cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!


cross-posted from: https://mander.xyz/post/51598804

A pro-Russian hacker group accused by European authorities of carrying out cyberattacks against governments, banks and infrastructure across the West has turned participation in cybercrime into what it calls a “patriotic online game,” recruiting volunteers through Telegram and rewarding them with cryptocurrency.

The group, NoName057(16), has claimed responsibility for waves of distributed denial-of-service (DDoS) attacks on public institutions and private companies across Europe since Russia’s full-scale invasion of Ukraine in 2022. Western intelligence agencies and Europol say the hackers function as part of Russia’s broader hybrid war against countries supporting Kyiv.

An investigation by the Poland-based news outlet Vot Tak, conducted with cybersecurity experts from RKS.Global, found that the group’s activity has not diminished despite a major Europol-led crackdown in July 2025 known as Operation Eastwood.

...

One of the group’s most visible campaigns came during Denmark’s municipal elections in November 2025. Fearing disruptions, local authorities installed backup generators, printed paper voter lists and bought camping lanterns for polling stations in case of outages.

The precautions followed waves of cyberattacks that temporarily disrupted Danish government websites, political parties, municipal administrations, police services, railway operators and a defense company.

Responsibility was claimed by NoName057(16), which had warned in a private channel days earlier that Denmark would be its next target.

...

Initially focused on Ukrainian media and government websites, it later expanded across Europe and beyond, targeting countries that support Kyiv, including the U.S., Canada, Israel and Taiwan.

...

The group’s operations rely on software called DDoSia, which experts say is simple enough for non-specialists to install.

RKS.Global researchers downloaded and analyzed the program for Vot Tak. Available for Windows, Linux, macOS and Android, it can be installed on phones, computers and even routers.

Once installed, the software effectively turns the device into a participant in cybercrime.

Users do not choose targets themselves. NoName057(16) administrators send attack configurations from rented control servers, specifying which domains or IP addresses should be hit. After receiving those instructions, the infected device automatically begins generating traffic against the selected targets.

...

Web Archive link
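What the article describes from the attacker side (targets pushed from a control server, every volunteer device flooding the listed hosts) shows up on the victim side as a burst of requests from many ordinary-looking endpoints. As an added example, not code from the article, Vot Tak, RKS.Global or the DDoSia client, here is a per-source HTTP-flood detector over combined-format web access logs. The log lines are constructed, and the window size, threshold and nftables table/set names are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; the group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_floods(lines, window=timedelta(seconds=10), max_requests=50):
    """Map source IP -> peak request count seen inside any `window`, for sources
    whose peak exceeds `max_requests` (sliding window per source)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo = peak = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # slide the left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


def nft_drop_commands(flagged, table="inet filter", set_name="flood_src"):
    """nft commands adding each flagged source to a pre-existing set that a drop
    rule references (table and set names are assumptions for this example)."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(flagged)]


def make_sample_log():
    """Constructed sample: one flooding source, one slow scanner, one normal user."""
    base = datetime(2025, 11, 18, 9, 0, 0, tzinfo=timezone(timedelta(hours=1)))

    def line(ip, t, path, ua):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 '
                f'"-" "{ua}"')

    lines = []
    # 120 requests in six seconds, one path, one UA: a flood participant
    for i in range(120):
        lines.append(line("198.51.100.7", base + timedelta(seconds=i // 20),
                          "/", "Mozilla/5.0 (constructed)"))
    # 30 requests spread over a minute: noisy, but under the threshold
    for i in range(30):
        lines.append(line("203.0.113.9", base + timedelta(seconds=2 * i),
                          f"/page{i}", "curl/8.0 (constructed)"))
    # an ordinary visitor
    for i in range(5):
        lines.append(line("192.0.2.44", base + timedelta(seconds=30 * i),
                          "/about", "Mozilla/5.0 (constructed)"))
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    hits = detect_floods(make_sample_log())
    print(hits)                                  # {'198.51.100.7': 120}
    print("\n".join(nft_drop_commands(hits)))
```

The sliding window rates a source by its peak burst rather than its total, so the slow scanner (203.0.113.9) is left alone while the six-second burst is caught. The emitted commands assume a set created with `type ipv4_addr` and an input rule of the form `ip saddr @flood_src drop` already exist. Against a volunteer botnet of this kind, expect many sources each sending at a modest rate, so a per-IP threshold is a first filter rather than a complete defense.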

Vulnerability Garden (vulnerability.garden)
submitted 1 day ago* (last edited 1 day ago) by shellsharks@infosec.pub to c/cybersecurity@infosec.pub
 
 

The Vulnerability Garden is a catalog of named vulnerabilities, attack techniques and exploits.

https://vulnerability.garden/

Here's an intro post on why this exists, how you can contribute (if you wanted), etc… https://shellsharks.com/hello-vulnerability-garden

It is the successor to the long-running "Designer Vulnerabilities" resource: https://shellsharks.com/designer-vulnerabilities

Let me know if there are any vulns I've missed and I can add them to the catalog!


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


Hey everyone,

For a secops class we're expected to do some preliminary evaluation of some SIEM and/or SOAR services. Some cybersecurity firm that gave a guest lecture was raving about both Darktrace and Sentinel, so our group figured we'll look into those at least.

Has anybody had any particular experience with those? Or if you have any other services in mind, that would also be helpful.

I have gone through their sites and I'm scouring forums to get an idea of the sentiment on the current services (which at the moment seems to be that none are exactly ... popular). I'm not trying to get others to do our work; we're basically only after actual user experience, which we can't really get ourselves.

Cheers!


Hacker News.

When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.

At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.

Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.

It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.

Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.

If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged-on (or even disconnected) users with Edge running.

I reported this to Microsoft, and the official response was that the behavior is "by design". They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions about how they manage credentials. Last Wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway.

Simple, educational proof of concept to show that the passwords are stored in cleartext in memory.

Source.
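One detection for the scenario in the post above (an administrator on a shared host opening another user's Edge process to read its memory) is to watch Sysmon Event ID 10, ProcessAccess, for handles opened across user boundaries with PROCESS_VM_READ. The following is an added example, not the poster's proof of concept or Microsoft's code; the event records are constructed, the field names follow Sysmon's Event ID 10 schema (the SourceUser and TargetUser fields exist in recent Sysmon releases), and the allow-list of source images is an assumption to tune per estate.

```python
PROCESS_VM_READ = 0x0010           # access right ReadProcessMemory needs (winnt.h)
BROWSER_IMAGES = ("msedge.exe", "chrome.exe")
# Images expected to open handles to everyone's processes; tune per estate (assumption).
ALLOWED_SOURCE_IMAGES = ("msmpeng.exe", "csrss.exe")


def granted_access(ev):
    """Sysmon logs GrantedAccess as a hex string such as '0x1010'."""
    return int(ev["GrantedAccess"], 16)


def is_cross_user_browser_read(ev):
    """True for an Event ID 10 in which a process running as one user opens a
    browser process running as another user with PROCESS_VM_READ."""
    if ev.get("EventID") != 10:
        return False
    if not ev["TargetImage"].lower().endswith(BROWSER_IMAGES):
        return False
    if not granted_access(ev) & PROCESS_VM_READ:
        return False
    if ev["SourceImage"].lower().endswith(ALLOWED_SOURCE_IMAGES):
        return False
    return ev["SourceUser"].lower() != ev["TargetUser"].lower()


def find_cross_user_reads(events):
    """Return the events that match the rule, in log order."""
    return [ev for ev in events if is_cross_user_browser_read(ev)]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # an admin's tool reading another session's Edge: the case shown in the post
    {"EventID": 10, "SourceImage": r"C:\Tools\memdump.exe", "SourceUser": r"CORP\admin1",
     "SourceProcessId": 4412, "TargetImage": EDGE, "TargetUser": r"CORP\alice",
     "TargetProcessId": 9120, "GrantedAccess": "0x1010"},
    # Edge opening its own renderer as the same user: benign
    {"EventID": 10, "SourceImage": EDGE, "SourceUser": r"CORP\alice",
     "SourceProcessId": 9120, "TargetImage": EDGE, "TargetUser": r"CORP\alice",
     "TargetProcessId": 9244, "GrantedAccess": "0x1fffff"},
    # endpoint protection scanning as SYSTEM: allow-listed
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "SourceProcessId": 3120, "TargetImage": EDGE,
     "TargetUser": r"CORP\bob", "TargetProcessId": 7012, "GrantedAccess": "0x1010"},
    # cross-user, but only PROCESS_QUERY_LIMITED_INFORMATION (0x1000): no memory read
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "SourceUser": r"CORP\admin1",
     "SourceProcessId": 5560, "TargetImage": EDGE, "TargetUser": r"CORP\bob",
     "TargetProcessId": 7012, "GrantedAccess": "0x1000"},
    # a process-creation event, ignored by the rule
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin1"},
]


if __name__ == "__main__":
    for hit in find_cross_user_reads(SAMPLE_EVENTS):
        print(f'{hit["SourceUser"]} ({hit["SourceImage"]}) opened '
              f'{hit["TargetUser"]}\'s {hit["TargetImage"]} with {hit["GrantedAccess"]}')
```

GrantedAccess 0x1010 is PROCESS_QUERY_LIMITED_INFORMATION (0x1000) combined with PROCESS_VM_READ (0x10), the minimum a memory reader needs; 0x1fffff is PROCESS_ALL_ACCESS. Event ID 10 is noisy (AV engines, crash handlers and the browser's own child-process management all open handles), which is why the same-user and allow-list checks come first. The rule cannot tell whether memory was actually read, only that the handle permitted it, so a hit is a pivot point for investigation rather than proof of credential theft.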


Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform's community.

It highlights the most frequently mentioned vulnerabilities for April 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

April 2026 was dominated by a Linux kernel crypto subsystem flaw, CVE-2026-31431 ("Copy Fail"), an algif_aead in-place operation regression that drew 279 sightings -- by far the highest activity of the month. Local privilege escalation against shared multi-user Linux hosts and container infrastructure (including Microsoft WSL) was confirmed in the wild, and CISA added the entry to its KEV catalog on May 1.

Edge-security appliances and developer tooling shaped the rest of the top ranking. Fortinet FortiClient EMS (improper access control, CVSS 9.1) was added to both the CISA and CIRCL KEV catalogs on April 6, and a related FortiClient EMS SQLi -- CVE-2026-21643 -- was KEV-listed on April 13. Adobe Acrobat Reader prototype-pollution CVE-2026-34621 and GitHub Enterprise Server git-push option injection CVE-2026-3854 both crossed 140 sightings, while Apache ActiveMQ CVE-2026-34197 (Jolokia/Spring code injection) followed closely.

A burst of "AI-stack" exposure also marked the month: marimo (pre-auth RCE via an unauthenticated terminal WebSocket) was added to KEV on April 23, and Meta React Server Components CVE-2025-55182 (KEV since December 2025, known ransomware use) continued to rack up sightings as scanning persisted.

The end of the month brought a critical hosting-stack incident: WebPros cPanel & WHM CVE-2026-41940, an authentication bypass in the login flow (CVSS 9.8), was disclosed on April 28-29 and added to CISA KEV on April 30 with a 3-day remediation deadline.

The CISA Known Exploited Vulnerabilities catalog added 30 entries during April. Highlights:

CISA also re-anchored attention on long-standing exploited issues -- ConnectWise ScreenConnect (CVE-2024-1708), SimpleHelp (CVE-2024-57726, CVE-2024-57728), Samsung MagicINFO (CVE-2024-7399), JetBrains TeamCity (CVE-2024-27199), PaperCut NG (CVE-2023-27351), Microsoft Exchange (CVE-2023-21529) and even legacy Microsoft Office issues from 2009/2012 (CVE-2009-0238, CVE-2012-1854).

The CIRCL Known Exploited Vulnerabilities catalog added one entry: CVE-2026-35616 (Fortinet FortiClient EMS), confirmed via incident-response evidence. The ENISA EUVD KEV catalog had no new entries in April.

Contributor activity in April focused on operational mitigations for the Linux kernel "Copy Fail" issue, with practical SELinux, systemd RestrictAddressFamilies, and initcall_blacklist recipes shared by community members.

Top 10 vulnerabilities of the Month

| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-31431 | 279 | Linux | Kernel (algif_aead) | High (confidence: 0.9482) |
| CVE-2026-34621 | 147 | Adobe | Acrobat Reader | High (confidence: 0.997) |
| CVE-2026-35616 | 142 | Fortinet | FortiClient EMS | Critical (confidence: 0.9572) |
| CVE-2026-3854 | 142 | GitHub | Enterprise Server | Critical (confidence: 0.8704) |
| CVE-2026-34197 | 138 | Apache | ActiveMQ | Critical (confidence: 0.6661) |
| CVE-2025-55182 | 111 | Meta | React Server Components | Critical (confidence: 0.9934) |
| CVE-2026-5281 | 104 | Google | Chrome (Dawn) | High (confidence: 0.9874) |
| CVE-2026-39987 | 96 | marimo-team | marimo | Critical (confidence: 0.9856) |
| CVE-2026-41940 | 92 | WebPros | cPanel & WHM | Critical (confidence: 0.8211) |
| CVE-2026-32201 | 91 | Microsoft | SharePoint Server | High (confidence: 0.5863) |

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

| CVE ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-32202 | 2026-04-28 | Microsoft | Windows Shell | Medium (confidence: 0.8578) |
| CVE-2024-1708 | 2026-04-28 | ConnectWise | ScreenConnect | High (confidence: 0.6127) |
| CVE-2024-57726 | 2026-04-24 | SimpleHelp | SimpleHelp | High (confidence: 0.7288) |
| CVE-2024-57728 | 2026-04-24 | SimpleHelp | SimpleHelp | High (confidence: 0.8902) |
| CVE-2024-7399 | 2026-04-24 | Samsung | MagicINFO 9 Server | Critical (confidence: 0.6987) |
| CVE-2025-29635 | 2026-04-24 | D-Link | DIR-823X | High (confidence: 0.9867) |
| CVE-2026-39987 | 2026-04-23 | marimo-team | marimo | Critical (confidence: 0.9856) |
| CVE-2026-33825 | 2026-04-22 | Microsoft | Defender Antimalware Platform | High (confidence: 0.9396) |
| CVE-2024-27199 | 2026-04-20 | JetBrains | TeamCity | High (confidence: 0.785) |
| CVE-2025-32975 | 2026-04-20 | Quest | KACE Systems Management Appliance | Critical (confidence: 0.8677) |
| CVE-2026-20128 | 2026-04-20 | Cisco | Catalyst SD-WAN Manager | High (confidence: 0.5543) |
| CVE-2025-48700 | 2026-04-20 | Synacor | Zimbra Collaboration Suite | Medium (confidence: 0.9744) |
| CVE-2023-27351 | 2026-04-20 | PaperCut | NG | High (confidence: 0.7781) |
| CVE-2025-2749 | 2026-04-20 | Kentico | Xperience | High (confidence: 0.9762) |
| CVE-2026-20133 | 2026-04-20 | Cisco | Catalyst SD-WAN Manager | High (confidence: 0.7295) |
| CVE-2026-20122 | 2026-04-20 | Cisco | Catalyst SD-WAN Manager | Medium (confidence: 0.9478) |
| CVE-2026-34197 | 2026-04-16 | Apache | ActiveMQ | Critical (confidence: 0.6661) |
| CVE-2026-32201 | 2026-04-14 | Microsoft | SharePoint Server | High (confidence: 0.5863) |
| CVE-2009-0238 | 2026-04-14 | Microsoft | Office Excel | High (confidence: 0.5354) |
| CVE-2026-34621 | 2026-04-13 | Adobe | Acrobat Reader | High (confidence: 0.997) |
| CVE-2026-21643 | 2026-04-13 | Fortinet | FortiClient EMS | Critical (confidence: 0.9881) |
| CVE-2020-9715 | 2026-04-13 | Adobe | Acrobat & Reader | High (confidence: 0.8726) |
| CVE-2023-36424 | 2026-04-13 | Microsoft | Windows CLFS Driver | High (confidence: 0.9933) |
| CVE-2023-21529 | 2026-04-13 | Microsoft | Exchange Server | High (confidence: 0.6307) |
| CVE-2025-60710 | 2026-04-13 | Microsoft | Host Process for Windows Tasks | High (confidence: 0.9957) |
| CVE-2012-1854 | 2026-04-13 | Microsoft | Office VBE6 / VBA | Critical (confidence: 0.954) |
| CVE-2026-1340 | 2026-04-08 | Ivanti | Endpoint Manager Mobile (EPMM) | Critical (confidence: 0.9867) |
| CVE-2026-35616 | 2026-04-06 | Fortinet | FortiClient EMS | Critical (confidence: 0.9572) |
| CVE-2026-3502 | 2026-04-02 | TrueConf | TrueConf Client | High (confidence: 0.9884) |
| CVE-2026-5281 | 2026-04-01 | Google | Chrome / Dawn | High (confidence: 0.9874) |

More KEV entries from the CISA Catalog.

CIRCL

| Vulnerability ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-35616 | 2026-04-06 | Fortinet | FortiClient EMS | Critical (confidence: 0.9572) |

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

No new entry in April.

More KEV entries from the ENISA Catalog.

Insights from Contributors

Community members focused on operational mitigations for the Linux kernel "Copy Fail" issue, sharing concrete defensive recipes:

The recurring theme across these contributions: AF_ALG / algif_aead is rarely needed by user workloads, so disabling it at the kernel, container-runtime, or systemd-unit boundary is a pragmatic mitigation while distributions roll out the corrected kernel patches.

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL's contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release
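The contributor recipes summarised in the report above (SELinux, systemd RestrictAddressFamilies, initcall_blacklist) all turn on one idea: if nothing on the host needs the AF_ALG socket family, refuse it. Here is an added example, not code from Vulnerability-Lookup, CIRCL or the contributors: a checker that evaluates a systemd unit's RestrictAddressFamilies= assignments for whether AF_ALG stays reachable, plus a live probe that asks the running kernel whether an AEAD algif socket can be bound. The unit name and drop-in path are hypothetical and the drop-in text is constructed.

```python
import errno
import socket

DROPIN = """\
# Constructed drop-in for a hypothetical web.service
# (/etc/systemd/system/web.service.d/no-af-alg.conf)
[Service]
RestrictAddressFamilies=~AF_ALG
"""


def restrict_values_from_unit(text):
    """Collect RestrictAddressFamilies= assignments from unit text, in order."""
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "RestrictAddressFamilies":
            values.append(value.strip())
    return values


def af_alg_allowed(assignments):
    """Evaluate the assignments under systemd's documented semantics: unset ->
    every family allowed; 'none' -> none allowed; a '~'-prefixed list is a deny
    list, otherwise an allow list; repeated assignments merge; '' resets.
    Mixed allow/deny assignments are refused rather than guessed."""
    mode, families = None, set()
    for raw in assignments:
        value = raw.strip()
        if value == "":
            mode, families = None, set()
            continue
        if value == "none":
            mode, families = "allow", set()
            continue
        this_mode = "deny" if value.startswith("~") else "allow"
        if mode not in (None, this_mode):
            raise ValueError("mixed allow/deny lists; resolve by hand")
        mode = this_mode
        families |= set(value.lstrip("~").split())
    if mode is None:
        return True
    return ("AF_ALG" in families) if mode == "allow" else ("AF_ALG" not in families)


def probe_af_alg_aead(alg="gcm(aes)"):
    """Ask the running kernel whether the algif_aead interface is reachable from
    this process: 'reachable', 'blocked:<ERRNO>' or 'unsupported' when this
    Python build has no AF_ALG (non-Linux)."""
    fam = getattr(socket, "AF_ALG", None)
    if fam is None:
        return "unsupported"
    try:
        with socket.socket(fam, socket.SOCK_SEQPACKET) as s:
            s.bind(("aead", alg))      # (type, name) is the AF_ALG address form
        return "reachable"
    except OSError as e:
        return "blocked:" + errno.errorcode.get(e.errno, str(e.errno))


if __name__ == "__main__":
    print("drop-in leaves AF_ALG reachable:",
          af_alg_allowed(restrict_values_from_unit(DROPIN)))
    print("kernel probe from this process:", probe_af_alg_aead())
```

Run the probe from inside the hardened context rather than from a root shell, for instance `systemd-run --wait -p RestrictAddressFamilies=~AF_ALG python3 probe.py`: a deny-listed family fails at socket() with EAFNOSUPPORT, an SELinux denial fails with EACCES, and a kernel booted with the algif_aead initcall blacklisted still creates the socket but fails at bind() with ENOENT, so the errno in the result tells you which layer is doing the blocking. The checker deliberately refuses mixed allow-list and deny-list assignments instead of guessing systemd's merge rule; resolve those by reading the unit.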


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)





cross-posted from: https://mander.xyz/post/50988211

Here is the report, Defending against China-nexus covert networks of compromised devices (pdf).

A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations, according to a joint 10-country advisory.

"Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks," the security advisory warned. It was jointly released by the UK National Cyber Security Centre (NCSC) and 15 other government agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.

"The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale," according to the alert.

Some of these covert networks are created and maintained by Chinese information security companies, the advisory says. For example, China's Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.

...

Web Archive link
