PAN A.I CyberSecurity Scoring
Company Information
Website: http://www.paloaltonetworks.com
Employees number: 18,620
Number of followers: 1,826,275
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: paloaltonetworks.com
PAN Risk Score (AI oriented): 720/1000 (between 700 and 749), Moderate, grade Ba
Industry: Computer and Network Security
Updated: 16/06/2026
PAN Global Score (TPRM): score locked
Current Score: 720 Ba (MODERATE) on a 0 to 1000 scale
18 incidents, -10.7 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026 (score 722)
Vulnerability | 16 Jun 2026 | PAN | score 720 | CRITICAL-2 | ID PALHUAAMEMIC1781613039
Source headline: Huawei, Microsoft, Palo Alto Networks and Tower of Fantasy: Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
DragonForce Ransomware Abuses Microsoft Teams TURN Relays in Sophisticated Attack
In December 2025, the DragonForce ransomware group deployed a novel malware strain, Backdoor.Turn, to conceal command-and-control (C2) traffic within Microsoft Teams’ infrastructure. The attack targeted a major U.S. services company, leveraging a custom Go-based remote access trojan (RAT) to evade detection.
The malware exploits Microsoft Teams’ Traversal Using Relays around NAT (TURN) protocol, which facilitates message delivery when direct client connections are unavailable. By obtaining an anonymous Teams visitor token and routing traffic through legitimate Microsoft TURN relays, Backdoor.Turn masks malicious communications as trusted network activity, making it the first known in-the-wild malware to abuse this technique.
DragonForce, active since at least 2023 and linked to the Scattered Spider threat group, employed a multi-stage attack chain. Initial access likely came via an unknown SQL/MSSQL server vulnerability, followed by the deployment of a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL for sideloading. Attackers then established persistence, created rogue user accounts, weakened Windows security policies, and modified firewall rules.
To escalate privileges and disable defenses, the group used Bring Your Own Vulnerable Driver (BYOVD) tactics, exploiting multiple drivers, including:
- Huawei’s HWAuidoOs2Ec.sys (Havoc Process Terminator)
- Topaz Antifraud wsftprm.sys (CVE-2023-52271)
- Tower of Fantasy GameDriverx64.sys (CVE-2025-61155)
- K7 Security K7RKScan.sys (CVE-2025-1055)
- A custom malicious driver, ABYSSWORKER, disguised as a Palo Alto driver.
Backdoor.Turn was injected into DbgView64.exe, enabling capabilities such as command execution, process manipulation, network scanning, credential theft, and Active Directory reconnaissance. After exfiltrating data, the attackers deployed DragonForce ransomware, encrypting the victim’s systems.
Symantec researchers described the campaign as employing "exceptionally sophisticated cyber tradecraft" and released indicators of compromise (IoCs) to aid detection. The incident underscores the growing abuse of trusted enterprise tools for covert C2 operations.
MAY 2026 (score 725)
Vulnerability | 29 May 2026 | PAN | score 723 | CRITICAL-2 | ID PAL1780115030
Source headline: Palo Alto Networks: Cyber Security News ®’s Post
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability Exploited in the Wild
On May 29, 2026, CISA added CVE-2026-0257, a critical authentication bypass vulnerability in Palo Alto Networks’ PAN-OS and Prisma Access, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.
The flaw resides in the "authentication override" feature, a non-default setting in GlobalProtect portals and gateways that issues session cookies to authenticated users, eliminating the need for repeated logins. The vulnerability is triggered when the same certificate used to encrypt and decrypt these cookies is also employed by another feature, such as the HTTPS service of the portal or gateway.
Exploitation of this misconfiguration allows attackers to bypass authentication controls, potentially gaining unauthorized access to affected systems. The issue underscores the risks of improperly configured security features, even in enterprise-grade solutions. Organizations using PAN-OS or Prisma Access with the authentication override feature enabled are urged to review their deployments for shared certificate usage.
APRIL 2026 (score 696)
Vulnerability | 09 Apr 2026 | PAN | score 700 | CRITICAL-4 | ID PAL1775738158
Source headline: Palo Alto Networks: Palo Alto Cortex Microsoft Teams Integration Vulnerability Enables Data Access for Attackers
Palo Alto Networks Patches Critical Flaw in Cortex XSOAR and XSIAM Microsoft Teams Integration
Palo Alto Networks has released an urgent security update to address a high-severity vulnerability (CVE-2026-0234) in the Microsoft Teams integration for Cortex XSOAR and Cortex XSIAM. The flaw, classified as an "Improper Verification of Cryptographic Signature" (CWE-347), could allow unauthenticated attackers to bypass security controls and access or modify sensitive data.
The vulnerability stems from the integration’s failure to properly validate cryptographic signatures, enabling attackers to forge authentication tokens. With no prior privileges or user interaction required, threat actors could remotely exploit the flaw to manipulate security playbooks, access confidential incident data, or disrupt defensive operations. The flaw carries a CVSS base score of 9.2, with an adjusted operational severity score of 7.2, reflecting its high potential impact despite requiring advanced technical expertise to exploit.
Affected versions include Cortex XSOAR and XSIAM Microsoft Teams Marketplace integrations (1.5.0 through 1.5.51). Palo Alto Networks has confirmed no active exploitation in the wild but warns that no temporary mitigations exist; patching to version 1.5.52 or later is the only remediation. The vulnerability was discovered by an external researcher identified as "quinn." Organizations using these platforms are advised to apply the update immediately to prevent potential breaches.
MARCH 2026 (score 720)
Vulnerability | 19 Mar 2026 | PAN | score 718 | CRITICAL-2 | ID FOR1773937523
Source headline: Fortinet: Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation
The Gentlemen Ransomware Group Affiliate Leak
New Insights into "The Gentlemen" Ransomware Group Revealed Amid Affiliate Leak
A ransomware affiliate known as hastalamuerte has exposed operational details of The Gentlemen, a rapidly emerging ransomware-as-a-service (RaaS) group, following internal disputes. Research published by Group-IB on March 19 provides a rare look into the group’s infrastructure, attack methods, and affiliate dynamics.
The Gentlemen emerged from a split within the Qilin RaaS ecosystem, leveraging existing tools to establish itself as a new threat. The group employs a dual-extortion model, encrypting victim data while threatening public leaks to pressure payments. Targets span Windows, Linux, and ESXi environments, with initial access often gained through vulnerable FortiGate VPN devices via exploitation or brute-force attacks.
Once inside, affiliates use automated lateral movement, including PowerShell and Windows Management Instrumentation, to harvest credentials, disrupt backups, and deploy domain-wide encryption. The group also employs anti-forensic measures, such as log deletion and Bring Your Own Vulnerable Driver (BYOVD) attacks, to evade detection and hinder recovery.
The leak underscores growing tensions within RaaS networks, where disputes among affiliates can expose operational details. The Gentlemen’s rise reflects broader trends in cybercrime, including increased specialization and professionalization of ransomware groups. Their use of advanced evasion techniques and flexible infrastructure continues to challenge traditional security defenses, while internal instability may create opportunities for disruption.
MARCH 2026 (score 696)
Vulnerability | 12 Mar 2026 | PAN | score 693 | HIGH-3 | ID PAL1773325642
Source headline: Palo Alto Networks: Palo Alto Cortex XDR Broker Vulnerability Lets Attackers Obtain and Modify Sensitive Information
Critical Vulnerability Discovered in Palo Alto Cortex XDR Broker VM (CVE-2026-0231)
Palo Alto Networks has issued a security advisory for a newly identified vulnerability in the Cortex XDR Broker Virtual Machine (VM), tracked as CVE-2026-0231. The flaw, classified as a sensitive information disclosure vulnerability (CWE-497), could allow a highly privileged, authenticated attacker to access and modify sensitive system data.
The vulnerability carries a Medium CVSS 4.0 score of 5.7 and is rated Moderate in urgency. Exploitation requires an attacker to have high-level administrative privileges and direct network access to the targeted Broker VM. If these conditions are met, the threat actor can initiate an unauthorized terminal session via the Cortex UI, exposing embedded sensitive data and altering critical configurations.
Despite its potential impact (scored "High" for confidentiality, integrity, and availability), the attack’s strict prerequisites (high privileges and local access) limit the risk of widespread exploitation. Currently, there are no reports of active malicious exploitation, and exploit maturity remains unreported, meaning no automated attack tools have been observed.
The flaw was discovered internally by researcher Nicola Kalak, providing organizations with time to apply fixes before external threats emerge.
Affected Versions & Mitigation
The vulnerability impacts Cortex XDR Broker VM versions 30.0.0 through 30.0.49. Palo Alto Networks has released patches, with no known workarounds available. Security teams are advised to:
- Verify their Broker VM version.
- Upgrade to version 30.0.49 or later immediately.
- Enable automatic upgrades to ensure future patches are applied without manual intervention.
The Cortex XDR Broker VM plays a critical role in security environments, routing traffic and collecting logs. Unauthorized access to its configurations could have serious operational implications, reinforcing the need for prompt patching.
FEBRUARY 2026 (score 695)
Vulnerability | 11 Feb 2026 | PAN | score 693 | CRITICAL-2 | ID PAL1770889931
Source headline: Palo Alto Networks: Palo Alto Networks Firewall Vulnerability Lets Attackers Trigger Reboot Loops
Palo Alto Networks Discloses PAN-OS Firewall DoS Vulnerability (CVE-2026-0229)
Palo Alto Networks has identified a denial-of-service (DoS) vulnerability in its PAN-OS firewall software, tracked as CVE-2026-0229, which could allow unauthenticated attackers to force repeated device reboots. The flaw resides in the Advanced DNS Security (ADNS) feature and can be exploited via a maliciously crafted network packet, potentially pushing affected firewalls into a reboot loop and eventually maintenance mode, disrupting traffic inspection and connectivity.
The vulnerability, rated medium severity (CVSS 6.66), was discovered internally by Palo Alto Networks and disclosed on February 11, 2026. No known malicious exploitation has been reported, and the company classifies the exploit maturity as unreported.
Affected systems include on-premises and self-managed PAN-OS deployments with ADNS enabled and a spyware security profile configured to block, sinkhole, or alert; environments actively enforcing ADNS protections are most at risk. Cloud NGFW and Prisma Access are unaffected.
Palo Alto Networks has released patches for impacted versions:
- PAN-OS 12.1.4+ (12.1 train)
- PAN-OS 11.2.10+ (11.2 train)
No workarounds or Threat Prevention signatures are available, making patching the primary remediation. Administrators are advised to inventory firewalls with ADNS enabled, verify affected versions, and monitor for unexpected reboots that may indicate exploitation attempts.
FEBRUARY 2026 (score 706)
Cyber Attack | 05 Feb 2026 | PAN | score 695 | CRITICAL-11 | ID CISPAL1770367076
Source headline: Palo Alto Networks and Critical infrastructure sectors: Hackers Hit Sensitive Targets in 37 Nations in Vast Spying Plot
State-Backed Hackers Target Government and Critical Infrastructure in 37 Countries
On February 5, 2026, cybersecurity firm Palo Alto Networks uncovered a large-scale espionage campaign orchestrated by state-aligned threat actors. The operation, spanning 37 nations, focused on infiltrating government agencies and critical infrastructure sectors, including energy, telecommunications, and defense.
The attack leveraged sophisticated tactics, techniques, and procedures (TTPs) to evade detection, suggesting involvement by well-resourced adversaries. While specific attribution remains undisclosed, the scale and precision of the campaign point to a coordinated effort with geopolitical motivations.
The breach highlights the growing threat posed by nation-state cyber operations, underscoring vulnerabilities in global digital infrastructure. Authorities and affected organizations are assessing the extent of the compromise, though details on data exfiltration or operational disruptions remain limited. The incident serves as a reminder of the persistent risks faced by high-value targets in an increasingly contested cyber landscape.
JANUARY 2026 (score 707)
Vulnerability | 15 Jan 2026 | PAN | score 704 | LOW-3 | ID PAL1768466828
Source headline: Palo Alto Networks: Cyber Security News ®’s Post
Critical Denial-of-Service Vulnerability in PAN-OS Firewall Software (CVE-2026-0227)
Palo Alto Networks Firewall Vulnerability Exposes GlobalProtect to DoS Attacks
Palo Alto Networks has disclosed a critical denial-of-service (DoS) vulnerability in its PAN-OS firewall software, tracked as CVE-2026-0227, which allows unauthenticated attackers to disrupt GlobalProtect gateways and portals. The flaw, rated 7.7 (HIGH severity) under CVSS v4.0, stems from improper handling of unusual conditions, forcing affected firewalls into maintenance mode after repeated exploitation attempts.
Classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-210 (Abuse Existing Functionality), the vulnerability severely impacts product availability while leaving confidentiality and integrity unaffected. The issue was identified in PAN-OS, though specific affected versions and mitigation steps have not been publicly detailed at this time. Organizations relying on Palo Alto Networks firewalls for remote access security should monitor updates for patches and remediation guidance.
DECEMBER 2025 (score 703)
NOVEMBER 2025 (score 704)
Vulnerability | 13 Nov 2025 | PAN | score 701 | MEDIUM-3 | ID PAL5292352111325
Source: Palo Alto Networks
Critical Denial-of-Service Vulnerability in Palo Alto Networks PAN-OS Software
A critical denial-of-service (DoS) vulnerability (CVE-TBD) in Palo Alto Networks’ PAN-OS allows unauthenticated attackers to remotely reboot firewalls by sending maliciously crafted packets via the data plane. Repeated exploits can force firewalls into maintenance mode, disabling network protections and exposing organizations to secondary attacks. The flaw affects PA-Series, VM-Series firewalls, and Prisma Access (excluding Cloud NGFW) across multiple PAN-OS versions (10.2, 11.1, 11.2), with no evidence of active exploitation yet. The issue stems from improper exception handling (CWE-754) and pointer manipulation (CAPEC-129), requiring no authentication or user interaction. While Palo Alto Networks assigned a CVSS 8.7 (MEDIUM severity, MODERATE urgency), the vulnerability’s network-based, no-authentication exploitability poses significant risk to critical infrastructure. Affected organizations lack workarounds, making immediate patching essential. Unpatched systems face operational disruption, potential follow-on attacks, and loss of firewall resilience, though no data breaches or ransomware are reported. Remediation requires upgrades to PAN-OS 10.2.14, 11.1.7, or 11.2.5 (or hotfixes), with Prisma Access patches pending for some deployments.
OCTOBER 2025 (score 736)
Breach | 21 Oct 2025 | PAN | score 702 | CRITICAL-34 | ID DRI1593115102125
Source: Salesloft
Salesloft-Drift OAuth Token Breach
The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.
SEPTEMBER 2025 (score 778)
Breach | 02 Sep 2025 | PAN | score 733 | CRITICAL-45 | ID PAL505090325
Source: Palo Alto Networks
Supply Chain Breach via Salesloft Drift Exploit Targeting Salesforce Data
Palo Alto Networks fell victim to a sophisticated supply chain cyberattack after threat actors (UNC6395) exploited a vulnerability in Salesloft Drift, a third-party sales/marketing SaaS tool integrated with Salesforce. The attackers stole OAuth tokens, granting unauthorized access to Palo Alto’s Salesforce instance. While the breach was confined to business contact details (names, emails, job titles, phone numbers), sales account records, and case metadata, it exposed sensitive customer data tied to major tech firms. The company disabled the compromised integration, revoked affected tokens, and collaborated with Salesforce/Salesloft for forensic analysis. No evidence suggested misuse of the exposed data, but the incident underscored risks in third-party dependencies. Customers were notified, and internal safeguards were reviewed to mitigate future threats. The attack aligns with a broader trend targeting Salesforce ecosystems, including TransUnion’s recent breach affecting 4.4M US consumers.
AUGUST 2025 (score 778)
JULY 2025 (score 777)
JUNE 2025 (score 777)
Vulnerability | 12 Jun 2025 | PAN | score 775 | LOW-2 | ID PAL304061225
Source: Palo Alto Networks
PAN-OS Admin Command Injection Vulnerability
A newly disclosed command injection vulnerability in Palo Alto Networks’ PAN-OS operating system poses significant security risks to enterprise firewall infrastructures worldwide. The vulnerability, catalogued as CVE-2025-4230, enables authenticated administrators with command-line interface (CLI) access to execute arbitrary commands with root-level privileges, potentially compromising entire network security architectures. This flaw allows malicious actors to exploit insufficient input validation within the PAN-OS CLI interface, enabling them to bypass system restrictions and execute unauthorized commands with elevated privileges.
MAY 2025 (score 779)
Vulnerability | 21 May 2025 | PAN | score 777 | MEDIUM-2 | ID PAL1480714112625
Source: Palo Alto Networks
Palo Alto Networks GlobalProtect Reflected XSS Vulnerability (CVE-2025-0133)
Palo Alto Networks disclosed a reflected cross-site scripting (XSS) vulnerability (CVE-2025-0133) in its GlobalProtect gateway and portal (PAN-OS software). The flaw allows attackers to execute malicious JavaScript in authenticated users' browsers via crafted links, enabling credential theft through phishing. While the default CVSS score is 2.0 (Low), it escalates to 5.5 (Medium) when Clientless VPN is enabled. Proof-of-concept (PoC) exploit code is already public, increasing the risk of active exploitation before patches (expected June–August 2025) are deployed. The vulnerability affects multiple PAN-OS versions (11.2, 11.1, 10.2, 10.1) and Cloud NGFW, but Prisma Access is unaffected. Mitigations include upgrading to patched versions, enabling Threat Prevention IDs (510003, 510004), or disabling Clientless VPN. Though no confirmed malicious exploitation exists yet, the social engineering risk—tricking users into clicking malicious links—poses a significant threat to authentication integrity, particularly for organizations relying on Clientless VPN. Urgent action is advised to prevent credential compromise and downstream attacks.
MAY 2025 (score 789)
Cyber Attack | 01 May 2025 | PAN | score 778 | CRITICAL-11 | ID PALIVASOPPULFOR1773764643
Source headline: Sophos, Fortinet, Ivanti, Palo Alto Networks and Pulse Secure: Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials
Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users
Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign by manipulating search engine rankings to distribute fake VPN software. The operation targets employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to spoofed websites that deliver malicious download packages.
Victims who install the fake software unknowingly expose their VPN credentials, which are silently harvested and sent to attacker-controlled servers. The campaign leverages SEO poisoning to push fraudulent sites to the top of search results for queries such as “Pulse VPN download.” These sites mimic legitimate vendor portals, complete with logos and download buttons, while hosting malicious ZIP files on GitHub repositories since removed.
The trojans were digitally signed with a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”, which has since been revoked. Microsoft Defender Experts identified the campaign in mid-January 2026, attributing it to Storm-2561 based on its history of malware distribution through SEO abuse and software impersonation.
After credential theft, the fake VPN client displays a convincing error message before redirecting the victim to the official vendor website, ensuring no visible signs of compromise. The attack delivers its payload via a Windows Installer (MSI) package disguised as a legitimate Pulse Secure installer, dropping malicious DLL files (dwmapi.dll and inspector.dll) that function as an in-memory loader and a variant of the Hyrax infostealer. The malware exfiltrates credentials to 194.76.226[.]93:8080 and maintains persistence via the Windows RunOnce registry key.
The campaign extends beyond Pulse Secure, with additional fake installers for GlobalProtect VPN and Sophos Connect discovered under the same certificate. Stolen credentials enable lateral movement within corporate networks, unauthorized data access, and follow-on attacks, posing a significant risk to enterprises relying on VPNs for remote operations. The attack’s sophistication, combining realistic spoofing, legitimate-looking signatures, and post-compromise redirection, makes detection particularly challenging.
APRIL 2025 (score 791)
Vulnerability | 10 Apr 2025 | PAN | score 789 | HIGH-2 | ID PAL707041025
Source: Palo Alto Networks
Palo Alto Networks PAN-OS DoS Vulnerability
Palo Alto Networks' PAN-OS software was found to contain a significant denial-of-service (DoS) vulnerability, labeled CVE-2025-0128, affecting several versions and potentially putting organizations at risk of service interruptions. Unauthenticated attackers could exploit this vulnerability to force system reboots and maintenance mode engagement, leading to service unavailability for those reliant on the company's firewall appliances. The security flaw, while rated 'MEDIUM' in severity due to a CVSS score of 6.6, has a high impact on availability, albeit not directly threatening data confidentiality or integrity. Security recommendations encourage immediate updates to patched software versions to prevent exploitation.
APRIL 2025 (score 795)
Vulnerability | 01 Apr 2025 | PAN | score 794 | HIGH-1 | ID CITCITPOLPAL1776104847
Source headline: Polara Enterprises, City of Menlo Park, City of Palo Alto and City of Redwood City: The Dumbest Hack of the Year Exposed a Very Real Problem
Silicon Valley Crosswalk Buttons Hacked in Unprecedented Cyberattack
In April, an unknown attacker targeted roughly 20 street intersections across Silicon Valley, exploiting weak default passwords on wireless crosswalk buttons to replace standard pedestrian alerts with spoofed recordings of tech CEOs. At a Menlo Park intersection, a fake Mark Zuckerberg warned of AI’s inevitable dominance, while another clip mocked democracy. Nearby, an altered Elon Musk voice made bizarre claims about former President Donald Trump and personal loneliness.
The hack, which later spread to Seattle and Denver, exposed glaring security oversights in municipal infrastructure. Emails obtained by WIRED reveal city officials in Menlo Park, Redwood City, and Palo Alto scrambling to respond, with Redwood City’s then-manager demanding accountability for the lapse. The city’s vendor contract lacked explicit cybersecurity requirements, despite the buttons’ Bluetooth-enabled customization features.
Polara Enterprises, a major supplier of these buttons, ships models with a default password of “1234” and provides public documentation for their configuration app. Months before the attack, a security researcher had demonstrated the vulnerability in a YouTube video, though authorities have yet to identify the perpetrator. Surveillance footage and the buttons’ lack of user tracking left the investigation at a dead end.
The incident prompted federal scrutiny, with a retired Federal Highway Administration official emphasizing the need for stronger cybersecurity clauses in municipal contracts. The agency had previously issued advisories on securing crosswalk systems, but enforcement remains inconsistent. The hack underscores the risks of overlooked vulnerabilities in critical urban infrastructure.
JANUARY 2025 (score 825)
Breach | 01 Jan 2025 | PAN | score 792 | CRITICAL-33 | ID ZSCPALDRISAL1773852939
Source headline: Salesloft, Zscaler, Drift and Palo Alto Networks: Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches
The Great SaaS Breach of 2025: How a Single OAuth Token Compromised 700+ Organizations
A new report from Grip Security reveals alarming trends in SaaS security, analyzing 23,000 SaaS environments and uncovering critical vulnerabilities. Every company examined operates AI-embedded SaaS applications, with a 490% year-over-year surge in public SaaS attacks. 80% of incidents involve PII or customer data, but the most concerning finding is the average organization’s exposure to 140 AI-enabled SaaS environments, each a potential vector for cascading breaches.
The Salesloft Drift incident, dubbed the "Great SaaS Breach of 2025," exemplifies this risk. UNC6395 attackers compromised Salesloft’s GitHub repositories, then pivoted to Drift’s AWS environment, stealing OAuth and refresh tokens used by customers to connect the Drift Chatbot to Salesforce, Slack, and other apps. With a legitimate OAuth token, the attackers impersonated Drift, breaching Salesforce installations across 700+ organizations, including Cloudflare, Palo Alto Networks, Zscaler, and CyberArk.
The attack exploited shadow AI (AI embedded in SaaS apps without formal oversight), where businesses unknowingly adopt agentic AI for efficiency, often without auditing security implications. OAuth tokens, treated as routine access credentials, became the weak link. Once stolen (often via infostealers), they granted attackers unhindered access, enabling them to cascade through connected systems via IdentityMesh, a unified authentication flaw that links multiple AI environments.
The report warns that 2026 could see even larger breaches, as autonomous workflows outpace security controls. While regulations are emerging, they remain fragmented, conflicting, and unevenly enforced. The solution, according to Grip, lies in dynamic governance: replacing static approvals with continuous oversight, discovery, and risk-based controls to treat AI as a managed third-party risk.
The incident underscores that AI is not a future threat but a present one, reshaping business risk, and that without proactive measures the blast radius of a single breach will only grow.
Vulnerability | 01 Jan 2025 | PAN | score 792 | CRITICAL-33 | ID FORSONPAL1773829502
Source headline: SonicWall, Fortinet and Palo Alto Networks: Google Warns Ransomware Groups Are Pivoting To Data Theft As Profits Decline
Ransomware Landscape Shifts in 2025 as Cybercriminals Pivot to Data Extortion
Google Threat Intelligence’s 2025 ransomware report reveals a major transformation in cybercriminal tactics, driven by declining profits from traditional encryption-based attacks. With organizations improving their defenses (nearly half of victims restored systems from backups in 2024), ransom payment rates hit a historic low by 2025. The average ransom demand also dropped by a third, falling from $2 million in 2024 to $1.34 million.
The ransomware ecosystem has faced significant disruptions, including law enforcement crackdowns and internal conflicts that dismantled prominent groups like LockBit, ALPHV, Basta, and RansomHub. These upheavals forced cybercriminals to adopt stricter vetting processes for affiliates. Despite these challenges, the threat landscape remains active, with groups like Qilin and Akira filling the void. Data-leak site posts surged by nearly 50% in 2025, with the REDBIKE ransomware family accounting for 30% of analyzed incidents.
Attackers continue to exploit vulnerabilities in firewalls and VPNs, particularly in products from Fortinet, SonicWall, and Palo Alto, which were used in a third of 2025 intrusions. Virtualization infrastructure, such as ESXi hypervisors, has become a prime target, involved in 43% of attacks, up from 29% the previous year. Cybercriminals are also adopting cross-platform ransomware and leveraging AI for victim analysis, while decentralized Web3 networks help shield their operations.
As profits shrink, the report warns of a potential rise in aggressive extortion tactics in 2026.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for PAN?
What was PAN's A.I Rankiteo Cyber Score in May 2026?
What was PAN's A.I Rankiteo Cyber Score in April 2026?
What was PAN's A.I Rankiteo Cyber Score in March 2026?
What was PAN's A.I Rankiteo Cyber Score in February 2026?
What was PAN's A.I Rankiteo Cyber Score in January 2026?
What was PAN's A.I Rankiteo Cyber Score in December 2025?
What was PAN's A.I Rankiteo Cyber Score in November 2025?
What was PAN's A.I Rankiteo Cyber Score in October 2025?
What was PAN's A.I Rankiteo Cyber Score in September 2025?
What was PAN's A.I Rankiteo Cyber Score in August 2025?
What was PAN's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on PAN's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with PAN?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view PAN's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?