Welcome to Cyber Briefing, your daily source for all things cybersecurity. We bring you the latest advisories, alerts, incidents, and news every weekday.

The global threat landscape is currently dominated by high-impact supply chain compromises and critical infrastructure vulnerabilities. North Korean state-sponsored group ScarCruft has successfully pivoted to supply chain attacks by trojanizing gaming platforms to deploy the BirdCall backdoor, while Trellix, a major cybersecurity vendor, recently confirmed that threat actors gained unauthorized access to its source code repository. Simultaneously, hardware and software giants like Qualcomm and WhatsApp have rushed to patch critical flaws—ranging from remote code execution in chipsets to URL execution vulnerabilities in Instagram Reels integration—highlighting a persistent trend where attackers exploit trusted third-party integrations and ubiquitous hardware to gain foothold in diverse environments.

On the regulatory and strategic front, the industry is seeing a shift toward more nuanced attribution and a reversal in privacy standards. The introduction of DarkAtlas’s campaign-based attribution framework represents a move away from rigid group labels toward a multi-layered, confidence-based model for tracking APT evolution. Meanwhile, legal systems are securing wins against cybercrime infrastructure, evidenced by the 8.5-year sentencing of a Latvian negotiator for the Karakurt ransomware group. However, user privacy faces a setback as Meta announces the discontinuation of end-to-end encryption for Instagram DMs, citing low adoption and shifting focus toward moderation and AI training capabilities.

Listen to our podcast here ⏬

Get BlueSleuth-Lite

⚡THREAT LANDSCAPE

CISA Adds Major Linux Kernel Vulnerability to Known Exploited Vulnerabilities Catalog

The United States Cybersecurity and Infrastructure Security Agency has officially added CVE-2026-31431, a critical Linux Kernel flaw known as Copy Fail, to its list of exploited vulnerabilities. This high-severity bug allows unprivileged local users to gain root access across nearly all major Linux distributions by manipulating the system page cache. Read More

Cybercrime Syndicates Exploit Vishing and SSO Vulnerabilities for High-Speed Cloud Extortion

Recent investigations into modern cyber threats reveal that sophisticated hacking groups are increasingly leveraging voice phishing and Single Sign-On weaknesses to execute rapid extortion campaigns against corporate SaaS environments. These attackers bypass traditional perimeter defenses by tricking employees into revealing credentials or approving multi-factor authentication prompts, allowing them to move laterally through cloud applications with unprecedented speed. Read More

Subscribe Now

🚨INCIDENTS & REAL-WORLD IMPACT

Trellix Confirms Unauthorized Source Code Access

Trellix, a major US cybersecurity vendor formed from the 2021 merger of McAfee Enterprise and FireEye, disclosed on May 4 that threat actors gained unauthorized access to a portion of its source code repository. The company claims no evidence shows its code release or distribution process was compromised or that the stolen code has been exploited, though investigations continue with law enforcement and forensic experts. Security researchers warn that access to a security vendor’s source code provides attackers with detailed knowledge of detection mechanisms and potential supply chain attack vectors, particularly concerning recent campaigns targeting security tools like Trivy that exposed enterprise credentials. Read More

ScarCruft Compromises Gaming Platform

North Korean state-sponsored hacking group ScarCruft compromised a video game platform in a supply chain attack, embedding the BirdCall backdoor into platform components. The attack specifically targets ethnic Koreans living in China, expanding beyond the backdoor’s previous Windows-only deployment. By trojanizing legitimate gaming software, the attackers can distribute malware to a broader user base through trusted update mechanisms. Read More

Claim Your Workspace

🔓 EXECUTIVE RISK & CYBERNOMICS

New Attribution Framework for APT Campaign Tracking

Security researchers at DarkAtlas have introduced a campaign-based attribution framework that tracks Advanced Persistent Threat (APT) groups by analyzing discrete operational clusters rather than assuming fixed group identities. The framework uses a multi-layered evidence model examining six dimensions (strategic, operational, tactical, technical, infrastructure, and human factors) to establish confidence-based connections between campaigns, addressing the problem that adversaries frequently change tools, infrastructure, and personnel. This approach replaces single-indicator attribution with a Campaign Linkage Graph that maps weighted relationships between operations, allowing analysts to track threat actor evolution without relying on rigid group labels. Read More

Instagram Discontinues End-to-End Encryption

Meta will discontinue Instagram’s optional end-to-end encrypted direct messaging feature on May 8, 2026, citing low adoption rates. After this date, all Instagram direct messages will use standard transport encryption, meaning Meta’s servers can decrypt and access message content for moderation, AI training, and law enforcement requests. Users who previously used encrypted chats have until May 8 to export their encrypted message history before it becomes accessible to Meta’s systems. Read More

Get Help

🛡️ POLICY, REGULATION & LEGAL SIGNALS

Karakurt negotiator sentenced to 8.5 years

A Latvian national has been sentenced to 8.5 years in U.S. prison for serving as a negotiator for the Karakurt ransomware group, a Russian cybercrime operation. The defendant was extradited to the United States to face charges related to his role in facilitating ransom negotiations between the criminal group and its victims. Organizations should review their incident response plans and ensure they have protocols for handling ransomware negotiations while cooperating with law enforcement. Read More

💻 CAREER ENABLEMENT

Carleton College launches student cybersecurity teams

Carleton College has launched student cybersecurity teams with funding support from Shavlik to provide dedicated servers for training and competition. Information Security Officer Kendall George is directing the project across multiple colleges. The initiative aims to develop practical cybersecurity skills among students through hands-on team activities. Read More

Click Here To Read

Copyright © 2026 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium

Read more

Carleton College has established new student cybersecurity teams designed to provide hands-on security training and competitive opportunities. The program receives financial backing from Shavlik, which will supply dedicated server infrastructure for participating institutions.

Kendall George, who serves as Information Security Officer for the colleges involved, is directing the cybersecurity team project. The Shavlik funding will enable each participating school to deploy its own server environment for student training exercises and security competitions.

The technical infrastructure provided through this support will give students access to realistic environments where they can practice defensive and offensive security techniques. Dedicated servers allow teams to conduct exercises without impacting production systems, providing a safe space for learning through experimentation and simulated attacks.

This initiative addresses the growing demand for cybersecurity professionals by creating pathways for students to gain practical experience before entering the workforce. Student security teams typically participate in capture-the-flag competitions, vulnerability assessments, and other exercises that mirror real-world security challenges.

Colleges looking to develop similar programs should consider partnerships with security vendors for infrastructure support and ensure experienced security professionals are available to mentor student participants. Students interested in cybersecurity careers can benefit from joining these teams to build technical skills and professional networks in the security community.

Subscribe now

Source: https://www.carleton.edu/news/stories/funds-will-launch-student-cybersecurity-teams/

A Latvian citizen has been sentenced to 8.5 years in federal prison after being convicted for his role as a negotiator for the Karakurt ransomware group, a Russian cybercrime operation. The defendant was extradited from Latvia to the United States to face charges related to his participation in the criminal enterprise, which targeted organizations through data theft and extortion schemes.

Karakurt is a financially motivated threat group known for stealing sensitive data from victim organizations and threatening to release it publicly unless a ransom is paid. Unlike traditional ransomware operations that encrypt files, Karakurt primarily focuses on data exfiltration and extortion. The group has targeted victims across multiple sectors, including healthcare, financial services, and critical infrastructure organizations.

The convicted individual served as a negotiator, acting as an intermediary between the ransomware operators and their victims. This role involved communicating ransom demands, negotiating payment amounts, and providing instructions for cryptocurrency transfers. Negotiators are essential to ransomware operations, as they handle the direct interaction with victims while insulating the core technical operators from law enforcement.

The case represents a significant law enforcement success in prosecuting ransomware-related crimes, particularly given the challenges of international cooperation and extradition. The 8.5-year sentence reflects the serious nature of ransomware offenses and the U.S. government's commitment to pursuing cybercriminals regardless of their location. This prosecution also demonstrates that individuals in supporting roles, not just the technical operators who deploy malware, face substantial criminal liability.

Organizations should maintain robust cybersecurity defenses, including regular data backups, network segmentation, and employee security awareness training. When facing a ransomware incident, victims should immediately contact law enforcement and consider engaging experienced incident response professionals. Companies should avoid paying ransoms when possible, as payments fund further criminal activity and provide no guarantee of data recovery or deletion.

Subscribe now

Source: https://www.bleepingcomputer.com/news/security/karakurt-extortion-gang-negotiator-sentenced-to-85-years-in-prison/

Meta has announced it will shut down Instagram's optional end-to-end encrypted direct messaging feature on May 8, 2026. The company first introduced the feature in 2021 as a testing initiative to provide users with secure communications accessible only to senders and recipients. Meta attributes the decision to discontinue the feature to extremely low adoption rates among Instagram's user base.

The removal of end-to-end encryption represents a fundamental change in how Instagram handles user data. Under end-to-end encryption, cryptographic keys remain stored exclusively on user devices, preventing anyone from reading intercepted messages. The platform will now rely solely on Transport Layer Security (TLS), which protects data in transit but allows Meta to decrypt and access message content once it reaches company servers.

This architectural shift enables Meta to perform several operations on private messages that were previously impossible. The company can now conduct automated scanning for safety violations and malicious links, integrate private chat data into machine learning and AI training models, respond to law enforcement subpoenas with plaintext data, and perform routine moderation using server-side keyword tracking. Cybersecurity experts warn that this change also increases exposure risk during potential server-side data breaches.

Meta is actively notifying affected users to export their encrypted chat data before the infrastructure changes take effect. After May 8, previously encrypted message threads will become fully accessible to Meta's automated moderation systems. Users can request a secure download of their personal information through account security settings. Failure to export data before the deadline means those private conversations will be added to the platform's scannable database.

The decision has drawn sharp criticism from cybersecurity professionals and privacy advocates who argue that removing security features contradicts growing demands for digital privacy. Security firms including Malwarebytes have publicly highlighted concerns about corporate data harvesting. While Meta encourages privacy-focused users to migrate to WhatsApp, many security researchers recommend independent platforms like Signal for sensitive communications.

Subscribe now

Source: https://cybersecuritynews.com/instagram-end-encryption-direct-messages/

Advanced Persistent Threat (APT) tracking faces a fundamental challenge: adversaries no longer behave as stable, predictable entities. Traditional attribution methods that rely on consistent Tactics, Techniques, and Procedures (TTPs) are failing as threat actors routinely change operators, swap tools, rebuild infrastructure, and shift objectives within single campaign cycles. This evolution leaves security analysts with fragmented signals and no reliable method to connect related activities across time.

DarkAtlas researchers have developed a campaign-based attribution framework that fundamentally rethinks how defenders track APT activity. Instead of treating threat groups as fixed identities, the framework focuses on discrete, time-bound clusters of activity called campaigns. Each campaign is defined by its objectives, infrastructure patterns, and operational behavior, with continuity between campaigns inferred through partial overlaps across multiple independent evidence layers rather than identical TTPs.

The framework employs an Overlap Model that examines six analytical dimensions before establishing attribution confidence. The strategic layer analyzes geopolitical alignment and targeting intent. The operational layer tracks targeting patterns, campaign timing, and victim sequencing. The tactical layer maps procedural execution against frameworks like MITRE ATT&CK. The technical layer examines custom malware characteristics, encryption routines, and build artifacts. The infrastructure layer studies domain naming conventions, TLS certificate reuse, and DNS behavior. The human layer captures operator-specific traits including coding style, language artifacts, and operational security habits. Attribution confidence is rated as high, medium, or low depending on how many independent evidence layers converge, with high-confidence assessments requiring strong, multi-layered overlap.

This approach produces a Campaign Linkage Graph where each node represents a distinct campaign and edges represent weighted relationships between operations. Strong links indicate substantial overlap across multiple layers, medium links reflect partial alignment, and weak links flag tentative connections requiring further validation. The graph-based structure naturally accommodates adversary evolution by absorbing tooling changes as new nodes, treating infrastructure rotation as weaker but traceable connections, and capturing group fragmentation as branching paths within the network.

Security teams should move away from single-indicator attribution and require multi-layer evidence before drawing conclusions about campaign origin. Organizations should treat TTPs as behavioral signals rather than definitive fingerprints, since adversaries routinely modify or share techniques to create false attribution trails. Teams should adopt campaign-centric tracking models where each operation is logged as a discrete unit, assign confidence tiers to all attribution assessments, and focus monitoring resources on stable indicators such as victimology and geopolitical timing that persist longer than tools or infrastructure.

Subscribe now

Source: https://cybersecuritynews.com/new-attribution-framework-connects-apt-campaigns/

A North Korean state-sponsored hacking group known as ScarCruft has successfully compromised a video game platform in a supply chain espionage operation, according to recent threat intelligence findings. The attackers embedded their BirdCall backdoor into legitimate platform components, transforming trusted gaming software into a malware distribution vehicle. The campaign appears specifically designed to target ethnic Koreans residing in China.

ScarCruft, also tracked by various security vendors under different names, has maintained a consistent focus on espionage operations aligned with North Korean state interests. The group has historically concentrated on intelligence gathering from targets in South Korea, China, and other regions with significant Korean diaspora populations. This latest campaign represents a tactical evolution in their approach to victim compromise.

The BirdCall backdoor, previously documented in attacks targeting Windows systems, has been modified for this supply chain operation. By compromising the gaming platform itself rather than individual users, the attackers gain access to automatic distribution through legitimate software update channels. This method allows malware to bypass many traditional security controls that would flag suspicious downloads from unknown sources. Users receive the trojanized components through normal platform operations, making detection significantly more difficult.

The targeting of ethnic Koreans in China suggests intelligence collection objectives related to diaspora communities. Gaming platforms provide an attractive vector for such operations because they maintain persistent connections, require regular updates, and often request elevated system permissions. The compromise of platform infrastructure enables attackers to reach numerous users simultaneously while maintaining operational security through the use of legitimate distribution channels.

Organizations using the affected gaming platform should immediately verify the integrity of installed components and monitor for suspicious network activity. Security teams should review logs for unusual outbound connections and consider implementing additional network segmentation for gaming and entertainment software. Users in potentially targeted demographics should exercise heightened caution with gaming platform updates and consider using dedicated systems for such applications separate from devices containing sensitive information.

Subscribe now

Source: https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html

Trellix, a prominent cybersecurity vendor, has confirmed that threat actors successfully accessed portions of its source code repository in an incident disclosed May 4. The company, which was formed in 2021 through the merger of McAfee Enterprise and FireEye under private equity firm Symphony Technology Group, has notified law enforcement and engaged forensic experts to investigate the breach. Trellix provides threat intelligence, AI-powered detection and response services including network and endpoint detection, along with data and email security solutions.

According to the company's statement, investigators have found no evidence that the source code release or distribution process was affected, nor have they identified any exploitation of the stolen code. However, the investigation remains ongoing, and Trellix has declined to share additional details about the incident or the threat actors responsible until the investigation concludes.

Security experts warn that source code access to a cybersecurity vendor presents significant risks. Isaac Evans, founder of software security firm Semgrep, explained that such access provides attackers with detailed information about where security controls exist, how detection systems are written, and where trusted update or build paths might be vulnerable. This intelligence allows threat actors to understand defensive tools from the inside and potentially weaponize the software ecosystem itself as a delivery mechanism for attacks.

The incident follows a pattern of recent supply chain attacks targeting security vendors. Multiple companies, including Aqua Security and Checkmarx, were recently compromised through an attack on the security scanner Trivy, which resulted in the exposure of numerous enterprise secrets. Google Cloud's Wiz Security reported in late March that the TeamPCP group behind the Trivy campaign may be collaborating with the extortion group Lapsus$ to monetize stolen credentials, with additional signs pointing to cooperation with the Vect ransomware group.

Security professionals emphasize that organizations must treat code repositories as critical assets requiring robust protection, not merely storage locations. Stolen tokens, gaps in continuous integration and deployment pipelines, and overtrusted build workflows enable attackers to move laterally between projects, harvesting secrets and establishing persistence. The targeting of security vendors represents a strategic shift where attackers seek not just customer data but leverage over the entire security ecosystem.

Subscribe now

Source: https://www.infosecurity-magazine.com/news/trellix-reveals-unauthorized/

Qualcomm Technologies has issued its May 2026 security bulletin, disclosing a significant number of vulnerabilities affecting both proprietary and open-source software components across its product portfolio. The security flaws pose serious risks to devices powered by Qualcomm chipsets, including smartphones, automotive systems, and industrial Internet of Things equipment.

The vulnerabilities represent a broad attack surface that threat actors could potentially exploit to gain unauthorized access to affected systems. According to the bulletin, these security gaps could enable attackers to compromise devices without requiring any user interaction, significantly lowering the barrier for successful exploitation. This no-click attack vector makes the vulnerabilities particularly dangerous for enterprise and consumer environments alike.

While specific technical details about individual vulnerabilities were not provided in the available information, the scope of affected systems suggests the flaws exist across multiple software layers in Qualcomm's technology stack. The inclusion of both proprietary Qualcomm code and open-source components indicates that the security issues may stem from various sources within the complex chipset ecosystem. Remote code execution capabilities would allow attackers to run arbitrary code on vulnerable devices, potentially leading to data theft, device control, or use of compromised systems as entry points for broader network attacks.

The impact spans multiple critical sectors given Qualcomm's dominant position in mobile and embedded systems. Smartphones represent the most widespread consumer risk, while automotive vulnerabilities could affect vehicle safety and security systems. Industrial IoT deployments face operational technology risks that could disrupt manufacturing, logistics, and infrastructure operations. The cross-sector nature of these vulnerabilities amplifies the urgency for coordinated patching efforts.

Claim Your Workspace

Qualcomm is strongly recommending that original equipment manufacturers immediately deploy the available security patches to their device fleets. Organizations using Qualcomm-powered devices should contact their hardware vendors to determine patch availability and deployment timelines. Security teams should prioritize updating internet-facing and mission-critical systems first, while monitoring for any signs of exploitation attempts. Given the remote code execution potential, network segmentation and enhanced monitoring should be implemented for devices that cannot be immediately patched.

Subscribe now

Source: https://gbhackers.com/qualcomm-chipset-vulnerabilities/

Meta has released security patches for WhatsApp addressing two vulnerabilities that could enable attackers to execute malicious URLs and mask harmful files on user devices. The flaws were discovered in the messaging platform's handling of Instagram Reels and file processing mechanisms.

The more critical vulnerability centers on WhatsApp's processing of Instagram Reels content. The flaw allows remote threat actors to exploit unvalidated message elements within Reels shared through the platform. By manipulating these elements, attackers could force arbitrary URLs to execute on a victim's device without proper validation or user consent.

The technical issue stems from insufficient input validation when WhatsApp processes Instagram Reels metadata and embedded links. When a malicious Reel is shared through WhatsApp, the application fails to properly sanitize certain message components, allowing attackers to inject and trigger unauthorized URLs. The second vulnerability involves file disguising capabilities, though specific technical details about this flaw remain limited in available reporting.

Claim Your Workspace

The vulnerabilities pose significant risks to WhatsApp’s user base, which numbers in the billions globally. Successful exploitation could lead to phishing attacks, malware distribution, or redirection to malicious websites. The remote nature of the Instagram Reels vulnerability is particularly concerning, as it requires no physical access to target devices and could potentially be deployed at scale through social engineering tactics.

Meta has deployed patches through standard WhatsApp updates to address both vulnerabilities. Users should immediately update their WhatsApp applications to the latest version available through their device’s app store. Organizations using WhatsApp for business communications should prioritize these updates and remind employees to exercise caution when interacting with Instagram Reels shared through the platform, even from known contacts, until updates are confirmed installed.

Subscribe now

Source: https://gbhackers.com/whatsapp-security-flaw-enables-malicious-url-execution/

Welcome to Cyber Briefing, your daily source for all things cybersecurity. We bring you the latest advisories, alerts, incidents, and news every weekday.

The current threat landscape is defined by a volatile mix of high-speed cloud extortion and critical infrastructure vulnerabilities. From the widespread “Copy Fail” Linux kernel flaw to the “Salt Typhoon” infiltration of IBM subsidiaries, attackers are exploiting both deep-system bugs and human-centric weaknesses like vishing and SSO gaps. These incidents, coupled with a massive data breach at Instructure affecting millions, highlight a shift toward rapid, high-impact campaigns that bypass traditional defenses to compromise national digital sovereignty and global supply chains.

Simultaneously, the integration of AI is fundamentally altering the pace of cybersecurity, with the UK NCSC warning that automated vulnerability discovery is forcing an era of “hyper-patching.” In response, the industry is pivoting toward quality over quantity; Google’s strategic shift in its bug bounty programs prioritizes human-driven, high-impact research to filter out AI-generated noise. As state-sponsored operatives face legal accountability in international courts, the focus for organizations has moved beyond simple perimeter defense toward systemic resilience and the mitigation of third-party risks.

Listen to our podcast here ⏬

Get BlueSleuth-Lite

⚡THREAT LANDSCAPE

CISA Adds Major Linux Kernel Vulnerability to Known Exploited Vulnerabilities Catalog

The United States Cybersecurity and Infrastructure Security Agency has officially added CVE-2026-31431, a critical Linux Kernel flaw known as Copy Fail, to its list of exploited vulnerabilities. This high-severity bug allows unprivileged local users to gain root access across nearly all major Linux distributions by manipulating the system page cache. Read More

Cybercrime Syndicates Exploit Vishing and SSO Vulnerabilities for High-Speed Cloud Extortion

Recent investigations into modern cyber threats reveal that sophisticated hacking groups are increasingly leveraging voice phishing and Single Sign-On weaknesses to execute rapid extortion campaigns against corporate SaaS environments. These attackers bypass traditional perimeter defenses by tricking employees into revealing credentials or approving multi-factor authentication prompts, allowing them to move laterally through cloud applications with unprecedented speed. Read More

Subscribe Now

🚨INCIDENTS & REAL-WORLD IMPACT

Ubuntu Infrastructure Disruptions Linked to Coordinated DDoS Campaign

Canonical and Ubuntu face widespread service interruptions following a targeted cyberattack claimed by a hacktivist collective. The ongoing incident has disabled essential web systems and repository access, leaving millions of users temporarily unable to perform routine system updates or software installations. Read More

ShinyHunters Targets Instructure in Massive Data Breach Affecting Millions

Educational technology giant Instructure has confirmed a security breach involving its Canvas platform, with the ShinyHunters hacking group claiming to have stolen personal data from 275 million users. While the company acknowledges the exposure of names and messages, the attackers allege a much larger scale of theft involving thousands of schools and a compromise of the company’s Salesforce environment. Read More

Salt Typhoon Linked to IBM Subsidiary Breach

“The April 2026 infiltration of IBM Italy subsidiary Sistemi Informativi has ignited urgent discussions regarding European digital sovereignty and the persistent threat of state-sponsored espionage. Attributed by intelligence sources to the China-linked group Salt Typhoon, the incident underscores the vulnerability of national infrastructure when managed by third-party IT providers. Read More

Claim Your Workspace

🔓 EXECUTIVE RISK & CYBERNOMICS

AI accelerates vulnerability discovery and forces rapid updates according to UK NCSC

The National Cyber Security Centre warns that artificial intelligence is significantly shortening the time it takes for attackers to find and exploit software vulnerabilities. This trend is expected to trigger a massive wave of urgent security patches as hidden flaws across the global technology ecosystem are exposed at an unprecedented pace. Read More

Get Help

🛡️ POLICY, REGULATION & LEGAL SIGNALS

Russian cyber operative admits to sabotaging international energy infrastructure

A Russian hacker linked to state-sponsored attacks on global oil and gas systems has pleaded guilty in a U.S. federal court. Artem Vladimirovich Revenskii faces a potential 27-year prison sentence for his role in damaging critical infrastructure across multiple nations, including the United States and Ukraine. Read More

💻 CAREER ENABLEMENT

Google Shifts Bug Bounty Focus Toward High Impact Exploits and Android Security

Google has overhauled its vulnerability reward programs for Android and Chrome to prioritize high-quality research over the high volume of reports generated by artificial intelligence. The update reflects a strategic pivot toward incentivizing human-driven insights and actionable fixes as automated tools continue to flood the system with low-value submissions.Read More

Click Here To Read

Copyright © 2026 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium

Google is significantly restructuring its security rewards to keep pace with the rapid evolution of generative artificial intelligence in the cybersecurity sector. As advanced AI models make it easier for researchers to automate code analysis and generate voluminous reports, the company is shifting its focus away from raw quantity. The new framework prioritizes vulnerability submissions that provide concrete proof of concept and demonstrable user impact, moving toward a model that values quality and depth over the sheer number of bugs discovered.

The most substantial increases in rewards are targeted at the Android ecosystem, specifically for exploits that remain difficult for automated tools to detect. Top payouts for zero-click exploits targeting the Pixel Titan M security chip have been raised to 1.5 million dollars, emphasizing the protection of critical hardware components. Conversely, Chrome payouts have seen a decrease in base rewards for common issues like memory safety, as Google aims to discourage lengthy, AI-assisted write-ups in favor of concise, reproducible evidence of a flaw.

This recalibration is a direct response to the surge of AI-generated reports that have overwhelmed security teams across the industry. While automation helps identify variants of known problems and suggests potential fixes, it has also led to an influx of noise that can obscure significant threats. By reducing bonuses for certain standard vulnerabilities and focusing on full-chain exploits, Google intends to reward researchers who can bypass advanced structural protections that AI still struggles to navigate effectively.

Despite the reduction in some individual payout categories, Google expects its total expenditure on bug bounties to increase throughout 2026. The company paid out a record 17.1 million dollars in 2025 and maintains that these structural changes are intended to optimize efficiency rather than cut costs. The program now places a higher premium on submissions that include suggested patches and those that focus on components maintained directly by Google, ensuring that resources are directed toward the most relevant security risks.

The broader cybersecurity landscape is facing similar challenges, with other major organizations pausing submissions due to the volume of AI-facilitated data. Google's strategy represents an attempt to harness the benefits of automation while safeguarding the human ingenuity required for complex security research. By adapting its reward structures to favor high-impact and AI-resistant vulnerabilities, the company aims to set a new standard for how tech giants manage security research in an increasingly automated environment.

Subscribe now

Source: https://bughunters.google.com/blog/evolving-the-android-chrome-vrps-for-the-ai-era

A Russian hacker linked to state-sponsored attacks on global oil and gas systems has pleaded guilty in a U.S. federal court. Artem Vladimirovich Revenskii faces a potential 27-year prison sentence for his role in damaging critical infrastructure across multiple nations, including the United States and Ukraine.

A Russian national known by the alias Digit has formally entered a plea agreement following charges of wire fraud, identity theft, and conspiracy to damage protected computers. Federal prosecutors in California reached the deal with Artem Vladimirovich Revenskii after he was extradited from the Dominican Republic late last year. The defendant was allegedly a key member of Sector 16, a hacking collective working on behalf of the Russian government to strike at perceived geopolitical enemies.

The group specifically focused its efforts on industrial control systems that manage energy operations in Western nations and Eastern Europe. Court documents reveal that the hackers infiltrated facilities in the United States, Germany, France, and Latvia, causing direct damage to the systems that keep these utilities running. Revenskii and his associates targeted infrastructure that would maximize disruption for the civilian population and the regional economy.

Much of the group's most aggressive activity was directed toward Ukraine, where they attempted to disable the national electric grid and sabotage gas stations in the capital. Investigators uncovered communications where Revenskii detailed plans to plunge the entire country into a total blackout for several days. In 2025, the group successfully breached a natural gas plant in Poltava, where they discussed methods to physically destroy hardware and deform pipelines by manipulating pressure and ventilation controls.

Sector 16 first surfaced in early 2025 when they collaborated with other pro-Russia hacktivist groups to claim credit for a cyberattack on oil storage tanks in Texas. While many Russian cybercriminals traditionally focused on financial gain through ransomware, this specific cell demonstrated a clear shift toward state-aligned destruction. Their public displays on the dark web were designed to showcase their ability to reach critical Western assets.

The prosecution of Revenskii represents a significant move by the Department of Justice to hold state-backed actors accountable for attacks on civil infrastructure. As Russian cyber operations continue to evolve from simple data theft to physical sabotage, international law enforcement has increased efforts to intercept operatives traveling outside of Russia. Revenskii now awaits sentencing as the court considers the recommendation for a reduced term in exchange for his plea.

Subscribe now

Source: https://kyivindependent.com/russian-hacker-targeted-global-oil-gas-facilities-pleads-guilty/

The National Cyber Security Centre warns that artificial intelligence is significantly shortening the time it takes for attackers to find and exploit software vulnerabilities. This trend is expected to trigger a massive wave of urgent security patches as hidden flaws across the global technology ecosystem are exposed at an unprecedented pace.

The emergence of AI-driven exploitation is forcing a necessary correction for the technical debt currently embedded in modern software. According to NCSC officials, skilled actors are now able to identify and leverage vulnerabilities across proprietary, commercial, and open-source platforms with greater efficiency than ever before. This shift means that organizations can no longer afford to delay updates, as the window between the discovery of a flaw and its active exploitation is rapidly closing.

To manage this incoming surge of security requirements, the NCSC recommends that organizations prioritize their internet-facing systems and external perimeters. By reducing the visible attack surface, companies can mitigate the immediate risk posed by automated discovery tools. Once external defenses are secured, the focus should shift inward to cloud environments and on-premise infrastructure to ensure comprehensive protection against deep-seated flaws.

Security professionals are also being urged to address legacy systems that have reached their end-of-life status. Because these systems no longer receive official updates, they represent a permanent risk that cannot be solved through traditional patching. In these scenarios, the only viable solution is to replace the outdated technology or negotiate for extended vendor support to ensure the systems remain resilient against modern, AI-enhanced threats.

The guidance advocates for an update-by-default strategy, utilizing automatic hot-patching whenever possible to reduce the manual burden on IT teams. For systems where automation is not feasible, organizations should employ risk-based frameworks to prioritize the most critical fixes. By streamlining the update process now, businesses can prepare for a future where high-frequency patching becomes the standard requirement for maintaining digital safety.

Long-term security will ultimately depend on more than just reactive patching; it requires a fundamental shift toward secure-by-design principles. The NCSC suggests that software vendors adopt memory-safe languages and containment technologies to eliminate entire classes of vulnerabilities at the source. Until these architectural changes become widespread, organizations must rely on robust cyber hygiene, enhanced threat detection, and rigorous observability to stay ahead of evolving digital risks.

Subscribe now

Source: https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave

The breach targeted a central pillar of Italy's digital framework, as Sistemi Informativi manages critical IT infrastructure for a wide range of public agencies and private sector giants. When the company’s systems were taken offline in late April, the ripple effect was immediate, prompting IBM to deploy both internal and external specialists to contain the intrusion and restore stability. While the tech giant has officially confirmed the containment of the incident, the specific volume of data compromised and the depth of the network penetration remain subjects of intense forensic scrutiny.

Security analysts are particularly concerned due to the involvement of Salt Typhoon, an advanced persistent threat group known for its technical sophistication and strategic patience. Unlike many cybercriminal groups that seek immediate financial gain, this actor focuses on long-term data exfiltration and the mapping of backbone networks. Their presence within a primary IT integrator suggests a motive beyond simple disruption, likely aimed at establishing a silent, long-term foothold within the communication relays and databases that power the Italian state.

This operation reflects a broader trend of escalating Chinese-linked cyber activities across the West, following recent high-profile compromises of telecommunications and defense logistics in North America and Northern Europe. Salt Typhoon typically bypasses traditional defenses by exploiting zero-day vulnerabilities in enterprise hardware and infiltrating supply chains rather than relying on common phishing tactics. By targeting the service providers that manage government data, the group effectively turns a single point of failure into a master key for an entire nation’s digital assets.

The aftermath of the attack serves as a stark warning for the European Union as it navigates an increasingly hostile digital landscape. It demonstrates that the distinction between private corporate security and national security has effectively vanished, as the compromise of a private subsidiary can have immediate consequences for public safety and governance. To counter such disciplined adversaries, experts argue that European nations must move beyond reactive measures, instead prioritizing unified intelligence sharing and the rigorous hardening of the third-party providers that form the invisible spine of modern society.

Subscribe now

Source: https://www.repubblica.it/tecnologia/2026/05/03/news/esclusivo_pa_italiana_e_non_solo_attaccata_da_un_gruppo_di_hacker_cinesi-425320702/

Instructure officially disclosed the security incident after the ShinyHunters extortion group listed the company on their data leak site. The company confirmed that unauthorized access led to the exposure of personal details, including names, email addresses, student identification numbers, and private communications between users. Although the investigation is still in its early stages, the company maintains that highly sensitive information such as financial records, government IDs, and passwords remained secure during the intrusion.

In response to the discovery, the technology provider implemented immediate security measures to contain the threat and prevent further unauthorized access. These actions included deploying software patches, increasing system monitoring, and rotating application keys to secure their infrastructure. Consequently, institutional customers using the platform have been required to re-authorize their API access so that new, secure keys can be issued for their specific environments.

The ShinyHunters group, which operates on an extortion-as-a-service model, has made bold claims regarding the scope of the data theft that far exceed the company's initial reports. The hackers assert they have obtained over 240 million records from approximately 15,000 educational institutions spanning North America, Europe, and Asia. This group has a history of targeting major corporate entities through Salesforce vulnerabilities, having previously claimed responsibility for significant breaches at other global organizations.

This latest incident follows a pattern of high-profile attacks by ShinyHunters, who recently targeted other major firms and claimed to have accessed over a billion records in previous campaigns. Their strategy typically involves listing victims on a public leak site to pressure them into paying a ransom. The group’s focus on educational technology highlights a growing trend of cybercriminals targeting platforms that host massive amounts of personal data belonging to students and faculty.

The full extent of the breach remains unverified by independent security researchers, as Instructure has not yet provided specific details regarding the timeline of the attack or the veracity of the ransom demands. Currently, the company is working alongside third-party cybersecurity firms and law enforcement agencies to conduct a forensic analysis of the event. As the investigation continues, schools and universities using Canvas are being urged to remain vigilant and follow the updated security protocols issued by the provider.

Subscribe now

Source: https://www.techzine.eu/news/security/140994/shinyhunters-claims-instructure-breach-data-from-275m-users-stolen/

Canonical recently confirmed that its web infrastructure is currently enduring a sustained cross-border attack. The company stated that teams are actively working to mitigate the disruption and promised to release more detailed information through official channels as soon as the situation is stabilized. This confirmation follows a series of reports from users who found themselves unable to access public-facing resources starting late Thursday.

The primary method of the disruption has been identified as a distributed denial-of-service attack. This technique involves overwhelming target servers with a massive influx of junk traffic, effectively drowning out legitimate requests and forcing the infrastructure to crash. While technically less sophisticated than a data breach, the scale of this particular flood has proven sufficient to knock critical services offline for an extended period.

Internal discussions among developers on community forums suggest the impact is broader than a simple website outage. The attack has reportedly compromised the security API used by the operating system, which explains why users have encountered errors when attempting to download security patches or new packages. Independent testing has verified that update protocols remain non-functional across multiple devices, confirming that the core utility of the distribution is currently hampered.

As the outage enters its second day, the impact remains significant with no immediate timeline for a full recovery. A spokesperson for Canonical has largely pointed back to the company's initial public statement, emphasizing that the focus remains on defensive mitigation. The disruption marks one of the most visible service failures for the Linux distribution in recent years, highlighting the vulnerability of centralized update repositories.

Responsibility for the incident has been claimed by a group identified as The Islamic Cyber Resistance in Iraq 313 Team. The group utilized their Telegram channel to announce that they were behind the flooding of Canonical’s servers. While the motive remains tied to hacktivism, the practical result is a continued bottleneck for the global Ubuntu user base as they wait for the infrastructure to be restored.

Subscribe now

Source: https://discourse.ifin.network/t/ubuntu-services-under-attack/356

The evolution of these tactics marks a significant shift in the cybercrime landscape, as threat actors move away from slow, malware-heavy infections toward agile, identity-based intrusions. By targeting administrative accounts within Single Sign-On platforms, attackers can gain broad access to sensitive data stored across various cloud services, often completing their data theft and extortion demands within hours of the initial breach.

The initial phase of these attacks typically begins with a high-pressure voice phishing call, often referred to as vishing. In these scenarios, a threat actor poses as a member of the corporate IT help desk or security team, contacting a specific employee to report a fabricated technical issue. The goal is to convince the target to share their login credentials or to accept a push notification on their authentication app. Because these calls rely on social engineering and psychological manipulation rather than malicious software, they frequently bypass automated security filters that look for suspicious code or links.

Once the attackers gain entry into the corporate environment, they immediately target the Single Sign-On or SSO provider. SSO is designed to streamline user access by allowing one set of credentials to unlock multiple applications, but in the hands of a criminal, it becomes a master key. By abusing SSO configurations, the intruders can grant themselves persistent access to a wide array of Software-as-a-Service platforms, such as document storage, customer databases, and communication tools like Slack or Microsoft Teams. This centralized control allows them to navigate the network with the same privileges as a legitimate administrator.

After securing access to the various SaaS platforms, the group focuses on rapid data exfiltration rather than deploying ransomware to encrypt files. They identify the most sensitive corporate data—financial records, legal documents, or customer personal information—and transfer it to their own servers. The speed of this process is a defining characteristic of modern extortion groups; they aim to steal as much information as possible before the internal security team can detect the anomaly. By the time an alert is triggered, the data has often already left the company's control.

Claim Your Workspace

The extortion phase begins shortly after the data has been stolen. Instead of leaving a digital ransom note on a server, the attackers often contact company executives directly via email or even phone calls to demand payment. They threaten to leak the stolen data on public forums or sell it to competitors if their demands are not met. Because the attackers have already demonstrated their ability to move through the cloud environment at will, the pressure on the victim organization to pay is immense, as the threat of a massive data breach becomes an immediate reality.

Defending against these rapid-fire attacks requires a move beyond traditional antivirus software toward robust identity security and employee awareness. Organizations are being urged to implement more secure forms of multi-factor authentication, such as hardware keys, which are much harder to compromise through vishing. Additionally, monitoring for unusual behavior within SSO logs, such as logins from unexpected locations or at odd hours, is essential for catching these intruders before they can complete their mission. As cybercrime groups continue to refine their social engineering and cloud exploitation techniques, the speed of response has become the most critical factor in modern digital defense.

Subscribe now

Source: https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/

The Cybersecurity and Infrastructure Security Agency recently expanded its Known Exploited Vulnerabilities catalog to include CVE-2026-31431, a logic flaw in the Linux kernel’s cryptographic template. This vulnerability, discovered by researchers at Xint Code, affects a wide range of popular distributions including Ubuntu, Red Hat Enterprise Linux, SUSE, and Amazon Linux. The flaw is particularly dangerous because it allows a local user to execute a deterministic 4-byte write into the page cache of any readable file, which can lead to a full system takeover. Because the exploit targets memory rather than the physical disk, the changes are silent and difficult for traditional security tools to detect.

The technical root of the issue lies in the interaction between the kernel's crypto subsystem and the splice system call. By using an unprivileged AF_ALG socket, an attacker can map sensitive file pages into a cryptographic operation. A specific error in the authencesn algorithm causes the kernel to use the output buffer as a scratch space, inadvertently writing controlled data past the intended boundary. This extra write lands directly in the page cache of a chosen file, such as a setuid-root binary. Because the kernel does not mark these corrupted pages as dirty, the file on the disk remains original while the version running in memory is compromised.

To carry out the attack, an operator uses a small script to target a common binary like the su utility. After binding to the vulnerable cryptographic mode and setting the parameters, the attacker uses the recv system call to trigger the decryption process. This process repeats until enough shellcode has been injected into the cached version of the binary. When the attacker subsequently executes the utility, the kernel loads the corrupted code from the cache. Since the utility naturally runs with root privileges, the injected code provides the attacker with total control over the operating system.

Claim Your Workspace

Research shows that this vulnerability has been present in the Linux kernel since an optimization made in 2017. It is highly portable and effective across different architectures, making it a more reliable threat than previous kernel exploits like Dirty Cow. The simplicity of the exploit is a major concern, as a script under one kilobyte in size can consistently achieve root access on modern systems such as Ubuntu 24.04 or RHEL 10.1. Furthermore, because it exploits the shared page cache, the vulnerability can be used to escape Kubernetes containers and move laterally within cloud environments.

In response to the active exploitation of this flaw, CISA has issued a directive requiring federal agencies to remediate the vulnerability by May 15, 2026. While the mandate specifically applies to Federal Civilian Executive Branch agencies, cybersecurity experts strongly advise private organizations to prioritize patching their Linux infrastructure. Most major distributions have released updates to address the logic bug in the cryptographic subsystem, and administrators are encouraged to apply these kernel patches immediately to prevent unauthorized privilege escalation.

Subscribe now

Source: https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog

Most people think mobile malware is about stolen passwords, banking logins, or credit card details.

But GoldPickaxe changed that.

This is one of the more dangerous mobile malware campaigns to emerge in recent years because it doesn’t stop at account access, it targets identity itself.

And that changes everything.

Watch Summary Video Below: ⬇️

Read more