breach.
INCIDENT DETAILS
TYPE
Data Exposure
IMPACT
Data Compromised: Highly privileged credentials, internal system details, AWS GovCloud admin credentials, plaintext passwords, access tokens
Systems Affected: CISA’s secure code development environment (Landing Zone DevSecOps), internal artifactory, AWS GovCloud accounts
Operational Impact: Potential lateral movement within CISA’s infrastructure, risk of backdoors in software builds
Brand Reputation Impact: Heightened scrutiny over internal security controls
DATA BREACH
Type Of Data Compromised: Credentials, internal system details, access tokens
Sensitivity Of Data: High (administrative credentials, plaintext passwords)
Data Encryption: No (plaintext passwords exposed)
CSV
MAY 2026
223 Before Incident
Vulnerability
01 May 2026, CISA
Arista and U.S. Cybersecurity and Infrastructure Security Agency: No Patch Planned for Exploited Arista EOS Vulnerability

Zero-Day Exploit in Arista EOS Remains Unpatched as Hackers Target Network Devices

219 After Incident
CRITICAL, -4
ARICIS1781094274
Zero-Day Exploit in Arista EOS Remains Unpatched as Hackers Target Network Devices

Hackers are actively exploiting a zero-day vulnerability in Arista Extensible Operating System (EOS), a Linux-based network OS used in high-performance switches for data centers, cloud, and enterprise environments. Tracked as CVE-2026-7473 (CVSS 6.9), the flaw stems from improper verification of tunnel protocol types, allowing unauthorized decapsulation of non-configured tunnel traffic. The vulnerability affects Arista EOS devices configured as tunnel endpoints, including those using decap-groups, GRE tunnels, or VXLAN. Specifically, devices set to decapsulate one tunnel type may incorrectly process other protocols destined for the same IP address even if those protocols weren’t explicitly configured. Impacted models include the 7020R, 7280R/R2, and 7500R/R2 series, with additional risks for the 7280R3, 7500R3, and 7800R3 series in certain IP-in-IPv6 and GUE IPv6 decap group scenarios. Arista confirmed in a May advisory that the flaw is being exploited in the wild. However, the company will not release patches or hotfixes, citing the risk of disrupting existing configurations. Instead, it has provided mitigation instructions for affected users. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-7473 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, mandating federal agencies to address the issue within two weeks. The agency also included two other actively exploited zero-days in its KEV list: CVE-2026-11645 (Chrome) and CVE-2026-20245 (Cisco SD-WAN).
INCIDENT DETAILS
TYPE
Zero-Day Exploit
IMPACT
Systems Affected: Arista EOS devices configured as tunnel endpoints (7020R, 7280R/R2, 7500R/R2, 7280R3, 7500R3, 7800R3 series)
Operational Impact: Unauthorized decapsulation of non-configured tunnel traffic, potential network disruption
APRIL 2026
226 Before Incident
Vulnerability
29 Apr 2026, CISA
CISA, Microsoft and Linux Kernel: Exploitation of ‘Copy Fail’ Linux Vulnerability Begins

Linux Kernel Vulnerability 'Copy Fail' Exploited in the Wild, CISA Warns

223 After Incident
CRITICAL, -3
LINCISMIC1777934528
Linux Kernel Vulnerability "Copy Fail" Exploited in the Wild, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about active exploitation of CVE-2026-31431, a critical Linux kernel vulnerability dubbed Copy Fail. The flaw, present in all Linux distributions since 2017, allows authenticated attackers with code execution privileges to escalate to root access by manipulating the kernel’s AEAD template. Disclosed on April 29, the bug was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Friday, with federal agencies directed to patch within two weeks. While exploitation remains limited, primarily involving proof-of-concept (PoC) testing, Microsoft warns of its broad applicability and the release of a working exploit, heightening risks for defenders. The vulnerability enables full root privilege escalation, posing severe threats to confidentiality, integrity, and availability. Attackers can leverage it for container breakout, multi-tenant compromise, and lateral movement in shared environments. Its stealthy in-memory exploitation and cross-platform compatibility make it particularly dangerous in cloud, CI/CD, and Kubernetes setups, where untrusted code execution is common. Exploitation requires only local, unprivileged access and can be chained with SSH, malicious CI jobs, or container access to achieve a root shell. An attack typically begins with reconnaissance to identify vulnerable kernels, followed by a script to overwrite in-memory data and escalate privileges. Microsoft advises organizations to prioritize patching, isolate vulnerable systems, enforce access controls, and monitor logs for signs of compromise. The flaw’s decade-long presence underscores the ongoing risks of long-undetected kernel vulnerabilities in critical infrastructure.
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Systems Affected: All Linux distributions since 2017
Operational Impact: Container breakout, multi-tenant compromise, lateral movement
MARCH 2026
217 Before Incident
Vulnerability
29 Mar 2026, CISA
F5: Warning: CISA, experts concerned over active exploitation of 6-month-old F5 BIG-IP APM vulnerability

Critical F5 BIG-IP APM Vulnerability Exploited in the Wild, CISA Flags Urgent Risk

213 After Incident
CRITICAL, -4
F51774844643
Critical F5 BIG-IP APM Vulnerability Exploited in the Wild, CISA Flags Urgent Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521, a critical vulnerability in F5 BIG-IP APM, to its Known Exploited Vulnerabilities (KEV) Catalog, signaling active exploitation in the wild. Initially disclosed by F5 in October 2025 as a denial-of-service (DoS) flaw with a CVSS score of 7.5, the vulnerability has since been reclassified as a pre-authentication remote code execution (RCE) issue, now carrying a CVSS score of 9.8. The flaw affects BIG-IP APM systems, including those in Appliance mode, and allows unauthenticated attackers to execute arbitrary code remotely. Unlike the initial assessment, which suggested no control plane exposure, the updated risk profile has prompted urgent warnings from security experts, including watchTowr CEO Benjamin Harris, who described the shift as a "big ‘yikes’ moment."

### Affected Versions & Mitigation

The vulnerability impacts the following BIG-IP APM versions:
- 17.5.0 – 17.5.1.3 (fixed in 17.5.1.3)
- 17.1.0 – 17.1.3 (fixed in 17.1.3)
- 16.1.0 – 16.1.6.1 (fixed in 16.1.6.1)
- 15.1.0 – 15.1.10.8 (fixed in 15.1.10.8)

F5 has released an updated advisory, urging organizations to upgrade to patched versions or apply mitigations if immediate patching is not feasible. The company confirmed that no control plane exposure exists, but the data plane remains vulnerable until remediated.

### Exploitation & Response

With evidence of in-the-wild exploitation, security teams are prioritizing patching and investigating potential breaches. The CISA KEV listing underscores the severity, as federal agencies and private sector organizations are now required to address the flaw under binding operational directives. The shift from a DoS to RCE classification highlights the evolving threat landscape, where initial vulnerability assessments may underestimate risk.
INCIDENT DETAILS
TYPE
Remote Code Execution (RCE)
IMPACT
Systems Affected: BIG-IP APM systems (including Appliance mode)
Operational Impact: Potential remote code execution leading to system compromise
FEBRUARY 2026
213 Before Incident
Cyber Attack
05 Feb 2026, CISA
Palo Alto Networks and Critical infrastructure sectors: Hackers Hit Sensitive Targets in 37 Nations in Vast Spying Plot

State-Backed Hackers Target Government and Critical Infrastructure in 37 Countries

194 After Incident
CRITICAL, -19
CISPAL1770367076
State-Backed Hackers Target Government and Critical Infrastructure in 37 Countries

On February 5, 2026, cybersecurity firm Palo Alto Networks uncovered a large-scale espionage campaign orchestrated by state-aligned threat actors. The operation, spanning 37 nations, focused on infiltrating government agencies and critical infrastructure sectors, including energy, telecommunications, and defense. The attack leveraged sophisticated tactics, techniques, and procedures (TTPs) to evade detection, suggesting involvement by well-resourced adversaries. While specific attribution remains undisclosed, the scale and precision of the campaign point to a coordinated effort with geopolitical motivations. The breach highlights the growing threat posed by nation-state cyber operations, underscoring vulnerabilities in global digital infrastructure. Authorities and affected organizations are assessing the extent of the compromise, though details on data exfiltration or operational disruptions remain limited. The incident serves as a reminder of the persistent risks faced by high-value targets in an increasingly contested cyber landscape.
INCIDENT DETAILS
TYPE
Espionage
MOTIVATION
Geopolitical
FEBRUARY 2026
217 Before Incident
Vulnerability
04 Feb 2026, CISA
SolarWinds: CISA Warns of SolarWinds Web Help Desk RCE Vulnerability Exploited in Attacks

Critical RCE Vulnerability in SolarWinds Web Help Desk

194 After Incident
CRITICAL, -23
SOL1770194061
Critical RCE Vulnerability in SolarWinds Web Help Desk Demands Immediate Action

A severe remote code execution (RCE) vulnerability, CVE-2025-40551, has been identified in SolarWinds Web Help Desk, posing a major risk to organizations using the platform. The flaw stems from unsafe deserialization of untrusted data (CWE-502), allowing attackers to execute arbitrary commands on vulnerable systems without authentication. The unauthenticated nature of the exploit makes it particularly dangerous, as threat actors can target exposed instances directly; no credentials or insider access are required. Successful exploitation could lead to arbitrary command execution, persistent backdoor access, malware deployment (including ransomware), lateral movement within networks, and compromise of sensitive IT ticketing data. CISA has classified the vulnerability as critical, setting a remediation deadline of February 6, 2026, and urging organizations to act swiftly. Recommended mitigations include:
- Applying the latest SolarWinds patches immediately.
- Isolating unpatched systems from internet exposure.
- Discontinuing use if mitigations cannot be implemented.
- Monitoring logs for signs of compromise.

The flaw highlights the ongoing threat posed by deserialization vulnerabilities in enterprise software, particularly those that bypass authentication. Security teams are advised to prioritize patching and investigate affected systems for potential breaches.
INCIDENT DETAILS
TYPE
Remote Code Execution (RCE)
IMPACT
Data Compromised: Sensitive IT ticketing data
Systems Affected: SolarWinds Web Help Desk instances
Operational Impact: Arbitrary command execution, persistent backdoor access, malware deployment, lateral movement
DATA BREACH
Type Of Data Compromised: Sensitive IT ticketing data
FEBRUARY 2026
279 Before Incident
Breach
03 Feb 2026, CISA
U.S. Cybersecurity and Infrastructure Security Agency: CISA Issues Guidance for Proactively Defending Against Insider Threats

CISA Releases New Guidance to Combat Rising Insider Threats in Critical Infrastructure

213 After Incident
HIGH, -66
CIS1770197400
CISA Releases New Guidance to Combat Rising Insider Threats in Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to help critical infrastructure organizations, particularly in healthcare, proactively defend against insider threats, a growing source of data breaches. According to a 2018 Verizon study, insiders were responsible for 56% of healthcare data breaches, surpassing external actors (43%). A 2024 report by Metomic found that the percentage of healthcare organizations reporting no insider incidents dropped from 34% in 2019 to just 24%, highlighting the escalating risk. Insider threats stem from negligence, malicious intent, or policy violations, such as employees snooping on medical records or exfiltrating patient data for financial gain or personal motives. These incidents can lead to severe consequences, including reputational damage, financial losses, and operational disruptions. CISA warns that insiders’ legitimate access and institutional knowledge make detection particularly challenging. To address this, CISA’s new resource provides a framework for assembling a multi-disciplinary insider threat management team, emphasizing collaboration across cybersecurity, physical security, human resources, legal, and external partners like law enforcement and mental health professionals. The guidance outlines a four-stage POEM framework (Plan, Organize, Execute, and Maintain) to structure threat mitigation efforts. Key steps include scoping the team’s role, fostering a culture of reporting, enforcing policies, and continuously refining the program. Acting CISA Director Dr. Madhu Gottumukkala emphasized that insider threats "erode trust and disrupt critical operations," while CISA Executive Assistant Director Steve Casapulla noted that organizations with mature programs are better equipped to withstand disruptions.
The guidance aims to help state, local, tribal, and territorial governments, as well as critical infrastructure sectors, reduce the frequency and impact of insider incidents.
INCIDENT DETAILS
TYPE
Insider Threat
MOTIVATION
Financial gain
Personal motives
Negligence
Policy violations
IMPACT
Data Compromised: Patient data, medical records
Operational Impact: Operational disruptions
Brand Reputation Impact: Reputational damage
DATA BREACH
Patient data
Medical records
Sensitivity Of Data: High (personally identifiable information, medical records)
Data Exfiltration: Possible (for financial gain or personal motives)
Personally Identifiable Information: Yes
JANUARY 2026
287 Before Incident
Cyber Attack
05 Jan 2026, CISA
FBI, CISA, U.S. Department of Homeland Security and Defense Department's Cyber Crime Center: US Homeland Security warns of escalating Iranian cyberattack risks

DHS Warning of Escalating Cyberattack Risks by Iran-Backed Hacking Groups

268 After Incident
CRITICAL, -19
FBICISUS-UNI1767786135
DHS Warns of Escalating Cyber Threats from Iran-Backed Hackers Amid Rising Tensions

The U.S. Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) bulletin on Sunday, warning of heightened cyberattack risks from Iran-backed hacking groups and pro-Iranian hacktivists following recent geopolitical escalations. The advisory highlights a "heightened threat environment" in the U.S., with low-level cyberattacks likely targeting vulnerable networks. The DHS cautioned that violent extremists within the U.S. could mobilize in response to the Israel-Iran conflict, particularly if Iranian leadership issues a religious ruling calling for retaliatory violence. The bulletin also noted that anti-Semitic and anti-Israel sentiment has already motivated recent domestic attacks, raising concerns about further violence. The warning follows a pattern of Iranian state-affiliated hackers and hacktivists exploiting poorly secured U.S. networks. In October, authorities in the U.S., Canada, and Australia reported that Iranian hackers were acting as initial access brokers, breaching organizations in healthcare, government, IT, engineering, and energy sectors through brute-force attacks, password spraying, and MFA fatigue (push bombing). A separate August advisory from CISA, the FBI, and the Defense Department’s Cyber Crime Center (DC3) identified Br0k3r (also known as Pioneer Kitten, Fox Kitten, and other aliases) as a state-sponsored Iranian threat group involved in selling access to compromised networks to ransomware affiliates in exchange for a share of profits. While the DHS did not explicitly link the NTAS bulletin to recent events, the warning comes after U.S. strikes on Iranian nuclear facilities (including Fordow, Natanz, and Isfahan) on Saturday, just over a week after Israel targeted Iranian nuclear and military sites on June 13.
Iran’s Foreign Minister, Abbas Araghchi, responded by warning of "everlasting consequences" and asserting Iran’s right to defend its sovereignty.
INCIDENT DETAILS
TYPE
Cyberattack, Initial Access Brokerage, Ransomware
MOTIVATION
Retaliation for U.S. attacks on Iranian nuclear facilities
Financial gain (ransomware payments)
Political/ideological (anti-Semitic or anti-Israel sentiment)
DECEMBER 2025
285 Before Incident
Vulnerability
18 Dec 2025, CISA
Cisco: Cisco Warns of Active Cyberattack Exploiting Critical AsyncOS Vulnerability

Cisco Secure Email Gateway and Web Manager Appliances Exploited via CVE-2025-20393

281 After Incident
CRITICAL, -4
CIS1766051696
Critical Cisco Secure Email Gateway Vulnerability Exploited in Ongoing Attacks

Cisco has disclosed an active cyberattack campaign targeting vulnerabilities in its Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS Software. The flaw, tracked as CVE-2025-20393 (CVSS 10.0), allows threat actors to execute arbitrary commands with root privileges, enabling full system compromise. The vulnerability affects both physical and virtual instances of the appliances when the Spam Quarantine feature is enabled and exposed to the internet, a configuration not enabled by default per Cisco’s deployment guidelines. Cisco Secure Email Cloud remains unaffected, and there is no evidence of exploitation targeting Cisco Secure Web.

### Attack Details & Timeline

The campaign was first detected through a Cisco Technical Assistance Center (TAC) case, with Cisco Talos confirming active exploitation. Attackers exploited exposed ports to gain unauthorized root access, disable security tools, and establish persistence mechanisms for long-term control. Compromised appliances may require a full rebuild to remove embedded threats.

### Mitigation & Hardening Measures

Cisco has stated that no direct workarounds exist for CVE-2025-20393. Organizations are advised to:
- Restrict appliance access to trusted hosts and avoid direct internet exposure.
- Deploy behind firewalls, filtering traffic to allow only authorized communication.
- Separate mail and management interfaces to limit internal access risks.
- Monitor web logs and forward them to external servers for analysis.
- Disable unnecessary services (HTTP, FTP) and enforce SSL/TLS with trusted certificates.
- Upgrade to the latest AsyncOS release and implement strong authentication (SAML, LDAP).

### Broader Impact

The incident highlights risks posed by misconfigured network services, emphasizing the need for immediate exposure assessment, access restrictions, and continuous monitoring.
Organizations should consult Cisco TAC if compromise is suspected.
INCIDENT DETAILS
TYPE
Cyberattack
IMPACT
Systems Affected: Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances
Operational Impact: Unauthorized root access, persistence mechanisms, and potential data exfiltration
Brand Reputation Impact: Potential reputational damage due to system compromise
DATA BREACH
Data Exfiltration: Potential data exfiltration via covert channels
DECEMBER 2025
288 Before Incident
Vulnerability
15 Dec 2025, CISA
Notepad++ Fixes Updater Vulnerability Allowing Attackers to Hijack Update Traffic

Notepad++ Update Process Vulnerability

284 After Incident
LOW, -4
NOT1765821620
Notepad++ Patches Critical Update Hijacking Vulnerability

Notepad++, the widely used text and code editor, recently addressed a severe security flaw in its update mechanism that could allow attackers to hijack the update process. The vulnerability, stemming from insufficient file authentication in the Notepad++ updater, was identified by security researcher Kevin Beaumont. The flaw enabled threat actors to intercept and manipulate update traffic, tricking the software into accepting malicious update files. Without proper verification, users risked downloading compromised updates, potentially leading to unauthorized access, data theft, or further exploitation. In response, the Notepad++ development team implemented enhanced authentication measures to secure the updater utility. The patched version now prevents unauthorized modifications to update files, reducing the risk of exploitation. Users running older versions are urged to upgrade immediately to mitigate potential threats. The incident underscores the importance of robust update verification in software distribution, particularly for widely adopted tools. While the vulnerability has been resolved, the discovery highlights ongoing risks in update mechanisms across applications.
INCIDENT DETAILS
TYPE
Software Vulnerability
IMPACT
Systems Affected: Notepad++ software updater
Operational Impact: Potential unauthorized access and data theft
Brand Reputation Impact: Moderate
Identity Theft Risk: Potential
DATA BREACH
Data Exfiltration: Potential
NOVEMBER 2025
339 Before Incident
Breach
15 Nov 2025, CISA
Nightwing and U.S. Cybersecurity and Infrastructure Security Agency: CISA contractor apparently leaked 'highly sensitive' government AWS keys on Github

CISA Suffers Major Data Leak via Exposed GitHub Repository

277 After Incident
CRITICAL, -62
NIGCIS1779216319
CISA Suffers Major Data Leak via Exposed GitHub Repository

A public GitHub repository named “Private-CISA” exposed highly sensitive internal credentials and systems belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), marking one of the most severe government data leaks in recent history. Security researcher Guillaume Valadon discovered the repository, which contained a trove of critical data, including:
- AWS GovCloud administrative credentials for three accounts
- AWS access keys and tokens (including a file labeled “importantAWStokens”)
- Plaintext usernames and passwords for internal CISA systems
- A CSV file (“AWS-Workspace-Firefox-Passwords.csv”) with stored login credentials
- Credentials for CISA’s Landing Zone DevSecOps (LZ-DSO) and other internal systems
- SSH keys and authentication details for CISA/DHS infrastructure
- Access credentials for an internal Artifactory software repository

Valadon, who described the leak as “the worst [he’d] witnessed in [his] career,” initially suspected the data was fake due to its sensitivity. However, multiple security researchers confirmed its authenticity, with some credentials reportedly functional. The repository, created in mid-November 2025, was likely exposed since its inception. The repository was maintained by government contractor Nightwing, which declined to comment and referred inquiries to CISA. After researchers alerted the agency, the repository was locked down. CISA acknowledged the incident, stating there was “no indication that any sensitive data was compromised” but confirmed it was implementing additional safeguards to prevent future breaches. The exposure revealed internal practices for how CISA builds and deploys software, raising concerns about operational security within federal cybersecurity agencies. The full duration of the leak remains unclear.
INCIDENT DETAILS -
TYPE
Data Leak
IMPACT
Data Compromised: Highly sensitive internal credentials and systems, including AWS GovCloud administrative credentials, access keys, plaintext usernames/passwords, SSH keys, and authentication details
Systems Affected: CISA/DHS infrastructure, AWS GovCloud, internal Artifactory repository, Landing Zone DevSecOps (LZ-DSO)
Operational Impact: Exposure of internal software deployment practices; potential unauthorized access to critical systems
Brand Reputation Impact: Severe impact on CISA's reputation as a cybersecurity authority
Identity Theft Risk: High (exposed credentials could lead to identity theft)
DATA BREACH
AWS GovCloud administrative credentials, AWS access keys and tokens, plaintext usernames and passwords, SSH keys, authentication details for internal systems, CSV file with stored login credentials
Sensitivity Of Data: High
File Types Exposed: CSV, text files
Personally Identifiable Information: Yes (stored login credentials)
OCTOBER 2025
327Before Incident
Vulnerability
01 Oct 2025CISA
Verizon and CISA: Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches

Exploited Vulnerabilities Surge as Top Initial Access Vector in 2025 Breaches

323After Incident
LOW-4
VERCIS1779231862
Exploited Vulnerabilities Surge as Top Initial Access Vector in 2025 Breaches

Verizon’s latest Data Breach Investigations Report, analyzing over 22,000 breaches from October 2024 to October 2025, reveals a sharp rise in exploited vulnerabilities as the leading initial access method. Exploits accounted for 31% of breaches, up from 20% the prior year, highlighting the growing challenge of vulnerability management amid an overwhelming volume of unpatched flaws. Organizations struggled to keep pace: only 26% of critical vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog were fully remediated in 2025, down from 38% in 2024. The median patching time also worsened, stretching to 43 days, nearly two weeks longer than the previous year’s 32 days. Meanwhile, the median number of KEV vulnerabilities requiring patches per organization rose from 11 to 16. As of February 2025, CISA’s KEV catalog listed over 1,500 CVEs, with 65% exploited in the past year. The most common weaknesses included out-of-bounds reads, heap-based buffer overflows, use-after-free flaws, external control of file paths, and incompatible resource access.

Financially motivated attacks dominated, comprising 88% of breaches, while state-affiliated espionage made up the remainder. Ransomware remained a persistent threat, involved in 48% of breaches (up from 44% in 2024). Ransom payments declined, however: 69% of victims refused to pay, and the median payment dropped from $150,000 to $140,000. Researchers noted challenges in tracking ransomware because threat actors fabricate or recycle breach claims for notoriety. Despite the data inconsistencies, ransomware showed no sign of slowing, reinforcing its status as a pervasive and adaptable cybersecurity threat.
INCIDENT DETAILS -
TYPE
Data Breach, Ransomware
MOTIVATION
Financial gain, Espionage
SEPTEMBER 2025
335Before Incident
Cyber Attack
01 Sep 2025CISA
U.S. federal agency: CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March

U.S. Government Agency Breached via Cisco Firewall Vulnerabilities, Persistent Malware Detected

316After Incident
CRITICAL-19
US-1776976007
U.S. Government Agency Breached via Cisco Firewall Vulnerabilities, Persistent Malware Detected

In September 2025, a U.S. federal agency was compromised by sophisticated hackers exploiting vulnerabilities in Cisco Adaptive Security Appliances (ASA). The Cybersecurity and Infrastructure Security Agency (CISA) revealed that the attackers deployed FIRESTARTER, a malware strain that provides persistent access to compromised Cisco Firepower devices without re-exploiting the original flaws. The breach was discovered through CISA’s continuous monitoring, which detected suspicious connections on an agency’s Cisco Firepower device running ASA software. Forensic analysis uncovered FIRESTARTER, installed before September 25, 2025, which enabled the hackers to regain access in March 2026. The attackers also used Line Viper, a secondary malware, to establish unauthorized VPN sessions, bypass authentication, and extract administrative credentials, certificates, and private keys.

The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, were first flagged by CISA in September 2025, with federal agencies ordered to patch them. However, CISA later confirmed that patched systems remained compromised because FIRESTARTER’s persistence mechanism survives patching. The agency also noted that attackers exploited dormant federal accounts to maintain access. While CISA has not attributed the attack, reports suggest alignment with China-linked state interests, consistent with previous campaigns such as ArcaneDoor (2024). Cisco’s analysis supports this assessment, linking the activity to the same threat actors.

In response, CISA issued updated directives requiring federal agencies to:

- Conduct malware checks by May 1, 2026, with initial confirmations due by midnight on Friday.
- Submit an inventory of all Cisco Firepower devices by May 1.
- Follow CISA’s guidance for physical disconnection of infected devices if necessary.

CISA emphasized that standard patching is insufficient to remove FIRESTARTER and warned agencies not to unplug devices without explicit instructions. The agency will compile a report on the campaign for the National Cyber Director and the White House by August 1, 2026. The incident underscores the risk of persistent malware in critical security infrastructure, particularly in widely used Cisco ASA and Firepower Threat Defense (FTD) systems.
INCIDENT DETAILS -
TYPE
Data Breach, Persistent Malware, Unauthorized Access
MOTIVATION
Cyber espionage, Persistent access
IMPACT
Data Compromised: Administrative credentials, certificates, private keys
Systems Affected: Cisco Firepower devices running ASA software
Operational Impact: Unauthorized VPN sessions, bypassed authentication, persistent access
Brand Reputation Impact: High (U.S. federal agency)
Identity Theft Risk: High (credentials and PII exposure)
DATA BREACH
Administrative credentials, certificates, private keys
Sensitivity Of Data: High
Data Exfiltration: Yes
Personally Identifiable Information: Likely (credentials)
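Two of the persistence details above are things a defender can actually check for: devices that look patched but still carry an implant, and dormant accounts quietly coming back to life to keep access. The first needs the vendor's forensic procedure; the second is a plain log-analytics check. The Python below is an added example written for this page, not CISA's or Cisco's tooling. It walks VPN authentication events in a constructed generic format (timestamp, user, source address, result), keeps each account's last successful login, and flags a success that arrives after a configurable dormancy window, noting whether the source address has ever been seen for that account. The log format, field names, users and addresses are all invented for the example; map your ASA/FTD syslog or SIEM export onto the same fields.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed generic VPN auth log format (not a Cisco syslog format).
LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+src=(\S+)\s+result=(success|failure)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    days_dormant: int
    src: str
    new_source: bool  # first time this address has authenticated as this user


def detect_dormant_reuse(lines: List[str], dormant_days: int = 90) -> List[Alert]:
    """Flag a successful login by an account whose previous success was more than
    dormant_days earlier. Failures never refresh the baseline, so a password-spray
    run in the hours before the successful login cannot mask the dormancy."""
    last_success: Dict[str, datetime] = {}
    sources: Dict[str, Set[str]] = {}
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line; in production count these separately
        ts_s, user, src, result = m.groups()
        if result != "success":
            continue
        ts = datetime.strptime(ts_s, TS_FMT)
        seen = sources.setdefault(user, set())
        prev = last_success.get(user)
        if prev is not None:
            gap = (ts.date() - prev.date()).days
            if gap > dormant_days:
                alerts.append(Alert(ts_s, user, gap, src, src not in seen))
        last_success[user] = ts
        seen.add(src)
    return alerts


# Constructed sample: jdoe logs in every few weeks; contractor.old is silent for
# months, then authenticates from a never-before-seen address at 02:41 UTC.
SAMPLE_LOG = """\
2025-11-03T09:12:44Z user=jdoe src=198.51.100.23 result=success
2025-11-03T09:30:10Z user=contractor.old src=198.51.100.23 result=success
2025-12-15T08:02:19Z user=jdoe src=198.51.100.23 result=success
2026-01-20T08:11:03Z user=jdoe src=198.51.100.23 result=success
2026-02-18T07:58:40Z user=jdoe src=198.51.100.23 result=success
2026-03-01T02:40:31Z user=contractor.old src=203.0.113.77 result=failure
2026-03-01T02:41:07Z user=contractor.old src=203.0.113.77 result=success
2026-03-02T08:14:05Z user=jdoe src=198.51.100.23 result=success
""".splitlines()

if __name__ == "__main__":
    for a in detect_dormant_reuse(SAMPLE_LOG):
        print(f"{a.timestamp} {a.user}: dormant {a.days_dormant}d, src={a.src}"
              f"{' (new source)' if a.new_source else ''}")
```

The dormancy window is a policy choice: 90 days catches the contractor account here while leaving the regular user alone, and lowering it to 30 days starts flagging ordinary gaps. Pair the alert with the identity system's own record (is the account supposed to exist at all?) before acting on it.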
AUGUST 2025
343Before Incident
Cyber Attack
01 Aug 2025CISA
Critical Infrastructure Providers: Taiwan Government Agencies Faced 637 Cybersecurity Incidents in H2 2025

Taiwan’s Government Agencies Face 637 Cybersecurity Incidents in Six Months

324After Incident
CRITICAL-19
CIS1770890877
Taiwan’s Government Agencies Face 637 Cybersecurity Incidents in Six Months, Revealing Key Attack Trends

Taiwan’s public sector reported 637 cybersecurity incidents over the past six months, accounting for the majority of the 723 total cases logged by government and select non-government organizations, according to the Cybersecurity Academy (CSAA). The findings, published in its Cybersecurity Weekly Report, highlight four dominant attack patterns targeting government agencies, reflecting broader global threats. Illegal intrusion was the most prevalent threat, comprising 410 cases, in which attackers exploited both technical vulnerabilities and human behavior to gain unauthorized access. The CSAA identified four recurring tactics behind these incidents:

1. Malicious Software Disguised as Legitimate Tools – Attackers distributed infected files masquerading as trusted applications, often ones used in government operations. Once installed, these programs established backdoors for data exfiltration or remote control.
2. USB-Based Worm Infections – Despite being an older technique, USB-borne malware remained effective, particularly in environments where portable media is routinely used. Infected devices triggered automatic code execution, enabling lateral movement within networks.
3. Social Engineering Phishing Emails – Highly targeted phishing campaigns impersonated administrative or legal communications, leveraging urgency and authority to trick recipients into engaging with malicious links or attachments.
4. Watering Hole Attacks – Attackers compromised legitimate websites frequented by government officials, silently executing malicious commands during normal browsing to compromise endpoints.

Beyond government agencies, critical infrastructure providers, including the emergency response, healthcare, and communications sectors, reported incidents, though many stemmed from equipment malfunctions or environmental disruptions (e.g., typhoons) rather than direct cyberattacks. The Cybersecurity Research Institute (CRI) emphasized that operational resilience, alongside digital security, is critical in mitigating disruptions. In response, experts advocate strengthened endpoint protection, including abnormal-behavior monitoring and stricter controls on portable media and software sourcing. Governance reforms, such as ongoing cybersecurity training and clear policies for external website access, are also recommended to address both technical and human vulnerabilities. The report underscores the need for proactive, layered defenses as digital threats grow more persistent and adaptive.
INCIDENT DETAILS -
TYPE
Illegal intrusion, Malware, Phishing, Watering hole attack
IMPACT
Operational Impact: Disruptions due to cyber incidents and environmental factors (e.g., typhoons)
DATA BREACH
Data Exfiltration: Data exfiltration via backdoors
JULY 2025
351Before Incident
Cyber Attack
01 Jul 2025CISA
Cybersecurity and Infrastructure Security Agency: Ukrainian Woman in US Custody for Aiding Russian NoName057 Hacker Group

Indictment of Victoria Eduardovna Dubranova for Cyberattacks on Critical Infrastructure

332After Incident
CRITICAL-19
CIS1765368172
U.S. Indicts Ukrainian National for Role in Russian-Backed Cyberattacks on Critical Infrastructure

The U.S. Department of Justice (DoJ) has indicted 33-year-old Ukrainian national Victoria Eduardovna Dubranova (also known as "Vika," "Tory," and "SovaSonya") for her alleged involvement in cyberattacks targeting global critical infrastructure. Dubranova, extradited to the U.S. earlier this year, is accused of supporting two Russian-aligned hacking groups: NoName057(16) and CyberArmyofRussia_Reborn (CARR), also referred to as Z-Pentest, both suspected of receiving backing from Russian state entities. Dubranova faces charges in two separate cases, one tied to CARR and another to NoName, and has pleaded not guilty. Her trial is scheduled for 2026. While her extradition details remain undisclosed, authorities in July 2025 dismantled over 100 servers linked to NoName057(16) and arrested two individuals in France and Spain, though no direct connection to Dubranova has been publicly confirmed.

The attacks were not financially motivated but instead aimed at disrupting essential services. CARR claimed responsibility for breaches of U.S. drinking water systems, causing spills and failures, as well as an attack on a Los Angeles meat processing facility that resulted in food spoilage and an ammonia leak. NoName057(16), meanwhile, deployed its custom DDoSia tool to take down government websites, recruiting global volunteers with cryptocurrency rewards and leaderboard incentives. The group’s infrastructure was reportedly built by CISM, a Russian state-sponsored IT group operating under a 2018 presidential order. The DoJ alleges both groups received direction and funding from Russian intelligence, including a GRU officer who guided CARR’s targeting and paid for cybercriminal services. At its peak, CARR had over 100 members, including minors, and an online following in the tens of thousands. The U.S. State Department is offering a $2 million reward for information leading to the identification or location of three key CARR associates: Yuliya Pankratova, Denis Degtyarenko, and "Cyber_1ce_Killer", the latter linked to a GRU officer. Dubranova faces severe penalties: up to 27 years in the CARR case for conspiracy, damaging protected systems, fraud, and identity theft, and a five-year maximum in the NoName case for a separate conspiracy charge.

The indictment underscores how cybercriminal networks exploit geopolitical tensions, operating across borders even as traditional conflicts persist. Similar operations in 2025 saw the arrest of the suspected administrator of XSS.IS, a major Russian-language cybercrime forum with alleged intelligence ties, during a joint French-Ukrainian Europol operation. In 2024, Ukrainian authorities detained a cryptor developer accused of aiding the Conti and LockBit ransomware groups by creating tools to evade antivirus detection.
INCIDENT DETAILS -
TYPE
Cyberattack, Disruption of Critical Infrastructure
MOTIVATION
Political, Disruption of Critical Services
IMPACT
Systems Affected: Water systems, food supply chains, public services, meat processing facilities, government websites
Operational Impact: Major spills, system failures, ammonia leak, spoilage of food
JUNE 2025
362Before Incident
Cyber Attack
06 Jun 2025CISA
Cybersecurity and Infrastructure Security Agency: Discontinuation of CISA’s mobile app security program untimely, lawmaker says

Salt Typhoon Hack Impacting U.S. Telecommunications Firms and Federal Agencies

343After Incident
CRITICAL-19
CIS1765251340
Cybersecurity Subcommittee Chair Opposes CISA’s Mobile App Vetting Program Shutdown After Salt Typhoon Attack Rep. Andrew Garbarino (R-N.Y.), chair of the House Homeland Security Subcommittee on Cybersecurity, has voiced strong opposition to the planned termination of the Cybersecurity and Infrastructure Security Agency’s (CISA) Mobile App Vetting (MAV) Program. The move follows the Salt Typhoon cyberattack, which targeted U.S. telecommunications firms and impacted federal agencies, raising concerns about mobile device security vulnerabilities. In a letter to Department of Homeland Security (DHS) Secretary Kristi Noem, Garbarino argued that ending the MAV program would leave a critical gap in assessing mobile device risks and undermine confidence among Federal Civilian Executive Branch (FCEB) agencies, which remain on high alert due to the fallout from Salt Typhoon. He also called for a priority review of CISA’s role as the sector risk management agency for telecommunications, emphasizing the need for stronger oversight in light of recent threats. Garbarino has demanded that DHS provide a justification for the program’s termination and outline CISA’s updated strategy for securing the telecommunications sector by June 13. The request underscores growing congressional scrutiny over federal cybersecurity measures in the wake of high-profile attacks.
INCIDENT DETAILS -
TYPE
Cyber Espionage
MOTIVATION
Espionage
IMPACT
Systems Affected: Mobile devices
MAY 2025
432Before Incident
Breach
01 May 2025CISA
Cybersecurity and Infrastructure Security Agency and CISA Contractor: US cyber agency CISA exposed reams of passwords and cloud keys to the open web

CISA Dodges Potential Breach After Researcher Discovers Exposed Credentials

350After Incident
CRITICAL-82
CIS1779207877
CISA Dodges Potential Breach After Researcher Discovers Exposed Credentials A security researcher uncovered a significant lapse in U.S. cybersecurity practices after discovering publicly exposed credentials that could have granted access to CISA’s cloud and internal systems. Guillaume Valadon of GitGuardian found plaintext credentials including access tokens and cloud keys stored in unprotected spreadsheets within a GitHub repository maintained by a CISA contractor. Valadon verified the validity of some keys before reporting the issue to journalist Brian Krebs after the contractor failed to respond to alerts. The exposed credentials could have provided entry to systems belonging to CISA and its parent agency, the Department of Homeland Security. The incident is particularly notable given CISA’s role in securing federal civilian networks and promoting cybersecurity best practices including proper credential management. It remains unclear whether malicious actors accessed the credentials before their discovery. CISA has not confirmed whether the exposed credentials were revoked or if any breach occurred. While the lapse originated from a contractor, CISA retains ultimate responsibility for securing its systems. The agency has operated without a permanent director since January 20, 2025, following the departure of former director Jen Easterly, and has faced workforce reductions under the current administration.
INCIDENT DETAILS -
TYPE
Credential Exposure
IMPACT
Systems Affected: CISA’s cloud and internal systems, Department of Homeland Security systems
Brand Reputation Impact: Potential reputational damage due to lapse in cybersecurity best practices
DATA BREACH
Type Of Data Compromised: Access tokens, cloud keys
Sensitivity Of Data: High
File Types Exposed: Spreadsheets
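Both GitHub exposures in this timeline, the “Private-CISA” repository with its AWS keys, Firefox password CSV and SSH keys, and the contractor spreadsheets of tokens and cloud keys found by GitGuardian's researcher, are the kind of leak a pre-commit or CI secret scan catches before the push. The Python below is an added example written for this page, not code from CISA, Nightwing or GitGuardian. It scans a checked-out tree for AWS access key IDs, AWS secret keys assigned beside them, PEM private keys and browser password exports, and reports redacted findings so the scan report does not become a second leak. The repository contents are constructed for the example; the AWS values are the documented AWS example keys, and every path and value is illustrative.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# AWS access key IDs: AKIA (long-term) or ASIA (temporary STS) + 16 uppercase/digits.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# AWS secret keys are 40 base64-ish characters; requiring an assignment context
# (aws_secret_access_key = ...) keeps random base64 blobs from triggering.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secret_key)\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})\b"
)
# Any PEM private key block (RSA, EC, OPENSSH, PKCS#8 ...).
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Browser password exports start with a header row naming url and password columns.
CSV_PASSWORD_HEADER_RE = re.compile(r'(?i)^"?url"?\s*,.*"?password"?')


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted; safe to paste into a ticket


def redact(value: str) -> str:
    """Keep a short prefix so the owner can identify the key, never the whole secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, n, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding(path, n, "aws_secret_access_key", redact(m.group(1))))
        if PEM_RE.search(line):
            findings.append(Finding(path, n, "private_key", "-----BEGIN ... PRIVATE KEY-----"))
        if n == 1 and CSV_PASSWORD_HEADER_RE.search(line):
            findings.append(Finding(path, n, "password_export_csv", line.strip()))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """files maps repo-relative path -> text; in practice walk the working tree."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def usable_aws_pairs(findings: List[Finding]) -> List[str]:
    """Files holding both an access key ID and a secret: a complete credential that
    must be revoked in IAM immediately, not just scrubbed from git history."""
    kinds_by_file: Dict[str, set] = {}
    for f in findings:
        kinds_by_file.setdefault(f.path, set()).add(f.kind)
    return sorted(p for p, k in kinds_by_file.items()
                  if {"aws_access_key_id", "aws_secret_access_key"} <= k)


# Constructed sample tree. The AWS values are the AWS documentation example keys.
SAMPLE_REPO: Dict[str, str] = {
    "config/aws-govcloud.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_DEFAULT_REGION=us-gov-west-1\n"
    ),
    "exports/Firefox-Passwords.csv": (
        '"url","username","password","httpRealm"\n'
        '"https://artifactory.example.internal","svc-build","not-a-real-password"\n'
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n"  # truncated, constructed
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "# build notes\nSecrets come from the vault at deploy time, never from git.\n",
}

if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for f in found:
        print(f"{f.path}:{f.line} {f.kind} {f.sample}")
    print("revoke now:", usable_aws_pairs(found))
```

Once a key has been pushed to a public repository, treat it as compromised regardless of how quickly the commit is removed: rewrite history if you must, but rotate the credential first, because clones and scrapers have already seen it.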
Cyber Attack
01 May 2025CISA
Cybersecurity and Infrastructure Security Agency (CISA)

Potential Cybersecurity Risks Due to CISA Downsizing Amid Government Shutdown

350After Incident
CRITICAL-82
CIS1192211101425
The U.S. government shutdown has severely weakened CISA, the nation’s leading civilian cybersecurity agency, by furloughing 65% of its 2,540-strong workforce (1,651 employees) and issuing Reductions in Force (RIF) notices that may lead to permanent layoffs. Critical divisions like the Infrastructure Security Division (ISD), responsible for protecting power grids, water treatment plants, and chemical facilities, face deep cuts—including the elimination of the Chemical Security subdivision, which secured high-risk chemical sites from cyber-physical threats. The Stakeholder Engagement Division (SED), which coordinates national and international cybersecurity partnerships, is also targeted. Experts warn that this reduction—amid rising nation-state cyber threats, ransomware, and misinformation campaigns—creates exploitable blind spots, crippling the U.S. government’s ability to detect, respond, and recover from attacks. The shutdown and political redirection of CISA’s mission (e.g., accusations of censorship) further destabilize its operational capacity, leaving critical infrastructure (energy, water, chemical sectors) vulnerable to cyberattacks that could disrupt essential services or trigger cascading failures. The long-term impact includes eroded national resilience, increased risk of state-sponsored espionage or sabotage, and potential physical harm if industrial control systems (e.g., power grids, water treatment) are compromised.
INCIDENT DETAILS -
TYPE
Operational Risk, Workforce Reduction, Budget Cuts, Political Interference
MOTIVATION
Exploit Government Vulnerabilities, Disrupt Critical Infrastructure, Leverage Political Instability, Capitalize on Reduced Oversight
IMPACT
Systems Affected: Critical Infrastructure (e.g., power grids, water treatment plants), Federal Cyber Defense Systems, Threat Intelligence Sharing Platforms
Operational Impact: Reduced Threat Detection Capabilities, Delayed Incident Response, Weakened Partnership Coordination, Increased Risk of Successful Cyber Attacks
Brand Reputation Impact: Erosion of Public Trust in Government Cybersecurity, Perception of Political Interference in National Security
JANUARY 2025
457Before Incident
Breach
01 Jan 2025CISA
CISA

Salt Typhoon Espionage Campaign

395After Incident
CRITICAL-62
CIS001012825
The Cybersecurity and Infrastructure Security Agency (CISA) faced a tumultuous period marked by significant breaches, including the Salt Typhoon espionage campaign linked to Beijing, which compromised American telecoms, collecting sensitive data such as call logs, recordings, and potential location information. The largest hack in US telecom history occurred under the leadership of Jen Easterly, who was not asked to stay post-Inauguration Day. Her departure coincided with demands for CISA to become 'smaller' and 'more nimble' and the dismissal of the Cyber Safety Review Board members who were investigating the breaches, potentially jeopardizing the agency’s future and national cybersecurity.
INCIDENT DETAILS -
TYPE
Espionage Campaign
MOTIVATION
Espionage
IMPACT
Data Compromised: Call logs, recordings, potential location information
DATA BREACH
Call logs, recordings, potential location information
Sensitivity Of Data: High
DECEMBER 2024
468Before Incident
Cyber Attack
01 Dec 2024CISA
CISA

Potential Setback in CISA's Cybersecurity Operations

449After Incident
CRITICAL-19
CIS000122124
As a relatively new and essential cyber-security component of the DHS, CISA faces a significant potential setback. With changing political climates and Trump’s apparent intentions to reshape the agency, its core missions of protecting government systems and supporting private and nonprofit entities could be compromised. Employees fear that reduced corporate oversight and a possible dismantling or repurposing of the agency may impair its ability to safeguard against cyber threats, potentially weakening national cybersecurity infrastructure. There is a palpable fear among the staff of a decline in efficacy and a change in direction that could pose threats not just to the agency's mandate but also to the broader security landscape.
INCIDENT DETAILS -
TYPE
Organizational Change Impacting Cybersecurity
MOTIVATION
Reshaping Agency, Reduced Corporate Oversight
IMPACT
Systems Affected: Government Systems
Operational Impact: Potential Decline in Efficacy
Brand Reputation Impact: Weakening National Cybersecurity Infrastructure
OCTOBER 2024
455Before Incident
Vulnerability
01 Oct 2024CISA
Microsoft and Cybersecurity and Infrastructure Security Agency: CISA Mandates Immediate Patch for Critical Vulnerability in Microsoft Configuration Manager

CISA Issues Emergency Directive Over Actively Exploited Microsoft Configuration Manager Vulnerability

451After Incident
CRITICAL-4
CISMIC1771331760
CISA Issues Emergency Directive Over Actively Exploited Microsoft Configuration Manager Vulnerability The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive on Thursday, mandating federal agencies to patch a critical vulnerability in Microsoft Configuration Manager that is being actively exploited in attacks. The flaw, addressed in Microsoft’s October 2024 patch cycle, has been assigned CVE-2024-XXXX and poses severe risks to system security. The vulnerability enables unauthorized command execution and privilege escalation, allowing attackers to compromise data integrity and intercept sensitive information. Due to its high severity, CISA has imposed strict remediation deadlines, requiring agencies to take immediate action. Federal organizations must: - Apply the Microsoft-released patch without delay. - Conduct system audits to verify no unauthorized access has occurred. - Enhance monitoring to detect and respond to further exploitation attempts. The directive highlights the urgency of addressing the flaw to prevent potential breaches of federal networks and data. Agencies are also instructed to assess residual risks and ensure comprehensive mitigation strategies are in place.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Sensitive information
Systems Affected: Microsoft Configuration Manager
DATA BREACH
Type Of Data Compromised: Sensitive information
Sensitivity Of Data: High
AUGUST 2024
442Before Incident
Vulnerability
01 Aug 2024CISA
Cybersecurity and Infrastructure Security Agency (CISA)

Proposed Reduction of CISA's Scope by Heritage Foundation's Project 2025

438After Incident
CRITICAL-4
CIS005080624
Amid rising cyber threats, the Heritage Foundation's Project 2025 proposes to significantly reduce the scope of CISA, which could undermine the agency's ability to protect against cyber attacks and misinformation. This move aligns with former President Trump's agenda and his critique of CISA's role in debunking electoral misinformation. If implemented, CISA's counter-misinformation efforts would be halted, its relationship with social media firms would change, and its cyber defense responsibilities could be redistributed to military and intelligence agencies. As a result, the United States could face an increased risk of cyber threats that can disrupt societal stability, influence elections, or compromise sensitive information.
INCIDENT DETAILS -
TYPE
Policy Change
MOTIVATION
Align with former President Trump's agenda and critique of CISA's role in debunking electoral misinformation.
JUNE 2024
447Before Incident
Cyber Attack
16 Jun 2024CISA
Cybersecurity and Infrastructure Security Agency (CISA)

Potential Undermining of CISA by Heritage Foundation

428After Incident
CRITICAL-19
CIS000080624
CISA faces potential undermining from elements within the Heritage Foundation who seek to scale back its operations, especially concerning its role in mitigating misinformation online. This approach could significantly weaken the agency, impacting its principal cybersecurity functions and potentially affecting its efforts to combat foreign propaganda. If the 2024 election leads to an administration aligning with the Project 2025 playbook, CISA could experience reduced effectiveness or an existential crisis. Such a shift could have far-reaching consequences for national cybersecurity and the protection against online falsehoods that threaten societal stability.
INCIDENT DETAILS -
TYPE
Operational Undermining
MOTIVATION
Political
IMPACT
Operational Impact: Reduced effectiveness or existential crisis
JANUARY 2024
417Before Incident
Cyber Attack
01 Jan 2024CISA
Cybersecurity and Infrastructure Security Agency: Multiple Government Agencies Warn of Long-Term, Potentially Large-Scale BRICKSTORM Malware Campaign by Chinese Hackers

BRICKSTORM Malware Campaign by Chinese Hackers

394After Incident
CRITICAL-23
CIS1765238766
A new warning issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security documents an ongoing campaign by Chinese hackers making use of the sophisticated BRICKSTORM malware to target public sector organizations and IT companies for long-term espionage purposes. The average dwell time for these documented breaches is a little over a year, and the total victim count is impossible to know at this point. The BRICKSTORM malware was first documented by Google security researchers in 2024 and is considered one of the most advanced current threats. It targets Windows and VMware vSphere environments and serves as a long-term backdoor for stealthy data exfiltration. It has numerous advanced obfuscation features and will also reinstall itself if removed or disrupted. Once inside a target network, the Chinese hackers look to capture legitimate credentials through various means and create hidden virtual machines to conceal their activities.

Chinese hackers may have been active since 2022

Though BRICKSTORM first came to broad attention in 2024, the researchers believe the Chinese hackers may have been successfully running this campaign since as far back as 2022. The average dwell time among documented victims of the malware is 393 days. If true, this would mean the attackers had been actively penetrating targets with this approach for at least two years before even being detected by security resear
INCIDENT DETAILS -
TYPE
Espionage
MOTIVATION
Espionage
IMPACT
Data Compromised: Credentials, sensitive data
Systems Affected: Windows, VMware vSphere
Operational Impact: Long-term backdoor access, stealthy data exfiltration
DATA BREACH
Credentials, sensitive data
Sensitivity Of Data: High
Data Exfiltration: Yes
Vulnerability
01 Jan 2024CISA
Broadcom: Cyber Security News ®’s Post

CISA Flags Actively Exploited VMware vCenter Server Vulnerability (CVE-2024-37079)

394After Incident
CRITICAL-23
BRO1769309760
CISA Flags Actively Exploited VMware vCenter Server Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical remote code execution (RCE) vulnerability in Broadcom’s VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog. The move follows confirmed reports of active exploitation in the wild, heightening risks for enterprises using vCenter for virtualization management. The flaw allows attackers with network access to the vCenter Server to execute arbitrary code, potentially gaining full control over the system. No additional user interaction or privileges are required, making it a high-severity threat. Organizations running affected versions of vCenter are urged to prioritize patching, as exploitation could lead to unauthorized access, data breaches, or lateral movement within networks. VMware released patches for the vulnerability earlier this month, but the inclusion in CISA’s KEV catalog underscores its urgency. Federal agencies under CISA’s binding operational directive (BOD 22-01) must remediate the flaw by a specified deadline, though private sector entities are also advised to act swiftly. The incident highlights the growing targeting of virtualization infrastructure, a critical component in enterprise IT environments. Details on attack vectors and threat actors remain limited, but the vulnerability’s inclusion in the KEV catalog signals its immediate operational risk.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
Systems Affected: VMware vCenter Server
Operational Impact: Unauthorized access, lateral movement within networks
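The remediation figures in the Verizon summary earlier in this timeline (share of KEV items fully remediated, median days to patch, KEV items open per organization) and the vCenter KEV entry here come down to the same bookkeeping: which KEV items are open on which assets, which are past their BOD 22-01 due date, and how long remediation took. The Python below is an added example written for this page, not CISA's or Verizon's code. It reads entries in the shape of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), joins them to an asset inventory and to remediation records, and reports open items, overdue items with days past due, the remediated share and the median days from dateAdded to verified fix. The feed excerpt, inventory, remediation dates and the dateAdded/dueDate values are constructed for the example; only the two CVE IDs are taken from this page.

```python
import json
from datetime import date
from statistics import median
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the public KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs appear in this timeline; the dates are illustrative, not the catalog's.
SAMPLE_KEV_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
 "vulnerabilities": [
  {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
   "dateAdded": "2026-01-15", "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-20362", "vendorProject": "Cisco", "product": "ASA and FTD",
   "dateAdded": "2025-09-25", "dueDate": "2025-09-26", "knownRansomwareCampaignUse": "Unknown"}
 ]}
"""


def parse_kev(text: str) -> Dict[str, dict]:
    """Index the feed by CVE ID; only cveID, dateAdded and dueDate are used below."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


# Constructed asset inventory: asset name -> CVEs a scanner reports on it.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "vcenter-01": ["CVE-2024-37079"],
    "vcenter-02": ["CVE-2024-37079"],
    "asa-edge-01": ["CVE-2025-20362"],
    "asa-edge-02": ["CVE-2025-20362"],
}
# Constructed remediation records: (asset, CVE) -> date the fix was verified.
SAMPLE_REMEDIATIONS: Dict[Tuple[str, str], date] = {
    ("vcenter-01", "CVE-2024-37079"): date(2026, 2, 1),
    ("asa-edge-01", "CVE-2025-20362"): date(2025, 10, 30),
}


def assess(kev: Dict[str, dict], inventory: Dict[str, List[str]],
           remediations: Dict[Tuple[str, str], date], today: date) -> dict:
    tracked = 0
    durations: List[int] = []                 # days from dateAdded to verified fix
    open_items: List[Tuple[str, str]] = []
    overdue: List[Tuple[str, str, int]] = []  # (asset, cve, days past dueDate)
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: normal patch cadence, not a BOD 22-01 deadline
            tracked += 1
            added = date.fromisoformat(entry["dateAdded"])
            fixed = remediations.get((asset, cve))
            if fixed is not None:
                durations.append((fixed - added).days)
                continue
            open_items.append((asset, cve))
            due = date.fromisoformat(entry["dueDate"])
            if today > due:
                overdue.append((asset, cve, (today - due).days))
    overdue.sort(key=lambda t: t[2], reverse=True)  # longest-overdue first
    return {
        "tracked": tracked,
        "open": open_items,
        "overdue": overdue,
        "remediated_pct": round(100.0 * len(durations) / tracked, 1) if tracked else 0.0,
        "median_days_to_remediate": float(median(durations)) if durations else None,
    }


def run_sample(today_iso: str = "2026-02-10") -> dict:
    return assess(parse_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY,
                  SAMPLE_REMEDIATIONS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=1, default=str))
```

The median is computed from dateAdded, which is how the catalog frames the clock; if your SLA runs from the vendor's patch release date instead, substitute that date, but keep one convention so the trend line means something year over year.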
OCTOBER 2023
578Before Incident
Ransomware
01 Oct 2023CISA
Cybersecurity and Infrastructure Security Agency

CISA Ransomware Vulnerability Warning Pilot (RVWP) Program

387After Incident
HIGH-191
CYB2047151023
To help critical infrastructure organizations thwart ransomware attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new information detailing the security flaws and configuration errors that ransomware gangs have exploited. CISA published this information as part of the Ransomware Vulnerability Warning Pilot (RVWP) program and said it would notify critical infrastructure organizations of any ransomware-vulnerable devices found on their networks. Since its launch, RVWP has identified, and shared information about, more than 800 susceptible systems with internet-accessible flaws regularly targeted by ransomware campaigns. The agency has also released a dedicated website, StopRansomware.gov, which acts as the focal point for CISA's effort to give defenders the information they need to anticipate and neutralize ransomware attacks.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Ransomware
IMPACT
Systems Affected: More than 800 susceptible systems
SEPTEMBER 2023
577Before Incident
Vulnerability
01 Sep 2023CISA
Cybersecurity and Infrastructure Security Agency: CISA’s secure-software buying tool had a simple XSS vulnerability of its own

CISA’s Secure Software Tool Found Vulnerable to XSS Attack

573After Incident
LOW-4
CIS1769475575
CISA’s Secure Software Tool Found Vulnerable to XSS Attack A tool designed by the Cybersecurity and Infrastructure Security Agency (CISA) to help government agencies procure secure software was itself found to contain a cross-site scripting (XSS) vulnerability. The flaw was discovered by Jeff Williams, former leader of OWASP and co-founder of Contrast Security, who reported it to CISA in September 2023. The vulnerability allowed attackers to inject malicious JavaScript into the Software Acquisition Guide: Supplier Response Web Tool, potentially enabling defacement of the site or attacks on other users. Williams noted that the flaw was basic and should have been easily detected, calling it "hypocritical" for an agency promoting secure software development to overlook such a fundamental issue. Initially dismissed as non-critical under CISA’s bug bounty program, the vulnerability gained attention through the agency’s Vulnerability Information and Coordination Environment (VIC) program. The fix, which Williams estimated would take only minutes to implement, was delayed until December, partly due to the government shutdown. CISA’s Chief Information Officer, Robert Costello, confirmed the agency patched the flaw and found no evidence of exploitation. The incident was documented as a CVE, and CISA acknowledged the researcher’s report while citing process improvements for future vulnerability handling. The discovery follows a separate 2024 breach at CISA, underscoring that even cybersecurity authorities remain targets for attacks.
INCIDENT DETAILS -
TYPE
Vulnerability
IMPACT
Systems Affected: Software Acquisition Guide: Supplier Response Web Tool
Brand Reputation Impact: Potential reputational damage due to hypocrisy in promoting secure software development
JANUARY 2023
Score before incident: 677
Ransomware
01 Jan 2023, CISA
Critical Infrastructure Organizations (as warned by CISA, FBI, and ACSC)

BianLian Ransomware Group Shifts to Data Theft-Based Extortion (2023)

Score after incident: 532
CRITICAL (-145)
CIS427092125
In January 2023, the BianLian ransomware group shifted its tactics from encrypting files to data theft-based extortion, leveraging stolen Remote Desktop Protocol (RDP) credentials—often obtained via phishing or initial access brokers. The group deployed custom Go-based backdoors, remote management tools, and credential-harvesting utilities to infiltrate networks undetected. Once inside, they exfiltrated sensitive data and threatened to publish it on a leak site, demanding ransom payments in cryptocurrency. To evade security measures, BianLian disabled antivirus processes using PowerShell and Windows Command Shell, escalating risks for targeted organizations. The attack posed severe threats to critical infrastructure sectors, prompting warnings from CISA, FBI, and ACSC. Victim organizations faced potential operational disruptions, financial losses, and reputational damage, with stolen data ranging from employee records to proprietary business information. While no specific company was named, the group’s focus on high-value targets—such as healthcare, energy, or government-adjacent entities—suggested systemic risks. Mitigations included auditing RDP access, restricting PowerShell, and enforcing multi-factor authentication (MFA), but the breach’s scale and sophistication highlighted vulnerabilities in defensive postures.
INCIDENT DETAILS -
TYPE
Ransomware
Data theft
Extortion
MOTIVATION
Financial gain
Data extortion
IMPACT
Brand Reputation Impact: High (due to public leak threats and warnings from CISA/FBI/ACSC)
Identity Theft Risk: Potential (if PII was exfiltrated)
JULY 2021
Score before incident: 744
Ransomware
15 Jul 2021, CISA
FBI, Multi-State Information Sharing and Analysis Center and Cybersecurity and Infrastructure Security Agency: I've Been Hit By Ransomware!

#StopRansomware Guide Update for Incident Response

Score after incident: 633
CRITICAL (-111)
CISTHEFBI1774844752
CISA and Partners Release Updated #StopRansomware Guide to Strengthen Incident Response

In May 2023, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released an updated #StopRansomware Guide to standardize ransomware response protocols. The guide outlines a structured approach for organizations to detect, contain, eradicate, and recover from ransomware attacks, emphasizing coordinated action to minimize damage. The response process begins with detection and analysis: impacted systems must be isolated immediately, either by disconnecting them from the network at the switch level or by physically unplugging the devices. For cloud environments, snapshots of volumes should be taken for forensic review. Organizations are advised to use out-of-band communication (e.g., phone calls) to avoid tipping off attackers, who may monitor internal activity to escalate the attack. If isolation isn’t feasible, powering down devices is recommended, though this risks losing volatile memory evidence. Critical systems, such as those tied to health, safety, or revenue, should be prioritized for restoration, while unaffected systems are deprioritized to streamline recovery. Security teams are urged to examine logs for precursor malware (e.g., Bumblebee, QakBot, or Cobalt Strike) and for signs of data exfiltration, as ransomware often follows an earlier compromise. Threat hunting should focus on anomalous activity, including unauthorized Active Directory accounts, suspicious VPN logins, and misuse of built-in Windows tools (e.g., vssadmin.exe, PsExec) to inhibit recovery. Reporting and notification are critical: organizations are directed to engage internal stakeholders (IT, leadership, cyber insurers) and external agencies such as CISA, the FBI, or the U.S. Secret Service. If a data breach occurs, legal and communications teams must follow the incident response plan to manage disclosures.
Containment and eradication involve capturing system images, memory dumps, and malware samples for analysis. Trusted guidance (e.g., from CISA or security vendors) should be followed to disable ransomware binaries and remove associated registry entries. Breaches often involve credential theft, requiring measures like disabling remote access and resetting passwords. Forensic analysis should identify persistence mechanisms, such as rogue accounts or backdoors, before systems are rebuilt using clean images or infrastructure-as-code templates. Recovery prioritizes reconnecting systems from offline backups while preventing reinfection. Post-incident, organizations are encouraged to document lessons learned and share indicators of compromise with CISA or sector-specific ISACs to bolster collective defense. The guide underscores that ransomware incidents may signal deeper compromises, necessitating thorough investigation to prevent recurrence.
INCIDENT DETAILS -
TYPE
Ransomware
DATA BREACH
Data Exfiltration: Possible (threat hunting for signs of data exfiltration)
Data Encryption: Possible (ransomware data encryption)
JUNE 2021
Score before incident: 771
Cyber Attack
01 Jun 2021, CISA
CISA, Symantec, FBI and Fortinet: Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom

Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics

Score after incident: 743
LOW (-28)
CISSYMFBIFOR1768715192
The Medusa ransomware operation, tracked by Symantec as Spearwing, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, over 40 incidents have been attributed to the group, signaling an aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players such as LockBit and BlackCat. Medusa employs double extortion, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span the healthcare, financial services, government, education, legal, and manufacturing sectors, many within critical infrastructure. If victims refuse to pay, the group threatens to leak the stolen data via its dedicated leak site.

### Attack Methods & Tools

Medusa’s intrusion chains often begin with the exploitation of known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or through initial access brokers. Once inside, attackers deploy remote management tools such as SimpleHelp, AnyDesk, and MeshAgent for persistence, alongside the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software using KillAV, a tactic previously seen in BlackCat attacks. Other tools in Medusa’s arsenal include:

- PDQ Deploy for lateral movement and payload delivery
- Navicat for database access
- RoboCopy and Rclone for data exfiltration
- Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance
- Ligolo and Cloudflared for command-and-control (C2) evasion

The group also employs living-off-the-land (LotL) techniques, such as PowerShell commands (Base64-encoded to avoid detection) and Mimikatz for credential theft, alongside legitimate remote access tools such as ConnectWise and PsExec to move undetected.

### Evasion & Triple Extortion Risks

Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment, suggesting a potential triple extortion scheme.

### CISA Advisory & Historical Context

A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa had compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to MedusaLocker or the Medusa mobile malware, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute the attacks, the core developers retain control over ransom negotiations. Recent campaigns have exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Despite the RaaS landscape’s volatility, with new groups such as Anubis, LCRYX, and Xelera emerging, Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain
Data extortion
IMPACT
Financial Loss: Ransoms ranging from $100,000 to $15 million
Data Compromised: Sensitive data stolen before encryption
Identity Theft Risk: High (due to data exfiltration)
DATA BREACH
Type Of Data Compromised: Sensitive data (including personally identifiable information)
Sensitivity Of Data: High
JUNE 2018
Score before incident: 768
Vulnerability
16 Jun 2018, CISA
CISA

Potential Policy Reversal and Mission Compromise at CISA

Score after incident: 763
CRITICAL (-5)
CIS000122224
The Cybersecurity and Infrastructure Security Agency (CISA), created in 2018, faces uncertain times, as the return of former President Trump could significantly alter its function and direction. Trump's promises to reduce government spending and oversight have CISA staffers concerned about the potential dismantling of cybersecurity initiatives and a shift in focus toward immigration enforcement. The agency, which has a reputation for bipartisanship and was involved in election security and countering online misinformation, now finds itself the target of Republican claims of censorship and surveillance. The fear of policy reversal and mission compromise looms among the employees, who remain dedicated to protecting national cyber infrastructure.
INCIDENT DETAILS -
TYPE
Policy and Mission Compromise
MOTIVATION
Reduction in government spending and oversight, shift in focus toward immigration enforcement
IMPACT
Operational Impact: Potential dismantling of cybersecurity initiatives
JUNE 2015
Score before incident: 780
Cyber Attack
16 Jun 2015, CISA
Cybersecurity and Infrastructure Security Agency (CISA)

Lapse of Federal Cybersecurity Programs Increases Vulnerability to Cyberattacks

Score after incident: 755
CRITICAL (-25)
CIS0332103101125
The lapse of the Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program, combined with a staffing reduction to under 900 employees (from ~2,500) due to government funding expiration, has left CISA critically under-resourced. Without liability protections for private-sector threat-sharing, companies may hesitate to report cyber threats, increasing systemic vulnerabilities. The absence of grant funding further weakens state/local defenses (e.g., hospitals, schools, water systems), raising risks of cascading disruptions. Experts warn of potential major cyberattacks during this period, with CISA lacking sufficient personnel to respond effectively. Legal uncertainties (e.g., antitrust exposure, FOIA disclosures) and reduced real-time intelligence-sharing exacerbate the threat landscape, particularly for critical infrastructure. Senators and industry leaders emphasize the urgency of reauthorization, citing risks to national/economic security, but partisan delays persist.
INCIDENT DETAILS -
TYPE
Policy/Regulatory Failure
Operational Risk
IMPACT
Reduced federal cybersecurity response capability
Discouraged private-sector information sharing
Increased legal/regulatory risks for companies sharing threat data
Potential delays in state/local government cybersecurity improvements
Erosion of public trust in federal cybersecurity preparedness
Perception of political dysfunction hindering cyber defense
Loss of antitrust protections for threat-sharing companies
Risk of FOIA disclosure of shared threat data
Potential regulatory fines for companies sharing information without protections
Cybersecurity and Infrastructure Security Agency Cyber Scoring History | Rankiteo