Veeam has released an important security patch that addresses multiple vulnerabilities in its Backup & Replication platform which could allow attackers to execute malicious code remotely. The flaws, tracked as CVE-2026-21666 and CVE-2026-21667, were rated critical and, if successfully exploited, could enable remote code execution on affected systems. The vulnerabilities affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, prompting the company to release fixes in version 12.3.2.4465. The security update was published on March 12, 2026, under KB ID: 4830, and addresses a total of seven security issues affecting the backup platform.

In its advisory, the company emphasized the urgency of applying the update, noting that threat actors often analyze security patches to identify weaknesses in systems that have not yet been updated. The official notice states, “It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”

What the Veeam Security Patch Includes

Among the vulnerabilities fixed in the Veeam security patch, two of the most severe are CVE-2026-21666 and CVE-2026-21667. Both issues received a CVSS v3.1 score of 9.9, indicating critical severity.

CVE-2026-21666

CVE-2026-21666 allows an authenticated domain user to trigger remote code execution on a Veeam Backup Server. If exploited, an attacker with domain-level authentication could run arbitrary commands on the server hosting backup services.
Severity: Critical
CVSS v3.1 Score: 9.9
Reported via: HackerOne

CVE-2026-21667

Another major flaw, CVE-2026-21667, similarly enables an authenticated domain user to achieve remote code execution on the Backup Server.
Severity: Critical
CVSS v3.1 Score: 9.9
Source: Discovered during internal testing

Both vulnerabilities demonstrate how attackers holding valid credentials could compromise backup infrastructure, potentially gaining control of the systems responsible for storing critical data.

Additional Vulnerabilities Fixed in the Update

Beyond CVE-2026-21666 and CVE-2026-21667, the Veeam security patch resolves several other high-impact security issues affecting the Backup & Replication platform.

CVE-2026-21668

This vulnerability allows an authenticated domain user to bypass restrictions and manipulate arbitrary files stored within a Backup Repository.
Severity: High
CVSS v3.1 Score: 8.8
Source: Discovered during internal testing

CVE-2026-21672

CVE-2026-21672 could allow attackers to escalate privileges locally on Windows-based Veeam Backup & Replication servers.
Severity: High
CVSS v3.1 Score: 8.8
Reported through: HackerOne

CVE-2026-21708

Another critical vulnerability enables a user with the Backup Viewer role to perform remote code execution as the postgres user.
Severity: Critical
CVSS v3.1 Score: 9.9
Source: Discovered during internal testing

These vulnerabilities highlight multiple ways attackers could abuse authentication, permissions, or internal components to compromise backup infrastructure.

Other Security Improvements Included

Alongside fixes for remote code execution vulnerabilities such as CVE-2026-21666 and CVE-2026-21667, the update also introduces a configuration change for Veeam Agent for Linux. The software now opens firewall ports 2500–3300, aligning its port range with other Veeam products. While not tied to a CVE identifier, the change aims to standardize network behavior across Veeam tools and improve operational consistency.

Additional Fixes Introduced in Newer Versions

The company also addressed more vulnerabilities in Backup & Replication 13.0.1.2067. In addition to CVE-2026-21672 and CVE-2026-21708, two additional critical issues were fixed:
CVE-2026-21669 (CVSS score: 9.9): Allows an authenticated domain user to perform remote code execution on the Backup Server.
CVE-2026-21671 (CVSS score: 9.1): Allows an authenticated user with the Backup Administrator role to execute code in high availability (HA) deployments of Veeam Backup & Replication.

These issues further demonstrate the potential impact of credentialed attacks against backup systems if vulnerabilities remain unpatched. Backup systems are frequently targeted because they hold copies of critical organizational data. Exploiting flaws such as CVE-2026-21666 or CVE-2026-21667 could allow adversaries to run code directly on backup servers, potentially tampering with stored backups or gaining broader access to enterprise infrastructure. Security experts often warn that once vendors publish patches, threat actors begin analyzing them to identify exploitable weaknesses in systems that have not yet been updated.
This week’s The Cyber Express weekly roundup highlights major cybersecurity developments affecting organizations, governments, and individuals worldwide. Key stories include destructive cyberattacks, such as system-wide wipes and targeted breaches, as well as state-backed cyber espionage targeting the technology and research sectors. The roundup also covers proactive defense measures, including bug bounty programs, critical software patches, and industry responses to emerging malware. Together, these incidents illustrate the technical sophistication of current cyber threats, their direct impact on operations and data security, and the urgent need for timely mitigation across both public and private sectors.

The Cyber Express Weekly Roundup

Iran-Linked Hackers Wipe 200,000 Devices in Stryker Cyberattack

In one of the most significant cybersecurity incidents this week, an Iran-linked hacker group known as Handala carried out a large-scale attack on Stryker Corporation. The group remotely wiped over 200,000 devices across 79 countries, bringing portions of the company’s operations to a halt. Handala has claimed responsibility, stating the attack was retaliation for a recent U.S. military strike in Iran.

India Launches Bug Bounty to Secure Aadhaar Ecosystem

India’s Unique Identification Authority (UIDAI) has launched a structured bug bounty program aimed at strengthening the Aadhaar ecosystem. Twenty expert ethical hackers have been enlisted to rigorously test core platforms, including the myAadhaar portal, the official website, and the Secure QR Code app.

Finland Issues Warning on Russian and Chinese Cyber Espionage

Finland’s Security and Intelligence Service (SUPO) has issued a warning regarding ongoing cyber espionage campaigns from Russian and Chinese state-backed actors. These campaigns are targeting technology companies, research institutions, and government networks.

Microsoft March 2026 Patch Tuesday Addresses Critical Vulnerabilities

Microsoft’s March 2026 Patch Tuesday update addresses 79 vulnerabilities across its ecosystem, including SQL Server, .NET, Office, SharePoint, Azure, and Windows. Notably, the update resolves two zero-day vulnerabilities and multiple remote code execution flaws. Additional updates target SharePoint, Azure MCP Tools, and Windows privilege escalation vectors.

Cyberattack Forces Polish Hospital to Revert to Paper Operations

The Independent Public Regional Hospital in Szczecin, Poland, experienced a cyberattack on March 7–8, 2026, which encrypted parts of its IT system and blocked access to critical digital records. Hospital officials confirmed that patient care continued without interruption, but administrative processes slowed considerably.

ClipXDaemon: Linux Malware Hijacks Cryptocurrency Transactions

A new Linux-based malware, ClipXDaemon, has been discovered targeting cryptocurrency users. The malware silently replaces copied wallet addresses with attacker-controlled addresses, allowing the theft of Ethereum, Bitcoin, Monero, Dogecoin, and Litecoin. ClipXDaemon operates locally without network communication, disguises itself as a kernel process, and persists by modifying the user’s ~/.profile file.

Weekly Takeaway

This week’s The Cyber Express weekly roundup highlights the breadth of modern cybersecurity challenges, from geopolitically motivated attacks and malware targeting cryptocurrencies to proactive measures such as India’s bug bounty program and Microsoft’s critical patches. Organizations, governments, and individuals must remain vigilant, prioritize timely patching, and adopt proactive monitoring to navigate the complex threat landscape.
The U.S.-based MedTech giant Stryker, in an update shared late Thursday night, confirmed that its supply chain has been adversely impacted by the cyberattack claimed by the Iran-linked hacker collective Handala, and that no timeline is in place for a full restoration. While Stryker maintained that the root of the global disruption is an intrusion in its Microsoft environment, it added that the incident is contained to its "own internal systems" and has not spilled over to its customers. "Our connected products are not impacted and are safe to use," the update said.

Based on reports on several social media platforms, Handala allegedly used data wiper malware in this campaign, in keeping with its usual modus operandi. However, Stryker reiterated that no malware or ransomware has been detected on its systems as of now.

Even though Stryker claims negligible impact on its connected products, the MedTech firm admitted disruption to its supply chain. "This incident has caused disruptions to order processing, manufacturing and shipping," Stryker said. That is not the only worrying part; the absence of any definitive timeline for resumption is. In an 8-K filing to the U.S. SEC, the company said: "The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions. While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known."

The full scope of the financial and material impact is also yet to be determined. Stryker added that although the timeline to get back up and running is unclear at this point, it "has business continuity measures in place to continue to support its customers and partners."

CISA Joins Investigation

While the company responds and conducts its own assessment, CISA said it is following due process in investigating the incident as well. “We are working shoulder-to-shoulder with our public- and private‑sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker, while steadfastly standing at the ready to defend our nation’s critical infrastructure,” CISA acting director Nick Andersen told Nextgov/FCW. “As with all cyber incidents, we have launched an investigation into this matter.”

The Israel Connection of Stryker: The Real Reason?

While the world calls this an attack on a U.S.-based company, a country that has supported Israel in the ongoing West Asia war, the actual reason could be debated. Why? Because half a decade ago Stryker acquired OrthoSpace, Ltd., a privately held company headquartered in Caesarea, Israel, in an all-cash transaction. What does this imply? Without jumping to conclusions, all companies with trade links to Israel may be carrying targets on their backs.
Researchers have identified a suspected case of AI-generated malware being used during a ransomware attack. The malware, which analysts dubbed "Slopoly," was linked to a financially motivated cybercrime group tracked as Hive0163. The appearance of Slopoly in an active ransomware intrusion suggests that cybercriminal groups are beginning to experiment with AI-generated malware as part of their operational toolkit.

Hive0163 and the Experimentation with AI-generated Malware

Hive0163 is a cluster of financially motivated threat actors known for conducting ransomware campaigns that focus on large-scale data theft and extortion. The group has been associated with several global ransomware incidents involving Interlock ransomware, as well as a range of custom backdoors and loaders such as NodeSnake, InterlockRAT, and the JunkFiction loader.

During a ransomware investigation in early 2026, IBM X-Force analysts discovered that Hive0163 deployed Slopoly, a suspected AI-generated malware framework designed to maintain persistent access to a compromised server. According to the investigation, the attackers retained access to the infected machine for more than a week using the malware. Notably, Slopoly was deployed during the later stages of the attack, suggesting the operators may have been testing the AI-generated framework in a real-world scenario. Researchers described the situation as resembling a “live-fire exercise,” in which the threat actors experimented with the new tool during an active operation.

The naming conventions of variables within the script indicated that the system generating the code was explicitly instructed to produce malicious functionality. This suggests that any safety guardrails implemented in the underlying AI model were successfully bypassed. However, researchers were unable to determine which specific model generated Slopoly, although the overall quality suggested it was likely produced by a relatively less advanced system.

Slopoly Is a Suspected LLM-generated C2 Tool

The Slopoly malware was discovered as a PowerShell script on an infected server. Analysis revealed that the script functioned as the client component of a command-and-control (C2) framework used by Hive0163. Investigators believe the malware was generated through a builder tool that automatically inserted configuration data such as a session ID, mutex name, C2 server address, and beacon intervals. The builder reportedly deployed Slopoly into the directory C:\ProgramData\Microsoft\Windows\Runtime and established persistence by creating a scheduled task named “Runtime Broker.”

Several characteristics strongly suggested that Slopoly was produced using a large language model. The script contained extensive comments, structured logging functions, clear error handling routines, and well-named variables, features commonly seen in AI-generated malware and AI-assisted programming. Another clue pointing to AI-assisted development was the presence of an unused “Jitter” function within the code. Researchers believe this may have been left over from iterative development with an LLM.

Interestingly, the script’s internal comments describe it as a “Polymorphic C2 Persistence Client.” In practice, however, the malware does not exhibit true polymorphic behavior: it cannot modify its own code during execution. Instead, the builder likely generates new variants of the malware with randomized configuration values and function names, a common technique used by malware builders.

How Slopoly Operates on Infected Systems

Despite its limited sophistication, Slopoly operates as a functional backdoor. After execution, it collects basic system information from the infected machine and sends it to a remote command-and-control server. The data is transmitted in JSON format using an HTTP POST request to the /api/commands endpoint. A typical beacon includes the public IP address of the infected system, the user account name, the computer name, and whether the process is running with elevated privileges. The malware sends a heartbeat message every 30 seconds and checks for new commands roughly every 50 seconds. Any instructions received from the C2 server are executed using cmd.exe, and the results are returned to the server. The malware also maintains a detailed log file named persistence.log, which records activity and rotates once it reaches a size of 1 MB.

Initial Infection Through ClickFix

The attack investigated by the researchers began with a social engineering technique known as ClickFix. This method tricks victims into executing malicious PowerShell commands themselves. Victims are typically shown a CAPTCHA-style verification page that secretly copies a malicious script into the clipboard. The page then instructs users to press a sequence of keyboard commands: “Win+R” to open the Windows Run dialog, followed by “Ctrl+V” to paste the script and “Enter” to execute it.

Once executed, the PowerShell payload installs NodeSnake, a NodeJS-based malware that serves as the first stage of a larger command-and-control framework used by Hive0163. NodeSnake supports multiple commands, including downloading and executing payloads, running shell commands, establishing persistence, updating itself, or terminating its own process. In the observed attack, NodeSnake eventually deployed a more advanced JavaScript-based backdoor known as InterlockRAT, which supports WebSocket communications, reverse shell access, and SOCKS5 tunneling.

Ransomware Deployment and Encryption

The final stage of the intrusion involved the deployment of Interlock ransomware, packaged using the JunkFiction loader. Once executed, the ransomware scans logical drives and encrypts targeted files across the system. Interlock uses a combination of AES-GCM encryption and RSA cryptography through the OpenSSL library (version 3.5.0). Each encrypted file receives a unique session key, which is then protected using an attacker-controlled RSA public key. Encrypted files are typically renamed with extensions such as .!NT3RLOCK or .int3R1Ock. After completing the encryption process, the ransomware drops a ransom note, often named FIRST_READ_ME.txt, containing instructions for victims to contact the attackers.
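The beaconing behaviour described under "How Slopoly Operates on Infected Systems" (JSON POSTs to /api/commands on a near-fixed cadence) is something a defender can hunt for in web-proxy logs. The script below is an added detection example, not code from the IBM X-Force report or the malware itself; the log format, IP addresses and hostnames are constructed for the example, and the fixed-interval test is generic, so it catches a 30 s heartbeat as readily as a 50 s command poll.

```python
"""Beacon-cadence detector over constructed web-proxy log lines.

Machine beacons arrive at near-constant intervals; human browsing does not.
For every (source IP, destination host) pair that POSTs to the watched path,
the detector measures inter-request gaps and flags pairs whose gaps cluster
tightly around their median. Log format is constructed for this example:
    <ISO timestamp> <src_ip> <method> <url> <status>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WATCHED_PATH = "/api/commands"   # endpoint named in the Slopoly write-up


def build_sample_log():
    """Constructed sample traffic: one beaconing host, one human-driven host."""
    lines = []
    t0 = datetime(2026, 3, 12, 9, 0, 0)
    # Infected host (constructed IP): POST roughly every 50 s, +/- 2 s jitter.
    jitter = [0, 1, -1, 2, -2, 1, 0, -1, 2, 1]
    for i, j in enumerate(jitter):
        ts = t0 + timedelta(seconds=50 * i + j)
        lines.append(f"{ts.isoformat()} 10.0.0.23 POST "
                     f"http://c2.example.invalid/api/commands 200")
    # Benign host (constructed IP): irregular POSTs to an internal app that
    # happens to use the same path name.
    elapsed = 0
    for gap in [0, 7, 130, 9, 400, 3, 61, 15, 22]:
        elapsed += gap
        ts = t0 + timedelta(seconds=elapsed)
        lines.append(f"{ts.isoformat()} 10.0.0.77 POST "
                     f"http://intranet.example.invalid/api/commands 200")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, src, method, host, path, status)."""
    ts, src, method, url, status = line.split()
    host, _, path = url.split("://", 1)[1].partition("/")
    return datetime.fromisoformat(ts), src, method, host, "/" + path, int(status)


def find_beacons(lines, path=WATCHED_PATH, min_requests=6,
                 tolerance=0.20, min_regular_fraction=0.80):
    """Return {(src_ip, host): median_gap_seconds} for pairs whose POSTs to
    `path` arrive at a near-constant cadence.

    A pair is flagged when at least `min_requests` POSTs were seen and at
    least `min_regular_fraction` of the gaps lie within +/- `tolerance` of
    the median gap. Thresholds are example values, not vendor guidance.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ts, src, method, host, p, _status = parse_line(line)
        if method == "POST" and p == path:
            stamps_by_pair[(src, host)].append(ts)

    findings = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps, nothing to measure
        regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
        if regular / len(gaps) >= min_regular_fraction:
            findings[pair] = med
    return findings


if __name__ == "__main__":
    for (src, host), interval in find_beacons(build_sample_log()).items():
        print(f"possible beacon: {src} -> {host} every ~{interval:.0f} s")
```

On the constructed sample only the 10.0.0.23 host is reported (median gap 49 s); the intranet host's gaps are too irregular to qualify.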
ATM jackpotting, once considered a niche cybercrime technique, has now reached a level where it is drawing the attention of the highest levels of law enforcement. The FBI has added Anibal Alexander Canelon Aguirre, an alleged leader of a global ATM jackpotting operation, to its Ten Most Wanted Fugitives list, highlighting the growing threat posed by cyber-enabled financial crime.

The announcement was made by FBI Omaha Special Agent in Charge Eugene Kowel and U.S. Attorney for the District of Nebraska Lesley Woods, who said Aguirre allegedly orchestrated a large-scale ATM jackpotting conspiracy that targeted banks across the United States. Authorities believe the operation generated millions of dollars that ultimately supported Tren de Aragua, a transnational gang designated as a foreign terrorist organization.

ATM Jackpotting at the Center of the Case

At the heart of the investigation is ATM jackpotting, a cyberattack technique in which criminals install ATM malware to force machines to dispense cash without authorization. Instead of physically robbing a bank vault, attackers exploit software vulnerabilities in the ATM system. According to investigators, Aguirre allegedly led teams that traveled across the United States to carry out these attacks. Once the ATM jackpotting malware was installed, cash withdrawals could be triggered on command, allowing crews to quickly empty machines.

Law enforcement officials say this was not a series of isolated attacks. The operation allegedly involved a coordinated network in which the stolen money moved through complex laundering channels before reaching the criminal organization behind the scheme.

Image Source: FBI

Charges Linked to Cybercrime and Financial Fraud

A federal arrest warrant for Aguirre was issued on December 9, 2025, in the U.S. District Court for the District of Nebraska. Prosecutors have charged him with multiple offenses connected to the ATM jackpotting conspiracy, including:
Conspiracy to commit bank fraud
Conspiracy to commit bank burglary and damage a protected computer system
Conspiracy to commit money laundering
Conspiracy to provide material support to terrorists

The case is being investigated through Joint Task Force Vulcan, working alongside the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice. Officials say the charges reflect the scale and seriousness of the alleged cybercrime network.

Why ATM Jackpotting Is Now a National Security Concern

For years, ATM jackpotting attacks were largely viewed as financial crimes affecting banks and ATM operators. But this case demonstrates how cybercrime techniques can intersect with organized crime and even terrorism financing. Special Agent Eugene Kowel said the alleged ATM jackpotting operation created a “multimillion-dollar revenue stream” that ultimately supported the activities of Tren de Aragua.

This development signals an important shift in how authorities view ATM jackpotting malware attacks. What once looked like opportunistic cyber theft is now seen as a tool that organized criminal groups can use to generate funds at scale. The decision to place Aguirre on the FBI Ten Most Wanted list, one historically reserved for violent offenders, shows how seriously authorities are treating the threat.

First Cyber Fugitive on the FBI’s Most Wanted List

Aguirre’s addition to the list is significant for another reason. He is the first cyber fugitive to appear on the FBI’s Ten Most Wanted Fugitives list since it was created in 1950. The list has included 540 fugitives over the decades, and more than 500 have been captured or located, often with assistance from the public. The FBI believes public awareness could once again play a key role in locating Aguirre.

Officials say the suspect should be considered armed and dangerous. He is described as a 49-year-old man with black and gray hair, approximately 5’5” to 5’7” tall, and weighing about 190 pounds. Authorities say he has connections in Venezuela and Mexico and speaks Spanish.

Public Help Could Be Critical

The FBI is offering a reward of up to $1 million for information leading to Aguirre’s arrest. Investigators are urging anyone with information to contact the FBI tip line or submit information online. Beyond the manhunt, the case serves as a reminder that ATM jackpotting attacks are no longer just technical exploits. When cybercrime merges with organized criminal networks, the financial damage can quickly become a broader security issue.
Forget stolen credentials and misconfigurations; AI means vulnerability exploits that beat patching cycles are the top cause of compromises in the cloud.
Threat actors target nonprofits due to security gaps and highly coveted information, but a lack of sufficient data makes it difficult to grasp the entire picture.
Sophisticated phishing attacks are bypassing on-device protections with troubling frequency, making it more critical than ever for users to protect themselves from potential threats, new research from Omdia shows.
Sightline Security's founder and advisory board discuss how cybersecurity poses significant problems for nonprofits and suggest ways the industry can help.
The new rules for water and wastewater entities in New York include mandatory cybersecurity training for certified operators, incident response plans and reporting requirements.
The Council said in a press release that it has added a new provision in the AI Act “prohibiting AI practices regarding the generation of non-consensual sexual and intimate content or child sexual abuse material.”
U.S. prosecutors accused an incident responder of conducting cyberattacks and helping ransomware gangs negotiate higher payouts from the same victims he was working for.
A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud. "SocksEscort infected home and small business internet routers with malware," the U.S. Department of Justice (DoJ) said. "The malware allowed SocksEscort to direct internet
Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software that, if successfully exploited, could result in remote code execution. The vulnerabilities are as follows - CVE-2026-21666 (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. CVE-2026-21667 (
Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The list of vulnerabilities is as follows - CVE-2026-3909 (CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML
Cybersecurity researchers have disclosed multiple security vulnerabilities within the Linux kernel's AppArmor module that could be exploited by unprivileged users to circumvent kernel protections, escalate to root, and undermine container isolation guarantees. The nine confused deputy vulnerabilities have been collectively codenamed CrackArmor by the Qualys Threat Research Unit (TRU). The
Microsoft has disclosed details of a credential theft campaign that employs fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning techniques. "The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients
Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only. Read more blogs around threat
A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020. Palo Alto Networks Unit 42 is tracking the threat activity under the moniker CL-STA-1087, where CL refers to cluster, and STA stands for state-backed motivation. "The activity demonstrated strategic operational patience and
Meta has announced plans to discontinue support for end-to-end encryption (E2EE) for chats on Instagram after May 8, 2026. "If you have chats that are impacted by this change, you will see instructions on how you can download any media or messages you may want to keep," the social media giant said in a help document. "If you're on an older version of Instagram, you may also need to update the
INTERPOL on Friday announced the takedown of 45,000 malicious IP addresses and servers used in connection with phishing, malware, and ransomware campaigns, as part of the agency's ongoing efforts to dismantle criminal networks, disrupt emerging threats, and safeguard victims from scams. The effort is part of an international law enforcement operation that involved 72 countries and territories.