FISA

A new cyberattack campaign is turning a routine business process into a serious security risk. Threat actors are now distributing fake job applications containing malicious files, allowing them to infiltrate corporate systems and steal sensitive data. The campaign, identified as FAUX#ELEVATE , targets organizations by sending emails that appear to come from legitimate job candidates. Attached to these emails are resumes that look normal but actually contain hidden malicious scripts. Once opened, the file quietly executes in the background without raising immediate suspicion. From that point, the attack progresses rapidly. Within seconds, the malware connects to external infrastructure to download additional components and begin extracting sensitive information from the infected system. This includes stored credentials, browser data, and other valuable corporate information. In some cases, the attackers also deploy cryptocurrency mining software, although the primary objective appear...

The Model We’ve Always Trusted For a long time, the “kill chain” has been one of the most reliable ways to understand cyberattacks. The idea was straightforward: every attacker follows a path starting with reconnaissance, moving through access and lateral movement, and ending with impact. This structure gave security teams something very valuable: predictability. If you knew the stages, you could detect patterns. If you could detect patterns, you had a chance to stop the attack before it went too far. But that predictability is starting to disappear. AI Is Changing the Rules of the Game AI is no longer just a tool sitting on the side. It’s now deeply embedded in systems, helping automate processes, make decisions, and interact across environments. And that’s where things start to shift. Instead of building an attack step by step, an attacker can now target something that already exists inside the environment: an AI agent. These agents are designed to be efficient and helpful, wh...

  The ransomware operation known as  LeakNet  has adopted the   ClickFix  social engineering tactic delivered through compromised websites as an initial access method. The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from relying on traditional methods for obtaining initial access, such as through stolen credentials acquired from initial access brokers (IABs) . The second important aspect of these attacks is the use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to execute malicious payloads directly in memory. The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time.That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in. LeakNet first emerged in  November 2024 , ...

  Amazon Threat Intelligence is warning of an active  Interlock  ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software. The vulnerability in question is  CVE-2026-20131  (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. According to data gleaned from the tech giant's  MadPot   global sensor network , the security flaw is said to have been exploited as a zero-day since January 26, 2026, more than a month before it was publicly disclosed by Cisco. This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look.  The discovery was made possible, thanks to an operational...

A new cybersecurity alert from Cybersecurity and Infrastructure Security Agency has raised serious concerns about two widely used enterprise platforms: Zimbra Collaboration Suite and Microsoft SharePoint . According to a report published by The Hacker News , both systems contain vulnerabilities that are now being actively exploited by cyber attackers. Critical Vulnerabilities Identified The warning focuses on two specific security flaws that have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog , a list of threats that are already being used in real-world attacks. CVE-2026-20963 (SharePoint) This is a high-severity vulnerability that allows attackers to execute malicious code remotely over a network. It stems from a weakness known as “deserialization of untrusted data,” which can let hackers take control of a system without needing authentication. CVE-2025-66376 (Zimbra) This flaw is a stored cross-site scripting (XSS) vulnerability found in Zimbra’s Class...

  A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level. Tracked as  CVE-2026-3888  (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system. "This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components:  snap-confine  and systemd-tmpfiles," the Qualys Threat Research Unit (TRU)  said . "While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system."  The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g.,/tmp, /run, and /var/tmp) older ...

  Apple on Tuesday released its first round of  Background Security Improvements  to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as  CVE-2026-20643  (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming. Apple  notes  that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuin...

  Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. The vulnerability, tracked as  CVE-2026-32746 , carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution. Israeli cybersecurity company Dream, which discovered and reported the flaw on March 11, 2026, said it affects all versions of the Telnet service implementation through 2.7. A fix for the vulnerability is expected to be available no later than April 1, 2026. "An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake — before any login prompt appears," Dream  said  in an alert. "Success...

  A new cybersecurity report from The Hacker News has revealed a dangerous hacking campaign linked to North Korea that uses everyday communication tools to spread malware. The attack focuses on targeting individuals through phishing emails and then exploiting their trusted messaging networks. The campaign begins when a victim receives a carefully crafted email designed to look legitimate. Once the attached file is opened, it installs a malicious program known as EndRAT onto the victim’s device. This malware allows attackers to gain full access to the system, including the ability to monitor activity, steal sensitive data, and maintain long-term control without being detected. What makes this attack especially concerning is its use of KakaoTalk , a widely used messaging platform. After infecting a device, the hackers use the victim’s KakaoTalk account to send malicious messages to their contacts. Because these messages come from a trusted source, recipients are much more likely to ...