UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Google Cloud Blog

Mandiant and Google Threat Intelligence Group identified exploitation of a critical Dell RecoverPoint for Virtual Machines vulnerability (CVE-2026-22769) by UNC6201 beginning in mid-2024, enabling lateral movement, persistent access, and deployment of SLAYSTYLE, BRICKSTORM, and a new AOT-compiled backdoor called GRIMBOLT. Dell published remediations and the report details Tomcat Manager WAR deployment using hard-coded admin credentials, persistence via convert_hosts.sh modification, VMware pivoting using “Ghost NICs,” and iptables-based Single Packet Authorization techniques. #CVE-2026-22769 #UNC6201 #GRIMBOLT #BRICKSTORM #SLAYSTYLE #DellRecoverPoint

Android 17 Beta Strengthens Secure-by-Default Design for Privacy and App Security

Google released the first Android 17 beta with a range of privacy, security, and developer-focused improvements across performance, media, camera, and connectivity. Major security changes include deprecation of the usesCleartextTraffic attribute (blocking cleartext by default without a network security config), a public SPI for HPKE hybrid cryptography, certificate transparency enabled by…

Google patches first Chrome zero-day exploited in attacks this year

Google released emergency updates to fix a high-severity Chrome zero-day, CVE-2026-2441, that has been exploited in the wild. The vulnerability is a use-after-free caused by an iterator invalidation in CSSFontFeatureValuesMap, and Google backported fixes to Stable Desktop releases for Windows, macOS, and Linux while noting further related work remains. #CVE-2026-2441 #Chrome

CISA gives feds 3 days to patch actively exploited BeyondTrust flaw

CISA ordered federal civilian agencies to secure their BeyondTrust Remote Support instances within three days after a critical remote code execution vulnerability was found to be actively exploited. BeyondTrust patched SaaS instances but on-premises customers must apply manual fixes amid warnings that thousands of exposed deployments may already be compromised. #BeyondTrust #CVE-2026-1731

Threats to the Defense Industrial Base | Google Cloud Blog

The defense industrial base faces sustained, multi-vector cyber threats from state-sponsored groups and hacktivists targeting personnel, supply chains, edge devices, and battlefield technologies such as UAS and secure messaging apps. Notable tactics include phishing and job-themed lures, exploitation of edge device zero-days, mobile malware, supply-chain compromises, and hack-and-leak or DDoS operations by pro-Russia and pro-Iran hacktivists. #UNC5221 #CANFAIL

Under Siege: GTIG Report Exposes North Korean Spies & Russian Drone Hacks in Defense Sector

Google’s GTIG warns the defense industrial base is under a constant, multi-vector siege from state-sponsored actors and criminal syndicates that aim to steal secrets, disrupt supply chains, and undermine national security. The report details attacks ranging from Russian groups targeting UAS and battlefield apps (e.g., APT44 using INFAMOUSCHISEL and TEMP.Vermin lures),…

One threat actor responsible for 83% of recent Ivanti RCE attacks

Two critical Ivanti Endpoint Manager Mobile vulnerabilities, CVE-2026-21962 and CVE-2026-24061, are being actively exploited for unauthenticated remote code execution, with vendor hotfixes released and full patches promised in EPMM 12.8.0.0. Most exploitation activity (over 83%) traces to a single IP hosted on bulletproof infrastructure, prompting recommendations to apply temporary RPM mitigations or migrate to a rebuilt EPMM instance. #IvantiEPMM #PROSPERO_OOO

Apple fixes zero-day flaw used in ‘extremely sophisticated’ attacks

Apple released security updates to patch a zero-day arbitrary code execution vulnerability in dyld tracked as CVE-2026-20700 that was exploited in an “extremely sophisticated” targeted attack against specific individuals. The flaw, discovered by Google’s Threat Analysis Group, affects iPhone, iPad, Mac, tvOS, watchOS, and visionOS devices and was fixed in iOS…

60,000 Records Exposed in Cyberattack on Uzbekistan Government

An alleged Uzbekistan cyberattack originally claimed to have exposed personal data of 15 million citizens actually involved roughly 60,000 individual data units, not 60,000 people. Digital Technologies Minister Sherzod Shermatov said three government information systems were accessed in late January and authorities have strengthened controls, including added OneID authorization, to limit…

The Cyber Express Weekly Roundup: Escalating Breaches, Regulatory Crackdowns, and Global Cybercrime Developments

This week’s Cyber Express Weekly Roundup covers cross-border incidents including a breach of the European Commission’s mobile device management system, a ransomware attack that halted Senegal’s national identity services, a landmark AU$2.5 million penalty for FIIG Securities after a data-exposing ransomware incident, and the in‑absentia sentencing of crypto scam leader Daren…

GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use | Google Cloud Blog

GTIG observed widespread misuse of generative AI in late 2025, including an uptick in model extraction (“distillation”) attempts and AI-augmented operations such as reconnaissance, hyper-personalized phishing, and AI-assisted malware development. Notable examples include the HONESTCUE downloader that called Gemini’s API to generate stage-two code and the COINBAIT phishing kit built with AI-assisted code generation and hosted on legitimate services. #HONESTCUE #COINBAIT

Ransomware Groups May Pivot Back to Encryption as Data Theft Tactics Falter

Coveware’s report concludes that pure data-exfiltration extortion is no longer widely profitable, prompting many ransomware groups to return to encryption or seek other ways to monetize network access. Despite low overall payment rates after breaches like MOVEit and Cleo, average ransom settlements rose due to isolated high-impact incidents, and attackers such…

European Commission discloses breach that exposed staff data

The European Commission is investigating a breach after detecting traces of a cyberattack on its mobile device management platform that may have exposed some staff names and phone numbers, though no mobile devices have been found to be compromised. The incident appears linked to zero-day code-injection flaws in Ivanti Endpoint Manager Mobile (EPMM) that have also affected Dutch authorities and Finland’s Valtori, and the Commission says the system was contained and cleaned within nine hours. #IvantiEPMM #EuropeanCommission

BeyondTrust warns of critical RCE flaw in remote support software

BeyondTrust warned of a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) in Remote Support and Privileged Remote Access that allows unauthenticated attackers to execute OS commands via crafted client requests. The vendor has secured cloud instances and urged on‑premises customers to upgrade to Remote Support 25.3.2 and Privileged Remote Access 25.1.1 to mitigate exposure affecting roughly 11,000 internet-facing instances. #CVE-2026-1731 #BeyondTrust
