Posts

LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic, delivered through compromised websites, as an initial access method. In ClickFix, users are tricked into manually running malicious commands to fix non-existent errors; relying on it is a departure from traditional initial access methods such as stolen credentials bought from initial access brokers (IABs). The second notable aspect of these attacks is a staged command-and-control (C2) loader built on the Deno JavaScript runtime that executes malicious payloads directly in memory. The key takeaway is that both entry paths lead to the same repeatable post-exploitation sequence every time. That gives defenders something concrete to work with: known behaviors that can be detected and disrupted at each stage, well before ransomware deployment, regardless of how LeakNet got in. LeakNet first emerged in November 2024, ...

Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that is exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of a user-supplied Java byte stream that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. According to data gleaned from the tech giant's MadPot global sensor network, the flaw is said to have been exploited as a zero-day since January 26, 2026, more than a month before it was publicly disclosed by Cisco. This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look. The discovery was made possible thanks to an operational...

CISA Warns of Actively Exploited Zimbra and SharePoint Vulnerabilities

A new alert from the Cybersecurity and Infrastructure Security Agency (CISA) has raised serious concerns about two widely used enterprise platforms: Zimbra Collaboration Suite and Microsoft SharePoint. According to a report published by The Hacker News, both systems contain vulnerabilities that are now being actively exploited. The warning covers two flaws that have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, a list of vulnerabilities already being used in real-world attacks. CVE-2026-20963 (SharePoint): a high-severity vulnerability that allows attackers to execute malicious code remotely over a network. It stems from a weakness known as "deserialization of untrusted data," which can let attackers take control of a system without authentication. CVE-2025-66376 (Zimbra): a stored cross-site scripting (XSS) vulnerability found in Zimbra's Class...

Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit

A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to root. Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system. "This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles," the Qualys Threat Research Unit (TRU) said. "While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system." The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g., /tmp, /run, and /var/tmp) older ...

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming. Apple notes that Background Security Improvements are meant to deliver lightweight security releases for components such as the Safari browser, the WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuin...

Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

Cybersecurity researchers have disclosed a critical security flaw in the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution. Israeli cybersecurity company Dream, which discovered and reported the flaw on March 11, 2026, said it affects all versions of the telnet service implementation through 2.7. A fix for the vulnerability is expected to be available no later than April 1, 2026. "An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake — before any login prompt appears," Dream said in an alert. "Success...

North Korean Hackers Use Messaging App to Spread Malware

A new cybersecurity report from The Hacker News has revealed a dangerous hacking campaign linked to North Korea that uses everyday communication tools to spread malware. The attack targets individuals through phishing emails and then exploits their trusted messaging networks. The campaign begins when a victim receives a carefully crafted email designed to look legitimate. Once the attached file is opened, it installs a malicious program known as EndRAT on the victim's device. This malware gives attackers full access to the system, including the ability to monitor activity, steal sensitive data, and maintain long-term control without being detected. What makes this attack especially concerning is its use of KakaoTalk, a widely used messaging platform. After infecting a device, the hackers use the victim's KakaoTalk account to send malicious messages to their contacts. Because these messages come from a trusted source, recipients are much more likely to ...

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages stolen GitHub tokens to inject malware into hundreds of Python repositories. "The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py," StepSecurity said. "Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware." According to the software supply chain security company, the earliest injections date back to March 8, 2026. Upon gaining access to developer accounts, the attackers rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. Th...
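The detail that the rewritten commits keep their original author and author date gives defenders a cheap heuristic: a rebase re-creates each commit object and stamps it with a fresh committer date, so an old commit whose committer date is months newer than its author date is worth diffing. The script below is an added example written for this page, not StepSecurity's tooling or anything from the campaign itself; the `git log` format string is real git syntax, while the one-day threshold, the three sample commits, and the `maintainer` author name are constructed assumptions for the demo.

```python
"""Spot commits whose history looks rewritten, as in a rebase-and-force-push.

Rebasing keeps a commit's author, author date and message but stamps a new
committer date, so an old commit whose committer date is far newer than its
author date deserves a look. The threshold and the sample data below are
assumptions for this example, not figures from any vendor report.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# git log format: sha, author epoch, committer epoch, author, committer, subject
LOG_FORMAT = "%H%x09%at%x09%ct%x09%an%x09%cn%x09%s"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    author: str
    committer: str
    subject: str

    @property
    def lag(self) -> timedelta:
        """How long after the author date the commit object was (re)written."""
        return timedelta(seconds=self.committer_ts - self.author_ts)


def parse_log(text: str) -> list[Commit]:
    """Parse tab-separated lines produced with --format=LOG_FORMAT."""
    commits: list[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=5 keeps any tabs inside the subject intact
        sha, at, ct, an, cn, subject = line.split("\t", 5)
        commits.append(Commit(sha, int(at), int(ct), an, cn, subject))
    return commits


def rewritten(commits: list[Commit],
              max_lag: timedelta = timedelta(days=1)) -> list[Commit]:
    """Commits whose committer date trails the author date by more than max_lag.

    Ordinary rebases and cherry-picks also trip this, so treat hits as leads
    to diff (git show <sha> -- setup.py main.py app.py), not as verdicts.
    """
    return [c for c in commits if c.lag > max_lag]


def scan_repo(path: str, n: int = 50) -> list[Commit]:
    """Run git against a real checkout; the offline demo below does not use it."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"-n{n}", f"--format={LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return rewritten(parse_log(out))


def _epoch(*ymdhm: int) -> int:
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())


# Constructed sample: three commits on a default branch. The middle one keeps
# its November author date but was re-created in March 2026, the signature
# of a rebase that preserved author and author date.
SAMPLE_LOG = "\n".join([
    "\t".join(["a" * 40, str(_epoch(2025, 11, 2, 12, 0)),
               str(_epoch(2025, 11, 2, 12, 0)),
               "maintainer", "maintainer", "Add Streamlit dashboard"]),
    "\t".join(["b" * 40, str(_epoch(2025, 11, 9, 8, 15)),
               str(_epoch(2026, 3, 8, 9, 30)),
               "maintainer", "maintainer", "Update setup.py metadata"]),
    "\t".join(["c" * 40, str(_epoch(2026, 3, 9, 10, 0)),
               str(_epoch(2026, 3, 9, 10, 5)),
               "maintainer", "maintainer", "Bump version"]),
])


def demo() -> list[str]:
    """Return the SHAs the heuristic flags in the constructed sample."""
    return [c.sha for c in rewritten(parse_log(SAMPLE_LOG))]


if __name__ == "__main__":
    for sha in demo():
        print("rewritten history?", sha[:12])
```

Against a real checkout, `scan_repo(".")` lists the candidates to inspect. Two caveats: once a force-push has been fetched, the previous branch tip survives only in local reflogs (`git reflog show origin/main`) or in an older clone or CI cache, which is where the pre-attack content can be recovered for a diff; and because the attack keeps author identity intact, commit metadata alone cannot prove legitimacy, so the diff of `setup.py`, `main.py` and `app.py` remains the deciding check.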