Posts

Showing posts from April, 2026

Drift Loses $285 Million in DPRK-Linked Social Engineering Attack

What Happened
Solana-based decentralized exchange Drift confirmed that attackers drained approximately $285 million from the platform on April 1, 2026. The attack was notable for what it wasn't: Drift stated the breach did not exploit a vulnerability in its programs or smart contracts, and there is no evidence of compromised seed phrases. Instead, it was a sophisticated social engineering operation. The attackers obtained sufficient multisig approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions, ultimately using that access to introduce a malicious asset and remove all pre-set withdrawal limits.
How the Attack Worked
Drift described the incident as involving "unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms." Preparations for the hack were underway as early as March 23, 2026 — more than a week before execution. ...

Why Third-Party Risk Is the Biggest Gap in Your Security Posture

Executive Summary
The next major breach hitting an organization probably won't come from inside its own walls. It'll arrive through a trusted vendor, a SaaS tool a business unit quietly adopted, or a subcontractor nobody in IT knows about. That's the new attack surface — and most organizations are underprepared for it.
The Perimeter Has Dissolved
Traditional cybersecurity strategy revolved around a defined boundary: firewalls, endpoint controls, identity management. That model no longer reflects reality. Today, client data lives in third-party SaaS applications, flows through vendor APIs, and is processed by subcontractors that internal IT teams may not even be aware of. The numbers back this up. The 2025 Verizon Data Breach Investigations Report found third parties involved in 30% of all breaches. IBM's 2025 Cost of a Data Breach Report puts the average remediation cost of a third-party breach at $4.91 million. This is no longer an edge case — it's a core fe...

Hackers Exploit Critical Vulnerability CVE-2025-55182 to Compromise Next.js Servers

A recent wave of cyberattacks has highlighted the serious risks posed by the critical vulnerability CVE-2025-55182, also referred to as React2Shell. Threat actors are actively exploiting this flaw to compromise servers running modern web frameworks such as Next.js.
What is CVE-2025-55182?
CVE-2025-55182 is a Remote Code Execution (RCE) vulnerability that can be exploited without prior authentication. It affects server-side components in React-based environments, allowing attackers to execute arbitrary code on targeted systems. The root cause of the issue lies in how user input is processed, creating an opportunity for malicious payload injection and exploitation.
How is the vulnerability being exploited?
Recent reports indicate that threat actors are leveraging this vulnerability to:
- Compromise large numbers of Next.js servers
- Steal sensitive data and credentials
- Establish persistence mechanisms for long-term access
- Operate command-and-control (C2) infrastructur...

Apple Expands iOS 18.7.7 to More Devices to Mitigate DarkSword Exploit Risk

Overview
Apple has expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a wider range of supported devices in order to protect users against web-based attacks linked to the DarkSword exploit kit. According to the report, Apple enabled the broader rollout on April 1, 2026, so that users with Automatic Updates enabled can receive the protections more easily.
What the update addresses
The report states that DarkSword is an iOS exploit kit that has been used in real-world attacks since July 2025. It reportedly targets iPhones and iPads running versions between iOS 18.4 and 18.7. The attack is triggered when a victim visits a legitimate but compromised website, making it a watering hole attack scenario. Once activated, the exploit chain can reportedly install backdoors and steal data from the device.
Expansion of device coverage
Apple had initially released iOS 18.7.7 and iPadOS 18.7.7 on March 24, 2026, but only for a limited group of older devices, including the iPhone ...

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a new phishing campaign where attackers impersonated CERT-UA to distribute a remote access trojan called AGEWHEEZE. The campaign, attributed to threat group UAC-0255, involved phishing emails sent on March 26–27, 2026, containing a password-protected ZIP file disguised as a security tool. The archive downloaded malware that allows attackers to execute commands, manage files, capture screenshots, and maintain persistence on infected systems. The campaign targeted government institutions, medical centers, financial institutions, educational organizations, security companies, and software development firms. Some phishing emails were sent from the address incidents@cert-ua[.]tech. The malware communicates with a remote server via WebSockets and can maintain persistence through scheduled tasks, registry changes, or startup folder modifications. Authorities reported that the campaign had limited success, affectin...

WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action

Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with spyware. According to reports from Italian newspaper La Repubblica and news agency ANSA, the vast majority of the targets are located in Italy. It's assessed that the threat actors behind the activity used social engineering tactics to get users to install malicious software that mimicked WhatsApp. All the affected users have been logged out and have been recommended to uninstall the malware-laced apps and download the official WhatsApp app. WhatsApp did not reveal who was targeted in these attacks. The tech giant said it's also taking action against Asigint, an Italian subsidiary of spyware company SIO, for allegedly creating a counterfeit version of WhatsApp. On its website, the company advertises solutions to law enforcement agencies, government organizations, and ...

Fake Software Installers Used to Deploy RATs and Crypto Mining Malware

Security researchers at Elastic Security Labs have uncovered an ongoing financially motivated campaign, tracked as REF1695, that has been distributing malware through fake software installers since at least November 2023. The operation combines cryptocurrency mining with Cost Per Action (CPA) fraud, redirecting victims to content locker pages disguised as software registration screens.
How the Attack Works
The infection chain begins with an ISO file, a disk image typically associated with legitimate software, which contains a protected loader and a text file. The instructions inside the file actually guide the victim into bypassing Microsoft Defender SmartScreen, the built-in Windows protection against unrecognized apps, by clicking "More info" and then "Run anyway." Once executed, the loader calls PowerShell to disable Windows Defender antivirus protections across the board, then silently installs a newly identified malware called CNB Bot. To keep the victim un...